瑞星19.06.30还查不到。
此外，中了这个变种后，常用扫日志工具扫出的日志中没什么异常发现。
释放文件：除了在X:\windows\system32\com\文件夹中释放lsass.exe和smss.exe外，还在其它各个分区根目录下释放autorun.inf和pagefile.pif。
感染文件：感染系统分区以外的其它分区中的可执行文件。
注：X为系统分区盘符。


图1：病毒进程

图2：用SSM如此处理后重启系统

图3：重启后用WINRAR删除的病毒文件

需要删除/处理的注册表项：

1、HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU
"d"="C:\\pagefile.pif"
"g"="D:\\pagefile.pif"
2、HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\pif
"a"="C:\\pagefile.pif"
"b"="D:\\pagefile.pif"
3、HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{14875d11-0f90-11d9-963d-00d059c0b859}\Shell\Auto\command
@="F:\\pagefile.pif"
4、HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{14875d11-0f90-11d9-963d-00d059c0b859}\Shell\AutoRun\command
@="C:\\windows\\system32\\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL pagefile.pif"
5、HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\Bags\526\Shell
"ItemPos800x600(1)"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,02,00,00,00,02,\
  00,00,00,4c,00,31,00,00,00,00,00,9c,35,82,0a,30,00,49,43,45,53,\
  57,4f,7e,31,00,00,34,00,03,00,04,00,ef,be,9c,35,82,0a,9b,35,00,\
  80,14,00,00,00,49,00,63,00,65,00,53,00,77,00,6f,00,72,00,64,00,\
  31,00,32,00,30,00,5f,00,63,00,6e,00,00,00,18,00,b4,00,00,00,02,\
  00,00,00,36,00,31,00,00,00,00,00,9c,35,78,0a,30,00,53,52,45,4e,\
  47,00,22,00,03,00,04,00,ef,be,9c,35,78,0a,9b,35,00,80,14,00,00,\
  00,53,00,52,00,45,00,6e,00,67,00,00,00,14,00,66,01,00,00,02,00,\
  00,00,58,00,32,00,11,66,01,00,26,36,f3,32,20,00,32,30,30,37,31,\
  36,7e,31,2e,52,41,52,00,00,3c,00,03,00,04,00,ef,be,26,36,99,33,\
  25,36,00,80,14,00,00,00,32,00,30,00,30,00,37,00,31,00,36,00,31,\
  00,34,00,32,00,32,00,32,00,32,00,35,00,36,00,2e,00,72,00,61,00,\
  72,00,00,00,1c,00,02,00,00,00,3a,00,00,00,4e,00,32,00,6c,e6,02,\
  00,26,36,c2,41,20,00,4d,45,44,49,41,53,7e,31,2e,52,41,52,00,00,\
  32,00,03,00,04,00,ef,be,26,36,da,41,25,36,00,80,14,00,00,00,4d,\
  00,65,00,64,00,69,00,61,00,53,00,75,00,70,00,73,00,2e,00,72,00,\
  61,00,72,00,00,00,1c,00,b4,00,00,00,3a,00,00,00,56,00,32,00,e6,\
  e3,00,00,22,36,98,4d,20,00,4e,49,4d,41,59,41,7e,31,2e,52,41,52,\
  00,00,3a,00,03,00,04,00,ef,be,22,36,ca,4d,21,36,00,80,14,00,00,\
  00,6e,00,69,00,6d,00,61,00,79,00,61,00,5f,00,6b,00,69,00,6c,00,\
  6c,00,65,00,72,00,2e,00,72,00,61,00,72,00,00,00,1c,00,66,01,00,\
  00,3a,00,00,00,4c,00,32,00,00,c0,00,00,2f,36,20,3a,07,00,70,61,\
  67,65,66,69,6c,65,2e,70,69,66,00,00,30,00,03,00,04,00,ef,be,30,\
  36,a6,3b,2f,36,00,80,14,00,00,00,70,00,61,00,67,00,65,00,66,00,\
  69,00,6c,00,65,00,2e,00,70,00,69,00,66,00,00,00,1c,00,02,00,00,\
  00,72,00,00,00,48,00,32,00,58,00,00,00,30,36,b6,3c,07,00,41,55,\
  54,4f,52,55,4e,2e,49,4e,46,00,2e,00,03,00,04,00,ef,be,30,36,b5,\
  3c,2f,36,00,80,14,00,00,00,41,00,55,00,54,00,4f,00,52,00,55,00,\
  4e,00,2e,00,49,00,4e,00,46,00,00,00,1a,00,02,00,00,00,72,00,00,\
  00,00,00,00,00

越来越可怕了....大叔啊  俺们家的SSM  怎么看不到MD5呢..

万一某些人中毒了...求助都无门啊..

学习

又变种了……用冰刃干它怎么样？

引用:

【鸟儿天上飞的贴子】越来越可怕了....大叔啊  俺们家的SSM  怎么看不到MD5呢.. 万一某些人中毒了...求助都无门啊.. ………………

引用:

【鸟儿天上飞的贴子】越来越可怕了....大叔啊  俺们家的SSM  怎么看不到MD5呢.. 万一某些人中毒了...求助都无门啊.. ………………

引用:

【水樹雨下的贴子】又变种了……用冰刃干它怎么样？ ………………

IS不能删除autorun.inf和pagefile.pif；即使你预先终止了病毒进程lsass.exe和smss.exe