今天cnBeta在发布一份来自一份投递,来源为推送广告站点提供的Flash EXE资料时被报告发现捆绑有adware.Roogoo,并且对一些用户的PC造成了破坏,在此我们深感歉意.据悉,这是一种新出的病毒,许多反病毒软件对它仍然没有检测和清除方法,已知可以手工清除.

　　Update:更新专杀工具

　　下载NG为CB专门制作的专杀工具
　　恶意软件清理助手

　　以上两款软件均可以杀除


　　访问:Windows XP的WinSock修复器

　　新病毒资料:

　　Adware.Roogoo 是一种新出的非常恶毒的广告病毒,变种很多,部分变种目前杀毒软件无法顺利删除,必须进行繁琐的手工清除,而且很多时候会导致系统、网络无法正常访问.目前解决的方法只有重装系统或进行繁琐的手工清除.受该病毒危害最大的是WindowsXP(NTFS分区)、Windows2003(NTFS分区).

　　对于FAT32分区格式的Windows用户来说该病毒清除很方便,只需要在Windows下找到病毒本体的位置,然后在DOS下删除,再做一个网络协议的修复工作和注册表清理工作就可以了.

　　对于NTFS分区格式的Windows用户来说该病毒清除相对复杂一些,需要准备好你用的Windows系统的安装盘,在Windows下找到病毒本体的位置,然后用Windows安装盘启动,以Administrator登陆“故障恢复控制台”,在DOS下对NTFS分区内的病毒本体进行删除,再做一个网络协议的修复工作和注册表清理工作就可以了.

　　注意:由于该病毒是和Windows的通讯协议绑定在一起的,所以删除病毒本体后网络连接将无法正常使用,所以大家必须在删除病毒本体前准备好网络协议修复工具.(附件为网络通讯协议修复工具).

　　Symantec提供的资料有:

To delete the value from the registry

Important: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified subkeys only. Read the document: How to make a backup of the Windows registry.

1. Click Start > Run.
2. Type regedit
   
   Then click OK.
   
   Note: If the registry editor fails to open the risk may have modified the registry to prevent access to the registry editor. Security Response has developed a tool to resolve this problem. Download and run this tool, and then continue with the removal.
   
   
3. Navigate to the subkey:
   
   HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersion
   
   
4. In the right pane, delete the value:
   
   "FROMID" = "roogoo"
   
   
5. Navigate to the subkey:
   
   HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionInternet SettingsZones3
   
   
6. In the right pane, delete the value:
   
   "2102" = "0"
   
   
7. Navigate to and delete the subkeys:
   
   HKEY_CLASSES_ROOTCLSID{18F57D30-EF36-4C0E-9343-7BFA6DF79B4A}
   HKEY_CLASSES_ROOTInterface{2805A558-1E98-48FB-8BA5-49A3AD78B129}
   HKEY_CLASSES_ROOTTypeLib{57F7A59D-8F7F-41B2-98B8-A095456716E9}
   HKEY_CLASSES_ROOTAdplus.XLink
   HKEY_CLASSES_ROOTAdplus.XLink.1
   HKEY_LOCAL_MACHINESOFTWARERoogoo
   
   
8. Exit the Registry Editor.

4. To reinstall TCP/IP Protocol

Important: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified subkeys only. For instructions refer to the document: How to make a backup of the Windows registry.

1. Click Start > Run
2. Type regedit
3. Click OK.
   
   
   Note: If the registry editor fails to open the threat may have modified the registry to prevent access to the registry editor. Security Response has developed a tool to resolve this problem. Download and run this tool, and then continue with the removal.
   
4. Navigate to and delete the subkeys:
   
   HKEY_LOCAL_MACHINESystemCurrentControlSetServicesWinsock
   HKEY_LOCAL_MACHINESystemCurrentControlSetServicesWinsock2
   
   
5. Exit the Registry Editor
   
   
6. Restart the computer
   
   
   1. Click Start > Control Panel > Network Connections >Local Area Connection
   2. Click Properties
   3. Click Install
   4. Select Protocol
   5. Click Add
   6. Click Have Disk
   7. Browse to the %Windir%inf folder
   8. Click Open
   9. Click OK
   10. Select Internet Protocol (TCP/IP)
   11. Click OK
   12. Restart the computer  

--
原文链接: http://www.cnbeta.com//modules.php?name=News&file=article&sid=14498