Analysis Report
File: pmovrao.exe
Size: 26816 bytes
MD5: 8A43F7A2EB37728D5D808C4E72B65242
SHA1: A61CB036BC9A851A61E79F815A688DC04603C509
CRC32: 2B59AD2F
After execution it drops one exe with a random 7-letter name in each of
C:\Program Files\Common Files\Microsoft Shared and
C:\Program Files\Common Files\System
(in my test these were C:\Program Files\Common Files\System\gamkqme.exe and
C:\Program Files\Common Files\Microsoft Shared\vdiwghf.exe), together with
C:\Program Files\meex.exe
C:\Program Files\syuhxcx.inf (random 7-letter name)
Deletes C:\WINDOWS\system32\verclsid.exe.
Walks the partitions D: through Z: and creates in the root of each an autorun.inf and an exe with a random 7-letter name (pmovrao.exe in my case).
The right-click menu is unchanged.
Checks for the following files and, if present, renames each to a random 7-letter name:
autorun.inf in the root of every partition
MSInfo\wniapsvr.exe
MSInfo\Shell.exe
MSInfo\Shell.pci
system32\progmon.exe
system32\internt.exe
Web\css.css
Com\lsass.exe
IME\svchost.exe
IME\smss.exe
Debug\debug.exe
Common Files\svchost.cnc
Common Files\Relive.dll
Internet Explorer\msvcrt.dll
Internet Explorer\PLUGINS\SysWin64.Jmp
Internet Explorer\PLUGINS\SysWin64.Sys
Internet Explorer\PLUGINS\SysWin64.Tao
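The drive-root behaviour above (an autorun.inf beside an exe with a random 7-letter name on every partition) can be checked from a directory listing. The following is an added example and not the report's own tooling: it runs on an in-memory listing so it works offline, and because the report does not print the autorun.inf body, the one used here is constructed. It flags every root that carries an autorun.inf, lists exes matching the 7-letter naming pattern, and resolves which of the autorun.inf launch targets actually exist in that root.

```python
"""Flag partition roots carrying the autorun.inf + random 7-letter exe pairing
this report describes. Added example (not the report's own tooling): it runs
on an in-memory listing so it works offline, and since the report does not
print the autorun.inf body, the one used here is constructed."""
import configparser
import re

# Seven letters plus .exe, the naming pattern observed in the report
RANDOM_EXE = re.compile(r'^[a-z]{7}\.exe$', re.IGNORECASE)
# autorun.inf keys that name something to launch when the drive is opened
AUTORUN_LAUNCH_KEYS = ('open', 'shellexecute', 'shell\\open\\command')

# Constructed listing {drive_root: {name: file content, or None for binaries/dirs}}
SAMPLE_ROOTS = {
    'D:\\': {
        'autorun.inf': '[autorun]\nopen=pmovrao.exe\nshell\\open\\command=pmovrao.exe\n',
        'pmovrao.exe': None,          # the dropped 7-letter exe
        'photos': None,               # an ordinary directory
    },
    'E:\\': {'backup.zip': None},     # clean drive for contrast
}


def autorun_targets(content):
    """Return the file names an autorun.inf would launch, arguments stripped."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(content)
    section = next((s for s in cp.sections() if s.lower() == 'autorun'), None)
    if section is None:
        return []
    targets = []
    for key in AUTORUN_LAUNCH_KEYS:
        if cp.has_option(section, key):
            value = cp.get(section, key).strip().strip('"')
            if value:
                targets.append(value.split()[0])
    return targets


def scan_roots(roots):
    """Return (root, random_exes, launched) for every root that has an autorun.inf;
    'launched' lists the autorun targets that actually exist in that root."""
    findings = []
    for root, listing in roots.items():
        by_lower = {name.lower(): name for name in listing}
        if 'autorun.inf' not in by_lower:
            continue
        random_exes = sorted(name for name in listing if RANDOM_EXE.match(name))
        targets = autorun_targets(listing[by_lower['autorun.inf']] or '')
        launched = sorted({by_lower[t.lower()] for t in targets if t.lower() in by_lower})
        findings.append((root, random_exes, launched))
    return findings


if __name__ == '__main__':
    for root, random_exes, launched in scan_roots(SAMPLE_ROOTS):
        print(root, 'random-name exe:', random_exes, 'autorun launches:', launched)
```

On a real host the listing would come from os.listdir() over each mounted root; the detection logic itself does not change. An autorun.inf whose launch target is a 7-letter exe in the same root is the combination this report describes, while an autorun.inf on its own is common on legitimate install media.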
Sets the startup type of the following services to Disabled:
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
HKLM\SYSTEM\CurrentControlSet\Services\helpsvc
HKLM\SYSTEM\CurrentControlSet\Services\wscsvc
HKLM\SYSTEM\CurrentControlSet\Services\wuauserv
Deletes the following keys, which breaks Safe Mode:
HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}
HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}
Sets
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue
to 0x00000000, which breaks the "Show hidden files" option.
Sets the attributes of C:\Program Files\Common Files\Microsoft Shared and
C:\Program Files\Common Files\System to hidden.
Adds the following IFEO (Image File Execution Options) entries:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\adam.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AgentSvr.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AppSvc32.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ArSwp.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AST.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avconsol.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgrssvc.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvMonitor.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccSvcHst.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EGHOST.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FileDsty.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FTCleanerShell.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FYFireWall.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HijackThis.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IceSword.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iparmo.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Iparmor.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\isPwdSvc.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kabaload.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KaScrScn.SCR
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASMain.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASTask.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAV32.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVDX.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVPF.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVPFW.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVSetup.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVStart.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KISLnchr.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KMailMon.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KMFilter.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32X.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPfwSvc.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KRegEx.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KRepair.com
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KsLoader.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVCenter.kxp
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvDetect.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvfwMcl.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonXP.kxp
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonXP_1.kxp
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvol.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvolself.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvReport.kxp
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVScan.kxp
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVSrvXP.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVStub.kxp
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvupload.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvwsc.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvXP.kxp
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvXP_1.kxp
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatch.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatch9x.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatchX.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\loaddll.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MagicSet.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcconsol.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmqczj.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmsk.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Navapsvc.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Navapw32.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32krn.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32kui.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NPFMntor.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFW.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFWLiveUpdate.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QHSET.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQDoctor.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQKav.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ras.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rav.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMon.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMonD.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavStub.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavTask.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RegClean.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwcfg.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwmain.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwsrv.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RsAgent.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rsaupd.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\runiep.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safelive.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\scan32.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\shcfg32.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SmartUp.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SREng.EXE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\symlcsvc.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SysSafe.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojanDetector.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Trojanwall.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojDie.kxp
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UIHost.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxAgent.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxAttachment.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxCfg.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxFwHlp.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxPol.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\upiea.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UpLive.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\USBCleaner.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsstat.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\webscanx.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WoptiClean.exe
each pointing to the random 7-letter exe under C:\Program Files\Common Files\Microsoft Shared.
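The registry tampering listed above (service start types, the SafeBoot keys, the SHOWALL CheckedValue and the IFEO entries) can be audited from a registry export rather than on the live machine. The following is an added example, not tooling from the report: it parses the text format produced by `reg export` (a constructed sample is embedded, not an export from a real host) and reports IFEO keys that carry a Debugger value, the four services the report names when their Start value is 4 (Disabled), a missing disk-class SafeBoot entry, and a zeroed CheckedValue. The SafeBoot check only makes sense when the export covers the SafeBoot tree, so export HKLM\SYSTEM and HKLM\SOFTWARE whole.

```python
"""Audit a Windows registry export (.reg text) for the tampering this report
lists: IFEO Debugger hijacks, disabled services, missing SafeBoot keys and a
zeroed SHOWALL CheckedValue. Added example; not the report's own tooling."""
import re

# Constructed sample of `reg export` output (not taken from a real host). In
# .reg syntax every backslash inside a string value is doubled.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe]
"Debugger"="C:\\Program Files\\Common Files\\Microsoft Shared\\vdiwghf.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache]
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000000
'''

HIVE = 'HKEY_LOCAL_MACHINE'
IFEO = HIVE + r'\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
SERVICES = HIVE + r'\SYSTEM\CurrentControlSet\Services'
SAFEBOOT = HIVE + r'\SYSTEM\CurrentControlSet\Control\SafeBoot'
SHOWALL = HIVE + r'\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
DISK_CLASS_GUID = '{4D36E967-E325-11CE-BFC1-08002BE10318}'  # the SafeBoot entry the malware deletes
TARGETED_SERVICES = ('SharedAccess', 'helpsvc', 'wscsvc', 'wuauserv')
START_DISABLED = 4  # Start=dword:4 is "Disabled"

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unescape(s):
    # .reg string values escape backslash and double quote with a backslash
    return re.sub(r'\\(.)', r'\1', s)


def _decode(raw):
    if raw.startswith('"') and raw.endswith('"'):
        return _unescape(raw[1:-1])
    if raw.lower().startswith('dword:'):
        return int(raw[6:], 16)
    return raw  # hex(...) binary values are kept verbatim; not needed here


def parse_reg(text):
    """Return {key_path: {value_name: value}}; value names are lowercased because
    registry names are case-insensitive, and '' stands for the (Default) value."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('Windows Registry Editor'):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = '' if m.group(1) == '@' else _unescape(m.group(1)[1:-1]).lower()
            keys[current][name] = _decode(m.group(2))
    return keys


def audit(keys):
    """Return (finding, subject, detail) tuples for the four tampering patterns."""
    lower = {path.lower(): values for path, values in keys.items()}
    findings = []
    for path, values in keys.items():
        if path.lower().startswith(IFEO.lower() + '\\') and 'debugger' in values:
            findings.append(('ifeo_hijack', path.rsplit('\\', 1)[1], values['debugger']))
    for svc in TARGETED_SERVICES:
        values = lower.get((SERVICES + '\\' + svc).lower(), {})
        if values.get('start') == START_DISABLED:
            findings.append(('service_disabled', svc, START_DISABLED))
    for mode in ('Minimal', 'Network'):
        path = SAFEBOOT + '\\' + mode + '\\' + DISK_CLASS_GUID
        if path.lower() not in lower:
            findings.append(('safeboot_entry_missing', mode, path))
    if lower.get(SHOWALL.lower(), {}).get('checkedvalue') == 0:
        findings.append(('show_hidden_files_disabled', 'CheckedValue', 0))
    return findings


if __name__ == '__main__':
    for finding in audit(parse_reg(SAMPLE_REG)):
        print(*finding, sep='\t')
```

An IFEO key is only flagged when it carries a Debugger value; the notepad.exe key in the sample, which has only a GlobalFlag value, is left alone, since IFEO keys are also used legitimately by debugging tools.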
Monitors for and terminates the following processes:
avp.com
avp.exe
runiep.exe
PFW.exe
FYFireWall.exe
rfwmain.exe
rfwsrv.exe
KAVPF.exe
KPFW32.exe
nod32kui.exe
nod32.exe
Navapsvc.exe
Navapw32.exe
avconsol.exe
webscanx.exe
NPFMntor.exe
vsstat.exe
KPfwSvc.exe
RavTask.exe
Rav.exe
RavMon.exe
mmsk.exe
WoptiClean.exe
QQKav.exe
QQDoctor.exe
EGHOST.exe
360Safe.exe
iparmo.exe
adam.exe
IceSword.exe
360rpt.exe
360tray.exe
AgentSvr.exe
AppSvc32.exe
autoruns.exe
avgrssvc.exe
AvMonitor.exe
CCenter.exe
ccSvcHst.exe
FileDsty.exe
FTCleanerShell.exe
HijackThis.exe
Iparmor.exe
isPwdSvc.exe
kabaload.exe
KaScrScn.SCR
KASMain.exe
KASTask.exe
KAV32.exe
KAVDX.exe
KAVPFW.exe
KAVSetup.exe
KAVStart.exe
KISLnchr.exe
KMailMon.exe
KMFilter.exe
KPFW32X.exe
KPFWSvc.exe
KRegEx.exe
KRepair.com
KsLoader.exe
KVCenter.kxp
KvDetect.exe
KvfwMcl.exe
KVMonXP.kxp
KVMonXP_1.kxp
kvol.exe
kvolself.exe
KvReport.kxp
KVScan.kxp
KVSrvXP.exe
KVStub.kxp
kvupload.exe
kvwsc.exe
KvXP.kxp
KvXP_1.kxp
KWatch.exe
KWatch9x.exe
KWatchX.exe
loaddll.exe
MagicSet.exe
mcconsol.exe
mmqczj.exe
nod32krn.exe
PFWLiveUpdate.exe
QHSET.exe
RavMonD.exe
RavStub.exe
RegClean.exe
rfwcfg.exe
RfwMain.exe
RsAgent.exe
Rsaupd.exe
safelive.exe
scan32.exe
shcfg32.exe
SmartUp.exe
SREng.EXE
symlcsvc.exe
SysSafe.exe
TrojanDetector.exe
Trojanwall.exe
TrojDie.kxp
UIHost.exe
UmxAgent.exe
UmxAttachment.exe
UmxCfg.exe
UmxFwHlp.exe
UmxPol.exe
UpLive.exe
upiea.exe
AST.exe
ArSwp.exe
USBCleaner.exe
rstrui.exe
Filters the following "keywords": any window whose title contains one of them is closed.
木馬 (trojan)
木馬 (trojan)
病毒 (virus)
防毒 (antivirus)
防毒 (antivirus)
查毒 (virus scan)
防毒 (antivirus)
專殺 (special removal tool)
專殺 (special removal tool)
卡巴 (Kaspersky, short form)
江民 (Jiangmin)
瑞星 (Rising)
毒霸 (Kingsoft Duba)
惡意軟體 (malicious software)
流氓軟體 (rogue software)
上報 (report/submit)
QQ安全 (QQ Security)
舉報 (report)
報警 (alert)
殺軟 (AV software)
殺軟 (AV software)
防殺 (anti-kill)
防殺 (anti-kill)
專 殺 (with a space; this is why Kingsoft's special removal tool cannot start: that keyword is filtered as well)
360安全 (360 Security)
QQ醫生 (QQ Doctor)
進程 (process)
System
Microsoft Shared
微點 (Micropoint)
上報 (report/submit)
舉報 (report)
進程 (process)
Process
Virus
Trojan
Connects to the network and downloads a trojan and a piece of rogue software from
http://www.xxxxx.com/soft/fox/GameSetup.exe
http://www.xxxxx.com/soft/fox/Setup.exe
into Program Files as 1AGameSetup.exe and 2BSetup.exe respectively; these are the installers for the trojan and the rogue software.
After the trojan and rogue software have been installed, the following files appear (including but not limited to):
C:\WINDOWS\system32\drivers\809igndb.sys
C:\WINDOWS\system32\drivers\acpidisk.sys
C:\WINDOWS\system32\drivers\iExplorer.exe
C:\WINDOWS\system32\drivers\kz0q8id6.sys
C:\WINDOWS\system32\1b1.dll
C:\WINDOWS\system32\60e41.exe
C:\WINDOWS\system32\ad_2201.exe
C:\WINDOWS\system32\b601.dll
C:\WINDOWS\system32\bnkgqpadwh.dll
C:\WINDOWS\system32\mprmsgse.axz
C:\WINDOWS\system32\mscpx32r.det
C:\WINDOWS\031.bmp
C:\WINDOWS\3fa1.exe
C:\WINDOWS\716dairx.exe
C:\WINDOWS\716daiwm.exe
C:\WINDOWS\716daiwow.exe
C:\WINDOWS\716daizx.exe
C:\WINDOWS\716dgj.exe
C:\WINDOWS\716dwl.exe
C:\WINDOWS\ad_2201.exe
C:\WINDOWS\boolan95.exe
C:\WINDOWS\dodolook386.exe
C:\WINDOWS\fa7c1.txt
C:\WINDOWS\kulionrx.dll
C:\WINDOWS\kulionrx.exe
C:\WINDOWS\kulionwl.dll
C:\WINDOWS\kulionwm.dll
C:\WINDOWS\kulionzx.dll
C:\WINDOWS\kulionzx.exe
C:\WINDOWS\my_70087.exe
C:\WINDOWS\video.dll
C:\WINDOWS\winow.dll
C:\WINDOWS\winow.exe
C:\WINDOWS\winwl.exe
C:\WINDOWS\winwm.exe
C:\WINDOWS\wmsj.exe
C:\WINDOWS\齊看網Setup2.exe
C:\Program Files\1AGameSetup.exe
C:\Program Files\2BSetup.exe
C:\PROGRA~1\yxry
C:\Documents and Settings\All Users\Application Data\Microsoft\PCTools\pctools.dll
These include rogue software and account-stealing trojans.
The SREng log shows the following:
Services
[Windows dcwd RunThem / dcwd][Running/Auto Start]
<C:\WINDOWS\System32\svchost.exe -k netsvcs-->C:\PROGRA~1\yxry\ihbi.dll>< >
[Fax 2Client / ms_2fax][Running/Auto Start]
<C:\WINDOWS\system32\60e41.exe><N/A>
Drivers
[809ignd / 809igndb][Running/Boot Start]
<\SystemRoot\System32\DRIVERS\809igndb.sys><N/A>
[acpidisk / acpidisk][Running/Auto Start]
<\??\C:\WINDOWS\system32\drivers\acpidisk.sys><N/A>
[kz0q8id6 / kz0q8id6][Running/Auto Start]
<\??\C:\WINDOWS\system32\drivers\kz0q8id6.sys><N/A>
Browser add-ons
[Info cache]
{385AB8C6-FB22-4D17-8834-064E2BA0A6F0} <C:\Documents and Settings\All Users\Application Data\Microsoft\PCTools\pctools.dll, 金泰豐(廣州)科技有限公司>
[ff Class]
{FAAAC0F6-94BE-4466-934B-7C53666A2F41} <C:\WINDOWS\system32\b601.dll, TODO: <公司名>>
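The SREng service and driver entries above follow a regular two-line format: a [Display name / Service name][State/Start type] header, then <image path><company>, where an svchost-hosted service shows the svchost command line, an arrow, and the DLL it loads. The following is an added example, not part of SREng: it parses that format (the format is inferred from the excerpt above) and applies two triage heuristics that separate the malicious entries in this log from normal ones, namely a loaded module outside the Windows directory and a missing company/version string. The sample reuses the lines quoted above and adds one constructed benign svchost-hosted entry for contrast.

```python
"""Triage the service/driver section of an SREng log: flag entries whose loaded
module sits outside the Windows directory or carries no company/version info.
Added example, not SREng's own tooling; the line format is inferred from the
log excerpt in the report (one [Display / Name][State/Start] header line, then
one <image><company> detail line)."""
import re

# Sample log: the service and driver lines quoted in the report, plus one
# constructed benign svchost-hosted entry (DNS Client) for contrast.
SAMPLE_LOG = r'''
[Windows dcwd RunThem / dcwd][Running/Auto Start]
<C:\WINDOWS\System32\svchost.exe -k netsvcs-->C:\PROGRA~1\yxry\ihbi.dll>< >
[Fax 2Client / ms_2fax][Running/Auto Start]
<C:\WINDOWS\system32\60e41.exe><N/A>
[DNS Client / Dnscache][Running/Auto Start]
<C:\WINDOWS\system32\svchost.exe -k NetworkService-->C:\WINDOWS\system32\dnsrslvr.dll><Microsoft Corporation>
[acpidisk / acpidisk][Running/Auto Start]
<\??\C:\WINDOWS\system32\drivers\acpidisk.sys><N/A>
'''

HEADER_RE = re.compile(
    r'^\[(?P<display>.*?) / (?P<name>[^\]]*)\]\[(?P<state>[^/\]]*)/(?P<start>[^\]]*)\]$')
DETAIL_RE = re.compile(r'^<(?P<image>.*)><(?P<company>.*)>$')
WINDIR = 'c:\\windows\\'  # assumption: the default %WINDIR% seen in the report


def parse_sreng(text):
    """Pair each header line with the detail line that follows it."""
    entries, header = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            header = m.groupdict()
            continue
        m = DETAIL_RE.match(line)
        if m and header is not None:
            image = m.group('image').strip()
            # svchost-hosted services are logged as "<svchost cmdline>--><dll>";
            # the DLL after the arrow is the code that actually runs
            module = image.split('-->', 1)[1].strip() if '-->' in image else image
            if module.startswith('\\??\\'):   # NT path prefix used on some drivers
                module = module[4:]
            entries.append(dict(header, module=module, company=m.group('company').strip()))
            header = None
    return entries


def suspicious(entries):
    """Return (service_name, module, reasons) for entries matching a heuristic."""
    out = []
    for e in entries:
        reasons = []
        if not e['module'].lower().startswith(WINDIR):
            reasons.append('module outside %WINDIR%')
        if e['company'] in ('', 'N/A'):
            reasons.append('no company/version info')
        if reasons:
            out.append((e['name'], e['module'], reasons))
    return out


if __name__ == '__main__':
    for name, module, reasons in suspicious(parse_sreng(SAMPLE_LOG)):
        print(name, module, '; '.join(reasons), sep='\t')
```

Both heuristics produce false positives on their own (third-party services legitimately live under Program Files, and some drivers ship without version info), so the output is a shortlist for a human to check against the file list in this report, not a verdict.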
Solution
Cleaning up the main virus program
Because the relevant special removal tools no longer work, it has to be removed by hand.
1. Download IceSword from
http://www.ttian.net/website/2005/0829/391.html
Unzip it, rename Icesword.exe, and run it.
On the menu bar choose File > Settings, tick "Prohibit process/thread creation", and confirm.
In the view pane click Processes and look for processes running from C:\Program Files\Common Files\Microsoft Shared
or C:\Program Files\Common Files\System with random 7-letter names (note their names).
If any are present, terminate each of them.
If Rising firewall is installed, the rfwsrv.exe process also needs to be terminated.
Then go back to File > Settings, untick "Prohibit process/thread creation", and confirm.
Still in IceSword, click the Files button at the bottom left,
locate the two random 7-letter exes under C:\Program Files\Common Files\Microsoft Shared
and C:\Program Files\Common Files\System, and right-click > delete each of them.
The following files also need to be deleted:
C:\Program Files\meex.exe
C:\Program Files\syuhxcx.inf (random 7-letter name)
as well as the autorun.inf and the random 7-letter exe in the root of every partition (do not forget this step).
2. Download SREng from
http://download.kztechs.com/files/sreng2.zip
Run it; under Startup Items > Registry delete all IFEO entries shown in red.
Delete the random 7-letter startup entries under [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run].
In this test they were the following values:
<syuhxcx><C:\Program Files\Common Files\System\gamkqme.exe> []
<pmovrao><C:\Program Files\Common Files\Microsoft Shared\vdiwghf.exe> []
In SREng go to Repair > Windows Shell/IE, select "Show hidden files", and click Repair below.
In SREng go to Repair > Advanced Repair > Repair Safe Mode and click Yes in the dialog.
Cleaning up the downloaded trojan and rogue software
At this point the main virus program has been removed.
Next, the downloaded trojan and rogue software are cleaned up.
Note: the trojan and rogue software the virus downloads vary, so this cleanup procedure is for reference only.
First download Xdelbox 1.3 from http://www.i170.com/attach/92EB2ED9-6D11-441D-8A28-2A9B08F0452E
Then restart the computer into Safe Mode (keep pressing F8 after power-on; when the advanced menu appears, choose the first item, Safe Mode, and let the system start).
Open SREng.
Under "Startup Items" > "Services" > "Win32 Services", click "Hide certified Microsoft items",
select the following items, click "Delete Service", then click "Settings" and choose "No" in the dialog:
Windows dcwd RunThem / dcwd
Fax 2Client / ms_2fax
Under "Startup Items" > "Services" > "Drivers", click "Hide certified Microsoft items",
select the following items, click "Delete Service", then click "Settings" and choose "No" in the dialog:
acpidisk / acpidisk
kz0q8id6 / kz0q8id6
Under System Repair > Browser Add-ons, find the following item, click "Delete Item", and choose "Yes" in the dialog:
[ff Class]
{FAAAC0F6-94BE-4466-934B-7C53666A2F41} <C:\WINDOWS\system32\b601.dll, TODO: <公司名>>
Double-click My Computer, choose Tools > Folder Options > View, select "Show hidden files and folders" and clear the tick in front of "Hide protected operating system files (Recommended)". When asked to confirm the change, click "Yes", then OK.
Click the Folders button just below the menu bar (to the right of Search),
use the tree on the left to open drive C:,
and delete the following files:
C:\Program Files\yxry (the whole folder)
C:\WINDOWS\system32\1b1.dll
C:\WINDOWS\system32\60e41.exe
C:\WINDOWS\system32\ad_2201.exe
C:\WINDOWS\system32\b601.dll
C:\WINDOWS\system32\mprmsgse.axz
C:\WINDOWS\system32\mscpx32r.det
C:\WINDOWS\031.bmp
C:\WINDOWS\3fa1.exe
C:\WINDOWS\716dairx.exe
C:\WINDOWS\716daiwm.exe
C:\WINDOWS\716daiwow.exe
C:\WINDOWS\716daizx.exe
C:\WINDOWS\716dgj.exe
C:\WINDOWS\716dwl.exe
C:\WINDOWS\ad_2201.exe
C:\WINDOWS\boolan95.exe
C:\WINDOWS\dodolook386.exe
C:\WINDOWS\fa7c1.txt
C:\WINDOWS\kulionrx.dll
C:\WINDOWS\kulionrx.exe
C:\WINDOWS\kulionwl.dll
C:\WINDOWS\kulionwm.dll
C:\WINDOWS\kulionzx.dll
C:\WINDOWS\kulionzx.exe
C:\WINDOWS\my_70087.exe
C:\WINDOWS\video.dll
C:\WINDOWS\winow.dll
C:\WINDOWS\winow.exe
C:\WINDOWS\winwl.exe
C:\WINDOWS\winwm.exe
C:\WINDOWS\wmsj.exe
C:\WINDOWS\齊看網Setup2.exe
C:\Program Files\1AGameSetup.exe
C:\Program Files\2BSetup.exe
C:\WINDOWS\system32\drivers\acpidisk.sys
C:\WINDOWS\system32\drivers\iExplorer.exe
C:\WINDOWS\system32\drivers\kz0q8id6.sys
Open Xdelbox 1.3 and enter the following files:
C:\WINDOWS\system32\drivers\809igndb.sys
C:\WINDOWS\system32\bnkgqpadwh.dll
C:\Documents and Settings\All Users\Application Data\Microsoft\PCTools\pctools.dll
Click Add, select all three files, and choose "Reboot now and delete".
After the reboot, congratulations: all of the virus has been killed!