Removing the new AV Terminator variant (the random-7-letter-name virus) with tasklist and taskkill (original post)
A computer at my company caught this virus today, and neither Kaspersky nor 360Safe would run. Since the machine runs XP, I thought of using tasklist and taskkill to remove it. The method:
Run --> cmd.exe. First use tasklist >>list.txt to get the virus process's PID, then run taskkill /F /T /PID <pid>. /F forces termination; /T also terminates the process tree (the child processes the virus started), and because the virus has associated processes you must add it to kill it off completely; /PID is the PID you took from the tasklist output. Finally run a full scan with your antivirus and 360Safe; it should turn up a good many virus files.
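As an added example (not the original poster's commands), here is the same tasklist/taskkill triage done from a saved listing, so the 7-letter names can be picked out of list.txt instead of read by eye. It assumes tasklist /FO CSV output (the listing below is constructed to imitate an XP box carrying the two dropped processes named in the analysis further down) and an allowlist of legitimate 7-letter system binaries, which is exactly what a bare pattern match gets wrong:

```python
# Added example, not from the original post: pick the random 7-letter process
# names out of "tasklist /FO CSV" output and build the taskkill commands.
#   tasklist /FO CSV > list.txt      (on the infected XP machine)
# The listing below is constructed to look like that file.
import csv
import io
import re

SAMPLE_TASKLIST = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"System Idle Process","0","Console","0","28 K"
"System","4","Console","0","236 K"
"smss.exe","548","Console","0","388 K"
"csrss.exe","612","Console","0","3,744 K"
"winlogon.exe","636","Console","0","4,112 K"
"services.exe","680","Console","0","3,520 K"
"lsass.exe","692","Console","0","1,380 K"
"svchost.exe","852","Console","0","4,896 K"
"spoolsv.exe","1284","Console","0","4,312 K"
"explorer.exe","1516","Console","0","18,440 K"
"gamkqme.exe","1732","Console","0","2,964 K"
"vdiwghf.exe","1760","Console","0","3,008 K"
"cmd.exe","1988","Console","0","2,152 K"
"tasklist.exe","2020","Console","0","4,372 K"
'''

# The variant's naming scheme: exactly seven letters plus .exe.
RANDOM_NAME = re.compile(r"^[a-z]{7}\.exe$", re.IGNORECASE)

# Legitimate XP binaries that are also seven letters long. Without this
# allowlist the pattern alone would tell you to kill svchost.exe and the
# print spooler. Assumed list; extend it for the software on your own machine.
KNOWN_GOOD = {"svchost.exe", "spoolsv.exe", "taskmgr.exe", "notepad.exe", "wscntfy.exe"}


def parse_tasklist(text):
    """Return [(image_name, pid), ...] from tasklist /FO CSV output."""
    rows = list(csv.reader(io.StringIO(text)))
    if not rows or rows[0][:2] != ["Image Name", "PID"]:
        raise ValueError("not tasklist /FO CSV output")
    return [(r[0], int(r[1])) for r in rows[1:] if len(r) >= 2]


def suspicious(processes):
    """Processes whose name fits the random-7-letter scheme and is not a known system binary."""
    return [(name, pid) for name, pid in processes
            if RANDOM_NAME.match(name) and name.lower() not in KNOWN_GOOD]


def taskkill_commands(processes):
    """One taskkill per suspect: /F forces it, /T takes its child processes too, /PID selects by PID."""
    return ["taskkill /F /T /PID %d" % pid for _, pid in suspicious(processes)]


if __name__ == "__main__":
    for line in taskkill_commands(parse_tasklist(SAMPLE_TASKLIST)):
        print(line)
```

Run it only against a listing taken from the infected machine, and confirm each hit's image path (IceSword or Process Explorer) before killing it; a 7-letter name alone is a hint, not proof. Killing the processes stops them but removes nothing: the dropped files, Run values, IFEO keys and the safe-mode damage described in the analysis below still have to be cleaned up.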
Below is material I found online, for reference.
Author: 清新陽光 ( http://hi.baidu.com/newcenturysun)
Date: 2007/07/21 (please keep this notice when reposting)
AV Terminator has been running rampant for some time. Through the joint efforts of the antivirus vendors its momentum had weakened, but recently a small-scale outbreak has suddenly reappeared, and users report that the dedicated removal tools are being killed as well. I got hold of this new variant today and analyzed it right away. Particularly worth noting is that this variant has started downloading assorted rogue software (earlier ones generally downloaded trojans).
Analysis report:
File: pmovrao.exe
Size: 26816 bytes
MD5: 8A43F7A2EB37728D5D808C4E72B65242
SHA1: A61CB036BC9A851A61E79F815A688DC04603C509
CRC32: 2B59AD2F
After running, it creates an exe with a random 7-letter name in each of C:\Program Files\Common Files\Microsoft Shared and C:\Program Files\Common Files\System. In this test they were C:\Program Files\Common Files\System\gamkqme.exe and C:\Program Files\Common Files\Microsoft Shared\vdiwghf.exe, plus
C:\Program Files\meex.exe
C:\Program Files\syuhxcx.inf (random 7-letter name)
Deletes C:\WINDOWS\system32\verclsid.exe
Walks partitions D: through Z: and creates in each root directory an autorun.inf and an exe with a random 7-letter name (here pmovrao.exe)
The right-click menu is unchanged
Checks whether the following files exist and, if so, renames each to a random 7-letter name:
autorun.inf on every partition
MSInfo\wniapsvr.exe
MSInfo\Shell.exe
MSInfo\Shell.pci
system32\progmon.exe
system32\internt.exe
Web\css.css
Com\lsass.exe
IME\svchost.exe
IME\smss.exe
Debug\debug.exe
Common Files\svchost.cnc
Common Files\Relive.dll
Internet Explorer\msvcrt.dll
Internet Explorer\PLUGINS\SysWin64.Jmp
Internet Explorer\PLUGINS\SysWin64.Sys
Internet Explorer\PLUGINS\SysWin64.Tao
Sets the startup type of the following services to Disabled:
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess (Windows Firewall / Internet Connection Sharing)
HKLM\SYSTEM\CurrentControlSet\Services\helpsvc (Help and Support)
HKLM\SYSTEM\CurrentControlSet\Services\wscsvc (Security Center)
HKLM\SYSTEM\CurrentControlSet\Services\wuauserv (Automatic Updates)
Deletes
HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}
HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}
which breaks Safe Mode (this GUID is the DiskDrive device class; with it missing from the SafeBoot lists a safe-mode boot no longer completes)
Sets
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue
to 0x00000000, which breaks the "Show hidden files and folders" option
Sets the hidden attribute on C:\Program Files\Common Files\Microsoft Shared and C:\Program Files\Common Files\System
Adds the following IFEO entries under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\, one subkey per image name (the key prefix is omitted from the list below). Each points to the random 7-letter exe under C:\Program Files\Common Files\Microsoft Shared, via the subkey's Debugger value, so launching any of these programs runs the virus in its place:
360rpt.exe
360Safe.exe
360tray.exe
adam.exe
AgentSvr.exe
AppSvc32.exe
ArSwp.exe
AST.exe
autoruns.exe
avconsol.exe
avgrssvc.exe
AvMonitor.exe
avp.com
avp.exe
CCenter.exe
ccSvcHst.exe
EGHOST.exe
FileDsty.exe
FTCleanerShell.exe
FYFireWall.exe
HijackThis.exe
IceSword.exe
iparmo.exe
Iparmor.exe
isPwdSvc.exe
kabaload.exe
KaScrScn.SCR
KASMain.exe
KASTask.exe
KAV32.exe
KAVDX.exe
KAVPF.exe
KAVPFW.exe
KAVSetup.exe
KAVStart.exe
KISLnchr.exe
KMailMon.exe
KMFilter.exe
KPFW32.exe
KPFW32X.exe
KPfwSvc.exe
KRegEx.exe
KRepair.com
KsLoader.exe
KVCenter.kxp
KvDetect.exe
KvfwMcl.exe
KVMonXP.kxp
KVMonXP_1.kxp
kvol.exe
kvolself.exe
KvReport.kxp
KVScan.kxp
KVSrvXP.exe
KVStub.kxp
kvupload.exe
kvwsc.exe
KvXP.kxp
KvXP_1.kxp
KWatch.exe
KWatch9x.exe
KWatchX.exe
loaddll.exe
MagicSet.exe
mcconsol.exe
mmqczj.exe
mmsk.exe
Navapsvc.exe
Navapw32.exe
nod32.exe
nod32krn.exe
nod32kui.exe
NPFMntor.exe
PFW.exe
PFWLiveUpdate.exe
QHSET.exe
QQDoctor.exe
QQKav.exe
Ras.exe
Rav.exe
RavMon.exe
RavMonD.exe
RavStub.exe
RavTask.exe
RegClean.exe
rfwcfg.exe
rfwmain.exe
rfwsrv.exe
RsAgent.exe
Rsaupd.exe
rstrui.exe
runiep.exe
safelive.exe
scan32.exe
shcfg32.exe
SmartUp.exe
SREng.EXE
symlcsvc.exe
SysSafe.exe
TrojanDetector.exe
Trojanwall.exe
TrojDie.kxp
UIHost.exe
UmxAgent.exe
UmxAttachment.exe
UmxCfg.exe
UmxFwHlp.exe
UmxPol.exe
upiea.exe
UpLive.exe
USBCleaner.exe
vsstat.exe
webscanx.exe
WoptiClean.exe
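The IFEO hijack above is worth seeing at the registry level. This added example (not part of the original analysis) reads a reg export of the IFEO key, keeps only the subkeys whose Debugger value does not name a real debugger, and writes the .reg file that deletes them. The export text is constructed to show one legitimate entry, two hijacked ones and one subkey with no Debugger at all; the allowlist of debugger names is an assumption.

```python
# Added example, not from the original analysis: find IFEO Debugger hijacks in a
# "reg export" of the key and generate the .reg file that removes them.
#   reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg
# reg.exe writes UTF-16; read the real file with open(path, encoding="utf-16").
# The export below is constructed for the demo.

IFEO = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"

# Programs that legitimately appear in a Debugger value (assumed allowlist).
KNOWN_DEBUGGERS = {"ntsd", "ntsd.exe", "cdb.exe", "windbg.exe", "vsjitdebugger.exe"}

SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path]
"Debugger"="ntsd -d"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe]
"Debugger"="C:\\Program Files\\Common Files\\Microsoft Shared\\vdiwghf.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IceSword.exe]
"Debugger"="C:\\Program Files\\Common Files\\Microsoft Shared\\vdiwghf.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe]
"DisableHeapLookaside"=dword:00000001
'''


def parse_reg_export(text):
    """Map image name -> {value name: raw value text} for every subkey of the IFEO key."""
    entries, current = {}, None
    prefix = IFEO.lower() + "\\"
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            current = key[len(prefix):] if key.lower().startswith(prefix) else None
            if current is not None:
                entries[current] = {}
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, value = line.partition("=")
            entries[current][name.strip('"')] = value
    return entries


def debugger_path(raw):
    """Unescape a REG_SZ value as reg export writes it; other value types are not Debugger strings."""
    if not raw.startswith('"'):
        return None
    return raw.strip('"').replace("\\\\", "\\")


def find_hijacks(entries):
    """(image name, debugger path) for every Debugger that is not a known debugger."""
    hijacks = []
    for image, values in entries.items():
        path = debugger_path(values.get("Debugger", ""))
        if path is None:
            continue
        # last path component, then drop arguments such as the "-d" in "ntsd -d"
        tokens = path.rsplit("\\", 1)[-1].split()
        if tokens and tokens[0].lower() not in KNOWN_DEBUGGERS:
            hijacks.append((image, path))
    return hijacks


def removal_reg(hijacks):
    """A .reg file deleting each hijacked subkey; a leading '-' on the key name deletes the key."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for image, _ in hijacks:
        lines.append("[-%s\\%s]" % (IFEO, image))
    return "\r\n".join(lines) + "\r\n"


if __name__ == "__main__":
    found = find_hijacks(parse_reg_export(SAMPLE_EXPORT))
    for image, path in found:
        print("%s -> %s" % (image, path))
    print(removal_reg(found))
```

Apply the generated file with regedit /s only after the dropped exes are dead and deleted, otherwise the keys come straight back. The same parser, pointed at an export of HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, shows the two random-named Run values the removal section lists.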
Monitors and terminates the following processes:
avp.com
avp.exe
runiep.exe
PFW.exe
FYFireWall.exe
rfwmain.exe
rfwsrv.exe
KAVPF.exe
KPFW32.exe
nod32kui.exe
nod32.exe
Navapsvc.exe
Navapw32.exe
avconsol.exe
webscanx.exe
NPFMntor.exe
vsstat.exe
KPfwSvc.exe
RavTask.exe
Rav.exe
RavMon.exe
mmsk.exe
WoptiClean.exe
QQKav.exe
QQDoctor.exe
EGHOST.exe
360Safe.exe
iparmo.exe
adam.exe
IceSword.exe
360rpt.exe
360tray.exe
AgentSvr.exe
AppSvc32.exe
autoruns.exe
avgrssvc.exe
AvMonitor.exe
CCenter.exe
ccSvcHst.exe
FileDsty.exe
FTCleanerShell.exe
HijackThis.exe
Iparmor.exe
isPwdSvc.exe
kabaload.exe
KaScrScn.SCR
KASMain.exe
KASTask.exe
KAV32.exe
KAVDX.exe
KAVPFW.exe
KAVSetup.exe
KAVStart.exe
KISLnchr.exe
KMailMon.exe
KMFilter.exe
KPFW32X.exe
KPFWSvc.exe
KRegEx.exe
KRepair.com
KsLoader.exe
KVCenter.kxp
KvDetect.exe
KvfwMcl.exe
KVMonXP.kxp
KVMonXP_1.kxp
kvol.exe
kvolself.exe
KvReport.kxp
KVScan.kxp
KVSrvXP.exe
KVStub.kxp
kvupload.exe
kvwsc.exe
KvXP.kxp
KvXP_1.kxp
KWatch.exe
KWatch9x.exe
KWatchX.exe
loaddll.exe
MagicSet.exe
mcconsol.exe
mmqczj.exe
nod32krn.exe
PFWLiveUpdate.exe
QHSET.exe
RavMonD.exe
RavStub.exe
RegClean.exe
rfwcfg.exe
RfwMain.exe
RsAgent.exe
Rsaupd.exe
safelive.exe
scan32.exe
shcfg32.exe
SmartUp.exe
SREng.EXE
symlcsvc.exe
SysSafe.exe
TrojanDetector.exe
Trojanwall.exe
TrojDie.kxp
UIHost.exe
UmxAgent.exe
UmxAttachment.exe
UmxCfg.exe
UmxFwHlp.exe
UmxPol.exe
UpLive.exe
upiea.exe
AST.exe
ArSwp.exe
USBCleaner.exe
rstrui.exe
Filters the following "keywords": any window whose title contains one of them is closed (the list is reproduced as given, including entries that occur twice; note that "System" and "Microsoft Shared" are in it, so an Explorer window opened on the drop directories is closed as well)
木馬 (trojan)
木馬 (trojan)
病毒 (virus)
殺毒 (antivirus)
殺毒 (antivirus)
查毒 (virus scan)
防毒 (virus protection)
專殺 (dedicated removal tool)
專殺 (dedicated removal tool)
卡巴 (Kaspersky)
江民 (Jiangmin)
瑞星 (Rising)
毒霸 (Kingsoft Duba)
惡意軟件 (malicious software)
流氓軟件 (rogue software)
上報 (report / submit)
QQ安全 (QQ security)
舉報 (report)
報警 (alert)
殺軟 (AV software)
殺軟 (AV software)
防殺 (anti-kill)
防殺 (anti-kill)
專 殺 (with a space; this is why Kingsoft's dedicated removal tool will not start, its title keyword is filtered too)
360安全 (360 security)
QQ醫生 (QQ Doctor)
進程 (process)
System
Microsoft Shared
微點 (Micropoint)
上報 (report / submit)
舉報 (report)
進程 (process)
Process
Virus
Trojan
Connects to the network and downloads a trojan and rogue software from
http://www.xxxxx.com/soft/fox/GameSetup.exe
http://www.xxxxx.com/soft/fox/Setup.exe
into Program Files, saved as 1AGameSetup.exe and 2BSetup.exe respectively; these are the installers for the trojan and the rogue software.
After the trojan and rogue software are installed, the following files appear (including but not limited to):
C:\WINDOWS\system32\drivers\809igndb.sys
C:\WINDOWS\system32\drivers\acpidisk.sys
C:\WINDOWS\system32\drivers\iExplorer.exe
C:\WINDOWS\system32\drivers\kz0q8id6.sys
C:\WINDOWS\system32\1b1.dll
C:\WINDOWS\system32\60e41.exe
C:\WINDOWS\system32\ad_2201.exe
C:\WINDOWS\system32\b601.dll
C:\WINDOWS\system32\bnkgqpadwh.dll
C:\WINDOWS\system32\mprmsgse.axz
C:\WINDOWS\system32\mscpx32r.det
C:\WINDOWS\031.bmp
C:\WINDOWS\3fa1.exe
C:\WINDOWS\716dairx.exe
C:\WINDOWS\716daiwm.exe
C:\WINDOWS\716daiwow.exe
C:\WINDOWS\716daizx.exe
C:\WINDOWS\716dgj.exe
C:\WINDOWS\716dwl.exe
C:\WINDOWS\ad_2201.exe
C:\WINDOWS\boolan95.exe
C:\WINDOWS\dodolook386.exe
C:\WINDOWS\fa7c1.txt
C:\WINDOWS\kulionrx.dll
C:\WINDOWS\kulionrx.exe
C:\WINDOWS\kulionwl.dll
C:\WINDOWS\kulionwm.dll
C:\WINDOWS\kulionzx.dll
C:\WINDOWS\kulionzx.exe
C:\WINDOWS\my_70087.exe
C:\WINDOWS\video.dll
C:\WINDOWS\winow.dll
C:\WINDOWS\winow.exe
C:\WINDOWS\winwl.exe
C:\WINDOWS\winwm.exe
C:\WINDOWS\wmsj.exe
C:\WINDOWS\齊看網Setup2.exe
C:\Program Files\1AGameSetup.exe
C:\Program Files\2BSetup.exe
C:\PROGRA~1\yxry
C:\Documents and Settings\All Users\Application Data\Microsoft\PCTools\pctools.dll
Among them are rogue software and account-stealing trojans.
The SREng log shows the following:
Services
[Windows dcwd RunThem / dcwd][Running/Auto Start]
<C:\WINDOWS\System32\svchost.exe -k netsvcs-->C:\PROGRA~1\yxry\ihbi.dll>< >
(a service hosted in svchost.exe whose ServiceDll is ihbi.dll)
[Fax 2Client / ms_2fax][Running/Auto Start]
<C:\WINDOWS\system32\60e41.exe><N/A>
Drivers
[809ignd / 809igndb][Running/Boot Start]
<\SystemRoot\System32\DRIVERS\809igndb.sys><N/A>
[acpidisk / acpidisk][Running/Auto Start]
<\??\C:\WINDOWS\system32\drivers\acpidisk.sys><N/A>
[kz0q8id6 / kz0q8id6][Running/Auto Start]
<\??\C:\WINDOWS\system32\drivers\kz0q8id6.sys><N/A>
Browser add-ons
[Info cache]
{385AB8C6-FB22-4D17-8834-064E2BA0A6F0} <C:\Documents and Settings\All Users\Application Data\Microsoft\PCTools\pctools.dll, 金泰豐(廣州)科技有限公司>
[ff Class]
{FAAAC0F6-94BE-4466-934B-7C53666A2F41} <C:\WINDOWS\system32\b601.dll, TODO: <公司名>> (the unfilled Visual C++ version-resource placeholder for the company name)
Solution:
I. Cleaning the virus's main program
Because the dedicated removal tools have been disabled, it has to be removed by hand.
1. Download IceSword
http://www.ttian.net/website/2005/0829/391.html
Unzip it, rename Icesword.exe, and run it (the rename is what gets it past the IFEO entry and the process-kill list above; choose a name that contains none of the filtered keywords either).
On the menu bar click File > Settings, tick "Forbid process/thread creation", OK (so that the process you end cannot be relaunched while you end the other).
In the view window click Process and look for processes with random 7-letter names from C:\Program Files\Common Files\Microsoft Shared and C:\Program Files\Common Files\System (note their names).
If present, end each of them.
If Rising firewall is installed, also end the rfwsrv.exe process.
Then click File > Settings on the menu bar again, untick "Forbid process/thread creation", OK.
Still in IceSword, click the File button at the lower left, find the two random 7-letter exes under C:\Program Files\Common Files\Microsoft Shared and C:\Program Files\Common Files\System, and right-click > delete each of them.
Also delete the following files:
C:\Program Files\meex.exe
C:\Program Files\syuhxcx.inf (random 7-letter name)
and the autorun.inf plus the random 7-letter exe in the root of every partition (do not forget this step).
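Because the autorun.inf in each partition root is what relaunches the virus when a drive is opened, it pays to read it rather than double-click it. This added example (not from the original post) parses the [AutoRun] section, collects every command it can trigger (open=, shellexecute= and shell\<verb>\command=), and lists the root files to delete. The autorun.inf body is constructed around the page's sample name pmovrao.exe; the real file's layout may differ.

```python
# Added example, not from the original post: read an autorun.inf from a
# partition root and list the executables it launches, so the matching
# random-named file is deleted together with it. Constructed sample file.
import re

SAMPLE_AUTORUN = """[AutoRun]
open=pmovrao.exe
shellexecute=pmovrao.exe
shell\\Auto\\command=pmovrao.exe
shell=Auto
"""

# The variant's naming scheme: exactly seven letters plus .exe.
RANDOM_NAME = re.compile(r"^[a-z]{7}\.exe$", re.IGNORECASE)


def parse_autorun(text):
    """Return {key: value} for the [AutoRun] section, keys lower-cased; other sections are ignored."""
    values, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            values[key.strip().lower()] = value.strip()
    return values


def launched_commands(values):
    """Every command string the file can trigger: open=, shellexecute=, and shell\\<verb>\\command=."""
    cmds = [values[k] for k in ("open", "shellexecute") if k in values]
    cmds += [v for k, v in values.items() if k.startswith("shell\\") and k.endswith("\\command")]
    return cmds


def first_token(cmd):
    """The program part of a command line: a quoted path, or the text up to the first space."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def launched_executables(values):
    """Distinct executable file names, without directory or arguments, in first-seen order."""
    seen = []
    for cmd in launched_commands(values):
        name = first_token(cmd).rsplit("\\", 1)[-1]
        if name and name not in seen:
            seen.append(name)
    return seen


def files_to_delete(drive, text):
    """Root-directory paths to remove: autorun.inf itself plus each random-named exe it launches."""
    names = [n for n in launched_executables(parse_autorun(text)) if RANDOM_NAME.match(n)]
    return [drive + "\\autorun.inf"] + [drive + "\\" + n for n in names]


if __name__ == "__main__":
    for path in files_to_delete("D:", SAMPLE_AUTORUN):
        print(path)
```

Open drives from cmd.exe or the Explorer address bar while cleaning: a double-click in My Computer executes the shell\<verb>\command line the parser prints. Repeat for every drive letter from D: to Z:, since the analysis says the variant writes to every partition.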
2. Download SREng
http://download.kztechs.com/files/sreng2.zip
Run it: Startup Items > Registry, delete all the IFEO items shown in red.
Delete the random-7-letter startup entries under [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]; in this test they were
<syuhxcx><C:\Program Files\Common Files\System\gamkqme.exe> []
<pmovrao><C:\Program Files\Common Files\Microsoft Shared\vdiwghf.exe> []
SREng: Repair > Windows shell/IE, tick "Show hidden files", click Repair below.
SREng: Repair > Advanced Repair > Repair Safe Mode, click Yes in the dialog.
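The same registry repairs as a .reg file, for when SREng itself is blocked; apply it with regedit /s, which opens no window for the title filter to close. This is an added example, not from the original post. It assumes the four services were at the XP SP2 default of Automatic before infection, uses the two Run value names seen in this test, and shows three of the 114 IFEO image names; the rest are added the same way.

```reg
Windows Registry Editor Version 5.00

; Added repair script (not from the original post). Apply only after the virus
; processes are dead and the dropped exes deleted, or the keys are re-created:
;   regedit /s avterm_fix.reg

; 1. Restore Safe Mode. The deleted subkey is the DiskDrive device class and
;    its default value is "DiskDrive". CurrentControlSet is normally a link to
;    ControlSet001; both are listed because the variant deleted both.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

; 2. Restore "Show hidden files and folders" (the variant set it to 0).
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000001

; 3. Put the four disabled services (Start=4) back to Automatic (Start=2),
;    assuming they were at the XP SP2 default before infection.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\helpsvc]
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
"Start"=dword:00000002

; 4. Delete the two Run values from this test ("=-" removes a value).
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"syuhxcx"=-
"pmovrao"=-

; 5. Delete the IFEO hijacks ("[-key]" removes a key). Three of the 114 image
;    names are shown; add one line per remaining name from the list above.
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IceSword.exe]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SREng.EXE]
```

Check the result with reg query on the SafeBoot key and the SHOWALL value before rebooting into Safe Mode for part II; if either is still missing, the virus process was still alive when the file was applied.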
II. Cleaning the downloaded trojan and rogue software
At this point the virus's main program has been removed; next come the downloaded trojan and rogue software.
Note: the trojan and rogue software the virus downloads vary, so this cleanup procedure is for reference only.
First download Xdelbox1.3 from http://www.i170.com/attach/92EB2ED9-6D11-441D-8A28-2A9B08F0452E
Then restart the computer into Safe Mode (press F8 repeatedly after power-on; in the advanced menu that appears choose the first item, Safe Mode).
Open SREng.
Under "Startup Items" - "Services" - "Win32 Service Applications", click "Hide verified Microsoft items", select the following items, click "Delete Service", then click "Setup" and answer "No" in the dialog:
Windows dcwd RunThem / dcwd
Fax 2Client / ms_2fax
Under "Startup Items" - "Services" - "Drivers", click "Hide verified Microsoft items", select the following items, click "Delete Service", then click "Setup" and answer "No" in the dialog:
acpidisk / acpidisk
kz0q8id6 / kz0q8id6
System Repair - Browser Add-ons: find the following item, click "Delete item", and answer "Yes" in the dialog:
[ff Class]
{FAAAC0F6-94BE-4466-934B-7C53666A2F41} <C:\WINDOWS\system32\b601.dll, TODO: <公司名>>
Double-click My Computer, then Tools, Folder Options, View; select "Show hidden files and folders" and clear the tick in front of "Hide protected operating system files (Recommended)". When asked to confirm the change, click "Yes", then OK.
Click the Folders button below the menu bar (to the right of Search).
In the explorer pane on the left go to drive C: and
delete the following files:
C:\Program Files\yxry (the whole folder)
C:\WINDOWS\system32\1b1.dll
C:\WINDOWS\system32\60e41.exe
C:\WINDOWS\system32\ad_2201.exe
C:\WINDOWS\system32\b601.dll
C:\WINDOWS\system32\mprmsgse.axz
C:\WINDOWS\system32\mscpx32r.det
C:\WINDOWS\031.bmp
C:\WINDOWS\3fa1.exe
C:\WINDOWS\716dairx.exe
C:\WINDOWS\716daiwm.exe
C:\WINDOWS\716daiwow.exe
C:\WINDOWS\716daizx.exe
C:\WINDOWS\716dgj.exe
C:\WINDOWS\716dwl.exe
C:\WINDOWS\ad_2201.exe
C:\WINDOWS\boolan95.exe
C:\WINDOWS\dodolook386.exe
C:\WINDOWS\fa7c1.txt
C:\WINDOWS\kulionrx.dll
C:\WINDOWS\kulionrx.exe
C:\WINDOWS\kulionwl.dll
C:\WINDOWS\kulionwm.dll
C:\WINDOWS\kulionzx.dll
C:\WINDOWS\kulionzx.exe
C:\WINDOWS\my_70087.exe
C:\WINDOWS\video.dll
C:\WINDOWS\winow.dll
C:\WINDOWS\winow.exe
C:\WINDOWS\winwl.exe
C:\WINDOWS\winwm.exe
C:\WINDOWS\wmsj.exe
C:\WINDOWS\齊看網Setup2.exe
C:\Program Files\1AGameSetup.exe
C:\Program Files\2BSetup.exe
C:\WINDOWS\system32\drivers\acpidisk.sys
C:\WINDOWS\system32\drivers\iExplorer.exe
C:\WINDOWS\system32\drivers\kz0q8id6.sys
Open Xdelbox1.3 and enter the following files:
C:\WINDOWS\system32\drivers\809igndb.sys
C:\WINDOWS\system32\bnkgqpadwh.dll
C:\Documents and Settings\All Users\Application Data\Microsoft\PCTools\pctools.dll
Click Add, select the 3 files, and choose "Restart now and delete". (These three are left to Xdelbox because they are still in use even in Safe Mode; per the SREng log, 809igndb is a boot-start driver, so it has to be deleted during the restart.)
After the second restart, congratulations: all the viruses are gone!