清理了一毒窝,基本上能中的全中了
最后那些病毒的尸体加起来就有30M,恐怖。害得我杀了一个工作日,好久不碰病毒,技艺生疏也。
能干的坏事全干了,能藏的位置全藏了。病毒主要藏身位置:
C:/ 系统盘根目录下
C:/WINDOWS/
C:/WINDOWS/system
C:/windows/fonts
c:/windows/inf
C:/WINDOWS/system32/config/
C:/WINDOWS/system32
c:/windows/system32/drivers
C:/WINDOWS/system32/inf/
C:/WINDOWS/temp
c:/docume~1/admini~1/locals~1/temp/
C:/Documents and Settings/All Users/「开始」菜单/程序/启动/
c:/program files/internet explorer/plugins/
C:/windows/Downloaded Program Files/
C:/WINDOWS/Help/
C:/Documents and Settings/Administrator/Local Settings/Temp
各个盘根目录下,各个盘回收站receycled目录中
等等。
还有个乖乖的目录 C:/runauto...
很多病毒图标就采用文件夹的图标,勿混淆
C:/windows/zuoyu16.ini 是一个病毒的记录,把其中记录的文件一一删除
把文件按照创建时间和修改时间排序,即可基本上把所有病毒体都找出来。
打开C:/windows/system32/drivers/etc/hosts文件(可用记事本、word等文本编辑器或字处理软件打开),把其中的东西该删除的删除,如果不会,直接使用SREng把hosts文件重置即可。
C:/ntldr.exe
C:/discovery.exe
C:/recycled/dc1.exe
C:/WINDOWS/SVIQ.EXE
C:/WINDOWS/system/Fun.exe
C:/WINDOWS/dc.exe
C:/WINDOWS/inf/Other.exe
C:/WINDOWS/system32/config/Win.exe
C:/WINDOWS/Fonts/cd8b366baadbfc0c4ab44b982b5c3781/system/soundma.exe
c:/program files/internet explorer/plugins/winsys8v.sys
C:/WINDOWS/system32/15b1.dll
C:/windows/Downloaded Program Files/461b.dll
C:/windows/Downloaded Program Files/15b.exe
C:/Program Files/Common Files/CPUSH/cpush.dll
下面的东西摘自SREng和Autoruns的扫描,有删减,删减过程中可能遗漏某些病毒,也可能勿写非病毒文件。
[HKEY_CURRENT_USER/Software/Microsoft/Windows/CurrentVersion/Run]
<dc2k5><C:/WINDOWS/SVIQ.EXE> []
<Fun><C:/WINDOWS/system/Fun.exe> []
<dc><C:/WINDOWS/dc.exe> []
[HKEY_CURRENT_USER/Software/Microsoft/Windows NT/CurrentVersion/Windows]
<load><C:/WINDOWS/inf/Other.exe> []
<run><C:/WINDOWS/system32/config/Win.exe> []
[HKEY_LOCAL_MACHINE/Software/Microsoft/Windows/CurrentVersion/Run]
<inudhya><C:/WINDOWS/Fonts/cd8b366baadbfc0c4ab44b982b5c3781/system/soundma.exe> []
<mfchlp32><C:/WINDOWS/mfchlp32.exe> []
<tciocp32><C:/WINDOWS/tciocp32.exe> []
<msccrt><C:/WINDOWS/msccrt.exe> []
<fmsbbqi><C:/WINDOWS/fmsbbqi.exe> []
<RavLoa><C:/WINDOWS/system32/RavLoa.exe> []
<TBMonEx><C:/WINDOWS/Fonts/cd8b366baadbfc0c4ab44b982b5c3781/system/> [N/A]
<DbgHlp32><C:/WINDOWS/DbgHlp32.exe> []
<SHAProc><C:/WINDOWS/SHAProc.exe> []
<igzwzslm><C:/WINDOWS/gwsmhxuq.exe> []
<PTSShell><C:/WINDOWS/PTSShell.exe> []
<WSockDrv32><C:/WINDOWS/WSockDrv32.exe> []
<AVPSrv><C:/WINDOWS/AVPSrv.exE> []
<upxdnd><C:/WINDOWS/upxdnd.exe> []
<LotusHlp><C:/WINDOWS/LotusHlp.exe> []
<cmdbcs><C:/WINDOWS/cmdbcs.exe> []
[HKEY_LOCAL_MACHINE/Software/Microsoft/Windows/CurrentVersion/RunOnce]
<vymwvk44><%systemroot%/system32/Rundll32.exe %systemroot%/system32/vymwvk44.dll DllUnregisterServer> [N/A]
[HKEY_LOCAL_MACHINE/Software/Microsoft/Windows/CurrentVersion/Policies/Explorer/Run]
<zuoyue><C:/WINDOWS/system32/inf/svch0st.exe C:/WINDOWS/system32/lwizysy16_080414.dll start> [N/A]
<zsmscc><rundll32.exe C:/WINDOWS/system32/mycc080201.dll mymain> [N/A]
[HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows/CurrentVersion/Explorer/ShellExecuteHooks]
<{AEB6717E-7E19-11d0-97EE-00C04FD91972}><shell32.dll> [(Verified)Microsoft Windows Component Publisher]
<{32CD708B-60A7-4C00-9377-D73EAA495F0F}><> [N/A]
<{6ce08af1-5f70-4c1a-8d1a-8aba11619e87}><C:/WINDOWS/system32/ayFKKFKK1055.dll> []
<{fe0ebc25-107f-4fda-ada3-7238573f90ad}><C:/WINDOWS/system32/ayJHVJHV1015.dll> []
<{734bfbb9-34f7-441c-b064-b3590bbe34ea}><C:/WINDOWS/system32/txWWQWWQ1006.dll> []
<{c4bf46a2-1c05-427d-992f-4e24f7d57f68}><C:/WINDOWS/system32/ttNNBNNB1047.dll> []
<{05922c2d-da84-48e8-a3e4-e797c58c39cf}><C:/WINDOWS/system32/ttEZZEZZ1046.dll> []
<{29fab913-d0cd-477b-a3f0-3d7c3a90379b}><C:/WINDOWS/system32/ttVUFVUF1011.dll> []
<{79dae25e-7bee-4484-bb1a-f30c45d535d9}><C:/WINDOWS/system32/ttQACQAC1035.dll> []
<{6167F471-EF2B-41DD-A5E5-C26ACDB5C096}><C:/Program Files/Internet Explorer/PLUGINS/WinSys8v.Sys> []
<{b669b098-7a40-42da-91f5-f3cadf9319e1}><C:/WINDOWS/system32/txRJHRJH1021.dll> []
[HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Active Setup/Installed Components/Discoverr]
<N/A><C:/WINDOWS/system32/Discovery.exe> []
[HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/] 映像劫持
<C:/WINDOWS/system32/Discovery.exe> 和 <C:/xue.exe>劫持了一大堆的工具软件,这俩还有竞争
==================================
启动文件夹
[webspeed]
<C:/Documents and Settings/All Users/「开始」菜单/程序/启动/webspeed.exe --> [N/A]><N>
==================================
服务
[DCOM Service Process Manager / DCOMManager][Stopped/Auto Start]
<C:/WINDOWS/system32/svchost.exe -k netsvcs-->c:/windows/inf/pcidevices8.inf><Microsoft Corporation>
[Windows ptug RunThem / ptug][Stopped/Auto Start]
<C:/WINDOWS/System32/svchost.exe -k netsvcs-->C:/PROGRA~1/kopb/uyzl.dll><>
[Remote Procedure Call System(RPCS) / RpcS][Stopped/Auto Start]
<C:/WINDOWS/system32/RpcS.exe><Microsoft Corporation>
[Perfor and Alell / Transfer Service][Stopped/Auto Start]
<C:/WINDOWS/system32/Transfer Sebvice.exe><N/A>
==================================
驱动程序
[cqit / cqit][Stopped/Auto Start]
</??/C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/tmp33.tmp><N/A>
[dohs / dohs][Stopped/Auto Start]
</??/C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/tmpDF.tmp><N/A>
[fpids32 / fpids32][Stopped/Auto Start]
</??/C:/WINDOWS/system32/drivers/msosfpids32.sys><N/A>
[iCafe Manager / iCafe Manager][Stopped/Manual Start]
</??/C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/usbhcid.sys><N/A>
[kbrhqjlb / kbrhqjlb][Running/Boot Start]
</SystemRoot//SystemRoot/System32/drivers/kbrhqjlb.sys><N/A>
[mhfp / mhfp][Stopped/Auto Start]
</??/C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/tmp258.tmp><N/A>
[mnsf / mnsf][Stopped/Auto Start]
</??/C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/tmp265.tmp><N/A>
[msfpfis64 / msfpfis64][Stopped/Auto Start]
</??/C:/WINDOWS/system32/drivers/msosmsfpfis64.sys><N/A>
[ZTE USB / MX_98Drv][Stopped/Auto Start]
[NPF / NPF][Stopped/Manual Start]
</??/C:/WINDOWS/system32/drivers/EF.tmp><N/A>
[npkcrypt / npkcrypt][Stopped/Auto Start]
</??/C:/Program Files/QQ2006/npkcrypt.sys><N/A>
[ntptdb / ntptdb][Stopped/Auto Start]
</??/C:/Documents and Settings/All Users/Application Data/Microsoft/Office/SYSTEM/ntptdb.sys><N/A>
[RESSDT / RESSDT][Stopped/Manual Start]
</??/C:/WINDOWS/system32/ssdtdt.sys><N/A>
[Sc Manager / Sc Manager][Stopped/Manual Start]
</??/C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/usbcams3.sys><N/A>
[vymwvk4 / vymwvk44][Running/Boot Start]
</SystemRoot/System32/DRIVERS/vymwvk44.sys><N/A>
[kavell / kavell][Stopped/Manual Start]
</??/C:/WINDOWS/system32/kavell.sys><N/A>
[PID: 956][C:/WINDOWS/Explorer.exe] [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
[C:/WINDOWS/system32/xbcvxb.dll] [N/A, ]
[C:/WINDOWS/system32/msepbe.dll] [N/A, ]
[C:/WINDOWS/system32/ayFKKFKK1055.dll] [N/A, ]
[C:/WINDOWS/system32/ayJHVJHV1015.dll] [N/A, ]
[C:/WINDOWS/system32/txWWQWWQ1006.dll] [N/A, ]
[C:/WINDOWS/system32/ttNNBNNB1047.dll] [N/A, ]
[C:/WINDOWS/system32/ttEZZEZZ1046.dll] [N/A, ]
[C:/WINDOWS/system32/ttVUFVUF1011.dll] [N/A, ]
[C:/WINDOWS/system32/ttQACQAC1035.dll] [N/A, ]
[C:/Program Files/Internet Explorer/PLUGINS/WinSys8v.Sys] [N/A, ]
[C:/WINDOWS/system32/txRJHRJH1021.dll] [N/A, ]
[PID: 1140][C:/WINDOWS/SVIQ.EXE] [, 1.00]
[C:/WINDOWS/system32/xbcvxb.dll] [N/A, ]
[C:/WINDOWS/system32/msepbe.dll] [N/A, ]
[C:/Program Files/Internet Explorer/PLUGINS/WinSys8v.Sys] [N/A, ]
[PID: 1188][C:/WINDOWS/dc.exe] [, 1.00]
[PID: 1416][C:/WINDOWS/system/Fun.exe] [, 1.00]
==================================
Autorun.inf
[C:/]
[AutoRun]
Open=Discovery.exe
Shell/Open=打开(&O)
Shell/Open/Command=Discovery.exe
Shell/Open/Default=1
Shell/Explore=资源管理器(&X)
Shell/Explore/Command=Discovery.exe
==================================
进程特权扫描
特殊特权被允许: SeDebugPrivilege [PID = 1140, C:/WINDOWS/SVIQ.EXE]
特殊特权被允许: SeDebugPrivilege [PID = 1188, C:/WINDOWS/DC.EXE]
特殊特权被允许: SeDebugPrivilege [PID = 1416, C:/WINDOWS/SYSTEM/FUN.EXE]
[QQgame]
<C:/Documents and Settings/All Users/「开始」菜单/程序/启动/QQgame.exe --> [N/A]><N>
==================================
浏览器加载项
+ brush Class File not found: c:/windows/system32/solid.dll
+ CAdLogic Object c:/program files/common files/cpush/cpush.dll
+ HTML Doucment File not found: C:/WINDOWS/system32/mseval.dll
+ Invoke Class File not found: C:/WINDOWS/system32/15b1.dll
+ Windows Word File not found: C:/WINDOWS/system32/newtn.dll
+ {989D2FEB-5411-4565-8988-1DD2C5263377} File not found: C:/WINDOWS/system32/SysInfo.dll
HKLM/Software/Microsoft/Internet Explorer/Toolbar
+ msdxm.ocx File not found: C:/msdxm.ocx
HKLM/System/CurrentControlSet/Services
+ DCOMManager 管理 DCOM 服务加载功能,该服务不能被删除。 Microsoft Corporation c:/windows/inf/pcidevices8.inf
+ IPRIP File not found: C:/WINDOWS/system32/wordms.dll
+ kkdc 在域控制器上此服务启用用户使用 Kerberos 授权协议登录网络。如果此服务在域控制器上被停用,用户将无法登录网络。如果此服务被禁用,任何依赖于它的服务将无法启用 File not found: C:/WINDOWS/lsass.exe
+ ms_2fax Fax 2Client File not found: C:/WINDOWS/system32/5b211.exe
+ ptug 网络管理服务,如果此服务被停止,有可能部分网络功能无法实现。 c:/program files/kopb/uyzl.dll
HKLM/System/CurrentControlSet/Services
+ ALCXWDM File not found: system32/drivers/ALCXWDM.SYS
+ cqit File not found: C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/tmp33.tmp
+ dohs File not found: C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/tmpDF.tmp
+ mhfp File not found: C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/tmp258.tmp
+ mnsf File not found: C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/tmp265.tmp
+ msfpfis64 c:/windows/system32/drivers/msosmsfpfis64.sys
+ NPF File not found: C:/WINDOWS/system32/drivers/5A.tmp
+ npkcrypt File not found: C:/Program Files/QQ2006/npkcrypt.sys
HKLM/Software/Microsoft/Command Processor/Autorun
+ C:/WINDOWS/system32/sashost.exe File not found: C:/WINDOWS/system32/sashost.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Windows/Appinit_Dlls
+ atehhz.dllawef.dll File not found: atehhz.dllawef.dll
+ m File not found: m
+ msoscqit01.dll c:/windows/system32/msoscqit01.dll
+ msosdohs00.dll c:/windows/system32/msosdohs00.dll
+ msosmhfp00.dll c:/windows/system32/msosmhfp00.dll
+ msosmnsf01.dll c:/windows/system32/msosmnsf01.dll
+ msosping01.dll c:/windows/system32/msosping01.dll
HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/RunOnce
+ eqaxsh54 Run a DLL as an App Microsoft Corporation c:/windows/system32/rundll32.exe
+ vymwvk44 Run a DLL as an App Microsoft Corporation c:/windows/system32/rundll32.exe
C:/Documents and Settings/All Users/「开始」菜单/程序/启动
+ Adobe Gamma Loader.lnk Adobe Gamma Loader Adobe Systems, Inc. c:/program files/common files/adobe/calibration/adobe gamma loader.exe
+ qqgame.exe c:/documents and settings/all users/「开始」菜单/程序/启动/autorunsdisabled/qqgame.exe
+ webspeed.exe c:/documents and settings/all users/「开始」菜单/程序/启动/autorunsdisabled/webspeed.exe
HKCU/Software/Microsoft/Windows NT/CurrentVersion/Windows/Load
+ C:/WINDOWS/inf/Other.exe File not found: C:/WINDOWS/inf/Other.exe
HKCU/Software/Microsoft/Windows NT/CurrentVersion/Windows/Run
+ C:/WINDOWS/system32/config/Win.exe File not found: C:/WINDOWS/system32/config/Win.exe
HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/Policies/Explorer/Run
+ 011 File not found: C:/WINDOWS/system32/011.dll
+ 461b Microsoft DirectMusic Interactive Engine Microsoft Corporation c:/windows/downloaded program files/461b.dll
+ zsmscc File not found: C:/WINDOWS/system32/mycc080201.dll mymain
+ zsmscc File not found: C:/WINDOWS/system32/mycc080201.dll mymain
+ zuoyue Run a DLL as an App Microsoft Corporation c:/windows/system32/inf/svch0st.exe
+ zuoyue Run a DLL as an App Microsoft Corporation c:/windows/system32/inf/svch0st.exe
HKCU/Software/Microsoft/Windows/CurrentVersion/Run
+ ctfmon.exe CTF Loader Microsoft Corporation c:/windows/system32/ctfmon.exe
+ dc File not found: C:/WINDOWS/dc.exe
+ dc2k5 File not found: C:/WINDOWS/SVIQ.EXE
+ Fun File not found: C:/WINDOWS/system/Fun.exe
+ imscmig File not found: C:/WINDOWS/imscmig.exe
清理了一毒窝,基本上能中的全中了相关推荐
- 如何从值中删除数组中的项目?
有没有一种方法可以从JavaScript数组中删除项目? 给定一个数组: var ary = ['three', 'seven', 'eleven']; 我想做类似的事情: removeItem('s ...
- Knockout中ko.utils中处理数组的方法集合
每一套框架基本上都会有一个工具类,如:Vue中的Vue.util.Knockout中的ko.utils.jQuery直接将一些工具类放到了$里面,如果你还需要更多的工具类可以试试lodash.本文只介 ...
- python字典怎么设置_在python中设置字典中的属性
在python中设置字典中的属性 是否可以在python中从字典创建一个对象,使每个键都是该对象的属性? 像这样的东西: d = { 'name': 'Oscar', 'lastName': 'Rey ...
- react回调函数_React中的回调中自动绑定ES6类函数
在使用ES6类的React组件时,您必须遇到这种现象,必须显式绑定类函数,然后将其传递给诸如onClick.例如,采用以下示例. import React from 'react';class MyC ...
- 如何从JavaScript中删除数组中的元素?
本文翻译自:How to remove element from an array in JavaScript? var arr = [1,2,3,5,6]; I want to remove the ...
- 渗透中超全的Google hack语法
inurl:Login 将返回url中含有Login的网页 intitle:后台登录管理员 将返回含有管理员后台的网页 intext:后台登录 将返回含有后台的网页 inurl:/admin/logi ...
- 关于js中获取div中的数据
原文地址为: 关于js中获取div中的数据 最近用js写了一个计算器的页面.基本上使用到了,ul li的几点用法.用来布局,并且创造出了很不错的鼠标悬停效果. 关于从中学到的知识: document ...
- 计算机中xp系统中qq文件,PC端QQ中的腾讯文档怎么使用
PC端QQ中的腾讯文档怎么使用 腾讯视频/爱奇艺/优酷/外卖 充值4折起 今天给大家介绍一下PC端QQ中的腾讯文档怎么使用的具体操作步骤. 1. 首先打开电脑上的QQ软件,登录进入主面板后,点击底部的 ...
- 移动验证:本机校验和一键登录(中移动、中联通、中电信提供)
更新时间:2019/07/23 先推荐 直接从三大运营商那里直接做这个功能,相对麻烦.所以我们想到了三方代理 代理1:阿里云 - 号码验证,每次4分,已经支持一键登录,SDK大约在20M左右,UI是半 ...
- 苹果:水果中的全科医生
新华网上海频道10月16日消息:苹果又叫滔婆,仁果类,由结实.多汁的果肉包着有几个种子的果核,与梨同属.商品型苹果原产于西亚或东欧,在世界范围内约有7500个品种,酸甜可口,营养丰富,是老幼皆宜的水果 ...
最新文章
- 2017年前端面试题整理汇总100题
- id 怎么获取jira 评论_一篇文章教会你使用Python定时抓取微博评论
- php XML文件解释类
- 编写TA链接静态库的方法
- Qt C++属性类型提供给 QML调用(一)
- java实现多级菜单(java递归)方法二
- Vue Cli 打包之后静态资源路径不对的解决方法
- MCU——JLINK接外部电源调试问题
- linux 联合编译,在Linux上编译UEFI SDK 2018/OVMF的方法
- echo和narcissus寓意_【故事】三毛的英文名Echo,有什么含义?
- Python-Opencv 基本操作(三)
- 软件测试性能工程师工资,软件测试工程师工资一般多少 前景怎么样
- 10分钟建个人网站 - Amazon Lightsail
- 用electron做一个浏览器
- wait释放锁的说明
- Win10系统下语音识别聆听功能使用方法
- redis使用c++ API 的hiredis连接详解
- 用java设计节拍器_java定时执行方法节拍器
- 关于YDWE在保存时的Lua数据添加
- 互联网产品之网站活动策划