New Variant of AV Terminator (AV终结者)

Wangchao Baike (王朝百科) · Author unknown  2010-02-19

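AV Terminator (AV终结者) has been rampant for some time. Thanks to the joint efforts of antivirus vendors its momentum had weakened, but a small-scale outbreak has recently reappeared, and users report that the dedicated removal tools are being killed as well. I obtained this new variant today and analyzed it immediately. Notably, this variant has started downloading various rogue software (earlier variants generally downloaded trojans).

Analysis report: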

File: pmovrao.exe

Size: 26816 bytes

MD5: 8A43F7A2EB37728D5D808C4E72B65242

SHA1: A61CB036BC9A851A61E79F815A688DC04603C509

CRC32: 2B59AD2F

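When run, it creates two exe files, each named with 7 random letters, one under C:\Program Files\Common Files\Microsoft Shared and one under C:\Program Files\Common Files\System.

In this test they were C:\Program Files\Common Files\System\gamkqme.exe and

C:\Program Files\Common Files\Microsoft Shared\vdiwghf.exe

C:\Program Files\meex.exe

C:\Program Files\syuhxcx.inf (random 7-letter name)

Deletes C:\WINDOWS\system32\verclsid.exe

Enumerates partitions D through Z and, in the root directory of each, creates autorun.inf and an exe with a random 7-letter name (pmovrao.exe in my case).

The right-click context menu is unchanged.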

Checks whether any of the following files exist and, if so, renames them to 7 random letters:

autorun.inf on each partition

MSInfo\wniapsvr.exe

MSInfo\Shell.exe

MSInfo\Shell.pci

system32\progmon.exe

system32\internt.exe

Web\css.css

Com\lsass.exe

IME\svchost.exe

IME\smss.exe

Debug\debug.exe

Common Files\svchost.cnc

Common Files\Relive.dll

Internet Explorer\msvcrt.dll

Internet Explorer\PLUGINS\SysWin64.Jmp

Internet Explorer\PLUGINS\SysWin64.Sys

Internet Explorer\PLUGINS\SysWin64.Tao

Sets the startup type of the following services to Disabled:

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess

HKLM\SYSTEM\CurrentControlSet\Services\helpsvc

HKLM\SYSTEM\CurrentControlSet\Services\wscsvc

HKLM\SYSTEM\CurrentControlSet\Services\wuauserv

Deletes the following keys, which breaks Safe Mode:

HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}

HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}

Sets HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue to 0x00000000, which breaks the option to show hidden files.

Sets the attributes of C:\Program Files\Common Files\Microsoft Shared and C:\Program Files\Common Files\System to hidden.

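Adds Image File Execution Options (IFEO) entries under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options, one subkey per targeted executable name.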


Each entry points to the exe with the random 7-letter name under C:\Program Files\Common Files\Microsoft Shared.

Monitors for and terminates processes whose names are on its target list.


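Filters on the following "keywords": any window in which one of them appears is closed.

木马 (trojan)

木马 (trojan)

病毒 (virus)

杀毒 (antivirus)

杀毒 (antivirus)

查毒 (virus scan)

防毒 (virus protection)

专杀 (dedicated removal tool)

专杀 (dedicated removal tool)

卡巴 (Kaspersky, abbreviated)

江民 (Jiangmin)

瑞星 (Rising)

毒霸 (Duba)

恶意软件 (malware)

流氓软件 (rogue software)

上报 (submit a report)

QQ安全 (QQ Security)

举报 (report abuse)

报警 (alert)

杀软 (AV software)

杀软 (AV software)

防杀 (anti-kill)

防杀 (anti-kill)

专 杀 (this is why Kingsoft's dedicated removal tool cannot start: this keyword is filtered as well)

360安全 (360 Security)

QQ医生 (QQ Doctor)

进程 (process)

System

Microsoft Shared

微点 (Micropoint)

上报 (submit a report)

举报 (report abuse)

进程 (process)

Process

Virus

Trojan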

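Connects to the network and downloads trojans and rogue software:

http://www.xxxxx.com/soft/fox/GameSetup.exe

http://www.xxxxx.com/soft/fox/Setup.exe

They are saved under Program Files as 1AGameSetup.exe and 2BSetup.exe respectively.

The two files are the installers for the trojans and for the rogue software, respectively.

After the trojans and rogue software have been installed, the following files are created (including but not limited to):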

C:\WINDOWS\system32\drivers\809igndb.sys

C:\WINDOWS\system32\drivers\acpidisk.sys

C:\WINDOWS\system32\drivers\iExplorer.exe

C:\WINDOWS\system32\drivers\kz0q8id6.sys

C:\WINDOWS\system32\1b1.dll

C:\WINDOWS\system32\60e41.exe

C:\WINDOWS\system32\ad_2201.exe

C:\WINDOWS\system32\601.dll

C:\WINDOWS\system32\nkgqpadwh.dll

C:\WINDOWS\system32\mprmsgse.axz

C:\WINDOWS\system32\mscpx32r.det

C:\WINDOWS\31.bmp

C:\WINDOWS\3fa1.exe

C:\WINDOWS\716dairx.exe

C:\WINDOWS\716daiwm.exe

C:\WINDOWS\716daiwow.exe

C:\WINDOWS\716daizx.exe

C:\WINDOWS\716dgj.exe

C:\WINDOWS\716dwl.exe

C:\WINDOWS\ad_2201.exe

C:\WINDOWS\oolan95.exe

C:\WINDOWS\dodolook386.exe

C:\WINDOWS\fa7c1.txt

C:\WINDOWS\kulionrx.dll

C:\WINDOWS\kulionrx.exe

C:\WINDOWS\kulionwl.dll

C:\WINDOWS\kulionwm.dll

C:\WINDOWS\kulionzx.dll

C:\WINDOWS\kulionzx.exe

C:\WINDOWS\my_70087.exe

C:\WINDOWS\video.dll

C:\WINDOWS\winow.dll

C:\WINDOWS\winow.exe

C:\WINDOWS\winwl.exe

C:\WINDOWS\winwm.exe

C:\WINDOWS\wmsj.exe

C:\WINDOWS\齐看网Setup2.exe

C:\Program Files\1AGameSetup.exe

C:\Program Files\2BSetup.exe

C:\PROGRA~1\yxry

C:\Documents and Settings\All Users\Application Data\Microsoft\PCTools\pctools.dll

These include some rogue software and account-stealing trojans.

The sreng log shows the following:

Services

[Windows dcwd RunThem / dcwd][Running/Auto Start]

<C:\WINDOWS\System32\svchost.exe -k netsvcs-->C:\PROGRA~1\yxry\ihbi.dll>< >

[Fax 2Client / ms_2fax][Running/Auto Start]

<C:\WINDOWS\system32\60e41.exe><N/A>

Drivers

[809ignd / 809igndb][Running/Boot Start]

<\SystemRoot\System32\DRIVERS\809igndb.sys><N/A>

[acpidisk / acpidisk][Running/Auto Start]

<\??\C:\WINDOWS\system32\drivers\acpidisk.sys><N/A>

[kz0q8id6 / kz0q8id6][Running/Auto Start]

<\??\C:\WINDOWS\system32\drivers\kz0q8id6.sys><N/A>

Browser add-ons

[Info cache]

{385AB8C6-FB22-4D17-8834-064E2BA0A6F0} <C:\Documents and Settings\All Users\Application Data\Microsoft\PCTools\pctools.dll, 金泰丰(广州)科技有限公司>

[ff Class]

{FAAAC0F6-94BE-4466-934B-7C53666A2F41} <C:\WINDOWS\system32\601.dll, TODO: <公司名>>

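Solution:

I. Remove the main virus program

Because the relevant dedicated removal tools no longer work, the virus has to be removed manually.

1. Download the Icesword tool

http://www.ttian.net/website/2005/0829/391.html

After extracting it, rename Icesword.exe and run it.

In the menu bar choose File > Settings, tick "Forbid process/thread creation", and click OK.

In the view pane click Processes and look for processes with random 7-letter names running from C:\Program Files\Common Files\Microsoft Shared and C:\Program Files\Common Files\System (note their names).

If any are present, terminate each of them.

In addition, if Rising Firewall is installed, the rfwsrv.exe process must be terminated.

Then choose File > Settings in the menu bar again, untick "Forbid process/thread creation", and click OK.

Still in Icesword, click the File button in the lower-left corner.

Locate the two exe files with random 7-letter names found earlier in C:\Program Files\Common Files\Microsoft Shared and C:\Program Files\Common Files\System, right-click each one, and delete it.

The following files also need to be deleted:

C:\Program Files\meex.exe

C:\Program Files\syuhxcx.inf (random 7-letter name)

as well as autorun.inf and the exe with a random 7-letter name in the root of each partition (do not forget this step).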

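2. Download sreng

http://download.kztechs.com/files/sreng2.zip

Run it, go to Startup Items > Registry, and delete all IFEO items shown in red.

Delete the startup entries with random 7-letter names under [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run].

In this test they were the following values:

<syuhxcx><C:\Program Files\Common Files\System\gamkqme.exe> []

<pmovrao><C:\Program Files\Common Files\Microsoft Shared\vdiwghf.exe> []

In sreng, go to Repair > Windows shell/IE, select "Show hidden files", and click Repair below.

In sreng, go to Repair > Advanced Repair > Repair Safe Mode and click Yes in the dialog that appears.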
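
Added example (not part of the original report): a read-only PowerShell check for the registry changes described above, usable before and after the repair steps. It assumes the IFEO redirect is stored in the standard Debugger value and that a service Start value of 4 means Disabled.

```powershell
# Added example: read-only audit of the registry changes this report describes.
# Assumptions: IFEO redirects use the standard "Debugger" value; Start = 4 means Disabled.
$findings = New-Object 'System.Collections.Generic.List[string]'

# 1. Services the report says are switched to Disabled.
#    Some may be absent or legitimately disabled on a given system.
foreach ($name in 'SharedAccess', 'helpsvc', 'wscsvc', 'wuauserv') {
    $svc = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$name" -ErrorAction SilentlyContinue
    if ($svc -and $svc.Start -eq 4) { $findings.Add("Service set to Disabled: $name") }
}

# 2. SafeBoot keys the report says are deleted (this breaks Safe Mode).
$guid = '{4D36E967-E325-11CE-BFC1-08002BE10318}'
foreach ($set in 'ControlSet001', 'CurrentControlSet') {
    foreach ($mode in 'Minimal', 'Network') {
        $key = "HKLM:\SYSTEM\$set\Control\SafeBoot\$mode\$guid"
        if (-not (Test-Path -LiteralPath $key)) { $findings.Add("SafeBoot key missing: $key") }
    }
}

# 3. "Show hidden files" switch forced to 0.
$showAll = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
$checked = (Get-ItemProperty -Path $showAll -ErrorAction SilentlyContinue).CheckedValue
if ($null -ne $checked -and $checked -eq 0) { $findings.Add('SHOWALL CheckedValue is 0') }

# 4. IFEO subkeys whose Debugger value redirects into the drop directory.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
    $debugger = [string]$_.GetValue('Debugger')
    if ($debugger -like '*\Common Files\Microsoft Shared\*') {
        $findings.Add("IFEO redirect: $($_.PSChildName) -> $debugger")
    }
}

# 5. Run values that launch a 7-letter exe from either drop directory.
$pattern = '\\Common Files\\(Microsoft Shared|System)\\[a-z]{7}\.exe'
$run = Get-Item -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
if ($run) {
    foreach ($valueName in $run.GetValueNames()) {
        $data = [string]$run.GetValue($valueName)
        if ($data -match $pattern) { $findings.Add("Run entry: $valueName -> $data") }
    }
}

# Report: an empty list means none of the described changes were found.
if ($findings.Count -eq 0) { 'No matching registry changes found.' } else { $findings }
```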

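II. Remove the downloaded trojans and rogue software

At this point the main virus program has been removed.

Next, remove the downloaded trojans and rogue software.

Note: because the trojans and rogue software the virus downloads vary, this removal procedure is for reference only.

First, download Xdelbox1.3 from http://www.i170.com/attach/92EB2ED9-6D11-441D-8A28-2A9B08F0452E

Then restart the computer and enter Safe Mode (after power-on, press F8 repeatedly until the advanced menu appears, then choose the first item, Safe Mode, to boot into the system).

Open sreng.

Under "Startup Items" - "Services" - "Win32 Service Applications", click "Hide verified Microsoft items",

select the following items, click "Delete Service", then click "Set", and click "No" in the dialog that pops up:

Windows dcwd RunThem / dcwd

Fax 2Client / ms_2fax

Under "Startup Items" - "Services" - "Drivers", click "Hide verified Microsoft items",

select the following items, click "Delete Service", then click "Set", and click "No" in the dialog that pops up:

acpidisk / acpidisk

kz0q8id6 / kz0q8id6

Under System Repair - Browser Add-ons, find the following item, click Delete Item, and click "Yes" in the dialog that pops up:

[ff Class]

{FAAAC0F6-94BE-4466-934B-7C53666A2F41} <C:\WINDOWS\system32\601.dll, TODO: <公司名>>

Double-click My Computer, then choose Tools, Folder Options, View; select "Show hidden files and folders" and clear the tick in front of "Hide protected operating system files (Recommended)". When prompted to confirm the change, click "Yes", then click OK.

Click the Folders button below the menu bar (the button to the right of Search).

From the Explorer tree on the left, go to drive C.

Delete the following files: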

C:\Program Files\yxry (folder)

C:\WINDOWS\system32\1b1.dll

C:\WINDOWS\system32\60e41.exe

C:\WINDOWS\system32\ad_2201.exe

C:\WINDOWS\system32\601.dll

C:\WINDOWS\system32\mprmsgse.axz

C:\WINDOWS\system32\mscpx32r.det

C:\WINDOWS\31.bmp

C:\WINDOWS\3fa1.exe

C:\WINDOWS\716dairx.exe

C:\WINDOWS\716daiwm.exe

C:\WINDOWS\716daiwow.exe

C:\WINDOWS\716daizx.exe

C:\WINDOWS\716dgj.exe

C:\WINDOWS\716dwl.exe

C:\WINDOWS\ad_2201.exe

C:\WINDOWS\oolan95.exe

C:\WINDOWS\dodolook386.exe

C:\WINDOWS\fa7c1.txt

C:\WINDOWS\kulionrx.dll

C:\WINDOWS\kulionrx.exe

C:\WINDOWS\kulionwl.dll

C:\WINDOWS\kulionwm.dll

C:\WINDOWS\kulionzx.dll

C:\WINDOWS\kulionzx.exe

C:\WINDOWS\my_70087.exe

C:\WINDOWS\video.dll

C:\WINDOWS\winow.dll

C:\WINDOWS\winow.exe

C:\WINDOWS\winwl.exe

C:\WINDOWS\winwm.exe

C:\WINDOWS\wmsj.exe

C:\WINDOWS\齐看网Setup2.exe

C:\Program Files\1AGameSetup.exe

C:\Program Files\2BSetup.exe

C:\WINDOWS\system32\drivers\acpidisk.sys

C:\WINDOWS\system32\drivers\iExplorer.exe

C:\WINDOWS\system32\drivers\kz0q8id6.sys

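Open Xdelbox1.3.

Enter the following files:

C:\WINDOWS\system32\drivers\809igndb.sys

C:\WINDOWS\system32\nkgqpadwh.dll

C:\Documents and Settings\All Users\Application Data\Microsoft\PCTools\pctools.dll

Add them, then select the 3 files and choose to restart immediately and perform the deletion.

After one more restart, congratulations: all of the viruses have been removed!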

 
 