Rising Kaka Security Forum > Technical Exchange > Anti-virus / Anti-rogue-software board: [Help] How to detect, remove and prevent the eraseme*.exe virus



[Help] How to detect, remove and prevent the eraseme*.exe virus

To the original poster and all the experts here:

    I have been plagued by this virus for a long time!! And by construct.exe too!!

Here is the record I kept after one of my disinfection runs:
Backdoor.Win32.SdBot.aad_15
C:\windows\system32\eraseme_38427.exe
C:\windows\system32\setup_57874.exe
C:\windows\Construct.exe

Trojan.Win32.VB.aak
C:\SVCHOST.exe
D:\SVCHOST.exe

Backdoor.Win32.Delf.adj_12
C:\Program Files\Internet Explorer\Test.exe
C:\Program Files\Internet Explorer\Syssmss.exe
After disinfection, every option in the firewall is greyed out; the firewall cannot be enabled and defaults to off!
The Add/Remove Programs panel will not open, and Run does not respond!
I have no idea which registry values it changed, and searching online turned up nothing. I am truly at my wits' end...

I ask the original poster and the experts for some pointers.
Last edited 2006-03-01 11:20:05

Pigeon (Gray Pigeon).
The forum has a removal guide for Pigeon;
have a look.

Files created:
%system%\Run552.exe
%system%\win.dll
%system%\windll.dll, whose content is
"Think",

%system%\N0TEPAD.EXE
%system32%\N0TEPAD.EXE
%Windows%\N0TEPAD.EXE
In the file names above the character is the digit "0", not the letter "O"; take care to tell them apart.
Registry changes:
HKLM\SOFTWARE\MICROSOFT\Windows\CURRENTVERSION\Run\\Run552.exe
"%system%\Run552.exe"
This creates an autostart entry for the virus.

Modifies:
HKCR\txtfile\Shell\open\command\\
"%System%\N0TEPAD.EXE "%1""
so that the virus file %system%\N0TEPAD.EXE becomes the handler for .TXT text files.


Removal:

End the process:
%system%\Run552.exe

Edit the registry:
HKCR\txtfile\Shell\open\command\\
"%System%\N0TEPAD.EXE "%1"" should be set back to the normal Notepad, NOTEPAD.EXE (pay special attention to the difference between the digit "0" and the letter "O").
Using Regfix to repair the .TXT association is recommended as the easier route.

Delete the virus files:
%system%\Run552.exe
%system%\N0TEPAD.EXE
%system32%\N0TEPAD.EXE
%Windows%\N0TEPAD.EXE
%system%\windll.dll
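The 0-for-O trick in N0TEPAD.EXE is a homoglyph masquerade, and the .TXT association is what gets it launched. The checker below is an added example for this thread, not code from the post above or from Regfix: it folds look-alike characters before comparing a file name against a short list of genuine Windows binaries (the confusable map and the binary list are my own illustrative choices) and inspects an HKCR\txtfile\shell\open\command value the same way. The sample paths and command strings are constructed to match what the post describes.

```python
"""Detect homoglyph-masqueraded system binaries (e.g. N0TEPAD.EXE with a zero)
and a hijacked .TXT file association.

Added example for this thread; not code from the post or from Regfix. The
confusable map and the list of genuine binaries are illustrative assumptions.
"""
import re
from pathlib import PureWindowsPath
from typing import Dict, List, Optional

# Look-alike character -> the letter it is usually substituted for.
CONFUSABLES = {"0": "O", "1": "L", "5": "S", "8": "B"}

# Genuine Windows binaries that malware likes to imitate (assumption: short,
# illustrative list; in practice extend it from a trusted inventory).
KNOWN_BINARIES = {"NOTEPAD.EXE", "SVCHOST.EXE", "LSASS.EXE", "EXPLORER.EXE", "WINLOGON.EXE"}

# Matches the executable at the front of a shell command, quoted or not.
_CMD_RE = re.compile(r'^"?(?P<exe>[^"]+?\.exe)"?(?:\s|$)', re.IGNORECASE)


def fold(name: str) -> str:
    """Upper-case a file name and replace look-alike characters by letters."""
    return "".join(CONFUSABLES.get(c, c) for c in name.upper())


def masquerade_target(path: str) -> Optional[str]:
    """Return the genuine binary a file name imitates, or None.

    A name is reported only when it is not itself a known binary but becomes
    one after folding, so the real NOTEPAD.EXE is never flagged.
    """
    name = PureWindowsPath(path).name.upper()
    if name in KNOWN_BINARIES:
        return None
    folded = fold(name)
    return folded if folded in KNOWN_BINARIES else None


def scan_paths(paths: List[str]) -> Dict[str, str]:
    """Map every suspicious path to the binary it imitates."""
    hits: Dict[str, str] = {}
    for p in paths:
        target = masquerade_target(p)
        if target:
            hits[p] = target
    return hits


def check_txt_association(command: str) -> List[str]:
    """Inspect an HKCR\\txtfile\\shell\\open\\command value and list findings."""
    findings: List[str] = []
    m = _CMD_RE.match(command.strip())
    if not m:
        return [f"could not parse command: {command}"]
    exe = m.group("exe")
    name = PureWindowsPath(exe).name.upper()
    if name != "NOTEPAD.EXE":
        findings.append(f"TXT handler is not NOTEPAD.EXE: {exe}")
    target = masquerade_target(exe)
    if target:
        findings.append(f"{name} imitates {target} using look-alike characters")
    return findings


# Constructed sample input modelled on the files and registry value in the post.
SAMPLE_FILES = [
    r"C:\WINDOWS\system32\N0TEPAD.EXE",   # zero instead of O
    r"C:\WINDOWS\system32\NOTEPAD.EXE",   # the genuine editor
    r"C:\WINDOWS\N0TEPAD.EXE",
    r"C:\WINDOWS\system32\Run552.exe",
    r"C:\WINDOWS\system32\svch0st.exe",   # constructed, not from the post
]
HIJACKED_COMMAND = r'"%System%\N0TEPAD.EXE "%1""'
NORMAL_COMMAND = r'%SystemRoot%\system32\NOTEPAD.EXE %1'

if __name__ == "__main__":
    for path, target in scan_paths(SAMPLE_FILES).items():
        print(f"{path}: imitates {target}")
    for finding in check_txt_association(HIJACKED_COMMAND):
        print("txtfile:", finding)
    print("normal association findings:", check_txt_association(NORMAL_COMMAND))
```

The fold-then-compare step is what makes the check robust: a plain string comparison against NOTEPAD.EXE passes the zero variant silently, which is exactly why the post has to warn about it twice.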

It is not Gray Pigeon.

I suggest referring to http://forum.ikaka.com/topic.asp?board=28&artid=7174264

OK,
solved.

Experts, come and have a look,
let's study this one:
Antivirus Version Update Result
AntiVir 6.33.0.81 02.06.2006 TR/VB.SJ.400
Avast 4.6.695.0 02.04.2006 no virus found
AVG 718 02.04.2006 no virus found
Avira 6.33.0.81 02.06.2006 no virus found
BitDefender 7.2 02.06.2006 no virus found
CAT-QuickHeal 8.00 02.04.2006 Trojan.VB.sj
ClamAV devel-20060126 02.06.2006 no virus found
DrWeb 4.33 02.06.2006 Trojan.Popuper
eTrust-InoculateIT 23.71.69 02.05.2006 no virus found
eTrust-Vet 12.4.2066 02.06.2006 no virus found
Ewido 3.5 02.06.2006 Trojan.VB.sj
Fortinet 2.54.0.0 02.06.2006 W32/VB.SJ!tr
F-Prot 3.16c 02.04.2006 no virus found
Ikarus 0.2.59.0 02.06.2006 no virus found
Kaspersky 4.0.2.24 02.06.2006 Trojan.Win32.VB.sj
McAfee 4689 02.03.2006 no virus found
NOD32v2 1.1394 02.05.2006 a variant of Win32/VB.SJ
Norman 5.70.10 02.06.2006 no virus found
Panda 9.0.0.4 02.06.2006 Suspicious file
Sophos 4.02.0 02.06.2006 no virus found
Symantec 8.0 02.06.2006 no virus found
TheHacker 5.9.3.091 02.06.2006 Trojan/VB.sj
UNA 1.83 02.03.2006 Trojan.Win32.VB
VBA32 3.10.5 02.06.2006 Trojan.Win32.VB.sj

[Reply to MicroAthur's post]
I have seen one; not sure whether it helps you. Take a look:

Analysis results for the Trojan eraseme_13348.exe

I. Files created
Create file
Object:C:\windows\nvideogui.exe

Create file
Object:C:\WINDOWS\system32\remon.sys

II. Registry changes

1. Startup entries:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nvideoGUI
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\nvideoGUI
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\remon
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\remon

2. Other entries:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\\MSBCRM
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\\Minstallvariable
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\\Mupvariable
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System\\DisableTaskMgr
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System\\DisableRegistryTools
HKLM\SOFTWARE\Microsoft\Security Center\\UpdatesDisableNotify
HKLM\SOFTWARE\Microsoft\Security Center\\AntiVirusDisableNotify
HKLM\SOFTWARE\Microsoft\Security Center\\FirewallDisableNotify
HKLM\SOFTWARE\Microsoft\Security Center\\AntiVirusOverride
HKLM\SOFTWARE\Microsoft\Security Center\\FirewallOverride
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\\EnableFirewall
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\\AUOptions
HKLM\System\CurrentControlSet\Services\wscsvc\\Start
HKLM\System\CurrentControlSet\Services\TlntSvr\\Start
HKLM\System\CurrentControlSet\Services\RemoteRegistry\\Start
HKLM\System\CurrentControlSet\Services\Messenger\\Start
HKLM\System\CurrentControlSet\Control\Lsa\\restrictanonymous
HKLM\System\CurrentControlSet\Services\lanmanserver\parameters\\AutoShareWks
HKLM\System\CurrentControlSet\Services\lanmanserver\parameters\\AutoShareServer
HKLM\System\CurrentControlSet\Services\lanmanworkstation\parameters\\AutoShareWks
HKLM\System\CurrentControlSet\Services\lanmanworkstation\parameters\\AutoShareServer
HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\\DoNotAllowXPSP2
HKLM\SOFTWARE\Microsoft\Ole\\EnableDCOM
HKLM\System\CurrentControlSet\Control\\WaitToKillServiceTimeout


3. HijackThis (HJ) log entry:
O23 - NT 服务: Nvidia Graphic Displacement (nvideoGUI) - Unknown owner - C:\windows\nvideogui.exe

4. Other characteristics:
It has a process guard (watchdog) function.
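The "other entries" above are the Security Center notification switches, the Task Manager and Registry Editor policies, the firewall policy, Automatic Updates and several service start types. As an added example for this thread (not the analyst's tool or its output), here is a Python audit that compares a registry snapshot against the values a healthy machine should carry. The post names the keys but not the values the sample wrote, so the tampered snapshot below is constructed for illustration, and the expected values are my assumption of a healthy Windows XP SP2 configuration; on a live host the snapshot dictionary would be filled from winreg or reg query.

```python
"""Audit a registry snapshot for the protection-disabling changes listed above.

Added example for this thread, not the analyst's tool or its output. The
tampered snapshot is constructed (the post lists keys, not values); the
acceptable values are my assumption of a healthy Windows XP SP2 host.
"""
from typing import Any, Dict, List, Tuple

SnapshotKey = Tuple[str, str]          # (registry key path, value name)
Snapshot = Dict[SnapshotKey, Any]

POL = r"HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System"
SC = r"HKLM\SOFTWARE\Microsoft\Security Center"
FW = r"HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile"
WSCSVC = r"HKLM\System\CurrentControlSet\Services\wscsvc"
AU = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update"
WU_POL = r"HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"

# (key, value) -> (acceptable values, missing is fine?, what a deviation means)
# Policy values are optional (absent = not configured); service start types
# and AUOptions are expected to be present.
EXPECTED = {
    (POL, "DisableTaskMgr"): ((0,), True, "Task Manager blocked by policy"),
    (POL, "DisableRegistryTools"): ((0,), True, "Registry Editor blocked by policy"),
    (SC, "AntiVirusDisableNotify"): ((0,), True, "Security Center AV warnings silenced"),
    (SC, "FirewallDisableNotify"): ((0,), True, "Security Center firewall warnings silenced"),
    (SC, "UpdatesDisableNotify"): ((0,), True, "Security Center update warnings silenced"),
    (SC, "AntiVirusOverride"): ((0,), True, "Security Center told AV is handled elsewhere"),
    (SC, "FirewallOverride"): ((0,), True, "Security Center told firewall is handled elsewhere"),
    (FW, "EnableFirewall"): ((1,), True, "Windows Firewall switched off by policy"),
    (WSCSVC, "Start"): ((2,), False, "Security Center service not set to Automatic (2)"),
    (AU, "AUOptions"): ((3, 4), False, "Automatic Updates no longer download updates"),
    (WU_POL, "DoNotAllowXPSP2"): ((0,), True, "Service Pack 2 installation blocked"),
}


def audit(snapshot: Snapshot) -> List[str]:
    """Return one finding per value that deviates from the expected state."""
    norm = {(k.lower(), n.lower()): v for (k, n), v in snapshot.items()}
    findings: List[str] = []
    for (key, name), (acceptable, missing_ok, meaning) in EXPECTED.items():
        actual = norm.get((key.lower(), name.lower()))
        if actual is None:
            if not missing_ok:
                findings.append(f"{key}\\{name} is missing: {meaning}")
        elif actual not in acceptable:
            findings.append(f"{key}\\{name} = {actual!r} (expected one of {acceptable}): {meaning}")
    return findings


# Constructed snapshot modelled on the post's key list; the values are
# illustrative, not taken from the sample.
TAMPERED: Snapshot = {
    (POL, "DisableTaskMgr"): 1,
    (POL, "DisableRegistryTools"): 1,
    (SC, "AntiVirusDisableNotify"): 1,
    (SC, "FirewallDisableNotify"): 1,
    (SC, "UpdatesDisableNotify"): 1,
    (SC, "AntiVirusOverride"): 1,
    (SC, "FirewallOverride"): 1,
    (FW, "EnableFirewall"): 0,
    (WSCSVC, "Start"): 4,          # 4 = disabled
    (AU, "AUOptions"): 1,          # 1 = Automatic Updates turned off
    (WU_POL, "DoNotAllowXPSP2"): 1,
}

# A healthy host: no policy overrides present, service and updates as expected.
CLEAN: Snapshot = {
    (WSCSVC, "Start"): 2,
    (AU, "AUOptions"): 4,
}

if __name__ == "__main__":
    for line in audit(TAMPERED):
        print("FINDING:", line)
    print("clean host findings:", audit(CLEAN))
```

Auditing the policy and Security Center values explains the symptoms in the original post (greyed-out firewall options, Task Manager and Registry Editor refusing to open): each of those is a registry value, and each is restored by setting it back, not by deleting the dropper alone.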

[Reply to 凌晨25点的爱's post]
What is there to study here?
It is nothing more than a comparison of detection across a few AV products.

[Reply to baohe's post]
Thank you very much!
I also run into nvideogui.exe and remon.sys all the time;
later it renamed itself nvidcgui.exe, and there is also a sysmanager.exe file in the %windows% directory that acts as its accomplice.
So much so that later, whenever I found nvideogui.exe and remon.sys, there was bound to be an eraseme*.exe as well.
Moderator, is there any pattern to follow when hunting down eraseme*.exe?

Experts, please take a look!!
HijackThis_zww汉化版扫描日志 V1.99.1
保存于      15:29:13, 日期 2006-2-28
操作系统:  Windows XP SP2 (WinNT 5.01.2600)
浏览器:    Internet Explorer v6.00 SP2 (6.00.2900.2180)

当前运行的进程:         
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\P4P\p2psvr.exe
C:\Program Files\Lenovo\联想智能控制中心\SCC\SCCMonitor.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Lenovo\联想智能控制中心\SCC\LenovoSmartControlCenter.exe
E:\扫黄工具\扫黄工具\blackjack\HijackThis1991zww.exe

O2 - BHO: ThunderIEHelper - {0005A87D-D626-4B3A-84F9-1D9571695F55} - C:\WINDOWS\system32\xunleibho_v10.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SohuDAIEHelper - {0CA51D02-7739-43EA-8D9A-1E8AD4327B03} - C:\Program Files\P4P\sodaie.dll
O2 - BHO: Zhongsou Browser Helper - {2A0176FE-008B-4706-90F5-BBA532A49731} - C:\PROGRA~1\SEARCH~1\SNHpr.dll (file missing)
O2 - BHO: yPhtb - {33BBE430-0E42-4f12-B075-8D21ACB10DCB} - C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yphtb.dll
O2 - BHO: Anti Fish - {38928D50-8A48-44C2-945F-D2F23F771410} - C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yangling.dll
O2 - BHO: 雅虎助手 - {406F94F0-504F-4a40-8DFD-58B0666ABEBD} - C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yasbar.dll
O2 - BHO: QQBrowserHelperObject Class - {54EBD53A-9BC1-480B-966A-843A333CA162} - C:\Program Files\Tencent\QQ\QQIEHelper.dll
O2 - BHO: YDragSearch - {62EED7C6-9F02-42f9-B634-98E2899E147B} - C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\YDRAGS~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: IE - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - C:\WINDOWS\DOWNLO~1\CnsHook.dll
O3 - IE工具栏增项: MSN 工具栏 - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.2607.0\zh-cn\msntb.dll
O3 - IE工具栏增项: 雅虎助手 - {406F94F0-504F-4a40-8DFD-58B0666ABEBD} - C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yasbar.dll
O3 - IE工具栏增项: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - 启动项HKLM\\Run: [MoveSearch] C:\Program Files\HuaCi\huaci\zsearch.exe
O4 - 启动项HKLM\\Run: [SearchNet_Up] "C:\Program Files\SearchNet\ServeUp.exe"
O4 - 启动项HKLM\\Run: [杀毒] C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe
O4 - 启动项HKLM\\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - IE右键菜单中的新增项目: &使用迅雷下载 - C:\Program Files\Thunder Network\Thunder\geturl.htm
O8 - IE右键菜单中的新增项目: &使用迅雷下载全部链接 - C:\Program Files\Thunder Network\Thunder\getallurl.htm
O8 - IE右键菜单中的新增项目: 导出到 Microsoft Office Excel(&X) - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - IE右键菜单中的新增项目: 雅虎搜索 - res://C:\PROGRA~1\Yahoo!\Assistant\Assist\yasbar.dll/246
O9 - 浏览器额外的按钮: Yahoo 1G电邮 - {507F9113-CD77-4866-BA92-0E86DA3D0B97} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=yahoomail (file missing)
O9 - 浏览器额外的按钮: 寻宝乐趣多 - {59BC54A2-56B3-44a0-93E5-432D58746E26} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=taobao (file missing)
O9 - 浏览器额外的按钮: 雅虎助手 - {5D73EE86-05F1-49ed-B850-E423120EC338} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=yassist (file missing)
O9 - 浏览器额外的按钮: 情景聊天 - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - http://cn.rd.yahoo.com/home/messenger/bjk/clientbtn/?http://cn.messenger.yahoo.com/ (file missing)
O9 - 浏览器额外的“工具”菜单项: 情景聊天 - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - http://cn.rd.yahoo.com/home/messenger/bjk/clientbtn/?http://cn.messenger.yahoo.com/ (file missing)
O9 - 浏览器额外的按钮: (no name) - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=repair (file missing)
O9 - 浏览器额外的“工具”菜单项: 修复浏览器 - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=repair (file missing)
O9 - 浏览器额外的按钮: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - 浏览器额外的“工具”菜单项: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - 浏览器额外的按钮: (no name) - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=clean (file missing)
O9 - 浏览器额外的“工具”菜单项: 清理上网记录 - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://cn.zs.yahoo.com/cnsbutton.htm?source=cns&btn=clean (file missing)
O11 - Options group: [!CNS]  网络实名
O16 - DPF: {62B938C4-4190-4F37-8CF0-A92B0A91CC77} (InfoSecNetSign Class) - https://mybank.icbc.com.cn/icbc/NetSign.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://oa.ghepc.net/domcfg.nsf/swflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4703/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1667C693-1F9C-4088-BC15-8BC9E8666072}: NameServer = 10.1.106.222,202.106.0.20
O17 - HKLM\System\CS1\Services\Tcpip\..\{1667C693-1F9C-4088-BC15-8BC9E8666072}: NameServer = 10.1.106.222,202.106.0.20
O20 - AppInit_DLLs: C:\WINDOWS\system32\SoDAHK.DLL
O23 - NT 服务: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - NT 服务: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - NT 服务: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - NT 服务: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - NT 服务: P4P Service - Sohu.com Inc. - C:\Program Files\P4P\p2psvr.exe
O23 - NT 服务: SCCMonitor - Unknown owner - C:\Program Files\Lenovo\联想智能控制中心\SCC\SCCMonitor.exe
O23 - NT 服务: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe



O2 - BHO: Zhongsou Browser Helper - {2A0176FE-008B-4706-90F5-BBA532A49731} - C:\PROGRA~1\SEARCH~1\SNHpr.dll (file missing)
O4 - 启动项HKLM\\Run: [MoveSearch] C:\Program Files\HuaCi\huaci\zsearch.exe
O4 - 启动项HKLM\\Run: [SearchNet_Up] "C:\Program Files\SearchNet\ServeUp.exe"
The three entries above cannot be removed!
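HijackThis logs like the one above are easiest to work through once each O-line is broken into its section, name and path. The parser below is an added example for this thread, not HijackThis code or the output of any tool mentioned here. Its sample lines are copied from the logs quoted in this thread (including the nvideoGUI service from the earlier analysis), and the triage flags it attaches (file missing, unknown service owner, AppInit_DLLs set, binary directly in the Windows directory) are my own heuristics for ordering an analyst's review, not verdicts.

```python
"""Turn HijackThis O-lines into records and flag the ones worth a second look.

Added example for this thread, not HijackThis code or any tool's output. The
sample lines are copied from the logs quoted in this thread; the triage flags
are my own heuristics (assumption) for ordering review, not verdicts.
"""
import re
from dataclasses import dataclass, field
from pathlib import PureWindowsPath
from typing import List, Optional

LINE_RE = re.compile(r"^(O\d+) - (.*)$")
O4_RE = re.compile(r"^(.*?): \[(.*?)\] (.*)$")          # "<hive>\Run: [name] command"
EXE_RE = re.compile(r'^"?(.+?\.(?:exe|dll|ocx|com))"?(?:\s|$)', re.IGNORECASE)


@dataclass
class Entry:
    section: str             # "O2", "O4", "O23", ...
    label: str               # text between the section and ':' (e.g. "BHO")
    name: Optional[str]      # display name or Run value name
    path: Optional[str]      # file or URL the entry points at
    flags: List[str] = field(default_factory=list)


def _exe_of(command: str) -> str:
    """Strip quotes and arguments from a Run command, keeping the executable."""
    m = EXE_RE.match(command.strip())
    return m.group(1) if m else command.strip()


def _looks_like_path(s: str) -> bool:
    return bool(re.match(r"^[A-Za-z]:\\", s)) or "://" in s


def _in_windows_root(path: str) -> bool:
    """True for files sitting directly in C:\\Windows rather than a subfolder."""
    return str(PureWindowsPath(path).parent).lower() == r"c:\windows"


def parse_line(line: str) -> Optional[Entry]:
    """Parse one HijackThis line; returns None for non-O lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, rest = m.groups()
    flags: List[str] = []
    if rest.endswith("(file missing)"):
        flags.append("file missing")
        rest = rest[: -len("(file missing)")].rstrip()
    if section == "O4":
        m4 = O4_RE.match(rest)
        if not m4:
            return Entry(section, rest, None, None, flags)
        label, name, command = m4.groups()
        path: Optional[str] = _exe_of(command)
    else:
        # Generic shape: "<label>: <name> - <clsid or owner> - <path>"
        label, _, body = rest.partition(": ")
        parts = [p.strip() for p in body.split(" - ")] if body else []
        name = parts[0] if len(parts) > 1 else None
        path = parts[-1] if parts and _looks_like_path(parts[-1]) else None
        if section == "O23" and "Unknown owner" in parts:
            flags.append("unknown owner")
        if section == "O20":
            flags.append("AppInit_DLLs set")
    if path and section in ("O4", "O20", "O23") and _in_windows_root(path):
        flags.append("binary directly in Windows directory")
    return Entry(section, label, name, path, flags)


def triage(text: str) -> List[Entry]:
    """Parse a whole log, dropping headers, process lists and blank lines."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


# Lines copied from the logs quoted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Zhongsou Browser Helper - {2A0176FE-008B-4706-90F5-BBA532A49731} - C:\PROGRA~1\SEARCH~1\SNHpr.dll (file missing)
O4 - 启动项HKLM\\Run: [MoveSearch] C:\Program Files\HuaCi\huaci\zsearch.exe
O4 - 启动项HKLM\\Run: [SearchNet_Up] "C:\Program Files\SearchNet\ServeUp.exe"
O4 - 启动项HKLM\\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O20 - AppInit_DLLs: C:\WINDOWS\system32\SoDAHK.DLL
O23 - NT 服务: Nvidia Graphic Displacement (nvideoGUI) - Unknown owner - C:\windows\nvideogui.exe
O23 - NT 服务: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
"""

if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        mark = " <-- " + ", ".join(e.flags) if e.flags else ""
        print(f"{e.section:>4} {e.name or '-'}: {e.path or '-'}{mark}")
```

Entries that keep reappearing after HijackThis "fixes" them, like the three the poster lists, are usually rewritten by a still-running process or service; sorting the O23 and O4 entries by their flags first tells you which binaries to inspect before trying to delete Run values again.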