一、将以下8个文件改名为1.dll、2.dll、……8.dll,然后重启进入安全模式(进不了安全模式就进入正常模式)
[C:\WINDOWS\system32\mxaman.dll] [N/A, ]
[C:\WINDOWS\system32\ztmpri.dll] [N/A, ]
[C:\WINDOWS\system32\wlhpri.dll] [N/A, ]
[C:\WINDOWS\system32\zxipri.dll] [N/A, ]
[C:\WINDOWS\system32\jzipri.dll] [N/A, ]
[C:\WINDOWS\system32\qhepri.dll] [N/A, ]
[C:\WINDOWS\system32\dhdpri.dll] [N/A, ]
[C:\WINDOWS\system32\WinFormA5.dll] [N/A, ]
二、用SRENG扫描工具删除以下三部分的注册表值项:
1、[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<tqbwxhb><C:\Program Files\Common Files\System\ejxytov.exe> [N/A]
<yxyiete><C:\Program Files\Common Files\Microsoft Shared\vvmuhca.exe> [N/A]
<RAVGJMON><C:\Program Files\Internet Explorer\RAVGJMON.exe> []
<RAVWDMON><C:\Program Files\Internet Explorer\RAVWDMON.exe> []
<TIMHost><C:\WINDOWS\TIMHost.exe> []
2、[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
<{1231A43A-1642-641A-64FD-146ADAB223B1}><C:\WINDOWS\system32\mxaman.dll> []
<{5182C1EB-375C-573D-1F5E-234552345215}><C:\WINDOWS\system32\wlhpri.dll> []
<{42311A42-AC1B-158F-FD32-5674345F23A4}><C:\WINDOWS\system32\dhdpri.dll> []
<{56368135-64FA-BC34-DA32-DCF4FD431C95}><C:\WINDOWS\system32\qhepri.dll> []
<{D1351752-5628-1547-FFAB-BADC13512AFD}><C:\WINDOWS\system32\ztmpri.dll> []
<{959AFD5B-159F-ACD8-954C-ACD545FA6589}><C:\WINDOWS\system32\jzipri.dll> []
<{9A65498A-7653-9801-1647-987114AB7F49}><C:\WINDOWS\system32\zxipri.dll> []
<{A12BC423-3713-224D-3F55-32B35C62B11A}><C:\WINDOWS\system32\WinFormA5.dll> []
3、日志上所有类似[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.exe]<IFEO[360rpt.exe]><C:\Program Files\Common Files\Microsoft Shared\vvmuhca.exe> [N/A]所有IFEO劫持注册表值项。
此外,请SRENG扫描工具编辑[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows] <AppInit_DLLs>的数值数据为空(即删除zxipri.dll这个字符串)
==================================
三、用SRENG扫描工具删除以下服务
[WMI Performance API / WMIApiSrv][Stopped/Auto Start]
<C:\WINDOWS\system32\rundll32.exe WMIApiSrv.dll,input><Microsoft Corporation>
[Win32 Debug Service / MSDebugsvc][Stopped/Auto Start]
<C:\WINDOWS\system32\rundll32.exe msdebug.dll,input><Microsoft Corporation>
==================================
四、重启电脑删除以下文件:
C:\WINDOWS\TIMHost.exe
C:\Program Files\Internet Explorer\RAVWDMON.exe
C:\Program Files\Internet Explorer\RAVGJMON.exe
C:\Program Files\Common Files\Microsoft Shared\vvmuhca.exe
C:\Program Files\Common Files\System\ejxytov.exe
[C:\WINDOWS\system32\mxaset.exe] [N/A, ]
[C:\WINDOWS\system32\4.exe] [N/A, ]
[C:\WINDOWS\system32\wlhins.exe] [N/A, ]
[C:\WINDOWS\system32\WinFormA5.exe] [N/A, ]
[C:\WINDOWS\system32\dhdins.exe] [N/A, ]
[C:\WINDOWS\system32\qheins.exe] [N/A, ]
[C:\WINDOWS\system32\ztmins.exe] [N/A, ]
[C:\WINDOWS\system32\jziins.exe] [N/A, ]
[C:\WINDOWS\system32\zxiins.exe] [N/A, ]
[C:\Program Files\Internet Explorer\RAVWDMON.DAT] [N/A, ]
[C:\Program Files\Internet Explorer\RAVGJMON.DAT] [N/A, ]
[C:\WINDOWS\system32\1.dll] [N/A, ]
[C:\WINDOWS\system32\2.dll] [N/A, ]
[C:\WINDOWS\system32\3.dll] [N/A, ]
[C:\WINDOWS\system32\4.dll] [N/A, ]
[C:\WINDOWS\system32\5.dll] [N/A, ]
[C:\WINDOWS\system32\6.dll] [N/A, ]
[C:\WINDOWS\system32\7.dll] [N/A, ]
[C:\WINDOWS\system32\8.dll] [N/A, ]
[C:\WINDOWS\system32\TIMHost.dll] [N/A, ]
[C:\WINDOWS\system32\msdebug.dll] [N/A, ]
[C:\WINDOWS\system32\WMIApiSrv.dll] [N/A, ]
[C:\WINDOWS\winow.dll] [N/A, ]
D:\Autorun.inf
D:\yxyiete.exe
E:\Autorun.inf
E:\yxyiete.exe
F:\Autorun.inf
F:\yxyiete.exe
说明:
1、关于用SRENG扫描工具对注册表、服务、驱动进行操作的方法,可以参考下帖,不再多说了:http://hi.baidu.com/teyqiu/blog/item/f706213fc52346ec54e72351.html
2、操作过程中,不得以任何访问D、E、F这三个驱动器,否则一切重来。删除这些不能访问的驱动器上的文件,可以用系统的“开始--搜索--文件和文件夹”命令完成寻找和删除任务。
