After downloading xdelbox, right-click, choose "Import from clipboard", and do not tick "check paths":
c:\windows\system32\anymie360.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sv1D.tmp
C:\WINDOWS\system32\jbdngeno.dll
C:\WINDOWS\system32\nhembgab.dll
C:\WINDOWS\system32\gdhlkoaf.dll
C:\WINDOWS\system32\mhecffpl.dll
C:\WINDOWS\system32\ahimcipk.dll
C:\WINDOWS\system32\gmledajb.dll
C:\WINDOWS\system32\pphggbho.dll
C:\WINDOWS\system32\kadncgng.dll
C:\WINDOWS\system32\nhhnnfhh.dll
C:\WINDOWS\system32\ogjnnpni.dll
C:\WINDOWS\system32\jpokdegf.dll
C:\WINDOWS\system32\pgefcebm.dll
C:\WINDOWS\system32\ldpfepmn.dll
C:\WINDOWS\system32\hohjoeik.dll
C:\WINDOWS\system32\ebafgkca.dll
C:\WINDOWS\system32\sv20.tmp.exe
C:\WINDOWS\system32\sv1F.tmp.exe
c:\windows\System32\Drivers\msiffei.sys
D:\PROGRA~1\SYMANT~1\SYMANT~1\NAVAPEL.SYS
C:\WINDOWS\system32\151973EE.dat
c:\Program Files\Symantec\SYMEVENT.SYS
C:\WINDOWS\system32\DRIVERS\67cc
C:\Program Files\Thunder Network\Thunder\Components\InMedia\peerid.dll
C:\WINDOWS\system32\tbdvcuzbgn.dll
C:\WINDOWS\system32\rbqzxkfgsc.dll
C:\WINDOWS\system32\yyhmsehrfi.dll
C:\WINDOWS\system32\vnqznqehiu.dll
C:\WINDOWS\system32\kegrxamilc.dll
C:\WINDOWS\system32\csrss.dll
C:\WINDOWS\system32\sh07006.dll
C:\WINDOWS\system32\sh08025.dll
C:\WINDOWS\system32\sh28016.dll
C:\WINDOWS\system32\sinx32.dll
C:\WINDOWS\system32\NavLogon.dll
Delete these after the reboot.
Remove these registry startup entries:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
<Alcmtr><anymie360.exe> []
<gem><C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sv1D.tmp> []
In
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<AppInit_DLLs><sinx32.dll,ebafgkca.dll,hohjoeik.dll,ldpfepmn.dll,pgefcebm.dll,jpokdegf.dll,ogjnnpni.dll,nhhnnfhh.dll,kadncgng.dll,pphggbho.dll,gmledajb.dll,ahimcipk.dll,mhecffpl.dll,gdhlkoaf.dll,nhembgab.dll,jbdngeno.dll> []
clear the value inside the angle brackets that follow <AppInit_DLLs>.
In
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
<{3BD70E78-5EC9-47D7-B6FD-CA4BB018CB38}><C:\WINDOWS\system32\jbdngeno.dll> []
<{71E6B0AB-3134-4881-8927-701171F06224}><C:\WINDOWS\system32\nhembgab.dll> []
<{0D1548AF-F075-419A-A0D8-974AF499E400}><C:\WINDOWS\system32\gdhlkoaf.dll> []
<{61ECFF95-07A8-4291-BF7E-12E678B92586}><C:\WINDOWS\system32\mhecffpl.dll> []
<{A126C294-65AE-4D6B-BF98-3AA56A0538BB}><C:\WINDOWS\system32\ahimcipk.dll> []
<{065EDA3B-8544-4988-A9C4-913D0549361D}><C:\WINDOWS\system32\gmledajb.dll> []
<{99100B18-6745-4D99-86E5-C1959119C176}><C:\WINDOWS\system32\pphggbho.dll> []
<{4AD7C070-0EA1-4635-9F40-849C370426BA}><C:\WINDOWS\system32\kadncgng.dll> []
<{71177F11-AA50-4996-B3BB-ECF55B49A8AC}><C:\WINDOWS\system32\nhhnnfhh.dll> []
<{80377972-21A8-4154-ACF6-AE3B6139CE5E}><C:\WINDOWS\system32\ogjnnpni.dll> []
<{3984DE0F-8A61-4EA3-B376-56731CDA0633}><C:\WINDOWS\system32\jpokdegf.dll> []
<{90EFCEB6-E05D-4F02-9ECC-B528DE5C83E0}><C:\WINDOWS\system32\pgefcebm.dll> []
<{5D9FE967-7A0D-4B24-BF8C-944BF2CE41DB}><C:\WINDOWS\system32\ldpfepmn.dll> []
<{18138E24-7440-44D2-AC72-E845FDEFC6FC}><C:\WINDOWS\system32\hohjoeik.dll> []
<{EBAF04CA-BD23-4500-93D5-9740C475237D}><C:\WINDOWS\system32\ebafgkca.dll> []
clear all of the values in this key.
In
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
<WPDShServiceObj><C:\WINDOWS\system32\WPDShServiceObj.dll>
[(Verified)Microsoft Windows Component Publisher]
<3BD70E78><C:\WINDOWS\system32\jbdngeno.dll> []
<71E6B0AB><C:\WINDOWS\system32\nhembgab.dll> []
<0D1548AF><C:\WINDOWS\system32\gdhlkoaf.dll> []
<61ECFF95><C:\WINDOWS\system32\mhecffpl.dll> []
<A126C294><C:\WINDOWS\system32\ahimcipk.dll> []
<065EDA3B><C:\WINDOWS\system32\gmledajb.dll> []
<99100B18><C:\WINDOWS\system32\pphggbho.dll> []
<4AD7C070><C:\WINDOWS\system32\kadncgng.dll> []
<71177F11><C:\WINDOWS\system32\nhhnnfhh.dll> []
<80377972><C:\WINDOWS\system32\ogjnnpni.dll> []
<3984DE0F><C:\WINDOWS\system32\jpokdegf.dll> []
<90EFCEB6><C:\WINDOWS\system32\pgefcebm.dll> []
<5D9FE967><C:\WINDOWS\system32\ldpfepmn.dll> []
<18138E24><C:\WINDOWS\system32\hohjoeik.dll> []
<EBAF04CA><C:\WINDOWS\system32\ebafgkca.dll> []
keep only <WPDShServiceObj><C:\WINDOWS\system32\WPDShServiceObj.dll> in this key and remove the rest.
Delete these services:
[ervice / ervice][Running/Auto Start]
<C:\WINDOWS\system32\sv20.tmp.exe><N/A>
[Provisioning Transaction Service / pangu222][Running/Auto Start]
<C:\WINDOWS\system32\sv1F.tmp.exe><N/A>
[msiffei / msiffei][Stopped/Manual Start]
<System32\Drivers\msiffei.sys><N/A>
Delete these drivers:
[msiffei / msiffei][Stopped/Manual Start]
<System32\Drivers\msiffei.sys><N/A>
[NAVAP / NAVAP][Stopped/Manual Start]
<\??\D:\Program Files\Symantec_Client_Security\Symantec AntiVirus\NAVAP.sys><N/A>
[NAVAPEL / NAVAPEL][Stopped/Auto Start]
<\??\D:\PROGRA~1\SYMANT~1\SYMANT~1\NAVAPEL.SYS><N/A>
[Safe Mon 360 / SafeMon0][Running/System Start]
<\??\C:\WINDOWS\system32\151973EE.dat><N/A>
[SymEvent / SymEvent][Stopped/Manual Start]
<\??\C:\Program Files\Symantec\SYMEVENT.SYS><N/A>
[TKP / TKP][Stopped/Manual Start]
<\??\C:\WINDOWS\system32\DRIVERS\67cc><N/A>
Download the IFEO repair tool and run it:
http://www.mopery.cn/mopery/IFEO重定向劫持修复工具.exe
The system files C:\WINDOWS\system32\userinit.exe and C:\WINDOWS\system32\rpcss.dll are both infected.
Start > Run > dllcache
Find the corresponding files in there and use them to replace the original ones.
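As an added example, not code from the original post or from the tools it names, here is a PowerShell audit of the same persistence locations the cleanup above walks through (Policies\Explorer\Run, AppInit_DLLs, ShellExecuteHooks, ShellServiceObjectDelayLoad, IFEO Debugger values, services and drivers). Run it before and after the reboot to confirm the entries are really gone. It assumes Windows PowerShell on the machine being cleaned; the $KnownBad list is copied from the file names in the post, and the function names and verdict labels are this example's own.

```powershell
# Added example, not code from the original post: audit the persistence locations the
# cleanup above touches so you can confirm the entries are really gone after the reboot.
# Assumes Windows PowerShell on the machine being cleaned. $KnownBad holds the file names
# listed in the post; everything else found is judged by its Authenticode signature.

$KnownBad = @(
    'sinx32.dll','ebafgkca.dll','hohjoeik.dll','ldpfepmn.dll','pgefcebm.dll','jpokdegf.dll',
    'ogjnnpni.dll','nhhnnfhh.dll','kadncgng.dll','pphggbho.dll','gmledajb.dll','ahimcipk.dll',
    'mhecffpl.dll','gdhlkoaf.dll','nhembgab.dll','jbdngeno.dll','csrss.dll','anymie360.exe',
    'sv20.tmp.exe','sv1F.tmp.exe','msiffei.sys','151973EE.dat'
)

function Get-ExecutablePath([string]$CommandLine) {
    # Program part of a command line: the quoted token, or else the first whitespace token.
    $c = $CommandLine.Trim()
    if ($c.StartsWith('"')) {
        $end = $c.IndexOf('"', 1)
        if ($end -gt 1) { return $c.Substring(1, $end - 1) }
    }
    return ($c -split '\s+')[0]
}

function Resolve-ClsidPath([string]$Clsid) {
    # ShellExecuteHooks and SSODL entries are CLSIDs; the DLL is the InProcServer32 default value.
    $item = Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\InProcServer32" -ErrorAction SilentlyContinue
    if ($item -and $item.'(default)') { return [Environment]::ExpandEnvironmentVariables($item.'(default)') }
    return $null
}

function Get-ModuleVerdict([string]$Path) {
    if (-not $Path) { return 'UNRESOLVED' }
    # Strip quotes and the NT object-manager prefix (\??\) that driver ImagePaths carry.
    $p = [Environment]::ExpandEnvironmentVariables($Path.Trim('"')) -replace '^\\\?\?\\', ''
    if (-not [IO.Path]::IsPathRooted($p)) {
        # Bare names (AppInit_DLLs) live in system32; relative driver paths are under %SystemRoot%.
        $p = if ($p -match '\\') { Join-Path $env:SystemRoot $p } else { Join-Path $env:SystemRoot "system32\$p" }
    }
    if ($KnownBad -contains (Split-Path $p -Leaf)) { return 'KNOWN-BAD' }
    if (-not (Test-Path -LiteralPath $p)) { return 'MISSING' }
    $sig = Get-AuthenticodeSignature -FilePath $p
    if ($sig.Status -eq 'Valid') { return "SIGNED:$($sig.SignerCertificate.Subject)" }
    return 'UNSIGNED'
}

function New-Row($Where, $Name, $Path) {
    New-Object PSObject -Property @{ Location = $Where; Name = $Name; Path = $Path; Verdict = (Get-ModuleVerdict $Path) }
}

function Get-PersistenceReport {
    $rows = @()
    $cv = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion'
    $nt = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

    # Policies\Explorer\Run: each value is a command line started at logon.
    $run = Get-ItemProperty -Path "$cv\Policies\Explorer\Run" -ErrorAction SilentlyContinue
    if ($run) {
        foreach ($v in $run.PSObject.Properties | Where-Object { $_.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$' }) {
            $rows += New-Row 'Policies\Explorer\Run' $v.Name (Get-ExecutablePath "$($v.Value)")
        }
    }
    # AppInit_DLLs: comma/space separated list loaded into every process that links user32.dll.
    $ai = (Get-ItemProperty -Path "$nt\Windows" -Name AppInit_DLLs -ErrorAction SilentlyContinue).AppInit_DLLs
    foreach ($d in ("$ai" -split '[,\s]+' | Where-Object { $_ })) { $rows += New-Row 'AppInit_DLLs' $d $d }
    # ShellExecuteHooks and ShellServiceObjectDelayLoad: loaded into explorer.exe by CLSID.
    $seh = Get-Item -Path "$cv\Explorer\ShellExecuteHooks" -ErrorAction SilentlyContinue
    if ($seh) { foreach ($c in $seh.GetValueNames() | Where-Object { $_ }) { $rows += New-Row 'ShellExecuteHooks' $c (Resolve-ClsidPath $c) } }
    $ssodl = Get-Item -Path "$cv\ShellServiceObjectDelayLoad" -ErrorAction SilentlyContinue
    if ($ssodl) { foreach ($n in $ssodl.GetValueNames() | Where-Object { $_ }) { $rows += New-Row 'ShellServiceObjectDelayLoad' $n (Resolve-ClsidPath $ssodl.GetValue($n)) } }
    # Image File Execution Options: a Debugger value silently replaces the named program.
    foreach ($k in Get-ChildItem -Path "$nt\Image File Execution Options" -ErrorAction SilentlyContinue) {
        $dbg = $k.GetValue('Debugger')
        if ($dbg) { $rows += New-Row 'IFEO Debugger' $k.PSChildName (Get-ExecutablePath "$dbg") }
    }
    # Services and kernel drivers, tagged with their current state.
    foreach ($s in Get-WmiObject -Class Win32_Service) { if ($s.PathName) { $rows += New-Row "Service ($($s.State))" $s.Name (Get-ExecutablePath $s.PathName) } }
    foreach ($d in Get-WmiObject -Class Win32_SystemDriver) { if ($d.PathName) { $rows += New-Row "Driver ($($d.State))" $d.Name $d.PathName } }
    return $rows
}

# Show everything that is not carrying a valid embedded Authenticode signature.
Get-PersistenceReport | Where-Object { $_.Verdict -notlike 'SIGNED:*' } | Format-Table Location, Name, Verdict, Path -AutoSize
```

Two caveats when reading the output. Many Microsoft components are catalog-signed rather than embedded-signed, so on older systems they report UNSIGNED; treat that verdict as "look at this", not as proof of infection, and treat KNOWN-BAD and a MISSING entry that still has a registry reference as the things to act on. Services hosted in svchost.exe show the signed svchost binary as their path, so the ServiceDll they actually load is not checked by this script.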