
Trojan-PSW.Win32.Nilage.bcw

22-06-25

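Trojan-PSW.Win32.Nilage.bcw is a Trojan written in Borland Delphi that mainly targets Microsoft Windows systems. It reaches a user's computer through storage media, malicious websites, or download by other viruses and Trojans, and then carries out information theft, ARP spoofing, remote control and similar activity. Common antivirus products have released targeted signature updates and dedicated removal tools.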

Basic information

Chinese name: Trojan-PSW.Win32.Nilage.bcw

Virus type: Trojan

Danger level: 3

Disclosure: fully public

Contents

1 Virus overview

2 File size

3 Affected systems

4 Development tool

5 Packer

6 Description

7 Behavior analysis

8 Removal

Virus overview

Virus name: Trojan-PSW.Win32.Nilage.bcw

Virus type: Trojan

File MD5: 48ABEEBC0D32069184C46A86A4C363D9

Disclosure: fully public

Danger level: 3

File size

33,363 bytes; 120,832 bytes after unpacking

Affected systems

Windows 98 and later

Development tool

Borland Delphi 6.0 - 7.0

Packer

UPX 0.89.6 - 1.02 / 1.05 - 1.22

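Description

The virus spreads widely through removable storage media, malicious websites, and download by other viruses and Trojans. It detects, kills and hijacks antivirus software, firewalls and malware-removal tools, and the "[8 random alphanumerics].dll" that it injects into other processes monitors and protects its registry entries and files. This makes the virus hard to remove and extends its survival. Through the injected "[8 random alphanumerics].dll" the Trojan can record the user's activity in order to steal sensitive information. After it runs, it connects to the network, updates its files, downloads other malware, and carries out information theft, ARP spoofing, remote control and similar activity.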

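Behavior analysis

1. Once activated, the virus copies itself to system directories and to every drive, and drops further files:

Copies of itself:

%Program Files%\Common Files\Microsoft Shared\MSInfo\[8 random alphanumerics].dat
%WINDIR%\Help\[8 random alphanumerics].chm

Dropped files:

%Program Files%\Common Files\Microsoft Shared\MSInfo\[8 random alphanumerics].dll
%WINDIR%\[8 random alphanumerics].hlp
%system%\verclsid.exe.bak (the original verclsid.exe is deleted and a copy, verclsid.exe.bak, is created)

Copies of itself dropped on every drive:

[DRIVE LETTER]:\AutoRun.inf
[DRIVE LETTER]:\[8 random alphanumerics].exe

Note: the random 8-character combination of digits and letters in this infection was 80C88D28.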

2. Startup entries:

(1) Modifies the registry, adding a value under ShellExecuteHooks so that a hook intercepts file-open operations and the malware gets started:

HKLM\SOFTWARE\Classes\CLSID\{88D280C8-80C8-8D28-C88D-0C8D20C88D28}
Value: string: "(Default)" = ""

HKLM\SOFTWARE\Classes\CLSID\{88D280C8-80C8-8D28-C88D-0C8D20C88D28}\InProcServer32\

HKLM\SOFTWARE\Classes\CLSID\{88D280C8-80C8-8D28-C88D-0C8D20C88D28}\InProcServer32
Value: string: "(Default)" = "%ProgramFiles%\Common Files\Microsoft Shared\MSInfo\[8 random alphanumerics].dll"

HKLM\SOFTWARE\Classes\CLSID\{88D280C8-80C8-8D28-C88D-0C8D20C88D28}\InProcServer32
Value: string: "ThreadingModel" = "Apartment"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
Value: string: " " = ""

(2) Modifies the registry to restore the AutoRun function for hard disks and optical drives:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\NoDriveTypeAutoRun
Value: DWORD: 145 (0x91)

It drops an AutoRun.inf file on every drive so that opening the drive runs the "[8 random alphanumerics].exe" file in the same directory. The AutoRun.inf content is:

[AutoRun]
open=80C88D28.exe
shell\open=打开(&O)
shell\open\Command= [8 random alphanumerics].exe
shell\open\Default=1
shell\explore=资源管理器(&X)
shell\explore\Command= [8 random alphanumerics].exe

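3. The "[8 random alphanumerics].dll" is injected into the Explorer.exe process and, from inside Explorer.exe, monitors the registry values the malware wrote, restoring them if they are deleted. It also tries, through hooks, to get the "[8 random alphanumerics].dll" injected into the IEXPLORER.EXE process and into application processes.

4. Monitors and closes the processes and windows of many antivirus products, firewalls and malware-removal tools, as well as antivirus-related websites and even windows containing keywords such as "virus".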


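5. Breaks Safe Mode by deleting the following registry keys:

HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\
HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\

6. Changes a registry value so that hidden files cannot be shown, which hides the malware's own files:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
Value: dword: "CheckedValue"=dword:00000001
Changed to: Value: dword: "CheckedValue"=dword:00000000

7. Adds many hijack entries under Image File Execution Options in the registry, hijacking antivirus software, firewalls, malware-removal tools and related software.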


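The hijacked programs are redirected to the .dat file under C:\Program Files\Common Files\Microsoft Shared\MSInfo\.

8. Changes registry values to disable specific antivirus services and the automatic update function:

HKLM\SYSTEM\ControlSet001\Services\[antivirus service name]\Start
HKLM\SYSTEM\CurrentControlSet\Services\wuauserv\Start
HKLM\SYSTEM\CurrentControlSet\Services\wscsvc\start

9. After it runs, the Trojan connects to the network, updates its files, downloads other malware, and carries out information theft, ARP spoofing, remote control and similar activity.

Note: the random 8-character combination of digits and letters in this infection was 80C88D28.

%System% is a variable path. The virus queries the operating system to determine the location of the current System folder. The default installation path is C:\Winnt\System32 on Windows 2000/NT, C:\Windows\System on Windows 95/98/Me, and C:\Windows\System32 on Windows XP.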
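
The AutoRun changes described in item 2 (2) can be checked offline with a short script. This is an added example, not part of the original analysis: it decodes a NoDriveTypeAutoRun mask and lists the programs an AutoRun.inf would launch. The function names are illustrative, the sample file is the listing from item 2 with this infection's name 80C88D28 filled in, and the 8-character name test is a heuristic.

```python
import re

# NoDriveTypeAutoRun is a bitmask: a SET bit disables AutoRun for that drive type.
DRIVE_TYPE_BITS = {0x01: "unknown", 0x04: "removable", 0x08: "fixed",
                   0x10: "network", 0x20: "cdrom", 0x40: "ramdisk",
                   0x80: "reserved"}

# [AutoRun] keys that start a program: open=, shellexecute=, shell\<verb>\command=
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$", re.I)
# Heuristic (assumption): the page's "8 random digits and letters" + .exe naming.
RANDOM_NAME = re.compile(r"^[0-9A-Za-z]{8}\.exe$")

# Sample input: the AutoRun.inf listing from the page with the name 80C88D28.
SAMPLE_INF = r"""[AutoRun]
open=80C88D28.exe
shell\open=打开(&O)
shell\open\Command= 80C88D28.exe
shell\open\Default=1
shell\explore=资源管理器(&X)
shell\explore\Command= 80C88D28.exe
"""

def autorun_enabled_types(mask):
    """Drive types for which AutoRun stays enabled under this mask."""
    return sorted(n for bit, n in DRIVE_TYPE_BITS.items() if not mask & bit)

def autorun_targets(text):
    """Return {key: command} for each [AutoRun] entry that launches a program."""
    targets, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"
            continue
        if in_section and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if LAUNCH_KEY.match(key):
                targets[key.lower()] = value
    return targets

def suspicious_targets(text):
    """Launch entries whose command matches the random-name heuristic."""
    return {k: v for k, v in autorun_targets(text).items() if RANDOM_NAME.match(v)}

if __name__ == "__main__":
    print(hex(0x91), "leaves AutoRun on for:", autorun_enabled_types(0x91))
    print(suspicious_targets(SAMPLE_INF))
```

The value 0x91 written by the Trojan leaves AutoRun active on removable, fixed, CD-ROM and RAM-disk drives, while 0xFF disables it for every drive type.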

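Removal

1. 安天木马防线 (an Antiy anti-Trojan product) can remove this virus completely (recommended).

2. For manual removal, delete the corresponding files and restore the related system settings according to the behavior analysis.

(1) Use the "Process Management" feature of 安天木马防线 to end the virus process:

mstsc.exe

(2) Force-delete the virus files:

%Program Files%\Common Files\Microsoft Shared\MSInfo\XXXXXXXX.dat
%Program Files%\Common Files\Microsoft Shared\MSInfo\XXXXXXXX.dll
%WINDIR%\Help\XXXXXXXX.chm
%WINDIR%\XXXXXXXX.hlp
[DRIVE LETTER]:\AutoRun.inf
[DRIVE LETTER]:\XXXXXXXX.exe

(3) Restore the registry entries the virus modified and delete the registry entries it added:

HKLM\SOFTWARE\Classes\CLSID\
Value: string: "(Default)" = ""

HKLM\SOFTWARE\Classes\CLSID\
\InProcServer32\

HKLM\SOFTWARE\Classes\CLSID\
\InProcServer32
Value: string: "(Default)" = "%ProgramFiles%\Common Files\Microsoft Shared\MSInfo\XXXXXXXX.dll"

HKLM\SOFTWARE\Classes\CLSID\
\InProcServer32
Value: string: "ThreadingModel" = "Apartment"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
Value: string: " " = ""

(4) Remove the .bak suffix from %system%\verclsid.exe.bak so that it becomes:

%system%\verclsid.exe

(5) Make hidden files visible again:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
Value: dword: "CheckedValue"=dword:00000000
Change to: Value: dword: "CheckedValue"=dword:00000001

(6) Delete the hijack entries that were added under Image File Execution Options, at:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

(7) Restore the Safe Mode registry keys, re-enable the affected antivirus services and the automatic update function, and delete the virus files it downloaded.

(8) Apply immunization: create autorun.ini and autorun.inf files in the root directory of every drive and set their attributes so that they cannot be deleted or written.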
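
Step (6) can be verified by exporting the Image File Execution Options branch (for example with reg export) and scanning it for Debugger values, the value IFEO uses to redirect a program's launch. This is an added example, not from the original page: the function names are illustrative, and the sample export is constructed from image names and the .dat path given in behavior item 7.

```python
import re
from collections import defaultdict

IFEO = r"\image file execution options" + "\\"
KEY_RE = re.compile(r"^\[(.+)\]$")
DBG_RE = re.compile(r'^"Debugger"="(.*)"$', re.I)

# Constructed sample in .reg export syntax (backslashes in values are doubled).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe]
"Debugger"="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\80C88D28.dat"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IceSword.exe]
"Debugger"="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\80C88D28.dat"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe]
"Debugger"="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\80C88D28.dat"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\myapp.exe]
"Debugger"="C:\\Tools\\dbg.exe"
"""

def ifeo_debuggers(reg_text):
    """Map each Debugger command (lower-cased) to the images redirected to it."""
    by_target, image = defaultdict(list), None
    for line in reg_text.splitlines():
        line = line.strip()
        key = KEY_RE.match(line)
        if key:
            path = key.group(1)
            pos = path.lower().find(IFEO)
            image = path[pos + len(IFEO):] if pos != -1 else None
            continue
        dbg = DBG_RE.match(line)
        if image and dbg:
            target = re.sub(r"\\(.)", r"\1", dbg.group(1))  # undo .reg escaping
            by_target[target.lower()].append(image)
    return {t: sorted(imgs) for t, imgs in by_target.items()}

def mass_hijacks(reg_text, threshold=3):
    """Debugger targets shared by at least `threshold` images (mass redirect)."""
    return {t: imgs for t, imgs in ifeo_debuggers(reg_text).items()
            if len(imgs) >= threshold}

if __name__ == "__main__":
    for target, images in mass_hijacks(SAMPLE_REG).items():
        print(len(images), "images redirected to", target)
```

Files written by regedit or reg export are UTF-16, so read them with that encoding before passing the text in; after a successful cleanup mass_hijacks should return an empty result.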
