Removal procedure for Worm.Win32.AutoRun.eee
1. Use Antiy Defense Line (安天防线) to remove this virus completely (recommended).
2. For manual removal, delete the files listed in the behavior analysis and restore the related system settings, as follows.
(1) Use the "Process Manager" in Antiy Defense Line or ATool to terminate the virus processes:
Forcibly terminate any process running from the following paths:
%System32%\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\Global.exe
%System32%\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\svchost.exe
%System32%\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe
(2) Forcibly delete the virus files:
%DriveLetter%\autorun.inf
%Temp%\~DF7634.tmp
%Temp%\~DF8840.tmp
%Temp%\~DF9A47.tmp
%DriveLetter%\MS-DOS.com
%Windir%\Cursors\Boom.vbs
%Windir%\Fonts\Fonts.exe
%Windir%\Fonts\tskmgr.exe
%Windir%\Media\rndll32.pif
%Windir%\pchealth\Global.exe
%Windir%\pchealth\helpctr\binaries\HelpHost.com
%Windir%\system\KEYBOARD.exe
%System32%\dllcache\autorun.inf
%System32%\dllcache\Default.exe
%System32%\dllcache\Global.exe
%System32%\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\Global.exe
%System32%\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\svchost.exe
%System32%\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe
%System32%\dllcache\rndll32.exe
%System32%\dllcache\svchost.exe
%System32%\dllcache\tskmgr.exe
%System32%\drivers\drivers.cab.exe
%System32%\regedit.exe
(3) Restore the registry entries the virus modified, and delete the registry entries the virus added:

HKEY_CURRENT_USER\Control Panel\Desktop\SCRNSAVE.EXE
New: String: C:\WINDOWS\pchealth\helpctr\binaries\HelpHost.com
Old: String: C:\WINDOWS\system32\logon.scr
Description: sets the screen saver to a virus file

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden
New: DWORD: 0 (0)
Old: DWORD: 1 (0x1)
Description: makes hidden files invisible in folder views

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSCFile\Shell\Open\Command\@
New: String: C:\WINDOWS\Fonts\Fonts.exe
Old: String: %SystemRoot%\system32\mmc.exe %1
Description: modified so that the virus runs when mmc.exe is entered in the Run dialog

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\regfile\shell\open\command\@
New: String: C:\WINDOWS\pchealth\Global.exe
Old: String: regedit.exe %1
Description: modified so that the virus runs when regedit.exe is entered in the Run dialog

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\@
Value: String: C:\WINDOWS\system32\dllcache\Default.exe
Description: adds a startup entry

HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\WINDOWS\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\Global.exe
Value: String: Global
Description: adds a startup entry

HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\WINDOWS\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\svchost.exe
Value: String: svchost
Description: adds a startup entry

HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\WINDOWS\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe
Value: String: system
Description: adds a startup entry

HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System\Scripts\Logoff\0\0\Script
Value: String: C:\WINDOWS\Cursors\Boom.vbs
Description: runs the virus script when the user logs off

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\auto.exe\Debugger
Value: String: C:\WINDOWS\system32\drivers\drivers.cab.exe
Description: adds an image hijacking (IFEO Debugger) entry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe\Debugger
Value: String: C:\WINDOWS\Fonts\fonts.exe
Description: adds an image hijacking (IFEO Debugger) entry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger
Value: String: C:\WINDOWS\Media\rndll32.pif
Description: adds an image hijacking (IFEO Debugger) entry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger
Value: String: C:\WINDOWS\pchealth\helpctr\binaries\HelpHost.com
Description: adds an image hijacking (IFEO Debugger) entry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger
Value: String: C:\WINDOWS\Fonts\tskmgr.exe
Description: adds an image hijacking (IFEO Debugger) entry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\sys
Value: String: C:\WINDOWS\Fonts\Fonts.exe
Description: adds a startup entry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\@
Value: String: C:\WINDOWS\system\KEYBOARD.exe
Description: adds a startup entry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\@
Value: String: C:\WINDOWS\system32\dllcache\Default.exe
Description: adds a startup entry

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Shutdown\0\0\Script
Value: String: C:\WINDOWS\Cursors\Boom.vbs
Description: runs the virus script at system shutdown

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Startup\0\0\Script
Value: String: C:\WINDOWS\Cursors\Boom.vbs
Description: runs the virus script at system startup
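The following PowerShell script is an added example and is not part of the Antiy advisory or its tools. It audits a host for the process, file and registry indicators listed in steps (1) to (3); run without switches it only reports, and with -Restore it terminates the processes, deletes the files, and restores or removes the registry values using the "Old" values the advisory records. It assumes the advisory's placeholders map as %Windir% = $env:SystemRoot, %System32% = $env:SystemRoot\system32, %Temp% = $env:TEMP and %DriveLetter% = the root of every mounted drive, and it compares registry data against the literal C:\WINDOWS paths as written above. It must run elevated and as the user whose HKCU hive was modified.

```powershell
# Added example (not from the Antiy advisory): audit for, and optionally undo,
# the Worm.Win32.AutoRun.eee changes listed in steps (1)-(3).
# Assumed placeholder mapping: %Windir%->$env:SystemRoot, %System32%->system32
# under it, %Temp%->$env:TEMP, %DriveLetter%->every mounted drive root.
[CmdletBinding()]
param([switch]$Restore)

$win   = $env:SystemRoot
$sys32 = Join-Path $win 'system32'
# The dropper folder is named with the Recycle Bin CLSID, so Explorer shows it as a Recycle Bin.
$recycler = Join-Path $sys32 'dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}'

# --- Step (1): processes started from the dropped binaries ---------------------
$procPaths = 'Global.exe','svchost.exe','system.exe' | ForEach-Object { Join-Path $recycler $_ }
$running = Get-Process | Where-Object { $_.Path -and ($procPaths -contains $_.Path) }
foreach ($p in $running) {
    Write-Warning "Virus process running: $($p.Path) (PID $($p.Id))"
    if ($Restore) { Stop-Process -Id $p.Id -Force }
}

# --- Step (2): dropped files -----------------------------------------------------
$files = @(
    "$env:TEMP\~DF7634.tmp", "$env:TEMP\~DF8840.tmp", "$env:TEMP\~DF9A47.tmp",
    "$win\Cursors\Boom.vbs", "$win\Fonts\Fonts.exe", "$win\Fonts\tskmgr.exe",
    "$win\Media\rndll32.pif", "$win\pchealth\Global.exe",
    "$win\pchealth\helpctr\binaries\HelpHost.com", "$win\system\KEYBOARD.exe",
    "$sys32\dllcache\autorun.inf", "$sys32\dllcache\Default.exe", "$sys32\dllcache\Global.exe",
    "$sys32\dllcache\rndll32.exe", "$sys32\dllcache\svchost.exe", "$sys32\dllcache\tskmgr.exe",
    "$sys32\drivers\drivers.cab.exe", "$sys32\regedit.exe"
) + $procPaths
# %DriveLetter%\autorun.inf and %DriveLetter%\MS-DOS.com: check every mounted drive root.
foreach ($d in Get-PSDrive -PSProvider FileSystem) {
    $files += "$($d.Root)autorun.inf", "$($d.Root)MS-DOS.com"
}
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) {
        Write-Warning "Virus file present: $f"
        if ($Restore) { Remove-Item -LiteralPath $f -Force }
    }
}

# --- Step (3): registry ----------------------------------------------------------
# Each entry: key, value name, the data the virus writes (Bad), and the restore
# action: Old = the advisory's original data, $null = delete the value the virus added.
$guidDir = 'C:\WINDOWS\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}'
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$entries = @(
    @{ Key='HKCU:\Control Panel\Desktop'; Name='SCRNSAVE.EXE'; Bad='C:\WINDOWS\pchealth\helpctr\binaries\HelpHost.com'; Old='C:\WINDOWS\system32\logon.scr' },
    @{ Key='HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name='ShowSuperHidden'; Bad=0; Old=1 },
    @{ Key='HKLM:\SOFTWARE\Classes\MSCFile\Shell\Open\Command'; Name='(default)'; Bad='C:\WINDOWS\Fonts\Fonts.exe'; Old='%SystemRoot%\system32\mmc.exe %1' },
    @{ Key='HKLM:\SOFTWARE\Classes\regfile\shell\open\command'; Name='(default)'; Bad='C:\WINDOWS\pchealth\Global.exe'; Old='regedit.exe %1' },
    @{ Key='HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'; Name='(default)'; Bad='C:\WINDOWS\system32\dllcache\Default.exe'; Old=$null },
    @{ Key='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'; Name='(default)'; Bad='C:\WINDOWS\system32\dllcache\Default.exe'; Old=$null },
    @{ Key='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'; Name='(default)'; Bad='C:\WINDOWS\system\KEYBOARD.exe'; Old=$null },
    @{ Key='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run'; Name='sys'; Bad='C:\WINDOWS\Fonts\Fonts.exe'; Old=$null },
    @{ Key='HKCU:\Software\Policies\Microsoft\Windows\System\Scripts\Logoff\0\0'; Name='Script'; Bad='C:\WINDOWS\Cursors\Boom.vbs'; Old=$null },
    @{ Key='HKLM:\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Shutdown\0\0'; Name='Script'; Bad='C:\WINDOWS\Cursors\Boom.vbs'; Old=$null },
    @{ Key='HKLM:\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Startup\0\0'; Name='Script'; Bad='C:\WINDOWS\Cursors\Boom.vbs'; Old=$null },
    @{ Key="$ifeo\auto.exe";     Name='Debugger'; Bad='C:\WINDOWS\system32\drivers\drivers.cab.exe'; Old=$null },
    @{ Key="$ifeo\boot.exe";     Name='Debugger'; Bad='C:\WINDOWS\Fonts\fonts.exe'; Old=$null },
    @{ Key="$ifeo\msconfig.exe"; Name='Debugger'; Bad='C:\WINDOWS\Media\rndll32.pif'; Old=$null },
    @{ Key="$ifeo\procexp.exe";  Name='Debugger'; Bad='C:\WINDOWS\pchealth\helpctr\binaries\HelpHost.com'; Old=$null },
    @{ Key="$ifeo\taskmgr.exe";  Name='Debugger'; Bad='C:\WINDOWS\Fonts\tskmgr.exe'; Old=$null }
)
# MUICache entries: the value name is the full path of the dropped binary, the data its base name.
foreach ($n in 'Global.exe','svchost.exe','system.exe') {
    $entries += @{ Key='HKCU:\Software\Microsoft\Windows\ShellNoRoam\MUICache'; Name="$guidDir\$n";
                   Bad=[IO.Path]::GetFileNameWithoutExtension($n); Old=$null }
}
foreach ($e in $entries) {
    $cur = (Get-ItemProperty -Path $e.Key -Name $e.Name -ErrorAction SilentlyContinue).($e.Name)
    if ($null -eq $cur -or "$cur" -ne "$($e.Bad)") { continue }   # value absent or not the infected data
    Write-Warning "Registry tampered: $($e.Key)\$($e.Name) = $cur"
    if (-not $Restore) { continue }
    if ($null -eq $e.Old) { Remove-ItemProperty -Path $e.Key -Name $e.Name }
    else { Set-ItemProperty -Path $e.Key -Name $e.Name -Value $e.Old }
}
```

Run it first without -Restore and review the warnings; a registry value is only touched when its current data matches the infected data recorded above, so legitimate settings that happen to live under the same keys are left alone. The order (processes, then files, then registry) matters: the IFEO Debugger entries redirect taskmgr.exe, msconfig.exe, procexp.exe and regedit.exe to the dropped files, so removing the files before clearing those entries would leave those tools failing to launch until step (3) completes, and clearing the registry before killing the processes would let a running copy rewrite it.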