遇一中毒贼深的电脑

更新：这篇可能需要可终于搞掂Caepero.dll 配合使用。

病毒多的都写不下了。嗨，服了。

还是列些主要的吧：
//服务里都被添加了

HKLM/System/CurrentControlSet/Services
+ 148F06D4 B32B22A0 Microsoft Corporation c:/windows/system32/59f3e12c.exe
+ 3584E332 BCD57646 c:/windows/system32/e9711700.exe

//ati2evxx.dll也被利用了

HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/Run
+ AVPSrv c:/windows/avpsrv.exe
+ cmdbcs c:/windows/cmdbcs.exe
+ DbgHlp32 c:/windows/dbghlp32.exe
+ Kvsc3 c:/windows/kvsc3.exe
+ LotusHlp c:/windows/lotushlp.exe
+ mppds c:/windows/mppds.exe
+ msccrt c:/windows/msccrt.exe
+ MsIMMs32 c:/windows/msimms32.exe
+ MsPrint32D c:/windows/msprint32d.exe
+ NAVMon32 c:/windows/navmon32.exe
+ NVDispDrv c:/windows/kycvcu.exe
+ PTSShell c:/windows/ptsshell.exe
+ RegSrv64D c:/windows/regsrv64d.exe
+ SHAProc c:/windows/shaproc.exe
+ SSLDyn c:/windows/ssldyn.exe
+ upxdnd c:/windows/upxdnd.exe
+ WinForm c:/windows/winform.exe
+ WINSvr32 c:/windows/winsvr32.exe
+ WinSysM File not found: C:/WINDOWS/533931M.exe
+ WSockDrv32 c:/windows/oqedrh.exe

HKLM/Software/Microsoft/Windows/CurrentVersion/Explorer/ShellExecuteHooks
+ avwgimn.dll c:/windows/fonts/avwgimn.dll
+ avwljmn.dll c:/windows/fonts/avwljmn.dll
+ avzxnmn.dll c:/windows/fonts/avzxnmn.dll
+ ekrxglrzyzj.dll Windows XP MSPLAY API DLL Microsoft Corporation c:/windows/system32/ekrxglrzyzj.dll
+ gjcsdyc.dll c:/windows/fonts/gjcsdyc.dll
+ gjfhbyc.dll c:/windows/fonts/gjfhbyc.dll
+ gjtmbyc.dll c:/windows/fonts/gjtmbyc.dll
+ IGB_DJOL_1007.dll c:/windows/system32/igb_djol_1007.dll
+ IGB_DJOL_1009.dll c:/windows/system32/igb_djol_1009.dll
+ jsqsbyc.dll c:/windows/system32/jsqsbyc.dll
+ jsqxbyc.dll File not found: C:/WINDOWS/Fonts/jsqxbyc.dll
+ jsqxcyc.dll c:/windows/fonts/jsqxcyc.dll
+ kaqhmzy.dll c:/windows/fonts/kaqhmzy.dll
+ kawdizy.dll c:/windows/system32/kawdizy.dll
+ kvdxsmma.dll File not found: C:/WINDOWS/system32/kvdxsmma.dll
+ kvdxsoma.dll c:/windows/fonts/kvdxsoma.dll
+ raqjkpi.dll File not found: C:/WINDOWS/system32/raqjkpi.dll
+ raqjlpi.dll File not found: C:/WINDOWS/Fonts/raqjlpi.dll
+ raqjmpi.dll c:/windows/fonts/raqjmpi.dll
+ rarjfpi.dll c:/windows/fonts/rarjfpi.dll
+ rsjzbpm.dll c:/windows/fonts/rsjzbpm.dll
+ rsmyjpm.dll c:/windows/system32/rsmyjpm.dll
+ rsztnpm.dll c:/windows/system32/rsztnpm.dll
+ swrcfzc.dll File not found: C:/WINDOWS/system32/swrcfzc.dll
+ swrcgzc.dll c:/windows/fonts/swrcgzc.dll
+ wn_sys8x.sys c:/program files/internet explorer/plugins/wn_sys8x.sys
+ wsmsezx.dll File not found: C:/WINDOWS/system32/wsmsezx.dll
+ wsmsfzx.dll c:/windows/fonts/wsmsfzx.dll

等等，不再写了。

C:/windows/fonts文件夹中有许多隐藏的dll和exe文件，这都是病毒，在windows任务管理器中是看不到的，需要使用命令行模式查看，命令"dir /ah *.dll *.exe"查看，删除命令"del /ah *.dll *.exe",很可能还删不掉，病毒也不是那么容易删除的。
C:/windows/system32中也有N多绝大部分都是6个随机字符串的dll文件，还有K*.exe，文件名类似于windows的补丁文件，初此之外还有。
C:/windows目录下也是一堆病毒。

File C:/Program Files/Common Files/System/mgmtapi.acm is infected by Win32:Adware-gen [Adw], Moved to chest
File C:/Program Files/Common Files/System/msaudi32.acm is infected by Win32:Hupigon-ENQ [Trj], Moved to chest
File C:/Program Files/Common Files/System/msg80.acm is infected by Win32:Adware-gen [Adw], Moved to chest
File C:/Program Files/Internet Explorer/IEXPLORE32.Sys is infected by Win32:Delf-DUO [Trj], Moved to chest
File C:/Program Files/Internet Explorer/PLUGINS/Wn_Sys8x.Sys is infected by Win32:Delf-FZG [Trj], Moved to chest
File C:/RECYCLER/S-1-5-21-1292428093-1788223648-1417001333-1003/Dc112.exe/[Upack] is infected by Win32:Agent-LSI [Trj], Moved to chest 这里有一对Dc*文件，全是病毒。

File C:/WINDOWS/system32/MCI32.dll is infected by Win32:Hupigon-ENQ [Trj], Moved to chest
File C:/WINDOWS/system32/MCI321.dll is infected by Win32:Hupigon-ENQ [Trj], Moved to chest
File C:/WINDOWS/system32/mscat.dll is infected by Win32:Adware-gen [Adw], Moved to chest
File C:/WINDOWS/system32/mscat1.dll is infected by Win32:Adware-gen [Adw], Moved to chest
File C:/WINDOWS/system32/mmtask.dll is infected by Win32:Adware-gen [Adw], Moved to chest
File C:/WINDOWS/system32/mmtask1.dll is infected by Win32:Adware-gen [Adw], Moved to chest
File C:/WINDOWS/system32/n1197187301k.exe/[Upack] is infected by Win32:AutoRun-IC, Moved to chest
File C:/WINDOWS/system32/n1197978886k.exe/[NsPack] is infected by Win32:AutoRun-IC, Moved to chest
File C:/WINDOWS/system32/PTSShell.dll is infected by Win32:Agent-CNF [Trj], Moved to chest
File C:/WINDOWS/system32/scvhost.exe/[Upack] is infected by Win32:Small-GXN [Trj], Moved to chest
File D:/Documents and Settings/jinru/Local Settings/Temp/ch100.exe is infected by Win32:Trojan-gen {Other}, Moved to chest
File D:/System Volume Information/_restore{7F62705C-139B-4229-B6BC-06033E80223D}/RP3/A0000362.dll is infected by Win32:Trojan-gen {Other}, Moved to chest
File D:/System Volume Information/_restore{7F62705C-139B-4229-B6BC-06033E80223D}/RP3/A0000776.exe is infected by Win32:Trojan-gen {VC}, Moved to chest
File D:/System Volume Information/_restore{7F62705C-139B-4229-B6BC-06033E80223D}/RP54/A0003022.dll is infected by Win32:Trojan-gen {Other}, Moved to chest
File D:/System Volume Information/_restore{7F62705C-139B-4229-B6BC-06033E80223D}/RP60/A0010381.dll is infected by Win32:Loof-B [Trj], Moved to chest
File D:/System Volume Information/_restore{7F62705C-139B-4229-B6BC-06033E80223D}/RP60/A0010638.exe is infected by Win32:Adware-gen [Adw], Moved to chest
File C:/WINDOWS/system32/drivers/cdnprot.sys is infected by Win32:Adware-gen [Adw], Moved to chest
File C:/WINDOWS/system32/drivers/ndsgqb.sys is infected by Win32:Agent-KHP [Trj], Moved to chest
File C:/WINDOWS/system32/BCD57646.DLL is infected by Win32:AutoRun-IC, Moved to chest
File C:/WINDOWS/533931MM.DLL is infected by Win32:OnLineGames-BOM [Trj], Moved to chest

。。
不写了，总之，安装Avast杀毒软件后，执行开机扫描杀毒，能得到比这个多得多的病毒列表，这只是其中一部分。当然，auto.exe/autorun.inf是少不了的.

恶意木马分析及清除：mscat1.dll,mci321.dll,mmtask1.dll,Proc.sys

另外注意这个File C:/WINDOWS/system32/Caepero.dll is infected by Win32:Zbot-D [Trj], Deleted，删不掉。使用冰刃也删不掉，不知道这是什么东东，会添加到AppInit_dlls中。

更新：怎样彻底干掉Caepero.dll 终于搞掂Caepero.dll