Dropped files
c:\setup.exe
Size: 28,672 bytes
C:\Documents and Settings\user\Local Settings\Temp\rs.bat
Size: 105 bytes
%windir%\system32\microsoft.exe
Size: 28,672 bytes
%windir%\system32\SP00LV.exe
Size: 28,672 bytes
%windir%\system32\drivers\svchost.exe
Size: 28,672 bytes
d:\setup.exe
Size: 28,672 bytes
e:\setup.exe
Size: 28,672 bytes
f:\setup.exe
Size: 28,672 bytes
Contents of rs.bat:
@echo off
:start
if not exist "%1" goto done
del /F "%1"
del "%1"
goto start
:done
del /F %t
The script takes the path to delete as its first argument, loops until the file is gone (so it waits out a still-running process), and then deletes itself; the last line reads %t on the page, where such self-deleting scripts normally use %0.
Registry keys added:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\WinnetCOM+
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Internat"
Type: REG_SZ
Data: C:\windows\system32\microsoft.exe (followed by garbage bytes in the original dump)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "ProgramFiles"
Type: REG_SZ
Data: C:\windows\system32\SP00LV.exe (followed by garbage bytes in the original dump)
Registry values modified:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL "CheckedValue"
Old data: 01,00,00,00 (changed so that Explorer no longer shows hidden files)
New data: 00,00,00,00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#PCI#VEN_8086&DEV_24C5&SUBSYS_4720414C&REV_02#3&13C0B0C5&0&FD#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#Wave\Device Parameters\Mixer (mutes the system audio)
Closes any window whose title contains one of the following strings (the Chinese ones are kept verbatim, with an English gloss in parentheses, since the malware matches the literal text):
安全卫士 (Safety Guard)
扫描 (scan)
专杀 (dedicated removal tool)
注册表 (registry)
process
进程 (process)
毒 (virus, single character)
木马 (trojan)
防御 (defense)
防火墙 (firewall)
病毒 (virus)
检测 (detect)
firewall
virus
anti
金山 (Kingsoft)
江民 (Jiangmin)
卡巴斯基 (Kaspersky)
worm
360
微点 (Micropoint)
micropoint
克星 (nemesis/killer)
广告 (advertisement)
avk
kaspersky
f-secure
escan
Norton
诺顿 (Norton)
mcafee
Virus
panda
熊猫 (Panda)
trojan
Door
AVG
360tray.exe
ravtask.exe
ravstub.exe
ravmond.exe
ravmon.exe
ccenter.exe
rfwstub.exe
rfwproxy.exe
rfwsrv.exe
rfwain.exe
ras.exe
runiep
A quick disassembly turns up the format string: %s\psexec.exe %s -u %s -p %s -c %s\servrr.exe -
It also queries http://tools.hxstat.com/ip/ to obtain its IP address.
Fix:
Use SREng to remove the startup items []
[]
Delete the service [WinnetCOM+ / WinnetCOM+][Stopped / Auto Start]
Delete the files: *:\setup.exe
c:\WINDOWS\system32\microsoft.exe
c:\WINDOWS\system32\SP00LV.exe
c:\WINDOWS\system32\drivers\svchost.exe
Finally, repair the registry.
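The indicators listed above (the two Run values, the SHOWALL "CheckedValue" flip, the WinnetCOM+ service and the dropped files) are enough to write a host check that confirms whether a machine was hit before and after the cleanup steps. The script below is an added example and is not part of the original post: it parses the text format that `reg export` writes (a .reg file) and a path-to-size inventory, and reports every indicator it finds. The registry export and the file inventory embedded in it are constructed to mirror the analysis; on a real host you would feed it the output of `reg export` (written as UTF-16LE, so open it with encoding="utf-16") and an os.walk listing.

```python
import re

# Indicators taken from the analysis above.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
SUSPECT_RUN_VALUES = {"Internat": "microsoft.exe", "ProgramFiles": "SP00LV.exe"}
SHOWALL_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
               r"\Explorer\Advanced\Folder\Hidden\SHOWALL")
SERVICE_KEY_RE = re.compile(
    r"HKEY_LOCAL_MACHINE\\SYSTEM\\(?:CurrentControlSet|ControlSet\d{3})"
    r"\\Services\\WinnetCOM\+", re.I)
DROPPED_NAMES = {"microsoft.exe", "sp00lv.exe", "setup.exe", "rs.bat"}
DRIVERS_SVCHOST_RE = re.compile(r"\\system32\\drivers\\svchost\.exe$", re.I)
DROPPER_SIZE = 28672  # size of every dropped executable in the analysis

# Constructed .reg export, shaped like what `reg export` produces on an infected host.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Internat"="C:\\windows\\system32\\microsoft.exe"
"ProgramFiles"="C:\\windows\\system32\\SP00LV.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\WinnetCOM+]
"ImagePath"="C:\\WINDOWS\\system32\\drivers\\svchost.exe"
"Start"=dword:00000002
"""

# Constructed file inventory: path -> size in bytes.
SAMPLE_FILES = {
    r"C:\setup.exe": 28672,
    r"C:\WINDOWS\system32\microsoft.exe": 28672,
    r"C:\WINDOWS\system32\SP00LV.exe": 28672,
    r"C:\WINDOWS\system32\drivers\svchost.exe": 28672,
    r"C:\WINDOWS\system32\svchost.exe": 14336,          # legitimate location, not flagged
    r"C:\Documents and Settings\user\Local Settings\Temp\rs.bat": 105,
    r"C:\Program Files\SomeApp\setup.exe": 512000,      # ordinary installer, not flagged
}


def _decode_value(raw):
    """Turn the right-hand side of a .reg line into str, int or bytes."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"^hex(?:\([0-9a-f]+\))?:(.*)$", raw, re.I)
    if m:
        return bytes(int(h, 16) for h in m.group(1).split(",") if h.strip())
    return raw


def parse_reg_export(text):
    """Parse a .reg export into {lowercased key: {value name: value}}."""
    reg, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        if line.endswith("\\"):            # hex data continued on the next line
            pending = line[:-1]
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            reg.setdefault(current, {})
            continue
        m = re.match(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$', line)
        if m is None or current is None:
            continue
        name = m.group(1) if m.group(1) is not None else "@"
        reg[current][name] = _decode_value(m.group(2))
    return reg


def _to_int(value):
    if isinstance(value, int):
        return value
    if isinstance(value, bytes):
        return int.from_bytes(value, "little")
    return None


def check_registry(reg):
    """Return a finding string for every registry indicator present."""
    findings = []
    run = reg.get(RUN_KEY.lower(), {})
    for name, exe in SUSPECT_RUN_VALUES.items():
        val = run.get(name)
        if isinstance(val, str) and val.lower().endswith("\\" + exe.lower()):
            findings.append(f"Run value {name!r} -> {val}")
    checked = reg.get(SHOWALL_KEY.lower(), {}).get("CheckedValue")
    if checked is not None and _to_int(checked) == 0:
        findings.append("SHOWALL CheckedValue is 0: hidden files are suppressed")
    findings.extend(f"service key present: {k}" for k in reg if SERVICE_KEY_RE.search(k))
    return findings


def check_files(inventory):
    """Return a finding string for every dropped-file indicator in the inventory."""
    findings = []
    for path, size in inventory.items():
        base = path.rsplit("\\", 1)[-1].lower()
        suspicious = base in DROPPED_NAMES or DRIVERS_SVCHOST_RE.search(path) is not None
        if base == "setup.exe":            # only the drive-root copies are indicators
            suspicious = re.match(r"^[a-z]:\\setup\.exe$", path, re.I) is not None
        if suspicious:
            tag = " (size matches dropper, 28,672 bytes)" if size == DROPPER_SIZE else ""
            findings.append(path + tag)
    return findings


if __name__ == "__main__":
    for line in check_registry(parse_reg_export(SAMPLE_REG_EXPORT)) + check_files(SAMPLE_FILES):
        print("FOUND:", line)
```

Run it once before cleanup to confirm the infection and once after to confirm that the Run values, the service key, the drive-root setup.exe copies and the two system32 binaries are gone and that CheckedValue is back to 1.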