昨天晚上就中了,没以为有什么了不起,没理他,找到病毒文件,C:\WINNT\system32\drivers\exoowk26.sys 换操作系统;改名字。ok;搞定。 |56fw<X�=�
o~RWW)9Ut
今天白天看这么多帖子,也没注意,我今天一直用xp;刚刚回家,开2000,才发现,哦,昨天中的就是它。 n��9b��%FT
��iw��g�QK
这个病毒文件大小是14.8kB, 15232字节,版本说明:disk driver;产品名称:Microsoft(R) Windows(R) Operating System ��Kd�/1W�d
c��3SK$y*H
还有,此文件是8位sys 文件位于\system32\drivers\目录下,后2位是数字,用unlocker删除;或进dos删除。 ��;'8�Q|$L
St>��_09eZ
重要补充:此文件在system32目录下还有一个同名dll文件,一起删除。大小:52kB 53248字节 版本说明:Battery Meter Helper DLL m#�fK9Y#
wX��y�HX>�
��A��2-6!�
加载到注册表的项: O!da6AoB�i
8�7`X2�)�[
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\exoowk26] QWJCW��B�*
"Type"=dword:00000001 �O`9�e�nR:
"Start"=dword:00000000 x�70�}��+�
"ErrorControl"=dword:00000001 gu�QRk9|eF
"ImagePath"=hex(2):53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,\ u,Xz�[G2J
52,00,49,00,56,00,45,00,52,00,53,00,5c,00,65,00,78,00,6f,00,6f,00,77,00,6b,\ 6=ek`OTE{`
00,32,00,36,00,2e,00,73,00,79,00,73,00,00,00 �eKy2I9qpA
"DisplayName"="exoowk26" ��)&���z*�
"Group"="System Bus Extender" @7M�-]1�Zg
cAYd�lj;|\
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\exoowk26\Security] Ey�g87&j�F
"Security"=hex:01,00,14,80,a0,00,00,00,ac,00,00,00,14,00,00,00,30,00,00,00,02,\ �:0ygf�r
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\ ��Fj��*J*p
00,00,02,00,70,00,04,00,00,00,00,00,18,00,fd,01,02,00,01,01,00,00,00,00,00,\ �GN4�4�yD
05,12,00,00,00,00,00,00,00,00,00,1c,00,ff,01,0f,00,01,02,00,00,00,00,00,05,\ �Fa@�vu�"S
20,00,00,00,20,02,00,00,d2,33,bc,8e,00,00,18,00,8d,01,02,00,01,01,00,00,00,\ �)��l�-�!
00,00,05,0b,00,00,00,20,02,00,00,00,00,1c,00,fd,01,02,00,01,02,00,00,00,00,\ x���s�K�<w
00,05,20,00,00,00,23,02,00,00,d2,33,bc,8e,01,01,00,00,00,00,00,05,12,00,00,\ (�=<aqr5�W
00,01,01,00,00,00,00,00,05,12,00,00,00 k}p=/�X�`r
N0\3dch:k�
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\exoowk26\Enum] "Xbf"�0C(7
"0"="Root\\LEGACY_EXOOWK26\\0000" �9�^8�C[UL
"Count"=dword:00000001 |qi�w.NpqR
"NextInstance"=dword:00000001 Ztz��l\�,�
ydy��S�>�L
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\exoowk26] IfX]cXH2�q
"Type"=dword:00000001 g8)y:��]J�
"Start"=dword:00000000 W-O6'65SV
"ErrorControl"=dword:00000001 aVRQ�R�q�5
"ImagePath"=hex(2):53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,\ HN:cGj(<"�
52,00,49,00,56,00,45,00,52,00,53,00,5c,00,65,00,78,00,6f,00,6f,00,77,00,6b,\ c,S`�xFz>
00,32,00,36,00,2e,00,73,00,79,00,73,00,00,00
�l�$X>\YF
"DisplayName"="exoowk26" Fo!;X��Eo4
"Group"="System Bus Extender" }od|�{F(��
M�vUM�^ojm
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\exoowk26\Security] hJ�/#o a!�
"Security"=hex:01,00,14,80,a0,00,00,00,ac,00,00,00,14,00,00,00,30,00,00,00,02,\ �E���L��QH
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\ ;ABu=tI%*o
00,00,02,00,70,00,04,00,00,00,00,00,18,00,fd,01,02,00,01,01,00,00,00,00,00,\ C$Q+`�.Zw
05,12,00,00,00,00,00,00,00,00,00,1c,00,ff,01,0f,00,01,02,00,00,00,00,00,05,\ �u`ajxg&`�
20,00,00,00,20,02,00,00,d2,33,bc,8e,00,00,18,00,8d,01,02,00,01,01,00,00,00,\ �z6L9B+_d#
00,00,05,0b,00,00,00,20,02,00,00,00,00,1c,00,fd,01,02,00,01,02,00,00,00,00,\ nb;-i5PG_�
00,05,20,00,00,00,23,02,00,00,d2,33,bc,8e,01,01,00,00,00,00,00,05,12,00,00,\ \OB��h~yM&
00,01,01,00,00,00,00,00,05,12,00,00,00 3g�����B\
Aq}c^{eK-
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\exoowk26] m��A(a:rY-
"Type"=dword:00000001 r+�Rch�u@R
"Start"=dword:00000000 fYQw}mm!��
"ErrorControl"=dword:00000001 $[]y�^�nCN
"ImagePath"=hex(2):53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,\ ihm�&�(�mf
52,00,49,00,56,00,45,00,52,00,53,00,5c,00,65,00,78,00,6f,00,6f,00,77,00,6b,\ iy�EMB!���
00,32,00,36,00,2e,00,73,00,79,00,73,00,00,00 ��~�YT�V
"DisplayName"="exoowk26" |27�"Zx�eY
"Group"="System Bus Extender" ZL�MJ9n�4�
r����r,mr}
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\exoowk26\Security] ��pG�d$�%}
"Security"=hex:01,00,14,80,a0,00,00,00,ac,00,00,00,14,00,00,00,30,00,00,00,02,\ �"�[���mC&
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\ USxm$�#QV|
00,00,02,00,70,00,04,00,00,00,00,00,18,00,fd,01,02,00,01,01,00,00,00,00,00,\ NmT�B'RR�K
05,12,00,00,00,00,00,00,00,00,00,1c,00,ff,01,0f,00,01,02,00,00,00,00,00,05,\ 0z��Xp0j��
20,00,00,00,20,02,00,00,d2,33,bc,8e,00,00,18,00,8d,01,02,00,01,01,00,00,00,\ :.7P�u^�:�
00,00,05,0b,00,00,00,20,02,00,00,00,00,1c,00,fd,01,02,00,01,02,00,00,00,00,\ �92W��fX�0
00,05,20,00,00,00,23,02,00,00,d2,33,bc,8e,01,01,00,00,00,00,00,05,12,00,00,\ =�J�*�5iHd
00,01,01,00,00,00,00,00,05,12,00,00,00 GL�uL"Zt[�
t�oyH.
b0w
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\exoowk26\Enum] xX�}��hpJ�
"0"="Root\\LEGACY_EXOOWK26\\0000" �#(l>67A.~
"Count"=dword:00000001 sR606}�1.'
"NextInstance"=dword:00000001 �t,��d�uS
?;:H#D�jp-
此病毒文件的查杀和删除办法,参见查杀ALLXUN的办法。 L�7u\{AbwD
9vK==cQZ5�
