昨天晚上就中了,没以为有什么了不起,没理他,找到病毒文件,C:\WINNT\system32\drivers\exoowk26.sys 换操作系统;改名字。ok;搞定。 %��u=p$�1�
G
2ICRu:Om
今天白天看这么多帖子,也没注意,我今天一直用xp;刚刚回家,开2000,才发现,哦,昨天中的就是它。 gZ���%�O�g
\O�Ac7@<��
这个病毒文件大小是14.8kB, 15232字节,版本说明:disk driver;产品名称:Microsoft(R) Windows(R) Operating System ,m�H^���v�
�~X�$?*�WL
还有,此文件是8位sys 文件位于\system32\drivers\目录下,后2位是数字,用unlocker删除;或进dos删除。 \�vyd}Te�$
1.F �X8o&1
重要补充:此文件在system32目录下还有一个同名dll文件,一起删除。大小:52kB 53248字节 版本说明:Battery Meter Helper DLL 9���69bt?f
�1k�$O^yO
$y�<VGZLis
加载到注册表的项: �O.)1R1�RW
u\5��\U4v�
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\exoowk26] E6K��QuT��
"Type"=dword:00000001 wBM7T���dQ
"Start"=dword:00000000 `�:S��)�p�
"ErrorControl"=dword:00000001 �W8Kzw��Y%
"ImagePath"=hex(2):53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,\ ^o�P]<L>b�
52,00,49,00,56,00,45,00,52,00,53,00,5c,00,65,00,78,00,6f,00,6f,00,77,00,6b,\ ~E�3jw3kGu
00,32,00,36,00,2e,00,73,00,79,00,73,00,00,00 �.R�h�Ey l
"DisplayName"="exoowk26" |��OaU�>-C
"Group"="System Bus Extender" s_/>h7AN�Z
d_eW>O<�[
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\exoowk26\Security] m�K�\^/��=
"Security"=hex:01,00,14,80,a0,00,00,00,ac,00,00,00,14,00,00,00,30,00,00,00,02,\ KZ�U!{^6R;
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\ OZ<OA�PT<t
00,00,02,00,70,00,04,00,00,00,00,00,18,00,fd,01,02,00,01,01,00,00,00,00,00,\ <3�tIYxl.*
05,12,00,00,00,00,00,00,00,00,00,1c,00,ff,01,0f,00,01,02,00,00,00,00,00,05,\ k�jtOUI\a(
20,00,00,00,20,02,00,00,d2,33,bc,8e,00,00,18,00,8d,01,02,00,01,01,00,00,00,\ _O,, +�LF�
00,00,05,0b,00,00,00,20,02,00,00,00,00,1c,00,fd,01,02,00,01,02,00,00,00,00,\ t
ZH��+��e
00,05,20,00,00,00,23,02,00,00,d2,33,bc,8e,01,01,00,00,00,00,00,05,12,00,00,\ X7c2_Zm.5
00,01,01,00,00,00,00,00,05,12,00,00,00 N"r6iQ�'I
*I��n@)m=
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\exoowk26\Enum] X\��N�r�7�
"0"="Root\\LEGACY_EXOOWK26\\0000" Z�LO6ONcd�
"Count"=dword:00000001 *�hWS �X@6
"NextInstance"=dword:00000001 �e�p/{S��R
/�xwnD3ot�
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\exoowk26] E|C�Z$U�UQ
"Type"=dword:00000001 33=�J<��%
"Start"=dword:00000000 !b6HcN=��
"ErrorControl"=dword:00000001 ki=�-_#ztg
"ImagePath"=hex(2):53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,\ %�t-�!9��J
52,00,49,00,56,00,45,00,52,00,53,00,5c,00,65,00,78,00,6f,00,6f,00,77,00,6b,\ �qg3D{�Zu[
00,32,00,36,00,2e,00,73,00,79,00,73,00,00,00 JA|F>W�A�b
"DisplayName"="exoowk26" ����"��R2+
"Group"="System Bus Extender" 4IQ(&'b>]$
"�j}X�/���
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\exoowk26\Security] @�-�f:�R*
"Security"=hex:01,00,14,80,a0,00,00,00,ac,00,00,00,14,00,00,00,30,00,00,00,02,\ WzJL[x>f0�
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\ W0�dms9�PB
00,00,02,00,70,00,04,00,00,00,00,00,18,00,fd,01,02,00,01,01,00,00,00,00,00,\ `M4=�H[g6<
05,12,00,00,00,00,00,00,00,00,00,1c,00,ff,01,0f,00,01,02,00,00,00,00,00,05,\ ps�:bz1:��
20,00,00,00,20,02,00,00,d2,33,bc,8e,00,00,18,00,8d,01,02,00,01,01,00,00,00,\ aUgR�p>{{r
00,00,05,0b,00,00,00,20,02,00,00,00,00,1c,00,fd,01,02,00,01,02,00,00,00,00,\ �A__`l}7��
00,05,20,00,00,00,23,02,00,00,d2,33,bc,8e,01,01,00,00,00,00,00,05,12,00,00,\ ��k;%[;02@
00,01,01,00,00,00,00,00,05,12,00,00,00 V*�Y%M($SE
Zc.�-kV[Z�
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\exoowk26] ZiUb1 #�7*
"Type"=dword:00000001 XA ]�>k�Mp
"Start"=dword:00000000 �(*U�TFmI
"ErrorControl"=dword:00000001 `[�O`�~�dZ
"ImagePath"=hex(2):53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,\ �aIT^0�:&K
52,00,49,00,56,00,45,00,52,00,53,00,5c,00,65,00,78,00,6f,00,6f,00,77,00,6b,\ ��5L4�<�;p
00,32,00,36,00,2e,00,73,00,79,00,73,00,00,00 "�U^ZF4�W�
"DisplayName"="exoowk26" gaMR;Dtc2M
"Group"="System Bus Extender" O�{C�:��Tc
Ll�_@
(�Zt
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\exoowk26\Security] +�1@JR~#I
"Security"=hex:01,00,14,80,a0,00,00,00,ac,00,00,00,14,00,00,00,30,00,00,00,02,\ g��"p�=Hs
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\ �t9{/yZ<Bi
00,00,02,00,70,00,04,00,00,00,00,00,18,00,fd,01,02,00,01,01,00,00,00,00,00,\ fD�Xefp�J8
05,12,00,00,00,00,00,00,00,00,00,1c,00,ff,01,0f,00,01,02,00,00,00,00,00,05,\ v$�R��#�Ii
20,00,00,00,20,02,00,00,d2,33,bc,8e,00,00,18,00,8d,01,02,00,01,01,00,00,00,\ �Lr8v6XlQ/
00,00,05,0b,00,00,00,20,02,00,00,00,00,1c,00,fd,01,02,00,01,02,00,00,00,00,\ qb�R0'�S?V
00,05,20,00,00,00,23,02,00,00,d2,33,bc,8e,01,01,00,00,00,00,00,05,12,00,00,\ Ko�5�@?N�c
00,01,01,00,00,00,00,00,05,12,00,00,00 t*+5<��
b;
#,c<�v���,
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\exoowk26\Enum] ~Q�
)D�!|�
"0"="Root\\LEGACY_EXOOWK26\\0000" j+a9Ou
0��
"Count"=dword:00000001 *<�Kkvn
o
"NextInstance"=dword:00000001 r4~%x�wUBP
5?~�"D�M4�
此病毒文件的查杀和删除办法,参见查杀ALLXUN的办法。 W1?�5">3`
]-�s3]sI
*
