王梓枫

What's wrong with my computer

Every time I boot up, a virus shows up. Its name is WINLOGON.EXE
My antivirus can't remove it either... what do I do?
[ This post was last edited by 王梓枫 on 2007-01-25 15:19 ]
Posted: 2007-01-25 09:28 | Weifang University, Weifang, Shandong [OP]
    gdst
    Run Jiangmin's dedicated 落雪 (Luoxue) removal tool and scan with it.
    Posted: 2007-01-25 09:43 | #1
    王梓枫
    That tool won't conflict with other antivirus software, will it?
    Posted: 2007-01-25 10:24 | Weifang University, Weifang, Shandong #2
    gdst
    Quote:
    Quoting 王梓枫 in post #2 (2007-01-25 10:24):
    That tool won't conflict with other antivirus software, will it?

    No, it doesn't conflict.
    Posted: 2007-01-25 10:25 | #3
    王梓枫
    Where can I download it? Do you know how to remove it manually? I'd rather not use a tool.
    Posted: 2007-01-25 10:58 | Weifang University, Weifang, Shandong #4
    autuman
    Try Symantec's removal tool
    Description: FxNetsky.exe
    Attachment: FxNetsky.rar (144 K) downloads: 1
    >My Xunlei blog<
    Please show your support
    Resources being updated constantly
    Posted: 2007-01-25 11:05 | #5
    王梓枫
    The one posted above isn't the virus, is it?
    Posted: 2007-01-25 11:22 | Weifang University, Weifang, Shandong #6
    tearysky
    It's a dedicated removal tool; you can also download it yourself.
    Posted: 2007-01-25 11:23 | #7
    heroyb
    First confirm that it really is the virus!
    If it is, you can fix it with the batch file below: save it as a .bat or .com file.

    It only supports XP systems with the system drive on C: or D:.
    The system optimization step can be skipped; if you run it and something goes wrong, that is on you (out of respect for the original author I have not modified its contents).

    Notes:
    1. This batch file covers file deletion and registry repair.
    2. It is not guaranteed to be foolproof; back up your system before using it.
    3. How to use:
    First end the virus process WINLOGON.EXE (IceSword will do; Procexp was used originally, and either works. Remember that only the one in the WINDOWS folder is the virus; the one in the system32 folder is a critical system process, do not confuse them).
    Then run this batch file and follow the prompts.

    -------------------------
    @echo off
    cls
    echo ***********************************************************
    echo   此文件用于清除WINLOGON系列木马并修复其破坏的注册表信息
    echo       警告:只适用于XP操作系统
    echo   空指针 制作   感谢 风乱舞 鼎力相助并提供系统优化功能
    echo ***********************************************************
    echo   名称:WINLOGON系列木马修复程序
    echo   功能:
    echo   1. 删除木马相关文件
    echo   2. 修复被木马修改的系统关联
    echo   3. 部分系统优化(ADSL拨号.桌面速度.IE速度.等部分系统优化)
    echo.  

    pause
    cls
    @SETLOCAL
    @rem set the active code page to Simplified Chinese (GBK) so the messages display correctly
    @chcp 936>nul 2>nul
    @echo.
    @echo ************************************************************
    @echo *                           *
    @echo *    欢迎使用WINLOGON系列木马清除/修复程序       *
    @echo *                           *
    @echo ************************************************************

    :chkOS
    @echo.
    @ver | find "XP" >nul
    @if "%ERRORLEVEL%"=="0" goto :XP
    @echo.
    @echo #您的操作系统不是Windows XP,无法使用。
    @goto quit

    @rem insert the commands specific to each supported OS below
    :XP
    @set UpdatePolicy=GPUpdate /Force
    @goto Selection

    :Selection
    @rem User Choice
    @echo.
    @echo   请注意选择您的操作系统安装在哪个分区
    @echo   我要进行功能选择:
    @echo.
    @echo 1: 我的XP系统安装在C盘
    @echo 2: 我的XP系统安装在D盘
    @echo 3: 我想做部分系统优化(网络.桌面.速度)
    @echo 4: 退出
    @echo.
    @set /p UserSelection=请输入您的选择(1=C盘、2=D盘、3=系统优化、4=退出程序)后按回车:
    @if "%UserSelection%"=="1" goto C
    @if "%UserSelection%"=="2" goto D
    @if "%UserSelection%"=="3" goto good
    @if "%UserSelection%"=="4" goto quit
    @rem any other input: clear the screen and show the menu again
    @cls
    @goto Selection


    :C
    if exist %windir%\1.com attrib -s -r -h %windir%\1.com
    if exist %windir%\exeroute.exe attrib -s -r -h %windir%\exeroute.exe
    if exist %windir%\explorer.com attrib -s -r -h %windir%\explorer.com
    if exist %windir%\2SY.EXE attrib -s -r -h %windir%\2SY.EXE
    if exist %windir%\1SY.EXE attrib -s -r -h %windir%\1SY.EXE
    if exist %windir%\EXP10RER.com attrib -s -r -h %windir%\EXP10RER.com
    if exist %windir%\exerouter.exe attrib -s -r -h %windir%\exerouter.exe
    if exist %windir%\EXERT.exe attrib -s -r -h %windir%\EXERT.exe
    if exist %windir%\finder.com attrib -s -r -h %windir%\finder.com
    if exist %windir%\IO.SYS.BAK attrib -s -r -h %windir%\IO.SYS.BAK
    if exist %windir%\lsass.exe attrib -s -r -h %windir%\lsass.exe
    if exist %windir%\services.exe attrib -s -r -h %windir%\services.exe
    if exist %windir%\SMSS.EXE attrib -s -r -h %windir%\SMSS.EXE
    if exist %windir%\WINLOGON.exe attrib -s -r -h %windir%\WINLOGON.exe
    if exist %windir%\debug\debugprogram.exe attrib -s -r -h %windir%\debug\debugprogram.exe
    if exist %programfiles%\common~1\iexplore.pif attrib -s -r -h %programfiles%\common~1\iexplore.pif
    if exist %programfiles%\intern~1\iexplore.com attrib -s -r -h %programfiles%\intern~1\iexplore.com
    if exist %programfiles%\common~1\inexplore.pif attrib -s -r -h %programfiles%\common~1\inexplore.pif
    if exist %programfiles%\intern~1\inexplore.com attrib -s -r -h %programfiles%\intern~1\inexplore.com
    if exist %windir%\system32\command.pif attrib -s -r -h %windir%\system32\command.pif
    if exist %windir%\system32\dxdiag.com attrib -s -r -h %windir%\system32\dxdiag.com
    if exist %windir%\system32\finder.com attrib -s -r -h %windir%\system32\finder.com
    if exist %windir%\system32\i.com attrib -s -r -h %windir%\system32\i.com
    if exist %windir%\system32\msconfig.com attrib -s -r -h %windir%\system32\msconfig.com
    if exist %windir%\system32\regedit.com attrib -s -r -h %windir%\system32\regedit.com
    if exist %windir%\system32\rundll32.com attrib -s -r -h %windir%\system32\rundll32.com
    if exist d:\pagefile.pif attrib -s -r -h d:\pagefile.pif
    if exist d:\autorun.inf attrib -s -r -h d:\autorun.inf

    echo ************************************************************
    @echo 删除病毒文件

    @echo off
    if exist %windir%\1.com del %windir%\1.com
    if exist %windir%\exeroute.exe del %windir%\exeroute.exe
    if exist %windir%\explorer.com del %windir%\explorer.com
    if exist %windir%\EXERT.exe del %windir%\EXERT.exe
    if exist %windir%\finder.com del %windir%\finder.com
    if exist %windir%\IO.SYS.BAK del %windir%\IO.SYS.BAK
    if exist %windir%\lsass.exe del %windir%\lsass.exe
    if exist %windir%\services.exe del %windir%\services.exe
    if exist %windir%\SMSS.EXE del %windir%\SMSS.EXE
    if exist %windir%\WINLOGON.exe del %windir%\WINLOGON.exe
    if exist %windir%\debug\debugprogram.exe del %windir%\debug\debugprogram.exe
    if exist %programfiles%\common~1\iexplore.pif del %programfiles%\common~1\iexplore.pif
    if exist %programfiles%\intern~1\iexplore.com del %programfiles%\intern~1\iexplore.com
    if exist %windir%\system32\command.pif del %windir%\system32\command.pif
    if exist %windir%\system32\dxdiag.com del %windir%\system32\dxdiag.com
    if exist %windir%\system32\finder.com del %windir%\system32\finder.com
    if exist %windir%\system32\i.com del %windir%\system32\i.com
    if exist %windir%\system32\msconfig.com del %windir%\system32\msconfig.com
    if exist %windir%\system32\regedit.com del %windir%\system32\regedit.com
    if exist %windir%\system32\rundll32.com del %windir%\system32\rundll32.com
    if exist d:\pagefile.pif del d:\pagefile.pif
    if exist d:\autorun.inf del d:\autorun.inf

    @echo ***********************************************************
    @echo *     已删除可能的病毒文件,按任意键修复注册表信息   *
    @echo ***********************************************************



    @echo Windows Registry Editor Version 5.00>Fix.reg
    @echo [HKEY_CLASSES_ROOT\exefile\shell\open\command]>>Fix.reg
    @echo @=hex(2):22,00,25,00,31,00,22,00,20,00,25,00,2A,00,00,00>>Fix.reg
    @echo [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe]>>Fix.reg
    @echo @="exefile">>Fix.reg
    @echo [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command]>>Fix.reg
    @echo @=hex(2):22,00,43,00,3A,00,5C,00,50,00,72,00,6F,00,67,00,72,00,61,00,6D,00,20,00,46,00,69,00,6C,00,65,00,73,00,5C,00,49,00,6E,00,74,00,65,00,72,00,6E,00,65,00,74,00,20,00,45,00,78,00,70,00,6C,00,6F,00,72,00,65,00,72,00,5C,00,69,00,65,00,78,00,70,00,6C,00,6F,00,72,00,65,00,2E,00,65,00,78,00,65,00,22,00,00,00>>Fix.reg

    @echo [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\iexplore.exe\shell\open\command]>>Fix.reg
    @echo @=hex(2):22,00,43,00,3A,00,5C,00,50,00,72,00,6F,00,67,00,72,00,61,00,6D,00,20,00,46,00,69,00,6C,00,65,00,73,00,5C,00,49,00,6E,00,74,00,65,00,72,00,6E,00,65,00,74,00,20,00,45,00,78,00,70,00,6C,00,6F,00,72,00,65,00,72,00,5C,00,69,00,65,00,78,00,70,00,6C,00,6F,00,72,00,65,00,2E,00,65,00,78,00,65,00,22,00,20,00,25,00,31,00,00,00>>Fix.reg

    @echo [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ftp\shell\open\command]>>Fix.reg
    @echo @=hex(2):22,00,43,00,3A,00,5C,00,50,00,72,00,6F,00,67,00,72,00,61,00,6D,00,20,00,46,00,69,00,6C,00,65,00,73,00,5C,00,49,00,6E,00,74,00,65,00,72,00,6E,00,65,00,74,00,20,00,45,00,78,00,70,00,6C,00,6F,00,72,00,65,00,72,00,5C,00,69,00,65,00,78,00,70,00,6C,00,6F,00,72,00,65,00,2E,00,65,00,78,00,65,00,22,00,20,00,25,00,31,00,00,00>>Fix.reg

    @echo [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\htmlfile\shell\open\command]>>Fix.reg
    @echo @=hex(2):22,00,43,00,3A,00,5C,00,50,00,72,00,6F,00,67,00,72,00,61,00,6D,00,20,00,46,00,69,00,6C,00,65,00,73,00,5C,00,49,00,6E,00,74,00,65,00,72,00,6E,00,65,00,74,00,20,00,45,00,78,00,70,00,6C,00,6F,00,72,00,65,00,72,00,5C,00,69,00,65,00,78,00,70,00,6C,00,6F,00,72,00,65,00,2E,00,65,00,78,00,65,00,22,00,20,00,2D,00,6E,00,6F,00,68,00,6F,00,6D,00,65,00,00,00>>Fix.reg

    @echo [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\HTTP\shell\open\command]>>Fix.reg
    @echo @=hex(2):22,00,43,00,3A,00,5C,00,50,00,72,00,6F,00,67,00,72,00,61,00,6D,00,20,00,46,00,69,00,6C,00,65,00,73,00,5C,00,49,00,6E,00,74,00,65,00,72,00,6E,00,65,00,74,00,20,00,45,00,78,00,70,00,6C,00,6F,00,72,00,65,00,72,00,5C,00,69,00,65,00,78,00,70,00,6C,00,6F,00,72,00,65,00,2E,00,65,00,78,00,65,00,22,00,20,00,2D,00,6E,00,6F,00,68,00,6F,00,6D,00,65,00,00,00>>Fix.reg

    @echo [HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet]>>Fix.reg
    @echo @=hex(2):49,00,45,00,58,00,50,00,4C,00,4F,00,52,00,45,00,2E,00,45,00,58,00,45,00,00,00>>Fix.reg

    @echo [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.bfc\ShellNew\Command]>>Fix.reg
    @echo @=->>Fix.reg

    @echo [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Drive\shell\find\command]>>Fix.reg
    @echo @=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,00,5c,00,45,00,78,00,70,00,6c,00,6f,00,72,00,65,00,72,00,2e,00,65,00,78,00,65,00,00,00>>Fix.reg

    @echo [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\htmlfile\shell\print\command]>>Fix.reg
    @echo @=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,00,5c,00,45,00,78,00,70,00,6c,00,6f,00,72,00,65,00,72,00,2e,00,65,00,78,00,65,00,00,00>>Fix.reg

    @echo [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\inffile\shell\Install\command]>>Fix.reg
    @echo @=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,72,00,75,00,6e,00,64,00,6c,00,6c,00,33,00,32,00,2e,00,65,00,78,00,65,00,20,00,73,00,65,00,74,00,75,00,70,00,61,00,70,00,69,00,2c,00,49,00,6e,00,73,00,74,00,61,00,6c,00,6c,00,48,00,69,00,6e,00,66,00,53,00,65,00,63,00,74,00,69,00,6f,00,6e,00,20,00,44,00,65,00,66,00,61,00,75,00,6c,00,74,00,49,00,6e,00,73,00,74,00,61,00,6c,00,6c,00,20,00,31,00,33,00,32,00,20,00,25,00,31,00,00,00>>Fix.reg

    @echo [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Unknown\shell\openas\command]>>Fix.reg
    @echo @=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,72,00,75,00,6e,00,64,00,6c,00,6c,00,33,00,32,00,2e,00,65,00,78,00,65,00,20,00,25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,00,68,00,65,00,6c,00,6c,00,33,00,32,00,2e,00,64,00,6c,00,6c,00,2c,00,4f,00,70,00,65,00,6e,00,41,00,73,00,5f,00,52,00,75,00,6e,00,44,00,4c,00,4c,00,20,00,25,00,31,00,00,00>>Fix.reg

    @echo [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.lnk\ShellNew\Command]>>Fix.reg
    @echo @=hex(2):72,00,75,00,6E,00,64,00,6C,00,6C,00,33,00,32,00,2E,00,65,00,78,00,65,00,20,00,61,00,70,00,70,00,77,00,69,00,7A,00,2E,00,63,00,70,00,6C,00,2C,00,4E,00,65,00,77,00,4C,00,69,00,6E,00,6B,00,48,00,65,00,72,00,65,00,20,00,25,00,31,00,00,00>>Fix.reg

    @echo [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\cplfile\shell\cplopen\command\]>>Fix.reg
    @echo @=hex(2):72,00,75,00,6E,00,64,00,6C,00,6C,00,33,00,32,00,2E,00,65,00,78,00,65,00,20,00,73,00,68,00,65,00,6C,00,6C,00,33,00,32,00,2E,00,64,00,6C,00,6C,00,2C,00,43,00,6F,00,6E,00,74,00,72,00,6F,00,6C,00,5F,00,52,00,75,00,6E,00,44,00,4C,00,4C,00,20,00,22,00,25,00,31,00,22,00,2C,00,25,00,2A,00,00,00>>Fix.reg

    @echo [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\InternetShortcut\shell\open\command\]>>Fix.reg
    @echo @=hex(2):72,00,75,00,6E,00,64,00,6C,00,6C,00,33,00,32,00,2E,00,65,00,78,00,65,00,20,00,73,00,68,00,64,00,6F,00,63,00,76,00,77,00,2E,00,64,00,6C,00,6C,00,2C,00,4F,00,70,00,65,00,6E,00,55,00,52,00,4C,00,20,00,6C,00,00,00>>Fix.reg

    @echo [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\scrfile\shell\install\command\]>>Fix.reg
    @echo @=hex(2):72,00,75,00,6E,00,64,00,6C,00,6C,00,33,00,32,00,2E,00,65,00,78,00,65,00,20,00,64,00,65,00,73,00,6B,00,2E,00,63,00,70,00,6C,00,2C,00,49,00,6E,00,73,00,74,00,61,00,6C,00,6C,00,53,00,63,00,72,00,65,00,65,00,6E,00,53,00,61,00,76,00,65,00,72,00,20,00,6C,00,00,00>>Fix.reg

    @echo [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\scriptletfile\Shell\Generate Typelib\command\]>>Fix.reg
    @echo @=hex(2):22,00,43,00,3A,00,5C,00,57,00,49,00,4E,00,44,00,4F,00,57,00,53,00,5C,00,73,00,79,00,73,00,74,00,65,00,6D,00,33,00,32,00,5C,00,52,00,55,00,4E,00,44,00,4C,00,4C,00,33,00,32,00,2E,00,45,00,58,00,45,00,22,00,20,00,43,00,3A,00,5C,00,57,00,49,00,4E,00,44,00,4F,00,57,00,53,00,5C,00,73,00,79,00,73,00,74,00,65,00,6D,00,33,00,32,00,5C,00,73,00,63,00,72,00,6F,00,62,00,6A,00,2E,00,64,00,6C,00,6C,00,2C,00,47,00,65,00,6E,00,65,00,72,00,61,00,74,00,65,00,54,00,79,00,70,00,65,00,4C,00,69,00,62,00,20,00,22,00,25,00,31,00,22,00,00,00>>Fix.reg

    @echo [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\telnet\shell\open\command\]>>Fix.reg
    @echo @=hex(2):72,00,75,00,6E,00,64,00,6C,00,6C,00,33,00,32,00,2E,00,65,00,78,00,65,00,20,00,75,00,72,00,6C,00,2E,00,64,00,6C,00,6C,00,2C,00,54,00,65,00,6C,00,6E,00,65,00,74,00,50,00,72,00,6F,00,74,00,6F,00,63,00,6F,00,6C,00,48,00,61,00,6E,00,64,00,6C,00,65,00,72,00,20,00,6C,00,00,00>>Fix.reg

    @echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]>>Fix.reg
    @echo "Shell"="Explorer.exe">>Fix.reg

    @echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]>>Fix.reg
    @echo "Userinit"="C:\\WINDOWS\\system32\\userinit.exe,">>Fix.reg

    @echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]>>Fix.reg
    @echo "ToP"=->>Fix.reg

    @echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]>>Fix.reg
    @echo "TProgram"=->>Fix.reg

    @echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Runservices]>>Fix.reg
    @echo "TProgram"=->>Fix.reg

    @echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]>>Fix.reg
    @echo "Torjan Program"=->>Fix.reg

    @echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Runservices]>>Fix.reg
    @echo "Torjan Program"=->>Fix.reg
    echo.

    @pause
    start /w regedit /s Fix.reg
    del Fix.reg
    echo.
    @echo ***********************************************************
    @echo *       修复已知被破坏的文件关联成功       *
    @echo ***********************************************************
    echo.
    @echo 按任意键,返回选择
    @pause
    @cls
    @goto Selection

    :D
    if exist %windir%\1.com attrib -s -r -h %windir%\1.com
    if exist %windir%\exeroute.exe attrib -s -r -h %windir%\exeroute.exe
    if exist %windir%\explorer.com attrib -s -r -h %windir%\explorer.com
    if exist %windir%\2SY.EXE attrib -s -r -h %windir%\2SY.EXE
    if exist %windir%\1SY.EXE attrib -s -r -h %windir%\1SY.EXE
    if exist %windir%\EXP10RER.com attrib -s -r -h %windir%\EXP10RER.com
    if exist %windir%\exerouter.exe attrib -s -r -h %windir%\exerouter.exe
    if exist %windir%\EXERT.exe attrib -s -r -h %windir%\EXERT.exe
    if exist %windir%\finder.com attrib -s -r -h %windir%\finder.com
    if exist %windir%\IO.SYS.BAK attrib -s -r -h %windir%\IO.SYS.BAK
    if exist %windir%\lsass.exe attrib -s -r -h %windir%\lsass.exe
    if exist %windir%\services.exe attrib -s -r -h %windir%\services.exe
    if exist %windir%\SMSS.EXE attrib -s -r -h %windir%\SMSS.EXE
    if exist %windir%\WINLOGON.exe attrib -s -r -h %windir%\WINLOGON.exe
    if exist %windir%\debug\debugprogram.exe attrib -s -r -h %windir%\debug\debugprogram.exe
    if exist %programfiles%\common~1\iexplore.pif attrib -s -r -h %programfiles%\common~1\iexplore.pif
    if exist %programfiles%\intern~1\iexplore.com attrib -s -r -h %programfiles%\intern~1\iexplore.com
    if exist %programfiles%\common~1\inexplore.pif attrib -s -r -h %programfiles%\common~1\inexplore.pif
    if exist %programfiles%\intern~1\inexplore.com attrib -s -r -h %programfiles%\intern~1\inexplore.com
    if exist %windir%\system32\command.pif attrib -s -r -h %windir%\system32\command.pif
    if exist %windir%\system32\dxdiag.com attrib -s -r -h %windir%\system32\dxdiag.com
    if exist %windir%\system32\finder.com attrib -s -r -h %windir%\system32\finder.com
    if exist %windir%\system32\i.com attrib -s -r -h %windir%\system32\i.com
    if exist %windir%\system32\msconfig.com attrib -s -r -h %windir%\system32\msconfig.com
    if exist %windir%\system32\regedit.com attrib -s -r -h %windir%\system32\regedit.com
    if exist %windir%\system32\rundll32.com attrib -s -r -h %windir%\system32\rundll32.com
    if exist d:\pagefile.pif attrib -s -r -h d:\pagefile.pif
    if exist d:\autorun.inf attrib -s -r -h d:\autorun.inf

    echo ************************************************************
    @echo 删除病毒文件

    @echo off
    if exist %windir%\1.com del %windir%\1.com
    if exist %windir%\exeroute.exe del %windir%\exeroute.exe
    if exist %windir%\explorer.com del %windir%\explorer.com
    if exist %windir%\EXERT.exe del %windir%\EXERT.exe
    if exist %windir%\finder.com del %windir%\finder.com
    if exist %windir%\IO.SYS.BAK del %windir%\IO.SYS.BAK
    if exist %windir%\lsass.exe del %windir%\lsass.exe
    if exist %windir%\services.exe del %windir%\services.exe
    if exist %windir%\SMSS.EXE del %windir%\SMSS.EXE
    if exist %windir%\WINLOGON.exe del %windir%\WINLOGON.exe
    if exist %windir%\debug\debugprogram.exe del %windir%\debug\debugprogram.exe
    if exist %programfiles%\common~1\iexplore.pif del %programfiles%\common~1\iexplore.pif
    if exist %programfiles%\intern~1\iexplore.com del %programfiles%\intern~1\iexplore.com
    if exist %windir%\system32\command.pif del %windir%\system32\command.pif
    if exist %windir%\system32\dxdiag.com del %windir%\system32\dxdiag.com
    if exist %windir%\system32\finder.com del %windir%\system32\finder.com
    if exist %windir%\system32\i.com del %windir%\system32\i.com
    if exist %windir%\system32\msconfig.com del %windir%\system32\msconfig.com
    if exist %windir%\system32\regedit.com del %windir%\system32\regedit.com
    if exist %windir%\system32\rundll32.com del %windir%\system32\rundll32.com
    if exist d:\pagefile.pif del d:\pagefile.pif
    if exist d:\autorun.inf del d:\autorun.inf

    @echo ***********************************************************
    @echo *     已删除可能的病毒文件,按任意键修复注册表信息   *
    @echo ***********************************************************

    @echo Windows Registry Editor Version 5.00>Fix.reg

    @echo [HKEY_CLASSES_ROOT\exefile\shell\open\command]>>Fix.reg
    @echo @=hex(2):22,00,25,00,31,00,22,00,20,00,25,00,2A,00,00,00>>Fix.reg
    @echo [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe]>>Fix.reg
    @echo @=hex(2):65,00,78,00,65,00,66,00,69,00,6C,00,65,00,00,00>>Fix.reg
    @echo [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command]>>Fix.reg
    @echo @=hex(2):22,00,44,00,3A,00,5C,00,50,00,72,00,6F,00,67,00,72,00,61,00,6D,00,20,00,46,00,69,00,6C,00,65,00,73,00,5C,00,49,00,6E,00,74,00,65,00,72,00,6E,00,65,00,74,00,20,00,45,00,78,00,70,00,6C,00,6F,00,72,00,65,00,72,00,5C,00,69,00,65,00,78,00,70,00,6C,00,6F,00,72,00,65,00,2E,00,65,00,78,00,65,00,22,00,00,00>>Fix.reg

    @echo [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\iexplore.exe\shell\open\command]>>Fix.reg
    @echo @=hex(2):22,00,44,00,3A,00,5C,00,50,00,72,00,6F,00,67,00,72,00,61,00,6D,00,20,00,46,00,69,00,6C,00,65,00,73,00,5C,00,49,00,6E,00,74,00,65,00,72,00,6E,00,65,00,74,00,20,00,45,00,78,00,70,00,6C,00,6F,00,72,00,65,00,72,00,5C,00,69,00,65,00,78,00,70,00,6C,00,6F,00,72,00,65,00,2E,00,65,00,78,00,65,00,22,00,20,00,25,00,31,00,00,00>>Fix.reg

    @echo [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ftp\shell\open\command]>>Fix.reg
    @echo @=hex(2):22,00,44,00,3A,00,5C,00,50,00,72,00,6F,00,67,00,72,00,61,00,6D,00,20,00,46,00,69,00,6C,00,65,00,73,00,5C,00,49,00,6E,00,74,00,65,00,72,00,6E,00,65,00,74,00,20,00,45,00,78,00,70,00,6C,00,6F,00,72,00,65,00,72,00,5C,00,69,00,65,00,78,00,70,00,6C,00,6F,00,72,00,65,00,2E,00,65,00,78,00,65,00,22,00,20,00,25,00,31,00,00,00>>Fix.reg

    @echo [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\htmlfile\shell\open\command]>>Fix.reg
    @echo @=hex(2):22,00,44,00,3A,00,5C,00,50,00,72,00,6F,00,67,00,72,00,61,00,6D,00,20,00,46,00,69,00,6C,00,65,00,73,00,5C,00,49,00,6E,00,74,00,65,00,72,00,6E,00,65,00,74,00,20,00,45,00,78,00,70,00,6C,00,6F,00,72,00,65,00,72,00,5C,00,69,00,65,00,78,00,70,00,6C,00,6F,00,72,00,65,00,2E,00,65,00,78,00,65,00,22,00,20,00,2D,00,6E,00,6F,00,68,00,6F,00,6D,00,65,00,00,00>>Fix.reg

    @echo [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\HTTP\shell\open\command]>>Fix.reg
    @echo @=hex(2):22,00,44,00,3A,00,5C,00,50,00,72,00,6F,00,67,00,72,00,61,00,6D,00,20,00,46,00,69,00,6C,00,65,00,73,00,5C,00,49,00,6E,00,74,00,65,00,72,00,6E,00,65,00,74,00,20,00,45,00,78,00,70,00,6C,00,6F,00,72,00,65,00,72,00,5C,00,69,00,65,00,78,00,70,00,6C,00,6F,00,72,00,65,00,2E,00,65,00,78,00,65,00,22,00,20,00,2D,00,6E,00,6F,00,68,00,6F,00,6D,00,65,00,00,00>>Fix.reg

    @echo [HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet]>>Fix.reg
    @echo @=hex(2):49,00,45,00,58,00,50,00,4C,00,4F,00,52,00,45,00,2E,00,45,00,58,00,45,00,00,00>>Fix.reg

    @echo [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.bfc\ShellNew\Command]>>Fix.reg
    @echo @=->>Fix.reg

    @echo [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Drive\shell\find\command]>>Fix.reg
    @echo @=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,00,5c,00,45,00,78,00,70,00,6c,00,6f,00,72,00,65,00,72,00,2e,00,65,00,78,00,65,00,00,00>>Fix.reg

    @echo [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\htmlfile\shell\print\command]>>Fix.reg
    @echo @=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,00,5c,00,45,00,78,00,70,00,6c,00,6f,00,72,00,65,00,72,00,2e,00,65,00,78,00,65,00,00,00>>Fix.reg

    @echo [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\inffile\shell\Install\command]>>Fix.reg
    @echo @=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,72,00,75,00,6e,00,64,00,6c,00,6c,00,33,00,32,00,2e,00,65,00,78,00,65,00,20,00,73,00,65,00,74,00,75,00,70,00,61,00,70,00,69,00,2c,00,49,00,6e,00,73,00,74,00,61,00,6c,00,6c,00,48,00,69,00,6e,00,66,00,53,00,65,00,63,00,74,00,69,00,6f,00,6e,00,20,00,44,00,65,00,66,00,61,00,75,00,6c,00,74,00,49,00,6e,00,73,00,74,00,61,00,6c,00,6c,00,20,00,31,00,33,00,32,00,20,00,25,00,31,00,00,00>>Fix.reg

    @echo [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Unknown\shell\openas\command]>>Fix.reg
    @echo @=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,72,00,75,00,6e,00,64,00,6c,00,6c,00,33,00,32,00,2e,00,65,00,78,00,65,00,20,00,25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,00,68,00,65,00,6c,00,6c,00,33,00,32,00,2e,00,64,00,6c,00,6c,00,2c,00,4f,00,70,00,65,00,6e,00,41,00,73,00,5f,00,52,00,75,00,6e,00,44,00,4c,00,4c,00,20,00,25,00,31,00,00,00>>Fix.reg

    @echo [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.lnk\ShellNew\Command]>>Fix.reg
    @echo @=hex(2):72,00,75,00,6E,00,64,00,6C,00,6C,00,33,00,32,00,2E,00,65,00,78,00,65,00,20,00,61,00,70,00,70,00,77,00,69,00,7A,00,2E,00,63,00,70,00,6C,00,2C,00,4E,00,65,00,77,00,4C,00,69,00,6E,00,6B,00,48,00,65,00,72,00,65,00,20,00,25,00,31,00,00,00>>Fix.reg

    @echo [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\cplfile\shell\cplopen\command\]>>Fix.reg
    @echo @=hex(2):72,00,75,00,6E,00,64,00,6C,00,6C,00,33,00,32,00,2E,00,65,00,78,00,65,00,20,00,73,00,68,00,65,00,6C,00,6C,00,33,00,32,00,2E,00,64,00,6C,00,6C,00,2C,00,43,00,6F,00,6E,00,74,00,72,00,6F,00,6C,00,5F,00,52,00,75,00,6E,00,44,00,4C,00,4C,00,20,00,22,00,25,00,31,00,22,00,2C,00,25,00,2A,00,00,00>>Fix.reg

    @echo [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\InternetShortcut\shell\open\command\]>>Fix.reg
    @echo @=hex(2):72,00,75,00,6E,00,64,00,6C,00,6C,00,33,00,32,00,2E,00,65,00,78,00,65,00,20,00,73,00,68,00,64,00,6F,00,63,00,76,00,77,00,2E,00,64,00,6C,00,6C,00,2C,00,4F,00,70,00,65,00,6E,00,55,00,52,00,4C,00,20,00,6C,00,00,00>>Fix.reg

    @echo [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\scrfile\shell\install\command\]>>Fix.reg
    @echo @=hex(2):72,00,75,00,6E,00,64,00,6C,00,6C,00,33,00,32,00,2E,00,65,00,78,00,65,00,20,00,64,00,65,00,73,00,6B,00,2E,00,63,00,70,00,6C,00,2C,00,49,00,6E,00,73,00,74,00,61,00,6C,00,6C,00,53,00,63,00,72,00,65,00,65,00,6E,00,53,00,61,00,76,00,65,00,72,00,20,00,6C,00,00,00>>Fix.reg

    @echo [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\scriptletfile\Shell\Generate Typelib\command\]>>Fix.reg
    @echo @=hex(2):22,00,44,00,3A,00,5C,00,57,00,49,00,4E,00,44,00,4F,00,57,00,53,00,5C,00,73,00,79,00,73,00,74,00,65,00,6D,00,33,00,32,00,5C,00,52,00,55,00,4E,00,44,00,4C,00,4C,00,33,00,32,00,2E,00,45,00,58,00,45,00,22,00,20,00,44,00,3A,00,5C,00,57,00,49,00,4E,00,44,00,4F,00,57,00,53,00,5C,00,73,00,79,00,73,00,74,00,65,00,6D,00,33,00,32,00,5C,00,73,00,63,00,72,00,6F,00,62,00,6A,00,2E,00,64,00,6C,00,6C,00,2C,00,47,00,65,00,6E,00,65,00,72,00,61,00,74,00,65,00,54,00,79,00,70,00,65,00,4C,00,69,00,62,00,20,00,22,00,25,00,31,00,22,00,00,00>>Fix.reg

    @echo [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\telnet\shell\open\command\]>>Fix.reg
    @echo @=hex(2):72,00,75,00,6E,00,64,00,6C,00,6C,00,33,00,32,00,2E,00,65,00,78,00,65,00,20,00,75,00,72,00,6C,00,2E,00,64,00,6C,00,6C,00,2C,00,54,00,65,00,6C,00,6E,00,65,00,74,00,50,00,72,00,6F,00,74,00,6F,00,63,00,6F,00,6C,00,48,00,61,00,6E,00,64,00,6C,00,65,00,72,00,20,00,6C,00,00,00>>Fix.reg

    @echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]>>Fix.reg
    @echo "Shell"="Explorer.exe">>Fix.reg

    @echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]>>Fix.reg
    @echo "Userinit"="D:\\WINDOWS\\system32\\userinit.exe,">>Fix.reg

    @echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]>>Fix.reg
    @echo "ToP"=->>Fix.reg

    @echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]>>Fix.reg
    @echo "TProgram"=->>Fix.reg

    @echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Runservices]>>Fix.reg
    @echo "TProgram"=->>Fix.reg

    @echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]>>Fix.reg
    @echo "Torjan Program"=->>Fix.reg

    @echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Runservices]>>Fix.reg
    @echo "Torjan Program"=->>Fix.reg
    echo.

    @pause
    start /w regedit /s Fix.reg
    del Fix.reg
    echo.
    @echo ***********************************************************
    @echo *       修复已知被破坏的文件关联成功       *
    @echo ***********************************************************
    echo.
    @echo 按任意键,返回选择
    @pause
    @cls
    @goto Selection

    :good
    @cls
    @echo Windows Registry Editor Version 5.00>Fix.reg

    @echo [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]>>Fix.reg
    @echo "MaxConnectionsPerServer"=dword:00000020>>Fix.reg
    @echo "MaxConnectionsPer1_0Server"=dword:00000020>>Fix.reg

    @echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]>>Fix.reg
    @echo "SackOpts"=dword:00000001>>Fix.reg
    @echo "TcpWindowSize"=dword:0003ebc0>>Fix.reg
    @echo "Tcp1323Opts"=dword:00000001>>Fix.reg
    @echo "DefaultTTL"=dword:00000040>>Fix.reg
    @echo "EnablePMTUBHDetect"=dword:00000000>>Fix.reg
    @echo "EnablePMTUDiscovery"=dword:00000001>>Fix.reg
    @echo "GlobalMaxTcpWindowSize"=dword:0003ebc0>>Fix.reg

    @echo [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]>>Fix.reg
    @echo "MaxConnectionsPerServer"=dword:00000020>>Fix.reg
    @echo "MaxConnectionsPer1_0Server"=dword:00000020>>Fix.reg

    @echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Vxd\BIOS]>>Fix.reg
    @echo "CPUPriority"=dword:00000001>>Fix.reg
    @echo "PCIConcur"=dword:00000001>>Fix.reg
    @echo "FastDRAM"=dword:00000001>>Fix.reg
    @echo "AGPConcur"=dword:00000001>>Fix.reg

    @echo [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]>>Fix.reg
    @echo "MaxConnectionsPer1_0Server"=dword:00000009>>Fix.reg
    @echo "MaxConnectionsPerServer"=dword:00000009>>Fix.reg

    @echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem]>>Fix.reg
    @echo "ConfigFileAllocSize"=dword:000001f4>>Fix.reg

    @echo [HKEY_CURRENT_USER\Control Panel\desktop]>>Fix.reg
    @echo "MenuShowDelay"="0">>Fix.reg

    @echo [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\CleanupWiz]>>Fix.reg
    @echo "NoRun"=dword:00000001>>Fix.reg

    @echo [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Applets\Tour]>>Fix.reg
    @echo "RunCount"=dword:00000000>>Fix.reg

    @echo [-HKEY_CLASSES_ROOT\.zip\CompressedFolder]>>Fix.reg
    @echo [-HKEY_CLASSES_ROOT\CLSID\{E88DCCE0-B7B3-11d1-A9F0-00AA0060FA31}]>>Fix.reg
    @echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CompressedFolder]>>Fix.reg

    @echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\atapi\Parameters]>>Fix.reg
    @echo "EnableBigLba"=dword:00000001>>Fix.reg

    @echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Dfrg\BootOptimizeFunction]>>Fix.reg
    @echo "Enable"="Y">>Fix.reg
    @echo.

    echo ******************************
    echo   *   正在进行系统优化   *
    echo ******************************
    pause
    start /w regedit /s Fix.reg
    del Fix.reg

    echo ******************************
    echo   *   系统优化完毕   *
    echo ******************************
    echo.
    @echo 按任意键,返回选择
    @pause
    @cls
    @goto Selection


    :quit
    exit
    Attachment: WINLOGON批处理.rar (4 K) downloads: 1
    Posted: 2007-01-25 11:44 | #8
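The hex(2) lines the batch above writes into Fix.reg are hard to read by eye. This added Python example (not from the post or its author) decodes them; SAMPLE_FIX_REG is constructed from a few of the batch's own echo lines, and the parser covers only the value forms Fix.reg uses.

```python
"""Decode the hex(2) (REG_EXPAND_SZ) values that the batch's Fix.reg writes.

Added example, not part of the forum post. SAMPLE_FIX_REG is constructed from
the echo lines of the C: branch of the batch; the parser handles only the
forms that file uses: @ or "Name" followed by a quoted string, hex(2):...
(UTF-16LE bytes with a NUL terminator), dword:..., or "-" (delete the value).
"""
from typing import Dict, List, Tuple, Union

RegData = Union[str, int, None]

SAMPLE_FIX_REG = r"""Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@=hex(2):22,00,25,00,31,00,22,00,20,00,25,00,2A,00,00,00
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe]
@="exefile"
[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet]
@=hex(2):49,00,45,00,58,00,50,00,4C,00,4F,00,52,00,45,00,2E,00,45,00,58,00,45,00,00,00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Torjan Program"=-
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MaxConnectionsPerServer"=dword:00000020
"""


def decode_hex2(payload: str) -> str:
    """Turn '22,00,25,00,...' into the string it encodes (UTF-16LE, NUL-terminated)."""
    raw = bytes(int(b, 16) for b in payload.split(",") if b.strip())
    return raw.decode("utf-16-le").rstrip("\x00")


def parse_reg(text: str) -> Dict[Tuple[str, str], RegData]:
    """Map (key path, value name) to the data `regedit /s` would write.

    The default value is reported under the name "(Default)"; None means the
    line was "=-", i.e. the value is deleted.
    """
    entries: Dict[Tuple[str, str], RegData] = {}
    key = ""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        name, _, data = line.partition("=")
        name = "(Default)" if name == "@" else name.strip('"')
        if data == "-":
            entries[(key, name)] = None
        elif data.startswith("hex(2):"):
            entries[(key, name)] = decode_hex2(data[len("hex(2):"):])
        elif data.startswith("dword:"):
            entries[(key, name)] = int(data[len("dword:"):], 16)
        else:
            # quoted REG_SZ: .reg files escape backslashes as \\ and quotes as \"
            entries[(key, name)] = (
                data.strip('"').replace('\\"', '"').replace("\\\\", "\\")
            )
    return entries


def summarize(entries: Dict[Tuple[str, str], RegData]) -> List[str]:
    """Human-readable list of what the file restores or removes."""
    out = []
    for (key, name), data in entries.items():
        if data is None:
            out.append(f"delete {key}\\{name}")
        else:
            out.append(f"set {key}\\{name} = {data!r}")
    return out


if __name__ == "__main__":
    for item in summarize(parse_reg(SAMPLE_FIX_REG)):
        print(item)
```

Running it shows the first hex(2) value is the stock `.exe` open command `"%1" %*`, which is why the batch works even when the trojan has hijacked execution of every .exe.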
    autuman
    Quote:
    Quoting 王梓枫 in post #6 (2007-01-25 11:22):
    The one posted above isn't the virus, is it?

    Posted: 2007-01-25 11:50 | #9
    chaler
    I saw a solution someone wrote up:
    Complete removal guide for the WINLOGON.EXE virus

    The WINLOGON.EXE virus has been spreading widely on the net lately and many people have caught it. Plenty of antivirus products can detect it, but none of them can remove it.

    For whatever reason, this virus's Chinese name is "落雪" (Falling Snow), also called "飘雪" (Drifting Snow). Pretty, isn't it?

    I checked and found an extra uppercase WINLOGON process in the winnt or windows directory, whereas normally this process lives under winnt or windows/system32, so it is obvious what this process is. Among the startup entries in the registry there is one called Torjan pragramme, and it cannot be removed for good.

    Here is how to remove it

    The WINLOGON.EXE process runs under the user's own account, so it cannot be a normal system process: the genuine winlogon system process runs as "SYSTEM" and its image name is lowercase winlogon.exe. The trojan that impersonates it runs under the current user's account and its image name is uppercase WINLOGON.exe. To view processes press ctrl+alt+del and choose Processes. Normally there is one and only one winlogon.exe process, running as "SYSTEM". If two winlogon.exe processes appear, one of them uppercase and running as the current user, a trojan is probably present.

    This trojan is very aggressive: it can cripple 木马克星 and many other well-known antivirus products so they no longer run properly, and even when they do run they scan or clean incorrectly. So far no other antivirus has been able to kill it. It is obvious, even by eye, that the WINLOGON.EXE under WINDOWS really is the virus, but it is only a minor player. Right-click D: and choose [Open], then look for a DOS shortcut file named pagefile and an autorun.inf file; these are of course hidden. Deleting just these does nothing, because it has hooked into so many things that it cannot even be killed in Safe Mode: run any program, or double-click D:, and it reinstalls itself. A lot of the account thefts recently came from this cracked copy of 传家宝.

    I looked into this trojan a bit; its connections go to somewhere in Henan and Tianjin, so it looks domestic. It is also amusing: if you have games like 传奇 on your machine, it is sure to come kissing. Whether QQ and similar account passwords leak I don't know, but at least some of my friends have already had theirs stolen.

    How to deal with the "落雪" virus

    Symptoms: D: cannot be opened by double-clicking, and it contains the files autorun.inf and pagefile.com
    The author of this virus understands how the system works very well, so these two files are hard to delete; even logging in as Administrator in Safe Mode does not solve it! It took me a whole afternoon to get it more or less sorted. I used no trojan-scanning software at all; I dug every file out by hand and deleted them. The files it hooks are listed below; most are marked as system files and hidden, so enable showing hidden files in Folder Options.

    On D: there are only two, which stop you from double-clicking to open D:. On C: there are many related files and programs

    D:\autorun.inf
    D:\pagefile.com
    C:\Program Files\Internet Explorer\iexplore.com
    C:\Program Files\Common Files\iexplore.com
    C:\WINDOWS\1.com
    C:\WINDOWS\iexplore.com
    C:\WINDOWS\finder.com
    C:\WINDOWS\Exeroud.exe (has the 传奇 icon, very pretty)
    C:\WINDOWS\Debug\*** Programme.exe (same icon as above; the name differs on every machine, but it is clearly not hidden)
    C:\Windows\system32\command.com  Do not delete this one lightly. Check whether its date differs from the ones below and matches the other files; if it matches the dates of most of the other system files it must not be deleted, and the system files will certainly not be dated from this period.
    C:\Windows\system32\msconfig.com
    C:\Windows\system32\regedit.com
    C:\Windows\system32\dxdiag.com
    C:\Windows\system32\rundll32.com
    C:\Windows\system32\finder.com
    C:\Windows\system32\a.exe

    Worth noting: look at the dates of these files, and check whether anywhere else has files with the same timestamp or suspicious files ending in .COM. Be careful not to run any program, or it starts up again, and that includes double-clicking a drive. And then there is the number one file! WINLOGON.EXE! All this work is just to get away from her kiss!

    C:\Windows\WINLOGON.EXE
    This one is plainly visible in the process list; there are two, one real and one fake.
    The real one is lowercase winlogon.exe (I don't know whether yours is), running as SYSTEM,
    while the fake one is uppercase WINLOGON.EXE, running as your own user name.
    This file cannot be ended from the process list; it claims to be a critical process that cannot be terminated, as if it were the real thing! Even in Safe Mode it
    sits in your process list! That is all I know so far. If you are still not sure, look at the modified date of one of the files and use Search for files modified that day; a whole pile with the same timestamp will turn up, even in the System Restore folder!! These files re-link themselves: if you delete some of them and accidentally run one, or run msconfig, command or regedit from Start - Run, all of them come back!

    Knowing these files, first close every program you can, open Windows Explorer from Accessories, and in Tools - Folder Options - View set it to show all files and folders and untick "hide protected operating system files". Then open Start - Run, type regedit to enter the registry, and go to
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    where there is an entry Torjan pragramme, which plainly says "I am a trojan": delete it!!
    Then log off! After logging back in, open Task Manager and check for rundll32; if it is there, end it first, since you cannot tell whether it is real or fake and it is better to be safe. Go to D: (do not double-click into it! that would reactivate the virus), right-click, choose [Open], and delete autorun.inf and pagefile.com,
    then go to C: and delete all the files listed above! Take care not to double-click any of them along the way, or every step has to be redone! Then log off again.
    During my battle, after deleting those files every .exe stopped opening, and running cmd did not work either.

    Open My Computer, Tools ==> Folder Options ==> File Types ==> New, enter the extension exe, click Advanced and choose Application.
    Then things run again

    After finishing all this, though, logging in at boot was a bit slow and a warning box popped up saying file "1" could not be found (that should be the 1.com file under Windows). Finally I used System Repair Engineer to repair startup items, file associations and so on as needed.
    Lastly, how to fix the boot-time "file 1.com not found" message:
    Run "regedit" from Run, open the registry, and under [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    change "Shell"="Explorer.exe 1" back to "Shell"="Explorer.exe". This is just a startup entry too, of course.

    Done!
    Posted: 2007-01-25 12:00 | #10
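The signs chaler's post describes (an uppercase WINLOGON.EXE outside system32 running as the user rather than SYSTEM, a second winlogon.exe, the Torjan Program Run entry, Shell set to "Explorer.exe 1", and an .exe open command that is no longer the stock `"%1" %*` that heroyb's batch restores) can be checked mechanically. This added Python example is not the thread's own tool; PROCESSES, REGISTRY and WINDIR are constructed sample data and assumptions, not values from the page.

```python
"""Audit a host snapshot for the indicators the posts above describe.

Added example, not part of the thread. PROCESSES and REGISTRY are constructed
sample data shaped like what Task Manager and regedit show; on a real XP box
they would be filled from `tasklist /v` and `reg query`. WINDIR assumes a
default install location.
"""
import ntpath
from typing import Dict, List, Tuple

WINDIR = r"C:\WINDOWS"  # assumption: default XP install on C:
WINLOGON_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
EXEFILE_KEY = r"HKCR\exefile\shell\open\command"

# constructed: (image path, account) per process; the second entry is the impostor
PROCESSES: List[Tuple[str, str]] = [
    (r"C:\WINDOWS\system32\winlogon.exe", r"NT AUTHORITY\SYSTEM"),
    (r"C:\WINDOWS\WINLOGON.EXE", r"PC\user"),
    (r"C:\WINDOWS\explorer.exe", r"PC\user"),
]

# constructed: (key, value name) -> data; "" is the default value.  The hijacked
# .exe command is a made-up illustration, not a value quoted by the thread.
REGISTRY: Dict[Tuple[str, str], str] = {
    (WINLOGON_KEY, "Shell"): "Explorer.exe 1",
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "Torjan Program"):
        r"C:\WINDOWS\WINLOGON.EXE",
    (EXEFILE_KEY, ""): r'"C:\WINDOWS\1.com" "%1" %*',
}


def audit_processes(procs: List[Tuple[str, str]]) -> List[str]:
    """Flag winlogon.exe images outside system32 or not running as SYSTEM,
    and any count other than exactly one copy."""
    findings: List[str] = []
    system32 = ntpath.join(WINDIR, "system32").lower()
    copies = 0
    for path, account in procs:
        if ntpath.basename(path).lower() != "winlogon.exe":
            continue
        copies += 1
        wrong_dir = ntpath.dirname(path).lower() != system32
        wrong_account = not account.upper().endswith("SYSTEM")
        if wrong_dir or wrong_account:
            findings.append(f"impostor winlogon: {path} running as {account}")
    if copies != 1:
        findings.append(f"{copies} winlogon.exe processes, expected exactly one")
    return findings


def audit_registry(reg: Dict[Tuple[str, str], str]) -> List[str]:
    """Flag the registry changes the posts attribute to the trojan."""
    findings: List[str] = []
    shell = reg.get((WINLOGON_KEY, "Shell"), "")
    if shell.strip().lower() != "explorer.exe":
        findings.append(f"Winlogon\\Shell is {shell!r}, expected 'Explorer.exe'")
    autorun_keys = (r"\currentversion\run", r"\currentversion\runservices")
    for (key, name), data in reg.items():
        if key.lower().endswith(autorun_keys):
            if "torjan" in name.lower() or ntpath.basename(data).lower() == "winlogon.exe":
                findings.append(f"autorun entry {name!r} -> {data}")
    exe_cmd = reg.get((EXEFILE_KEY, ""), "")
    if exe_cmd != '"%1" %*':
        findings.append(f".exe open command is not the stock value: {exe_cmd}")
    return findings


if __name__ == "__main__":
    for finding in audit_processes(PROCESSES) + audit_registry(REGISTRY):
        print("[!]", finding)
```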
    王梓枫
    Solved it with gdst's method, and used SREng to fix the registry.
    Posted: 2007-01-25 15:13 | Weifang University, Weifang, Shandong #11