主題: 七年之癢!3721網路實名被認定為病毒
瀏覽單個文章
simon121
Major Member
 
simon121的大頭照
 

加入日期: Jun 2001
您的住址: 火炎山和鐵砧山之間
文章: 198
哇哈哈!!! 終於清除3721了^_^
刪除3721 重要步驟

http://www.txsoft.cn/iso_details.as...id=30.30&ID=843

仔細一想,win2k/xp下似乎沒有了debug程式了,而或許問題解決起來也不是那麼複雜。再又嘗試了幾種方法後,終於得到了啟示:既然文件不允許操作,那麼我操作目錄如何?
我先把windows\system32\drivers目錄複製一份,取名為drivers1,並將其中的CnsMinKP.sys刪除(注意,因為是drivers1中的,所以可以被成功地真正刪除掉);
重新啟動機器,到安全模式下;
用drivers1目錄替代原來的drviers目錄
cd windows\system
ren drivers drivers2
ren drivers1 drivers
之後重新啟動機器,到安全模式,然後進到windows後先把drivers2目錄刪除了,然後慢慢收拾殘餘文件和清理註冊表吧。在這裡天緣提供一個reg文件,方便各位刪除註冊表:
Windows Registry Editor Version 5.00(用98的把這行改成regeidt4)

[-HKEY_LOCAL_MACHINE\SOFTWARE\3721]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B83FC273-3522-4CC6-92EC-75CC86678DA4}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D157330A-9EF3-49F8-9A67-4141AC41ADD4}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CnsHelper.CH]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CnsHelper.CH.1]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CnsMinHK.CnsHook]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CnsMinHK.CnsHook.1]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1BB0ABBE-2D95-4847-B9D8-6F90DE3714C1}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{A5ADEAE7-A8B4-4F94-9128-BF8D8DB5E927}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{AAB6BCE3-1DF6-4930-9B14-9CA79DC8C267}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\!CNS]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{00000000-0000-0001-0001-596BAEDD1289}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CnsMin]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{00000000-0000-0001-0001-596BAEDD1289}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{0F7DE07D-BD74-4991-9D5F-ECBB8391875D}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{5D73EE86-05F1-49ed-B850-E423120EC338}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{ECF2E268-F28C-48d2-9AB7-8F69C11CCB71}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FD00D911-7529-4084-9946-A29F1BDF4FE5}]

[-HKEY_CURRENT_USER\Software\3721]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search\OCustomizeSearch]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search\OSearchAssistant]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search\CustomizeSearch]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search\SearchAssistant]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{D157330A-9EF3-49F8-9A67-4141AC41ADD4}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CnsMin]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\EK_Entry]
[-HKEY_USERS\S-1-5-21-789336058-764733703-1343024091-1003\Software\Microsoft\Internet Explorer\Main\CNSAutoUpdate]
[-HKEY_USERS\S-1-5-21-789336058-764733703-1343024091-1003\Software\Microsoft\Internet Explorer\Main\CNSEnable]
[-HKEY_USERS\S-1-5-21-789336058-764733703-1343024091-1003\Software\Microsoft\Internet Explorer\Main\CNSHint]
[-HKEY_USERS\S-1-5-21-789336058-764733703-1343024091-1003\Software\Microsoft\Internet Explorer\Main\CNSList]
[-HKEY_USERS\S-1-5-21-789336058-764733703-1343024091-1003\Software\Microsoft\Internet Explorer\Main\CNSMenu]
[-HKEY_USERS\S-1-5-21-789336058-764733703-1343024091-1003\Software\Microsoft\Internet Explorer\Main\CNSReset]
結局:病毒敗,天緣勝
(雖然是成功地刪除了它,但是感覺贏得好險,如果該病毒加一個禁止上級文件改名的功能那麼就真的沒折了,為了預防類似的情形,最後還是找到了徹底一點的辦法,見下)
__________________
舊 2005-07-04, 10:54 AM #5
回應時引用此文章
simon121離線中