Cleaning up intercpudriver.sys, flashtimedriver.exe, flashphone.exe, mem32TCL.exe, ersVGA.exe, regkeyboard.exe and related files

February 20, 2008 | Category: 晒晒 | Tags:


Original article by btlulu

When reposting, please keep the link http://blog.btlulu.net/2008/02/20/intercpudriver/

It looks like it belongs to the same family as the diskcdriver.sys trojan series; for details see http://blog.btlulu.net/2008/02/02/diskcdriver/

In the SREng log it shows up as follows:

Startup folder:
[flashtimedriver]
<C:\Documents and Settings\new\「开始」菜单\程序\启动\flashtimedriver.exe -> [N/A]><H>
[flashphone]
<C:\Documents and Settings\new\「开始」菜单\程序\启动\flashphone.exe -> [N/A]><H>
[mem32TCL]
<C:\Documents and Settings\new\「开始」菜单\程序\启动\mem32TCL.exe -> [N/A]><H>

Services:
[ersVGA / ersVGA][Running/Auto Start]
<C:\WINDOWS\system32\ersVGA.exe><N/A>
[regkeyboard / regkeyboard][Running/Auto Start]
<C:\WINDOWS\system32\regkeyboard.exe><N/A>

Drivers:
[1202903985 / 1202903985][Stopped/Manual Start]
<\??\C:\WINDOWS\system32\intercpudriver.sys><N/A>
[1202908320 / 1202908320][Stopped/Manual Start]
<\??\C:\WINDOWS\system32\intercpudriver.sys><N/A>
[1202909116 / 1202909116][Stopped/Manual Start]
<\??\C:\WINDOWS\system32\intercpudriver.sys><N/A>
[1202997391 / 1202997391][Stopped/Manual Start]
<\??\C:\WINDOWS\system32\intercpudriver.sys><N/A>
[1203075220 / 1203075220][Stopped/Manual Start]
<\??\C:\WINDOWS\system32\intercpudriver.sys><N/A>
[1203130353 / 1203130353][Stopped/Manual Start]
<\??\C:\WINDOWS\system32\intercpudriver.sys><N/A>
[1203131728 / 1203131728][Stopped/Manual Start]
<\??\C:\WINDOWS\system32\intercpudriver.sys><N/A>
[1203216964 / 1203216964][Stopped/Manual Start]
<\??\C:\WINDOWS\system32\intercpudriver.sys><N/A>
[1203230120 / 1203230120][Stopped/Manual Start]
<\??\C:\WINDOWS\system32\intercpudriver.sys><N/A>
[1203299137 / 1203299137][Stopped/Manual Start]
<\??\C:\WINDOWS\system32\intercpudriver.sys><N/A>
[1203421903 / 1203421903][Stopped/Manual Start]
<\??\C:\WINDOWS\system32\intercpudriver.sys><N/A>
[1203422309 / 1203422309][Running/Manual Start]
<\??\C:\WINDOWS\system32\intercpudriver.sys><N/A>

Running processes:
[PID: 224 / SYSTEM][C:\WINDOWS\system32\ersVGA.exe]  [N/A, ]
[PID: 280 / SYSTEM][C:\WINDOWS\system32\moonrepert.exe]  [Microsoft Corporation, 6.00.2901.2181 (xpsp_sp2_rtm.040803-2158)]
[PID: 508 / SYSTEM][C:\WINDOWS\system32\regkeyboard.exe]  [N/A, ]

Cleanup method:
Use XDelBox to delete the following files (copy them all and import from the clipboard):
C:\Documents and Settings\new\「开始」菜单\程序\启动\flashtimedriver.exe
C:\Documents and Settings\new\「开始」菜单\程序\启动\flashphone.exe
C:\Documents and Settings\new\「开始」菜单\程序\启动\mem32TCL.exe
C:\WINDOWS\system32\ersVGA.exe
C:\WINDOWS\system32\moonrepert.exe
C:\WINDOWS\system32\regkeyboard.exe
C:\WINDOWS\system32\intercpudriver.sys

Then use SREng to delete the following entries:
Startup folder:
[flashtimedriver]
<C:\Documents and Settings\new\「开始」菜单\程序\启动\flashtimedriver.exe -> [N/A]><H>
[flashphone]
<C:\Documents and Settings\new\「开始」菜单\程序\启动\flashphone.exe -> [N/A]><H>
[mem32TCL]
<C:\Documents and Settings\new\「开始」菜单\程序\启动\mem32TCL.exe -> [N/A]><H>
Services:
[ersVGA / ersVGA][Running/Auto Start]
<C:\WINDOWS\system32\ersVGA.exe><N/A>
[regkeyboard / regkeyboard][Running/Auto Start]
<C:\WINDOWS\system32\regkeyboard.exe><N/A>
Drivers:
[1202903985 / 1202903985][Stopped/Manual Start]
<\??\C:\WINDOWS\system32\intercpudriver.sys><N/A>
[1202908320 / 1202908320][Stopped/Manual Start]
<\??\C:\WINDOWS\system32\intercpudriver.sys><N/A>
[1202909116 / 1202909116][Stopped/Manual Start]
<\??\C:\WINDOWS\system32\intercpudriver.sys><N/A>
[1202997391 / 1202997391][Stopped/Manual Start]
<\??\C:\WINDOWS\system32\intercpudriver.sys><N/A>
[1203075220 / 1203075220][Stopped/Manual Start]
<\??\C:\WINDOWS\system32\intercpudriver.sys><N/A>
[1203130353 / 1203130353][Stopped/Manual Start]
<\??\C:\WINDOWS\system32\intercpudriver.sys><N/A>
[1203131728 / 1203131728][Stopped/Manual Start]
<\??\C:\WINDOWS\system32\intercpudriver.sys><N/A>
[1203216964 / 1203216964][Stopped/Manual Start]
<\??\C:\WINDOWS\system32\intercpudriver.sys><N/A>
[1203230120 / 1203230120][Stopped/Manual Start]
<\??\C:\WINDOWS\system32\intercpudriver.sys><N/A>
[1203299137 / 1203299137][Stopped/Manual Start]
<\??\C:\WINDOWS\system32\intercpudriver.sys><N/A>
[1203421903 / 1203421903][Stopped/Manual Start]
<\??\C:\WINDOWS\system32\intercpudriver.sys><N/A>
[1203422309 / 1203422309][Running/Manual Start]
<\??\C:\WINDOWS\system32\intercpudriver.sys><N/A>
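To make the two manual steps above repeatable, here is an added PowerShell script. It is not the author's script and has nothing to do with XDelBox or SREng; it only uses the file names and paths printed in the SREng log, and the function names and the $DryRun switch are my own. It stops the listed processes, removes every service or driver registration whose ImagePath points at one of the listed binaries, then deletes the files, queuing any that are still locked for deletion at the next reboot. Matching on ImagePath rather than on service name is deliberate: the twelve numeric driver names in the log are all 10-digit values in the Unix-timestamp range for the days before the post, which suggests the driver registers itself under a fresh name each time it loads, so a fixed list of names would already be stale when you ran it.

```powershell
# Added example (not the author's script): automate the cleanup steps above.
# Names and paths come from the SREng log; function names are my own.
# Run from an elevated PowerShell. With $DryRun = $true it only reports.
$DryRun = $true

# File names copied from the post. Everything matches on basename, so the
# timestamp-named driver entries (1202903985, ... all -> intercpudriver.sys)
# are found through ImagePath without listing each service name.
$BadFiles = @('flashtimedriver.exe', 'flashphone.exe', 'mem32TCL.exe',
              'ersVGA.exe', 'moonrepert.exe', 'regkeyboard.exe', 'intercpudriver.sys')

function Get-ImageBaseName([string]$ImagePath) {
    # '\??\C:\WINDOWS\system32\intercpudriver.sys' -> intercpudriver.sys
    # '"C:\Program Files\x\y.exe" -arg'           -> y.exe
    if ($ImagePath -match '(?i)([^\\/"]+\.(exe|sys|dll))') { return $Matches[1] }
    return $null
}

function Get-BadServiceEntries {
    # Every key under Services: user-mode services and kernel drivers alike.
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $img = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).ImagePath
            if ($img -and ($BadFiles -contains (Get-ImageBaseName $img))) {
                New-Object PSObject -Property @{ Name = $_.PSChildName; ImagePath = $img }
            }
        }
}

function Stop-BadProcesses {
    Get-Process -ErrorAction SilentlyContinue |
        Where-Object { $_.Path -and ($BadFiles -contains (Split-Path -Leaf $_.Path)) } |
        ForEach-Object {
            "process $($_.Id) $($_.Path)"
            if (-not $DryRun) { Stop-Process -Id $_.Id -Force }
        }
}

function Remove-BadServices {
    foreach ($svc in @(Get-BadServiceEntries)) {
        "service/driver '$($svc.Name)' -> $($svc.ImagePath)"
        if (-not $DryRun) {
            # sc.exe handles drivers too; 'stop' fails harmlessly on a stopped entry,
            # 'delete' on a still-loaded driver marks the key for removal at next boot.
            & sc.exe stop $svc.Name | Out-Null
            & sc.exe delete $svc.Name | Out-Null
        }
    }
}

function Find-BadFiles {
    # system32 plus every profile root, so each user's Startup folder is covered
    # whatever its localized name (「开始」菜单\程序\启动 on a Chinese XP).
    $roots = @("$env:SystemRoot\system32")
    $roots += Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\*' -ErrorAction SilentlyContinue |
        ForEach-Object { $_.ProfileImagePath } | Where-Object { $_ }
    foreach ($root in $roots) {
        Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer -and ($BadFiles -contains $_.Name) }
    }
}

function Remove-OrScheduleDelete([string]$Path) {
    try {
        Remove-Item -LiteralPath $Path -Force -ErrorAction Stop
        "deleted $Path"
    } catch {
        # Still locked by the loaded driver or a running process: queue the delete
        # for the next boot via PendingFileRenameOperations, the registry side of
        # MoveFileEx(MOVEFILE_DELAY_UNTIL_REBOOT). An empty destination means delete.
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
        $pending = @((Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).PendingFileRenameOperations |
                     Where-Object { $_ -ne $null })
        Set-ItemProperty -Path $key -Name PendingFileRenameOperations -Type MultiString `
                         -Value ([string[]]($pending + "\??\$Path" + ''))
        "queued for deletion at reboot $Path"
    }
}

function Invoke-Cleanup {
    Stop-BadProcesses
    Remove-BadServices
    foreach ($f in @(Find-BadFiles)) {
        "file $($f.FullName)"
        if (-not $DryRun) { Remove-OrScheduleDelete $f.FullName }
    }
}

Invoke-Cleanup
```

Run it first with $DryRun = $true and compare the report against the SREng log before flipping the switch. Two caveats a practitioner will want: moonrepert.exe shows Microsoft version information (6.00.2901.2181) in the process list, but version strings are resource data that travels with the file and say nothing about its origin; and as long as the driver is loaded it can re-create the files and registrations you remove, so if the dry run shows entries reappearing between runs, do the cleanup from Safe Mode or offline, which is the situation that makes the author reach for a dedicated deletion tool in the first place.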

  1. 味味
    February 21, 2008 22:26
    #1

    First!~ Thanks for sharing your expertise~~~