How to manually remove the Trojan.PSW.Win32.Agent.mk (PegeFile.pif) virus

Virus name: Trojan.PSW.Win32.Agent.mk (detection name used by Rising)
Sample name: PegeFile.pif
The removal steps below are based on the analysis by forum user ixigua:

One: Download 费尔木马强制删除器工具.zip (the Filseclab Trojan Forced Remover tool) from down.45it.com, extract it and open PowerRmv.exe. In the file name field, enter each of the following in turn:

C:\Program Files\Internet Explorer\PLUGINS\NewTemp.bak
C:\Program Files\Internet Explorer\PLUGINS\NewTemp.dll
and the PegeFile.pif and autorun.inf files in the root of every partition

then tick "抑制文件再次生成" (suppress regeneration of the file) and click Remove to delete the file.

Two: Press Ctrl+Alt+Del to open Task Manager, end the explorer.exe process, then delete the following files (using the same method as in step one):

C:\DOCUME~1\TestUser\LOCALS~1\Temp\2.exe
C:\DOCUME~1\TestUser\LOCALS~1\Temp\1.exe
C:\DOCUME~1\TestUser\LOCALS~1\Temp\mhso.exe
C:\DOCUME~1\TestUser\LOCALS~1\Temp\mhso0.dll
C:\DOCUME~1\TestUser\LOCALS~1\Temp\3.exe
C:\WINDOWS\system32\ztinetzt.exe
C:\WINDOWS\system32\ztinetzt.dll
C:\DOCUME~1\TestUser\LOCALS~1\Temp\4.exe
C:\DOCUME~1\TestUser\LOCALS~1\Temp\rxso.exe
C:\DOCUME~1\TestUser\LOCALS~1\Temp\rxso0.dll
C:\DOCUME~1\TestUser\LOCALS~1\Temp\5.exe
C:\DOCUME~1\TestUser\LOCALS~1\Temp\6.exe
C:\DOCUME~1\TestUser\LOCALS~1\Temp\qjso.exe
C:\DOCUME~1\TestUser\LOCALS~1\Temp\qjso0.dll
C:\WINDOWS\system32\Ravasktao.exe
C:\WINDOWS\system32\Ravasktao.dll
C:\DOCUME~1\TestUser\LOCALS~1\Temp\7.exe
C:\DOCUME~1\TestUser\LOCALS~1\Temp\tlso.exe
C:\DOCUME~1\TestUser\LOCALS~1\Temp\tlso0.dll
C:\DOCUME~1\TestUser\LOCALS~1\Temp\8.exe
C:\DOCUME~1\TestUser\LOCALS~1\Temp\daso.exe
C:\DOCUME~1\TestUser\LOCALS~1\Temp\daso0.dll
C:\DOCUME~1\TestUser\LOCALS~1\Temp\9.exe
C:\Program Files\Internet Explorer\PLUGINS\System64.Jmp
C:\Program Files\Internet Explorer\PLUGINS\System64.Sys
C:\DOCUME~1\TestUser\LOCALS~1\Temp\10.exe
C:\WINDOWS\system32\Drivers\usbinte.sys
C:\WINDOWS\system32\visin.exe
C:\DOCUME~1\TestUser\LOCALS~1\Temp\11.exe
C:\WINDOWS\system32\mydata.exe
C:\WINDOWS\system32\moyu103.dll
C:\DOCUME~1\TestUser\LOCALS~1\Temp\13.exe
C:\DOCUME~1\TestUser\LOCALS~1\Temp\wlso.exe
C:\DOCUME~1\TestUser\LOCALS~1\Temp\wlso0.dll
C:\DOCUME~1\TestUser\LOCALS~1\Temp\14.exe
C:\DOCUME~1\TestUser\LOCALS~1\Temp\wgso.exe
C:\DOCUME~1\TestUser\LOCALS~1\Temp\wgso0.dll
C:\DOCUME~1\TestUser\LOCALS~1\Temp\15.exe
C:\WINDOWS\system32\wuclmi.exe
C:\WINDOWS\system32\wincfg.exe
C:\WINDOWS\system32\mvdbc.exe
C:\WINDOWS\system32\packet.dll
C:\WINDOWS\system32\pthreadVC.dll
C:\WINDOWS\system32\wanpacket.dll
C:\WINDOWS\system32\wpcap.dll
C:\WINDOWS\system32\drivers\npf.sys
C:\WINDOWS\system32\npf_mgm.exe
C:\WINDOWS\system32\daemon_mgm.exe
C:\WINDOWS\system32\NetMonInstaller.exe
C:\WINDOWS\system32\rpcapd.exe
C:\WINDOWS\system32\capinstall.exe

Three: Start menu > Run > type "regedit" to open the Registry Editor, then delete the entries listed below (marked in orange in the original):

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"wosa" = %TEMP%\WOSO.EXE
"mhsa" = %TEMP%\MHSO.EXE
"Microsoft Autorun14" = %SYSTEM%\ZTINETZT.EXE
"rxsa" = %TEMP%\RXSO.EXE
"qjsa" = %TEMP%\QJSO.EXE
"Microsoft Autorun9" = %SYSTEM%\RAVASKTAO.EXE
"tlsa" = %TEMP%\TLSO.EXE
"dasa" = %TEMP%\DASO.EXE
"wlsa" = %TEMP%\WLSO.EXE
"wgsa" = %TEMP%\WGSO.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
"visin" = %SYSTEM%\VISIN.EXE

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
"{0EA66AD2-CF26-2E23-532B-B292E22F3266}" =
"{754FB7D8-B8FE-4810-B363-A788CD060F1F}" =

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nm
(Display Name) Network Monitor Driver = (IMAGEPATH) SYSTEM32\DRIVERS\NMNT.SYS
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NPF
(Display Name) NetGroup Packet Filter Driver = (IMAGEPATH) SYSTEM32\DRIVERS\NPF.SYS
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rpcapd
(Display Name) Remote Packet Capture Protocol v.0 (experimental) = (IMAGEPATH) "%PROGRAMFILES%\WINPCAP\RPCAPD.EXE" -D -F "%PROGRAMFILES%\WINPCAP\RPCAPD.INI"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\nm
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\nm.sys

HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0EA66AD2-CF26-2E23-532B-B292E22F3266}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{425882B0-B0BF-11CE-B59F-00AA006CB37D}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{754FB7D8-B8FE-4810-B363-A788CD060F1F}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{944AD531-B09D-11CE-B59C-00AA006CB37D}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{D413C502-3FAA-11D0-B254-444553540000}
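Before working through the three steps by hand, it helps to know which of the listed indicators are actually present on the machine. The audit script below is an added example, not part of ixigua's analysis or the original guide: it checks the Run-key values, the policy Run value, the ShellExecuteHooks CLSIDs, the three services and the dropped files named above, and only reports them; nothing is deleted. It assumes an elevated PowerShell prompt and that %SYSTEM% in the guide means %WINDIR%\system32.

```powershell
# Added audit script (not from the original guide): report, without deleting,
# which indicators from the removal steps above exist on this host.
$ErrorActionPreference = 'SilentlyContinue'
$sys = Join-Path $env:WINDIR 'system32'          # assumption: %SYSTEM% = %WINDIR%\system32
$findings = @()
function Add-Finding($type, $location, $data) {
    $script:findings += New-Object PSObject -Property @{ Type = $type; Location = $location; Data = $data }
}

# Step three: autostart values and shell hooks listed in the guide
$runKey    = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$policyKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
$hookKey   = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'
$runValues = 'wosa','mhsa','Microsoft Autorun14','rxsa','qjsa','Microsoft Autorun9','tlsa','dasa','wlsa','wgsa'
$hookClsids = '{0EA66AD2-CF26-2E23-532B-B292E22F3266}','{754FB7D8-B8FE-4810-B363-A788CD060F1F}'

$run = Get-ItemProperty -Path $runKey
foreach ($name in $runValues) {
    if ($run -and $run.PSObject.Properties[$name]) { Add-Finding 'RunValue' "$runKey\$name" $run.$name }
}
$pol = Get-ItemProperty -Path $policyKey
if ($pol -and $pol.PSObject.Properties['visin']) { Add-Finding 'PolicyRun' "$policyKey\visin" $pol.visin }
$hooks = Get-ItemProperty -Path $hookKey
foreach ($clsid in $hookClsids) {
    if ($hooks -and $hooks.PSObject.Properties[$clsid]) { Add-Finding 'ShellExecuteHook' "$hookKey\$clsid" '' }
}
foreach ($svc in 'nm','NPF','rpcapd') {
    $k = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
    if (Test-Path $k) { Add-Finding 'Service' $k (Get-ItemProperty -Path $k).ImagePath }
}

# Step two: dropped executables and drivers (WinPcap library files left out on purpose, see note)
$files = "$sys\ztinetzt.exe","$sys\Ravasktao.exe","$sys\visin.exe","$sys\mydata.exe","$sys\moyu103.dll",
         "$sys\wuclmi.exe","$sys\wincfg.exe","$sys\mvdbc.exe","$sys\Drivers\usbinte.sys",
         "$env:ProgramFiles\Internet Explorer\PLUGINS\NewTemp.dll",
         "$env:ProgramFiles\Internet Explorer\PLUGINS\System64.Sys"
foreach ($f in $files) { if (Test-Path $f) { Add-Finding 'File' $f '' } }

# Step one: removable-media spreader, PegeFile.pif plus autorun.inf in every drive root
foreach ($d in Get-PSDrive -PSProvider FileSystem) {
    foreach ($n in 'PegeFile.pif','autorun.inf') {
        $p = Join-Path $d.Root $n
        if (Test-Path $p) { Add-Finding 'DriveRoot' $p '' }
    }
}
if ($findings) { $findings | Format-Table Type, Location, Data -AutoSize } else { 'No indicators from the guide were found.' }
```

The script deliberately does not flag packet.dll, wpcap.dll, npf.sys and the related WinPcap files from step two, because a legitimate WinPcap installation places the same files (and the NPF and rpcapd services) on a system; treat those hits as confirmation only when the other indicators are also present.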