Step: CFScript
* 開啟記事本,貼上以下內容
KILLALL::
File::
c:\documents and settings\LAW\「開始」功能表\程式集\啟動\8D9104.lnk
c:\windows\imsins.BAK
c:\windows\system32\6715DA\8D9104.EXE
c:\windows\system32\drivers\pavboot.sys
C:\iexplor.bat
C:\explor.bat
c:\windows\system32\ruixing.exe
C:\Recycled.exe
D:\Recycled.exe
Driver::
pavboot
Rootkit::
pavboot
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"8D9104"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\360SE.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\360Start.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\AdoIE.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avant.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\chrome.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\firefox.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\GreenBrowser.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\hsreg.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\iemate.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\IERepair.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\KylinBrowser.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Maxthon.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\MiniIE.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\MyIE.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\opera.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\SaaYaa.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\See9IE.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\srgui.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\sriecli.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\suda.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\theworld.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\top.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\TouchNet.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\TTraveler.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\vu.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\winpatrol.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\XWebStar.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\zhinanzhenbrowser.exe]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{06b9850e-f8fd-11dd-a86b-00ff58bec9d3}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{17a2e6ce-bcc3-11dc-a565-00fff631cd47}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{73feea02-afbc-11dd-a7b9-001d60189970}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ba67581a-1d91-11dd-a66a-00fff631cd47}]
DirLook::
C:\WINDOWS\Prefetch
儲存--->存檔類型--->所有檔案-->檔名輸入為 CFScript.txt
把CFScript.txt 拉到 ComboxFix.exe
* ComboxFix 將會被執行
* 執行完會有報告於C:\ComboFix.txt.
