It writes to AppInit_DLLs; because so many DLL names are written into the value, SREng fails to detect the entry. The data is as follows:
The purpose is to have these DLLs load in safe mode as well, so that the user's safe-mode repair is ineffective. As shown in the figure:
It connects to the network in the background to download trojan programs:
It colludes with the Auto trojan family and writes account-stealing trojans:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<mhuslmqi><C:\WINDOWS\hsmijpow.exe>
<AVPSrv><C:\WINDOWS\AVPSrv.exE>
<upxdnd><C:\WINDOWS\upxdnd.exe>
<Kvsc3><C:\WINDOWS\Kvsc3.exE>
<DbgHlp32><C:\WINDOWS\DbgHlp32.exe>
<SHAProc><C:\WINDOWS\SHAProc.exe> and others
It loads rootkit drivers for self-protection:
[iCafe Manager / iCafe Manager][Stopped/Manual Start]
<\??\C:\DOCUME~1\papa\LOCALS~1\Temp\usbhcid.sys>
[Sc Manager / Sc Manager][Running/Manual Start]
<\??\C:\DOCUME~1\papa\LOCALS~1\Temp\usbcams3.sys>
[dohs / dohs][Stopped/Auto Start]
<\??\C:\DOCUME~1\papa\LOCALS~1\Temp\tmp3.tmp>
[fpids32 / fpids32][Running/Auto Start]
<\??\C:\WINDOWS\system32\drivers\msosfpids32.sys>
[msertk / msertk][Running/Auto Start]
<system32\drivers\msyecp.sys>
[msert / msert][Running/Auto Start]
<system32\drivers\mselk.sys>
It writes ntsd image hijacks (Image File Execution Options) and breaks safe mode, so anti-virus software stops working.
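As an added example (not the article's own script, and not the attached Del_AtiSrv.bat or Clean_IFEO.bat), the following PowerShell audits the two persistence points the analysis describes: the padded AppInit_DLLs value and the ntsd image hijacks under Image File Execution Options. It reports the raw length and entry count of AppInit_DLLs, whether each listed DLL exists on disk, and every IFEO subkey that carries a Debugger value. It assumes PowerShell 3 or later running as Administrator; the function name Get-HijackReport is made up here.

```powershell
# Added example, not the article's own script: a read-only audit of the two
# registry persistence points described above (AppInit_DLLs and IFEO).
# Run in an elevated PowerShell; native registry view only (WOW6432Node is not checked).
function Get-HijackReport {
    $findings = @()

    # AppInit_DLLs: every listed DLL is loaded into each process that loads
    # user32.dll. The sample pads the value with dozens of names so a tool
    # that truncates the value misses it, so report the raw length and count.
    $winKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
    $props   = Get-ItemProperty -Path $winKey -ErrorAction SilentlyContinue
    $appInit = [string]$props.AppInit_DLLs
    if ($appInit.Trim()) {
        $dlls = $appInit -split '[,\s]+' | Where-Object { $_ }
        $findings += [pscustomobject]@{
            Type = 'AppInit_DLLs'; Name = "$($dlls.Count) entries, $($appInit.Length) chars"
            Target = $appInit; OnDisk = $null
        }
        foreach ($d in $dlls) {
            # A bare file name resolves through the loader search path; check
            # System32 as the most likely location and flag anything missing.
            $path = if ([IO.Path]::IsPathRooted($d)) { $d } else { Join-Path $env:SystemRoot "System32\$d" }
            $findings += [pscustomobject]@{
                Type = 'AppInit_DLL'; Name = $d; Target = $path
                OnDisk = Test-Path -LiteralPath $path
            }
        }
    }

    # IFEO: a Debugger value under <program>.exe makes Windows start that
    # "debugger" instead of the program. The article notes the sample uses
    # ntsd this way to keep anti-virus tools from launching.
    $ifeoKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    foreach ($sub in Get-ChildItem -Path $ifeoKey -ErrorAction SilentlyContinue) {
        $dbg = (Get-ItemProperty -Path $sub.PSPath -ErrorAction SilentlyContinue).Debugger
        if ($dbg) {
            $findings += [pscustomobject]@{
                Type = 'IFEO'; Name = $sub.PSChildName; Target = $dbg; OnDisk = $null
            }
        }
    }
    return $findings
}

Get-HijackReport | Format-Table -AutoSize
```

Any IFEO entry pointing at ntsd, or an AppInit_DLLs value with dozens of entries, matches the behaviour described in this analysis; compare the list against the DLL names in the SREng data above before cleaning.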
How to handle this virus:
Users who are already infected can try running the attached script Del_AtiSrv.bat in normal mode, then reboot into safe mode.
Once in safe mode, run the attached Clean_IFEO.bat to remove the image hijacks, then run 金山清理专家 (Kingsoft Cleanup Expert) to clean up the malware. As shown in the figure:
This virus combines several currently popular virus and trojan techniques; by disabling anti-virus programs it makes cleanup very difficult for ordinary users. Users are advised to focus on day-to-day prevention: keep the 毒霸 (Duba) virus database updated and maintain healthy browsing habits.
Please credit when reprinting: article from pc捍卫者 http://www.pchwz.com