  • [Baidu] Partial manual removal of the CNNIC, A1D29050.EXE/DLL, 7CF* and related viruses - [Security]

    2007-06-30

    Tag: OS

    Copyright notice: when reposting, please credit the original source and author with a hyperlink and include this notice.
    http://3day.blogbus.com/logs/6236053.html

       Last night, while downloading "three pen-style fonts" (三款钢笔字体) from a small website, the downloaded file turned out to be named install.rar. On installing it I found it was uusee, which I remembered as an internet TV program, so I let it install. The computer then felt very slow. In Explorer I saw a cdnup.exe process; a Baidu search showed it is junk produced by CNNIC (China Internet Network Information Center). When I searched for a cdnup removal tool, IE closed itself. I was going to clean it with 360安全卫士 (360 Safeguard), but it would not start; neither would icesword or autoruns. Fortunately I still had filemon and regmon on the machine: start them, Filter → 360,

    Run 360安全卫士; filemon captured:

    62 15:06:19 上午 TOTALCMD.EXE:1804 OPEN C:\Program Files\Common Files\Microsoft Shared\MSINFO\A1D29050.dat "D:\Program Files\360safeVzs\360safe\360Safe.exe" NAME INVALID Options: Open  Access: All 
    63 15:06:19 上午 TOTALCMD.EXE:1804 OPEN C:\Program Files\Common Files\Microsoft Shared\MSINFO\A1D29050.dat "D:\Program Files\360safeVzs\360safe\360Safe.exe".exe NAME INVALID Options: Open  Access: All 
    64 15:06:19 上午 TOTALCMD.EXE:1804 OPEN C:\Program Files\Common Files\Microsoft Shared\MSINFO\A1D29050.dat "D:\Program Files\360safeVzs\360safe\360Safe.exe" NAME INVALID Options: Open  Access: All 
    65 15:06:19 上午 TOTALCMD.EXE:1804 OPEN C:\Program Files\Common Files\Microsoft Shared\MSINFO\A1D29050.dat "D:\Program Files\360safeVzs\360safe\360Safe.exe" NAME INVALID Options: Open  Access: All 
    66 15:06:19 上午 TOTALCMD.EXE:1804 OPEN C:\Program Files\Common Files\Microsoft Shared\MSINFO\A1D29050.dat "D:\Program Files\360safeVzs\360safe\360Safe.exe".exe NAME INVALID Options: Open  Access: All 
    67 15:06:19 上午 TOTALCMD.EXE:1804 OPEN C:\Program Files\Common Files\Microsoft Shared\MSINFO\A1D29050.dat "D:\Program Files\360safeVzs\360safe\360Safe.exe" NAME INVALID Options: Open  Access: All 

    regmon captured:

    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe

    Double-click in regedit to jump to HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe, and delete the entries for 360safe.exe, autoruns.exe, icesword.exe and the other security tools.

    Now open 360安全卫士 → Clean malicious software.

    autoruns → Image Hijacks → remove everything except "Your Image File Name Here without a path".

    With icesword, delete C:\Program Files\Common Files\Microsoft Shared\MSINFO\

    c:\windows\system32\7fc*

    c:\program files\cnnic\
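    The registry key regmon pointed at is the whole trick: a "Debugger" value under an Image File Execution Options subkey named after a security tool makes Windows launch that "debugger" instead of the tool, which is why 360Safe.exe, autoruns and icesword refused to start. The following PowerShell is an added example, not code from the original post: it audits the IFEO key and flags redirected security tools or debuggers that are not real debuggers. The lists of benign debuggers and tool names are assumptions for this example.

```powershell
# Added example (not from the original post): audit IFEO "Debugger" hijacks.
# The benign-debugger and security-tool lists are assumptions; adjust them.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$benignDebuggers = @('ntsd.exe', 'windbg.exe', 'vsjitdebugger.exe')            # assumption
$securityTools   = @('360safe.exe', 'autoruns.exe', 'icesword.exe', 'regedit.exe')

function Get-DebuggerImage([string]$Debugger) {
    # The Debugger value may be quoted and may carry arguments; keep the path only.
    $d = $Debugger.Trim()
    if ($d.StartsWith('"')) { return ($d -split '"')[1] }
    return ($d -split '\s+')[0]
}

$findings = Get-ChildItem -Path $ifeo | ForEach-Object {
    $image    = $_.PSChildName
    $debugger = $_.GetValue('Debugger')
    if (-not $debugger) { return }                      # no redirection configured
    $target = Get-DebuggerImage $debugger
    $exists = [bool]$target -and (Test-Path -LiteralPath $target)
    $leaf   = [System.IO.Path]::GetFileName($target).ToLowerInvariant()
    [pscustomobject]@{
        Image        = $image
        Debugger     = $debugger
        TargetExists = $exists
        # Suspicious when a security tool is redirected, the "debugger" is not a
        # known debugger (e.g. a .dat payload like the one filemon showed), or
        # the target file does not exist at all.
        Suspicious   = ($securityTools -contains $image.ToLowerInvariant()) -or
                       ($benignDebuggers -notcontains $leaf) -or
                       (-not $exists)
    }
}

$findings | Format-Table -AutoSize

# Review the table first. Remove only the Debugger value, not the whole subkey
# (it may hold legitimate settings); -WhatIf previews the action without acting.
$findings | Where-Object Suspicious | ForEach-Object {
    Remove-ItemProperty -Path (Join-Path $ifeo $_.Image) -Name Debugger -WhatIf
}
```

Run it from an elevated PowerShell; drop -WhatIf only once the listed entries have been checked by hand.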

    At this point the obvious symptoms were gone. I had never used security tools before; now I have turned on 360安全卫士 real-time protection, so I will know right away at the slightest sign of trouble. SSM is good too.

