清理了一毒窝，基本上能中的全中了

最后那些病毒的尸体加起来就有30M，恐怖。害得我杀了一个工作日，好久不碰病毒，技艺生疏也。

能干的坏事全干了，能藏的位置全藏了。病毒主要藏身位置：
C:/ 系统盘根目录下
C:/WINDOWS/
C:/WINDOWS/system
C:/windows/fonts
c:/windows/inf
C:/WINDOWS/system32/config/
C:/WINDOWS/system32
c:/windows/system32/drivers
C:/WINDOWS/system32/inf/
C:/WINDOWS/temp
c:/docume~1/admini~1/locals~1/temp/
C:/Documents and Settings/All Users/「开始」菜单/程序/启动/
c:/program files/internet explorer/plugins/
C:/windows/Downloaded Program Files/
C:/WINDOWS/Help/
C:/Documents and Settings/Administrator/Local Settings/Temp
各个盘根目录下，各个盘回收站receycled目录中
等等。

还有个乖乖的目录 C:/runauto...
很多病毒图标就采用文件夹的图标，勿混淆
C:/windows/zuoyu16.ini 是一个病毒的记录，把其中记录的文件一一删除

把文件按照创建时间和修改时间排序，即可基本上把所有病毒体都找出来。

打开C:/windows/system32/drivers/etc/hosts文件（可用记事本、word等文本编辑器或字处理软件打开），把其中的东西该删除的删除，如果不会，直接使用SREng把hosts文件重置即可。

C:/ntldr.exe
C:/discovery.exe
C:/recycled/dc1.exe
C:/WINDOWS/SVIQ.EXE
C:/WINDOWS/system/Fun.exe
C:/WINDOWS/dc.exe
C:/WINDOWS/inf/Other.exe
C:/WINDOWS/system32/config/Win.exe
C:/WINDOWS/Fonts/cd8b366baadbfc0c4ab44b982b5c3781/system/soundma.exe
c:/program files/internet explorer/plugins/winsys8v.sys
C:/WINDOWS/system32/15b1.dll
C:/windows/Downloaded Program Files/461b.dll
C:/windows/Downloaded Program Files/15b.exe
C:/Program Files/Common Files/CPUSH/cpush.dll

下面的东西摘自SREng和Autoruns的扫描，有删减，删减过程中可能遗漏某些病毒，也可能勿写非病毒文件。

[HKEY_CURRENT_USER/Software/Microsoft/Windows/CurrentVersion/Run]
<dc2k5><C:/WINDOWS/SVIQ.EXE>  []
<Fun><C:/WINDOWS/system/Fun.exe>  []
<dc><C:/WINDOWS/dc.exe>  []
[HKEY_CURRENT_USER/Software/Microsoft/Windows NT/CurrentVersion/Windows]
<load><C:/WINDOWS/inf/Other.exe>  []
<run><C:/WINDOWS/system32/config/Win.exe>  []
[HKEY_LOCAL_MACHINE/Software/Microsoft/Windows/CurrentVersion/Run]
    <inudhya><C:/WINDOWS/Fonts/cd8b366baadbfc0c4ab44b982b5c3781/system/soundma.exe>  []
    <mfchlp32><C:/WINDOWS/mfchlp32.exe>  []
    <tciocp32><C:/WINDOWS/tciocp32.exe>  []
    <msccrt><C:/WINDOWS/msccrt.exe>  []
    <fmsbbqi><C:/WINDOWS/fmsbbqi.exe>  []
    <RavLoa><C:/WINDOWS/system32/RavLoa.exe>  []
    <TBMonEx><C:/WINDOWS/Fonts/cd8b366baadbfc0c4ab44b982b5c3781/system/>  [N/A]
    <DbgHlp32><C:/WINDOWS/DbgHlp32.exe>  []
    <SHAProc><C:/WINDOWS/SHAProc.exe>  []
    <igzwzslm><C:/WINDOWS/gwsmhxuq.exe>  []
    <PTSShell><C:/WINDOWS/PTSShell.exe>  []
    <WSockDrv32><C:/WINDOWS/WSockDrv32.exe>  []
    <AVPSrv><C:/WINDOWS/AVPSrv.exE>  []
    <upxdnd><C:/WINDOWS/upxdnd.exe>  []
    <LotusHlp><C:/WINDOWS/LotusHlp.exe>  []
    <cmdbcs><C:/WINDOWS/cmdbcs.exe>  []
[HKEY_LOCAL_MACHINE/Software/Microsoft/Windows/CurrentVersion/RunOnce]
    <vymwvk44><%systemroot%/system32/Rundll32.exe %systemroot%/system32/vymwvk44.dll DllUnregisterServer>  [N/A]
[HKEY_LOCAL_MACHINE/Software/Microsoft/Windows/CurrentVersion/Policies/Explorer/Run]
    <zuoyue><C:/WINDOWS/system32/inf/svch0st.exe C:/WINDOWS/system32/lwizysy16_080414.dll start>  [N/A]
    <zsmscc><rundll32.exe C:/WINDOWS/system32/mycc080201.dll mymain>  [N/A]
[HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows/CurrentVersion/Explorer/ShellExecuteHooks]
    <{AEB6717E-7E19-11d0-97EE-00C04FD91972}><shell32.dll>  [(Verified)Microsoft Windows Component Publisher]
    <{32CD708B-60A7-4C00-9377-D73EAA495F0F}><>  [N/A]
    <{6ce08af1-5f70-4c1a-8d1a-8aba11619e87}><C:/WINDOWS/system32/ayFKKFKK1055.dll>  []
    <{fe0ebc25-107f-4fda-ada3-7238573f90ad}><C:/WINDOWS/system32/ayJHVJHV1015.dll>  []
    <{734bfbb9-34f7-441c-b064-b3590bbe34ea}><C:/WINDOWS/system32/txWWQWWQ1006.dll>  []
    <{c4bf46a2-1c05-427d-992f-4e24f7d57f68}><C:/WINDOWS/system32/ttNNBNNB1047.dll>  []
    <{05922c2d-da84-48e8-a3e4-e797c58c39cf}><C:/WINDOWS/system32/ttEZZEZZ1046.dll>  []
    <{29fab913-d0cd-477b-a3f0-3d7c3a90379b}><C:/WINDOWS/system32/ttVUFVUF1011.dll>  []
    <{79dae25e-7bee-4484-bb1a-f30c45d535d9}><C:/WINDOWS/system32/ttQACQAC1035.dll>  []
    <{6167F471-EF2B-41DD-A5E5-C26ACDB5C096}><C:/Program Files/Internet Explorer/PLUGINS/WinSys8v.Sys>  []
    <{b669b098-7a40-42da-91f5-f3cadf9319e1}><C:/WINDOWS/system32/txRJHRJH1021.dll>  []
[HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Active Setup/Installed Components/Discoverr]
    <N/A><C:/WINDOWS/system32/Discovery.exe>  []
[HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/] 映像劫持
<C:/WINDOWS/system32/Discovery.exe> 和 <C:/xue.exe>劫持了一大堆的工具软件，这俩还有竞争
==================================
启动文件夹
[webspeed]
  <C:/Documents and Settings/All Users/「开始」菜单/程序/启动/webspeed.exe -->  [N/A]><N>
==================================
服务
[DCOM Service Process Manager / DCOMManager][Stopped/Auto Start]
  <C:/WINDOWS/system32/svchost.exe -k netsvcs-->c:/windows/inf/pcidevices8.inf><Microsoft Corporation>
[Windows ptug RunThem / ptug][Stopped/Auto Start]
  <C:/WINDOWS/System32/svchost.exe -k netsvcs-->C:/PROGRA~1/kopb/uyzl.dll><>
[Remote Procedure Call System(RPCS) / RpcS][Stopped/Auto Start]
  <C:/WINDOWS/system32/RpcS.exe><Microsoft Corporation>
[Perfor and Alell / Transfer Service][Stopped/Auto Start]
  <C:/WINDOWS/system32/Transfer Sebvice.exe><N/A>
==================================
驱动程序
[cqit / cqit][Stopped/Auto Start]
  </??/C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/tmp33.tmp><N/A>
[dohs / dohs][Stopped/Auto Start]
  </??/C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/tmpDF.tmp><N/A>
[fpids32 / fpids32][Stopped/Auto Start]
  </??/C:/WINDOWS/system32/drivers/msosfpids32.sys><N/A>
[iCafe Manager / iCafe Manager][Stopped/Manual Start]
  </??/C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/usbhcid.sys><N/A>
[kbrhqjlb / kbrhqjlb][Running/Boot Start]
  </SystemRoot//SystemRoot/System32/drivers/kbrhqjlb.sys><N/A>
[mhfp / mhfp][Stopped/Auto Start]
  </??/C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/tmp258.tmp><N/A>
[mnsf / mnsf][Stopped/Auto Start]
  </??/C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/tmp265.tmp><N/A>
[msfpfis64 / msfpfis64][Stopped/Auto Start]
  </??/C:/WINDOWS/system32/drivers/msosmsfpfis64.sys><N/A>
[ZTE USB / MX_98Drv][Stopped/Auto Start]
[NPF / NPF][Stopped/Manual Start]
  </??/C:/WINDOWS/system32/drivers/EF.tmp><N/A>
[npkcrypt / npkcrypt][Stopped/Auto Start]
  </??/C:/Program Files/QQ2006/npkcrypt.sys><N/A>
[ntptdb / ntptdb][Stopped/Auto Start]
  </??/C:/Documents and Settings/All Users/Application Data/Microsoft/Office/SYSTEM/ntptdb.sys><N/A>
[RESSDT / RESSDT][Stopped/Manual Start]
  </??/C:/WINDOWS/system32/ssdtdt.sys><N/A>
[Sc Manager / Sc Manager][Stopped/Manual Start]
  </??/C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/usbcams3.sys><N/A>
[vymwvk4 / vymwvk44][Running/Boot Start]
  </SystemRoot/System32/DRIVERS/vymwvk44.sys><N/A>
[kavell / kavell][Stopped/Manual Start]
  </??/C:/WINDOWS/system32/kavell.sys><N/A>
[PID: 956][C:/WINDOWS/Explorer.exe]  [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
    [C:/WINDOWS/system32/xbcvxb.dll]  [N/A, ]
    [C:/WINDOWS/system32/msepbe.dll]  [N/A, ]
    [C:/WINDOWS/system32/ayFKKFKK1055.dll]  [N/A, ]
    [C:/WINDOWS/system32/ayJHVJHV1015.dll]  [N/A, ]
    [C:/WINDOWS/system32/txWWQWWQ1006.dll]  [N/A, ]
    [C:/WINDOWS/system32/ttNNBNNB1047.dll]  [N/A, ]
    [C:/WINDOWS/system32/ttEZZEZZ1046.dll]  [N/A, ]
    [C:/WINDOWS/system32/ttVUFVUF1011.dll]  [N/A, ]
    [C:/WINDOWS/system32/ttQACQAC1035.dll]  [N/A, ]
    [C:/Program Files/Internet Explorer/PLUGINS/WinSys8v.Sys]  [N/A, ]
    [C:/WINDOWS/system32/txRJHRJH1021.dll]  [N/A, ]
[PID: 1140][C:/WINDOWS/SVIQ.EXE]  [, 1.00]
    [C:/WINDOWS/system32/xbcvxb.dll]  [N/A, ]
    [C:/WINDOWS/system32/msepbe.dll]  [N/A, ]
    [C:/Program Files/Internet Explorer/PLUGINS/WinSys8v.Sys]  [N/A, ]
[PID: 1188][C:/WINDOWS/dc.exe]  [, 1.00]
[PID: 1416][C:/WINDOWS/system/Fun.exe]  [, 1.00]
==================================
Autorun.inf
[C:/]
[AutoRun]
Open=Discovery.exe
Shell/Open=打开(&O)
Shell/Open/Command=Discovery.exe
Shell/Open/Default=1
Shell/Explore=资源管理器(&X)
Shell/Explore/Command=Discovery.exe
==================================
进程特权扫描
特殊特权被允许： SeDebugPrivilege [PID = 1140, C:/WINDOWS/SVIQ.EXE]
特殊特权被允许： SeDebugPrivilege [PID = 1188, C:/WINDOWS/DC.EXE]
特殊特权被允许： SeDebugPrivilege [PID = 1416, C:/WINDOWS/SYSTEM/FUN.EXE]
[QQgame]
  <C:/Documents and Settings/All Users/「开始」菜单/程序/启动/QQgame.exe -->  [N/A]><N>
==================================
浏览器加载项
+ brush Class            File not found: c:/windows/system32/solid.dll
+ CAdLogic Object            c:/program files/common files/cpush/cpush.dll
+ HTML Doucment            File not found: C:/WINDOWS/system32/mseval.dll
+ Invoke Class            File not found: C:/WINDOWS/system32/15b1.dll
+ Windows Word            File not found: C:/WINDOWS/system32/newtn.dll
+ {989D2FEB-5411-4565-8988-1DD2C5263377}            File not found: C:/WINDOWS/system32/SysInfo.dll
HKLM/Software/Microsoft/Internet Explorer/Toolbar           
+ msdxm.ocx            File not found: C:/msdxm.ocx

HKLM/System/CurrentControlSet/Services
+ DCOMManager    管理 DCOM 服务加载功能，该服务不能被删除。    Microsoft Corporation    c:/windows/inf/pcidevices8.inf
+ IPRIP            File not found: C:/WINDOWS/system32/wordms.dll
+ kkdc    在域控制器上此服务启用用户使用 Kerberos 授权协议登录网络。如果此服务在域控制器上被停用，用户将无法登录网络。如果此服务被禁用，任何依赖于它的服务将无法启用        File not found: C:/WINDOWS/lsass.exe
+ ms_2fax    Fax 2Client        File not found: C:/WINDOWS/system32/5b211.exe
+ ptug    网络管理服务，如果此服务被停止，有可能部分网络功能无法实现。        c:/program files/kopb/uyzl.dll
HKLM/System/CurrentControlSet/Services       
+ ALCXWDM            File not found: system32/drivers/ALCXWDM.SYS
+ cqit            File not found: C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/tmp33.tmp
+ dohs            File not found: C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/tmpDF.tmp
+ mhfp            File not found: C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/tmp258.tmp
+ mnsf            File not found: C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/tmp265.tmp
+ msfpfis64            c:/windows/system32/drivers/msosmsfpfis64.sys
+ NPF            File not found: C:/WINDOWS/system32/drivers/5A.tmp
+ npkcrypt            File not found: C:/Program Files/QQ2006/npkcrypt.sys
HKLM/Software/Microsoft/Command Processor/Autorun           
+ C:/WINDOWS/system32/sashost.exe            File not found: C:/WINDOWS/system32/sashost.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Windows/Appinit_Dlls           
+ atehhz.dllawef.dll            File not found: atehhz.dllawef.dll
+ m            File not found: m
+ msoscqit01.dll            c:/windows/system32/msoscqit01.dll
+ msosdohs00.dll            c:/windows/system32/msosdohs00.dll
+ msosmhfp00.dll            c:/windows/system32/msosmhfp00.dll
+ msosmnsf01.dll            c:/windows/system32/msosmnsf01.dll
+ msosping01.dll            c:/windows/system32/msosping01.dll
HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/RunOnce           
+ eqaxsh54    Run a DLL as an App    Microsoft Corporation    c:/windows/system32/rundll32.exe
+ vymwvk44    Run a DLL as an App    Microsoft Corporation    c:/windows/system32/rundll32.exe
C:/Documents and Settings/All Users/「开始」菜单/程序/启动           
+ Adobe Gamma Loader.lnk    Adobe Gamma Loader    Adobe Systems, Inc.    c:/program files/common files/adobe/calibration/adobe gamma loader.exe
+ qqgame.exe            c:/documents and settings/all users/「开始」菜单/程序/启动/autorunsdisabled/qqgame.exe
+ webspeed.exe            c:/documents and settings/all users/「开始」菜单/程序/启动/autorunsdisabled/webspeed.exe
HKCU/Software/Microsoft/Windows NT/CurrentVersion/Windows/Load           
+ C:/WINDOWS/inf/Other.exe            File not found: C:/WINDOWS/inf/Other.exe
HKCU/Software/Microsoft/Windows NT/CurrentVersion/Windows/Run           
+ C:/WINDOWS/system32/config/Win.exe            File not found: C:/WINDOWS/system32/config/Win.exe
HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/Policies/Explorer/Run           
+ 011            File not found: C:/WINDOWS/system32/011.dll
+ 461b    Microsoft DirectMusic Interactive Engine    Microsoft Corporation    c:/windows/downloaded program files/461b.dll
+ zsmscc            File not found: C:/WINDOWS/system32/mycc080201.dll mymain
+ zsmscc            File not found: C:/WINDOWS/system32/mycc080201.dll mymain
+ zuoyue    Run a DLL as an App    Microsoft Corporation    c:/windows/system32/inf/svch0st.exe
+ zuoyue    Run a DLL as an App    Microsoft Corporation    c:/windows/system32/inf/svch0st.exe
HKCU/Software/Microsoft/Windows/CurrentVersion/Run           
+ ctfmon.exe    CTF Loader    Microsoft Corporation    c:/windows/system32/ctfmon.exe
+ dc            File not found: C:/WINDOWS/dc.exe
+ dc2k5            File not found: C:/WINDOWS/SVIQ.EXE
+ Fun            File not found: C:/WINDOWS/system/Fun.exe
+ imscmig            File not found: C:/WINDOWS/imscmig.exe