
[Original] Removing the Shell.exe virus



A few days ago my machine was infected with the Shell.exe virus, and no matter what I tried I could not kill it. On every boot it regenerated a Shell.exe file under system32, and Rising antivirus did not detect it. It also spreads through USB drives, so several of my computers ended up infected. After a few days of poking around I finally got rid of it completely. Here is the removal method, in the hope that it helps anyone in the same situation. Experts, please don't laugh!

Typical symptoms of the infection are:

1. The computer can no longer display hidden files.

2. On every boot, Shell.exe and Shell.pci are regenerated under C:\windows\system32.

3. spoolsv.exe under C:\windows\system32 is infected, so the print service cannot run (no printers are visible).

4. A pass.dic file is created in the root of drive C.

5. When a USB drive is plugged in, Shell.exe and Autorun.inf are created on it automatically.

==================================================================================================
Removal method 1: Rising antivirus

Download and update to the latest Rising antivirus, then run a full-disk scan. After that, all the virus files are gone. However, because the system file spoolsv.exe was infected, Rising deletes it as well, so the print service still cannot run. At this point it is not enough to copy a clean spoolsv.exe back: the registration for the Print Spooler service is gone and has to be re-added by hand. Save the following as a file named 1.reg, then double-click it to import it into the registry.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler]
"DependOnService"=hex(7):52,00,50,00,43,00,53,00,53,00,00,00,00,00
"Description"="将文件加载到内存中以便迟后打印。"
"DisplayName"="Print Spooler"
"ErrorControl"=dword:00000001
"FailureActions"=hex:80,51,01,00,00,00,00,00,00,00,00,00,03,00,00,00,e8,47,0c,\
  00,01,00,00,00,60,ea,00,00,01,00,00,00,60,ea,00,00,00,00,00,00,00,00,00,00
"Group"="SpoolerGroup"
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
  00,70,00,6f,00,6f,00,6c,00,73,00,76,00,2e,00,65,00,78,00,65,00,00,00
"ObjectName"="LocalSystem"
"Start"=dword:00000002
"Type"=dword:00000110

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler\Parameters]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler\Performance]
"Close"="PerfClose"
"Collect"="PerfCollect"
"Collect Timeout"=dword:000007d0
"Library"="winspool.drv"
"Object List"="1450"
"Open"="PerfOpen"
"Open Timeout"=dword:00000fa0
"WbemAdapFileSignature"=hex:b6,69,32,f1,cc,60,91,0e,38,f9,a0,87,63,c5,0b,d8
"WbemAdapFileTime"=hex:40,bd,af,2c,cd,2b,c2,01
"WbemAdapFileSize"=dword:00020200
"WbemAdapStatus"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
  00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
  00,00,02,00,60,00,04,00,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,\
  05,0b,00,00,00,00,00,18,00,9d,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,\
  23,02,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,20,\
  02,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,05,12,00,00,00,01,01,\
  00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler\Enum]
"0"="Root\\LEGACY_SPOOLER\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001


Then start the Print Spooler service manually (Control Panel > Administrative Tools > Services, and start "Print Spooler").
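Before importing a .reg file from a forum it is worth decoding its hex(2) and hex(7) values to see what they really set, since ImagePath decides which binary the Spooler service will load. The Python script below is an added example, not part of this post; SAMPLE_REG is a constructed sample made of the Spooler lines above, trimmed to the values that matter, and the function names are my own.

```python
import re

# Constructed sample: the relevant lines of the 1.reg file from the post, verbatim.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler]
"DependOnService"=hex(7):52,00,50,00,43,00,53,00,53,00,00,00,00,00
"DisplayName"="Print Spooler"
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
  00,70,00,6f,00,6f,00,6c,00,73,00,76,00,2e,00,65,00,78,00,65,00,00,00
"ObjectName"="LocalSystem"
"Start"=dword:00000002
"""

VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')


def decode_value(data):
    """Turn the right-hand side of one .reg value line into a Python value."""
    if data.startswith('"') and data.endswith('"'):
        return data[1:-1].replace('\\\\', '\\')          # REG_SZ
    if data.startswith("dword:"):
        return int(data[6:], 16)                         # REG_DWORD
    m = re.match(r"hex(?:\((?P<kind>[0-9a-f]+)\))?:(?P<bytes>.*)", data)
    if not m:
        raise ValueError("unsupported value syntax: %r" % data)
    raw = bytes(int(b, 16) for b in m.group("bytes").split(",") if b.strip())
    kind = m.group("kind")
    if kind == "2":                                      # REG_EXPAND_SZ: UTF-16LE, NUL-terminated
        return raw.decode("utf-16-le").rstrip("\0")
    if kind == "7":                                      # REG_MULTI_SZ: NUL-separated, double NUL at end
        return [s for s in raw.decode("utf-16-le").split("\0") if s]
    return raw                                           # REG_BINARY and others: keep the bytes


def parse_reg(text):
    """Return {key_path: {value_name: decoded_value}} for a .reg export."""
    keys, current = {}, None
    # A trailing backslash continues a hex value onto the next line; join those first.
    for line in text.replace("\\\n", "").splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            m = VALUE_RE.match(line)
            keys[current][m.group("name")] = decode_value(m.group("data"))
    return keys
```

Run `parse_reg(SAMPLE_REG)` and check that ImagePath decodes to %SystemRoot%\system32\spoolsv.exe and DependOnService to RPCSS before importing the file.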

====================================================================================================================

Shell virus removal method 2: manual removal

After infection, Windows Explorer can no longer show hidden files, so you need a tool that can view and delete hidden files (I wrote my own). Use it to delete spoolsv.exe and the Shell files under system32 (terminate the Shell.exe process before deleting). The root of the hard drive may also contain the virus files 1.exe or 2.exe; remove those as well.

Then copy a clean spoolsv.exe into the system32 directory and reboot. The virus will be gone and printing will work again automatically. This method is simpler and takes about a minute.
Last edited 2007-07-02 22:17:10

I really haven't found it. I just did a quick check of the exe files on my machine and they basically look normal and run without any problems. Did you work out under what conditions this thing infects exe files? Let me know, so I can play with it some more!