The scan turned up a pile of malware, and two items, cskcqt05 and kgsfcghl91, were the hard ones. Kaspersky (this was not my own machine, hence not Avast) flagged kgsfcghl91, but every time it tried to remove it the machine rebooted.
Both load as kernel drivers, and even after rebooting into Safe Mode neither the antivirus nor any other tool could delete them. cskcqt05 could apparently be disabled with SREng; kgsfcghl91 could not.
I have no idea what these are; searching the web turned up nothing. I hacked at it with whatever tools were at hand and eventually cleaned it up. Tools used: SREng, Autoruns and Process Explorer, and don't forget Safe Mode.
Suggested removal: search the registry for every occurrence of cskcqt05 and kgsfcghl91 and delete every key found. If a key cannot be deleted, right-click it, open Permissions and grant yourself Full Control first (the Enum keys are owned by SYSTEM and give Administrators read access only by default, which is what makes the delete fail). Delete the Services\<name> keys before the Enum\Root\LEGACY_<NAME> devnodes, because the PnP manager recreates the devnode whenever the driver starts again. Then reboot (with the service keys gone the driver is not loaded, so its files are no longer locked) and delete the malware files; afterwards search the registry once more to confirm nothing has recreated the keys:
C:\windows\system32\p1gzft0.dll // trojan
C:\windows\system32\cskcqt05.dll // trojan
C:\windows\system32\cskcqt05.dllmmc.pkm
C:\windows\system32\drivers\cskcqt05.sys // trojan
C:\windows\system32\drivers\kgsfcghl91.sys // trojan
In addition, a pile of malware and suspicious files turned up under C:\Windows\:
C:\windows\30000.exe // trojan
C:\windows\flashcnn.exe
C:\windows\my_70201.exe
C:\windows\my_70302.exe // trojan
C:\windows\mysetup1021.exe // adware
C:\windows\setup306.exe // CNNIC component
C:\windows\setup307.exe // CNNIC component
C:\windows\setupol0165.exe
Here is everything the registry held for kgsfcghl91 (regedit export; lines starting with ";" are annotations added here, not regedit output):
Windows Registry Editor Version 5.00

; Root-enumerated devnode the PnP manager creates for a non-PnP ("legacy") driver.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_KGSFCGHL91]
"NextInstance"=dword:00000001

; {8ECC055D-...} is the LegacyDriver class GUID; "Driver" points at the class
; subkey Control\Class\{8ECC055D-047F-11D1-A537-0000F8753ED1}\0033, which a search
; for the driver name does not necessarily find.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_KGSFCGHL91\0000]
"Service"="kgsfcghl91"
"Legacy"=dword:00000001
"ConfigFlags"=dword:00000000
"Class"="LegacyDriver"
"ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
"DeviceDesc"="kgsfcghl91"
"Capabilities"=dword:00000000
"Driver"="{8ECC055D-047F-11D1-A537-0000F8753ED1}\0033"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_KGSFCGHL91\0000\LogConf]

; Control is a volatile subkey that exists only while the device is started:
; the driver was running when this export was taken.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_KGSFCGHL91\0000\Control]
"ActiveService"="kgsfcghl91"

; Type 1 = SERVICE_KERNEL_DRIVER, Start 0 = SERVICE_BOOT_START: the OS loader maps
; the image before the kernel runs, ahead of any antivirus service, which is why
; user-mode tools cannot stop it. ErrorControl 1 = SERVICE_ERROR_NORMAL. The Group
; value mimics the legitimate "System Bus Extender" load-order group.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\kgsfcghl91]
"Type"=dword:00000001
"Start"=dword:00000000
"ErrorControl"=dword:00000001
; REG_EXPAND_SZ (UTF-16LE); decodes to "System32\DRIVERS\kgsfcghl91.sys"
"ImagePath"=hex(2):53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,\
  52,00,49,00,56,00,45,00,52,00,53,00,5c,00,6b,00,67,00,73,00,66,00,63,00,67,00,\
  68,00,6c,00,39,00,31,00,2e,00,73,00,79,00,73,00,00,00
"DisplayName"="kgsfcghl91"
"Group"="SystemBusExtender"
; Autoruns writes AutorunsDisabled with the original Start value when an entry is
; unchecked and sets Start to 4. Start is 0 again here, so the disable did not stick.
"AutorunsDisabled"=dword:00000000

; Standard XP service security descriptor: owner SYSTEM; Administrators full
; control, SYSTEM and Power Users query/start/stop, Authenticated Users query only;
; SACL audits failed access by Everyone. Nothing attacker-specific in it.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\kgsfcghl91\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,\
  02,00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
  00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,05,\
  12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,\
  00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,00,18,00,\
  fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,00,00,00,00,\
  00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\kgsfcghl91\Enum]
"0"="Root\LEGACY_KGSFCGHL91\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001

; ControlSet002 (normally the Last Known Good set) carries the same entries, so
; cleaning only the current set leaves a copy that a "Last Known Good" boot restores.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_KGSFCGHL91]
"NextInstance"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_KGSFCGHL91\0000]
"Service"="kgsfcghl91"
"Legacy"=dword:00000001
"ConfigFlags"=dword:00000000
"Class"="LegacyDriver"
"ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
"DeviceDesc"="kgsfcghl91"
"Capabilities"=dword:00000000
"Driver"="{8ECC055D-047F-11D1-A537-0000F8753ED1}\0033"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_KGSFCGHL91\0000\LogConf]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\kgsfcghl91]
"Type"=dword:00000001
"Start"=dword:00000000
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,\
  52,00,49,00,56,00,45,00,52,00,53,00,5c,00,6b,00,67,00,73,00,66,00,63,00,67,00,\
  68,00,6c,00,39,00,31,00,2e,00,73,00,79,00,73,00,00,00
"DisplayName"="kgsfcghl91"
"Group"="SystemBusExtender"
"AutorunsDisabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\kgsfcghl91\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,\
  02,00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
  00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,05,\
  12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,\
  00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,00,18,00,\
  fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,00,00,00,00,\
  00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

; CurrentControlSet is a link to whichever ControlSet00N the machine booted from
; (see SYSTEM\Select), so this is one of the keys above seen a second time.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kgsfcghl91]
"ImagePath"=hex(2):53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,\
  52,00,49,00,56,00,45,00,52,00,53,00,5c,00,6b,00,67,00,73,00,66,00,63,00,67,00,\
  68,00,6c,00,39,00,31,00,2e,00,73,00,79,00,73,00,00,00
"Type"=dword:00000001
"ErrorControl"=dword:00000001
"DisplayName"="kgsfcghl91"
"Group"="SystemBusExtender"
"Start"=dword:00000000

Here is the registry export for CSKCQT05. It was taken by searching for CSKCQT05 after that driver had already been removed, so the real set of keys was larger and probably mirrored the kgsfcghl91 set above:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CSKCQT05]
"NextInstance"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_CSKCQT05]
"NextInstance"=dword:00000001

Note: this export is incomplete; use the KGSFCGHL91 export above as the model, or simply search for the name and delete everything that comes up.
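Rather than deleting whatever matches the name, it helps to read what an export like the ones above actually says. The following is an added example written for this post (my own code, not from the original article or from SREng, Autoruns or Process Explorer): it parses a .reg dump of this shape, decodes the hex(2) ImagePath, flags every service that is a kernel driver set to boot start, and lists the keys a cleanup has to remove for a given service name across all control sets. SAMPLE_REG is a constructed input modelled on the kgsfcghl91 dump, with the benign Beep driver added for contrast; the function names are mine.

```python
"""Triage a Windows .reg export for boot-start kernel drivers (added example)."""
import re
from typing import Dict, List, Tuple

SERVICE_KERNEL_DRIVER = 0x1        # Type values from winnt.h
SERVICE_FILE_SYSTEM_DRIVER = 0x2
START_NAMES = {0: "BOOT_START", 1: "SYSTEM_START", 2: "AUTO_START",
               3: "DEMAND_START", 4: "DISABLED"}

# Constructed sample modelled on the post's export; not a real capture.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_KGSFCGHL91\0000]
"Service"="kgsfcghl91"
"Class"="LegacyDriver"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\kgsfcghl91]
"Type"=dword:00000001
"Start"=dword:00000000
"ImagePath"=hex(2):53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,\
  52,00,49,00,56,00,45,00,52,00,53,00,5c,00,6b,00,67,00,73,00,66,00,63,00,67,00,\
  68,00,6c,00,39,00,31,00,2e,00,73,00,79,00,73,00,00,00
"Group"="SystemBusExtender"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\kgsfcghl91]
"Type"=dword:00000001
"Start"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Beep]
"Type"=dword:00000001
"Start"=dword:00000001
"ImagePath"=hex(2):53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,\
  52,00,49,00,56,00,45,00,52,00,53,00,5c,00,42,00,65,00,65,00,70,00,2e,00,73,00,\
  79,00,73,00,00,00
'''

_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
_HEX_RE = re.compile(r"^hex(?:\((\w+)\))?:(.*)$")
_SERVICE_RE = re.compile(
    r"\\SYSTEM\\(ControlSet\d{3}|CurrentControlSet)\\Services\\([^\\]+)$", re.I)


def _join_continuations(text: str) -> List[str]:
    """Merge lines ending in a backslash (how regedit wraps long hex values)."""
    out: List[str] = []
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        out.append(line)
        pending = ""
    if pending:
        out.append(pending)
    return out


def _decode_value(value: str) -> object:
    """Decode the REG_SZ, REG_DWORD and hex(N) syntaxes used by .reg files."""
    if value.startswith('"') and value.endswith('"'):
        return value[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if value.startswith("dword:"):
        return int(value[len("dword:"):], 16)
    m = _HEX_RE.match(value)
    if m:
        kind = int(m.group(1) or "3", 16)        # bare "hex:" is REG_BINARY (3)
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
        if kind in (1, 2):                      # REG_SZ / REG_EXPAND_SZ, UTF-16LE
            return data.decode("utf-16-le").rstrip("\x00")
        return data
    return value


def parse_reg(text: str) -> Dict[str, Dict[str, object]]:
    """Return {key_path: {value_name: value}} for a 'Version 5.00' .reg export."""
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for line in _join_continuations(text):
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = _decode_value(m.group(2))
    return keys


def boot_start_drivers(keys: Dict[str, Dict[str, object]]) -> List[Tuple[str, str, str, str]]:
    """(control set, service, start mode, image path) for every driver with Start 0.
    A boot-start driver is mapped by the OS loader before the kernel runs, so no
    user-mode scanner is awake to block it; that is the property to look for."""
    hits = []
    for path, values in keys.items():
        m = _SERVICE_RE.search(path)
        if not m:
            continue
        if values.get("Type") in (SERVICE_KERNEL_DRIVER, SERVICE_FILE_SYSTEM_DRIVER) \
                and values.get("Start") == 0:
            hits.append((m.group(1), m.group(2), START_NAMES[0],
                         str(values.get("ImagePath", ""))))
    return hits


def keys_for_service(keys: Dict[str, Dict[str, object]], name: str) -> List[str]:
    """Keys a cleanup must delete: the service key (with subkeys) in every control
    set plus the LEGACY_<NAME> devnode under Enum, Root. Delete the service key
    first; the PnP manager recreates the devnode whenever the driver starts."""
    pats = (re.compile(r"\\Services\\" + re.escape(name) + r"(\\|$)", re.I),
            re.compile(r"\\Enum\\Root\\LEGACY_" + re.escape(name) + r"(\\|$)", re.I))
    return sorted(k for k in keys if any(p.search(k) for p in pats))


if __name__ == "__main__":
    parsed = parse_reg(SAMPLE_REG)
    for cs, svc, mode, image in boot_start_drivers(parsed):
        print(f"{cs}: {svc} {mode} -> {image or '(no ImagePath)'}")
        for k in keys_for_service(parsed, svc):
            print("   delete:", k)
```

Run it against a real export by replacing SAMPLE_REG with the file contents (regedit writes UTF-16 with a BOM, so open it with encoding "utf-16"). Beep is deliberately left out of the report: it is a kernel driver too, but Start 1 means the kernel loads it after boot drivers, which is the normal case for most drivers.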
If you spot gaps in the above, or know a better method, thanks in advance.
This was hack-and-slash rather than professional work and is not well organised, so feedback is welcome.
Reference:
Autoruns and Process Explorer, anti-malware power tools: the scanning and removal helpers I recommend
Summary: this post records the removal of two stubborn pieces of malware, cskcqt05 and kgsfcghl91, using SREng, Autoruns and Process Explorer together with manual deletion of registry keys and files.