Manual Removal and Clean-Up Instructions for Worm.Pabug.ck or Worm.Pabug.co
Worm.Pabug.ck is a computer virus also known as Worm.Pabug.co, Dropper or QQPass.48436, Trojan-PSW.Win32.QQPass.jh or DeepScan.Generic.Malware.SP!dldPk!g.01C03DEE. The virus carries a high system risk because the malicious dropper disables several commonly used antivirus programs and prevents security applications from opening. Other reported infection symptoms include being unable to update virus signatures and being unable to reach or load antivirus websites and forums. All of these effects make the removal or disinfection process for the Worm.Pabug.ck/co virus somewhat harder.
The worm cannot replicate by itself. A system can be infected when the user downloads an executable file from e-mail, instant messengers, bulletin boards or download centres and runs it, or when other malicious code (worms, viruses or Trojan horses) installs it. The worm, which is a dropper, creates the following files when executed:
%systemroot%\system32\gfosdg.exe or jusodl.exe
%systemroot%\system32\gfosdg.dll or jusodl.dll
%systemroot%\system32\severe.exe
%systemroot%\system32\drivers\mpnxyl.exe or pnvifj.exe
%systemroot%\system32\drivers\conime.exe
%systemroot%\system32\hx1.bat
%systemroot%\system32\noruns.reg
X:\OSO.exe
X:\autorun.inf
X stands for a non-system drive. The %systemroot% folder is usually C:\Windows on most systems (so the path to the infected files is C:\Windows\System on Windows 95/98/Me, C:\WinNT\System32 on Windows NT/2000 or C:\Windows\System32 on Windows XP).
In addition, the dropper adds the following values to the Windows registry by executing noruns.reg (and deleting the file once done), so that it runs automatically every time Windows starts.
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:b5
The value above changes the AutoRun behaviour of drives.
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"jusodl"="C:\WINDOWS\system32\severe.exe"
"pnvifj"="C:\WINDOWS\system32\jusodl.exe"
or
"mpnxyl"="C:\WINDOWS\system32\gfosdg.exe"
"gfosdg"="C:\WINDOWS\system32\severe.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe C:\WINDOWS\system32\drivers\conime.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
"Debugger"="[Windows system folder]\drivers\pnvifj.exe"
or
"Debugger"="C:\WINDOWS\system32\drivers\mpnxyl.exe"
The Debugger values above are placed in child registry keys named after the executable file names of security programs, so that when one of these security programs is double-clicked, the virus file runs instead. The child registry keys include:
+ 360Safe.exe
+ adam.exe
+ avp.com
+ avp.exe
+ IceSword.exe
+ iparmo.exe
+ kabaload.exe
+ KRegEx.exe
+ KvDetect.exe
+ KVMonXP.kxp
+ KvXP.kxp
+ MagicSet.exe
+ mmsk.exe
+ msconfig.com
+ msconfig.exe
+ PFW.exe
+ PFWLiveUpdate.exe
+ QQDoctor.exe
+ Ras.exe
+ Rav.exe
+ RavMon.exe
+ regedit.com
+ regedit.exe
+ runiep.exe
+ SREng.EXE
+ TrojDie.kxp
+ WoptiClean.exe
The worm stops the following services. The targets (listed below) are antivirus software, firewalls, system processes and other malicious code. It uses the `net stop` command, and configures the services as disabled with sc.exe using the command "config [service_name] start=disabled":
srservice
sharedaccess
KVWSC
KVSrvXP
kavsvc
RsRavMon
RsCCenter
The virus also terminates the following processes and stops them from running:
PFW.exe
Kav.exe
KVOL.exe
KVFW.exe
adam.exe
qqav.exe
qqkav.exe
TBMon.exe
kav32.exe
kvwsc.exe
CCAPP.exe
EGHOST.exe
KRegEx.exe
kavsvc.exe
VPTray.exe
RAVMON.exe
KavPFW.exe
SHSTAT.exe
RavTask.exe
TrojDie.kxp
Iparmor.exe
MAILMON.exe
MCAGENT.exe
KAVPLUS.exe
RavMonD.exe
Rtvscan.exe
Nvsvc32.exe
KVMonXP.exe
Kvsrvxp.exe
CCenter.exe
KpopMon.exe
RfwMain.exe
KWATCHUI.exe
MCVSESCN.exe
MSKAGENT.exe
kvolself.exe
KVCenter.kxp
kavstart.exe
RAVTIMER.exe
RRfwMain.exe
FireTray.exe
UpdaterUI.exe
KVSrvXp_1.exe
RavService.exe
It also modifies the HOSTS file to keep the user from connecting to specific addresses. Generally, these addresses are the homepages of Internet security sites and antivirus engine update servers, so the user of the infected system cannot get information or engine updates to scan for and remove the malicious code.
The following addresses are blocked:
127.0.0.1 localhost
127.0.0.1 mmsk.cn
127.0.0.1 ikaka.com
127.0.0.1 safe.qq.com
127.0.0.1 360safe.com
127.0.0.1 www.mmsk.cn
127.0.0.1 www.ikaka.com
127.0.0.1 tool.ikaka.com
127.0.0.1 www.360safe.com
127.0.0.1 zs.kingsoft.com
127.0.0.1 forum.ikaka.com
127.0.0.1 up.rising.com.cn
127.0.0.1 scan.kingsoft.com
127.0.0.1 kvup.jiangmin.com
127.0.0.1 reg.rising.com.cn
127.0.0.1 update.rising.com.cn
127.0.0.1 update7.jiangmin.com
127.0.0.1 download.rising.com.cn
127.0.0.1 dnl-us1.kaspersky-labs.com
127.0.0.1 dnl-us2.kaspersky-labs.com
127.0.0.1 dnl-us3.kaspersky-labs.com
127.0.0.1 dnl-us4.kaspersky-labs.com
127.0.0.1 dnl-us5.kaspersky-labs.com
127.0.0.1 dnl-us6.kaspersky-labs.com
127.0.0.1 dnl-us7.kaspersky-labs.com
127.0.0.1 dnl-us8.kaspersky-labs.com
127.0.0.1 dnl-us9.kaspersky-labs.com
127.0.0.1 dnl-us10.kaspersky-labs.com
127.0.0.1 dnl-eu1.kaspersky-labs.com
127.0.0.1 dnl-eu2.kaspersky-labs.com
127.0.0.1 dnl-eu3.kaspersky-labs.com
127.0.0.1 dnl-eu4.kaspersky-labs.com
127.0.0.1 dnl-eu5.kaspersky-labs.com
127.0.0.1 dnl-eu6.kaspersky-labs.com
127.0.0.1 dnl-eu7.kaspersky-labs.com
127.0.0.1 dnl-eu8.kaspersky-labs.com
127.0.0.1 dnl-eu9.kaspersky-labs.com
127.0.0.1 dnl-eu10.kaspersky-labs.com
The virus may also affect USB flash drives or portable hard disks through the AutoRun of OSO.exe: every non-system partition will also contain the OSO.exe and autorun.inf virus files. Besides, the system time may be changed to make some antivirus programs expire.
How to Remove and Disinfect Worm.Pabug.ck or Worm.Pabug.co Manually
To run an antivirus program that has been disabled, you can try renaming the antivirus executable to another file name and then running it under the new name (the Image File Execution Options hijack described above is keyed on the original file name).
Terminate the following processes (tasks) using Task Manager (alternatively you can use procexp):
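The autorun.inf that the worm drops next to OSO.exe is what makes a non-system partition or USB stick launch the worm. As an added example (not code from the original article), the following Python script parses an autorun.inf and reports the directives that would make Explorer run a program, which lets a responder tell a self-launching autorun.inf from a harmless one that only sets an icon and label. The file name OSO.exe comes from the write-up; the sample directive layout and the benign counterpart are constructed.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed autorun.inf in the shape an autorun worm leaves on a non-system
# partition (file name from the write-up; the directive layout is an assumption).
SAMPLE_AUTORUN = r"""[AutoRun]
open=OSO.exe
shellexecute=OSO.exe
shell\Auto\command=OSO.exe
shell=Auto
"""

# A benign autorun.inf (constructed) only sets an icon and a label; nothing is launched.
BENIGN_AUTORUN = """[autorun]
icon=setup.exe,0
label=My Disk
"""

LAUNCH_KEYS = ("open", "shellexecute")
EXEC_EXT = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js")


def parse_autorun_inf(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """INI-style parse: {section (lower-case): [(key lower-case, value), ...]}, order kept."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current].append((key.strip().lower(), value.strip()))
    return sections


def launch_directives(text: str) -> List[Tuple[str, str]]:
    """Directives that make Explorer run something: open=, shellexecute=,
    shell\\<verb>\\command= and the shell= default-verb override."""
    out = []
    for key, value in parse_autorun_inf(text).get("autorun", []):
        if key in LAUNCH_KEYS or key == "shell" or (key.startswith("shell\\") and key.endswith("\\command")):
            out.append((key, value))
    return out


def program_token(value: str) -> str:
    """First token of a command line, honouring a quoted program path."""
    m = re.match(r'\s*"([^"]*)"|\s*(\S+)', value)
    if not m:
        return ""
    return m.group(1) if m.group(1) is not None else m.group(2)


def referenced_executables(text: str) -> Set[str]:
    """Lower-cased base names of the programs the autorun.inf would launch."""
    names = set()
    for key, value in launch_directives(text):
        if key == "shell":
            continue  # names a verb, not a program
        prog = program_token(value)
        if prog.lower().endswith(EXEC_EXT):
            names.add(prog.replace("/", "\\").rsplit("\\", 1)[-1].lower())
    return names


def launches_program(text: str) -> bool:
    """True when the autorun.inf would run any program at all."""
    return bool(referenced_executables(text))


if __name__ == "__main__":
    for label, sample in (("sample", SAMPLE_AUTORUN), ("benign", BENIGN_AUTORUN)):
        print(label, launch_directives(sample), referenced_executables(sample))
```

Run it against the autorun.inf copied off a suspect drive (open the file with a text editor or a tool such as the ones recommended below rather than double-clicking the drive). An autorun.inf whose only keys are icon= and label= launches nothing; one that carries open=, shellexecute= or a shell\...\command= verb names the file to delete alongside it.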
%systemroot%\system32\gfosdg.exe
%systemroot%\system32\severe.exe
%systemroot%\system32\drivers\conime.exe
Remove the registry keys added by the virus under the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options registry key using Registry Editor or Autoruns (in Autoruns, remember to first select Options -> Hide Microsoft Entries to avoid deleting valid entries by mistake). This will allow antivirus or security software and system utilities such as IceSword, SREng and so on to function properly again:
+ 360Safe.exe c:\windows\system32\drivers\mpnxyl.exe
+ adam.exe c:\windows\system32\drivers\mpnxyl.exe
+ avp.com c:\windows\system32\drivers\mpnxyl.exe
+ avp.exe c:\windows\system32\drivers\mpnxyl.exe
+ IceSword.exe c:\windows\system32\drivers\mpnxyl.exe
+ iparmo.exe c:\windows\system32\drivers\mpnxyl.exe
+ kabaload.exe c:\windows\system32\drivers\mpnxyl.exe
+ KRegEx.exe c:\windows\system32\drivers\mpnxyl.exe
+ KvDetect.exe c:\windows\system32\drivers\mpnxyl.exe
+ KVMonXP.kxp c:\windows\system32\drivers\mpnxyl.exe
+ KvXP.kxp c:\windows\system32\drivers\mpnxyl.exe
+ MagicSet.exe c:\windows\system32\drivers\mpnxyl.exe
+ mmsk.exe c:\windows\system32\drivers\mpnxyl.exe
+ msconfig.com c:\windows\system32\drivers\mpnxyl.exe
+ msconfig.exe c:\windows\system32\drivers\mpnxyl.exe
+ PFW.exe c:\windows\system32\drivers\mpnxyl.exe
+ PFWLiveUpdate.exe c:\windows\system32\drivers\mpnxyl.exe
+ QQDoctor.exe c:\windows\system32\drivers\mpnxyl.exe
+ Ras.exe c:\windows\system32\drivers\mpnxyl.exe
+ Rav.exe c:\windows\system32\drivers\mpnxyl.exe
+ RavMon.exe c:\windows\system32\drivers\mpnxyl.exe
+ regedit.com c:\windows\system32\drivers\mpnxyl.exe
+ regedit.exe c:\windows\system32\drivers\mpnxyl.exe
+ runiep.exe c:\windows\system32\drivers\mpnxyl.exe
+ SREng.EXE c:\windows\system32\drivers\mpnxyl.exe
+ TrojDie.kxp c:\windows\system32\drivers\mpnxyl.exe
+ WoptiClean.exe c:\windows\system32\drivers\mpnxyl.exe
Remove the following startup (auto run) registry entries located under the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run registry key, using Registry Editor or SREng (System Repair Engineer):
“mpnxyl”=”C:\WINDOWS\system32\gfosdg.exe”
“gfosdg”=”C:\WINDOWS\system32\severe.exe”
Also navigate to the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon registry key, double-click the "Shell" value and remove the text after "Explorer.exe" in the value data, so that it looks like this:
“shell”=”Explorer.exe”
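The persistence mechanisms described earlier (Run entries, the Winlogon Shell value, Image File Execution Options Debugger values and the NoDriveTypeAutoRun policy) are exactly what the three registry steps above undo. As an added example that is not part of the original article, the Python script below parses a .reg export of those keys offline (so it can be run against an export taken from an infected machine with another system) and lists the entries that match the behaviour described here. The sample export is constructed from the keys and file names in the write-up; the .reg formatting and the ctfmon entry are assumptions, and the NoDriveTypeAutoRun bit names follow Microsoft's documentation of that value.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in .reg export format (the same keys the write-up lists).
# .reg files escape backslashes in string data as "\\"; the parser undoes that.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:000000b5

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"mpnxyl"="C:\\WINDOWS\\system32\\gfosdg.exe"
"gfosdg"="C:\\WINDOWS\\system32\\severe.exe"
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe C:\\WINDOWS\\system32\\drivers\\conime.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe]
"Debugger"="C:\\WINDOWS\\system32\\drivers\\mpnxyl.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe]
"Debugger"="C:\\WINDOWS\\system32\\drivers\\mpnxyl.exe"
'''

# File names the write-up attributes to the dropper. conime.exe is also a
# legitimate Windows binary in system32, so it only counts under \drivers\.
DROPPED_NAMES = {"gfosdg.exe", "jusodl.exe", "severe.exe", "mpnxyl.exe", "pnvifj.exe", "conime.exe"}

# NoDriveTypeAutoRun bits as documented by Microsoft: a set bit disables AutoRun for that drive type.
AUTORUN_BITS = [(0x01, "unknown"), (0x04, "removable"), (0x08, "fixed"),
                (0x10, "network"), (0x20, "cdrom"), (0x40, "ramdisk"), (0x80, "reserved")]
DEFAULT_AUTORUN = 0x91  # the default the write-up states for a normal system


def decode_value(raw: str):
    """Turn a .reg right-hand side into a str (quoted data) or int (dword:)."""
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return re.sub(r"\\(.)", r"\1", raw[1:-1])
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    return raw


def parse_reg(text: str) -> Dict[str, Dict[str, object]]:
    """Parse a .reg export into {key path: {value name: data}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$', line)
        if m and current is not None:
            name = m.group(1) if m.group(1) is not None else "@"
            keys[current][name] = decode_value(m.group(2))
    return keys


def looks_like_dropper_path(path: str) -> bool:
    base = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if base not in DROPPED_NAMES:
        return False
    return base != "conime.exe" or "\\drivers\\" in path.lower()


def autorun_types_disabled(value: int) -> List[str]:
    """Drive types whose AutoRun a NoDriveTypeAutoRun value switches off."""
    return [name for bit, name in AUTORUN_BITS if value & bit]


def audit(keys: Dict[str, Dict[str, object]]) -> List[Tuple[str, str, str]]:
    """Return (finding kind, subject, data) triples for the persistence tricks described above."""
    findings = []
    for key, values in keys.items():
        k = key.lower()
        lowered = {n.lower(): v for n, v in values.items()}
        if "\\image file execution options\\" in k and "debugger" in lowered:
            # Any Debugger value redirects every launch of that program; verify each one.
            findings.append(("ifeo_hijack", key.rsplit("\\", 1)[-1], str(lowered["debugger"])))
        elif k.endswith("\\currentversion\\winlogon") and "shell" in lowered:
            shell = str(lowered["shell"])
            if shell.strip().lower() != "explorer.exe":
                findings.append(("winlogon_shell", "Shell", shell))
        elif k.endswith("\\currentversion\\run"):
            for name, data in values.items():
                if isinstance(data, str) and looks_like_dropper_path(data):
                    findings.append(("run_entry", name, data))
        elif k.endswith("\\policies\\explorer") and "nodrivetypeautorun" in lowered:
            v = lowered["nodrivetypeautorun"]
            if isinstance(v, int) and v != DEFAULT_AUTORUN:
                findings.append(("autorun_policy", "NoDriveTypeAutoRun", hex(v)))
    return findings


if __name__ == "__main__":
    for kind, subject, data in audit(parse_reg(SAMPLE_REG)):
        print(f"{kind:15} {subject:25} {data}")
    print("AutoRun disabled for:", autorun_types_disabled(0xb5), "(0xb5) vs", autorun_types_disabled(0x91), "(0x91)")
```

The script only reads text; nothing is written back to the registry. A Debugger value under Image File Execution Options redirects every launch of the program the subkey is named after, which is why renaming the antivirus executable gets it running again; legitimate debuggers use the same key, so each finding still needs a look before it is deleted.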
Next, delete all files planted by the virus. Note that even right-clicking on these infected files may trigger the infection process, so it is recommended to use IceSword or WinRAR to delete them:
%systemroot%\system32\gfosdg.exe
%systemroot%\system32\gfosdg.dll
%systemroot%\system32\severe.exe
%systemroot%\system32\drivers\mpnxyl.exe
%systemroot%\system32\drivers\conime.exe
%systemroot%\system32\hx1.bat
%systemroot%\system32\noruns.reg
X:\OSO.exe
X:\autorun.inf
X means all non-system partitions, including your USB flash drive and portable hard disk.
System Recovery and Clean Up
Navigate to the following registry keys and restore the original values.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
“CheckedValue”=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
The "NoDriveTypeAutoRun" value varies from system to system; normally, by default, it is set to 91 (hex).
Next, remove all the entries the worm added to the Hosts file. Use Notepad to open %systemroot%\system32\drivers\etc\hosts and remove the entries or lines listed above. If you are using SREng, simply click "System Recovery" -> "Hosts file", then click "Replace" and then "Save".
Finally, you will need to recover, repair or reinstall the antivirus program if it has been damaged.
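As an added example (not code from the original article), this Python script does the Hosts-file check and clean-up from the step above offline: it flags every hostname other than localhost that is mapped to a loopback address, marks the ones under the security-vendor domains from the blocked-address list, and returns the file contents with only those lines removed. The sample hosts contents are constructed, mixing entries from the list with legitimate lines.

```python
import ipaddress
from typing import List, Tuple

# Constructed sample hosts file: two legitimate loopback lines, three sink-hole
# entries from the blocked-address list, one unrelated sink and one intranet entry.
SAMPLE_HOSTS = """# constructed sample, not a real machine's hosts file
127.0.0.1       localhost
127.0.0.1 safe.qq.com
127.0.0.1 update.rising.com.cn
127.0.0.1 dnl-us1.kaspersky-labs.com
192.168.1.10 intranet.example.test   # constructed legitimate entry
127.0.0.1 ads.example.test
::1 localhost
"""

# Domains (and their subdomains) taken from the blocked-address list above.
VENDOR_SUFFIXES = ("kaspersky-labs.com", "rising.com.cn", "kingsoft.com", "jiangmin.com",
                   "360safe.com", "ikaka.com", "mmsk.cn", "qq.com")
LOOPBACK_OK = {"localhost", "localhost.localdomain"}


def parse_hosts(text: str):
    """Return (line number, ip address, hostname) for each mapping; comments are stripped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed line; leave it for a human to look at
        for name in parts[1:]:
            entries.append((lineno, addr, name.lower()))
    return entries


def is_vendor_domain(name: str) -> bool:
    return any(name == s or name.endswith("." + s) for s in VENDOR_SUFFIXES)


def audit_hosts(text: str) -> List[Tuple[int, str, str]]:
    """Flag every hostname other than localhost that is pointed at a loopback address."""
    findings = []
    for lineno, addr, name in parse_hosts(text):
        if addr.is_loopback and name not in LOOPBACK_OK:
            reason = "security vendor sink-holed" if is_vendor_domain(name) else "unexpected loopback mapping"
            findings.append((lineno, name, reason))
    return findings


def clean_hosts(text: str) -> str:
    """Return the hosts text with the flagged lines removed; everything else is kept verbatim."""
    bad = {lineno for lineno, _, _ in audit_hosts(text)}
    kept = [line for i, line in enumerate(text.splitlines(), 1) if i not in bad]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for lineno, name, reason in audit_hosts(SAMPLE_HOSTS):
        print(f"line {lineno}: {name} ({reason})")
    print(clean_hosts(SAMPLE_HOSTS))
```

Read the real file from the path given in the step above and write the cleaned text back only after reviewing the findings: developers sometimes map test hostnames to 127.0.0.1 on purpose, and those lines show up as "unexpected loopback mapping" rather than as vendor sink-holes.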
IMPORTANT: This is a machine translated page which is provided "as is" without warranty. Machine translation may be difficult to understand. Please refer to original English article whenever possible.