Sample source: http://bbs.2dai.com/viewthread.php?tid=550418&extra=page%3D1
Dropped files:
X:\info.exe
X:\autorun.inf
C:\WINDOWS\system32\drivers\IsDrv118.sys
C:\WINDOWS\system32\drivers\IsDrv120.sys
C:\WINDOWS\system32\SysSafe.exe
C:\Documents and Settings\mopery\Local Settings\Temp\~DFXXXX.tmp

Contents of autorun.inf:
[autorun]
open=info.exe
shell\open=sb_(&o)
shell\open\command=info.exe
shell\open\default=1
shellexecute=info.exe
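The autorun.inf above launches info.exe three ways: `open` and `shellexecute` on AutoRun/AutoPlay, and `shell\open\command` whenever the drive is opened through its (renamed, `sb_(&o)`) default verb. The following PowerShell function is an added example, not code from the original post: it parses autorun.inf text and reports every directive that would execute a file, then scans the root of each local drive. The function name and the constructed sample text are assumptions of this example.

```powershell
# Added example (not from the original post): list the directives in an
# autorun.inf that launch a program, then scan local drive roots for one.
function Get-AutorunLaunchTargets {
    param([Parameter(Mandatory)][string]$IniText)

    $launchKeys = 'open', 'shellexecute'   # run directly on AutoRun/AutoPlay
    $results    = @()
    $inAutorun  = $false
    foreach ($rawLine in $IniText -split "`r?`n") {
        $line = $rawLine.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }
        if ($line -match '^\[(.+)\]$') {
            $inAutorun = ($Matches[1] -ieq 'autorun')   # only [autorun] matters
            continue
        }
        if (-not $inAutorun -or $line -notmatch '=') { continue }
        $key, $value = $line -split '=', 2
        $key = $key.Trim(); $value = $value.Trim()
        # Direct launch keys, or any shell\<verb>\command entry: the latter runs
        # when the verb is chosen from the context menu or is the default verb.
        if ($launchKeys -contains $key.ToLower() -or $key -imatch '^shell\\[^\\]+\\command$') {
            $results += [pscustomobject]@{ Directive = $key; Target = $value }
        }
    }
    return $results
}

# Constructed sample: the autorun.inf reported in the post.
$sample = @"
[autorun]
open=info.exe
shell\open=sb_(&o)
shell\open\command=info.exe
shell\open\default=1
shellexecute=info.exe
"@
Get-AutorunLaunchTargets -IniText $sample | Format-Table -AutoSize
# Expected: three rows (open, shell\open\command, shellexecute), all -> info.exe

# Check the root of every file-system drive on this machine for an autorun.inf.
foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    $inf = Join-Path $drive.Root 'autorun.inf'
    if (Test-Path -LiteralPath $inf) {
        Get-AutorunLaunchTargets -IniText (Get-Content -LiteralPath $inf -Raw) |
            ForEach-Object { '{0}: {1} -> {2}' -f $inf, $_.Directive, $_.Target }
    }
}
```

The `shell\open=sb_(&o)` line is deliberately not flagged: it only relabels the verb so that the hijacked command looks like an ordinary menu entry, and the `shell\open\default=1` line makes that verb the double-click default. Both are worth noting by eye, but it is the `command` line that does the launching.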
Runs the command: net stop cryptsvc

Terminates processes: iexplore.exe, system repair engineer, winspeed, cmd.exe, notepad.exe, icesword, login

Deletes files: X:/*.*gho

Modifies registry values:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] "Shell"="Explorer.exe" is changed to "Shell"="Explorer.exe C:\info.exe"
[HKCU\Software\Microsoft\Internet Explorer\Main] "Start Page"="about:blank" is changed to "Start Page"="http://www.baidu.com.cn/"
[HKCU\Software\microsoft\windows\currentversion\explorer\advanced] "hidden"=dword:00000002
(I suspect this author is not familiar with the registry value for "Show hidden files and folders"?)

Adds registry values:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run] "B-A-I-D-U-C-O-M"="C:\info.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe] "Debugger"="C:\info.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kwatch.exe] "Debugger"="C:\info.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ravmon.exe] "Debugger"="C:\info.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icesword.exe] "Debugger"="C:\info.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sreng.exe] "Debugger"="C:\info.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autorun.exe] "Debugger"="C:\info.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwmain.exe] "Debugger"="C:\info.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccenter.exe] "Debugger"="C:\info.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe] "Debugger"="C:\info.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe] "Debugger"="C:\info.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe] "Debugger"="C:\info.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe] "Debugger"="C:\info.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\syssafe.exe] "Debugger"="C:\info.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe] "Debugger"="C:\info.exe"

Adds and modifies registry values:
[HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc] "Start"=dword:00000002 is changed to "Start"=dword:00000004
[HKLM\system\controlset001\services\cryptsvc] "start"=dword:00000004
[HKLM\SYSTEM\CurrentControlSet\Services\kwatchsvc] "Start"=dword:00000004
[HKLM\system\controlset001\services\kwatchsvc] "Start"=dword:00000004
[HKLM\SYSTEM\CurrentControlSet\Services\rsravmon] "Start"=dword:00000004
[HKLM\system\controlset001\services\rsravmon] "Start"=dword:00000004
[HKLM\SYSTEM\CurrentControlSet\Services\rsppsys] "Start"=dword:00000004
[HKLM\system\controlset001\services\rsppsys] "Start"=dword:00000004
[HKLM\SYSTEM\CurrentControlSet\Services\avp] "Start"=dword:00000004
[HKLM\system\controlset001\services\avp] "Start"=dword:00000004

Deletes registry keys:
[HKLM\system\controlset001\control\safeboot\network\tcpip]
[HKLM\system\controlset001\control\safeboot\network\streams drivers]
[HKLM\system\controlset001\control\safeboot\network\dmboot.sys]
[HKLM\system\controlset001\control\safeboot\network\srservice]
[HKLM\system\controlset001\control\safeboot\network\sr.sys]
[HKLM\system\controlset001\control\safeboot\network\sermouse.sys]
[HKLM\system\controlset001\control\safeboot\network\rpcss]
[HKLM\system\controlset001\control\safeboot\network\pci configuration]
[HKLM\system\controlset001\control\safeboot\network\dmio.sys]
[HKLM\system\controlset001\control\safeboot\network\cryptsvc]
[HKLM\system\controlset001\control\safeboot\network\boot file system]
[HKLM\system\controlset001\control\safeboot\network\boot bus extender]
[HKLM\system\controlset001\control\safeboot\network\base]
[HKLM\system\controlset001\control\safeboot\network\appmgmt]
[HKLM\system\controlset001\control\safeboot\minimal\srservice]
[HKLM\system\controlset001\control\safeboot\minimal\sermouse.sys]
[HKLM\system\controlset001\control\safeboot\minimal\vga.sys]
[HKLM\system\controlset001\control\safeboot\minimal\primary disk]
[HKLM\system\controlset001\control\safeboot\minimal\rpcss]
[HKLM\system\controlset001\control\safeboot\minimal\pci configuration]
[HKLM\system\controlset001\control\safeboot\minimal\netlogon]
[HKLM\system\controlset001\control\safeboot\minimal\filter]
[HKLM\system\controlset001\control\safeboot\minimal\file system]
[HKLM\system\controlset001\control\safeboot\minimal\eventlog]
[HKLM\system\controlset001\control\safeboot\minimal\dmserver]
[HKLM\system\controlset001\control\safeboot\minimal\dmload.sys]
[HKLM\system\controlset001\control\safeboot\minimal\dmio.sys]
[HKLM\system\controlset001\control\safeboot\minimal\dmboot.sys]
[HKLM\system\controlset001\control\safeboot\minimal\dmadmin]
[HKLM\system\controlset001\control\safeboot\minimal\cryptsvc]
[HKLM\system\controlset001\control\safeboot\minimal\boot file system]
[HKLM\system\controlset001\control\safeboot\minimal\base]
[HKLM\system\controlset001\control\safeboot\minimal\appmgmt]
[HKLM\system\controlset001\control\safeboot\minimal\vgasave.sys]
[HKLM\system\controlset001\control\safeboot\minimal\sr.sys]
[HKLM\system\controlset001\control\safeboot\minimal\winmgmt]
[HKLM\system\controlset001\control\safeboot\minimal\boot bus extender]
[HKLM\system\controlset001\control\safeboot\minimal\system bus extender]

Sets the system time to 1993-09-12
Remedy (perform the following in Safe Mode):

Delete files:
X:\info.exe
X:\autorun.inf
C:\WINDOWS\system32\drivers\IsDrv118.sys
C:\WINDOWS\system32\drivers\IsDrv120.sys
C:\WINDOWS\system32\SysSafe.exe

Empty C:\Documents and Settings\mopery\Local Settings\Temp\

Set registry values back:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] "Shell"="Explorer.exe"
[HKCU\Software\Microsoft\Internet Explorer\Main] "Start Page"="about:blank"
[HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc] "Start"=dword:00000002

Delete registry entries:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run] "B-A-I-D-U-C-O-M"="C:\info.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe]
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kwatch.exe]
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ravmon.exe]
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icesword.exe]
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sreng.exe]
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autorun.exe]
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwmain.exe]
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccenter.exe]
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe]
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe]
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\syssafe.exe]
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe]
[HKLM\SYSTEM\CurrentControlSet\Services\kwatchsvc]
[HKLM\system\controlset001\services\kwatchsvc]
[HKLM\SYSTEM\CurrentControlSet\Services\rsravmon]
[HKLM\system\controlset001\services\rsravmon]
[HKLM\SYSTEM\CurrentControlSet\Services\rsppsys]
[HKLM\system\controlset001\services\rsppsys]
[HKLM\SYSTEM\CurrentControlSet\Services\avp]
[HKLM\system\controlset001\services\avp]

Set the system time back.
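The registry changes in the behaviour section and the cleanup steps just above are the same set of keys seen from two sides, so one audit script can serve both. The PowerShell below is an added example, not code from the original post: run elevated, it reports each indicator the post describes (IFEO "Debugger" values, which make Windows start the named path in place of the program and are how the sample hijacks the listed security tools; the extended Winlogon Shell; the Run value; the IE start page; the CryptSvc and security-product service Start values; the dropped files; a handful of the SafeBoot keys; the 1993 clock), and with -Remediate applies the post's registry steps. It assumes the sample's path and value names exactly as reported (C:\info.exe, B-A-I-D-U-C-O-M, the four service names) and uses CurrentControlSet rather than ControlSet001. Two assumptions of this example go beyond the post: a service key is only deleted when it has no ImagePath (a stub the sample created, not an installed product), and missing SafeBoot keys are reported but not recreated, because restoring them needs a known-good export from an identical build.

```powershell
# Added example (not from the original post): audit a host for the indicators
# described in the post; -Remediate applies the post's registry cleanup steps.
param([switch]$Remediate)

$SamplePath = 'C:\info.exe'   # sample path reported in the post
$IfeoRoot   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$Winlogon   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$IeMain     = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$RunKey     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$Services   = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$SafeBoot   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'

$findings = New-Object System.Collections.ArrayList
function Add-Finding($What, $Detail) {
    [void]$findings.Add([pscustomobject]@{ What = $What; Detail = $Detail })
}

# 1. IFEO Debugger hijacks. Any Debugger value deserves a look (legitimate
#    debuggers also use it); one pointing at the sample is conclusive.
Get-ChildItem $IfeoRoot -ErrorAction SilentlyContinue | ForEach-Object {
    $dbg = (Get-ItemProperty $_.PSPath).Debugger
    if ($dbg) {
        Add-Finding 'IFEO Debugger' ('{0} -> {1}' -f $_.PSChildName, $dbg)
        if ($Remediate -and $dbg -ieq $SamplePath) { Remove-Item $_.PSPath -Recurse }
    }
}

# 2. Winlogon Shell: anything appended after Explorer.exe runs at every logon.
$shell = (Get-ItemProperty $Winlogon).Shell
if ($shell -and $shell.Trim() -ine 'Explorer.exe') {
    Add-Finding 'Winlogon Shell' $shell
    if ($Remediate) { Set-ItemProperty $Winlogon -Name Shell -Value 'Explorer.exe' }
}

# 3. The Run value and IE start page reported in the post.
$run = Get-ItemProperty $RunKey -ErrorAction SilentlyContinue
if ($run.'B-A-I-D-U-C-O-M') {
    Add-Finding 'HKCU Run' $run.'B-A-I-D-U-C-O-M'
    if ($Remediate) { Remove-ItemProperty $RunKey -Name 'B-A-I-D-U-C-O-M' }
}
$start = (Get-ItemProperty $IeMain -ErrorAction SilentlyContinue).'Start Page'
if ($start -and $start -ine 'about:blank') {
    Add-Finding 'IE Start Page' $start
    if ($Remediate) { Set-ItemProperty $IeMain -Name 'Start Page' -Value 'about:blank' }
}

# 4. Services: CryptSvc forced to Disabled (4) instead of Automatic (2), and
#    the security-product service keys the sample pre-disables.
$crypt = (Get-ItemProperty "$Services\CryptSvc" -ErrorAction SilentlyContinue).Start
if ($crypt -ne 2) {
    Add-Finding 'CryptSvc Start' $crypt
    if ($Remediate) { Set-ItemProperty "$Services\CryptSvc" -Name Start -Value 2 -Type DWord }
}
foreach ($svc in 'kwatchsvc', 'rsravmon', 'rsppsys', 'avp') {
    $key = "$Services\$svc"
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty $key
    if ($props.Start -eq 4) {
        Add-Finding 'Service disabled' $svc
        # Assumption: a key with no ImagePath is a stub the sample created.
        if ($Remediate -and -not $props.ImagePath) { Remove-Item $key -Recurse }
    }
}

# 5. Dropped files and the clock change (the post reports 1993-09-12).
foreach ($f in $SamplePath,
               "$env:SystemRoot\system32\drivers\IsDrv118.sys",
               "$env:SystemRoot\system32\drivers\IsDrv120.sys",
               "$env:SystemRoot\system32\SysSafe.exe") {
    if (Test-Path -LiteralPath $f) { Add-Finding 'Dropped file' $f }
}
if ((Get-Date).Year -lt 2000) { Add-Finding 'System clock' (Get-Date) }

# 6. A sample of the SafeBoot keys the post lists as deleted; a missing key
#    means Safe Mode can no longer load that component. Report only.
foreach ($sub in 'Minimal\Base', 'Minimal\Boot Bus Extender', 'Minimal\Boot file system',
                 'Minimal\File system', 'Minimal\vga.sys', 'Minimal\winmgmt',
                 'Network\Base', 'Network\tcpip', 'Network\rpcss') {
    if (-not (Test-Path "$SafeBoot\$sub")) { Add-Finding 'SafeBoot key missing' $sub }
}

$findings | Format-Table -AutoSize
```

Run it once without -Remediate to see what it finds, and only after confirming the hits match the post (the Debugger values point at C:\info.exe, the Shell value has the sample appended) run it again with -Remediate from Safe Mode, as the post advises. The driver files are left for manual deletion because they may still be loaded on a normal boot.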