What does svfqnty.exe do?
The file characteristics of svfqnty.exe are as follows:
1. MD5: 83fac86b53b77ea204dd180e3fbead95
2. Size: 25,529 bytes; with such a small footprint you can tell at a glance it should be a downloader
3. Attributes: hidden + system file
This virus mainly steals QQ passwords and game account passwords; Rising detects it as Worm.Win32.AVKiller.aq
Infection symptoms:
1. It copies svfqnty.exe and autoruns.inf to non-system partitions, and as soon as a USB flash drive or removable hard disk is plugged in it copies them onto that drive; when the drive is double-clicked on another computer, that computer is infected, which is how it spreads. Because the virus has modified the registry, these 2 files cannot be seen directly in Explorer; you can use WinRAR to view them.
2. The autoruns.inf code is as follows
Code:
[AutoRun]
open=svfqnty.exe
shell\open=Open(&O)
shell\open\Command=svfqnty.exe
shell\open\Default=1
shell\explore=Explore(&X)
shell\explore\Command=svfqnty.exe
3. Program entry point: 0041A3CC
The program is packed. It imports the following functions from KERNEL32.DLL, USER32.DLL, ADVAPI32.DLL, OLEAUT32.DLL, SHELL32.DLL and other libraries:
LoadLibraryA
GetProcAddress
VirtualProtect
VirtualAlloc
VirtualFree
ExitProcess
GetKeyboardType
RegQueryValueExA
SysFreeString
TlsSetValue
RegSetValueExA
lstrcmpiA
keybd_event
ShellExecuteA
OpenServiceA
URLDownloadToFileA
DeleteUrlCacheEntry
What surprised me is that it uses URLDownloadToFileA to download files; don't most antivirus products flag that function nowadays?
4. If you open a folder or program whose name contains the words "virus" (病毒) or "Trojan" (木马), the virus immediately closes that folder or program (Filseclab, for example), and when the IE title bar contains those words IE is closed as well, so I removed the words "virus" and "Trojan" from the title. It also automatically closes the folders the virus program lives in, such as C:\Program Files\Common Files\Microsoft Shared and C:\Program Files\Common Files\System; even viewing the properties of KPVTCTR.EXE gets closed automatically, and when you try to end kpvtctr.exe in Task Manager, it closes Task Manager instead. When you double-click a non-system drive it first closes that drive and then opens it. When you look at the app.ITIN value under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows, it closes the Registry Editor.
5. It removes "Show hidden files and folders" under Tools -> Folder Options -> "Hidden files and folders" and ticks "Do not show hidden files and folders", so hidden files can no longer be seen.
6. If your computer has Rising's monitor and firewall running, it kills their processes, and the firewall service can no longer be started; the properties of the "Rising Process Communication Center" service cannot be modified (the dialog is closed as soon as it opens), and its startup type has been changed to "Disabled". Kaspersky 6 gets the same treatment. It turns out the Rising driver had already been killed.
Solution:
1. Bring out the permissions trick: open the Start menu, type "regedit" in "Run" to open the registry, find the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options, right-click it, choose Permissions, and tick "Deny" for every user.
Then go to
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
and set the permissions of these 3 keys to Deny in the same way.
2. Kill the virus DLLs and EXEs that are already running.
First start Wsyscheck.exe; this program was neither hijacked nor closed. After it starts, select "Prohibit process and file creation",
then kill these 2 EXEs.
Then start the Filseclab Trojan Removal Assistant that I modified; download it here: http://202.116.160.44/dachong/goldsword/article.asp?id=219
Enter the following files in the path box and choose the second option. C is assumed to be the system drive.
C:\windows\system32\rarjdpi.dll
C:\windows\system32\kvdxhma.dll
C:\windows\system32\rsztfpm.dll
C:\windows\system32\kawdczy.dll
C:\windows\system32\avwgemn.dll
C:\windows\system32\kvmxfma.dll
C:\windows\system32\rsmygpm.dll
C:\windows\system32\wsmsazx.dll
C:\windows\system32\avzxfmn.dll
C:\windows\system32\avwldmn.dll
C:\windows\system32\kvdxsfma.dll
C:\windows\system32\wsmsaax.exe
C:\windows\system32\wsmsacj.dll
C:\windows\system32\verclsids.exe
C:\windows\system32\rsztfsp.exe
C:\windows\system32\rsztffg.dll
C:\windows\system32\rsmygsp.exe
C:\windows\system32\rsmygfg.dll
C:\windows\system32\rarjdtl.exe
C:\windows\system32\rarjdni.dll
C:\windows\system32\kvmxfis.exe
C:\windows\system32\kvmxfcf.dll
C:\windows\system32\kvdxsfis.exe
C:\windows\system32\kvdxsfcf.dll
C:\windows\system32\kvdxhis.exe
C:\windows\system32\kvdxhcf.dll
C:\windows\system32\kawdccs.dll
C:\windows\system32\kawdcaz.exe
C:\windows\system32\bsmains.exe
C:\windows\system32\avzxfst.exe
C:\windows\system32\avwldst.exe
C:\windows\system32\avwldin.dll
C:\windows\system32\avwgest.exe
C:\windows\system32\avwgein.dll
C:\Program Files\meex.exe
C:\Program Files\DLD.DAT
C:\Program Files\Common Files\Microsoft Shared\MSInfo\SysWFGwd.dll
C:\Program Files\Common Files\Microsoft Shared\MSInfo\SysWFGwd2.dll
C:\Documents and Settings\daokers\Local Settings\Temp\3222.exe
C:\Documents and Settings\daokers\Local Settings\Temp\2222.exe
C:\Program Files\Common Files\Microsoft Shared\MSINFO\atmQQ2.dll
C:\WINDOWS\Fonts\ardaase.fon
C:\WINDOWS\Fonts\ardasase.fon
C:\WINDOWS\Fonts\armease.fon
C:\WINDOWS\Fonts\avzxfin.dll
C:\WINDOWS\Fonts\chreaur.fon
C:\WINDOWS\Fonts\enweafx.fon
C:\WINDOWS\Fonts\gemoand.fon
C:\WINDOWS\Fonts\gezeand.fon
C:\WINDOWS\Fonts\msguasd.fon
C:\WINDOWS\Fonts\mswuasd.fon
C:\WINDOWS\Fonts\mszhasd.fon
C:\WINDOWS\Fonts\wymoafz.fon
d:\svfqnty.exe
d:\autoruns.inf
e:\svfqnty.exe
e:\autoruns.inf
................
3. Restart the system
4. Now change the permissions you modified back, and repair the registry.
Under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options, delete every entry except "Your Image File Name Here without a path";
clear the app.ITIN value under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows;
under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks keep only the two values rising and shell32.dll and clear the rest;
and under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run delete these 2 entries:
kujxsac c:\program files\common files\system\kpvtctr.exe
svfqnty c:\program files\common files\microsoft shared\hkvaciq.exe
At this point the virus has basically been driven out of the house. Finally, QQ may need to be uninstalled and reinstalled, and Rising also needs to be repaired.
Uninstall QQ, delete the QQ directory but keep the folder with your own QQ number, and reinstall QQ.
Same for Rising: choose to delete the installation directory when uninstalling, then reinstall.
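The two mechanisms the write-up above relies on, the autoruns.inf dropper on removable drives (symptom 1) and the registry persistence points that steps 1 and 4 of the cleanup touch, as an added PowerShell triage script. This is not code from the original post or from any tool it mentions. It assumes Windows PowerShell run as administrator; the autorun.inf sample embedded in it is reconstructed from the text above, the drive enumeration and registry paths are the standard Windows ones, and the function names Get-AutorunTargets, Test-AutorunOnDrive, Get-IfeoHijacks, Get-RegistryValues, Get-ShellExecuteHookDlls and Set-IfeoDenyAll are this example's own.

```powershell
# Added example (not from the original post): triage the autorun.inf dropper on
# removable drives and the registry persistence points named in steps 1 and 4.
# Assumes Windows PowerShell run as administrator. The autorun.inf sample at the
# bottom is constructed from the post; everything else reads the live machine.

$Ifeo  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$Hooks = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'
$Run   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'

function Get-AutorunTargets {
    # Parse the [AutoRun] section and return every key that launches a program:
    # open=, shellexecute= and shell\<verb>\command=.
    param([string]$IniText)
    $section = ''
    foreach ($raw in ($IniText -split "`r?`n")) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        if ($section -ne 'AutoRun') { continue }
        $kv = $line -split '=', 2
        if ($kv.Count -ne 2) { continue }
        $key = $kv[0].Trim()
        if ($key -match '^(open|shellexecute)$' -or $key -match '^shell\\[^\\]+\\command$') {
            [pscustomobject]@{ Key = $key; Target = ($kv[1].Trim() -split '\s+')[0] }
        }
    }
}

function Test-AutorunOnDrive {
    # For one drive root (e.g. 'E:\'): read autorun.inf even if it is hidden, and
    # report each launch target with its attributes ("Hidden, System" is the worm's).
    param([string]$DriveRoot)
    $inf = Join-Path $DriveRoot 'autorun.inf'
    if (-not (Test-Path -LiteralPath $inf)) { return }
    $text = Get-Content -LiteralPath $inf -Raw -Force
    foreach ($t in (Get-AutorunTargets $text)) {
        $path = Join-Path $DriveRoot $t.Target
        $attr = if (Test-Path -LiteralPath $path) { (Get-Item -LiteralPath $path -Force).Attributes } else { 'missing' }
        [pscustomobject]@{ Drive = $DriveRoot; Key = $t.Key; Target = $path; Attributes = "$attr" }
    }
}

function Get-IfeoHijacks {
    # Each IFEO subkey carrying a Debugger value redirects that program name to the
    # Debugger path; AV tools redirected to the worm show up here (step 4 deletes them).
    Get-ChildItem -Path $Ifeo | ForEach-Object {
        $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ($dbg) { [pscustomobject]@{ Program = $_.PSChildName; Debugger = $dbg } }
    }
}

function Get-RegistryValues {
    # All named values under a key, minus the PS* properties Get-ItemProperty adds.
    param([string]$Key)
    $props = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    if ($props) {
        $props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object { [pscustomobject]@{ Key = $Key; Name = $_.Name; Value = $_.Value } }
    }
}

function Get-ShellExecuteHookDlls {
    # ShellExecuteHooks value names are CLSIDs; resolve each to the DLL Explorer loads,
    # so you can see which entries are not shell32.dll or the AV's own hook.
    Get-RegistryValues $Hooks | Where-Object { $_.Name -like '{*}' } | ForEach-Object {
        $srv = "HKLM:\SOFTWARE\Classes\CLSID\$($_.Name)\InprocServer32"
        [pscustomobject]@{ Clsid = $_.Name; Dll = (Get-ItemProperty -Path $srv -ErrorAction SilentlyContinue).'(default)' }
    }
}

function Set-IfeoDenyAll {
    # Step 1's "permissions trick": a Deny/FullControl ACE for Everyone on the IFEO key
    # so the worm cannot re-create its Debugger entries. Run with -Undo in step 4.
    param([switch]$Undo)
    $acl  = Get-Acl -Path $Ifeo
    $rule = New-Object -TypeName System.Security.AccessControl.RegistryAccessRule `
        -ArgumentList 'Everyone', 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Deny'
    if ($Undo) { [void]$acl.RemoveAccessRule($rule) } else { $acl.AddAccessRule($rule) }
    Set-Acl -Path $Ifeo -AclObject $acl
}

# Constructed sample: the autorun.inf quoted in the post, parsed offline.
$sample = @'
[AutoRun]
open=svfqnty.exe
shell\open=Open(&O)
shell\open\Command=svfqnty.exe
shell\explore\Command=svfqnty.exe
'@
Get-AutorunTargets $sample | Format-Table -AutoSize   # three rows, all pointing at svfqnty.exe

# Live checks: every removable drive (DriveType 2), then the persistence keys.
Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=2' |
    ForEach-Object { Test-AutorunOnDrive ($_.DeviceID + '\') } | Format-Table -AutoSize
Get-IfeoHijacks          | Format-Table -AutoSize
Get-ShellExecuteHookDlls | Format-Table -AutoSize
Get-RegistryValues $Run  | Format-Table -AutoSize
```

Two practical points. The Deny ACE that Set-IfeoDenyAll adds applies to administrators as well, which is exactly what step 1 intends, so remember to run it again with -Undo before the step 4 cleanup or the deletions will fail with access denied. And because the worm hides its files with the Hidden and System attributes, every file operation in the script passes -Force; a plain Get-ChildItem of the drive root would not show svfqnty.exe at all, which is the same reason the post resorts to WinRAR to see it.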