现在的恶意程序真是厉害

前几天单位用了一个公司做的电子屏，当时没有PC可以测试，便拿我的做试验，防护软件都初关掉，据说是有影响，关关吧，谁知用了以后没有关掉PC，次日一早来了偶用着PC就感觉不太一样，一看进程，好么。。多了两个：alexa.exe & shtu1.exe，断掉进程，重启，F8，安全模式，查杀。。。。。。。。。

完毕后重启，竟然还是有这两个进程，郁闷了。。。。。。。。

于是看看服务。。。是不是因为。。。。

果然，有一个服务叫做：AFBC6815，注释是什么为系统提供加速启动功能，偶想着，这不该啊。。名字也不会是这样的吧，禁用服务无效，刷新一下就还是运行启用。于是找到注册表里面的相应结点，删掉，导出的REG信息如下：

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFBC6815]
"Type"=dword:00000010
"Start"=dword:00000002
"ErrorControl"=dword:00000001
"ImagePath"="C:\\WINDOWS\\system32\\AFBC6815.EXE -service"
"DisplayName"="AFBC6815"
"ObjectName"="LocalSystem"
"Descrīption"="为系统提供加速启动功能。"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFBC6815\Security]
"Security"=hex:01,00,14,80,b8,00,00,00,c4,00,00,00,14,00,00,00,30,00,00,00,02,\
  00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
  00,00,02,00,88,00,06,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
  05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
  20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,04,00,00,00,00,\
  00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,06,00,00,00,00,00,14,00,00,01,\
  00,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,00,18,00,fd,01,02,00,01,02,00,\
  00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,00,00,00,00,00,05,12,00,00,00,\
  01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFBC6815\Enum]
"0"="Root\\LEGACY_AFBC6815\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001
 

删掉后，然后重启到安全模式，搜索AFBC6815.*,然后全部改名，再进行查杀，重点是C盘windows下.完毕后重启，系统基本正常。。。。。