Note: This tool applies only to Windows XP/NT/2000/2003. Run it on one computer first and confirm there are no problems before using it on the other infected computers.

Procedure:

1. Boot into Safe Mode and run kavoremove.exe. It deletes the following files (if they exist):

   - On all volumes: autorun.inf, ntdelete.com, ntdelect.com
   - In %windir%\system32\: kavo.exe, ubs.exe, poor.exe, shareb.exe, goods.exe, taso.exe, winpows.exe, fly.exe, kavo0~9.dll, taso0~9.dll
   - In %windir%\system\: kavo.exe, ubs.exe, poor.exe, shareb.exe, goods.exe, taso.exe, winpows.exe, fly.exe, kavo0~9.dll, taso0~9.dll
   - Documents and Settings\Administrator\Local Settings\Temp\*.*
   - In %windir%\temp\: kavo.exe, ubs.exe, poor.exe, shareb.exe, goods.exe, taso.exe, winpows.exe, fly.exe

2. Run Fixreg.exe to delete the following registry keys (be sure to back them up before deleting):

   HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\kava
   HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\tasa
   HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\kava
   HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\tasa
   HKEY_CLASSES_ROOT\CLSID\{47994C89-1857-4D33-B196-263ED6FA4CFF}
   HKEY_CLASSES_ROOT\CLSID\{FBF3B337-FEB6-403B-BBE2-2B67CB6563E3}
   HKEY_CLASSES_ROOT\CLSID\{E996F10E-FCAF-41CC-94C8-B8BF7D6F80AC}
   HKEY_CLASSES_ROOT\CLSID\{B058B02A-AC93-4FBA-900B-FA44D9B92805}
   HKEY_CLASSES_ROOT\CLSID\{79FC744E-75CA-49B0-8F02-AEAE4CAACBE0}
   HKEY_CLASSES_ROOT\CLSID\{749E4FEF-6AFF-41A6-AED8-364222D455A7}
   HKEY_CLASSES_ROOT\CLSID\{27E1C1B0-7117-4582-8565-682E569810D2}
   HKEY_CLASSES_ROOT\CLSID\{5D7ED61B-DB3E-44EC-BED5-40307384FF81}
   HKEY_CLASSES_ROOT\CLSID\{894C0068-46AC-4F59-A140-EDE0DABA776C}
   HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{27E1C1B0-7117-4582-8565-682E569810D2}
   HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{FBF3B337-FEB6-403B-BBE2-2B67CB6563E3}
   HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{5D7ED61B-DB3E-44EC-BED5-40307384FF81}
   HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{47994C89-1857-4D33-B196-263ED6FA4CFF}
   HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{E996F10E-FCAF-41CC-94C8-B8BF7D6F80AC}
   HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{B058B02A-AC93-4FBA-900B-FA44D9B92805}
   HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{79FC744E-75CA-49B0-8F02-AEAE4CAACBE0}
   HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{749E4FEF-6AFF-41A6-AED8-364222D455A7}
   HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{894C0068-46AC-4F59-A140-EDE0DABA776C}

3. Double-click 「恢復隱藏檔機碼.exe」 ("restore hidden-file registry keys") to modify the registry settings for hidden files so that hidden files can be displayed again. The following values are changed:

   HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden is set to 1
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue is set to 1

4. Use your gateway device to block the following URLs (if you have questions about configuring the gateway device, please contact the gateway vendor; thank you):

   http://www.*ofttw.com/
   http://www.microsofttw.com/

Once the virus problem has been resolved, immediately use OfficeScan's Outbreak Prevention settings to deny write access to these common virus file names:

   msdll.dll;mdll.dll;e1.exe;logo1_.exe;rundl132.exe;kavo.exe;kavo0.dll;kavo1.dll;kavo2.dll;kavo3.dll;kavo4.dll;kavo5.dll;kavo6.dll;kavo7.dll;kavo8.dll;kavo9.dll;fly32.dll;fly32.exe;autorun.inf;ntdelete.com;ntdelect.com;ubs.exe;poor.exe;poor32.dll;shareb32.dll;sharb.exe
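
The checks behind steps 1 to 3, as an added read-only audit script (not part of the original tool set): it reports which of the listed files, Run entries, CLSIDs and hidden-file settings are present on a machine, and deletes nothing, so it can be run before and after cleanup. It assumes PowerShell 2.0 or later is installed, reads kavo0~9.dll as kavo0.dll through kavo9.dll, and tests the Run and ShellExecuteHooks entries both as value names and as subkeys.

```powershell
# Added example: read-only audit of the indicators listed in steps 1-3.
# Deletes nothing. Assumes PowerShell 2.0+; run as an administrator.
$exe = 'kavo','ubs','poor','shareb','goods','taso','winpows','fly' | ForEach-Object { "$_.exe" }
# Assumption: "kavo0~9.dll" means kavo0.dll through kavo9.dll (same for taso).
$dll = foreach ($p in 'kavo','taso') { 0..9 | ForEach-Object { "$p$_.dll" } }
$clsids = '{47994C89-1857-4D33-B196-263ED6FA4CFF}','{FBF3B337-FEB6-403B-BBE2-2B67CB6563E3}','{E996F10E-FCAF-41CC-94C8-B8BF7D6F80AC}',
          '{B058B02A-AC93-4FBA-900B-FA44D9B92805}','{79FC744E-75CA-49B0-8F02-AEAE4CAACBE0}','{749E4FEF-6AFF-41A6-AED8-364222D455A7}',
          '{27E1C1B0-7117-4582-8565-682E569810D2}','{5D7ED61B-DB3E-44EC-BED5-40307384FF81}','{894C0068-46AC-4F59-A140-EDE0DABA776C}'
$cv = 'Software\Microsoft\Windows\CurrentVersion'
$found = @()

# Step 1: files. [IO.File]::Exists also sees files marked hidden/system.
$targets = @()
foreach ($d in [IO.DriveInfo]::GetDrives() | Where-Object { $_.IsReady }) {
    # Many CDs/DVDs carry a legitimate autorun.inf: a hit there means "inspect it".
    $targets += 'autorun.inf','ntdelete.com','ntdelect.com' | ForEach-Object { [IO.Path]::Combine($d.Name, $_) }
}
foreach ($dir in "$env:windir\system32","$env:windir\system") {
    $targets += ($exe + $dll) | ForEach-Object { [IO.Path]::Combine($dir, $_) }
}
$targets += $exe | ForEach-Object { [IO.Path]::Combine("$env:windir\temp", $_) }
$found += @($targets | Where-Object { [IO.File]::Exists($_) } | ForEach-Object { "FILE   $_" })

# Step 2: the page writes these as key paths; Run and ShellExecuteHooks entries
# are normally stored as values, so test for a value name and for a subkey.
function Test-RegEntry($key, $name) {
    $k = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
    ($k -and $k.PSObject.Properties[$name]) -or (Test-Path -LiteralPath "$key\$name")
}
foreach ($hive in 'HKEY_CURRENT_USER','HKEY_LOCAL_MACHINE') {
    foreach ($v in 'kava','tasa') {
        if (Test-RegEntry "Registry::$hive\$cv\Run" $v) { $found += "RUN    $hive\$cv\Run\$v" }
    }
}
foreach ($c in $clsids) {
    if (Test-Path -LiteralPath "Registry::HKEY_CLASSES_ROOT\CLSID\$c") { $found += "CLSID  $c" }
    if (Test-RegEntry "Registry::HKEY_LOCAL_MACHINE\$cv\Explorer\ShellExecuteHooks" $c) { $found += "HOOK   $c" }
}

# Step 3: report the two hidden-file values when they are not the 1 that step 3 sets.
$adv = Get-ItemProperty "Registry::HKEY_CURRENT_USER\$cv\Explorer\Advanced" -ErrorAction SilentlyContinue
$all = Get-ItemProperty "Registry::HKEY_LOCAL_MACHINE\$cv\Explorer\Advanced\Folder\Hidden\SHOWALL" -ErrorAction SilentlyContinue
$hid = if ($adv) { $adv.Hidden }
$chk = if ($all) { $all.CheckedValue }
if ($hid -ne 1) { $found += "SET    Explorer\Advanced\Hidden = '$hid' (step 3 sets 1)" }
if ($chk -ne 1) { $found += "SET    Hidden\SHOWALL\CheckedValue = '$chk' (step 3 sets 1)" }

if ($found) { $found } else { 'No listed indicators found.' }
```

A SET line for Hidden on its own can simply reflect the user's Folder Options choice; treat it as a finding only alongside FILE, RUN, CLSID or HOOK lines.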