Sample source: provided by a forum member; a trojan downloader running in my own VM has also fetched it, and requests for help with it have been growing lately. Detailed analysis:
File: 1.1 Size: 43543 bytes MD5: 9139FD02F496B0F8205E13F55D6814A0 SHA1: 2F1DE9E0B851FDB9B7FC8EA368B7A87B38A13E4C CRC32: F564476E
1.1 is a DLL. When loaded with rundll32.exe it creates the following files: C:\WINDOWS\system32\1.1 and C:\WINDOWS\system32\718.50 (random file name).
The virus keeps its files open with exclusive access (no share mode), so while it is running they cannot be deleted, copied or renamed.
It deletes the key HKLM\SYSTEM\ControlSet001\Control\SafeBoot, which breaks Safe Mode.
It adds the value C:\WINDOWS\system32\rundll32.exe 1.1 s under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run so that it starts at boot (rundll32 loads 1.1 and calls its export s).
It adds the value DisableCMD (REG_DWORD, data 0x00000001) under HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System, which blocks cmd.exe.
It monitors for the following processes and blocks the following DLLs from loading; anything found is killed immediately and its file deleted: mmskskin.dll, kkclean.dll, VirUnk.def, AntiActi.dll, Rsaupd.exe, Iereset.dll, Libclsid.dat, KnetWch.sys, CleanHis.dll, WoptiClean.sys, kakaliv.def, libdll.dat, kkinst.ini, Ras.exe, ishelp.exe, trojandetector.exe, KAConfig.dll, KAVPassp.dll, hsfw.dll, wopticlean.exe, 360safe.exe
It also scans child-window text for the following strings and, on a match, kills the owning process and deletes its file: Smallfrogs, Kingsoft, Antivirus, Antispyware, TrojanDetector, Micropoint
Closer inspection later showed that these files are not really deleted: they are moved to the %temp% folder and renamed _*.TMP, where * is a number.
It modifies the hosts file to block the update sites of common antivirus products (plus a number of search engines and forums). The entries written are:
61.152.244.167 114.vnet.cn
61.152.244.167 auto.search.msn.com
61.152.244.167 www.hao123.com
61.152.244.167 hao123.com
61.152.244.167 www.360safe.com
61.152.244.167 360safe.com
222.73.126.115 update.360safe.com
61.152.244.167 dl.360safe.com
61.152.244.167 bbs.360safe.com
61.152.244.167 www.btbaicai.com
61.152.244.167 btbaicai.com
61.152.244.167 www.pctutu.com
61.152.244.167 www.7322.com
61.152.244.167 www.5566.net
61.152.244.167 www.9991.com
61.152.244.167 9991.com
61.152.244.167 forum.ikaka.com
61.152.244.167 www.ikaka.com
222.73.126.115 update.ikaka.com
61.152.244.167 forum.jiangmin.com
222.73.126.115 update.jiangmin.com
61.152.244.167 post.baidu.com
222.73.126.115 update.rising.com.cn
61.152.244.167 online.rising.com.cn
222.73.126.115 center.rising.com.cn
61.152.244.167 up.duba.net
61.152.244.167 shadu.baidu.com
61.152.244.167 security.symantec.com
61.152.244.167 shadu.duba.net
61.152.244.167 online.jiangmin.com
61.152.244.167 cn.mcafee.com
61.152.244.167 www.ahn.com.cn
61.152.244.167 www.kaspersky.com.cn
61.152.244.167 www.pcav.cn
61.152.244.167 mopery.hits.io
61.152.244.167 www.luosoft.com
61.152.244.167 luosoft.com
61.152.244.167 www.im286.com
61.152.244.167 bbs.htmlman.net
61.152.244.167 10000.286er.com
61.152.244.167 im286.net
61.152.244.167 cool.47555.com
61.152.244.167 ju.qihoo.com
61.152.244.167 bbs.chinaz.com
222.73.126.115 dnl-cn1.kaspersky-labs.com
... (almost every Kaspersky update site is blocked)
61.152.244.167 ishare.sina.com.cn
61.152.244.167 www.google.com
61.152.244.167 google.com
61.152.244.167 www.google.cn
61.152.244.167 www.sogou.com
61.152.244.167 www.yahoo.com.cn
61.152.244.167 cn.yahoo.com
222.73.210.148 www.comewz.com
61.152.244.167 www.iask.com
61.152.244.167 iask.com
61.152.244.167 search.tom.com
61.152.244.167 page.so.163.com
61.152.244.167 www.soso.com
61.152.244.167 sou.china.com
61.152.244.167 toolsbar.kuaiso.com
61.152.244.167 www.kuaiso.com
61.152.244.167 m2126.com
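The hosts hijack has two signatures that are easy to check for: security-vendor or search-engine names mapped to something other than loopback, and one address that dozens of names have been pointed at. As an added example (my code, not part of the original analysis), the PowerShell below parses a hosts file and reports both; the vendor substrings are an assumption drawn from the list above, and the sample lines are constructed for an offline run. The commented tail shows how to run it against the live file and rewrite it with a backup.

```powershell
# Added example, not part of the original analysis.
# Flags hosts-file entries of the kind this sample writes.
$HostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
# Assumed substrings identifying vendor/search hosts (drawn from the list in the post)
$VendorPatterns = @('360safe', 'rising', 'jiangmin', 'duba', 'kaspersky', 'symantec',
                    'mcafee', 'ahn', 'ikaka', 'pcav', 'google', 'sogou', 'yahoo')
# Addresses that are harmless as a hosts target (loopback and the null-route blackhole)
$BenignTargets = @('127.0.0.1', '::1', '0.0.0.0')

function Get-HostsEntries {
    # Split hosts lines into (LineNo, Address, Name) records; comments and blanks are skipped
    param([string[]]$Lines)
    $n = 0
    foreach ($line in $Lines) {
        $n++
        $body = ($line -split '#', 2)[0].Trim()
        if (-not $body) { continue }
        $fields = $body -split '\s+'
        if ($fields.Count -lt 2) { continue }
        foreach ($name in $fields[1..($fields.Count - 1)]) {
            [pscustomobject]@{ LineNo = $n; Address = $fields[0]; Name = $name.ToLower() }
        }
    }
}

function Find-HostsHijack {
    param(
        [string[]]$Lines,
        [string[]]$Patterns = $VendorPatterns,
        [int]$SinkholeThreshold = 5   # this many names on one real address is a sinkhole
    )
    $entries = @(Get-HostsEntries -Lines $Lines | Where-Object { $BenignTargets -notcontains $_.Address })
    # Signal 1: a vendor/search host redirected to a real address
    foreach ($e in $entries) {
        foreach ($p in $Patterns) {
            if ($e.Name -like "*$p*") {
                [pscustomobject]@{ Reason = 'vendor host redirected'; LineNo = $e.LineNo; Address = $e.Address; Name = $e.Name }
                break
            }
        }
    }
    # Signal 2: many names collapsed onto one address, whatever the names are
    $entries | Group-Object -Property Address | Where-Object { $_.Count -ge $SinkholeThreshold } | ForEach-Object {
        $g = $_
        $names = ($g.Group | ForEach-Object { $_.Name }) -join ','
        [pscustomobject]@{ Reason = "$($g.Count) names on one address"; LineNo = $null; Address = $g.Name; Name = $names }
    }
}

function Remove-HostsHijack {
    # Return the hosts lines with the flagged line numbers dropped; the caller writes the file
    param([string[]]$Lines, [object[]]$Findings)
    $drop = @($Findings | Where-Object { $_.LineNo } | ForEach-Object { $_.LineNo })
    $n = 0
    foreach ($line in $Lines) {
        $n++
        if ($drop -notcontains $n) { $line }
    }
}

# Constructed sample mirroring a few of the entries listed above
$Sample = @(
    '# Copyright (c) 1993-1999 Microsoft Corp.',
    '127.0.0.1       localhost',
    '61.152.244.167  www.360safe.com',
    '222.73.126.115  update.360safe.com',
    '222.73.126.115  update.rising.com.cn',
    '61.152.244.167  security.symantec.com',
    '61.152.244.167  www.google.com',
    '61.152.244.167  www.hao123.com',
    '61.152.244.167  bbs.chinaz.com',
    '61.152.244.167  www.sogou.com',
    '10.0.0.5        intranet.example    # legitimate local entry, not flagged'
)
Find-HostsHijack -Lines $Sample | Format-Table -AutoSize

# On a suspect machine (run elevated): report, then rewrite the file with a backup
# $live = Get-Content $HostsPath
# $hits = @(Find-HostsHijack -Lines $live)
# Copy-Item $HostsPath "$HostsPath.bak"
# Remove-HostsHijack -Lines $live -Findings $hits | Set-Content -Path $HostsPath -Encoding ASCII
```

The second signal is the more durable one: a vendor list goes stale, but a hosts file that maps five or more names onto a single routable address is almost never something a user wrote.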
It then connects to the network, downloads further trojans and creates the following files: C:\WINDOWS\system32\56789a.lmn, C:\WINDOWS\system32\hijklmn.123, C:\WINDOWS\system32\VOHATM.dll
Removal:
1. Use IceSword to locate C:\WINDOWS\system32\1.1 and C:\WINDOWS\system32\718.50 (random file name), right-click them and choose force delete.
2. Open SREng, go to Startup Items, Registry, and delete the following entries:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] <A><C:\WINDOWS\system32\rundll32.exe 1.1 s> [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks] <{B852FC96-B852-30DA-1EB8-FC9630DA741E}><C:\WINDOWS\system32\VOHATM.dll> []
Reboot, then delete C:\WINDOWS\system32\VOHATM.dll, C:\WINDOWS\system32\56789a.lmn and C:\WINDOWS\system32\hijklmn.123.
3. Click Start, Run, type regedit, expand HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System and delete the DisableCMD value.
4. These steps do not undo the hosts file changes or the deleted SafeBoot key. Remove the added entries from %SystemRoot%\system32\drivers\etc\hosts by hand, and restore HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot from a .reg export taken on a clean machine running the same Windows version; otherwise antivirus updates stay blocked and Safe Mode stays broken.
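The steps above are carried out by hand in IceSword, SREng and regedit. As an added example (my code, not from the original post), the PowerShell script below performs the same registry checks, lists the dropped files and the security-tool files moved to %temp%, and with -Remove deletes the registry entries; the file names, the Run value pattern and the ShellExecuteHooks CLSID are those given in the analysis. It does not try to delete the locked DLLs (that is what IceSword is for) and cannot regenerate the SafeBoot key, which has to be imported from a clean machine. Run it elevated.

```powershell
# Added example, not part of the original post. Save as Check-AvKiller.ps1 and run
# elevated; -Remove deletes the registry entries, otherwise the script only reports.
param([switch]$Remove)

$RunKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$HookKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'
$PolicyKey = 'HKCU:\Software\Policies\Microsoft\Windows\System'
$SafeBoot  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'
$Sys32     = Join-Path $env:SystemRoot 'system32'
# Indicators taken from the analysis above
$KnownHook  = '{B852FC96-B852-30DA-1EB8-FC9630DA741E}'
$KnownFiles = @('1.1', 'VOHATM.dll', '56789a.lmn', 'hijklmn.123')

# 1. Run values that launch rundll32 on a bare, path-less DLL name such as "1.1"
$run = Get-ItemProperty -Path $RunKey -ErrorAction SilentlyContinue
if ($run) {
    foreach ($p in $run.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # provider bookkeeping properties
        if ("$($p.Value)" -match 'rundll32(\.exe)?\s+"?([^\s",]+)') {
            $dll = $Matches[2]
            # digits.digits names, or bare names that are not a normal .dll/.cpl/.ocx
            if ($dll -match '^\d+\.\d+$' -or ($dll -notmatch '\\' -and $dll -notmatch '\.(dll|cpl|ocx)$')) {
                Write-Warning "Run\$($p.Name) = $($p.Value)"
                if ($Remove) { Remove-ItemProperty -Path $RunKey -Name $p.Name }
            }
        }
    }
}

# 2. ShellExecuteHooks: resolve each CLSID to its InprocServer32 DLL and compare
if (Test-Path $HookKey) {
    $hooks = Get-ItemProperty -Path $HookKey
    foreach ($p in $hooks.PSObject.Properties) {
        if ($p.Name -notlike '{*}') { continue }
        $server = (Get-ItemProperty -Path "HKLM:\SOFTWARE\Classes\CLSID\$($p.Name)\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
        $bad = ($p.Name -eq $KnownHook) -or ($server -and ($KnownFiles | Where-Object { $server -like "*\$_" }))
        if ($bad) {
            Write-Warning "ShellExecuteHook $($p.Name) -> $server"
            if ($Remove) { Remove-ItemProperty -Path $HookKey -Name $p.Name }
        }
    }
}

# 3. cmd.exe disabled by policy
$pol = Get-ItemProperty -Path $PolicyKey -Name DisableCMD -ErrorAction SilentlyContinue
if ($pol -and $pol.DisableCMD -ne 0) {
    Write-Warning "DisableCMD = $($pol.DisableCMD)"
    if ($Remove) { Remove-ItemProperty -Path $PolicyKey -Name DisableCMD }
}

# 4. Safe Mode key deleted by the sample; it cannot be regenerated here
if (-not (Test-Path "$SafeBoot\Minimal")) {
    Write-Warning "SafeBoot key missing: import it from a clean machine (reg export HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot safeboot.reg)"
}

# 5. Dropped files: the named ones, any digits.digits name in system32 (like 718.50),
#    and the _N.TMP files the sample moved into %temp%. Loaded DLLs stay locked until
#    the Run value and hook are gone and the machine has rebooted.
foreach ($f in $KnownFiles) {
    $path = Join-Path $Sys32 $f
    if (Test-Path $path) { Write-Warning "present: $path" }
}
Get-ChildItem -Path $Sys32 -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer -and $_.Name -match '^\d+\.\d+$' } |
    ForEach-Object { Write-Warning "suspicious numeric file name: $($_.FullName)" }
Get-ChildItem -Path $env:TEMP -Filter '_*.TMP' -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '^_\d+\.TMP$' } |
    ForEach-Object { Write-Warning "security-tool file moved by the sample: $($_.FullName)" }
```

Note that the hook check does not rely on the one CLSID from this sample: any ShellExecuteHooks entry whose InprocServer32 resolves to one of the dropped file names is flagged, since a repacked variant will register a fresh CLSID but still has to point it at its DLL.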
This is a malicious virus in the same family as the "AV终结者" (AV Terminator) samples. It is usually dropped by trojan downloaders; once running, its job is to cripple the security software on the machine, after which other trojans and viruses follow in numbers. Keep antivirus and firewall up to date and apply all system patches to guard against this kind of infection.