Trojan-PSW.Win32.QQPass.cdw analysis(2)

Add date: 07/08/2008 Publishing date: 07/08/2008 Hits: 56

Total 3 pages, Current page:2, Jump to page:

¡¡¡¡¡¡¡¡[HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft
¡¡¡¡¡¡¡¡\ Windows \ CurrentVersion \ Explorer
¡¡¡¡¡¡¡¡\ Browser Helper Objects]
¡¡¡¡¡¡¡¡Registration tabular value: “{74381DEC-D78B-43E4-BA5D-5244F669EBE4}”
¡¡¡¡¡¡¡¡Type: REG_SZ
¡¡¡¡¡¡¡¡String of character: ""
¡¡¡¡¡¡¡¡Description: Increase virus document fjOs0r.dll to browser auxiliary object BHO,
¡¡¡¡¡¡¡¡Arrives when the user starts IE loads UnixSys08.Sys
Note: %System32% are an invariable way. The virus decides the current System folder through the inquiry operating system
Position.
¡¡¡¡
¡¡¡¡¡¡¡¡%Windir% ¡¡¡¡¡¡¡¡¡¡ ¡¡¡¡¡¡¡¡¡¡ WINDODWS in table of contents
¡¡¡¡¡¡¡¡%DriveLetter%¡¡ ¡¡¡¡¡¡¡¡¡¡¡¡¡¡ Logical driver root directory
¡¡¡¡¡¡¡¡%ProgramFiles%¡¡ ¡¡ ¡¡¡¡¡¡¡¡¡¡ The system program default installs the table of contents
¡¡¡¡¡¡¡¡%HomeDrive% ¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡ Current start system in district
¡¡¡¡¡¡¡¡%Documents and Settings% ¡¡¡¡¡¡Current user documents root directory
¡¡¡¡¡¡¡¡%Temp% ¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡\ Documents and Settings
¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡ ¡¡¡¡¡¡¡¡¡¡¡¡¡¡\ current user \ Local Settings \ Temp
¡¡¡¡¡¡¡¡%System32% ¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡System's System32 folder
¡¡¡¡¡¡¡¡
¡¡¡¡¡¡¡¡In Windows2000/NT tacitly approves installs the way is C:\Winnt\System32
¡¡¡¡¡¡¡¡in windows95/98/me tacitly approves installs the way is C:\Windows\System
¡¡¡¡¡¡¡¡in windowsXP tacitly approves installs the way is C:\Windows\System32¡¡¡¡
¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡

¡¡¡¡¡¡¡¡
--------------------------------------------------------------------------------
Elimination plan:
1st, uses the peaceful day defense line 2008 to be possible to eliminate this virus thoroughly (recommendation),
¡¡ ¡¡Welcome to peaceful day website downloading: www.antiy.com¡¡
2nd, the manual elimination please defer to the behavioral analysis deletion correspondence document, resumes the system-related establishment.
¡¡ (1) uses the ATOOL unloading to pour into to related advancement UnixSys08.Sys, concrete operations
¡¡ ¡¡ As follows:
¡¡ ¡¡ Opens ATOOL→ the tool menu -> search to handle the DLL item -> to input UnixSys08.Sys,
¡¡ ¡¡ Click search -> click unloading, when presents “you whether can unload includes unixsys08.sys
¡¡ ¡¡ When loads the movement all dll document, elects “is (Y) then.
¡¡ (2) deletion virus grows document:
¡¡ ¡¡ %Program Files% \ Internet Explorer
¡¡ ¡¡ \ PLUGINS \ UnixSys08.Sys
¡¡ ¡¡ %Program Files% \ Internet Explorer
¡¡ ¡¡ \ PLUGINS \ UnixSys32.Jmp
¡¡ (3) deletion virus increases registry item:
¡¡ ¡¡ Deletion [HKEY_LOCAL_MACHINE \ SOFTWARE
¡¡ ¡¡ \ Classes \ CLSID] under {74381DEC-D78B-
¡¡ ¡¡ 43E4-BA5D-5244F669EBE4} sub-key
¡¡ ¡¡ Deletion [HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft
¡¡ ¡¡ \ Windows \ CurrentVersion \ Explorer
¡¡ ¡¡ \ Browser Helper Objects] under
¡¡ ¡¡ {74381DEC-D78B-43E4-BA5D-5244F669EBE4} sub-key
¡¡ ¡¡ Deletion [HKEY_LOCAL_MACHINE \ SOFTWARE
¡¡ ¡¡ \ Microsoft \ Windows \ CurrentVersion
¡¡ ¡¡ \ Explorer \ ShellExecuteHooks] under

Other pages: : <<Prev * 1 * 2 * 3 * Next>>

Prev:The machine dog presents the new variety downloading many kinds of evil intention procedures

Next:Everybody may kill the poisonous small move to throw off the big wooden horse

Comment:

Category: Home > the virus to be related