Simple analysis, trial and removal of the Third-eye network monitoring software

Source: Internet
Author: User
Overall impression: the interface is attractive, it has many functions, and it is fairly user-friendly to operate, but the performance is very poor, and not by a small margin. In particular, the images transmitted during real-time monitoring are not optimized by any algorithm at all. My preliminary conclusion is that it was written in VB.

The following is a simple analysis. It does not include every file generated by installing the client, and I installed a trial version, which may differ from the official version.

A word of advice: using this software does the company no good. It only makes employees resent and resist the company more!
Severe spof such as BS!

Key values modified by the installer

HKEY_LOCAL_MACHINE/software/Microsoft/Windows/CurrentVersion/run
HKEY_LOCAL_MACHINE/system/controlset001/services/sharedaccess/parameters/firewallpolicy/standardprofile/authorizedapplications/List
HKEY_LOCAL_MACHINE/system/controlset003/services/ntgcpsvc

// The following key values hijack TCP, UDP, and other protocols using SPI interception, and some system files have been replaced. To restore them, you need to copy the files from another machine.
HKEY_LOCAL_MACHINE/system/controlset003/services/Winsock2/parameters/protocol_catalog9/catalog_entries/000000000001
HKEY_LOCAL_MACHINE/system/controlset003/services/Winsock2/parameters/protocol_catalog9/catalog_entries/000000000002
HKEY_LOCAL_MACHINE/system/controlset003/services/Winsock2/parameters/protocol_catalog9/catalog_entries/000000000003
HKEY_LOCAL_MACHINE/system/controlset003/services/Winsock2/parameters/protocol_catalog9/catalog_entries/000000000004
HKEY_LOCAL_MACHINE/system/controlset003/services/Winsock2/parameters/protocol_catalog9/catalog_entries/000000000005

Auto-start item
C:/winnt/system32/imjmipg.exe: after a restart, it is registered as the service ntgcpsvc.
Disable the ntgcpsvc service in the Services console and delete the auto-start item.

Use 360 Security Guard or another tool to end the following processes:
Igfxtax.exe
Spols.exe
Imjmipg.exe

Main File Access
C:/winnt/system32/spols.exe
C:/winnt/system32/dskpart.exe
C:/winnt/system32/igfxtax.exe

C:/winnt/system32/expiorer.xdc
C:/winnt/system32/comnctt.xdc

C:/winnt/system32/expand.dat (MDB file)
C:/winnt/system32/atraxce.dat (MDB file)
C:/winnt/system32/msvbvm5.dat (MDB file)
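
A read-only check for the files, processes, service and registry keys listed above, written as an added PowerShell example (not part of the original post or the product). It assumes `CurrentControlSet` and `$env:SystemRoot` in place of the numbered control sets and `C:/winnt` shown on the page, and reads the Winsock catalog value `PackedCatalogItem`; variable names are illustrative.

```powershell
# Read-only audit of the artifacts this page lists; nothing is changed or deleted.
# Assumptions: $env:SystemRoot stands in for C:/winnt, and CurrentControlSet
# stands in for the numbered control sets shown on the page.
$sys32     = Join-Path $env:SystemRoot 'System32'
$fileNames = 'imjmipg.exe', 'spols.exe', 'dskpart.exe', 'igfxtax.exe',
             'expiorer.xdc', 'comnctt.xdc', 'expand.dat', 'atraxce.dat', 'msvbvm5.dat'
$procNames = 'igfxtax', 'spols', 'imjmipg'
$svcName   = 'ntgcpsvc'
$findings  = @()

foreach ($name in $fileNames) {
    $path = Join-Path $sys32 $name
    if (Test-Path -LiteralPath $path) { $findings += "file present: $path" }
}

foreach ($p in @(Get-Process -Name $procNames -ErrorAction SilentlyContinue)) {
    $findings += "process running: $($p.ProcessName) (PID $($p.Id))"
}

$svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$svcName"
if (Test-Path $svcKey) {
    $image = (Get-ItemProperty $svcKey).ImagePath
    $findings += "service registered: $svcName -> $image"
}

# Run key: report any auto-start value whose command line names a listed file.
$run = Get-Item 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
foreach ($valueName in $run.GetValueNames()) {
    $cmd = [string]$run.GetValue($valueName)
    if ($fileNames | Where-Object { $cmd -like "*$_*" }) {
        $findings += "Run value '$valueName' -> $cmd"
    }
}

# Winsock catalog: each PackedCatalogItem begins with the provider DLL path as a
# NUL-terminated ANSI string. Print every provider so a non-system DLL stands out.
$catalog = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries'
foreach ($entry in Get-ChildItem $catalog) {
    $bytes = [byte[]]$entry.GetValue('PackedCatalogItem')
    if (-not $bytes) { continue }
    $end = [Array]::IndexOf($bytes, [byte]0)
    if ($end -lt 0) { $end = $bytes.Length }
    '{0}  {1}' -f $entry.PSChildName, [Text.Encoding]::ASCII.GetString($bytes, 0, $end)
}

if ($findings) { $findings } else { 'None of the listed files, processes, services or Run values were found.' }
```

Run it from an elevated prompt before and after removal to confirm that the listed entries are gone and that the Winsock providers point at system DLLs again.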

When cleaning up the hard disk, remember to also clear QQ records and the IE index.dat files.
index.dat is located in the following three directories and contains Internet access records:
C:/Documents and Settings/Administrator/cookies
C:/Documents and Settings/Administrator/Local Settings/Temporary Internet Files/content.ie5
C:/Documents and Settings/Administrator/Local Settings/history.ie5
