File size: 57108 bytes
MD5: 9207fdee2f25a834d4e7151475fc7f45
SHA1: 37e51a5632fd615432840fd480abd9ba175a0505
Virus name: Trojan-Downloader.Win32.QQHelper.vn (Kaspersky naming)
After the sample is run, it copies itself into the %systemroot% and %windir% directories, creating the following files:
%systemroot%\nttstat.exe
%windir%\nttstat.exe
%windir%\d6.exe
%windir%\ft001.exe
%windir%\kb9269o4.log
X:\Documents and Settings\<your username>\Application Data\cuckoo\host.dat
It also hijacks Explorer.exe through an IFEO (Image File Execution Options) entry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
<Explorer.exe><%SYSTEMroot%\nttstat.exe>
As shown in Figure I:
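The hijack above works because Windows launches whatever the Debugger value names in place of the listed image. The following PowerShell audit is an added example, not code from the original write-up: it enumerates every IFEO subkey that carries a Debugger value, resolves the program it points to, and reports whether that file exists and who signed it, so an entry like the one for Explorer.exe stands out. It assumes an elevated PowerShell session on the machine under examination; the function names are my own.

```powershell
# Added example, not part of the original write-up: enumerate every IFEO
# "Debugger" value, resolve the program it points to, and show who signed it.
# Assumes an elevated PowerShell session on the machine being examined.
$IfeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

# Split a Debugger value into its executable path, honouring quoted paths
# that contain spaces, and expand %SYSTEMROOT%-style variables.
function Get-DebuggerExecutable([string]$Value) {
    $v = $Value.Trim()
    if ($v.StartsWith('"')) {
        $end = $v.IndexOf('"', 1)
        $exe = if ($end -gt 0) { $v.Substring(1, $end - 1) } else { $v.Trim('"') }
    } else {
        $exe = ($v -split '\s+')[0]
    }
    [Environment]::ExpandEnvironmentVariables($exe)
}

function Get-IfeoDebugger {
    Get-ChildItem -Path $IfeoRoot -ErrorAction SilentlyContinue | ForEach-Object {
        $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if (-not $dbg) { return }          # most subkeys only carry compatibility flags
        $exe    = Get-DebuggerExecutable $dbg
        $exists = Test-Path -LiteralPath $exe -PathType Leaf
        $signer = $null
        $status = 'FileMissing'
        if ($exists) {
            $sig    = Get-AuthenticodeSignature -FilePath $exe
            $status = $sig.Status.ToString()
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        }
        [pscustomobject]@{
            Image     = $_.PSChildName   # e.g. Explorer.exe
            Debugger  = $dbg             # raw value, e.g. %SYSTEMROOT%\nttstat.exe
            Resolved  = $exe
            Signature = $status          # Valid / NotSigned / FileMissing / ...
            Signer    = $signer
        }
    }
}

# Any Debugger entry that is not a signed debugger you deliberately installed
# deserves a look; an unsigned binary registered for a shell image such as
# Explorer.exe is exactly the pattern this write-up describes.
Get-IfeoDebugger | Sort-Object Image | Format-Table -AutoSize

# Removal of the entry from this write-up (dry run; drop -WhatIf to apply):
# Remove-Item -Path (Join-Path $IfeoRoot 'Explorer.exe') -Recurse -WhatIf
```

On a clean workstation the table is usually empty; legitimate entries come from debugging tools that register themselves and are signed by their vendor, which is why the signer column is worth more than the file name alone.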
%windir%\d6.exe drops the following files:
%program Files%\Common Files\cpush\uninst.exe
%program Files%\Common Files\cpush\cpush.dll
X:\Documents and Settings\<your username>\Local Settings\Temp\nsa1a.tmp
%windir%\ft001.exe drops the following files:
%systemroot%\drivers\gpkcsw.sys
%systemroot%\gpkcsw.dll
%systemroot%\hydlvr.dll
X:\Documents and Settings\<your username>\Local Settings\Temp\tmp1b.cab
X:\Documents and Settings\<your username>\Local Settings\Temp\tmp1b.tmp
X:\Documents and Settings\<your username>\Local Settings\Temp\tmp1c.tmp
X:\Documents and Settings\<your username>\Local Settings\Temp\tmp1d.tmp
Attached SREng log:
Driver Program
[GPKCSW/GPKCSW] [Stopped/boot Start]
<\systemroot\system32\drivers\gpkcsw.sys><microsoft corporation>
==================================
Browser add-ins
[Cadlogic Object]
{11f09afd-75ad-4e51-ab43-e09e9351ce16} <c:\program Files\Common Files\cpush\cpush0.dll, >
==================================
Running processes
[pid:432] [C:\windows\Explorer.EXE]
[C:\windows\KB9269O4.log] [N/A,]
[pid:432] [C:\windows\nttstat.exe] [N/A,]
[pid:432] [C:\windows\system32\nttstat.exe]
[pid:1076] [C:\windows\system32\RUNDLL32.exe]
[C:\windows\system32\hydlvr.dll]
Removal steps:
1. Start---Run---regedit, then expand in turn:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
and delete the subkey:
<Explorer.exe>
2. Run IceSword, enable Settings---Prevent thread creation, and terminate the virus process.
3. In IceSword, with Settings---Prevent thread creation still enabled, force-unload the following items injected into the explorer.exe process (as shown in Figure II):
RUNDLL32.exe
C:\windows\KB9269O4.log
C:\windows\nttstat.exe
C:\windows\system32\hydlvr.dll
4. Run SREng---Startup Items---Services---Drivers and delete the service:
[GPKCSW/GPKCSW] [Stopped/boot Start]
<\systemroot\system32\drivers\gpkcsw.sys><microsoft corporation>
5. Close all browser windows and any unnecessary programs.
Run SREng2, go to System Repair---Browser Add-ins, select the following item and delete it:
C:\program files\common files\cpush\cpush0.dll
6. Use IceSword---File to delete the following virus files:
%systemroot%\nttstat.exe
%windir%\nttstat.exe
%windir%\d6.exe
%windir%\ft001.exe
%windir%\kb9269o4.log
%systemroot%\drivers\gpkcsw.sys
%program files%\common Files\cpush\ (delete the whole folder)
%systemroot%\gpkcsw.dll
%systemroot%\hydlvr.dll
X:\documents and settings\<your username>\local settings\temp\ (empty the folder)
X:\documents and settings\<your username>\application data\Cuckoo\host.dat
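After working through the steps above, it helps to confirm that nothing listed in this write-up is left behind. The script below is an added example, not code from the original write-up: it checks for the dropped files, the GPKCSW driver registration, the BHO CLSID from the SREng log, the Explorer.exe IFEO entry, and any process that still has one of the injected modules loaded. It assumes an elevated session and, following the SREng log (which shows C:\windows\system32\nttstat.exe), treats the write-up's %systemroot% as the system32 directory and %windir% as C:\windows; the function and variable names are my own.

```powershell
# Added example, not part of the original write-up: check a cleaned machine
# for the artifacts listed above. Assumptions: elevated session; per the
# SREng log, the write-up's %systemroot% is the system32 directory and
# %windir% is C:\windows.
$Win = $env:windir
$Sys = Join-Path $env:windir 'system32'

# File and folder artifacts, exactly as listed in the write-up.
$ArtifactPaths = @(
    (Join-Path $Sys 'nttstat.exe'),
    (Join-Path $Win 'nttstat.exe'),
    (Join-Path $Win 'd6.exe'),
    (Join-Path $Win 'ft001.exe'),
    (Join-Path $Win 'kb9269o4.log'),
    (Join-Path $Sys 'drivers\gpkcsw.sys'),
    (Join-Path $Sys 'gpkcsw.dll'),
    (Join-Path $Sys 'hydlvr.dll'),
    (Join-Path $env:ProgramFiles 'Common Files\cpush'),
    (Join-Path $env:APPDATA 'cuckoo\host.dat')
)
# Module names the SREng log showed loaded inside explorer.exe and rundll32.exe.
$ArtifactModules = @('nttstat.exe', 'kb9269o4.log', 'hydlvr.dll')
$BhoClsid        = '{11f09afd-75ad-4e51-ab43-e09e9351ce16}'
$DriverService   = 'GPKCSW'

function Find-InfectionArtifacts {
    $hits = New-Object System.Collections.Generic.List[object]
    foreach ($p in $ArtifactPaths) {
        if (Test-Path -LiteralPath $p) { $hits.Add([pscustomobject]@{ Type = 'File'; Item = $p }) }
    }
    # Driver service registration (the SREng "Driver Program" entry).
    $svc = "HKLM:\SYSTEM\CurrentControlSet\Services\$DriverService"
    if (Test-Path $svc) {
        $img = (Get-ItemProperty -Path $svc -ErrorAction SilentlyContinue).ImagePath
        $hits.Add([pscustomobject]@{ Type = 'Driver'; Item = "$DriverService -> $img" })
    }
    # Browser helper object registration (the SREng "Browser add-ins" entry).
    $bhoKeys = @(
        "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$BhoClsid",
        "Registry::HKEY_CLASSES_ROOT\CLSID\$BhoClsid"
    )
    foreach ($k in $bhoKeys) {
        if (Test-Path $k) { $hits.Add([pscustomobject]@{ Type = 'BHO'; Item = $k }) }
    }
    # The IFEO hijack of Explorer.exe.
    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Explorer.exe'
    $dbg  = (Get-ItemProperty -Path $ifeo -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ($dbg) { $hits.Add([pscustomobject]@{ Type = 'IFEO'; Item = "Explorer.exe -> $dbg" }) }
    # Modules still loaded in running processes (some processes deny access; skip those).
    foreach ($proc in Get-Process) {
        try { $mods = $proc.Modules } catch { continue }
        foreach ($m in $mods) {
            if ($ArtifactModules -contains $m.ModuleName.ToLower()) {
                $hits.Add([pscustomobject]@{
                    Type = 'Module'
                    Item = "$($proc.ProcessName) [$($proc.Id)] $($m.FileName)"
                })
            }
        }
    }
    $hits
}

$found = @(Find-InfectionArtifacts)
if ($found.Count -eq 0) { 'No artifacts from this write-up found.' } else { $found | Format-Table -AutoSize }
```

A Module hit after the file deletions means the component is still running from memory and the system needs the IceSword steps repeated (or a reboot with the IFEO entry already removed) before the files will stay gone; a Driver hit with a missing ImagePath file is a leftover service entry that only needs the registry key removed.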