After infection, the virus drops the following files onto the compromised machine:
C:\WINDOWS\system32\candoall.exe
C:\WINDOWS\system32\alldele.ini
C:\WINDOWS\system32\allinstall.exe
C:\WINDOWS\system32\allread.ini
C:\WINDOWS\system32\hideme.sys
C:\WINDOWS\system32\MASSLTUAS35.dll
C:\WINDOWS\system32\masxml32.dll
C:\WINDOWS\system32\passsd.exe
C:\WINDOWS\system32\low price full membership.url
C:\WINDOWS\system32\low price filling drill.url
It also leaves a number of related files in the IE temporary files folder.
In the IceSword process list (IceSword can be downloaded from down.45it.com), the hidden process C:\WINDOWS\system32\candoall.exe and an iexplore.exe process are visible.
candoall.exe accesses the network over port 80 and repeatedly opens the homepage http://www.investpoll.net/.
The virus's C:\WINDOWS\system32\hideme.sys driver is quite effective: when the virus files listed above are imported into Xdelbox via the clipboard, every one of them is reported as not existing, and the usual tricks, such as browsing the directory with WinRAR, cannot find these files either.
The registry changes after infection are as follows:
Hkey_classes_root\alldll.allbho
Hkey_classes_root\alldll.allbho.1
HKEY_CLASSES_ROOT\CLSID\{0EE2B1C1-0357-4175-A2E1-8E8E1A033AE5}
HKEY_CLASSES_ROOT\CLSID\{1798BEA6-E891-46B7-A1F8-C15780D0A023}
HKEY_CLASSES_ROOT\CLSID\{6233543C-2323-456A-A169-2E9C5E6E977B}
HKEY_CLASSES_ROOT\INTERFACE\{E44384ED-10F7-49FD-A210-41C9BD4A119C}
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor
"AutoRun" = "C:\\windows\\system32\\candoall.exe"
Hkey_classes_root\typelib\{04750f2d-de63-4790-90f4-c5ce892e5aa4}\1.0\0\win32
@= "C:\\windows\\system32\\masxml32.dll"
Hkey_current_user\software\microsoft\windows\currentversion\explorer\mountpoints2\r
hkey_current_user\software\microsoft\windows\currentversion\explorer\mountpoints2\{F7B74DF2-E1A1-11DB-8A2E-806D6172696F}
Hkey_current_user\software\microsoft\windows\shellnoroam\bags\6\shell
Hkey_local_machine\system\currentcontrolset\hardware profiles\0001\software\microsoft\windows\currentversion\Internet Settings
hkey_current_user\software\microsoft\windows\currentversion\ext\stats\{0045d4bc-5189-4b67-969c-83bb1906c421}
HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{00C6482D-C502-44C8-8409-FCE54AD9C208}
HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
hkey_current_user\software\microsoft\windows\currentversion\ext\stats\{08b0e5c0-4fcb-11cf-aaa5-00401c608501}
HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{1798BEA6-E891-46B7-A1F8-C15780D0A023}
hkey_current_user\software\microsoft\windows\currentversion\ext\stats\{5ca3d70e-1895-11cf-8e15-001234567890}
HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3}
hkey_current_user\software\microsoft\windows\currentversion\ext\stats\{92780b25-18cc-41c8-b9be-3c9c571a8263}
HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{D1A4DEBD-C2EE-449F-B9FB-E8409F9A0BC5}
HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{F040E541-A427-4CF7-85D8-75E3E0F476C5}
Hkey_local_machine\system\currentcontrolset\services\hideme
Among these,
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor
"AutoRun" = "C:\\windows\\system32\\candoall.exe"
is a loading method that is still rare.
Manual removal procedure using IceSword:
1. End the C:\WINDOWS\system32\candoall.exe and iexplore.exe processes.
2. Delete the following files (in IceSword, open File, browse to each virus file in turn and delete it):
C:\WINDOWS\system32\candoall.exe
C:\WINDOWS\system32\alldele.ini
C:\WINDOWS\system32\allinstall.exe
C:\WINDOWS\system32\allread.ini
C:\WINDOWS\system32\hideme.sys
C:\WINDOWS\system32\MASSLTUAS35.dll
C:\WINDOWS\system32\masxml32.dll
C:\WINDOWS\system32\passsd.exe
C:\WINDOWS\system32\low price full membership.url
C:\WINDOWS\system32\low price filling drill.url
Then clear the IE temporary files folder.
3. Delete the registry entries the virus added (listed earlier in this article): in IceSword, open Registry, locate each virus entry and delete it.
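As an added example (not part of the original post), the PowerShell audit below re-checks the locations listed above from an elevated prompt after the IceSword cleanup, so you can confirm nothing was left behind: cmd.exe executes the Command Processor AutoRun value every time it starts, which is what makes that key work as a loader. The HKCU Command Processor key is the per-user equivalent and is an assumption beyond what the page lists.

```powershell
# Added example, not from the original post: audit the locations this virus
# uses. Run from an elevated PowerShell prompt after the IceSword cleanup.
$findings = @()

# cmd.exe executes the Command Processor AutoRun value on every start, which is
# the persistence trick noted above. HKCU is the per-user equivalent (assumed,
# not listed on the page).
foreach ($key in 'HKLM:\Software\Microsoft\Command Processor',
                 'HKCU:\Software\Microsoft\Command Processor') {
    $autoRun = (Get-ItemProperty -Path $key -Name AutoRun -ErrorAction SilentlyContinue).AutoRun
    if ($autoRun) { $findings += "AutoRun under $key = $autoRun" }
}

# Files the post lists under system32. Test-Path goes through the normal file
# API, so a kernel-mode rootkit such as hideme.sys can hide them while it is
# loaded: a "not found" result is not proof the file is gone.
$dropped = 'candoall.exe', 'alldele.ini', 'allinstall.exe', 'allread.ini',
           'hideme.sys', 'MASSLTUAS35.dll', 'masxml32.dll', 'passsd.exe'
foreach ($name in $dropped) {
    $path = Join-Path $env:SystemRoot "system32\$name"
    if (Test-Path -LiteralPath $path) { $findings += "File present: $path" }
}

# The rootkit's driver service and the BHO class registrations from the list.
$regKeys = 'HKLM:\SYSTEM\CurrentControlSet\Services\hideme',
           'Registry::HKEY_CLASSES_ROOT\alldll.allbho',
           'Registry::HKEY_CLASSES_ROOT\CLSID\{0EE2B1C1-0357-4175-A2E1-8E8E1A033AE5}',
           'Registry::HKEY_CLASSES_ROOT\CLSID\{1798BEA6-E891-46B7-A1F8-C15780D0A023}',
           'Registry::HKEY_CLASSES_ROOT\CLSID\{6233543C-2323-456A-A169-2E9C5E6E977B}'
foreach ($key in $regKeys) {
    if (Test-Path -LiteralPath $key) { $findings += "Registry key present: $key" }
}

if ($findings.Count -eq 0) {
    Write-Output 'No trace of the listed files or registry entries found.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

Because the file checks can be fooled while hideme.sys is loaded, treat a clean result as meaningful only once the hideme service key is gone and the machine has been rebooted.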