After infection, the following files are dropped onto the computer:
C:\windows\system32\candoall.exe
C:\windows\system32\alldele.ini
C:\windows\system32\allinstall.exe
C:\windows\system32\allread.ini
C:\windows\system32\hideme.sys
C:\windows\system32\massltuas35.dll
C:\windows\system32\masxml32.dll
C:\windows\system32\passsd.exe
C:\windows\system32\cheap charge Member.url
C:\windows\system32\cheap charge drill.url
(The two .url file names appear here in translation.)
A number of additional virus-related files are also left behind in the Temporary Internet Files folder.
In the IceSword process list (IceSword can be downloaded from down.45it.com), the process c:\windows\system32\candoall.exe and the iexplore.exe processes it starts are shown in red, which is how IceSword marks processes that are hidden from the normal process list.
candoall.exe connects out over port 80 and repeatedly opens the page http://www.investpoll.net.
The rootkit driver c:\windows\system32\hideme.sys does its job: when the file paths above are pasted into xdelbox via the clipboard, every one of them is reported as non-existent, and ordinary methods (such as browsing the folder with WinRAR) cannot see these files either.
After infection, the registry changes are as follows:
HKEY_CLASSES_ROOT\alldll.allbho
HKEY_CLASSES_ROOT\alldll.allbho.1
HKEY_CLASSES_ROOT\CLSID\{0ee2b1c1-0357-4505-a2e1-8e8e1a033ae5}
HKEY_CLASSES_ROOT\CLSID\{1798bea6-e891-46b7-a1f8-c15780d0a023}
HKEY_CLASSES_ROOT\CLSID\{6233543c-2323-456a-a169-2e9c5e6e977b}
HKEY_CLASSES_ROOT\Interface\{E44384ED-10F7-49FD-A210-41C9BD4A119C}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor
"AutoRun" = "C:\WINDOWS\system32\candoall.exe"
HKEY_CLASSES_ROOT\TypeLib\{04750f2d-de63-4790-90f4-c5ce892e5aa4}\1.0\0\Win32
@ = "C:\Windows\system32\masxml32.dll"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\r
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f7b74df2-e1a1-11db-8a2e-806d6172696f}
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\Bags\6\Shell
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0045d4bc-5189-4b67-969c-83bb1906c421}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00c6482d-c502-44c8-8409-fce54ad9c208}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{06849e9f-c8d7-4d59-b87d-784b7d6be0b3}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{08b0e5c0-4fcb-11cf-aaa5-00401c608501}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1798bea6-e891-46b7-a1f8-c15780d0a023}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5ca3d70e-1895-11cf-8e15-001234567890}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497bb-d6f0-462c-b6eb-d4daf1d92d43}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8ff5e183-abde-46eb-b09e-d2aab95cabe3}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{92780b25-18cc-41c8-b9be-3c91_1a8263}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D1A4DEBD-C2EE-449F-B9FB-E8409F9A0BC5}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F040E541-A427-4CF7-85D8-75E3E0F476C5}
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hideme
Of these, the following value deserves attention:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor
"AutoRun" = "C:\WINDOWS\system32\candoall.exe"
cmd.exe executes whatever is stored in the Command Processor AutoRun value every time a command prompt is started (unless cmd is launched with /D), so the trojan is relaunched whenever a shell is opened, without any entry in the usual Run keys. This loading method is rarely seen.
Manual removal with IceSword:
1. End the c:\windows\system32\candoall.exe process and the iexplore.exe processes.
2. Delete the following files (detailed steps: open IceSword, choose File, locate each virus file and delete it):
C:\windows\system32\candoall.exe
C:\windows\system32\alldele.ini
C:\windows\system32\allinstall.exe
C:\windows\system32\allread.ini
C:\windows\system32\hideme.sys
C:\windows\system32\massltuas35.dll
C:\windows\system32\masxml32.dll
C:\windows\system32\passsd.exe
C:\windows\system32\cheap charge Member.url
C:\windows\system32\cheap charge drill.url
Then clear the Temporary Internet Files folder. IceSword is needed for this step because hideme.sys hides the files from Explorer, WinRAR and similar tools.
3. Delete the registry entries the virus added (listed earlier in this article): open IceSword, choose Registry, locate each virus entry and delete it in turn. Remove the Command Processor AutoRun value, the hideme service key, the alldll.allbho ProgIDs and the CLSID, Interface and TypeLib entries first; the MountPoints2, ShellNoRoam\Bags and Ext\Stats keys are ordinary Explorer and Internet Explorer bookkeeping that changes with normal use, and several of the Ext\Stats entries belong to legitimate add-ons, so remove only the ones that reference the dropped files or CLSIDs above. Reboot afterwards so the hideme.sys driver is no longer loaded, then repeat the checks in steps 1 to 3 to confirm nothing has been recreated.
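As an added example, not part of the original article, the following PowerShell script performs a read-only triage for the indicators listed above: the dropped files, the Command Processor AutoRun value, the hideme driver service, the BHO CLSIDs and the candoall.exe process. The file names and identifiers are the ones from this article; the check of the Browser Helper Objects key and of the per-user (HKCU) Command Processor key are additional checks that the article does not mention. It deletes nothing.

```powershell
# Added example: read-only triage for the indicators in this article.
# Run in an elevated PowerShell on the suspect machine. Nothing is modified.
# Caveat: hideme.sys hides the dropped files from normal file APIs, so a
# "file not present" result is NOT proof the machine is clean; the registry
# values and the service entry are the more reliable signal.

$sys32 = Join-Path $env:SystemRoot 'system32'

# File names taken from the article (the two .url names are omitted because
# they appear in translation and the exact on-disk names are not known).
$dropped = @(
    'candoall.exe', 'alldele.ini', 'allinstall.exe', 'allread.ini',
    'hideme.sys', 'massltuas35.dll', 'masxml32.dll', 'passsd.exe'
)

# CLSIDs registered by the BHO, from the article.
$clsids = @(
    '{0ee2b1c1-0357-4505-a2e1-8e8e1a033ae5}',
    '{1798bea6-e891-46b7-a1f8-c15780d0a023}',
    '{6233543c-2323-456a-a169-2e9c5e6e977b}'
)

$findings = @()

# 1. Dropped files (subject to the rootkit caveat above)
foreach ($name in $dropped) {
    $p = Join-Path $sys32 $name
    if (Test-Path -LiteralPath $p) { $findings += "file present: $p" }
}

# 2. Command Processor AutoRun: cmd.exe runs this value on every start.
#    The article lists only HKLM; HKCU is checked here as an extra precaution.
foreach ($hive in 'HKLM', 'HKCU') {
    $key = "${hive}:\SOFTWARE\Microsoft\Command Processor"
    $val = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).AutoRun
    if ($val) { $findings += "$hive Command Processor AutoRun = $val" }
}

# 3. Kernel driver service that loads hideme.sys
$svc = 'HKLM:\SYSTEM\CurrentControlSet\Services\hideme'
if (Test-Path $svc) {
    $img = (Get-ItemProperty -Path $svc -ErrorAction SilentlyContinue).ImagePath
    $findings += "service 'hideme' registered, ImagePath = $img"
}

# 4. COM/BHO registration. The Browser Helper Objects key is where IE looks
#    for BHOs to load; the article does not list it, so this is an assumption
#    based on the alldll.allbho ProgID.
$bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
foreach ($c in $clsids) {
    if (Test-Path "Registry::HKEY_CLASSES_ROOT\CLSID\$c") { $findings += "CLSID registered: $c" }
    if (Test-Path (Join-Path $bhoKey $c))                   { $findings += "BHO entry: $c" }
}
if (Test-Path 'Registry::HKEY_CLASSES_ROOT\alldll.allbho') { $findings += 'ProgID alldll.allbho present' }

# 5. Running trojan process (a hidden process may not appear here; use IceSword)
Get-Process -Name candoall -ErrorAction SilentlyContinue | ForEach-Object {
    $findings += "process running: candoall.exe (PID $($_.Id), path $($_.Path))"
}

if ($findings.Count -eq 0) {
    'No indicators from this article were found (see the hideme.sys caveat at the top).'
} else {
    $findings
}
```

Run the script before and after the manual removal: the first run confirms which of the indicators are present on the machine, and a clean second run after the reboot confirms that the AutoRun value, the service key and the COM registrations have not been recreated. Because the process list and the file system can be filtered by the driver, a non-empty result is conclusive but an empty one is not.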