File size: 57108 bytes
MD5: 9207fdee2f25a834d4e7151475fc7f45
SHA1: 37e51a5632fd615432840fd480abd9ba175a0505
Virus name: Trojan-Downloader.Win32.QQHelper.vn (Kaspersky name)
When run, the sample copies itself into the %SYSTEMroot% and %WINDIR% directories and creates the following files:
Code: %SYSTEMroot%\nttstat.exe
%WINDIR%\nttstat.exe
%WINDIR%\d6.exe
%WINDIR%\ft001.exe
%WINDIR%\KB9269O4.log
X:\Documents and Settings\<your USERNAME>\Application Data\Cuckoo\Host.dat
It also uses IFEO hijacking: an entry under the following key redirects every launch of Assumer.exe to the trojan's copy, so the malware is restarted whenever that program is run.
Code: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
<Assumer.exe> <%SYSTEMroot%\nttstat.exe>
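To check a machine for this kind of IFEO hijack, here is an added PowerShell audit (not from the original post) that lists every IFEO subkey carrying a Debugger value and flags the ones whose target is not a debugger installed under Program Files, which is exactly what the Assumer.exe entry above would look like. The function name Get-IfeoDebuggerEntries and the Program Files allow-list are my assumptions.

```powershell
# Added example, not from the original post: list every IFEO subkey that carries a
# Debugger value and flag the ones whose target is not a debugger under Program Files,
# which is what the <Assumer.exe> -> %SYSTEMroot%\nttstat.exe hijack looks like.
# Assumes a Windows host with PowerShell, run from an elevated prompt.

$ifeoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

# Allow-list (an assumption for this example): real JIT debuggers such as
# vsjitdebugger.exe live under Program Files, not in %WINDIR% or system32.
$allowedRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }

function Get-IfeoDebuggerEntries {
    foreach ($root in $ifeoRoots) {
        if (-not (Test-Path -Path $root)) { continue }
        foreach ($key in Get-ChildItem -Path $root) {
            $debugger = (Get-ItemProperty -Path $key.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
            if ([string]::IsNullOrWhiteSpace($debugger)) { continue }

            # The value is a command line: take the executable part (quoted or first token),
            # then expand %SystemRoot%-style variables so it can be checked on disk.
            if ($debugger -match '^"([^"]+)"') { $exe = $Matches[1] }
            else { $exe = ($debugger -split '\s+')[0] }
            $exePath = [Environment]::ExpandEnvironmentVariables($exe)

            $allowed = $allowedRoots | Where-Object { $exePath.StartsWith($_, [StringComparison]::OrdinalIgnoreCase) }

            [pscustomobject]@{
                Image      = $key.PSChildName   # the program being hijacked, e.g. Assumer.exe
                Debugger   = $debugger          # the command that actually gets launched instead
                OnDisk     = Test-Path -LiteralPath $exePath
                Suspicious = -not $allowed
            }
        }
    }
}

# Suspicious entries are listed first. A confirmed hijack is cleaned by deleting the
# subkey, as in step 1 of the solution (Remove-Item -Path <subkey> -Recurse), once the
# files it points to have been dealt with.
Get-IfeoDebuggerEntries | Sort-Object -Property Suspicious -Descending | Format-Table -AutoSize
```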
%WINDIR%\d6.exe drops the following files:
Code: %Program Files%\Common Files\CPUSH\Uninst.exe
%Program Files%\Common Files\CPUSH\cpush.dll
X:\Documents and Settings\<your USERNAME>\Local Settings\Temp\nsa1A.tmp
%WINDIR%\ft001.exe drops the following files:
Code: %SYSTEMroot%\drivers\gpkcsw.sys
%SYSTEMroot%\gpkcsw.dll
%SYSTEMroot%\hydlvr.dll
X:\Documents and Settings\<your USERNAME>\Local Settings\Temp\tmp1B.CAB
X:\Documents and Settings\<your USERNAME>\Local Settings\Temp\tmp1B.tmp
X:\Documents and Settings\<your USERNAME>\Local Settings\Temp\tmp1c.tmp
X:\Documents and Settings\<your USERNAME>\Local Settings\Temp\tmp1d.tmp
Corresponding SREng log entries (note that the dropped driver reports Microsoft Corporation as its vendor, and that the trojan's files show up as modules loaded inside Explorer.EXE and RUNDLL32.exe):
Driver
Code: [gpkcsw/gpkcsw] [Stopped/Boot Start]
<\SystemRoot\system32\drivers\gpkcsw.sys> <Microsoft Corporation>
========================================
Browser add-on
Code: [CAdLogic Object]
{11F09AFD-75AD-4E51-AB43-E09E9351CE16} <C:\Program Files\Common Files\CPUSH\cpush0.dll,>
========================================
Running processes
Code: [PID: 432] [C:\windows\Explorer.EXE]
[C:\windows\KB9269O4.log] [N/A,]
[PID: 432] [C:\windows\nttstat.exe] [N/A,]
[PID: 432] [C:\windows\system32\nttstat.exe]
[PID: 1076] [C:\windows\system32\RUNDLL32.exe]
[C:\windows\system32\hydlvr.dll]
Solution:
1. Start --- Run --- regedit, and expand in sequence:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
Delete the subkey:
<Assumer.exe>
2. Run IceSword --- Settings --- Disable thread creation, then end the virus process:
Code: %WINDIR%\d6.exe
3. Still in IceSword with thread creation disabled, force-unload the modules injected into Explorer.EXE (2) and RUNDLL32.exe:
Code: C:\windows\KB9269O4.log
C:\windows\nttstat.exe
C:\windows\system32\hydlvr.dll
4. Run SREng --- Startup items --- Services --- Drivers, and delete the service:
Code: [gpkcsw/gpkcsw] [Stopped/Boot Start]
<\SystemRoot\system32\drivers\gpkcsw.sys> <Microsoft Corporation>
5. Close all browser windows and unnecessary programs.
Run SREng2 --- System Repair --- Browser add-ons, select the following item and delete it:
Code: C:\Program Files\Common Files\CPUSH\cpush0.dll
6. Use IceSword --- File to delete the following virus files:
%SYSTEMroot%\nttstat.exe
%WINDIR%\nttstat.exe
%WINDIR%\d6.exe
%WINDIR%\ft001.exe
%WINDIR%\KB9269O4.log
%SYSTEMroot%\drivers\gpkcsw.sys
%Program Files%\Common Files\CPUSH\ (delete the whole folder)
%SYSTEMroot%\gpkcsw.dll
%SYSTEMroot%\hydlvr.dll
X:\Documents and Settings\<your USERNAME>\Local Settings\Temp\ (empty the folder)
X:\Documents and Settings\<your USERNAME>\Application Data\Cuckoo\Host.dat