Kingsoft guard has been installed on my computer for a while, and in ordinary use I had not seen it do anything. Today it scanned a USB flash drive for viruses and finally showed some response. While I am at it, here are some notes from the experience.
1. Some functions are unavailable when running under a user account without administrator permissions. For example, the V10 engine of Kingsoft guard's Trojan scan cannot be enabled.
2. Incomplete Real-time protection functions
Today, a colleague copied some data over with a USB flash drive. Kingsoft guard detected malicious programs on the USB flash drive. After the drive was cleaned, checking it again showed that problems remained:
(1) The autorun.inf used to start the virus was not deleted
The content of autorun.inf is:
[Autorun]
Shellexecuteappssecret.exe
(2) The EXE files of Trojan viruses disguised as folders were not completely cleared. The following two were missed:
File Description: G:/recycled.exe
Property:-sh-
Digital Signature: No
PE file: Yes
Language: English (USA)
File version: 1.00
Product: 1.00
Product Name: hav_online
Internal name: Task
Source File Name: task.exe
Creation Time: 22:44:34
Modification time: 7:50:56
Size: 112128 bytes, 109.512 KB
MD5: 65fee6921df6aedca88f5bda-bf1d543
Sha1: 8734bce69825b21f3573ca94398647bde49c6eb6
CRC32: 66169b58
File Description: G:/recycle.exe
Property:-sh-
Digital Signature: No
PE file: Yes
Language: English (USA)
File version: 1.00
Product: 1.00
Product Name: hav_online
Internal name: Task
Source File Name: task.exe
Creation Time: 22:44:34
Modification time: 7:50:56
Size: 112128 bytes, 109.512 KB
MD5: 65fee6921df6aedca88f5bda-bf1d543
Sha1: 8734bce69825b21f3573ca94398647bde49c6eb6
CRC32: 66169b58
This should be an old malicious program, and many anti-virus software can detect it:
Http://www.virustotal.com/file-scan/report.html? Id = Success
Antivirus | Version | Last update | Result
AhnLab-V3 | 2011.02.14.02 | 2011.02.14 | Win32/Autorun.worm.20.128
AntiVir | 7.11.3.93 | 2011.02.15 | TR/Vb.GHS
Antiy-AVL | 2.0.3.7 | 2011.02.15 | Trojan/win32.agent.gen
Avast | 4.8.1351.0 | 2011.02.16 | Win32:Agent-QTR
Avast5 | 5.0.677.0 | 2011.02.16 | Win32:Agent-QTR
AVG | 10.0.0.1190 | 2011.02.16 | Downloader.agent2.fuq
BitDefender | 7.2 | 2011.02.16 | Trojan.generic.1748385
Cat-quickheal | 11.00 | 2011.02.15 | Trojandownloader.Agent.GHS
ClamAV | 0.96.4.0 | 2011.02.16 | Pua.Packed.PECompact-1
Commtouch | 5.2.11.5 | 2011.02.15 | W32/downldr2.bdrf
Comodo | 7701 | 2011.02.15 | Trojware.win32.vb.ghs0
Drweb | 5.0.2.03300 | 2011.02.16 | Backdoor.bulknet.419
Emsisoft | 5.1.0.2 | 2011.02.15 | Virus.worm.VB!Ik
Esafe | 7.0.20. | 2011.02.15 | Win32.agent.GHS
ETrust-vet | 36.1.8161 | 2011.02.15 | Win32/sillyfdc.Di
F-Prot | 4.6.2.117 | 2011.02.15 | W32/downldr2.bdrf
F-Secure | 9.0.16160.0 | 2011.02.16 | Trojan.generic.1748385
Fortinet | 4.2.254.0 | 2011.02.16 | -
Gdata | 21 | 2011.02.16 | Trojan.generic.1748385
Ikarus | T3.1.1.97.0 | 2011.02.15 | Virus.worm.VB
Jiangmin | 13.0.900 | 2011.02.15 | Trojandownloader.Agent.xly
K7antivirus | 9.85.3859 | 2011.02.15 | Trojan-downloader
Kaspersky | 7.0.0.125 | 2011.02.16 | Trojan-Downloader.Win32.Agent.btlp
McAfee | 5.400.0.1158 | 2011.02.16 | Generic.dx
McAfee-GW-Edition | 2010.1c | 2011.02.15 | Heuristic.lookslike.win32.suspicious.J!83
Microsoft | 1.6502 | 2011.02.15 | WORM:Win32/Vb.Ha
NOD32 | 5878 | 2011.02.15 | A variant of Win32/Autorun.VB.Vo
Norman | 6.07.03 | 2011.02.15 | W32/agent.edbt
Nprotect | September 2011-02-10.01 | 2011.02.15 | Trojan-downloader/w32.agent.g0128.j
Panda | 10.0.3.5 | 2011.02.15 | Trj/keylogger.CV
Pctools | 7.0.3.5 | 2011.02.16 | Trojan-Downloader.Agent!CT
Prevx | 3.0 | 2011.02.16 | High risk spyware
Rising | 23.45.01.06 | 2011.02.15 | Worm.win32.vb.QP
Sophos | 4.61.0 | 2011.02.15 | Mal/VB-F
SUPERAntiSpyware | 4.40.0.1006 | 2011.02.16 | -
Thehacker | 6.7.0.1.131 | 2011.02.15 | Trojan/Downloader.Agent.GHS
TrendMicro | 9.200.0.1012 | 2011.02.15 | Worm_autorun.qh
TrendMicro-housecall | 9.200.0.1012 | 2011.02.15 | Worm_autorun.qh
Vba32 | 3.12.14.3 | 2011.02.15 | Trojandownloader.Agent.hor
Vipre | 8433 | 2011.02.16 | Trojan.win32.generic.Pak!Cobra
ViRobot | 2011.2.15.4311 | 2011.02.15 | Trojan.win32.downloader.g0128.c
Virusbuster | 13.6.202.1 | 2011.02.15 | Trojan.DL.Agent!5gauyxfgjfu
If scanning and removal rely on signatures, why are the names of the viruses or Trojans that were cleared not shown?
(3) No quarantine area? Cleared files cannot be retrieved.
3. Download protection automatically uploads files whose scan results are unknown.
I downloaded a program I had written myself from my mailbox. Kingsoft guard did not detect any problem with it, yet it automatically uploaded the file for cloud analysis and did not ask whether I agreed.
The option "No prompt is displayed when the scan result is unknown and the cloud security analysis task is automatically submitted" under Net shield -- Download protection does not seem to have any effect. Files are uploaded automatically even when the option is not ticked.
In addition, this download protection does not seem to check files transmitted via QQ. A friend's computer got infected because he accidentally opened a virus file sent via QQ. For details, see:
Http://blog.csdn.net/Purpleendurer/archive/2011/01/22/6159216.aspx
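
A check for the leftovers described in item 2 above, as an added example that is not part of the original post: it lists the autorun.inf entries that launch a program and the executables sitting in a drive's root, with their hidden/system state where Windows exposes it. The function names, the extension list and the sample files built in demo() are assumptions made for illustration.

```python
import os
import tempfile

LAUNCH_KEYS = ("open", "shellexecute")       # autorun.inf keys that start a program
EXEC_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd"}
HIDDEN, SYSTEM = 0x2, 0x4                     # Windows attribute bits shown as "-sh-"

def autorun_launch_entries(text):
    """Return (key, target) pairs in the [autorun] section that launch a program."""
    entries, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"
        elif in_section and "=" in line and not line.startswith(";"):
            key, value = (part.strip() for part in line.split("=", 1))
            key = key.lower()
            if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
                entries.append((key, value))
    return entries

def audit_drive_root(root):
    """Report autorun launch entries and executables left in a drive's root."""
    findings = []
    for name in sorted(os.listdir(root)):
        path, ext = os.path.join(root, name), os.path.splitext(name)[1].lower()
        if name.lower() == "autorun.inf" and os.path.isfile(path):
            with open(path, encoding="utf-8", errors="replace") as fh:
                for key, target in autorun_launch_entries(fh.read()):
                    findings.append(("autorun", key, target))
        elif ext in EXEC_EXTS and os.path.isfile(path):
            # st_file_attributes exists only on Windows; None means "not available"
            attrs = getattr(os.stat(path), "st_file_attributes", None)
            note = "attributes unavailable" if attrs is None else (
                "hidden/system" if attrs & (HIDDEN | SYSTEM) else "visible")
            findings.append(("executable", name, note))
    return findings

def demo():
    with tempfile.TemporaryDirectory() as root:   # constructed sample drive root
        with open(os.path.join(root, "autorun.inf"), "w") as fh:
            fh.write("[AutoRun]\nicon=drive.ico\nshellexecute=sample.exe\n")
        for name in ("recycled.exe", "notes.txt"):
            open(os.path.join(root, name), "wb").close()
        return audit_drive_root(root)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Run against the real drive letter after a cleanup, for example `audit_drive_root("G:/")`; any result means the cleanup left a launch path or a root-level executable behind.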