File:
Size: 19456 bytes
MD5: 90C509FA6A6C2FA798DBE1CFD7F0E4F1
SHA1: DBF721F48369CFBB2B88D0F5D707924A7FE185EC
CRC32: 9822E714
Creates the following files:
%Program Files%\Common Files\Services\
%system32%\
Generate a and
Spreads via removable storage such as USB drives.
Calls cmd to stop the following services with the net stop command:
mcshield
Norton Antivirus Auto Protect Service
Windows Firewall/Internet Connection Sharing (ICS)
System Restore Service
Terminates the following processes:
Phage
* star
Looks up the following registry values, in order:
S-1-5-21-1801674531-1645522239-725345543-1003\Software\JetCar\JetCar\General, value AppPath
SOFTWARE\Thunder Network\ThunderOem\thunder_backwnd, value Path
Software\Microsoft\Windows\CurrentVersion\App Paths\
Software\Microsoft\Windows\CurrentVersion\App Paths\
Software\TENCENT\PLATFORM_TYPE_LIST\1, value TypePath
to obtain the installation paths of Internet Express, Thunder, MSN, IE and QQ respectively.
If one is found, the corresponding program is started.
(The search is sequential: if Internet Express is found, it is started and the remaining keys are not checked.)
After starting the corresponding program, it injects itself into that process, connects to the network and downloads the * from
http://*.cn/hz/~http://*.cn/hz/
into %Program Files%\Internet Explorer\PLUGINS, under a random 8-character name made up of letters and digits.
Once the * is installed, it creates mainly the following files (including but not limited to):
%Program Files%\Internet Explorer\PLUGINS\
%Program Files%\Internet Explorer\PLUGINS\
%Program Files%\NetMeeting\
%Program Files%\NetMeeting\
%Program Files%\NetMeeting\rav* (* is two random letters)
%Program Files%\NetMeeting\rav* (* is two random letters)
%systemroot%\
%systemroot%\
%systemroot%\
%systemroot%\
%systemroot%\
%systemroot%\
%SystemRoot%\
and several *s with the following random 7-letter file names:
%system32%\
%system32%\
%system32%\
%system32%\
%system32%\
%system32%\
%system32%\
%system32%\
%system32%\
%system32%\
%system32%\
%system32%\
%system32%\
%system32%\
%system32%\
%system32%\
%system32%\
%system32%\
%system32%\
%system32%\
%system32%\
The account-stealing * harvests the accounts and passwords of the following online games (including but not limited to):
The Big Journey II
Demonic Domain
Perfect World
Aircraft warfare
China
World of Warcraft
Asked
Journey
Hot bloody rivers
World of Miracle
QQ
The downloaded * also disables Automatic Updates and the Windows Firewall,
and sets the system clock to January 1, 2099.
The SREng log shows the following (omitted in this reprint; see below for details).
Removal procedure:
1. Remove the main virus program:
First, set the system time correctly.
Download SREng from: down.
Restart the computer and enter Safe Mode (restart the system, hold F8 until the boot menu appears, then select Safe Mode).
Double-click My Computer, then Tools > Folder Options > View; select "Show hidden files and folders" and untick "Hide protected operating system files (Recommended)". When prompted to confirm the change, click Yes, then OK.
Right-click the C: drive (the system drive) and choose "Open" from the context menu rather than double-clicking it, so that any autorun file on the drive is not triggered.
Delete:
C:\
C:\
%Program Files%\Common Files\Services\
%system32%\
Likewise right-click each of the other drives and choose "Open" from the context menu to open it.
Delete and
2. Remove the downloaded *
1. Still in Safe Mode,
open SREng.
Startup Items > Registry: delete the following items:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
<w><%SystemRoot%\> [N/A]
<wm><%SystemRoot%\> []
<wl><%SystemRoot%\> [N/A]
<mm><%SystemRoot%\> []
<zx><%SystemRoot%\> [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<ravztmon><C:\Program Files\NetMeeting\> []
<avpms><C:\Program Files\NetMeeting\> []
<ravwdmon><C:\Program Files\NetMeeting\> []
Double-click My Computer, then Tools > Folder Options > View; select "Show hidden files and folders" and untick "Hide protected operating system files (Recommended)". When prompted to confirm the change, click Yes, then OK.
Delete the following files:
%Program Files%\Internet Explorer\PLUGINS\
%Program Files%\Internet Explorer\PLUGINS\
%Program Files%\NetMeeting\
%Program Files%\NetMeeting\
%Program Files%\NetMeeting\rav* (* is a random two-digit letter)
%Program Files%\NetMeeting\rav* (* is a random two-digit letter)
%systemroot%\
%systemroot%\
%systemroot%\
%systemroot%\
%systemroot%\
%systemroot%\
%SystemRoot%\
2. Remove the random 7-letter DLL * trojans
(These are in fact * variants, and the rename method still removes them.)
Still in Safe Mode,
open SREng, Startup Items > Registry.
Look at the random 7-letter DLL files listed under [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks] and write down their names.
Then
double-click My Computer, then Tools > Folder Options > View; select "Show hidden files and folders" and untick "Hide protected operating system files (Recommended)". When prompted to confirm the change, click Yes, then OK.
Open the C:\Windows\System32 folder and click the Search button on the toolbar.
Under "More advanced options", tick "Search hidden files and folders".
Search for each of the random 7-letter DLLs you wrote down.
Right-click and rename each file. Keep a note of the new names; choose a consistent pattern so they are easy to find again.
Restart the computer.
Open SREng.
Startup Items > Registry: delete the following items (that is, all the random 7-letter DLL entries you saw under startup items):
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
<{1E32FA58-3453-FA2D-BC49-F340348ACCE1}><C:\WINDOWS\system32\> []
<{2C87A354-ABC3-DEDE-FF33-3213FD7447C2}><C:\WINDOWS\system32\> []
<{3D47B341-43DF-4563-753F-345FFA3157D3}><C:\WINDOWS\system32\> []
<{1960356A-458E-DE24-BD50-268F589A56A1}><C:\WINDOWS\system32\> []
<{12FAACDE-34DA-CCD4-AB4D-DA34485A3421}><C:\WINDOWS\system32\> []
<{1859245F-345D-BC13-AC4F-145D47DA34F1}><C:\WINDOWS\system32\> []
<{37D81718-1314-5200-2597-587901018073}><C:\WINDOWS\system32\> []
Double-click AppInit_DLLs and clear its value.
Then delete the DLL files you renamed earlier.
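As an added defender-side check (not part of the original write-up), the following PowerShell script lists the persistence locations the procedure above walks through and flags entries that match the write-up's patterns: CLSID-named ShellExecuteHooks pointing at random 7-letter DLLs in System32, a non-empty AppInit_DLLs, and the Run value names and NetMeeting paths from the SREng log. It only reports and deletes nothing; it assumes Windows PowerShell 5.1 or later in an elevated session.

```powershell
# Added audit script, not part of the original write-up. It lists the
# persistence locations the removal steps cover and flags entries that
# match the write-up's patterns. Report only: nothing is changed or deleted.
# Assumes Windows PowerShell 5.1 or later in an elevated session.

$system32 = Join-Path $env:SystemRoot 'System32'

# Patterns from the write-up: random 7-letter DLL names in System32, loaders
# under NetMeeting, and the Run value names seen in its SREng log.
$sevenLetterDll = '^[A-Za-z]{7}\.dll$'
$knownRunNames  = @('w', 'wm', 'wl', 'mm', 'zx', 'ravztmon', 'avpms', 'ravwdmon')

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Location, [string]$Name, [string]$Value, [string]$Reason) {
    $findings.Add([pscustomobject]@{ Location = $Location; Name = $Name; Value = $Value; Reason = $Reason })
}

# 1. ShellExecuteHooks: each value name is a CLSID whose InprocServer32 DLL
#    Explorer loads on every ShellExecute call.
$hooksKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'
if (Test-Path $hooksKey) {
    foreach ($clsid in (Get-Item $hooksKey).Property) {
        $srv = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32"
        $dll = if (Test-Path $srv) { [string](Get-ItemProperty $srv).'(default)' } else { '' }
        if (-not $dll) { Add-Finding $hooksKey $clsid '<none>' 'hook CLSID has no InprocServer32 DLL'; continue }
        $dll  = [Environment]::ExpandEnvironmentVariables($dll)
        $leaf = Split-Path -Leaf $dll
        if ($leaf -match $sevenLetterDll) { Add-Finding $hooksKey $clsid $dll 'random 7-letter DLL name, as in the write-up' }
        elseif ($dll -like "$system32\*") { Add-Finding $hooksKey $clsid $dll 'hook DLL in System32; verify its signature' }
    }
}

# 2. AppInit_DLLs: the write-up expects this value to be empty once cleaned.
$appInitKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$appInit = [string](Get-ItemProperty $appInitKey -ErrorAction SilentlyContinue).AppInit_DLLs
if ($appInit.Trim()) { Add-Finding $appInitKey 'AppInit_DLLs' $appInit 'non-empty AppInit_DLLs' }

# 3. The two Run keys from the SREng log.
$runKeys = @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
             'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run')
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty $key
    foreach ($name in (Get-Item $key).Property) {
        $value = [string]$props.$name
        if ($knownRunNames -contains $name) { Add-Finding $key $name $value 'Run value name listed in the write-up' }
        elseif ($value -like '*\NetMeeting\*') { Add-Finding $key $name $value 'Run target under NetMeeting, as in the write-up' }
    }
}

if ($findings.Count -eq 0) { 'No entries matching the write-up patterns found.' } else { $findings | Format-Table -AutoSize }
```

A hit on the 7-letter or NetMeeting patterns is a lead to verify against the renamed files and SREng output, not proof of infection on its own, since legitimate software can register shell hooks too.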
Note: %System32% is a variable path.
The default path on Windows 2000/NT is C:\Winnt\System32, on Windows 95/98/Me it is C:\Windows\System, and on Windows XP it is C:\Windows\System32.
%SystemRoot%\ is the WINDOWS directory.
%ProgramFiles%\ is the Program Files directory.