This write-up is based on an SREng log sent in by a user asking for help; the main symptom was pop-up advertisements. After receiving the email, I found that this thing is almost identical to the rogue software 0848\baisoa I wrote up some time ago. It appears to be just an upgraded version with nothing new in it.
Virus files and folders
%windir%\
%windir%\
%windir%\
%windir%\
%system%\{pchome}\.setupf\
Registry startup items added
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
updatereal %windir%\ other
winsamps %windir%\
Startup item disguised as a Microsoft component
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
ScCardLogn %windir%\
BHO added
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID]
[HKEY_CLASSES_ROOT\CLSID]
{DE7C3CF0-4B15-11D1-ABED-709549C10000} %windir%\
Solution:
1. End the malicious process
2. Delete all the registry entries it added
3. Restart and then delete the files, or use Unlocker to delete all virus files
PS:
1. Because of variants, the actual situation may differ from the description in this article, but the removal method stays the same.
2. Because it has downloader-trojan characteristics, it may also be accompanied by other viruses or rogue software.
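As an added example (not part of the original SREng analysis), the following PowerShell script audits the persistence locations listed above for the value names and CLSID this post names and reports what it finds without deleting anything. The Browser Helper Objects list key and the Notify subkey/DLLName layout are assumptions based on the standard Windows layout, not something the post states.

```powershell
# Added example: audit the persistence points named in this post (report only, no deletion).
$suspectRunValues    = @('updatereal', 'winsamps')          # value names from the post
$suspectNotifyValues = @('ScCardLogn')                        # Winlogon\Notify entry from the post
$suspectClsid        = '{DE7C3CF0-4B15-11D1-ABED-709549C10000}'  # BHO CLSID from the post
$findings = @()

# 1. HKCU Run key: autostart entries written by the adware
$runKey = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
if (Test-Path $runKey) {
    $run = Get-ItemProperty -Path $runKey
    foreach ($name in $suspectRunValues) {
        if ($run.PSObject.Properties.Name -contains $name) {
            $findings += [pscustomobject]@{ Location = $runKey; Name = $name; Data = $run.$name }
        }
    }
}

# 2. Winlogon\Notify: assumed to be a subkey carrying a DLLName value (the normal Notify layout)
$notifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
foreach ($name in $suspectNotifyValues) {
    $sub = Join-Path $notifyKey $name
    if (Test-Path $sub) {
        $dll = (Get-ItemProperty -Path $sub).DLLName
        $findings += [pscustomobject]@{ Location = $sub; Name = 'DLLName'; Data = $dll }
    }
}

# 3. BHO registration: the CLSID's InprocServer32 under HKCR, plus IE's BHO list (assumed standard key)
$clsidKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$suspectClsid\InprocServer32"
if (Test-Path $clsidKey) {
    $dll = (Get-ItemProperty -Path $clsidKey).'(default)'
    $findings += [pscustomobject]@{ Location = $clsidKey; Name = '(default)'; Data = $dll }
}
$bhoKey = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$suspectClsid"
if (Test-Path $bhoKey) {
    $findings += [pscustomobject]@{ Location = $bhoKey; Name = ''; Data = 'BHO registered' }
}

# 4. The dropper folder under %system% named in the post
$setupf = Join-Path $env:SystemRoot 'System32\{pchome}\.setupf'
if (Test-Path -LiteralPath $setupf) {
    $findings += [pscustomobject]@{ Location = $setupf; Name = 'folder'; Data = 'present' }
}

if ($findings) { $findings | Format-Table -AutoSize } else { 'No matching entries found.' }
```

Run it from an elevated prompt so the HKLM and HKCR locations can be read; any hit shows the image path, which is the file to remove after the process has been ended.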