After being poisoned, release the following files to the computer where you were infected:
C:\WINDOWS\system32\
C:\WINDOWS\system32\
C:\WINDOWS\system32\
C:\WINDOWS\system32\
C:\WINDOWS\system32\
C:\WINDOWS\system32\
C:\WINDOWS\system32\
C:\WINDOWS\system32\
C:\WINDOWS\system32\Low price charge membership.url
C:\WINDOWS\system32\Low-price rechargeable drill.url
Also, there are a bunch of messy virus-related files in the IE temporary folder.
IceSword (can be downloaded in down.) The C:\WINDOWS\system32\process (hidden) and process displayed in the red text can be seen in the process list.
Access the network through port 80 and open/this homepage repeatedly.
The C:\WINDOWS\system32\ function of this virus is OK. When XDELBOX imports the above virus files through the clipboard, the file does not exist. Commonly used methods (such as using WINRAR to view files) cannot find these virus files.
The registry changes after being attacked are as follows:
HKEY_CLASSES_ROOT\
HKEY_CLASSES_ROOT\.1
HKEY_CLASSES_ROOT\CLSID\{0EE2B1C1-0357-4175-A2E1-8E8E1A033AE5}
HKEY_CLASSES_ROOT\CLSID\{1798BEA6-E891-46B7-A1F8-C15780D0A023}
HKEY_CLASSES_ROOT\CLSID\{6233543C-2323-456A-A169-2E9C5E6E977B}
HKEY_CLASSES_ROOT\Interface\{E44384ED-10F7-49FD-A210-41C9BD4A119C}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor
"AutoRun"="C:\\windows\\system32\\"
HKEY_CLASSES_ROOT\TypeLib\{04750F2D-DE63-4790-90F4-C5CE892E5AA4}\1.0\0\win32
@="C:\\windows\\system32\\"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\R
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f7b74df2-e1a1-11db-8a2e-806d6172696f}
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\Bags\6\Shell
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0045D4BC-5189-4B67-969C-83BB1906C421}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00C6482D-C502-44C8-8409-FCE54AD9C208}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1798BEA6-E891-46B7-A1F8-C15780D0A023}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5CA3D70E-1895-11CF-8E15-001234567890}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{92780B25-18CC-41C8-B9BE-3C9C571A8263}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D1A4DEBD-C2EE-449F-B9FB-E8409F9A0BC5}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F040E541-A427-4CF7-85D8-75E3E0F476C5}
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hideme
in:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor
"AutoRun"="C:\\windows\\system32\\"
This kind of loading method is rare.
Manual antivirus process using IceSword():
1. End C:\WINDOWS\system32\ and the process.
2. Delete the following files (detailed steps: Open IceSword - File - Find the virus file to delete it in turn):
C:\WINDOWS\system32\
C:\WINDOWS\system32\
C:\WINDOWS\system32\
C:\WINDOWS\system32\
C:\WINDOWS\system32\
C:\WINDOWS\system32\
C:\WINDOWS\system32\
C:\WINDOWS\system32\
C:\WINDOWS\system32\Low price charge membership.url
C:\WINDOWS\system32\Low-price rechargeable drill.url
Clear the IE temporary folder.
3. Delete the above registry content added by the virus (see the previous part of this article, (Open IceSword - Register - Find the virus registry option to delete it in turn)).
C:\WINDOWS\system32\
C:\WINDOWS\system32\
C:\WINDOWS\system32\
C:\WINDOWS\system32\
C:\WINDOWS\system32\
C:\WINDOWS\system32\
C:\WINDOWS\system32\
C:\WINDOWS\system32\
C:\WINDOWS\system32\Low price charge membership.url
C:\WINDOWS\system32\Low-price rechargeable drill.url
Also, there are a bunch of messy virus-related files in the IE temporary folder.
IceSword (can be downloaded in down.) The C:\WINDOWS\system32\process (hidden) and process displayed in the red text can be seen in the process list.
Access the network through port 80 and open/this homepage repeatedly.
The C:\WINDOWS\system32\ function of this virus is OK. When XDELBOX imports the above virus files through the clipboard, the file does not exist. Commonly used methods (such as using WINRAR to view files) cannot find these virus files.
The registry changes after being attacked are as follows:
HKEY_CLASSES_ROOT\
HKEY_CLASSES_ROOT\.1
HKEY_CLASSES_ROOT\CLSID\{0EE2B1C1-0357-4175-A2E1-8E8E1A033AE5}
HKEY_CLASSES_ROOT\CLSID\{1798BEA6-E891-46B7-A1F8-C15780D0A023}
HKEY_CLASSES_ROOT\CLSID\{6233543C-2323-456A-A169-2E9C5E6E977B}
HKEY_CLASSES_ROOT\Interface\{E44384ED-10F7-49FD-A210-41C9BD4A119C}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor
"AutoRun"="C:\\windows\\system32\\"
HKEY_CLASSES_ROOT\TypeLib\{04750F2D-DE63-4790-90F4-C5CE892E5AA4}\1.0\0\win32
@="C:\\windows\\system32\\"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\R
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f7b74df2-e1a1-11db-8a2e-806d6172696f}
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\Bags\6\Shell
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0045D4BC-5189-4B67-969C-83BB1906C421}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00C6482D-C502-44C8-8409-FCE54AD9C208}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1798BEA6-E891-46B7-A1F8-C15780D0A023}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5CA3D70E-1895-11CF-8E15-001234567890}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{92780B25-18CC-41C8-B9BE-3C9C571A8263}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D1A4DEBD-C2EE-449F-B9FB-E8409F9A0BC5}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F040E541-A427-4CF7-85D8-75E3E0F476C5}
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hideme
in:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor
"AutoRun"="C:\\windows\\system32\\"
This kind of loading method is rare.
Manual antivirus process using IceSword():
1. End C:\WINDOWS\system32\ and the process.
2. Delete the following files (detailed steps: Open IceSword - File - Find the virus file to delete it in turn):
C:\WINDOWS\system32\
C:\WINDOWS\system32\
C:\WINDOWS\system32\
C:\WINDOWS\system32\
C:\WINDOWS\system32\
C:\WINDOWS\system32\
C:\WINDOWS\system32\
C:\WINDOWS\system32\
C:\WINDOWS\system32\Low price charge membership.url
C:\WINDOWS\system32\Low-price rechargeable drill.url
Clear the IE temporary folder.
3. Delete the above registry content added by the virus (see the previous part of this article, (Open IceSword - Register - Find the virus registry option to delete it in turn)).