File:
Size: 33495 bytes
File Version: 0.00.0204
Modified: December 29, 2007, 21:23:18
MD5: 4B2BE9775B6CA847FB2547DD75025625
SHA1: 2660F88591AD4DA8849A3A56F357E7DFB9694D45
CRC32: 2A485241
Writing Language: VB
1. After the virus runs, it creates the following copies of itself and derived files:
Quote:
%systemroot%\Debug\
%systemroot%\system32\
%systemroot%\system32\
%systemroot%\system32\
%systemroot%\system32\
%systemroot%\system32\
%systemroot%\system32\
%systemroot%\
%systemroot%\
%systemroot%\
%systemroot%\
%systemroot%\
D:\
D:\
2. Elevates its own privileges and tries to terminate any process whose name matches one of the following patterns (security tools are killed by name):
Quote:
360tray*
ravmon*
ccenter*
trojdie*
kpop*
ssistse*
agentsvr*
kv*
kreg*
iefind*
iparmor*
uphc*
rulewize*
fygt*
rfwsrv*
rfwma*
**
3. Tampers with many file association handlers so that the virus is launched whenever one of these file types is opened.
Quote:
HKLM\SOFTWARE\Classes\.bfc\ShellNew\Command: "%SystemRoot%\system32\ %SystemRoot%\system32\,Briefcase_Create %2!d! %1"
HKLM\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command\: ""C:\Program Files\Internet Explorer\""
HKLM\SOFTWARE\Classes\Drive\shell\find\command\: "%SystemRoot%\"
HKLM\SOFTWARE\Classes\dunfile\shell\open\command\: "%SystemRoot%\system32\ ,InvokeDunFile %1"
HKLM\SOFTWARE\Classes\htmlfile\shell\print\command\: " %SystemRoot%\system32\,PrintHTML "%1""
HKLM\SOFTWARE\Classes\inffile\shell\Install\command\: "%SystemRoot%\System32\ setupapi,InstallHinfSection DefaultInstall 132 %1"
HKLM\SOFTWARE\Classes\Unknown\shell\openas\command\: "%SystemRoot%\system32\ %SystemRoot%\system32\,OpenAs_RunDLL %1" (so opening any file of an unknown type launches the virus, sweat...)
HKLM\SOFTWARE\Clients\StartMenuInternet\\shell\open\command\: ""C:\Program Files\common~1\""
(Changes the Internet Explorer entry in the Start menu so that it points at the virus file)
HKLM\SOFTWARE\Classes\.lnk\ShellNew\Command: " ,NewLinkHere %1"
HKLM\SOFTWARE\Classes\Applications\\shell\open\command\: ""C:\Program Files\Internet Explorer\" %1"
HKLM\SOFTWARE\Classes\cplfile\shell\cplopen\command\: " ,Control_RunDLL "%1",%*"
HKLM\SOFTWARE\Classes\ftp\shell\open\command\: ""C:\Program Files\Internet Explorer\" %1"
HKLM\SOFTWARE\Classes\htmlfile\shell\open\command\: ""C:\Program Files\Internet Explorer\" -nohome"
HKLM\SOFTWARE\Classes\htmlfile\shell\opennew\command\: ""C:\Program Files\common~1\" %1"
HKLM\SOFTWARE\Classes\HTTP\shell\open\command\: ""C:\Program Files\common~1\" -nohome"
HKLM\SOFTWARE\Classes\InternetShortcut\shell\open\command\: " ,OpenURL %l"
HKLM\SOFTWARE\Classes\scrfile\shell\install\command\: " ,InstallScreenSaver %l"
HKLM\SOFTWARE\Classes\scriptletfile\Shell\Generate Typelib\command\: ""C:\WINDOWS\system32\" C:\WINDOWS\system32\,GenerateTypeLib "%1""
HKLM\SOFTWARE\Classes\telnet\shell\open\command\: " ,TelnetProtocolHandler %l"
HKLM\SOFTWARE\Clients\StartMenuInternet\: ""
...
Adds a new file type "winfiles" whose open command points to C:\WINDOWS\
and tampers with the .exe file association so that it resolves to it: HKLM\SOFTWARE\Classes\.exe\: "winfiles"
4. Modifies the Winlogon key
Quote:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
The Shell value is set to 1
5. Connects to the Internet to steal account passwords for online games such as Legend World
Cleaning method:
1. Decompress IceSword, rename it, and run it.
In the process list, end %systemroot%\
Click the File button in the lower-left corner and delete the following files:
%systemroot%\Debug\
%systemroot%\system32\
%systemroot%\system32\
%systemroot%\system32\
%systemroot%\system32\
%systemroot%\system32\
%systemroot%\system32\
%systemroot%\
%systemroot%\
%systemroot%\
%systemroot%\
%systemroot%\
D:\
D:\
2. Change the SREng extension to .bat and run it, then use
System Repair - File Association Repair
3. Repair the system
Open the system disk and run %systemroot%\system32\
Restore the registry entries modified by the virus to the following values:
Quote:
HKLM\SOFTWARE\Classes\.lnk\ShellNew\Command: " ,NewLinkHere %1"
HKLM\SOFTWARE\Classes\Applications\\shell\open\command\: ""C:\Program Files\Internet Explorer\" %1"
HKLM\SOFTWARE\Classes\cplfile\shell\cplopen\command\: " ,Control_RunDLL "%1",%*"
HKLM\SOFTWARE\Classes\htmlfile\shell\open\command\: ""C:\Program Files\Internet Explorer\" -nohome"
HKLM\SOFTWARE\Classes\htmlfile\shell\opennew\command\: ""C:\Program Files\Internet Explorer\" %1"
HKLM\SOFTWARE\Classes\HTTP\shell\open\command\: ""C:\Program Files\Internet Explorer\" -nohome"
HKLM\SOFTWARE\Classes\InternetShortcut\shell\open\command\: " ,OpenURL %l"
HKLM\SOFTWARE\Classes\scrfile\shell\install\command\: " ,InstallScreenSaver %l"
HKLM\SOFTWARE\Classes\telnet\shell\open\command\: " ,TelnetProtocolHandler %l"
HKLM\SOFTWARE\Classes\Drive\shell\find\command\: "%SystemRoot%\"
HKLM\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command\: ""C:\Program Files\Internet Explorer\""
HKLM\SOFTWARE\Classes\dunfile\shell\open\command\: "%SystemRoot%\system32\ ,InvokeDunFile %1"
HKLM\SOFTWARE\Classes\htmlfile\shell\print\command\: " %SystemRoot%\system32\,PrintHTML "%1""
HKLM\SOFTWARE\Classes\inffile\shell\Install\command\: "%SystemRoot%\System32\ setupapi,InstallHinfSection DefaultInstall 132 %1"
HKLM\SOFTWARE\Classes\Unknown\shell\openas\command\: "%SystemRoot%\system32\ %SystemRoot%\system32\,OpenAs_RunDLL %1"
Delete the entire HKLM\SOFTWARE\Classes\winfiles subkey
Modify HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
The Shell value is
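As an added, read-only audit that is not part of the original post or its cleaning tools: this PowerShell script checks the registry locations the analysis above says the trojan alters (the .exe association, the added winfiles ProgID, the Winlogon Shell value, and the shell command keys the post lists) and reports anything that deviates. The expected clean values (exefile, explorer.exe, handlers under %SystemRoot% or Program Files\Internet Explorer) are assumptions for a stock Windows XP install.

```powershell
# Added example, not a tool from the original post: read-only audit of the
# registry locations the analysis above says the trojan tampers with.
# Run elevated on the suspect host; it prints findings and changes nothing.

$findings = @()

# (a) .exe must resolve to the built-in "exefile" ProgID, not the added "winfiles".
$exeAssoc = (Get-ItemProperty 'HKLM:\SOFTWARE\Classes\.exe' -ErrorAction SilentlyContinue).'(default)'
if ($exeAssoc -ne 'exefile') {
    $findings += "Classes\.exe -> '$exeAssoc' (expected 'exefile')"
}

# (b) The trojan's own ProgID should not exist on a clean machine.
if (Test-Path 'HKLM:\SOFTWARE\Classes\winfiles') {
    $open = (Get-ItemProperty 'HKLM:\SOFTWARE\Classes\winfiles\shell\open\command' -ErrorAction SilentlyContinue).'(default)'
    $findings += "Classes\winfiles present; open command = '$open'"
}

# (c) Winlogon Shell is explorer.exe on a stock install; anything else runs at every logon.
$shell = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon').Shell
if ($shell -notmatch '^\s*explorer\.exe\s*$') {
    $findings += "Winlogon Shell = '$shell' (expected 'explorer.exe')"
}

# (d) Shell command keys from the post. A clean value runs from %SystemRoot%,
#     system32 or Program Files\Internet Explorer (assumed stock layout); the
#     tampered ones above point at "C:\Program Files\common~1\".
$commandKeys = @(
    'HKLM:\SOFTWARE\Classes\htmlfile\shell\open\command',
    'HKLM:\SOFTWARE\Classes\htmlfile\shell\opennew\command',
    'HKLM:\SOFTWARE\Classes\HTTP\shell\open\command',
    'HKLM:\SOFTWARE\Classes\ftp\shell\open\command',
    'HKLM:\SOFTWARE\Classes\Unknown\shell\openas\command',
    'HKLM:\SOFTWARE\Classes\Drive\shell\find\command'
)
# Every browser registered under StartMenuInternet gets the same check.
Get-ChildItem 'HKLM:\SOFTWARE\Clients\StartMenuInternet' -ErrorAction SilentlyContinue |
    ForEach-Object { $commandKeys += "$($_.PSPath)\shell\open\command" }

$expected = '(?i)(%SystemRoot%|\\Windows\\|\\Program Files\\Internet Explorer\\)'
foreach ($key in $commandKeys) {
    $cmd = (Get-ItemProperty $key -ErrorAction SilentlyContinue).'(default)'
    if ($null -eq $cmd) { continue }   # key absent: nothing to judge
    if ($cmd -match 'common~1' -or $cmd -notmatch $expected) {
        $findings += "$key = '$cmd'"
    }
}
if ($findings.Count -eq 0) { 'No deviations found in the audited keys.' }
else { $findings | ForEach-Object { "SUSPECT: $_" } }
```

Any SUSPECT line is a candidate for the manual restore steps above; the script deliberately does not write to the registry, so compare each flagged value against the clean list before repairing it.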