WORM_KILLAV.AB
Symantec: Trojan.KillAV; Microsoft: Trojan:Win32/Startpage.RH
Windows 2000, Windows XP, Windows Server 2003
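- Malware type: Worm
- Destructive: No
- Encrypted: No
- In the wild: Yes
Overview
The worm arrives on a system after being downloaded from a remote site by other malware, grayware, or spyware. It may also be downloaded unknowingly by a user visiting a malicious website.
The worm modifies registry values to hide system files and files with the read-only attribute. It adds certain registry values to disable security-related applications.
The worm drops copies of itself on removable drives. It uses the names of folders that exist on those drives as the file names of its copies.
The worm modifies the affected system's HOSTS file to prevent users from accessing certain websites.
Details
Arrival
The worm arrives on a system after being downloaded from a remote site by other malware, grayware, or spyware.
It may also be downloaded unknowingly by a user visiting a malicious website.
Installation
The worm drops the following component file: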
- %Program Files%\Common Files\BOSC.dll - detected as SPYW_SPYMYPC
(Note: %Program Files% is "C:\Program Files" by default.)
The worm drops the following non-malicious files:
- %All Users%\Desktop\Intennet Exploner.lnk
- %All Users%\Desktop\¸Ä±äÄãµÄÒ»Éú.url
- %All Users%\Desktop\ÌÔ±¦¹ºÎïA.url
- %All Users%\Desktop\Ãâ·ÑµçÓ°C.url
- %User Profile%\Favorites\&çÍ·×ÍøÖ·µ¼º½&.url
(Note: %User Profile% is "C:\Windows\Profiles\<user name>" on Windows 98 and ME, "C:\WINNT\Profiles\<user name>" on Windows NT, and "C:\Documents and Settings\<user name>" on Windows 2000, XP, and Server 2003.)
The worm drops copies of itself on the affected system as follows:
- %System Root%\VSPS\VSPS.exe
- %Startup%\juahwcsweo.exe
- %System%\qdlajbhqqq\explorer.exe
- %System%\mohquqcbsv\smss.exe
(Note: %System Root% is "C:" by default; it is the location of the operating system. %System% varies with the Windows version and installation settings. By default it is "C:\Windows\System" on Windows 98 and ME, "C:\WinNT\System32" on Windows NT and 2000, and "C:\Windows\System32" on Windows XP and Server 2003.)
The worm creates the following folders:
- %System%\qdlajbhqqq
- %System Root%\VSPS
- %System%\mohquqcbsv
(Note: %System% varies with the Windows version and installation settings. By default it is "C:\Windows\System" on Windows 98 and ME, "C:\WinNT\System32" on Windows NT and 2000, and "C:\Windows\System32" on Windows XP and Server 2003. %System Root% is "C:" by default; it is the location of the operating system.)
Other System Modifications
The worm adds the following registry values during installation:
HKEY_CLASSES_ROOT\exefile
NeverShowExt = 1
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
HideDesktopIcons\NewStartPanel
{871C5380-42A0-1069-A2EA-08002B30309D} = 1
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
Associations
ModRiskFileTypes = ".exe"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Control\StorageDevicePolicies
WriteProtect = 0
The worm adds the following registry keys during installation:
HKEY_CLASSES_ROOT\CLSID\{F986CC17-37C0-4585-B7D9-15F2161F0584}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer\
Desktop\NameSpace\{F986CC17-37C0-4585-B7D9-15F2161F0584}
The worm modifies the following registry value to hide system files and files with the read-only attribute:
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
ShowSuperHidden = 0
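(Note: The value of this registry entry before modification is "1".)
The worm adds the following registry values to disable security-related applications; each is a Debugger = "ntsd -d" value under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<executable name>.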
The worm deletes the following registry keys:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Control\SafeBoot\Minimal\
{4D36E967-E325-11CE-BFC1-08002BE10318}
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Control\SafeBoot\Network\
{4D36E967-E325-11CE-BFC1-08002BE10318}
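Propagation
The worm drops copies of itself on removable drives. It uses the names of folders that exist on those drives as the file names of its copies.
HOSTS File Modification
The worm modifies the affected system's HOSTS file to prevent users from accessing the following websites: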
- 32387.com
- 82vv.com
- 09tao.com
- 977dh.com
- 598.net
- 211dh.com
- 9365.info
- wblive.com
- e722.com
- v232.com
- 7400.net
- 62106.com
- ll4xi.com
- 3932.com
- puZeng.com
- 97199.com
- 447.cc
- 0749.com
- 6656.net
- niebai.com
- 447.com
- uuchina.net
- hao123cn.info
- dao666.com
- 9813.org
- 91kk.com
- freedh.info
- yidaba.com
- 161111111.com
- 009dh.com
- qsxx.cn
- geyuan.net
- 8t8.net
- xorg.pl
- bij.pl
- qqnz.com
- srpkw.com
- gggdu.com
- baiduo.com
- wys99.com
- leilei.cc
- 3633.net
- fjta.com
- so11.cn
- 522dh.com
- 9249.com
- 3110.cn
- 300cc.com
- 7669.cn
- 5c6.com
- 7993.cn
- 8336.cn
- 03m.net
- ou33.com
- bv0.net
- 163333333.cn
- 45575.com
- 2637.cn
- skyhouse.com.cn
- 98453.com
- 65642.net
- 776la.com
- 256.CC
- 114king.cn
- yyyqq.com
- huhu123.com
- gyyx.cn
- 2888.me
- 4444dh.cn
- 191pk.com
- 118.com
- 57xswz.com
- how18.cn
- sohu12333333.com
- xz26.com
- 654v.com
- 280580.cn
- fjgqw.com
- 49558.cn
- pp8000.cn
- 265it.com
- soolaa.com
- 9899.cn
- 18143.com
- haoxyz.com
- 4555.net
- 10du.net
- 528988.com
- wahahaha123.com
- c256.cn
- chinaih.com
- mnv.cn
- 633dh.com
- ncjxx.com
- 51721.net
- 556w.com
- 114cc.net
- 5go.com.cn
- pp4000.com
- 8844.com
- dd335.cn
- qu163.net
- itwenba.cn
- dou2game.cn
- h220.com
- neng123.com
- pleoc.cn
- 6006.cc
- 987654.com
- 39903.com
- ddoowwnn.cn
- 788111.com
- zhidao001.com
- 5hao123.com
- 978.la
- 135968.cn
- bb112.com
- r220.cn
- 365kong.com
- woainame.cn
- okgouwu.cn
- hao006.com
- jipinla.com
- 99467.com
- wawamm.cn
- qian14.cn
- ip27.cn
- 56dh.cn
- 2966.com
- game333.net
- kukuwz.com
- 1-xiu.cn
- 92hao123.com
- lian9.cn
- 222q.cn
- jj98.com
- 73vv.com
- mubanw.com
- t262.com
- x1258.cn
- weishi66.cn
- hao990.com
- 68la.com
- sowang123.cn
- 3929.cn
- 5665.cn
- 81sf.com
- kz123.cn
- qq806.cn
- ffwyt.com
Solution
Step 1
Users of Windows XP and Windows Server 2003 must disable System Restore before running a virus scan, so that the malware or adware can be completely removed from the computer.
Step 2
Search for the following files that WORM_KILLAV.AB created or downloaded, and delete them if found.
- SPYW_SPYMYPC
Step 3
Check the name of the file detected as WORM_KILLAV.AB and terminate that file.
- The detected file may appear in Windows Task Manager but cannot be deleted. In that case, restart the computer in Safe Mode. For information on Safe Mode, refer to this page.
- If the detected file does not appear in Task Manager, proceed to the next step.
Step 4
Delete these registry values.
Warning: The registry is the database that stores Windows configuration information. If a registry edit goes wrong, the system may stop working properly.
Edit the registry at your own risk. We cannot compensate for any problem caused by editing the registry.
Before editing the registry, refer to this page.
- In HKEY_CLASSES_ROOT\exefile
  - NeverShowExt = 1
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies
  - WriteProtect = 0
- In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations
  - ModRiskFileTypes = .exe
- In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel
  - {871C5380-42A0-1069-A2EA-08002B30309D} = 1
Step 5
Restore the modified registry values.
Warning: The registry is the database that stores Windows configuration information. If a registry edit goes wrong, the system may stop working properly.
Edit the registry at your own risk. We cannot compensate for any problem caused by editing the registry.
Before editing the registry, refer to this page.
- In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
  - From: ShowSuperHidden = 0
    To: ShowSuperHidden = 1
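Step 6
Delete these registry keys.
Warning: The registry is the database that stores Windows configuration information. If a registry edit goes wrong, the system may stop working properly.
Edit the registry at your own risk. We cannot compensate for any problem caused by editing the registry.
Before editing the registry, refer to this page.
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options (delete the subkeys the worm added under this key, not the key itself)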
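Step 7
Restore the deleted registry keys.
- In the left panel of Registry Editor, double-click the following key:
  HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Control>SafeBoot>Minimal
- Right-click the [Minimal] key folder and select [New]-[Key]. Enter the following as the name of the new key:
  {4D36E967-E325-11CE-BFC1-08002BE10318}
- Right-click the value name of the newly created key and select [Modify]. Enter the following in the [Value data] field:
  DiskDrive
- Next, in the left panel of Registry Editor, double-click the following key:
  HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Control>SafeBoot>Network
- Right-click the [Network] key folder and select [New]-[Key]. Enter the following as the name of the new key:
  {4D36E967-E325-11CE-BFC1-08002BE10318}
- Right-click the value name of the newly created key and select [Modify]. Enter the following in the [Value data] field:
  DiskDrive
- Close Registry Editor.
Step 8
Remove the strings that the malware, grayware or spyware added to the HOSTS file.
Step 9
Search for and delete the following folders.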
- %System%\qdlajbhqqq
- %System Root%\VSPS
- %System%\mohquqcbsv
Step 10
Search for and delete the following files.
- %All Users%\Desktop\Intennet Exploner.lnk
- %All Users%\Desktop\¸Ä±äÄãµÄÒ»Éú.url
- %All Users%\Desktop\ÌÔ±¦¹ºÎïA.url
- %All Users%\Desktop\Ãâ·ÑµçÓ°C.url
- %User Profile%\Favorites\&çÍ·×ÍøÖ·µ¼º½&.url
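Step 11
Scan the computer with an antivirus product that has the latest version (engine and pattern file) installed, and delete every file detected as WORM_KILLAV.AB. If the detected files have already been cleaned, quarantined or deleted by our antivirus product, handling of the virus is complete and no further removal steps are needed.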
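To confirm which of the registry changes from steps 4, 5 and 7 are present on a host before or after cleanup, the checks can be run offline against a regedit export. The script below is an added example, not a Trend Micro tool: the names `parse_reg` and `audit` and the sample export are constructed for illustration, and it assumes the export is regedit "Version 5.00" text covering the listed keys. Step 6 is not covered.

```python
import re

# Indicators copied from steps 4, 5 and 7 of the removal procedure above.
HKCU = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
HKLM_CTL = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control"
ADDED_VALUES = [  # step 4: (key, value name, data) the procedure deletes
    (r"HKEY_CLASSES_ROOT\exefile", "NeverShowExt", "1"),
    (HKLM_CTL + r"\StorageDevicePolicies", "WriteProtect", "0"),
    (HKCU + r"\Policies\Associations", "ModRiskFileTypes", ".exe"),
    (HKCU + r"\Explorer\HideDesktopIcons\NewStartPanel",
     "{871C5380-42A0-1069-A2EA-08002B30309D}", "1"),
]
MODIFIED_VALUES = [  # step 5: (key, value name, modified data, data to restore)
    (HKCU + r"\Explorer\Advanced", "ShowSuperHidden", "0", "1"),
]
SAFEBOOT = HKLM_CTL + r"\SafeBoot"
DISK_CLASS = "{4D36E967-E325-11CE-BFC1-08002BE10318}"  # step 7 key, default "DiskDrive"

VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
DWORD_RE = re.compile(r"dword:([0-9a-fA-F]{1,8})$")


def _unescape(s):
    """Undo .reg escaping of backslashes and double quotes."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Parse export text into {key.lower(): {value_name.lower(): data as str}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
            continue
        m = VALUE_RE.match(line)
        if current is None or not m:
            continue  # header line, blank line or hex continuation
        name, data = m.groups()
        name = "@" if name == "@" else _unescape(name[1:-1]).lower()
        dword = DWORD_RE.match(data)
        if dword:  # REG_DWORD becomes a decimal string
            data = str(int(dword.group(1), 16))
        elif len(data) >= 2 and data[0] == data[-1] == '"':  # REG_SZ
            data = _unescape(data[1:-1])
        current[name] = data
    return keys


def audit(text):
    """Return (step, key, action) for each indicator present in the export."""
    reg, findings = parse_reg(text), []
    for key, name, data in ADDED_VALUES:
        found = reg.get(key.lower(), {}).get(name.lower())
        if found is not None and found.lower() == data.lower():
            findings.append((4, key, f"delete value {name} = {found}"))
    for key, name, bad, good in MODIFIED_VALUES:
        if reg.get(key.lower(), {}).get(name.lower()) == bad:
            findings.append((5, key, f"set {name} from {bad} back to {good}"))
    for mode in ("Minimal", "Network"):
        parent = f"{SAFEBOOT}\\{mode}"
        if parent.lower() not in reg:
            continue  # branch not exported: nothing can be concluded
        child = reg.get(f"{parent}\\{DISK_CLASS}".lower())
        if child is None or child.get("@") != "DiskDrive":
            findings.append((7, parent, f"recreate {DISK_CLASS} = DiskDrive"))
    return findings


# Constructed sample, not taken from a real host. Real regedit 5.00 exports are
# UTF-16: read them with open(path, encoding="utf-16").
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile]
@="Application"
"NeverShowExt"="1"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies]
"WriteProtect"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network]
"""

if __name__ == "__main__":
    for step, key, action in audit(SAMPLE_EXPORT):
        print(f"step {step}: {key}: {action}")
```

A SafeBoot branch is reported only when its parent key appears in the export, so an export limited to other keys does not produce a false step 7 finding.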