“Trojan-PSW.Win32.OnLineGames.uw”的意思、由来-中文百科全书

基本信息

病毒名称

Trojan-PSW.Win32.OnLineGames.uw

中文名称

盗窃者

病毒类型

木马类

文件 MD5

48dfe0f0633d321670dfdecb144673e7

公开范围

完全公开

危害等级

文件长度

脱壳前 41,343 字节，脱壳后200,704 字节

感染系统

Win9X以上系统

开发工具

Microsoft Visual C++ 6.0

加壳工具

NsPacK V3.7 -> LiuXingPing [Overlay]

行为分析

1 、衍生下列副本与文件：

%Program Files%\\bxiedby.inf

%Program Files%\\meex.exe

%WinDir%\\cmdbcs.exe

%WinDir%\\Kvsc3.exe

%WinDir%\\mppds.exe

%WinDir%\\upxdnd.exe

%System32%\\5E15.dll

%System32%\\10J20.dll

%System32%\\cmdbcs.dll

%System32%\\Kvsc3.dll

%System32%\\mppds.dll

%System32%\wiztlbb.dll

%System32%\wiztlbu.exe

%System32%\wizwmgjs.dll

%System32%\wizwmgjs.exe

%System32%\\RemoteDbg.dll

%System32%\\upxdnd.dll

%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe

%Program Files%\\Common Files\\System\\ccqwyxt.exe

2 、新建下列应用程序注册表执行映射键值：

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\

CurrentVersion\\Image File Execution Options\\360rpt.exe\\Debugger

Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe"

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\

Image File Execution Options\\360Safe.exe\\Debugger

Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe"

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\

Image File Execution Options\\360tray.exe\\Debugger

Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe"

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\

Image File Execution Options\\adam.exe\\Debugger

Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe"

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\

Image File Execution Options\\AgentSvr.exe\\Debugger

Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe"

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\

Image File Execution Options\\AppSvc32.exe\\Debugger

Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe"

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\

Image File Execution Options\\ArSwp.exe\\Debugger

Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe"

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\

Image File Execution Options\\AST.exe\\Debugger

Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe"

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\

Image File Execution Options\\autoruns.exe\\Debugger

Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe"

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\

Image File Execution Options\\avconsol.exe\\Debugger

Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe"

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\

Image File Execution Options\\avgrssvc.exe\\Debugger

Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe"

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\

Image File Execution Options\\AvMonitor.exe\\Debugger

Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe"

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\

Image File Execution Options\\avp\\Debugger

Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe"

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\

Image File Execution Options\\avp.exe\\Debugger

Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe"

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\

Image File Execution Options\\CCenter.exe\\Debugger

Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe"

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\

Image File Execution Options\\ccSvcHst.exe\\Debugger

Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe"

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\

Image File Execution Options\\EGHOST.exe\\Debugger

Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe"

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\

Image File Execution Options\\FileDsty.exe\\Debugger

Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe"

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\

Image File Execution Options\\FTCleanerShell.exe\\Debugger

Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe"

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\

Image File Execution Options\\FYFireWall.exe\\Debugger

Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe"

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\

Image File Execution Options\\HijackThis.exe\\Debugger

Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe"

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\

Image File Execution Options\\IceSword.exe\\Debugger

Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe"

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\

Image File Execution Options\\iparmo.exe\\Debugger

Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe"

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\

Image File Execution Options\\Iparmor.exe\\Debugger

Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe"

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\

Image File Execution Options\\isPwdSvc.exe\\Debugger

Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe"

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\

Image File Execution Options\\kabaload.exe\\Debugger

Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe"

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\

Image File Execution Options\\KaScrScn.SCR\\Debugger

Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe"

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\

Image File Execution Options\\KASMain.exe\\Debugger

Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe"

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\

Image File Execution Options\\KASTask.exe\\Debugger

Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe"

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\

Image File Execution Options\\KAV32.exe\\Debugger

Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe"

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\

Image File Execution Options\\KAVDX.exe\\Debugger

Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe"

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\

Image File Execution Options\\KAVPF.exe\\Debugger

Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe"

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\

Image File Execution Options\\KAVPFW.exe\\Debugger

Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe"

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\

Image File Execution Options\\KAVSetup.exe\\Debugger

Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe"

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\

Image File Execution Options\\KAVStart.exe\\Debugger

Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe"

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\

Image File Execution Options\\KISLnchr.exe\\Debugger

Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe"

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\

Image File Execution Options\\KMailMon.exe\\Debugger

Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe"

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\

Image File Execution Options\\KMFilter.exe\\Debugger

Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe"

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\

Image File Execution Options\\KPFW32.exe\\Debugger

Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe"

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\

Image File Execution Options\\KPFW32X.exe\\Debugger

Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe"

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\

Image File Execution Options\\KPfwSvc.exe\\Debugger

Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe"

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\

Image File Execution Options\\KRegEx.exe\\Debugger

Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe"

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\

Image File Execution Options\\KRepair\\Debugger

Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe"

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\

Image File Execution Options\\KsLoader.exe\\Debugger

Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe"

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\

Image File Execution Options\\KVCenter.kxp\\Debugger

Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe"

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\

Image File Execution Options\\KvDetect.exe\\Debugger

Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe"

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\

Image File Execution Options\\KvfwMcl.exe\\Debugger

Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe"

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\

Image File Execution Options\\KVMonXP.kxp\\Debugger

Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe"

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\

Image File Execution Options\\KVMonXP_1.kxp\\Debugger

Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe"

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\

Image File Execution Options\\kvol.exe\\Debugger

Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe"

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\

Image File Execution Options\\kvolself.exe\\Debugger

Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe"

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\

Image File Execution Options\\KvReport.kxp\\Debugger

Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe"

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\

Image File Execution Options\\KVScan.kxp\\Debugger

Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe"

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\

Image File Execution Options\\KVSrvXP.exe\\Debugger

Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe"

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\

Image File Execution Options\\KVStub.kxp\\Debugger

Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe"

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\

Image File Execution Options\\kvupload.exe\\Debugger

Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe"

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\

Image File Execution Options\\kvwsc.exe\\Debugger

Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe"

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\

Image File Execution Options\\KvXP.kxp\\Debugger

Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe"

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\

Image File Execution Options\\KvXP_1.kxp\\Debugger

Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe"

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\

Image File Execution Options\\KWatch.exe\\Debugger

Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe"

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\

Image File Execution Opions\\KWatch9x.exe\\Debugger

Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe"

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\

Image File Execution Options\\KWatchX.exe\\Debugger

Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe"

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\

Image File Execution Options\\loaddll.exe\\Debugger

Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe"

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\

Image File Execution Options\\MagicSet.exe\\Debugger

Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe"

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\

Image File Execution Options\\mcconsol.exe\\Debugger

Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe"

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\

Image File Executin Options\\mmqczj.exe\\Debugger

Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe"

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\

Image File Execution Options\\mmsk.exe\\Debugger

Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe"

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\

Image File Execution Options\avapsvc.exe\\Debugger

Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe"

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\

Image File Execution Options\avapw32.exe\\Debugger

Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe"

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\

Image File Execution Options\od32.exe\\Debugger

Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe"

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\

Image File Execution Options\od32krn.exe\\Debugger

Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe"

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\

Image File Execution Options\od32kui.exe\\Debugger

Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe"

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\

Image File Execution Options\PFMntor.exe\\Debugger

Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe"

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\

Image File Execution Options\\PFW.exe\\Debugger

Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe"

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\

Image File Execution Options\\PFWLiveUpdate.exe\\Debugger

Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe"

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\

Image File Execution Options\\QHSET.exe\\Debugger

Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe"

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\

Image File Execution Options\\QQDoctor.exe\\Debugger

Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe"

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\

Image File Execution Options\\QQKav.exe\\Debugger

Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe"

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\

Image File Execution Options\\Ras.exe\\Debugger

Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe"

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\

Image File Execution Options\\Rav.exe\\Debugger

Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe"

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\

Image File Execution Options\\RavMon.exe\\Debugger

Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe"

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\

Image File Execution Options\\RavMonD.exe\\Debugger

Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe"

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\

Image File Execution Options\\RavStub.exe\\Debugger

Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe"

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\

Image File Execution Options\\RavTask.exe\\Debugger

Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe"

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\

Image File Execution Options\\RegClean.exe\\Debugger

Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe"

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\

Image File Execution Options\\rfwcfg.exe\\Debugger

Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe"

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\

Image File Execution Options\\rfwmain.exe\\Debugger

Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe"

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\

Image File Execution Options\\rfwsrv.exe\\Debugger

Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe"

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\

Image File Execution Options\\RsAgent.exe\\Debugger

Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe"

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\

Image File Execution Options\\Rsaupd.exe\\Debugger

Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe"

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\

Image File Execution Options\\runiep.exe\\Debugger

Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe"

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\

Image File Execution Options\\safelive.exe\\Debugger

Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe"

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\

Image File Execution Options\\scan32.exe\\Debugger

Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe"

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\

Image File Execution Options\\shcfg32.exe\\Debugger

Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe"

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\

Image File Execution Options\\SmartUp.exe\\Debugger

Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe"

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\

Image File Execution Options\\SREng.EXE\\Debugger

Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe"

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\

Image File Execution Options\\symlcsvc.exe\\Debugger

Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe"

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\

Image File Execution Options\\SysSafe.exe\\Debugger

Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe"

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\

Image File Execution Options\\TrojanDetector.exe\\Debugger

Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe"

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\

Image File Execution Options\\Trojanwall.exe\\Debugger

Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe"

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\

Image File Execution Options\\TrojDie.kxp\\Debugger

Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe"

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\

Image File Execution Options\\UIHost.exe\\Debugger

Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe"

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\

Image File Execution Options\\UmxAgent.exe\\Debugger

Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe"

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\

Image File Execution Options\\UmxAttachment.exe\\Debugger

Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe"

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\

Image File Execution Options\\UmxCfg.exe\\Debugger

Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe"

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\

Image File Execution Options\\UmxFwHlp.exe\\Debugger

Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe"

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\

Image File Execution Options\\UmxPol.exe\\Debugger

Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe"

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\

Image File Execution Options\\upiea.exe\\Debugger

Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe"

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\

Image File Execution Options\\UpLive.exe\\Debugger

Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe"

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\

Image File Execution Options\\USBCleaner.exe\\Debugger

Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe"

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\

Image File Execution Options\\vsstat.exe\\Debugger

Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe"

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\

Image File Execution Options\\webscanx.exe\\Debugger

Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe"

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\

Image File Execution Options\\WoptiClean.exe\\Debugger

Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe"

3 、新建下列注册表自动运行键值：

HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\RemoteDbg\\Description

Value: String: " 允许 Administrators 组的成员进行远程调试。 "

HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\RemoteDbg\\DisplayName

Value: String: "Remote Debug Service"

HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\RemoteDbg\\ImagePath

Value: Type: REG_EXPAND_SZ Length: 53 (0x35) bytes

%WinDir%System32\\rundll32.exe RemoteDbg.dll,input.

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\bxiedby

Value: String: "%Program Files%\\Common Files\\System\\ccqwyxt.exe"

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\cmdbcs

Value: String: "%WinDir%\\cmdbcs.exe"

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Kvsc3

Value: String: "%WinDir%\\Kvsc3.exe"

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\mppds

Value: String: "%WinDir%\\mppds.exe"

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\oatrfhf

Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe"

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\upxdnd

Value: String: "%WinDir%upxdnd.exe"

4 、修改下列注册表键值：

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\

CurrentVersion\\Prefetcher\\LastTraceFailure

New: DWORD: 4 (0x4)

Old: DWORD: 0 (0)

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\

CurrentVersion\\Prefetcher\\TracesProcessed

New: DWORD: 50 (0x32)

Old: DWORD: 0 (0)

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\

CurrentVersion\\Prefetcher\\TracesSuccessful

New: DWORD: 49 (0x31)

Old: DWORD: 0 (0)

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\

Explorer\\Advanced\\Folder\\Hidden\\SHOWALL\\CheckedValue

New: DWORD: 0 (0)

Old: DWORD: 1 (0x1)

HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\helpsvc\\Start

New: DWORD: 4 (0x4)

Old: DWORD: 2 (0x2)

HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\SharedAccess\\Start

New: DWORD: 4 (0x4)

Old: DWORD: 3 (0x3)

HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\wuauserv\\Start

New: DWORD: 4 (0x4)

Old: DWORD: 2 (0x2)

HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\helpsvc\\Start

New: DWORD: 4 (0x4)

Old: DWORD: 2 (0x2)

HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Start

New: DWORD: 4 (0x4)

Old: DWORD: 3 (0x3)

HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\wuauserv\\Start

New: DWORD: 4 (0x4)

Old: DWORD: 2 (0x2)

5 、删除下列注册表键值：

HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SafeBoot\\

Minimal\\{4D36E967-E325-11CE-BFC1-08002BE10318}\\

HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SafeBoot\\

Minimal\\{4D36E967-E325-11CE-BFC1-08002BE10318}\\@

Value: String: "DiskDrive"

HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SafeBoot\\

Network\\{4D36E967-E325-11CE-BFC1-08002BE10318}\\

HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SafeBoot\\

Network\\{4D36E967-E325-11CE-BFC1-08002BE10318}\\@

Value: String: "DiskDrive"

HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\

Minimal\\{4D36E967-E325-11CE-BFC1-08002BE10318}\\

HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\

Minimal\\{4D36E967-E325-11CE-BFC1-08002BE10318}\\@

Value: String: "DiskDrive"

HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\

Network\\{4D36E967-E325-11CE-BFC1-08002BE10318}\\

HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\

Network\\{4D36E967-E325-11CE-BFC1-08002BE10318}\\@

Value: String: "DiskDrive"

6、访问下列服务器地址，下载病毒体到本机运行：

(5*.5*.5*.9*)qq.5*0*f/81/11.exe

qq.5*0*f/*j/yj*6*9.txt( 读取此文件，以获得病毒更新地址 )

www.5*60*.cn/xzz/xxxxxxxx.exe

注： % System% 是一个可变路径。病毒通过查询操作系统来决定当前 System 文件夹的位置。 Windows2000/NT 中默认的安装路径是 C:\\Winnt\\System32 ， windows95/98/me 中默认的安装路径是 C:\\Windows\\System ， windowsXP 中默认的安装路径是 C:\\Windows\\System32 。

清除方案

1 、使用安天木马防线可彻底清除此病毒 ( 推荐 )

2 、手工清除请按照行为分析删除对应文件，恢复相关系统设置。

(1)使用安天木马防线断开网络，结束病毒进程：

ccqwyxt.exe

irijjmn.exe

(2)删除病毒衍生文件：

%Program Files%\\bxiedby.inf

%Program Files%\\meex.exe

%WinDir%\\cmdbcs.exe

%WinDir%\\Kvsc3.exe

%WinDir%\\mppds.exe

%WinDir%\\upxdnd.exe

%System32%\\5E15.dll

%System32%\\10J20.dll

%System32%\\cmdbcs.dll

%System32%\\Kvsc3.dll

%System32%\\mppds.dll

%System32%\wiztlbb.dll

%System32%\wiztlbu.exe

%System32%\wizwmgjs.dll

%System32%\wizwmgjs.exe

%System32%\\RemoteDbg.dll

%System32%\\upxdnd.dll

%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe

%Program Files%\\Common Files\\System\\ccqwyxt.exe

(3)删除下列注册表键值：

HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\

Services\\RemoteDbg\\Description

Value: String: " 允许 Administrators 组的成员进行远程调试。 "

HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\

Services\\RemoteDbg\\DisplayName

Value: String: "Remote Debug Service"

HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\

Services\\RemoteDbg\\ImagePath

Value: Type: REG_EXPAND_SZ Length: 53 (0x35) bytes

%WinDir%System32\\rundll32.exe RemoteDbg.dll,input.

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\

CurrentVersion\\Run\\bxiedby

Value: String: "%Program Files%\\Common

Files\\System\\ccqwyxt.exe"

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\

CurrentVersion\\Run\\cmdbcs

Value: String: "%WinDir%\\cmdbcs.exe"

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\

CurrentVersion\\Run\\Kvsc3

Value: String: "%WinDir%\\Kvsc3.exe"

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\

CurrentVersion\\Run\\mppds

Value: String: "%WinDir%\\mppds.exe"

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\

CurrentVersion\\Run\\oatrfhf

Value: String: "%Program Files%\\Common Files\\

MicrosoftShared\\irijjmn.exe"

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\

CurrentVersion\\Run\\upxdnd

Value: String: "%WinDir%upxdnd.exe"

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsNT\\

CurrentVersion\\Image File Execution Options\\*.*

( 此外为列出的新建的键值 )\\Debugger

(4)恢复注册表修改项：

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsNT\\

CurrentVersion\\Prefetcher\\LastTraceFailure

New: DWORD: 4 (0x4)

Old: DWORD: 0 (0)

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsNT\\

CurrentVersion\\Prefetcher\\TracesProcessed

New: DWORD: 50 (0x32)

Old: DWORD: 0 (0)

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsNT\\

CurrentVersion\\Prefetcher\\TracesSuccessful

New: DWORD: 49 (0x31)

Old: DWORD: 0 (0)

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\

CurrentVersion\\Explorer\\Advanced\\Folder\\

Hidden\\SHOWALL\\CheckedValue

New: DWORD: 0 (0)

Old: DWORD: 1 (0x1)

HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\

Services\\helpsvc\\Start

New: DWORD: 4 (0x4)

Old: DWORD: 2 (0x2)

HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\

Services\\SharedAccess\\Start

New: DWORD: 4 (0x4)

Old: DWORD: 3 (0x3)

HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\

Services\\wuauserv\\Start

New: DWORD: 4 (0x4)

Old: DWORD: 2 (0x2)

HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\

Services\\helpsvc\\Start

New: DWORD: 4 (0x4)

Old: DWORD: 2 (0x2)

HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\

Services\\SharedAccess\\Start

New: DWORD: 4 (0x4)

Old: DWORD: 3 (0x3)

HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\

Services\\wuauserv\\Start

New: DWORD: 4 (0x4)

Old: DWORD: 2 (0x2)

词条	Trojan-PSW.Win32.OnLineGames.uw
释义	该病毒运行后，衍生病毒文件到多个目录下，添加注册表多处启动项，并修改文件执行映射以启动病毒体。病毒体连接网络下载其它病毒体到本机运行，下载的病毒病毒体多为网络游戏盗号程序。由于该病毒修改了多处程序执行映射，可能会造成用户应用程序不能运行。此病毒可通过移动存储体传播。基本信息(病毒名称中文名称病毒类型文件 MD5 公开范围危害等级文件长度感染系统开发工具加壳工具) 行为分析清除方案基本信息病毒名称 Trojan-PSW.Win32.OnLineGames.uw 中文名称盗窃者病毒类型木马类文件 MD5 48dfe0f0633d321670dfdecb144673e7 公开范围完全公开危害等级 4 文件长度脱壳前 41,343 字节，脱壳后200,704 字节感染系统 Win9X以上系统开发工具 Microsoft Visual C++ 6.0 加壳工具 NsPacK V3.7 -> LiuXingPing [Overlay] 行为分析 1 、衍生下列副本与文件： %Program Files%\\bxiedby.inf %Program Files%\\meex.exe %WinDir%\\cmdbcs.exe %WinDir%\\Kvsc3.exe %WinDir%\\mppds.exe %WinDir%\\upxdnd.exe %System32%\\5E15.dll %System32%\\10J20.dll %System32%\\cmdbcs.dll %System32%\\Kvsc3.dll %System32%\\mppds.dll %System32%\wiztlbb.dll %System32%\wiztlbu.exe %System32%\wizwmgjs.dll %System32%\wizwmgjs.exe %System32%\\RemoteDbg.dll %System32%\\upxdnd.dll %Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe %Program Files%\\Common Files\\System\\ccqwyxt.exe 2 、新建下列应用程序注册表执行映射键值： HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\ CurrentVersion\\Image File Execution Options\\360rpt.exe\\Debugger Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ Image File Execution Options\\360Safe.exe\\Debugger Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ Image File Execution Options\\360tray.exe\\Debugger Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ Image File Execution Options\\adam.exe\\Debugger Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ Image File Execution Options\\AgentSvr.exe\\Debugger Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ Image File Execution Options\\AppSvc32.exe\\Debugger Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ Image File Execution Options\\ArSwp.exe\\Debugger Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ Image File Execution Options\\AST.exe\\Debugger Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ Image File Execution Options\\autoruns.exe\\Debugger Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ Image File Execution Options\\avconsol.exe\\Debugger Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ Image File Execution Options\\avgrssvc.exe\\Debugger Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ Image File Execution Options\\AvMonitor.exe\\Debugger Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ Image File Execution Options\\avp\\Debugger Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ Image File Execution Options\\avp.exe\\Debugger Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ Image File Execution Options\\CCenter.exe\\Debugger Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ Image File Execution Options\\ccSvcHst.exe\\Debugger Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ Image File Execution Options\\EGHOST.exe\\Debugger Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ Image File Execution Options\\FileDsty.exe\\Debugger Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ Image File Execution Options\\FTCleanerShell.exe\\Debugger Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ Image File Execution Options\\FYFireWall.exe\\Debugger Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ Image File Execution Options\\HijackThis.exe\\Debugger Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ Image File Execution Options\\IceSword.exe\\Debugger Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ Image File Execution Options\\iparmo.exe\\Debugger Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ Image File Execution Options\\Iparmor.exe\\Debugger Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ Image File Execution Options\\isPwdSvc.exe\\Debugger Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ Image File Execution Options\\kabaload.exe\\Debugger Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ Image File Execution Options\\KaScrScn.SCR\\Debugger Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ Image File Execution Options\\KASMain.exe\\Debugger Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ Image File Execution Options\\KASTask.exe\\Debugger Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ Image File Execution Options\\KAV32.exe\\Debugger Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ Image File Execution Options\\KAVDX.exe\\Debugger Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ Image File Execution Options\\KAVPF.exe\\Debugger Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ Image File Execution Options\\KAVPFW.exe\\Debugger Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ Image File Execution Options\\KAVSetup.exe\\Debugger Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ Image File Execution Options\\KAVStart.exe\\Debugger Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ Image File Execution Options\\KISLnchr.exe\\Debugger Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ Image File Execution Options\\KMailMon.exe\\Debugger Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ Image File Execution Options\\KMFilter.exe\\Debugger Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ Image File Execution Options\\KPFW32.exe\\Debugger Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ Image File Execution Options\\KPFW32X.exe\\Debugger Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ Image File Execution Options\\KPfwSvc.exe\\Debugger Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ Image File Execution Options\\KRegEx.exe\\Debugger Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ Image File Execution Options\\KRepair\\Debugger Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ Image File Execution Options\\KsLoader.exe\\Debugger Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ Image File Execution Options\\KVCenter.kxp\\Debugger Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ Image File Execution Options\\KvDetect.exe\\Debugger Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ Image File Execution Options\\KvfwMcl.exe\\Debugger Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ Image File Execution Options\\KVMonXP.kxp\\Debugger Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ Image File Execution Options\\KVMonXP_1.kxp\\Debugger Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ Image File Execution Options\\kvol.exe\\Debugger Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ Image File Execution Options\\kvolself.exe\\Debugger Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ Image File Execution Options\\KvReport.kxp\\Debugger Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ Image File Execution Options\\KVScan.kxp\\Debugger Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ Image File Execution Options\\KVSrvXP.exe\\Debugger Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ Image File Execution Options\\KVStub.kxp\\Debugger Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ Image File Execution Options\\kvupload.exe\\Debugger Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ Image File Execution Options\\kvwsc.exe\\Debugger Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ Image File Execution Options\\KvXP.kxp\\Debugger Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ Image File Execution Options\\KvXP_1.kxp\\Debugger Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ Image File Execution Options\\KWatch.exe\\Debugger Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ Image File Execution Opions\\KWatch9x.exe\\Debugger Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ Image File Execution Options\\KWatchX.exe\\Debugger Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ Image File Execution Options\\loaddll.exe\\Debugger Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ Image File Execution Options\\MagicSet.exe\\Debugger Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ Image File Execution Options\\mcconsol.exe\\Debugger Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ Image File Executin Options\\mmqczj.exe\\Debugger Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ Image File Execution Options\\mmsk.exe\\Debugger Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ Image File Execution Options\avapsvc.exe\\Debugger Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ Image File Execution Options\avapw32.exe\\Debugger Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ Image File Execution Options\od32.exe\\Debugger Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ Image File Execution Options\od32krn.exe\\Debugger Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ Image File Execution Options\od32kui.exe\\Debugger Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ Image File Execution Options\PFMntor.exe\\Debugger Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ Image File Execution Options\\PFW.exe\\Debugger Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ Image File Execution Options\\PFWLiveUpdate.exe\\Debugger Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ Image File Execution Options\\QHSET.exe\\Debugger Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ Image File Execution Options\\QQDoctor.exe\\Debugger Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ Image File Execution Options\\QQKav.exe\\Debugger Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ Image File Execution Options\\Ras.exe\\Debugger Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ Image File Execution Options\\Rav.exe\\Debugger Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ Image File Execution Options\\RavMon.exe\\Debugger Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ Image File Execution Options\\RavMonD.exe\\Debugger Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ Image File Execution Options\\RavStub.exe\\Debugger Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ Image File Execution Options\\RavTask.exe\\Debugger Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ Image File Execution Options\\RegClean.exe\\Debugger Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ Image File Execution Options\\rfwcfg.exe\\Debugger Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ Image File Execution Options\\rfwmain.exe\\Debugger Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ Image File Execution Options\\rfwsrv.exe\\Debugger Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ Image File Execution Options\\RsAgent.exe\\Debugger Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ Image File Execution Options\\Rsaupd.exe\\Debugger Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ Image File Execution Options\\runiep.exe\\Debugger Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ Image File Execution Options\\safelive.exe\\Debugger Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ Image File Execution Options\\scan32.exe\\Debugger Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ Image File Execution Options\\shcfg32.exe\\Debugger Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ Image File Execution Options\\SmartUp.exe\\Debugger Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ Image File Execution Options\\SREng.EXE\\Debugger Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ Image File Execution Options\\symlcsvc.exe\\Debugger Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ Image File Execution Options\\SysSafe.exe\\Debugger Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ Image File Execution Options\\TrojanDetector.exe\\Debugger Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ Image File Execution Options\\Trojanwall.exe\\Debugger Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ Image File Execution Options\\TrojDie.kxp\\Debugger Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ Image File Execution Options\\UIHost.exe\\Debugger Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ Image File Execution Options\\UmxAgent.exe\\Debugger Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ Image File Execution Options\\UmxAttachment.exe\\Debugger Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ Image File Execution Options\\UmxCfg.exe\\Debugger Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ Image File Execution Options\\UmxFwHlp.exe\\Debugger Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ Image File Execution Options\\UmxPol.exe\\Debugger Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ Image File Execution Options\\upiea.exe\\Debugger Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ Image File Execution Options\\UpLive.exe\\Debugger Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ Image File Execution Options\\USBCleaner.exe\\Debugger Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ Image File Execution Options\\vsstat.exe\\Debugger Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ Image File Execution Options\\webscanx.exe\\Debugger Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ Image File Execution Options\\WoptiClean.exe\\Debugger Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe" 3 、新建下列注册表自动运行键值： HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\RemoteDbg\\Description Value: String: " 允许 Administrators 组的成员进行远程调试。 " HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\RemoteDbg\\DisplayName Value: String: "Remote Debug Service" HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\RemoteDbg\\ImagePath Value: Type: REG_EXPAND_SZ Length: 53 (0x35) bytes %WinDir%System32\\rundll32.exe RemoteDbg.dll,input. HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\bxiedby Value: String: "%Program Files%\\Common Files\\System\\ccqwyxt.exe" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\cmdbcs Value: String: "%WinDir%\\cmdbcs.exe" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Kvsc3 Value: String: "%WinDir%\\Kvsc3.exe" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\mppds Value: String: "%WinDir%\\mppds.exe" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\oatrfhf Value: String: "%Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\upxdnd Value: String: "%WinDir%upxdnd.exe" 4 、修改下列注册表键值： HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\ CurrentVersion\\Prefetcher\\LastTraceFailure New: DWORD: 4 (0x4) Old: DWORD: 0 (0) HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\ CurrentVersion\\Prefetcher\\TracesProcessed New: DWORD: 50 (0x32) Old: DWORD: 0 (0) HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\ CurrentVersion\\Prefetcher\\TracesSuccessful New: DWORD: 49 (0x31) Old: DWORD: 0 (0) HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ Explorer\\Advanced\\Folder\\Hidden\\SHOWALL\\CheckedValue New: DWORD: 0 (0) Old: DWORD: 1 (0x1) HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\helpsvc\\Start New: DWORD: 4 (0x4) Old: DWORD: 2 (0x2) HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\SharedAccess\\Start New: DWORD: 4 (0x4) Old: DWORD: 3 (0x3) HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\wuauserv\\Start New: DWORD: 4 (0x4) Old: DWORD: 2 (0x2) HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\helpsvc\\Start New: DWORD: 4 (0x4) Old: DWORD: 2 (0x2) HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Start New: DWORD: 4 (0x4) Old: DWORD: 3 (0x3) HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\wuauserv\\Start New: DWORD: 4 (0x4) Old: DWORD: 2 (0x2) 5 、删除下列注册表键值： HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SafeBoot\\ Minimal\\{4D36E967-E325-11CE-BFC1-08002BE10318}\\ HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SafeBoot\\ Minimal\\{4D36E967-E325-11CE-BFC1-08002BE10318}\\@ Value: String: "DiskDrive" HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SafeBoot\\ Network\\{4D36E967-E325-11CE-BFC1-08002BE10318}\\ HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SafeBoot\\ Network\\{4D36E967-E325-11CE-BFC1-08002BE10318}\\@ Value: String: "DiskDrive" HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\ Minimal\\{4D36E967-E325-11CE-BFC1-08002BE10318}\\ HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\ Minimal\\{4D36E967-E325-11CE-BFC1-08002BE10318}\\@ Value: String: "DiskDrive" HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\ Network\\{4D36E967-E325-11CE-BFC1-08002BE10318}\\ HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\ Network\\{4D36E967-E325-11CE-BFC1-08002BE10318}\\@ Value: String: "DiskDrive" 6、访问下列服务器地址，下载病毒体到本机运行： (5.5.5.9)qq.50f/81/11.exe qq.50f/j/yj69.txt( 读取此文件，以获得病毒更新地址 ) www.560.cn/xzz/xxxxxxxx.exe 注： % System% 是一个可变路径。病毒通过查询操作系统来决定当前 System 文件夹的位置。 Windows2000/NT 中默认的安装路径是 C:\\Winnt\\System32 ， windows95/98/me 中默认的安装路径是 C:\\Windows\\System ， windowsXP 中默认的安装路径是 C:\\Windows\\System32 。清除方案 1 、使用安天木马防线可彻底清除此病毒 ( 推荐 ) 2 、手工清除请按照行为分析删除对应文件，恢复相关系统设置。 (1)使用安天木马防线断开网络，结束病毒进程： ccqwyxt.exe irijjmn.exe (2)删除病毒衍生文件： %Program Files%\\bxiedby.inf %Program Files%\\meex.exe %WinDir%\\cmdbcs.exe %WinDir%\\Kvsc3.exe %WinDir%\\mppds.exe %WinDir%\\upxdnd.exe %System32%\\5E15.dll %System32%\\10J20.dll %System32%\\cmdbcs.dll %System32%\\Kvsc3.dll %System32%\\mppds.dll %System32%\wiztlbb.dll %System32%\wiztlbu.exe %System32%\wizwmgjs.dll %System32%\wizwmgjs.exe %System32%\\RemoteDbg.dll %System32%\\upxdnd.dll %Program Files%\\Common Files\\Microsoft Shared\\irijjmn.exe %Program Files%\\Common Files\\System\\ccqwyxt.exe (3)删除下列注册表键值： HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\ Services\\RemoteDbg\\Description Value: String: " 允许 Administrators 组的成员进行远程调试。 " HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\ Services\\RemoteDbg\\DisplayName Value: String: "Remote Debug Service" HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\ Services\\RemoteDbg\\ImagePath Value: Type: REG_EXPAND_SZ Length: 53 (0x35) bytes %WinDir%System32\\rundll32.exe RemoteDbg.dll,input. HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\ CurrentVersion\\Run\\bxiedby Value: String: "%Program Files%\\Common Files\\System\\ccqwyxt.exe" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\ CurrentVersion\\Run\\cmdbcs Value: String: "%WinDir%\\cmdbcs.exe" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\ CurrentVersion\\Run\\Kvsc3 Value: String: "%WinDir%\\Kvsc3.exe" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\ CurrentVersion\\Run\\mppds Value: String: "%WinDir%\\mppds.exe" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\ CurrentVersion\\Run\\oatrfhf Value: String: "%Program Files%\\Common Files\\ MicrosoftShared\\irijjmn.exe" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\ CurrentVersion\\Run\\upxdnd Value: String: "%WinDir%upxdnd.exe" HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsNT\\ CurrentVersion\\Image File Execution Options\\.* ( 此外为列出的新建的键值 )\\Debugger (4)恢复注册表修改项： HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsNT\\ CurrentVersion\\Prefetcher\\LastTraceFailure New: DWORD: 4 (0x4) Old: DWORD: 0 (0) HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsNT\\ CurrentVersion\\Prefetcher\\TracesProcessed New: DWORD: 50 (0x32) Old: DWORD: 0 (0) HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WindowsNT\\ CurrentVersion\\Prefetcher\\TracesSuccessful New: DWORD: 49 (0x31) Old: DWORD: 0 (0) HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\ CurrentVersion\\Explorer\\Advanced\\Folder\\ Hidden\\SHOWALL\\CheckedValue New: DWORD: 0 (0) Old: DWORD: 1 (0x1) HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\ Services\\helpsvc\\Start New: DWORD: 4 (0x4) Old: DWORD: 2 (0x2) HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\ Services\\SharedAccess\\Start New: DWORD: 4 (0x4) Old: DWORD: 3 (0x3) HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\ Services\\wuauserv\\Start New: DWORD: 4 (0x4) Old: DWORD: 2 (0x2) HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\ Services\\helpsvc\\Start New: DWORD: 4 (0x4) Old: DWORD: 2 (0x2) HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\ Services\\SharedAccess\\Start New: DWORD: 4 (0x4) Old: DWORD: 3 (0x3) HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\ Services\\wuauserv\\Start New: DWORD: 4 (0x4) Old: DWORD: 2 (0x2)
随便看	灿烂中华文明：艺术卷灿烂中华文明(军事卷) 灿然灿然一新灿若繁星灿若明霞灿若烟花(法文) 灿熙灿型杂交水稻灿艺术中心苍苍朮地榆汤苍安水电站苍巴席自然村苍白苍白宝螺苍白秤钩风苍白的茧苍白的时刻苍白的正义苍白杜鹃苍白凤头百灵苍白过路黄苍白鸡油菌苍白密螺旋体