1) disables Windows XP System Restore;
2) disables anti-malware tools so they cannot function: Malwarebytes' Anti-Malware, HijackThis, 360SuperKiller, Bitdefender Total Security 2008, etc.
3) disables the Folder Options settings to show hidden files and folders and to unhide protected operating system files
4) disables the command prompt (cmd.exe)
5) hijacks ctfmon.exe and conime.exe and inserts code into them
6) automatically enables DHCP on the router to access the internet
associated files:
1) qxzv5.exe
2) ctfmon.exe
3) conime.exe
registry related:
HKey_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers\
HKey_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe
HKey_Local_Machine\Software\Microsoft\Windows\CurrentVersion\Run\
HKey_Local_Machine\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\
HKey_Local_Machine\System\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\
HKey_Current_User\Software\Microsoft\Windows\ShellNoRoam\MUICache\
solution:
1) boot the computer from a live CD: Bitdefender or Knoppix
2) clear all files in the Temp folder and in Temporary Internet Files under
a) Windows,
b) Documents and Settings\Default User\Local Settings\
c) Documents and Settings\LocalService\Local Settings\
d) Documents and Settings\NetworkService\Local Settings\
e) Documents and Settings\%current user%\Local Settings\
3) clear all files in System Volume Information in all hard drives
4) delete these files under Windows\system32\
a) qxzv5.exe
b) ctfmon.exe
c) conime.exe
d) wiacmfgr.exe
e) alternative file names: refer to Prevx
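Added example, not part of the original post: a read-only PowerShell audit of the indicators listed above (the dropper file names, the Run key, the Image File Execution Options and AppCompatFlags entries for ctfmon.exe/conime.exe, the firewall authorized-application lists in every control set, and MUICache). It also checks the policy values that commonly produce symptoms 1, 3 and 4 (DisableSR, NoFolderOptions, DisableCMD); those key names are my addition, the post names only the symptoms. It reports and changes nothing, so it can be run before the live-CD cleanup to confirm the infection and again afterwards to confirm the registry is clean. It needs an elevated prompt and uses PowerShell 2.0 syntax so it runs on Windows XP.

```powershell
# Added example (not from the original post): read-only audit of the indicators
# the post lists. It reports findings and removes nothing.
# Run from an elevated PowerShell prompt; PowerShell 2.0 syntax so it works on XP.

$SuspectFiles  = @('qxzv5.exe', 'wiacmfgr.exe')   # dropper names from the post
$HijackedHosts = @('ctfmon.exe', 'conime.exe')    # legitimate binaries the post says are patched

# Enumerate one registry key's values as Key/Name/Data records (nothing if the key is absent).
function Get-RegValues([string]$KeyPath) {
    if (-not (Test-Path $KeyPath)) { return @() }
    $props = Get-ItemProperty -Path $KeyPath
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip the provider's PSPath/PSDrive/... properties
        New-Object PSObject -Property @{ Key = $KeyPath; Name = $p.Name; Data = [string]$p.Value }
    }
}

# True when a value name or its data mentions one of the dropper file names.
function Test-DropperName([string]$Text) {
    foreach ($n in $SuspectFiles) { if ($Text -match [regex]::Escape($n)) { return $true } }
    return $false
}

function Invoke-DropperAudit {
    $findings = @()
    $system32 = Join-Path $env:SystemRoot 'system32'
    $sha256   = [System.Security.Cryptography.SHA256]::Create()

    # Files in system32: dropper names are always suspicious; ctfmon/conime are
    # reported with size and hash so they can be compared with a known-good copy.
    foreach ($name in ($SuspectFiles + $HijackedHosts)) {
        $path = Join-Path $system32 $name
        if (Test-Path $path) {
            $item = Get-Item $path -Force
            $hash = [BitConverter]::ToString($sha256.ComputeHash([IO.File]::ReadAllBytes($path))) -replace '-', ''
            $tag  = if ($SuspectFiles -contains $name) { 'DROPPER FILE' } else { 'VERIFY AGAINST KNOWN-GOOD' }
            $findings += "${tag}: $path size=$($item.Length) sha256=$hash"
        }
    }

    # Run keys and MUICache: flag any value whose name or data references a dropper name.
    $valueKeys = @('HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
                   'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                   'HKCU:\Software\Microsoft\Windows\ShellNoRoam\MUICache')
    foreach ($k in $valueKeys) {
        foreach ($v in Get-RegValues $k) {
            if ((Test-DropperName $v.Name) -or (Test-DropperName $v.Data)) {
                $findings += "REGISTRY: $($v.Key) [$($v.Name)] = $($v.Data)"
            }
        }
    }

    # IFEO: a Debugger value under ctfmon.exe/conime.exe makes Windows start the named
    # program instead of the binary on every launch. A clean system has none for these.
    foreach ($exe in $HijackedHosts) {
        $ifeo = "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$exe"
        $dbg  = Get-RegValues $ifeo | Where-Object { $_.Name -eq 'Debugger' }
        if ($dbg) { $findings += "IFEO HIJACK: $ifeo Debugger = $($dbg.Data)" }
    }

    # AppCompatFlags\Layers: value names are executable paths that were given a compatibility layer.
    foreach ($v in Get-RegValues 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers') {
        $hitsHost = $HijackedHosts | Where-Object { $v.Name -match [regex]::Escape($_) }
        if ((Test-DropperName $v.Name) -or $hitsHost) {
            $findings += "APPCOMPAT LAYER: [$($v.Name)] = $($v.Data)"
        }
    }

    # Firewall exceptions: walk every ControlSet, not only the two the post happened to see.
    $controlSets = Get-ChildItem 'HKLM:\System' -ErrorAction SilentlyContinue |
                   Where-Object { $_.PSChildName -like 'ControlSet*' }
    foreach ($cs in $controlSets) {
        foreach ($fwProfile in 'StandardProfile', 'DomainProfile') {
            $list = "HKLM:\System\$($cs.PSChildName)\Services\SharedAccess\Parameters\FirewallPolicy\$fwProfile\AuthorizedApplications\List"
            foreach ($v in Get-RegValues $list) {
                if (Test-DropperName $v.Name) { $findings += "FIREWALL EXCEPTION: $list [$($v.Name)] = $($v.Data)" }
            }
        }
    }

    # Policy values behind symptoms 1, 3 and 4. These key names are my addition;
    # the post names only the symptoms. A non-zero value means the restriction is in force.
    $policies = @(
        @{ Key = 'HKLM:\Software\Policies\Microsoft\Windows NT\SystemRestore';        Name = 'DisableSR';       Label = 'System Restore disabled (symptom 1)' },
        @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoFolderOptions'; Label = 'Folder Options removed (symptom 3)' },
        @{ Key = 'HKCU:\Software\Policies\Microsoft\Windows\System';                  Name = 'DisableCMD';      Label = 'cmd.exe disabled (symptom 4)' }
    )
    foreach ($pol in $policies) {
        $v = Get-RegValues $pol.Key | Where-Object { $_.Name -eq $pol.Name -and $_.Data -ne '0' }
        if ($v) { $findings += "POLICY: $($pol.Label): $($pol.Key) [$($pol.Name)] = $($v.Data)" }
    }

    return $findings
}

$result = @(Invoke-DropperAudit)
if ($result.Count -eq 0) { 'No indicators from the post found.' } else { $result }
```

The Run-key and MUICache checks match only the two dropper names, because ctfmon.exe legitimately appears in the per-user Run key on XP; for the two hijacked binaries the script instead reports the size and SHA-256 hash so they can be compared against the copies on a clean machine at the same service pack level, and flags the one setting that is never legitimate for them, an IFEO Debugger value.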
contact writer: Ngai Siew Kuen
e-mail:s_k_ngai

Subject:[From Blog] wiacmfgr.exe - malware dropper