Removing the ShareQQ Trojan by Hand

zhaozj 2021-02-08 284

Preface:

This is something I ran into last year. Going through material I had collected earlier, I found it again and it brought back the night it made me miserable. I have recently started using OICQ again, and I don't know whether this kind of Trojan is still around. I'm publishing it now in the hope that anyone still carrying the Trojan gets rid of it as soon as possible :)

1. Open the registry and delete the following key values:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NetConfig"="c:\\winnt\\system32\\spolsv.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Sq]
"LastConfigInformation"="NetConfig"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce]
"WinIn"="c:\\winnt\\winin.exe"

2. Delete the following files:

%windir%\winin.exe - the parent; the following two files are its children. :-)
%windir%\System32\spolsv.exe
%windir%\System32\spolsv.dll

3. File analysis:

(1) winin.exe: according to the registry entry, it runs once after the system has finished starting. Its main task is to check whether spolsv.exe and spolsv.dll exist; if they do not, it drops them again, heh :-)

(2) spolsv.dll: opened with "Quick View", it can be seen to export two functions, StartHook and EndHook. I don't need to say more about what those are for.

(3) spolsv.exe: I did not look at this file in detail, but it does nothing beyond some thieving.

4. Notes:

(1) The virus spreads through e-mail: when the message is opened, the attachment is downloaded automatically.

(2) The virus has a serious bug. Running under Windows NT 4.0 it crashes itself and pops up an error dialog whose title is ShareQQ. Whether the same happens under Win9x, I don't know.
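The manual removal steps above, written out as an added PowerShell script (this is not from the original post and does not exist for the NT 4.0 era; it is a modern rendering of the same checks). It assumes the key and value names exactly as listed above, including the odd "Sq" key, and uses %windir% rather than the hard-coded C:\WINNT. It must run from an elevated prompt.

```powershell
# Added example: report and remove the ShareQQ persistence entries and files.
# Assumptions: key/value names as given in the post; %windir% is the install root.
$ErrorActionPreference = 'Stop'
$win = $env:windir   # C:\WINNT on NT4/2000, C:\Windows on later systems

# Registry values the Trojan uses for persistence (Run / Sq / RunOnce).
$regEntries = @(
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';     Name = 'NetConfig' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Sq';      Name = 'LastConfigInformation' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'; Name = 'WinIn' }
)

# Dropper (winin.exe) and the two files it re-creates if they are missing.
$files = @(
    (Join-Path $win 'winin.exe'),
    (Join-Path $win 'System32\spolsv.exe'),
    (Join-Path $win 'System32\spolsv.dll')
)

# 1. Stop the running components first; the hook DLL is unloaded once its
#    host process is gone, and winin.exe would otherwise re-drop the files.
Get-Process -Name 'spolsv', 'winin' -ErrorAction SilentlyContinue | Stop-Process -Force

# 2. Registry: print what is there, then delete the value (key itself is left alone).
foreach ($e in $regEntries) {
    $item = Get-ItemProperty -Path $e.Key -Name $e.Name -ErrorAction SilentlyContinue
    if ($null -ne $item) {
        Write-Host "Found $($e.Key)\$($e.Name) = $($item.($e.Name))"
        Remove-ItemProperty -Path $e.Key -Name $e.Name
    }
}

# 3. Files: delete all three; a DLL still mapped into a process cannot be removed
#    until after a reboot, so report that instead of aborting.
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) {
        try {
            Remove-Item -LiteralPath $f -Force
            Write-Host "Removed $f"
        } catch {
            Write-Warning "Could not remove $f (still in use?); reboot and run again."
        }
    }
}
```

Run it once, reboot, and run it a second time to confirm nothing was re-dropped by a surviving winin.exe.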

If you have any questions, you can leave me a message on my homepage http://coolslob.fykj.com/

