I opened Windows Defender today and had a look: under Quarantined items there was a SuperUtilBar entry, file name toolsp.exe. A Google search turned up a very detailed description of this nuisance software from CA: http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453101952 Judging from the description, it is a Baidu product; what a classless bunch. I have been caught by it once before myself. The relevant details are recorded below:
Executables
%program_files%/superutilbar/uninst.exe
%program_files%/common files/system/updaterun.exe
%program_files%/common files/system/temp.exe
%program_files%/common files/system/bar.exe
%windows%/toolsp.exe

DLL files
%system%/wbem/vicqr.dll
%system%/wbem/ocmor.dll
%system%/wbem/kblfu.dll
%system%/lqbag.dll
%system%/agyst.dll
%system%/advport.dll
%program_files%/superutilbar/superutilbar.dll

Registry entries (keys as listed by CA; a value under a key is written as "key : value")
HKEY_CLASSES_ROOT/6781.toolbar
HKEY_CLASSES_ROOT/6781.toolbar.1
HKEY_CLASSES_ROOT/6781.toolbar.1/clsid
HKEY_CLASSES_ROOT/6781.toolbar/clsid
HKEY_CLASSES_ROOT/6781.toolbar/curver
HKEY_CLASSES_ROOT/6781.toolbarloader
HKEY_CLASSES_ROOT/6781.toolbarloader.1
HKEY_CLASSES_ROOT/6781.toolbarloader.1/clsid
HKEY_CLASSES_ROOT/6781.toolbarloader/clsid
HKEY_CLASSES_ROOT/6781.toolbarloader/curver
HKEY_CLASSES_ROOT/clsid/{03465ff5-00ae-411a-9c34-960ed566ec03}
HKEY_CLASSES_ROOT/clsid/{03465ff5-00ae-411a-9c34-960ed566ec03}/inprocserver32
HKEY_CLASSES_ROOT/clsid/{03465ff5-00ae-411a-9c34-960ed566ec03}/inprocserver32 : threadingmodel
HKEY_CLASSES_ROOT/clsid/{03465ff5-00ae-411a-9c34-960ed566ec03}/progid
HKEY_CLASSES_ROOT/clsid/{03465ff5-00ae-411a-9c34-960ed566ec03}/programmable
HKEY_CLASSES_ROOT/clsid/{03465ff5-00ae-411a-9c34-960ed566ec03}/typelib
HKEY_CLASSES_ROOT/clsid/{03465ff5-00ae-411a-9c34-960ed566ec03}/versionindependentprogid
HKEY_CLASSES_ROOT/clsid/{6cfd436c-7aad-4e50-992f-c0c87a94cad2}
HKEY_CLASSES_ROOT/clsid/{6cfd436c-7aad-4e50-992f-c0c87a94cad2}/inprocserver32
HKEY_CLASSES_ROOT/clsid/{6cfd436c-7aad-4e50-992f-c0c87a94cad2}/inprocserver32 : threadingmodel
HKEY_CLASSES_ROOT/clsid/{6cfd436c-7aad-4e50-992f-c0c87a94cad2}/progid
HKEY_CLASSES_ROOT/clsid/{6cfd436c-7aad-4e50-992f-c0c87a94cad2}/programmable
HKEY_CLASSES_ROOT/clsid/{6cfd436c-7aad-4e50-992f-c0c87a94cad2}/typelib
HKEY_CLASSES_ROOT/clsid/{6cfd436c-7aad-4e50-992f-c0c87a94cad2}/versionindependentprogid
HKEY_CLASSES_ROOT/typelib/{03d0c547-ebad-43d9-8b57-de16e7a93b52}
HKEY_CLASSES_ROOT/typelib/{03d0c547-ebad-43d9-8b57-de16e7a93b52}/0.0
HKEY_CLASSES_ROOT/typelib/{03d0c547-ebad-43d9-8b57-de16e7a93b52}/0.0/0
HKEY_CLASSES_ROOT/typelib/{03d0c547-ebad-43d9-8b57-de16e7a93b52}/0.0/0/win32
HKEY_CLASSES_ROOT/typelib/{03d0c547-ebad-43d9-8b57-de16e7a93b52}/0.0/flags
HKEY_CLASSES_ROOT/typelib/{03d0c547-ebad-43d9-8b57-de16e7a93b52}/0.0/helpdir
HKEY_LOCAL_MACHINE/software/microsoft/internet explorer/toolbar : {03465ff5-00ae-411a-9c34-960ed566ec03}
HKEY_LOCAL_MACHINE/software/microsoft/windows/currentversion/explorer/browser helper objects/{6cfd436c-7aad-4e50-992f-c0c87a94cad2}
HKEY_LOCAL_MACHINE/software/microsoft/windows/currentversion/uninstall/实用搜索工具条
HKEY_LOCAL_MACHINE/software/microsoft/windows/currentversion/uninstall/实用搜索工具条 : displayname
HKEY_LOCAL_MACHINE/software/microsoft/windows/currentversion/uninstall/实用搜索工具条 : displayversion
HKEY_LOCAL_MACHINE/software/microsoft/windows/currentversion/uninstall/实用搜索工具条 : publisher
HKEY_LOCAL_MACHINE/software/microsoft/windows/currentversion/uninstall/实用搜索工具条 : uninstallstring
HKEY_LOCAL_MACHINE/software/microsoft/windows/currentversion/uninstall/实用搜索工具条 : urlinfoabout
(The uninstall subkey is a GB2312 name, 实用搜索工具条, which CA's listing renders as the mojibake êµóãëñë÷¹¤¾ßìõ because the bytes were shown as Latin-1 and lower-cased.)
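The following PowerShell script is an added example, not code from the original post or from CA's advisory. It turns the artifact list above into a read-only audit of a Windows host: it reports which of the listed files and registry entries are present, shows the Authenticode status of any file it finds, and resolves the InprocServer32 path behind the two CLSIDs so a DLL renamed on a given machine is still surfaced. It assumes CA's %program_files%, %system% and %windows% placeholders map to $env:ProgramFiles, $env:SystemRoot\System32 and $env:SystemRoot, and that the uninstall subkey name is the GB2312 decoding given above.

```powershell
# Added example (not from the original post or CA's advisory): read-only audit
# for the SuperUtilBar artifacts listed above. Reports only; it deletes nothing.
# Assumptions: %program_files% -> $env:ProgramFiles, %system% -> System32,
# %windows% -> $env:SystemRoot; uninstall subkey name decoded from GB2312.

$sys = Join-Path $env:SystemRoot 'System32'
$pf  = $env:ProgramFiles
$cf  = Join-Path $pf 'Common Files'

$files = @(
    (Join-Path $pf  'SuperUtilBar\uninst.exe'),
    (Join-Path $pf  'SuperUtilBar\superutilbar.dll'),
    (Join-Path $cf  'system\updaterun.exe'),
    (Join-Path $cf  'system\temp.exe'),
    (Join-Path $cf  'system\bar.exe'),
    (Join-Path $env:SystemRoot 'toolsp.exe'),
    (Join-Path $sys 'wbem\vicqr.dll'),
    (Join-Path $sys 'wbem\ocmor.dll'),
    (Join-Path $sys 'wbem\kblfu.dll'),
    (Join-Path $sys 'lqbag.dll'),
    (Join-Path $sys 'agyst.dll'),
    (Join-Path $sys 'advport.dll')
)

$toolbarClsid = '{03465ff5-00ae-411a-9c34-960ed566ec03}'
$bhoClsid     = '{6cfd436c-7aad-4e50-992f-c0c87a94cad2}'
$typeLib      = '{03d0c547-ebad-43d9-8b57-de16e7a93b52}'

# COM registrations live under HKCR; the Explorer/IE hooks live under HKLM, and on
# a 64-bit system the 32-bit IE reads them from Wow6432Node as well.
$keys = @(
    "Registry::HKEY_CLASSES_ROOT\6781.toolbar",
    "Registry::HKEY_CLASSES_ROOT\6781.toolbarloader",
    "Registry::HKEY_CLASSES_ROOT\CLSID\$toolbarClsid",
    "Registry::HKEY_CLASSES_ROOT\CLSID\$bhoClsid",
    "Registry::HKEY_CLASSES_ROOT\TypeLib\$typeLib"
)
$hklmRoots = 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\Wow6432Node'
foreach ($root in $hklmRoots) {
    $keys += "$root\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$bhoClsid"
    $keys += "$root\Microsoft\Windows\CurrentVersion\Uninstall\实用搜索工具条"
}

$findings = @()

foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) {
        $item = Get-Item -LiteralPath $f
        $sig  = Get-AuthenticodeSignature -LiteralPath $f
        $findings += [pscustomobject]@{
            Type   = 'File'
            Path   = $f
            Detail = "$($item.Length) bytes, signature: $($sig.Status)"
        }
    }
}

foreach ($k in $keys) {
    if (Test-Path -LiteralPath $k) {
        $findings += [pscustomobject]@{ Type = 'RegKey'; Path = $k; Detail = 'present' }
    }
}

# The toolbar is registered as a value (named after its CLSID) under the IE
# Toolbar key, not as a subkey, so look for the value rather than the key.
foreach ($root in $hklmRoots) {
    $tb = "$root\Microsoft\Internet Explorer\Toolbar"
    if ((Test-Path -LiteralPath $tb) -and
        ($null -ne (Get-ItemProperty -LiteralPath $tb).PSObject.Properties[$toolbarClsid])) {
        $findings += [pscustomobject]@{ Type = 'RegValue'; Path = "$tb\$toolbarClsid"; Detail = 'present' }
    }
}

# Resolve the DLL each CLSID actually loads, in case it differs from the names above.
foreach ($clsid in $toolbarClsid, $bhoClsid) {
    $inproc = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
    if (Test-Path -LiteralPath $inproc) {
        $dll = (Get-ItemProperty -LiteralPath $inproc).'(default)'
        $findings += [pscustomobject]@{ Type = 'InprocServer32'; Path = $clsid; Detail = $dll }
    }
}

if ($findings.Count -eq 0) { 'No SuperUtilBar artifacts found.' }
else { $findings | Format-Table -AutoSize }
```

Save the script as UTF-8 with a BOM so the Chinese uninstall subkey name survives parsing, and run it from an elevated prompt if you want the HKLM checks to be reliable. It only reports; removal is deliberately left to Defender's quarantine or to a manual cleanup once the findings have been reviewed, since the BHO CLSID is loaded into every Explorer and IE process and should not be half-deleted.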