
TROJ_AGENT.UOU
Trojan-Downloader.Win32.Todon.u (Kaspersky); Mal/DelpDldr-C (Sophos); TrojanDownloader:Win32/Small (Microsoft)
Windows

- Malware type: Trojan
- Destructive: No
- Encrypted:
- In the wild: Yes
Overview
This malware arrives on a system either dropped by other malware or downloaded unknowingly by users visiting malicious websites.
Details
Arrival Details
This malware arrives on a system either dropped by other malware or downloaded unknowingly by users visiting malicious websites.
Installation
This malware drops the following files:
- {Drive Letter}:\autorun.inf
- %Program Files%\{Random filename}.inf
(Note: %Program Files% is the Program Files folder, usually "C:\Program Files" on all operating systems (OS), or "C:\Program Files (x86)" when running 32-bit applications on a 64-bit OS.)
It drops the following copies of itself into the affected system:
- %Program Files%\Common Files\System\{Random filename}.exe
- %Program Files%\Common Files\Microsoft Shared\{Random filename}.exe
- {Drive Letter}:\{Random filename}.exe
- %Program Files%\{Random filename}.exe
Other System Modifications
It adds the following registry values:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoDriveTypeAutoRun = 145
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\wscsvc
Start = 4
(Note: The value data of the above registry entry before modification is 2.)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\wuauserv
Start = 4
(Note: The value data of the above registry entry before modification is 2.)
HKEY_CURRENT_USER\Software\{Random key}
{Random registry value} = %Program Files%\Common Files\System\{Random filename}.exe
HKEY_CURRENT_USER\Software\{Random key}
{Random registry value} = %Program Files%\Common Files\Microsoft Shared\{Random filename}.exe
It deletes the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
AVP =
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
CheckedValue =
Other Details
It connects to the following malicious websites:
- http://head.{BLOCKED}ml.biz/update/wow.exe
- http://head.{BLOCKED}ml.biz/update/zt.exe
- http://head.{BLOCKED}ml.biz/update/jh.exe
- http://head.{BLOCKED}ml.biz/update/wm.exe
- http://head.{BLOCKED}ml.biz/update/tl.exe
- http://head.{BLOCKED}ml.biz/update/my.exe
- http://head.{BLOCKED}ml.biz/update/1.exe
- http://head.{BLOCKED}ml.biz/update/2.exe
- http://head.{BLOCKED}ml.biz/update/3.exe
- http://head.{BLOCKED}ml.biz/update/update.txt
- http://head.{BLOCKED}ml.biz/update/mh.exe
It creates the following registry value:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\{Anti-Virus Program Name}
Debugger = %Program Files%\Common Files\Microsoft Shared\{Random File Name}.exe
Note: {Anti-Virus Program Name} can be any of the following:
- 360Safe.exe
- 360rpt.exe
- 360tray.exe
- AST.exe
- AgentSvr.exe
- AppSvc32.exe
- ArSwp.exe
- AvMonitor.exe
- CCenter.exe
- EGHOST.exe
- FTCleanerShell.exe
- FYFireWall.exe
- FileDsty.exe
- HijackThis.exe
- IceSword.exe
- Iparmor.exe
- KASMain.exe
- KASTask.exe
- KAV32.exe
- KAVDX.exe
- KAVPF.exe
- KAVPFW.exe
- KAVSetup.exe
- KAVStart.exe
- KISLnchr.exe
- KMFilter.exe
- KMailMon.exe
- KPFW32.exe
- KPFW32X.exe
- KPfwSvc.exe
- KRegEx.exe
- KRepair.com
- KVCenter.kxp
- KVMonXP.kxp
- KVMonXP_1.kxp
- KVScan.kxp
- KVSrvXP.exe
- KVStub.kxp
- KWatch.exe
- KWatch9x.exe
- KWatchX.exe
- KaScrScn.SCR
- KsLoader.exe
- KvDetect.exe
- KvReport.kxp
- KvXP.kxp
- KvXP_1.kxp
- KvfwMcl.exe
- MagicSet.exe
- NPFMntor.exe
- Navapsvc.exe
- Navapw32.exe
- PFW.exe
- PFWLiveUpdate.exe
- QHSET.exe
- QQDoctor.exe
- QQKav.exe
- Ras.exe
- Rav.exe
- RavMon.exe
- RavMonD.exe
- RavStub.exe
- RavTask.exe
- RegClean.exe
- RsAgent.exe
- Rsaupd.exe
- SREng.EXE
- SmartUp.exe
- SysSafe.exe
- TrojDie.kxp
- TrojanDetector.exe
- Trojanwall.exe
- UIHost.exe
- USBCleaner.exe
- UmxAgent.exe
- UmxAttachment.exe
- UmxCfg.exe
- UmxFwHlp.exe
- UmxPol.exe
- UpLive.exe
- WoptiClean.exe
- adam.exe
- autoruns.exe
- avconsol.exe
- avgrssvc.exe
- avp.com
- avp.exe
- ccSvcHst.exe
- iparmo.exe
- isPwdSvc.exe
- kabaload.exe
- kvol.exe
- kvolself.exe
- kvupload.exe
- kvwsc.exe
- loaddll.exe
- mcconsol.exe
- mmqczj.exe
- mmsk.exe
- nod32.exe
- nod32krn.exe
- nod32kui.exe
- rfwcfg.exe
- rfwmain.exe
- rfwsrv.exe
- rstrui.exe
- runiep.exe
- safelive.exe
- scan32.exe
- shcfg32.exe
- symlcsvc.exe
- upiea.exe
- vsstat.exe
- webscanx.exe
Solution
Step 1
Windows XP, Windows Vista and Windows 7 users must disable System Restore before running a virus scan so that the malware or adware can be completely removed from the computer.
Step 2
Not all of the files, folders, registry keys and values listed in these steps are necessarily installed on the computer when this malware or adware runs. Installation may be incomplete, or may not take place at all depending on operating system (OS) conditions. If the files/folders/registry information described in a step are not found, that step is unnecessary; proceed to the next step.
Step 3
Restart Windows in Safe Mode.
Step 4
Restore the modified registry values.
Warning: The registry is a database that stores Windows configuration information; a faulty registry edit can leave the system unable to operate normally.
If you had intentionally changed the setting in question beforehand, restore it to the original setting you intended. If you do not know which value to set, ask your system administrator. Registry edits are performed at your own responsibility, and we cannot compensate for any problems caused by editing the registry.
Please read this before editing the registry.
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\wuauserv
  - From: Start = 4
  - To: Start = 2
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\wscsvc
  - From: Start = 4
  - To: Start = 2
Step 5
Delete these registry values.
Warning: The registry is a database that stores Windows configuration information; a faulty registry edit can leave the system unable to operate normally.
Registry edits are performed at your own responsibility, and we cannot compensate for any problems caused by editing the registry.
Please read this before editing the registry.
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
  - NoDriveTypeAutoRun = 145
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\{Anti-Virus Program Name}
  - Debugger = %Program Files%\Common Files\Microsoft Shared\{Random filename}.exe
Note: {Anti-Virus Program Name} is each of the following subkeys:
- USBCleaner.exe
- autoruns.exe
- KPfwSvc.exe
- KISLnchr.exe
- KASMain.exe
- symlcsvc.exe
- Iparmor.exe
- UmxAgent.exe
- TrojDie.kxp
- RavStub.exe
- avconsol.exe
- PFWLiveUpdate.exe
- ccSvcHst.exe
- AvMonitor.exe
- IceSword.exe
- FYFireWall.exe
- RavTask.exe
- MagicSet.exe
- UmxAttachment.exe
- Trojanwall.exe
- 360tray.exe
- KVMonXP_1.kxp
- KWatch9x.exe
- mcconsol.exe
- scan32.exe
- EGHOST.exe
- upiea.exe
- KAV32.exe
- kabaload.exe
- UIHost.exe
- KvfwMcl.exe
- SREng.EXE
- KAVSetup.exe
- SysSafe.exe
- vsstat.exe
- nod32krn.exe
- kvupload.exe
- KAVStart.exe
- QQKav.exe
- QHSET.exe
- KPFW32.exe
- SmartUp.exe
- KMFilter.exe
- UpLive.exe
- KaScrScn.SCR
- RegClean.exe
- rstrui.exe
- KVCenter.kxp
- RsAgent.exe
- RavMon.exe
- mmqczj.exe
- adam.exe
- KWatch.exe
- loaddll.exe
- KAVPF.exe
- Rav.exe
- kvol.exe
- Rsaupd.exe
- KAVPFW.exe
- avp.com
- FTCleanerShell.exe
- UmxCfg.exe
- shcfg32.exe
- avp.exe
- KvXP_1.kxp
- mmsk.exe
- rfwsrv.exe
- KVSrvXP.exe
- QQDoctor.exe
- TrojanDetector.exe
- KMailMon.exe
- runiep.exe
- AppSvc32.exe
- KsLoader.exe
- Ras.exe
- AST.exe
- WoptiClean.exe
- Navapw32.exe
- KAVDX.exe
- KASTask.exe
- Navapsvc.exe
- kvolself.exe
- avgrssvc.exe
- webscanx.exe
- kvwsc.exe
- ArSwp.exe
- KVScan.kxp
- AgentSvr.exe
- KPFW32X.exe
- safelive.exe
- KvReport.kxp
- UmxFwHlp.exe
- KvXP.kxp
- KVMonXP.kxp
- KVStub.kxp
- KWatchX.exe
- 360rpt.exe
- rfwcfg.exe
- KRegEx.exe
- HijackThis.exe
- FileDsty.exe
- RavMonD.exe
- nod32.exe
- rfwmain.exe
- PFW.exe
- CCenter.exe
- Debugger = %Program Files%\Common Files\Microsoft Shared\{Random filename}.exe
- Debugger = %Program Files%\Common Files\Microsoft Shared\{Random filename}.exe
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\isPwdSvc.exe
- Debugger = %Program Files%\Common Files\Microsoft Shared\{Random filename}.exe
- Debugger = %Program Files%\Common Files\Microsoft Shared\{Random filename}.exe
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iparmo.exe
- Debugger = %Program Files%\Common Files\Microsoft Shared\{Random filename}.exe
- Debugger = %Program Files%\Common Files\Microsoft Shared\{Random filename}.exe
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvDetect.exe
- Debugger = %Program Files%\Common Files\Microsoft Shared\{Random filename}.exe
- Debugger = %Program Files%\Common Files\Microsoft Shared\{Random filename}.exe
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32kui.exe
- Debugger = %Program Files%\Common Files\Microsoft Shared\{Random filename}.exe
- Debugger = %Program Files%\Common Files\Microsoft Shared\{Random filename}.exe
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KRepair.com
- Debugger = %Program Files%\Common Files\Microsoft Shared\{Random filename}.exe
- Debugger = %Program Files%\Common Files\Microsoft Shared\{Random filename}.exe
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxPol.exe
- Debugger = %Program Files%\Common Files\Microsoft Shared\{Random filename}.exe
- Debugger = %Program Files%\Common Files\Microsoft Shared\{Random filename}.exe
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe
- Debugger = %Program Files%\Common Files\Microsoft Shared\{Random filename}.exe
- Debugger = %Program Files%\Common Files\Microsoft Shared\{Random filename}.exe
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NPFMntor.exe
- Debugger = %Program Files%\Common Files\Microsoft Shared\{Random filename}.exe
- Debugger = %Program Files%\Common Files\Microsoft Shared\{Random filename}.exe
Step 6
Delete the unknown registry keys.
Warning: The registry is the database in which Windows stores its configuration information, and a faulty registry edit can leave the system unable to operate normally.
Registry edits are made at the customer's own responsibility; Trend Micro cannot provide compensation for any problem caused by editing the registry.
Please read the guidance here before editing the registry.
- HKEY_CURRENT_USER\Software\{Random key}
- HKEY_CURRENT_USER\Software\{Random key}
Step 7
Search for and delete the following files.
- {Drive Letter}:\autorun.inf
- %Program Files%\{Random filename}.inf
Step 8
Restart the computer in normal mode and, using an antivirus product updated to the latest version (engine and pattern file), scan for files detected as "TROJ_AGENT.UOU". If the detected files have already been cleaned, quarantined or deleted by your Trend Micro antivirus product, handling of the malware is complete and no further removal steps are required.
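The IFEO "Debugger" entries removed in step 5 each redirect a security tool to a file under %Program Files%\Common Files\System or %Program Files%\Common Files\Microsoft Shared. As an added example that is not Trend Micro's tooling or part of the original advisory, the PowerShell audit below enumerates every IFEO subkey and reports any Debugger value pointing into those two directories, so it covers program names beyond the ones listed above; the function and variable names are my own, and the two directories are assumed from this advisory's file paths.

```powershell
# Added audit script (not from the advisory). Run from an elevated PowerShell.
# Reports IFEO Debugger values that redirect a program into the directories
# where this advisory says the malware drops its copies.
$ifeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$suspiciousDirs = @(
    (Join-Path $env:ProgramFiles 'Common Files\System'),            # assumed from advisory
    (Join-Path $env:ProgramFiles 'Common Files\Microsoft Shared')   # assumed from advisory
)

function Get-SuspiciousIfeoDebugger {
    param(
        [string]$Root = $ifeoRoot,
        [string[]]$Dirs = $suspiciousDirs
    )
    Get-ChildItem -Path $Root -ErrorAction SilentlyContinue | ForEach-Object {
        $debugger = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if (-not $debugger) { return }          # normal subkeys carry no Debugger value
        # Strip surrounding quotes and any trailing arguments; keep the executable path
        $exe = ($debugger -replace '^"([^"]+)".*$', '$1').Trim()
        foreach ($dir in $Dirs) {
            if ($exe.StartsWith($dir, [System.StringComparison]::OrdinalIgnoreCase)) {
                [pscustomobject]@{
                    HijackedProgram = $_.PSChildName      # e.g. 360Safe.exe, nod32.exe
                    Debugger        = $debugger
                    TargetExists    = Test-Path -LiteralPath $exe   # dropped copy still present?
                    Key             = $_.Name
                }
                break
            }
        }
    }
}

# Report first; remove only after the hits have been reviewed.
$hits = Get-SuspiciousIfeoDebugger
$hits | Format-Table -AutoSize

# Removal of the Debugger value (the advisory's step 5); drop -WhatIf after review.
# $hits | ForEach-Object { Remove-ItemProperty -Path "Registry::$($_.Key)" -Name Debugger -WhatIf }
```

A legitimate Debugger value (for example one set by a developer tool) will not point into those two directories, so a hit on the list above is a strong indicator that the hijack is still in place.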