Usr6, posted October 17, 2013

Required tools:
Process explorer: Process Explorer
Dll unloader: NoVirusThanks DLL UnInjector: unload DLLs within a selected process
Autoruns: Autoruns for Windows

Sample: (obtained via https://rstforums.com/forum/76543-intrebare.rst#post492576 )
Program de dat flood ip adress.exe MD5: 5acd5a6130b43c94ddb3418959f4c39c ~110K

process:
C:\WINDOWS\mstwain32.exe

dropped files:
c:\WINDOWS\mstwain32.exe ~110K MD5: 5acd5a6130b43c94ddb3418959f4c39c
c:\WINDOWS\cmsetac.dll ~33K MD5: 034e1f7e1d643572dc843ab535f6d60e
c:\WINDOWS\ntdtcstp.dll ~7K MD5: 67587e25a971a141628d7f07bd40ffa0

persistence:
initially it does not appear listed in autoruns or regedit
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
mstwain32 C:\WINDOWS\mstwain32.exe

Removal:
step 1
process explorer> suspend mstwain32.exe
step 2
rename mstwain32.exe to mstwain32.ex
step 3
unload and delete dlls
c:\WINDOWS\ntdtcstp.dll
c:\WINDOWS\cmsetac.dll
step 4
process explorer> kill mstwain32.exe
step 5
delete mstwain32.ex
step 6
remove persistence> autoruns
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
mstwain32 File not found: C:\WINDOWS\mstwain32.exe
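
A read-only PowerShell check for the artifacts Usr6 lists above (the dropped files and their MD5s, the mstwain32 process, the two DLLs, the Run value), usable before and after the removal steps. This is an added example, not part of the original thread; it assumes PowerShell 4 or later for Get-FileHash and that the post's C:\WINDOWS corresponds to %windir% on the machine being checked.

```powershell
# Added example: read-only check for the artifacts named in the post.
# Assumption: the post's C:\WINDOWS is this machine's %windir%.
$winDir = $env:windir
$files = @(
    @{ Name = 'mstwain32.exe'; MD5 = '5acd5a6130b43c94ddb3418959f4c39c' },
    @{ Name = 'mstwain32.ex';  MD5 = '5acd5a6130b43c94ddb3418959f4c39c' },  # renamed copy from step 2
    @{ Name = 'cmsetac.dll';   MD5 = '034e1f7e1d643572dc843ab535f6d60e' },
    @{ Name = 'ntdtcstp.dll';  MD5 = '67587e25a971a141628d7f07bd40ffa0' }
)
$dlls = 'cmsetac.dll', 'ntdtcstp.dll'
$findings = @()

# Dropped files: report any that still exist and whether the MD5 matches the post.
foreach ($f in $files) {
    $path = Join-Path $winDir $f.Name
    if (Test-Path -LiteralPath $path) {
        $h = Get-FileHash -LiteralPath $path -Algorithm MD5 -ErrorAction SilentlyContinue
        $detail = if ($h) { "md5 matches post: $($h.Hash -ieq $f.MD5)" } else { 'present, could not be hashed' }
        $findings += [pscustomobject]@{ Check = 'file'; Item = $path; Detail = $detail }
    }
}

# Process from the post, plus any process that still has one of the DLLs loaded (step 3).
foreach ($p in Get-Process) {
    if ($p.ProcessName -eq 'mstwain32') {
        $findings += [pscustomobject]@{ Check = 'process'; Item = "mstwain32 (PID $($p.Id))"; Detail = 'running' }
    }
    try { $mods = @($p.Modules | Where-Object { $dlls -contains $_.ModuleName }) }
    catch { $mods = @() }   # protected processes deny module enumeration
    foreach ($m in $mods) {
        $findings += [pscustomobject]@{ Check = 'module'; Item = "$($p.ProcessName) (PID $($p.Id))"; Detail = $m.FileName }
    }
}

# Persistence: the Run value named in the post (HKCU, so run as the affected user).
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -Name 'mstwain32' -ErrorAction SilentlyContinue
if ($run) {
    $findings += [pscustomobject]@{ Check = 'run key'; Item = "$runKey\mstwain32"; Detail = $run.mstwain32 }
}

if ($findings.Count) { $findings | Format-Table -AutoSize -Wrap }
else { 'None of the artifacts listed in the post were found.' }
```

On 64-bit Windows, a 64-bit PowerShell host does not see the 32-bit DLLs loaded in 32-bit processes, so run the module check from the 32-bit PowerShell host there.
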
rata, posted November 9, 2013

Nice work..