Rootkit Unhooker 3.31.150.420 İ
 
Rootkit UnhookerһµRK⹤ߣԶ˹ֶαIceSwordɿöࣨȻܻIceSwordȫ

Rootkit Unhooker :
Ӽͻָ
ǿĽ̼
ǿ
ؽɱ
APIӼ
ת

ɽʾ x:\windows\system32\Ntdll32.dll Ⱦ Win32.troj.agent.s.412671
ȴ޷ɾڰȫģʽ½עɾҲСľк
ϵͳһΪInternet Connection ManagerInternetӣϵͳʵԶ̼أ
ԴļΪc:\windows\system32\internet.exe
ieһΪIEHELPER.DLLĲ
Ϊ˱֤ϵͳгפĵطҲڴˡ 
ʱx:\windows\system32\driverļһΪmspcidrv.sysϵͳ
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls NTDLL32.DLL ע⣬ô
ͬʱҲHKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects˸ʱԶNTDLL32.DLL
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ֱָ c:\windows\system32\internet.exe
mspcidrv.sysغдϵͳ
ֱΪ NtDeleteKey, NtDeleteValueKey, NtSetValueKey HOOK
ʹĿĵעɾעɾעֵעֵʧȥˣ
Ϊ˱Internet Connection ManagerϵͳIEHELPER.DLLעᱻ
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_DllsµNTDLL32.DLLʵڴָĹؼ
ʵһϵͳ̵DLLļ
ڳʱΪһϵͳ̲߳exploreṛעмӣ
ֱĿĵעǱɾд, 
һеǣڵ£עɾͨĳЩ磺Rootkit Unhooker
д֤չܵΪ߳ԼҲҪģ
ʧЧԼעѱ£Ҳֻά֮ǰһν̲룬
Ա֤´οʱĿ 

Windowsͬʱctrl+alt+delexploreṛ
Ȼͬ ļ\½ѡв㰲װRootkit Unhooker
mspcidrv.sysҹķƳ
֮ ļ\½ѡע༭regedit
ֱɾڿɾˣ internet.exe, mspcidrv.sys, Ntdll32.dll, www.gprs5.com, IEHELPER.DLL صĿ
OKˣȻ㻹Խ x:\windows\system32\ ɾ internet.exe, mspcidrv.sys, Ntdll32.dll, IEHELPER.DLL ļ



ôɱRootKit.Agent.wl 

ʹRootKit UnHookerԺ˵еWipe/Copy FileѡDirect File WipingȻѡ񲡶ļ
Do Operationֱļݡ״ݻ٣޷ٴСֱɾɡ 
ȰעеHKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RGWatchɾ
