3 thoughts on “what is this? Please come over to help answer _______ Yahoo Assistant said it is a virus”

  1. I can kill your best to upgrade Rising

    rundll32.exe files for details

    Process files: Rundll32 or Rundll32.exe
    Process Name: Microsoft Rundll32
    Process category: other processes
    English description:
    rundll32.exe is a process which executes DLLs and places their libraries into the memory, so they can be used more by . This program is important for the stable and secure running of your computer and should not be.
    Chinese reference:
    rundll32.exe to run DLL files in memory, and they are used in applications. This program is very important for the normal operation of your system. Note: Rundll32.exe may also be W32.miroot.Worm virus. The virus allows attackers to access your computer, stealing passwords and personal data. The safety level of this process is recommended to delete immediately.
    produced: Microsoft Corp.
    belongs to: Microsoft Windows Operating System
    WINXEC (pchar (), sw_show);
    Don't add quotes):
    "rundll32 shell32, control_rundll" -run control panel
    "rundll32 shell32, openas_rundll" -Open the "Open Method" window
    "About" window
    "rundll32 shell32, control_rundll desk.cpl" -Open the "display attribute" window
    "rundll32 user," -Llay all windows
    "rundll32 user Sub -window
    "RUNDLL32 User," -The refresh the desktop
    "rundll32 shell, Explorer" -Reart Windows Explorer
    "RUNDLL32 KEYBOARD, Disable" -L "RUNDLL32 mouse, disable "-Make the mouse to fail
    " rundll32 user, " - exchange mouse button
    " rundll32 user, "-The position of the mouse (0,0)
    " rundll32 user, " -" - " -" - " - Open the "Map Network Drive" window
    "rundll32 user," -Open the "disconnecting network drive" window
    "rundll32 user," -D display bsod window, (bsod) = Blue Screen of
    DEATH , That is, the blue screen
    "rundll32 diskcopy," - Open the disk copying window
    "rundll32 rnaui.dll, rnawizard" -run "Internet connection wizard",
    For the Silent mode
    "rundll32 shell32," -Open "formatting disk (a)" window
    "rundll32 shell32, -1" -This Windows Explorer
    "Rundll32 shell32, 1" -Watch
    "Rundll32 Shell32, 0" -The retirement of the current user
    "rundll32 shell32, 2" Windows9x quickly restarts
    "rundll rnaui.dll, rnadial" myconnect " -run the" network connection "dialog box
    " rundll32 msprint2.dll, rundll_ "-Cose the printer and print test page
    " rundll32 user, " -" - " -" - " - Set the cursor flashing speed
    "rundll32 user," -The mouse double -click speed
    "rundll32 sysdm.cpl, _Rundll" -Search non-PNP device
    functions in the control panel
    winexec (RUNDLL32.exe Shell32.dll, Control_rundll, 9);
    {auxiliary option attribute-keyboard}
    winexec (rundll32.exe shell32.dll, Control_rundll), 9, 9.CPL, 9 ,,9CPL.
    {auxiliary option attribute-sound}
    winexec (rundll32.exe shell32.dll, Control_Rundll Access.cpl, 2,9);
    .exe shell32.dll, Control_rundll Access.cpl, 3, 9);
    {auxiliary option attribute-mouse}
    WINEXEC (rundll32.exe shell32.dll, Control_rundll Access.cpl, 4, 9);
    {auxiliary option attribute-conventional}
    winexec (Rundll32.exe shell32.dll, Control_rundll Access.cpl, 5, 9);
    {add/delete program attributes}
    winexec (rundll32.exe shell32.dll, Control_rundll AppWiz.cpl, 1, 9);
    {Add/delete program attribute-Windows installer}
    winexec (RUNDLL32.exe Shell32.dll, Control_rundll AppWiz.cpl, 2, 9);
    {Add/delete program properties-startup disk}
    winexec (RUNDLL32.Exe shell32.dll, Control_rundll App 3, 9);
    {display attribute-background}
    winexec (rundll32.exe shell32.dll, control_rundll desk.cpl, 0, 9);
    {display attribute-screen protection program}
    winexec (rundll32.exe shell32.dll, control_rundll desk.cpl, 1, 9);
    {display attribute-appearance}
    WINEXEC (RUNDLL32.Exe shell32.dll, Control_rundll desk, 2 2 2, 2 9);
    {display attribute-setting}
    winexec (rundll32.exe shell32.dll, control_rundll desk.cpl, 3, 9);
    Rundll32.exe shell32.dll, Control_rundll Inetcpl.cpl,
    {Internet Properties-Security}
    winexec (RUNDLL32.dll32.dll, Control_runch 15 r n9);
    {Internet attribute-content}
    winexec (rundll32.exe shell32.dll, Control_rundll INetCPl.cpl,
    {Internet Properties-Connection}
    winexec(rundll32.exe shell32.dll, Control_RunDLL Inetcpl.cpl, 3, 9);
    {Internet Properties-Programs}
    winexec(rundll32.exe shell32.dll, Control_RunDLL Inetcpl.cpl, 4, 9);
    {interm Net Properties-Advanced}
    WINEXEC (RUNDLL32.Exe Shell32.dll, Control_Rundll Inetcpl.cpl, 5, 9);
    Shell32.dll, Control_rundll Intl.cpl, 0, 9);
    {regional settings-digital}
    winexec (rundll32.exe shell32.dll, control_rundll intl.cpl
    {Regional setting attributes-currency}
    Winexec (RUNDLL32.exe Shell32.dll, Control_rundll INTL.CPL, 2,9);
    {regional settings-time}
    winexec (RUNDLL32.exe Shell32.dll, Control_rundll Intl.cpl, 3, 9);
    {area setting attribute-date}
    winexec (rundll32.exe shell32.dll, control_rundll intl.cpl, 4, 9);

    winexec (RUNDLL32.exe Shell32.dll, Control_rundll Joy.cpl, 0, 9);

    winexec (RUNDLL32.exe Shell32.dll, Control_rundll Joy.cpl, 1, 9);
    {mouse attribute}
    winexec (rundll32.exe shell32.dll, Control_rundll Main.cpl, 9);
    {Multimedia attributes-audio}
    winexec .cpl, 0, 9);
    {Multimedia Properties-Video}
    winexec (RUNDLL32.Exe Shell32.dll, Control_rundll MMSys.cpl, 1, 9);
    winexec (RUNDLL32.exe Shell32.dll, Control_rundll MMSys.cpl, 2, 9);
    {Multimedia Properties-CD Music}
    WINEXEC (RUNDLL32.exe Shell32.dll, Control_rundll MMSys.cpl, 3, 9);
    winexec(rundll32.exe shell32.dll, Control_RunDLL Mmsys.cpl, 4, 9);
    {Modem properties}
    winexec(rundll32.exe shell32.dll, Control_RunDLL Modem.cpl, 9);

    winexec (rundll32.exe shell32.dll, Control_rundll Netcpl.cpl, 9);
    {scanner and digital camera attribute}
    winexec (rundll32.exe shell32.dll, control_rundll str.cpl.cpl.cpl.cpl, 9);
    {system attribute-conventional}
    winexec (Rundll32.exe shell32.dll, Control_rundll Sysdm.cpl, 0, 9);
    {System attribute-device manager}
    winexec (Rundll32.exe shell32.dll, Control_rundll Sysdm.cpl, 1, 9) ;
    {system attribute-hardware configuration file}
    winexec (rundll32.exe shell32.dll, control_rundll sysdm.cpl, 2,9);
    {system attributes}
    winexec ( Rundll32.exe shell32.dll, Control_rundll Sysdm.cpl, 3, 9);
    {date/time attribute}
    winexec (rundll32.exe shell32.dll, control_rundll timedate.cpl, 9);
    {power management attribute}
    winexec (rundll32.exe shell32.dll, Control_rundll PowerCFG.CPL, 9);

    winexec (Rundll32.exe Shell32.dll, Control_rundll Telephon.cpl, 9);
    First declare a Cardinal type variable obtaining return value for judgment such as:
    : = winexec (rundll32.exe shell32.dll, Control_rundll telephon.cpl, 9);
    0 program exceeds memory
    error_bad_format program is an illegal win32.exe program
    error_not_found specified file and did not find
    error_path_not_found.
    "Start -program -MS -DOS method", enter the DOS window, and then type "Rundll32.exe User.exe,", then press the carriage entry key. At this time, you will see that the machine is restarted! How about, is it very interesting?
    Of course, the function of RUNDLL is not just restarting your machine. In fact, RUNDLL, as the name suggests, executes DLLs: its function is to call the dynamic link library of Windows from a command line. The difference between RUNDLL32.exe and Rundll.exe is that the former is used for 32-bit link libraries and the latter for 16-bit link libraries. Their command format is:
    rundll.exe,
    Note three points:
    1. The DLL file name cannot contain spaces; for example, if the file is located in the C:\Program Files directory, you have to change this path to C:\Program~1.
    2. The comma between the DLL file name and the DLL entry point must not be omitted, otherwise the program will make an error and will not give any information!
    3. This is the most important point: Rundll cannot be used to call DLL functions containing return value parameters, such as (), (), etc. in the Win32 API.
    In Visual BASIC, an instruction, shell, that executes external programs is provided:
    shell "command column"
    If it can cooperate with Rundll32.exe to make good use of the shell instructions, it will make your VB program formula. It is difficult to use other methods that are difficult to achieve in other methods: still taking restart as an example. The traditional method requires you to set up a module in the VB project, and then write a statement of Winapi, and finally call it in the program. And now only one sentence:
    shell "rundll32.exe user.exe,"
    just done it! Is it more convenient?
    In fact, Rundll32.exe has unique advantages in calling various Windows control panels and system options. Below, I will list the instructions I have collected on the Internet as follows (very useful, can save you a lot of time to call Windows
    api!), For everyone to quote in the programming design:
    command column: rundll32.exe shell32.dll, Control_rundll
    Function: Display control panel
    command column: rundll32.exe shell32.dll, Control_rundll Access.cpl, 1
    function: Display the "Control Panel -Auxiliary Options -Keyboard" option window
    command column: rundll32.exe shell32.dll, Control_rundll Access.cpl, 2
    Function: Display the "Control Panel -Auxiliary Options -Sound" option window
    command column: rundll32.exe shell32.dll, control_rundll access.cpl, 3
    function: Display the "control panel -auxiliary option -display" option window
    command column: rundll32.exe shell32.dll, Control_rundll Access.cpl, 4
    Function: Display the "Control Panel -Auxiliary Options -Mouse" option window
    command column: Rundll32.exe shell32.dll, Control_rundll Access.cpl, 5
    Function: Display the "Control Panel -Auxiliary Options -Traditional" option window
    command column: rundll32.exe shell32.dll, control_rundll sysdm.cpl @1
    function: execute the "Control Panel -Add New Hardware" wizard.
    command column: rundll32.exe shell32.dll, _Rundll
    Function: Execute the "Control Panel -Add New Printer" wizard.
    command column: rundll32.exe shell32.dll, control_rundll appwiz.cpl, 1
    function: Display "control panel -add/delete program -installation/uninstall" panel.
    command column: rundll32.exe shell32.dll, control_rundll appwiz.cpl, 2
    function: Display "Control Panel -Add/Delete Windows" panel.
    command column: rundll32.exe shell32.dll, control_rundll appwiz.cpl, 3
    function: Display the "control panel -add/delete program -start disk" panel.
    command column: rundll32.exe syncui.dll, briefcase_create
    function: Create a new "my briefcase" on the desktop.
    command column: rundll32.exe diskcopy.dll,
    function: Display the copy of the soft disk window
    command column: rundll32.exe appwiz.cpl, %1
    function: Display the "Create shortcut" dialog box, and the position of the created shortcut is determined by the %1 parameter.
    command column: rundll32.exe shell32.dll, control_rundll timedate.cpl, 0
    function: Display the "Date and Time" option window.
    command column: rundll32.exe shell32.dll, Control_rundll Timedate.cPl, 1
    Function: Show the "time zone" option window.
    command column: rundll32.exe rnaui.dll, rnadial [Name of a dial -up connection]
    function: Display the dial-up window of a dial-up connection. If you have dial-up connection, the current connection window is displayed.
    command column: rundll32.exe rnaui.dll, rnawizard
    function: Display window of the "New Dial -up Connection" guide.
    command column: rundll32.exe shell32.dll, control_rundll desk.cpl, 0
    function: Display the "Display Properties -Background" option window.
    command column: rundll32.exe shell32.dll, control_rundll desk.cpl, 1
    function: Display "Display Properties -Screen Protection" option window.
    command column: rundll32.exe shell32.dll, control_rundll desk.cpl, 2
    function: Display the "Display Properties -Appearance" option window.
    command column: rundll32.exe shell32.dll, control_rundll desk.cpl, 3
    function: Display the "Display Properties -Properties" option window.
    command column: rundll32.exe shell32.dll, _Rundll
    Function: Display the "font" file clip of Windows.
    command column: rundll32.exe shell32.dll, Control_rundll Main.cpl @3
    Function: Also the "font" file clip of Windows.
    command column: rundll32.exe shell32.dll,
    function: Display the formatting soft disk dialog box.
    command column: rundll32.exe shell32.dll, control_rundll joy.cpl, 0
    function: Display "control panel -game controller -general" option window.
    command column: rundll32.exe shell32.dll, control_rundll joy.cpl, 1
    function: Display "control panel -game controller -advanced" option window.
    command column: rundll32.exe mshtml.dll, printhtml (html document)
    function: print HTML document.
    command column: rundll32.exe shell32.dll, Control_rundll MLCFG32.CPL
    Function: Display Microsoft Exchange general option window.
    command column: rundll32.exe shell32.dll, control_rundll main.cpl @0
    Function: Display the "Control Panel -Mouse" option.
    command column: rundll32.exe shell32.dll, Control_rundll Main.cpl @1
    Function: Display "Control Panel -Keyboard Properties -Speed" option window.
    command column: rundll32.exe shell32.dll, control_rundll main.cpl @1, 1
    function: Display "control panel -keyboard attribute -language" option window.
    command column: rundll32.exe shell32.dll, control_rundll main.cpl @2
    Function: Display the Windows "Printer" file clip.
    command column: rundll32.exe shell32.dll, control_rundll main.cpl @3
    Function: Display the Windows "font" file clip.
    command column: rundll32.exe shell32.dll, Control_rundll Main.cpl @4
    Function: Display the "Control Panel -Input Method -Input Method" option window.
    command column: rundll32.exe shell32.dll, Control_rundll mode.cpl, Add
    function: execute the "Add new modem" wizard.
    command column: rundll32.exe shell32.dll, control_rundll mms.cpl, 0
    function: Display "control panel -multimedia attribute -audio" property page.
    command column: rundll32.exe shell32.dll, control_rundll mms.cpl, 1
    function: Display "control panel -multimedia attribute -video" property page.
    command column: rundll32.exe shell32.dll, control_rundll mms.cpl, 2
    function: Display "Control Panel -Midi Properties -Midi" property page.
    command column: rundll32.exe shell32.dll, control_rundll mms.cpl, 3
    function: Display "Control Panel -Multimedia Properties -CD Music" attribute page.
    command column: rundll32.exe shell32.dll, control_rundll mms.cpl, 4
    function: Display the "control panel -multimedia attribute -device" attribute page.
    command column: rundll32.exe shell32.dll, control_rundll mms.cpl @1
    Function: Display the "Control Panel -Sound" option window.
    command column: rundll32.exe shell32.dll, control_rundll netcpl.cpl
    function: Display the "control panel -network" option window.
    command column: rundll32.exe shell32.dll, Control_rundll ODBCCP32.CPL
    Function: Display ODBC32 data management option window.
    command column: rundll32.exe shell32.dll, openas_rundll
    function: The "opening method" dialog box of the specified file (Drive: Pathfilename).
    command column: rundll32.exe shell32.dll, control_rundll password.cpl
    function: display the "control panel -password" option window.
    command column: rundll32.exe shell32.dll, Control_rundll PowerCFG.CPL
    Function: Display the "Control Panel -Power Management Properties" option window.
    command column: rundll32.exe shell32.dll, _Rundll

    function: display the Windows "printer" file clip. (Same as Rundll32.exe
    shell32.dll, Control_rundll Main.cpl @2)
    command column: rundll32.exe shell32.dll, control_rundll intl.cpl, 0
    function: Display the "Control Panel -Regional Settings Properties -Regional Settings" option window.
    command column: rundll32.exe shell32.dll, Control_rundll INTL.CPL, 1
    function: Display the "Control Panel -Regional Settings Properties -Digital" option window.
    command column: rundll32.exe shell32.dll, control_rundll intl.cpl, 2
    function: Display the "Control Panel -Area Setting Properties -Money" option window.
    command column: rundll32.exe shell32.dll, control_rundll intl.cpl, 3
    function: Display the "control panel -regional setting attribute -time" option window.
    command column: rundll32.exe shell32.dll, Control_rundll INTL.CPL, 4
    function: Display the "Control Panel -Regional Settings Properties -Date" option window.
    command column: rundll32.exe desk.cpl, [screen protection file name]
    function:
    Windows.
    command column: rundll32.exe shell32.dll, control_rundll sysdm.cpl, 0
    function: display "control panel -system attribute -traditional" property window.
    command column: rundll32.exe shell32.dll, control_rundll sysdm.cpl, 1
    function: display "control panel -system attribute -device manager" attribute window.
    command column: rundll32.exe shell32.dll, control_rundll sysdm.cpl, 2
    function: Display the "control panel -system attribute -hardware configuration file" attribute window.
    command column: rundll32.exe shell32.dll, control_rundll sysdm.cpl, 3
    function: display "control panel -system attribute -performance" property window.
    command column: rundll32.exe user.exe,
    function: forcibly turn off all programs and restart the machine.
    command column: rundll32.exe user.exe,
    function: forcibly turn off all programs and shut down.
    command column: rundll32.exe shell32.dll, Control_rundll Telephon.cpl
    Function: Display the "Dialing Properties" option window
    command column: rundll32.exe shell32.dll, Control_rundll Themes.cpl
    Function: Display the "Desktop Themes" option panel
    Of course, not only, other programming languages such as Delphi and Visual C can also use these functions of RUNDLL by calling external commands. Then describe it in detail. The flexible use of RUNDLL will definitely make your programming design easier, getting twice the result with half the effort.

    Rundll.exe is the virus?

    Whether it is rundll32.exe or rundll.exe, it is useless to run independently, and the DLL file is specified behind the program. In the Windows task manager, we can only see the Rundll32.exe process, and its essence is the call DLL. We can use software and other software to view which DLL file it runs.

    Some Trojan horses are run by Rundll32.exe in the form of a loaded DLL, but in most cases Rundll32.exe is loading a DLL file of the system, so don't worry too much. In addition, some virus Trojans use names similar or identical to common system processes to hide from users. Therefore, it is necessary to determine that the running rundll32.exe is in the %% System32 directory. Note that the file name has not changed.

    I believe that you often see some parameters given by those masters to simplify the operation, such as Rundll32.exe Shell32.dll, Control_rundll, replacing the lengthy "start → setting → control panel". As rookies, we must be itchy in our hearts. How did they know the answer? How do we find the answer ourselves? From the above command it can be seen that it is actually running the RUNDLL32.exe program, specifying it to load the shell32.dll file, and what follows the comma is the parameter of this DLL. After understanding its principle, you can dig out a lot of rarely known parameters for yourself.
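The check the first comment describes (confirm that a running rundll32.exe keeps its real file name and sits in System32, and see which DLL and entry point it was asked to load), as an added example that is not part of the original comments. The process records are constructed, the function names are hypothetical, and a Windows installation in C:\Windows is assumed:

```python
import ntpath
import re

# Assumption: Windows is installed in C:\Windows. A genuine rundll32.exe
# image should only ever be running from one of these directories.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Constructed sample records: (image path, command line), for example as
# exported from a process listing. None of these come from the page.
SAMPLE_PROCESSES = [
    (r"C:\Windows\System32\rundll32.exe",
     r"rundll32.exe shell32.dll,Control_RunDLL desk.cpl,,0"),
    (r"C:\Users\alice\AppData\Roaming\rundll32.exe",
     r"rundll32.exe shell32.dll,Control_RunDLL"),
    (r"C:\Windows\System32\rundll32.exe",
     r'rundll32.exe "C:\Users\alice\AppData\Local\Temp\helper.dll",Start'),
    (r"C:\Windows\System32\rundl132.exe",
     r"rundl132.exe shell32.dll,Control_RunDLL"),
    (r"C:\Windows\System32\rundll32.exe", r"rundll32.exe"),
]

# rundll32 command line: <exe> <dll>,<entry point> [arguments]
# The DLL may be quoted; spaces around the comma are tolerated.
CMD_RE = re.compile(
    r'^\s*(?:"[^"]*"|\S+)'                              # the executable
    r'\s+(?:"(?P<quoted>[^"]+)"|(?P<bare>[^\s,"]+))'    # DLL name or path
    r'\s*,\s*(?P<entry>[^\s,]+)'                        # exported entry point
    r'\s*(?P<args>.*)$'                                 # arguments passed on
)


def parse_rundll_command(cmdline):
    """Split a rundll32 command line into DLL, entry point and arguments."""
    m = CMD_RE.match(cmdline)
    if m is None:
        return None
    return {
        "dll": m.group("quoted") or m.group("bare"),
        "entry": m.group("entry"),
        "args": m.group("args").strip(),
    }


def _in_system_dir(path):
    directory = ntpath.dirname(ntpath.normpath(path))
    return ntpath.normcase(directory) in SYSTEM_DIRS


def triage(image_path, cmdline):
    """Return the list of findings for one rundll32-looking process."""
    findings = []
    # The file name must be exactly rundll32.exe (catches look-alike names).
    if ntpath.normcase(ntpath.basename(image_path)) != "rundll32.exe":
        findings.append("image-name-mismatch")
    # The image must live in a system directory.
    if not _in_system_dir(image_path):
        findings.append("image-outside-system-dir")
    parsed = parse_rundll_command(cmdline)
    if parsed is None:
        # rundll32 does nothing useful without a DLL, so this is worth a look.
        findings.append("no-dll-argument")
    elif ntpath.dirname(parsed["dll"]) and not _in_system_dir(parsed["dll"]):
        # A bare name such as shell32.dll is resolved by the loader and is
        # not judged here; an explicit path outside the system is flagged.
        findings.append("dll-outside-system-dir")
    return findings


def triage_all(processes=SAMPLE_PROCESSES):
    return [triage(image, cmd) for image, cmd in processes]


if __name__ == "__main__":
    for (image, cmd), result in zip(SAMPLE_PROCESSES, triage_all()):
        print(image, "|", cmd, "->", result or "ok")
```

A finding is a reason to look closer at the process, not proof of infection; an empty list means only that these three checks passed.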

  2. Please see below!

    Please uninstall Yahoo Assistant immediately. Don't use his own uninstallation program, otherwise there is no difference from uninstalled. To avoid interference, first turn off the pop-up window filtering function of the Windows XP SP2 itself (no one will say that the pop-up window filter of Yahoo Assistant is implemented by the SP2 related features that rely on Windows XP?!).

    As a result, of the 27 tests, those that failed were: item 3, item 6 (1, 2), item 8, item 9, item 10, item 11, Item 12, 16, item 17, item 20, item 21, 22, item 24, item 26, 27 (1, 2, 3), 15 The items (18), the projects that failed to filter account for 55% of the overall, and the types of failure accounted for 66% of the overall (Figure 5). That is to judge according to the percentage system, the filtering ability of Yahoo assistant's pop-up window has not been caught!

    The pop-up window filtering function of Windows XP SP2 is enabled, or a third-party browser with a pop-up window filtering function is used. The same project test results are completely different! I don't provide it for the time being. You can test comparison by yourself so that you can experience the ability of this "assistant"!

    2, "Cleaning the traces" to clean up who traces?

    Figure 6 is the "Cleaning Traces" function test of Yahoo Assistant. Execute the result of "currently there is no URL!", but what is the result of opening the historical sidebar of the browser?

    Figure 6 "Traces Clean" to clean up.

    3, plug -in management experts do not have selfish
    In the plug-in management expert of Yahoo Assistant, of which only "Yahoo! Photo) was" humbly "; but opened the browser to open the browser Dialing dialog box, more than a dozen loading items implanted by Yahoo Assistant and Yahoo Assistant are in sight (Figure 7)! The plug-in plug-in, the plug-in, and the many play arts that have been implanted by yourself are not the plug-in. What logic is this?!

    FIG. 7 "Plug -in Management Expert" aversion to the garbage plug -in you implanted

    5, "Cleaning IE Toolbar"

    What is the effect of "cleaning the IE toolbar". After cleaning up, the report "There is no toolbar that can be cleaned up!", But the one with a broom icon and several other buttons on the IE toolbar automatically implanted by Yahoo Assistant is unscathed (Figure 9). Isn't it its own third -party tools outside the system? The same is true of the toolbar button.

    Figure 9 Yahoo Assistant's own toolbar is not a cleaning object.

    6, IE toolbar "reset" function cannot reset the toolbar button implanted by Yahoo assistant

    Since Yahoo Assistant refused to work, then IE itself uses IE itself Function settings to restore the toolbar button.

    In the custom toolbar dialog box, click "reset", those buttons that are forcibly implanted flashed, and immediately recovered (Figure 10).

    The basic functions of the system have been partially invalidated under the action of Yahoo Assistant!

    7. The effect on system stability

    In the virtual machine environment, directly enter "Tsinghua University" in the browser address bar for searching for 6 times. All are blue screen (Figure 11).

    Although there may be some differences between the virtual machine environment and the real environment, the virtual machine has higher requirements for memory and the system resources are large. According to this, it is determined that the distribution of Yahoo Assistant on system resources must have some negative effects (or some bugs), which will adversely affect the system when the demand for resources is greater.

    The analysis of the writing of the system of Yahoo Assistant

    The "detailed technical principle" based on the online real -name website, let's see if the real situation is as informing on the website as informed on the website That's the way. Figure 12 is what it notified to the user. In the subsequent testing items, let's see what extent it "detailed", and where the user and the right to know are reflected.

    "Detailed Technical Principles" of the real name of the network in Figure 12

    In addition to the special program folder, Yahoo Assistant also saves its files in a hidden manner in Windows Program Files directory in order Quickly repair; implant the driver file in the system driver directory and ensure the security mode (even if you do not access the Internet!) You can also be loaded and cannot be directly deleted (Figure 13, Figure 14).

    ① File implantation after installing the real name of the network:
    ● Windows Program Files Directory is implanted with 37 files and 1 folder;
    .sys driver file.
    ● Program Files Directory Plant the directory named Yahoo Assistant, including 15 files and 1 folder.
    The total 53 files and 2 sub -folders are implanted.

    ② The file implantation of the file after installing Yahoo Assistant:
    ● Windows Program Files Directory is implanted with 30 files and 1 folder; .sys driver file.
    ● Program Files Directory Planted Directory is named Yahoo Assistant, including 79 files and 7 folders.
    The total of 114 files and 9 sub -folders.

    FIG. 13 Planted the system in a driver. The security mode can also take effect

    1, the files implanted to the system
    2, Figure 14 Windows resource manager cannot be unable to not be inability View hidden files and directory

    2, the registry items written in the written form
    In the incomplete statistics from the registry export before and after the installation, the content of the system registry was roughly roughly written. As follows (because of browsing webs and other operations, it will cause dynamic modification, so there may be some errors):

    In the real name of the network, 122 key items and 408 key values are written in the registry;
    After installing the Yahoo assistant, the registry was written with 251 key items and 656 key values.
    Unfortunately, uninstalling and restarting the registry items cannot be cleared in the correct way!

    3, automatic loading of multiple ways
    The network real name and Yahoo assistant statement to automatically loaded with standard system interfaces, and use these standard interfaces to the fullest!
    The assistant of Yahoo adds CNSMIN, Helper.dll, Minimsgr, YASSISTSE, YLIVE and other automatic loading modules to the RUN key items under the registry HLM, and they still exist after uninstallation and restart (Figure 15);

    Loaded the CNMINPK.SYS module through the driver mode to achieve the process hiding, and it cannot be detected through the MSCONFIG of the system itself; Realize cross installation, repair, loading;

    ⑷ The function of automatic loading is implemented by embedding the browser;

    ⑸ uninstall the repair options in the dialog box through each module to induce users to induce users While uninstalling a module, repair and automatically load other modules;

    ⑹ By bundling into some third -party installation programs, automatic installation and automatic loading are achieved during the installation process.

    FIG. 15 The module that is still automatically restarted after uninstallation

    4, the process of self -guard

    There will be three processes, of which the two processes displayed by Rundll32.exe can automatically cross -repair, that is, one process is the guardian process of another process. Therefore, using the Windows task manager cannot smoothly close them from memory. I believe most people have a deep understanding!

    FIG. 16 Create multiple processes and self -guard

    5, browser loading of the implant system

    Multiple browsers in the system. The user's browser has become a wealth base for several major companies. The rest is not bad, I didn't take the knife to grab the money directly

    6, the various unrelated buttons of the automatic implantation of the browser toolbar
    haha, after the installation, what yahoo! The messy button has installed it for you, and even the resource manager has not been let go.

    7, the control panel adds excess items in the list of delete procedures
    In when the Yahoo assistant is installed, the control panel will be added Program project.

    8, the system service table of the implant system

    When the system service descriptor table (SSDT) is inspected with the security tool IceSword, you can find that, besides the ntoskrnl.exe system core, there is the "CNSMINKP.SYS" of the online real name and Yahoo assistant. People who are programming know what level of this, and ordinary netizens are "not looking at it." It can be seen that Kung Fu really came home! (Figure 18)

    9. The automatic created thread conditions

    From the figure it can be seen that the proportion of threads automatically created by Yahoo Assistant and its modules is surprising! This picture shows the creation of threads without opening any browser and other related windows (some need to be rolled to view) (Figure 19)

    10, message hook running in the background

    people who are interested can look at the hook type in the picture and see what the large number of hook functions used by Yahoo Assistant are doing. (Figure 20)

    12, Yahoo Assistant Yassist4.exe opens the local 1028 port, the effect is unknown (Figure 22)

    13, implanted Internet option settings
    The figure is the "advanced" settings implanted in the Internet option. Look, there is a "automatic upgrade" function, what new means or ideas, and then try it in your system? (Figure 23)

    Analysis of the real name and Yahoo assistant uninstalling situation
    Someone wrote in the network card that Yahoo Assistant can now uninstall it cleanly through its uninstallation program. Is this really the case? Please see:
    1, "completely delete" and "completely uninstalled" uninstallation commitment
    as shown in the figure, regardless of the real name of the network or Yahoo assistant, the uninstallation program promised "the Yahoo Assistant completely deletes from the computer completely from the computer. "And" completely uninstall the real -name plug -in and close the real -name function. "
    The promise of the uninstallation interface (Figure 24)

    2, completely uninstalled incomplete

    Yahoo assistant successfully uninstalled and restarted in the resource manager. Windows cannot be seen in the resource manager. There are any files in the Program Files folder (even if you set the resource manager to display all files and display system files). But using the famous Total Commander file manager, I found a hidden file of ZSMOD.DLL!

    The hidden files that the resource manager cannot see after the resumption of the resumption (Figure 25)
    if the assistant is uninstalled and restarted There are 30 files and 1 folder!

    The Yahoo assistant uninstalled a large number of files hidden in the system directory after the restart (Windows resource manager cannot be checked in any way, Total Commander can be displayed) (Figure 26)

    Searching for the keyword ZSMOD.DLL in the registry editor shows that this file is not a "forgotten" dead file, but has a corresponding registry key value!

    The key value retained in the registry after uninstalling and restarting (Figure 27)

    After uninstalling Yahoo Assistant successfully and restarting, checking the BHOs (browser helper objects) shows that the system still retains two BHO objects, YDT and CNSHOOK.DLL!

    The browser helper object modules still preserved after uninstalling and restarting (Figure 28)

    After Yahoo Assistant was successfully uninstalled and the computer restarted, checking the startup items shows that three automatically loaded program entries still exist: Helper.dll, ydtmain.exe and CNSMIN! (Figure 29)

    Checking the kernel modules loaded by the system shows that CNSMINKP.Sys, which is loaded in the form, is still successfully loaded! (Figure 30)

    Searching for CNSMINKP.Sys in the registry editor after uninstalling successfully and restarting finds three hidden service keys (pictured) in the registry. The operation is completely a scam, and its basic functions are not affected at all. At most, the small icons that provide "service" to the user are gone! Of course, the cnsminkp.sys file in the system Drivers directory is still intact and undamaged! (Figure 31)

    In the system processes, as shown in the figure, the three mutually guarding RUNDLL32.exe processes are still quietly there!

    This shows that the above is the truth of the so-called "deleting Yahoo Assistant from the computer completely"!

    Do you really want to remove them completely? Yes: manually uninstall the two Yahoo Assistant modules that the user was not informed of, from the program removal list (pay attention to read the relevant options clearly when uninstalling!). The table was cleared. But the hidden Zsmod.dll file in the Windows Program Files folder and the related registry keys will never be cleared! (Figure 32)

    3. The two additionally installed modules must be uninstalled separately

    Figure 33 shows the garbage program that is forcibly installed without being made clear during installation. (Figure 33)

    4. During the uninstallation process, it is still trying to cross repair
    During the process of uninstalling these additional program modules, there is an option containing the word "uninstall" that is selected by default:
    "Reserve the Internet assistant and other buttons after uninstalling the network"

    If you only read the first half of the sentence and think you have chosen to "uninstall them", then you are wrong!

    It can be seen that Yahoo has studied users' psychology and computer usage habits very thoroughly, and everything that can be used is fully used! (Figure 34)

    The legal and moral analysis of the overall behavior of Yahoo Assistant
    1. The moral analysis of Yahoo Assistant and Yahoo Assistant
    Forcibly implanting other program modules.
    The system driver does not even stay out of safe mode. Even Windows offers safe mode with a network connection as a separate item, while Yahoo Assistant makes no such distinction: regardless of whether the user uses the network, it is loaded without asking.

    2. Legal analysis of Yahoo Assistant and Yahoo Assistant

    Additionally installed programs infringe the right to know;

    Modules that have not been permitted by the user and that repair each other;

    Automatic infection, automatic planting, hiding itself, occupying system resources, interfering with users' Internet activities, directly or indirectly bringing bad data into the system, being extremely difficult to remove and loading automatically through multiple channels ... it already has complete virus characteristics;

    3. Yahoo Assistant and Yahoo Assistant's impact on national security and cultural orientation

    The hard work and frugality turns to the peaceful evolution of the sound of the dogs and horses.
    To dominate China's network security pulse, just master Yahoo Assistant;
    To change the cultural orientation of Chinese netizens, just use Yahoo Assistant;
    To launch network paralysis against China, just go through Yahoo Assistant!

    All these, Yahoo Assistant is already doing it, and it is done well!

    You can check the picture on /whpd/print.asp?articleid=1310.

    This rabbit has been updated twice in a day because Yahoo Assistant prevented the operation of the Super Rabbit system.

    "Yahoo Assistant" or "Yahoo Killer", you know when you watch it.
    I wish you success!
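
The comment above checks four places for leftovers after the uninstall: autostart entries, browser helper objects, service/driver keys and hidden files. The script below is an added example, not part of the comment and not any vendor's tool, that repeats those checks in one pass. The file-name list holds only names quoted in the comment and is an assumption about what to look for, not a complete indicator set.

```powershell
# File names quoted in the comment above; treat the list as incomplete.
$names   = 'zsmod.dll', 'cnshook.dll', 'cnsminkp.sys', 'ydtmain.exe'
$pattern = ($names | ForEach-Object { [regex]::Escape($_) }) -join '|'
$hits    = New-Object System.Collections.Generic.List[object]

# Record a finding only when its data mentions one of the listed file names.
function Add-Hit([string]$Kind, [string]$Location, [string]$Data) {
    if ($Data -match $pattern) {
        $hits.Add([pscustomobject]@{ Kind = $Kind; Location = $Location; Data = $Data })
    }
}

# 1. Autostart entries in the machine and user Run keys.
foreach ($path in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                  'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run') {
    if (-not (Test-Path -LiteralPath $path)) { continue }
    $key = Get-Item -LiteralPath $path
    foreach ($value in $key.GetValueNames()) {
        Add-Hit 'Run' "$path\$value" ([string]$key.GetValue($value))
    }
}

# 2. Browser Helper Objects: each subkey is a CLSID; resolve it to its DLL path.
$bhoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
if (Test-Path -LiteralPath $bhoRoot) {
    foreach ($bho in Get-ChildItem -LiteralPath $bhoRoot) {
        $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$($bho.PSChildName)\InprocServer32"
        if (Test-Path -LiteralPath $server) {
            Add-Hit 'BHO' $bho.PSChildName ([string](Get-Item -LiteralPath $server).GetValue(''))
        }
    }
}

# 3. Services and kernel drivers whose ImagePath points at a listed file.
foreach ($svc in Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue) {
    Add-Hit 'Service' $svc.PSChildName ([string]$svc.GetValue('ImagePath'))
}

# 4. Files on disk; -Force includes entries carrying the hidden and system attributes.
$dirs = $env:ProgramFiles, (Join-Path $env:windir 'System32')
Get-ChildItem -Path $dirs -Include $names -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Hit 'File' $_.FullName $_.Name }

$hits | Sort-Object Kind, Location | Format-Table -AutoSize -Wrap
```

Run it from an elevated prompt. A file concealed by a loaded driver rather than by attributes may not appear in step 4, so the registry results in steps 1 to 3 should be read on their own; on 64-bit Windows, 32-bit components register under `WOW6432Node`, which this script does not cover.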
