
zeroua

Veteran

Posts: 2618
Thanks: 552



O24 Section

Quote:
O24 Section

This section corresponds to Windows Active Desktop Components.

Active Desktop Components are local or remote HTML files that are embedded directly onto your desktop as a background. Infections use this method to embed messages, pictures, or web pages directly onto a user's desktop. Common examples of infections that use this method are the SmitFraud family of rogue anti-spyware programs. These infections use Active Desktop Components to display fake security warnings as the background of a user's desktop. Other infections that use this method can be found at the following links:

AVGold
Raze AntiSpyware
AlfaCleaner
TopAntiSpyware

The registry key associated with Active Desktop Components is:

Registry Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components

Each specific component is then listed as a numeric subkey of the above Key starting with the number 0. For example:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0\
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1\
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\2\

Example listings of Desktop Component entries used by SmitFraud variants are:
Example Listing

O24 - Desktop Component 0: (Security) - %windir%\index.html
O24 - Desktop Component 1: (no name) - %Windir%\warnhp.html

As it is possible someone has purposely configured an Active Desktop Component, if you see one that is unfamiliar it is advised that you ask the user if they purposely added it.

When fixing these entries, HijackThis will only remove the Desktop Component in the registry. The actual HTML file being referenced, though, will not be deleted. Therefore, if the component is malware related you should manually delete this file.

-------
Better to search Google Earth in the morning for WHERE you were drinking than YouTube for HOW...


Posted: 15:54, 28-05-2011 | #3
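
As an added example (not part of the original post and not HijackThis code), this Python script parses O24 lines in the format of the quoted listing, maps each one to its numeric registry subkey, and lists the local HTML files that stay on disk after the entry is fixed and so need manual deletion if the component is malware related. The sample log, the `WINDIR` value and the function names are assumptions made for the illustration.

```python
import ntpath
import re

# Constructed log excerpt: the first two O24 lines are the examples quoted above,
# the remaining lines are invented for this illustration.
SAMPLE_LOG = r"""
O23 - Service: Example Service - Unknown owner - C:\example\svc.exe
O24 - Desktop Component 0: (Security) - %windir%\index.html
O24 - Desktop Component 1: (no name) - %Windir%\warnhp.html
O24 - Desktop Component 2: (Team page) - http://intranet.example/start.html
"""
SAMPLE_ENV = {"WINDIR": r"C:\WINDOWS"}  # assumed value for the analysed machine

COMPONENTS_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components"
O24_LINE = re.compile(r"^O24 - Desktop Component (\d+): \((.*)\) - (.+)$")
ENV_VAR = re.compile(r"%([^%]+)%")
URL = re.compile(r"^[a-z][a-z0-9+.-]*://", re.IGNORECASE)


def expand(path, env):
    """Expand %VAR% case-insensitively, the way Windows treats variable names."""
    lowered = {k.lower(): v for k, v in env.items()}
    return ENV_VAR.sub(lambda m: lowered.get(m.group(1).lower(), m.group(0)), path)


def parse_o24(log_text, env):
    """Return one record per O24 line: registry subkey, display name, source."""
    entries = []
    for line in log_text.splitlines():
        m = O24_LINE.match(line.strip())
        if not m:
            continue  # other sections (O23 etc.) are not Desktop Components
        index, name, source = m.groups()
        remote = bool(URL.match(source))
        entries.append({
            "subkey": COMPONENTS_KEY + "\\" + index,
            # "(no name)" is how the sample listing shows an unnamed component
            "name": None if name == "no name" else name,
            "remote": remote,
            # Remote components have no local file; local paths are normalised.
            "path": source if remote else ntpath.normpath(expand(source, env)),
        })
    return entries


def files_left_after_fix(entries):
    """Local HTML files that stay on disk once the registry entry is fixed."""
    return [e["path"] for e in entries if not e["remote"]]


if __name__ == "__main__":
    for entry in parse_o24(SAMPLE_LOG, SAMPLE_ENV):
        print(entry["subkey"], "->", entry["path"])
```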