What is usp10.dll?
Usp10.dll is a character display script application interface related file.
Check and and file hashes
CRC32: 9DA76CA6
MD5: 06E2 217D 2AF7 50D6 69C8 AACE DD28 090B
SHA1: 7B9A 2876 45A6 A25B 8867 0229 49FE D6E6 816F 6A32
Principle of USP10.dll virus:
The normal USP10.dll is a character display script application interface related file, which exists in C:\WINDOWS\system32\USP10.dll, and may also exist in C:\WINDOWS\system32\dllcache\USP10.dll.
The usp10.dll trojan virus is started by using the window system directory priority.
First of all, this directory priority, windows system in the implementation of a file, first in the "current directory" to find the file to be executed, if the current directory does not exist in this file, it will go to windows\system32\ go look, if still If it doesn't exist, it will go to the windows\ directory to find it. If it still doesn't exist, it will look in the directory of the environment variable PATH. This is the windows directory priority.
Here I also want to tell you that an exe file execution will call a lot of DLLs in the system.
After understanding the priority of this directory and the system dll will be called when the exe application is executed, many friends may have thought about it. Why does this USP10.dll copy itself to the same directory of each executable file? Why? Is it named USP10.dll? Yes, copying itself is to let the executable file preempt the directory priority when it is executed. The name USP10.dll is because there is a USP10.dll in windows\system32\. Many applications will call this dll when it starts. This is this. The startup principle of the USP10.dll virus is gone. [1]
USP10.dll virus behavior 1 Release usp10.dll to use common software to traverse all the drives in the directory where the system is not located. If any file with exe suffix is ​​found in the directory, copy the %windir%asks\1 file and name it usp10.dll. Firmly grasp the usage habits of ordinary users, even if the system virus is reinstalled, it will restart 2 Calling TerminateProcess to end the resident process of security software, the list is as follows kavstart.exe kissvc.exe kmailmon.exe kpfw32.exe kpfwsvc.exe kwatch. Exe
Ccenter.exe ras.exe rstray.exe rsagent.exe ravtask.exe ravstub.exe
Ravmon.exe ravmond.exe avp.exe 360safebox.exe 360Safe.exe Thunder5.exe
Rfwmain.exe rfwstub.exe rfwsrv.exe
3 Adding an image hijacking of Thunder makes Thunder unable to start, as follows:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion
\Image File ExecuTIon OpTIons\Thunder5.exe
"Debugger" REG_SZ "svchost.exe"
4 Call the 360 ​​safe to uninstall the parameters to uninstall the 360 ​​safe. And by modifying the registry to close the 360 ​​monitor 5 create a thread to close the security software window such as the ice blade and change the display hidden file. If the current window's class is "AfxControlBar42s", send a WM_CLOSE message to this window, and simulate the keyboard's Enter key. .
Modify the following registry key to not show hidden files HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
"Hidden" REG_DWORD 0
"SuperHidden" REG_DWORD 0
"ShowSuperHidden" REG_DWORD 0
6 release the virus to start, and try to directly replace the input method program ctfmon.exe
7 Download a large number of hacking Trojan viruses to the user's computer [2]
The data in the computer after the virus was saved from poisoning was not completely saved. Don't be lucky after poisoning. Don't think that the computer can be used anymore. Because it is a downloader, it means that the longer it is, the more viruses and Trojans it downloads, so you need to seek medical treatment promptly after getting sick.
Reinstalling the system is the best way to not touch other partitions after reinstallation. First open my computer, display hidden files and system files, download anti-virus software and the latest virus database offline upgrade package from others' computers, copy it to the machine and install it in the C drive, upgrade the anti-virus software to the latest virus database, Other partitions perform a full scan. The general virus will be killed. Do not use your computer for other things before the killing is completed. After cleaning the virus, it can be used normally.
Lizin added:
There are some digital processes in the task manager, such as 601081 40058 11358 58254. There is no .exe behind, it is related to usp10.dll, please pay attention.
Usp10.dll will enter Program Files or be added to other programs to break the program structure. For example: login QQ, if you set a password to remember, it will help you clear all passwords.
Usp10.dll download (usp10.dll file)
10G SFP+ transceivers include SR LR, ER, ZR, and CWDM, DWDM (40km and 80km) and BIDI series. This series of products adopt LC connector, compliant with IEEE802.3ae, SFF-8472 and SFF-8431, with features of Low Power Consumption, Small Size and High-speed. They are designed for applications of Data Centers, Metro Network, Wireless Network and Transmission network.
We can provide the 10G SFP+ transceivers that compatible with most of the branded switches, such as Cisco ,Juniper ,Dell ,Arista ,Huawei ,ZTE, Brocade and so on.
10G Sfp+ Transceiver,Sfp Ethernet Transceiver,Sfp Module Transceiver,10G Connector Sfp Transceiver
Shenzhen Adela Technology Co., Ltd. , http://www.adelafiber.com