This is a new Trojan. So far, there is no better solution on the Internet.
The following two files are infected: rundll32.exe and iw.e.exe.
Details:
Assume that the system is WinXP + SP2 and the logon username is buzdwj.
1. Under the C:\Documents and Settings\buzdwj\local settings\template directory there is a folder named eww.pdf (I didn't record the name at the time; it was the letter e followed by numbers). The folder contains four files: 1.dll, 2.exe, 3.dll and 4.dll. Note that 2.exe may be the Trojan's startup file, but specific evidence is still needed. 1.dll, 3.dll and 4.dll are all Trojan files injected into rundll32.exe and cannot be deleted directly.
In addition, there is a folder named content.IE5 (I forgot its exact location) which contains a file index.dat. This also needs to be marked and then processed.
2. In the C:\windows directory:
First, it contains a folder named webwork, which holds several dll files that cannot be deleted. They are suspected of being linked to files elsewhere, with the two sets protecting each other.
Second, there is a folder with the same name as the one in the template directory. The four files are the same, but these copies are useless and can be deleted directly. There is also a directory whose name I forgot, with four files, one exe and three dll, which can also be deleted directly. My guess is that both are mainly there to draw attention and conceal the real Trojan files.
3. There is a file named 823o01c1.dll, which is injected into C:\program files\internet explorer\iexplore.exe.
4. In the system32 directory there are several files with names made of mixed numbers and letters, which are Trojan files; I don't have the specific names. Several other folders also need to be cleaned up. Pay special attention to the dllcache folder, which is a system-protected folder: in Folder Options > View, clear the "Hide protected operating system files" check box so that it becomes visible.
5. There are tens of thousands of files named IMEXXXX.tmp in the temp directory, where XXXX is a hexadecimal number. These are temporary files generated by the Trojan files and need to be cleared.
6. Registry: webwork-related entries were added.
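As an added example (not from the original post), a small script that triages the IMEXXXX.tmp files from step 5 the same way: it matches only names of the form IME + four hex digits + .tmp and moves them into a quarantine folder instead of deleting them, so a wrong match can be restored. The sample directory is constructed, and the assumption that only the Trojan's temp files fit that exact pattern is mine.

```python
"""Triage the IMEXXXX.tmp debris described above (added example).

Assumption (not from the original post): the Trojan's temp files are the only
files in the temp directory whose names are exactly IME + four hex digits + .tmp.
Matching files are moved into a quarantine folder rather than deleted.
"""
import os
import re
import shutil
import tempfile

# Pattern from the post: IME followed by a 4-digit hexadecimal number, .tmp extension.
# Windows file names are case-insensitive, so match case-insensitively.
TMP_NAME = re.compile(r"^IME[0-9A-F]{4}\.tmp$", re.IGNORECASE)


def find_trojan_tmp_files(directory):
    """Return the sorted names of regular files in `directory` matching the pattern."""
    return sorted(
        name for name in os.listdir(directory)
        if TMP_NAME.match(name) and os.path.isfile(os.path.join(directory, name))
    )


def quarantine_tmp_files(directory, quarantine_dir):
    """Move matching files into quarantine_dir; return the number moved."""
    os.makedirs(quarantine_dir, exist_ok=True)
    moved = 0
    for name in find_trojan_tmp_files(directory):
        try:
            shutil.move(os.path.join(directory, name), os.path.join(quarantine_dir, name))
            moved += 1
        except OSError:
            # A file still held open by the injected process cannot be moved;
            # the post deals with those after ending the process / in safe mode.
            continue
    return moved


def make_sample_temp_dir():
    """Build a constructed sample directory (not real infection data) for a dry run."""
    root = tempfile.mkdtemp(prefix="ime_demo_")
    # Two matching names, one non-hex, one too short, one unrelated file.
    for name in ("IME0A1F.tmp", "imeFFFF.tmp", "IMEG123.tmp", "IME12.tmp", "report.txt"):
        with open(os.path.join(root, name), "w") as fh:
            fh.write("sample")
    return root


if __name__ == "__main__":
    root = make_sample_temp_dir()
    print("matches:", find_trojan_tmp_files(root))
    print("moved:", quarantine_tmp_files(root, os.path.join(root, "quarantine")))
```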
Solution:
The method is naturally IceSword and HijackThis, but this time those two tools alone were not enough, and Windows Process Management v4.0 was used as an aid. Clean up everything that can be removed, end the injected process, then switch to safe mode and use the three tools above to clear the file system and the registry respectively. Replace ie.e.exe and rundll32.exe. Reboot. Success.
(I have not found any suspicious files on disks other than drive C, but it cannot be ruled out that Trojan files exist on other disks.)
Afterwards: for other reasons I could not thoroughly confirm the result on my own machine after the scan and removal. However, I have preliminarily confirmed that the Trojan files have been removed, or that the files temporarily threatening system security have not attacked. If any friends are infected with this Trojan, you can send me an email.