Finally found the complete solution to the dl1.exe virus

Source: Internet
Author: User
Tags: delete key, safe mode, win32
Dl1.exe is the process name shown in Task Manager for the virus called Worm.Win32.Delf.cc (Dove).

The symptoms of this virus are:
1. Breaks Safe Mode
2. Hidden files cannot be shown
3. Terminates common anti-virus software and common security tool processes
4. Monitors window titles and closes security-related windows
5. IFEO (Image File Execution Options) image hijacking
6. Spreads through removable storage

After the virus runs:
Under C:\Program Files\Common Files\Microsoft Shared\msinfo\ it drops a DLL whose file name is a random combination of 8 digits and letters, together with a DAT file of the same name.
Here it is C:\Program Files\Common Files\Microsoft Shared\msinfo\41115bdd.dll.
This DLL is injected into the explorer process.
It terminates (including but not limited to) the following processes:
360rpt.exe
360Safe.exe
360tray.exe
Adam.exe
AgentSvr.exe
AppSvc32.exe
Autoruns.exe
Avgrssvc.exe
AvMonitor.exe
Avp.com
Avp.exe
CCenter.exe
CcSvcHst.exe
FileDsty.exe
FTCleanerShell.exe
HijackThis.exe
IceSword.exe
Iparmo.exe
Iparmor.exe
IsPwdSvc.exe
Kabaload.exe
Kascrscn.scr
KASMain.exe
KASTask.exe
KAV32.exe
KAVDX.exe
KAVPFW.exe
KAVSetup.exe
KAVStart.exe
KISLnchr.exe
KMailMon.exe
KMFilter.exe
KPFW32.exe
KPFW32X.exe
KPFWSvc.exe
KRegEx.exe
Krepair.com
KsLoader.exe
Kvcenter.kxp
KvDetect.exe
KvfwMcl.exe
Kvmonxp.kxp
Kvmonxp_1.kxp
Kvol.exe
Kvolself.exe
Kvreport.kxp
Kvscan.kxp
KVSrvXP.exe
Kvstub.kxp
Kvupload.exe
Kvwsc.exe
Kvxp.kxp
Kvxp_1.kxp
KWatch.exe
KWatch9x.exe
KWatchX.exe
Loaddll.exe
MagicSet.exe
Mcconsol.exe
Mmqczj.exe
Mmsk.exe
NAVSetup.exe
Nod32krn.exe
Nod32kui.exe
PFW.exe
PFWLiveUpdate.exe
QHSET.exe
Ras.exe
Rav.exe
RavMon.exe
RavMonD.exe
RavStub.exe
RavTask.exe
RegClean.exe
Rfwcfg.exe
RfwMain.exe
RfwProxy.exe
Rfwsrv.exe
RsAgent.exe
Rsaupd.exe
Runiep.exe
Safelive.exe
Scan32.exe
Shcfg32.exe
SmartUp.exe
SREng.exe
Symlcsvc.exe
SysSafe.exe
TrojanDetector.exe
Trojanwall.exe
Trojdie.kxp
UIHost.exe
UmxAgent.exe
UmxAttachment.exe
UmxCfg.exe
UmxFwHlp.exe
UmxPol.exe
UpLive.EXE.exe
WoptiClean.exe
Zxsweep.exe
These are common anti-virus products and security tools that it terminates.
These EXEs are then hijacked through IFEO (Image File Execution Options), pointing each of them to C:\Program Files\Common Files\Microsoft Shared\msinfo\41115bdd.dat.

It monitors window titles and immediately closes any window whose title contains one of the following keywords (the keywords are Chinese; English glosses are given here):
Trojan
Trojan horse
Virus
Antivirus
Virus removal
Virus scan
Anti-virus (prevention)
Anti-virus
Special removal tool
Scan and remove
Kaspersky
Jiangmin
Rising
Kaka Community
Kingsoft Antivirus (Jinshan Duba)
Kingsoft Community
360 Security
Malicious software
Rogue software
Report
Alarm
AV software
Antivirus software
Anti-hacker

All of this window monitoring and closing is done by C:\Program Files\Common Files\Microsoft Shared\msinfo\41115bdd.dll, which is injected into the explorer process.
This is more vicious than Panda Burning Incense: there is no separate process to find.
It then adds the following entry under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks:
<{15bd4111-4111-5bdd-115b-111bd1115bdd}><C:\Program Files\Common Files\Microsoft Shared\MSINFO\41115bdd.dll> [N/A]
so that it starts at boot.
The DLL also watches this registry entry and restores it immediately if it is deleted.

It deletes the keys
HKLM\SYSTEM\CONTROLSET001\CONTROL\SAFEBOOT\MINIMAL\{4D36E967-E325-11CE-BFC1-08002BE10318}
HKLM\SYSTEM\CONTROLSET001\CONTROL\SAFEBOOT\NETWORK\{4D36E967-E325-11CE-BFC1-08002BE10318}
HKLM\SYSTEM\CURRENTCONTROLSET\CONTROL\SAFEBOOT\MINIMAL\{4D36E967-E325-11CE-BFC1-08002BE10318}
HKLM\SYSTEM\CURRENTCONTROLSET\CONTROL\SAFEBOOT\NETWORK\{4D36E967-E325-11CE-BFC1-08002BE10318}
which breaks Safe Mode.

It changes HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue to 0x00000000,
so that hidden files can no longer be shown.

It drops 8668122F.exe (note: the file name differs on each computer) together with an Autorun.inf on every partition other than the system partition.
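The indicators described so far (dropped files in the MSInfo folder, the DLL injected into explorer, the IFEO hijacks, the ShellExecuteHooks autostart, the deleted SafeBoot keys, the CheckedValue change and the Autorun.inf drops) can all be checked from one read-only script. The following is an added example, not a script from the original article or from any tool it mentions; it is meant for an elevated PowerShell prompt. The folder, CLSID path and SafeBoot GUID come from the article; the "8 hex characters" file-name pattern and the HIGH/REVIEW labels are this script's own assumptions. It also goes slightly beyond the article by flagging every IFEO Debugger value and every ShellExecuteHook, not only those pointing into MSInfo, since a variant may use another path.

```powershell
# Added example (not the article's own script): read-only triage for the dl1.exe worm indicators.
# Run from an elevated PowerShell prompt; nothing is deleted or changed.

$ifeo     = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$hooks    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'
$showAll  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
$diskGuid = '{4D36E967-E325-11CE-BFC1-08002BE10318}'   # DiskDrive class; Safe Mode cannot start without it
$msinfo   = Join-Path ${env:CommonProgramFiles} 'Microsoft Shared\MSInfo'
$dropped  = '^[0-9a-f]{8}\.(dll|dat|exe)$'            # assumed pattern of the dropped 8-character files

$findings = New-Object System.Collections.Generic.List[string]

# 1. Dropped files in the MSInfo folder (the legitimate msinfo32.exe lives here too and does not match).
foreach ($f in Get-ChildItem $msinfo -File -ErrorAction SilentlyContinue) {
    if ($f.Name -match $dropped) { $findings.Add("[HIGH] dropped file: $($f.FullName)") }
}

# 2. The DLL injected into explorer.exe shows up among explorer's loaded modules.
foreach ($p in Get-Process explorer -ErrorAction SilentlyContinue) {
    try { $mods = $p.Modules } catch { continue }          # access denied / bitness mismatch
    foreach ($m in $mods) {
        if ($m.FileName -match '\\Microsoft Shared\\MSInfo\\') {
            $findings.Add("[HIGH] explorer.exe (PID $($p.Id)) has loaded $($m.FileName)")
        }
    }
}

# 3. IFEO: any Debugger value deserves a look; one pointing into MSInfo is the hijack from the article.
foreach ($k in Get-ChildItem $ifeo -ErrorAction SilentlyContinue) {
    $dbg = (Get-ItemProperty $k.PSPath -ErrorAction SilentlyContinue).Debugger
    if (-not $dbg) { continue }
    $sev = if ($dbg -match '\\Microsoft Shared\\MSInfo\\') { 'HIGH' } else { 'REVIEW' }
    $findings.Add("[$sev] IFEO $($k.PSChildName) -> Debugger = $dbg")
}

# 4. ShellExecuteHooks: value names are CLSIDs; resolve each to the DLL its InprocServer32 loads.
if (Test-Path $hooks) {
    foreach ($clsid in (Get-Item $hooks).GetValueNames()) {
        $srv = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32"
        $dll = (Get-ItemProperty $srv -ErrorAction SilentlyContinue).'(default)'
        $sev = if (-not $dll -or $dll -match '\\MSInfo\\') { 'HIGH' } else { 'REVIEW' }
        $findings.Add("[$sev] ShellExecuteHook $clsid -> $dll")
    }
}

# 5. Safe Mode: the DiskDrive class key must exist under both SafeBoot lists.
foreach ($list in 'Minimal', 'Network') {
    $k = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$list\$diskGuid"
    if (-not (Test-Path $k)) { $findings.Add("[HIGH] missing $k (Safe Mode broken)") }
}

# 6. "Show hidden files" switch: CheckedValue must be 1 for the Folder Options radio button to work.
$cv = (Get-ItemProperty $showAll -ErrorAction SilentlyContinue).CheckedValue
if ($cv -ne 1) { $findings.Add("[HIGH] SHOWALL\CheckedValue = $cv (expected 1)") }

# 7. Autorun.inf at the root of every non-system partition (the spreading mechanism).
foreach ($d in Get-PSDrive -PSProvider FileSystem) {
    if ($d.Root -eq "$env:SystemDrive\") { continue }
    $ar = Join-Path $d.Root 'Autorun.inf'
    if (Test-Path $ar -ErrorAction SilentlyContinue) {
        $findings.Add("[REVIEW] $ar present; check for an 8-character .exe beside it")
    }
}

if ($findings.Count -eq 0) { 'No indicators of the dl1.exe worm found.' } else { $findings }
```

Because the injected DLL restores its ShellExecuteHooks entry as soon as it is removed (see above), a clean result from checks 3 to 6 only means something after explorer.exe has been stopped and the dropped DLL deleted; run the script again after cleanup to confirm.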


It then downloads a self-extracting file, Dl1.exe, into the Temp folder over the network connection of the explorer process.
The self-extracting file drops C:\WINDOWS\system\20290.exe,
C:\WINDOWS\system\ad1309.exe,
C:\WINDOWS\system\DiskFree_hy1.5.exe,
C:\WINDOWS\system\dodolook027.exe and other files.
These include a driver, a Trojan, and rogue software.
After all of these files have run,
the following files have been added:

C:\WINDOWS\system32\drivers\acpidisk.sys
C:\WINDOWS\system32\drivers\tolnfo47.sys
C:\WINDOWS\system32\drivers\vilpew30.sys
C:\WINDOWS\system32\drivers\ykagjt85.sys
C:\WINDOWS\system32\1b.dll
C:\WINDOWS\system32\48a69
C:\WINDOWS\system32\60e4.exe
C:\WINDOWS\system32\7df9.dll
C:\WINDOWS\system32\91b6.dll
C:\WINDOWS\system32\b60.dll
C:\WINDOWS\system32\bpjlgv91.dll
C:\WINDOWS\system32\df91.dll
C:\WINDOWS\system32\f91b.exe
C:\WINDOWS\system32\ieagent.exe
C:\WINDOWS\system32\mprmsgse.axz
C:\WINDOWS\system32\mscpx32r.det
C:\WINDOWS\system32\MSRundll.exe
C:\WINDOWS\system32\ntprint.dIl
C:\WINDOWS\system32\tolnfo47.dll
C:\WINDOWS\system32\tolnfo47.ini
C:\WINDOWS\system32\vilpew30.dll
C:\WINDOWS\system32\wingjt85.bin
C:\WINDOWS\system32\wingjt85.dll
C:\WINDOWS\system32\winkx.dll
C:\WINDOWS\system32\winlgv91.bin
C:\WINDOWS\system32\winpew30.bin
C:\WINDOWS\system32\winpew30.dll
C:\WINDOWS\system32\ykagjt85.dll
C:\WINDOWS\system32\cewrndm.dll
C:\WINDOWS\03.bmp
C:\WINDOWS\3fa.exe
C:\WINDOWS\41115BDD.hlp
C:\WINDOWS\fa7c.txt
C:\Program files\internet explorer\plugins\system2.jmp
C:\Program files\internet Explorer\plugins\systemkb.sys
This also installs two programs: an ad-push program and one called DiskFree.


==========================================================

Dl1.exe virus removal method


First: open Task Manager and end the Explorer.exe process.
Second: use WinRAR to open C:\Program Files\Common Files\Microsoft Shared\MSInfo.
To do this, start WinRAR first, then click the "up one level" button until you reach the directory above. In MSInfo there will be files with eight-character names such as CF62255D.dll and CF62255D.exe. Delete them.
Third: start Explorer.exe.
Fourth: open the Registry Editor (Start--> Run--> regedit--> Enter).
Under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options there is a list of the disabled anti-virus programs; delete the subkey named after the relevant anti-virus program so that it can run again.
Fifth: run an anti-virus program, update it, and do a full scan. Done.
The virus is called Worm.Win32.Delf.cc (Dove). There may be variants, in which the "cc" changes to something else.
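The five manual steps above can be carried out from an elevated PowerShell prompt. The script below is an added example, not the article's own procedure or a tool it mentions. Steps 1 to 4 follow the article; step 5, which puts back the SafeBoot keys and the hidden-files switch, is added here because the article describes that damage but not its repair. The "8 hex characters" file pattern and the decision to remove only IFEO entries whose Debugger points into the MSInfo folder are this script's assumptions (a variant may point elsewhere, so review the remaining IFEO entries by hand). Export the affected registry keys with reg export before running it.

```powershell
# Added example (not the article's own script): scripted cleanup of the dl1.exe worm.
# Run from an elevated PowerShell prompt after backing up the registry.

$msinfo   = Join-Path ${env:CommonProgramFiles} 'Microsoft Shared\MSInfo'
$ifeo     = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$hooks    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'
$showAll  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
$diskGuid = '{4D36E967-E325-11CE-BFC1-08002BE10318}'   # DiskDrive class key required for Safe Mode
$dropped  = '^[0-9a-f]{8}\.(dll|dat|exe)$'            # assumed pattern of the dropped files

# Step 1: the DLL runs inside explorer.exe and restores its registry entries, so stop explorer first.
Stop-Process -Name explorer -Force -ErrorAction SilentlyContinue
Start-Sleep -Seconds 2

# Step 2: delete the 8-character DLL/DAT/EXE files dropped into the MSInfo folder.
foreach ($f in Get-ChildItem $msinfo -File -ErrorAction SilentlyContinue) {
    if ($f.Name -match $dropped) {
        Remove-Item $f.FullName -Force
        "deleted $($f.FullName)"
    }
}

# Step 3 (article step 4): remove IFEO subkeys whose Debugger value points into that folder.
foreach ($k in Get-ChildItem $ifeo -ErrorAction SilentlyContinue) {
    $dbg = (Get-ItemProperty $k.PSPath -ErrorAction SilentlyContinue).Debugger
    if ($dbg -and $dbg -match '\\Microsoft Shared\\MSInfo\\') {
        Remove-Item $k.PSPath -Recurse -Force
        "removed IFEO hijack for $($k.PSChildName)"
    }
}

# Step 4: remove the ShellExecuteHooks autostart whose CLSID resolves to a DLL in that folder.
if (Test-Path $hooks) {
    foreach ($clsid in (Get-Item $hooks).GetValueNames()) {
        $clsidKey = "HKLM:\SOFTWARE\Classes\CLSID\$clsid"
        $dll = (Get-ItemProperty "$clsidKey\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
        if ($dll -match '\\MSInfo\\') {
            Remove-ItemProperty -Path $hooks -Name $clsid
            Remove-Item $clsidKey -Recurse -Force -ErrorAction SilentlyContinue
            "removed ShellExecuteHook $clsid ($dll)"
        }
    }
}

# Step 5 (added, not in the article): restore what the worm deleted or changed.
foreach ($list in 'Minimal', 'Network') {
    $k = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$list\$diskGuid"
    if (-not (Test-Path $k)) {
        New-Item -Path $k -Force | Out-Null
        Set-ItemProperty -Path $k -Name '(default)' -Value 'DiskDrive'   # stock default for this class key
        "restored $k"
    }
}
Set-ItemProperty -Path $showAll -Name CheckedValue -Value 1 -Type DWord

# Step 6: bring the shell back; then update the anti-virus product and run a full scan (article step 5).
Start-Process explorer.exe
```

The script only touches CurrentControlSet; the ControlSet001 keys listed earlier are normally the same control set, but check the other control sets with reg query if the machine has several. Downloaded components (the drivers and DLLs under C:\WINDOWS\system32 listed above) are left to the full anti-virus scan, as in the article's last step.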
