Trojan killing method in Magic domain

Source: Internet
Author: User
Tags: manual, safe mode, win32
Dai Guangjin, an anti-virus expert at Jinshan Duba (Kingsoft Antivirus), said: "The 'Magic Domain Thief' variant MS (WIN32.TROJ.ONLINEGAMES.MS) is not an ordinary game-account-stealing Trojan. It uses a special technique to evade detection by anti-virus software, and because the virus itself has a flaw, once a user is infected the system cannot display the desktop during boot, so the user sees no desktop icons, only a blank desktop."

The expert explained that after the virus runs, it copies itself into the system directory and drops a virus file, C:\windows\system32\wsttrs.dll (win32.troj.onlinegames.nb.12288); the virus body then deletes itself.

Once a machine is infected, the virus looks for the processes of online games such as "Magic Domain" and uses a hook to read the game account and other information the user types in. The captured information is uploaded through the wsttrs.dll file to a website designated by the Trojan's operator, so the user's game account is stolen.

Jinshan Duba began detecting several variants of this virus on the 5th, and so far the Jinshan Duba customer service center has received hundreds of calls for help from users. In response to the virus's spreading characteristics, the Jinshan Duba anti-virus center promptly analyzed virus samples; Duba users only need to update their virus definitions to version 2007.04.07.16 to remove all currently known variants. For users who do not use Duba, Jinshan Duba anti-virus engineers provide the manual removal procedure below, which can be followed to eliminate the virus.

Manual removal procedure for the "Magic Domain Thief" variant MS

1. On Windows XP and later systems:
When the desktop does not appear, bring up Windows Task Manager (Ctrl+Alt+Delete), switch to the Processes tab, locate the wsttrs.exe process, right-click it and end the process; the desktop will then display normally.

2. On Windows 2000 and other systems:
Boot into Safe Mode with Networking, update Duba to the latest version (2007.04.07.16), and scan the Windows directory for the virus. After removal, restart the system and the desktop will display normally.

3. If neither of the above works, the machine may be infected with the newest variant. Boot into Safe Mode, open Registry Editor, and navigate to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce (note that the key is RunOnce, not Run).
Look for a startup value whose command points into the Windows folder or the WINNT folder of the system drive.
For example: Wstthrs  c:\windows\wsttrs.exe
or Wstthrs  c:\winnt\wsttrs.exe.
Delete that value, submit the file to Jinshan Duba, and restart the system.
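The three steps above check the same three indicators: a running wsttrs.exe process, the dropped wsttrs.dll in system32, and a RunOnce value that launches wsttrs.exe from the Windows or WINNT folder. The following PowerShell script is an added example, not part of the original article or of Jinshan Duba's tooling; it audits those indicators read-only on the local machine and reports what it finds, leaving the actual removal to the manual steps. The name `wsttrs` and the paths are taken from the article; the script assumes it is run from an elevated prompt so HKLM can be read.

```powershell
# Added example (not from the original article): read-only audit of the
# indicators described above -- the wsttrs.exe process, the dropped
# wsttrs.dll, and a RunOnce value that launches wsttrs.exe.
# Run in an elevated PowerShell prompt. It reports; it does not delete.

$indicatorName = 'wsttrs'   # file / process base name given in the article
$findings = @()

# 1. A running process named wsttrs (step 1 ends it from Task Manager).
Get-Process -Name $indicatorName -ErrorAction SilentlyContinue | ForEach-Object {
    $findings += "Process: $($_.ProcessName) (PID $($_.Id)) Path=$($_.Path)"
}

# 2. The dropped DLL in the system directory (article: C:\windows\system32\wsttrs.dll).
$dllPath = Join-Path $env:SystemRoot "system32\$indicatorName.dll"
if (Test-Path -LiteralPath $dllPath) {
    $item = Get-Item -LiteralPath $dllPath
    $findings += "File: $dllPath Size=$($item.Length) Modified=$($item.LastWriteTime)"
}

# 3. RunOnce values whose command references wsttrs.exe (step 3 deletes it).
#    HKCU is checked as well as the HKLM key named in the article.
$runOnceKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runOnceKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $props = Get-ItemProperty -LiteralPath $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip provider metadata (PSPath etc.)
        if ("$($p.Value)" -match "(?i)$indicatorName\.exe") {
            $findings += "RunOnce: $key  Name='$($p.Name)'  Value='$($p.Value)'"
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output "No $indicatorName indicators found."
} else {
    Write-Output "Indicators found ($($findings.Count)):"
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

The RunOnce check matches on the command string rather than on the value name, because the article's example value name (Wstthrs) is not guaranteed to be the same across variants while the launched file is; a value found there on a machine showing the blank-desktop symptom is what step 3 tells you to delete.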