Desktop not displayed after reboot: removal method for the account-stealing Trojan (virus removal)

Last week, the Jinshan Anti-Virus Center intercepted a Trojan whose purpose is to steal accounts for the online games "Magic Domain" and "Perfect World" and for the "Haofang game platform". The virus is named win32.troj.onlinegames.ms.18432, and since it first appeared on Thursday a number of variants have been derived from it. Jinshan's customer service center has received a large number of user complaints that the desktop does not appear after the system restarts. Jinshan Duba antivirus (virus library version 2007.04.07.16) can already detect and remove all current variants of this virus.

Virus Analysis Report:
This Trojan's purpose is to steal accounts for "Magic Domain", "Perfect World" and the "Haofang game platform". It uses a special technique to evade detection by antivirus software, and a bug in the virus author's program is probably what causes the system to fail to display the desktop normally after a restart.

1: Copy files
When the virus runs, it copies itself into the system directory as
C:\WINDOWS\system32\wsttrs.exe
and drops a second virus file
C:\WINDOWS\system32\wsttrs.dll (win32.troj.onlinegames.nb.12288)
The original file then deletes itself.

2: Add startup items
The virus adds a startup entry to the registry so that it is launched together with Windows:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
"Wsttrs" = "C:\WINDOWS\wsttrs.exe"
Probably through the Trojan author's negligence, it is this program, loaded automatically at the next boot, that prevents the system from displaying the desktop.

3: Turn off antivirus software
The virus looks for antivirus software windows and closes them. If you find that your antivirus main program has been closed, treat it as a sign of virus intrusion.

4: Steal account numbers
The virus looks for the game process of the online game "Magic Domain" and uses a hook to read the account and related information the user types in. The collected information is uploaded through the Wsttrs.dll file to a website designated by the Trojan's distributor, so the user's game account is lost.

The following is a manual removal procedure for the virus:
1. On Windows XP and later systems:
When the desktop does not appear, open Windows Task Manager (Ctrl+Alt+Delete), switch to the Processes tab, locate the Wsttrs.exe process, right-click it and choose End Process; the desktop will then display normally.

2. On Windows 2000 and other systems:
Restart the system and repeatedly press F8; in the boot menu, select "Safe Mode with Networking". Update the virus library online to the latest version (2007.04.07.16), scan the Windows directory for the virus, and after the removal restart the system; the desktop should then display normally.

3. If neither of the above succeeds, you may be dealing with the latest variant. Enter Safe Mode, open Registry Editor and navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce (note that the key is RunOnce, not Run). Find the startup entry whose program is located in the system drive's \Windows or \winnt folder.
For example:
wstthrs C:\windows\wsttrs.exe
Or
wstthrs C:\winnt\wsttrs.exe
Delete that value. Then, following the program path given in the registry, locate the virus file, press Ctrl+X to cut it and Ctrl+V to paste it onto the desktop (or elsewhere), and visit up.duba.net to submit the file to Jinshan Duba. Finally, delete the sample file and reboot the system.
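The checks in the analysis report (dropped files in system32, the RunOnce entry) and the three manual steps above can be combined into one triage-and-cleanup script. The following PowerShell is an added example written for this page, not a tool from Jinshan or from the original article; it uses only the file names, value name and registry key given above, and the `$ValueName`, `$ProcessName`, `$Quarantine` and `-WhatIf` parameters are assumptions of this example. Run it from an elevated PowerShell, preferably in Safe Mode, and use `-WhatIf` first to see what it would change.

```powershell
# Added example (not from the original article): triage and cleanup helper for the
# Wsttrs indicators described in the analysis. Paths, value name and process name
# come from the article; parameter names are this example's own assumptions.
param(
    [string]$ValueName   = 'Wsttrs',
    [string]$ProcessName = 'wsttrs',
    [string]$Quarantine  = (Join-Path $env:USERPROFILE 'Desktop\quarantine'),
    [switch]$WhatIf
)

$runOnceKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
$indicatorFiles = @(
    (Join-Path $env:SystemRoot 'system32\wsttrs.exe'),
    (Join-Path $env:SystemRoot 'system32\wsttrs.dll'),
    (Join-Path $env:SystemRoot 'wsttrs.exe')
)

# 1. Report the file indicators named in step 1 of the analysis.
foreach ($f in $indicatorFiles) {
    if (Test-Path -LiteralPath $f) { Write-Warning "Indicator present: $f" }
}

# 2. List RunOnce (step 2 of the analysis). Everything here runs once at the next
#    logon, which is exactly where the article says the faulty loader is registered.
$runOnce = Get-ItemProperty -Path $runOnceKey -ErrorAction SilentlyContinue
$suspect = $null
if ($runOnce) {
    foreach ($p in $runOnce.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own PSPath/PSDrive metadata
        Write-Host ("RunOnce: {0} = {1}" -f $p.Name, $p.Value)
        if ($p.Name -eq $ValueName) { $suspect = $p }
    }
}

# 3. Stop the running process first (manual step 1) so the file can be moved.
$procs = Get-Process -Name $ProcessName -ErrorAction SilentlyContinue
if ($procs) {
    if ($WhatIf) { Write-Host "Would stop process id(s): $($procs.Id -join ', ')" }
    else { $procs | Stop-Process -Force }
}

# 4. Remove the RunOnce value and quarantine the file it points to (manual step 3),
#    moving rather than deleting so the sample can still be submitted to the AV vendor.
if ($suspect) {
    $target = [Environment]::ExpandEnvironmentVariables(($suspect.Value -replace '"', ''))
    if ($WhatIf) {
        Write-Host "Would remove RunOnce value '$ValueName' and quarantine '$target'"
    } else {
        Remove-ItemProperty -Path $runOnceKey -Name $ValueName
        if (Test-Path -LiteralPath $target) {
            New-Item -ItemType Directory -Path $Quarantine -Force | Out-Null
            Move-Item -LiteralPath $target -Destination $Quarantine -Force
            Write-Host "Quarantined $target -> $Quarantine (submit it, then delete it and reboot)"
        }
    }
} else {
    Write-Host "No RunOnce value named '$ValueName' found; inspect the listed entries by hand."
}
```

The script lists every RunOnce value rather than only the one named above, because the article notes that newer variants may use a different entry; the operator can compare the listed paths against the \Windows or \winnt location the manual step describes. Moving the file to a quarantine folder instead of deleting it mirrors the cut-and-paste step, so the sample remains available for submission before it is finally removed.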
