This article is from Kingsoft
The virus will spread through emails and cause network congestion.
Virus behavior:
The virus creates two files in the Windows\system32 directory:
1 = %sys32dir%\dllh8jkd1q8.exe
2 = %sys32dir%\kernelwind32.exe
It creates a win32.exe file under the user's profile, at the path %profile%\Local Settings\Temp\win32.exe
It creates a startup entry in the registry under:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
The virus tries to disable Task Manager.
Solution:
1. Use Kingsoft Cleaning Expert to remove the malware.
2. Alternatively, use a third-party process manager (the system's Task Manager may have been disabled) to end the virus processes:
dllh8jkd1q8.exe
kernelwind32.exe
Then manually delete the following three files:
%sys32dir%\dllh8jkd1q8.exe
%sys32dir%\kernelwind32.exe
%profile%\Local Settings\Temp\win32.exe
3. If other cleaning tools still report viruses after you have cleaned with Cleaning Expert and restarted, there are two possible reasons:
A. It may be a new variant. Please submit the full Cleaning Expert log to the forum;
B. It may be a false positive from the other removal tool. According to the assessment of Kingsoft Duba's virus analysts, a false positive is highly likely. That software is suspected of stealing Kingsoft Cleaning Expert's malware library. Kingsoft analysts deliberately set a trap, and unexpectedly the product took the bait.
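The following read-only check looks for the files, processes and Run key entry described above. It is an added example, not a Kingsoft tool. It assumes that %sys32dir% means %SystemRoot%\System32 and %profile% means %USERPROFILE%; the article does not give the name of the Run value, so the script matches on the value's data instead.

```powershell
# Added example: read-only indicator check. It reports findings and deletes nothing.
# Assumption: %sys32dir% = %SystemRoot%\System32, %profile% = %USERPROFILE%.
$fileNames = 'dllh8jkd1q8.exe', 'kernelwind32.exe', 'win32.exe'
$paths = @(
    (Join-Path $env:SystemRoot  'System32\dllh8jkd1q8.exe'),
    (Join-Path $env:SystemRoot  'System32\kernelwind32.exe'),
    (Join-Path $env:USERPROFILE 'Local Settings\Temp\win32.exe')
)
$findings = @()

# 1. Dropped files (-Force so hidden and system files are also returned).
foreach ($p in $paths) {
    $item = Get-Item -LiteralPath $p -Force -ErrorAction SilentlyContinue
    if ($item) {
        $findings += [pscustomobject]@{ Type = 'File'; Detail = $item.FullName }
    }
}

# 2. Run key values whose data mentions one of the file names.
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$key = Get-Item -LiteralPath $runKey -ErrorAction SilentlyContinue
if ($key) {
    foreach ($valueName in $key.GetValueNames()) {
        $data = [string]$key.GetValue($valueName)
        foreach ($n in $fileNames) {
            if ($data -like "*$n*") {
                $findings += [pscustomobject]@{
                    Type   = 'RunValue'
                    Detail = "$valueName = $data"
                }
            }
        }
    }
}

# 3. Running processes named in step 2 (Get-Process takes names without .exe).
$procs = Get-Process -Name 'dllh8jkd1q8', 'kernelwind32' -ErrorAction SilentlyContinue
foreach ($proc in $procs) {
    $findings += [pscustomobject]@{
        Type   = 'Process'
        Detail = "$($proc.ProcessName) (PID $($proc.Id))"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No indicators from this article were found.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

Run it once before cleaning and again after the restart: the second run should report no indicators.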