Manual removal method for the recently emerged Death.exe virus and its variants (no dedicated removal tool)

Source: Internet
Author: User
Tags: safe mode
Virus symptoms:

Antivirus software is disabled, hidden files cannot be displayed, the msconfig command cannot be run, many assistive tools also fail to run, and .exe and .scr files become infected after the virus has run.

Software used for manual removal:

Sreng and Xdelbox

Quote:
Virus name: trojan-downloader.win32.agent.****
Virus type: Trojan horse
Virus MD5: 2ccd81d7d358778b11de9303e0097d2d
Packer type: UPX
Written in: Borland Delphi 6.0-7.0



When the virus runs

Processes created:

Code:
C:\WINDOWS\system32\Death.exe
C:\WINDOWS\system32\Supervise.exe



Files released:

Code:
C:\WINDOWS\system32\Supervise.exe (Supervise.exe calls Net.exe to infect the local domain network and creates the file %system32%\death.sishen, into which it writes the virus information)
(Supervise.exe also opens a port, connects to the network and downloads Trojans!!! That's disgusting.)
C:\WINDOWS\system32\Death.SiShen
C:\WINDOWS\system32\Death.exe (this process generates the Supervise.exe file)



In addition, a hidden auto-run file is placed in the root directory of each partition.

Double-clicking a drive will also cause the virus to run, so right-click the drive and choose Open instead.

Registry modifications:


  
Code:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Supervise.exe"="C:\WINDOWS\system32\Supervise.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Death.exe"="C:\WINDOWS\system32\Death.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000000


Searches for the windows of antivirus and assistive software and attempts to close them.

Attempts to terminate antivirus and assistive-software processes.

Searches every disk except the system disk for .exe/.scr files to infect.
An infected .exe/.scr file is replaced outright; the replacement is 81,928 bytes in size. None of the original .exe/.scr files can be recovered. Running an infected EXE file releases the virus again!

Can spread through the local area network (Death.exe).
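As an added triage example (not code from the original post), the following Python scan walks a directory tree, flags .exe/.scr files whose size equals the 81,928-byte replacement described above, and reports whether each one's MD5 matches the sample hash quoted earlier. The tree scanned by `demo_scan()` is constructed inline from zero-filled placeholder files so the script runs offline; on a real host you would point `scan()` at the non-system drives.

```python
import hashlib
import os
import tempfile
from pathlib import Path

INFECTED_SIZE = 81_928                            # size of the replaced .exe/.scr files (from the post)
SAMPLE_MD5 = "2ccd81d7d358778b11de9303e0097d2d"   # MD5 quoted in the post
SUSPECT_EXT = {".exe", ".scr"}                    # extensions the virus replaces


def md5_of(path: Path) -> str:
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.md5()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan(root) -> list[dict]:
    """Walk root; return one record per .exe/.scr whose size equals INFECTED_SIZE."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.suffix.lower() not in SUSPECT_EXT:
                continue
            try:
                size = p.stat().st_size
            except OSError:          # unreadable entry: skip it rather than abort the sweep
                continue
            if size != INFECTED_SIZE:
                continue
            digest = md5_of(p)
            hits.append({"path": str(p), "md5": digest,
                         "known_sample": digest == SAMPLE_MD5})
    return hits


def demo_scan() -> list[dict]:
    """Scan a constructed tree of zero-filled placeholder files (not real malware)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "sub").mkdir()
        (root / "sub" / "game.exe").write_bytes(b"\0" * INFECTED_SIZE)   # matching size: flagged
        (root / "saver.SCR").write_bytes(b"\0" * INFECTED_SIZE)          # upper-case ext: flagged
        (root / "notepad.exe").write_bytes(b"\0" * 1024)                 # other size: ignored
        (root / "readme.txt").write_bytes(b"\0" * INFECTED_SIZE)         # other extension: ignored
        return sorted(scan(root), key=lambda r: r["path"])
```

A size match alone is only a lead: compare the MD5 against a current antivirus database before treating a flagged file as the known sample.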


Manual removal method:


1: Turn off System Restore and empty the IE temporary folder.

2: Boot into Safe Mode.

Terminate the Death.exe process.

3: In Xdelbox, tick the option that suppresses regeneration and delete the following files:


Code:
C:\WINDOWS\system32\Death.exe
C:\WINDOWS\system32\Supervise.exe
C:\WINDOWS\system32\Death.SiShen



4: Open Sreng and remove the following startup items:


Code:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Supervise.exe"="C:\WINDOWS\system32\Supervise.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Death.exe"="C:\WINDOWS\system32\Death.exe"



------ In Sreng, go to System Repair and repair all items.

------ Or open the registry editor (regedit) and go directly to
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL and change the CheckedValue to 1.

------ Some variants delete this CheckedValue outright; in that case you can recreate it (steps: delete the existing CheckedValue entry, right-click, choose New > DWORD Value, name it "CheckedValue", and set its value to 1).

-- Back up.


------ Manually delete the hidden auto-run file in the root directory of each disk.

------ Reboot (do not open the infected EXE or SCR files!!).


------ In Safe Mode, run an antivirus scan to delete the residual infected files, and use 360 to repair the system.

-- Reset OK.
