How to kill recycle.exe (Trojan-Dropper.Win32.VB.rj) Virus

Source: Internet
Author: User

I. Virus description:
The virus spreads through USB flash drives. After it runs, it copies itself to the system directory and releases a Gray Pigeon Trojan. To improve concealment, the generated virus files use two icons: the Recycle Bin icon and a security installation program icon.

II. Basic information about the virus:
Virus: Trojan-Dropper.Win32.VB.rj
Virus alias: None
Virus Type: Virus
Hazard level: 3
Infected platform: Windows
Virus size: 458,752 (bytes)
SHA1: b86e419783b2d1ca9a5d4ea7de4711cf3da7a83b
Packer type: None
Development tools: Microsoft Visual Basic 5.0/6.0

III. Virus behavior:
1. The following files are generated after the virus runs:
%WinDir%\svchost.exe (458752 bytes, Recycle Bin icon)
%WinDir%\ravfree.exe (307640 bytes, installer icon, Gray Pigeon Trojan)
%ProgramFiles%\common files\microsoft shared\msinfo\servieces.exe (307640 bytes, installer icon, Gray Pigeon Trojan)
%WinDir%\system32\_servieces.exe (307640 bytes, installer icon, Gray Pigeon Trojan)
2. It modifies the registry and adds a startup item:
Key path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Name: Shell
Value: assumer.exe %WinDir%\svchost.exe
3. It adds a service for the Gray Pigeon Trojan:
Service name: system starmize
Display name: System starmize
Description: system startup optimization
Executable file path: %ProgramFiles%\common files\microsoft shared\msinfo\servieces.exe
Startup type: Automatic
4. It modifies the system time. It runs the command cmd.exe /c Date 1980-01-01 to change the system date to January 1, 1980.
5. On removable devices such as USB flash drives, the virus is copied under the name recycle.exe and written into autorun.inf so that it spreads with the USB flash drive.
6. The Gray Pigeon Trojan released by the virus connects to the Trojan's controlling end and is controlled by it.
7. It monitors its own files and startup items to prevent their deletion.

IV. Solution:
1. Delete the startup item in the registry. Edit the registry to remove the virus startup item by deleting %WinDir%\svchost.exe from the key value:
Key path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Name: Shell
Value: assumer.exe %WinDir%\svchost.exe
2. Restart the computer and enter safe mode.
3. Delete the virus files. Delete the following files:
%WinDir%\svchost.exe
%WinDir%\ravfree.exe
%ProgramFiles%\common files\microsoft shared\msinfo\servieces.exe
%WinDir%\system32\_servieces.exe
4. Delete the service added by the virus. Open Super Patrol and use its service management function to delete the service named system starmize.
5. Correct the system time.
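
To confirm that the cleanup steps above took effect, the listed artifacts can be checked with a read-only PowerShell script. This is an added example, not part of the original article. It assumes PowerShell 3.0 or later, and it treats any Winlogon Shell value other than the Windows default explorer.exe as worth reporting.

```powershell
# Read-only check for the artifacts this article lists; nothing is modified.
$findings = @()

# Dropped files. A genuine svchost.exe lives in System32, not in %WinDir% itself.
$paths = @(
    (Join-Path $env:WinDir 'svchost.exe'),
    (Join-Path $env:WinDir 'ravfree.exe'),
    (Join-Path $env:ProgramFiles 'Common Files\Microsoft Shared\MSInfo\servieces.exe'),
    (Join-Path $env:WinDir 'system32\_servieces.exe')
)
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) {
        $f = Get-Item -LiteralPath $p -Force   # -Force also returns hidden files
        $findings += "File present: $p ($($f.Length) bytes)"
    }
}

# Winlogon Shell: report anything that is not the plain Windows default.
$key   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $key -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shell -and $shell.Trim() -ne 'explorer.exe') {
    $findings += "Winlogon Shell is '$shell' (expected explorer.exe)"
}

# Service registered for the Trojan, matched by name or by image path.
$svc = Get-CimInstance Win32_Service | Where-Object {
    $_.Name -eq 'system starmize' -or $_.PathName -like '*\msinfo\servieces.exe*'
}
foreach ($s in $svc) {
    $findings += "Service: $($s.Name) -> $($s.PathName) [$($s.StartMode)]"
}

# Removable drives (DriveType 2): recycle.exe, or an autorun.inf that references it.
foreach ($d in Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2') {
    $exe = Join-Path "$($d.DeviceID)\" 'recycle.exe'
    $inf = Join-Path "$($d.DeviceID)\" 'autorun.inf'
    if (Test-Path -LiteralPath $exe) { $findings += "Removable drive file: $exe" }
    if ((Test-Path -LiteralPath $inf) -and
        (Get-Content -LiteralPath $inf -Force -ErrorAction SilentlyContinue |
            Select-String -Pattern 'recycle\.exe' -Quiet)) {
        $findings += "autorun.inf references recycle.exe: $inf"
    }
}

# The virus sets the date to 1980-01-01, so a clock still in 1980 was never corrected.
if ((Get-Date).Year -eq 1980) {
    $findings += "System clock reads $(Get-Date -Format 'yyyy-MM-dd')"
}

if ($findings) { $findings } else { 'No listed artifacts found.' }
```

Run it from an elevated prompt after the reboot; an empty result only means these specific artifacts are gone, so a full antivirus scan is still appropriate.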

V. Suggestions for preventing the virus:
Because the virus spreads through USB flash drives, we recommend using the USB flash drive immunization feature of Super Patrol to immunize your USB flash drives, and disabling the system's autorun function. When you insert a USB flash drive into a computer, disinfect the drive before using it.
