How to manually clear the disk drive virus Trojan

Disk drive Trojans have recently become a hot topic in the field of security, it is reported that since the March, "Disk machine" Trojan Horse has been updated several times, infection rate and destructive power is gradually increased. The virus after the operation to shut down and prevent 360 security guards and Kabbah, rising, Jinshan, Jiangmin and other security software operation, in addition to delete the system contains "360" the words of the document. After infection, the process will be more smss.exe and Lsass.exe process, the use of Task Manager will cause the computer restart, and automatically download a large number of Trojans to the local machine.

According to the analysis, the Trojan uses the method of shutting down the security software and in the past, it is through a heap of spam messages, leading to the crash of security procedures, even icesword (ice blade) has not been spared. After it is run, it will generate Smss.exe,lsass.exe, Netcfg.dll and other files under the System32 COM directory and generate dsnq.dll files under System32, and then write a file to the startup item of the Start menu in the shutdown moment;

It is important to note that the virus uses an extremely virulent form of infection that infects all executables (*.exe) in other directories other than the SYSTEM32 directory, causing files to be infected and unable to recover some files. For detailed symptoms, please click here (Second page).

Since all executables (*.exe) are unable to run, we will manually detect the disk drive Trojan, the following steps:

1, by renaming the System32 and Dllcache directory under the Cmd.exe temporarily renamed Cm.dll (for the sake of security, the author used the WinRAR resource management function), and then restart the system to see.

Renaming with WinRAR's resource management function

2, after the reboot system, check the system32 and Dllcache directory. found that after the renaming of the Cm.dll are still in, but the System32 directory appeared a strange Cmd.exe (see the following picture). This Cmd.exe logo is different from the normal Cmd.exe, this is the virus is found from the I386 directory!

3, regardless of these, first see whether the virus file can be manually deleted (if that Cmd.exe works, then Netapi000.sys can load, the virus will run), the result of all virus files can be one by one deleted.

4, delete the System32 directory under the exception of the Cmd.exe. Change the Cm.dll in the System32 and Dllcache directories back to Cmd.exe.

Note: This test computer has only one partition, which is handled here and is finished. However, multi-partition system (general users will have multiple partitions), the non-system partition will also have a virus, remember to delete several other partitions in the virus, open the other partition point of the right mouse button-> open into, rather than directly double-click. The most important, or to use the latest virus anti-virus software overall anti-virus, remember!