Io.pif variant analysis and removal (also covers how to clear the avzx*, kvdx* and similar random 7-letter DLL Trojan group) (virus removal)

Source: Internet
Author: User
Tags: safe mode
File: IO.pif
Size: 19456 bytes
MD5: 90c509fa6a6c2fa798dbe1cfd7f0e4f1
SHA1: dbf721f48369cfbb2b88d0f5d707924a7fe185ec
CRC32: 9822e714

Creates the following files:
%program Files%\Common Files\services\svchost.exe
%system32%\directx10.dll
It also writes an Autorun.inf and an io.pif into the root of every partition, so that it spreads through USB flash drives and other removable storage whenever the drive is opened with autorun enabled.
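The autorun.inf the worm drops is what turns an inserted drive into an infection. The following is an added example (not code from the original write-up) that parses an autorun.inf from a drive root and reports which file it would launch; the sample file is constructed to mirror the write-up, and the parser deliberately tolerates the junk lines and odd casing that worm-written files often carry.

```python
"""Inspect a drive root's autorun.inf for the io.pif launcher.

Added example, not code from the original write-up. It parses the INI-style
autorun.inf the worm drops on every partition, pulls out every value that
AutoPlay or the drive's context menu can turn into program execution, and
reports which file on the drive root would be launched. SAMPLE_AUTORUN is
constructed; the parser itself is generic.
"""
import re
from pathlib import Path

# [autorun] values that cause execution: open, shellexecute and shell\<verb>\command.
LAUNCH_KEYS = {"open", "shellexecute"}
SHELL_CMD_RE = re.compile(r"^shell\\[^\\]+\\command$")
# First token of a command line: a quoted path or a run of non-blank characters.
FIRST_TOKEN_RE = re.compile(r'^\s*(?:"([^"]+)"|(\S+))')


def parse_autorun(text: str) -> dict:
    """Return {key: command} for each launch-capable entry in [autorun].

    Hand-rolled instead of configparser because worm-written autorun.inf
    files often carry junk lines, odd casing and NUL padding that a strict
    INI parser rejects; lines that are not key=value inside [autorun] are
    simply skipped.
    """
    entries = {}
    in_autorun = False
    for raw in text.replace("\x00", "").splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            key = key.strip().lower()
            if key in LAUNCH_KEYS or SHELL_CMD_RE.match(key):
                entries[key] = value.strip()
    return entries


def launched_program(command: str) -> str:
    """Program name a launch value points at, without arguments, quotes or directory."""
    m = FIRST_TOKEN_RE.match(command)
    if not m:
        return ""
    token = m.group(1) or m.group(2)
    return token.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze_autorun(text: str) -> dict:
    """Summarise what an autorun.inf would execute and whether it is io.pif."""
    entries = parse_autorun(text)
    programs = sorted({launched_program(v) for v in entries.values()} - {""})
    return {"entries": entries, "programs": programs, "launches_io_pif": "io.pif" in programs}


def scan_drive_root(root: Path) -> dict:
    """Read <root>\\autorun.inf (any case) and report, noting whether the launched
    program is actually present in the root, as the worm leaves it."""
    inf = next((p for p in root.iterdir() if p.name.lower() == "autorun.inf"), None)
    if inf is None:
        return {"autorun_inf": None}
    result = analyze_autorun(inf.read_text(encoding="latin-1", errors="replace"))
    present = {p.name.lower() for p in root.iterdir()}
    result["autorun_inf"] = str(inf)
    result["programs_present"] = [p for p in result["programs"] if p in present]
    return result


# Constructed sample mirroring the write-up's infection of a drive root.
SAMPLE_AUTORUN = """\
[AutoRun]
;padding line of the kind worms add to confuse naive parsers
open=io.pif
shell\\open\\Command=io.pif
shell\\explore\\command=io.pif
shellexecute="io.pif" /autorun
label=My Disk
"""

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 1:
        print(analyze_autorun(SAMPLE_AUTORUN))
    for arg in sys.argv[1:]:
        print(arg, scan_drive_root(Path(arg)))
```

Run it with drive roots as arguments (for example `python check_autorun.py E:\ F:\`) to inspect every removable drive before opening it; with no arguments it reports on the constructed sample. Opening the drive through right-click, "Open" rather than double-clicking is still required, because the parser only reads the file, it does not stop AutoPlay.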

Calls CMD and uses the net stop command to stop the following services:
McShield
Norton Antivirus Auto Protect Service
Windows firewall/internet Connection Sharing (ICS)
System Restore Service

Terminates the following processes:
Regedit.exe
Taskgmr.exe
360tray.exe
360safe.exe
Phage
Mumak Star
WoptiClean.exe
EGHOST.exe
Iparmor.exe
Mailmon.exe
KAVPFW.exe
RogueCleaner.exe

Then looks up the following registry values, in this order:
1. The AppPath value under HKEY_USERS\S-1-5-21-1801674531-1645522239-725345543-1003\Software\JetCar\JetCar\General (the SID is the infected user's account; it differs on other machines)
2. The Path value under Software\Thunder Network\ThunderOem\thunder_backwnd
3. Software\Microsoft\Windows\CurrentVersion\App Paths\msmsgs.exe
4. Software\Microsoft\Windows\CurrentVersion\App Paths\IEXPLORE.EXE
5. The TypePath value under Software\Tencent\platform_type_list\1
These yield the installation paths of Internet Express (JetCar), Thunder, MSN Messenger, IE and QQ respectively.
The first program found is started and the search stops there (so if Internet Express is installed it is launched and the remaining entries are not checked).

It starts that program and injects itself into its process space, so that the network connection appears to come from a trusted application, then downloads further Trojans from
http://*.cn/hz/1.exe through http://*.cn/hz/20.exe
into %program files%\internet Explorer\Plugins,
saved under random 8-character names made up of letters and digits.

Once the downloaded Trojans are installed they mainly create the following files (including but not limited to):
%program files%\internet explorer\plugins\syswin64.jmp
%program files%\internet Explorer\plugins\winsys64.sys
%program Files%\netmeeting\avpms.dat
%program Files%\netmeeting\avpms.exe
%program Files%\netmeeting\rav*mon.dat (* Random two-digit letter)
%program Files%\netmeeting\rav*mon.exe (* Random two-digit letter)
%systemroot%\ifc222.dll
%systemroot%\qiji.dll
%systemroot%\rx.dll
%systemroot%\sourro.exe
%systemroot%\winlogor.exe
%systemroot%\winnt.exe
%systemroot%\intent.exe
and the following Trojans with random 7-letter file names (a 4-letter prefix shared by three files, plus 3 more letters):
%system32%\avwlain.dll
%system32%\avwlamn.dll
%system32%\avwlast.exe
%system32%\avzxain.dll
%system32%\avzxamn.dll
%system32%\avzxast.exe
%system32%\kaqhacs.dll
%system32%\kaqhcaz.exe
%system32%\kaqhczy.dll
%system32%\kvdxacf.dll
%system32%\kvdxbis.exe
%system32%\kvdxbma.dll
%system32%\kvmxacf.dll
%system32%\kvmxcis.exe
%system32%\kvmxcma.dll
%system32%\rsjzafg.dll
%system32%\rsjzapm.dll
%system32%\rsjzasp.exe
%system32%\rsmyafg.dll
%system32%\rsmyapm.dll
%system32%\rsmyasp.exe

The stealer Trojans steal account names and passwords for the following online games (including but not limited to):
Dahua West Tour II
Magic Field
Perfect World
Machine warfare
Chinese
Warcraft
Asked
Journey
Blood and rivers
Miracle World
QQ

The downloaded Trojans also block Windows Automatic Updates and the Windows Firewall,
and set the system clock to January 1, 2099.

The SReng log shows the entries reproduced in the removal steps below.

Removal method:
First, remove the main virus program

1. Set the system time back to the correct date.
2. Download SReng (download address: down.45it.com).
3. Reboot into Safe Mode (press F8 repeatedly while the system starts until the boot menu appears, then select Safe Mode).

4. Double-click My Computer, then Tools, Folder Options, View: select "Show hidden files and folders" and clear the check box "Hide protected operating system files (Recommended)". When prompted to confirm the change, click Yes, then OK.

5. Right-click the C: drive (the system drive) and choose "Open" from the context menu. Do not double-click the drive: that runs its autorun.inf and launches io.pif again.

6. Delete
C:\Io.pif
C:\autorun.inf
%program Files%\Common Files\services\svchost.exe (the copy under Common Files\services, not the legitimate %system32%\svchost.exe)
%system32%\directx10.dll
7. Open every other drive the same way (right-click, "Open") and delete its Io.pif and Autorun.inf.

Second, remove the downloaded Trojans
1. Still in Safe Mode,
open SReng,
go to Startup Items, Registry, and delete the following entries:
[Hkey_current_user\software\microsoft\windows\currentversion\policies\explorer\run]
<w><%SystemRoot%\WinRaR.exe> [n/A]
<wm><%SystemRoot%\winlogor.exe> []
<wl><%SystemRoot%\intent.exe> [n/A]
<mm><%SystemRoot%\sourro.exe> []
<zx><%SystemRoot%\winadr.exe> [n/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
<ravztmon><c:\program Files\netmeeting\ravztmon.exe> []
<avpms><c:\program Files\netmeeting\avpms.exe> []
<ravwdmon><c:\program Files\netmeeting\ravwdmon.exe> []
Make sure hidden files and protected operating system files are still shown (My Computer, Tools, Folder Options, View, as in the first part; confirm with Yes, then OK).
Then delete the following files:
%program files%\internet explorer\plugins\syswin64.jmp
%program files%\internet Explorer\plugins\winsys64.sys
%program Files%\netmeeting\avpms.dat
%program Files%\netmeeting\avpms.exe
%program Files%\netmeeting\rav*mon.dat (* Random two-digit letter)
%program Files%\netmeeting\rav*mon.exe (* Random two-digit letter)
%systemroot%\ifc222.dll
%systemroot%\qiji.dll
%systemroot%\rx.dll
%systemroot%\sourro.exe
%systemroot%\winlogor.exe
%systemroot%\winnt.exe
%systemroot%\intent.exe

2. Remove the random 7-letter DLL stealer Trojans
(These are in fact variants of the *pri.dll family, and renaming still works against them. The DLLs are loaded into Explorer through ShellExecuteHooks, so they cannot be deleted while they are loaded; Windows does allow a loaded DLL to be renamed, and after a reboot the hook entries point at names that no longer exist, so nothing is loaded and the files can be deleted.)
Still in Safe Mode,
open SReng, Startup Items, Registry,
and look under [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks] for the random 7-letter DLL file names. Write them down.
Then
make sure hidden files and protected operating system files are shown (My Computer, Tools, Folder Options, View: select "Show hidden files and folders", clear "Hide protected operating system files (Recommended)", confirm with Yes, then OK).


Open C:\windows\system32 and click the Search button on the toolbar.
Under "More advanced options" enable searching hidden files and folders.

Search for each random 7-letter DLL you wrote down.

Right-click each file and rename it (for example append .bak to the name). Keep a note of exactly which files you renamed.
Then restart the computer.

Open SReng,
Startup Items, Registry, and delete the following entries (that is, every random 7-letter DLL you saw in the startup items):
[Hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
<{1E32FA58-3453-FA2D-BC49-F340348ACCE1}><C:\WINDOWS\system32\rsmyapm.dll> []
<{2C87A354-ABC3-DEDE-FF33-3213FD7447C2}><C:\WINDOWS\system32\kvdxbma.dll> []
<{3D47B341-43DF-4563-753F-345FFA3157D3}><C:\WINDOWS\system32\kvmxcma.dll> []
<{1960356A-458E-DE24-BD50-268F589A56A1}><C:\WINDOWS\system32\avwlamn.dll> []
<{12FAACDE-34DA-CCD4-AB4D-DA34485A3421}><C:\WINDOWS\system32\rsjzapm.dll> []
<{1859245F-345D-BC13-AC4F-145D47DA34F1}><C:\WINDOWS\system32\avzxamn.dll> []
<{37D81718-1314-5200-2597-587901018073}><C:\WINDOWS\system32\kaqhczy.dll> []
Then double-click the AppInit_DLLs value (under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows) and clear it, so the DLLs are no longer loaded into every process that uses user32.dll.

Finally delete the DLL files you renamed.
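The file list earlier in the write-up and the SReng entries above are the indicators a responder has to match by hand. The following is an added example (not code from the original write-up, and not part of SReng) that parses SReng-style startup lines ("[key]" headers followed by "<name><path> [flags]" entries), flags the entries matching the write-up's indicators, and prints the removal order for each. The indicator tables and the sample log are constructed from the file names in the write-up; the one GUID treated as known-good is Windows XP's own shell32 ShellExecuteHook.

```python
"""Triage an SReng startup-entry log for the IO.pif Trojan group.

Added example, not code from the original write-up or from SReng. It parses
the "[registry key]" / "<name><path> [flags]" lines SReng prints for
startup entries, flags paths matching the indicators the write-up lists and
maps each to the write-up's removal order (rename first for the hooked DLLs,
plain delete for the rest). Indicator tables and SAMPLE_LOG are constructed
from the write-up's file names.
"""
import re
from typing import NamedTuple, Optional

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
ENTRY_RE = re.compile(r"^<(?P<name>[^>]*)><(?P<path>[^>]*)>\s*\[(?P<flags>[^\]]*)\]$")

# 4-letter prefixes of the random 7-letter *.dll/*.exe group seen in the write-up.
GROUP_PREFIXES = {"avwl", "avzx", "kaqh", "kvdx", "kvmx", "rsjz", "rsmy"}
SEVEN_LETTER_RE = re.compile(r"^(?P<prefix>[a-z]{4})[a-z]{3}\.(?:dll|exe)$")
# Fixed names the write-up reports under %SystemRoot% and under NetMeeting.
WINDOWS_DROPPED = {"winlogor.exe", "sourro.exe", "intent.exe", "winnt.exe", "winadr.exe",
                   "winrar.exe", "ifc222.dll", "qiji.dll", "rx.dll"}
NETMEETING_DROPPED_RE = re.compile(r"^(?:avpms|rav[a-z]{2}mon)\.exe$")
# Windows XP's legitimate ShellExecuteHooks entry (shell32.dll); anything else is suspect.
KNOWN_GOOD_HOOKS = {"{AEB6717E-7E19-11D0-97EE-00C04FD91972}"}

RENAME_FIRST = "rename file in safe mode, reboot, then delete registry value and file"
DELETE = "delete registry value and file in safe mode"


class Finding(NamedTuple):
    key: str
    name: str
    path: str
    reason: str
    action: str


def parse_sreng(text: str) -> list:
    """Return (key, name, path) for every entry line under its [key] header."""
    entries, key = [], ""
    for line in text.splitlines():
        line = line.strip()
        s = SECTION_RE.match(line)
        if s:
            key = s.group("key")
            continue
        e = ENTRY_RE.match(line)
        if e and key:
            entries.append((key, e.group("name"), e.group("path")))
    return entries


def classify(key: str, name: str, path: str) -> Optional[Finding]:
    """Decide whether one startup entry belongs to the Trojan group, and how to remove it."""
    lower = path.replace("/", "\\").lower()
    base = lower.rsplit("\\", 1)[-1]
    in_hooks = key.lower().endswith("\\explorer\\shellexecutehooks")
    if in_hooks and name.upper() in KNOWN_GOOD_HOOKS:
        return None
    m = SEVEN_LETTER_RE.match(base)
    if m and m.group("prefix") in GROUP_PREFIXES:
        return Finding(key, name, path, f"7-letter group, prefix {m.group('prefix')}", RENAME_FIRST)
    if in_hooks and m:
        # Legitimate 7-letter names exist (wininet.dll, version.dll) but none register a hook.
        return Finding(key, name, path, "7-letter DLL registered as ShellExecuteHook", RENAME_FIRST)
    if in_hooks:
        return Finding(key, name, path, "non-default ShellExecuteHook", "verify publisher; remove if unknown")
    if base in WINDOWS_DROPPED and ("%systemroot%" in lower or "\\windows\\" in lower):
        return Finding(key, name, path, "name dropped into %SystemRoot% by the downloaded Trojans", DELETE)
    if NETMEETING_DROPPED_RE.match(base) and "\\netmeeting\\" in lower:
        return Finding(key, name, path, "name dropped into NetMeeting by the downloaded Trojans", DELETE)
    return None


def triage(text: str) -> list:
    """All findings for an SReng log, in log order."""
    return [f for f in (classify(*e) for e in parse_sreng(text)) if f]


# Constructed sample: the write-up's entries plus two benign ones to check for false positives.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
<w><%SystemRoot%\WinRaR.exe> [N/A]
<wm><%SystemRoot%\winlogor.exe> []
<wl><%SystemRoot%\intent.exe> [N/A]
<mm><%SystemRoot%\sourro.exe> []
<zx><%SystemRoot%\winadr.exe> [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
<ravztmon><C:\Program Files\NetMeeting\ravztmon.exe> []
<avpms><C:\Program Files\NetMeeting\avpms.exe> []
<ravwdmon><C:\Program Files\NetMeeting\ravwdmon.exe> []
<ctfmon.exe><C:\WINDOWS\system32\ctfmon.exe> []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
<{AEB6717E-7E19-11d0-97EE-00C04FD91972}><C:\WINDOWS\system32\shell32.dll> []
<{1E32FA58-3453-FA2D-BC49-F340348ACCE1}><C:\WINDOWS\system32\rsmyapm.dll> []
<{2C87A354-ABC3-DEDE-FF33-3213FD7447C2}><C:\WINDOWS\system32\kvdxbma.dll> []
<{3D47B341-43DF-4563-753F-345FFA3157D3}><C:\WINDOWS\system32\kvmxcma.dll> []
<{1960356A-458E-DE24-BD50-268F589A56A1}><C:\WINDOWS\system32\avwlamn.dll> []
<{12FAACDE-34DA-CCD4-AB4D-DA34485A3421}><C:\WINDOWS\system32\rsjzapm.dll> []
<{1859245F-345D-BC13-AC4F-145D47DA34F1}><C:\WINDOWS\system32\avzxamn.dll> []
<{37D81718-1314-5200-2597-587901018073}><C:\WINDOWS\system32\kaqhczy.dll> []
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.name:<40} {f.path:<45} {f.reason}\n{'':<40} -> {f.action}")
```

A 7-letter name alone is a weak signal (wininet.dll and version.dll are legitimate 7-letter system DLLs), which is why the classifier only treats it as decisive when the name sits in ShellExecuteHooks or carries one of the prefixes from the write-up; the two removal actions reproduce the order the write-up prescribes, rename-reboot-delete for hooked DLLs and a plain delete for the Run entries.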


Note: %system32% is a variable path.
On Windows 2000/NT the default is C:\winnt\system32; on Windows 95/98/Me it is C:\windows\system; on Windows XP it is C:\Windows\System32.

%systemroot% is the Windows directory.

%programfiles% is the default installation directory for programs.
