Technical Analysis
============
After the trojan is run, copy it to the system directory:
% WINDOWS % \ System \ smss.exe
And release the DLL:
% WINDOWS % \ System \ hook. dll
Release the driver foxkb. sys at the current location:
[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Services \ foxkb]
The trojan hides its own processes and manages them in the task manager, procexp, and other processes.ProgramIs invisible.
Create a startup Item:
[HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Run]
"Qqrest" = "% WINDOWS % \ System \ smss.exe"
Rewrite every 5 seconds.
Clear steps
============
1. Use icesword to end the Trojan process:
% WINDOWS % \ System \ smss.exe
2. delete the file (if you are prompted that the file cannot be deleted, download the file Trojan force deletetool from down.45it.com to force delete the file ):
% WINDOWS % \ System \ smss.exe
% WINDOWS % \ System \ hook. dll
3. Delete the trojan startup Item (detailed steps: Open Sreng-startup project-Registry): The Sreng software can also be downloaded at down.45it.com.
[HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Run]
"Qqrest" = "% WINDOWS % \ System \ smss.exe"
4. Delete the driver information added by the Trojan horse in the Registry (detailed steps: Open Sreng-Start Project-driver ):
[HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Services \ foxkb]
5. Delete the driver file released by the trojan. (If you are prompted that the file cannot be deleted, go to down.45it.com to download the file for force deletion ):
Foxkb. sys
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
