Home > Others

syswin7z.jmp syswin7z.sys Trojan Virus Manual Deletion method _ virus killing

Source: Internet
Author: User
Tags manual win32
Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more >

Virus name: Trojan-psw.win32.qqpass.ajo (Kaspersky)
Virus alias: WORM.WIN32.PABUG.CF (Rising), win32.troj.qqpasst.ah.110771 (Poison PA)
Virus size: 32,948 bytes
Adding Shell way: UPX
Sample MD5:772F4DFC995F7C1AD6D1978691190CDE
Sample sha1:e9d2bcc5666a3433d5ef8cc836c4579f03f8b6cc
Associated virus:
Transmission mode: Through malicious Web page transmission, other Trojan download, USB drive and mobile hard disk transmission


Technical analysis
==========


After the Trojan is run, copy itself to:
  
Code:
%ProgramFiles%\Internet explorer\plugins\syswin7z.jmp
%ProgramFiles%\Internet Explorer\plugins\winsys8z.sys


To create Shellexecutehooks startup information:


Code:
[Hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{f81f75c9-f974-4772-b72d-f28cbcd98c5f}" = ""

[Hkey_classes_root\clsid\{f81f75c9-f974-4772-b72d-f28cbcd98c5f}\inprocserver32]
@= "%ProgramFiles%\Internet Explorer\plugins\syswin7z.sys"
Code:
[HKEY_CURRENT_USER\SOFTWARE\TENCENT\DETA3]
"Ft"


Locate the native E disk and generate it in its root directory:
Autorun.inf and Autorun.exe files, trying to spread through a USB drive.

Trojan virus running automatically from the user QQ randomly select friends, composed of temporary discussion group. It will send the content to the group's friends as "Www.fxxxxx.cn/1651.rar here are my photos help me to the top remember to reply to me oh click on the download" message. Other users in the discussion group may be infected by opening a file in the link. Trojans will visit the network to download other viruses, trojans or [url=http://www.pxue.com/tag/93/1.html] malware programs [/url] to the temp directory and run.


Cleanup steps
==========

1. Delete the shellexecutehooks created by the Trojan (Start menu-run-enter "regedit" into the registry in turn to find instructions and follow the prompts):
Code:
  
Code:
[Hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
' {f81f75c9-f974-4772-b72d-f28cbcd98c5f} '

[hkey_classes_root\clsid\{f81f75c9-f974-4772-b72d-f28cbcd98c5f}]


2. Restart your computer

3. Delete Trojan file:
  
Code:
%ProgramFiles%\Internet explorer\plugins\syswin7z.jmp
%ProgramFiles%\Internet Explorer\plugins\winsys8z.sys

If e disk exists, delete:
  
Code:
E:\Autorun.inf
E:\Autorun.exe


4. Delete Registry information (Start menu-run-enter "regedit" to enter the registry in order to find instructions and follow the prompts):
  
Code:
[HKEY_CURRENT_USER\SOFTWARE\TENCENT\DETA3]

This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

Related Keywords:
define trojan horse virus trojan virus scanner trojan virus on iphone trojan horse virus example virus worm trojan horse trojan horse virus removal trojan worm virus removal

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

What's Trending
Top 10 Tags
datastax versions naming convention zookeeper client class definition md5 microsoft sql server 2005 data structures exception handling error handling
Top 10 Keywords
microsoft download center down wordpress address url site address url wordpress address url windows installer 4 0 download 302 not found web address url definition site address url wordpress db2 integer mac os installation step by step pdf abbreviation for return

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

  • Sales Support

    1 on 1 presale consultation

    Chat Contact Sales

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

    Open a Ticket

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

    Learn More