syswin7z.jmp syswin7z.sys Trojan Virus Manual Deletion method _ virus killing

Source: Internet
Author: User
Tags: manual, win32

Virus name: Trojan-psw.win32.qqpass.ajo (Kaspersky)
Virus alias: WORM.WIN32.PABUG.CF (Rising), win32.troj.qqpasst.ah.110771 (Poison PA)
Virus size: 32,948 bytes
Packer: UPX
Sample MD5:772F4DFC995F7C1AD6D1978691190CDE
Sample sha1:e9d2bcc5666a3433d5ef8cc836c4579f03f8b6cc
Associated virus:
Transmission mode: spread via malicious web pages, downloaded by other Trojans, and carried on USB drives and portable hard disks


Technical analysis
==========


After the Trojan runs, it copies itself to:

Code:
%ProgramFiles%\Internet explorer\plugins\syswin7z.jmp
%ProgramFiles%\Internet Explorer\plugins\winsys8z.sys


It creates a ShellExecuteHooks startup entry so that its DLL is loaded by Explorer:


Code:
[Hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{f81f75c9-f974-4772-b72d-f28cbcd98c5f}" = ""

[Hkey_classes_root\clsid\{f81f75c9-f974-4772-b72d-f28cbcd98c5f}\inprocserver32]
@= "%ProgramFiles%\Internet Explorer\plugins\syswin7z.sys"

Code:
[HKEY_CURRENT_USER\SOFTWARE\TENCENT\DETA3]
"Ft"


It looks for a local E: drive and creates Autorun.inf and Autorun.exe in its root directory, attempting to spread through USB drives.

While running, the Trojan randomly selects contacts from the user's QQ friend list and forms a temporary discussion group with them. It then sends the group a message of the form "Www.fxxxxx.cn/1651.rar here are my photos, help me get them to the top, remember to reply to me, click to download". Other users in the discussion group may be infected by opening the file behind the link. The Trojan also connects to the network to download other viruses, Trojans or malware programs into the temp directory and runs them.


Cleanup steps
==========

1. Delete the ShellExecuteHooks entries created by the Trojan (Start menu > Run > enter "regedit" to open the Registry Editor, then locate and delete the following):

Code:
[Hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{f81f75c9-f974-4772-b72d-f28cbcd98c5f}"

[hkey_classes_root\clsid\{f81f75c9-f974-4772-b72d-f28cbcd98c5f}]


2. Restart the computer.

3. Delete the Trojan files:

Code:
%ProgramFiles%\Internet explorer\plugins\syswin7z.jmp
%ProgramFiles%\Internet Explorer\plugins\winsys8z.sys

If an E: drive exists, also delete:

Code:
E:\Autorun.inf
E:\Autorun.exe


4. Delete the registry key left by the Trojan (Start menu > Run > enter "regedit" to open the Registry Editor, then locate and delete):

Code:
[HKEY_CURRENT_USER\SOFTWARE\TENCENT\DETA3]
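The four cleanup steps above, as an added PowerShell script that is not part of the original post: it audits every artifact the analysis lists (the ShellExecuteHooks value, the CLSID key, the Tencent key, the dropped files and the E: autorun files) and only removes them when run with -Remove. The -Remove switch and the fixed E: drive letter are assumptions; the script follows the page's order (hook first, then files) and warns when a file cannot be deleted yet because the hook DLL is still loaded, in which case reboot (step 2) and run it again.

```powershell
#Requires -RunAsAdministrator
param([switch]$Remove)   # without -Remove the script only reports what it finds

# Indicators taken from the analysis above; E: is the drive the page names (assumption)
$Clsid      = '{f81f75c9-f974-4772-b72d-f28cbcd98c5f}'
$HookKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'
$ClsidKey   = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid"
$TencentKey = 'HKCU:\SOFTWARE\TENCENT\DETA3'
$Plugins    = Join-Path $env:ProgramFiles 'Internet Explorer\plugins'
$Files = foreach ($n in 'syswin7z.jmp', 'syswin7z.sys', 'winsys8z.sys') { Join-Path $Plugins $n }
$Files += 'E:\Autorun.inf', 'E:\Autorun.exe'

$hits = New-Object System.Collections.Generic.List[string]

# Step 1a: the ShellExecuteHooks value named after the CLSID gets the DLL loaded into Explorer
if (Test-Path -LiteralPath $HookKey) {
    $props = Get-ItemProperty -LiteralPath $HookKey
    if ($props.PSObject.Properties.Name -contains $Clsid) {
        $hits.Add("hook value $HookKey\$Clsid")
        if ($Remove) { Remove-ItemProperty -LiteralPath $HookKey -Name $Clsid }
    }
}
# Step 1b: the CLSID registration whose InprocServer32 default value points at the DLL
if (Test-Path -LiteralPath $ClsidKey) {
    $server = (Get-ItemProperty -LiteralPath "$ClsidKey\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
    $hits.Add("CLSID key $ClsidKey (InprocServer32 = $server)")
    if ($Remove) { Remove-Item -LiteralPath $ClsidKey -Recurse -Force }
}
# Step 3: dropped files and autorun files; deletion fails while the hook DLL is still loaded
foreach ($f in $Files) {
    if (Test-Path -LiteralPath $f -PathType Leaf) {
        $hits.Add("file $f")
        if ($Remove) {
            try { Remove-Item -LiteralPath $f -Force -ErrorAction Stop }
            catch { Write-Warning "$f could not be deleted (still loaded?); reboot and run again" }
        }
    }
}
# Step 4: the key under HKCU\SOFTWARE\TENCENT
if (Test-Path -LiteralPath $TencentKey) {
    $hits.Add("registry key $TencentKey")
    if ($Remove) { Remove-Item -LiteralPath $TencentKey -Recurse -Force }
}

$mode = if ($Remove) { 'CLEANED' } else { 'FOUND' }
if ($hits.Count -eq 0) { Write-Output 'No artifacts of this Trojan found.' }
else { $hits | ForEach-Object { Write-Output "[$mode] $_" } }
```

Run it once without -Remove from an elevated PowerShell to confirm the artifacts match before deleting anything.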
