Today's infection on my machine: Trojan.psw.lmir.pj.enc

xiaoxiao 2021-03-06

When I opened "My Computer" today I couldn't see any drive letters, and the little globe in the upper-right corner just kept spinning... again and again ~_~, painful...

About this virus: a Trojan (written in Delphi, UPX-compressed).

Once the virus is running it behaves as follows. First, it copies itself into the %sysdir% directory under the file name "svch0st_.exe".

Second, it modifies the registry:

1. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run: adds the value "SVCH0ST_.EXE" with data "svch0st_.exe".

2. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon: changes the value "Shell" so that its data becomes "Explorer.exe SVCH0ST_.exe" (the correct data is "Explorer.exe").

Third, it terminates the processes of the following anti-virus and monitoring software: Symantec AntiVirus Enterprise Edition, Jiangmin KV2004 anti-virus real-time monitoring, Rising anti-virus, Tianwang firewall personal edition, Tianwang firewall enterprise edition, Mark Star, Eghost and Mailmon; it also uninstalls "Password Anti-theft Expert Comprehensive Edition".

Fourth, it drops the files "lsas.bmp" and "stak.bmp"; despite the extension, these two files are actually dynamic-link libraries. "stak.bmp" hooks the "OpenProcess" API so that other processes cannot open the "svch0st_.exe" process, which is why the "SVCH0ST_.exe" process cannot be ended. "lsas.bmp" installs mouse and keyboard hooks to steal account information for the online game "Legend" (Legend of Mir).

Oh, this virus isn't powerful, but it is very annoying once you have it. When you open "My Computer" you can't see the drive letters, and Microsoft's little globe keeps spinning as if it will wait ten thousand years...

Anyone who uses a computer (and catches this virus ^_^) will find it painful.

Here is the removal method I used:

First, end the process named SVCH0ST_.EXE.

Then go to the Winnt directory (Windows on Win9x), search for the names svch0st_.exe, lsas.bmp and stak.bmp, and delete every file found.

Then, in the registry, change HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "Shell" back to "Explorer.exe".

Done. Open "My Computer" and the little globe in the upper-right corner no longer spins.
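As an added defender-side example (not part of the original post), the following Python script turns the indicators listed above, the Run entry, the tampered Winlogon "Shell" value and the three dropped file names, into a repeatable check. It parses a registry export in the REGEDIT4 / .reg text format and a directory listing of the system directory; both inputs below are constructed samples, and the parser only handles plain string values, which is all these indicators need.

```python
"""Indicator check for the Trojan.psw.lmir.pj.enc behaviour described in the post.

Added example: parses a .reg export and a system-directory listing and reports
the registry and file indicators the post describes. Sample inputs are constructed.
"""
import re
from typing import Dict, List

# File names the post says the Trojan drops (the .bmp files are really DLLs).
DROPPED_FILES = {"svch0st_.exe", "lsas.bmp", "stak.bmp"}

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
CLEAN_SHELL = "explorer.exe"  # the only token a clean "Shell" value should contain

# Matches a string value line of a .reg export: "name"="value" (with \\ and \" escapes).
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s: str) -> str:
    """Undo the two escapes the .reg format uses inside quoted strings."""
    return s.replace("\\\\", "\\").replace('\\"', '"')


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse [key] sections and their "name"="value" string lines.

    Keys and value names are lower-cased because the registry is case-insensitive.
    Non-string values (dword:, hex:) and comments are skipped.
    """
    result: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.upper().startswith("REGEDIT") \
                or line.startswith("Windows Registry"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            result.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            result[current][_unescape(m.group(1)).lower()] = _unescape(m.group(2))
    return result


def check_registry(reg: Dict[str, Dict[str, str]]) -> List[str]:
    """Report the two registry changes the post attributes to the Trojan."""
    findings = []
    for name, data in reg.get(RUN_KEY.lower(), {}).items():
        if "svch0st_" in name or "svch0st_" in data.lower():
            findings.append(f"Run value {name!r} launches {data!r}")
    shell = reg.get(WINLOGON_KEY.lower(), {}).get("shell")
    # A tampered Shell keeps Explorer.exe and appends the Trojan, so compare token lists.
    if shell is not None and shell.lower().split() != [CLEAN_SHELL]:
        findings.append(f"Winlogon Shell is {shell!r}, expected 'Explorer.exe'")
    return findings


def check_files(system_dir_listing: List[str]) -> List[str]:
    """Return the dropped file names present in a (case-insensitive) listing."""
    return sorted(f for f in system_dir_listing if f.lower() in DROPPED_FILES)


def scan(reg_text: str, system_dir_listing: List[str]) -> Dict[str, List[str]]:
    return {"registry": check_registry(parse_reg_export(reg_text)),
            "files": check_files(system_dir_listing)}


# Constructed sample export of an infected machine (not real captured data).
SAMPLE_REG = r"""REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SVCH0ST_.EXE"="svch0st_.exe"
"ctfmon.exe"="C:\\WINNT\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe SVCH0ST_.exe"
"Userinit"="userinit.exe"
"""

# Constructed listing of the system directory.
SAMPLE_LISTING = ["notepad.exe", "svch0st_.exe", "lsas.bmp", "stak.bmp", "svchost.exe"]

if __name__ == "__main__":
    for section, items in scan(SAMPLE_REG, SAMPLE_LISTING).items():
        print(section, items)
```

On a real machine the .reg text would come from `regedit /e` (or `reg export`) of the two keys and the listing from the Winnt or Windows directory; the Shell check deliberately compares token lists rather than the whole string so that a value that still begins with "Explorer.exe" but has the Trojan appended is not mistaken for a clean one.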

Please credit the original source when reposting: https://www.9cbs.com/read-123639.html
