Manually check and kill Win32/Pacex.Gen, Win32/Genetik, Win32/PSW.Agent.NCC, Win32/PSW.QQPass.VD virus

This article is reproduced from: https://www.cnblogs.com/lingyun_k/archive/2007/04/01/695895.html Author: lingyun_k Please indicate the statement when reprinting.

While browsing the Internet today, NOD32 kept raising alerts for the many viruses and Trojans listed in the title. They are in fact one piece of malware, and NOD32 could not remove it completely.
Virus source

http://quxiuu.com/mimimi/jink.exe ; the file name jink.exe changes constantly, for example to jinl.exe, jinf.exe, jinj.exe, and so on.

Virus characteristics

The virus should be a Trojan horse, because I noticed that the Terminal Services service had been started and could not be stopped. Normally I stop a number of unused system services after installing the system, and Terminal Services is one of them. I don't know which web page I opened, but it caused the virus to keep writing files into the C:\Documents and Settings\Administrator\Local Settings\Temp directory; these files are jinl.exe, jinf.exe, jinj.exe, jink.exe, and the file names are random.

Virus analysis

First, I checked the startup items and found several extra entries, such as Servere, c0nime, crasos, rundl132, winlog0n, and servicer. The executable files behind these startup items are in the C:\Documents and Settings\Administrator\Local Settings\Temp directory. I cleared these startup items first, then went to the C:\Documents and Settings\Administrator\Local Settings\Temp directory and deleted everything in it; the only files left that could not be deleted were Gjzo0.dll, LgSy0.dll, Msxo0.dll, Qqzo0.dll, Rav20.dll, Rav30.dll and Wmzo0.dll, which should be dynamic link libraries used by the Trojan.

The next step was to find the process hosting the Trojan. I opened a process manager (note: I use the process manager in Windows Optimizer) and checked the process list, but found no suspicious process, so I suspected it had embedded itself in a system process; viruses and Trojans generally like to parasitize system processes such as EXPLORER.EXE, IEXPLORE.EXE and SVCHOST.EXE. I therefore went through the list of modules loaded by each of these processes, and sure enough, the modules Gjzo0.dll, LgSy0.dll, Msxo0.dll, Qqzo0.dll, Rav20.dll, Rav30.dll and Wmzo0.dll were found inside the EXPLORER.EXE process.

Virus removal

Having found the Trojan's hiding place, killing it is very simple. I first open the Windows Task Manager, find the EXPLORER.EXE process and end it (the desktop and taskbar disappear at this point; do not minimize Task Manager). Then I delete Gjzo0.dll, LgSy0.dll, Msxo0.dll, Qqzo0.dll, Rav20.dll, Rav30.dll and Wmzo0.dll from the Temp directory. Because the desktop and taskbar have disappeared, deleting them may seem awkward, but all you need is an application that can open a file dialog, which is why I said earlier not to minimize Task Manager: use Task Manager -> File -> New Task, browse to the Temp folder in the file dialog that pops up, and delete these files one by one (note: choose "All Files" in the file type drop-down at the bottom of the dialog, since only executable files are shown by default). Finally, in Task Manager -> File -> New Task, locate the EXPLORER.EXE file in the system's Windows folder (WINNT on Windows 2000 and NT), click OK, and the Trojan is completely removed.

Note: the Trojan does not infect the EXPLORER.EXE file itself, because Windows has a mechanism that protects system files; if the file has been infected, copy a clean one from a normal machine and run that.
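As an added example that is not part of the original post, the following PowerShell script automates the two checks the article performs by hand: Run-key autorun entries whose target lives in the user's Temp directory, and modules loaded into EXPLORER.EXE (and the other common host processes named above) from Temp or matching the DLL names reported in the article. It is read-only and deletes nothing; the DLL watchlist is taken from the page and can be extended.

```powershell
# Added example, not from the original post. Read-only audit for the symptoms
# the article describes: autoruns pointing into %TEMP% and DLLs injected into
# explorer.exe from %TEMP%. Run in an elevated PowerShell for full module access.
$temp = [System.IO.Path]::GetFullPath($env:TEMP)
# DLL names reported in the article (watchlist); extend as needed.
$knownDlls = 'Gjzo0.dll','LgSy0.dll','Msxo0.dll','Qqzo0.dll','Rav20.dll','Rav30.dll','Wmzo0.dll'

function Test-UnderTemp([string]$Path) {
    # True when $Path resolves to a location inside the user's Temp directory.
    if ([string]::IsNullOrWhiteSpace($Path)) { return $false }
    try { $full = [System.IO.Path]::GetFullPath($Path.Trim('"')) } catch { return $false }
    return $full.StartsWith($temp, [System.StringComparison]::OrdinalIgnoreCase)
}

# 1. Autorun entries (HKLM/HKCU Run and RunOnce) whose command lives in Temp.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip provider metadata (PSPath, PSParentPath, ...)
        $cmd = [string]$p.Value
        # Executable is the first quoted token, otherwise the first whitespace-delimited token.
        $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split '\s+')[0] }
        if (Test-UnderTemp $exe) {
            Write-Output "SUSPICIOUS autorun: $key\$($p.Name) -> $cmd"
        }
    }
}

# 2. Modules loaded into explorer.exe and other common hosts, from Temp or on the watchlist.
foreach ($proc in Get-Process -Name explorer, iexplore, svchost -ErrorAction SilentlyContinue) {
    $mods = @()
    try { $mods = @($proc.Modules) } catch { }   # access can be denied for protected processes
    foreach ($m in $mods) {
        $fromTemp = Test-UnderTemp $m.FileName
        $onList   = $knownDlls -contains $m.ModuleName   # -contains is case-insensitive
        if ($fromTemp -or $onList) {
            Write-Output ("SUSPICIOUS module in {0} (PID {1}): {2}" -f $proc.ProcessName, $proc.Id, $m.FileName)
        }
    }
}
```

A hit in the second loop identifies the host process to end before the DLLs in Temp can be deleted, which is the order the article follows.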
