Sunday, 30 September 2012

Manually remove: Win32.TrojDownloader.NsPassT

Tools you will need:

First, run XueTr. Once it opens you will see a process marked in red named "svchost"; right-click this process and choose Force Kill.

- svchost - PID (1088)

Rename autoruns.exe (e.g. to autor9.exe) before launching it.
Open the [Image Hijacks] tab and UNCHECK EVERYTHING listed there. This is where the malware places the entries that stop you from launching cleaning tools (which is why I had you rename autoruns).

• Image Hijack registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\

Make sure you delete all of the following files:

The virus's exported function "explore" resolves ShellExecuteA, calls "explorer" and opens the current directory of each drive.
A service DLL loaded into a SVCHOST process exports a ServiceMain function as its entry point for starting the service.
If the export has a different name, such as SchedServiceMain, SvchostEntry or W32Time, that name must be configured in the registry as the data for the following value:
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\service\Parameters]
so that the DLL is executed at startup with full OS privileges.
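The two persistence points described above, the Image File Execution Options key and the DLL behind an svchost-hosted service, can be audited instead of cleaned blind. The PowerShell below is an added example, not code from the original post or from XueTr or Autoruns; it assumes Windows with PowerShell 5.1 in an elevated prompt, relies on the documented ServiceDll and ServiceMain values under each service's Parameters key, and watches for the five DLL names this post later lists as files to replace.

```powershell
# Added example (not from the original post). Assumes Windows, PowerShell 5.1,
# elevated prompt. Read-only: it reports and does not change the registry.

# 1. Image File Execution Options: a subkey named after an executable whose
#    "Debugger" value points elsewhere redirects every launch of that program,
#    which is how cleaning tools get blocked by name.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$hijacks = Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
    $dbg = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).Debugger
    if ($dbg) { [PSCustomObject]@{ Executable = $_.PSChildName; Debugger = $dbg } }
}
"--- IFEO Debugger entries ---"
$hijacks | Format-Table -AutoSize

# 2. Services hosted in svchost: Parameters\ServiceDll names the DLL that carries
#    the service entry point; the optional Parameters\ServiceMain value names that
#    export when it is not called ServiceMain. Flag DLLs outside system32, DLLs
#    missing on disk, unsigned DLLs, and the five names the post replaces.
$watched  = 'schedsvc.dll','srsvc.dll','w32time.dll','wiaservc.dll','appmgmts.dll'
$system32 = Join-Path $env:SystemRoot 'system32'
$services = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
  ForEach-Object {
    $params = "$($_.PSPath)\Parameters"
    if (-not (Test-Path $params)) { return }          # return = skip this service
    $p = Get-ItemProperty -Path $params -ErrorAction SilentlyContinue
    if (-not $p.ServiceDll) { return }
    $dll    = [Environment]::ExpandEnvironmentVariables($p.ServiceDll)
    $exists = Test-Path -LiteralPath $dll
    [PSCustomObject]@{
        Service    = $_.PSChildName
        ServiceDll = $dll
        EntryPoint = if ($p.ServiceMain) { $p.ServiceMain } else { 'ServiceMain' }
        Exists     = $exists
        InSystem32 = $dll -like "$system32\*"
        # Catalog-signed system files may report NotSigned on older Windows.
        Signature  = if ($exists) { (Get-AuthenticodeSignature -FilePath $dll).Status } else { 'n/a' }
        Watched    = $watched -contains (Split-Path $dll -Leaf)
    }
  }
"--- svchost service DLLs worth a second look ---"
$services | Where-Object { $_.Watched -or -not $_.Exists -or -not $_.InSystem32 -or $_.Signature -ne 'Valid' } |
  Format-Table -AutoSize
```

A watched DLL that sits in system32 with a valid Microsoft signature is the normal state; the rows to act on are the ones with a foreign path, a missing file or a signature status other than Valid.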

So let's take a look at how it works:

Next, download replacements for the files we deleted and copy them into the system directory:

schedsvc.dll
srsvc.dll
w32time.dll
wiaservc.dll
appmgmts.dll

Delete the entries added to the Windows hosts file, which is found at %SystemRoot%\system32\drivers\etc\hosts.

Now restart your computer and relax.