W32.Gosys
W32.Gosys is a malicious worm that spreads via computer networks. It opens a back door on the compromised computer and may cause additional damage to the system by recording keystrokes, updating itself and downloading files to execute commands. Once installed, W32.Gosys creates files in the main Windows OS directories. It also creates or modifies certain registry entries so that it runs whenever Windows starts.
File System Modifications
- The following files were created in the system:
| # | File Name |
|---|-----------|
| 1 | %UserProfile%\Application Data\mrsys.exe |
|   | %UserProfile%\Local Settings\Temporary Internet Files\Content.IE5\4H67CTM7\3picsys[1].gif |
|   | %UserProfile%\Local Settings\Temporary Internet Files\Content.IE5\GTYN8HUZ\cmsys[1].gif |
|   | %UserProfile%\Local Settings\Temporary Internet Files\Content.IE5\W9UNG1MR\2picsys[1].gif |
| 2 | %UserProfile%\Application Data\stsys.exe |
|   | %System%\blsys.bln |
|   | %System%\cmsys.cmn |
|   | %System%\explorer.exe |
|   | %Windir%\2clksys1.ptn |
|   | %Windir%\2clksys2.ptn |
|   | %Windir%\2clksys3.ptn |
|   | %Windir%\2clksys4.ptn |
|   | %Windir%\2dclsys1.ptn |
|   | %Windir%\2entsys1.ptn |
|   | %Windir%\2entsys2.ptn |
|   | %Windir%\2picsys.cpn |
|   | %Windir%\3clksys1.ptn |
|   | %Windir%\3clksys2.ptn |
|   | %Windir%\3clksys3.ptn |
|   | %Windir%\3clksys4.ptn |
|   | %Windir%\3dclsys1.ptn |
|   | %Windir%\3entsys1.ptn |
|   | %Windir%\3entsys2.ptn |
|   | %Windir%\3picsys.cpn |
|   | %Windir%\blsys.bln |
|   | %Windir%\spoolsv.exe |
|   | %Windir%\svchost.exe |
Registry Modifications
- The following registry values were newly created:
HKEY..\..\..\..{Subkeys}
  - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"ShowSuperHidden" = "0"
  - HKEY_CURRENT_USER\Software\VB and VBA Program Settings\Explorer\Process\"LO" = "0"
  - HKEY_CURRENT_USER\Software\VB and VBA Program Settings\Explorer\Process\"BL" = "c:\tools\regshot.exe"
  - HKEY_CURRENT_USER\Software\VB and VBA Program Settings\Explorer\Process\"NF" = "0"
  - HKEY_CURRENT_USER\Software\VB and VBA Program Settings\Svchost\Process\"BL" = "c:\tools\regshot.exe"
  - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\"StubPath" = "%UserProfile%\Local Settings\Application Data\mrsys.exe MR"
  - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\"StubPath" = "%UserProfile%\Local Settings\Application Data\mrsys.exe MR"
  - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Shell" = "%Windir%\explorer.exe, c:\windows\system32\explorer.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\..{RunKeys}
  - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\"Explorer" = "c:\windows\system32\explorer.exe RO"
  - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\"Svchost" = "c:\windows\svchost.exe RO"