W32.Gosys
W32.Gosys Description
W32.Gosys is a worm that spreads via computer networks. It opens a back door on the compromised computer and may cause additional damage to the system by recording keystrokes, updating itself and downloading files to execute commands. Once installed, W32.Gosys creates files in the main Windows OS directories. It also creates or modifies certain registry entries so that it runs whenever Windows starts. Please use an automatic removal tool to remove W32.Gosys from the system before damage occurs.
File System Modifications
- The following files were created in the system:
  1.
     - %UserProfile%\Application Data\mrsys.exe
     - %UserProfile%\Local Settings\Temporary Internet Files\Content.IE5\4H67CTM7\3picsys[1].gif
     - %UserProfile%\Local Settings\Temporary Internet Files\Content.IE5\GTYN8HUZ\cmsys[1].gif
     - %UserProfile%\Local Settings\Temporary Internet Files\Content.IE5\W9UNG1MR\2picsys[1].gif
  2.
     - %UserProfile%\Application Data\stsys.exe
     - %System%\blsys.bln
     - %System%\cmsys.cmn
     - %System%\explorer.exe
     - %Windir%\2clksys1.ptn
     - %Windir%\2clksys2.ptn
     - %Windir%\2clksys3.ptn
     - %Windir%\2clksys4.ptn
     - %Windir%\2dclsys1.ptn
     - %Windir%\2entsys1.ptn
     - %Windir%\2entsys2.ptn
     - %Windir%\2picsys.cpn
     - %Windir%\3clksys1.ptn
     - %Windir%\3clksys2.ptn
     - %Windir%\3clksys3.ptn
     - %Windir%\3clksys4.ptn
     - %Windir%\3dclsys1.ptn
     - %Windir%\3entsys1.ptn
     - %Windir%\3entsys2.ptn
     - %Windir%\3picsys.cpn
     - %Windir%\blsys.bln
     - %Windir%\spoolsv.exe
     - %Windir%\svchost.exe
Registry Modifications
- The following registry values were newly created:
  HKEY..\..\..\..{Subkeys}
     - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"ShowSuperHidden" = "0"
     - HKEY_CURRENT_USER\Software\VB and VBA Program Settings\Explorer\Process\"LO" = "0"
     - HKEY_CURRENT_USER\Software\VB and VBA Program Settings\Explorer\Process\"BL" = "c:\tools\regshot.exe"
     - HKEY_CURRENT_USER\Software\VB and VBA Program Settings\Explorer\Process\"NF" = "0"
     - HKEY_CURRENT_USER\Software\VB and VBA Program Settings\Svchost\Process\"BL" = "c:\tools\regshot.exe"
     - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\"StubPath" = "%UserProfile%\Local Settings\Application Data\mrsys.exe MR"
     - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\"StubPath" = "%UserProfile%\Local Settings\Application Data\mrsys.exe MR"
     - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Shell" = "%Windir%\explorer.exe, c:\windows\system32\explorer.exe"
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\..{RunKeys}
     - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\"Explorer" = "c:\windows\system32\explorer.exe RO"
     - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\"Svchost" = "c:\windows\svchost.exe RO"


