How to remove the 832823.cn "accelerator" trojan

Source: Internet
Author: User

The list below is presented as the weak-password dictionary the virus uses to spread to other machines (the original marks this as not confirmed):
901100
Mypass123
Mypass
Admin123
Mypc123
Mypc
Love
Pw123
Login
Login
Owner
Home
Zxcv
Yxcv
Qwer
Asdf
Temp123
Temp
Test123
Test
Fuck
Fuckyou
Root
Ator
Administrator
Patrick
123abc
1234 qwer
123123
121212
111111
Alpha
2600
2003
2002
Enable
Godblessyou
Ihavenopass
123asd
Super
Computer
Server
123qwe
Sybase
Abc123
Abcd
Database
Passwd
Pass
88888888
11111111
000000
54321
654321
123456789
1234567
Limit 20
5201314
Admin
12345
12345678
Mein
Letmein
2112
Baseball
Qwerty
7777
5150
Fish
1313
Shadow
1111
Mustang
Pussy
Golf
123456
Harley
6969
Password
1234
Once a machine on the LAN is infected, a reference to http://*/abc is injected into the web pages other users open, so that it runs automatically and downloads http://*/abc.cab; the result is that the 832823.cn "accelerator" control is loaded whenever any web page is opened. That control is itself a new trojan downloader.
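One way to find and remove the injected reference in web files, as an added example that is not part of the original post nor of the Iframkill tool it recommends later on. It assumes the injection is a hidden iframe (or a script/object/embed tag) whose src points at 832823.cn, at 60.190.101.206, or at the /abc path the write-up shows with a wildcard host; the exact injected markup is not in the original, the sample page is constructed, and the names find_injections, strip_injections and clean_file are mine.

```python
import re
from pathlib import Path
from urllib.parse import urlparse

# Indicators from the write-up: the domain serving the "accelerator" control and the server IP
# it recommends blocking. The injected URL is shown only as http://*/abc, so the host part is
# treated as a wildcard and the path is matched on its own (tune SUSPECT_PATHS for your site).
BLOCKED_HOSTS = {"832823.cn", "60.190.101.206"}
SUSPECT_PATHS = {"/abc", "/abc.cab"}

# Any iframe/script/object/embed tag with a src attribute, plus an immediately following closing
# tag. Assumption: the injection is a hidden iframe (the write-up recommends Iframkill, which
# targets exactly that); the original page does not show the injected markup itself.
INJECT_RE = re.compile(
    r"<(?P<tag>iframe|script|object|embed)\b[^>]*?\bsrc\s*=\s*(?P<q>[\"']?)(?P<src>[^\"'\s>]+)(?P=q)[^>]*>"
    r"(?:\s*</(?P=tag)\s*>)?",
    re.IGNORECASE,
)
HIDDEN_RE = re.compile(r"width\s*=\s*[\"']?0\b|height\s*=\s*[\"']?0\b|display\s*:\s*none", re.IGNORECASE)

# Constructed sample page: two injected hidden frames around ordinary content.
SAMPLE_PAGE = """<html><head><title>Intranet portal</title>
<script src="/js/app.js"></script></head>
<body><h1>Welcome</h1>
<iframe src="http://832823.cn/abc" width="0" height="0" frameborder="0"></iframe>
<p>Normal content</p>
<iframe src=http://60.190.101.206/abc style="display:none"></iframe>
<iframe src="https://intranet.example/calendar" width="400"></iframe>
</body></html>"""


def is_suspect(src):
    """True when the src belongs to the infection chain described above."""
    u = urlparse(src.strip())
    host = (u.hostname or "").lower()
    return host in BLOCKED_HOSTS or bool(host and u.path.lower() in SUSPECT_PATHS)


def find_injections(html):
    """List the injected tags with their src, whether they are hidden, and where they sit."""
    hits = []
    for m in INJECT_RE.finditer(html):
        if is_suspect(m["src"]):
            hits.append({"tag": m["tag"].lower(), "src": m["src"],
                         "hidden": bool(HIDDEN_RE.search(m.group(0))), "span": m.span()})
    return hits


def strip_injections(html):
    """Return the page with every injected tag cut out; everything else is left unchanged."""
    out, cut = [], 0
    for h in find_injections(html):
        start, end = h["span"]
        out.append(html[cut:start])
        cut = end
    out.append(html[cut:])
    return "".join(out)


def clean_file(path):
    """Clean one web file in place, keeping a .bak copy; returns the number of tags removed."""
    p = Path(path)
    # surrogateescape round-trips GBK or other non-UTF-8 bytes untouched.
    html = p.read_text(encoding="utf-8", errors="surrogateescape")
    hits = find_injections(html)
    if hits:
        p.with_suffix(p.suffix + ".bak").write_bytes(p.read_bytes())
        p.write_text(strip_injections(html), encoding="utf-8", errors="surrogateescape")
    return len(hits)
```

Run find_injections first and review the hits (the "hidden" flag tells you whether a frame was zero-sized or display:none, which is the usual shape of this kind of injection) before letting clean_file rewrite anything; the .bak copy keeps the infected original for later analysis.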
After the trojan above has been implanted, the SREng log of the infected machine looks like this:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<Upxdnd> <%SystemRoot%\upxdnd.exe> []
<WinForm> <%SystemRoot%\winform.exe> []
<MsIMMs32> <%SystemRoot%\msimms32.exe> []
<GenProtect> <%SystemRoot%\genprotect.exe> []
<Cmdbcs> <%SystemRoot%\cmdbcs.exe> []
<AVPSrv> <%SystemRoot%\avpsrv.exe> []
<NVDispDrv> <%SystemRoot%\nvdispdrv.exe> []
<WinSysW> <%SystemRoot%\swchost.exe> []
<KVP> <%SystemRoot%\system32\drivers\svchost.exe> []
<Kvsc3> <%SystemRoot%\kvsc3.exe> []
<WinSysM> <%SystemRoot%\igm.exe> []
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
<Comrepl32> <%SystemRoot%\system32\com\comrepl32.exe> []
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
<{383D0D27-789F-4543-9760-D4E199623476}> <%SystemRoot%\system32\ikewriyriu.dll> [Microsoft Corporation]
<{5bd31697-4503-4133-820e-fdac57af00e2}> <%ProgramFiles%\Internet Explorer\plugins\nvsys74.sys> []
<{09F8A0EB-ED61-4714-B0AD-7EAFF5361A8B}> <%SystemRoot%\system32\zhjtrx.dll> []
========================================
Running Process
[PID: 1684][%SystemRoot%\explorer.exe] [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
[%ProgramFiles%\Internet Explorer\plugins\nvsys74.sys] [N/A,]
[%SystemRoot%\system32\zhjtrx.dll] [N/A,]
[%SystemRoot%\system32\upxdnd.dll] [N/A,]
[%SystemRoot%\system32\AVPSrv.dll] [N/A,]
[%SystemRoot%\system32\MsIMMs32.dll] [N/A,]
[%SystemRoot%\system32\WinForm.dll] [N/A,]
[%SystemRoot%\system32\Kvsc3.dll] [N/A,]
[%SystemRoot%\system32\cmdbcs.dll] [N/A,]
[%SystemRoot%\system32\NVDispDrv.dll] [N/A,]
[%SystemRoot%\system32\GenProtect.dll] [N/A,]
[%SystemRoot%\system32\ikewriyriu.dll] [Microsoft Corporation, 5.1.2600.3099]
========================================
Winsock provider
MSAFD Tcpip [TCP/IP]
%SystemRoot%\system32\sqmapi32.dll (, N/A)
MSAFD Tcpip [UDP/IP]
%SystemRoot%\system32\sqmapi32.dll (, N/A)
......
Solution:
If every web page opened from the LAN loads the 832823.cn accelerator control, first locate the infected machine that is injecting the reference, then carry out the following steps on it.
Removal procedure.
SREng: http://download.kztechs.com/files/sreng2.zip
1. Remove the main virus program
(1) Start SREng.
Under Startup Items > Registry, delete the following entry:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
<Comrepl32> <%SystemRoot%\system32\com\comrepl32.exe> []
(2) Double-click My Computer, open Tools > Folder Options > View, select "Show hidden files and folders", clear the check box "Hide protected operating system files (Recommended)", and click Yes at the prompt to confirm the change.
Delete the following files:
%SystemRoot%\system32\com\comrepl32.exe
%SystemRoot%\system32\config\AppEventw.cfg
%SystemRoot%\system32\drivers\pcibus.sys
2. Remove the trojans the virus downloads (the trojans on the servers the virus connects to are updated almost daily, so the list below is for reference only; compare it against a fresh SREng log from the machine)
(1) Start SREng.
Under Startup Items > Registry, delete the following entries:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<Upxdnd> <%SystemRoot%\upxdnd.exe> []
<WinForm> <%SystemRoot%\winform.exe> []
<MsIMMs32> <%SystemRoot%\msimms32.exe> []
<GenProtect> <%SystemRoot%\genprotect.exe> []
<Cmdbcs> <%SystemRoot%\cmdbcs.exe> []
<AVPSrv> <%SystemRoot%\avpsrv.exe> []
<NVDispDrv> <%SystemRoot%\nvdispdrv.exe> []
<WinSysW> <%SystemRoot%\swchost.exe> []
<KVP> <%SystemRoot%\system32\drivers\svchost.exe> []
<Kvsc3> <%SystemRoot%\kvsc3.exe> []
<WinSysM> <%SystemRoot%\igm.exe> []
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
<{383D0D27-789F-4543-9760-D4E199623476}> <%SystemRoot%\system32\ikewriyriu.dll> [Microsoft Corporation]
<{5bd31697-4503-4133-820e-fdac57af00e2}> <%ProgramFiles%\Internet Explorer\plugins\nvsys74.sys> []
<{09F8A0EB-ED61-4714-B0AD-7EAFF5361A8B}> <%SystemRoot%\system32\zhjtrx.dll> []
Under System Repair > Advanced Repair, choose Reset Winsock, then restart the computer. The Run-key programs and the ShellExecuteHooks DLLs are loaded at logon (the hook DLLs into Explorer itself, as the Running Process list above shows), which is why the files are only deleted after the restart.
After the restart:
Double-click My Computer, open Tools > Folder Options > View, select "Show hidden files and folders", clear the check box "Hide protected operating system files (Recommended)", and click Yes at the prompt to confirm.
Delete the following files:
%ProgramFiles%\Internet Explorer\plugins\nvsys74.sys
%ProgramFiles%\Internet Explorer\plugins\nvsys74.tao
%ProgramFiles%\Internet Explorer\plugins\nvwin75.jmp
%SystemRoot%\system32\drivers\pcibus.sys
%SystemRoot%\system32\drivers\svchost.exe
%SystemRoot%\system32\AVPSrv.dll
%SystemRoot%\system32\cmdbcs.dll
%SystemRoot%\system32\djatl.dll
%SystemRoot%\system32\GenProtect.dll
%SystemRoot%\system32\gjatl.dll
%SystemRoot%\system32\ikewriyriu.dll
%SystemRoot%\system32\Kvsc3.dll
%SystemRoot%\system32\MsIMMs32.dll
%SystemRoot%\system32\msplay32.dll
%SystemRoot%\system32\NVDispDrv.dll
%SystemRoot%\system32\sqmapi32.dll
%SystemRoot%\system32\upxdnd.dll
%SystemRoot%\system32\WinForm.dll
%SystemRoot%\system32\wlatl.dll
%SystemRoot%\system32\zhjtrx.dll
%SystemRoot%\system32\zxatl.dll
%SystemRoot%\avpsrv.exe
%SystemRoot%\cmdbcs.exe
%SystemRoot%\genprotect.exe
%SystemRoot%\igm.exe
%SystemRoot%\kvsc3.exe
%SystemRoot%\msimms32.exe
%SystemRoot%\nvdispdrv.exe
%SystemRoot%\swchost.exe
%SystemRoot%\upxdnd.exe
%SystemRoot%\winform.exe
Afterwards run SREng again and confirm that none of the entries above has been recreated; if they come back, a component is still running and the machine needs another pass.
(2) Repair infected HTML and other web page files
Iframkill from CSI is recommended: http://www.vaid.cn/blog/read.php?9
3. Network administrators are advised to block this IP address: 60.190.101.206
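An added example (not from the original post and not part of SREng) that automates reading the log shown earlier and produces the removal checklist that step 2 works through by hand. It parses the three SREng sections visible on this page, flags autostart entries by the traits the log makes visible (no publisher information, an executable sitting directly in %SystemRoot%, a system-binary name in the wrong folder or a look-alike such as swchost.exe, a Policies\Explorer\Run autostart, a ShellExecuteHook other than the stock shell32.dll one, a Winsock provider that is not a stock module, a loaded module with no version resource) and renders the result as cmd.exe commands. The sample log is constructed from the entries reported above plus two stock Windows entries for contrast; the allowlists KNOWN_LSP and SYSTEM_BINARIES are my assumptions and are not exhaustive; the function names are mine. Needs Python 3.8 or later.

```python
import re
from collections import namedtuple
from difflib import SequenceMatcher

# Constructed sample in SREng's log layout: entries reported in the write-up (backslashes the
# original page lost are restored) plus two stock Windows entries for contrast.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<Upxdnd> <%SystemRoot%\upxdnd.exe> []
<KVP> <%SystemRoot%\system32\drivers\svchost.exe> []
<WinSysW> <%SystemRoot%\swchost.exe> []
<ctfmon.exe> <%SystemRoot%\system32\ctfmon.exe> [Microsoft Corporation]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
<Comrepl32> <%SystemRoot%\system32\com\comrepl32.exe> []
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
<{AEB6717E-7E19-11d0-97EE-00C04FD91972}> <%SystemRoot%\system32\shell32.dll> [Microsoft Corporation]
<{383D0D27-789F-4543-9760-D4E199623476}> <%SystemRoot%\system32\ikewriyriu.dll> [Microsoft Corporation]
<{5bd31697-4503-4133-820e-fdac57af00e2}> <%ProgramFiles%\Internet Explorer\plugins\nvsys74.sys> []
========================================
Running Process
[PID: 1684][%SystemRoot%\explorer.exe] [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
[%SystemRoot%\system32\zhjtrx.dll] [N/A,]
Winsock provider
MSAFD Tcpip [TCP/IP]
%SystemRoot%\system32\sqmapi32.dll (, N/A)
"""

KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
ENTRY_RE = re.compile(r"^<(?P<name>[^>]*)> <(?P<path>[^>]*)> \[(?P<pub>[^\]]*)\]$")
MODULE_RE = re.compile(r"^\[(?P<path>%[^\]]+)\] \[(?P<meta>[^\]]*)\]$")  # module loaded in a process
LSP_RE = re.compile(r"^(?P<path>.+?\.(?:dll|sys)) \([^)]*\)$", re.IGNORECASE)

SYSTEM32 = "%systemroot%\\system32\\"
SYSTEM_BINARIES = {"svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}
KNOWN_LSP = {"mswsock.dll", "rsvpsp.dll", "winrnr.dll"}  # assumption: stock XP providers, not exhaustive
BLOCK_IPS = {"60.190.101.206"}  # the address the write-up tells administrators to block

Entry = namedtuple("Entry", "key name path publisher")
_dir = lambda p: p.rsplit("\\", 1)[0].lower() + "\\"
_base = lambda p: p.rsplit("\\", 1)[-1].lower()


def parse_sreng(text):
    """Return (autostart entries, loaded modules without version info, Winsock provider modules)."""
    entries, bare_modules, providers, key, section = [], [], [], None, "autostart"
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("="):
            continue
        if line in ("Running Process", "Winsock provider"):
            section = line
            continue
        if section == "autostart":
            if m := KEY_RE.match(line):
                key = m.group(1)
            elif (m := ENTRY_RE.match(line)) and key:
                entries.append(Entry(key, m["name"], m["path"], m["pub"]))
        elif section == "Running Process":
            if (m := MODULE_RE.match(line)) and m["meta"].startswith("N/A"):
                bare_modules.append(m["path"])  # no company/version resource: worth a second look
        elif m := LSP_RE.match(line):
            providers.append(m["path"])
    return entries, bare_modules, providers


def reasons_for(e):
    """Red flags for one autostart entry, distilled from what the log above makes visible."""
    d, b, key, r = _dir(e.path), _base(e.path), e.key.lower(), []
    if not e.publisher:
        r.append("no publisher/version information")
    if d == "%systemroot%\\" and b.endswith(".exe"):
        r.append("executable dropped directly in %SystemRoot%")
    if b in SYSTEM_BINARIES and d != SYSTEM32:
        r.append(f"{b} outside system32")
    r += [f"name mimics {s}" for s in sorted(SYSTEM_BINARIES)
          if b != s and SequenceMatcher(None, b, s).ratio() > 0.85]
    if key.endswith("policies\\explorer\\run"):
        r.append("Policies\\Explorer\\Run autostart, rarely used by legitimate software")
    if key.endswith("shellexecutehooks") and not (b == "shell32.dll" and d == SYSTEM32):
        r.append("ShellExecuteHook other than the stock shell32.dll hook")
    return r


def cleanup_plan(text):
    """Turn a log into the checklist the write-up works through by hand."""
    entries, bare_modules, providers = parse_sreng(text)
    flagged = [(e, r) for e in entries if (r := reasons_for(e))]
    rogue_lsp = sorted({p for p in providers if _base(p) not in KNOWN_LSP})
    return {
        "findings": {e.name: r for e, r in flagged},
        "registry_values": [(e.key, e.name) for e, _ in flagged],
        "files": sorted({e.path for e, _ in flagged} | set(bare_modules) | set(rogue_lsp)),
        "reset_winsock": bool(rogue_lsp),  # a foreign LSP means "Reset Winsock" before deleting it
        "block_ips": sorted(BLOCK_IPS),
    }


def as_cmd_script(plan):
    # cmd.exe commands to run after the restart the write-up calls for.
    lines = [f'reg delete "{k}" /v "{v}" /f' for k, v in plan["registry_values"]]
    lines += [f'del /f /a "{p}"' for p in plan["files"]]
    if plan["reset_winsock"]:
        lines.append("netsh winsock reset")
    lines += [f"rem block {ip} at the perimeter firewall" for ip in plan["block_ips"]]
    return "\n".join(lines)
```

Two details worth noticing in the output: ikewriyriu.dll is flagged purely because it is a non-stock ShellExecuteHook, since its version resource claims "Microsoft Corporation" and a publisher check alone would have passed it; and swchost.exe is caught by the look-alike test rather than by any fixed name list. As the write-up itself says, the dropped file names change almost daily, so the traits, not the names, are what to key detection on.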
