Gray Pigeon is a very widespread Trojan horse in China, and many versions and variants of it have appeared over time.
The Trojan itself is a client generated by the Gray Pigeon software; once it gets onto a victim's ("host") computer,
the attacker can harvest information from that zombie, including keystroke records and transferred files.
Gray Pigeon is therefore malicious.
The client is the core of the Trojan's functionality,
so discovering and deleting the client and the files it generates is the first priority of any cleanup.
This article takes a Gray Pigeon 2007 variant from the forum's sample area as an example of how to manually discover and destroy a Gray Pigeon infection.
1. Virus body file: qq.exe carries a Word document icon, which is an obvious disguise.
2. Starting an SREng scan produced an error such as the one shown.
3. Fix the entry point error and continue scanning; the resulting log is attached below.
4. View the System32 folder in IceSword and find the two files dropped by the virus.
However, the same two files cannot be seen in the normal system32 window in Windows.
5. In fact, the ati2sgag.exe process is hiding the two files, so end that process first.
6. The two files then become visible in the System32 folder. Delete them.
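An autorun listing like the SREng log attached below is easiest to triage systematically. The following Python script is an added example, not part of the original post and not SREng's own code: it parses lines of the form `<name> <command> [status]` under their `[HKEY_...]` section and flags the entries worth a closer look: a Winlogon `Shell` value that is not Explorer.exe, a populated `AppInit_DLLs`, entries whose target file is missing, and launch commands whose status is not reported as verified. The sample log is constructed: a few entries adapted from the page's log (path backslashes restored) plus two placeholder entries, `placeholder_autorun` and `placeholder_hook.dll`, invented so the checks have something to flag. That SREng prints `(Verified) <signer>` for signed files is taken from the page's log; the exact text it prints for unsigned files is not known here, so any other status is treated as unverified (an assumption).

```python
"""Triage the autorun entries of an SREng-style log (added example, not SREng's own code)."""
import re
from dataclasses import dataclass

# CONSTRUCTED sample input: entries adapted from the SREng log shown on this page
# (path backslashes restored) plus two placeholder entries, 'placeholder_autorun'
# and 'placeholder_hook.dll', invented here so that the checks have something to flag.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
<Ctfmon.exe> <C:\WINDOWS\system32\ctfmon.exe> [(Verified) Microsoft Windows Publisher]
<KavPFW> <"C:\Program Files\Kingsoft\Kingsoft Internet Security V9.0\KPFW32.EXE" -startup> [(Verified) kingsoft corporation]
<placeholder_autorun> <C:\WINDOWS\system32\placeholder_dropper.exe> [N/A]
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<Load> <> [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<Shell> <Explorer.exe> [(Verified) Microsoft Windows Publisher]
<Userinit> <C:\WINDOWS\system32\userinit.exe> [(Verified) Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<AppInit_DLLs> <C:\WINDOWS\system32\placeholder_hook.dll> [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{26923b43-4d38-484f-9b9e-de460746276c}]
<Internet Explorer> <%systemroot%\system32\shmgrate.exe OCInstallUserConfigIE> [File is missing]
"""

SECTION_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")                  # [HKEY_...\Run]
ENTRY_RE = re.compile(r"^<([^>]*)>\s*<([^>]*)>\s*\[([^\]]*)\]$")  # <name> <command> [status]


@dataclass
class Entry:
    key: str      # registry key the entry lives under
    name: str     # value name, e.g. "Shell"
    command: str  # launch command, possibly empty
    status: str   # SREng's signature / file status text


def parse_sreng(text: str) -> list[Entry]:
    """Walk the log, remembering the current [HKEY_...] section for each entry line."""
    entries, key = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if m := SECTION_RE.match(line):
            key = m.group(1)
        elif m := ENTRY_RE.match(line):
            name, command, status = m.groups()
            entries.append(Entry(key, name, command.strip(), status.strip()))
    return entries


def executable_of(command: str) -> str:
    """First token of a launch command, honouring a double-quoted path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def basename(path: str) -> str:
    """Last path component, lower-cased, for case-insensitive comparisons."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(entries: list[Entry]) -> list[tuple[str, str, str]]:
    """Return (severity, value name, reason) for entries that deserve a closer look."""
    findings = []
    for e in entries:
        if basename(e.key) == "winlogon" and e.name.lower() == "shell":
            # Windows XP's default shell is Explorer.exe; anything else is a hijack candidate.
            if basename(executable_of(e.command)) != "explorer.exe":
                findings.append(("high", e.name, "Winlogon shell is not Explorer.exe: " + e.command))
            continue
        if e.name.lower() == "appinit_dlls":
            # Normally empty; a DLL listed here is loaded into every process that loads user32.dll.
            if e.command:
                findings.append(("high", e.name, "AppInit_DLLs is populated: " + e.command))
            continue
        if not e.command:
            continue  # empty value: nothing is launched
        if e.status == "File is missing":
            findings.append(("low", e.name, "stale entry, target absent: " + executable_of(e.command)))
        elif not e.status.startswith("(Verified)"):
            # ASSUMPTION: SREng marks signed files "(Verified) <signer>" as in the page's log;
            # any other status text is treated here as unverified.
            findings.append(("medium", e.name, "unverified autorun target: " + executable_of(e.command)))
    return findings


if __name__ == "__main__":
    for severity, name, reason in triage(parse_sreng(SAMPLE_LOG)):
        print(f"[{severity:>6}] {name}: {reason}")
```

Run it on a real SREng log by reading the file into `parse_sreng` instead of `SAMPLE_LOG`; the medium findings are the ones to check first, since a dropped file sitting in System32 with no publisher signature is exactly what the manual steps above go looking for, while "File is missing" entries are usually just leftovers.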
The logs generated by SREng are as follows:
2008-10-06,17:19:12
System Repair Engineer 2.6.12.1018
Http://www.KZTechs.com (Smallfrogs)
Windows XP Professional Service Pack 2 (Build 2600)
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
<Ctfmon.exe> <C:\WINDOWS\system32\ctfmon.exe> [(Verified) Microsoft Windows Publisher]
<KavPFW> <"C:\Program Files\Kingsoft\Kingsoft Internet Security V9.0\KPFW32.EXE" -startup> [(Verified) kingsoft corporation]
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<Load> <> [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<IMJPMIG8.1> <"C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32> [(Verified) Microsoft Windows Publisher]
<PHIME2002ASync> <C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC> [(Verified) Microsoft Windows Publisher]
<PHIME2002A> <C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName> [(Verified) Microsoft Windows Publisher]
<VMUserServices> <C:\Program Files\Virtual Machine Additions\vmusrvc.exe> [(Verified) Microsoft Corporation]
<KavStart> <"C:\Program Files\Kingsoft\Kingsoft Internet Security V9.0\KAVStart.exe" -startup> [(Verified) kingsoft corporation]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<Shell> <assumer.exe> [(Verified) Microsoft Windows Publisher]
<Userinit> <C:\WINDOWS\system32\userinit.exe> [(Verified) Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<AppInit_DLLs> <> [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<UIHost> <logonui.exe> [(Verified) Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{26923b43-4d38-484f-9b9e-de460746276c}]
<Internet Explorer> <%systemroot%\system32\shmgrate.exe OCInstallUserConfigIE> [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{881dd1c5-3dcf-431b-b061-f3f88e8be88a}]
<Outlook Express> <%systemroot%\system32\shmgrate.exe OCInstallUserConfigOE> [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}]
<Themes Setup> <%systemroot%\system32\regsvr32.exe /s /n /I:/UserInstall %SystemRoot%\system32\themeui.dll> [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
<Microsoft Outlook Express 6> <"%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install> [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}]
<NetMeeting 3.01> <rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT> [(Verified) Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5945c046-1e7d-11d1-bc44-00c04fd912be}]
<Windows Messenger 4.7> <rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser> [(Verified) Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
<Microsoft Windows Media Player> <rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub> [(Verified) Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
<Address Book 6> <"%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install> [File is missing]
========================================
N/
========================================
[Human Interface Device Access/HidServ] [Stopped/Disabled]
<C:\WINDOWS\System32\svchost.exe -k netsvcs --> %SystemRoot%\System32\hidserv.dll> <N/A>
[Kingsoft Internet Security Common Service/KISSvc] [Running/Auto Start]
<C:\Program Files\Kingsoft\Kingsoft Internet Security V9.0\KISSvc.EXE> <Kingsoft Corporation>
[Kingsoft Personal Firewall Service/KPfwSvc] [Running/Auto Start]
<"C:\Program Files\Kingsoft\Kingsoft Internet Security V9.0\KPfwSvc.EXE"> <Kingsoft Corporation>
[Kingsoft Antivirus KWatch Service/KWatchSvc] [Running/Auto Start]
<"C:\Program Files\Kingsoft\Kingsoft Internet Security V9.0\KWatch.EXE"> <Kingsoft Cor