Automatic Detection and Prevention of the Robot Dog Virus and Trojan Variant

Source: Internet
Author: User

Recently a variant of the Robot Dog Trojan has been rampant. The virus hooks the system's disk device stack to penetrate restore software, which makes it extremely harmful: under current technical conditions it can penetrate any software or hardware restore product, and restore cards are basically unable to resist it. No restore product known at present can stop the virus from penetrating, infecting and spreading.

The Robot Dog virus is a Trojan downloader. After infecting a machine it automatically downloads further Trojans and viruses from the network, endangering the security of your accounts. It also modifies the Hosts file and sets itself to run at startup.

How to identify whether the Robot Dog virus is present
The key indicator of infection is the Userinit.exe file in the system32 folder of the system directory. Right-click the file and open its Properties. If the Properties window shows no Version tab, the machine is infected with the Robot Dog virus; if a Version tab is present, the file is normal.
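The check above can be scripted so it does not depend on eyeballing the Properties dialog. The following is an added example, not code from the original post: it reads the version resource the way the post describes and adds one check the post does not mention, that the Winlogon "Userinit" registry value still points at the real file (the genuine value is the system32 path followed by a comma). It assumes Windows PowerShell 2.0 or later and the default system directory.

```powershell
# Added example (not from the original post). Assumes Windows PowerShell 2.0+.
function Test-Userinit {
    param([string]$Path = (Join-Path $env:SystemRoot 'system32\userinit.exe'))

    $problems = @()
    $ver = $null; $company = $null; $created = $null

    if (-not (Test-Path -LiteralPath $Path)) {
        $problems += 'file missing'
    } else {
        $item    = Get-Item -LiteralPath $Path -Force
        $ver     = $item.VersionInfo.FileVersion   # empty when the Version tab would be absent
        $company = $item.VersionInfo.CompanyName
        $created = $item.CreationTime
        if ([string]::IsNullOrEmpty($ver)) {
            $problems += 'no version resource (Robot Dog indicator from the post)'
        } elseif ($company -ne 'Microsoft Corporation') {
            $problems += "unexpected company '$company'"
        }
    }

    # Extra check beyond the post: Winlogon launches whatever this value names.
    $wl = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $userinit = (Get-ItemProperty -Path $wl -Name Userinit -ErrorAction SilentlyContinue).Userinit
    if ($null -eq $userinit) {
        $problems += 'Winlogon Userinit value missing'
    } elseif ($userinit.TrimEnd(',') -ine $Path) {
        $problems += "Winlogon Userinit = '$userinit'"
    }

    if ($problems.Count -eq 0) { $verdict = 'OK' }
    else { $verdict = 'SUSPICIOUS: ' + ($problems -join '; ') }

    New-Object PSObject -Property @{
        Path          = $Path
        FileVersion   = $ver
        CompanyName   = $company
        Created       = $created
        WinlogonValue = $userinit
        Verdict       = $verdict
    }
}

Test-Userinit | Format-List
```

A "SUSPICIOUS" verdict is a reason to continue with the self-check steps below, not proof on its own; a file missing its version resource is the post's indicator, and a changed Winlogon value means something else is being started at logon.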


Self-check method:

1. Enable viewing of hidden files: open any Windows Explorer window, choose Tools > Folder Options > View, tick "Display the contents of system folders", untick "Hide protected operating system files", select "Show hidden files and folders", and click OK to save the changes.

2. Open C:\WINDOWS and C:\WINDOWS\system32 in turn. In each window right-click, choose View > Details, and click the "Date Modified" column header to sort the files newest to oldest. Look for files with creation dates from 2008-1 ~ and with the extensions exe/dat/ini. The file names used by the Robot Dog are listed below for reference. (The current variant uses names such as x.exe or xx.exe, that is, one or two letters such as a.exe or c.exe; if C:\WINDOWS\system32\explorer.exe appears, congratulations, you are infected! The real Explorer.exe lives in C:\WINDOWS, and the virus places its copy in C:\WINDOWS\system32.)

Also check whether PCIHDD.SYS exists in C:\WINDOWS\system32\drivers.

Del C:\WINDOWS\dfasbhpco.exe
Del C:\WINDOWS\qveschyt.exe
Del C:\WINDOWS\lqvvieps.dll
Del C:\WINDOWS\ehbppvct.dat
Del C:\WINDOWS\DbgHlp32.exe
Del C:\WINDOWS\upxdnd.exe
Del C:\WINDOWS\dfasbhpco.exe.hiv
Del C:\WINDOWS\dghjxbnr.dat
Del C:\WINDOWS\system32\23.exe
Del C:\WINDOWS\system32\explorer.exe
Del C:\WINDOWS\system32\WIN.INI
Del C:\WINDOWS\system32\DbgHlp32.dll
Del C:\WINDOWS\system32\upxdnd.dll
Del C:\WINDOWS\system32\etsrv.dll
Del C:\WINDOWS\system32\BOLE.INI
Del C:\WINDOWS\system32\sgrefg.dll
Del C:\WINDOWS\yuuoahmm.dat
Del C:\WINDOWS\xjcouxwy.dll
Del C:\WINDOWS\mwnptmtoa.exe.hiv
Del C:\WINDOWS\myfuatg.dll
Del C:\WINDOWS\mwnptmtoa.exe
Del C:\WINDOWS\joxykwqv.exe
Del C:\WINDOWS\xwizrokv.dat
Del C:\WINDOWS\system32\tahqyfdj.dll
Del C:\WINDOWS\system32\mswwwdj32.dll
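Step 2 and the PCIHDD.SYS check can be done in one pass instead of sorting two Explorer windows by hand. The following is an added example, not code from the original post: it lists exe/dat/ini files under %SystemRoot% and system32 created on or after a start date, newest modified first, flags the locations and name patterns the post describes, and reports the driver. The post's range starts at 2008-1 and gives no end, so the default $Since below is an assumption; it assumes Windows PowerShell 2.0 or later.

```powershell
# Added example (not from the original post). Assumes Windows PowerShell 2.0+.
function Find-RobotDogCandidates {
    param(
        [datetime]$Since = [datetime]'2008-01-01',   # assumed start of the post's range
        [string]$Root = $env:SystemRoot
    )
    $dirs = @($Root, (Join-Path $Root 'system32'))
    $exts = @('.exe', '.dat', '.ini')

    $found = foreach ($d in $dirs) {
        Get-ChildItem -Path $d -Force -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer -and
                           $exts -contains $_.Extension.ToLower() -and
                           $_.CreationTime -ge $Since }
    }

    foreach ($f in ($found | Sort-Object LastWriteTime -Descending)) {
        $flags = @()
        # the real Explorer.exe lives in %SystemRoot%; a copy in system32 is the Trojan
        if ($f.Name -ieq 'explorer.exe' -and $f.DirectoryName -ine $Root) {
            $flags += 'explorer.exe outside SystemRoot'
        }
        # one- or two-letter names such as a.exe, c.exe, xx.exe
        if ($f.Extension -ieq '.exe' -and $f.BaseName -match '^[a-z]{1,2}$') {
            $flags += 'short random name'
        }
        # the post notes the Trojan sets hidden+system+read-only on its files
        $attr = $f.Attributes.ToString()
        if ($attr -match 'Hidden' -and $attr -match 'System') {
            $flags += 'hidden+system'
        }
        New-Object PSObject -Property @{
            Path     = $f.FullName
            Created  = $f.CreationTime
            Modified = $f.LastWriteTime
            Flags    = ($flags -join '; ')
        }
    }

    # the kernel-mode component the post tells you to look for
    $drv = Join-Path $Root 'system32\drivers\PCIHDD.SYS'
    if (Test-Path -LiteralPath $drv) { Write-Warning "Robot Dog driver present: $drv" }
}

Find-RobotDogCandidates | Format-Table Created, Flags, Path -AutoSize
```

Files that carry a flag are the ones to compare against the reference list above; an unflagged hit is only "new" and may be a legitimate update, so check its version resource before touching it.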

3. Check whether a file or shortcut named "cmdx.exe" exists in the Start menu's Startup folder. If so, delete it; if it cannot be deleted, open the folder it lives in, find the file, grant the current user Full Control on it, and then delete it.

My self-help method (I was busy all night and basically cleaned up both machines):

1. Update the local Norton virus definitions to the latest version, enable real-time protection, and scan drive C; or use another antivirus product updated to its latest version.

2. Download the latest Rising Kaka Assistant, install it, and scan for viruses and Trojans.

3. Enable the built-in Windows Firewall.

4. Start > Windows Update and install all Microsoft patches (IE7 is optional; skip it if it requires Genuine Advantage validation).

5. Create a batch file yourself, add a deletion command for each suspicious file, and name it kill.bat. Put it in the root of drive C and restart the system. Press F8 to bring up the startup menu and choose "Safe Mode with Command Prompt" (it is slow, be patient). In the command window type c:\kill.bat and press Enter to run it, then restart and check whether the files were actually deleted. The file content is below; modify it for your own situation. Because the Trojan cleverly sets many of its files to hidden, system and read-only, a direct del may fail, so the first half removes those attributes from every suspicious file regardless, and the second half deletes them.

C:\windows\system32\attrib -H -S -R c:\WINDOWS\system32\explorer.exe
C:\windows\system32\attrib -H -S -R c:\WINDOWS\system32\WIN.INI
C:\windows\system32\attrib -H -S -R c:\WINDOWS\system32\DbgHlp32.dll
C:\windows\system32\attrib -H -S -R c:\WINDOWS\system32\upxdnd.dll
C:\windows\system32\attrib -H -S -R c:\WINDOWS\system32\etsrv.dll
C:\windows\system32\attrib -H -S -R c:\WINDOWS\system32\BOLE.INI
C:\windows\system32\attrib -H -S -R c:\WINDOWS\system32\sgrefg.dll
C:\windows\system32\attrib -H -S -R c:\WINDOWS\yuuoahmm.dat
C:\windows\system32\attrib -H -S -R c:\WINDOWS\xjcouxwy.dll
C:\windows\system32\attrib -H -S -R c:\WINDOWS\mwnptmtoa.exe.hiv
C:\windows\system32\attrib -H -S -R c:\WINDOWS\myfuatg.dll
C:\windows\system32\attrib -H -S -R c:\WINDOWS\mwnptmtoa.exe
C:\windows\system32\attrib -H -S -R c:\WINDOWS\joxykwqv.exe
C:\windows\system32\attrib -H -S -R c:\WINDOWS\xwizrokv.dat
C:\windows\system32\attrib -H -S -R c:\WINDOWS\system32\tahqyfdj.dll
C:\windows\system32\attrib -H -S -R c:\WINDOWS\system32\mswwwdj32.dll

Del C:\WINDOWS\dfasbhpco.exe
Del C:\WINDOWS\qveschyt.exe
Del C:\WINDOWS\lqvvieps.dll
Del C:\WINDOWS\ehbppvct.dat
Del C:\WINDOWS\DbgHlp32.exe
Del C:\WINDOWS\upxdnd.exe
Del C:\WINDOWS\dfasbhpco.exe.hiv
Del C:\WINDOWS\dghjxbnr.dat
Del C:\WINDOWS\system32\23.exe
Del C:\WINDOWS\system32\explorer.exe
Del C:\WINDOWS\system32\WIN.INI
Del C:\WINDOWS\system32\DbgHlp32.dll
Del C:\WINDOWS\system32\upxdnd.dll
Del C:\WINDOWS\system32\etsrv.dll
Del C:\WINDOWS\system32\BOLE.INI
Del C:\WINDOWS\system32\sgrefg.dll
Del C:\WINDOWS\yuuoahmm.dat
Del C:\WINDOWS\xjcouxwy.dll
Del C:\WINDOWS\mwnptmtoa.exe.hiv
Del C:\WINDOWS\myfuatg.dll
Del C:\WINDOWS\mwnptmtoa.exe
Del C:\WINDOWS\joxykwqv.exe
Del C:\WINDOWS\xwizrokv.dat
Del C:\WINDOWS\system32\tahqyfdj.dll
Del C:\WINDOWS\system32\mswwwdj32.dll
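The kill.bat above deletes outright, so a wrong entry is gone for good and no sample is left for the antivirus vendor. The following is an added example, not code from the original post: a PowerShell equivalent that clears the hidden/system/read-only attributes the same way attrib -H -S -R does, moves each file from the post's list into a quarantine folder under a neutered name, and then does the "is anything still there" check the post does by hand after a reboot. It assumes powershell.exe can be started from the same "Safe Mode with Command Prompt" session; the quarantine folder name is an assumption.

```powershell
# Added example (not from the original post). Assumes Windows PowerShell 2.0+.
$Root       = $env:SystemRoot
$Quarantine = 'C:\quarantine'   # assumed location

# the file list from the post (trim it to what the self-check actually found)
$suspects = @(
    "$Root\dfasbhpco.exe", "$Root\qveschyt.exe", "$Root\lqvvieps.dll",
    "$Root\ehbppvct.dat", "$Root\DbgHlp32.exe", "$Root\upxdnd.exe",
    "$Root\dfasbhpco.exe.hiv", "$Root\dghjxbnr.dat", "$Root\system32\23.exe",
    "$Root\system32\explorer.exe", "$Root\system32\WIN.INI",
    "$Root\system32\DbgHlp32.dll", "$Root\system32\upxdnd.dll",
    "$Root\system32\etsrv.dll", "$Root\system32\BOLE.INI",
    "$Root\system32\sgrefg.dll", "$Root\yuuoahmm.dat", "$Root\xjcouxwy.dll",
    "$Root\mwnptmtoa.exe.hiv", "$Root\myfuatg.dll", "$Root\mwnptmtoa.exe",
    "$Root\joxykwqv.exe", "$Root\xwizrokv.dat", "$Root\system32\tahqyfdj.dll",
    "$Root\system32\mswwwdj32.dll"
)

function Move-ToQuarantine {
    param([string[]]$Paths, [string]$Dest)
    if (-not (Test-Path -LiteralPath $Dest)) {
        New-Item -ItemType Directory -Path $Dest | Out-Null
    }
    foreach ($p in $Paths) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        $item = Get-Item -LiteralPath $p -Force
        # same effect as "attrib -H -S -R": clear the attributes that block the move
        $item.Attributes = 'Archive'
        # keep the original location in the name and neuter the extension
        $name = ($p -replace '[:\\]', '_') + '.quarantined'
        try {
            Move-Item -LiteralPath $p -Destination (Join-Path $Dest $name) -Force -ErrorAction Stop
            'moved      ' + $p
        } catch {
            'FAILED     ' + $p + '  (' + $_.Exception.Message + ')'
        }
    }
}

Move-ToQuarantine -Paths $suspects -Dest $Quarantine

# the check the post does after a reboot: is anything from the list still there?
$left = $suspects | Where-Object { Test-Path -LiteralPath $_ }
if ($left) { $left | ForEach-Object { "still present: $_" } }
else { 'nothing from the list remains' }
```

A FAILED line usually means the file is still open or protected by the driver; that is the case the post handles by rebooting into Safe Mode with Command Prompt first, so run the script from there rather than from a normal session.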

In addition:

1. Update the antivirus virus database promptly, patch system vulnerabilities, and enable "web page monitoring" and "email monitoring" while online.
2. Enable the antivirus product's "removable storage scan" so viruses cannot use removable devices (USB flash drives, portable hard disks) to get into the computer, protecting the system fully.
3. Disable the system's Autoplay function to stop viruses entering from removable storage such as USB flash drives, MP3 players and portable hard disks.
4. Use a soft (on-screen) keyboard to enter your account name and password when logging in to online games or online banking.
5. Guard against ARP viruses on the LAN.

Appendix
1. To disable Autoplay, type gpedit.msc in the Start menu's Run box. In Group Policy, under both Computer Configuration and User Configuration, open Administrative Templates > System, open the "Turn off Autoplay" setting, set it to Enabled, choose "All drives", and click OK to save.
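Whether the policy actually took can be confirmed without reopening gpedit.msc, because "Turn off Autoplay" with "All drives" writes the NoDriveTypeAutoRun value (0xFF) under the Policies\Explorer key of the scope it was set in. The following is an added example, not code from the original post: it reads that value for both scopes and, if wanted, applies the Computer-scope setting directly. It assumes Windows PowerShell 2.0 or later and an administrative session for the setter.

```powershell
# Added example (not from the original post). Assumes Windows PowerShell 2.0+.
function Get-AutoplayPolicy {
    $scopes = @{
        Computer = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
        User     = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    }
    foreach ($scope in $scopes.Keys) {
        $v = (Get-ItemProperty -Path $scopes[$scope] -Name NoDriveTypeAutoRun `
                -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
        if ($null -eq $v) {
            $state = 'not set (Autoplay enabled)'
        } elseif (($v -band 0xFF) -eq 0xFF) {
            $state = 'off for all drives'
        } else {
            # a mask below 0xFF means only some drive types are covered
            $state = 'off only for some drive types (0x{0:X2})' -f $v
        }
        New-Object PSObject -Property @{ Scope = $scope; NoDriveTypeAutoRun = $v; State = $state }
    }
}

function Disable-AutoplayAllDrives {
    # same result as Enabled + "All drives" in gpedit.msc, Computer Configuration scope
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
}

Get-AutoplayPolicy | Format-Table Scope, State -AutoSize
```

Run Get-AutoplayPolicy again after a log-off or a gpupdate to see the change reflected; the Computer-scope value applies to every user on the machine, which is why the post has you set it in both places.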

2. Install the system vulnerability patches, especially for the vulnerabilities commonly used by web Trojans: MS06-014 and MS07-017.

MS06-014 patch for Chinese-language systems:
Http://www.microsoft.com/china/technet/security/bulletin/MS06-014.mspx
MS06-014 patch for English-language systems:
Http://www.microsoft.com/technet/security/Bulletin/MS06-014.mspx
MS07-017 patch for Chinese-language systems:
Http://www.microsoft.com/china/technet/security/bulletin/MS07-017.mspx
MS07-017 patch for English-language systems:
Http://www.microsoft.com/technet/security/bulletin/MS07-017.mspx
