This virus starts itself by hijacking a system service (among other tricks), borrows the familiar SoundMan.exe name to mislead the user, and is able to terminate antivirus software and download further malware.
The virus drops the following files:
%systemroot%\system32\ineters.exe
%systemroot%\system32\soundman.exe (a fake SoundMan.exe, using the same icon as the real SoundMan.exe)
%systemroot%\system32\tthh3.ini
All of the dropped files carry a "Tomato Garden" digital signature.
It writes Auto.exe and Autorun.inf to any newly connected removable storage.
It calls cmd and stops several services with the net stop command:
SharedAccess (Windows Firewall / Internet Connection Sharing)
Kpfwsvc
Kwatchsvc
McShield
Norton AntiVirus Server
It terminates the following processes:
Shstat.exe
Runiep.exe
Ras.exe
MPG4C32.exe
Imsins.exe
Iparmor.exe
360safe.exe
360tray.exe
Kmailmon.exe
Kavstart.exe
Avp.exe
Ccenter.exe
It sets HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue to 0x00000006, which breaks the "Show hidden files and folders" option so the dropped files stay hidden.
It deletes the following files (to remove older versions of the virus):
%systemroot%\system32\updeta.exe
%systemroot%\system32\ineters.exe
%systemroot%\system32\soundman.exe
%systemroot%\system32\ttzhh.ini
%systemroot%\system32\hz3.ini
%systemroot%\system32\hz2.ini
%systemroot%\system32\1035.ini
%systemroot%\system32\tthh.ini
%systemroot%\system32\tthh1.ini
%systemroot%\system32\tthh2.ini
%systemroot%\system32\alcwzrd.exe
%systemroot%\system32\notepd.exe
It activates the Guest account on the computer and adds an account named Microsoft.
It writes the following into %systemroot%\1.inf:
[Version]
Signature="$WINDOWS NT$"
[DefaultInstall.Services]
AddService=helpsvc,,my_addservice_name
[my_addservice_name]
DisplayName=Help and Support
Description=Enables Help and Support Center to run on this computer. If the service is stopped, Help and Support Center will not be available. If the service is disabled, any services that directly depend on it will fail to start.
ServiceType=0x10
StartType=2
ServiceBinary=%11%\ineters.exe
ErrorControl=0
and installs the service from it.
As a result the image file of the original helpsvc (Help and Support Center) service is replaced with the virus file %systemroot%\system32\ineters.exe.
It removes the startup entries of the following security software:
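The service hijack above is driven entirely by that small INF file, so a responder can triage such a file before it is ever installed. The script below is an added example, not code from the original post: it parses the 1.inf shown above with Python's configparser (INF files are INI-shaped) and reports the indicators that matter here: a built-in service name (helpsvc) pointed at a binary other than its normal host svchost.exe, a display name borrowed from a built-in service under a different service name, and auto start at boot. The table of built-in services holds only the one service the post names, and the expected host svchost.exe -k netsvcs is taken from the repair step later in the post.

```python
"""Triage helper for INF-driven service installs (added example, not code from
the original post).  It parses the 1.inf shown above and reports the indicators
a responder would want to see before such an INF installs anything."""
import configparser
import ntpath

# Built-in XP services mentioned in the post, with the binary that should host them.
BUILTIN_SERVICES = {
    "helpsvc": {"display_name": "Help and Support", "host_binary": "svchost.exe"},
}

# INF directory IDs: 10 = Windows directory, 11 = system directory (System32).
DIRIDS = {"%10%": "%SystemRoot%", "%11%": "%SystemRoot%\\System32"}

# Reproduced from the INF listing in the post (Description shortened).
SAMPLE_INF = """[Version]
Signature="$WINDOWS NT$"

[DefaultInstall.Services]
AddService=helpsvc,,my_addservice_name

[my_addservice_name]
DisplayName=Help and Support
Description=Enables Help and Support Center to run on this computer.
ServiceType=0x10
StartType=2
ServiceBinary=%11%\\ineters.exe
ErrorControl=0
"""


def expand_dirid(path):
    """Replace a leading INF directory ID with the directory it stands for."""
    for dirid, real in DIRIDS.items():
        if path.lower().startswith(dirid):
            return real + path[len(dirid):]
    return path


def binary_name(service_binary):
    """Executable file name from a ServiceBinary value, ignoring arguments such as -k."""
    exe = service_binary.split(" -", 1)[0].strip().strip('"')
    return ntpath.basename(exe).lower()


def parse_inf_services(text):
    """Return one dict per AddService directive found in a service-install INF."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)  # option names are lower-cased by default
    sections = {s.lower(): s for s in cp.sections()}
    services = []
    for section in cp.sections():
        if not section.lower().endswith(".services"):
            continue
        for key, value in cp.items(section):
            if key != "addservice":
                continue
            parts = [p.strip() for p in value.split(",")]
            name, install = parts[0], parts[2]
            if install.lower() not in sections:
                raise ValueError(f"AddService {name} refers to missing section {install}")
            detail = cp[sections[install.lower()]]
            services.append({
                "name": name,
                "display_name": detail.get("displayname", ""),
                "binary": expand_dirid(detail.get("servicebinary", "")),
                "start_type": int(detail.get("starttype", "3"), 0),
                "service_type": int(detail.get("servicetype", "0"), 0),
            })
    return services


def triage_service(svc):
    """Indicator strings for one parsed service; an empty list means nothing odd."""
    findings = []
    exe = binary_name(svc["binary"])
    builtin = BUILTIN_SERVICES.get(svc["name"].lower())
    if builtin and exe != builtin["host_binary"]:
        findings.append(f"built-in service {svc['name']} repointed from "
                        f"{builtin['host_binary']} to {svc['binary']}")
    if not builtin:
        for name, info in BUILTIN_SERVICES.items():
            if svc["display_name"].lower() == info["display_name"].lower():
                findings.append(f"display name mimics built-in service {name}")
    if svc["start_type"] == 2:
        findings.append("StartType=2 (auto start at boot)")
    return findings


def triage_inf(text):
    """Map service name -> findings for every service the INF would install."""
    return {svc["name"]: triage_service(svc) for svc in parse_inf_services(text)}


if __name__ == "__main__":
    for name, findings in triage_inf(SAMPLE_INF).items():
        print(name, findings or "no indicators")
```

Run as-is it reports the hijack in the post's INF; the same functions can be pointed at any INF that a setup routine or a suspicious installer drops, and the table of built-in services can be widened to every svchost-hosted service on the build being protected.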
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\360safetray
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kavstart
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\kavpfw
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vptray
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kav
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\runeip
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ravtask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rfwmain
It then connects to the network and downloads other malware from the following addresses:
Http://www.*.cn/tthh3/gx.jpg
Http://www.*.cn/tthh3/qq.jpg
Http://www.*.cn/tthh3/omin.jpg
Http://www.*.cn/tthh3/crt.jpg
Http://www.*.cn/tthh3/f1.jpg
Http://www.*.cn/tthh3/f2.jpg
Http://www.*.cn/tthh3/f3.jpg
(these are really EXE files, although some of the links are now dead)
It connects to http://www.webye163.cn/ip/ip.asp to learn the infected machine's IP address, obtains the default gateway address from the output of route print, and writes both to C:\ip.txt.
This information may later be used for ARP spoofing and similar operations...
Several of the downloaded samples are worms that scan port 135 across the surrounding network segment.
(The behaviour of those samples was not examined in detail.)
The Sreng log taken after the downloads is as follows:
Startup Items
Registry
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
[1]
==================================
Services
[Help and Support / helpsvc] [Stopped / Auto Start]
<%WINDIR%\pchealth\helpctr\binaries\pchsvc.dll>
The following files may also be added:
%systemroot%\system32\alcmtr.exe
%systemroot%\system32\alcwzrd.exe
%systemroot%\system32\qoq.exe
Workaround:
Step 1: remove the virus files and the registry entries they created
1. Open Sreng, go to Startup Items > Registry and delete the following item:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
[1]
2. Open IceSword, click the File button in the lower left corner and delete the following files:
%systemroot%\system32\ineters.exe
%systemroot%\system32\soundman.exe
%systemroot%\system32\tthh3.ini
%systemroot%\system32\alcmtr.exe
%systemroot%\system32\alcwzrd.exe
%systemroot%\system32\qoq.exe
Step 2: repair the system
1. Copy the following into Notepad and save it as 1.reg:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"Regpath" = "Software\\microsoft\\windows\\currentversion\\explorer\\adva
2. Go to Start > Run, type regedit and open it.
Expand HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\helpsvc.
Double-click ImagePath and set its value data to:
%systemroot%\system32\svchost.exe -k netsvcs
Click OK.
Note: SoundMan.exe is the legitimate program only when it sits directly in %systemroot% (the Windows/WinNT directory). A SoundMan.exe in the System32 folder is most likely the virus, so check the location carefully. The genuine SoundMan.exe:
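Once the manual cleanup above is done, it is worth confirming that nothing from the post's indicator list is left behind. The following script is an added example, not code from the original post. It encodes the post's own checks as data-driven functions: the dropped files under System32, the SoundMan.exe location rule from the note above, the helpsvc ImagePath from the repair step, the rogue "Microsoft" account and the re-enabled Guest account, plus CheckedValue=1, which is the stock Windows setting for "Show hidden files and folders". The host state is passed in as plain data (the two snapshots are constructed for illustration) so the logic runs anywhere; collect_snapshot() fills a real snapshot from a live Windows machine with os and winreg and leaves local accounts to be filled from net user output.

```python
"""Post-cleanup verification for the SoundMan.exe impersonator described above
(added example, not code from the original post)."""
import ntpath
import os
import sys

# Files the post lists as dropped or added under %SystemRoot%\System32.
DROPPED_FILES = ["ineters.exe", "soundman.exe", "tthh3.ini",
                 "alcmtr.exe", "alcwzrd.exe", "qoq.exe"]
EXPECTED_HELPSVC_IMAGEPATH = "%systemroot%\\system32\\svchost.exe -k netsvcs"
EXPECTED_SHOWALL_CHECKEDVALUE = 1   # stock value for "Show hidden files and folders"
ROGUE_ACCOUNT = "microsoft"         # account the post says the virus adds


def norm(path):
    """Case-fold and unify separators so paths compare reliably."""
    return path.replace("/", "\\").lower().rstrip("\\")


def classify_soundman(path, systemroot):
    """The post's rule: SoundMan.exe is legitimate only directly under %SystemRoot%."""
    p, root = norm(path), norm(systemroot)
    if ntpath.basename(p) != "soundman.exe":
        return "not soundman"
    return "expected location" if ntpath.dirname(p) == root else "suspicious location"


def verify_cleanup(snapshot):
    """Return the problems that remain; an empty list means the host looks clean.

    snapshot keys: systemroot, files (paths present), helpsvc_imagepath,
    showall_checkedvalue, local_accounts (name -> enabled flag).
    """
    problems = []
    root = norm(snapshot["systemroot"])
    present = {norm(f) for f in snapshot["files"]}
    for name in DROPPED_FILES:
        if f"{root}\\system32\\{name}" in present:
            problems.append(f"virus file still present: System32\\{name}")
    image = norm(snapshot["helpsvc_imagepath"]).replace(root, "%systemroot%")
    if image != EXPECTED_HELPSVC_IMAGEPATH:
        problems.append(f"helpsvc ImagePath is {snapshot['helpsvc_imagepath']!r}, "
                        f"expected {EXPECTED_HELPSVC_IMAGEPATH!r}")
    if snapshot["showall_checkedvalue"] != EXPECTED_SHOWALL_CHECKEDVALUE:
        problems.append(f"SHOWALL CheckedValue is {snapshot['showall_checkedvalue']}, "
                        "so 'Show hidden files' is still broken")
    accounts = {n.lower(): on for n, on in snapshot["local_accounts"].items()}
    if ROGUE_ACCOUNT in accounts:
        problems.append("rogue account 'Microsoft' still exists")
    if accounts.get("guest"):
        problems.append("Guest account is still enabled")
    return problems


# Constructed snapshots: the box as the post describes it, and after the repair.
INFECTED = {
    "systemroot": "C:\\WINDOWS",
    "files": ["C:\\WINDOWS\\SoundMan.exe",
              "C:\\WINDOWS\\system32\\SoundMan.exe",
              "C:\\WINDOWS\\system32\\ineters.exe",
              "C:\\WINDOWS\\system32\\tthh3.ini"],
    "helpsvc_imagepath": "%SystemRoot%\\system32\\ineters.exe",
    "showall_checkedvalue": 6,
    "local_accounts": {"Administrator": True, "Guest": True, "Microsoft": True},
}
CLEANED = {
    "systemroot": "C:\\WINDOWS",
    "files": ["C:\\WINDOWS\\SoundMan.exe"],
    "helpsvc_imagepath": "%SystemRoot%\\system32\\svchost.exe -k netsvcs",
    "showall_checkedvalue": 1,
    "local_accounts": {"Administrator": True, "Guest": False},
}


def collect_snapshot():
    """Read the same facts from a live Windows host (winreg is Windows-only).
    Local accounts are not enumerated here; fill them in from 'net user' output."""
    import winreg
    root = os.environ["SystemRoot"]
    sys32 = os.path.join(root, "System32")
    files = [os.path.join(sys32, n) for n in DROPPED_FILES
             if os.path.exists(os.path.join(sys32, n))]
    hklm = winreg.HKEY_LOCAL_MACHINE
    with winreg.OpenKey(hklm, r"SYSTEM\CurrentControlSet\Services\helpsvc") as k:
        image = winreg.QueryValueEx(k, "ImagePath")[0]
    with winreg.OpenKey(hklm, r"SOFTWARE\Microsoft\Windows\CurrentVersion"
                              r"\Explorer\Advanced\Folder\Hidden\SHOWALL") as k:
        checked = winreg.QueryValueEx(k, "CheckedValue")[0]
    return {"systemroot": root, "files": files, "helpsvc_imagepath": image,
            "showall_checkedvalue": checked, "local_accounts": {}}


if __name__ == "__main__":
    snap = collect_snapshot() if sys.platform == "win32" else INFECTED
    for problem in verify_cleanup(snap) or ["no remaining indicators"]:
        print(problem)
```

On a non-Windows machine the script simply evaluates the constructed infected snapshot; on the cleaned box every check should come back empty, and any line it still prints points at the step of the workaround that was missed.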