Remove the services.exe Trojan: Solution

Source: Internet
Author: User
Tags: microsoft, website

Finally, it is confirmed that Winsock is damaged, and Winsock can be repaired ~~~

Http://blog.fjstu.net/user1/shulinyg/archives/2006/3112.html

Remove the services.exe Trojan
[19:41:05 | by: Lu Songlin★]
 

1. Introduction to the services.exe (services) process

Process file: services or services.exe
Process name: Windows Service Controller
Process type: other processes
English description:
Services.exe is a part of the Microsoft Windows operating system and manages the operation of starting and stopping services. This process also deals with the automatic starting of services during the computer's boot-up and the stopping of services durin
Chinese reference:
Services.exe is part of the Microsoft Windows operating system and is used to manage the starting and stopping of services. The process also handles the services that run when the computer starts up and shuts down, and it is essential to the normal operation of the system. Note: services.exe may also be the W32.Randex.R Trojan (stored in the %SystemRoot%\system32\ directory) or the Sober.P Trojan (stored in the %SystemRoot%\Connection Wizard\Status\ directory). These Trojans let an attacker access your computer and steal passwords and personal data; the security rating for those variants is "delete immediately".
Publisher: Microsoft Corp.
Microsoft Windows Operating System
System process: yes
Background program: yes
Network problems: no
Common errors: N/A
Memory usage: N/A
Security grade (0-5): 0
Spyware: no
Adware: no
Virus: no
Trojan: no

This backdoor is nasty, a bit over the top. In total it creates 14 files, 3 shortcut icons, and 2 folders. The .exe file association is changed from the default exefile to winfiles, and a winfiles key is then created that associates EXE files with the Trojan; that is, after infection the type shown for any EXE file changes from "Application" to "EXE file". Two things help to tell the Trojan's files from the real ones: the genuine services.exe lives in %SystemRoot%\system32, while the dropped copy sits directly in %Windir% (C:\WINNT\services.exe); and the .com copies it drops beside the real tools (regedit.com, msconfig.com, rundll32.com, dxdiag.com) are what actually get launched when you type regedit or msconfig without an extension, because .COM comes before .EXE in PATHEXT. So spell out the .exe extension while cleaning up, and follow the steps in order.
Of course, the removal method is also simple, but the order of the steps matters:
1. Registry: use a registry repair tool first, or use Regedit directly, to correct the following entries:
1. system.ini (on NT systems this lives in the registry under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon):
Change shell=Explorer.exe 1 to shell=Explorer.exe
2. Under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, delete the value:
Torjan program ---------- c:\winnt\services.exe
3. HKEY_CLASSES_ROOT\.exe
Change the default value from winfiles back to exefile.
4. Delete the following two keys:
HKEY_CLASSES_ROOT\winfiles
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\winfiles
2. Restart the system and delete the following files. To open a partition, open "My Computer", right-click the partition and choose "Open" rather than double-clicking it, because double-clicking would run the autorun.inf the Trojan placed in the root of the drive. Alternatively, run the attached kv.bat to delete the files.
C:\autorun.inf (if you have several partitions, check whether the file also exists on the others and delete it from all of them)
%ProgramFiles%\Common Files\iexplore.pif
%ProgramFiles%\Internet Explorer\iexplore.com
%Windir%\1.com
%Windir%\exeroute.exe
%Windir%\explorer.com
%Windir%\finder.com
%Windir%\mswinsck.ocx
%Windir%\services.exe
%Windir%\system32\command.pif
%Windir%\system32\dxdiag.com
%Windir%\system32\finder.com
%Windir%\system32\msconfig.com
%Windir%\system32\regedit.com
%Windir%\system32\rundll32.com
Delete the following folders (note that both paths also exist on a clean Windows 2000/XP installation, where Debug holds user-mode log files and NtmsData belongs to Removable Storage, so look at what is inside them rather than deleting blindly):
%Windir%\debug
%Windir%\system32\ntmsdata
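The .com copies in the list above shadow the real tools because of the command lookup order. The script below, an added example and not part of the original post, models cmd.exe's PATH/PATHEXT search over a directory listing constructed from that file list (real paths vary between Windows versions, and the lookup is simplified: the current directory and the App Paths registry key are left out) and shows which tools resolve to the Trojan's files before and after the cleanup. The Run box follows a similar order that also tries .pif, which is why the Trojan drops command.pif and iexplore.pif as well.

```python
"""Model of the command lookup that lets the dropped .com files shadow real
tools. Added example, not code from the original post; the directory listing
is constructed from the file list above and real paths vary by Windows version."""

# Assumed lookup order of cmd.exe, simplified: in reality the current directory
# is searched first, and the Run box also consults the App Paths registry key.
PATH = [r"C:\WINNT\system32", r"C:\WINNT"]
PATHEXT = [".COM", ".EXE", ".BAT", ".CMD"]   # start of the Windows 2000/XP default

# Files the post says the Trojan drops, by directory (names only).
DROPPED = {
    r"C:\WINNT\system32": {"command.pif", "dxdiag.com", "finder.com",
                           "msconfig.com", "regedit.com", "rundll32.com"},
    r"C:\WINNT": {"1.com", "exeroute.exe", "explorer.com", "finder.com",
                  "mswinsck.ocx", "services.exe"},
}

# Constructed listing of an infected machine: genuine tools plus the drops.
INFECTED_FS = {
    r"C:\WINNT\system32": {"cmd.exe", "dxdiag.exe", "msconfig.exe", "regedit.exe",
                           "rundll32.exe", "services.exe"} | DROPPED[r"C:\WINNT\system32"],
    r"C:\WINNT": {"explorer.exe", "regedit.exe"} | DROPPED[r"C:\WINNT"],
}


def resolve(command, fs, path=PATH, pathext=PATHEXT):
    """Full path Windows would launch for `command`, or None if not found.
    A name that already has an extension is matched literally; otherwise the
    PATHEXT extensions are tried in order inside each PATH directory, so a
    .com beside an .exe of the same name wins."""
    name = command.lower()
    candidates = [name] if "." in name else [name + ext.lower() for ext in pathext]
    for directory in path:
        files = fs.get(directory, set())
        for candidate in candidates:
            if candidate in files:
                return directory + "\\" + candidate
    return None


def shadowed_tools(fs, path=PATH, pathext=PATHEXT):
    """Map tool name -> file actually launched, for every .exe whose bare
    name no longer resolves to an .exe."""
    shadowed = {}
    for directory in path:
        for filename in fs.get(directory, set()):
            if filename.endswith(".exe"):
                launched = resolve(filename[:-4], fs, path, pathext)
                if launched is not None and not launched.endswith(".exe"):
                    shadowed[filename[:-4]] = launched
    return shadowed


def remove_dropped(fs, dropped=DROPPED):
    """Listing after the Trojan's files are deleted (the cleanup step above)."""
    return {d: files - dropped.get(d, set()) for d, files in fs.items()}


if __name__ == "__main__":
    for tool in ("regedit", "regedit.exe", "msconfig", "explorer"):
        print(f"{tool:12} -> {resolve(tool, INFECTED_FS)}")
    print("shadowed before cleanup:", sorted(shadowed_tools(INFECTED_FS)))
    print("shadowed after cleanup: ", sorted(shadowed_tools(remove_dropped(INFECTED_FS))))
```

On the constructed listing, regedit, msconfig, rundll32, dxdiag and explorer all resolve to the Trojan's .com files until those are deleted, while regedit.exe with the extension spelled out resolves to the genuine tool throughout.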

 

I. Virus assessment

1. Chinese name: SCO Bomb Variant N
2. English name: Worm.Novarg.n
3. Alias: Worm.Mydoom.m
4. Size: 28,832 bytes
5. Type: worm
6. Risk level: ★★★★
7. Transmission path: email
8. Affected systems: Windows 9x/NT/2000/XP

II. Damage done by the virus

1. It is a worm that spreads through email. After infecting a machine it searches the local machine for email addresses and sends virus emails to them;

2. It uses the domain suffixes of the addresses found locally as keywords to search four search engines, Google and Yahoo among them, for further addresses, and sends virus emails to those as well to spread itself.

3. The flood of search requests slowed the four search engines down.

4. On an infected machine, Internet Explorer, Outlook Express, and Outlook cannot be used normally.

5. The large volume of virus emails sent out consumes network resources heavily and may congest the LAN.

III. Technical analysis

1. The worm is packed with UPX. When run it copies itself to the %WINDOWS% directory as java.exe and drops a backdoor in the same directory named services.exe.

2. It adds startup values for the two files under the registry autostart key "\CurrentVersion\Run", named JavaVM and Services, so that the virus starts automatically.

3. It disables IE, Outlook Express, and Outlook so that they cannot be used.

4. Harvesting email addresses from the local machine: it reads the name of the WAB file currently in use from the registry and searches it for email addresses; it searches the Temporary Internet Files directory (Local Settings\Temporary Internet Files) and extracts addresses from the files there; and it traverses every hard disk drive letter from C: to Z: and tries to extract addresses from files with these extensions: .adb, .asp, .dbx, .htm, .php, .pl, .sht, .tbb, .txt, .wab.

5. Once it has found addresses, it uses "mailto+%address found on the local system%", "reply+%address found on the local system%", and "{|contact+|e|-||mail}+%address found on the local system%" as keywords to search for further email addresses on the following four search engines: search.lycos.com, search.yahoo.com, www.altavista.com, and www.google.com. In this way the virus can find many more usable email addresses.

6. The attachment name of a virus email is one of README, instruction, transcript, mail, letter, file, text, attachment, and so on; the attachment extension is one of cmd, bat, com, exe, pif, scr, zip.

IV. Virus solutions:

1. Upgrade
Rising will issue an emergency upgrade the same day; the upgraded version is 16.37.10. This version of Rising Antivirus can fully detect and remove the "SCO Bomb Variant N" virus. Users of the standard and online editions of Rising Antivirus can log on to the Rising website (http://www.rising.com.cn/) and download the upgrade package, or use the software's smart upgrade function.

2. Use the removal tool
Given the characteristics of the virus, Rising provides a free dedicated removal tool for users who have no antivirus software; it can be downloaded free of charge from http://it.rising.com.cn/service/technology/tool.htm.

3. Use the online scanner or the downloadable edition
Users can also clear the virus with Rising's online antivirus service or the downloadable edition of the product; both are paid for by mobile phone. Log on to http://online.rising.com.cn/ to use the online scanner, or to http://go.rising.com.cn/ to use the downloadable edition.

4. Call for help
If you have other questions about this virus, call the Rising antivirus emergency line, 010-82678800, at any time for help from antivirus experts.

5. Manual removal
(1) End the processes services.exe and java.exe, that is, the copies in the %WINDOWS% directory. The genuine services.exe runs from %WINDOWS%\system32 and must be left alone: killing the real Service Control Manager brings the system down.
(2) Delete the two virus data files in the system's temporary directory: mlitgb.log and Zincite.log.
(3) Delete the virus registry values:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"JavaVM" = %WINDOWS%\java.exe
and
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"Services" = %WINDOWS%\services.exe
Note: %WINDOWS% (also written %WINDIR%) refers to the Windows installation directory. On Windows 95/98/ME/XP the default is C:\Windows; on Windows NT/2000 it is C:\WINNT.
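The registry artefacts in the services.exe removal steps at the top of the post (the Winlogon Shell value, the "Torjan program" Run value, and the .exe association switched to winfiles) and in the manual removal steps for Worm.Novarg.n just above (the JavaVM and Services Run values) are the same kind of thing, so one script covers both. The one below, added here and not code from the original post or from Rising's advisory, triages a `reg export` dump offline: it parses the .reg text, then checks the Winlogon Shell value, the .exe association and its open handler, and the Run/RunServices values for the dropped images, and prints a reg.exe fix for each finding. The two dumps are constructed; pointing the winfiles handler at exeroute.exe is an assumption, since the post only says winfiles hands EXE files to the Trojan.

```python
"""Offline triage of a `reg export` dump for the registry artefacts in both
cleanup lists above. Added example, not the post's or Rising's code; the two
dumps below are constructed."""
import re

WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
AUTOSTART_KEYS = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
                  r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices")
DROPPED_IMAGES = {"services.exe", "java.exe"}   # from the two cleanup lists above
STOCK_EXE_HANDLER = '"%1" %*'                   # the ftype value the reply restores

# Constructed dump of an infected machine. Pointing winfiles at exeroute.exe is
# an assumption: the post says winfiles hands EXE files to the Trojan but not
# which dropped file the handler names.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\.exe]
@="winfiles"
[HKEY_CLASSES_ROOT\winfiles\shell\open\command]
@="C:\\WINNT\\exeroute.exe \"%1\" %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe 1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Torjan program"="C:\\WINNT\\services.exe"
"JavaVM"="C:\\WINNT\\java.exe"
"Services"="C:\\WINNT\\services.exe"
"Synchronization Manager"="mobsync.exe /logon"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Torjan program"="C:\\WINNT\\services.exe"
'''

# Constructed dump of a clean machine, to check for false positives.
CLEAN_REG = r'''Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\.exe]
@="exefile"
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
'''

_VALUE_LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unescape(s):
    return re.sub(r"\\(.)", r"\1", s)   # .reg escapes \ and " with a backslash


def parse_reg(text):
    """[key] / "name"="data" subset of the export format -> {key.lower(): {name: data}};
    the default value is stored under "", non-string data (dword:, hex:) verbatim."""
    reg, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            reg.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line)
        if m and current is not None:
            name = "" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
            data = m.group(2)
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                data = _unescape(data[1:-1])
            reg[current][name] = data
    return reg


def _image_name(command):
    """Executable file name from a Run value (quoted path or first token)."""
    c = command.strip()
    exe = c[1:].split('"', 1)[0] if c.startswith('"') else (c.split(None, 1) or [""])[0]
    return exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def audit(reg):
    """(finding, fix) pairs; fixes use reg.exe syntax, plus the reply's ftype line."""
    findings = []
    shell = reg.get(WINLOGON.lower(), {}).get("Shell")
    if shell is not None and shell.strip().lower() != "explorer.exe":
        findings.append((f"Winlogon Shell is {shell!r}, expected Explorer.exe",
                         f'reg add "{WINLOGON}" /v Shell /t REG_SZ /d Explorer.exe /f'))
    progid = reg.get(r"hkey_classes_root\.exe", {}).get("")
    if progid is not None and progid.lower() != "exefile":
        findings.append((f".exe is associated with ProgID {progid!r} instead of exefile",
                         r"reg add HKEY_CLASSES_ROOT\.exe /ve /t REG_SZ /d exefile /f"))
        findings.append((f"rogue ProgID {progid!r} should be deleted",
                         'reg delete "HKEY_CLASSES_ROOT\\' + progid + '" /f'))
    handler_key = "hkey_classes_root\\" + (progid or "").lower() + r"\shell\open\command"
    handler = reg.get(handler_key, {}).get("")
    if handler is not None and handler != STOCK_EXE_HANDLER:
        findings.append((f"EXE open handler runs {handler!r}", 'ftype exefile="%1" %*'))
    # The genuine services.exe is never started from a Run key, so any autostart
    # value naming one of the dropped images is suspect whatever its path.
    for key in AUTOSTART_KEYS:
        short = key.rsplit("\\", 1)[-1]
        for name, data in reg.get(key.lower(), {}).items():
            if _image_name(data) in DROPPED_IMAGES:
                findings.append((f"{short} value {name!r} starts {data!r}",
                                 f'reg delete "{key}" /v "{name}" /f'))
    return findings


if __name__ == "__main__":
    for finding, fix in audit(parse_reg(SAMPLE_REG)):
        print(f"- {finding}\n    fix: {fix}")
```

Take the dump with `reg export HKLM hklm.reg` and `reg export HKCR hkcr.reg` on the suspect machine (or from a mounted hive on a clean one) and feed the concatenated text to parse_reg; on the constructed infected dump the audit returns eight findings, and on the clean dump none. Apply the fixes only after the dropped files are gone, as the reply at the bottom of the page warns, since reg.exe and ftype are themselves launched through the hijacked lookup.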

V. Security suggestions:

1. Build good security habits. For example, do not open emails or attachments of unknown origin, do not visit unfamiliar websites, and do not run software downloaded from the Internet without scanning it first. These simple habits make your computer much safer.

2. Disable or remove unnecessary services. By default many operating systems install auxiliary services such as an FTP client, Telnet, and a web server. These are convenient for attackers and of little use to most users; removing them greatly reduces the chance of an attack.

3. Apply security patches promptly. According to statistics, 80% of network viruses spread through system vulnerabilities, the Blaster and Sasser worms among them, so download the latest security patches from the Microsoft website regularly to avoid unpleasant surprises.

4. Use complex passwords. Many network viruses attack systems by guessing simple passwords, so a complex password considerably raises a computer's security.

5. Isolate infected computers quickly. When your computer shows signs of a virus or behaves abnormally, disconnect it from the network immediately so that it neither picks up further infections nor becomes a source that infects other machines.

6. Learn about viruses. That way you can spot new viruses and take the right measures at the critical moment to keep your computer from being damaged. If you know a little about the registry, check its autostart entries regularly for suspicious values; if you know something about memory, check regularly for suspicious programs running in memory.

7. Install professional antivirus software for comprehensive monitoring. With the number of viruses growing all the time, antivirus software is an increasingly economical choice. After installing it, update it often and keep the main monitoring features (such as email monitoring and memory monitoring) switched on to keep the computer secure.

8. Also install personal firewall software against hackers. As networks have grown, hacker attacks on users' computers have become more and more serious, and many network viruses use hacking techniques to attack users' computers; so install a personal firewall as well, and set its security level to medium or high to block network attacks effectively.

 
 
Re: remove the Trojan of services.exe
[15:34:24 | by: lvsonglin (visitor)]
 
assoc .exe=exefile      (there is a space between assoc and .exe)
ftype exefile="%1" %*
 
 
 
Re: remove the Trojan of services.exe
[20:39:20 | by: lusong forest (tourist)]
 

My computer has been infected,

Haha

A stubborn virus, very depressing

Not afraid any more

 
 
 
Re: remove the Trojan of services.exe
[20:20:23 | by: lusong forest (tourist)]
 

Registry values to add and modify (best done as the last step):

5. renew
6. Check the information for iexplore.com, and change the iexplore.com in that content to iexplore.exe
7. Check the zookeeper information, and change the existing zookeeper to zookeeper.EXE
8. Find the "iexplore.pif" information, similar to "%ProgramFiles%\Common Files\iexplore.pif", and change that content to "C:\Program Files\Internet Explorer\iexplore.exe"
9. Delete the file association information and startup items added by the virus:
[HKEY_CLASSES_ROOT\winfiles]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Torjan program"="%WINDOWS%\services.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Torjan program"="%WINDOWS%\services.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe 1"
change to
"Shell"="Explorer.exe"

10. These are the registration entries of a VB library file (mswinsck.ocx) dropped by the virus; you do not have to delete them:
HKEY_CLASSES_ROOT\MSWinsock.Winsock
HKEY_CLASSES_ROOT\MSWinsock.Winsock.1
HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}
HKEY_CLASSES_ROOT\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}
HKEY_CLASSES_ROOT\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}
HKEY_CLASSES_ROOT\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}
HKEY_CLASSES_ROOT\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}

Note: because the virus has modified a lot of association information, do not perform any other operations before the virus files are deleted, to avoid activating the virus again.

 
