services.exe (services process)

Introduction

Process file: services or services.exe
Process name: Windows Service Controller
Process type: other processes

English description: Services.exe is part of the Microsoft Windows operating system and manages the starting and stopping of services. This process also handles the automatic starting of services during the computer's boot-up and the stopping of services during shutdown.

Chinese description: Services.exe is part of Microsoft's Windows operating system and is used to manage the starting and stopping of services. This process also handles the services that run when the computer is started and shut down. This program is very important to the normal operation of your system.

Note: a process called services.exe may also be the W32.Randex.R trojan (stored in the %SystemRoot%\system32\ directory) or the Sober.P trojan (stored in the %SystemRoot%\Connection Wizard\status\ directory). These trojans allow attackers to access your computer and steal passwords and personal data. If the process turns out to be one of these trojans, it should be deleted immediately.

Publisher: Microsoft Corp.
Belongs to: Microsoft Windows Operating System
System process: Yes
Background program: Yes
Network problems: No
Common errors: N/A
Memory usage: N/A
Security grade (0-5): 0
Spyware: No
Adware: No
Virus: No
Trojan: No

A services.exe backdoor trojan

This backdoor is not bad; it is rather perverse. In total it generates 14 files, 3 shortcut icons and 2 folders. The .exe file association is changed from the default "exefile" to "winfiles", and a "winfiles" key is then created to associate EXE files with the trojan. That is, after infection, the type shown for every EXE file changes from "Application" to "EXE file". Of course, the clearing method is also very simple, but you need to follow the steps in order:

1. Registry: use a registry repair tool first, or directly use Regedit to correct the following:
1. system.ini (on NT systems this lives in the registry under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon): change "shell = explorer.exe 1" back to "shell = explorer.exe".
2. Under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, delete the trojan's entry: c:\winnt\services.exe
3. Under HKEY_CLASSES_ROOT\.exe, change the default value from winfiles back to exefile.
4. Delete the following two keys: HKEY_CLASSES_ROOT\winfiles and HKEY_LOCAL_MACHINE\SOFTWARE\Classes\winfiles
2. Restart the system and delete the following files. To open each partition, open "My Computer", right-click the partition and select "Open" (rather than double-clicking, which would trigger the autorun.inf the trojan planted there). Or directly run the attached kv.bat to delete the following files:

C:\autorun.inf (if you have multiple partitions, check whether the file exists on the other partitions and delete those copies too)
%ProgramFiles%\Common Files\iw.e.pif
%ProgramFiles%\Internet Explorer\iexplore.com
%Windir%\1.com
%Windir%\exeroute.exe
%Windir%\explorer.com
%Windir%\finder.com
%Windir%\mswinsck.ocx
%Windir%\services.exe
%Windir%\system32\command.pif
%Windir%\system32\dxdiag.com
%Windir%\system32\finder.com
%Windir%\system32\msconfig.com
%Windir%\system32\regedit.com
%Windir%\system32\rundll32.com

Delete the following folders:
%Windir%\debug
%Windir%\system32\ntmsdata

I. Virus Assessment
1. Virus Chinese name: SCO bomb Variant N
2. Virus English name: Worm.Novarg.n
3. Virus alias: Worm.Mydoom.m
4. Virus size: 28832 bytes
5. Virus type: Worm
6. Virus risk level: ★★★★
7. Virus transmission path: Email
8. Dependent systems: Windows 9x/NT/2000/XP

II. Damage done by the virus
1. It is a worm that spreads through email. After infecting a machine, it searches for email addresses on the local machine and sends virus emails to them.
2. It uses the domain suffixes of the email addresses found locally as keywords to search for related addresses on four search engines, such as Google and Yahoo, and sends virus emails to those addresses to spread itself.
3. The large number of search requests slowed down the four search engines.
4. On infected machines, the IE browser, Outlook Express and Outlook cannot be used normally.
5. The large number of virus emails sent out seriously consumes network resources and may cause LAN congestion.

III. Technical Analysis
1. The worm is compressed with UPX. After running, it copies itself to the %WINDOWS% directory as java.exe and drops a backdoor in the same directory named services.exe.
2. It adds startup values for these two files under the registry startup key "...\CurrentVersion\Run", named JavaVM and Services, so that the virus starts automatically.
3. It disables IE, Outlook Express and Outlook so that they cannot be used.
4. It searches for email addresses on the local machine: it reads the name of the WAB file currently in use from the registry and searches it for addresses; it searches the Temporary Internet Files directory (Local Settings\Temporary Internet Files) and extracts addresses from the files there; and it traverses all hard disks with drive letters from C to Z, trying to extract addresses from files with the following extensions: .adb, .asp, .dbx, .htm, .php, .pl, .sht, .tbb, .txt, .wab.
5. After finding addresses, the virus uses "mailto+<address found locally>", "reply+<address found locally>" and "{|contact+|E|-||mail}+<address found locally>" as keywords on the following four search engines: search.lycos.com, search.yahoo.com, www.altavista.com and www.google.com. In this way the virus can find many more usable addresses.
6. The attachment name of a virus email is README, instruction, transcript, mail, letter, file, text, attachment, etc. The attachment extension is cmd, bat, com, exe, pif, scr or zip.

IV. Virus solutions
1. Upgrade: Rising Inc. will perform an emergency upgrade on the same day; the upgraded software version is 16.37.10. This version of Rising Antivirus can thoroughly detect and kill the "SCO bomb Variant N" virus. Users of the standard and online versions of Rising Antivirus can log on to the Rising website (http://www.rising.com.cn/) to download the upgrade package, or use the intelligent upgrade function of the software.
2. Use the removal tool: in view of the characteristics of this virus, Rising provides a free dedicated removal tool for users who have no antivirus software; it can be downloaded free of charge from http://it.rising.com.cn/service/technology/tool.htm.
3. Use the online antivirus or downloaded version: users can also use Rising's online antivirus or downloadable product to clear the virus. Both products are paid for by mobile phone; log on to http://online.rising.com.cn/ to use the online antivirus product, or to http://go.rising.com.cn/ to use the downloaded edition.
4. Call for help: if you have other questions about the virus, you can call the Rising anti-virus emergency number 010-82678800 at any time for help from anti-virus experts.
5. Manual removal:
(1) End the processes services.exe and java.exe (the copies in the %WINDOWS% directory).
(2) Delete the two virus data files in the system's temporary directory: mlitgb.log and zincite.log.
(3) Delete the virus registry values:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "JavaVM" = %WINDOWS%\java.exe
and
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Services" = %WINDOWS%\services.exe
Note: %WINDOWS% refers to the Windows directory of the system. In Windows 9x/ME/XP the default is C:\Windows; in Windows 2000 the default is C:\WINNT.
Note: %WINDIR% indicates the installation directory of Windows. In Windows 95/98/ME/XP the default directory is C:\Windows; in Windows 2000 the default is C:\WINNT.

V. Security suggestions
1. Establish good security habits. For example, do not open emails or attachments of unknown origin, do not visit unfamiliar websites, and do not run software downloaded from the Internet without scanning it for viruses first. These necessary habits make your computer safer.
2. Disable or delete unnecessary services in the system. By default, many operating systems install auxiliary services such as FTP clients, Telnet and web servers. These services are convenient for attackers and of little use to users; removing them can greatly reduce the possibility of attack.
3. Update security patches frequently. According to statistics, 80% of network viruses, such as the Blaster and Sasser worms, spread through system security vulnerabilities. Therefore, regularly download the latest security patches from the Microsoft website to prevent unexpected events.
4. Use a complex password. Many network viruses attack the system by guessing simple passwords, so using complex passwords greatly increases the computer's safety factor.
5. Quickly isolate infected computers. When your computer detects viruses or behaves abnormally, immediately disconnect it from the network to prevent the computer from being infected further, or from becoming a source of transmission that infects other computers.
6. Learn about viruses. In this way you can detect new viruses and take appropriate measures to protect your computer from virus damage at critical moments. If you have some knowledge of the registry, you can regularly check whether the registry's auto-start items contain suspicious values. If you know something about memory, you can often check whether suspicious programs are resident in memory.
7. It is best to install professional anti-virus software for comprehensive monitoring. With the increasing number of viruses, anti-virus software is an increasingly economical choice. However, after installing anti-virus software, you must also upgrade it frequently and keep its major monitoring features (such as email monitoring and memory monitoring) switched on in order to keep the computer secure.
8. Users should also install personal firewall software to guard against hackers. With the development of the network, hacker attacks on users' computers are becoming more and more serious, and many network viruses use hacking methods to attack users' computers. Therefore, users should also install personal firewall software and set its security level to medium or high to effectively prevent cyberattacks.
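Both manual cleanups on this page (the winfiles association hijack of the first trojan and the JavaVM/Services Run values of Mydoom.m) come down to checking a handful of registry locations. The following is an added example, not code from the page or from any vendor named on it: a Python audit of a Regedit export (File > Export produces a .reg file) that flags the three indicators the page describes: a Run value that launches a file named services.exe or java.exe, a .exe class whose default is no longer "exefile", and a Winlogon Shell value that is not plain "explorer.exe". The key paths and value names are the ones given on the page; the embedded .reg text is constructed for the demonstration.

```python
import re

# Registry locations named on the page. Only the Run key, the .exe class and
# the Winlogon Shell value are audited here.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
EXE_CLASS_KEY = r"HKEY_CLASSES_ROOT\.exe"
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Drop names used by the two samples described on the page. The genuine
# Windows Service Controller lives in %SystemRoot%\System32 and is started by
# the boot process, never through a Run value, so any Run entry launching a
# file with one of these names deserves a look.
SUSPECT_RUN_BINARIES = {"services.exe", "java.exe"}

# "name"="data" or @="data" lines inside a .reg export.
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def parse_reg_export(text):
    """Parse the subset of .reg syntax used here: [key] headers and string values.
    Returns {key: {value_name: data}}; the key's default value is stored under "@"."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if not m or current is None:
            continue
        name = "@" if m.group(1) == "@" else m.group(1)[1:-1]
        data = m.group(2).strip()
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            # .reg string data escapes backslash and double quote with a backslash.
            data = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
        keys[current][name] = data
    return keys


def executable_basename(command):
    """Return the lower-cased file name of the program a Run value launches,
    handling both quoted paths with arguments and bare paths."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        program = command[1:end] if end > 0 else command[1:]
    else:
        parts = command.split()
        program = parts[0] if parts else ""
    return program.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def audit(keys):
    """Return (indicator, detail) findings for the three persistence tricks on the page."""
    findings = []
    for name, command in keys.get(RUN_KEY, {}).items():
        if executable_basename(command) in SUSPECT_RUN_BINARIES:
            findings.append(("run-value", f"{name} = {command}"))
    exe_default = keys.get(EXE_CLASS_KEY, {}).get("@")
    if exe_default is not None and exe_default.lower() != "exefile":
        findings.append(("exe-association", f'.exe default is "{exe_default}", expected "exefile"'))
    shell = keys.get(WINLOGON_KEY, {}).get("Shell")
    if shell is not None and shell.strip().lower() != "explorer.exe":
        findings.append(("winlogon-shell", f'Shell = "{shell}", expected "explorer.exe"'))
    return findings


# Constructed sample export reproducing the page's indicators plus one benign entry.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"JavaVM"="C:\\WINDOWS\\java.exe"
"Services"="C:\\WINDOWS\\services.exe"
"Trojan program"="c:\\winnt\\services.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_CLASSES_ROOT\.exe]
@="winfiles"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe 1"
'''

if __name__ == "__main__":
    for indicator, detail in audit(parse_reg_export(SAMPLE_EXPORT)):
        print(f"[{indicator}] {detail}")
```

On the sample the audit reports the three Run values, the hijacked .exe association and the modified Shell line, and leaves the ctfmon.exe entry alone. Export the live keys from a suspect machine with Regedit and pass that file's text to parse_reg_export to run the same checks offline; the checks are deliberately narrow, so a clean result only says that these specific indicators are absent.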