How does ARP virus clear? arp Virus cleanup method

failure phenomenon: The machine can be normal before the Internet, suddenly appear can be authenticated, not the phenomenon of the Internet (can not ping the gateway), restart the machine or under the Msdos window to run the command arp-d, but also to restore the Internet for a period of time. Failure Reason:
This is caused by an APR virus spoofing attack.

The cause of the problem is generally due to ARP Trojan attack. When using a plug-in or virus program in a local area network, the virus that is carried will map the MAC address of the machine to the IP address of the gateway. To send a large number of ARP packets to the LAN, resulting in the same network of other machines in the address as a gateway, which is why the intranet is interworking when offline, the computer is not the reason for the Internet.

Interim handling Countermeasures:

Step one.
When you can access the Internet, enter the MS-DOS window, enter the command: Arp–a the correct MAC address IP corresponding to the gateway, record it. Note: If you are already unable to access the Internet, run a command arp–d the contents of the ARP cache, the computer can temporarily restore the Internet (if the attack is not stopped), once you can access the Internet will immediately disconnect (disable network card or unplug network cable), and then run Arp–a.


Step two.

If you already have the correct MAC address for the gateway, bind the gateway IP and the correct MAC manually when the Internet is not available to ensure that the computer is no longer affected by the attack. Manual binding allows you to run the following command under the MS-DOS window:
Arp–s Gateway IP Gateway Mac

For example, suppose the computer is in a network segment with a gateway of 218.197.192.254, and the native address is 218.197.192.1 running Arp–a on the computer after the output is as follows:

C:/Documents and Settings>arp-a
interface:218.197.192.1---0x2
Internet Address Physical Address Type
218.197.192.254 00-01-02-03-04-05 Dynamic

Where 00-01-02-03-04-05 is the corresponding MAC address of the Gateway 218.197.192.254, the type is dynamic and therefore can be changed. After being attacked, then using this command to view, it will be found that the MAC has been replaced by the attack machine Mac, if you want to find the attack machine, completely eradicate the attack, you can record the Mac at this time, to prepare for future lookups.

The manually bound commands are:

Arp–s 218.197.192.254 00-01-02-03-04-05

After binding, you can then use Arp–a to view the ARP cache

C:/Documents and Settings>arp-a
interface:218.197.192.1---0x2
Internet Address Physical Address Type
218.197.192.254 00-01-02-03-04-05 Static

At this point, the type becomes static (static) and is no longer affected by the attack. However, it is important to note that manual binding is invalidated after the computer shuts down and needs to be bound again. Therefore, to eradicate the attack, only to find the network segment of the virus infected computer, so that its antivirus can be resolved.

How to find the virus computer:

If you already have a MAC address for a virus computer, you can use the Nbtscan software to find the IP address of the MAC address in the network segment, which is the IP of the virus computer, and then report it to the Campus Network Center for seizure. Nbtscan use: Download Nbtscan.rar to the hard drive and unzip, then copy cygwin1.dll and nbtscan.exe two files to C:/windows/system32 (or system). Entering the Msdos window allows you to enter a command:
Nbtscan-r 218.197.192.0/24
(Assuming that the network segment is 218.197.192, the mask is 255.255.255.0; When you actually use this command, you should change the italic part to the correct network segment).

Note: When using Nbtscan, sometimes because some computers install firewall software, Nbtscan output is not complete, but in the computer's ARP cache can react, so when using Nbtscan, you can also view the ARP cache, The corresponding relationship between computer IP and Mac in the network segment can be obtained comparatively completely.