The bcvsrv32.exe virus has appeared in our company. A large number of Windows servers and clients are infected, the Internet egress is clogged by a flood of junk packets, many departments that access servers abroad are affected, and the IT department is receiving a large number of service requests. According to the company's Windows administrators, the bcvsrv32.exe process cannot be killed in normal mode and the Norton anti-virus software can do nothing about it; the machine has to be booted into safe mode for cleaning. Cleanup is therefore slow, and newly infected computers keep appearing.
One day a Windows administrator phoned me for help. He said he was out of options: his site had several computers to clean, it would take more than an hour to get to my site to have the infected machines handled here, and on top of that everything had to be done in safe mode, and so on. I asked for the Administrator password, connected through Terminal Services and had a look. Sure enough, bcvsrv32.exe cannot be killed from Task Manager. But going to the console with keyboard, mouse and display and restarting the computer several times did not appeal to me, so I tried another way. A quick search on Google turned up two management tools, tlist.exe and pskill.exe (tlist.exe is in the Windows 2000 Support Tools; pskill.exe is a Sysinternals tool that can also be downloaded from various hacker tool websites). I tried them and, unexpectedly, the problem was solved in no time. So I wrote the following mail and sent it to all the Windows administrators.
How to deal with the virus "bcvsrv32.exe" in one minute?
Some people say the virus "bcvsrv32.exe" can't be removed without rebooting the computer, but I have found an easy way to deal with it.
Firstly, we need two tools named tlist and pskill. You can find them in the attachment.
Secondly, upload the two tools to the victim server. For example, you can put them in \\9.184.83.79\admin$.
Then, on the victim server, find out the process ID of "bcvsrv32.exe". In this case I find the PID is 2776.
Let's begin! Type in the following commands.
C:\Documents and Settings\teserver> tlist 2776 | more
2776 bcvsrv32.exe
   CWD:     C:\winnt\system32\
   CmdLine: C:\winnt\system32\bcvsrv32.exe -meltserver "\\9.184.83.79\e$\bcvsrv32.EXE"
   VirtualSize:     2073940 KB   PeakVirtualSize:     2074896 KB
   WorkingSetSize:    23172 KB   PeakWorkingSetSize:   103448 KB
   NumberOfThreads: 1965
   3096 Win32StartAddr:0x00451060 LastErr:0x00000000 State:Waiting
   1576 Win32StartAddr:0x0040ba67 LastErr:0x00000000 State:Waiting
   ......
   ......
Please notice this line: CmdLine: C:\winnt\system32\bcvsrv32.exe -meltserver "\\9.184.83.79\e$\bcvsrv32.EXE". OK, so there are two bcvsrv32.exe files on this system.
E:\bcvsrv32.exe can be deleted easily, but when you try to delete C:\winnt\system32\bcvsrv32.exe, you will only get the message "Access Denied".
Note added afterwards: in fact, this is the crux of the problem. If you do not deal with E:\bcvsrv32.exe first, you will find that bcvsrv32.exe can never be killed. A command-line tool like tlist is what reveals this. That's easy!
Don't worry. It's time to use the tool pskill. Follow me, please.
C:\Documents and Settings\teserver> pskill 2776
PsKill v1.03 - Terminates processes on local or remote systems
Copyright (C) 1999-2004 Mark Russinovich
Sysinternals - www.sysinternals.com
Process 2776 killed.
Haha, the game is over. Now we can list all the processes on the server and delete the file C:\winnt\system32\bcvsrv32.exe.
C:\Documents and Settings\teserver> tlist
   0 System Process
   8 System
 192 smss.exe
 216 csrss.exe
 240 winlogon.exe
 268 services.exe
 280 lsass.exe
 384 termsrv.exe
 500 svchost.exe
 544 spoolsv.exe
 616 msdtc.exe
 792 defwatch.exe
 812 svchost.exe
 836 ibmasrex.exe
 856 ibmasrsv.exe
 868 jacservice.exe
 884 llssrv.exe
 940 tcpsvcs.exe
 976 mnmsrvc.exe
1000 nhostsvc.exe
1300 ntfrs.exe
1336 regsvc.exe
1348 mstask.exe
1436 winmgmt.exe
1484 wins.exe
1492 nhstw32.exe
1508 svchost.exe
1532 dfssvc.exe
1620 nldrw32.exe
 968 svchost.exe
2288 dllhost.exe
9076 DWRCS.exe
9148 nvidir.exe
9548 assumer.exe
10848 vptray.exe
2876 ss3dfo.scr
10980 cmd.exe
10176 nvidir.exe
9524 java.exe
1892 rtvscan.exe
10544 csrss.exe
10280 winlogon.exe      NetDDE Agent
10924 assumer.exe       Program Manager
9540 nhostsvc.exe
11032 nhstw32.exe       NetOp Host - Running
9860 nldrw32.exe        NetOp Windows Loader
10156 mmc.exe           Computer Management
10712 vpc32.exe         Symantec AntiVirus Corporate Edition
9376 taskmgr.exe        Windows Task Manager
10308 mmc.exe           Services
10956 cmd.exe           c: winntsystem3220..exe
10772 conime.exe
10844 cmd.exe           c: winntsystem320000.exe-tlist
10960 tlist.exe
10696 more.com
11092 tlist.exe
C:\Documents and Settings\teserver> del C:\winnt\system32\bcvsrv32.exe
C:\Documents and Settings\teserver>
By the way, we also need to reverse the changes the virus made to the Registry. Please see this article: http://securityresponse.symantec.com/avcenter/venc/data/w32.gaobot.bqj.html.
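The same cleanup order the mail walks through (delete the source copy named in -meltserver, kill the process, delete the local image), as an added PowerShell example that is not part of the original post or its attachments; it uses the built-in Win32_Process query in place of tlist and Stop-Process in place of pskill. Assumptions: it runs in an elevated PowerShell session on the infected host, and the -meltserver argument is quoted the way the tlist output above shows it.

```powershell
# Added example, not the original post's code. Run as Administrator on the
# infected host. The image name defaults to the one discussed in the post.
param([string]$ImageName = 'bcvsrv32.exe')

# 1. Enumerate matching processes together with their command lines
#    (what tlist <pid> showed above).
$procs = Get-CimInstance Win32_Process -Filter "Name = '$ImageName'"
if (-not $procs) { Write-Host "No $ImageName process found"; return }

foreach ($p in $procs) {
    Write-Host ("PID {0}: {1}" -f $p.ProcessId, $p.CommandLine)

    # 2. Pull the source copy out of the -meltserver "<path>" argument.
    #    Per the note in the post, this copy must go first or the process
    #    cannot be killed.
    $source = $null
    if ($p.CommandLine -match '-meltserver\s+"([^"]+)"') { $source = $Matches[1] }
    if ($source -and (Test-Path -LiteralPath $source)) {
        Remove-Item -LiteralPath $source -Force
        Write-Host "Removed source copy $source"
    }

    # 3. Terminate the process (the pskill step).
    try {
        Stop-Process -Id $p.ProcessId -Force -ErrorAction Stop
        Write-Host ("Killed PID {0}" -f $p.ProcessId)
    } catch {
        Write-Warning ("Could not kill PID {0}: {1}" -f $p.ProcessId, $_)
        continue
    }

    # 4. Delete the local image now that nothing holds it open (the del step).
    $image = $p.ExecutablePath
    if ($image -and (Test-Path -LiteralPath $image)) {
        Remove-Item -LiteralPath $image -Force
        Write-Host "Deleted $image"
    }
}
```

The Registry entries the Symantec write-up lists still have to be removed by hand afterwards, as the post says.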
In fact, there is nothing special in this article, but I think a qualified Windows administrator must understand and be good at using the Support Tools, the Resource Kit and some hacker gadgets. As the saying goes, to do a good job you must first sharpen your tools.
================================================================================
For reprinting in any form, please specify the source:
Email: beginner@yeah.net
Website: http://blog.chinaunix.net/index.php?blogid=739
================================================================================