Manual removal of a new Gray Pigeon variant (4th edition)

Original: endurer

4th edition: added Kaspersky's response
3rd edition: added a summary
2nd edition: added the virus names that Rising assigned to the Gray Pigeon's DLL files
You can leave a comment or go to the Rising Kaka anti-virus forum thread "[Original] Manually removing the new variant Backdoor.Gpigeon.wzo" for discussion.

1st edition

This new Gray Pigeon variant was encountered in the case described in "Clearing the QQ tail yuuikkj.exe".

At the time, I used IceSword to look at the modules loaded by QQ.exe and found a D:\WINDOWS\svchosts.exe, whose file name was suspicious.

IceSword responds slowly over Remote Assistance, so the process module list exported by ProcView is given below:

--------------------------------------------------------------------------------

* You are using Windows XP (5.1.2600 Service Pack 2)
22:58:23 Process List
[System Process]
F:\virus\procview\procview.exe
D:\WINDOWS\system32\ntdll.dll
D:\WINDOWS\system32\kernel32.dll
... (irrelevant modules skipped)
D:\Program Files\Tencent\qq\DShared.dll
D:\WINDOWS\svchostsKey.DLL
... (irrelevant modules skipped)

--------------------------------------------------------------------------------

However, even with the system set to show all files and folders, the file D:\WINDOWS\svchostsKey.DLL is not visible in WinRAR or in Explorer; only svchostsKey.log is found, which is probably a file that records the user's keystrokes.

Viewing D:\WINDOWS with IceSword, three suspicious files were found:

--------------------------------------------------------------------------------

Svchosts.DLL
Svchosts.exe
SvchostsKey.DLL

--------------------------------------------------------------------------------

{*

Tested later:
Svchosts.DLL was reported as Backdoor.Gpigeon.wnw

SvchostsKey.DLL was reported as Backdoor.Gpigeon.wnv


Subject: Virus report e-mail analysis result - Rising, Ticket No.: 2179671


1. File name: svchosts.exe
Virus name: Backdoor.Gpigeon.wzo

We will solve the problem in the newer version 18.19.21. Please upgrade your Rising software to version 18.19.21 and turn on the monitoring center to completely remove the virus. If a problem is found during testing, the update may be delayed by one to two versions.


Kaspersky with the virus database of 11:17:36 reports svchosts.exe as Trojan-Proxy.Win32.Agent.iu.
*}

Presumably API functions such as FindFirstFile have been hooked.

After using IceSword to unload the D:\WINDOWS\svchostsKey.DLL module, the file is still invisible in WinRAR.

Moreover, in IceSword these three suspicious files cannot be archived and backed up! IceSword does not seem to support file drag and drop. If it could call the system Shell right-click menu, that would be enough.

Using "Copy to" in IceSword's right-click menu, the three suspicious files were copied to F:\virus. However, since the target file names were not changed, the files remained invisible even after being copied to F:\virus.

I downloaded the "Delete files at next startup" program from http://endurer.ys168.com, manually added D:\WINDOWS\svchosts.DLL, D:\WINDOWS\svchosts.exe and D:\WINDOWS\svchostsKey.DLL to the list of files to delete, and then chose "rename all files": D:\WINDOWS\svchosts.DLL and D:\WINDOWS\svchostsKey.DLL were renamed successfully, while D:\WINDOWS\svchosts.exe could not be renamed.

{* Endurer note: version 0.0005 of the "Delete files at next startup" program has added a system right-click context menu entry, which can be used to archive files! *}

In this way, the files D:\WINDOWS\svchosts.DLL.bak and D:\WINDOWS\svchostsKey.DLL.bak became visible in WinRAR; both were archived as backups and then set to "delete at next boot".

By this point it was getting into the early morning hours, so the netizen was asked to uninstall Jiangmin and install Kaspersky to scan.

At noon today, we continued helping the netizen.

With IceSword I found only svchostsKey.log in D:\WINDOWS; svchosts.DLL.bak, svchosts.exe and svchostsKey.DLL.bak were gone. Presumably they were removed by the "Delete files at next startup" program.

The svchosts.DLL, svchosts.exe and svchostsKey.DLL files in F:\virus were then opened with icesword.exe.

Scanning with HijackThis and reading the short log, the Gray Pigeon's system service startup item finally showed up:

--------------------------------------------------------------------------------

O23 - Service: COM+ System Applications - Unknown owner - D:\WINDOWS\svchosts.exe (file missing)

--------------------------------------------------------------------------------

Note: compare this service name with the built-in Windows service:

--------------------------------------------------------------------------------

COM+ System Application: C:\WINDOWS\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)

--------------------------------------------------------------------------------

The malicious service name has an extra letter "s" on the end.

Open the Registry Editor (regedit.exe), expand HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services, find the "COM+ System Applications" subkey and delete it.
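The lookalike service name above is the kind of thing that is easy to miss by eye. The following script, an added example and not part of the original post or any tool it mentions, parses HijackThis O23 lines and flags entries whose display name is a near-copy of a baseline name, whose image file is missing, or whose svchost-like image lives outside system32. The sample log lines and the short baseline list are constructed for the example; a real baseline would be exported from a clean machine of the same Windows version.

```python
import re
from difflib import SequenceMatcher

# Constructed sample HijackThis O23 lines; the second mirrors the entry found in this writeup.
SAMPLE_LOG = "\n".join([
    r"O23 - Service: COM+ System Application - Unknown owner - C:\WINDOWS\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}",
    r"O23 - Service: COM+ System Applications - Unknown owner - D:\WINDOWS\svchosts.exe (file missing)",
    r"O23 - Service: Windows Time - Unknown owner - C:\WINDOWS\system32\svchost.exe -k netsvcs",
])

# Assumed baseline of legitimate display names and their image file names (kept short here).
KNOWN_SERVICES = {
    "COM+ System Application": "dllhost.exe",
    "Windows Time": "svchost.exe",
}

O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)

def parse_o23(log_text):
    """Return one dict per O23 line: display name, owner, image path and a file-missing flag."""
    matches = (O23_RE.match(line.strip()) for line in log_text.splitlines())
    return [{**m.groupdict(), "missing": m.group("missing") is not None} for m in matches if m]

def lookalike_of(name):
    """Return the baseline name this one imitates (near-identical but not equal), else None."""
    for known in KNOWN_SERVICES:
        if name != known and SequenceMatcher(None, name.lower(), known.lower()).ratio() >= 0.9:
            return known
    return None

def check_services(log_text):
    """Flag entries with lookalike names, missing images, or svchost-like images outside system32."""
    findings = []
    for e in parse_o23(log_text):
        # image file name: first token of the command line, last path component
        exe = re.split(r"[\\/]", e["path"].split(" ")[0])[-1].lower()
        reasons = []
        if e["name"] in KNOWN_SERVICES:
            if exe != KNOWN_SERVICES[e["name"]]:
                reasons.append("baseline name with unexpected image " + exe)
        elif lookalike_of(e["name"]):
            reasons.append("name imitates built-in service '%s'" % lookalike_of(e["name"]))
        if e["missing"]:
            reasons.append("image file missing (leftover autostart entry)")
        if re.fullmatch(r"svchosts?\.exe", exe) and "system32" not in e["path"].lower():
            reasons.append("svchost-like image outside system32")
        if reasons:
            findings.append((e["name"], e["path"], reasons))
    return findings
```

Running `check_services(SAMPLE_LOG)` reports only the "COM+ System Applications" entry, with all three reasons.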

Summary:

1. Making good use of the free online virus scanning offered by anti-virus vendors gets twice the result with half the effort. In this case the Gray Pigeon's svchosts.DLL and svchostsKey.DLL files could be detected and removed by Rising; if Rising's free online scanner had been used first, the cleanup might not have been so troublesome.

2. Programs that hide their own files and system services, such as the Gray Pigeon, are better dealt with in Safe Mode (for Remote Assistance, Safe Mode with Networking can be used). In this case the user's computer could not be started in Safe Mode, so a lot of effort was spent handling it in normal mode; working in a Command Prompt window is too slow.

3. IceSword is a powerful system inspection and repair tool, but it still has some shortcomings:

1) When used over Remote Assistance its response is slow. IceSword's delete option was tried for removing the Gray Pigeon's system service startup item from the registry, but in the end the Registry Editor regedit.exe had to be used.

2) Files and folders cannot be dragged and dropped, files cannot be renamed, and the system Shell context menu cannot be called.

4. Because of the shortcomings of IceSword 1.12, when using its "Copy to" function to copy a file hidden by a program such as the Gray Pigeon, it is best to change the file name or add a .bak extension when specifying the target file name, so that the copy is visible for archiving and other operations.

5. The short log and startup item list generated by HijackThis 1.99.1 cannot list the module files loaded by system processes, which makes it harder to discover viruses, Trojans and other malicious programs that run as DLLs or otherwise inject into other processes.

Trackback: http://tb.blog.csdn.net/TrackBack.aspx?PostId=631778