Manually detecting and removing the Gray Pigeon backdoor (Backdoor.gpigeon) and related viruses (3rd version)

Source: Internet
Author: User

Endurer original

2005.11.24, 3rd version: added Kaspersky's reply on the three Gray Pigeon files.

2005.11.19, 2nd version: added Rising's reply on the file C:/Windows/system.exe of the suspicious service "cryptographic servicesini".

2005.11.16, 1st version

I went to a friend's house tonight and used his computer to access the Internet. Before opening QQ, I habitually use anti-virus software to scan the memory and the Windows system folders (this is a good habit ^_^). This computer runs Windows XP SP1, with the Rising antivirus card I had given him installed. As a result, Gray Pigeon and other viruses were detected in memory! The results are shown below (to obtain virus samples, I set the action on detecting a virus in Rising's settings to "Ignore").

Rising Antivirus Assistant
Windows XP (5.1.2600 Service Pack 1)
Process > File name    Virus name
Csrss.exe> C:/Windows/system_hook.dll backdoor. gpigeon. TFs
Winlogon.exe> C:/Windows/system_hook.dll backdoor. gpigeon. TFs
Services.exe> C:/Windows/system_hook.dll backdoor. gpigeon. TFs
Lsass.exe> C:/Windows/system_hook.dll backdoor. gpigeon. TFs
Svchost.exe> C:/Windows/system_hook.dll backdoor. gpigeon. TFs
Svchost.exe> C:/Windows/system_hook.dll backdoor. gpigeon. TFs
Svchost.exe> C:/Windows/system_hook.dll backdoor. gpigeon. TFs
Svchost.exe> C:/Windows/system_hook.dll backdoor. gpigeon. TFs
Spoolsv.exe> C:/Windows/system_hook.dll backdoor. gpigeon. TFs
Alg.exe> C:/Windows/system_hook.dll backdoor. gpigeon. TFs
Iexplore. EXE> C:/Windows/system. dll backdoor. gpigeon
Iexplore. EXE> C:/Windows/system_hook.dll backdoor. gpigeon. TFs
Ccenter. EXE> C:/Windows/system_hook.dll backdoor. gpigeon. TFs
Svchost.exe> C:/Windows/system_hook.dll backdoor. gpigeon. TFs
EXPLORER. EXE> C:/Windows/EXPLORER. EXE worm. Mail. fanbot
EXPLORER. EXE> C:/Windows/system_hook.dll backdoor. gpigeon. TFs
Igfxtray.exe> C:/Windows/system_hook.dll backdoor. gpigeon. TFs
Hkw..exe> C:/Windows/system_hook.dll backdoor. gpigeon. TFs
Soundman. EXE> C:/Windows/system_hook.dll backdoor. gpigeon. TFs
Realsched.exe> C:/Windows/system_hook.dll backdoor. gpigeon. TFs
Ravtimer. EXE> C:/Windows/system_hook.dll backdoor. gpigeon. TFs
Ctfmon.exe> C:/Windows/system_hook.dll backdoor. gpigeon. TFs
Switchnet.exe> C:/Windows/system_hook.dll backdoor. gpigeon. TFs
Greenbrowser.exe> C:/Windows/system_hook.dll backdoor. gpigeon. TFs
Winrar.exe> C:/Windows/system_hook.dll backdoor. gpigeon. TFs
Notepad.exe> C:/Windows/system_hook.dll backdoor. gpigeon. TFs
Rav.exe> C:/Windows/system_hook.dll backdoor. gpigeon. TFs
C:/Windows/system32/d11host.exe Trojan. dl.98link
C:/Windows/system32/gliedown. dll. Bak backdoor. Agent. aen
C:/Windows/system. dll backdoor. gpigeon
C:/Windows/system_hook.dll backdoor. gpigeon. XB

This friend told me that Rising's real-time monitoring takes up a large amount of system resources, so the real-time monitoring module was not installed when Rising was installed. I then checked the "boot scan" item under "custom task" in Rising's detailed settings: "Scan boot sector at system startup" and "Scan system memory at system startup" were not selected. My friend said Rising started slowly, so he did not use this item either.

On a Windows 2000/XP computer, Gray Pigeon usually registers itself as a system service so that it starts with the system.

Scanning with HijackThis (HijackThis can be downloaded from the "tools / system analysis and fixes" section of http://endurer.ys168.com), I found a suspicious system service item (why did Rising not report it?):

O23 - Service: cryptographic servicesini - Unknown owner - C:/Windows/system.exe
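The two findings above (one DLL reported inside nearly every process, and a service with an unknown owner whose binary sits in the Windows root under a name padded from a real Windows service) can be turned into simple triage checks. This is an added example, not the author's tool: the scan lines and the O23 entry are constructed from the output quoted in this post, with spacing normalised, and the HijackThis field layout "O23 - Service: name - owner - path" is assumed.

```python
import os
import re
from collections import defaultdict

# Constructed from the Rising scan output quoted in the post (spacing normalised).
SCAN_LOG = """\
Csrss.exe> C:/Windows/system_hook.dll backdoor.gpigeon.TFs
Winlogon.exe> C:/Windows/system_hook.dll backdoor.gpigeon.TFs
Services.exe> C:/Windows/system_hook.dll backdoor.gpigeon.TFs
Svchost.exe> C:/Windows/system_hook.dll backdoor.gpigeon.TFs
Iexplore.EXE> C:/Windows/system.dll backdoor.gpigeon
EXPLORER.EXE> C:/Windows/EXPLORER.EXE worm.Mail.fanbot
C:/Windows/system32/d11host.exe Trojan.dl.98link
"""
# The O23 entry from the post, in the assumed HijackThis layout "O23 - Service: name - owner - path".
O23_LINE = "O23 - Service: cryptographic servicesini - Unknown owner - C:/Windows/system.exe"

# A scan line is "Process> path detection" for an in-memory hit, or "path detection" for a file hit.
LINE_RE = re.compile(r"^(?:(?P<proc>\S+)>\s*)?(?P<path>\S+)\s+(?P<name>\S+)$")

def parse_scan(text):
    """Return (process or None, file path, detection name) for each scan line."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append((m.group("proc"), m.group("path"), m.group("name")))
    return out

def injected_modules(records, min_hosts=3):
    """Files flagged inside >= min_hosts distinct processes: a system-wide hook or injected DLL."""
    hosts = defaultdict(set)
    for proc, path, _ in records:
        if proc:
            hosts[path.lower()].add(proc.lower())
    return {p: sorted(h) for p, h in hosts.items() if len(h) >= min_hosts}

def assess_service(o23_line, legit_names=("cryptographic services",)):
    """Flag an O23 entry: unknown owner, binary in the Windows root, name padded from a real service."""
    body = o23_line.split("Service:", 1)[1]
    display, owner, path = [f.strip() for f in body.split(" - ", 2)]
    name = display.lower()
    return {
        "unknown_owner": owner.lower() == "unknown owner",
        "in_windows_root": os.path.dirname(path.replace("\\", "/")).lower() == "c:/windows",
        "mimics_real_service": any(name.startswith(l) and name != l for l in legit_names),
    }
```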

* 2005.11.19, 2nd version supplement: Rising's reply on the file C:/WINDOWS/system.exe of the suspicious service "cryptographic servicesini":

From: Send@rising.net.cn    Sent at: 11:49:35

Dear customer!
Your email has been received. Thank you for your support of Rising.

We have analyzed your problem and the files in detail. The analysis results for the files you uploaded are as follows:
1. File name: system.exe
   Virus name: Backdoor.gpigeon.tkf

We will solve the problem in the newer version 17.54.0. Please upgrade your Rising software to 17.54.0 and turn on the Monitoring Center for a full anti-virus scan. If a problem is found during the test, we will postpone the upgrade from version 1 to version 2.

Stop and disable this service. For details, see [System Recovery series] How to stop system services.

Then start collecting the virus samples. First, set the system to display all files and folders and to show the extensions of known file types. For details, see [System Recovery series] How to display all files and folders.

Pack and back up the virus samples.

However, in

EXPLORER.EXE > C:/Windows/EXPLORER.EXE    worm.Mail.fanbot

the "virus file" is the Windows shell itself, C:/Windows/EXPLORER.EXE. How can that be a virus? Strange.

Now delete the viruses manually. All of the files except C:/Windows/system_hook.dll can be deleted directly.

To delete C:/Windows/system_hook.dll, which is loaded into running processes and therefore locked, we can try a tool such as KillBox; however, I used the "rename all files" and "delete at next startup" functions of "Rising Antivirus Assistant" to solve this problem. (Both can be downloaded from http://endurer.ys168.com.)
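The "delete at next startup" function used above works the way the Windows API MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT does: it appends a source/destination pair to the REG_MULTI_SZ value PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, and Session Manager applies the pairs at boot before any user-mode process can lock the file again; an empty destination means "delete". The following is an added example, not the author's or Rising's code, and does not touch a real registry: it builds and decodes that value offline so a responder can verify what is queued (or spot malware queuing its own operations). The path is the one from this post; the "!" replace-existing prefix is assumed from the documented value format.

```python
NT_PREFIX = "\\??\\"   # PendingFileRenameOperations stores NT object paths, e.g. \??\C:\...

def schedule_delete(entries, win_path):
    """What 'delete at next startup' queues: (source, "") appended to the flat pair list."""
    return list(entries) + [NT_PREFIX + win_path, ""]

def encode_multi_sz(strings):
    """Raw REG_MULTI_SZ bytes: UTF-16LE, each string NUL-terminated, plus a final NUL."""
    return "".join(s + "\x00" for s in strings).encode("utf-16-le") + b"\x00\x00"

def decode_multi_sz(raw):
    """Decode by length, keeping empty strings.

    Generic REG_MULTI_SZ readers stop at the first empty string, which would hide
    every delete entry in this value, so do not reuse one of those here.
    """
    text = raw.decode("utf-16-le")
    if text.endswith("\x00"):
        text = text[:-1]          # drop the list terminator
    parts = text.split("\x00")
    return parts[:-1] if parts and parts[-1] == "" else parts

def _win_path(nt_path):
    """Strip the optional '!' (replace existing target) and the \\??\\ prefix."""
    p = nt_path[1:] if nt_path.startswith("!") else nt_path
    return p[len(NT_PREFIX):] if p.startswith(NT_PREFIX) else p

def pending_operations(entries):
    """Pair the flat list up: empty destination = delete at boot, otherwise rename."""
    ops = []
    for src, dst in zip(entries[0::2], entries[1::2]):
        if dst == "":
            ops.append(("delete", _win_path(src)))
        else:
            ops.append(("rename", _win_path(src), _win_path(dst)))
    return ops

# Constructed walk-through with the DLL from this post (no registry access).
QUEUED = schedule_delete([], "C:\\Windows\\system_hook.dll")
RAW_VALUE = encode_multi_sz(QUEUED)
```

Reading the real value from a live or offline hive and passing its bytes to `decode_multi_sz` then `pending_operations` lists every file that will be deleted or replaced at the next boot.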

Clear the temporary IE folder. For details, see [System Recovery series] How to clear the temporary IE folder.

Disable System Restore. For details, see [System Recovery series] How to disable or enable Windows XP System Restore.

Restart the computer and scan the system again with Rising. No virus is detected.

* 2005.11.24, 3rd version supplement: Kaspersky's reply on the three Gray Pigeon files:

system.exe is Backdoor.Win32.Hupigon.nz.

system.dll and system_dll.dll are Backdoor.Win32.Hupigon.scsi.
