Rapid Diagnosis and solution of robot dog Virus

Recently, a machine-dog virus that can penetrate the restoration software and hardware recovery card has been rampant (it is indeed very popular recently ). The virus uses the pcihdd. sys drive file to seize control of the hard disk of the Restoration software. And modify the userinit.exe file to hide itself. This virus is a typical network architecture trojan virus. After the virus passes through the restoration software, it saves itself in the system and regularly downloads various trojan programs from the specified website to intercept user account information.

　[Fault symptom]

The robot dog virus is a trojan download device. The virus uses the disk device stack of the hook system to achieve penetration, which is extremely harmful. It can be restored by penetrating any software and hardware under current technical conditions! It basically cannot be resisted by restoration. You can check whether it has been poisoned in the following aspects .:

Userinit.exe will be modified under system32after the 1st version of the virus. You can view the version information. The file is in the system32 folder of the system directory, right-click to view the properties. if the version label of the file is not displayed in the Properties window, it indicates that the robot dog is in use. if the version label is available, it is normal.

2. view the generated pcihdd under the DRVERS directory. the sys Driver file loads the "cmdbcs, mppds, upxdnd, winform, msccrt, avpsrv, msimms32, dbghlp32, diskman32" Startup item on the startup item, and generates the above files in the windows directory, after the machine is restarted, the above settings will be saved.

[Operating principle]

A robot dog is a Trojan Downloading device that automatically downloads Trojans and viruses from the network after infection, endangering the security of your account. Hosts file to enable startup.

　　[Quick search on HiPER]

From the Internet monitoring of HiPER, you can see that the Intranet host is connected to the following IP addresses:

58.221.254.103

218.30.64.194

60.190.118.211

60.191.124.236

　　[Solution on PC]

For poisoned users, it is recommended that the virus host be disconnected from the Internet for antivirus purposes, recover the system image or redo the system.

　　[Solutions on HiPER]

In "Advanced Configuration"-"Business Management" of the aitai device, the aitai router can use the URL to disable "tomwg.com" and "8s7.net", and then use the IP address to filter out the following IP addresses:

58.221.254.103

218.30.64.194

60.190.118.211

60.191.124.236

1) WebUI Advanced Configuration Group Management: Creates a working group named "all" (which can be customized) that contains all IP addresses of the entire network segment (192.168.0.1 -- 192.168.0.254 ).

Note: here, the user's LAN segment is 192.168.0.0/24. You should specify the Group IP address segment according to the actual IP address segment used.

2) WebUI Advanced Configuration business management business policy configuration, establish the url filter policy "f_1" (you can customize the name), shield the domain name whose destination address is tomwg.com, configure and save it.

3) In the WebUI Advanced Configuration business management business policy list, you can view the "f_1" policy created in the previous step ("dns" and "dhcp" are the policies automatically generated by the system to allow dns and dhcp packets, which do not need to be modified ), at the same time, the system automatically generates a policy named "grp1_other", which shields all outgoing packets. To ensure the normal operation of other Internet connections, you need to edit this policy action as "allowed ".

4) in the preceding table, click "grp1_other", edit the action from "forbidden" to "Allowed" in the following table items, and save the action.

5) Repeat Step 2 to disable other virus URL and IP addresses.

6) in WebUI advanced configuration-Business Management-global configuration, deselect "allow other users", select "enable business management", and save.

3. Note:

1) No command-generated business management policy exists before configuration. Otherwise, the business management policy generated on the Web interface may be abnormal or ineffective.

2) if a Working Group already exists and a policy is configured in business management, all users of the CIDR block must be allocated to the relevant group in WebUI advanced configuration-group management, then, in WebUI-Advanced Configuration-Business Management, set the Internet-related virus link url or IP address of each group to prohibit access.