Solution to W32/Lovgate virus RPC restart

Source: Internet
Author: User
Tags: strong password

Virus Solution

Reminder: backing up important data in a timely manner is more effective than any virus removal.

Introduction: Lovgate combines a worm, a backdoor and a hacker tool, and spreads by sending itself in e-mail. It opens a leak channel on the user's computer by dropping a backdoor program that communicates with an external remote-control Trojan, drops a password-stealing component that actively harvests passwords on the machine, and spreads across the LAN; infected computers fall under the virus writer's control, the network is paralysed and information is leaked, among other serious consequences.

1. Virus data

Name: W32/Lovgate.r@M
Date detected:
Size: 97,280 bytes
Transmission channels: e-mail, the RPC vulnerability, USB flash drives and portable hard drives, and network shares.
Network transmission path: this new Lovgate variant searches for shared directories on nearby IP addresses through port 445 and tries weak passwords.
Password cracking: once a password is cracked, it drops itself into the shared directory, starts the NETMANAGER.EXE remote management program, and uses that host as a server to keep searching adjacent IP addresses for fast propagation.

2. When the virus runs, it creates the following files:

%System%\hxdef.exe
%System%\policipolice.exe
%System%\WinHelp.exe
%System%\netmeeting.exe (61,440 bytes)
%System%\spollsv.exe (61,440 bytes)
%SysDir%\IEXPLORE.EXE
%SysDir%\kernel66.dll
%SysDir%\ravmond.exe
%WinDir%\SYSTRA.EXE
%SysDir%\msjdbc11.dll
%SysDir%\MSSIGN30.DLL
%SysDir%\ODBC16.dll
%System%\lmmibw.dll

C:\COMMAND.EXE (referenced from the autorun.inf file, so it is run automatically when you double-click the disk)

3. It creates files with the extensions COM, EXE, PIF and SCR in the root directory of each disk. Common names are:
Pass
Bak
Password
Email
Book
Letter
Important

4. It modifies the registry so that the virus programs are loaded and run automatically when the machine starts.

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
"Run" = RAVMOND.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"Program In Windows" = %SysDir%\iw.e.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
"SystemTra" = %WinDir%\SysTra.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"VFW Encoder/Decoder Settings" = RUNDLL32.EXE MSSIGN30.DLL ondll_reg
The last entry registers the virus backdoor service.

5. It automatically creates and loads three services:

1. Display name: _reg
ImagePath: Rundll32.exe msjdbc11.dll ondll_server
Startup: automatic
Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\_reg
Description: provides the backdoor service.

2. Display name: Windows Management Protocol v.0 (experimental)
ImagePath: Rundll32.exe msjdbc11.dll ondll_server
Startup: automatic
Description: "Advanced Server"; performs a scheduled LAN scan.
Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windows

3. Display name: Windows Management Network Service Extensions
ImagePath: NetManager.exe -exe_start
Startup: automatic
Description: a remote management program that provides the backdoor service.

6. The virus monitors its own process: if it finds that the process has been terminated, it spawns a new one. It also injects a thread into EXPLORER.EXE or TASKMGR.EXE, so there is almost no way to close the virus process completely by hand.

7. The virus creates an AUTORUN.INF file in each disk partition together with the COMMAND.COM or COMMAND.EXE virus file. When a disk is double-clicked, the system runs the COMMAND.COM/EXE virus file as instructed by AUTORUN.INF. As a result the partition cannot be opened by double-clicking; it has to be opened from the right-click menu.

8. The virus checks removable disks, mapped network drives and drives with a letter beyond E. If it finds an EXE file, it renames it with the suffix .ZMX and hides it, then creates an EXE file of the same name (about 125 KB) that is the virus body.

9. It kills anti-virus software processes. The virus checks the names of running processes and, if it finds a match, deletes the corresponding files. The main names it looks for include:
KV
KAV
Duba
NAV
Kill
RavMon.exe
Rfw.exe
Gate
McAfee
Symantec
SkyNet
Rising
and other common anti-virus software and firewalls ......
So do not assume that your computer is absolutely secure just because anti-virus software and a firewall are installed !!! Be cautious !!!

10. Removing the Lovgate virus

1. Scan in Safe Mode, or boot from a DOS boot disk and scan, at least twice.

Symantec's dedicated removal tool can be downloaded from:
http://securityresponse.symantec.com/avcenter/FixLGate.com


Rising's dedicated removal tool can be downloaded from:
http://download.rising.com.cn/zsgj/RavLovGate.com
This is a .COM file, so the virus will not rename or disguise it ....

2. For EXE files renamed by the virus: go back into each directory, show all files including their extensions, and rename the hidden .ZMX files back to .EXE.

3. If a hard disk partition cannot be opened by double-clicking: show all files and delete AUTORUN.INF. Then, in the registry under
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2]
find the {number} items that have subitems (the numbers differ from machine to machine). The target is the entry whose subkeys include shell\autorun and whose value names the corresponding drive. After deleting the shell subkey you can double-click the corresponding drive in My Computer again.

4. If the registry is left inconsistent after removal, you may be prompted at startup that some DLL file is missing. Search the registry for it manually and delete the relevant entries.

5. Disable disk sharing and set a strong password for the system user.

6. Patch the whole system. Don't ask me which patches I use; every security patch has its own value. If you don't want to go through this again, just install them all :)

7. Tip: be careful when opening e-mail. Scary ~~~~~
If you receive a lot of mail, we recommend using www.hotmail.com, which scans for viruses automatically.

==================================
Drives D, E, F and G (if present) cannot be opened by double-clicking: Windows reports that it cannot find the COMMAND.EXE file and asks you to locate it. If you point it at C:\windows\explorer.exe, a "/StartExplorer" error is shown each time the drive is opened, although the drive folder does open. The virus writes an autorun.inf file to each drive:

open="X:\command.exe" /StartExplorer (Note: X is the drive letter)

So without anti-virus software, the virus is reactivated every time you open drive D/E/F/G.
Rising is too stupid to solve this for you (even the latest version and the removal tool on Rising's website cannot fix it, and there are no instructions about it), so you have to do it by hand.


Solution:
==============================
Start > Run > cmd (opens a command prompt)
D:
dir /a (without /a the file is invisible; /a shows all files)
You will now see an autorun.inf file of about 49 bytes.
attrib autorun.inf -s -h -r (removes the system, hidden and read-only attributes of autorun.inf; otherwise the file cannot be deleted)
del autorun.inf

That is not the end of it: double-clicking the drive still does not open it but gives an error, because the auto-run information pointing at command.exe has also been added to the registry.

Clear that information from the registry as follows:
Start > Run > regedit
Edit > Find, search for command.exe
The first hit is the auto-run entry for drive D; delete its entire shell subkey.
Repeat the same steps for the other drives.
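The checks described above (the autorun.inf trap, the dropped file names, and the .ZMX/.EXE pairs from point 8) as an added Python scanning example; this is not code from the original article. It builds a constructed sample drive root in a temporary directory rather than touching real drives, and only reports what it finds.

```python
"""Scan a drive root for the Lovgate traces the page describes (added example, constructed sample data)."""
import tempfile
from pathlib import Path

# Dropped-file names taken from the list on this page, lower-cased for matching.
DROPPED_NAMES = {"command.exe", "command.com", "winhelp.exe", "ravmond.exe", "netmanager.exe",
                 "kernel66.dll", "mssign30.dll", "msjdbc11.dll", "odbc16.dll", "systra.exe"}

def autorun_runs_command(autorun_path):
    """True if autorun.inf has an open= or shellexecute= line that launches COMMAND.EXE/COMMAND.COM."""
    for line in Path(autorun_path).read_text(errors="ignore").splitlines():
        key, _, value = line.partition("=")
        if key.strip().lower() in ("open", "shellexecute") and "command." in value.lower():
            return True
    return False

def scan_root(root):
    """Return (kind, path) findings for one drive root: autorun trap, dropped names, .ZMX pairs."""
    root = Path(root)
    findings = []
    autorun = root / "autorun.inf"
    if autorun.is_file() and autorun_runs_command(autorun):
        findings.append(("autorun", str(autorun)))
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        if path.name.lower() in DROPPED_NAMES:
            findings.append(("dropped_name", str(path)))
        if path.suffix.lower() == ".zmx":
            # The virus renames the real EXE to .ZMX and plants a same-named EXE (the virus body).
            for twin in (path.with_suffix(".exe"), path.with_suffix("")):
                if twin.suffix.lower() == ".exe" and twin.is_file():
                    findings.append(("zmx_pair", str(path)))
                    break
    return findings

def build_sample_drive():
    """Construct a fake infected drive root in a temp directory (sample data, not a real capture)."""
    root = Path(tempfile.mkdtemp(prefix="lovgate_demo_"))
    (root / "autorun.inf").write_text('[autorun]\nopen="X:\\command.exe" /StartExplorer\n')
    (root / "command.exe").write_bytes(b"MZ")        # stand-in for the dropped virus body
    (root / "pass.zmx").write_bytes(b"MZ original")  # the renamed, hidden legitimate EXE
    (root / "pass.exe").write_bytes(b"MZ")           # virus copy planted under the old name
    (root / "report.txt").write_text("clean file")
    return root

if __name__ == "__main__":
    for kind, hit in scan_root(build_sample_drive()):
        print(f"{kind:13} {hit}")
```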

11. Restarting the RPC service

The symptoms of this infection look a bit like the Blaster ("shock wave") worm: the machine keeps restarting, the RPC service is stopped and cannot be restarted from its properties page in Services, Windows takes a long time to start, minimized windows no longer appear in the taskbar, copy and paste stop working, second-level web pages cannot be opened, the RPC service properties page cannot be found, and so on. Re-enabling the RPC service took me a fair amount of effort.


The way I had disabled it was Administrative Tools > Services > Remote Procedure Call > Properties. The default startup type is "Automatic", but the options are greyed out (unavailable), so on the "Log On" tab I disabled the service for the hardware profile and restarted the system.

I looked through a lot of information on the Internet and found three ways to enable it:

Method 1: Modify the Registry

Run the Registry Editor, open the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs branch, change the value of the Start entry from 4 to 2 (which sets the startup type to Automatic), and restart the system.

Method 2: run the "sc" command

In a "Command Prompt" window, type the command "sc config RpcSs start= auto" (note the space after "="). The system displays "[SC] ChangeServiceConfig SUCCESS", and the RPC service is enabled.


Method 3: use the Recovery Console

Taking Windows 2003 as an example: boot from the installation disc, and on the Windows 2003 setup page press "R" to enter the Recovery Console. In the Recovery Console, type the command "enable RpcSs service_auto_start", then type "exit" to restart the system; log on in normal mode and the RPC service is enabled.

None of the above methods worked for me. It seemed I had to solve it myself; I thought some key values in the registry must have been changed and would have to be changed back to enable the service.

I tried restoring a backed-up registry over the disabled one, but the system reported that the registry could not be imported, so the service still could not be enabled.

I then exported the registry before and after the service was disabled (only the HKEY_LOCAL_MACHINE\SYSTEM branch), converted both exports into Word documents, and used Word's "Compare and Merge Documents" function, which automatically finds the differences between the two registries. Through this comparison I found that the disabled registry has the following extra branches:

1. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\001\System\CurrentControlSet\Enum\ROOT\LEGACY_RPCSS

2. HKEY_LOCAL_MACHINE\SYSTEM\Curr-
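The registry-comparison step above, as an added Python example rather than the author's Word-based procedure: it parses two .reg exports of the HKEY_LOCAL_MACHINE\SYSTEM branch and lists the keys and values that differ. The two exports are constructed samples (a Start value of 2 before and 4 after, plus the LEGACY_RPCSS hardware-profile key), and the CSConfigFlags value name under that key is an assumption about what such an export would contain.

```python
"""Diff two .reg exports of a registry branch (added example, constructed sample data)."""

def parse_reg(text):
    """Parse .reg text into {key: {value_name: data}}. Single-line values only; hex continuation lines are not joined."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            keys[current][name.strip('"')] = data   # '@' stays as the default value's name
    return keys

def diff_reg(before, after, branch=""):
    """Return (added keys, removed keys, changed values) under `branch` between two exports."""
    a, b = parse_reg(before), parse_reg(after)
    in_scope = lambda key: key.upper().startswith(branch.upper())
    added = sorted(k for k in b if k not in a and in_scope(k))
    removed = sorted(k for k in a if k not in b and in_scope(k))
    changed = {}
    for k in a:
        if k in b and in_scope(k):
            for name in set(a[k]) | set(b[k]):
                if a[k].get(name) != b[k].get(name):
                    changed[(k, name)] = (a[k].get(name), b[k].get(name))
    return added, removed, changed

# Constructed exports modelled on the page's description: Start=2 (automatic) before, 4 (disabled) after,
# plus a LEGACY_RPCSS entry under the hardware profile; CSConfigFlags is an assumed value name.
BEFORE = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\RpcSs]
"Start"=dword:00000002
"ImagePath"="svchost -k rpcss"
"""
AFTER = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\RpcSs]
"Start"=dword:00000004
"ImagePath"="svchost -k rpcss"

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Hardware Profiles\\0001\\System\\CurrentControlSet\\Enum\\ROOT\\LEGACY_RPCSS]
"CSConfigFlags"=dword:00000001
"""
```

Real regedit exports are UTF-16LE text, so read them with that encoding before passing them to diff_reg.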
