This article is collected by Neeao.
Reference: http://hi.baidu.com/killvir
File: servver.exe
File Size: 18,944 Bytes
CRC32: 262afaa4
MD5: 34f0bfbba5ad19e4b601e9be8ab614e6
SHA1: 71450abf37b49315075a3719a8373a59a5b96e2b
Kaspersky: Trojan-Downloader.Win32.Baser.w
The analysis approach for this sample is the same as before; only the viruses it downloads in the background have been swapped out :-)
The following analysis and solution were provided by the ikaka forum:
Analysis of the virus:
File: servver.exe
Size: 37888 bytes
MD5: 411AD11AC0FF5164C8B18AB4AD0D5739
SHA1: 04F46D6222232921CDC9882E8B82182DFB6479DA
CRC32: F57CD054
Creates the following files:
A copy on the system drive:
%System32%\servver.exe
And, on every disk partition:
Autorun.inf and servver.exe
Registers itself as a service named Windowsms:
Image path: %System32%\servver.exe
Start type: Automatic
Display name: Telephots google
Service description: Provides support for plug-and-play devices.
Attempts to modify the registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun; the change did not take effect during testing.
Searches for a window titled "IE Execution Protection"; if found, locates its "Allow execution" button
and sends a WM_LBUTTONDOWN message to simulate a click on it.
Searches for the "Rising Kaka Internet Security Assistant - IE vulnerability protection wall" window; if found, locates its "Allow" button
and sends a WM_LBUTTONDOWN message to simulate a click on it.
Checks for the file drivers\klif.sys (a Kaspersky driver).
If it exists, runs cmd /c date 1981-01-12 to set the system date to January 12, 1981,
and restores the date 15 seconds later.
Calls CreateProcess to start c:\windows\system32\svchost.exe, then uses WriteProcessMemory and related functions to write the downloader code into that process.
Downloads the following files:
http://ads.*.com/100.exe through http://ads.*.com/119.exe
into the %System32% folder.
The downloaded samples include Trojans such as Viking.
Among them, 117.exe performs ARP spoofing,
and 113.exe infects htm files.
The Trojans steal the accounts and passwords of the following online games (including but not limited to):
Journey
Perfect World
QQ
...
They can terminate the following processes or services (including but not limited to):
Norton AntiVirus Server
McTaskmanager
McShield
McAfeeFramework
Kvsrvxp
DefWatch
KPfwSvc
KWatchSvc
RavMon.exe
RavMonD.exe
...
They disable Automatic Updates and the Windows Firewall.
After the Trojans and viruses have been implanted, the SReng log looks as follows:
Startup items
Registry
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<DiskMan32> <C:\WINDOWS\DiskMan32.exe> []
<Mppps> <C:\WINDOWS\mppds.exe> []
<AVPSrv> <C:\WINDOWS\AVPSrv.exe> []
<Cmdbcs> <C:\WINDOWS\cmdbcs.exe> []
<MsIMMs32> <C:\WINDOWS\MsIMMs32.exe> []
<NVDispDrv> <C:\WINDOWS\NVDispDrv.exe> []
<WinSysM> <C:\WINDOWS\IGM.exe> [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
<MSDEG32> <LYLoader.exe> []
<MSDWG32> <LYLoadbr.exe> [N/A]
<MSDCG32> <LYLeador.exe> [N/A]
<MSDOG32> <LYLoador.exe> [N/A]
<MSDSG32> <LYLoadar.exe> [N/A]
<MSDMG32> <LYLoadmr.exe> [N/A]
<MSDHG32> <LYLoadhr.exe> [N/A]
<MSDQG32> <LYLoadqr.exe> [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<AppInit_DLLs> <avwlbmn.dll> []
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
<{E418E9ED-9221-4661-B1F3-4AA35BD83832}> <C:\Program Files\Internet Explorer\plugins\winsys88.sys> []
<{2960356A-458E-DE24-BD50-268F589A56A2}> <C:\WINDOWS\system32\avwlbmn.dll> []
========================================
Services
[Telephots google/Windowsms] [Stopped/Auto Start]
<C:\WINDOWS\system32\servver.exe> <N/A>
[Remote Help Session Manager/Rasautol] [Stopped/Auto Start]
<C:\WINDOWS\system32\tsokele.exe> <N/A>
<Load> <C:\WINDOWS\uninstall\undl132.exe> []
========================================
Running processes
[PID: 3084] [C:\WINDOWS\explorer.exe] [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\avwlbmn.dll] [N/A,]
[C:\WINDOWS\system32\LYMANGR.DLL] [N/A,]
[C:\WINDOWS\system32\DiskMan32.dll] [N/A,]
[C:\WINDOWS\system32\mppds.dll] [N/A,]
[C:\WINDOWS\system32\hjphl.dll] [N/A,]
[C:\WINDOWS\system32\xtmaz.dll] [N/A,]
[C:\WINDOWS\system32\MsIMMs32.dll] [N/A,]
[C:\WINDOWS\system32\ojdcs.dll] [N/A,]
[C:\Program Files\Internet Explorer\plugins\winsys88.sys] [N/A,]
========================================
Winsock providers
MSAPI Tcpip [TCP/IP]
C:\WINDOWS\system32\qdshm.dll (N/A)
MSAPI Tcpip [UDP/IP]
C:\WINDOWS\system32\qdshm.dll (N/A)
...
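As an added example (not part of the original forum post), the following Python script parses SReng-style log lines like those above and flags entries that match the indicators named in this analysis: the dropped files, the Windowsms service, and the AppInit_DLLs and ShellExecuteHooks load points. The sample log is constructed to mirror the one shown; the indicator lists and regexes are assumptions made for this example.

```python
import re

# Indicators taken from the analysis above: dropped files, the service name, and
# the two registry load points (AppInit_DLLs, ShellExecuteHooks) the sample uses.
IOC_FILES = {"servver.exe", "avwlbmn.dll", "winsys88.sys", "qdshm.dll"}
IOC_SERVICES = {"windowsms"}
PATH_RE = re.compile(r"[A-Za-z]:\\[^<>\[\]()]+")          # any C:\... path on the line
PAIR_RE = re.compile(r"<([^>]*)>\s*<([^>]*)>")            # SReng "<name> <value>" pair
SERVICE_RE = re.compile(r"^\[([^/\]]+)/([^\]]+)\]\s*\[")  # "[Display name/Service name] [State]"

def basename(path):
    return path.strip().rsplit("\\", 1)[-1].lower()

def triage_sreng_log(text):
    """Return (reason, line) pairs for every log line matching an indicator."""
    hits, section = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[HKEY_") or line.startswith("="):  # key header / separator
            section = line.lower() if line.startswith("[") else ""
            continue
        reasons = []
        names = {basename(p) for p in PATH_RE.findall(line)}
        pair = PAIR_RE.search(line)
        if pair:
            name, value = pair.group(1).strip(), pair.group(2).strip()
            names.add(basename(value))
            if name.lower() == "appinit_dlls" and value:
                reasons.append("AppInit_DLLs injects a DLL into every GUI process")
            if "shellexecutehooks" in section:
                reasons.append("ShellExecuteHooks entry")
        reasons += ["known malicious file " + n for n in sorted(names & IOC_FILES)]
        svc = SERVICE_RE.match(line)
        if svc and svc.group(2).strip().lower() in IOC_SERVICES:
            reasons.append("service installed by the sample: " + svc.group(2).strip())
        hits += [(r, line) for r in reasons]
    return hits

# Constructed sample modeled on the SReng log above (not the original log text).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<AppInit_DLLs> <avwlbmn.dll> []
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
<{2960356A-458E-DE24-BD50-268F589A56A2}> <C:\WINDOWS\system32\avwlbmn.dll> []
========================================
[Telephots google/Windowsms] [Stopped/Auto Start]
<C:\WINDOWS\system32\servver.exe> <N/A>
========================================
[C:\WINDOWS\system32\qdshm.dll] [N/A,]
"""
```

Running `triage_sreng_log(SAMPLE_LOG)` returns seven hits: two for the AppInit_DLLs line, two for the ShellExecuteHooks entry, one each for the service line and its image path, and one for the Winsock provider DLL.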
Solution:
1. Remove the virus's main program
Download IceSword: http://mail.ustc.edu.cn/~Jfpan/download/IceSword122cn.zip
and SReng: http://download.kztechs.com/files/sreng2.zip
Run SReng.
Under "Startup items" - "Services" - "Win32 service applications", tick "Hide verified Microsoft items",
select the following item, click "Delete service", click "Set", and then click "No" in the pop-up box:
Telephots google/Windowsms
Restart the computer.
Use IceSword to delete the following files:
%System32%\servver.exe
and the Autorun.inf and servver.exe on each partition.
2. Remove the Trojans
I have written about this many times before, so I will not repeat it here.
Refer to the earlier auto.exe Trojan removal guide: http://forum.ikaka.com/topic.asp?Board=28&artid=8362073
or the recent summary of popular Trojan removal: http://forum.ikaka.com/topic.asp?Board=28&artid=8371486
Either will do.
3. Download the Jiangmin Viking killer to clean and repair the infected exe files:
http://download.jiangmin.info/jmsoft/VikingKiller.exe
4. Download http://www.vaid.cn/blog/attachment/iframekill.rar to repair the infected htm files.