(2007-03-03)
A piece of spyware cost me two days to clean up.
Actually there were two... no, three. I killed the one on one machine yesterday, but the two on the other machine were really stubborn. :(
Fortunately, they were finally removed.
The two spyware DLLs are ssqpq.dll and tuvsqol.dll.
There are several symptoms:
1. The machine suddenly cannot be reached over the network or logged on to. An error is returned:
"The system cannot log you on because the following error occurred: the network request is not supported. Please try again or ask your system administrator!"
The only option is a forced restart, which fixes it temporarily.
2. The machine's shared resources cannot be accessed, including the system's default administrative shares (the ones whose names end in $). The error is:
"System error 67 has occurred. The network name cannot be found."
3. Unexplained network traffic.
Solution process:
1. A process analysis tool showed that the DLLs are loaded by Winlogon and Explorer, so they cannot simply be killed.
2. Using an autorun check tool, we found that they run as follows:
They register as a Winlogon notify package (see reply 11 of this post on CSDN), so they start with Windows as a DLL loaded by Winlogon. That is why they cannot be killed while running: Winlogon is a system process and cannot be stopped. At the same time, they constantly monitor their registry entries, so even if you change the registry they change it back, and they reappear after a restart. Safe mode does not help either.
In addition, they register as a BHO and inject into Explorer as a second layer of persistence. Those registry entries are likewise restored all the time.
3. Finally, a file monitoring tool showed that they constantly check their files on the hard disk; if the files have been modified, they are restored.
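As an added example that is not part of the original post: an offline audit of the Winlogon Notify key. Since the spyware restores its registry entries on the live machine, export the key with `reg export` there, then parse the .reg file on a clean machine and flag any package outside a baseline allowlist. The sample export is constructed, and the allowlist of default Windows XP package names is my assumption; confirm it against a known-clean machine of the same build.

```python
import re
# Constructed sample of a `reg export` of the Notify key: one legitimate package
# (DLLName stored as REG_EXPAND_SZ, i.e. hex(2)) beside an entry named after a DLL from the post.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DLLName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ssqpq]
"DLLName"="ssqpq.dll"
"""
NOTIFY_PREFIX = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" + "\\"
# Package names on a default Windows XP install (assumption: confirm against a known-clean
# machine of the same build); anything else under Notify is flagged for review.
KNOWN_PACKAGES = {"crypt32chain", "cryptnet", "cscdll", "ScCertProp", "Schedule",
                  "sclgntfy", "SensLogn", "termsrv", "wlballoon"}
KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^"([^"]+)"=(.*)$')

def decode_value(raw):
    """Decode a .reg value literal (REG_SZ quoted string or REG_EXPAND_SZ hex(2))."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if raw.startswith("hex(2):"):  # UTF-16LE bytes, comma separated, NUL terminated
        return bytes.fromhex(raw[7:].replace(",", "")).decode("utf-16-le").rstrip("\x00")
    return raw  # dword:... and other types are kept verbatim

def parse_reg(text):
    """Parse a .reg export into {key path: {value name lowercased: decoded value}}."""
    text = re.sub(r"\\\r?\n\s*", "", text)  # rejoin hex lines that reg export wraps
    keys, current = {}, None
    for line in text.splitlines():
        if m := KEY_RE.match(line):
            current = m.group(1)
            keys[current] = {}
        elif (m := VAL_RE.match(line)) and current is not None:
            keys[current][m.group(1).lower()] = decode_value(m.group(2))
    return keys

def audit_notify(keys):
    """Return (package, dll) for every Winlogon Notify package not on the allowlist."""
    findings = []
    for path, values in keys.items():
        if not path.lower().startswith(NOTIFY_PREFIX.lower()):
            continue
        package = path[len(NOTIFY_PREFIX):]
        if package and package not in KNOWN_PACKAGES:
            findings.append((package, values.get("dllname", "")))
    return findings
```

On a real machine, run `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" notify.reg` and then `audit_notify(parse_reg(open("notify.reg", encoding="utf-16").read()))`; every package it returns, together with the DLL it loads, is a candidate for the registry and file cleanup described here.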
Apart from their names, the two spyware DLLs have almost identical features (we later found tuvsqol.dll to be tougher than ssqpq.dll).
Because my system disk is NTFS, I could not simply boot a Ubuntu live disc and delete the two files; it seemed there was no solution other than reinstalling the system or setting up a dual boot.
I searched a lot of material on the Internet and found no relevant solution. For example, I wrote a program using MoveFileEx, but it did not work: it seems either Winlogon runs before the pending delete at restart, or the spyware has a countermeasure.
As a last resort, I had to fight the virus head-on: write a Windows service that clears the related registry entries in a loop, then restart. After two attempts the two spyware DLLs no longer ran.
Then I removed the S/H/R attributes of the two files and deleted them. After that I went through the registry carefully and confirmed there was no residue.
In addition, we also found a spoolvc.exe service, which is obviously spyware too. I don't know whether it is what dropped the first two. In short, disabling it and deleting the file is the proper fix.
BTW: although there is no pandatv icon, it looks like a new variant of pandatv, according to colleagues who spent half a month killing pandatv at the company.