Using the Kelai (Colasoft) Network Analysis System to diagnose the rogue software VVisit
Fault description
Yesterday the company network was very slow; colleagues could hardly even open web pages. We decided to take a look with the Kelai Network Analysis System. The procedure was as follows:
Deploy the Kelai Network Analysis System
Locate the fault source during analysis
Select the endpoint view and sort by IP node traffic ranking. Host .23 actually accounts for 99% of the total traffic, and this machine is a print server that is currently not in use at all. Something is wrong with this machine; it needs to be analyzed.
Analyze abnormal behavior
Go to the node browser for this host and find that 98% of its traffic is HTTP.
Then go to the log view and analyze the HTTP URLs.
In a short time there were as many as 2217 entries. Some of the URLs were opened, and the websites turned out to be a jumble of junk. This machine does have remote user logins, but nobody would be visiting websites like these. Check Task Manager? I am the only user, and I have never opened these websites. Is it infected?
Virus analysis
Go to the packet view and look at the packet contents, for example:
Note the source port number. Enter netstat -aon at the command line to associate the port with a process ID, then open Task Manager: the process using that PID turns out to be firefox, and firefox? There is definitely no Firefox on this machine. Why? Kill the process first. After the process is killed, the traffic from .23 drops noticeably, but before long the traffic is back. What is going on? Opening the process list again, there is firefox again. What to do? A colleague came over and said: try deleting it from the registry; run regedit, search for every firefox entry and delete them all. (Damn, I had never dared to touch regedit before; the teacher said it is best not to touch it, or there will be problems. This colleague is in sales, and yet he knows this; I was stunned.)
Restart, and the traffic is indeed no longer large. But it did not last: after a while the traffic spikes again and firefox reappears. What now?
Solution and summary
Went online and searched for a process viewer, and came up with Process Explorer v11.21, Chinese version. It was very helpful: I saw the firefox process and found that its parent process was something called VVisit. What is this? An Internet search shows it is a previously known rogue program. Kill it, delete every VVisit entry from the registry, restart, search the hard disk for VVisit, and delete all of it. (Earlier it could not be deleted because it had not been removed from the registry first; deleting it directly from the hard disk did not work.)
Check the Kelai analysis system again: traffic is normal and the network is running properly. OK, done!
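The port-to-process-to-parent lookup that the post does by hand (netstat -aon, then Task Manager, then Process Explorer's process tree) as an added example, not code from the original post; the netstat and wmic outputs below are constructed samples and every PID and port in them is made up.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of `netstat -aon` output on Windows (values are made up).
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       892
  TCP    192.168.1.23:1037      203.0.113.10:80        ESTABLISHED     2456
  TCP    192.168.1.23:1038      203.0.113.11:80        ESTABLISHED     2456
  UDP    0.0.0.0:500            *:*                                    1188
"""

# Constructed sample of `wmic process get Name,ParentProcessId,ProcessId` output.
WMIC_SAMPLE = """\
Name          ParentProcessId  ProcessId
System        0                4
explorer.exe  900              1580
VVisit.exe    1580             2100
firefox.exe   2100             2456
"""

# proto, local addr, local port, optional state (UDP rows have none), PID
NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+\s+(?:(\S+)\s+)?(\d+)\s*$")


def pid_for_local_port(netstat_output: str, port: int) -> Optional[int]:
    """Return the PID that netstat -aon reports for the given local port."""
    for line in netstat_output.splitlines():
        m = NETSTAT_RE.match(line)
        if m and int(m.group(3)) == port:
            return int(m.group(5))
    return None


def parse_process_table(wmic_output: str) -> Dict[int, Tuple[str, int]]:
    """Map PID -> (image name, parent PID), skipping the header row."""
    table: Dict[int, Tuple[str, int]] = {}
    for line in wmic_output.splitlines()[1:]:
        parts = line.split()
        if len(parts) == 3 and parts[1].isdigit() and parts[2].isdigit():
            table[int(parts[2])] = (parts[0], int(parts[1]))
    return table


def parent_chain(table: Dict[int, Tuple[str, int]], pid: int) -> List[str]:
    """Walk from a PID up through its parents; this is the tree Process Explorer shows."""
    chain, seen = [], set()
    while pid in table and pid not in seen:   # stop at root or on a PID cycle
        seen.add(pid)
        name, pid = table[pid]
        chain.append(name)
    return chain


def trace_port(netstat_output: str, wmic_output: str, port: int) -> Optional[List[str]]:
    """Source port -> owning PID -> ancestry, so a respawning child reveals its parent."""
    pid = pid_for_local_port(netstat_output, port)
    return None if pid is None else parent_chain(parse_process_table(wmic_output), pid)
```

Killing only the leaf of the chain is what the post found ineffective; the parent is the process to stop first.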