Use people's weak security awareness to manually fix operating systems that cannot be started for MSN scammers and kill tools

On the 10th, MSN scammers swept across China, followed by rising11's exclusive killing tool, which swept the Chinese mainland: N-plus computers could not be started. I didn't care, because I have never been infected with viruses for seven or eight years. This morning, a buddy's machine couldn't get up. The symptoms are the same as those of the killer tool. So I even tried it. In less than half an hour, I finally got OK.
First, we are very lucky that the MSSQLServer on his machine is auto start. Although he was unable to log on to the system, the MSSQLServer service was started about one minute after the login interface appeared. So I asked him about the SA password and connected it with SQL analyzer. Run it:
Xp_cmdshell 'net start RemoteRegistry ', and then:
Xp_mongoshell 'net start RASMAN '. I thought I could remotely connect to a machine or remotely connect to regsitry ,. The former fails to log on, the latter only has two keys: localmachine and user, and has no read permission.
Then I looked at the manual anti-virus solution! That's exactly what I wrote. Code : Try
{
Microsoft. win32.registrykey = Microsoft. win32.registry. localmachine;
Key = Key. opensubkey ( @" SOFTWARE \ Microsoft \ Windows NT \ CurrentVersion \ Winlogon " , True );
String UI = Key. getvalue ( " Userinit " ). Tostring ();
Console. writeline ( " Userinit: " + UI );
Key. setvalue ( " Userinit " , @" C: \ windows \ system32 \ userinit.exe " );
Key. Close ();

Microsoft. win32.registrykey key2 = Microsoft. win32.registry. localmachine;
Key2 = Key2.opensubkey ( @" SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Run " , True );
String Mm = Convert. tostring (key2.getvalue ( " Mmsystem " ));
Console. writeline (mm );
Key2.deletevalue ( " Mmsystem " );
Key2.close ();
}
Catch (Exception ex)
{
Console. writeline (Ex );
}

Specific manual antivirus method, here there is a: http://www.trendmicro.com/vinfo/zh-cn/virusencyclo/default5.asp? Vname = worm_funner.a
Compile the code into a fixme.exe. Then perform the following operations (all in SQL ):
Xp_mongoshell 'md D: \ juqiang'
Xp_mongoshell 'net share juqiang = D: \ juqiang/unlimited'
Then copy fixme.exe from my assumerto juqiang, and then return to the SQL:
Xp_cmdshell 'd: \ juqiang \ fixme.exe'
After running, restart the machine.

Haha, it's done!

If MSSQLServer is not enabled on his machine, I can use IPC $ to connect to the machine, but it is not as convenient as analyzer. Knowing the SA password is really nice. If you do a good job, you can fix the forgotten admin password. You just need to Use WMI. If you do something bad, you can do whatever you want.
When I first used sqldom to connect to a remote machine, I wanted to do something like a glacier. Later, I realized that the process I connected was inaccessible to the desktop. Therefore, the machine cannot be remotely controlled. So, let's go back to the next step and play on the command!