Using a user's weak security awareness to manually repair an operating system that will not start after the MSN worm and its killing tool

Source: Internet
Author: User
Tags: mssqlserver
On the 10th, the MSN worm swept across China, followed by Rising's special killing tool, which swept the mainland in turn: countless computers could no longer start. I didn't care, because I hadn't been infected by a virus in seven or eight years. This morning a buddy's machine couldn't boot, with exactly the symptoms left by the killing tool. So I gave it a try, and in less than half an hour it was OK.
First, we were lucky that MSSQLServer on his machine was set to start automatically. Although he could not log on to the system, the MSSQLServer service started about a minute after the logon screen appeared. So I asked him for the SA password and connected with SQL Query Analyzer. I ran:

    xp_cmdshell 'net start RemoteRegistry'

and then:

    xp_cmdshell 'net start RASMAN'

I thought I could then connect to the machine remotely, or at least to its registry. The former failed to log on; the latter showed only two keys, LocalMachine and User, with no read permission.
Then I looked at the manual anti-virus solution. That is exactly what I wrote the code to do:

    using System;
    using Microsoft.Win32;

    class FixMe
    {
        static void Main()
        {
            try
            {
                // Restore the Winlogon Userinit value the worm replaced
                // (Windows normally stores this path with a trailing comma).
                RegistryKey key = Registry.LocalMachine;
                key = key.OpenSubKey(@"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", true);
                string ui = key.GetValue("Userinit").ToString();
                Console.WriteLine("Userinit: " + ui);
                key.SetValue("Userinit", @"C:\windows\system32\userinit.exe");
                key.Close();

                // Remove the worm's auto-start entry from the Run key.
                RegistryKey key2 = Registry.LocalMachine;
                key2 = key2.OpenSubKey(@"SOFTWARE\Microsoft\Windows\CurrentVersion\Run", true);
                string mm = Convert.ToString(key2.GetValue("Mmsystem"));
                Console.WriteLine(mm);
                key2.DeleteValue("Mmsystem");
                key2.Close();
            }
            catch (Exception ex)
            {
                Console.WriteLine(ex);
            }
        }
    }

The specific manual removal method is described here: http://www.trendmicro.com/vinfo/zh-cn/virusencyclo/default5.asp?Vname=worm_funner.a
Compile the code into fixme.exe, then perform the following operations (all from SQL):

    xp_cmdshell 'md D:\juqiang'
    xp_cmdshell 'net share juqiang=D:\juqiang /unlimited'

Then copy fixme.exe from my machine to the juqiang share, and go back to SQL:

    xp_cmdshell 'D:\juqiang\fixme.exe'

After it runs, restart the machine.

Haha, it's done!
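As an added defender's example (not the post's own code), the following Python audits the two registry locations the fix above touches: every Userinit entry other than the real userinit.exe is reported, and the Run key is checked for the Mmsystem value. The expected Userinit path is an assumption; the live-registry reader only works on Windows, while the audit functions run anywhere.

```python
from typing import Dict, List, Optional

# Assumed legitimate Userinit path; Windows normally stores it with a trailing comma.
EXPECTED_USERINIT = r"C:\Windows\system32\userinit.exe"
# Run-key value name the post's fix deletes (compared case-insensitively).
SUSPICIOUS_RUN_NAMES = {"mmsystem"}


def audit_userinit(userinit: Optional[str]) -> List[str]:
    """Return findings for the Winlogon Userinit value (empty list means clean).
    Userinit is a comma-separated list Winlogon launches at logon, so any entry
    other than the real userinit.exe, or its absence, is reported."""
    if not userinit or not userinit.strip(", "):
        return ["Userinit is missing or empty; logon will fail"]
    entries = [e.strip() for e in userinit.split(",") if e.strip()]
    expected = EXPECTED_USERINIT.lower()
    findings = [f"unexpected Userinit entry: {e}" for e in entries if e.lower() != expected]
    if not any(e.lower() == expected for e in entries):
        findings.append("legitimate userinit.exe entry is absent")
    return findings


def audit_run_values(run_values: Dict[str, str]) -> List[str]:
    """Report Run-key values whose name matches the worm's auto-start entry."""
    return [f"suspicious Run value {name} -> {data}"
            for name, data in run_values.items()
            if name.lower() in SUSPICIOUS_RUN_NAMES]


def read_live_values():
    """Read both locations from the live registry (Windows only)."""
    import winreg  # imported here so the audit functions also run on non-Windows hosts
    hklm = winreg.HKEY_LOCAL_MACHINE
    with winreg.OpenKey(hklm, r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon") as k:
        userinit, _ = winreg.QueryValueEx(k, "Userinit")
    run = {}
    with winreg.OpenKey(hklm, r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run") as k:
        i = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(k, i)
            except OSError:  # raised once all values have been enumerated
                break
            run[name] = data
            i += 1
    return userinit, run


if __name__ == "__main__":
    ui, run = read_live_values()
    for finding in audit_userinit(ui) + audit_run_values(run):
        print("FINDING:", finding)
```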

If MSSQLServer had not been running on his machine, I could have used IPC$ to connect to it, but that is not as convenient as Query Analyzer. Knowing the SA password is really nice: used for good, it lets you recover a forgotten admin password with nothing more than WMI; used for bad, you can do whatever you want.
When I first used sqldom to connect to the remote machine, I wanted to do something like Glacier. Later I realized that the process I connected through had no access to the desktop, so the machine could not be remotely controlled that way. So I went back a step and worked from the command line instead!
