From chinaunix.net
This article is originally submitted, not to publish for any reason, recently seen that there is a friend to mention the XP to SP2, you must first remove the XP's Internet assistant, so I think of this article, I will send it, welcome, please indicate The original author is just a line ============================================ =============== 3721 virus killed method for removing Comments author: Tianyuan, qq: 354887 reprint please specify the time within the network recently received a user to report on certain sites It will be prompted to install a plugin called 3721 Chinese real-name, some users are unknown "Installation" options, causing the virus to remain in the hard disk. Although the Tianyuan is a network administrator, it is indeed a lot of use of the Windows operating system. It has never used this plug-in named 3721, but it is anxious to be anxious, so promise. After several efforts, I finally got it down. The following is killing the virus experience and a viral solution. The Tianyuan uses a WindowsXP machine, access the site provided by the user, downloads and executes the plugin. The plugin is Chinese, and then restart the machine after installing the machine and takes effect with the uninstall. Through the contrast observation before and after installation / uninstallation, its residentity, self-protection and a large amount of loss of system performance, let the Tianyuan determine that the plugin is indeed a virus! Virus attack phenomenon: automatically redirect the browser's "Search" function to a website called www.3721.com, the site is the Chinese station, and cannot be modified; forcibly add "Scenario chat" on the user IE, "Internet Acceleration "Successful icons; constantly refresh the registry related key value to achieve the purpose of successful resignation and a large consumption user host resource; load the machine load, and bring the process protection function, it is difficult to kill under normal Windows startup 5. With an automatic upgrade function, each time the user uses IE to use IE, the virus will be upgraded in the background; virus itself: self-contained unloading function; this virus is to hide its own purpose, paralyzed download plug-in users, provide uninstall program. However, according to the use of the Tianyuan, after the uninstalled, the virus program still resides, still loaded, still monitoring, rewriting the registry; uses a network upgrade method; the virus is used to prevent the user and anti-virus software The way to upgrade regularly, this is similar to the recent other Windows mainstream viruses, but it is worth mentioning that the virus has public viral upgrade sites www.3721.com, and the site style is like the portal, the service site, with extreme Large deceptive; loading in the driving mode; this feature can be said to be a technical leap in the virus since the recent period, using the driving mode to load the hook mode, under Windows is extremely difficult to kill (detailed technical discussion ); Provide search services for keyword queries to enter Chinese after entering Chinese in the browser address bar.
The shock of the Summary Pocket star virus also automatically connects the user's machine to Update.microsoft.com to download the patch, it seems that the new virus is increasingly liked to provide some alternative features; passive way to spread: Use some Site came to spread, rather than actively infecting other machines, this is similar to the current popular "beauty pictures" virus. From the initiative to passively, it can be said to be a new feature of some viruses this year; virus detailed analysis: When the user visits the site, pop up a control download window prompts the user to download and install, the surface is called himself to provide Chinese real-name services, and attract users to install; Modify user files and registry during the installation process; add files: Add to understand the network real name details in Documents and Settings / All Users / "Start" menu / program / network real name / directory. URL 86 bytes cleaning up .ur1 100-byte Internet assistant .ur 99 byte uninstall network real name .Lnk 1,373 byte repair browser .ur1 103 bytes Add assis.ico 5,734 bytes CNS02.Dat 1,652 bytes CNSHOOK .dll 56, 320 bytes cnsmin.cab 116, 520 bytes cnsmin.dll 179, 712 byte cnsmin.inf 378 byte SMS.ico "6,526 bytes Yahoomsg.ico 5,734 bytes Add cnsminkp.sys Add cnsminkp.sys Add cnsminkp.sys registry key: increase HKEY_LOCAL_MACHINE / SOFTWARE / 3721 primary keys, key attribute value consists of many children and; increased {B83FC273-3522-4CC6-92EC-75CC86678DA4} {D157330A-9EF3-49F8 at HKEY_LOCAL_MACHINE / SOFTWARE / Classes / CLSID primary key -9A67-4141AC41ADD4} Two sub-keys 3.
Increased in the HKEY_LOCAL_MACHINE / SOFTWARE / Classes / primary key CnsHelper.CH CnsHelper.CH.1 CnsMinHK.CnsHook CnsMinHK.CnsHook.1 four sub-keys at 4 increase HKEY_LOCAL_MACHINE / SOFTWARE / Classes / Interface / primary key {1BB0ABBE-2D95-4847- 5. B9D8-6F90DE3714C1} subkey increases at HKEY_LOCAL_MACHINE / SOFTWARE / Classes / TypeLib / primary key {A5ADEAE7-A8B4-4F94-9128-BF8D8DB5E927} {AAB6BCE3-1DF6-4930-9B14-9CA79DC8C267} in HKEY_LOCAL_MACHINE / SOFTWARE / Microsoft / Internet increasing the Explorer / AdvancedOptions / primary key! increase in the CNS subkey HKEY_LOCAL_MACHINE / SOFTWARE / Microsoft / Internet Explorer / Extensions / primary key {00000000-0000-0001-0001-596BAEDD1289} {0F7DE07D-BD74-4991-9D5F-ECBB8391875D} {5D73EE86 -05F1-49ed-B850-E423120EC338} {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} {FD00D911-7529-4084-9946-A29F1BDF4FE5} five subkey CustomizeSearch increase in HKEY_LOCAL_MACHINE / SOFTWARE / Microsoft / Internet Explorer / Search / primary key OcustomizeSearch SearchAssistant OsearchAssistant increased four subkeys {D157330A-9EF3-49F8-9A67-4141AC41ADD4} subkey HKEY_LOCAL_MACHINE / at HKEY_LOCAL_MACHINE / SOFTWARE / Microsoft / Windows / CurrentVersion / Explorer / ShellExecuteHooks / primary key Software / Microsoft / Windows / CURRENTVERSION / RUN / Under Add CNSMINE / SOFTWARE / Microsoft / Windows / CurrentVersion / RunOf / Windows / CurrentVersion / Runonce Add EK_ENTRY subkey (prompt, this button will take effect when the machine is started, producing the most headache part, the text will be described) HKEY_LOCAL_MACHINE / SOFTWARE / Microsoft / Windows / CurrentVersion / Uninstall / under increased CnsMin subkey HKEY_CURRENT_USER / Software / under increased 3721 subkey HKEY_CURRENT_USER / Software / Microsoft / Internet Explorer / Main / under increased CNSAutoUpdate CNSEnable CNSHINT CNSLIST CNSMENU CNSRESET After restarting the computer, the EK_ENTRY under the RunOnce mentioned above takes effect, generates the most evil CNSMinkp key value in the registry, and generates CNSMinkp.sys in the Windows / System32 / Drivers directory of the system disk. Document, the nightmares start.
Since Win2K / XP is started (including security mode), all drivers below Windows / System32 / Drivers are automatically run, so CNSMinkp.sys is loaded, and one of this driver is to ensure Windows / Downloaded Program Files. CNSHOK.DLL and CNSMIN.DLL under the directory and it is not deleted; CNSHOOK.DLL's role is to provide Chinese real name features, and the cnsmin.dll role is to reside in the IE process. In order to ensure the highest priority, CNSMin uses a timer function to repeatedly install the hook, thus causing system performance, on the machine of the Tianyuan test, the performance is about 20%. And because hook forced to hook, when the user uses a breakpoint debugger, it will cause frequent errors, which causes Winzip operation and unable to shut down. (For detailed technical details, see the topic " [Reserved] 3721 Report Mechanism Simple Research With a so-called "uninstaller", but the program / registry key value of the core part is still not deleted. Moreover, the virus uses various technical means with extremely powerful anti-deletion characteristics. Windows system boots (including security mode) will load CNSMinkp.sys under Windows / System32 / Drivers, which filter the driver to filter the deletion of itself and related important files and registry. Whenever you try to delete the critical file of 3721 and the registry key, return a true, so that Windows thinks deletion has been successful, but the files and registry are actually there. Technical highlights: The Tianyuan has to admit that 3721 This viral plug-in can be called the most difficult virus facing it since the NMS. In recent years, the virus has several major breakthroughs: CiH infection can be upgraded BIOS, red code opens Windows sharing expansion results, Meliza let us know what is to see the virus of the source program, MSSQLSERVER worm let us pay attention to computer viruses The attack is not only the node and network equipment, and the shock wave virus let us realize the terrible, beautiful picture virus when there is a safe vulnerability when using the same operating system, let us know the power of combining the art and software vulnerability, and this The 3721 virus first shows the powerful anti-deletion characteristics of virus, which can be said to be a virus that cannot be killed in a Windows environment. Although this is a one-quality virus, there is no damage to the system, but according to the history of viruses, it is foreseen that this kind of perfect anti-deletion technology will soon be utilized by other viruses and will soon be utilized by other viruses. A virus that combines network infection with powerful anti-deletion functions may have the largest test of anti-virus software under the Windows platform. And this experience, also let me realize that Microsoft's Windows operating system is humanized, beautiful, and fools behind the crisis.
As an IT peer, I personally expressed admiration for all the techniques used by the 3721 virus authors, but the Pandora's magic box of the new virus has been opened: in the history of the current virus, only a few viruses have been used under Windows NT. The program under System32 / Drivers will be transmitted automatically, but those viruses themselves are not perfect, which will cause the Windows NT system frequent blue screen dead machine, like 3721 plug-in virus so perfectly load, reside other processes, only Consuming host resources, monitoring registry and key files do not lead to errors in the system, and there are the first time at home and abroad. It is more mature than those viruses than before; if the Tianyuan and everyone have been explored, did not play SP2 or above Patch's Win2K How to download the SP4 re-installation patch like this. Due to the CNSMinkp.sys boot started under the drivers directory, if you want to load it, only after Windows is started, the invoking table overwrite the corresponding CNSMinkp key value or delete the file, but because CNSMinkp.sys is filtered to itself Related Important Documents and Delete Operations for Registry. Whenever you try to delete the critical file of 3721 and the registry key, return a true, so that Windows thinks deletion has been successful, but the files and registry are actually there. Make the registry could not modify / files could not be deleted, so that our traditional killing viruses and Trojan's countermeasures were unable. Residing IE processes, automatically upgraded, ensuring that the virus has extremely powerful vitality, wants to come to new killings, and the virus will immediately upgrade. Although there are other browsers such as Mozilla, in Windows, most users are generally installed with IE due to Microsoft's bundling strategies and compatibility. The Internet is used to find IE. When you find the 3721 information, I use IE. In this way, 3721 will upgrade itself to the latest version in front of the user to prevent the possibility of being killed, and add to the virus. Difficulty. Perhaps the virus will upgrade in the shortest time after it is issued. With other "practical" features. The Tianyuan remembers that some viruses have encountered some viruses when they were in DOS. They automatically run a cute screen protected, or automatically clean up the functions such as the temporary folder; later in the Windows platform. Over the virus attack "Today is the XX Historical Examination" today, Today, XX Historical Outlook, "The 3721 virus is provided with a so-called Chinese domain name and English domain name. Features. With the development of viruses, this band-covered, fun and deceptive viruses will be more and more. For example, the nearest mail virus is sent to the name of Microsoft, or in the reply format starting in RE, the development of the virus is propagated from the original infection, the spread of vulnerabilities, and the back door communication will gradually transition to deception, more and more viruses The importance of social engineering is recognized. Perhaps in the near future, there will be a virus / Trojan with simple online game / P2P software. Polar deceptive: This plug-in can be used under Win98, but the use of its own uninstallation can be relatively perfectly uninstalled, while uninstalling the program under Win2K / XP platform is almost useless. It can be seen that the virus writer is extremely proficient in social engineering: When a person has a table, he knows time; and when he has two tables, there is no judgment time. When this virus cannot be deleted when this virus cannot be deleted, the Win98 users will indicate that there is no problem with any problem with any problem. The opposition of the two opinions affects the judgment of the bystanders. The participation of business behavior. It is said that the virus is written by a company, in order to further promote its products, increase its visits and apply for users.
At this point, the user is required to download the XX plug-in with some porn sites, and then make it easy to use the plugin pop-up window. The Tianyuan can't help but think of a dope. In the year, a company company staff (of course, it is also possible to be a staff member of the company), often calling a large-scale enterprise unit, and there is no other middle-text field name has been robbed by XX, if not paying money will Result in the XX consequences cloud cloud. Brotherhood seems to have experienced by this company: The company's employees call to a college network center. At first, it was recommended that it applied for Chinese domain names, and its director is very interested, but due to the price of the price. The second time, I became intimidation by persuasion, saying that the Chinese name has been registered by the XX private school. If the school does not pay the money, there will be a terrible consequences. Who wants to eat soft and not eat hard, return to: "You call you here, you also know that in China, XX University is a state recognition, and your company does not have any official proven In the case, I will open the private school for our school Chinese domain name. If you can see your irregularity, then if I privately pay the name of the NXX national leader, is it a personal site is also your company is also accepting? Similar to the company, we have a consistent practice we have to find a legal way to solve the legal way! "The answer is very wonderful. Of course, the consequences of this matter are not. It is not difficult to see from related reports, computer crimes gradually begin to facilitate economic fields. Viruses and business combining private computers in violation of private computers, is a change in virus writing by personal behavior to business behavior, and the history of viral development has opened a new chapter. Virus killing plan: Due to the "teaching and fishing" in the network tube, the Tianyuan has written the virus to kill the process, and everyone discusses. The first round: When I saw this virus, I felt this, the ordinary Trojan. According to the old rules, first delete the key value in the registry, then delete the virus file, then restart the machine, wait 10,000 things OK. At first glance, the registry is completely did not change, and the deleted file is also there. Outcome: The virus wins, the sky defeated the second round: changed a machine and uninstall help tool to facilitate monitoring of registry / files. My next is the Software of Ashampoo Uninstaller Suite, which can monitor the registry / file / important profile. OK, install the 3721 plugin again, record the change / file change / file of the registry. (It is worth noting that because the registry Run and Runon's key is taken in the next startup, after restarting, it is necessary to compare the change of the file / registry to obtain exact results). Then compare the record, all of the 3721 added, and the added file is also recorded. After that, I plan to start, delete files, and registry using security mode, so I wrote a save.reg file to delete the relevant key value in the registry (write the reg file in the network management note, the heroes, there is a introduction, wait At the end of the article, I provide that the REG file for your reference), wrote a save.bat to delete the relevant file, put it in the root directory of the C drive. Restart the machine and enter the security mode, I will import the registry with the regedit / s save.reg, and then delete the relevant file with Save.bat. Restart the machine, but found that the document still exists, the registry does not have successful modification. Usually the way Trojan / virus is completely invalid, which makes me produce the feeling of the enemy. Opening: The virus wins, the sky defeated the third round: Restart the machine, this time I use manual way to delete the file.
Discover the problem - CNSHOKP.SYS in the System32 / Drivers directory, the cnshook.dll and cnsmin.dll under the Windows / Downloaded Program Files directory are "unable to delete". This may be a bit improper, accurately saying that there is no error report after deleting, but the file still exists. So I use Google to find a clue - I have found a article (name and url to see the previous article), so I understand that this is CNSMINKP.sys. So, as long as it does not load it, don't you load it? ? But I tried 2K and XP security mode to load the drive under System32 / Drivers, and if you want to cancel the loading, you need to modify the registry, but because the registration correlation value is modified after loading CNSMinkp.sys is invalid. Resulting in the loading of the program that cannot contain the program of CNSMinkp.sys. Of course, friends with floppy drives can use the floppy disk to delete the file, but if you use the macrower that is the same as the sky? Remember that the article on the Green Alliance is what is mentioned - "Call currently can't crack". In this step, the Tianyuan also tried various methods. I tried to change the file name of these files, the result was not successful; I tried to replace the file with the redirection, such as Dir *> cnsminkp.sys, the result is unsuccessful; I tried to use the Copy Con
[-HKEY_LOCAL_MACHINE / SOFTWARE / 3721] [-HKEY_LOCAL_MACHINE / SOFTWARE / Classes / CLSID / {B83FC273-3522-4CC6-92EC-75CC86678DA4}] [-HKEY_LOCAL_MACHINE / SOFTWARE / Classes / CLSID / {D157330A-9EF3-49F8-9A67-4141AC41ADD4 }] [-HKEY_LOCAL_MACHINE / SOFTWARE / Classes / CnsHelper.CH] [-HKEY_LOCAL_MACHINE / SOFTWARE / Classes / CnsHelper.CH.1] [-HKEY_LOCAL_MACHINE / SOFTWARE / Classes / CnsMinHK.CnsHook] [-HKEY_LOCAL_MACHINE / SOFTWARE / Classes / CnsMinHK. CnsHook.1] [-HKEY_LOCAL_MACHINE / SOFTWARE / Classes / Interface / {1BB0ABBE-2D95-4847-B9D8-6F90DE3714C1}] [-HKEY_LOCAL_MACHINE / SOFTWARE / Classes / TypeLib / {A5ADEAE7-A8B4-4F94-9128-BF8D8DB5E927}] [- HKEY_LOCAL_MACHINE / SOFTWARE / CLASS / TYPELIB / {AAB6BCE3-1DF6-4930-9B14-9CA79DC8C267}] [-HKEY_LOCAL_MACHINE / SOFTWARE / Microsoft / Internet Explorer / AdvanceDOptions /!
CNS] [-HKEY_LOCAL_MACHINE / SOFTWARE / Microsoft / Internet Explorer / Extensions / {00000000-0000-0001-0001-596BAEDD1289}] [-HKEY_LOCAL_MACHINE / SOFTWARE / Microsoft / Windows / CurrentVersion / Uninstall / CnsMin] [-HKEY_LOCAL_MACHINE / SOFTWARE / Microsoft / Internet Explorer / Extensions / {00000000-0000-0001-0001-596BAEDD1289}] [-HKEY_LOCAL_MACHINE / SOFTWARE / Microsoft / Internet Explorer / Extensions / {0F7DE07D-BD74-4991-9D5F-ECBB8391875D}] [-HKEY_LOCAL_MACHINE / SOFTWARE / Microsoft / Internet Explorer / Extensions / {5D73EE86-05F1-49ed-B850-E423120EC338}] [-HKEY_LOCAL_MACHINE / SOFTWARE / Microsoft / Internet Explorer / Extensions / {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71}] [-HKEY_LOCAL_MACHINE / SOFTWARE / Microsoft / Internet Explorer / Extensions / {FD00D911-7529-4084-9946-A29F1BDF4FE5}] [-HKEY_CURRENT_USER / Software / 3721] [-HKEY_LOCAL_MACHINE / SOFTWARE / Microsoft / Internet Explorer / Search / OCustomizeSearch] [-HKEY_LOCAL_MACHINE / SOFTWARE / Microsoft / Internet Explorer / search / OSEARCHASSISTANT] [-HKEY_LOCAL_MACHINE / SOFTWARE / Microsoft / Internet Explorer / S earch / CustomizeSearch] [-HKEY_LOCAL_MACHINE / SOFTWARE / Microsoft / Internet Explorer / Search / SearchAssistant] [-HKEY_LOCAL_MACHINE / SOFTWARE / Microsoft / Windows / CurrentVersion / Explorer / ShellExecuteHooks / {D157330A-9EF3-49F8-9A67-4141AC41ADD4}] [-HKEY_LOCAL_MACHINE / SOFTWARE / Microsoft / Windows / CurrentVersion / Run / CnsMin] [-HKEY_LOCAL_MACHINE / SOFTWARE / Microsoft / Windows / CurrentVersion / RunOnce / EK_Entry] [-HKEY_USERS / S-1-5-21-789336058-764733703-1343024091-1003 / Software / Microsoft / Internet Explorer / Main / CNSAutoUpdate] [-HKEY_USERS / S-1-5-21-789336058-764733703-1343024091-1003 / Software / Microsoft / Internet Explorer / Main / CNSEnable] [-HKEY_USERS / S-1-5 -21-789336058-764733703-1343024091-1003 / Software / Microsoft / Internet Explorer / main / cnshint] [-HKEY_USERS / S-1-5-21-78