Terrain
Hardware: 10 computers, most of them mainstream configurations from 3 to 4 years ago.
Operating systems: one Windows XP, two Windows 2000 Server, the rest Windows 2000 Professional.
Common software: one design computer running the usual graphics-processing software; two finance computers running the usual financial software; the rest are ordinary office computers running Office 2000 (Access, PowerPoint, Word, Excel and so on). One of them is regularly used to receive mail, but through direct webmail logins rather than a mail client program.
Anti-virus software: two machines have no anti-virus software installed at all; one machine runs the Rising firewall; the remaining machines run Jiangmin KV2004 with a last update date around March 29; some of them also carry leftover fragments of a non-genuine anti-virus installation whose last update date was 2004.
Network: Internet access is an Ethernet service provided by the residential-estate property management, using PPPoE with automatically assigned DNS and IP. A router shares that uplink with every workstation on the company LAN; behind the router, a switch and a hub extend the network.
On site
The network is jammed. The NICs are constantly busy, with large numbers of packets entering and leaving, yet no connection can be established.
Most computers run slowly: even a moderately large image-editing program will not open, and the mouse and keyboard lag.
The enemy holds an absolute advantage.
Investigation
Opening Task Manager shows two suspicious processes: SCVHOST.EXE and WDFMGR.EXE (the enemy's main force?). The latter consumes a large share of CPU, and once it is terminated the machine becomes noticeably more responsive. After both are terminated, the packets entering and leaving the NIC drop sharply. But if the network stays connected, both processes quickly reappear in the process list.
SCVHOST.EXE is an enemy spy that imitates the ordinary system process svchost.exe, and it consumes a fair amount of CPU time. Until it is terminated, Registry Editor closes itself immediately after starting, so we cannot view or modify the registry. Looking up the enemy's records, the virus family Agobot (also known as Gaobot) has exactly these characteristics; the basic information is as follows (reproduced from the Rising anti-virus information site):
This virus combines worm, Trojan and backdoor functionality. It infects every computer on the local area network by cracking simple network passwords, and builds a service platform on infected computers in the form of a backdoor, through which external clients can issue more than a dozen remote-control commands.
When the virus runs it steals the serial numbers of more than a dozen products and shuts down dozens of applications, so that the infected computer becomes slow, the clipboard cannot be used, the registry editing tool cannot run, and so on; users cannot use the computer normally.
When running, the virus generates a viral file "scvhost.exe" in the system directory, creates a service named "cfgldr", and opens a backdoor on the infected system that listens on port 65506 for remote-control commands. Through this backdoor a remote controller can launch some 10 kinds of attack, such as httpflood and udpflood.
In addition, the virus keeps a list of dozens of programs; whenever one of those programs is found running, the virus shuts it down so that it cannot run.
Note: many variants use the functions described above to defeat the automatic upgrade of common anti-virus software. Therefore, upgrading the anti-virus software after infection and then scanning is most likely ineffective. This was confirmed in practice: an upgrade performed after infection neither intercepted nor removed the virus. So the anti-virus software must be upgraded again after the virus has been removed by hand.

As for the WDFMGR.EXE process, the information found shows it as a Microsoft file, described as: Microsoft Windows Media Player 10, Windows Driver Foundation Manager, not an important system process. The on-site inspection, however, found the WDFMGR.EXE file both in the system folder and in a shared folder, with an auto-start entry in the registry, and it behaved just like the enemy described above. So even if it is not one of the enemy's regular troops, it is at the very least a ghost soldier that has borrowed a body.
Apart from one machine that was not connected to the network and two machines that had passwords set, every machine was hit.
The big counterattack
Isolate: disconnect all computers from the network.
Cut off the enemy's front and rear: restart the computer.
Encircle the vanguard: check the process table in Task Manager and terminate the two processes above.
Destroy the command post: open Registry Editor, go to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run, and delete every value that points to SCVHOST.EXE or WDFMGR.EXE. Save the changes and close.
Direct strike: open Explorer, search the whole hard drive for files named SCVHOST.EXE and WDFMGR.EXE, and delete them permanently, bypassing the Recycle Bin.
Clean up the battlefield: restart the computer.
Self-check to make sure no spies remain: check the process table in Task Manager and confirm that the two processes above are gone.
Build defensive works: run the latest upgrade package of the anti-virus software.
Thoroughly eliminate the remaining evil forces, dissidents and other opposition: run a full scan with the upgraded anti-virus software.
Reopen the gates: connect this computer back into the network.
Move to the next battlefield: handle the other computers in the same order.
Note: make sure every computer brought back onto the network is virus-free and has upgraded anti-virus software. Otherwise the virus will return over the network and all the work will have been for nothing.
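As an added example that is not part of the original write-up, here is a small Python triage script for the self-check step: before a machine is reconnected it looks for the indicators named above (the impostor process names, a TCP listener on port 65506, and Run-key values that launch the dropped files). The process and socket listings and the Run-key entries are constructed samples in the layout of `tasklist` and `netstat -an` output; on a real machine you would feed in the actual listings.

```python
import re
import ntpath

# Indicators from the write-up: impostor processes and the backdoor port.
IMPOSTOR_PROCESSES = {"scvhost.exe", "wdfmgr.exe"}
BACKDOOR_PORT = 65506

# Constructed sample `tasklist` / `netstat -an` output (not from the write-up).
SAMPLE_TASKLIST = """\
Image Name                   PID Session Name     Session#    Mem Usage
svchost.exe                  812 Console                 0      4,120 K
scvhost.exe                 1304 Console                 0      2,988 K
WDFMGR.EXE                  1340 Console                 0     11,204 K
"""
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:65506          0.0.0.0:0              LISTENING
"""
# Value name -> command, as read from ...\CurrentVersion\Run (constructed).
SAMPLE_RUN = {"Configuration Loader": r'"C:\WINNT\system32\scvhost.exe"',
              "Synchronization Manager": "mobsync.exe /logon"}

def suspicious_processes(tasklist_output):
    """Image names in tasklist text that exactly match the impostor set. Exact
    matching matters: scvhost.exe differs from the real svchost.exe only by
    two swapped letters, so a loose 'svchost' test would confuse the two."""
    names = [ln.split()[0].lower() for ln in tasklist_output.splitlines() if ln.strip()]
    return [n for n in names if n in IMPOSTOR_PROCESSES]

def backdoor_listener(netstat_output, port=BACKDOOR_PORT):
    """True if netstat text shows a TCP socket LISTENING on the backdoor port."""
    pat = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING", re.IGNORECASE)
    return any(int(m.group(1)) == port
               for m in map(pat.match, netstat_output.splitlines()) if m)

def image_name(command):
    """Executable file name from a Run-key command line, quoted or bare."""
    exe = command[1:].split('"', 1)[0] if command.startswith('"') else command.split()[0]
    return ntpath.basename(exe).lower()

def run_key_hits(run_values):
    """Run-key value names whose command launches an impostor executable."""
    return [n for n, cmd in run_values.items() if image_name(cmd) in IMPOSTOR_PROCESSES]

def triage(tasklist_output, netstat_output, run_values):
    """Combine the checks; 'infected' is True when any indicator is present."""
    report = {"processes": suspicious_processes(tasklist_output),
              "listener": backdoor_listener(netstat_output),
              "run_entries": run_key_hits(run_values)}
    report["infected"] = any(report.values())
    return report
```

A clean machine should produce an empty process list, no listener and no Run-key hits; any hit means the hand-cleaning steps above have to be repeated before the machine goes back on the network.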
Other gangs
Besides the two main viruses above, individual computers (mainly machines that had gone a long time without maintenance) also carried VBS viruses, RBOT-series viruses similar to Agobot, and Trojans of the online-banking-thief type. These can all be killed by the scan.
Post-war construction
Turn off unnecessary services; see the list of system processes.
Add or change the passwords of Administrator-level users. The two computers that were not infected both had custom passwords on their Administrator-level accounts, which shows that setting a password is a simple and effective way to stop viruses like Agobot and RBOT.
Delete misused games and web programs.
At this point the battle has ended in complete victory!