[Repost] Dealing with the bcvsrv32.exe virus in one minute

The bcvsrv32.exe virus once broke out inside my company, infecting a large number of Windows servers and client machines. The Internet egress was choked with junk packets, work in the many departments that need to reach overseas servers was disrupted, and the IT department received a flood of service requests. According to several of the company's Windows administrators, however, the bcvsrv32.exe process could not be killed in normal mode, the Norton antivirus was helpless against it, and the machine had to be booted into Safe Mode before it could be cleaned, so the cleanup was slow and newly infected machines kept appearing.

One day a Windows administrator called me for help. He said he could not be in two places at once: his own site had several infected machines to deal with, and he could not spend more than an hour travelling to my site to handle the infected machines here. He added that the machines had to be booted into Safe Mode, and so on. I asked for the administrator password and connected through Terminal Services to take a look; sure enough, Task Manager could not kill bcvsrv32.exe. But the thought of first hunting down a keyboard, mouse and monitor and then rebooting the machine several times gave me a headache, so I decided to try something else first. I quickly used Google to download two small process-management tools for the Windows platform, tlist.exe and pskill.exe (tlist.exe can be found in the Support Tools on the Windows 2000 CD; pskill.exe can be downloaded from the various hacker tool sites), tried them out, and to my surprise solved the problem in no time. So I wrote the following mail and sent it to all of the company's Windows administrators.

How to deal with the virus "bcvsrv32.exe" in one minute?

  Some say the virus "bcvsrv32.exe" can't be removed unless you reboot the computer, but I have found an easy way to deal with it.

  Firstly, we need two tools named tlist and pskill. You can find them in the attachment.


  Secondly, upload the two tools to the victim server. For example, you can put them in \\9.184.83.79\ADMIN$ .

  And then, on the victim server, find out the process id of "bcvsrv32.exe". In this case I found the pid is 2776.

  Let's begin! Type in the following commands.
C:\Documents and Settings\teserver>tlist 2776 |more
2776 bcvsrv32.exe
CWD:     C:\WINNT\system32\
CmdLine: C:\WINNT\system32\bcvsrv32.exe -meltserver "\\9.184.83.79\E$\bcvsrv32.exe"
VirtualSize:   2073940 KB   PeakVirtualSize:   2074896 KB
WorkingSetSize: 23172 KB   PeakWorkingSetSize:103448 KB
NumberOfThreads: 1965
3096 Win32StartAddr:0x00451060 LastErr:0x00000000 State:Waiting
1576 Win32StartAddr:0x0040ba67 LastErr:0x00000000 State:Waiting
......
......

Please notice this line -- C:\WINNT\system32\bcvsrv32.exe -meltserver "\\9.184.83.79\E$\bcvsrv32.exe". OK, so we can find the two bcvsrv32.exe files on this system. E:\bcvsrv32.exe can be deleted easily, but when you try to delete C:\WINNT\system32\bcvsrv32.exe, you will only see the message "Access denied".
Note added afterwards: this is really the whole point. If you don't deal with E:\bcvsrv32.exe first, you will find that the bcvsrv32.exe process can never be killed. Once you know how to use a command-line tool like tlist, the problem solves itself. It's that simple!

  Don't worry. It's time to use the tool pskill. Follow me, please.

C:\Documents and Settings\teserver>pskill 2776

PsKill v1.03 - Terminates processes on local or remote systems
Copyright (C) 1999-2004 Mark Russinovich
Sysinternals - www.sysinternals.com

Process 2776 killed.

  Haha, the game is over. Now we can see all the processes on the server, and delete the file C:\WINNT\system32\bcvsrv32.exe .

C:\Documents and Settings\teserver>tlist
0 System Process
8 System
192 smss.exe
216 csrss.exe
240 WINLOGON.EXE
268 services.exe
280 LSASS.EXE
384 termsrv.exe
500 svchost.exe
544 SPOOLSV.EXE
616 msdtc.exe
792 DefWatch.exe
812 svchost.exe
836 ibmasrex.exe
856 ibmasrsv.exe
868 jacservice.exe
884 llssrv.exe
940 tcpsvcs.exe
976 mnmsrvc.exe
1000 NHOSTSVC.EXE
1300 ntfrs.exe
1336 regsvc.exe
1348 mstask.exe
1436 winmgmt.exe
1484 WINS.EXE
1492 Nhstw32.exe
1508 svchost.exe
1532 dfssvc.exe
1620 NLDRW32.EXE
968 svchost.exe
2288 dllhost.exe
9076 DWRCS.EXE
9148 MirrorDir.exe
9548 explorer.exe
10848 VPTray.exe
2876 ss3dfo.scr
10980 CMD.EXE
10176 MirrorDir.exe
9524 java.exe
1892 Rtvscan.exe
10544 csrss.exe
10280 WINLOGON.EXE      NetDDE Agent
10924 explorer.exe      Program Manager
9540 NHOSTSVC.EXE
11032 Nhstw32.exe       NetOp Host - Running
9860 NLDRW32.EXE       NetOpWindowsLoader
10156 mmc.exe           Computer Management
10712 VPC32.exe         Symantec AntiVirus Corporate Edition
9376 taskmgr.exe       Windows Task Manager
10308 mmc.exe           Services
10956 CMD.EXE           C:\WINNT\system32\cmd.exe
10772 conime.exe
10844 CMD.EXE           C:\WINNT\system32\cmd.exe - tlist
10960 tlist.exe
10696 more.com
11092 tlist.exe

C:\Documents and Settings\teserver>del C:\WINNT\system32\bcvsrv32.exe

C:\Documents and Settings\teserver>
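The cleanup order used above (delete the copy named on the command line first, then kill the process, then delete its own image) can be derived mechanically from the `tlist <pid>` output. The following Python script is an added example; it is not part of the original mail and not code from the tlist or pskill tools. It parses a re-typed copy of the capture above (the sample text is constructed from the post's values; the function names, key names and regular expressions are this example's own assumptions) and returns the ordered list of delete/kill steps as data, without touching any file or process.

```python
import re

# Constructed sample of `tlist <pid>` output, re-typed from the capture in the post
# (the PID, paths and address are the post's own values; this text was not captured here).
SAMPLE_TLIST = r"""2776 bcvsrv32.exe
   CWD:     C:\WINNT\system32\
   CmdLine: C:\WINNT\system32\bcvsrv32.exe -meltserver "\\9.184.83.79\E$\bcvsrv32.exe"
   VirtualSize:   2073940 KB   PeakVirtualSize:   2074896 KB
   WorkingSetSize: 23172 KB   PeakWorkingSetSize:103448 KB
   NumberOfThreads: 1965
   3096 Win32StartAddr:0x00451060 LastErr:0x00000000 State:Waiting
"""

# An argument that names a local (C:\...) or UNC (\\host\share\...) executable.
PATH_ARG = re.compile(r'^(?:[A-Za-z]:\\|\\\\)[^"]*\.(?:exe|dll|scr|com)$', re.IGNORECASE)

# tlist field label -> key used in the parsed dict (names chosen for this example).
FIELD_KEYS = {"CWD": "cwd", "CmdLine": "cmdline", "NumberOfThreads": "threads"}


def parse_tlist_detail(text):
    """Parse `tlist <pid>` output into a dict with pid, image, cwd, cmdline, threads."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    pid, image = lines[0].split(None, 1)          # first line: "<pid> <image name>"
    info = {"pid": int(pid), "image": image.strip()}
    for line in lines[1:]:
        m = re.match(r"\s*(CWD|CmdLine|NumberOfThreads):\s*(.*)$", line)
        if m:
            label, value = m.groups()
            info[FIELD_KEYS[label]] = value.strip()
    info["threads"] = int(info.get("threads", 0))
    return info


def split_cmdline(cmdline):
    """Split a Windows command line into arguments, keeping quoted segments whole."""
    return [tok.strip('"') for tok in re.findall(r'"[^"]*"|\S+', cmdline)]


def cleanup_plan(text):
    """Return the ordered cleanup steps for the process described by `text`.

    Every executable named on the command line other than the running image
    (here the -meltserver copy) is deleted first, so nothing can restore the
    process; then the process is killed; then its own image file is deleted.
    The plan is data only; nothing here deletes a file or kills a process.
    """
    info = parse_tlist_detail(text)
    argv = split_cmdline(info["cmdline"])
    image = argv[0]
    extras = [a for a in argv[1:] if PATH_ARG.match(a) and a.lower() != image.lower()]
    steps = [("delete", path) for path in extras]
    steps.append(("kill", info["pid"]))
    steps.append(("delete", image))
    return steps


if __name__ == "__main__":
    for action, target in cleanup_plan(SAMPLE_TLIST):
        print(action, target)
```

Run against the sample, the plan comes out as delete \\9.184.83.79\E$\bcvsrv32.exe, kill 2776, delete C:\WINNT\system32\bcvsrv32.exe, which is exactly the order the mail arrives at by hand. Feeding it the `tlist <pid>` output of another infected host gives that host's own copy path, so the same check works wherever the melt-server copy happens to sit.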

  By the way, we also need to reverse the changes made to the registry. Please see this article: http://securityresponse.symantec.com/avcenter/venc/data/w32.gaobot.bqj.html .

    Actually, there is nothing special in this post. I just think a competent Windows administrator must know, and be good at using, the Support Tools, the Resource Kit and a few small hacker tools. As the saying goes: to do a good job, one must first sharpen one's tools.


========================================================
For any form of reproduction, please cite the source:
email: beginner@yeah.net
website: http://blog.chinaunix.net/index.php?blogId=739
========================================================
