Endurer, original
Version 5: anti-virus report supplement
Version 4: anti-virus report supplement
Version 3: anti-virus report supplement
Version 2: anti-virus report supplement; malicious programs found on the other disks of the user's computer
Version 1
Yesterday a netizen said that Rising on his computer kept reporting Gray Pigeon (Huigezi): real-time monitoring repeatedly found and "successfully deleted" the Rootkit.vanti.gen file C:/Windows/tempkqmbz78.dll.
For example:
--------------------------------------------------------------------
07-11
Virus name            Result                 Scan method                 File
Rootkit.vanti.gen     deleted successfully   file monitoring             C:/Windows/tempkqmbz78.dll
Rootkit.vanti.gen     deleted successfully   file monitoring             C:/Windows/tempkqmbz78.dll
Exploit.vbs.phel.Z    script skipped         webpage/script monitoring   C:/docume~1/admini~1/locals~1/temp375264011664.tmp
Exploit.vbs.phel.Z    delete after restart   file monitoring             C:/Documents and Settings/Administrator/Local Settings/Temporary Internet Files/content.ie5/h9ce4rpybbs1_1).htm
Rootkit.vanti.gen     deleted successfully   file monitoring             C:/Windows/tempkqmbz78.dll
Rootkit.vanti.gen     deleted successfully   file monitoring             C:/Windows/tempkqmbz78.dll
Rootkit.vanti.gen     deleted successfully   file monitoring             C:/Windows/tempkqmbz78.dll
Rootkit.vanti.gen     deleted successfully   file monitoring             C:/Windows/tempkqmbz78.dll
Trojan.DL.Small.mjr   deleted successfully   file monitoring             C:/system volume information/_restore{E636C2E6-57A1-4711-9BF0-6BE15D9B34BF}/rp26a0007133.dll
Rootkit.vanti.gen     deleted successfully   file monitoring             C:/Windows/tempkqmbz78.dll
--------------------------------------------------------------------
The IE homepage was also forcibly set to hxxp://www.58111.com.
Via QQ Remote Assistance, first download HijackThis and the "delete files at next startup" utility (Auto_del.rar) from http://endurer.ys168.com.
Scanning with HijackThis and saving a short log showed the following suspicious items:
--------------------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 20:46:10, on
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
O2 - BHO: (no name) - {669751ed-d558-49ae-b01a-3b374cc7910e} - C:/Windows/system32/ssup.dll
O2 - BHO: internet_explorer_service - {9e1e1371-9d8f-4421-81b9-f8d2e1773a59} - C:/Windows/system32/helperservice.dll
O3 - Toolbar: System Standard button (&E) - {6b2455fd-3669-4555-8df8-69fd5bc846f8} - C:/Windows/system32/systemtoolbar.dll
O23 - Service: System Event Log Service (systemlog) - www.huigezi.net - C:/Windows/system32/shellext/services.exe
O23 - Service: Windows XP Vista - Unknown owner - C:/Windows/fish.exe
--------------------------------------------------------------------
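As an added example (not code from the original post), a small Python script that applies two checks a responder would make on the two logs above, using lines constructed from them as sample input: a file that the monitor reports deleting over and over is being re-dropped by a component that is still active, and an O23 service entry with an unknown owner, or whose binary borrows a system executable's name (services.exe) from outside system32, is the likely persistence. The list of system binaries and the "-"-separated HijackThis layout are assumptions.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# One Rising file-monitor line as quoted above: "<name> <result> <scan method> <path>"
RISING_RE = re.compile(r"^(\S+)\s+(.+?)\s+((?:File|webpage/script) monitoring)\s+(\S.*)$")
# One HijackThis service line (assumed layout): "O23 - Service: <name> - <owner> - <path>"
O23_RE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+)$")
# Genuine Windows binaries that live only in %SystemRoot%\system32 (assumed short list)
SYSTEM_BINARIES = {"services.exe", "svchost.exe", "lsass.exe", "winlogon.exe"}
SYSTEM32 = PureWindowsPath("C:/Windows/system32")

# Constructed samples, taken from the two log excerpts in the post
RISING_LOG = """\
Rootkit.vanti.gen deleted successfully File monitoring C:/Windows/tempkqmbz78.dll
Rootkit.vanti.gen deleted successfully File monitoring C:/Windows/tempkqmbz78.dll
Exploit.vbs.phel.Z skip the script webpage/script monitoring C:/docume~1/admini~1/locals~1/temp375264011664.tmp
Rootkit.vanti.gen deleted successfully File monitoring C:/Windows/tempkqmbz78.dll
Trojan.DL.Small.mjr deleted successfully File monitoring C:/system volume information/rp26a0007133.dll
"""
HJT_LOG = """\
O23 - Service: System Event Log Service (systemlog) - www.huigezi.net - C:/Windows/system32/shellext/services.exe
O23 - Service: Windows XP Vista - Unknown owner - C:/Windows/fish.exe
"""

def parse_rising(log):
    """Return (name, result, method, path) for each parseable monitor line."""
    return [m.groups() for m in map(RISING_RE.match, log.splitlines()) if m]

def repeat_deletions(log, threshold=3):
    """Paths 'deleted successfully' at least `threshold` times: a file that keeps
    coming back is being re-dropped by something the scanner has not removed."""
    counts = Counter(path.lower() for _, result, _, path in parse_rising(log)
                     if result.lower().startswith("deleted"))
    return {p: n for p, n in counts.items() if n >= threshold}

def suspicious_services(hjt_log):
    """Flag O23 entries with no known owner, or whose binary borrows the name
    of a system executable but runs from outside system32."""
    flagged = []
    for m in filter(None, map(O23_RE.match, hjt_log.splitlines())):
        name, owner, path = m.groups()
        p = PureWindowsPath(path)
        reasons = []
        if owner.lower() == "unknown owner":
            reasons.append("unknown owner")
        if p.name.lower() in SYSTEM_BINARIES and p.parent != SYSTEM32:
            reasons.append(f"{p.name} outside system32")
        if reasons:
            flagged.append((name, path, reasons))
    return flagged
```

On the sample input the repeated deletion of C:/Windows/tempkqmbz78.dll and both O23 services are flagged, which is the order the repair below follows: stop the services first, then remove the files.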
The repair process is as follows (for details, see the basic operation index of the [System repair series]):
1. Stop and disable the system services:
System Event Log Service (systemlog)
Windows XP Vista
2. Open the Registry Editor, go to HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services, find the subkeys "System Event Log Service (systemlog)" and "Windows XP Vista", and delete them.
3. Use WinRAR to locate the following files, pack them as backups, and then delete them:
C:/Windows/system32/ssup.dll
C:/Windows/system32/helperservice.dll
C:/Windows/system32/systemtoolbar.dll
C:/Windows/system32/shellext/services.exe
C:/Windows/fish.exe
/*************************************** ***************************
07-13 supplement (version 2):
Kaspersky reports services.exe and fish.exe as Backdoor.Win32.Hupigon.btb
Subject: Virus report email analysis result - flow ticket No.: 2969997
Sender: "" <Send@rising.net.cn>
Sent at: 20:39:41
Dear customer!
Your email has been received. Thank you for your support of Rising.
We have analyzed your problem and files in detail. The analysis results for the files you uploaded are as follows:
1. File name: fish.exe
Virus name: Backdoor.gpigeon.zjn
We will solve the problem in the newer version 18.35.40. Please upgrade your Rising software to version 18.35.40 and open the Monitoring Center to completely eliminate the virus. If a problem is found during testing, the release may be delayed by one or two versions.
Subject: Virus report email analysis result - flow ticket No.: 2970004
Sender: "" <Send@rising.net.cn>
Sent at: 20:49:54
Dear customer!
Your email has been received. Thank you for your support of Rising.
We have analyzed your problem and files in detail. The analysis results for the files you uploaded are as follows:
1. File name: services.exe
Virus name: Backdoor.gpigeon.ziu
We will solve the problem in the newer version 18.35.40. Please upgrade your Rising software to version 18.35.40 and open the Monitoring Center to completely eliminate the virus. If a problem is found during testing, the release may be delayed by one or two versions.
**************************************** **************************/
/*************************************** ***************************
07-17 supplement (version 4):
Kaspersky reports systemtoolbar.dll as Trojan-Clicker.Win32.Delf.dn
**************************************** **************************/
/*************************************** ***************************
07-19 supplement (version 5):
Kaspersky reports helperservice.dll as not-a-virus:AdWare.Win32.Delf.g
**************************************** **************************/
4. Close all browser and folder windows, scan again with HijackThis, tick the suspicious items listed above, and click Fix (if you know an item is safe, you can leave it alone).
5. The suspicious files internat.exe, infoser.hta and autoexec.com were also found in C:/; they were likewise packed and backed up with WinRAR and then deleted.
/*************************************** ***************************
07-13 supplement (version 2):
Kaspersky reports internat.exe as Trojan-Downloader.Win32.Delf.aqv
Kaspersky reports autoexec.com as Trojan-Downloader.Win32.Small.dfh
**************************************** **************************/
/*************************************** ***************************
07-17 supplement (version 4):
Subject: Virus report email analysis result - flow ticket No.: 2970024
Sender: "" <Send@rising.net.cn>
Sent at: 17:36:42
Dear customer!
Your email has been received. Thank you for your support of Rising.
We have analyzed your problem and files in detail. The analysis results for the files you uploaded are as follows:
1. File name: autoexec.com
Virus name: Trojan.DL.Small.MSE
2. File name: infoser.hta
Not a virus
3. File name: internat.exe
Virus name: Trojan.DL.Direct.u
We will solve the problem in the newer version 18.36.2. Please upgrade your Rising software to version 18.36.2 and enable the Monitoring Center to completely eliminate the virus. If a problem is found during testing, the release may be delayed by one or two versions.
**************************************** **************************/
6. Clear the IE temporary folder and the Windows temporary folder (C:/Windows/temp).
7. Disable System Restore and then enable it again (this discards the restore points, including the infected one seen in the log above).
8. Use the Rising registry repair tool to reset the IE homepage to about:blank.
9. Scan drive C with Kaspersky's online scanner, which found one more:
C:/program files/Internet Explorer/plugins/new123.sys  infected: Trojan-PSW.Win32.QQGame.m  skipped
/*************************************** ***************************
Supplement (version 3):
Subject: Virus report email analysis result - flow ticket No.: 2978259
Sender: "" <Send@rising.net.cn>
Sent at: 20:26:10
Dear customer!
Your email has been received. Thank you for your support of Rising.
We have analyzed your problem and files in detail. The analysis results for the files you uploaded are as follows:
1. File name: new123.sys
Virus name: Trojan.psw.qqpass.PMO
We will solve the problem in the newer version 18.36.0. Please upgrade your Rising software to version 18.36.0 and enable the Monitoring Center to completely eliminate the virus. If a problem is found during testing, the release may be delayed by one or two versions.
**************************************** **************************/
This file was also packed and backed up with WinRAR, but it could not be deleted directly. Run the file deletion utility auto_del.exe (which deletes files at the next startup), drag new123.sys from the WinRAR window into the auto_del window, then click "Change all file names" and "Delete at next startup".
At noon today the netizen said on QQ that Rising no longer reported Gray Pigeon or Rootkit.vanti.gen. He used Kaspersky's online scanner on the other disks and found more malware:
---------------------------------------------------------
E:/Documents and Settings/owner/Local Settings/Temporary Internet Files/content.ie5/d8yufa9d/open_01[1].js  infected: Trojan-Downloader.JS.IstBar.ai  skipped
F:/Documents and Settings/owner/Local Settings/Temporary Internet Files/content.ie5/bkl9ncc8/wintest[1].js  infected: Trojan-Downloader.JS.IstBar.ai  skipped
F:/Documents and Settings/J/Local Settings/temp/kucosetupno3.exe/wise0009.bin  infected: Trojan-Downloader.Win32.Small.dav  skipped
F:/Documents and Settings/J/Local Settings/temp/kucosetupno3.exe  WiseSFX: infected - 1  skipped
F:/program files/office/3721.exe  infected: Trojan-Clicker.Win32.VB.lc  skipped
F:/program files/office/ad1.exe  infected: Trojan-Clicker.Win32.VB.lc  skipped
F:/program files/office/ad3.exe  infected: Trojan-Clicker.Win32.VB.lc  skipped
F:/program files/office/ad5.exe  infected: Trojan-Clicker.Win32.VB.lc  skipped
F:/program files/office/system.exe  infected: Trojan-Clicker.Win32.VB.ma  skipped
F:/program files/FTC/fygplugins.exe  infected: Backdoor.Win32.Agent.abu  skipped
---------------------------------------------------------
These were also handled through QQ Remote Assistance.