Hidden Object Removal Method (Virus Killing)

Source: Internet
Author: User
Tags: win32

First, the question

C:\WINDOWS\system32\LgSym.dll: Trojan horse program detected TROJAN-PSW.WIN32.ONLINEGAMES.FQ
C:\WINDOWS\system32\Qqzos.dll: Trojan horse program detected trojan-psw.win32.onlinegames.kr
I followed the handling method from one of the posts in your space. Although Kaspersky ("Kabbah") no longer shows the prompt above, there is a new problem: every time I start the computer, Kaspersky warns me:
C:\WINDOWS\system32\winrpcs.exe: new variant of risk software detected, Hidden object
And then:
C:\WINDOWS\system32\dfsdfsg.exe: new variant of risk software detected, Hidden object
After that all sorts of *.EXE files get this "risk software Hidden object" detection... Kaspersky also cannot find the virus itself; every so often it just pops up this Hidden object prompt. I don't know whether it is the last virus that I failed to clean out or something newly added. I have no other choice, so I am asking Mr. CUI for a solution.
Addendum: For a long time the network has often been inexplicably cut off. The connection still shows as connected, but nothing works, whether a web page or a network program, and the only thing that helps is to reset the modem. At first I thought the network quality was just poor, but my neighbours never have this problem.
The Sreng scan log is omitted.

Second, the analysis

1. Turn off System Restore before cleaning (Windows 2000 systems can skip this): right-click My Computer --> Properties --> System Restore, and tick "Turn off System Restore on all drives".
Clear the IE temporary files: open IE, go to Tools --> Internet Options --> Temporary Internet files, click the "Delete Files" button, tick "Delete all offline content", and click OK to delete.

Close applications such as QQ. Do not double-click to open any disk until the steps below are finished. Save all downloaded tools directly on the desktop.

2. Delete the files listed below using the forced-deletion tool Xdelbox (File Deletion Terminator).

【Copy all the paths of the files to be deleted, right-click in Xdelbox's list of files to delete, and choose "Import from Clipboard". After importing, right-click the file list and choose "Restart and delete immediately"; the computer will restart into a DOS interface to perform the deletion, and when it finishes it will restart automatically into your installed operating system. Remember to save any documents you have open before doing this. For more information on Xdelbox, see Help.chm in the xdelbox1.2 directory.】

Code:
D:\Autorun.inf
D:\pagefile.pif
E:\Autorun.inf
E:\pagefile.pif
C:\docume~1\glg\locals~1\temp\servere.exe
C:\docume~1\glg\locals~1\temp\cftmon.exe
C:\docume~1\glg\locals~1\temp\crasos.exe
C:\WINDOWS\servicea.exe
C:\WINDOWS\system32\dfsdfsg.exe
C:\WINDOWS\system32\rpcsddos.exe
C:\WINDOWS\system32\winrpcs.exe
C:\docume~1\glg\locals~1\temp\xpe.sys


~ ~ ~ Note that "glg" is the user name of the person asking; it may also be something like "Wang ya" or "administrator". Substitute the actual user name of the infected machine.

3. Use the tool Sreng to delete the following

【If Sreng warns after opening that "the contents of the ... function do not match the expected value; they may have been modified by malicious software", ignore the error and repair it after the cleanup is done.】
==================================

Code:
Startup Items --> Registry: delete the following entries under [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
<wu1jz><C:\DOCUME~1\GLG\LOCALS~1\Temp\Servere.exe> [n/A]
<dlf67keir><C:\DOCUME~1\GLG\LOCALS~1\Temp\cftmon.exe> [n/A]
<64qq0fg020gw7><C:\DOCUME~1\GLG\LOCALS~1\Temp\crasos.exe> [n/A]
<uewhqm4x8><C:\WINDOWS\servicea.exe> [n/A]

==================================
Startup Items --> Services --> Win32 services: delete the following service applications
[SADSAADS/AFDSFSGG] [Stopped/auto Start]
<c:\windows\system32\dfsdfsg.exe><microsoft corporation>
[Remote Procedure call System (Rpcsddos)/Rpcsddos] [Stopped/auto Start]
<C:\WINDOWS\system32\rpcsddos.exe><N/A>
[Windows Rpcs/winrpcs] [Stopped/auto Start]
<C:\WINDOWS\system32\winrpcs.exe><N/A>

==================================
Startup Items --> Services --> Drivers: delete the following items (if they cannot be deleted, set the startup type to Disabled!)
[king001/king001] [Stopped/manual Start]
<\??\c:\docume~1\glg\locals~1\temp\xpe.sys><n/a>
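As an added example (not part of the original post or of the Sreng/Xdelbox tools), the following Python script parses the Sreng entry lines quoted in step 3 and cross-checks them against the Xdelbox file list from step 2, so that a persistence entry whose image is missing from the deletion list, or a deleted file that no startup entry references, stands out before anything is removed. The embedded entries are a constructed excerpt of the ones shown above with letter case tidied; recognising a driver by the `\??\` prefix on its image path is an assumption of this example.

```python
import re
# Constructed excerpt of the Sreng entries quoted above (glg is the victim's user name); the report's
# section headings are omitted, so a driver is recognised by the \??\ prefix on its image path (assumption).
SRENG_ENTRIES = r"""<wu1jz><C:\DOCUME~1\GLG\LOCALS~1\Temp\Servere.exe> [N/A]
<dlf67keir><C:\DOCUME~1\GLG\LOCALS~1\Temp\cftmon.exe> [N/A]
<64qq0fg020gw7><C:\DOCUME~1\GLG\LOCALS~1\Temp\crasos.exe> [N/A]
<uewhqm4x8><C:\WINDOWS\servicea.exe> [N/A]
[SADSAADS/AFDSFSGG] [Stopped/Auto Start]
<C:\WINDOWS\system32\dfsdfsg.exe><Microsoft Corporation>
[Remote Procedure call System (Rpcsddos)/Rpcsddos] [Stopped/Auto Start]
<C:\WINDOWS\system32\rpcsddos.exe><N/A>
[Windows Rpcs/winrpcs] [Stopped/Auto Start]
<C:\WINDOWS\system32\winrpcs.exe><N/A>
[king001/king001] [Stopped/Manual Start]
<\??\C:\DOCUME~1\GLG\LOCALS~1\Temp\xpe.sys><N/A>
"""
XDELBOX_LIST = [  # the file list handed to Xdelbox in step 2
    r"D:\Autorun.inf", r"D:\pagefile.pif", r"E:\Autorun.inf", r"E:\pagefile.pif",
    r"C:\docume~1\glg\locals~1\temp\servere.exe", r"C:\docume~1\glg\locals~1\temp\cftmon.exe",
    r"C:\docume~1\glg\locals~1\temp\crasos.exe", r"C:\WINDOWS\servicea.exe",
    r"C:\WINDOWS\system32\dfsdfsg.exe", r"C:\WINDOWS\system32\rpcsddos.exe",
    r"C:\WINDOWS\system32\winrpcs.exe", r"C:\docume~1\glg\locals~1\temp\xpe.sys"]

RUN_RE = re.compile(r"^<([^>]+)><([^>]+)>\s*\[([^\]]*)\]$")               # <value name><image> [vendor]
SVC_RE = re.compile(r"^\[([^\]]*)/([^/\]]+)\]\s*\[([^/\]]+)/([^\]]+)\]$")  # [display/name] [state/start]
IMG_RE = re.compile(r"^<([^>]+)><([^>]*)>$")                              # <image><vendor>, follows SVC_RE line
def normalize(path):
    path = path.strip()  # drop the \??\ device prefix and compare case-insensitively (8.3 paths vary in case)
    return (path[4:] if path.startswith("\\??\\") else path).lower()

def parse_sreng(text):
    """Return Run values as (name, image) tuples and services/drivers as dicts, in report order."""
    run, services, pending = [], [], None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if m := RUN_RE.match(line):
            run.append((m.group(1), normalize(m.group(2))))
        elif m := SVC_RE.match(line):
            pending = dict(display=m.group(1), name=m.group(2), state=m.group(3), start=m.group(4))
        elif (m := IMG_RE.match(line)) and pending:  # image line belongs to the preceding service header
            pending.update(path=normalize(m.group(1)), vendor=m.group(2),
                           kind="driver" if m.group(1).startswith("\\??\\") else "service")
            services.append(pending)
            pending = None
    return {"run": run, "services": services}

def cross_check(report, delete_list):
    """Compare every persistence target with the deletion list, in both directions."""
    persisted = {p for _, p in report["run"]} | {s["path"] for s in report["services"]}
    to_delete = {normalize(p) for p in delete_list}
    return {"orphan_persistence": sorted(persisted - to_delete),  # autostart left behind: a cleanup gap
            "unreferenced_files": sorted(to_delete - persisted)}  # autorun.inf/pagefile.pif: media spreaders
```

For this post's data every Run value, service and driver image is covered by the Xdelbox list, and the only unreferenced files are the Autorun.inf/pagefile.pif pairs on D: and E:, which spread the infection through removable or mapped drives rather than through the registry.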
