Original author: Purple endurer
1st
Yesterday another friend's IE browser was hijacked by hxxp://www.9348.cn, and the symptoms were worse than in the previous case: after entering the Windows login password it took a long time to reach the desktop, dial-up Internet access sometimes failed, and when it did connect, advertisements popped up now and then... an extremely slow system ~
I booted Windows into Safe Mode with Command Prompt, scanned with the pe_xscan build that was already on the machine, and analysed the resulting log. The following suspicious items were found:
Pe_xscan 08-07-01 by Purple endurer
Windows XP Service Pack 3 (5.1.2600)
MSIE: 6.0.2900.5512
Administrator user group
Safe Mode
F3-Reg: win.ini: load=flymy.exe
O4-HKLM/../runonce: [egwm] %SystemRoot%/system32/rundll32.exe %SystemRoot%/system32/vrcm.dll,dllregisterserver
O4-HKLM/../policies/Explorer/run: [ming9bstart] C:/Windows/system/ming9b090423.exe
O21-ssodl-webcheck (webcheck)-{E6FB5E20-DE35-11CF-9C87-00AA005127ED} = C:/Windows/system32/webcheck.dll |
O23-service: jyavhsh (jyavhsh)-system32/Drivers/iyeap.sys (boot)
O23-service: Klan (Klan)-C:/Windows/system32/Drivers/klan.sys | 9:13:17 (automatic)
O26-ifeo: 360hotfix.exe-> ntsd -d
O26-ifeo: 360rpt.exe-> ntsd -d
O26-ifeo: 360safe.exe-> ntsd -d
O26-ifeo: 360safebox.exe-> ntsd -d
O26-ifeo: 360tray.exe-> ntsd -d
O26-ifeo: agentsvr.exe-> ntsd -d
O26-ifeo: apvxdwin.exe-> ntsd -d
O26-ifeo: ast.exe-> ntsd -d
O26-ifeo: avcenter.exe-> ntsd -d
O26-ifeo: avengine.exe-> ntsd -d
O26-ifeo: avgnt.exe-> ntsd -d
O26-ifeo: avguard.exe-> ntsd -d
O26-ifeo: avltmain.exe-> ntsd -d
O26-ifeo: avp32.exe-> ntsd -d
O26-ifeo: avtask.exe-> ntsd -d
O26-ifeo: bdagent.exe-> ntsd -d
O26-ifeo: bdwizreg.exe-> ntsd -d
O26-ifeo: boxmod.exe-> ntsd -d
O26-ifeo: ccapp.exe-> ntsd -d
O26-ifeo: ccenter.exe-> ntsd -d
O26-ifeo: ccevtmgr.exe-> ntsd -d
O26-ifeo: ccregvfy.exe-> ntsd -d
O26-ifeo: ccsetmgr.exe-> ntsd -d
O26-ifeo: cqw32.exe-> ntsd -d
O26-ifeo: drvanti.exe-> ntsd -d
O26-ifeo: egui.exe-> ntsd -d
O26-ifeo: ekrn.exe-> ntsd -d
O26-ifeo: enc98.exe-> ntsd -d
O26-ifeo: extdb.exe-> ntsd -d
O26-ifeo: frameworkservice.exe-> ntsd -d
O26-ifeo: frwstub.exe-> ntsd -d
O26-ifeo: guardfield.exe-> ntsd -d
O26-ifeo: iparmor.exe-> ntsd -d
O26-ifeo: kaccore.exe-> ntsd -d
O26-ifeo: kasmain.exe-> ntsd -d
O26-ifeo: kav32.exe-> ntsd -d
O26-ifeo: kavstart.exe-> ntsd -d
O26-ifeo: kavsvc.exe-> ntsd -d
O26-ifeo: kavsvcui.exe-> ntsd -d
O26-ifeo: kislnchr.exe-> ntsd -d
O26-ifeo: kissvc.exe-> ntsd -d
O26-ifeo: kmailmon.exe-> ntsd -d
O26-ifeo: knownsvr.exe-> ntsd -d
O26-ifeo: kpfw32.exe-> ntsd -d
O26-ifeo: kpfwsvc.exe-> ntsd -d
O26-ifeo: kregex.exe-> ntsd -d
O26-ifeo: kvfw.exe-> ntsd -d
O26-ifeo: kvmonxp.exe-> ntsd -d
O26-ifeo: kvmonxp.kxp-> ntsd -d
O26-ifeo: kvol.exe-> ntsd -d
O26-ifeo: kvprescan.exe-> ntsd -d
O26-ifeo: kvsrvxp.exe-> ntsd -d
O26-ifeo: kvwsc.exe-> ntsd -d
O26-ifeo: kvxp.kxp-> ntsd -d
O26-ifeo: kwatch.exe-> ntsd -d
O26-ifeo: livesrv.exe-> ntsd -d
O26-ifeo: makereport.exe-> ntsd -d
O26-ifeo: mcagent.exe-> ntsd -d
O26-ifeo: mcdash.exe-> ntsd -d
O26-ifeo: mcdetect.exe-> ntsd -d
O26-ifeo: mcshield.exe-> ntsd -d
O26-ifeo: mctskshd.exe-> ntsd -d
O26-ifeo: mcvsescn.exe-> ntsd -d
O26-ifeo: mcvsshld.exe-> ntsd -d
O26-ifeo: mghtml.exe-> ntsd -d
O26-ifeo: naprdmgr.exe-> ntsd -d
O26-ifeo: navapsvc.exe-> ntsd -d
O26-ifeo: navapw32.exe-> ntsd -d
O26-ifeo: navw32.exe-> ntsd -d
O26-ifeo: nmain.exe-> ntsd -d
O26-ifeo: nod32.exe-> ntsd -d
O26-ifeo: nod32krn.exe-> ntsd -d
O26-ifeo: nod32kui.exe-> ntsd -d
O26-ifeo: npfmntor.exe-> ntsd -d
O26-ifeo: oasclnt.exe-> ntsd -d
O26-ifeo: pavsrv51.exe-> ntsd -d
O26-ifeo: pfw.exe-> ntsd -d
O26-ifeo: psctrls.exe-> ntsd -d
O26-ifeo: psimreal.exe-> ntsd -d
O26-ifeo: psimsvc.exe-> ntsd -d
O26-ifeo: qqdoctormain.exe-> ntsd -d
O26-ifeo: ras.exe-> ntsd -d
O26-ifeo: ravmon.exe-> ntsd -d
O26-ifeo: ravmond.exe-> ntsd -d
O26-ifeo: ravstub.exe-> ntsd -d
O26-ifeo: ravtask.exe-> ntsd -d
O26-ifeo: rfw.exe .exe-> ntsd -d
O26-ifeo: rfwmain.exe-> ntsd -d
O26-ifeo: rfwproxy.exe-> ntsd -d
O26-ifeo: rfwsrv.exe-> ntsd -d
O26-ifeo: rsagent.exe-> ntsd -d
O26-ifeo: rsmain.exe-> ntsd -d
O26-ifeo: rsnetsvr.exe-> ntsd -d
O26-ifeo: rssafety.exe-> ntsd -d
O26-ifeo: rstray.exe-> ntsd -d
O26-ifeo: safebank.exe-> ntsd -d
O26-ifeo: safeboxtray.exe-> ntsd -d
O26-ifeo: scan32.exe-> ntsd -d
O26-ifeo: scanfrm.exe-> ntsd -d
O26-ifeo: sched.exe-> ntsd -d
O26-ifeo: seccenter.exe-> ntsd -d
O26-ifeo: secnotifier.exe-> ntsd -d
O26-ifeo: setupld.exe-> ntsd -d
O26-ifeo: shstat.exe-> ntsd -d
O26-ifeo: smartup.exe-> ntsd -d
O26-ifeo: sndsrvc.exe-> ntsd -d
O26-ifeo: spbbcsvc.exe-> ntsd -d
O26-ifeo: symlcsvc.exe-> ntsd -d
O26-ifeo: tbmon.exe-> ntsd -d
O26-ifeo: uihost.exe-> ntsd -d
O26-ifeo: ulibcmd.exe-> ntsd -d
O26-ifeo: updaterui.exe-> ntsd -d
O26-ifeo: uplive.exe-> ntsd -d
O26-ifeo: vcr32.exe-> ntsd -d
O26-ifeo: vcrmon.exe-> ntsd -d
O26-ifeo: vptray.exe-> ntsd -d
O26-ifeo: vsserv.exe-> ntsd -d
O26-ifeo: vstskmgr.exe-> ntsd -d
O26-ifeo: webproxy.exe-> ntsd -d
O26-ifeo: xcommsvr.exe-> ntsd -d
O26-ifeo: xnlscn.exe-> ntsd -d
O26-ifeo: Repair Tool.exe-> ntsd -d
O29-HKCU-Start Page = hxxp://www.9348.cn/?205428
O29-HKLM-Start Page = hxxp://www.9348.cn/?205428
The HKLM/ShowAll value is not 1.
From the log, the IE home page was changed to hxxp://www.9348.cn. This is almost the same as the case in "qq2009.exe, txp1atform.exe, svchoct.exe, Klan.sys and so on (1)" (http://blog.csdn.net/Purpleendurer/archive/2009/06/13/4267188.aspx).
Because this friend had the avast antivirus installed, the virus did not modify and damage the system as badly as on the previous friend's machine.
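The log above is the kind of thing you want to triage by script rather than by eye, especially the long O26 block: every entry maps a known antivirus or firewall process name to an Image File Execution Options "Debugger" value of `ntsd -d`, which is why none of them can start. The following parser is an added example, not pe_xscan's own code and not part of the original post. It assumes the line shapes seen in this log (F3, O4, O21, O23, O26, O29); the sample lines are constructed from the log above plus one benign IFEO entry (notepad.exe pointed at an assumed debugger path) to show the contrast.

```python
"""Triage helper for pe_xscan-style startup logs.

Added example, not pe_xscan's code. It parses the line types seen in the log
above (F3, O4, O21, O23, O26, O29) and flags the patterns the write-up turns on,
chiefly IFEO "Debugger" values of `ntsd -d`: Windows starts the named debugger
instead of the program, ntsd -d routes its console to a kernel debugger, and on
an ordinary machine the program it was launched for never gets to run. Pointing
that at every antivirus executable is how the malware keeps security software
from starting.
"""
import re
from dataclasses import dataclass

# Constructed sample: a subset of the log lines from the write-up, plus one
# benign IFEO entry (notepad.exe -> an assumed debugger path) for contrast.
SAMPLE_LOG = """\
F3-Reg: win.ini: load=flymy.exe
O4-HKLM/../runonce: [egwm] %SystemRoot%/system32/rundll32.exe %SystemRoot%/system32/vrcm.dll,dllregisterserver
O21-ssodl-webcheck (webcheck)-{E6FB5E20-DE35-11CF-9C87-00AA005127ED} = C:/Windows/system32/webcheck.dll |
O23-service: jyavhsh (jyavhsh)-system32/Drivers/iyeap.sys (boot)
O23-service: Klan (Klan)-C:/Windows/system32/Drivers/klan.sys | 9:13:17 (automatic)
O26-ifeo: 360tray.exe-> ntsd -d
O26-ifeo: avp32.exe-> ntsd -d
O26-ifeo: notepad.exe-> C:/Tools/windbg.exe
O29-HKCU-Start Page = hxxp://www.9348.cn/?205428
O29-HKLM-Start Page = hxxp://www.9348.cn/?205428
"""


@dataclass
class Finding:
    kind: str    # ifeo-kill, ifeo-debugger, start-page, winini-load, service, run-key, ssodl
    target: str  # image name, hive, service name or Run value name
    detail: str  # the raw command, path or URL


IFEO_RE = re.compile(r"^O26-ifeo:\s*(?P<image>.+?)\s*->\s*(?P<debugger>.+)$", re.I)
START_RE = re.compile(r"^O29-(?P<hive>HKCU|HKLM)-start page\s*=\s*(?P<url>\S+)", re.I)
LOAD_RE = re.compile(r"^F3-Reg:\s*win\.ini:\s*load\s*=\s*(?P<exe>\S+)", re.I)
SERVICE_RE = re.compile(r"^O23-service:\s*(?P<name>\S+)\s*\(.*?\)-(?P<path>[^|(]+)", re.I)
RUN_RE = re.compile(r"^O4-(?P<key>\S+):\s*\[(?P<value>[^\]]*)\]\s*(?P<cmd>.+)$", re.I)
SSODL_RE = re.compile(r"^O21-ssodl-(?P<name>\S+)\s*\(.*?\)-(?P<clsid>\{[0-9A-F-]+\})\s*=\s*(?P<path>[^|]+)", re.I)

# A Debugger value of ntsd (any path, with or without .exe) followed by -d is the kill pattern.
KILL_DEBUGGER_RE = re.compile(r"^(?:.*[\\/])?ntsd(?:\.exe)?\s+-d\b", re.I)


def triage(log_text: str) -> list:
    """Turn raw log lines into Finding records; unknown line types are ignored."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := IFEO_RE.match(line):
            kind = "ifeo-kill" if KILL_DEBUGGER_RE.match(m["debugger"]) else "ifeo-debugger"
            findings.append(Finding(kind, m["image"], m["debugger"]))
        elif m := START_RE.match(line):
            findings.append(Finding("start-page", m["hive"].upper(), m["url"]))
        elif m := LOAD_RE.match(line):
            findings.append(Finding("winini-load", "load", m["exe"]))
        elif m := SERVICE_RE.match(line):
            findings.append(Finding("service", m["name"], m["path"].strip()))
        elif m := RUN_RE.match(line):
            findings.append(Finding("run-key", m["value"], m["cmd"].strip()))
        elif m := SSODL_RE.match(line):
            findings.append(Finding("ssodl", m["name"], m["path"].strip()))
    return findings


def killed_images(findings) -> list:
    """Programs that can no longer start because their IFEO Debugger is ntsd -d."""
    return sorted(f.target.lower() for f in findings if f.kind == "ifeo-kill")


def hijacked_start_pages(findings, allowed=("about:blank",)) -> dict:
    """Start Page values per hive that are not on the allow-list."""
    return {f.target: f.detail for f in findings
            if f.kind == "start-page" and f.detail.lower() not in allowed}


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    print("IFEO-killed programs:", killed_images(found))
    print("Start page hijacks:", hijacked_start_pages(found))
    for f in found:
        if f.kind not in ("ifeo-kill", "start-page"):
            print(f"{f.kind:13} {f.target:12} {f.detail}")
```

The useful distinction is between `ifeo-kill` and `ifeo-debugger`: an IFEO Debugger value is legitimate when a developer attaches a real debugger to one program, so the check keys on the `ntsd -d` value rather than on the presence of the key. Cleaning up means deleting those IFEO subkeys (and the Start Page, win.ini load= and service entries the script lists), after which the antivirus processes can start again.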
Information on some of the malicious files is attached:
File: C:/Windows/system32/flymy.exe
Attributes:
Digital Signature: No
PE file: Yes
An error occurred while obtaining the file version information!
Creation time: 17:13:25
Modification time: 17:13:26
Size: 69632 bytes, 68.0 KB
MD5: 5d99a5b6c15646410961fbdb8ed12d3e
SHA1: 5c080bbe433dbe024603f37f20dd5d213a026c12
CRC32: d0c0ccdd
Kaspersky report: Trojan-Spy.Win32.Agent.avxl
Online scan results: http://www.virustotal.com/analisis/b081ef35f8969a82f59655bc45ced390fa71d58bc8e8fde757f7ad26db56afa6-1245467239
File: C:/uninstc.exe
Attributes:
Digital Signature: No
PE file: Yes
An error occurred while obtaining the file version information!
Creation time: 0:49:24
Modification time: 18:27:52
Size: 82439 bytes, 80.519 KB
MD5: ae9cd5610928479142e12c67f093349b
SHA1: 3040d388a6247c0511fb0e0bdcb3b9cae46188ab
CRC32: 79557f47
Kaspersky report: Trojan.Win32.Pakes.nkm; Rising report: Win32.BMW.ba
Online scan results: http://www.virustotal.com/analisis/e10b74fb5d72ab2ca4f8520070c5704b76752cf9e76053f56afa7ba6425b64f8-1245052825
File: C:/uninst2.exe
Attributes:
Digital Signature: No
PE file: Yes
An error occurred while obtaining the file version information!
Creation time: 0:49:26
Modification time: 18:27:58
Size: 266896 bytes, 260.656 KB
MD5: cfc3f6cb15d2e0bcf122860dfefeec5c
SHA1: 674fa0b1360f26e32a7f53d4864806271b5d52a0
CRC32: 92a5a51a
Kaspersky report: Trojan.Win32.Agent.bsmy; Rising report: Trojan.Win32.Nodef.ehm
Online scan results: http://www.virustotal.com/analisis/862bc928029b43674389df19bcc55383f67de131597c1c5e0fd95fda295d95e6-1245467735
File: C:/Windows/system/nb9ming32c090423.dll
Attributes: -sh-
Digital Signature: No
PE file: Yes
An error occurred while obtaining the file version information!
Creation time: 0:49:32
Modification time: 18:27:56
Size: 110592 bytes, 108.0 KB
MD5: d035bd33150a7d7c3b5fbfc3a8e4e127
SHA1: 0105fdc0c4038d5a012b6f9adda-277559f1142d
CRC32: javasba43d
Kaspersky report: Worm.Win32.AutoRun.afcb; Rising report: Trojan.DL.Win32.Mydown.ciw
Online scan results: http://www.virustotal.com/analisis/616e2e917e40f5441d4ad2d939b2e569d98a44075e92e526dfc8e38eaedbf57d-1245468119
File: C:/Windows/system32/fly1930.dll
Attributes:
Digital Signature: No
PE file: Yes
Language: Chinese (China)
File version: 1, 0, 0, 1
Description: mytest3
Copyright: Copyright (c) 2008
Comments:
Product version: 1, 0, 0, 1
Product name: mytest3 Dynamic Link Library
Company name:
Legal trademarks:
Internal name: mytest3
Original filename: mytest3.dll
Creation time: 17:13:23
Modification time: 17:13:24
Size: 22528 bytes, 22.0 KB
MD5: 8630677285c3902c773ad8f88a25e1d5
SHA1: 4b8e2b1ea00a450dcedc3a2fceda363b24500d33
CRC32: fa524417
Kaspersky report: Trojan-Spy.Win32.Agent.avxk; Rising report: Adware.Win32.Undef.ezf
Online scan results: http://www.virustotal.com/analisis/45c872767fa18ca00fcc6f1d1ec394a0a0d4537e96331bf275ea82671d0644d0-1245468344
File: C:/Windows/system32/htmlpeek.dll
Attributes:
Digital Signature: No
PE file: Yes
An error occurred while obtaining the file version information!
Creation time: 17:31:37
Modification time:
Size: 358912 bytes, 350.512 KB
MD5: 23361bde2776ada-f9c01abcd95e37e6
SHA1: 46bcda3337b9fe473de132ff2fa607f491ff3da8
CRC32: 5abestmf
Kaspersky report: not-a-virus:AdWare.Win32.Agent.okc
Online scan results: http://www.virustotal.com/analisis/52466afcb4d0eb0a2e5251cdbef978428b177b28f2c9c2343d308da33689d470-1245468623
File: C:/Windows/system32/Drivers/txp1atform.exe
Attributes: -
Digital Signature: No
PE file: Yes
An error occurred while obtaining the file version information!
Creation time: 0:49:26
Modification time: 18:27:52
Size: 82439 bytes, 80.519 KB
MD5: ae9cd5610928479142e12c67f093349b
SHA1: 3040d388a6247c0511fb0e0bdcb3b9cae46188ab
CRC32: 79557f47
Kaspersky report: Trojan.Win32.Pakes.nkm; Rising report: Win32.BMW.ba
Online scan results: http://www.virustotal.com/analisis/e10b74fb5d72ab2ca4f8520070c5704b76752cf9e76053f56afa7ba6425b64f8-1245052825
File: C:/Windows/system32/Drivers/klan.sys
Attributes: ash-
Digital Signature: No
PE file: Yes
An error occurred while obtaining the file version information!
Creation time: 17:13:17
Modification time:
Size: 3200 bytes, 3.128 KB
MD5: c4beb90047eb14e5b6fc8a69b94bb1bb
SHA1: 655fda962139ae597a2e66916aaa4148bf472a71
CRC32: 827c31c2
Kaspersky report: Rootkit.Win32.Agent.lnw; Rising report: Rootkit.Win32.Mnless.axe
Online scan results: http://www.virustotal.com/analisis/66b00ceae1c8ce65ae21af0fb6fb9ba1a13d01d02761e1b002f95bd310715a9f-1245469338
File: C:/Windows/system32/vrcm.dll
Attributes: -
Digital Signature: No
PE file: Yes
An error occurred while obtaining the file version information!
Creation time:
Modification time:
Size: 32768 bytes, 32.0 KB
MD5: a862eafa4b1fda-ccc9fc6239af110b3
SHA1: 48a653d8b2aef2ad1b33efb6b02fbf9691b56771
CRC32: edd3d5dd
Kaspersky report: Trojan.Win32.Agent.cmde
Online scan results: http://www.virustotal.com/analisis/1d9316d1a550afb92e2c714ff1f37f43f0f43ff6eaa00373c14ca67bb14d4f03-1245469600
File: C:/Windows/system/xz.exe
Attributes:
Digital Signature: No
PE file: Yes
Language: Chinese (China)
File version: 2.0
Description: apsaravideo player pro
Copyright: hxxp://www.crdy.org
Comments: apsaravideo player pro
Creation time:
Modification time:
Size: 944640 bytes, 922.512 KB
MD5: ec877479a5cbd694e626f0ea282abc59
SHA1: b78783f93c117a20ed808d481b60d65aaaedbe75
CRC32: e26bf5b9
Differs from the one in http://blog.csdn.net/purpleendurer/archive/2009/05/19/437961.aspx
File: C:/Windows/system32/npkcrypt.VxD
Attributes:
Digital Signature: No
PE file: No
Creation time:
Modification time: 0:20:10
Size: 25730 bytes, 25.130 KB
MD5: aead38aceabaf357b1a8e9a3fa81d0dc
SHA1: cf08fb2945ec9fb051adc2dac9c519d7cd86bd
CRC32: a9ff504d
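Before pivoting on the hashes in a listing like the one above, it pays to run a few mechanical checks over the records: whether the same hash appears under more than one path (above, C:/uninstc.exe and C:/Windows/system32/Drivers/txp1atform.exe have identical size, MD5 and SHA1, so they are one dropper copied twice), which files carry hidden or system attributes, and whether each hash is even well-formed (some of the values above have lost or gained characters in transcription and will never match a database). The parser below is an added example, not part of the post or of the tool that produced the listing; the record format and the four sample records are copied from the listing above, with the damaged SHA1 and CRC32 of nb9ming32c090423.dll reproduced exactly as they appear on the page.

```python
"""Triage helper for the file-information blocks above.

Added example, not part of the post. It parses "File: ..." records in the
format used by the listing into dicts and runs three checks an analyst wants
before searching on the hashes:
  * the same MD5/SHA1 pair under different paths (one dropper copied around),
  * attribute strings that hide the file (s = system, h = hidden),
  * hash values that are not hex of the right length, which means the value
    was damaged in transcription and must be recomputed from the sample, not
    searched for.
"""
import re
from collections import defaultdict

# Constructed sample: four records copied from the listing above. Two share
# their hashes; one SHA1 and one CRC32 are damaged exactly as on the page.
SAMPLE_RECORDS = """\
File: C:/uninstc.exe
Attributes:
Digital Signature: No
PE file: Yes
Size: 82439 bytes, 80.519 KB
MD5: ae9cd5610928479142e12c67f093349b
SHA1: 3040d388a6247c0511fb0e0bdcb3b9cae46188ab
CRC32: 79557f47

File: C:/Windows/system32/Drivers/txp1atform.exe
Attributes: -
Digital Signature: No
PE file: Yes
Size: 82439 bytes, 80.519 KB
MD5: ae9cd5610928479142e12c67f093349b
SHA1: 3040d388a6247c0511fb0e0bdcb3b9cae46188ab
CRC32: 79557f47

File: C:/Windows/system/nb9ming32c090423.dll
Attributes: -sh-
Digital Signature: No
PE file: Yes
Size: 110592 bytes, 108.0 KB
MD5: d035bd33150a7d7c3b5fbfc3a8e4e127
SHA1: 0105fdc0c4038d5a012b6f9adda-277559f1142d
CRC32: javasba43d

File: C:/Windows/system32/Drivers/klan.sys
Attributes: ash-
Digital Signature: No
PE file: Yes
Size: 3200 bytes, 3.128 KB
MD5: c4beb90047eb14e5b6fc8a69b94bb1bb
SHA1: 655fda962139ae597a2e66916aaa4148bf472a71
CRC32: 827c31c2
"""

# Expected hex length of each hash field as printed by the listing.
HASH_LEN = {"MD5": 32, "SHA1": 40, "CRC32": 8}


def parse_records(text: str) -> list:
    """Split the listing into one dict per 'File:' block; keys are the field labels."""
    records, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        key, _, value = line.partition(":")   # first colon only: values may contain ':'
        key, value = key.strip(), value.strip()
        if key == "File":
            current = {"File": value}
            records.append(current)
        elif current is not None:
            current[key] = value
    return records


def bad_hashes(rec: dict) -> list:
    """Names of hash fields whose value is not hex of the expected length."""
    return [k for k, n in HASH_LEN.items()
            if k in rec and not re.fullmatch(rf"[0-9a-fA-F]{{{n}}}", rec[k])]


def is_hidden(rec: dict) -> bool:
    """True when the attribute string carries the hidden or system flag."""
    attrs = rec.get("Attributes", "").lower()
    return "h" in attrs or "s" in attrs


def duplicate_groups(records: list) -> dict:
    """Map each (MD5, SHA1) pair seen under more than one path to those paths."""
    groups = defaultdict(list)
    for rec in records:
        if "MD5" in rec and "SHA1" in rec and not {"MD5", "SHA1"} & set(bad_hashes(rec)):
            groups[(rec["MD5"].lower(), rec["SHA1"].lower())].append(rec["File"])
    return {k: v for k, v in groups.items() if len(v) > 1}


def triage(text: str) -> dict:
    records = parse_records(text)
    return {
        "duplicates": duplicate_groups(records),
        "hidden": [r["File"] for r in records if is_hidden(r)],
        "damaged_hashes": {r["File"]: bad_hashes(r) for r in records if bad_hashes(r)},
        "unsigned": [r["File"] for r in records if r.get("Digital Signature", "").lower() == "no"],
    }


if __name__ == "__main__":
    for section, result in triage(SAMPLE_RECORDS).items():
        print(f"{section}: {result}")
```

The damaged-hash check matters more than it looks: a 39-character SHA1 or a CRC32 containing letters outside a-f will silently return no results from any lookup service, and the analyst may conclude the sample is unknown when the value was simply mis-copied.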