649453.sys / Adware.CDN / Hacktool.Rootkit
Endurer original
Version 1
A netizen said his computer had been running very slowly lately, so I took a look via QQ remote assistance.
Downloaded pe_xscan, ran a scan and analysed the log. Only one suspicious item was found:
/=
Pe_xscan 07-08-30 by Purple endurer
2007-9-4 20:58:58
Windows XP Service Pack 2 (5.1.2600)
Administrator user group
O23 - Service: 649453 (649453) - system32\Drivers\649453.sys (driver)
===/
File description: C:\Windows\system32\Drivers\649453.sys
Attribute: ---
An error occurred while obtaining the file version information!
Creation Time: 11:32:58
Modification time:
Access time:
Size: 19968 bytes, 19.512 KB
MD5: aaa3f5cf09cbdd013844ecf3764e1466
SHA1: ac835fab36f34fcb4b05a94803c588952e04f964
Googled it: no information about this file.
Uploaded it to VirusTotal for scanning. The result is as follows:
File 649453.sys received at 15:16:53 (CET)
Current status: Completed
Result: 10/32 (31.25%)
Antivirus engine | Version | Last update | Scan result
AhnLab-V3 | 2007.9.4.1 | 2007.09.04 | -
AntiVir | 7.4.1.66 | 2007.09.04 | TR/Rootkit.Gen
Authentium | 4.93.8 | 2007.09.04 | -
Avast | 4.7.1029.0 | 2007.09.04 | -
AVG | 7.5.0.20 | 2007.09.04 | -
BitDefender | 7.2 | 2007.09.04 | Adware.CDN
CAT-QuickHeal | 9.00 | 2007.09.03 | -
ClamAV | 0.91.2 | 2007.09.04 | -
DrWeb | 4.33 | 2007.09.04 | -
eSafe | 7.0.15.0 | 2007.09.03 | Win32.Hacktool
eTrust-Vet | 31.1.5107 | 2007.09.04 | -
Ewido | 4.0 | 2007.09.04 | Adware.CDN
FileAdvisor | 1 | 2007.09.04 | -
Fortinet | 3.11.0.0 | 2007.09.04 | -
F-Prot | 4.3.2.48 | 2007.09.04 | -
F-Secure | 6.70.13030.0 | 2007.09.04 | -
Ikarus | T3.1.1.12 | 2007.09.04 | Virus.Win32.Agent.khp
Kaspersky | 4.0.2.24 | 2007.09.04 | -
McAfee | 5111 | 2007.09.03 | -
Microsoft | 1.2803 | 2007.09.04 | VirTool:WinNT/Protmin.gen!B
NOD32v2 | 2502 | 2007.09.04 | -
Norman | 5.80.02 | 2007.09.04 | -
Panda | 9.0.0.4 | 2007.09.04 | Adware/Goodsearchnow
Prevx1 | V2 | 2007.09.04 | -
Rising | 19.39.12.00 | 2007.09.04 | -
Sophos | 4.21.0 | 2007.09.04 | -
Sunbelt | 2.2.907.0 | 2007.08.31 | Hacktool.Rootkit
Symantec | 10 | 2007.09.04 | Hacktool.Rootkit
TheHacker | 6.1.9.177 | 2007.09.04 | -
VBA32 | 3.12.2.3 | 2007.09.03 | -
VirusBuster | 4.3.26:9 | 2007.09.04 | -
Webwasher-Gateway | 6.0.1 | 2007.09.04 | Trojan.Rootkit.Gen
Additional information
File Size: 19968 bytes
MD5: aaa3f5cf09cbdd013844ecf3764e1466
SHA1: ac835fab36f34fcb4b05a94803c588952e04f964
Downloaded auto_del from http://ndurer.ys168.com and added C:\Windows\system32\Drivers\649453.sys to its list of files to delete.
Used Regedit to delete the corresponding service entry.
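As an added example (not code from the original post, nor from the pe_xscan or auto_del tools it mentions), the PowerShell below performs the two checks that decided this case and then the clean-up the post does by hand. It enumerates the driver services that a pe_xscan "O23" line points at, flags any whose binary matches the 649453.sys hashes given above or carries no version information (the error pe_xscan reported), and provides a function that removes the service entry and queues the driver file for deletion at the next reboot. The function names, the "purely numeric service name" heuristic and the use of PendingFileRenameOperations in place of auto_del are my own assumptions; it needs a modern, elevated PowerShell (Get-FileHash, v4 or later), not the XP machine in the post.

```powershell
# Added example, not part of the original post or of pe_xscan/auto_del.
# Hashes copied from the post's pe_xscan / VirusTotal output for 649453.sys.
$KnownBad = @{
    MD5  = 'AAA3F5CF09CBDD013844ECF3764E1466'
    SHA1 = 'AC835FAB36F34FCB4B05A94803C588952E04F964'
}

# Driver ImagePath values come in several shapes: "\??\C:\...", "\SystemRoot\system32\...",
# "system32\Drivers\649453.sys" (relative to %SystemRoot%, as in the O23 line) or absolute.
function Resolve-DriverPath {
    param([string]$ImagePath)
    if ([string]::IsNullOrWhiteSpace($ImagePath)) { return $null }
    $p = $ImagePath.Trim('"')
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')
    $p = [Environment]::ExpandEnvironmentVariables($p)
    if (-not [IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:SystemRoot $p }
    return $p
}

# Enumerate services registered as kernel (Type 1) or file-system (Type 2) drivers and
# report the ones that look like 649453.sys did: known-bad hash, no version resource,
# numeric service name (the last is an assumed heuristic, not something the post states).
function Get-SuspiciousDriverServices {
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if ($props.Type -ne 1 -and $props.Type -ne 2) { return }
        $path = Resolve-DriverPath $props.ImagePath
        if (-not $path -or -not (Test-Path -LiteralPath $path)) { return }

        $file = Get-Item -LiteralPath $path
        $md5  = (Get-FileHash -LiteralPath $path -Algorithm MD5).Hash
        $sha1 = (Get-FileHash -LiteralPath $path -Algorithm SHA1).Hash
        $ver  = $file.VersionInfo

        $reasons = @()
        if ($md5 -eq $KnownBad.MD5 -or $sha1 -eq $KnownBad.SHA1) { $reasons += 'hash matches 649453.sys' }
        if (-not $ver.CompanyName -and -not $ver.FileDescription) { $reasons += 'no version information' }
        if ($_.PSChildName -match '^\d+$') { $reasons += 'purely numeric service name' }

        if ($reasons.Count -gt 0) {
            [PSCustomObject]@{
                Service = $_.PSChildName
                Path    = $path
                Size    = $file.Length
                MD5     = $md5
                SHA1    = $sha1
                Reasons = $reasons -join '; '
            }
        }
    }
}

# Mirror the post's manual clean-up: remove the service entry and delete the driver file.
# A loaded driver cannot simply be deleted, so the file is queued in
# PendingFileRenameOperations (the standard delete-on-reboot mechanism; that auto_del
# works the same way is an assumption) and disappears on the next boot.
function Remove-DriverServiceOnReboot {
    param([Parameter(Mandatory)][string]$Name, [Parameter(Mandatory)][string]$Path)
    & sc.exe stop   $Name | Out-Null
    & sc.exe delete $Name | Out-Null
    $smKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $existing = @()
    $cur = Get-ItemProperty -Path $smKey -Name PendingFileRenameOperations -ErrorAction SilentlyContinue
    if ($cur) { $existing = @($cur.PendingFileRenameOperations) }
    # Entries are pairs: the source path in NT form, then an empty string meaning "delete".
    $queue = $existing + @("\??\$Path", '')
    Set-ItemProperty -Path $smKey -Name PendingFileRenameOperations -Value $queue -Type MultiString
}

$hits = Get-SuspiciousDriverServices
$hits | Format-Table -AutoSize
# Review the hits first; then, for each confirmed one:
#   Remove-DriverServiceOnReboot -Name $hit.Service -Path $hit.Path ; Restart-Computer
```

The "no version information" test is deliberately only a reason to look closer, not a verdict: some legitimate third-party drivers also ship without a version resource, which is why the script prints the hits for review instead of removing them automatically.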
Continued checking and found that drive C had very little free space left, with a huge number of files in the Temp folder.
Had the netizen run Start --> Programs --> Accessories --> System Tools --> Disk Cleanup to clean up drive C, use WinRAR to empty C:\Windows\Prefetch,
and then defragment drive C.