beep.sys/Trojan.NtRootKit.1192, msplugplay1005.sys/BackDoor.Pigeon.13201, etc. (2)

Original author: endurer
2008-06-25, 1st edition

(Continued from part 1)
Change the computer date, then download Dr.Web CureIt! and run a scan.
At the same time, download bat_do and fileinfo to extract the file information, package and back up the files, and delete them with a delayed deletion.
Then download Rising Kaka Security Assistant to clean up the malicious startup entries.

Appendix 1: Malicious file information
Appendix 2: Dr.Web CureIt! scan log

Appendix 1: Malicious file information

File: C:/Windows/system32/apsgejba.dll
Attributes: -sh-
Digital signature: No
PE file: Yes
An error occurred while obtaining the file version information!
Created: 19:53:30
Modified: 19:53:32
Size: 537608 bytes, 525.8 KB
MD5: dfb233144b035c0d75c7a4eda4acd19f
SHA1: d232b49b7813ec41569ddd95c07960cdb4d484c9
CRC32: 482b926b

Kaspersky reports Trojan-PSW.Win32.OnLineGames.apjb, Dr.Web reports Trojan.PWS.Gamania.10904, Rising reports Trojan.PSW.Win32.GameOL.obx

File: C:/Windows/system32/apzhbtde.dll
Attributes: -sh-
Digital signature: No
PE file: Yes
An error occurred while obtaining the file version information!
Created: 19:53:24
Modified: 19:53:26
Size: 537608 bytes, 525.8 KB
MD5: 5bb14d85a537fc6917151abf82f4b5c3
SHA1: 19c6ede88343be1dcbceac8bf9c1737698d9d96c
CRC32: 78c29065

Kaspersky reports Trojan-PSW.Win32.OnLineGames.apjo, Dr.Web reports Trojan.PWS.Gamania.11045, Rising reports Trojan.PSW.Win32.GameOL.oby

File: C:/Windows/system32/cdwqfs.dll
Attributes: A-H-
Digital signature: No
PE file: Yes
An error occurred while obtaining the file version information!
Created: 20:41:36
Modified: 20:41:38
Size: 225792 bytes, 220.512 KB
MD5: db5708d7c7eea6021363643c59bf3e67
SHA1: bce9ba14a0a0ef61bdd4e2580ba9e6848ae9bf38
CRC32: 68d68faf

Kaspersky reports Trojan-PSW.Win32.OnLineGames.arqv, Dr.Web reports Trojan.PWS.Gamania.000022, Rising reports Trojan.PSW.Win32.GameOL.ocv

File: C:/Windows/system32/Drivers/beep.sys
Attributes: ---
Digital signature: No
PE file: Yes
An error occurred while obtaining the file version information!
Created:
Modified: 19:52:14
Size: 16256 bytes, 15.896 KB
MD5: 961bc0b14047b04e23ba2a4a0d5ce2b6
SHA1: 14111c7d8162512316ef0cd829d69af6a56d981
CRC32: 60bc58fb

961bc0b14047b04e23ba2a4a0d5ce2b6 --- Kaspersky reports Trojan.Win32.Agent.qxb, Dr.Web reports Trojan.NtRootKit.1192, Rising reports Rootkit.Win32.Mnless.sh

File: C:/Windows/system32/fgsakuy.dll
Attributes: -sh-
Digital signature: No
PE file: Yes
An error occurred while obtaining the file version information!
Created:
Modified:
Size: 541192 bytes, 528.520 KB
MD5: f0ed818b25061ccc04bca17c73630177
SHA1: a551823dcfd2e3ff15b23bfad9457c6e5ee9fc27
CRC32: ac5a4095

File: C:/Windows/system32/Drivers/5dinlqohl.sys
Attributes: ---
Digital signature: No
PE file: Yes
An error occurred while obtaining the file version information!
Created:
Modified:
Size: 51840 bytes, 50.640 KB
MD5: 6c72da0b563ca7acff0a00443c417bc2
SHA1: 457f0da752bbd71e3abd3aa7c5b9375de2d34eaa
CRC32: 4561095d

Kaspersky reports Trojan-Downloader.Win32.Hmir.dkk

File: C:/Windows/system32/Drivers/acpidisk.sys
Attributes: ---
Digital signature: No
PE file: Yes
An error occurred while obtaining the file version information!
Created:
Modified: 19:24:40
Size: 176388 bytes, 172.260 KB
MD5: 29749929f2f8451433ad20da32e7230a
SHA1: d00ab31a4355c7986b1b140afb97d1fbfbf3525d
CRC32: 30c3e5d1

Kaspersky reports not-a-virus:AdWare.Win32.Cinmus.khv [KLAB-5442504]

File: C:/program files/Microsoft Office/system/apcdli.sys
Attributes: ---
Digital signature: No
PE file: Yes
An error occurred while obtaining the file version information!
Created: 16:59:44
Modified: 17:49:16
Size: 148100 bytes, 144.644 KB
MD5: 18ec4e0b3b6458a275dbecfeef8f58ed
SHA1: 9785016c0d198c8919a739d6ee9f937436d33b24
CRC32: 6ff9195b

Kaspersky reports not-a-virus:AdWare.Win32.Cinmus.khu [KLAB-5442504]

File: C:/Windows/system32/bcvnsvc.dll
Attributes: ---
Digital signature: No
PE file: Yes
Language: Chinese (China)
File version: 6.6.20.1.1832
Description: Background Intelligent Transfer Services
Copyright: (c) Microsoft Corporation. All rights reserved.
Product version: 6.6.20.1.1831
Product name: Microsoft (r) Windows (r) Operating System
Company name: Microsoft Corporation
Legal trademark:
Internal name: qmgr32.dll
Original file name: qmgr32.dll
Created:
Modified:
Size: 34816 bytes, 34.0 KB
MD5: f08891ef2326db9dc377136d486074d5
SHA1: 20e0b0614f1120552c184b1e4abbd60621c6cb07
CRC32: ab169150

Kaspersky reports Trojan-Downloader.Win32.Agent.udg [KLAB-5442504]

File: C:/Windows/system32/Drivers/nesepi.sys
Attributes: ---
Digital signature: No
PE file: Yes
Language: Chinese (China)
File version: 1, 0, 1, 3
Description: SYS Application
Copyright: Copyright (c) 2006
Product version: 1, 0, 1, 3
Product name: SYS Application
Company name: Beijing sanqi eryi Technology Co., Ltd.
Internal name: SYS
Original file name: sys.exe
Created: 19:49:15
Modified: 19:49:16
Size: 62976 bytes, 61.512 KB
MD5: a6dd32785fcdbd3d94d2c16a4dab6735
SHA1: f0d5e6f96b8b60f12b3d510863c523191664bbdd
CRC32: 21f75520

Kaspersky reports Trojan.Win32.Agent.sbb [KLAB-5442504]

File: C:/Documents and Settings/all users/Application Data/Microsoft/office/system/ntptdb.sys
Attributes: ---
Digital signature: No
PE file: Yes
An error occurred while obtaining the file version information!
Created: 17:32:38
Modified: 14:34:18
Size: 204420 bytes, 199.644 KB
MD5: 3a36e868e443b5bc54a6e3186d564a18
SHA1: f7db9733ec3fd37482d030b3167fab392c439956
CRC32: 3ecd9604

Kaspersky reports not-a-virus:AdWare.Win32.Cinmus.kht [KLAB-5442504]

File: C:/Windows/system32/viscvc.exe
Attributes: ---
Digital signature: No
PE file: Yes
An error occurred while obtaining the file version information!
Created:
Modified:
Size: 18719 bytes, 18.287 KB
MD5: 417cde96cd0b3d08e69a1d1e2e36e196
SHA1: 469e1756af52cee1ea79f0b59d7f85123160d8b8
CRC32: 540903a8

Kaspersky reports Backdoor.Win32.Agent.kqn, Rising reports Trojan.Win32.Undef.hyd

File: C:/Windows/system32/tcpip.exe
Attributes: ---
Digital signature: No
PE file: Yes
An error occurred while obtaining the file version information!
Created: 21:53:27
Modified:
Size: 62527 bytes, 61.63 KB
MD5: 39af77e4db7ba43a04e07542f4561420
SHA1: 27f976eaa0d8efd94d7e90e4a6650182e9cf7593
CRC32: e923dfeb

Dr.Web reports Trojan.DownLoader.60056

File: C:/Windows/system32/dlbar.exe
Attributes: ---
Digital signature: No
PE file: Yes
An error occurred while obtaining the file version information!
Created:
Modified: 12:21:52
Size: 123904 bytes, 121.0 KB
MD5: 13eb2b92372179d9a5a26136f86aa3f2
SHA1: e0419a9b3e6fc692f1fafdabbee281280e87a66b
CRC32: 5c01108f

File: C:/Windows/system32/systemdrv.dll
Attributes: ---
Digital signature: No
PE file: Yes
Language: English (USA)
File version: 3, 3, 1, 0
Product version: 3, 3, 1, 0
Created: 19:18:31
Modified: 12:21:58
Size: 183808 bytes, 179.512 KB
MD5: fced9d067078ba9538496e7d4aca08df
SHA1: e2f2d499cdf6992fea5c00a00b1ba6026816cd5d
CRC32: 9cee100a

File: C:/Windows/system32/upudpkok.dll
Attributes: ---
Digital signature: No
PE file: Yes
An error occurred while obtaining the file version information!
Created:
Modified:
Size: 12096 bytes, 11.832 KB
MD5: 895838862a43b51c0a4d19a94cbcda79
SHA1: 6f8cc16998c0484126f00499f6f1acdc5be014da
CRC32: ebe1acc1

File: C:/Windows/system32/yql_lyrics_common.dll
Attributes: ---
Digital signature: No
PE file: Yes
Language: English (USA)
File version: 1, 2, 6, 0
Description: yiqilailyrics common
Copyright: yiqilai.com. All rights reserved.
Product version: 1, 2, 6, 0
Product name: yiqilailyrics
Company name: yiqilai.com
Internal name: Common.dll
Original file name: Common.dll
Created: 14:13:36
Modified: 14:13:36
Size: 451584 bytes, 441.0 KB
MD5: 1168031944252821a306656b2e137ba3
SHA1: 08ad9b270084a387f85f6ad39bed0193ecf30230
CRC32: 8c564706

File: C:/Windows/system32/sysloader.dll
Attributes: ---
Digital signature: No
PE file: Yes
Language: English (USA)
File version: 3, 3, 0, 0
Product version: 3, 3, 0, 0
Created: 21:54:13
Modified:
Size: 182272 bytes, 178.0 KB
MD5: 4a8b821bfa1c062af4f78766fb0ba48c
SHA1: 4a2bd2c2dd7e7935533836c9073728c352910e0c
CRC32: e49f8ccd

File: C:/Windows/system32/explof.dll
Attributes: -sh-
Digital signature: No
PE file: Yes
An error occurred while obtaining the file version information!
Created:
Modified:
Size: 24576 bytes, 24.0 KB
MD5: 781d06497ea428cd56809075cafe3d64
SHA1: 501e0b530ab1097bd5c42ff47435115d5065b408
CRC32: 9359757e

File: C:/Windows/system32/exlpolr0.dll
Attributes: -sh-
Digital signature: No
PE file: Yes
An error occurred while obtaining the file version information!
Created:
Modified:
Size: 24576 bytes, 24.0 KB
MD5: 3c86ba71c8494ebd68f52aa1659cf5d5
SHA1: ba8ecc634fb65e3d0972b801847f4c4ca7b7b5cd
CRC32: 971c376d

File: C:/Windows/system32/iisumsvc.dll
Attributes: ---
Digital signature: No
PE file: Yes
An error occurred while obtaining the file version information!
Created: 21:55:53
Modified: 22:29:50
Size: 107081 bytes, 104.585 KB
MD5: dc94b7ea05c3c2554725169e2e242412
SHA1: e3f98790ced2a7b5464d7313039fbbff5f5c58c5
CRC32: ff48067d

File: C:/Windows/system32/tcpip.sys
Attributes: ---
Digital signature: No
PE file: No
Created: 21:53:29
Modified:
Size: 816 bytes
MD5: db855716b6522ef84c7c64f9042c2a40
SHA1: 21e3a4753bcdfe109f09b66571b855068249f20e
CRC32: 81e18618

File: C:/Windows/system32/etcpip.sys
Attributes: ---
Digital signature: No
PE file: No
Created: 21:53:29
Modified:
Size: 404 bytes
MD5: 6d6b8c81d910db6bf56d4d80a3ff0226
SHA1: 63144cd55c7fb8972c8c00d387acfc2d6f56f2ce
CRC32: df2d2698

File: C:/Windows/system32/aduio.sys
Attributes: ---
Digital signature: No
PE file: No
Created: 21:53:29
Modified:
Size: 1600 bytes, 1.576 KB
MD5: 071d129efeda0000100ea54877c2b1198
SHA1: 8e8372ca339cc078c56729f37bc89d457de696eb
CRC32: 8e31b511

File: C:/Windows/system32/1.exe
Attributes: ---
Digital signature: No
PE file: Yes
An error occurred while obtaining the file version information!
Created: 21:53:29
Modified:
Size: 24576 bytes, 24.0 KB
MD5: 7784b316a4cb88062d0767b830583b1b
SHA1: 9f3593e3a24510986b2a5ac9d582e56129f304ee
CRC32: 412b9df1

File: C:/Windows/system32/7.exe
Attributes: ---
Digital signature: No
PE file: Yes
An error occurred while obtaining the file version information!
Created: 21:53:51
Modified:
Size: 176928 bytes, 172.800 KB
MD5: 0f4590ac313b83a9b4a4902e5e3b2fb9
SHA1: f4db728496c09b38155ea8030362c7780d0180d5
CRC32: 63eb8c58

Appendix 2: Dr.Web CureIt! scan log

========================
Dr.Web (R) anti-virus scanner v4.44.5 (4.44.5.05200)
Copyright (c) Igor Daniloff, 1992-2008. All rights reserved.
Log generation time: 12:57:22 [Administrator]
Command line: "C:/docume~1/admini~1/locals~1/temp/rarsfx0/setup.exe" /LNG:cn-cureit.dwl /INI:setup_xp.ini
Operating system: Windows XP Professional x86 (build 2600), Service Pack 2
========================
Engine version: 4.44 (4.44.0.09170)
Engine API version: 2.02
Total virus records: 395016

C:/Windows/system32/apsgejba.dll infected with Trojan.PWS.Gamania.10904 - deleted
C:/Windows/system32/apzhbtde.dll infected with Trojan.PWS.Gamania.11045 - deleted
C:/Windows/system32/cdwqfs.dll infected with Trojan.PWS.Gamania.20.22 - deleted
C:/Windows/system32/ddserh.dll infected with Trojan.PWS.Gamania.20.22 - deleted
C:/Windows/system32/Drivers/beep.sys infected with Trojan.NtRootKit.1192 - deleted
C:/Windows/system32/Drivers/hbkernel.sys infected with Trojan.PWS.Wsgame.5588 - deleted
C:/Windows/system32/fgsakuy.dll infected with Trojan.PWS.Gamania.11037 - deleted
C:/Windows/system32/fsrgeb.dll infected with Trojan.PWS.Gamania.origin
C:/Windows/system32/hbmhly.exe infected with Trojan.PWS.Wsgame.5588 - deleted
C:/Windows/system32/hhrdxd.dll infected with Trojan.PWS.Gamania.origin
C:/Windows/system32/jfrwdh.dll infected with Trojan.PWS.Gamania.20.22 - user declined cure
C:/Windows/system32/kcomd32.dll probably infected with DLOADER.Trojan
C:/Windows/system32/kcomd32.exe probably infected with MULDROP.Trojan
C:/Windows/system32/lassaplo.dll infected with Trojan.PWS.Gamania.10909 - deleted
C:/Windows/system32/mfdesy.dll infected with Trojan.PWS.Gamania.20.51 - deleted
C:/Windows/system32/mndhedwd.dll infected with Trojan.PWS.Wsgame.5947 - deleted
C:/Windows/system32/msplugplay1005.sys infected with BackDoor.Pigeon.13201 - deleted
C:/Windows/system32/mtewdh.dll infected with Trojan.DownLoader.origin
C:/Windows/system32/nhmxcjkl.dll infected with Trojan.PWS.Gamania.20.10 - deleted
C:/Windows/system32/oohxdbyt.dll infected with Trojan.PWS.Gamania.11211 - deleted
C:/Windows/system32/ptjhehlp.dll infected with Trojan.PWS.Gamania.11213 - deleted
C:/Windows/system32/rfdswc.dll infected with Trojan.PWS.Gamania.20.52 - deleted
C:/Windows/system32/sgrefg.dll infected with Trojan.PWS.Wsgame.5744 - deleted
C:/Windows/system32/tcpip.exe infected with Trojan.DownLoader.60056 - deleted
C:/Windows/system32/tdffdl.dll infected with Trojan.PWS.Gamania.20.22 - deleted
C:/Windows/system32/upudpkok.dll probably infected with DLOADER.Trojan
C:/Windows/system32/viscvc.exe probably infected with BACKDOOR.Trojan
C:/Windows/system32/wrqszl.dll infected with Trojan.PWS.Gamania.20.22 - deleted
C:/Windows/system32/wzcfsw.dll infected with Trojan.PWS.Gamania.origin
C:/Windows/system32/yzztimsn.dll infected with Trojan.PWS.Gamania.20.15 - deleted
C:/Windows/system32/zdesfx.dll infected with Trojan.PWS.Gamania.11242 - deleted
C:/Windows/system32/zefdst.dll infected with Trojan.PWS.Gamania.20.22 - deleted
C:/Windows/system32/zgxfdx.dll infected with Trojan.PWS.Gamania.11165 - deleted
C:/Windows/system32/zptlcsys.dll infected with Trojan.PWS.Gamania.20.41 - deleted
C:/Windows/system32/zycbdime.dll infected with Trojan.PWS.Gamania.20.47 - deleted
C:/Windows/system32/zywmgime.dll infected with Trojan.PWS.Gamania.11243 - deleted
C:/Windows/30192.exe infected with BackDoor.Generic.1624 - deleted
C:/Windows/42.169.exe infected with BackDoor.Generic.1624 - deleted
C:/Windows/system32/wtocdv.exe infected with Trojan.AVKill.425 - deleted
C:/Windows/system32/wininnet.NLS infected with Trojan.Inject.3445 - deleted
C:/Windows/system32/tcpip.l infected with Trojan.DownLoader.63902 - deleted
C:/Windows/system32/pldhadwd.exe infected with Trojan.PWS.Gamania.11191 - deleted
C:/Windows/system32/zaztamsn.exe infected with Trojan.PWS.Gamania.20.15 - deleted
C:/Windows/system32/lpzhatde.exe infected with Trojan.PWS.Gamania.11174 - deleted
C:/Windows/system32/jbhxabyt.exe infected with Trojan.PWS.Gamania.11211 - deleted
C:/Windows/system32/aitlasys.exe infected with Trojan.PWS.Gamania.10904 - deleted
C:/Windows/system32/lpsgajba.exe infected with Trojan.PWS.Gamania.10904 - deleted
C:/Windows/system32/2.exe infected with BackDoor.Generic.1624 - deleted
C:/Windows/system32/upudpkok.dll probably infected with DLOADER.Trojan
C:/Windows/system32/c3.exe/data002 is adware program Adware.Sogou.origin
C:/Windows/system32/c1.exe/data003/data003 is adware program Adware.Cinmus.origin
C:/Windows/system32/spjhahlp.exe infected with Trojan.PWS.Gamania.10904 - deleted
C:/Windows/system32/azcw.me.exe infected with Trojan.PWS.Gamania.11053 - deleted
C:/Windows/system32/c8.exe infected with Trojan.DownLoader.65491 - deleted
C:/Windows/system32/lpmxajkl.exe infected with Trojan.PWS.Gamania.20.10 - deleted
C:/Windows/system32/lkssaplo.exe infected with Trojan.PWS.Gamania.10909 - deleted
C:/Windows/system32/yufsakuy.exe infected with Trojan.PWS.Gamania.10908 - deleted
C:/Windows/system32/windowsupdata.dll infected with Trojan.DownLoader.63902 - deleted
C:/Windows/system32/c9.exe infected with Trojan.PWS.Gamania.10691 - deleted
C:/Windows/temp/~~.EXE infected with Trojan.DownLoader.64113 - deleted
C:/Windows/temp/~Fc2.tmp infected with Trojan.PWS.Gamania.origin
C:/Windows/temp/~Fc4.tmp infected with Trojan.PWS.Gamania.origin
C:/Windows/temp/~Fc5.tmp infected with Trojan.PWS.Gamania.000090 - deleted
C:/Windows/temp/~Fc7.tmp infected with Trojan.PWS.Gamania.origin
C:/Windows/temp/checksum.exe infected with Trojan.PWS.Hangame.800 - deleted
C:/Windows/temp/1023.exe infected with Trojan.DownLoader.origin - incurable - moved
C:/Windows/temp/setup1384.exe infected with Trojan.DownLoader.60056 - deleted
C:/Windows/temp/temp.exe infected with Trojan.DownLoader.63902 - deleted
C:/Windows/temp/~My1.tmp/data003/data003 is adware program Adware.Cinmus.origin
C:/Windows/temp/Temporary Internet Files/content.ie5/k5qd6x6f/bak1_12.16.css infected with Trojan.DownLoader.64113 - deleted
