beep.sys/Trojan.NtRootKit.1192, msplugplay1005.sys/BackDoor.Pigeon.13201, etc. (2)
Original by endurer
2008-06-25, 1st edition
(Continued from part 1)
Modify the computer date, then download Dr.Web CureIt! and scan.
At the same time, download bat_do and fileinfo to extract the file information, pack and back up the files, and delete them with delayed deletion.
Then download the Rising Kaka Security Assistant to clean up the malicious programs' startup entries.
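The steps above lean on two things: a per-file record (size, hashes, PE check) taken before anything is backed up or deleted, and a scan log that names each file's detection. The following is an added example, not the post's own bat_do/fileinfo tooling, that rebuilds such a record in Python and parses the Appendix 1 record layout and the Appendix 2 log phrasing as they appear on this page, so the two can be cross-checked path by path. The field labels ("File:"/"File Description:", "Size:", "MD5:", "SHA1:", "CRC32:") and the "infected with" log shapes are assumptions taken from this page's rendering; the sample records and log lines are constructed from values in the appendices.

```python
"""fileinfo-style records and a cross-check against a Dr.Web-style scan log.

Added example, not the post's own tooling: the record labels and log phrasing
are assumed to match the Appendix 1 and Appendix 2 text of this page.
"""
import hashlib
import re
import zlib
from pathlib import Path


def hash_record(data: bytes, name: str = "<memory>") -> dict:
    """Build the per-file fields that each Appendix 1 record carries.

    The 'pe' flag mirrors the records' coarse "PE file: Yes/No": a DOS 'MZ'
    stub whose e_lfanew offset (0x3C) points at the "PE\\0\\0" signature.
    """
    pe = False
    if len(data) >= 0x40 and data[:2] == b"MZ":
        e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
        pe = data[e_lfanew:e_lfanew + 4] == b"PE\0\0"
    return {
        "file": name,
        "size": len(data),
        "pe": pe,
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "crc32": f"{zlib.crc32(data) & 0xFFFFFFFF:08x}",
    }


def file_record(path) -> dict:
    """Same record for a file on disk: hash it before backing it up or deleting it."""
    return hash_record(Path(path).read_bytes(), str(path))


# Labels as rendered in the Appendix 1 records on this page ("File:" or "File Description:").
_START = re.compile(r"^File(?: Description)?:\s*(?P<path>.+?)\s*$")
_FIELD = re.compile(r"^(?P<key>Size|MD5|SHA1|CRC32):\s*(?P<val>.+?)\s*$", re.I)
# Log shapes seen in Appendix 2: "<path> infected with <name> - deleted",
# "<path> - infected with <name>.origin", "<path> probably infected with DLOADER.Trojan".
_LOG_LINE = re.compile(
    r"^(?P<path>.+?)\s+(?:-\s+)?(?:has been\s+|probably\s+)?infected with\s+(?P<name>\S+)", re.I
)


def parse_fileinfo_records(text: str) -> list:
    """Turn Appendix 1 text into dicts keyed like hash_record() output."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        start = _START.match(line)
        if start:
            records.append({"file": start.group("path")})
            continue
        field = _FIELD.match(line)
        if field and records:
            key, val = field.group("key").lower(), field.group("val")
            # "537608 bytes, 525.8 KB" -> 537608; hashes are normalised to lower case
            records[-1][key] = int(val.split()[0]) if key == "size" else val.lower()
    return records


def cross_check(records: list, scan_log: str) -> dict:
    """Map each record's path to the detection name the scan log gives it, or None."""
    detections = {}
    for line in scan_log.splitlines():
        hit = _LOG_LINE.match(line.strip())
        if hit:
            detections[hit.group("path").lower()] = hit.group("name")
    return {r["file"]: detections.get(r["file"].lower()) for r in records}


# Constructed sample input: records and log lines copied from the page's appendices,
# plus one record (explof.dll) that the scan log does not mention.
SAMPLE_RECORDS = """\
File: C:/Windows/system32/apsgejba.dll
Attributes: -sh-
PE file: Yes
Size: 537608 bytes, 525.8 KB
MD5: dfb233144b035c0d75c7a4eda4acd19f
SHA1: d232b49b7813ec41569ddd95c07960cdb4d484c9
CRC32: 482b926b

File: C:/Windows/system32/Drivers/beep.sys
Attributes: ---
PE file: Yes
Size: 16256 bytes, 15.896 KB
MD5: 961bc0b14047b04e23ba2a4a0d5ce2b6
CRC32: 60bc58fb

File: C:/Windows/system32/explof.dll
Size: 24576 bytes, 24.0 KB
MD5: 781d06497ea428cd56809075cafe3d64
"""

SAMPLE_LOG = """\
C:/Windows/system32/apsgejba.dll infected with Trojan.PWS.Gamania.10904 - deleted
C:/Windows/system32/Drivers/beep.sys infected with Trojan.NtRootKit.1192 - deleted
C:/Windows/system32/upudpkok.dll probably infected with DLOADER.Trojan
"""

if __name__ == "__main__":
    for path, verdict in cross_check(parse_fileinfo_records(SAMPLE_RECORDS), SAMPLE_LOG).items():
        print(f"{path}: {verdict or 'not in scan log'}")
```

Records with no verdict are the ones worth a second look (here explof.dll, which Appendix 1 lists without any vendor detection); the hashes in the record are what you would submit to a multi-engine service or compare against a later scan.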
Appendix 1: Malicious file information
Appendix 2: Dr.Web CureIt! scan log

Appendix 1: Malicious file information

File: C:/Windows/system32/apsgejba.dll
Attributes: -sh-
Digital signature: No
PE file: Yes
Error obtaining file version information!
Created: 19:53:30
Modified: 19:53:32
Size: 537608 bytes, 525.8 KB
MD5: dfb233144b035c0d75c7a4eda4acd19f
SHA1: d232b49b7813ec41569ddd95c07960cdb4d484c9
CRC32: 482b926b
Kaspersky reports Trojan-PSW.Win32.OnLineGames.apjb, Dr.Web reports Trojan.PWS.Gamania.10904, Rising reports Trojan.PSW.Win32.GameOL.obx

File: C:/Windows/system32/apzhbtde.dll
Attributes: -sh-
Digital signature: No
PE file: Yes
Error obtaining file version information!
Created: 19:53:24
Modified: 19:53:26
Size: 537608 bytes, 525.8 KB
MD5: 5bb14d85a537fc6917151abf82f4b5c3
SHA1: 19c6ede88343be1dcbceac8bf9c1737698d9d96c
CRC32: 78c29065
Kaspersky reports Trojan-PSW.Win32.OnLineGames.apjo, Dr.Web reports Trojan.PWS.Gamania.11045, Rising reports Trojan.PSW.Win32.GameOL.oby

File: C:/Windows/system32/cdwqfs.dll
Attributes: A-H-
Digital signature: No
PE file: Yes
Error obtaining file version information!
Created: 20:41:36
Modified: 20:41:38
Size: 225792 bytes, 220.512 KB
MD5: db5708d7c7eea6021363643c59bf3e67
SHA1: bce9ba14a0a0ef61bdd4e2580ba9e6848ae9bf38
CRC32: 68d68faf
Kaspersky reports Trojan-PSW.Win32.OnLineGames.arqv, Dr.Web reports Trojan.PWS.Gamania.000022, Rising reports Trojan.PSW.Win32.GameOL.ocv

File: C:/Windows/system32/Drivers/beep.sys
Attributes: ---
Digital signature: No
PE file: Yes
Error obtaining file version information!
Created:
Modified: 19:52:14
Size: 16256 bytes, 15.896 KB
MD5: 961bc0b14047b04e23ba2a4a0d5ce2b6
SHA1: 14111c7d8162512316ef0cd829d69af6a56d981
CRC32: 60bc58fb
Kaspersky reports Trojan.Win32.Agent.qxb, Dr.Web reports Trojan.NtRootKit.1192, Rising reports RootKit.Win32.Mnless.sh

File: C:/Windows/system32/fgsakuy.dll
Attributes: -sh-
Digital signature: No
PE file: Yes
Error obtaining file version information!
Created:
Modified:
Size: 541192 bytes, 528.520 KB
MD5: f0ed818b25061ccc04bca17c73630177
SHA1: a551823dcfd2e3ff15b23bfad9457c6e5ee9fc27
CRC32: ac5a4095

File: C:/Windows/system32/Drivers/5dinlqohl.sys
Attributes: ---
Digital signature: No
PE file: Yes
Error obtaining file version information!
Created:
Modified:
Size: 51840 bytes, 50.640 KB
MD5: 6c72da0b563ca7acff0a00443c417bc2
SHA1: 457f0da752bbd71e3abd3aa7c5b9375de2d34eaa
CRC32: 4561095d
Kaspersky reports Trojan-Downloader.Win32.Hmir.dkk

File: C:/Windows/system32/Drivers/acpidisk.sys
Attributes: ---
Digital signature: No
PE file: Yes
Error obtaining file version information!
Created:
Modified: 19:24:40
Size: 176388 bytes, 172.260 KB
MD5: 29749929f2f8451433ad20da32e7230a
SHA1: d00ab31a4355c7986b1b140afb97d1fbfbf3525d
CRC32: 30c3e5d1
Kaspersky reports not-a-virus:AdWare.Win32.Cinmus.khv [KLAB-5442504]

File: C:/program files/Microsoft Office/system/apcdli.sys
Attributes: ---
Digital signature: No
PE file: Yes
Error obtaining file version information!
Created: 16:59:44
Modified: 17:49:16
Size: 148100 bytes, 144.644 KB
MD5: 18ec4e0b3b6458a275dbecfeef8f58ed
SHA1: 9785016c0d198c8919a739d6ee9f937436d33b24
CRC32: 6ff9195b
Kaspersky reports not-a-virus:AdWare.Win32.Cinmus.khu [KLAB-5442504]

File: C:/Windows/system32/bcvnsvc.dll
Attributes: ---
Digital signature: No
PE file: Yes
Language: Chinese (China)
File version: 6.6.20.1.1832
Description: Background Intelligent Transfer Services
Copyright: (c) Microsoft Corporation. All rights reserved.
Product version: 6.6.20.1.1831
Product name: Microsoft (R) Windows (R) Operating System
Company name: Microsoft Corporation
Legal trademarks:
Internal name: qmgr32.dll
Original filename: qmgr32.dll
Created:
Modified:
Size: 34816 bytes, 34.0 KB
MD5: f08891ef2326db9dc377136d486074d5
SHA1: 20e0b0614f1120552c184b1e4abbd60621c6cb07
CRC32: ab169150
Kaspersky reports Trojan-Downloader.Win32.Agent.udg [KLAB-5442504]

File: C:/Windows/system32/Drivers/nesepi.sys
Attributes: ---
Digital signature: No
PE file: Yes
Language: Chinese (China)
File version: 1, 0, 1, 3
Description: SYS Application
Copyright: Copyright (c) 2006
Product version: 1, 0, 1, 3
Product name: SYS Application
Company name: Beijing Sanqi Eryi Technology Co., Ltd.
Internal name: SYS
Original filename: sys.exe
Created: 19:49:15
Modified: 19:49:16
Size: 62976 bytes, 61.512 KB
MD5: a6dd32785fcdbd3d94d2c16a4dab6735
SHA1: f0d5e6f96b8b60f12b3d510863c523191664bbdd
CRC32: 21f75520
Kaspersky reports Trojan.Win32.Agent.sbb [KLAB-5442504]

File: C:/Documents and Settings/All Users/Application Data/Microsoft/office/system/ntptdb.sys
Attributes: ---
Digital signature: No
PE file: Yes
Error obtaining file version information!
Created: 17:32:38
Modified: 14:34:18
Size: 204420 bytes, 199.644 KB
MD5: 3a36e868e443b5bc54a6e3186d564a18
SHA1: f7db9733ec3fd37482d030b3167fab392c439956
CRC32: 3ecd9604
Kaspersky reports not-a-virus:AdWare.Win32.Cinmus.kht [KLAB-5442504]

File: C:/Windows/system32/viscvc.exe
Attributes: ---
Digital signature: No
PE file: Yes
Error obtaining file version information!
Created:
Modified:
Size: 18719 bytes, 18.287 KB
MD5: 417cde96cd0b3d08e69a1d1e2e36e196
SHA1: 469e1756af52cee1ea79f0b59d7f85123160d8b8
CRC32: 540903a8
Kaspersky reports Backdoor.Win32.Agent.kqn, Rising reports Trojan.Win32.Undef.hyd

File: C:/Windows/system32/tcpip.exe
Attributes: ---
Digital signature: No
PE file: Yes
Error obtaining file version information!
Created: 21:53:27
Modified:
Size: 62527 bytes, 61.63 KB
MD5: 39af77e4db7ba43a04e07542f4561420
SHA1: 27f976eaa0d8efd94d7e90e4a6650182e9cf7593
CRC32: e923dfeb
Dr.Web reports Trojan.DownLoader.60056

File: C:/Windows/system32/dlbar.exe
Attributes: ---
Digital signature: No
PE file: Yes
Error obtaining file version information!
Created:
Modified: 12:21:52
Size: 123904 bytes, 121.0 KB
MD5: 13eb2b92372179d9a5a26136f86aa3f2
SHA1: e0419a9b3e6fc692f1fafdabbee281280e87a66b
CRC32: 5c01108f

File: C:/Windows/system32/systemdrv.dll
Attributes: ---
Digital signature: No
PE file: Yes
Language: English (USA)
File version: 3, 3, 1, 0
Product version: 3, 3, 1, 0
Created: 19:18:31
Modified: 12:21:58
Size: 183808 bytes, 179.512 KB
MD5: fced9d067078ba9538496e7d4aca08df
SHA1: e2f2d499cdf6992fea5c00a00b1ba6026816cd5d
CRC32: 9cee100a

File: C:/Windows/system32/upudpkok.dll
Attributes: ---
Digital signature: No
PE file: Yes
Error obtaining file version information!
Created:
Modified:
Size: 12096 bytes, 11.832 KB
MD5: 895838862a43b51c0a4d19a94cbcda79
SHA1: 6f8cc16998c0484126f00499f6f1acdc5be014da
CRC32: ebe1acc1

File: C:/Windows/system32/yql_lyrics_common.dll
Attributes: ---
Digital signature: No
PE file: Yes
Language: English (USA)
File version: 1, 2, 6, 0
Description: yiqilailyrics common
Copyright: yiqilai.com. All rights reserved.
Product version: 1, 2, 6, 0
Product name: yiqilailyrics
Company name: yiqilai.com
Internal name: Common.dll
Original filename: Common.dll
Created: 14:13:36
Modified: 14:13:36
Size: 451584 bytes, 441.0 KB
MD5: 1168031944252821a306656b2e137ba3
SHA1: 08ad9b270084a387f85f6ad39bed0193ecf30230
CRC32: 8c564706

File: C:/Windows/system32/sysloader.dll
Attributes: ---
Digital signature: No
PE file: Yes
Language: English (USA)
File version: 3, 3, 0, 0
Product version: 3, 3, 0, 0
Created: 21:54:13
Modified:
Size: 182272 bytes, 178.0 KB
MD5: 4a8b821bfa1c062af4f78766fb0ba48c
SHA1: 4a2bd2c2dd7e7935533836c9073728c352910e0c
CRC32: e49f8ccd

File: C:/Windows/system32/explof.dll
Attributes: -sh-
Digital signature: No
PE file: Yes
Error obtaining file version information!
Created:
Modified:
Size: 24576 bytes, 24.0 KB
MD5: 781d06497ea428cd56809075cafe3d64
SHA1: 501e0b530ab1097bd5c42ff47435115d5065b408
CRC32: 9359757e

File: C:/Windows/system32/exlpolr0.dll
Attributes: -sh-
Digital signature: No
PE file: Yes
Error obtaining file version information!
Created:
Modified:
Size: 24576 bytes, 24.0 KB
MD5: 3c86ba71c8494ebd68f52aa1659cf5d5
SHA1: ba8ecc634fb65e3d0972b801847f4c4ca7b7b5cd
CRC32: 971c376d

File: C:/Windows/system32/iisumsvc.dll
Attributes: ---
Digital signature: No
PE file: Yes
Error obtaining file version information!
Created: 21:55:53
Modified: 22:29:50
Size: 107081 bytes, 104.585 KB
MD5: dc94b7ea05c3c2554725169e2e242412
SHA1: e3f98790ced2a7b5464d7313039fbbff5f5c58c5
CRC32: ff48067d

File: C:/Windows/system32/tcpip.sys
Attributes: ---
Digital signature: No
PE file: No
Created: 21:53:29
Modified:
Size: 816 bytes
MD5: db855716b6522ef84c7c64f9042c2a40
SHA1: 21e3a4753bcdfe109f09b66571b855068249f20e
CRC32: 81e18618

File: C:/Windows/system32/etcpip.sys
Attributes: ---
Digital signature: No
PE file: No
Created: 21:53:29
Modified:
Size: 404 bytes
MD5: 6d6b8c81d910db6bf56d4d80a3ff0226
SHA1: 63144cd55c7fb8972c8c00d387acfc2d6f56f2ce
CRC32: df2d2698

File: C:/Windows/system32/aduio.sys
Attributes: ---
Digital signature: No
PE file: No
Created: 21:53:29
Modified:
Size: 1600 bytes, 1.576 KB
MD5: 071d129efeda0000100ea54877c2b1198
SHA1: 8e8372ca339cc078c56729f37bc89d457de696eb
CRC32: 8e31b511

File: C:/Windows/system32/1.exe
Attributes: ---
Digital signature: No
PE file: Yes
Error obtaining file version information!
Created: 21:53:29
Modified:
Size: 24576 bytes, 24.0 KB
MD5: 7784b316a4cb88062d0767b830583b1b
SHA1: 9f3593e3a24510986b2a5ac9d582e56129f304ee
CRC32: 412b9df1

File: C:/Windows/system32/7.exe
Attributes: ---
Digital signature: No
PE file: Yes
Error obtaining file version information!
Created: 21:53:51
Modified:
Size: 176928 bytes, 172.800 KB
MD5: 0f4590ac313b83a9b4a4902e5e3b2fb9
SHA1: f4db728496c09b38155ea8030362c7780d0180d5
CRC32: 63eb8c58

Appendix 2: Dr.Web CureIt! scan log
========================
Dr.Web (R) anti-virus scanner v4.44.5 (4.44.5.05200)
Copyright (c) Igor Daniloff, 1992-2008. All rights reserved.
Log generation time: , 12:57:22 [administrator]
Command line: "C:/docume~1/admini~1/locals~1/temp/rarsfx0/setup.exe" /LNG:cn-cureit.dwl /INI:setup_xp.ini
Operating system: Windows XP Professional x86 (build 2600), Service Pack 2
========================
Engine version: 4.44 (4.44.0.09170)
Engine API version: 2.02
Total virus records: 395016

C:/Windows/system32/apsgejba.dll infected with Trojan.PWS.Gamania.10904 - deleted
C:/Windows/system32/apzhbtde.dll infected with Trojan.PWS.Gamania.11045 - deleted
C:/Windows/system32/cdwqfs.dll infected with Trojan.PWS.Gamania.20.22 - deleted
C:/Windows/system32/ddserh.dll infected with Trojan.PWS.Gamania.20.22 - deleted
C:/Windows/system32/Drivers/beep.sys infected with Trojan.NtRootKit.1192 - deleted
C:/Windows/system32/Drivers/hbkernel.sys infected with Trojan.PWS.Wsgame.5588 - deleted
C:/Windows/system32/fgsakuy.dll infected with Trojan.PWS.Gamania.11037 - deleted
C:/Windows/system32/fsrgeb.dll - infected with Trojan.PWS.Gamania.origin
C:/Windows/system32/hbmhly.exe infected with Trojan.PWS.Wsgame.5588 - deleted
C:/Windows/system32/hhrdxd.dll - infected with Trojan.PWS.Gamania.origin
C:/Windows/system32/jfrwdh.dll infected with Trojan.PWS.Gamania.20.22 - cure declined by user
C:/Windows/system32/kcomd32.dll probably infected with DLOADER.Trojan
C:/Windows/system32/kcomd32.exe probably infected with MULDROP.Trojan
C:/Windows/system32/lassaplo.dll infected with Trojan.PWS.Gamania.10909 - deleted
C:/Windows/system32/mfdesy.dll infected with Trojan.PWS.Gamania.20.51 - deleted
C:/Windows/system32/mndhedwd.dll infected with Trojan.PWS.Wsgame.5947 - deleted
C:/Windows/system32/msplugplay1005.sys infected with BackDoor.Pigeon.13201 - deleted
C:/Windows/system32/mtewdh.dll - infected with Trojan.DownLoader.origin
C:/Windows/system32/nhmxcjkl.dll infected with Trojan.PWS.Gamania.20.10 - deleted
C:/Windows/system32/oohxdbyt.dll infected with Trojan.PWS.Gamania.11211 - deleted
C:/Windows/system32/ptjhehlp.dll infected with Trojan.PWS.Gamania.11213 - deleted
C:/Windows/system32/rfdswc.dll infected with Trojan.PWS.Gamania.20.52 - deleted
C:/Windows/system32/sgrefg.dll infected with Trojan.PWS.Wsgame.5744 - deleted
C:/Windows/system32/tcpip.exe infected with Trojan.DownLoader.60056 - deleted
C:/Windows/system32/tdffdl.dll infected with Trojan.PWS.Gamania.20.22 - deleted
C:/Windows/system32/upudpkok.dll probably infected with DLOADER.Trojan
C:/Windows/system32/viscvc.exe probably infected with BACKDOOR.Trojan
C:/Windows/system32/wrqszl.dll infected with Trojan.PWS.Gamania.20.22 - deleted
C:/Windows/system32/wzcfsw.dll - infected with Trojan.PWS.Gamania.origin
C:/Windows/system32/yzztimsn.dll infected with Trojan.PWS.Gamania.20.15 - deleted
C:/Windows/system32/zdesfx.dll infected with Trojan.PWS.Gamania.11242 - deleted
C:/Windows/system32/zefdst.dll infected with Trojan.PWS.Gamania.20.22 - deleted
C:/Windows/system32/zgxfdx.dll infected with Trojan.PWS.Gamania.11165 - deleted
C:/Windows/system32/zptlcsys.dll infected with Trojan.PWS.Gamania.20.41 - deleted
C:/Windows/system32/zycbdime.dll infected with Trojan.PWS.Gamania.20.47 - deleted
C:/Windows/system32/zywmgime.dll infected with Trojan.PWS.Gamania.11243 - deleted
C:/Windows/30192.exe infected with BackDoor.Generic.1624 - deleted
C:/Windows/42.169.exe infected with BackDoor.Generic.1624 - deleted
C:/Windows/system32/wtocdv.exe infected with Trojan.AVKill.425 - deleted
C:/Windows/system32/wininnet.NLS infected with Trojan.Inject.3445 - deleted
C:/Windows/system32/tcpip.l infected with Trojan.DownLoader.63902 - deleted
C:/Windows/system32/pldhadwd.exe infected with Trojan.PWS.Gamania.11191 - deleted
C:/Windows/system32/zaztamsn.exe infected with Trojan.PWS.Gamania.20.15 - deleted
C:/Windows/system32/lpzhatde.exe infected with Trojan.PWS.Gamania.11174 - deleted
C:/Windows/system32/jbhxabyt.exe infected with Trojan.PWS.Gamania.11211 - deleted
C:/Windows/system32/aitlasys.exe infected with Trojan.PWS.Gamania.10904 - deleted
C:/Windows/system32/lpsgajba.exe infected with Trojan.PWS.Gamania.10904 - deleted
C:/Windows/system32/2.exe infected with BackDoor.Generic.1624 - deleted
C:/Windows/system32/upudpkok.dll probably infected with DLOADER.Trojan
C:/Windows/system32/c3.exe/data002 is adware program Adware.Sogou.origin
C:/Windows/system32/c1.exe/data003/data003 is adware program Adware.Cinmus.origin
C:/Windows/system32/spjhahlp.exe infected with Trojan.PWS.Gamania.10904 - deleted
C:/Windows/system32/azcw.me.exe infected with Trojan.PWS.Gamania.11053 - deleted
C:/Windows/system32/c8.exe infected with Trojan.DownLoader.65491 - deleted
C:/Windows/system32/lpmxajkl.exe infected with Trojan.PWS.Gamania.20.10 - deleted
C:/Windows/system32/lkssaplo.exe infected with Trojan.PWS.Gamania.10909 - deleted
C:/Windows/system32/yufsakuy.exe infected with Trojan.PWS.Gamania.10908 - deleted
C:/Windows/system32/windowsupdata.dll infected with Trojan.DownLoader.63902 - deleted
C:/Windows/system32/c9.exe infected with Trojan.PWS.Gamania.10691 - deleted
C:/Windows/temp/~~.EXE infected with Trojan.DownLoader.64113 - deleted
C:/Windows/temp/~Fc2.tmp - infected with Trojan.PWS.Gamania.origin
C:/Windows/temp/~Fc4.tmp - infected with Trojan.PWS.Gamania.origin
C:/Windows/temp/~Fc5.tmp infected with Trojan.PWS.Gamania.000090 - deleted
C:/Windows/temp/~Fc7.tmp - infected with Trojan.PWS.Gamania.origin
C:/Windows/temp/checksum.exe infected with Trojan.PWS.Hangame.800 - deleted
C:/Windows/temp/1023.exe infected with Trojan.DownLoader.origin - incurable - moved
C:/Windows/temp/setup1384.exe infected with Trojan.DownLoader.60056 - deleted
C:/Windows/temp/temp.exe infected with Trojan.DownLoader.63902 - deleted
C:/Windows/temp/~My1.tmp/data003/data003 is adware program Adware.Cinmus.origin
C:/Windows/temp/Temporary Internet Files/content.ie5/k5qd6x6f/bak1_12.16.css infected with Trojan.DownLoader.64113 - deleted