beep.sys/Trojan.NtRootKit.1192, msplugplay1005.sys/Backdoor.Pigeon.13201, etc. (1)
Original: endurer
2008-06-24 1st edition
A netizen reported that recently his computer often pops up advertisement windows; sometimes it responds slowly and programs restart. "Please help me with the repair."
Had him download pe_xscan, run a scan and send the log. Analysis of the log turned up the following suspicious items:
pe_xscan 08-04-26 by Purple_endurer
2008-5-22 12:36:54
Windows XP Service Pack 2 (5.1.2600)
MSIE: 6.0.2900.2180
Administrator user group
Normal mode

[System Process]*0
  C:\WINDOWS\system32\cdwqfs.dll | 12:41:36
  C:\WINDOWS\system32\fsrgeb.dll | 12:43:11
  C:\WINDOWS\system32\tdffdl.dll | 12:40:57
  C:\WINDOWS\system32\zefdst.dll |
  C:\WINDOWS\system32\mfdesy.dll | 12:40:19
  C:\WINDOWS\system32\mtewdh.dll |
  C:\WINDOWS\system32\wrqszl.dll |
  C:\WINDOWS\system32\ddserh.dll | 12:41:17
  C:\WINDOWS\system32\rfdswc.dll | 11:57:14
  C:\WINDOWS\system32\jfrwdh.dll | 11:57:25
  C:\WINDOWS\system32\zgxfdx.dll | 11:55:45
  C:\WINDOWS\system32\sgrefg.dll | 11:56:35
  C:\WINDOWS\system32\zdesfx.dll | 2008-5-13 :55:3
  C:\WINDOWS\system32\hhrdxd.dll | 11:54:52
  C:\WINDOWS\system32\wzcfsw.dll | 11:54:47

C:\WINDOWS\system32\winlogon.exe*816 | Microsoft(R) Windows(R) Operating System | 5.1.2600.2180 | Windows NT Logon Application | (C) Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation | ? | WINLOGON.EXE
  C:\WINDOWS\system32\yzztimsn.dll | 11:53:32
  C:\WINDOWS\system32\nhmxcjkl.dll | 11:53:55
  C:\WINDOWS\system32\winlib.dll |

C:\WINDOWS\system32\svchost.exe*1048 | Microsoft(R) Windows(R) Operating System | 5.1.2600.2180 | Generic Host Process for Win32 Services | (C) Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation | ? | svchost.exe
  C:\WINDOWS\system32\kcomd32.dll | 11:53:20

C:\WINDOWS\system32\svchost.exe*284 | Microsoft(R) Windows(R) Operating System | 5.1.2600.2180 | Generic Host Process for Win32 Services | (C) Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation | ? | svchost.exe
  C:\WINDOWS\system32\bcvnsvc.dll | Microsoft(R) Windows(R) Operating System | 6.6.20.1.1831 | Background Intelligent Transfer Services | (C) Microsoft Corporation. All rights reserved. | 6.6.20.1.1832 | Microsoft Corporation | qmgr32.dll | qmgr32.dll

C:\WINDOWS\system32\svchost.exe*1148 | Microsoft(R) Windows(R) Operating System | 5.1.2600.2180 | Generic Host Process for Win32 Services | (C) Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation | ? | svchost.exe
  C:\WINDOWS\system32\msplugplay1005.sys |

C:\WINDOWS\system32\hbmhly.exe*1340 |
  C:\WINDOWS\system32\yzztimsn.dll | 11:53:32
  C:\WINDOWS\system32\nhmxcjkl.dll | 11:53:55

C:\WINDOWS\system32\svchost.exe*1432 | Microsoft(R) Windows(R) Operating System | 5.1.2600.2180 | Generic Host Process for Win32 Services | (C) Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation | ? | svchost.exe
  C:\WINDOWS\system32\yzztimsn.dll | 11:53:32
  C:\WINDOWS\system32\nhmxcjkl.dll | 11:53:55

C:\Program Files\Internet Explorer\iexplore.exe*2424 | 17:41:16 | Microsoft(R) Windows(R) Operating System | 6.00.2900.2180 | Internet Explorer | (C) Microsoft Corporation. All rights reserved. | 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation | ? | IEXPLORE.EXE
  C:\WINDOWS\system32\yzztimsn.dll | 11:53:32
  C:\WINDOWS\system32\nhmxcjkl.dll | 11:53:55
  C:\WINDOWS\system32\upudpkok.dll |
  C:\Program Files\Common Files\cpush\cpush0.dll | ? | 1.0.9.1 | ? | ? | 1.0.9.1 | ? | ? | cpush.dll | cpush.dll
  C:\WINDOWS\system32\lassaplo.dll |
  C:\WINDOWS\system32\apzhbtde.dll | 11:53:24
  C:\Documents and Settings\All Users\Application Data\Microsoft\pctools.dll | ATI module | 1, 0, 0, 0 | ATI module | Copyright 2007 | 1, 0, 0, 0 | Ming Xun Technology Co., Ltd. | ATI | ati.dll
  C:\WINDOWS\system32\zycbdime.dll | 11:53:42
  C:\WINDOWS\system32\zptlcsys.dll | 11:53:27
  C:\WINDOWS\system32\ptjhehlp.dll | 11:53:40
  C:\WINDOWS\system32\oohxdbyt.dll | 11:53:25
  C:\WINDOWS\system32\mndhedwd.dll | 11:53:15
  C:\WINDOWS\system32\fgsakuy.dll |
  C:\WINDOWS\system32\apsgejba.dll | 11:53:30
  C:\WINDOWS\system32\zywmgime.dll | 11:53:35
  C:\Documents and Settings\All Users\Application Data\Microsoft\Office\UserData\webbrowser_2134.dll | 3, 4, 4, 0 | Copyright 2008 | 3, 4, 4, 0 | | |

C:\WINDOWS\explorer.exe*3592 | Microsoft(R) Windows(R) Operating System | 6.00.2900.2180 | Windows Explorer | (C) Microsoft Corporation. All rights reserved. | 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation | ? | EXPLORER.EXE
  C:\WINDOWS\system32\yzztimsn.dll | 11:53:32
  C:\WINDOWS\system32\nhmxcjkl.dll | 11:53:55
  C:\WINDOWS\system32\mndhedwd.dll | 11:53:15
  C:\WINDOWS\system32\apzhbtde.dll | 11:53:24
  C:\WINDOWS\system32\oohxdbyt.dll | 11:53:25
  C:\WINDOWS\system32\zptlcsys.dll | 11:53:27
  C:\WINDOWS\system32\apsgejba.dll | 11:53:30
  C:\WINDOWS\system32\zywmgime.dll | 11:53:35
  C:\WINDOWS\system32\ptjhehlp.dll | 11:53:40
  C:\WINDOWS\system32\zycbdime.dll | 11:53:42
  C:\WINDOWS\system32\lassaplo.dll |
  C:\WINDOWS\system32\fgsakuy.dll |
  C:\WINDOWS\system32\wzcfsw.dll | 11:54:47
  C:\WINDOWS\system32\hhrdxd.dll | 11:54:52
  C:\WINDOWS\system32\zdesfx.dll | 2008-5-13 :55:3
  C:\WINDOWS\system32\zgxfdx.dll | 11:55:45
  C:\WINDOWS\system32\sgrefg.dll | 11:56:35
  C:\WINDOWS\system32\wrqszl.dll |
  C:\WINDOWS\system32\rfdswc.dll | 11:57:14
  C:\WINDOWS\system32\jfrwdh.dll | 11:57:25
  C:\WINDOWS\system32\mtewdh.dll |
  C:\WINDOWS\system32\mfdesy.dll | 12:40:19
  C:\WINDOWS\system32\tdffdl.dll | 12:40:57
  C:\WINDOWS\system32\zefdst.dll |
  C:\WINDOWS\system32\ddserh.dll | 12:41:17
  C:\WINDOWS\system32\cdwqfs.dll | 12:41:36
  C:\WINDOWS\system32\fsrgeb.dll | 12:43:11

D:\qq2006\QQ.exe*2536 | 7:15:25 | QQ | 1998, 2007 | QQ | Copyright (C) Tencent Inc. All rights reserved | 7,1,644,1777 | Tencent | comqq D | QQ.exe
  C:\WINDOWS\system32\yzztimsn.dll | 11:53:32
  C:\WINDOWS\system32\nhmxcjkl.dll | 11:53:55
  C:\WINDOWS\system32\mndhedwd.dll | 11:53:15
  C:\WINDOWS\system32\apzhbtde.dll | 11:53:24
  C:\WINDOWS\system32\oohxdbyt.dll | 11:53:25
  C:\WINDOWS\system32\zptlcsys.dll | 11:53:27
  C:\WINDOWS\system32\apsgejba.dll | 11:53:30
  C:\WINDOWS\system32\zywmgime.dll | 11:53:35
  C:\WINDOWS\system32\ptjhehlp.dll | 11:53:40
  C:\WINDOWS\system32\zycbdime.dll | 11:53:42
  C:\WINDOWS\system32\lassaplo.dll |
  C:\WINDOWS\system32\fgsakuy.dll | 9:10:35

D:\qq2006\TXPlatform.exe*2568 | TM2008 | 1, 0,170,201 | TM2008 | Copyright (C) 1998-2007 Tencent Inc. All rights reserved | 1, 0,170, 0 | Tencent | ? |
  C:\WINDOWS\system32\fsrgeb.dll | 12:43:11
  C:\WINDOWS\system32\cdwqfs.dll | 12:41:36
  C:\WINDOWS\system32\ddserh.dll | 12:41:17
  C:\WINDOWS\system32\zefdst.dll |
  C:\WINDOWS\system32\tdffdl.dll | 12:40:57
  C:\WINDOWS\system32\mfdesy.dll | 12:40:19
  C:\WINDOWS\system32\mtewdh.dll |
  C:\WINDOWS\system32\jfrwdh.dll | 2008-5-13 11:57:25
  C:\WINDOWS\system32\rfdswc.dll | 11:57:14
  C:\WINDOWS\system32\wrqszl.dll |
  C:\WINDOWS\system32\zgxfdx.dll | 11:55:45
  C:\WINDOWS\system32\sgrefg.dll | 11:56:35
  C:\WINDOWS\system32\zdesfx.dll |
  C:\WINDOWS\system32\hhrdxd.dll | 11:54:52
  C:\WINDOWS\system32\wzcfsw.dll | 11:54:47

O2 - BHO: CadLogic Object - {11f09afd-75ad-4e51-ab43-e09e9351ce16} - C:\Program Files\Common Files\cpush\cpush0.dll
O2 - BHO: (no name) - {14698742-2059-3025-9058-954023874141} - C:\WINDOWS\system32\jkhxaklo.dll
O2 - BHO: (no name) - {1ab1f65a-964f-4ae7-b254-05146a0e602e} - C:\Program Files\Internet Explorer\PLUGINS\winsys48.sys
O2 - BHO: (no name) - {22596546-2036-9451-6058-658402589722} - C:\WINDOWS\system32\opshbbty.dll
O2 - BHO: (no name) - {2b69874a-c58c-458d-69f0-698f874e41b2} - C:\WINDOWS\system32\lassaplo.dll
O2 - BHO: (no name) - {2d698451-2015-6358-9871-2015987452d2} - C:\WINDOWS\system32\apzhbtde.dll
O2 - BHO: (no name) - {35671234-7890-abcd-cdef-567801237653} - C:\WINDOWS\system32\yxcschlp.dll
O2 - BHO: (no name) - {37ac9076-c898-b098-d098-a18310480973} - C:\WINDOWS\system32\nhmxcjkl.dll
O2 - BHO: Info Cache - {export ab8c6-fb22-4d17-8834-064e2ba0a6f0} - C:\Documents and Settings\All Users\Application Data\Microsoft\pctools.dll
O2 - BHO: (no name) - {4629ff4f-acdb-5c90-a098-facb3456a264} - C:\WINDOWS\system32\mpmydapi.dll
O2 - BHO: (no name) - {4a698102-5904-afd0-20df-cd1a65829ca4} - C:\WINDOWS\system32\zycbdime.dll
O2 - BHO: (no name) - {50940f85-f015-14f1-a05f-f69858ac6d05} - C:\WINDOWS\system32\zptlcsys.dll
O2 - BHO: (no name) - {528df602-9541-a985-210a-984a698c6f25} - C:\WINDOWS\system32\ptjhehlp.dll
O2 - BHO: (no name) - {55694105-5108-9405-3695-954187462155} - C:\WINDOWS\system32\mpwdeapi.dll
O2 - BHO: (no name) - {5a069845-2036-6084-9054-6087502480a5} - C:\WINDOWS\system32\ozfyebyt.dll
O2 - BHO: (no name) - {5b1aef69-ddae-fdad-dcab-698f026abdb5} - C:\WINDOWS\system32\oohxdbyt.dll
O2 - BHO: (no name) - {5c648541-1025-9650-9057-631658720c5} - C:\WINDOWS\system32\mndhedwd.dll
O2 - BHO: (no name) - {5e091341-6715-2098-51f0-178107ae53e5} - C:\WINDOWS\system32\fgsakuy.dll
O2 - BHO: (no name) - {5fd45a54-9875-698f-e56e-65102358fdf5} - C:\WINDOWS\system32\apsgejba.dll
O2 - BHO: (no name) - {6319a1f1-9410-9654-3201-345ffa349136} - C:\WINDOWS\system32\zywmfime.dll
O2 - BHO: (no name) - {6a041f13-a111-12a3-b0cf-f99818aa68a6} - C:\WINDOWS\system32\zxmscwin.dll
O2 - BHO: (no name) - {7319a1f1-9410-9654-3201-345ffa349133} - C:\WINDOWS\system32\zywmgime.dll
O2 - BHO: (no name) - {7c8d1401-a58d-a81c-cd24-a5915c4517c7} - C:\WINDOWS\system32\mnmhgsrv.dll
O2 - BHO: (no name) - {81954fac-1023-154f-895a-1458258ad818} - C:\WINDOWS\system32\ypdjfbmp.dll
O2 - BHO: (no name) - {9490108f-65f8-b5c5-d8ba-9405fb120133} - C:\WINDOWS\system32\yzztimsn.dll
O2 - BHO: Surfer Class - {users} - C:\Documents and Settings\All Users\Application Data\Microsoft\Office\UserData\webbrowser_2134.dll
O2 - BHO: (no name) - {AA59145F-315D-BC23-AC1F-145DF81A34aa} - C:\WINDOWS\system32\zyzxjime.dll

O4 - HKLM\..\Run: [wallpaper] C:\WINDOWS\system32\wallpaper.exe
O4 - HKLM\..\Run: [hbmhly] C:\WINDOWS\system32\hbmhly.exe -r
O4 - HKLM\..\Run: [winsysw] C:\WINDOWS\533931l.exe
O4 - HKLM\..\Policies\Explorer\Run: [kcomd] kcomd32.exe
O4 - Global Startup: Self.bat -> invalid lnk file

O20 - AppInit_DLLs: exploreo.dll, yzztimsn.dll, nhmxcjkl.dll

O21 - SSODL: midimapwd (-) - {4f4f0064-71e0-4f0d-0018-708476c7815f} = C:\WINDOWS\system32\midimapwd.dll
O21 - SSODL: midimapgj (-) - {4f4f0064-71e0-4f0d-0003-708476c7815f} = C:\WINDOWS\system32\midimapgj.dll
O21 - SSODL: midimapqhx (-) - {4f4f0064-71e0-4f0d-0027-708476c7815f} = C:\WINDOWS\system32\midimapqhx.dll

O23 - Service: 2j9raw (2j9raw) - system32\Drivers\2j9raw.sys | 1, 0, 0, 1 | file system driver | (C) Microsoft Corporation. All rights reserved. | 1, 0, 0, 1 | (Boot)
O23 - Service: 5dinlqohl (5dinlqohl) - system32\Drivers\5dinlqohl.sys (Boot)
O23 - Service: acpidisk (acpidisk) - C:\WINDOWS\system32\Drivers\acpidisk.sys | (Automatic)
O23 - Service: apcdli (apcdli) - C:\Program Files\Microsoft Office\system\apcdli.sys | 8:59:44 (Automatic)
O23 - Service: Beep () - C:\WINDOWS\system32\Drivers\beep.sys | (System)
O23 - Service: bbzxuu (bbzxuu) - C:\WINDOWS\system32\bbzxuu (Manual)
O23 - Service: bcvnsvc (Visual Studio Analyzer Remote Bridge Helper Service) - C:\WINDOWS\system32\svchost.exe -k bcvnsvc -> C:\WINDOWS\system32\bcvnsvc.dll | Microsoft(R) Windows(R) Operating System | 6.6.20.1.1831 | Background Intelligent Transfer Services | (C) Microsoft Corporation. All rights reserved. | 6.6.20.1.1832 | Microsoft Corporation | qmgr32.dll | qmgr32.dll (Automatic)
O23 - Service: eaglent (eaglent) - C:\WINDOWS\system32\Drivers\eaglent.sys (Manual)
O23 - Service: hbkernel (hbkernel driver) - system32\Drivers\hbkernel.sys (Boot)
O23 - Service: hjdmc (hjdmc) - system32\Drivers\hjdmc.sys (Boot)
O23 - Service: msplugplay (Windows Plug and Play) - C:\WINDOWS\system32\svchost.exe -k msplugplay -> C:\WINDOWS\system32\msplugplay1005.sys | (Automatic)
O23 - Service: nesepi (nesepi) - C:\WINDOWS\system32\Drivers\nesepi.sys | 11:49:15 | sys application | 1, 0, 1, 3 | sys application | Copyright (C) 2006 | 1, 0, 1, 3 | Beijing Sanqi Eryi Technology Co., Ltd. | ? | sys | sys.exe (Boot)
O23 - Service: ntptdb (ntptdb) - C:\Documents and Settings\All Users\Application Data\Microsoft\Office\system\ntptdb.sys | 9:32:38 (Automatic)
O23 - Service: upudpkok (upudpkok) - C:\WINDOWS\system32\viscvc.exe | (Automatic)
O23 - Service: windowsupdata (windowsupdata) - C:\WINDOWS\system32\tcpip.exe | 13:53:27 (Automatic)

O24 - ShellExecuteHooks: [5] - {55694105-5108-9405-3695-954187462155} = C:\WINDOWS\system32\mpwdeapi.dll
O24 - ShellExecuteHooks: [6] - {6a041f13-a111-12a3-b0cf-f99818aa68a6} = C:\WINDOWS\system32\zxmscwin.dll
O24 - ShellExecuteHooks: [5] - {5c648541-1025-9650-9057-637958720c5} = C:\WINDOWS\system32\mndhedwd.dll | 11:53:15
O24 - ShellExecuteHooks: [4] - {4629ff4f-acdb-5c90-a098-facb3456a264} = C:\WINDOWS\system32\mpmydapi.dll
O24 - ShellExecuteHooks: [2] - {2d698451-2015-6358-9871-2015987452d2} = C:\WINDOWS\system32\apzhbtde.dll | 11:53:24
O24 - ShellExecuteHooks: [5] - {5b1aef69-ddae-fdad-dcab-698f026abdb5} = C:\WINDOWS\system32\oohxdbyt.dll | 11:53:25
O24 - ShellExecuteHooks: [5] - {50940f85-f015-14f1-a05f-f69858ac6d05} = C:\WINDOWS\system32\zptlcsys.dll | 11:53:27
O24 - ShellExecuteHooks: [5] - {5fd45a54-9875-698f-e56e-65102358fdf5} = C:\WINDOWS\system32\apsgejba.dll | 11:53:30
O24 - ShellExecuteHooks: [9] - {9490108f-65f8-b5c5-d8ba-9405fb120549} = C:\WINDOWS\system32\yzztimsn.dll | 11:53:32
O24 - ShellExecuteHooks: [7] - {7c8d1401-a58d-a81c-cd24-a5915c4517c7} = C:\WINDOWS\system32\mnmhgsrv.dll
O24 - ShellExecuteHooks: [7] - {7319a1f1-9410-9654-3201-345ffa349133} = C:\WINDOWS\system32\zywmgime.dll | 11:53:35
O24 - ShellExecuteHooks: [1] - {14698742-2059-3025-9058-954023874141} = C:\WINDOWS\system32\jkhxaklo.dll
O24 - ShellExecuteHooks: [3] - {35671234-7890-abcd-cdef-567801237653} = C:\WINDOWS\system32\yxcschlp.dll
O24 - ShellExecuteHooks: [5] - {528df602-9541-a985-210a-984a698c6f25} = C:\WINDOWS\system32\ptjhehlp.dll | 11:53:40
O24 - ShellExecuteHooks: [4] - {4a698102-5904-afd0-20df-cd1a65829ca4} = C:\WINDOWS\system32\zycbdime.dll | 11:53:42
O24 - ShellExecuteHooks: [2] - {22596546-2036-9451-6058-658402589722} = C:\WINDOWS\system32\opshbbty.dll
O24 - ShellExecuteHooks: [8] - {81954fac-1023-154f-895a-1458258ad818} = C:\WINDOWS\system32\ypdjfbmp.dll
O24 - ShellExecuteHooks: [5] - {5a069845-2036-6084-9054-6087502480a5} = C:\WINDOWS\system32\ozfyebyt.dll
O24 - ShellExecuteHooks: [a] - {AA59145F-315D-BC23-AC1F-145DF81A34AA} = C:\WINDOWS\system32\zyzxjime.dll
O24 - ShellExecuteHooks: [] - {program} = C:\Program Files\Internet Explorer\PLUGINS\winsys48.sys
O24 - ShellExecuteHooks: [3] - {program} = C:\WINDOWS\system32\nhmxcjkl.dll | 11:53:55
O24 - ShellExecuteHooks: [2] - {2b69874a-c58c-458d-69f0-698f874e41b2} = C:\WINDOWS\system32\lassaplo.dll |
O24 - ShellExecuteHooks: [5] - {5e091341-6715-2098-51f0-178107ae53e5} = C:\WINDOWS\system32\fgsakuy.dll |
O24 - ShellExecuteHooks: [6] - {6319a1f1-9410-9654-3201-345ffa349136} = C:\WINDOWS\system32\zywmfime.dll
O24 - ShellExecuteHooks: [Microsoft] - {28766e1c-74b0-4417-8c75-f12ae309ef35} = C:\WINDOWS\system32\wzcfsw.dll | 11:54:47
O24 - ShellExecuteHooks: [Microsoft] - {17dfd111-bf3a-4cb4-adb0-88fcbfe69821} = C:\WINDOWS\system32\hhrdxd.dll | 11:54:52
O24 - ShellExecuteHooks: [Microsoft] - {45aadfaa-dd36-42ab-83ad-0521bbf58c24} = C:\WINDOWS\system32\zdesfx.dll |
O24 - ShellExecuteHooks: [Microsoft] - {1e51c0fd-ee36-434b-ad2a-fd1ff3731c38} = C:\WINDOWS\system32\wyrsdj.dll
O24 - ShellExecuteHooks: [Microsoft] - {6e6ca8a1-81bc-4707-a54c-f4903dd70bad} = C:\WINDOWS\system32\zgxfdx.dll | 11:55:45
O24 - ShellExecuteHooks: [Microsoft] - {84141087-b645-4bff-b873-da1dc886e9a7} = C:\WINDOWS\system32\cedafb.dll
O24 - ShellExecuteHooks: [Microsoft] - {8c41b7f7-4408-400d-a702-0e7efe0ba304} = C:\WINDOWS\system32\sgrefg.dll | 11:56:35
O24 - ShellExecuteHooks: [Microsoft] - {F99DEFDD-200B-4410-B572-E90883D527D2} = C:\WINDOWS\system32\wrqszl.dll |
O24 - ShellExecuteHooks: [Microsoft] - {461d2ab4-29a5-45c2-9134-d52272d3de38} = C:\WINDOWS\system32\rfdswc.dll | 11:57:14
O24 - ShellExecuteHooks: [Microsoft] - {841529cb-7f77-4b99-a895-b5441e0d302f} = C:\WINDOWS\system32\jfrwdh.dll | 11:57:25
O24 - ShellExecuteHooks: [Microsoft] - {189f087f-4378-405f-85fa-37d955ad7a8c} = C:\WINDOWS\system32\mtewdh.dll |
O24 - ShellExecuteHooks: [Microsoft] - {DC3D30AE-0380-4151-8934-EE98A34B0370} = C:\WINDOWS\system32\mfdesy.dll | 12:40:19
O24 - ShellExecuteHooks: [f] - {4f4f0064-71e0-4f0d-0018-708476c7815f} = C:\WINDOWS\system32\midimapwd.dll
O24 - ShellExecuteHooks: [Microsoft] - {C0595A7E-2E2F-4B34-A83A-019270A0A464} = C:\WINDOWS\system32\tdffdl.dll | 12:40:57
O24 - ShellExecuteHooks: [Microsoft] - {28eb3777-3e23-4e72-8449-a992d09d24c3} = C:\WINDOWS\system32\zefdst.dll |
O24 - ShellExecuteHooks: [Microsoft] - {A9895933-6636-4281-BC58-EE6DE2AF96E3} = C:\WINDOWS\system32\ddserh.dll | 12:41:17
O24 - ShellExecuteHooks: [Microsoft] - {011db9b9-44b4-44d9-b17e-bc7608f2e133} = C:\WINDOWS\system32\cdwqfs.dll | 12:41:36
O24 - ShellExecuteHooks: [f] - {4f4f0064-71e0-4f0d-0003-708476c7815f} = C:\WINDOWS\system32\midimapgj.dll
O24 - ShellExecuteHooks: [f] - {4f4f0064-71e0-4f0d-0027-708476c7815f} = C:\WINDOWS\system32\midimapqhx.dll
O24 - ShellExecuteHooks: [Microsoft] - {EA5D4B0E-B8CE-4761-8C7E-5D26369F0EC6} = C:\WINDOWS\system32\fsrgeb.dll | 2008-5-17 12:43:11

O26 - IFEO: drvanti.exe -> ntsd -d
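What makes the log above damning is not any single line but the cross-references: the same randomly named DLLs recur as BHOs (O2), ShellExecuteHooks (O24) and AppInit_DLLs (O20), a "service" is hosted by svchost but resolves to a .sys file outside the Drivers directory, and an IFEO entry points drvanti.exe at "ntsd -d" so the tool dies the moment it is launched. That triage can be scripted. The Python below is an added example, not part of the original post and not code from pe_xscan; the SAMPLE_LOG it runs on is a constructed excerpt modelled loosely on the entry types above (the exact field layout of pe_xscan output, the benign "Example Helper" control entry and its all-zero CLSID are assumptions), and the heuristics are my own.

```python
"""Triage helper for pe_xscan/HijackThis-style autostart listings (added example).

SAMPLE_LOG is a constructed excerpt modelled on the entry types in the post
(O2, O4, O20, O21, O23, O24, O26); the field layout is an assumption and the
"Example Helper" line is a made-up benign control. It is not the original log.
"""
import re
from collections import defaultdict

SAMPLE_LOG = r"""
O2 - BHO: (no name) - {9490108f-65f8-b5c5-d8ba-9405fb120133} - C:\WINDOWS\system32\yzztimsn.dll
O2 - BHO: (no name) - {37ac9076-c898-b098-d098-a18310480973} - C:\WINDOWS\system32\nhmxcjkl.dll
O2 - BHO: (no name) - {1ab1f65a-964f-4ae7-b254-05146a0e602e} - C:\Program Files\Internet Explorer\PLUGINS\winsys48.sys
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\examplehelper.dll
O4 - HKLM\..\Run: [winsysw] C:\WINDOWS\533931l.exe
O4 - HKLM\..\Policies\Explorer\Run: [kcomd] kcomd32.exe
O20 - AppInit_DLLs: exploreo.dll,yzztimsn.dll,nhmxcjkl.dll
O21 - SSODL: midimapwd - {4f4f0064-71e0-4f0d-0018-708476c7815f} = C:\WINDOWS\system32\midimapwd.dll
O23 - Service: msplugplay (Windows Plug and Play) - C:\WINDOWS\system32\svchost.exe -k msplugplay -> C:\WINDOWS\system32\msplugplay1005.sys (Automatic)
O23 - Service: Beep () - C:\WINDOWS\system32\drivers\beep.sys (System)
O24 - ShellExecuteHooks: [9] - {9490108f-65f8-b5c5-d8ba-9405fb120549} = C:\WINDOWS\system32\yzztimsn.dll
O26 - IFEO: drvanti.exe -> ntsd -d
"""

ENTRY_RE = re.compile(r"^(O\d+)\s*-\s*(.*)$")
PATH_RE = re.compile(r"[a-z]:\\.*?\.(?:dll|exe|sys)\b", re.I)   # full Windows path
BARE_RE = re.compile(r"[\w.-]+\.(?:dll|exe|sys)\b", re.I)       # bare file name


def parse(log_text):
    """Return (kind, body, paths, basenames) for every O-numbered line."""
    out = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        kind, body = m.group(1).upper(), m.group(2)
        # For svchost-hosted services the payload is the module after "->", not svchost itself.
        scan = body.split("->", 1)[1] if kind == "O23" and "->" in body else body
        paths = PATH_RE.findall(scan)
        names = [p.rsplit("\\", 1)[-1].lower() for p in paths] or \
                [n.lower() for n in BARE_RE.findall(scan)]
        out.append((kind, body, paths, names))
    return out


def looks_random(name):
    """Weak hint: generated names (yzztimsn, nhmxcjkl) have almost no vowels.
    Legitimate names such as svchost trip it too, so never act on it alone."""
    stem = re.sub(r"[^a-z]", "", name.rsplit(".", 1)[0].lower())
    return len(stem) >= 5 and sum(c in "aeiou" for c in stem) / len(stem) < 0.25


def triage(log_text):
    """Cross-reference the entries and return a list of findings with reasons."""
    entries = parse(log_text)
    hooks = defaultdict(set)            # basename -> entry kinds that reference it
    for kind, _, _, names in entries:
        for n in names:
            hooks[n].add(kind)
    findings = []
    for kind, body, paths, names in entries:
        target = paths[-1] if paths else (names[-1] if names else "")
        name = names[-1] if names else ""
        why = []
        if kind == "O26" and re.search(r"->\s*ntsd\s+-d\b", body):
            why.append("IFEO Debugger=ntsd -d: the image is killed at launch instead of started")
        if kind == "O20" and names:
            why.append("AppInit_DLLs loads %s into every process that maps user32.dll" % ", ".join(names))
        if kind == "O23" and name.endswith(".sys") and "\\drivers\\" not in target.lower():
            why.append("driver image outside %SystemRoot%\\system32\\drivers")
        if kind == "O23" and "svchost.exe -k" in body.lower() and name.endswith(".sys"):
            why.append("svchost service group resolves to a .sys, not a service DLL")
        if kind == "O2" and name.endswith(".sys"):
            why.append("BHO registered with a .sys extension (still loaded as a DLL)")
        if kind == "O4" and (not paths or re.match(r"[a-z]:\\windows\\[^\\]+$", target, re.I)):
            why.append("Run value with a bare filename or a binary dropped straight into %WINDIR%")
        if kind != "O20" and name and len(hooks[name]) >= 2:
            why.append("same file referenced from " + ", ".join(sorted(hooks[name])))
        if kind != "O20" and name and looks_random(name):
            why.append("random-looking filename (weak signal on its own)")
        if why:
            findings.append({"type": kind,
                             "file": ", ".join(names) if kind == "O20" else name,
                             "reasons": why})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["type"], f["file"])
        for r in f["reasons"]:
            print("   -", r)
```

Note what the script does not catch: the constructed Beep service line produces no finding, because a replaced beep.sys sits at the correct path with the correct name. Name and location heuristics only prioritise; the rootkit named in the title is found by comparing the file's hash or signature against a known-good copy, not by reading the listing.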
(To be continued)