Capture trojans such as backdoor. gpigeon. voo and Trojan. psw. OnlineGames. XD

EndurerOriginal
1Version

A friend said his computer was running very slowly recently and asked me to help with the repair.

Download pe_xscan to scan logs and analyze the logs. The following suspicious items are found:
/---
Pe_xscan 07-04-12 by Purple endurer
2007-5-8 12:12:51
Windows XP Service Pack 2 (5.1.2600)
Administrator user group

[System process] * 0
C:/docume ~ 1/admini ~ 1/locals ~ 1/temp /~ Tm22.tmp. Rom | 1987-5-8
C:/docume ~ 1/admini ~ 1/locals ~ 1/temp /~ Tm23.tmp .. Rom |
C:/docume ~ 1/admini ~ 1/locals ~ 1/temp/hyso0.dll | 10:58:52
C:/docume ~ 1/admini ~ 1/locals ~ 1/temp/qqso0.dll | 10:58:52
C:/docume ~ 1/admini ~ 1/locals ~ 1/temp/myso0.dll | 10:58:52
C:/docume ~ 1/admini ~ 1/locals ~ 1/temp/wgs0.dll | 10:58:52
C:/docume ~ 1/admini ~ 1/locals ~ 1/temp/wls0.dll | 10:58:52
C:/docume ~ 1/admini ~ 1/locals ~ 1/temp/wos0.dll | 10:58:50
C:/docume ~ 1/admini ~ 1/locals ~ 1/temp/rxso0.dll | 10:58:48
C:/docume ~ 1/admini ~ 1/locals ~ 1/temp/ztso0.dll | 10:58:48
C:/docume ~ 1/admini ~ 1/locals ~ 1/temp/mhso0.dll | 10:58:46
C:/Windows/system32/svchost.exe * 884 | MICROSOFT? Windows? Operating System | 5.1.2600.2180 | generic host process for Win32 services |? Microsoft Corporation. All Rights Reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation |? | Svchost.exe
C:/Windows/system32/syst. dll | 19:35:54
C:/Windows/explorer. EXE * 264 | MICROSOFT (r) Windows (r) Operating System | 6.00.2900.2180 | Windows Explorer | (c) Microsoft Corporation. all rights reserved. | 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation |? | Explorer | EXPLORER. EXE
C:/docume ~ 1/admini ~ 1/locals ~ 1/temp/mhso0.dll | 10:58:46
C:/docume ~ 1/admini ~ 1/locals ~ 1/temp/ztso0.dll | 10:58:48
C:/docume ~ 1/admini ~ 1/locals ~ 1/temp/rxso0.dll | 10:58:48
C:/docume ~ 1/admini ~ 1/locals ~ 1/temp/wos0.dll | 10:58:50
C:/docume ~ 1/admini ~ 1/locals ~ 1/temp/wgs0.dll | 10:58:52
C:/docume ~ 1/admini ~ 1/locals ~ 1/temp/wls0.dll | 10:58:52
C:/docume ~ 1/admini ~ 1/locals ~ 1/temp/myso0.dll | 10:58:52
C:/docume ~ 1/admini ~ 1/locals ~ 1/temp/qqso0.dll | 10:58:52
C:/docume ~ 1/admini ~ 1/locals ~ 1/temp/hyso0.dll | 10:58:52
C:/docume ~ 1/admini ~ 1/locals ~ 1/temp /~ Tm22.tmp. Rom | 1987-5-8
C:/docume ~ 1/admini ~ 1/locals ~ 1/temp /~ Tm23.tmp .. Rom |
C:/program files/common files/real/update_ob/realsched.exe * 272 | 11:18:44 | RealPlayer (32-bit) | 0.1.0.3510 | RealNetworks scheduler | copyright? RealNetworks, Inc. 1995-2004 | 0.1.0.3510 | RealNetworks, Inc. | RealAudio (TM) is a trademark of RealNetworks, Inc. | schedapp | realsched.exe
C:/docume ~ 1/admini ~ 1/locals ~ 1/temp /~ Tm22.tmp. Rom | 1987-5-8
D:/kavstart.exe * 1688 | 16:44:34 | Kingsoft Internet Security | 7, 6, 0,212 | Kingsoft Security Center | copyright (c) 2000-2006 Kingsoft Inc (kis International Team ), all rights reserved. | 2006, 11, 10,212 | Kingsoft corporation | Kingsoft | kavstart. EXE
C:/docume ~ 1/admini ~ 1/locals ~ 1/temp /~ Tm22.tmp. Rom | 1987-5-8
C:/Windows/wos3.exe * 1064 |
C:/Windows/wos3.exe |
C:/docume ~ 1/admini ~ 1/locals ~ 1/temp/wos0.dll | 10:58:50
C:/Windows/wls3.exe * 1016 | 10:10:20
C:/Windows/wls3.exe | 10:10:20
C:/docume ~ 1/admini ~ 1/locals ~ 1/temp/wls0.dll | 10:58:52
C:/Windows/wgs3.exe * 976 | 10:10:28
C:/Windows/wgs3.exe | 10:10:28
C:/docume ~ 1/admini ~ 1/locals ~ 1/temp/wgs0.dll | 10:58:52
D:/kmailmon. EXE * 2172 | 16:44:34 | Kingsoft Internet Security | 7, 6, 0, 19 | KingSoft Antivirus mail monitor | copyright? 2000-2006 Kingsoft Inc (kis International Team), All rights reserved. | 2006, 9, 7,918 | Kingsoft corporation | Kingsoft | mailmon | kmailmon. exe
C:/docume ~ 1/admini ~ 1/locals ~ 1/temp /~ Tm22.tmp. Rom | 1987-5-8
C:/Windows/soundman. EXE * 2196 | RealTek Sound Manager | 5, 1, 0, 51 | RealTek Sound Manager | copyright (c) 2001-2004 RealTek semiconducorp Corp. | 5, 1, 0, 51 | RealTek semiconducorp. | alsmtray | alsmtray.exe
C:/docume ~ 1/admini ~ 1/locals ~ 1/temp /~ Tm22.tmp. Rom | 1987-5-8
C:/Windows/system32/ctfmon.exe * 2224 | MICROSOFT? Windows? Operating System | 5.1.2600.2180 | CTF loader |? Microsoft Corporation. All Rights Reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation |? | Ctfmon. exe
C:/docume ~ 1/admini ~ 1/locals ~ 1/temp /~ Tm22.tmp. Rom | 1987-5-8
D:/kpfw32.exe * 2412 | 16:44:36 | Kingsoft Internet Security | 7, 6, 0, 19 | Kingsoft firewall | copyright (c) 2000-2006 Kingsoft Inc (kis International Team ), all rights reserved. | 2006, 10, 24,658 | Kingsoft corporation | Kingsoft | kpfw32.exe | kpfw32.exe
C:/docume ~ 1/admini ~ 1/locals ~ 1/temp /~ Tm22.tmp. Rom | 1987-5-8

O2-BHO-{8298d101-f992-43b7-8eca-5052d885b996}-C:/Windows/system32/Rs. Bin

O4-hkcr/../run: [3u] C:/docume ~ 1/admini ~ 1/locals ~ 1/temp/iexpl0re.exe
O4-hkcr/../run: [tuj] C:/docume ~ 1/admini ~ 1/locals ~ 1/temp/rundl132.exe
O4-hkcr/../run: [wc2imbevyfqu7g] C:/docume ~ 1/admini ~ 1/locals ~ 1/temp/winlog0n.exe

O4-HKLM/../run: [mhsa] C:/docume ~ 1/admini ~ 1/locals ~ 1/temp/mhso.exe
O4-HKLM/../run: [ztsa] C:/docume ~ 1/admini ~ 1/locals ~ 1/temp/ztso.exe
O4-HKLM/../run: [rxsa] C:/docume ~ 1/admini ~ 1/locals ~ 1/temp/rxso.exe
O4-HKLM/../run: [wos3] C:/Windows/wos3.exe
O4-HKLM/../run: [wls3] C:/Windows/wls3.exe
O4-HKLM/../run: [wgs3] C:/Windows/wgs3.exe
O4-HKLM/../run: [wms3] C:/Windows/wms3.exe
O4-HKLM/../run: [jts3] C:/Windows/jts3.exe
O4-HKLM/../run: [qqs3] C:/Windows/qqs3.exe
O4-HKLM/../run: [mysa] C:/docume ~ 1/admini ~ 1/locals ~ 1/temp/myso.exe
O4-HKLM/../run: [qqsa] C:/docume ~ 1/admini ~ 1/locals ~ 1/temp/qqso.exe
O4-HKLM/../run: [hysa] C:/docume ~ 1/admini ~ 1/locals ~ 1/temp/hyso.exe
O4-HKLM/../run: [kernelmh] C:/Windows/kernelmh.exe

O23-service: ersvc (Error Reporting Service)-C:/Windows/system32/svchost.exe-K netsvcs-> C:/Windows/system32/syst. dll | 19:35:54 (automatic)

O24-[f]-{754fb7d8-b8fe-4810-b363-a788cd060f1f} = f
O24-[f]-{A6011F8F-A7F8-49AA-9ADA-49127D43138F} = f
O24-[c]-{729b6c61-bdc5-4c09-a1de-a296ba0b89ec} = C
O24-[]-{91b1e846-2bef-4345-8848-7699c7c9935f} = C:/program files/common files/Microsoft shared/msinfo/syswfgqq2.dll
---/

Check C:/windows and C:/Windows/system32 for a large number of suspicious files, such:
/---
D:/tools/bat_do> dir C:/Windows/system32/A/OD
The volume in drive C is not labeled.
The serial number of the volume is 40fb-ad0b.

C:/Windows/system32 directory

(Omitted)
70,413 dongdi.exe
256,000 syst. dll
256,000 sysi. dll
21,657 wanmei.exe
26,037 moyu.exe
70,413 chajian.exe
58,369 Rs. Bin
23,657 update.txt.exe
23,657 update.txt. bat
13,312 ntup1.dll
17,408 wow3.exe. bat
32 SINFO. ini
20,845 xy2.exe. bat
32,380 xy2ok.exe. bat
215,264 fntcache. dat
11,264 mutou.exe.exe
11,264 mutou.exe. bat
25,088 s159.exe. bat
24,086 szzy.exe. bat
(Omitted)
---/

Download fileinfo and bat_do to the http://purpleendurer.ys168.com. Use fileinfo to extract information about some of these files.

File Description: C:/Windows/10sy.exe
Attribute: ---
An error occurred while obtaining the file version information!
Creation Time:
Modification time: 8:42:40
Access time:
Size: 72568 bytes, 70.888 KB
MD5: 12b7b3d7773dcf24424e83ffcc34eb86

RisingTrojan. psw. qqhx. af

File Description: C:/Windows/wms3.exe
Attribute: ---
An error occurred while obtaining the file version information!
Creation Time: 10:10:30
Modification time: 10:10:32
Access time:
Size: 69730 bytes, 68.98 KB
MD5: d39aa9d7c7448d126ca6cc8f54ce0a21

Kaspersky reportsTrojan. win32.pakesThe rising report isTrojan. psw. OnlineGames. XB

File Description: C:/Windows/jts3.exe
Attribute: ---
An error occurred while obtaining the file version information!
Creation Time: 10:10:32
Modification time: 10:10:34
Access time:
Size: 69095 bytes, 67.487 KB
MD5: b009e2c68ad3be89fc97365769f50a3a

Kaspersky reportsTrojan-PSW.Win32.OnLineGames.bsThe rising report isTrojan. psw. OnlineGames. XD

File Description: C:/Windows/system32/dongdi.exe
Attribute: ---
An error occurred while obtaining the file version information!
Creation Time: 19:25:41
Modification time: 19:25:42
Access time:
Size: 70413 bytes, 68.781 KB
MD5: c95ddf24696e51abcc08d83a44dba90b

Kaspersky reportsNot-a-virus: adware. win32.delf. gThe rising report isTrojan. DL. BHO. iv

File Description: C:/Windows/system32/wanmei.exe
Attribute: ---
An error occurred while obtaining the file version information!
Creation Time: 19:35:52
Modification time: 19:35:54
Access time:
Size: 21657 bytes, 21.153 KB
MD5: 9c97cc090d9c87fcb797a212e12b327f

File Description: C:/Windows/system32/moyu.exe
Attribute: ---
An error occurred while obtaining the file version information!
Creation Time: 19:35:53
Modification time: 19:35:56
Access time:
Size: 26037 bytes, 25.437 KB
MD5: 434ebf20c6532f2fec71c208e53f42aa

File Description: C:/Windows/system32/Rs. Bin
Attribute: ---
An error occurred while obtaining the file version information!
Creation Time: 19:25:42
Modification time: 19:35:58
Access time:
Size: 58369 bytes, 57.1 KB
MD5: 536a919d0cc058c00a73cb1a3f266f12

File Description: C:/Windows/system32/chajian.exe
Attribute: ---
An error occurred while obtaining the file version information!
Creation Time: 19:35:55
Modification time: 19:35:58
Access time:
Size: 70413 bytes, 68.781 KB
MD5: c95ddf24696e51abcc08d83a44dba90b

Kaspersky reportsNot-a-virus: adware. win32.delf. gThe rising report isTrojan. DL. BHO. iv

File Description: C:/Windows/system32/update.txt.exe
Attribute: ---
An error occurred while obtaining the file version information!
Creation Time:
Modification time:
Access time:
Size: 23657 bytes, 23.105 KB
MD5: c385ed2bc5ea41568892a4a0b6e5f0ab

RisingTrojan. DL. multi. WHN

File Description: C:/Windows/system32/update.txt. bat
Attribute: ---
An error occurred while obtaining the file version information!
Creation Time:
Modification time:
Access time:
Size: 23657 bytes, 23.105 KB
MD5: c385ed2bc5ea41568892a4a0b6e5f0ab

File Description: C:/Windows/system32/xy2.exe. bat
Attribute: ---
An error occurred while obtaining the file version information!
Creation Time:
Modification time:
Access time:
Size: 20845 bytes, 20.365 KB
MD5: c168697e596c7183ab28eee23e3ed73e

File Description: C:/Windows/system32/xy2ok.exe. bat
Attribute: ---
An error occurred while obtaining the file version information!
Creation Time: 8:18:30
Modification time: 8:18:32
Access time:
Size: 32380 bytes, 31.636 KB
MD5: c014040a36e1ae2c4294a18d24756c88

Kaspersky reportsBackdoor. win32.pcclient. zaThe rising report isBackdoor. gpigeon. voo

File Description: C:/Windows/system32/mutou.exe.exe
Attribute: ---
An error occurred while obtaining the file version information!
Creation Time: 8:31:32
Modification time: 8:18:46
Access time:
Size: 11264 bytes, 11.0 KB
MD5: 900c5ccc44a5f7a58952f4bdac0c7e5e

File Description: C:/Windows/system32/mutou.exe. bat
Attribute: ---
An error occurred while obtaining the file version information!
Creation Time:
Modification time: 8:18:48
Access time:
Size: 11264 bytes, 11.0 KB
MD5: 900c5ccc44a5f7a58952f4bdac0c7e5e

File Description: C:/Windows/system32/szzy.exe. bat
Attribute: ---
An error occurred while obtaining the file version information!
Creation Time: 12:52:40
Modification time: 12:52:42
Access time:
Size: 24086 bytes, 23.534 KB
MD5: 47c6c4411c19f9d3c8f321b9eb299dc1

Use bat_do to package and back up some of them.

Download Dr. Web cureit scan. The result is as follows:
======================================
Dr. Web (r) platform for Windows v4.33.2 (4.33.2.10067)
Copyright (c) Igor Daniloff, 1992-2006
Log generated on:, 12:18:30 [administrator]
Operating System: Windows XP Professional x86 (build 2600), Service Pack 2
======================================
C:/Documents ents and settings/Administrator/Local Settings/temp/hyso.exe infectedTrojan. PWS. wsgame-Deleted
C:/Documents and Settings/Administrator/Local Settings/temp/mhso.exe infectedTrojan. PWS. wsgame-Deleted
C:/Documents ents and settings/Administrator/Local Settings/temp/myso.exe infectedTrojan. PWS. wsgame-Deleted
C:/Documents and Settings/Administrator/Local Settings/temp/qqso.exe infectedTrojan. PWS. wsgame-Deleted
> C:/Documents and Settings/Administrator/Local Settings/temp/rundl132.exe infectedTrojan. PWS. wsgame-Deleted
C:/Documents ents and settings/Administrator/Local Settings/temp/rxso.exe infectedTrojan. PWS. wsgame-Deleted
> C:/Documents and Settings/Administrator/Local Settings/temp/winlog0n.exe infectedTrojan. PWS. wsgame-Deleted
C:/Documents ents and settings/Administrator/Local Settings/temp/ztso.exe infectedTrojan. PWS. wsgame-Deleted
C:/program files/common files/Microsoft shared/msinfo/syswfgqq2.dll infectedTrojan. PWS. qqpass.623-Deleted
C:/Windows/jts3.exe-read error
> C:/Windows/kernelmh.exe infectedTrojan. PWS. Wow-Deleted
C:/Windows/qqs3.exe infectedTrojan. PWS. wsgame-Deleted
C:/Windows/wgs3.exe infectedTrojan. PWS. wsgame-Deleted
C:/Windows/wls3.exe infectedTrojan. PWS. wsgame-Deleted
C:/Windows/wms3.exe-read error
C:/Windows/wos3.exe infectedTrojan. PWS. wsgame-Deleted
C:/Documents and Settings/Administrator/Local Settings/temp/mhso0.dll infectedTrojan. PWS. wsgame-Will be cured after reboot
C:/Documents and Settings/Administrator/Local Settings/temp/ztso0.dll infectedTrojan. PWS. wsgame-Will be cured after reboot
C:/Documents and Settings/Administrator/Local Settings/temp/rxso0.dll infectedTrojan. PWS. wsgame-Will be cured after reboot
C:/Documents and Settings/Administrator/Local Settings/temp/wos0.dll infectedTrojan. PWS. wsgame-Will be cured after reboot
C:/Documents and Settings/Administrator/Local Settings/temp/wls0.dll infectedTrojan. PWS. wsgame-Will be cured after reboot
C:/Documents and Settings/Administrator/Local Settings/temp/iexpl0re.exe-read error
C:/Documents and Settings/Administrator/Local Settings/temp/wgs0.dll infectedTrojan. PWS. wsgame-Will be cured after reboot
C:/Documents and Settings/Administrator/Local Settings/temp/qqso0.dll infectedTrojan. PWS. wsgame-Will be cured after reboot
C:/Documents and Settings/Administrator/Local Settings/temp/hyso0.dll infectedTrojan. PWS. wsgame-Will be cured after reboot
> C:/Documents and Settings/Administrator/Local Settings/temp /~ Tm22.tmp. Rom probably infectedDloader. Trojan
C:/Documents and Settings/Administrator/Local Settings/temp /~ Tm23.tmp .. Rom infectedTrojan. PWS. wsgame-Will be cured after reboot
> C:/program files/common files/system/commond. pifc:/program files/Internet Explorer/Winlogon. EXE infectedTrojan. PWS. wsgame-Deleted
C:/program files/thunder Network/thunder/Program/AD/n1175509284861.swf infectedTrojan. PWS. wsgame-Deleted
> C:/Windows/kb1_1_logc:/Windows/SMSs. EXE infectedTrojan. PWS. wsgame-Deleted
C:/Windows/8sy.exe infectedTrojan. PWS. wsgame-Deleted
C:/Windows/9sy.exe infectedTrojan. PWS. wsgame-Deleted
C:/Windows/wms3.exe-read error
C:/Windows/jts3.exe-read error
C:/Windows/system32/sysi. dll probably infectedDloader. Trojan
C:/Windows/system32/syst. dll probably infectedDloader. Trojan
> C:/Windows/system32/moyu.exe> C:/Windows/system32/fengyun.exe infectedTrojan. PWS. qqpass.503-Deleted
C:/Windows/system32/chuanqi.exe infectedTrojan. PWS. lineage-Deleted
> C:/Windows/system32/windowstools.exe infectedTrojan. PWS. gamania-Deleted
> C:/Windows/system32/xy2.exe. Bat> C:/Windows/system32/xy2ok.exe. bat probably infectedBackdoor. Trojan
C:/Windows/system32/s159.exe. Bat-read error
> C:/Windows/system32/szzy.exe. bat probably infectedDloader. Trojan
C:/Windows/system32/wow3.exe. Bat-read error
> C:/Windows/system32/sl_xy2.exe.bat infectedTrojan. PWS. wsgame-Deleted
> C:/Windows/system32/sl_my0324.exe.bat infectedTrojan. PWS. wsgame-Deleted
C:/Windows/system32/feizhujixi.exe. Bat infectedTrojan. PWS. wsgame-Deleted
> C:/Windows/system32/sl_wl0325.exe.bat infectedTrojan. PWS. wsgame-Deleted

Download hijackthis to the http://endurer.ys168.com to fix items other than o24; download auto_del to delete files that are missing the next time you start (add files to be deleted if the prompt "file does not exist or directory, add ?" Click "yes ").
Install the rising Card Security Assistant and uninstall the projects in o24.