Cpush, a piece of rogue software
Endurer Original
Version 1
Just now a netizen told me his computer was infected. Rising had cleaned it, he restarted the machine, and then asked me to help him through QQ remote assistance.
Checked Rising's antivirus log: it turned out to be the Cpush rogue software.
Ran the Rising Kaka Security Assistant and used [Anti-malware and rogue software] under [Basic functions]. The report showed Cpush; clicked the [Clear now] button ......
Checked the startup items again and found that Cpush entries were still there. This is like last year's Sohu game: it let the user uninstall it but also set a startup item, so that it would be reinstalled automatically at the next system boot ......
Downloaded pe_xscan to scan the machine and produce a log, then analysed the log. The following suspicious items were found:
/---
Pe_xscan 07-07-24 by Purple endurer
2007-8-1 21:46:23
Windows XP Service Pack 2 (5.1.2600)
Administrator user group
C:/Windows/explorer.EXE * 1432 | Microsoft (R) Windows (R) Operating System | 6.00.2900.2180 | Windows Explorer | (C) Microsoft Corporation. All rights reserved. | 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation | ? | Explorer | EXPLORER.EXE
C:/Windows/system32/cpasevcl1.dll | 9:45:18 | cpasevcl dynamic link library | 1, 0, 0, 4 | cpasevcl dynamic link library | copyright (c) 2006 | 1, 0, 0, 4 | ? | ? | cpasevcl.dll
C:/Windows/system32/cpasevcl.dll | 9:45:18 | cpasevcl dynamic link library | 1, 0, 0, 4 | cpasevcl dynamic link library | copyright (c) 2006 | 1, 0, 0, 4 | ? | ? | cpasevcl.dll
O3-IE Toolbar: shortcut toolbar 3.1.5 - ? {BE830FD4-E393-417F-9F4B-CC70ABB3384C} -
O4-HKLM/../run: [nvcpldaemons] C:/program files/common files/ad2180.exe
O4-HKLM/../run: [svpecld] C:/Windows/system32/svpecld.exe
O4-HKLM/../runonce: [cpushsetup] "C:/Windows/system32/regsvr32.exe" /s "C:/program files/common files/cpush.dll"
O23-service: eaglent (eaglent) - C:/Windows/system32/Drivers/eaglent.sys (manual)
O23-service: npkycryp (npkycryp) - C:/Windows/system32/npkycryp.sys (manual)
---/
Of these, the startup item
O4-HKLM/../run: [nvcpldaemons] C:/program files/common files/ad2180.exe
has a rather confusing name: if you don't look at the corresponding file, you might think it is related to the NVIDIA graphics card.
Cpasevcl1.dll, cpasevcl.dll and svpecld.exe seem to be related to "speed of the stars". In the Rising Kaka Security Assistant the startup item for svpecld.exe was removed, but within a short time it was added back ......
Downloaded autodel from http://endurer.ys168.com and added
C:/program files/common files/ad2180.exe
C:/Windows/system32/svpecld.exe
C:/program files/common files/cpush.dll
to the list of files to delete, clicked the [Delete at next startup] button, and chose Allow when Rising's registry monitor prompted.
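The two steps above, picking the suspicious entries out of the pe_xscan O4/O23 lines and turning them into a list of files to delete at next boot, can be automated. The script below is an added example written for this page, not part of pe_xscan, autodel or the original post. It parses the startup and service lines as they appear in the report (with the extension spacing normalised, e.g. "cpush.dll"), applies a few labelled heuristics (a startup name that borrows a known vendor prefix such as "nvcpl" while the file is not under that vendor's path; an executable dropped directly into Common Files; a RunOnce entry that calls regsvr32 /s, which re-registers the DLL and so reinstalls the component after a cleanup; a kernel driver stored outside system32/Drivers), and then builds the deletion list. The HOST_BINARIES and VENDOR_HINTS tables and the `confirmed_names` parameter are assumptions of the example: svpecld.exe is not caught by the heuristics and is added because the Kaka report had already attributed it, exactly as in the walkthrough.

```python
import posixpath
import re
from dataclasses import dataclass, field

# Constructed sample input: the O4 and O23 lines of the pe_xscan report quoted
# above, with the extraction artefacts ("cpush. dll", "eaglent. sys") normalised
# so that the extension is attached to the file name.
SAMPLE_LOG = """\
O4-HKLM/../run: [nvcpldaemons] C:/program files/common files/ad2180.exe
O4-HKLM/../run: [svpecld] C:/Windows/system32/svpecld.exe
O4-HKLM/../runonce: [cpushsetup] "C:/Windows/system32/regsvr32.exe"/s "C:/program files/common files/cpush.dll"
O23-service: eaglent (eaglent)-C:/Windows/system32/Drivers/eaglent.sys (manual)
O23-service: npkycryp (npkycryp)-C:/Windows/system32/npkycryp.sys (manual)
"""

# Hypothetical tables (not from the page): binaries that only host a payload
# passed as an argument, and name fragments that suggest a well-known vendor.
HOST_BINARIES = {"regsvr32.exe", "rundll32.exe"}
VENDOR_HINTS = {"nvcpl": "nvidia"}

O4_RE = re.compile(r"^O4-(?P<key>\S+):\s*\[(?P<name>[^\]]+)\]\s*(?P<cmd>.+)$")
O23_RE = re.compile(
    r"^O23-service:\s*(?P<name>\S+)\s*\([^)]*\)-(?P<path>.+?)\s*\((?P<start>\w+)\)\s*$")


@dataclass
class Entry:
    kind: str                    # "O4" (Run/RunOnce value) or "O23" (service/driver)
    key: str                     # registry key path, or start type for a service
    name: str                    # value name or service name
    paths: list                  # file paths referenced by the entry
    reasons: list = field(default_factory=list)


def extract_paths(cmd):
    """Paths referenced by a Run/RunOnce command line. Quoted arguments are taken
    whole; an unquoted command is treated as a single path that may contain
    spaces, which is how 'C:/program files/...' shows up in the report."""
    quoted = re.findall(r'"([^"]+)"', cmd)
    if quoted:
        return [q for q in quoted if re.search(r"\.(exe|dll|sys)$", q, re.I)]
    m = re.match(r"(.+?\.(?:exe|dll|sys))(?:\s|$)", cmd, re.I)
    return [m.group(1)] if m else [cmd.strip()]


def parse(log):
    entries = []
    for line in log.splitlines():
        if m := O4_RE.match(line):
            entries.append(Entry("O4", m["key"], m["name"], extract_paths(m["cmd"])))
        elif m := O23_RE.match(line):
            entries.append(Entry("O23", m["start"], m["name"], [m["path"].strip()]))
    return entries


def payloads(entry):
    """Drop host binaries such as regsvr32.exe; keep the file they load."""
    return [p for p in entry.paths if posixpath.basename(p).lower() not in HOST_BINARIES]


def flag(entry):
    """Attach human-readable reasons to the entry; True when anything matched."""
    for p in payloads(entry):
        low = p.lower().replace("\\", "/")
        folder = posixpath.dirname(low)
        if entry.kind == "O4" and folder.endswith("/common files"):
            entry.reasons.append(f"{p}: executable placed directly in Common Files (heuristic)")
        if entry.kind == "O23" and low.endswith(".sys") and not folder.endswith("/drivers"):
            entry.reasons.append(f"{p}: kernel driver stored outside system32/Drivers (heuristic)")
    for hint, vendor in VENDOR_HINTS.items():
        if hint in entry.name.lower() and not any(vendor in p.lower() for p in entry.paths):
            entry.reasons.append(f"name '{entry.name}' imitates a {vendor} component, "
                                 f"but the file is not under a {vendor} path")
    if entry.kind == "O4" and "runonce" in entry.key.lower() and any(
            posixpath.basename(p).lower() in HOST_BINARIES for p in entry.paths):
        entry.reasons.append("RunOnce re-registers a DLL at next boot; "
                             "reinstalls the component after a cleanup")
    return bool(entry.reasons)


def suspicious(log):
    return [e for e in parse(log) if flag(e)]


def delete_list(log, confirmed_names=()):
    """Files to schedule for deletion at next boot: payloads of flagged Run
    entries, plus entries whose name the AV report has already attributed."""
    confirmed = {n.lower() for n in confirmed_names}
    out = []
    for e in parse(log):
        if e.kind == "O4" and (flag(e) or e.name.lower() in confirmed):
            for p in payloads(e):
                if p not in out:
                    out.append(p)
    return out


if __name__ == "__main__":
    for e in suspicious(SAMPLE_LOG):
        print(e.kind, e.name, "->", "; ".join(e.reasons))
    print("delete at next boot:", delete_list(SAMPLE_LOG, confirmed_names={"svpecld"}))
```

Run as-is, the script flags nvcpldaemons, cpushsetup and the npkycryp driver, and `delete_list(SAMPLE_LOG, confirmed_names={"svpecld"})` yields the same three paths that were handed to autodel above. The drivers are reported but kept out of the deletion list, matching the walkthrough, which removed only the Run/RunOnce payloads.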
Asked the netizen to restart his computer and scan again; no more viruses were found ......