Cpush, a rogue software


Endurer original, version 1

Just now a netizen told me his computer was infected with viruses. After Rising cleaned it he restarted the computer and asked me to assist him remotely over QQ.

I checked Rising's antivirus log: the infection was the cpush rogue software.

I ran Rising Kaka Security Assistant and used [Anti-malware and rogue software] under [Basic functions]. The report listed cpush, so I clicked the [Clear now] button ......

Checking the startup items again, cpush entries were still there. This is like last year's Sohu game, which let users uninstall it but also set a startup item so that it reinstalled itself at the next system boot ......

I downloaded pe_xscan, ran a scan, and analyzed the log. The following suspicious items were found:
/---
Pe_xscan 07-07-24 by Purple endurer
2007-8-1 21:46:23
Windows XP Service Pack 2 (5.1.2600)
Administrator user group

C:/Windows/explorer.EXE * 1432 | Microsoft (R) Windows (R) Operating System | 6.00.2900.2180 | Windows Explorer | (C) Microsoft Corporation. All rights reserved. | 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation | ? | Explorer | EXPLORER.EXE
C:/Windows/system32/cpasevcl1.dll | 9:45:18 | cpasevcl dynamic link library | 1, 0, 0, 4 | cpasevcl dynamic link library | Copyright (C) 2006 | 1, 0, 0, 4 | ? | ? | cpasevcl.dll
C:/Windows/system32/cpasevcl.dll | 9:45:18 | cpasevcl dynamic link library | 1, 0, 0, 4 | cpasevcl dynamic link library | Copyright (C) 2006 | 1, 0, 0, 4 | ? | ? | cpasevcl.dll

O3-IE Toolbar: shortcut toolbar 3.1.5 - ? {BE830FD4-E393-417F-9F4B-CC70ABB3384C} -

O4-HKLM/../run: [nvcpldaemons] C:/program files/common files/ad2180.exe
O4-HKLM/../run: [svpecld] C:/Windows/system32/svpecld.exe
O4-HKLM/../runonce: [cpushsetup] "C:/Windows/system32/regsvr32.exe"/s "C:/program files/common files/cpush.dll"

O23-service: eaglent (eaglent) - C:/Windows/system32/Drivers/eaglent.sys (manual)

O23-service: npkycryp (npkycryp) - C:/Windows/system32/npkycryp.sys (manual)
---/

Here, the entry

O4-HKLM/../run: [nvcpldaemons] C:/program files/common files/ad2180.exe

has a misleading startup name: without looking at the file it points to, you might take it for part of the NVIDIA graphics driver.

cpasevcl1.dll, cpasevcl.dll and svpecld.exe appear to be related to "speed of the stars". I disabled the svpecld.exe startup item in Rising Kaka Security Assistant, but within moments the startup item for svpecld.exe was written back ......
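As an added example (not from the original post, nor part of pe_xscan or autodel), here is a small Python triage script that parses the O4 startup entries from the log above and applies the checks the article makes by eye: a value name that borrows an NVIDIA-style prefix (nvcpl) but points outside any NVIDIA directory, a payload dropped straight into Common Files rather than a vendor subfolder, and a RunOnce entry that silently re-registers a DLL with regsvr32 /s so the component comes back at the next boot. The sample lines are copied from the report above; the heuristics and function names are my own.

```python
import re

# Constructed sample: the three O4 (Run/RunOnce) lines copied from the pe_xscan log above.
SAMPLE_LOG = """\
O4-HKLM/../run: [nvcpldaemons] C:/program files/common files/ad2180.exe
O4-HKLM/../run: [svpecld] C:/Windows/system32/svpecld.exe
O4-HKLM/../runonce: [cpushsetup] "C:/Windows/system32/regsvr32.exe"/s "C:/program files/common files/cpush.dll"
"""

# pe_xscan/HijackThis-style O4 line: O4-<hive>/../<key>: [<value name>] <command>
O4_RE = re.compile(r'^O4-(?P<hive>\w+)/\.\./(?P<key>\w+):\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$')
# A quoted token, or a bare drive-letter path (spaces allowed) ending in an executable extension.
PATH_RE = re.compile(r'"([^"]+)"|([A-Za-z]:[/\\][^"]*?\.(?:exe|dll|sys|bat|cmd))', re.I)
EXT_RE = re.compile(r"\.(exe|dll|sys|bat|cmd)$", re.I)

def parse_o4(log: str) -> list[dict]:
    """Return one dict (hive, key, name, cmd) per O4 line in the log."""
    matches = (O4_RE.match(line.strip()) for line in log.splitlines())
    return [m.groupdict() for m in matches if m]

def command_paths(cmd: str) -> list[str]:
    """Extract the file paths referenced by a Run command, lower-cased."""
    toks = [q or b for q, b in PATH_RE.findall(cmd)]
    return [t.lower() for t in toks if EXT_RE.search(t)]

def review_entry(e: dict) -> list[str]:
    """Heuristic triage notes for one O4 entry; an empty list means nothing stood out."""
    name, key, cmd = e["name"].lower(), e["key"].lower(), e["cmd"]
    paths = command_paths(cmd)
    if not paths:
        return ["no recognisable file path in command"]
    stems = [p.rsplit("/", 1)[-1].rsplit(".", 1)[0] for p in paths]
    notes = []
    # (1) Value name mimics NVIDIA's nvcpl loader but the file is not in an NVIDIA directory.
    if name.startswith("nvcpl") and not any("nvidia" in p for p in paths):
        notes.append("nvcpl-style name but target is outside any NVIDIA directory")
    # (2) Payload dropped directly into Common Files instead of a vendor subfolder.
    notes += [f"file placed directly in Common Files: {p}"
              for p in paths if re.search(r"/common files/[^/]+$", p)]
    # (3) RunOnce silently re-registering a DLL: reinstalls the component at next boot.
    if key == "runonce" and "regsvr32" in stems and re.search(r'(?:^|\s|")/s\b', cmd, re.I):
        notes.append("RunOnce re-registers a DLL with regsvr32 /s on next boot")
    # (4) Value name shares nothing with the name of the file it launches.
    if not any(s in name or name in s for s in stems if s != "regsvr32"):
        notes.append("value name does not match the target file name")
    return notes

def triage(log: str) -> dict[str, list[str]]:
    """Map each O4 value name to its triage notes."""
    return {e["name"]: review_entry(e) for e in parse_o4(log)}
```

Run `triage(SAMPLE_LOG)` to see that nvcpldaemons and cpushsetup collect notes while svpecld, whose name matches its file, passes these checks and still has to be judged by the file itself.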

I downloaded autodel from http://endurer.ys168.com and added the following files to its delete list:

C:/program files/common files/ad2180.exe
C:/Windows/system32/svpecld.exe
C:/program files/common files/cpush.dll

Then I clicked the [Delete on next startup] button and chose Allow when Rising's registry monitor prompted.

I asked the netizen to restart his computer and scan again; no virus was found ......
