ebuiiti.sys, qbnlwvqcimqbos.dll, jsrldzlvyunxeo.dll, jsrldzlvyunxeo.dll, etc.
Endurer Original
1st version
Yesterday a netizen said that AntiVir on his computer kept reporting viruses and the machine was running very slowly, and asked me to repair it through QQ.
I checked the AntiVir log, shown below (duplicate detections removed):
/---
Exported events:
[Guard] malware found
Virus or unwanted program 'html/shellcode.gen [HTML/shellcode.gen]'
Detected in file 'C:/Windows/temp/194070676504.tmp'.
Action completed MED: Deny Access
[Guard] malware found
Virus or unwanted program 'js/dldr.Agent.ZY [JS/dldr.Agent.ZY]'
Detected in file 'C:/Documents and Settings/LocalService/Local Settings/Temporary Internet Files/content.ie5/zfprnt8w/6142[1].js'.
Action completed MED: Deny Access
[Guard] malware found
Virus or unwanted program 'js/dldr.fakebaidu [JS/dldr.fakebaidu]'
Detected in file 'C:/Documents and Settings/LocalService/Local Settings/Temporary Internet Files/content.ie5/zfprnt8w/du81_12.16.htm'.
Action completed MED: Deny Access
[Guard] malware found
Virus or unwanted program 'heur/exploit.html [heur/exploit.html]'
Detected in file 'C:/Windows/temp/194028139496.tmp'.
Action completed MED: Deny Access
[Guard] malware found
Virus or unwanted program 'html/ADODB.Exploit.gen [HTML/ADODB.Exploit.gen]'
Detected in file 'C:/Documents and Settings/LocalService/Local Settings/Temporary Internet Files/content.ie5/cv7z6c59/ifuckhackerdewife[1].js'.
Action completed MED: Move file to quarantine
[Guard] error detected
Error detected in AntiVir Guard.
Error message: action failed for file: C:/Documents and Settings/LocalService/Local Settings/Temporary Internet Files/content.ie5/cv7z6c59/ifuckhackerdewife[1].js
Error code: [0x00000005-Access denied.].
[Guard] malware found
Virus or unwanted program 'html/dldr.agent.380 [HTML/dldr.agent.380]'
Detected in file 'C:/Documents and Settings/LocalService/Local Settings/Temporary Internet Files/content.ie5/2vrb9sju/xs000012.16.htm'.
Action completed MED: delete file
[Guard] malware found
Virus or unwanted program 'exp/ani.gen [exp/ani.gen]'
Detected in file 'C:/Documents and Settings/LocalService/Local Settings/Temporary Internet Files/content.ie5/cv7z6c59/ad1_1).jpg'.
Action completed MED: delete file
[Guard] malware found
Virus or unwanted program 'exp/thunder.3 [exp/thunder.3]'
Detected in file 'C:/Documents and Settings/LocalService/Local Settings/Temporary Internet Files/content.ie5/in5svhqn/webxl[1].js'.
Action completed MED: delete file
[Guard] malware found
Virus or unwanted program 'tr/rootkit.AK [tr/rootkit.Ak]'
Detected in file 'C:/Windows/system32/Drivers/bdguard.sys'.
Action completed MED: Deny Access
[Guard] malware found
Virus or unwanted program 'tr/agent.Akl [tr/agent.Akl]'
Detected in file 'C:/program files/Baidu/BAR/bdgdins.dll'.
Action completed MED: delete file
[Guard] malware found
Virus or unwanted program 'html/objcode.Q [HTML/objcode.q]'
Detected in file 'C:/Windows/temp/194070688776.tmp'.
Action completed MED: Deny Access
[Guard] malware found
Virus or unwanted program 'html/click.vipstat [HTML/click.vipstat]'
Detected in file 'C:/Documents and Settings/LocalService/Local Settings/Temporary Internet Files/content.ie5/nee4uxl7/log1%2%.htm'.
Action completed MED: Deny Access
[Guard] malware found
Virus or unwanted program 'js/iframe.B [JS/iframe.B]'
Detected in file 'C:/Documents and Settings/LocalService/Local Settings/Temporary Internet Files/content.ie5/7zdzhnbt/1358616[1].js'.
Action completed MED: Deny Access
[Guard] malware found
Virus or unwanted program 'tr/click.html.IFRAME.Da [tr/click.html.IFRAME.Da]'
Detected in file 'C:/Documents and Settings/LocalService/Local Settings/Temporary Internet Files/content.ie5/2vrb9sju/BB[1].js'.
Action completed MED: Deny Access
[Guard] malware found
Virus or unwanted program 'html/infected.webpage.gen [HTML/infected.webpage.gen]'
Detected in file 'C:/Documents and Settings/LocalService/Local Settings/Temporary Internet Files/content.ie5/nee4uxl7/wg199742512.16.htm'.
Action completed MED: Deny Access
[Guard] malware found
Virus or unwanted program 'html/dldr.Agent.Zi [HTML/dldr.Agent.Zi]'
Detected in file 'C:/Windows/temp/194028139456.tmp'.
Action completed MED: Deny Access
[Guard] malware found
Virus or unwanted program 'html/dldr.codsig [HTML/dldr.codsig]'
Detected in file 'C:/Documents and Settings/LocalService/Local Settings/Temporary Internet Files/content.ie5/7zdzhnbt/ee00001).htm'.
Action completed MED: Deny Access
---/
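As an added example (not part of the original post), a small Python triage script for Guard log entries of the shape shown above: it separates the browser-cache and temp hits that make up the drive-by chain from the components already installed on disk, and lists the files Guard only denied access to or failed to remove, which are the ones that still need manual cleanup. The sample log is three of the entries above re-typed; the field labels, including "MED:", are taken from the log as printed.

```python
import re
# Constructed sample in the shape of the Guard log above: three of its entries re-typed, including the failed quarantine.
SAMPLE_LOG = """\
[Guard] malware found
Virus or unwanted program 'html/ADODB.Exploit.gen [HTML/ADODB.Exploit.gen]'
Detected in file 'C:/Documents and Settings/LocalService/Local Settings/Temporary Internet Files/content.ie5/cv7z6c59/ifuckhackerdewife[1].js'.
Action completed MED: Move file to quarantine
[Guard] error detected
Error message: action failed for file: C:/Documents and Settings/LocalService/Local Settings/Temporary Internet Files/content.ie5/cv7z6c59/ifuckhackerdewife[1].js
[Guard] malware found
Virus or unwanted program 'tr/rootkit.AK [tr/rootkit.Ak]'
Detected in file 'C:/Windows/system32/Drivers/bdguard.sys'.
Action completed MED: Deny Access
[Guard] malware found
Virus or unwanted program 'tr/agent.Akl [tr/agent.Akl]'
Detected in file 'C:/program files/Baidu/BAR/bdgdins.dll'.
Action completed MED: delete file
"""
FIELDS = {  # one regex per field; the bracketed alias after the threat name is dropped
    "threat": re.compile(r"Virus or unwanted program '([^'\[]+?) ?\["),
    "path": re.compile(r"Detected in file '(.+?)'\.?$|action failed for file: (.+)$"),
    "action": re.compile(r"Action completed MED: (.+)$"),
}

def parse_guard_log(text):
    """One dict per '[Guard] ...' block with kind, threat, path and action."""
    events, cur = [], None
    for line in text.splitlines():
        if line.startswith("[Guard] "):
            cur = dict(kind=line[8:], threat=None, path=None, action=None)
            events.append(cur)
        elif cur is not None:
            for key, rx in FIELDS.items():
                if m := rx.search(line):
                    cur[key] = next(g for g in m.groups() if g).strip()
    return events

TRANSIENT = ("temporary internet files", "/windows/temp/")  # where the drive-by chain lands

def triage(events):
    """Cache/temp hits (exploit chain) vs installed components, plus what Guard did not remove."""
    failed = {e["path"] for e in events if e["kind"] == "error detected"}
    cache, installed, leftover = [], [], []
    for e in events:
        if e["kind"] != "malware found":
            continue
        transient = any(k in e["path"].lower() for k in TRANSIENT)
        (cache if transient else installed).append((e["threat"], e["path"]))
        if e["action"].lower() == "deny access" or e["path"] in failed:
            leftover.append(e["path"])
    return {"cache": cache, "installed": installed, "leftover": leftover}
```

Run against the full log, the "leftover" list is the set of temp files, cache entries and the bdguard.sys driver that Guard could not delete while the rootkit was active.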
Baidu Souba (the Baidu toolbar) was indeed installed, so it was uninstalled.
Downloaded pe_xscan and ran a scan; analysing its log turned up the following suspicious items:
/---
Pe_xscan 07-08-30 by Purple endurer
2007-11-7 17:50:28
Windows XP Service Pack 2 (5.1.2600)
Non-administrator user group
C:/Windows/explorer.EXE * 1356 | 21:21:55 | MICROSOFT (r) Windows (r) Operating System | 6.00.2900.3156 | Windows Explorer | (c) Microsoft Corporation. all rights reserved. | 6.00.2900.3156 (xpsp_sp2_gdr.070613-1234) | Microsoft Corporation |? | Explorer | EXPLORER.EXE
C:/Documents and Settings/RE/Application Data/PPStream/bin/1.0.0.2/vodrc.DLL | vodrc | 1.0.0.2 | vodrc | PPStream Inc. all rights reserved. | 1.0.0.2 | ppstream.com |? | vodrc.dll | vodrc.dll
C:/progra~1/Baidu/BAR/baidubar.DLL | 15:52:44 | baidubar module | 2, 0, 2, 145 | baidubar module | copyright 2005 | 2, 0, 2, 145 | Baidu.com, Inc. | baidubar.DLL
C:/Windows/system32/svchost.exe * 1940 | MICROSOFT? Windows? Operating System | 5.1.2600.2180 | generic host process for Win32 services |? Microsoft Corporation. All Rights Reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation |? | svchost.exe
C:/Windows/system32/WBEM/qbnlwvqcimqbos.dll | 11:30:23
O2-BHO ppgoucatcher-{rj0000-0000-0000-e58e57c9c848}-C:/progra~1/ppgou/ppgoui~1.dll
O23-service: bdguard (bdguard)-system32/Drivers/bdguard.sys (driver)
O23-service: iqguynhth (automatic)-C:/Windows/system32/svchost.exe -k ukwgtocdnjito -> C:/Windows/system32/WBEM/uninstall.dll | 11:30:23 (automatic)
O23-service: npkycryp (npkycryp)-C:/program files/Tencent/QQ/npkycryp.sys (manual)
---/
ppgou was also uninstalled.
Stopped and disabled the service iqguynhth (wkvpwvlquwrfsej).
Downloaded fileinfo and bat_do from http://purplendurer.ys168.com and used fileinfo to extract the file information:
File Description: C:/Windows/system32/WBEM/qbnlwvqcimqbos.dll
Attribute: ---
An error occurred while obtaining the file version information!
Creation Time: 11:30:23
Modification time: 11:30:23
Access time: 18:31:10
Size: 1028608 bytes, 1004.512 KB
MD5: 0e96d0b2ff21e6fd1_b382096c350df
Sha1: 23a89af716af6b34a7a80b67a028ac02d9fb78e1
CRC32: 32b85f3a
File Description: C:/Windows/system32/WBEM/jsrldzlvyunxeo.dll
Attribute: ---
An error occurred while obtaining the file version information!
Creation Time: 12:24:33
Modification time: 12:24:34
Access time: 18:31:12
Size: 15223 bytes, 14.887 KB
MD5: 22e9c2373bdac310298e257488698e81
Sha1: 6d71557aef0197ad871bd4070033c95c3ed38cd6
CRC32: 21aec210
File Description: C:/Windows/system32/WBEM/ehuvrynxhdngwg.dll
Attribute: ---
An error occurred while obtaining the file version information!
Creation Time: 12:24:35
Modification time: 12:24:35
Access time: 18:31:14
Size: 6132 bytes, 5.1012 KB
MD5: 1d4eecb9e52baaabc210c07cd6ef3007
Sha1: 4eb1170461dcba1bbddc80a7c306be1b8042bd
CRC32: 8e8616b3
File Description: C:/Windows/system32/WBEM/ebuiiti.sys
Attribute: ---
An error occurred while obtaining the file version information!
Creation Time: 12:24:33
Modification time:
Access time: 18:31:16
Size: 43 bytes
MD5: bdcf39a82e4a7b905ed678ff50310432
Sha1: 532c3facfe929421583fd47243b68d9b896e041d
CRC32: 89ec3fec
Used bat_do to pack and back up the suspicious files, then delay-delete them, rename the selected files, and delay-delete again. Restart the computer ......
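Added example, not fileinfo's or the post's own code: a checker for fileinfo records like the ones above. It flags digests that are not well-formed hex of the expected length (the MD5 printed for qbnlwvqcimqbos.dll is damaged, so it must not be copied into a blocklist as-is) and records the traits that made these drops suspicious: a binary under system32 with no version resource, and a .sys file too small to be a PE image. The thresholds and heuristics are my assumptions; the two records are copied from the post.

```python
import re
# Two fileinfo records copied from the post; the first MD5 is damaged as printed (31 chars, underscore).
SAMPLE = """\
File Description: C:/Windows/system32/WBEM/qbnlwvqcimqbos.dll
An error occurred while obtaining the file version information!
Creation Time: 11:30:23
Modification time: 11:30:23
Access time: 18:31:10
Size: 1028608 bytes, 1004.512 KB
MD5: 0e96d0b2ff21e6fd1_b382096c350df
Sha1: 23a89af716af6b34a7a80b67a028ac02d9fb78e1
CRC32: 32b85f3a
File Description: C:/Windows/system32/WBEM/ebuiiti.sys
An error occurred while obtaining the file version information!
Creation Time: 12:24:33
Modification time:
Access time: 18:31:16
Size: 43 bytes
MD5: bdcf39a82e4a7b905ed678ff50310432
Sha1: 532c3facfe929421583fd47243b68d9b896e041d
CRC32: 89ec3fec
"""
HEX_LEN = {"MD5": 32, "Sha1": 40, "CRC32": 8}  # hex digits a well-formed digest has

def parse_fileinfo(text):
    """Split fileinfo output into one dict per 'File Description:' record."""
    records = []
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key == "File Description":
            records.append({"path": value.strip(), "no_version_info": False})
        elif line.startswith("An error occurred while obtaining the file version"):
            records[-1]["no_version_info"] = True
        elif records and value.strip():
            records[-1][key.strip()] = value.strip()
    return records

def check_record(rec):
    """Reasons a record is unsafe to blocklist as-is, plus the traits that make the file suspicious."""
    issues = []
    for name, n in HEX_LEN.items():
        if not re.fullmatch(r"[0-9a-fA-F]{%d}" % n, rec.get(name, "")):
            issues.append(f"{name} is not {n} hex digits")
    low = rec["path"].lower()
    if rec["no_version_info"] and low.endswith((".dll", ".sys")):
        issues.append("binary in system path without version resource")
    if low.endswith(".sys") and int(rec["Size"].split()[0]) < 64:  # IMAGE_DOS_HEADER alone is 64 bytes
        issues.append("driver file too small to be a valid PE image")
    return issues
```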