Encountering a batch of Trojan.PSW.Win32.OnlineGames (*door0.dll and the like) (1)

Source: Internet
Author: User


Endurer original, version 1

A netizen reported that Kingsoft Duba (Kingsoft Antivirus) had recently started throwing errors when his computer booted, and that the machine ran slowly. He asked for remote assistance over QQ to check it.

Because his computer was responding very slowly, I had him restart into Safe Mode with Networking.

After downloading pe_xscan and extracting it, the file vanished on its own. This happened several times. Has pe_xscan also ended up on the malware's list of tools to kill?

I extracted pe_xscan into C:/Windows/system32, renamed the executable, and ran it again. This time it worked.

Scan and analyse the log; the following suspicious items were found (process module listings omitted):
/=
Pe_xscan 07-07-24 by Purple endurer
2007-8-27 12:38:37
Windows XP Service Pack 2 (5.1.2600)
Administrator user group

[System process] * 0
C:/program files/Internet Explorer/rksldk.DLL | Microsoft Windows operating system | 6.00.2900.3028 | Microsoft Corporation windows DLL | copyright (c) 2001.01 | 1.0.0.1 | Microsoft Corporation |? | Windows.dll | Windows.dll
C:/Windows/system32/dadoor0.dll | 8:39:14
C:/Windows/system32/wddoor0.dll | 8:39:14
C:/Windows/system32/fydoor0.dll | 8:39:14
C:/Windows/system32/qjdoor0.dll | 8:39:14, 2004-8-16
C:/Windows/system32/mydoor0.dll | 8:39:14
C:/Windows/system32/tldoor0.dll | 8:39:14
C:/Windows/system32/rxdoor0.dll | 8:39:14
C:/Windows/system32/wmdoor0.dll | 8:39:14, 2004-8-16
C:/Windows/system32/qhdoor0.dll | 8:39:14, 2004-8-16
C:/Windows/system32/wgdoor0.dll | 8:39:14
C:/Windows/system32/wldoor0.dll | 8:39:14, 2004-8-16
C:/Windows/system32/jtdoor0.dll | 8:39:14, 2004-8-16
C:/Windows/system32/ztdoor0.dll | 8:39:14, 2004-8-16
C:/Windows/system32/wodoor0.dll | 8:39:14
C:/Windows/system32/mhdoor0.dll | 8:39:14

C:/Windows/explorer.EXE * 1448 | 8:39:14 | MICROSOFT (r) Windows (r) Operating System | 6.00.2900.2180 | Windows Explorer | (c) Microsoft Corporation. all rights reserved. | 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation |? | Explorer | EXPLORER.EXE
C:/program files/Internet Explorer/msvcrt.DLL | Microsoft Windows operating system | 6.00.2900.3028 | Microsoft Corporation windows DLL | copyright (c) 2001.01 | 1.0.0.1 | Microsoft Corporation |? | Windows.dll | Windows.dll
C:/Windows/system32/mhdoor0.dll | 8:39:14
C:/program files/Internet Explorer/rksldk.DLL | Microsoft Windows operating system | 6.00.2900.3028 | Microsoft Corporation windows DLL | copyright (c) 2001.01 | 1.0.0.1 | Microsoft Corporation |? | Windows.dll | Windows.dll
C:/Windows/system32/wodoor0.dll | 8:39:14
C:/Windows/system32/ztdoor0.dll | 8:39:14, 2004-8-16
C:/Windows/system32/jtdoor0.dll | 8:39:14, 2004-8-16
C:/Windows/system32/wldoor0.dll | 8:39:14, 2004-8-16
C:/Windows/system32/wgdoor0.dll | 8:39:14
C:/Windows/system32/qhdoor0.dll | 8:39:14, 2004-8-16
C:/Windows/system32/wmdoor0.dll | 8:39:14, 2004-8-16
C:/Windows/system32/rxdoor0.dll | 8:39:14
C:/Windows/system32/tldoor0.dll | 8:39:14
C:/Windows/system32/mydoor0.dll | 8:39:14
C:/Windows/system32/qjdoor0.dll | 8:39:14, 2004-8-16
C:/Windows/system32/fydoor0.dll | 8:39:14
C:/Windows/system32/wddoor0.dll | 8:39:14
C:/Windows/system32/dadoor0.dll | 8:39:14
C:/program files/WinRAR/rarext.dll | 20:41:30

C:/program files/Internet Explorer/rksldk.Bak * 1532 |
C:/program files/Internet Explorer/rksldk.Bak |
C:/program files/Internet Explorer/rksldk.DLL | Microsoft Windows operating system | 6.00.2900.3028 | Microsoft Corporation windows DLL | copyright (c) 2001.01 | 1.0.0.1 | Microsoft Corporation |? | Windows.dll | Windows.dll

C:/Windows/system32/ctfmon.exe * 1232 | 8:39:14 | MICROSOFT (r) Windows (r) Operating System | 5.1.2600.2180 | CTF loader | (c) Microsoft Corporation. All Rights Reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation |? | Ctfmon.exe
C:/program files/Internet Explorer/rksldk.DLL | Microsoft Windows operating system | 6.00.2900.3028 | Microsoft Corporation windows DLL | copyright (c) 2001.01 | 1.0.0.1 | Microsoft Corporation |? | Windows.dll | Windows.dll

O2-BHO-{A1626E66-B26B-C628-A1DF-BDACCFA26EE1}-C:/program files/common files/relive.dll
O2-BHO-{C1626E66-C26B-C628-E1DF-CDACCFA26EE1}-C:/program files/common files/goskdl.dll
O2-BHO-{D7515C61-A66C-4319-A0E0-D416CB8059E3}-C:/program files/common files/relive.dll
O2-BHO-{E3616E66-C13B-2628-2CDF-EDABCFA235E1}-C:/program files/common files/relive.dll

O4-HKLM/../run: [aslkgadlkgsl1] C:/Windows/system32/oigdfgdfl1.exe
O4-HKLM/../run: [asgfdjs2] C:/Windows/system32/vbsdaas2.exe
O4-HKLM/../run: [askasdkl3] C:/Windows/system32/faskflxld3.exe
O4-HKLM/../run: [asfkafsk4] C:/Windows/system32/fdaolfdos4.exe
O4-HKLM/../run: [sakdasksd5] C:/Windows/system32/eksdlfs5.exe
O4-HKLM/../run: [daskaskfsak6] C:/Windows/system32/dsfids6.exe
O4-HKLM/../run: [xcxdsaa7] C:/Windows/system32/FIG
O4-HKLM/../run: [afskfask8] C:/Windows/system32/fsfjasj8.exe
O4-HKLM/../run: [akgkagaksad9] C:/Windows/system32/fsakfask9.exe
O4-HKLM/../run: [xzkadsfk10] C:/Windows/system32/afslkfasl10.exe
O4-HKLM/../run: [faslkakj11] C:/Windows/system32/kjgagklj11.exe
O4-HKLM/../run: [gadkgak12] C:/Windows/system32/fsafsakx12.exe
O4-HKLM/../run: [asdsaxcxz13] C:/Windows/system32/dasxcsx13.exe
O4-HKLM/../run: [dsadlsa14] C:/Windows/system32/dsakfsak14.exe
O4-HKLM/../run: [daskgfkkcx15] C:/Windows/system32/dasdsaads15.exe
O4-HKLM/../run: [gajklgasjlkga] C:/Windows/system32/aglajgkd16.exe
O4-HKLM/../run: [sakdasj6ksd5] C:/Windows/system32/e656lkls5.exe
O4-HKLM/../run: [apadslasla13] C:/Windows/system32/alsdlaslx13.exe
O4-HKLM/../run: [aslgflsdakgsl1] C:/Windows/system32/ogdflsd1.exe
H:/autorun.inf
/-----
[Autorun]
Open = ghost.pif
ShellExecute = ghost.pif
Shell/auto/command = ghost.pif
Shell = auto
-----/

O24-shlexechook: []-0cce6e12-c2ec-56cd + 1a62-ae3fd6ef56e6} = C:/program files/Internet Explorer/msvcrt.dll
O24-shlexechook: []-{5c7596cb-c3cc-6ba3-be52-8eea63f9c61d} = C:/program files/Internet Explorer/msvcrt.dll
O24-shlexechook: []-{DC7596CB-D6CC-DCA3-DE52-DEEA63F6C61D} = C:/program files/Internet Explorer/rksldk.dll
O24-shlexechook: [f]-{3422fb0f-95eb-458a-8b56-3955366a4ef} = C:/Windows/system32/mhdoor0.dll
O24-shlexechook: [6]-{5731ea1d-6aaf-4de9-bd3167b390a75b286} = C:/Windows/system32/wodoor0.dll
O24-shlexechook: [9]-{E952B8F8-D91A-4EDD-851C-EE1A0F944469} = C:/Windows/system32/ztdoor0.dll
O24-shlexechook: [1]-{71046dd5-e136-4c4b-a6b5-91c30cb15291} = C:/Windows/system32/jtdoor0.dll
O24-shlexechook: [3]-{E03C23BD-35B7-49C2-BBCA-6D8CEC2507E3} = C:/Windows/system32/wldoor0.dll
O24-shlexechook: [7]-{A3C95A74-638D-4C6B-A856-4B27664A7F47} = C:/Windows/system32/wgdoor0.dll
O24-shlexechook: [d]-{ABD0935D-B35A-47BD-BA9A-81678DDE74DD} = C:/Windows/system32/qhdoor0.dll
O24-shlexechook: [c]-{074616a6-5adc-4a3f-b252-e1d605228b5c} = C:/Windows/system32/wmdoor0.dll
O24-shlexechook: [0]-{EDFF29C1-5A70-4460-AC1D-16DCB4B672F0} = C:/Windows/system32/rxdoor0.dll
O24-shlexechook: [8]-{08e909a4-b236-48dd-8bcc-90a604b93e68} = C:/Windows/system32/tldoor0.dll
O24-shlexechook: [8]-{4e3fbfa4-f1cc-4b66-b333-b9f0ff4b4748} = C:/Windows/system32/mydoor0.dll
O24-shlexechook: [8]-{6826a3db-ea8e-4e67-880d-53d04c7c0bd8} = C:/Windows/system32/qjdoor0.dll
O24-shlexechook: [B]-{BD9B003B-0BE6-4528-A9D9-B8DBACAC6B9B} = C:/Windows/system32/fydoor0.dll
O24-shlexechook: [7]-{781fbcc1-99c7-4ae0-95f7-66ea49e86dd7} = C:/Windows/system32/zxdoor0.dll
O24-shlexechook: [2]-{68f7767a-090c-4bbf-a015-720acc6706e2} = C:/Windows/system32/wddoor0.dll
O24-shlexechook: [B]-{D8CC4845-441C-44F8-9053-28F2EF67655B} = C:/Windows/system32/dadoor0.dll

O25-inscom: {11716107-a10d-11cf-64cd-11115fe1cf41} = C:/Windows/system32/nwizzhuxians.exe
===/
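The summary lines in this log can be triaged mechanically. As an added example (not part of the original post, and not pe_xscan's own code), the Python below parses pe_xscan-style O2/O4/O24/O25 lines and groups the entries by the traits this infection shows: the *door0.dll naming, ShellExecuteHook registrations, Run values whose name and executable share a trailing number, and one BHO DLL registered under several CLSIDs. The section regexes and the trait heuristics are assumptions about this log's layout, not pe_xscan's own rules; the sample lines are copied from the log above.

```python
import re
from collections import defaultdict
# Lines copied from the pe_xscan log above, so the parser runs on real entries offline.
SAMPLE_LOG = """\
O2-BHO-{A1626E66-B26B-C628-A1DF-BDACCFA26EE1}-C:/program files/common files/relive.dll
O2-BHO-{D7515C61-A66C-4319-A0E0-D416CB8059E3}-C:/program files/common files/relive.dll
O4-HKLM/../run: [aslkgadlkgsl1] C:/Windows/system32/oigdfgdfl1.exe
O4-HKLM/../run: [asgfdjs2] C:/Windows/system32/vbsdaas2.exe
O24-shlexechook: [f]-{3422fb0f-95eb-458a-8b56-3955366a4ef} = C:/Windows/system32/mhdoor0.dll
O25-inscom: {11716107-a10d-11cf-64cd-11115fe1cf41} = C:/Windows/system32/nwizzhuxians.exe
"""

# One regex per section (assumed from the log's layout); each match yields (key, path).
PATTERNS = {
    "O2":  re.compile(r"^O2-BHO-(\{[^}]+\})-(.+)$"),
    "O4":  re.compile(r"^O4-\S+:\s*\[([^\]]*)\]\s*(.+)$"),
    "O24": re.compile(r"^O24-shlexechook:\s*\[[^\]]*\]-(\S+)\s*=\s*(.+)$"),
    "O25": re.compile(r"^O25-inscom:\s*(\{[^}]+\})\s*=\s*(.+)$"),
}
DOOR_DLL = re.compile(r"[a-z]{2}door0\.dll$", re.I)  # the naming pattern in this log

def parse_log(text):
    """Yield (section, key, path) for every O2/O4/O24/O25 line in the log."""
    for line in text.splitlines():
        for section, rx in PATTERNS.items():
            m = rx.match(line.strip())
            if m:
                yield section, m.group(1), m.group(2).strip()
                break

def triage(findings):
    """Group entries by the traits this infection shows; returns {reason: [paths]}."""
    flags = defaultdict(list)
    bho_clsids = defaultdict(set)
    for section, key, path in findings:
        if DOOR_DLL.search(path):
            flags["door0-family dll"].append(path)
        if section == "O24":  # a ShellExecuteHook is loaded by any process that calls ShellExecute
            flags["shellexecute hook"].append(path)
        if section == "O4":  # value name and exe share a trailing number (asgfdjs2 -> vbsdaas2.exe)
            kn, fn = re.search(r"\d+$", key), re.search(r"(\d+)\.exe$", path, re.I)
            if kn and fn and kn.group() == fn.group(1):
                flags["numbered run entry"].append(path)
        if section == "O2":
            bho_clsids[path].add(key)
    for path, clsids in bho_clsids.items():
        if len(clsids) > 1:  # one DLL registered as a BHO under several CLSIDs
            flags["bho under multiple clsids"].append(path)
    return dict(flags)
```

Running `triage(parse_log(SAMPLE_LOG))` on the copied lines flags all four traits; on a clean machine's log the dictionary comes back empty.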

Disable System Restore.

Download HijackThis from http://endurer.ys168.com, and bat_do and fileinfo from http://purpleendurer.ys168.com.

Use pe_xscan's web-page analysis tool to extract the descriptions of the suspicious files, feed them to fileinfo to extract the file information, then load them into bat_do: select all, back them up into an archive with rar.exe, delete the files with a delay, rename the selected files, and delete them again with a delay.

Run HijackThis to fix the O2 and O4 items.

Use WinRAR to delete H:/autorun.inf.

Download Dr.Web CureIt! and scan; it finds a bunch of viruses.

Download and install Rising Kaka Security Assistant.

Use WinRAR to delete the Windows temporary folders, the IE temporary folders, and whatever can be deleted in C:/Windows/prefetch.

Restart the computer into Safe Mode with Networking. Run Rising Kaka Security Assistant, select [Advanced Functions] -> [Plug-in Management and Uninstall], and uninstall the O24 items.

Switch to [System Startup Item Management], click [Explorer plug-ins] in the list on the left, find the O25 item in the list on the right, right-click it, and choose Delete from the pop-up menu.
