Encountering Trojan.PSW.Win32.WoWar, Trojan.Win32.Mnless, Trojan.IMMSG.Win32.TBMSG, etc.
Original by Endurer
Version 1
A netizen said that Rising on his computer often reports finding viruses, and asked for remote help via QQ.
Checked Rising's history log and exported an excerpt:
/---
Virus name | Processing result | Scan method | Path | File
Trojan.PSW.Win32.WoWar.sb | Successfully deleted | File monitoring | C:/Documents and Settings/user/Local Settings/Temporary Internet Files/Content.IE5/rz9z7dws | wow061720.12.16.exe > upack0.36
Trojan.PSW.Win32.WoWar.sb | Successfully deleted | File monitoring | C:/Windows/system32 | k11839392662.exe > upack0.36
Trojan.PSW.Win32.OnlineGames.cyh | Successfully deleted | File monitoring | C:/Windows | msimms32.exe
Trojan.PSW.Win32.OnlineGames.cxb | Ignore | File monitoring | C:/Documents and Settings/user/Local Settings/Temporary Internet Files/Content.IE5/fisr35g1 | my061620.1cmd.exe
Trojan.PSW.Win32.XYOnline.ae | Successfully deleted | File monitoring | C:/Documents and Settings/user/Local Settings/Temporary Internet Files/Content.IE5/fisr35g1 | dh061620.1).exe > upx_c
Trojan.PSW.Win32.OnlineGames.cxb | Successfully deleted | File monitoring | C:/Documents and Settings/user/Local Settings/Temporary Internet Files/Content.IE5/fisr35g1 | my061642522.16.exe
Trojan.Win32.Mnless.kks | Successfully deleted | File monitoring | C:/Documents and Settings/user/Local Settings/Temporary Internet Files/Content.IE5/kzuuqyaw | vod1_1).exe > upack0.34
Trojan.Win32.Mnless.kks | Successfully deleted | File monitoring | C:/Windows/system32 | k118393927812.exe > upack0.34
Trojan.IMMSG.Win32.TBMSG.hh | Successfully deleted | File monitoring | C:/Windows/system32 | 8bbd01a6.exe > nspack
Trojan.PSW.Win32.OnlineGames.dbf | Restart the computer and delete | File monitoring | C:/Windows/system32 | msapi.dll
Trojan.IMMSG.Win32.TBMSG.hh | Restart the computer and delete | File monitoring | C:/Windows/system32 | 8bbd01a6.dll > nspack
Trojan.PSW.Win32.CabalOnline.o | Restart the computer and delete | File monitoring | C:/Windows/system32 | cmdbcs.dll
Trojan.PSW.Win32.OnlineGames.dcl | Restart the computer and delete | File monitoring | C:/Windows/system32 | winform.dll
Trojan.PSW.Win32.OnlineGames.dcn | Restart the computer and delete | File monitoring | C:/Windows/system32 | avpsrv.dll
Trojan.PSW.Win32.CabalOnline.o | Restart the computer and delete | File monitoring | C:/Windows/system32 | cmdbcs.dll
Trojan.PSW.Win32.OnlineGames.dcm | Restart the computer and delete | File monitoring | C:/Windows/system32 | nwizqjsj.dll
Trojan.PSW.Win32.OnlineGames.dce | Restart the computer and delete | File monitoring | C:/Windows/system32 | nwizwlwzs.dll
---/
Downloaded pe_xscan, scanned the system, and found the following suspicious items in the log (process modules omitted):
/=
Pe_xscan 07-06-23 by Purple endurer
2007-7-9 12:55:10
Windows XP Service Pack 2 (5.1.2600)
Administrator user group
[System process] * 0
C:/Windows/system32/k11839392684.dat |
C:/Windows/system32/msimms32.dll |
C:/Windows/system32/csrss.exe * 508 | Microsoft® Windows® Operating System | 5.1.2600.2180 | Client Server Runtime process | © Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation | ? | CSRSS.exe | CSRSS.exe
C:/Windows/system32/8bbd01a6.dll | 7:59:32, 2007-7-9
C:/Windows/system32/winlogon.exe * 532 | Microsoft(R) Windows(R) Operating System | 5.1.2600.2180 | Windows NT logon application | (C) Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation | ? | Winlogon.exe
C:/Windows/system32/8bbd01a6.dll | 7:59:32, 2007-7-9
C:/Windows/system32/services.exe * 576 | Microsoft(R) Windows(R) Operating System | 5.1.2600.2180 | services and controller app | (C) Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation | ? | Services.exe
C:/Windows/system32/8bbd01a6.dll | 7:59:32, 2007-7-9
C:/Windows/system32/lsass.exe * 588 | Microsoft® Windows® Operating System | 5.1.2600.2180 | LSA shell (export version) | © Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation | ? | Lsass.exe
C:/Windows/system32/8bbd01a6.dll | 7:59:32, 2007-7-9
C:/Windows/system32/svchost.exe * 780 | Microsoft® Windows® Operating System | 5.1.2600.2180 | generic host process for Win32 services | © Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation | ? | Svchost.exe
C:/Windows/system32/msapi.dll | 10:22:44
C:/Windows/system32/8bbd01a6.dll | 7:59:32, 2007-7-9
C:/Windows/explorer.EXE * 168 | Microsoft(R) Windows(R) Operating System | 6.00.2900.2180 | Windows Explorer | (C) Microsoft Corporation. All rights reserved. | 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation | ? | Explorer | EXPLORER.EXE
C:/Windows/system32/8bbd01a6.dll | 7:59:32, 2007-7-9
C:/Windows/system32/msapi.dll | 10:22:44
C:/Windows/system32/k11839392684.dat |
C:/Windows/system32/nwizqjsj.dll |
C:/Windows/system32/avpsrv.dll |
C:/Windows/system32/nwizwlwzs.dll |
C:/Windows/system32/winform.dll |
C:/Windows/system32/cmdbcs.dll |
C:/Windows/system32/msimms32.dll |
C:/Windows/system32/wuauclt.exe * 1404 | 22:45:20 | Microsoft® Windows® Operating System | 7.0.6000.374 | Windows Update Automatic Updates | © Microsoft Corporation. All rights reserved. | 7.0.6000.374 (winmain(wmbla).070416-2057) | Microsoft Corporation | ? | Wuauclt.exe
C:/Windows/system32/mucltui.dll | 22:44:20 | Microsoft® Windows® Operating System | 7.0.6000.374 | Microsoft Update client UI plugin | © Microsoft Corporation. All rights reserved. | 7.0.6000.374 (winmain(wmbla).070416-2057) | Microsoft Corporation | ? | Mucltui.dll | mucltui.dll
C:/Windows/system32/k11839392684.dat |
C:/Windows/system32/ctfmon.exe * 2332 | Microsoft® Windows® Operating System | 5.1.2600.2180 | CTF loader | © Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation | ? | Ctfmon.exe
C:/Windows/system32/k11839392684.dat |
F:/software/qq.exe * 3044 | Tencent QQ | 0, 0, 0, 0 | QQ | Copyright 2007 | 0, 0, 0, 0, 0 | Tencent | comqqd | qq.exe
C:/Windows/system32/k11839392684.dat |
C:/Windows/system32/msimms32.dll |
C:/Windows/system32/cmdbcs.dll |
C:/Windows/system32/winform.dll |
C:/Windows/system32/avpsrv.dll |
C:/Windows/system32/msapi.dll | 10:22:44
O4-HKLM/../run: [Microsoft autorun7] C:/Windows/system32/nwizqjsj.exe
O4-HKLM/../run: [avpsrv] C:/Windows/avpsrv.exe
O4-HKLM/../run: [winform] C:/Windows/winform.exe
O4-HKLM/../run: [Microsoft autorun11] C:/Windows/system32/nwizwlwzs.exe
O4-HKLM/../run: [cmdbcs] C:/Windows/cmdbcs.exe
O4-HKLM/../run: [msimms32] C:/Windows/msimms32.exe
C:/autorun.inf
/-----
[Autorun]
open=auto.exe
shellexecute=auto.exe
shell\auto\command=auto.exe
-----/
D:/autorun.inf
/-----
[Autorun]
open=auto.exe
shellexecute=auto.exe
shell\auto\command=auto.exe
-----/
E:/autorun.inf
/-----
[Autorun]
open=auto.exe
shellexecute=auto.exe
shell\auto\command=auto.exe
-----/
F:/autorun.inf
/-----
[Autorun]
open=auto.exe
shellexecute=auto.exe
shell\auto\command=auto.exe
-----/
O23-service: 4d69cf24 (4d69cf24)-C:/Windows/system32/8bbd01a6.exe -k | 8:50:56 | Microsoft(R) Windows(R) Operating System | ? | ? | (C) Microsoft Corporation. All rights reserved. | ? | Microsoft Corporation | ? | ? | ? (Automatic)
O23-service: npkycryp (npkycryp)-C:/program files/Tencent/QQ/npkycryp.sys (manual)
O23-service: ws2ifsl (Windows Socket 2.0 non-ifs service provider support environment)-C:/Windows/system32/Drivers/ws2ifsl.sys | Microsoft® Windows® Operating System | 5.1.2600.0 | Winsock2 ifs layer | © Microsoft Corporation. All rights reserved. | 5.1.2600.0 (xpclient000017-1148) | Microsoft Corporation | ? | Ws2ifsl.sys | ws2ifsl.sys (disabled)
O25-inscom: {81716107-a10d-11cf-64cd-11115fe1cf41} = C:/Windows/system32/nwizzhuxians.exe
The showall value is not 1.
===/
Downloaded freedll, bat_do, and fileinfo from http://purpleendurer.ys168.com.
Used freedll to unload the virus modules injected into the processes, fileinfo to extract the file information, and bat_do to package and delete the files with delayed deletion: it generates commands that remove the file attributes and delete the files, and these run at the next startup.
Unfortunately, once freedll had unloaded the virus modules from the processes, Rising deleted them before the virus file information could be extracted, so Rising's real-time monitoring had to be temporarily disabled. I was too lazy to restore the previously deleted virus files from Rising's quarantine...
Used WinRAR to delete autorun.inf and auto.exe on each drive.
Downloaded HijackThis from http://endurer.ys168.com to fix the O4 items.
Used Registry Editor to delete the O23 and O25 entries.
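A triage aid for the findings above, added here as an example (it is not part of the original post or of pe_xscan): it pairs each O4 Run-key loader with a same-named DLL loaded inside other processes, the pattern visible in the log (avpsrv.exe and avpsrv.dll, nwizqjsj.exe and nwizqjsj.dll). The log text is a constructed excerpt in the layout shown above, and the function names are hypothetical.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed excerpt in the log layout above: a "path * PID |" process line
# is followed by the modules loaded into that process; O4 lines are Run keys.
SAMPLE_LOG = """\
C:/Windows/explorer.EXE * 168 | Microsoft Corporation
C:/Windows/system32/avpsrv.dll |
C:/Windows/system32/nwizqjsj.dll |
C:/Windows/system32/shell32.dll | Microsoft Corporation
F:/software/qq.exe * 3044 | Tencent
C:/Windows/system32/avpsrv.dll |
O4-HKLM/../run: [Microsoft autorun7] C:/Windows/system32/nwizqjsj.exe
O4-HKLM/../run: [avpsrv] C:/Windows/avpsrv.exe
O4-HKLM/../run: [ctfmon] C:/Windows/system32/ctfmon.exe
"""

PROC_RE = re.compile(r"^(?P<path>.+?)\s\*\s\d+\s*\|")
RUN_RE = re.compile(r"^O4-\S+:\s*\[(?P<name>[^\]]+)\]\s*(?P<path>.+)$")
MOD_RE = re.compile(r"^(?P<path>[A-Za-z]:/[^|]+?)\s*\|")

def stem(path):
    # File name without directory or extension, lower-cased.
    return PureWindowsPath(path.strip()).stem.lower()

def correlate(log_text):
    """Map each Run value name to the other processes hosting a DLL that
    shares its file name with the Run-key EXE."""
    hosts_by_dll = defaultdict(set)   # DLL stem -> processes that loaded it
    runs, current = {}, None
    for line in map(str.strip, log_text.splitlines()):
        if m := RUN_RE.match(line):
            runs[m["name"]] = m["path"]
        elif m := PROC_RE.match(line):
            current = m["path"]
        elif (m := MOD_RE.match(line)) and current:
            if m["path"].lower().endswith(".dll"):
                hosts_by_dll[stem(m["path"])].add(current)
    hits = {}
    for name, exe in runs.items():
        # Match on the EXE file name, not the value name: they differ for
        # entries such as [Microsoft autorun7] -> nwizqjsj.exe.
        hosts = sorted(h for h in hosts_by_dll.get(stem(exe), ())
                       if stem(h) != stem(exe))
        if hosts:
            hits[name] = hosts
    return hits
```

A hit is only a lead for review: a DLL loaded inside its own same-named program is excluded, but legitimate software can still share a file name between an EXE and a DLL loaded elsewhere.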
Some Virus File Information:
File Description: C:/Windows/system32/k11839392684.exe
Attribute: ---
An error occurred while obtaining the file version information!
Creation Time:
Modification time:
Access time:
Size: 8828 bytes, 8.636 KB
MD5: 00b6f61160bb15f047cd962893a34192
File Description: C:/Windows/system32/k11839392684.dat
Attribute: ---
An error occurred while obtaining the file version information!
Creation Time:
Modification time:
Access time:
Size: 5506 bytes, 5.386 KB
MD5: 21ca9c06990496a0b7642752530c1e33
File Description: C:/Windows/msimms32.exe
Attribute: ---
An error occurred while obtaining the file version information!
Creation Time:
Modification time:
Access time:
Size: 22528 bytes, 22.0 KB
MD5: 95d8f8399f2f09a583a13c624cea6a2d
File Description: C:/Windows/system32/msimms32.dll
Attribute: ---
An error occurred while obtaining the file version information!
Creation Time:
Modification time:
Access time:
Size: 13312 bytes, 13.0 KB
MD5: c73d850a7ba83e5b3833715faeb9fdf0
File Description: C:/Windows/system32/8bbd01a6.exe
Attribute: ----
Language: English (USA)
File version:
Note:
Copyright: (c) Microsoft Corporation. All rights reserved.
Note:
Product Version:
Product Name: Microsoft (r) Windows (r) Operating System
Company Name: Microsoft Corporation
Legal trademark:
Internal Name:
Source File Name:
Creation Time: 8:50:57
Modification time: 8:50:56
Access time:
Size: 18231 bytes, 17.823 KB
MD5: bb7c9cea012dec18c7e7b9619b7b97b7
File Description: C:/Windows/system32/8bbd01a6.dll
Attribute: ---
An error occurred while obtaining the file version information!
Creation Time:
Modification time: 7:59:32
Access time:
Size: 11888 bytes, 11.624 KB
File Description: C:/Windows/system32/msapi.dll
Attribute: A-H-
An error occurred while obtaining the file version information!
Creation Time: 10:22:41
Modification time: 10:22:44
Access time:
Size: 65536 bytes, 64.0 KB
MD5: c66f30a73f4bf6a0e1373ca1c4e9d45a
File Description: C:/Windows/system32/mucltui.dll
Attribute: ---
Language: English (USA)
File version: 7.0.6000.374 (winmain(wmbla).070416-2057)
Description: Microsoft Update client UI plugin
Copyright: © Microsoft Corporation. All rights reserved.
Note:
Product Version: 7.0.6000.374
Product Name: Microsoft® Windows® Operating System
Company Name: Microsoft Corporation
Legal trademark:
Internal name: mucltui.dll
Source File Name: mucltui.dll
Creation Time: 8:11:36
Modification time: 22:44:20
Access time:
Size: 271224 bytes, 264.888 KB
MD5: 5a0cd6dc6a03c5bf47ca2c16fe846d0b
File Description: C:/Windows/system32/nwizwlwzs.exe
Attribute: ---
An error occurred while obtaining the file version information!
Creation Time: 8:19:56
Modification time:
Access time:
Size: 10240 bytes, 10.0 KB
MD5: 4d3de7dcb170be0734a95b0f17dbb603