Encountering Trojan-PSW.Win32.WOW, Trojan.psw.win32.onlinegames, Trojan.mnless.kks and others (1)



Endurer original, 1st version

Just now a friend called for help, saying his computer could not connect to the Internet; the Rising monitoring umbrella was yellow, and I could not fix the problem with Yahoo's help.

Checking Rising monitoring, I found that email monitoring could not be started.

Looking at the network: my friend's computer connects through a LAN. The gateway can be pinged and so can www.163.com, but web pages cannot be opened, so even common tools such as pe_xscan cannot be downloaded.

Fortunately, HijackThis had been used to solve his computer problems last time. He scanned with it, and the log showed suspicious items:
/---
Logfile of hijackthis v1.99.1
Scan saved at 12:23:43, on
Platform: Windows XP SP2 (winnt 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

O10-broken Internet access because of LSP provider 'C:/Windows/system32/MSComm.dll'

O23-service: 5a8c7aba-unknown owner-C:/Windows/system32/1f944ec3.EXE (file missing)
---/

The cause is the O10 entry. This is usually fixed with LSPFix or WinsockFix, both of which can be downloaded from http://endurer.ys168.com, but right now nothing can be downloaded over the network ~
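The O10 entry explains the symptom pattern above: a Winsock LSP (layered service provider) DLL that is registered in the catalog but no longer present breaks every TCP application that goes through Winsock, while ping, which uses the ICMP API rather than Winsock, still succeeds. The script below is an added example (not part of the original post and not HijackThis code) that triages O10 and O23 lines of a HijackThis log the way the post does by eye. The sample log is constructed to mirror the two entries quoted above, the line patterns follow HijackThis 1.99 output, and the allowlist of Microsoft-provided LSP modules is an assumption to be extended per Windows build.

```python
"""Triage HijackThis-style O10 (Winsock LSP) and O23 (service) log lines.

Added example; not the post's or HijackThis's own code. The sample log is
constructed, and KNOWN_LSP is an assumption (default XP catalog providers).
"""
import re

# Constructed sample: the post's two entries plus a healthy LSP and a normal service.
SAMPLE_LOG = """\
Logfile of HijackThis v1.99.1
O10 - Broken Internet access because of LSP provider 'c:\\windows\\system32\\mscomm.dll' is missing
O10 - Unknown file in Winsock LSP: c:\\windows\\system32\\mswsock.dll
O23 - Service: 5a8c7aba - Unknown owner - C:\\WINDOWS\\system32\\1f944ec3.EXE (file missing)
O23 - Service: Windows Audio (AudioSrv) - Unknown owner - C:\\WINDOWS\\system32\\svchost.exe
"""

# Assumption: Winsock catalog providers that ship with Windows XP.
KNOWN_LSP = {"mswsock.dll", "winrnr.dll", "rsvpsp.dll"}

O10_BROKEN = re.compile(r"^O10 - Broken Internet access because of LSP provider '([^']+)'", re.I)
O10_UNKNOWN = re.compile(r"^O10 - Unknown file in Winsock LSP: (.+)$", re.I)
O23_SERVICE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$", re.I)
HEX8 = re.compile(r"^[0-9a-f]{8}$", re.I)  # eight random hex digits, as in 5a8c7aba

# What a responder does about each finding kind.
ADVICE = {
    "lsp_missing": "catalog references a DLL that is gone: repair with LSPFix/WinsockFix "
                   "or 'netsh winsock reset' (XP SP2 and later), then reboot",
    "lsp_unknown": "third-party LSP: identify the vendor before removing it",
    "service": "remove the service entry and its binary if still present, then reboot",
}


def basename(path):
    """Lower-case file name of a Windows path, tolerating '/' separators."""
    return path.strip().replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(log_text):
    """Return a list of findings: ('lsp_missing'|'lsp_unknown', dll) or ('service', name, reasons)."""
    findings = []
    for line in log_text.splitlines():
        m = O10_BROKEN.match(line)
        if m:
            findings.append(("lsp_missing", basename(m.group(1))))
            continue
        m = O10_UNKNOWN.match(line)
        if m:
            dll = basename(m.group(1))
            if dll not in KNOWN_LSP:
                findings.append(("lsp_unknown", dll))
            continue
        m = O23_SERVICE.match(line)
        if m:
            name, path = m.group("name").strip(), m.group("path")
            reasons = []
            if HEX8.match(name):
                reasons.append("random-hex service name")
            if "(file missing)" in path.lower():
                reasons.append("binary missing")
            if reasons:
                findings.append(("service", name, tuple(reasons)))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding, "->", ADVICE[finding[0]])
```

A service whose display name is eight hex digits and whose binary is already gone (the antivirus removed it, the registration stayed) is exactly the O23 line in the log above; the missing LSP DLL is what took the network down.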

I used the Kaka Security Assistant on the desktop. Double-clicking it to run it, it seemed the user had never used it; the latest version is 3.2, and upgrading it now prompted a website error ~

Selecting [IE and system repair], two items were shown in red; their content was MSComm.dll ~

Opening http://endurer.ys168.com, the directory list was not displayed. Checking, I found the browser could not execute active scripts; starting IE with the /rereg parameter had no effect. Registering jscript.dll and VBScript.dll with the regsvr32 command made it display normally.

I upgraded the Kaka Security Assistant first, then checked the Rising antivirus software. The virus database was still from the 31st; the upgrade did not go as expected, and a blue screen error was reported ~

The computer could only be restarted, and the administrator user on the computer had no password set ~

After entering the desktop, Rising's monitoring umbrella was green at first; then file monitoring was disabled automatically and it turned red. I enabled all monitoring manually, but it soon turned red again; after enabling all monitoring once more, Rising kept reporting viruses.

I downloaded pe_xscan; analysing its log shows suspicious items:
/=
Pe_xscan 07-07-24 by Purple endurer
2007-8-6 12:56:59
Windows XP Service Pack 2 (5.1.2600)
Administrator user group

[System process] * 0
C:/Windows/system32/k118636446310.dat |
C:/Windows/system32/k118636446612.dat |
C:/Windows/system32/k118636446511.dat |
C:/Windows/system32/k11863644596.dat | 12:42:12, 2007-8-6
C:/Windows/system32/k11863644618.dat |
C:/Windows/system32/winform. dll |
C:/Windows/system32/cmdbcs. dll |
C:/Windows/system32/msimms32.dll |
C:/Windows/system32/mptp.dll |
C:/Windows/system32/avpsrv. dll |
C:/Windows/system32/kvsc3.dll |
C:/Windows/system32/csrss.exe * 860 | MICROSOFT? Windows? Operating System | 5.1.2600.2180 | Client Server Runtime process |? Microsoft Corporation. All Rights Reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation |? | CSRSS. exe | CSRSS. exe
C:/Windows/system32/af0d0e8e. dll | 12:40:11 | MICROSOFT (r) Windows (r) Operating System |? |? | (C) Microsoft Corporation. All Rights Reserved. |? | Microsoft Corporation |? |? |?
C:/Windows/system32/winlogon.exe * 948 | MICROSOFT (r) Windows (r) Operating System | 5.1.2600.2180 | Windows NT logon application | (c) Microsoft Corporation. all rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation |? | Winlogon. exe
C:/Windows/system32/af0d0e8e. dll | 12:40:11 | MICROSOFT (r) Windows (r) Operating System |? |? | (C) Microsoft Corporation. All Rights Reserved. |? | Microsoft Corporation |? |? |?
C:/Windows/system32/a815a0f7. dll | 12:43:12 | MICROSOFT (r) Windows (r) Operating System |? |? | (C) Microsoft Corporation. All Rights Reserved. |? | Microsoft Corporation |? |? |?
C:/Windows/system32/services.exe * 1056 | MICROSOFT (r) Windows (r) Operating System | 5.1.2600.2180 | services and controller app | (c) Microsoft Corporation. all rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation |? | Services.exe
C:/Windows/system32/af0d0e8e. dll | 12:40:11 | MICROSOFT (r) Windows (r) Operating System |? |? | (C) Microsoft Corporation. All Rights Reserved. |? | Microsoft Corporation |? |? |?
C:/Windows/system32/lsass.exe * 1084 | MICROSOFT? Windows? Operating System | 5.1.2600.2180 | LSA shell (export version) |? Microsoft Corporation. All Rights Reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation |? | Lsass.exe
C:/Windows/system32/af0d0e8e. dll | 12:40:11 | MICROSOFT (r) Windows (r) Operating System |? |? | (C) Microsoft Corporation. All Rights Reserved. |? | Microsoft Corporation |? |? |?
C:/Windows/system32/svchost.exe * 1324 | MICROSOFT? Windows? Operating System | 5.1.2600.2180 | generic host process for Win32 services |? Microsoft Corporation. All Rights Reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation |? | Svchost.exe
C:/Windows/system32/af0d0e8e. dll | 12:40:11 | MICROSOFT (r) Windows (r) Operating System |? |? | (C) Microsoft Corporation. All Rights Reserved. |? | Microsoft Corporation |? |? |?
D:/rising/rav/ccenter.exe * 1584 | 17:12:21 | Rising antivirus software | 18, 0, 0, 3 | ccenter | copyright rising 2002 | 18, 0, 0, 0, 3 | Beijing rising Technology Co ., ltd. | Beijing rising Technology Co ., ltd. | ccenter.exe
C:/Windows/system32/svchost.exe * 1600 | MICROSOFT? Windows? Operating System | 5.1.2600.2180 | generic host process for Win32 services |? Microsoft Corporation. All Rights Reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation |? | Svchost.exe
C:/Windows/system32/af0d0e8e. dll | 12:40:11 | MICROSOFT (r) Windows (r) Operating System |? |? | (C) Microsoft Corporation. All Rights Reserved. |? | Microsoft Corporation |? |? |?
C:/Windows/system32/svchost.exe * 1740 | MICROSOFT? Windows? Operating System | 5.1.2600.2180 | generic host process for Win32 services |? Microsoft Corporation. All Rights Reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation |? | Svchost.exe
C:/Windows/system32/af0d0e8e. dll | 12:40:11 | MICROSOFT (r) Windows (r) Operating System |? |? | (C) Microsoft Corporation. All Rights Reserved. |? | Microsoft Corporation |? |? |?
C:/Windows/system32/svchost.exe * 1860 | MICROSOFT? Windows? Operating System | 5.1.2600.2180 | generic host process for Win32 services |? Microsoft Corporation. All Rights Reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation |? | Svchost.exe
C:/Windows/system32/af0d0e8e. dll | 12:40:11 | MICROSOFT (r) Windows (r) Operating System |? |? | (C) Microsoft Corporation. All Rights Reserved. |? | Microsoft Corporation |? |? |?
C:/Windows/explorer. EXE * 224 | MICROSOFT (r) Windows (r) Operating System | 6.00.2900.2180 | Windows Explorer | (c) Microsoft Corporation. all rights reserved. | 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation |? | Explorer | EXPLORER. EXE
C:/Windows/system32/af0d0e8e. dll | 12:40:11 | MICROSOFT (r) Windows (r) Operating System |? |? | (C) Microsoft Corporation. All Rights Reserved. |? | Microsoft Corporation |? |? |?
C:/Windows/system32/kvsc3.dll |
C:/Windows/system32/winform. dll |
C:/Windows/system32/avpsrv. dll |
C:/Windows/system32/mptp.dll |
C:/Windows/system32/k11863644618.dat |
C:/Windows/system32/msimms32.dll |
C:/Windows/system32/timhost. dll | 12:42:11
C:/Windows/system32/k11863644596.dat | 12:42:12, 2007-8-6
C:/Windows/system32/k118636446511.dat |
C:/Windows/system32/k118636446612.dat |
C:/Windows/system32/cmdbcs. dll |
C:/Windows/system32/k118636446310.dat |
C:/Windows/system32/a815a0f7. dll | 12:43:12 | MICROSOFT (r) Windows (r) Operating System |? |? | (C) Microsoft Corporation. All Rights Reserved. |? | Microsoft Corporation |? |? |?
C:/Windows/system32/ctfmon.exe * 1516 | MICROSOFT? Windows? Operating System | 5.1.2600.2180 | CTF loader |? Microsoft Corporation. All Rights Reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation |? | Ctfmon. exe
C:/Windows/system32/winform. dll |
C:/Windows/system32/k11863644596.dat | 12:42:12, 2007-8-6
C:/Windows/system32/k11863644618.dat |
C:/Windows/system32/conime.exe * 3800 | MICROSOFT? Windows? Operating System | 5.1.2600.2180 | console IME |? Microsoft Corporation. All Rights Reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation |? | Console | conime. exe
C:/Windows/system32/k11863644596.dat | 12:42:12, 2007-8-6
C:/Windows/system32/k11863644618.dat |
C:/Windows/system32/winform. dll |
C:/Windows/system32/k118636446511.dat |
C:/Windows/system32/k118636446310.dat |
C:/Windows/system32/k118636446612.dat |
C:/Windows/system32/6bd3f1dc.exe * 2064 | 12:43:12
C:/Windows/system32/6bd3f1dc.exe | 12:43:12
C:/Windows/system32/k118636446310.dat |
C:/Windows/system32/k118636446612.dat |
C:/Windows/system32/k118636446511.dat |
C:/Windows/system32/k11863644596.dat | 12:42:12, 2007-8-6
C:/Windows/system32/k11863644618.dat |
C:/Windows/system32/winform. dll |
C:/Windows/system32/cmdbcs. dll |
C:/Windows/system32/msimms32.dll |
C:/Windows/system32/mptp.dll |
C:/Windows/system32/avpsrv. dll |
C:/Windows/system32/kvsc3.dll |
C:/Windows/system32/nslookupi.exe * 2584 | 12:44:30
C:/Windows/system32/k118636446310.dat |
C:/Windows/system32/k118636446612.dat |
C:/Windows/system32/k118636446511.dat |
C:/Windows/system32/k11863644596.dat | 12:42:12, 2007-8-6
C:/Windows/system32/k11863644618.dat |

O4-HKLM/../run: [winform] C:/Windows/winform.exe
O4-HKLM/../run: [kvsc3] C:/Windows/kvsc3.exe
O4-HKLM/../run: [avpsrv] C:/Windows/avpsrv.exe
O4-HKLM/../run: [mppds] C:/Windows/mppds.exe
O4-HKLM/../run: [msimms32] C:/Windows/msimms32.exe
O4-HKLM/../run: [cmdbcs] C:/Windows/cmdbcs.exe

C:/autorun. inf
/-----
[Autorun]
Opentracing auto.exe
Shellexecuteappsauto.exe
Shell/auto/command#auto.exe
-----/
D:/autorun. inf
/-----
[Autorun]
Opentracing auto.exe
Shellexecuteappsauto.exe
Shell/auto/command#auto.exe
-----/
E:/autorun. inf
/-----
[Autorun]
Opentracing auto.exe
Shellexecuteappsauto.exe
Shell/auto/command#auto.exe
-----/
F:/autorun. inf
/-----
[Autorun]
Opentracing auto.exe
Shellexecuteappsauto.exe
Shell/auto/command#auto.exe
-----/
G:/autorun. inf
/-----
[Autorun]
Open‑launcher.exe
Iconw.launcher.exe
-----/

O23-service: 5a8c7aba (5a8c7aba)-C:/Windows/system32/1f944ec3. exe-5a8c7aba | 12:43:11 | MICROSOFT (r) Windows (r) Operating System |? |? | (C) Microsoft Corporation. All Rights Reserved. |? | Microsoft Corporation |? |? |? (Automatic)

O23-service: 5c0d4d9c (5c0d4d9c)-C:/Windows/system32/542de44. exe-k | 23:41:30 | MICROSOFT (r) Windows (r) Operating System |? |? | (C) Microsoft Corporation. All Rights Reserved. |? | Microsoft Corporation |? |? |? (Automatic)

O23-service: bnhoenni (bnhoenni)-system32/Drivers/bnhoenni. sys |? | 1.1.0.1015 |? |? | 1.1.0.1015 |? |? |? |? (Guide)

O23-service: kdlepi (kdlepi)-C:/Windows/system32/Drivers/kdlepi. sys | 21:36:45 | sys application | 1, 0, 1, 3 | sys application | copyright (c) 2006 | 1, 0, 1, 3 | Beijing sanqi eryi Technology Co., Ltd. |? | Sys | sys.exe (pilot)

O23-service: new0 (new0)-C:/Windows/system32/New. sys | (automatic)

O23-service: ws2ifsl (Windows Socket 2.0 non-ifs service provider support environment)-C:/Windows/system32/Drivers/ws2ifsl. sys | MICROSOFT? Windows? Operating System | 5.1.2600.0 | Winsock2 ifs layer |? Microsoft Corporation. All Rights Reserved. | 5.1.2600.0 (xpclient000017-1148) | Microsoft Corporation |? | Ws2ifsl. sys | ws2ifsl. sys (system)

O24-shlexechook: [4]-{D157330A-9EF3-49F8-9A67-4141AC41ADD4} = 4
===/
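What makes this listing damning is not any single file but the pattern: af0d0e8e.dll sits in csrss, winlogon, services, lsass, every svchost and explorer, carries Microsoft's copyright strings but no version number, and has an eight-hex-digit name, as do a815a0f7.dll, 6bd3f1dc.exe and the 1f944ec3.exe service binary; the k1186364…dat files share one timestamp-derived naming scheme. The script below is an added example (not part of the original post and not pe_xscan's own code) that turns those observations into checks over a pe_xscan-style listing. Its parsing assumptions: a line containing " * <pid>" starts a process, the lines after it up to the next process line are that process's modules, fields are separated by " | ", and a version resource looks like 5.1.2600.2180 or 1, 0, 1, 3. The listing it runs on is constructed to mirror the log above.

```python
"""Triage a pe_xscan-style process/module listing for DLL-injection indicators.

Added example; not the post's or pe_xscan's code. SAMPLE is constructed to
mirror the post's listing, and the line format is an assumption.
"""
import re
from collections import defaultdict

# Constructed metadata strings: a genuine Microsoft version block versus the
# injected DLL's copied copyright strings without any version number.
REAL = ("MICROSOFT Windows Operating System | 5.1.2600.2180 | Windows component | "
        "(c) Microsoft Corporation. All rights reserved. | 5.1.2600.2180 | Microsoft Corporation")
FAKE = ("MICROSOFT (r) Windows (r) Operating System |? |? | "
        "(C) Microsoft Corporation. All Rights Reserved. |? | Microsoft Corporation |? |? |?")

SAMPLE = f"""\
[System process] * 0
C:\\WINDOWS\\system32\\csrss.exe * 860 | {REAL}
C:\\WINDOWS\\system32\\af0d0e8e.dll | 12:40:11 | {FAKE}
C:\\WINDOWS\\system32\\ntdll.dll | {REAL}
C:\\WINDOWS\\system32\\winlogon.exe * 948 | {REAL}
C:\\WINDOWS\\system32\\af0d0e8e.dll | 12:40:11 | {FAKE}
C:\\WINDOWS\\system32\\a815a0f7.dll | 12:43:12 | {FAKE}
C:\\WINDOWS\\system32\\ntdll.dll | {REAL}
C:\\WINDOWS\\system32\\services.exe * 1056 | {REAL}
C:\\WINDOWS\\system32\\af0d0e8e.dll | 12:40:11 | {FAKE}
C:\\WINDOWS\\system32\\ntdll.dll | {REAL}
C:\\WINDOWS\\Explorer.EXE * 224 | {REAL}
C:\\WINDOWS\\system32\\af0d0e8e.dll | 12:40:11 | {FAKE}
C:\\WINDOWS\\system32\\kvsc3.dll |
C:\\WINDOWS\\system32\\k11863644596.dat | 12:42:12, 2007-8-6
C:\\WINDOWS\\system32\\ntdll.dll | {REAL}
C:\\WINDOWS\\system32\\6bd3f1dc.exe * 2064 | 12:43:12
C:\\WINDOWS\\system32\\kvsc3.dll |
"""

PROC = re.compile(r"^(?P<path>.+?) \* (?P<pid>\d+)(?: \| (?P<rest>.*))?$")
VERSION = re.compile(r"\b\d+(?:\.\d+){3}\b|\b\d+(?:, \d+){3}\b")
RANDOM_HEX = re.compile(r"^[0-9a-f]{8}\.(?:dll|exe)$", re.I)
STAMPED_DAT = re.compile(r"^k\d{10,13}\.dat$", re.I)


def basename(path):
    return path.strip().replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse(listing):
    """Return (modules, images): per-module host PIDs and metadata, and PID -> image name."""
    modules = defaultdict(lambda: {"procs": set(), "versioned": False, "claims_ms": False})
    images = {}
    pid = None
    for line in listing.splitlines():
        m = PROC.match(line)
        if m:
            pid = m.group("pid")
            images[pid] = basename(m.group("path"))
            continue
        if pid is None or "|" not in line:
            continue
        path, _, rest = line.partition("|")
        entry = modules[basename(path)]
        entry["procs"].add(pid)
        entry["versioned"] |= bool(VERSION.search(rest))
        entry["claims_ms"] |= "microsoft corporation" in rest.lower()
    return modules, images


def triage(listing, min_procs=3):
    """Map suspicious file names to the reasons they were flagged."""
    modules, images = parse(listing)
    findings = {}
    for name, e in modules.items():
        reasons = []
        if RANDOM_HEX.match(name):
            reasons.append("random 8-hex-digit file name")
        if STAMPED_DAT.match(name):
            reasons.append("k<timestamp>.dat payload name")
        if len(e["procs"]) >= min_procs and not e["versioned"]:
            reasons.append(f"loaded into {len(e['procs'])} processes with no version resource")
        if e["claims_ms"] and not e["versioned"]:
            reasons.append("claims Microsoft Corporation but carries no version number")
        if reasons:
            findings[name] = reasons
    for pid, name in images.items():  # the process images themselves
        if RANDOM_HEX.match(name):
            findings.setdefault(name, []).append(f"running as PID {pid} with a random 8-hex-digit name")
    return findings


if __name__ == "__main__":
    for name, reasons in sorted(triage(SAMPLE).items()):
        print(name, "->", "; ".join(reasons))
```

ntdll.dll is in every process too, but it carries a real version resource, so the "ubiquitous and unversioned" check leaves it alone. Names such as kvsc3.dll or winform.dll defeat the naming heuristics; those surface instead through the O4 run entries and the files' absence from any vendor's version table, which is why a listing like this is read together with the autorun and service sections rather than on its own.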

Haha, many of these have been seen before ~
