Encountering krnln.fnr, com.run, shell.fne, dp1.fne, eapi.fne, internet.fne, RegEx.fnr, spec.fne, etc.

A netizen said that his computer might be infected with a virus. The symptom: after he renamed a folder on his USB flash drive and double-clicked it, the system reported that the folder could not be found.

Using QQ Remote Assistance, I first checked the USB flash drive and found the virus that turns folders into EXE files. I deleted the virus EXE files and then removed the hidden and system attributes that the virus had set on the folders.

I then scanned the computer with pe_xscan, generated a system log, and analyzed it. The following suspicious items were found:

 

Pe_xscan 10-07-04 by Purple endurer
20:54:33
Windows XP Service Pack 3 (5.1.2600)
MSIE: 6.0.2900.5512
Administrator user group
Normal Mode
C:/Windows/cmder.exe * 1596 |
C:/program files/freelaunchbar/flb.dll | 10:14:49 | Free Launch bar | 1.0.0.0 | Free Launch bar | copyright (c) 2001-2004 truesoft | 1.0.0.0 | truesoft | Free Launch bar | freelaunchbar | flb.dll
C:/Windows/system32/spoolsv.exe * 1656 |
C:/Windows/system32/ec4698/0246ef.exe * 1844 |
C:/Windows/system32/ec4698/krnln.fnr | 14:58:26
C:/Windows/system32/ec4698/com.run | 14:58:26 | com dynamic link library | 1, 0, 0, 1 | com DLL | copyright (c) 2004 | 1, 0, 0, 0, 1 | com.dll
C:/Windows/system32/ec4698/shell.fne |
C:/Windows/system32/ec4698/dp1.fne | 14:58:26
C:/Windows/system32/ec4698/eapi.fne |
C:/Windows/system32/ec4698/internet.fne | 14:58:26 | Internet dynamic link library | 1, 0, 0, 1 | Internet DLL | copyright (c) 2002 | 1, 0, 0, 0, 1 | internet.dll
C:/Windows/system32/ec4698/RegEx.fnr | 14:58:26
C:/Windows/system32/ec4698/spec.fne | 14:58:26
C:/Windows/system32/ec4698/pv718346.exe * 3988 | 8:18:52
C:/Windows/system32/ec4698/krnln.fnr | 14:58:26
C:/Windows/system32/ec4698/eapi.fne |
C:/Windows/system32/ec4698/dp1.fne | 14:58:26
C:/Windows/system32/ec4698/w65c5ef7.exe * 1948 | 8:18:53
C:/Windows/system32/ec4698/krnln.fnr | 14:58:26
C:/Windows/system32/ec4698/eapi.fne |
C:/Windows/system32/ec4698/dp1.fne | 14:58:26

 

O2-ieaddon (jsobject class)-{11cc93e4-0be6-4f8f-82aa-d577fb955b05}
= C:/program files/Baidu/addressbar.dll
O4-HKLM/../run: [0246ef] C:/Windows/system32/ec4698/0246ef.exe
O4-startup: 0246ef.lnk-> C:/Windows/system32/ec4698/0246ef.exe

 

The HKLM/showall value is not 1.
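
One way to automate the triage of a log like the one above, as an added example that is not part of pe_xscan or of the original post: it groups module lines under their process, flags executables that sit in a subdirectory of system32 or load .fne/.fnr/.run modules, and cross-references the O4 autorun entries. The sample lines are adapted from the log above with file-name spacing normalized; the line format and the three heuristics are assumptions drawn from that log.

```python
import re
from collections import defaultdict

# Constructed sample: lines adapted from the pe_xscan log above, with the
# stray spaces in file names normalized.
SAMPLE_LOG = """\
C:/Windows/system32/spoolsv.exe * 1656 |
C:/Windows/system32/ec4698/0246ef.exe * 1844 |
C:/Windows/system32/ec4698/krnln.fnr | 14:58:26
C:/Windows/system32/ec4698/shell.fne |
C:/Windows/system32/ec4698/pv718346.exe * 3988 | 8:18:52
C:/Windows/system32/ec4698/krnln.fnr | 14:58:26
C:/Windows/system32/ec4698/dp1.fne | 14:58:26
O4-HKLM/../run: [0246ef] C:/Windows/system32/ec4698/0246ef.exe
O4-startup: 0246ef.lnk-> C:/Windows/system32/ec4698/0246ef.exe
"""
PROC_RE = re.compile(r"^(?P<path>[A-Za-z]:/[^|*]+?)\s*\*\s*(?P<pid>\d+)\s*\|")
MOD_RE = re.compile(r"^(?P<path>[A-Za-z]:/[^|]+?)\s*\|")
AUTORUN_RE = re.compile(r"^O4-.*?(?P<path>[A-Za-z]:/.+?\.exe)\s*$", re.I)
# Assumption: these extensions mark runtime libraries unpacked beside the malware.
RUNTIME_EXT = (".fne", ".fnr", ".run")
# Assumption: an .exe in a subdirectory of system32 deserves a look
# (legitimate ones exist, e.g. under wbem, so this is a hint, not a verdict).
ODD_DIR_RE = re.compile(r"^[a-z]:/windows/system32/[^/]+/[^/]+\.exe$", re.I)

def triage(log_text):
    """Return {image_path: set(reasons)} for suspicious processes and autoruns."""
    findings = defaultdict(set)
    current = None  # image path of the process whose module list is being read
    for line in log_text.splitlines():
        line = line.strip()
        if m := PROC_RE.match(line):
            current = m["path"].lower()
            if ODD_DIR_RE.match(current):
                findings[current].add("image in system32 subdirectory")
        elif m := AUTORUN_RE.match(line):
            current = None
            path = m["path"].lower()
            if ODD_DIR_RE.match(path):
                findings[path].add("autorun entry")
        elif (m := MOD_RE.match(line)) and current:
            if m["path"].lower().endswith(RUNTIME_EXT):
                findings[current].add("loads .fne/.fnr/.run module")
    return dict(findings)

if __name__ == "__main__":
    for image, reasons in triage(SAMPLE_LOG).items():
        print(image, sorted(reasons))
```

An image that collects all three reasons, as 0246ef.exe does here, is the one to remove first together with its Run key and startup shortcut.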

I downloaded fileinfo and bat_do from http://purpleendurer.ys168.com, packed the virus files with bat_do, and used fileinfo to extract the virus file information.

Only QQ Software Manager was installed on the computer, and there was no antivirus software. When I tried it, the home page of the Rising website could not be displayed. Presumably the virus was blocking the site; after the virus was cleared, it opened normally.

Next I tried the Kingsoft Antivirus (Duba) website. It opened normally, and I found a completely free "Kingsoft Antivirus Technology Preview" of only 10.4 MB, so I gave it a try.

It has some system repair functions, but unfortunately the repair results were not satisfactory. For example:

 

O4-startup: 0246ef.lnk-> C:/Windows/system32/ec4698/0246ef.exe

After the scan completed and the computer was restarted, this entry still had to be cleared manually.

In addition, it produces false positives: it flagged fileinfo as a malicious program, and IceSword was not spared either.

 

 

 

Some malicious file information is attached:

 

C:/Windows/system32/ec4698/VC-WL8.EXE (vv6f2450.exe is the same file): Kaspersky reports Trojan.Win32.FlyStudio.uj; Rising reports Trojan.Win32.Generic.520c5658.
C:/Windows/system32/ec4698/VC-G8.EXE: Kaspersky reports Trojan.Win32.FlyStudio.uj; Rising reports Trojan.Win32.Generic.5226a7a6.
C:/Windows/system32/ec4698/TC-G9.EXE (nv5952b3.exe is the same file): Kaspersky reports Trojan.Win32.FlyStudio.uj; Rising reports Trojan.Win32.Generic.522a0ef0.
C:/Windows/system32/ec4698/TC-GP.EXE (pv718346.exe is the same file): Rising reports Trojan.Win32.Generic.5231ff7f.
C:/Windows/system32/ec4698/9um78.exe (w65c5ef7.exe is the same file): Rising reports Trojan.Win32.Generic.523389f9.