Adware that forcibly recommends Firefox: adware.win32.admoke.fg, rootkit.win32.mnless.ft, etc.
Endurer original, 1st edition
A few days ago a netizen said that Kingsoft Antivirus (Duba) on his computer had been reporting a virus every day, and that IE showed the same symptoms as in
Encountering sqmapi32.dll, kvmxfma.dll, rarjdpi.dll, Google.dll, a0b1.dll, etc.
Http://blog.csdn.net/Purpleendurer/archive/2007/11/07/1871409.aspx
Http://endurer.bokee.com/6522203.html
Http://blog.nnsky.com/blog_view_222833.html
Similar symptoms: every so often an advertisement window opened, and a "recommended Firefox" message appeared at the top of any web page. He asked me to help with the repair.
First, I checked the Kingsoft Antivirus log. An excerpt follows:
/---
Risk Program 2008-01-19 14:51:36 C:/Windows/system32/WBEM/knqtybe0.dll win32.adware.admoke.js.604672 skipped, not handled
Risk Program 2008-01-19 14:51:36 C:/Windows/system32/WBEM/txaeilotwzc.dll win32.adware.mokeadt.of.870400 skipped, not handled
Risk Program 2008-01-19 14:51:36 C:/Windows/system32/azagxmbtwehqj.dll win32.adware.ejok.g.584192 skipped, not handled
Risk Program 2008-01-19 14:51:36 C:/Windows/system32/ebbaozknpdtis.dll win32.adware.ejok.g.584192 skipped, not handled
Risk Program 14:51:36 C:/Windows/system32/oswaehkos.dll win32.adware.admoke.fg.574976 skipped, not handled
Risk Program 2008-01-19 14:51:36 C:/Windows/system32/rxjh_2.exe win32.adware.adloader.m.20.496 skipped, not handled
Risk Program 2008-01-18 12:27:46 C:/Windows/system32/WBEM/knqtybe.dll win32.adware.admoke.js.604672 skipped, not handled
Risk Program 2008-01-18 12:27:46 C:/Windows/system32/WBEM/txaeilotwzc.dll win32.adware.mokeadt.of.870400 skipped, not handled
Risk Program 12:27:46 C:/Windows/system32/oswaehkos.dll win32.adware.admoke.fg.574976 skipped, not handled
Risk Program 2008-01-18 12:27:46 C:/Windows/system32/WBEM/knqtybe.dll win32.adware.admoke.js.604672 operation failed
Risk Program 2008-01-18 12:27:46 C:/Windows/system32/WBEM/txaeilotwzc.dll win32.adware.mokeadt.of.870400 operation failed
Risk Program 12:27:46 C:/Windows/system32/oswaehkos.dll win32.adware.admoke.fg.574976 operation failed
---/
At the same time I found that the computer could not copy or paste!
I downloaded HijackThis from http://endurer.ys168.com to scan and analyze. The following suspicious items were found in the HijackThis log:
/---
Logfile of Trend Micro hijackthis v2.0.2
Scan saved at 11:19:58, on
Platform: Windows XP SP2 (winnt 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot Mode: normal
O2-BHO: Google class-{CE7C3CF0-4B15-11D1-ABED-709549C10531}-C:/Windows/iloveg~1/Google.dll
O2-BHO: (No Name)-{F89D750D-BDBB-4B04-B893-F2F228138F5F}-C:/Windows/system32/doqeuraqsr.dll
O4-hkcu/../run: [pictureshow] "D:/program files/pictureshow/poco_tools.exe" -P pictureshow
O4-hkcu/../run: [picer] "D:/program files/picer/poco_tools.exe" -P picer
O4-HKLM/../policies/Explorer/run: [zhqbdf] rundll32.exe C:/Windows/system/zhqbdf080116.dll mymain
O4-HKLM/../policies/Explorer/run: [zsms] rundll32.exe C:/Windows/system32/mcsrv16_080119.dll start
O18-filter hijack: text/html-{CF845CF8-833D-4F3E-9579-8944159650A6}-C:/Windows/system32/WBEM/knqtybe.dll
---/
I closed all IE and folder windows and had HijackThis fix them.
I downloaded fileinfo and bat_do from http://purpleendurer.ys168.com, used fileinfo to extract information on the suspicious files in the log and on the virus files that were reported but not cleared, then used bat_do to package and delete them.
I downloaded DrWeb CureIt! and scanned; it detected and cleared a batch of malicious programs.
After restarting the computer, Kingsoft Antivirus still reported finding a virus...... but the copy/paste function was back to normal.
Scanning with the 360 Safeguard already installed on the machine killed two more malicious programs.
I downloaded pe_xscan, scanned, and analyzed the log. The following suspicious items were found:
/=
Pe_xscan 08-01-19 by Purple endurer
22:45:17
Windows XP Service Pack 2 (5.1.2600)
Administrator user group
C:/Windows/system32/SVCHOST.EXE * 364
C:/Windows/system32/oswaehkos.dll |
C:/Windows/system32/SVCHOST.EXE * 1072
C:/Windows/system32/WBEM/txaeilotwzc.dll | 23:37:46
O23-service: 2hrhuzb (2hrhuzb)-system32/Drivers/2hrhuzb.sys (driver)
O23-service: dwshd ()-C:/Windows/system32/Drivers/dwshd.sys (disabled)
O23-service: nvcjryfmt (Automated)-C:/Windows/system32/SVCHOST.exe -K vhtfscnxitd-> C:/Windows/system32/oswaehkos.dll | (automatic)
O23-service: twbfjmquycf (ybfjnruybgkns)-C:/Windows/system32/SVCHOST.exe -K dhkoswadhlosxb-> C:/Windows/system32/WBEM/txaeilotwzc.DLL | 23:37:46 (automatic)
O23-service: v8360nuj1 (v8360nuj1)-system32/Drivers/v8360nuj1.sys (driver)
O23-service: w32time (Windows Time)-C:/Windows/system32/SVCHOST.exe -K netsvcs-> C:/Windows/system32/WBEM/kipqnfvnx.dll (automatic)
===/
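The HijackThis and pe_xscan entries above show the four persistence points this adware used: BHOs under the Windows directory, rundll32 autostarts in Policies\Explorer\Run, a text/html MIME filter, and svchost-hosted services whose ServiceDll points at the adware. The following triage script is an added example, not part of the original post or of either tool; it re-types those log lines as constructed sample input, and the reference ServiceDll list is an assumed allowlist that in practice would be taken from a clean machine of the same build.

```python
import re

# Constructed sample: the HijackThis and pe_xscan entries from this cleanup,
# re-typed with the extraction spacing removed (e.g. "knqtybe. dll" -> "knqtybe.dll").
SAMPLE_LOG = """\
O2-BHO: Google class-{CE7C3CF0-4B15-11D1-ABED-709549C10531}-C:/Windows/iloveg~1/Google.dll
O2-BHO: (No Name)-{F89D750D-BDBB-4B04-B893-F2F228138F5F}-C:/Windows/system32/doqeuraqsr.dll
O4-hkcu/../run: [pictureshow] "D:/program files/pictureshow/poco_tools.exe" -P pictureshow
O4-HKLM/../policies/Explorer/run: [zhqbdf] rundll32.exe C:/Windows/system/zhqbdf080116.dll mymain
O18-filter hijack: text/html-{CF845CF8-833D-4F3E-9579-8944159650A6}-C:/Windows/system32/WBEM/knqtybe.dll
O23-service: nvcjryfmt (Automated)-C:/Windows/system32/SVCHOST.exe -K vhtfscnxitd-> C:/Windows/system32/oswaehkos.dll (automatic)
O23-service: w32time (Windows Time)-C:/Windows/system32/SVCHOST.exe -K netsvcs-> C:/Windows/system32/WBEM/kipqnfvnx.dll (automatic)
"""
# Assumption: reference list of svchost-hosted services and their ServiceDll from a
# clean machine of the same build; only the one real service in the sample is listed.
REFERENCE_SERVICE_DLL = {"w32time": "w32time.dll"}
PATH_RE = re.compile(r'"([A-Za-z]:/[^"]+)"|([A-Za-z]:/\S+)')

def _last_path(text):
    """Last drive-letter path in an entry, lower-cased; for O23 that is the ServiceDll."""
    paths = [quoted or bare for quoted, bare in PATH_RE.findall(text)]
    return paths[-1].lower() if paths else ""

def triage(log_text):
    """Return (section, reason, path) for entries matching the hijack patterns seen here."""
    findings = []
    for line in log_text.splitlines():
        m = re.match(r"^(O\d+)-(.*)$", line.strip())
        if not m:
            continue
        section, body, low = m.group(1), m.group(2), m.group(2).lower()
        path = _last_path(body)
        if section == "O2" and "/windows/" in path:
            # Heuristic: legitimate BHOs install under Program Files, not into the Windows tree
            findings.append((section, "BHO loaded from the Windows directory", path))
        elif section == "O4" and "policies/explorer/run" in low and "rundll32.exe" in low:
            findings.append((section, "DLL autostart via rundll32 in Policies\\Explorer\\Run", path))
        elif section == "O18" and "text/html" in low:
            # A text/html MIME filter sees every page IE renders: the ad-injection point
            findings.append((section, "text/html MIME filter hijack", path))
        elif section == "O23" and "svchost.exe" in low:
            svc = re.match(r"service:\s*(\S+)", body).group(1).lower()
            expected = REFERENCE_SERVICE_DLL.get(svc)
            if expected is None:
                findings.append((section, f"svchost-hosted service {svc} absent from reference list", path))
            elif not path.endswith("/" + expected):
                findings.append((section, f"ServiceDll of {svc} replaced, expected {expected}", path))
    return findings

if __name__ == "__main__":
    for sec, why, p in triage(SAMPLE_LOG): print(f"{sec:4} {why}: {p}")
```

The two HKCU Run entries for poco_tools.exe under D:/program files are deliberately not flagged, which matches the page's own fix list.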
dwshd.sys is probably something dropped by the DrWeb CureIt! used earlier.
Googling it finds the following description at http://spywaredlls.prevx.com/rrihdc43518690/dwshd.sys.html:
Common File Name: dwshd.sys
Common Path: %Temp%/rarsfx2/
Vendor Information: drweb Ltd.
Product Information: Dr. Web bruteforce driver
Version Information: 4.44.0.0
File Name Structure: normal
File and Path Structure: normal
I used fileinfo and bat_do to extract information on the suspicious files, package them, and delete them with delayed deletion.
But 2hrhuzb.sys could not be operated on, so I downloaded IceSword from http://endurer.ys168.com, copied the file out as a packaged backup, and then force-deleted it.
I downloaded the Rising Antivirus assistant aide4rav from http://endurer.ys168.com and used Rising's free online scan. The results are as follows:
21:39:24 Rising anti-virus Assistant
Windows XP Service Pack 2 (5.1.2600)
File Name                                   Virus Name
C:/Windows/winudmp32.txt >aspack212r   adware.win32.admoke.WCF
C:/Windows/my_70338.exe   Trojan.DL.win32.mnless.QP
C:/Windows/tempaq   Trojan.win32.undef.bpj
C:/Documents and Settings/NetworkService/Local Settings/Temporary Internet Files/content.ie5/fky8wicn/real1_1).htm   hack.Exploit.Script.Small.g
C:/Documents and Settings/NetworkService/Local Settings/Temporary Internet Files/content.ie5/c5i7cr8x/14.01).htm   Trojan.DL.Script.js.Agent.MAV
C:/Documents and Settings/NetworkService/Local Settings/Temporary Internet Files/content.ie5/c5i7cr8x/real1_1).htm   hack.Exploit.Script.Small.AE
C:/Documents and Settings/NetworkService/Local Settings/Temporary Internet Files/content.ie5/mvmxmrit/060141_12.16.htm   Trojan.DL.Script.Small.m
C:/Documents and Settings/NetworkService/Local Settings/Temporary Internet Files/content.ie5/mvmxmrit/dm1_1).htm   hack.Exploit.Script.Small.AJ
C:/Documents and Settings/NetworkService/Local Settings/Temporary Internet Files/content.ie5/cf8vi5eh/61420.12.16.htm   hack.Exploit.Script.Small.AK
C:/Documents and Settings/Lenovo/doctorweb/quarantine/yesetup.exe   dropper.win32.agent.zbx
C:/Documents and Settings/Lenovo/doctorweb/quarantine/up.exe   Trojan.win32.agent.vsw
C:/Documents and Settings/Lenovo/doctorweb/quarantine/zhqb080116.exe >upack0.36   Trojan.win32.undef.bqd
C:/Documents and Settings/Lenovo/doctorweb/quarantine/zhqbdf080133.#ll   Trojan.win32.killav.GfK
I deleted them using the Rising Antivirus assistant.
I opened the Registry Editor and deleted the O23 items.
I restarted the computer once more, and Kingsoft Antivirus no longer reported a virus ~
File Description: C:/Windows/system32/WBEM/txaeilotwzc.dll
Attribute: ---
An error occurred while obtaining the file version information!
Creation Time: 23:37:45
Modification time: 23:37:46
Access time:
Size: 1348096 bytes, 1.292 MB
MD5: 03e1dfbc2bbfb4488364362e52a8fe36
SHA1: 25e83a402b7f5b8ca1b7c8ec07a86e37561e270f
CRC32: 62d46428
Kaspersky reports not-a-virus:adware.win32.admoke.iu, and Rising reports adware.win32.admoke.wck.
File Description: C:/Windows/system32/oswaehkos.dll
Attribute: ---
An error occurred while obtaining the file version information!
Creation Time:
Modification time:
Access time:
Size: 574976 bytes, 561.512 KB
MD5: cce5c15dc6b2c9d3ff3fc021e80d098e
SHA1: 201770b51d306f9da24fe61945716c147881d300d
CRC32: 790bd6f4
Kaspersky reports not-a-virus:adware.win32.admoke.oe, and Rising reports adware.win32.admoke.fg.
File Description: D:/test/2hrhuzb.sys
Attribute: ---
An error occurred while obtaining the file version information!
Created at: 21:38:16
Modified on: 21:23:16
Access time:
Size: 24512 bytes, 23.960 KB
MD5: 66%e7%f2e2c3b618448fc7e7760
SHA1: fe39a85f838fb722e74cb11e6a5db389817b55b3
CRC32: cff8780b
Kaspersky reports Trojan-Downloader.Win32.Hmir.rn, and Rising reports rootkit.win32.mnless.ft.