Forcibly recommending Firefox: Adware.Win32.Admoke.fg, Rootkit.Win32.Mnless.ft, etc.



Endurer original
1st edition

A few days ago a netizen told me that Kingsoft Antivirus on his computer had recently been reporting a virus every day, and that IE was showing symptoms like those in

Encountered sqmapi32.dll, kvmxfma.dll, rarjdpi.dll, Google.dll, a0b1.dll, etc.
http://blog.csdn.net/Purpleendurer/archive/2007/11/07/1871409.aspx
http://endurer.bokee.com/6522203.html
http://blog.nnsky.com/blog_view_222833.html

Similar symptoms: occasionally an advertisement window would pop up, and a "recommended Firefox" message could appear at the top of any web page. He asked me to help repair it.

First I checked the Kingsoft Antivirus log. An excerpt:

/---
Risk program 2008-01-19 14:51:36 C:\Windows\system32\WBEM\knqtybe0.dll Win32.Adware.Admoke.js.604672 skipped, not handled
Risk program 2008-01-19 14:51:36 C:\Windows\system32\WBEM\txaeilotwzc.dll Win32.Adware.Mokeadt.of.870400 skipped, not handled
Risk program 2008-01-19 14:51:36 C:\Windows\system32\azagxmbtwehqj.dll Win32.Adware.Ejok.g.584192 skipped, not handled
Risk program 2008-01-19 14:51:36 C:\Windows\system32\ebbaozknpdtis.dll Win32.Adware.Ejok.g.584192 skipped, not handled
Risk program 14:51:36 C:\Windows\system32\oswaehkos.dll Win32.Adware.Admoke.fg.574976 skipped, not handled
Risk program 2008-01-19 14:51:36 C:\Windows\system32\rxjh_2.exe Win32.Adware.Adloader.m.20496 skipped, not handled
Risk program 2008-01-18 12:27:46 C:\Windows\system32\WBEM\knqtybe.dll Win32.Adware.Admoke.js.604672 skipped, not handled
Risk program 2008-01-18 12:27:46 C:\Windows\system32\WBEM\txaeilotwzc.dll Win32.Adware.Mokeadt.of.870400 skipped, not handled
Risk program 12:27:46 C:\Windows\system32\oswaehkos.dll Win32.Adware.Admoke.fg.574976 skipped, not handled
Risk program 2008-01-18 12:27:46 C:\Windows\system32\WBEM\knqtybe.dll Win32.Adware.Admoke.js.604672 operation failed
Risk program 2008-01-18 12:27:46 C:\Windows\system32\WBEM\txaeilotwzc.dll Win32.Adware.Mokeadt.of.870400 operation failed
Risk program 12:27:46 C:\Windows\system32\oswaehkos.dll Win32.Adware.Admoke.fg.574976 operation failed
---/

At the same time I found that copy and paste no longer worked on the computer!

I downloaded HijackThis from http://endurer.ys168.com and scanned with it. The HijackThis log contains the following suspicious items:
/---
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:19:58, on
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

O2 - BHO: Google Class - {CE7C3CF0-4B15-11D1-ABED-709549C10531} - C:\Windows\iloveg~1\Google.dll
O2 - BHO: (no name) - {F89D750D-BDBB-4B04-B893-F2F228138F5F} - C:\Windows\system32\doqeuraqsr.dll

O4 - HKCU\..\Run: [pictureshow] "D:\Program Files\pictureshow\poco_tools.exe" -P pictureshow
O4 - HKCU\..\Run: [picer] "D:\Program Files\picer\poco_tools.exe" -P picer

O4 - HKLM\..\Policies\Explorer\Run: [zhqbdf] rundll32.exe C:\Windows\system\zhqbdf080116.dll mymain
O4 - HKLM\..\Policies\Explorer\Run: [zsms] rundll32.exe C:\Windows\system32\mcsrv16_080119.dll start

O18 - Filter hijack: text/html - {CF845CF8-833D-4F3E-9579-8944159650A6} - C:\Windows\system32\WBEM\knqtybe.dll
---/

I closed all IE and folder windows and fixed them ~

I downloaded FileInfo and bat_do from http://purpleendurer.ys168.com, extracted information on the suspicious files in the log and on the virus files that had been reported but not cleared, packaged them up and deleted them.

I downloaded Dr.Web CureIt! and scanned; it detected and cleared a batch of malicious programs.

After restarting the computer, Kingsoft Antivirus still reported finding viruses ...... but copy/paste was working normally again.

Scanning with the 360 Safeguard already installed on the machine killed another two malicious programs.

I downloaded pe_xscan, scanned, and analyzed its log. The following suspicious items were found:
/=
pe_xscan 08-01-19 by Purple endurer
22:45:17
Windows XP Service Pack 2 (5.1.2600)
Administrator user group

C:\Windows\system32\SVCHOST.EXE *364
  C:\Windows\system32\oswaehkos.dll |
C:\Windows\system32\SVCHOST.EXE *1072
  C:\Windows\system32\WBEM\txaeilotwzc.dll | 23:37:46

O23 - Service: 2hrhuzb (2hrhuzb) - system32\Drivers\2hrhuzb.sys (driver)
O23 - Service: dwshd () - C:\Windows\system32\Drivers\dwshd.sys (disabled)
O23 - Service: nvcjryfmt (Automated) - C:\Windows\system32\SVCHOST.exe -k vhtfscnxitd -> C:\Windows\system32\oswaehkos.dll | (automatic)
O23 - Service: twbfjmquycf (ybfjnruybgkns) - C:\Windows\system32\SVCHOST.exe -k dhkoswadhlosxb -> C:\Windows\system32\WBEM\txaeilotwzc.DLL | 23:37:46 (automatic)
O23 - Service: v8360nuj1 (v8360nuj1) - system32\Drivers\v8360nuj1.sys (driver)
O23 - Service: w32time (Windows Time) - C:\Windows\system32\SVCHOST.exe -k netsvcs -> C:\Windows\system32\WBEM\kipqnfvnx.dll (automatic)
===/
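Two kinds of entries in the HijackThis and pe_xscan logs above carry the actual hijack mechanism. The O18 line registers knqtybe.dll as the MIME filter for text/html, which lets that DLL rewrite every HTML response IE fetches; that is how a "recommended Firefox" banner can appear at the top of any site. The O23 lines show svchost-hosted services: two of them run under private -k groups with random names (vhtfscnxitd, dhkoswadhlosxb), and the legitimate w32time service has had its ServiceDll swapped for kipqnfvnx.dll instead of w32time.dll. As an added example, not part of the original post and not code from HijackThis or pe_xscan, the Python below runs exactly those two checks over log lines of that shape. The expected-ServiceDll table, the svchost group list and the default MIME filter list are assumptions written from memory of a default Windows XP install and should be rebuilt from a clean reference machine; the wuauserv line in the sample is constructed as a clean control, the other lines are copied from the logs above.

```python
import re
from dataclasses import dataclass

# Expected ServiceDll file names for a few svchost-hosted XP services.
# Assumption: illustrative table from memory; build the real one from a
# clean reference machine before relying on it.
EXPECTED_SERVICE_DLL = {
    "w32time": "w32time.dll",
    "wuauserv": "wuauserv.dll",
    "winmgmt": "wmisvc.dll",
}

# svchost groups on a default XP install (assumption, not exhaustive).
KNOWN_SVCHOST_GROUPS = {
    "netsvcs", "localservice", "networkservice", "rpcss", "dcomlaunch",
    "termsvcs", "imgsvc", "tapisrv", "httpfilter",
}

# MIME filters Windows itself registers under HKCR\PROTOCOLS\Filter (assumption,
# from memory). text/html is deliberately absent: a filter for it gets to rewrite
# every HTML response IE fetches, which is how a banner is injected into pages.
DEFAULT_MIME_FILTERS = {
    "deflate", "gzip", "lzdhtml", "text/webviewhtml", "class install handler",
    "application/octet-stream", "application/x-complus", "application/x-msdownload",
}

O18_RE = re.compile(
    r"^O18 - Filter(?: hijack)?: (?P<mime>\S+) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>\S+) \((?P<display>[^)]*)\) - (?P<image>.+?)\s*\((?P<start>[^()]*)\)\s*$")
SVCHOST_RE = re.compile(
    r"svchost\.exe\s+-k\s+(?P<group>\S+)\s*->\s*(?P<dll>.+?\.dll)", re.IGNORECASE)

@dataclass
class Finding:
    check: str    # "mime-filter", "servicedll-mismatch" or "private-svchost-group"
    item: str     # MIME type or service name the finding is about
    detail: str

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip().lower()

def check_o18(m):
    mime = m["mime"].lower()
    if mime in DEFAULT_MIME_FILTERS:
        return []
    return [Finding("mime-filter", mime, "non-default MIME filter -> " + m["path"].strip())]

def check_o23(m):
    name = m["name"].lower()
    sv = SVCHOST_RE.search(m["image"])
    if not sv:
        return []  # kernel drivers and stand-alone EXE services are out of scope here
    group, dll = sv["group"].lower(), basename(sv["dll"])
    findings = []
    expected = EXPECTED_SERVICE_DLL.get(name)
    if expected and dll != expected:
        findings.append(Finding("servicedll-mismatch", name, f"expected {expected}, got {dll}"))
    if group not in KNOWN_SVCHOST_GROUPS:
        findings.append(Finding("private-svchost-group", name, f"group {group} -> {dll}"))
    return findings

def triage(log_text):
    """Run both checks over HijackThis/pe_xscan style lines; return a list of Finding."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O18_RE.match(line)
        if m:
            findings.extend(check_o18(m))
            continue
        m = O23_RE.match(line)
        if m:
            findings.extend(check_o23(m))
    return findings

# Lines copied from the logs above (paths normalised to backslashes); the
# wuauserv line is constructed as a clean control and produces no finding.
SAMPLE_LOG = r"""
O18 - Filter hijack: text/html - {CF845CF8-833D-4F3E-9579-8944159650A6} - C:\Windows\system32\WBEM\knqtybe.dll
O23 - Service: 2hrhuzb (2hrhuzb) - system32\Drivers\2hrhuzb.sys (driver)
O23 - Service: nvcjryfmt (Automated) - C:\Windows\system32\SVCHOST.exe -k vhtfscnxitd -> C:\Windows\system32\oswaehkos.dll | (automatic)
O23 - Service: twbfjmquycf (ybfjnruybgkns) - C:\Windows\system32\SVCHOST.exe -k dhkoswadhlosxb -> C:\Windows\system32\WBEM\txaeilotwzc.DLL | 23:37:46 (automatic)
O23 - Service: w32time (Windows Time) - C:\Windows\system32\SVCHOST.exe -k netsvcs -> C:\Windows\system32\WBEM\kipqnfvnx.dll (automatic)
O23 - Service: wuauserv (Automatic Updates) - C:\Windows\system32\svchost.exe -k netsvcs -> C:\Windows\system32\wuauserv.dll (automatic)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.check:22} {f.item:14} {f.detail}")
```

The kernel-driver entries (2hrhuzb.sys, v8360nuj1.sys) deliberately produce nothing here: a driver's name alone says little, and the post's own approach for those, back up the file, hash it, and force-delete it with IceSword, is the right one.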

dwshd.sys is probably something left behind by the Dr.Web CureIt! I used earlier.

A Google search turns up the following description at http://spywaredlls.prevx.com/rrihdc43518690/dwshd.sys.html:

Common File Name: dwshd.sys
Common Path: %Temp%\rarsfx2\
Vendor Information: DrWeb Ltd.
Product Information: Dr.Web bruteforce driver
Version Information: 4.44.0.0
File Name Structure: normal
File and Path Structure: normal

I used FileInfo and bat_do to extract information on the suspicious files, package them up, and delete them with a delayed delete.

But 2hrhuzb.sys could not be operated on, so I downloaded IceSword from http://endurer.ys168.com, copied the file out for a packaged backup, and then force-deleted it.

I downloaded the Rising Antivirus Assistant aide4rav from http://endurer.ys168.com and ran Rising's free online scan. The results:

21:39:24 Rising Antivirus Assistant
Windows XP Service Pack 2 (5.1.2600)
File name    Virus name
C:\Windows\winudmp32.txt>ASPack212r    Adware.Win32.Admoke.wcf
C:\Windows\my_70338.exe    Trojan.DL.Win32.Mnless.qp
C:\Windows\tempaq    Trojan.Win32.Undef.bpj
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\FKY8WICN\real1[1].htm    Hack.Exploit.Script.Small.g
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\C5I7CR8X\14.01).htm    Trojan.DL.Script.JS.Agent.mav
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\C5I7CR8X\real1[1].htm    Hack.Exploit.Script.Small.ae
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\MVMXMRIT\060141_12.16.htm    Trojan.DL.Script.Small.m
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\MVMXMRIT\dm1[1].htm    Hack.Exploit.Script.Small.aj
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\CF8VI5EH\61420.12.16.htm    Hack.Exploit.Script.Small.ak
C:\Documents and Settings\Lenovo\DoctorWeb\Quarantine\yesetup.exe    Dropper.Win32.Agent.zbx
C:\Documents and Settings\Lenovo\DoctorWeb\Quarantine\up.exe    Trojan.Win32.Agent.vsw
C:\Documents and Settings\Lenovo\DoctorWeb\Quarantine\zhqb080116.exe>Upack0.36    Trojan.Win32.Undef.bqd
C:\Documents and Settings\Lenovo\DoctorWeb\Quarantine\zhqbdf080133.#ll    Trojan.Win32.KillAV.gfk

I deleted them with the Rising Antivirus Assistant.

I opened the Registry Editor and deleted the O23 service entries.

After restarting the computer once more, Kingsoft Antivirus no longer reports any virus ~

File description: C:\Windows\system32\WBEM\txaeilotwzc.dll
Attributes: ---
An error occurred while obtaining the file version information!
Creation time: 23:37:45
Modification time: 23:37:46
Access time:
Size: 1348096 bytes, 1.292 MB
MD5: 03e1dfbc2bbfb4488364362e52a8fe36
SHA1: 25e83a402b7f5b8ca1b7c8ec07a86e37561e270f
CRC32: 62d46428

Kaspersky reports not-a-virus:AdWare.Win32.Admoke.iu, and Rising reports Adware.Win32.Admoke.wck.

File description: C:\Windows\system32\oswaehkos.dll
Attributes: ---
An error occurred while obtaining the file version information!
Creation time:
Modification time:
Access time:
Size: 574976 bytes, 561.512 KB
MD5: cce5c15dc6b2c9d3ff3fc021e80d098e
SHA1: 201770b51d306f9da24fe61945716c147881d300d
CRC32: 790bd6f4

Kaspersky reports not-a-virus:AdWare.Win32.Admoke.oe, and Rising reports Adware.Win32.Admoke.fg.

File description: D:\test\2hrhuzb.sys
Attributes: ---
An error occurred while obtaining the file version information!
Creation time: 21:38:16
Modification time: 21:23:16
Access time:
Size: 24512 bytes, 23.960 KB
MD5: 66%e7%f2e2c3b618448fc7e7760
SHA1: fe39a85f838fb722e74cb11e6a5db389817b55b3
CRC32: cff8780b

Kaspersky reports Trojan-Downloader.Win32.Hmir.rn, and Rising reports Rootkit.Win32.Mnless.ft.
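The three file descriptions above record an MD5, SHA-1 and CRC32 for each sample so the files can still be identified after deletion and looked up under other vendors' names. Those values are only useful if they were copied correctly: a SHA-1 is always 40 hex digits and an MD5 always 32, so the 41-character SHA-1 recorded for oswaehkos.dll and the MD5 for 2hrhuzb.sys that contains "%" cannot be genuine digests and must have been garbled in transcription; anyone re-checking these samples should rely on the remaining fields. As an added example, not part of the original post and not FileInfo's own code, the Python below recomputes the same triple the way such a tool does (streamed, so a large DLL need not fit in memory) and audits recorded values for that kind of damage. The digest strings in REPORTED are copied from the descriptions above; the bytes hashed in the demo are constructed.

```python
import hashlib
import re
import zlib

HEX_LEN = {"md5": 32, "sha1": 40, "crc32": 8}  # hex digits a genuine digest has

def digest_triple(data: bytes) -> dict:
    """MD5, SHA-1 and CRC32 of in-memory bytes, lowercase hex like FileInfo prints."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "crc32": f"{zlib.crc32(data) & 0xFFFFFFFF:08x}",
    }

def digest_file(path: str, chunk: int = 1 << 20) -> dict:
    """Same triple for a file on disk, streamed so a large DLL need not fit in memory."""
    md5, sha1, crc = hashlib.md5(), hashlib.sha1(), 0
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            md5.update(block)
            sha1.update(block)
            crc = zlib.crc32(block, crc)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest(),
            "crc32": f"{crc & 0xFFFFFFFF:08x}"}

def validate_reported(reported: dict) -> list:
    """Names of fields that cannot be a genuine digest (wrong length or non-hex)."""
    bad = []
    for name, value in reported.items():
        want = HEX_LEN.get(name)
        if want is None or not re.fullmatch(rf"[0-9a-fA-F]{{{want}}}", value.strip()):
            bad.append(name)
    return bad

# Values copied verbatim from the three file descriptions above.
REPORTED = {
    "txaeilotwzc.dll": {"md5": "03e1dfbc2bbfb4488364362e52a8fe36",
                        "sha1": "25e83a402b7f5b8ca1b7c8ec07a86e37561e270f",
                        "crc32": "62d46428"},
    "oswaehkos.dll": {"md5": "cce5c15dc6b2c9d3ff3fc021e80d098e",
                      "sha1": "201770b51d306f9da24fe61945716c147881d300d",
                      "crc32": "790bd6f4"},
    "2hrhuzb.sys": {"md5": "66%e7%f2e2c3b618448fc7e7760",
                    "sha1": "fe39a85f838fb722e74cb11e6a5db389817b55b3",
                    "crc32": "cff8780b"},
}

def audit_report(report: dict = REPORTED) -> dict:
    """Map each sample to the list of digest fields that fail the format check."""
    return {sample: validate_reported(values) for sample, values in report.items()}

if __name__ == "__main__":
    for sample, bad in audit_report().items():
        print(f"{sample:18} {'ok' if not bad else 'unusable: ' + ', '.join(bad)}")
    # Constructed bytes, not any file from the infected machine.
    print(digest_triple(b"constructed sample bytes"))
```

Running the audit marks txaeilotwzc.dll as fully usable, oswaehkos.dll as missing a usable SHA-1 and 2hrhuzb.sys as missing a usable MD5; the surviving fields are still enough for a multi-engine lookup, and digest_file gives the full triple again whenever the backed-up sample is at hand.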
