Encountering kav32.exe, scvhost.exe, nxd.exe, winmscabc.ime, extext74296t.exe, etc. (2)

Source: Internet
Author: User
Tags: crc32 sha1

Original: endurer
1st-

 

(Continued 1)

 

From the log we can see that the following system files fail digital signature verification and may have been replaced by the virus:

 

C:/Windows/assumer.exe
C:/Windows/system32/userinit.exe
C:/Windows/system32/mshtml.dll
C:/Windows/system32/sfc_os.dll
C:/Windows/system32/wininet.dll
C:/Windows/system32/dnsapi.dll
C:/Windows/system32/mswsock.dll
C:/Windows/system32/comres.dll
C:/Windows/system32/stobject.dll
C:/Windows/system32/Drivers/AFD.sys
C:/Windows/winsxs/x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.6001.22319_x-ww_f0b4c2df/gdiplus.dll
C:/program files/Messenger/msgscr.dll

In addition, a relatively rare system service item is found in the complete pe_xscan log:

 

O23 - Service: hardlock (hardlock) - C:/Windows/system32/Drivers/hardlock.sys | 14:52:55 | Hardlock Device Driver for Windows NT | 3.25 | Hardlock Device Driver for Windows NT | Copyright 1994-2003 Aladdin Knowledge Systems. | 3.25 | Aladdin Knowledge Systems | ? | Hardlock.sys | hardlock.sys (automatic)

 
Googling it: hardlock.sys is the driver for the Aladdin copy-protection dongle (hardware lock). Many large software packages use this kind of copyright protection ~

 

After the analysis is complete, start the repair.

 

Download bat_do and fileinfo from http://purpleendurer.ys168.com, then disconnect the network cable.

 

Open Task Manager and terminate the following process trees:

 

C:/Windows/assumer.exe
C:/Windows/extext74296t.exe
C:/Windows/extext74406t.exe
C:/Windows/system32/userinit.exe
C:/Windows/system32/rundll32.exe
C:/Windows/system32/scvhost.exe

 

After this, WinRAR runs normally, and we can extract bat_do and fileinfo.

Use fileinfo to extract the information of the files marked red in the log.

Rename the system files listed above, then use a USB flash drive to copy clean copies of those files from another computer into the corresponding directories.

Use bat_do to pack and back up the other red-marked files in the log (except the system files listed above) and delete them with a delay.

Delete C:/autorun.inf from within WinRAR.

Open Registry Editor and delete the virus startup items.

Restart the computer. The Rising monitor icon is displayed as a red umbrella; run a repair install of Rising.

Connect the network cable and download Dr.Web CureIt! to scan for and remove viruses: many EXE and DLL files are found infected and are repaired!

After the computer restarts, the Rising icon is displayed as a green umbrella, but a manual update fails with an error saying the network is faulty.

A file named wsock32.dll is found in the Rising program folder; delete it with bat_do's delayed deletion. After another restart, Rising updates normally and can run a full scan and removal ~

 

Information on some of the malicious files is attached:

 

File Description: C:/Windows/assumer.exe
Attribute: ---
Digital Signature: No
PE file: Yes
Language: Chinese (China)
File version: 6.00.2900.5512 (xpsp.080413-2105)
Description: Windows Explorer
Copyright: (c) Microsoft Corporation. All rights reserved.
Product Version: 6.00.2900.5512
Product Name: Microsoft (r) Windows (r) Operating System
Company Name: Microsoft Corporation
Internal name: Explorer
Source File Name: EXPLORER.EXE
Creation Time:
Modification time:
Size: 3440660 bytes, 3.288 MB
MD5: a8bf54829afcc4fca6bf9cd16f88d106
Sha1: 7aae0703e72eb8ca165ca8870fb6f84dd7314946
CRC32: 18ea0319

File Description: C:/Windows/system32/userinit.exe
Attribute: ---
Digital Signature: No
PE file: Yes
An error occurred while obtaining the file version information!
Creation Time: 8:56:38
Modification time:
Size: 23552 bytes, 23.0 KB
MD5: e93566a2d7e84951cc2a6c28dffc2303
Sha1: 7896ebe6117572b050dfd99e72ea300179cc76e4
CRC32: fe0994ed

 

File Description: C:/Windows/mkmkrnl.dll
Attribute: ---
Digital Signature: No
PE file: Yes
An error occurred while obtaining the file version information!
Creation Time: 18:47:37
Modification time: 18:47:37
Size: 10240 bytes, 10.0 kb
MD5: 3e24626303f7745ef4b3009892c55622
Sha1: ab9d118108cfcec039b143b95bf0aa8a5bf88489
CRC32: 86ccf000

 

Kaspersky reports Trojan.Win32.Agent.anoe; Rising reports Trojan.win32.undef.SOE.

 

File Description: C:/Windows/mpkrnl.dll
Attribute: ---
Digital Signature: No
PE file: Yes
An error occurred while obtaining the file version information!
Creation Time:
Modification time:
Size: 20480 bytes, 20.0 KB
MD5: 1e64d0fefa081984fcaf4fd63ab34b4c
Sha1: ac1d299dee15e12806a41c3874124c6e568f3ae1
CRC32: a1_cad6

 

Kaspersky reports Trojan-Downloader.Win32.Agent.ansh; Rising reports Worm.win32.agent.ZV.

File Description: C:/Windows/msvb50chs.dll
Attribute: ---
Digital Signature: No
PE file: Yes
Language: Chinese (China)
File version: 1.00
Product: 1.00
Product Name: wmilib
Company Name: Matrix
Internal name: wmilib
Source File Name: wmilib.dll
Creation Time:
Modification time:
Size: 24625 bytes, 24.49 KB
MD5: de39bdf26687a771c8fa21728350b41a
Sha1: 02223da4d42000f4c6dc9a71b25991b14ba3dd72
CRC32: cd733685

 

Kaspersky reports Trojan.Win32.VB.gqe; Rising reports Trojan.win32.generic.51e8fa99.

File Description: C:/Windows/system32/dsound.dll
Attribute: ---
Digital Signature: No
PE file: Yes
Language: Chinese (China)
File version: 5.3.2600.5512 (xpsp.080413-0845)
Description: DirectSound
Copyright: (c) Microsoft Corporation. All rights reserved.
Product Version: 5.3.2600.5512
Product Name: Microsoft (r) Windows (r) Operating System
Company Name: Microsoft Corporation
Internal name: directsound
Source File Name: dsound.dll
Creation Time:
Modification time: 22:42:50
Size: 368160 bytes, 359.544 KB
MD5: 463471de6efc4374b619732ffea6ef9f
Sha1: d047549f70b6f40e529b2699965ca32099a09518
CRC32: 98d1e786

 

Rising reports Win32.Loader.

File Description: C:/Windows/system32/comres.dll
Attribute: ---
Digital Signature: No
PE file: Yes
An error occurred while obtaining the file version information!
Creation Time:
Modification time: 9:16:11
Size: 11780 bytes, 11.516 KB
MD5: c8adffde155e967csc3740a8c417b3d6
Sha1: f7895b84ec06435735853133f59734b58e8ad258
CRC32: c12668bd

 

Rising reports Trojan.psw.win32.dnfonline.EC.

 

File Description: C:/Windows/system32/processa.dll
Attribute: ---
Digital Signature: No
PE file: Yes
An error occurred while obtaining the file version information!
Creation Time:
Modification time:
Size: 11264 bytes, 11.0 KB
MD5: 73181359706f938ded7049c6850558d2
Sha1: 429beeb1b3beef3981a236f00dd237c0d8fac839
CRC32: 3a95ba1c

File Description: C:/Windows/system32/substdals.dll
Attribute: ---
Digital Signature: No
PE file: Yes
An error occurred while obtaining the file version information!
Creation Time: 12:57:26
Modification time: 12:57:26
Size: 45056 bytes, 44.0 KB
MD5: 9df09ed22996e6764e23b07117c393ee
Sha1: 84ff4791a72779895d6ac60efbad8cc14a5370a3
CRC32: 9bca2e8c

File Description: C:/Windows/system32/soundxvolumns.exe
Attribute: ---
Digital Signature: No
PE file: Yes
An error occurred while obtaining the file version information!
Creation Time: 18:54:10
Modification time:
Size: 23433 bytes, 22.905 KB
MD5: 27fa93ade9eb532ca70de7cf818d3a6c
Sha1: 16a9f880b6e55734bd98a82ee04bc7e5602a97e3
CRC32: 5c6e60f4

File Description: C:/Windows/system32/scvhost.exe
Attribute: ---
Digital Signature: No
PE file: Yes
An error occurred while obtaining the file version information!
Creation Time: 17:40:20
Modification time:
Size: 30568 bytes, 29.872 KB
MD5: 221f69cd310b20e0a148257dfafed2f5
Sha1: 737e3323c979ac82345cfb5df7faf115b8aadf87
CRC32: 8e8f8c5d

File Description: C:/Windows/system32/nxd.exe
Attribute: ash-
Digital Signature: No
PE file: Yes
Language: English (USA)
File version: 21.0.0.17
Description: ravcopy Module
Copyright: Copyright (c) 2008-2009 Beijing rising Information Technology Co., Ltd. All rights reserved.
Product: 21.00
Product Name: Rising Antivirus 2009
Company: Beijing rising Information Technology Co., Ltd.
Internal name: Beijing rising Information Technology Co., Ltd.
Source File Name: ravcopy.exe
Creation Time: 20:14:19
Modification time: 20:14:19
Size: 25600 bytes, 25.0 KB
MD5: 5d9fcffe4b2e12d6038b22dea7b0547c
Sha1: 2089f293d1cb6ef00b1ad2408b258038df533666
CRC32: 08432242

 

Kaspersky reports Trojan.Win32.Scar.vwe; Rising reports hack.ddoser.win32.agent.lb.

 

File Description: C:/Windows/system32/soundxvolumns.dll
Attribute: ---
Digital Signature: No
PE file: Yes
Language: Chinese (China)
File version: 1.00
Product: 1.00
Product Name: browserhelper
Company Name: Lenovo (Beijing) Limited
Internal name: browserhelper
Source File Name: browserhelper.dll
Creation Time:
Modification time: 8:57:36
Size: 45056 bytes, 44.0 KB
MD5: 6ec5b0bda41024446997e8b3666ccddb
Sha1: 86581584bca838c1011d6d37da-4c4e407161cac
CRC32: ccb30ebe

File Description: C:/Windows/system32/stobject.dll
Attribute: ---
Digital Signature: No
PE file: Yes
Language: Chinese (China)
File version: 5.1.2600.5512 (xpsp.080413-2105)
Description: Ray Shell service object
Copyright: (c) Microsoft Corporation. All rights reserved.
Product Version: 5.1.2600.5512
Product Name: Microsoft (r) Windows (r) Operating System
Company Name: Microsoft Corporation
Internal name: stobject
Source File Name: stobject.dll
Creation Time:
Modification time: 18:45:23
Size: 121344 bytes, 118.512 KB
MD5: 2a9bb882b4b26a76887fbe0307c84e30
Sha1: af3169da2c5138ac3f3b19fde9c9a294d2d877f9
CRC32: 8940ab51

 

Kaspersky reports Trojan.Win32.Patched.gz.

 

File Description: C:/Windows/system32/qt-dx3.dll
Attribute: ---
Digital Signature: No
PE file: Yes
An error occurred while obtaining the file version information!
Creation Time: 18:47:55
Modification time: 18:47:55
Size: 17920 bytes, 17.512 KB
MD5: afe31b1b7f6e6734a44be7700023e34b
Sha1: 19b9a9af75bc34ece6df41754e137cd87fc198dd
CRC32: 345e68ea

 

Kaspersky reports Trojan.Win32.Agent.cxzp.

File Description: D:/cconter.exe
Attribute: --h-
Digital Signature: 123.cn
PE file: Yes
Language: Chinese (China)
File version: 4.05.0005
Product Version: 4.05.0005
Product Name: dfdf
Company Name: dfdf
Internal name: mode8
Source File Name: mode8.exe
Creation Time: 20:14:19
Modification time: 20:14:20
Size: 65268 bytes, 63.756 KB
MD5: db0ddad2e2ad869ea58911c7f198c38a
Sha1: bef00001acb99778cd432e44f6d01f6000000bdcc9
CRC32: 6ea070a6

 

Kaspersky reports Trojan-PSW.Win32.QQFish.cv; Rising reports Trojan.psw.win32.qqpass.Ess.
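A way to triage fileinfo records like the ones above, and the signature-verification failures listed earlier: an added Python example, not part of the original post and not the fileinfo tool's own code, that parses the record layout and flags unsigned files under C:/Windows claiming Microsoft as vendor, files whose on-disk name differs from the embedded original file name (nxd.exe vs ravcopy.exe), and PE files with no version resource. The sample report is constructed from values quoted on this page; the rule names and thresholds are assumptions.

```python
import re

# Constructed sample in the report layout fileinfo uses on this page; values taken from the page's records.
SAMPLE_REPORT = """File Description: C:/Windows/system32/nxd.exe
Digital Signature: No
Company: Beijing rising Information Technology Co., Ltd.
Source File Name: ravcopy.exe

File Description: C:/Windows/system32/stobject.dll
Digital Signature: No
Company Name: Microsoft Corporation
Source File Name: stobject.dll

File Description: C:/Windows/system32/processa.dll
Digital Signature: No
PE file: Yes
An error occurred while obtaining the file version information!
"""

def parse_fileinfo(text):
    """Split a fileinfo report into one dict per 'File Description:' record."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {"notes": []}
        for line in block.splitlines():
            key, sep, value = line.partition(":")  # splits on the first colon only
            if sep:
                rec[key.strip().lower()] = value.strip()
            else:
                rec["notes"].append(line.strip())  # lines without a field, e.g. the error
        records.append(rec)
    return records

def triage(rec):
    """Reasons a record deserves a closer look; an empty list means no rule fired."""
    path = rec.get("file description", "")
    on_disk = path.rsplit("/", 1)[-1].replace(" ", "").lower()
    original = rec.get("source file name", "").replace(" ", "").lower()
    company = (rec.get("company name") or rec.get("company") or "").lower()
    in_windows = "/windows/" in path.lower()
    no_version = any("version information" in n for n in rec["notes"])
    reasons = []
    if in_windows and rec.get("digital signature", "").lower() == "no" and "microsoft" in company:
        reasons.append("unsigned file under Windows claiming Microsoft as its vendor")
    if original and original != on_disk:
        reasons.append(f"on-disk name {on_disk} differs from embedded original name {original}")
    if in_windows and rec.get("pe file", "").lower() == "yes" and no_version:
        reasons.append("PE file under Windows with no version resource")
    return reasons
```

Running `triage` over each record of `parse_fileinfo(SAMPLE_REPORT)` fires exactly one rule per sample record; a signed, correctly named file outside C:/Windows yields an empty list.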

 
