Endurer (original)
2006-10-13, version 3: added Kaspersky's handling of the files it did not report
2006-10-09, version 2: added Kaspersky's response
2006-10-09, version 1
A netizen's newly set-up machine became sluggish within two days, and he asked me to help check it.
Once the desktop loads, the system stops responding. Task Manager could be opened only with difficulty; it showed that CPU usage was not high but memory usage was extremely high.
Forced a reboot into Safe Mode with Networking, downloaded HijackThis from http://endurer.ys168.com and scanned; the log showed the following suspicious items:
Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
C:\Windows\logocmd.exe
C:\Program Files\Internet Explorer\3sy.exe
F3 - REG:win.ini: load=C:\Windows\rundl132.exe
O1 - Hosts: 219.139.58.97 www.hao123.com
O1 - Hosts: 219.139.58.97 hao123.com
O1 - Hosts: 219.139.58.97 www.7b.com.cn
O1 - Hosts: 219.139.58.97 7b.com.cn
O1 - Hosts: 219.139.58.97 www.7939.com
O1 - Hosts: 219.139.58.97 www.maohehe.com
O1 - Hosts: www.sina-baidu.com 219.139.58.97
O1 - Hosts: sina-baidu.com 219.139.58.97
O1 - Hosts: 219.139.58.97 www.maipao.com
O1 - Hosts: 219.139.58.97 update.virussky.com
O1 - Hosts: 219.139.58.97 down.virussky.com
O1 - Hosts: 219.139.58.97 www.ycdy.com
O1 - Hosts: 219.139.58.97 ycdy.com
O1 - Hosts: 219.139.58.97 www.2tu.cn
O1 - Hosts: 219.139.58.97 2tu.cn
O1 - Hosts: 219.139.58.97 www.91tu.cn
O1 - Hosts: 219.139.58.97 91tu.cn
O1 - Hosts: 219.139.58.97 www.haotop.com
O1 - Hosts: 219.139.58.97 news01.virussky.com
O1 - Hosts: 219.139.58.97 news02.virussky.com
O1 - Hosts: 219.139.58.97 news03.virussky.com
O1 - Hosts: 219.139.58.97 news04.virussky.com
O1 - Hosts: 219.139.58.97 www.an85.com
O1 - Hosts: 219.139.58.97 an85.com
O1 - Hosts: 219.139.58.97 www.360safe.com
O1 - Hosts: 219.139.58.97 360safe.com
O1 - Hosts: 219.139.58.97 dl.360safe.com
O1 - Hosts: 219.139.58.97 bbs.360safe.com
O1 - Hosts: 219.139.58.97 www.gao58.com
O1 - Hosts: 219.139.58.97 count18.51yes.com
O1 - Hosts: 219.139.58.97 www.ok538.com
O1 - Hosts: 219.139.58.97 www.3000sss.com
O1 - Hosts: 219.139.58.97 3000sss.com
O1 - Hosts: 219.139.58.97 www.qq658.com
O1 - Hosts: 219.139.58.97 www.53679.com
O1 - Hosts: 219.139.58.97 www.17587.net
O1 - Hosts: 219.139.58.97 www.17587.com
O1 - Hosts: 219.139.58.97 www.an188.com
O1 - Hosts: 219.139.58.97 cwzwxm.3322.org
O1 - Hosts: 219.139.58.97 www.onediy.net
O1 - Hosts: 219.139.58.97 sohu.fswan.com
O1 - Hosts: 219.139.58.97 www.hewdq.com
O1 - Hosts: 219.139.58.97 go.ipcenter.cn
O1 - Hosts: 219.139.58.97 www.32666.com
O1 - Hosts: 219.139.58.97 show.googleadsenseagent.com
O1 - Hosts: 219.139.58.97 www.2yin.cn
O1 - Hosts: 219.139.58.97 2yin.cn
O1 - Hosts: 219.139.58.97 www.84442.com
O1 - Hosts: 219.139.58.97 www.898333.com
O1 - Hosts: 219.139.58.97 hewdq.com
O1 - Hosts: 219.139.58.97 84442.com
O1 - Hosts: 219.139.58.97 wwww.systeel.com.cn
O1 - Hosts: 219.139.58.97 go.baibaoxiang.cn
O1 - Hosts: 219.139.58.97 www.btbaicai.com
O1 - Hosts: 219.139.58.97 btbaicai.com
O1 - Hosts: 219.139.58.97 www.2t2t.cn
O1 - Hosts: 219.139.58.97 2t2t.cn
O1 - Hosts: 219.139.58.97 3.a.kal.cn
O1 - Hosts: 219.139.58.97 www.222978.com
O1 - Hosts: 219.139.58.97 www.5yaowan.com
O1 - Hosts: 219.139.58.97 show.roogoo.com
O1 - Hosts: 219.139.58.97 ip.alexaanywhere.com
O3 - Toolbar: searchcar - {BD328E49-38AB-42CB-8EEA-73AA4CD2A6FD} - C:\Program Files\searchcar.dll
O4 - HKLM\..\Run: [qcsszjcz] D:\chenqxms.exe
O4 - HKLM\..\Run: [R] C:\Windows\system32\rundll32.exe msprt.dll s
O10 - Unknown file in Winsock LSP: C:\Windows\system32\wsd_sock32.dll
O10 - Unknown file in Winsock LSP: C:\Windows\system32\wsd_sock32.dll
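As an added triage example (not part of the original post), the script below flags the three tells visible in this log: a hosts file that routes dozens of names, security-vendor sites included, to one IP; the legacy win.ini load= autostart; and the rundl132.exe name that imitates rundll32.exe with a digit 1 in place of the letter l. The vendor hint list, the legitimate-binary list and the sample log lines are constructed assumptions for the example.

```python
import re

# Constructed for this example: vendor sites the log shows blackholed, and
# legitimate Windows binaries that malware typosquats (neither list exhaustive).
VENDOR_HINTS = ("360safe", "virussky", "rising", "kaspersky", "drweb")
LEGIT_NAMES = {"rundll32.exe", "svchost.exe", "explorer.exe", "lsass.exe"}
CONFUSABLES = str.maketrans("1i0", "llo")  # digit 1 / letter i -> l, digit 0 -> o
HOSTS_RE = re.compile(r"^O1\s*-\s*Hosts:\s+(\S+)\s+(\S+)\s*$", re.I)
F3_RE = re.compile(r"^F3\s*-\s*REG:\s*win\.ini:\s*load\s*=\s*(.+?)\s*$", re.I)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
EXE_RE = re.compile(r"([\w.-]+\.exe)\b", re.I)

# Constructed sample in the shape of the HijackThis log above.
SAMPLE_LOG = """\
F3 - REG:win.ini: load=C:\\WINDOWS\\rundl132.exe
O1 - Hosts: 219.139.58.97 www.hao123.com
O1 - Hosts: 219.139.58.97 www.360safe.com
O1 - Hosts: 219.139.58.97 dl.360safe.com
O1 - Hosts: 219.139.58.97 update.virussky.com
O1 - Hosts: www.sina-baidu.com 219.139.58.97
O4 - HKLM\\..\\Run: [R] C:\\WINDOWS\\system32\\rundll32.exe msprt.dll s
""".splitlines()

def hosts_hijack_summary(log_lines, min_hosts=5):
    """Map each IP that absorbs >= min_hosts names to those names; reversed
    entries (hostname before IP), which the log above contains, are accepted."""
    by_ip = {}
    for m in filter(None, (HOSTS_RE.match(l.strip()) for l in log_lines)):
        a, b = m.groups()
        ip, host = (a, b) if IPV4_RE.match(a) else (b, a)
        if IPV4_RE.match(ip):
            by_ip.setdefault(ip, []).append(host.lower())
    return {ip: h for ip, h in by_ip.items() if len(h) >= min_hosts}

def blocked_vendor_hosts(hosts):
    """Security-vendor names in a hijacked set: the victim cannot fetch updates."""
    return sorted(h for h in hosts if any(v in h for v in VENDOR_HINTS))

def winini_load_entries(log_lines):
    """Programs autostarted through win.ini load=, a legacy path many tools skip."""
    return [m.group(1) for m in map(F3_RE.match, map(str.strip, log_lines)) if m]

def lookalike_of(name):
    """Legitimate binary that `name` imitates (rundl132.exe -> rundll32.exe) or None."""
    low, norm = name.lower(), name.lower().translate(CONFUSABLES)
    return next((n for n in LEGIT_NAMES if n != low and n.translate(CONFUSABLES) == norm), None)

def lookalikes_in(log_lines):
    """Every .exe name in the log that typosquats a legitimate binary."""
    return {e.lower(): lookalike_of(e) for l in log_lines
            for e in EXE_RE.findall(l) if lookalike_of(e)}
```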
Download procview from http://endurer.ys168.com and use it to terminate the following processes:
/----------
C:\Windows\logocmd.exe
C:\Program Files\Internet Explorer\3sy.exe
----------/
Download the registry repair tool from the Rising website and use it to repair the file associations.
Use WinRAR to check the files in the following folders:
C:\
------------
drsmartload.exe (Kaspersky reports Trojan-Downloader.Win32.Adload.gf, DrWeb reports Trojan.DownLoader.13572)
mte3ndi6odoxngv2.exe (Kaspersky reports Trojan-Downloader.Win32.Agent.azc)
C:\Windows and C:\Windows\system32
-------------
winampa.exe (Kaspersky reports Trojan.Win32.Agent.tl, DrWeb reports Trojan.DownLoader.12870)
nmhxy.dll (Kaspersky reports Trojan-PSW.Win32.Agent.iu, DrWeb reports Trojan.PWS.Legmir.602)
nmhxy.exe (Kaspersky reports Trojan-PSW.Win32.Agent.iu, DrWeb reports Trojan.PWS.Legmir.602)
0.exe (Kaspersky reports Trojan.Win32.Qhost.ic, DrWeb reports Trojan.Qhost)
mvlib.dll (Kaspersky reports Trojan.Win32.Bcb.i, DrWeb reports Win32.HLLW.MyBot)
jxdll.dll (Kaspersky reports Trojan-PSW.Win32.Delf.hh)
myrx.dll (Kaspersky reports Trojan-PSW.Win32.Agent.ia)
mywow.dll (Kaspersky reports Trojan-PSW.Win32.WOW.jw)
myztr.dll (Kaspersky reports Trojan-PSW.Win32.OnLineGames.v)
ss3.exe
wsd_sock32.dll (Kaspersky reports Trojan-PSW.Win32.Agent.if)
xia.exe (Kaspersky reports Worm.Win32.Viking.ax)
rundl132.exe (note: the character before "32" is the digit 1, not the letter l; Kaspersky reports Worm.Win32.Viking.ax)
rundll.exe
msprt.dll (Kaspersky reports Trojan.Win32.Bcb.i)
logocmd.exe (Kaspersky reports Email-Worm.Win32.Viking.ax)
C:\Program Files\Internet Explorer
-------------
0sy.exe (Kaspersky reports Trojan-PSW.Win32.Lineage.amd, DrWeb reports Trojan.PWS.Gamania)
4sy.exe (Kaspersky reports Trojan-PSW.Win32.Delf.hh, DrWeb reports Trojan.PWS.Lineage)
internat3.exe (Kaspersky reports Trojan-PSW.Win32.WOW.gq)
internat5.exe (Kaspersky reports Trojan-Downloader.Win32.Agent.axg, DrWeb reports Trojan.DownLoader.13331)
iedw.exe (Kaspersky reports Trojan.Win32.Agent.zl, DrWeb reports Trojan.Starter.84)
Windows temporary folder
-------------
temp.exe (Kaspersky reports Trojan-Downloader.Win32.QQHelper.ft)
setup_wm.exe (Kaspersky reports Trojan.Win32.Agent.zl, DrWeb reports Trojan.DownLoader.12618)
IE temporary folder
-------------
maaa2.exe (Kaspersky reports Worm.Win32.Detnat.e)
C:\Windows\system32\Drivers
-------------
modrl.sys (Kaspersky replied "no malicious code was found in this file"; DrWeb reports Trojan.PWS.Hert; Rising reports Rootkit.Callgat.gen)
Clear the IE temporary folder and the Windows temporary folder.
Open Registry Editor and refresh it first, then search for every entry containing rundl132.exe (note: the character before "32" is the digit 1, not the letter l) and delete it.
Download LSPFix from http://endurer.ys168.com and run it: tick the option "I know what I'm doing", move wsd_sock32.dll from the left pane to the right pane (move no other file), and click "Finish".
Close all IE windows and folder windows, run a HijackThis scan again, and fix the items listed above.