Endurer (original), version 1
On a reader's computer, Rising's boot-time scan has reported Backdoor.GPigeon.uql on each of the last two days. For example:
/------------
Virus name | Result | Date found | Path | File | Source
Backdoor.GPigeon.uql | Cleared successfully | iexplore.EXE>C:/program files/Internet Explorer/iexplore.EXE | Local machine
------------/
Scanning with HijackThis (downloadable from http://endurer.ys168.com) and saving the log turns up several suspicious items:
/------------
Logfile of HijackThis v1.99.1
Scan saved at 21:51:03, on
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:/Windows/wincup/wincup.exe
O2 - BHO: Vision - {6671a431-5c3d-463d-a7cf-5587f9b7e191} - C:/progra~1/mmsass~1/mmsass~1.dll
O2 - BHO: stdup - {6a512bf7-ec78-4e8d-9841-6c02e8fa9838} - C:/Windows/system32/stdup.dll
O2 - BHO: bandie class - {77fef28e-eb96-44ff-b511-3185dea48697} - C:/progra~1/Baidu/BAR/baidubar.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: Baidu super souba - {B580CF65-E151-49C3-B73F-70B13FCA8E86} - C:/progra~1/Baidu/BAR/baidubar.dll
O8 - Extra context menu item: >MMS sending< - res://C:/progra~1/mmsass~1/mmsass~1.dll/mms.htm
O21 - SSODL: systime - {724c75f1-b757-408d-a50a-4cf99da35d73} - C:/progra~1/winkld.dll
O21 - SSODL: webwork - {4c611512-2c1d-44b2-a044-872ad2ad5a61} - C:/Windows/webwork.dll
O21 - SSODL: themeadp - {64274c93-3ce7-4663-9c8d-cd2dc8a3590b} - C:/Windows/system32/themeadp.dll
O23 - Service: System Manage Server (managesrv) - Unknown owner - C:/Windows/server.exe
O23 - Service: winwrcup - mswincup - C:/Windows/wincup/wincup.exe
------------/
(For the repair steps below, see the basic operations index of the System Repair series:
http://endurer.blogchina.com/2591241.html)
Uninstall: Baidu super souba, Vision, stdup, webwork.
In addition, winkld.dll belongs to "Windows Calendar (WinKalendar, a lunar calendar display)" from the 88dog software series; loading and starting it through an SSODL entry like this is not recommended, though.
Stop and disable the services:
/---------
System Manage Server (managesrv)
winwrcup - mswincup
---------/
Restart the computer into Safe Mode.
Use WinRAR to locate:
/---------
C:/Windows/server.exe
C:/Windows/system32/themeadp. dll
---------/
Add them to an archive as a backup, then delete them.
Delete the folders:
/---------
C:/Windows/webwork
C:/Windows/wincup
---------/
Close all folder windows, then use HijackThis to scan again and fix the items listed above.
Clear the IE temporary folder.
Kaspersky reports C:/Windows/server.exe as Backdoor.Win32.Hupigon.VX.
Kaspersky reports C:/Windows/wincup/wincup.exe as not-a-virus:AdWare.Win32.Boran.p.
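The triage above is done by eye: read each HijackThis line, ask where the file lives, who owns the service, and whether the same module is wired into several hook points, then map each hit to an action (uninstall, stop the service, back up and delete). The script below, an added example that is not part of Endurer's post or of HijackThis, automates that reading for the O2/O3/O8/O21/O23 lines quoted above. The sample log is constructed from the entries on this page, and the flagging rules (SSODL entries, "Unknown owner" services, binaries sitting directly under the Windows directory or in an unexpected subdirectory, orphaned "(no file)" entries, and one DLL registered at more than one hook point) are my own heuristics, not HijackThis output.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample: the HijackThis entries quoted in the post, in the tool's
# "Onn - Kind: name - details - path" layout (forward-slash paths as on the page).
SAMPLE_LOG = """\
O2 - BHO: Vision - {6671a431-5c3d-463d-a7cf-5587f9b7e191} - C:/progra~1/mmsass~1/mmsass~1.dll
O2 - BHO: stdup - {6a512bf7-ec78-4e8d-9841-6c02e8fa9838} - C:/Windows/system32/stdup.dll
O2 - BHO: bandie class - {77fef28e-eb96-44ff-b511-3185dea48697} - C:/progra~1/Baidu/BAR/baidubar.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: Baidu super souba - {B580CF65-E151-49C3-B73F-70B13FCA8E86} - C:/progra~1/Baidu/BAR/baidubar.dll
O8 - Extra context menu item: >MMS sending< - res://C:/progra~1/mmsass~1/mmsass~1.dll/mms.htm
O21 - SSODL: systime - {724c75f1-b757-408d-a50a-4cf99da35d73} - C:/progra~1/winkld.dll
O21 - SSODL: webwork - {4c611512-2c1d-44b2-a044-872ad2ad5a61} - C:/Windows/webwork.dll
O21 - SSODL: themeadp - {64274c93-3ce7-4663-9c8d-cd2dc8a3590b} - C:/Windows/system32/themeadp.dll
O23 - Service: System Manage Server (managesrv) - Unknown owner - C:/Windows/server.exe
O23 - Service: winwrcup - mswincup - C:/Windows/wincup/wincup.exe
"""

LINE_RE = re.compile(r"^(O\d+) - ([^:]+): (.*)$")
# Windows subdirectories where a system DLL or service binary is normally expected
# (assumed allowlist for this example; extend it for your own baseline).
EXPECTED_WINDOWS_SUBDIRS = {"system32", "system"}

# Action per HijackThis section, mirroring the cleanup order used in the post.
ACTION_BY_SECTION = {
    "O23": "stop and disable the service, archive the binary as a backup, then delete it",
    "O21": "fix the entry with HijackThis, then archive and delete the DLL",
    "O2": "uninstall via Add/Remove Programs if listed; otherwise fix the entry and remove the DLL",
    "O3": "uninstall via Add/Remove Programs if listed; otherwise fix the entry and remove the DLL",
    "O8": "fix the entry with HijackThis; the DLL it points to goes with its O2 entry",
}


def parse_line(line: str) -> Dict[str, str]:
    """Split one HijackThis line into section, kind, name, middle field and path.
    For O8 res:// targets the path is reduced to the DLL that is actually loaded."""
    m = LINE_RE.match(line.strip())
    if not m:
        return {}
    section, kind, rest = m.groups()
    parts = [p.strip() for p in rest.split(" - ")]
    path = parts[-1]
    if path.lower().startswith("res://"):
        path = path[len("res://"):].rsplit("/", 1)[0]
    return {"section": section, "kind": kind, "name": parts[0],
            "middle": parts[1] if len(parts) > 2 else "", "path": path}


def location_flags(path: str) -> List[str]:
    """Heuristic reasons derived from where the referenced file lives."""
    p = path.lower().replace("\\", "/")
    if p == "(no file)":
        return ["orphaned entry: registered object has no file on disk"]
    reasons = []
    m = re.match(r"^[a-z]:/windows/(.*)$", p)
    if m:
        parts = m.group(1).split("/")
        if len(parts) == 1:
            reasons.append("binary placed directly in the Windows directory")
        elif parts[0] not in EXPECTED_WINDOWS_SUBDIRS:
            reasons.append(f"binary in unexpected Windows subdirectory '{parts[0]}'")
    return reasons


def analyze(log_text: str) -> List[Dict]:
    """Return every entry that trips at least one heuristic, with its reasons."""
    entries = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    uses = defaultdict(int)  # how many hook points load the same module
    for e in entries:
        uses[e["path"].lower()] += 1
    findings = []
    for e in entries:
        reasons = location_flags(e["path"])
        if e["section"] == "O21":
            reasons.append("ShellServiceObjectDelayLoad autostart; rarely used by legitimate software")
        if e["section"] == "O23" and e["middle"].lower() == "unknown owner":
            reasons.append("service binary carries no company/owner information")
        if e["path"].lower() != "(no file)" and uses[e["path"].lower()] > 1:
            reasons.append(f"same module registered at {uses[e['path'].lower()]} hook points")
        if reasons:
            findings.append({**e, "reasons": reasons})
    return findings


def plan(findings: List[Dict]) -> List[Tuple[str, str, str]]:
    """Map each finding to (section, name, recommended action)."""
    return [(f["section"], f["name"], ACTION_BY_SECTION.get(f["section"], "review manually"))
            for f in findings]


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['section']} {f['name']} -> {f['path']}")
        for r in f["reasons"]:
            print("   -", r)
    print()
    for section, name, action in plan(analyze(SAMPLE_LOG)):
        print(f"{section} {name}: {action}")
```

Run against the sample, the script flags ten of the eleven entries; the one it does not catch is the stdup BHO, which sits in system32 with no second hook point, so the author's decision to uninstall it rests on knowledge the log alone does not give. It also flags winkld.dll purely because it is an SSODL entry, which matches the post's remark that the calendar DLL itself is legitimate but should not be started that way: heuristics like these pick out what to look at, not what to delete.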