Rootkit.Win32.GameHack.Gen, Trojan.PSW.Win32.GameOL.Gen, and Rootkit.Win32.Mnless

Original: endurer
2008-03-06, first version

(Continued from: Rootkit.Win32.GameHack.Gen, Trojan.PSW.Win32.GameOL.Gen, Rootkit.Win32.Mnless, etc.)

First, download fileinfo and bat_do from http://purpleendurer.ys168.com, and use them to extract, pack up and delete the suspicious files listed in the log.

Next, clean up the virus's startup entries. The pe_xscan log shows that the virus uses image hijacking (the O26 items: Debugger values under Image File Execution Options, which make Windows launch the Debugger command instead of the named program), but Rising Kaka Security Assistant itself is not among the hijacked programs, so it can be started normally.

Rising Kaka Security Assistant scans automatically once started and reports three pieces of rogue software.
Choose [Advanced Functions] -> [Plug-in Management and Uninstall] to uninstall the O24 entries.
Under [Advanced Functions] -> [Startup Item Management], click [Logon Items] on the left, find the entry corresponding to the O4 item on the right, right-click it and choose Delete from the pop-up menu.
Under [Advanced Functions] -> [Startup Item Management], click [AppInit DLLs] on the left, find the O20 entry on the right, right-click it and choose Delete from the pop-up menu.
Under [Advanced Functions] -> [Startup Item Management], click [Drivers] on the left, find the O23 entry on the right, right-click it and choose Delete from the pop-up menu.
Under [Advanced Functions] -> [Startup Item Management], click [Image Hijacking] on the left, find the entry corresponding to the O26 item on the right, right-click it and choose Delete from the pop-up menu.
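As an added example (not part of the original post, and not code from pe_xscan or Rising Kaka), the following Python script shows what an O26 image hijack looks like at the registry level and how to find such entries in a reg export of the Image File Execution Options key, which is useful when the GUI tool is itself hijacked and will not start. The .reg text is a constructed sample; the hijacked program names and the stub path in it are hypothetical and are not taken from the virus described here.

```python
import re
from typing import Dict, List

IFEO_PREFIX = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
               r"\CurrentVersion\Image File Execution Options")

# Constructed sample of a .reg export of the IFEO key (not from the original post;
# the hijacked program names and the stub path are hypothetical). Such a file is
# produced on the infected machine with:
#   reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe]
"DisableHeapLookaside"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvMonitor.exe]
"Debugger"="C:\\WINDOWS\\system32\\hijack_stub.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RegTool.exe]
"Debugger"="ntsd -d"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions]
"mscoree.dll"=dword:00000001
"""

_KEY = re.compile(r"^\[(.+)\]\s*$")
_DEBUGGER = re.compile(r'^"Debugger"="(.*)"\s*$', re.IGNORECASE)


def _unescape_reg_string(s: str) -> str:
    # .reg files escape a backslash as \\ and a double quote as \"
    return s.replace('\\"', '"').replace("\\\\", "\\")


def find_ifeo_hijacks(reg_text: str) -> List[Dict[str, str]]:
    """Return every image directly under the IFEO key that has a Debugger value.

    Windows runs the Debugger command with the image as its argument instead of
    the image itself, so any Debugger value here redirects that program.  The
    "ntsd -d" form is the classic trick for silently preventing a program
    (typically a security tool) from ever starting.
    """
    hijacks: List[Dict[str, str]] = []
    current_image = None
    for line in reg_text.splitlines():
        km = _KEY.match(line)
        if km:
            key = km.group(1)
            current_image = None
            if key.lower().startswith(IFEO_PREFIX.lower() + "\\"):
                rest = key[len(IFEO_PREFIX) + 1:]
                if "\\" not in rest:          # ignore nested keys such as ...\image.exe\PerfOptions
                    current_image = rest
            continue
        dm = _DEBUGGER.match(line)
        if dm and current_image is not None:
            hijacks.append({"image": current_image,
                            "debugger": _unescape_reg_string(dm.group(1))})
    return hijacks


def cleanup_commands(hijacks: List[Dict[str, str]]) -> List[str]:
    """reg.exe commands that remove only the Debugger value, leaving other IFEO settings alone."""
    hklm = IFEO_PREFIX.replace("HKEY_LOCAL_MACHINE", "HKLM", 1)
    cmds = []
    for h in hijacks:
        image = h["image"]
        cmds.append(f'reg delete "{hklm}\\{image}" /v Debugger /f')
    return cmds


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else SAMPLE_REG
    for h in find_ifeo_hijacks(text):
        print(f"{h['image']} -> {h['debugger']}")
    print("\n".join(cleanup_commands(find_ifeo_hijacks(text))))
```

Run without arguments it works on the embedded sample; given a real export (reg.exe writes UTF-16) it lists the hijacked images and prints the reg delete lines to run after the virus files themselves are gone, otherwise the running process simply writes the values back.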

Use WinRAR to delete the Windows temporary folder, the IE temporary folder, and whatever can be deleted in D:/Windows/Prefetch.

Information on some of the virus files:

File: C:/Documents and Settings/All Users/Start Menu/Programs/Startup/atisrv.exe
Attributes: ---
Failed to get file version information.
Creation time: 16:31:48
Modification time: 16:31:48
Access time:
Size: 24576 bytes, 24.0 KB
MD5: 8eca4f3a62acb2273416bc9729adb543
SHA1: c2b94ad5c384872ff6712caab6df3e3bbcfb89a2
CRC32: 740d4190
Hello,
AtiSrv.exe_
No malicious code was found in this file.
Please quote all when answering.
--
Best regards, Mikhail Bulgakov
Virus analyst, Kaspersky Lab.

File: C:/Windows/system32/cuhad.dll
Attributes: -sh- (system, hidden)
Failed to get file version information.
Creation time: 16:33:12
Modification time: 16:33:14
Access time:
Size: 14849 bytes, 14.513 KB
MD5: 944075f880ef7eae52d2304b113cad82
SHA1: e5dad1c4dd4f85921336dfff645ec543f21beb83
CRC32: c46451e7
Detected: Trojan program Trojan-PSW.Win32.Lmir.brg, file: D:/test/cuhad.dll.rar/cuhad.dll/upack

File: C:/Program Files/Internet Explorer/plugins/syswin7s.JMP
Attributes: ---
Failed to get file version information.
Creation time: 16:33:17
Modification time: 16:33:20
Access time:
Size: 33934 bytes, 33.142 KB
MD5: 9b2c2cff7132770f45e45b6871abd1e7
SHA1: 2bcd0f7a3dd37c3181d07e59fdbf3953450f48a4
CRC32: 14ceab9e

File: C:/Windows/system32/9.exe
Attributes: ---
Failed to get file version information.
Creation time: 16:33:16
Modification time: 16:33:18
Access time:
Size: 33934 bytes, 33.142 KB
MD5: 1e1ccd68f5c4db532a1bc4fc19780e29
SHA1: c3a42213cc9b639bcda9f03616455562c95067a9
CRC32: b01f376f
Detected: Trojan program Trojan-PSW.Win32.OnLineGames.sns, file: D:/test/9.exe.rar/9.exe/UPX

File: C:/Windows/system32/bgovintwm.dll
Attributes: ---
Language: Chinese (China)
File version: 5.1.2600.3099
Description: Windows XP msplay API DLL
Copyright: (c) Microsoft Corporation. All rights reserved.
Comments:
Product version: 5.1.2600.3099 (xpsp_sp2_gdr.070308-0222)
Product name: Microsoft (R) Windows (R) Operating System
Company name: Microsoft Corporation
Legal trademarks: Microsoft
Internal name: msplay32
Original file name: msplay32
Creation time: 16:33:43
Modification time: 16:33:44
Access time:
Size: 19774 bytes, 19.318 KB
MD5: 889fdde57f96aa53980506efb63fe9af
SHA1: 8c68443e3063990a8e7bbeba992998c02cdb3322
CRC32: d19699b3
Note: the version resource above claims a Microsoft DLL, but version strings are plain data that malware copies freely and prove nothing about origin; only a valid digital signature does.
Hello,
bgovintwm.dll - Trojan-PSW.Win32.OnLineGames.swv
New malicious software was found in this file. Its detection will be included in the next update. Thank you for your help.
Please quote all when answering.
--
Best regards, Vyacheslav Zakorzhevsky
Virus analyst, Kaspersky Lab.

File: C:/Windows/system32/mswmkkk32.dll
Attributes: ---
Failed to get file version information.
Creation time: 16:33:42
Modification time: 16:33:44
Access time:
Size: 32256 bytes, 31.512 KB
MD5: 07557352b909a391630156eec528180c
SHA1: 1867c0b9c5f9235f86fe38341c0ae1718a2a3fe5
CRC32: 62ca52be
Detected: Trojan program Trojan-PSW.Win32.OnLineGames.rkf, file: D:/test/mswmkkk32.dll.rar/mswmkkk32.dll
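The file records above are the indicators another machine can be checked against. As an added example that is not part of the original post and not the fileinfo tool itself, the Python script below parses fileinfo-style output into records, computes the same size/MD5/SHA1/CRC32 fields for local files, and reports matches. The embedded log text is copied from the six records on this page (atisrv.exe included, although Kaspersky judged that one clean, so a hit on it is informational only); the directory scanning and the treatment of CRC32-only agreement as a weak hint rather than a match are my additions.

```python
import hashlib
import re
import zlib
from pathlib import Path
from typing import Any, Dict, List, Optional, Tuple

# Copied from the fileinfo records on this page; only the fields the parser uses are kept.
FILEINFO_LOG = """\
File Description: C:/Documents and Settings/All Users/Start Menu/Programs/Startup/atisrv.exe
Size: 24576 bytes, 24.0 KB
MD5: 8eca4f3a62acb2273416bc9729adb543
Sha1: c2b94ad5c384872ff6712caab6df3e3bbcfb89a2
CRC32: 740d4190
File Description: C:/Windows/system32/cuhad.dll
Size: 14849 bytes, 14.513 KB
MD5: 944075f880ef7eae52d2304b113cad82
Sha1: e5dad1c4dd4f85921336dfff645ec543f21beb83
CRC32: c46451e7
File Description: C:/Program Files/Internet Explorer/plugins/syswin7s.JMP
Size: 33934 bytes, 33.142 KB
MD5: 9b2c2cff7132770f45e45b6871abd1e7
Sha1: 2bcd0f7a3dd37c3181d07e59fdbf3953450f48a4
CRC32: 14ceab9e
File Description: C:/Windows/system32/9.exe
Size: 33934 bytes, 33.142 KB
MD5: 1e1ccd68f5c4db532a1bc4fc19780e29
Sha1: c3a42213cc9b639bcda9f03616455562c95067a9
CRC32: b01f376f
File Description: C:/Windows/system32/bgovintwm.dll
Size: 19774 bytes, 19.318 KB
MD5: 889fdde57f96aa53980506efb63fe9af
Sha1: 8c68443e3063990a8e7bbeba992998c02cdb3322
CRC32: d19699b3
File Description: C:/Windows/system32/mswmkkk32.dll
Size: 32256 bytes, 31.512 KB
MD5: 07557352b909a391630156eec528180c
Sha1: 1867c0b9c5f9235f86fe38341c0ae1718a2a3fe5
CRC32: 62ca52be
"""

_FIELD = re.compile(r"^(File Description|Size|MD5|Sha1|CRC32):\s*(.+?)\s*$", re.IGNORECASE)


def parse_fileinfo(text: str) -> List[Dict[str, Any]]:
    """One record per 'File Description:' block; hashes stored as lowercase hex, size as int."""
    records: List[Dict[str, Any]] = []
    for line in text.splitlines():
        m = _FIELD.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "file description":
            records.append({"path": value})
        elif not records:
            continue                      # field before any header: ignore
        elif key == "size":
            records[-1]["size"] = int(value.split()[0])
        else:
            records[-1][key] = value.lower()
    return records


def hash_bytes(data: bytes) -> Dict[str, Any]:
    """The four fields fileinfo prints, in the same hex formatting (CRC32 zero-padded to 8 digits)."""
    return {"size": len(data), "md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest(),
            "crc32": "%08x" % (zlib.crc32(data) & 0xFFFFFFFF)}


def hash_file(path: Path, chunk_size: int = 1 << 20) -> Dict[str, Any]:
    """Streaming equivalent of hash_bytes for files too large to read at once."""
    md5, sha1, crc, size = hashlib.md5(), hashlib.sha1(), 0, 0
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha1.update(chunk)
            crc = zlib.crc32(chunk, crc)
            size += len(chunk)
    return {"size": size, "md5": md5.hexdigest(), "sha1": sha1.hexdigest(),
            "crc32": "%08x" % (crc & 0xFFFFFFFF)}


def match_ioc(hashes: Dict[str, Any], iocs: List[Dict[str, Any]]) -> Optional[Dict[str, Any]]:
    """Record whose MD5 or SHA1 equals the sample's; CRC32 alone never counts (see weak_hits)."""
    for rec in iocs:
        if rec.get("md5") == hashes["md5"] or rec.get("sha1") == hashes["sha1"]:
            return rec
    return None


def weak_hits(hashes: Dict[str, Any], iocs: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Records agreeing only on CRC32: a 32-bit checksum is trivially forged and
    collides by chance, so this is a hint to look closer, not a verdict."""
    return [rec for rec in iocs if rec.get("crc32") == hashes["crc32"]
            and rec.get("md5") != hashes["md5"] and rec.get("sha1") != hashes["sha1"]]


def scan_directory(root: Path, iocs: List[Dict[str, Any]]) -> List[Tuple[Path, Dict[str, Any]]]:
    """Hash every regular file under root and return (path, matching record) pairs."""
    hits = []
    for p in root.rglob("*"):
        if p.is_file():
            rec = match_ioc(hash_file(p), iocs)
            if rec is not None:
                hits.append((p, rec))
    return hits


IOCS = parse_fileinfo(FILEINFO_LOG)

if __name__ == "__main__":
    import sys
    for hit_path, rec in scan_directory(Path(sys.argv[1] if len(sys.argv) > 1 else "."), IOCS):
        print(f"{hit_path}: matches {rec['path']} (md5 {rec['md5']})")
```

Run it with a directory argument (for example the system32 folder mounted from the infected disk) and it prints every file whose MD5 or SHA1 matches a record from this page; the same parse_fileinfo function accepts any later fileinfo log pasted into FILEINFO_LOG.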
