Rootkit.win32.gamehack.Gen, Trojan.psw.win32.gameol.Gen, and Rootkit.win32.mnless
Endurer original
2008-03-05 version 1
Today a netizen said that yesterday afternoon his computer suddenly became very slow, so he had to force a shutdown. Today a black window flashed when the system started. He found some viruses with Rising, but the system was still responding slowly, and he asked me to help repair it.
With the help of QQ Remote Assistance, I first checked Rising's antivirus log (fragment):
/===
Virus name | Processing result | Scan method | Path | File
Rootkit.win32.gamehack.GFA | Deleted successfully | | C:/Windows/system32/drivers | mselk.sys
Rootkit.win32.gamehack.gen | Deleted successfully | File monitor | C:/Windows/system32/drivers | msyecp.sys
Rootkit.win32.gamehack.gen | Deleted successfully | File monitor | C:/Windows/system32 | mseion.sys
Virus name | Processing result | Scan method | Path | File | Virus source
Rootkit.win32.mnless.Hz | Deleted successfully | Manual scan | C:/Windows/system32/drivers | msosfpids32.sys | Local machine
Trojan.psw.win32.gameol.gen | Deleted successfully | Manual scan | C:/Windows/system32 | 2.exe>>upack0.32 | Local machine
Rootkit.win32.gamehack.gen | Deleted after restart | Manual scan | C:/Windows/system32 | gnolnait.dll>upack0.34 | Local machine
Trojan.psw.win32.xyonline.ABx | Deleted successfully | Manual scan | C:/Windows/system32 | msosmhfp00.dll>upack0.34 | Local machine
Trojan.psw.win32.gamesonline.FZ | Deleted successfully | Manual scan | C:/Windows/system32 | 10.exe>>upack0.39 | Local machine
Rootkit.win32.gamehack.gen | Deleted after restart | Manual scan | C:/Windows/system32 | laixuhz.dll>upack0.34 | Local machine
Trojan.psw.win32.gameol.MGW | Deleted after restart | Manual scan | C:/Windows/system32 | xjxr.dll>upack0.34 | Local machine
Trojan.psw.win32.gamesonline.Oz | Deleted after restart | Manual scan | C:/Windows/system32 | SVE.dll>upack0.34 | Local machine
Trojan.psw.win32.sunonline.Ma | Deleted successfully | Manual scan | C:/Windows/system32 | otaw.awow.dll>upack0.34 | Local machine
Trojan.psw.win32.sunonline.Ma | Deleted successfully | Manual scan | C:/Windows/system32 | hhhcompress.dll>upx_c | Local machine
Trojan.psw.win32.gameol.MFV | Deleted after restart | Manual scan | C:/Windows/system32 | kiluw.dll>upack0.34 | Local machine
Trojan.psw.win32.gameol.lvx | Deleted after restart | Manual scan | C:/Windows/system32 | tsqc.dll>upack0.34 | Local machine
Trojan.psw.win32.gameol.lxr | Deleted after restart | Manual scan | C:/Windows/system32 | jhrcar.dll>upack0.34 | Local machine
Trojan.psw.win32.gameol.MGB | Deleted after restart | Manual scan | C:/Windows/system32 | knaixnauhuoyizqq.dll>upack0.34 | Local machine
Trojan.psw.win32.sunonline.mk | Deleted successfully | Manual scan | C:/Windows/system32 | oubivagdj.dll>upack0.34 | Local machine
Trojan.psw.win32.sunonline.mk | Deleted successfully | Manual scan | C:/Windows/system32 | msmmmdj32.dll>upx_c | Local machine
Trojan.psw.win32.gameol.MGM | Deleted after restart | Manual scan | C:/Windows/system32 | oaijihzeuyouhz.dll>upack0.34 | Local machine
Trojan.psw.win32.fyonline.EI | Deleted after restart | Manual scan | C:/Windows/system32 | duygnef.dll>upack0.34 | Local machine
Trojan.psw.win32.zeroonline.Do | Deleted after restart | Manual scan | C:/Windows/system32 | pahzij.dll>upack0.34 | Local machine
Trojan.psw.win32.gameol.MGD | Deleted after restart | Manual scan | C:/Windows/system32 | bchib.dll>upack0.34 | Local machine
Trojan.psw.win32.so2online.Au | Deleted after restart | Manual scan | C:/Windows/system32 | tzm.dll>upack0.34 | Local machine
Rootkit.win32.gamehack.gen | Deleted successfully | Manual scan | C:/Windows/system32 | mseion.sys | Local machine
Trojan.psw.win32.gameol.MGA | Deleted after restart | Manual scan | C:/Windows/system32 | xptyj.dll>upack0.34 | Local machine
Trojan.psw.win32.gameol.mgk | Deleted after restart | Manual scan | C:/Windows/system32 | jemnaw.dll>upack0.34 | Local machine
Rootkit.win32.gamehack.GFA | Deleted successfully | Manual scan | C:/Windows/temp | tmp10.tmp | Local machine
Trojan.psw.win32.lmir.YZR | Deleted successfully | Manual scan | C:/Windows | 49400MM.dll | Local machine
Trojan.psw.win32.gameol.gen | Deleted successfully | Manual scan | C:/Windows | gwsmhxuq.exe>upack0.32 | Local machine
Trojan.psw.win32.hxonline.FP | Deleted successfully | Manual scan | C:/Windows | shaproc.exe>upack0.32 | Local machine
Trojan.psw.win32.gameol.gen | Deleted successfully | Manual scan | C:/Windows | wsockdrv32.exe>upack0.32 | Local machine
===/
That's a lot of viruses ~
I had him download pe_xscan, scan, and send me the log for analysis. The following suspicious items were found:
/===
pe_xscan 08-03-03 by Purple Endurer
12:28:31
Windows XP Service Pack 2 (5.1.2600)
Administrator user group
Normal Mode
[System process] * 0
C:/Windows/system32/cuhad.dll | 16:33:14
C:/Windows/system32/Winlogon.EXE * 524 | Microsoft® Windows® Operating System | 5.1.2600.2180 | Windows NT logon application | © Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation | ? | Winlogon.exe
C:/Windows/system32/cuhad.dll | 16:33:14
C:/Windows/system32/services.EXE * 568 | Microsoft® Windows® Operating System | 5.1.2600.2180 | Services and Controller app | © Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation | ? | Services.exe
C:/Windows/system32/cuhad.dll | 16:33:14
C:/Windows/system32/LSASS.EXE * 580 | Microsoft® Windows® Operating System | 5.1.2600.2180 | LSA Shell (Export Version) | © Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation | ? | Lsass.exe
C:/Windows/system32/cuhad.dll | 16:33:14
C:/Windows/system32/SVCHOST.EXE * 724 | Microsoft® Windows® Operating System | 5.1.2600.2180 | Generic Host Process for Win32 Services | © Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation | ? | Svchost.exe
C:/Windows/system32/cuhad.dll | 16:33:14
D:/program files/rising/rav/ravstub.EXE * 1340 | 20:10:24 | ravstub application | 19, 0, 0, 4 | rising ravstub | copyright (c) 1998-2005 rising Corp. | 19, 0, 0, 4 | Beijing rising Technology Co., Ltd. | ravstub | ravstub.exe
C:/Windows/system32/cuhad.dll | 16:33:14
C:/Windows/system32/wdfmgr.EXE * 1528 | 13:44:28 | Microsoft® Windows® Operating System | 5.2.20.0.1230 | Windows User Mode Driver Manager | © Microsoft Corporation. All rights reserved. | 5.2.20.0.1230 built by: dnsrv (bld4act) | Microsoft Corporation | ? | Wdfmgr | wdfmgr.exe
C:/Windows/system32/cuhad.dll | 16:33:14
C:/Windows/explorer.EXE * 1952 | 21:21:56 | Microsoft® Windows® Operating System | 6.00.2900.3156 | Windows Explorer | © Microsoft Corporation. All rights reserved. | 6.00.2900.3156 (xpsp_sp2_gdr.070613-1234) | Microsoft Corporation | ? | Explorer | EXPLORER.EXE
C:/Windows/system32/cuhad.dll | 16:33:14
C:/Windows/system32/ALG.EXE * 496 | Microsoft® Windows® Operating System | 5.1.2600.2180 | Application Layer Gateway Service | © Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation | ? | Alg.exe
C:/Windows/system32/cuhad.dll | 16:33:14
C:/Windows/system32/ctfmon.EXE * 1516 | Microsoft® Windows® Operating System | 5.1.2600.2180 | CTF Loader | © Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation | ? | Ctfmon.exe
C:/Windows/system32/cuhad.dll | 16:33:14
O4-HKLM/../run: [winsysm] C:/Windows/49400m.exe
O4-Global startup: atisrv.exe -> invalid lnk file
O20-appinit_dlls: bauhgnem.DLL, eohsom.DLL, fyom.DLL, sauhad.DLL, ijougiemnaw.DLL, taijoad.DLL, lnaixnauhqq.DLL, idtj.DLL, vhqq.DLL, atgnehz.DLL, rsqq.DLL, tsqc.DLL, vauyiqvlnaix.DLL, WQ.DLL, fmxh.DLL, cty.DLL, pahzij.DLL, JZ.DLL, BZ.DLL, pyomielnux.DLL, mhtd.DLL, qnefnaib.DLL, EJ.DLL, uixauh.DLL, hjiq.DLL, kiluw.DLL, dsfg.DLL, yqhs.DLL, oaijihzeuyouhz.DLL, jemnaw.DLL, cuhad.DLL, laixuhz.DLL, rfhx.DLL, mnauygniqaixnaij.DLL, oqnauhc.DLL, xjxr.DLL, utiemnaw.DLL, SVE.DLL, wininat.DLL, gnolnait.DLL, zadnew.DLL, htwx.DLL, knaixnauhuoyizqq.DLL, duygnef.DLL, gmx.DLL, nadgnohiac.DLL, agzg.DLL, qlihzouhgnfe.DLL, bchib.DLL, tzm.DLL, r2.dll, slcs.DLL, xptyj.DLL, xhtd.DLL, QQ.DLL, sfhx.DLL, gnaixnauhqq.DLL, 3auhad.DLL, oadnew.DLL, iemnaw.DLL, qcsct.DLL, oadgnohiac.DLL, iqnauhc.DLL, aixauh.DLL, ddtj.DLL, nuygnef.DLL, uohsom.DLL, gnefnaib.DLL, ijiq.DLL, hjxr.DLL, naijoad.DLL, naixuhz.DLL, nahzij.DLL, fmxh.DLL, zqhs.DLL, jsfg.DLL, utgnehz.DLL, uyom.DLL, wtiemnaw.DLL, uyomielnux.DLL, vlihzouhgnfe.DLL, 2ty.DLL, nauhgnem.DLL, auhad.DLL, RJ.DLL, Hz.DLL, naijihzeuyouhz.DLL, xhqq.DLL, JMX.DLL, dgzg.DLL, gsqq.DLL, Fz.DLL
O23-service: icafe Manager (icafe manager) - C:/docume~1/DONGHE/locals~1/temp/usbhcid.sys (manual)
O23-service: SC Manager - C:/docume~1/DONGHE/locals~1/temp/usbcams3.sys (manual)
O24-shlexechook: [Microsoft] - {CAED0F3B-DF8B-4DBF-BB20-8DFBC3199068} = C:/Windows/system32/jhrcar.dll
O26-ifeo: 360rpt.exe -> ntsd -d
O26-ifeo: 360safe.exe -> ntsd -d
O26-ifeo: 360safebox.exe -> ntsd -d
O26-ifeo: 360tray.exe -> ntsd -d
O26-ifeo: adam.exe -> ntsd -d
O26-ifeo: agentsvr.exe -> ntsd -d
O26-ifeo: Prepare vc32.exe -> ntsd -d
O26-ifeo: autoruns.exe -> ntsd -d
O26-ifeo: avconsol.exe -> ntsd -d
O26-ifeo: avgrssvc.exe -> ntsd -d
O26-ifeo: avmonitor.exe -> ntsd -d
O26-ifeo: avp.com -> ntsd -d
O26-ifeo: avp.exe -> ntsd -d
O26-ifeo: ccsvchst.exe -> ntsd -d
O26-ifeo: eghost.exe -> ntsd -d
O26-ifeo: ftcleanershell.exe -> ntsd -d
O26-ifeo: fyfirewall.exe -> ntsd -d
O26-ifeo: hijackthis.exe -> ntsd -d
O26-ifeo: icesword.exe -> ntsd -d
O26-ifeo: iparmo.exe -> ntsd -d
O26-ifeo: iparmor.exe -> ntsd -d
O26-ifeo: ispwdsvc.exe -> ntsd -d
O26-ifeo: kabaload.exe -> ntsd -d
O26-ifeo: kascrscn.scr -> ntsd -d
O26-ifeo: kasmain.exe -> ntsd -d
O26-ifeo: kastask.exe -> ntsd -d
O26-ifeo: kav32.exe -> ntsd -d
O26-ifeo: kavdx.exe -> ntsd -d
O26-ifeo: kavpf.exe -> ntsd -d
O26-ifeo: kavpfw.exe -> ntsd -d
O26-ifeo: kavsetup.exe -> ntsd -d
O26-ifeo: kavstart.exe -> ntsd -d
O26-ifeo: kislnchr.exe -> ntsd -d
O26-ifeo: kmailmon.exe -> ntsd -d
O26-ifeo: kmfilter.exe -> ntsd -d
O26-ifeo: kpfw32.exe -> ntsd -d
O26-ifeo: kpfw32x.exe -> ntsd -d
O26-ifeo: kpfwsvc.exe -> ntsd -d
O26-ifeo: kregex.exe -> ntsd -d
O26-ifeo: krepair.com -> ntsd -d
O26-ifeo: ksloader.exe -> ntsd -d
O26-ifeo: kvcenter.KXP -> ntsd -d
O26-ifeo: kvdetect.exe -> ntsd -d
O26-ifeo: kvfwmcl.exe -> ntsd -d
O26-ifeo: kvmonxp.KXP -> ntsd -d
O26-ifeo: kvmonxp_1.kxp -> ntsd -d
O26-ifeo: kvol.exe -> ntsd -d
O26-ifeo: kvolself.exe -> ntsd -d
O26-ifeo: kvreport.KXP -> ntsd -d
O26-ifeo: kvscan.KXP -> ntsd -d
O26-ifeo: kvsrvxp.exe -> ntsd -d
O26-ifeo: kvstub.KXP -> ntsd -d
O26-ifeo: kvupload.exe -> ntsd -d
O26-ifeo: kvwsc.exe -> ntsd -d
O26-ifeo: kvxp.KXP -> ntsd -d
O26-ifeo: kvxp_1.kxp -> ntsd -d
O26-ifeo: kwatch.exe -> ntsd -d
O26-ifeo: kwatch9x.exe -> ntsd -d
O26-ifeo: kwatchx.exe -> ntsd -d
O26-ifeo: magicset.exe -> ntsd -d
O26-ifeo: mcconsol.exe -> ntsd -d
O26-ifeo: mmqczj.exe -> ntsd -d
O26-ifeo: mmsk.exe -> ntsd -d
O26-ifeo: navapsvc.exe -> ntsd -d
O26-ifeo: navapw32.exe -> ntsd -d
O26-ifeo: nod32.exe -> ntsd -d
O26-ifeo: nod32krn.exe -> ntsd -d
O26-ifeo: nod32kui.exe -> ntsd -d
O26-ifeo: npfmntor.exe -> ntsd -d
O26-ifeo: ollydbg.exe -> ntsd -d
O26-ifeo: ollyice.exe -> ntsd -d
O26-ifeo: pfw.exe -> ntsd -d
O26-ifeo: pfwliveupdate.exe -> ntsd -d
O26-ifeo: procexp.exe -> ntsd -d
O26-ifeo: qhset.exe -> ntsd -d
O26-ifeo: qqdoctor.exe -> ntsd -d
O26-ifeo: qqkav.exe -> ntsd -d
O26-ifeo: rawcopy.exe -> ntsd -d
O26-ifeo: regtool.exe -> ntsd -d
O26-ifeo: rfwproxy.exe -> ntsd -d
O26-ifeo: rfwstub.exe -> ntsd -d
O26-ifeo: safebank.exe -> ntsd -d
O26-ifeo: safeboxtray.exe -> ntsd -d
O26-ifeo: safelive.exe -> ntsd -d
O26-ifeo: scan32.exe -> ntsd -d
O26-ifeo: shda-32.exe -> ntsd -d
O26-ifeo: Sreng.exe -> ntsd -d
O26-ifeo: symlcsvc.exe -> ntsd -d
O26-ifeo: syssafe.exe -> ntsd -d
O26-ifeo: trojandetector.exe -> ntsd -d
O26-ifeo: trojanwall.exe -> ntsd -d
O26-ifeo: trojdie.KXP -> ntsd -d
O26-ifeo: uihost.exe -> ntsd -d
O26-ifeo: umxagent.exe -> ntsd -d
O26-ifeo: umxattachment.exe -> ntsd -d
O26-ifeo: umxw..exe -> ntsd -d
O26-ifeo: umxfwhlp.exe -> ntsd -d
O26-ifeo: umxpol.exe -> ntsd -d
O26-ifeo: uplive.exe -> ntsd -d
O26-ifeo: vsstat.exe -> ntsd -d
O26-ifeo: webscanx.exe -> ntsd -d
O26-ifeo: windbg.exe -> ntsd -d
O26-ifeo: wopticlean.exe -> ntsd -d
===/
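A small triage script for pe_xscan-style output, added here as an example (it is not from the original post and not part of the pe_xscan tool): it parses a constructed excerpt in the layout of the log above and flags the three patterns seen in it, the IFEO entries whose debugger is ntsd -d, the AppInit_DLLs list, and a module loaded into every listed process. The regexes, sample lines and function names are assumptions reduced from the log above.

```python
import re
from collections import Counter

# Constructed excerpt in pe_xscan's layout (reduced from the log above): "path * pid"
# lines are processes, "path | time" lines under them are their loaded modules,
# and O-prefixed lines are startup hooks.
SAMPLE_LOG = """\
C:/Windows/system32/Winlogon.EXE * 524 | Windows NT logon application
C:/Windows/system32/cuhad.dll | 16:33:14
C:/Windows/explorer.EXE * 1952 | 21:21:56 | Windows Explorer
C:/Windows/system32/cuhad.dll | 16:33:14
C:/Windows/system32/shell32.dll | 13:00:00
O20-appinit_dlls: bauhgnem.DLL, cuhad.DLL, jhrcar.DLL
O26-ifeo: 360tray.exe -> ntsd -d
O26-ifeo: procexp.exe -> ntsd -d
O26-ifeo: notepad.exe -> C:/tools/mydbg.exe
"""
PROC_RE = re.compile(r"^(?P<path>[^|*]+?)\s*\*\s*(?P<pid>\d+)")
MOD_RE = re.compile(r"^(?P<path>[^|*]+?)\s*\|")
IFEO_RE = re.compile(r"^O26-ifeo:\s*(?P<image>\S+)\s*->\s*(?P<dbg>.+)$", re.I)
APPINIT_RE = re.compile(r"^O20-appinit_dlls:\s*(?P<dlls>.+)$", re.I)

def parse_pe_xscan(text):
    # Returns (pid -> [module paths], image -> IFEO debugger, AppInit_DLLs list).
    procs, ifeo, appinit, pid = {}, {}, [], None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if m := IFEO_RE.match(line):
            ifeo[m["image"].lower()] = m["dbg"].strip()
        elif m := APPINIT_RE.match(line):
            appinit = [d.strip().lower() for d in m["dlls"].split(",")]
        elif m := PROC_RE.match(line):
            pid = m["pid"]
            procs[pid] = []
        elif (m := MOD_RE.match(line)) and pid is not None:
            procs[pid].append(m["path"].strip().lower())
    return procs, ifeo, appinit

def triage(procs, ifeo, appinit):
    findings = {}
    # Debugger "ntsd -d" starts ntsd detached, which exits at once, so the tool never runs.
    killed = sorted(i for i, d in ifeo.items() if d.lower().replace(" ", "") == "ntsd-d")
    if killed:
        findings["ifeo_ntsd_kill"] = killed
    if appinit:  # forced into every process that loads user32.dll
        findings["appinit_dlls"] = appinit
    counts = Counter(mod for mods in procs.values() for mod in set(mods))
    shared = sorted(m for m, c in counts.items() if c == len(procs))
    if shared:  # the same module injected into every listed process
        findings["module_in_every_process"] = shared
    return findings
```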
(To be continued)