Endurer (original)
2006.03.11 Version 4: Rising reports C:/Windows/.exe as Trojan.DL.Agent.fej
2006.03.10 Version 3: Jiangmin replied that C:/Windows/.exe is a new virus; the virus name is pending
2006.03.09 Version 2: added handling of the error prompt box
2006.03.08 Version 1
Today a friend's computer was slow to start and showed an error prompt box; the Internet was slow and advertisements played occasionally. I took a look.
After boot an error box pops up: "loading c:/Pocume-1/user/locals-1/temp/rarsfx3/Dtserv-1.dll" error: cannot find the specified module.
This is one of the most frequently asked questions online recently.
Scanned with HijackThis (HijackThis can be downloaded from http://endurer.ys168.com) and read the log. You don't know until you look, and the look gives you a fright: n rogue programs. The following are the items that need fixing and the suspicious ones:
C:/program files/crtvmsn/crtvmsn.exe
C:/docume~1/user/locals~1/temp/~Ex1.exe
C:/program files/huaci/zsearch.exe
C:/program files/Bala/bin/balalive.exe
C:/program files/uploadtop/mrup.exe
C:/docume~1/user/locals~1/temp/~Ex25.exe
C:/program files/huaci/zsup.exe
C:/program files/pcast/podcastbarmini/podcastbarmini.exe
C:/Windows/javas/msnmon.exe
C:/Windows/alcupd/alcupd.exe
C:/program files/save/save.exe
C:/program files/searchnet/searchnet.exe
C:/Windows/system32/servehost.exe
C:/program files/common files/comm/network.exe
C:/program files/Bala/bin/autodown.exe
F2-Reg: system.ini: userinit = C:/Windows/system32/userinit.exe, C:/Windows/.exe
R3-urlsearchhook: (No Name)-{982cb676-38f0-4d9a-bb72-d9371abe876e}-(no file)
O2-BHO: monitorurl class-{08a312bb-5409-49fc-9347-54bb7d069ac6}-C:/progra~1/AD~1/deskipn.dll
O2-BHO: wmpdrm-{0e674588-66b7-4e19-9d0e-2053b800f69f}-C:/Windows/system32/wmpdrm.dll
O2-BHO: myiehelper class-{16a770a0-0e87-4278-b748-2460d64a8386}-C:/Documents and Settings/all users/Application Data/Microsoft/iehelper/iehelper_8911.dll
O2-BHO: quickbtn-{1a199c20-de2b-4838-ae3f-b5257ece2b7e}-C:/program files/coolwebsite/Quicklink.dll
O2-BHO: zhongsou Browser Helper-{2a0176fe-008b-4706-90f5-bba532a49731}-C:/program files/searchnet/snhpr.dll
O2-BHO: mmsassist-{6671a431-5c3d-463d-a7cf-5587f9b7e191}-(no file)
O2-BHO: STD software-{6a512bf7-ec78-4e8d-9841-6c02e8fa9838}-C:/Windows/system32/stdup.dll
O2-BHO: bandie class-{77fef28e-eb96-44ff-b511-3185dea48697}-C:/progra~1/Baidu/BAR/baidubar.dll
O2-BHO: bhelper-{8a4280ad-9b37-4872-a51d-73f3c3a32af7}-C:/Windows/system32/msibm/cfsbho.dll
O2-BHO: accoona search assistant-{944864a5-3916-46e2-96a9-a2e84f3f1208}-C:/program files/accoona/asearchassist.dll
O2-BHO: newweb controller-{9aceee30-143f-471a-aa45-72b061fe7d60}-C:/Windows/system32/advsc32.dll
O2-BHO: hbobject class-{AE22AFE5-1EF4-4D25-9E23-D2825FB17DA1}-C:/progra~1/hbclient/tbhelper.dll
O2-BHO: meobjectsdt-{D4D5C535-BA95-4327-870D-A33826FDD17A}-C:/Windows/system32/obwbkya.dll
O3-toolbar: Baidu super souba-{B580CF65-E151-49C3-B73F-70B13FCA8E86}-C:/progra~1/Baidu/BAR/baidubar.dll
O3-toolbar: accoona-{364b6276-c6c1-40b6-a6d7-6c48871fd707}-C:/program files/accoona/atoolbar.dll
O4-HKLM/../run: [res] C:/Windows/system32/res.exe
O4-HKLM/../run: [dtservice] rundll32.exe C:/docume~1/user/locals~1/temp/rarsfx0/dtserv~1.dll, load
O4-HKLM/../run: [mscfs] rundll32 C:/Windows/system32/msibm/cfsys.dll, CFS
O4-HKLM/../run: [richmedia] C:/Windows/system32/rundll32.exe "C:/progra~1/hbclient/tbhelper.dll", waitwindows
O4-HKLM/../run: [kuco] D:/cool entertainment~1/kuco.exe
O4-HKLM/../run: [pigupdate] C:/docume~1/user/locals~1/temp/~Ex1.exe
O4-HKLM/../run: [searchnet_up] "C:/program files/searchnet/serveup.exe"
O4-HKLM/../run: [desktop] C:/Windows/system32/rundll32.exe "C:/program files/deskadtop/run.dll", rundll
O4-HKLM/../run: [update] C:/program files/common files/update/update.exe
O4-HKLM/../run: [movesearch] C:/program files/huaci/zsearch.exe
O4-HKLM/../run: [pobres] C:/Windows/system32/pob2res.exe
O4-HKLM/../run: [minipcast] C:/program files/pcast/podcastbarmini/start.exe
O4-HKLM/../run: [balalive] C:/program files/Bala/bin/balalive.exe Autorun
O4-HKLM/../run: [balaautodown] C:/program files/Bala/bin/getautodown.exe
O4-HKLM/../run: [feiyingupdate] C:/docume~1/user/locals~1/temp/~Ex25.exe
O4-HKLM/../run: [fkczic] rundll32.exe "C:/Windows/system32/tpavppre.dll", boot
O4-HKLM/../run: [hnetpolcy] rundll32.exe C:/docume~1/user/locals~1/temp/rarsfx4/hnetpo~1.dll, start
O4-hkcu/../run: [update8] C:/Windows/aupdate.exe
O4-hkcu/../run: [msnmon] C:/Windows/javas/msnmon.exe
O4-hkcu/../run: [alcupd.exe] C:/Windows/alcupd/alcupd.exe
O4-hkcu/../run: [whenusave] "C:/program files/save/save.exe"
O4-hkcu/../run: [update] C:/program files/Internet Explorer/ie uninstall/aupdate.exe
O4-hkcu/../run: [hnetpolcy] rundll32.exe C:/docume~1/user/locals~1/temp/rarsfx4/hnetpo~1.dll, start
O4-startup: search by word.lnk = C:/program files/huaci/zsearch.exe
O4-Global startup: Desktop Media.lnk = ?
O8-extra context menu item: >MMS sending< - res://C:/progra~1/mmsass~1/mmsass~1.dll/mms.htm
O8-extra context menu item: u88 franchise network - C:/program files/Internet Explorer/2052/contextmenu.htm
O9-extra button: navigate to {1d903167-2529-4a9b-9b6b-7a1db3a44cb5}-C:/program files/coolwebsite/Quicklink.dll
O9-extra 'tools' menuitem: mmsassist toolbar settings-{6671a433-5c3d-463d-a7cf-5587f9b7e191}-C:/Windows/system32/shdocvw.dll
O9-extra button: My subscription-{8755ce6e-0bf7-4441-8751-fb728941b0b4}-C:/program files/P4P/RSS.dll
O9-extra button: (No Name)-{9239e4ec-c9a6-11d2-a844-00c04f68d538}-(no file)
O9-extra button: Bala music world-{A79B8444-E20F-4D87-97B1-7D62E392E874}-C:/program files/Bala/bin/balalive.exe
O9-extra 'tools' menuitem: Bala music world-{A79B8444-E20F-4D87-97B1-7D62E392E874}-C:/program files/Bala/bin/balalive.exe
O10-unknown file in Winsock LSP: C:/Windows/system32/hbmter.dll
O10-unknown file in Winsock LSP: C:/Windows/system32/hbmter.dll
O11-Options Group: [cdnclient] accessing Chinese
O23-service: .Net boot service-unknown owner-C:/Windows/system32/big5_gb2312.exe
O23-service: remote log-Beijing zhongsuo online software Co., Ltd.-C:/Windows/system32/servehost.exe
O23-service: sdagent Service (sdagentservice)-Beijing Xinghua Foundation Software Technology Co., Ltd.-C:/program files/common files/smartde/sde.exe
O23-service: Network System (Universal Disk Manager)-comenet technology-C:/program files/common files/comm/network.exe
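The log above is the raw material for this kind of triage, so here is an added example (not from the original post, and not HijackThis's own code) of doing the first pass by script. It assumes the standard HijackThis line shapes ("O4 - HKLM\..\Run: [name] command", "O2 - BHO: name - {CLSID} - path", "O23 - Service: name - owner - path", "F2 - REG:system.ini: UserInit=a,b") and also tolerates the "O4-HKLM/../run:" spacing seen in the log above. The heuristics are this example's own, chosen to match the pattern on this machine: programs loaded from a temp directory via rundll32, orphaned "(no file)" entries, an unrecognised Winsock LSP, a service with no identified vendor, and a second program chained onto the UserInit value (the F2 item above). The sample lines and the Finding class are constructed for the example.

```python
"""Heuristic triage of HijackThis-style log lines (added example, not HijackThis code)."""
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample input: a few items from the log above, in standard HijackThis shape.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\.exe
R3 - URLSearchHook: (no name) - {982cb676-38f0-4d9a-bb72-d9371abe876e} - (no file)
O2 - BHO: bandie class - {77fef28e-eb96-44ff-b511-3185dea48697} - C:\PROGRA~1\Baidu\BAR\baidubar.dll
O4 - HKLM\..\Run: [dtservice] rundll32.exe C:\DOCUME~1\user\LOCALS~1\Temp\RarSFX0\dtserv~1.dll,load
O4 - HKLM\..\Run: [update] C:\Program Files\Common Files\update\update.exe
O10 - Unknown file in Winsock LSP: C:\WINDOWS\system32\hbmter.dll
O23 - Service: .Net boot service - Unknown owner - C:\WINDOWS\system32\big5_gb2312.exe
"""

_ITEM = re.compile(r"^\s*([FRO]\d+)\s*-\s*(.*?)\s*$")      # "O4 - rest" or "O4-rest"
_O4_ENTRY = re.compile(r"^\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
_TEMP_DIR = re.compile(r"(?i)[\\/]temp[\\/]")               # ...\Temp\... or .../temp/...
_RUNDLL = re.compile(r"(?i)\brundll32(\.exe)?\b")
_DOT_BASENAME = re.compile(r"[\\/]\.[^\\/]*$")              # file name is only an extension, e.g. "\.exe"
_USERINIT_OK = re.compile(r"(?i)[\\/]system32[\\/]userinit\.exe$")


@dataclass
class Finding:
    code: str                 # HijackThis item type: "O4", "O23", "F2", ...
    name: str                 # value name, BHO/service name, or "" if the line has none
    path: str                 # command line or module path
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def parse_line(line: str) -> Finding:
    """Split one item into (code, name, path) and attach heuristic reasons."""
    m = _ITEM.match(line)
    if not m:
        raise ValueError(f"not a HijackThis item: {line!r}")
    code, rest = m.group(1), m.group(2)
    kind, _, body = rest.partition(": ")   # "HKLM\..\Run", "BHO", "Service", "REG:system.ini", ...
    name, path, owner = "", body, ""

    if code == "O4":
        entry = _O4_ENTRY.match(body)
        if entry:
            name, path = entry.group("name"), entry.group("cmd")
    elif code.startswith("F"):
        name, _, path = body.partition("=")         # UserInit=a,b
    elif " - " in body:                              # O2/O3/O9/R3/O23: name - {CLSID}|owner - path
        parts = body.split(" - ")
        name, path = parts[0], parts[-1]
        if code == "O23" and len(parts) >= 3:
            owner = parts[1]
    elif code == "O10":
        name = kind                                  # "Unknown file in Winsock LSP"

    f = Finding(code, name.strip(), path.strip())
    if "(no file)" in f.path.lower():
        f.reasons.append("orphaned entry: referenced file is missing")
    if _TEMP_DIR.search(f.path):
        f.reasons.append("runs from a temporary directory")
    if code == "O4" and _RUNDLL.search(f.path):
        f.reasons.append("loads a DLL via rundll32 at logon")
    if _DOT_BASENAME.search(f.path):
        f.reasons.append("file name is only an extension")
    if code == "O10":
        f.reasons.append("unrecognised Winsock LSP module")
    if code == "O23" and "unknown owner" in owner.lower():
        f.reasons.append("service with no identified vendor")
    if code == "F2" and f.name.lower() == "userinit":
        entries = [e.strip() for e in f.path.split(",") if e.strip()]
        if len(entries) != 1 or not _USERINIT_OK.search(entries[0]):
            f.reasons.append("extra program chained into UserInit")
    return f


def triage(log_text: str) -> List[Finding]:
    """Parse every non-blank line of a log into a Finding."""
    return [parse_line(l) for l in log_text.splitlines() if l.strip()]


def report(log_text: str) -> str:
    """Human-readable summary, flagged items first-class."""
    out = []
    for f in triage(log_text):
        tag = "SUSPICIOUS" if f.suspicious else "review    "
        out.append(f"{tag} {f.code:<3} {f.name or '-'} -> {f.path}")
        out.extend(f"           * {r}" for r in f.reasons)
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

On the sample, five of the seven items are flagged; the Baidu toolbar BHO and the update.exe Run entry pass unflagged even though both ended up removed on this machine. That is the caveat: a rule set like this shortens the list for a person, it does not replace reading the whole log and checking the processes, which is what the post goes on to do.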
Evidently the error box at boot, "loading c:/Pocume-1/user/locals-1/temp/rarsfx3/Dtserv-1.dll" error: cannot find the specified module, is probably caused by these two items:
O4-HKLM/../run: [dtservice] rundll32.exe C:/docume~1/user/locals~1/temp/rarsfx0/dtserv~1.dll, load
O4-HKLM/../run: [hnetpolcy] rundll32.exe C:/docume~1/user/locals~1/temp/rarsfx4/hnetpo~1.dll, start
However, fixing these two items does not solve the problem: both are recreated at the next startup. Generating a StartupList report with HijackThis shows:
Autorun entries from registry:
HKLM/software/Microsoft/Windows/CurrentVersion/policies/Explorer/run
Crtvmsn = C:/program files/crtvmsn/crtvmsn.exe
IPSec = rundll32.exe C:/progra~1/common~1/system/msdc32.dll, _S1
Hnetpolcy = rundll32.exe C:/docume~1/vlk/locals~1/temp/rarsfx4/hnetpo~1.dll, start
Ip_sec = rundll32.exe C:/progra~1/common~1/system/msdc32.dll, _S1
All of these are suspicious and were deleted from the registry.
In addition, the processes of
O4-HKLM/../run: [res] C:/Windows/system32/res.exe
O4-HKLM/../run: [update] C:/program files/common files/update/update.exe
were hidden. Downloaded IceSword from http://endurer.ys168.com; its process list shows three hidden processes:
C:/Windows/system32/res.exe
C:/program files/common files/update/update.exe
and the third,
C:/program files/common files/smartde/sde.exe
All of them were terminated.
This computer also has Adware.HBang. I remember a friend left a comment under "Solve the pop-up window and Adware.HBang" asking whether "Great Secretary" can be uninstalled by removing "richmedia" in Add/Remove Programs.
I tested it here: first go to the Control Panel, uninstall it, and cancel the startup items of the virus and the suspicious items. Then restart the computer and use Rising to check whether "Great Secretary" has been completely uninstalled.
Rising's online scan found more than 100 virus files:
12:37:42 Rising Antivirus Assistant
Windows XP Service Pack 2 (5.1.2600)
File name    Virus name
C:/Windows/system32/res.exe    Trojan.DL.Agent.eja
C:/Windows/system32/qcssbl9.exe    Trojan.Spy.Agent.zs
C:/Windows/system32/msibm/linbak.dll    Trojan.Spy.Agent.xv
C:/Windows/system32/temp/temp1.plt    adware.hbang.e
C:/Windows/system32/bakcfs/linbak.dll    Trojan.Spy.Agent.xv
C:/Windows/system32/pob2res.exe    Trojan.DL.Agent.FDN
C:/Windows/system32/big5_gb2312.exe    Trojan.DL.Agent.EHD
C:/Windows/aupdate.exe    Trojan.DL.aupdate
C:/Windows/wingmt.exe    Trojan.DL.Agent.Eno
C:/Windows/temp/lupsetup.exe    Trojan.Agent.AWO
C:/Windows/hhelp.dll    adware.hbang.e
C:/Documents and Settings/user/Local Settings/temp/rarsfx0/dtservice.dll.tmp.tmp    Trojan.DL.Small.cdy
C:/Documents and Settings/user/Local Settings/temp/del9.tmp    Trojan.DL.aupdate
C:/Documents and Settings/user/Local Settings/temp/del80.tmp    Trojan.DL.aupdate
C:/Documents and Settings/user/Local Settings/1    Trojan.DL.Small.cit
C:/program files/common files/San/diskman.exe    adware.Clicker.ynyw.B
C:/program files/common files/update/update.exe    Trojan.DL.qqhelper.AP
C:/program files/common files/sand/qqfaceclient.exe    adware.Clicker.ynyw.m
C:/program files/snkes/msndrc.exe>crtvmsn.exe    Trojan.Delf.AFL
C:/program files/crtvmsn/crtvmsn.exe    Trojan.Delf.AFL
C:/system volume information/_restore{8bd25a2e-00005-440d-ba24-840ff00efca0}/RP1/a0001005.dll    adware.hbang.e
... (the following entries, all adware.hbang.e, omitted)
C:/system volume information/_restore{8bd25a2e-00005-440d-ba24-840ff00efca0}/RP3/a0008167.dll    Trojan.DL.qqhelper.AG
C:/system volume information/_restore{8bd25a2e-00005-440d-ba24-840ff00efca0}/RP3/a0008175.dll    adware.hbang.e
... (the following entries, all adware.hbang.e, omitted)
C:/system volume information/_restore{8bd25a2e-00005-440d-ba24-840ff00efca0}/RP3/a0010186.exe    Trojan.Spy.Agent.xx
... (the following entries, all Trojan.Spy.Agent.xx, omitted)
C:/system volume information/_restore{8bd25a2e-00005-440d-ba24-840ff00efca0}/rp5/a00000050.dll    Trojan.Clicker.Agent.se
C:/system volume information/_restore{8bd25a2e-00005-440d-ba24-840ff00efca0}/rp6/a00000016.exe    Trojan.Clicker.Agent.RV
C:/system volume information/_restore{8bd25a2e-00005-440d-ba24-840ff00efca0}/rp6/a00000017.dll    Trojan.Clicker.Agent.RV
Rising found Adware.HBang, so it seems the uninstaller provided by "Great Secretary" does not remove it completely.
Download "Rising Antivirus Assistant" from http://endurer.ys168.com. First click "Copy Rising detection results list", then "Save scan results", then "Package and back up virus files", then tick "Delete infected files directly, do not put them in the Recycle Bin", and finally click "Delete all infected files".
Looked at:
O4-hkcu/../run: [update] C:/program files/Internet Explorer/ie uninstall/aupdate.exe
C:/program files/Internet Explorer/ie uninstall; the folders C:/program files/Internet Explorer/2052 and C:/program files/Internet Explorer/lib also contain files of the "u88 franchise network", which were packaged and deleted.
Then the temporary IE folder and the Windows temporary folder were cleared.
The most interesting item is
F2-Reg: system.ini: userinit = C:/Windows/system32/userinit.exe, C:/Windows/.exe
the file C:/Windows/.exe.
Scanning it at http://virusscan.jotti.org/ gives the following result:
File: _.exe
Status: Possibly infected/malware (Note: this file was only flagged as malware by heuristic detection(s). This might be a false positive; therefore, results of this scan will not be stored in the database)
MD5: 823b7f849da8354e8206fb0d7015fb85
Packers detected: ASPack
Scanner results:
AntiVir: Found nothing
Arcavir: Found nothing
Avast: Found nothing
AVG AntiVirus: Found nothing
BitDefender: Found dropped: Generic.Malware.SF.eaa7020d (probable variant)
ClamAV: Found nothing
Dr.Web: Found Backdoor.Trojan (probable variant)
F-Prot AntiVirus: Found nothing
Fortinet: Found nothing
Kaspersky Anti-Virus: Found nothing
NOD32: Found nothing
Norman Virus Control: Found nothing
UNA: Found nothing
VirusBuster: Found nothing
VBA32: Found Downloader.Small.105 (paranoid heuristics) (probable variant)