Secuers32.exe, internet.exe, explore.exe, pig.vbs, hbkernel.sys, ssqexd.sys, etc. (2)



Original by endurer
2008-09-08, 1st edition

hbkernel.sys has come up before. See:

Fontsapcum.dll, aaudstum.sys, hbkernel.sys, hev32_c.sys, windows64.sys, etc. (1)

http://endurer.bokee.com/6766433.html
http://space.zdnet.com.cn/html/36/177236-1397738.html
http://blog.csdn.net/Purpleendurer/archive/2008/08/08/2788930.aspx

I didn't notice any problems ~

I ran fileinfo to extract the information on the files marked in red in the log, and ran bat_do to pack them up.

Unexpectedly, bat_do could not find rar.exe. On checking, both winrar.exe and rar.exe in D:/program files/winrar were gone, and editplus.exe in D:/program files/editplus 3 was missing too ~

Fortunately, there was also a WinRAR installation file on the computer, so I reinstalled it and checked with WinRAR. Every folder turned out to contain a file named wsock32.dll, for example:

File Description: D:/tools/wsock32.dll
Attributes: -sh-
Digital Signature: No
PE file: Yes
Language: Chinese (China)
File version: 5.1.2600.2180
Note: Windows Socket 32-bit DLL
Copyright: (C) Microsoft Corporation. All rights reserved.
Product Version: 5.1.2600.2180
Product Name: Microsoft (R) Windows (R) Operating System
Company Name: Microsoft Corporation
Internal name: wsock32
Source File Name: wsock32.dll
Creation time: 9:34:56
Modification time: 9:20:54
Size: 17408 bytes, 17.0 KB
MD5: 25f0a195433664e4bb46fcca41d41c1
Sha1: 657a1268ad4efac28c8e97173f5b67b295ff110e
CRC32: 2f50e4fb

(Kaspersky Report: Worm.Win32.AutoRun.lxv; Rising Report: Worm.Win32.CnVampire.f)

Run the following commands on each drive in turn to delete it (x is the drive letter):

attrib -h -s x:\wsock32.dll /s
del /s x:\wsock32.dll

Checking with fileinfo, I found that the file behind the process C:/Windows/system32/debug.exe is a fake:

File Description: C:/Windows/system32/debug.exe
Attribute: ---
Digital Signature: No
PE file: Yes
An error occurred while obtaining the file version information!
Creation Time:
Modification time:
Size: 20634 bytes, 20.154 KB
MD5: 3f1bfe1b1328af93b0c1adf8cc9d84ac
Sha1: a0fb258325e9b75237433f015c81ad34f7d9f217
CRC32: 506a4064


(Kaspersky Report: Trojan-PSW.Win32.QQPass.dcg; Rising Report: Trojan.DL.Win32.Mnless.atb)

The authentic one:

File Description: C:/Windows/system32/dllcache/debug.exe
Attribute: ---
Digital Signature: Microsoft Corporation
PE file: No
Creation Time:
Modification time:
Size: 20634 bytes, 20.154 KB
MD5: 6c151a8cc2cbdac06635c38ebf564c19
Sha1: c6d4df341fb485d944e10abbf4099869c5e498fa
CRC32: aa4503c


In addition, system files such as ctfmon.exe and beep.sys had been replaced by malicious program files:

File Description: C:/Windows/system32/ctfmon.exe
Attribute: ---
Digital Signature: No
PE file: Yes
An error occurred while obtaining the file version information!
Creation Time:
Modification time: 15:31:58
Size: 368640 bytes, 360.0 KB
MD5: c338ff709aa7d081514d9a3c4bfe9c58
Sha1: 12e2502a7061278f9684b4212c47c7b3c14c387d
CRC32: 1d6b1689


(Kaspersky Report: Trojan.Win32.KillAV.alu)

File Description: C:/Windows/system32/Drivers/beep.sys
Attribute: ---
Digital Signature: No
PE file: Yes
An error occurred while obtaining the file version information!
Creation Time:
Modification time:
Size: 16256 bytes, 15.896 KB
MD5: 17520c1ec38c2b92498be0ac75fa9729
Sha1: 7bcb155b57add016c1cea91e0773ba92097f96d3
CRC32: 253b01e1


(Kaspersky Report: Trojan-GameThief.Win32.OnLineGames.tbnn; DrWeb Report: Trojan.NtRootKit.1469)
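
The two checks this log does by hand, hunting for wsock32.dll copies dropped into every folder and comparing a system32 file's MD5/SHA1/CRC32 against its dllcache backup, as an added Python example (not the author's fileinfo tool); build_demo_tree creates a constructed sample tree, not real system files.

```python
import hashlib
import os
import tempfile
import zlib
from pathlib import Path

def file_digests(path):
    """Return (md5, sha1, crc32) as hex strings, the same trio fileinfo prints."""
    md5, sha1, crc = hashlib.md5(), hashlib.sha1(), 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            md5.update(chunk)
            sha1.update(chunk)
            crc = zlib.crc32(chunk, crc)
    return md5.hexdigest(), sha1.hexdigest(), f"{crc & 0xFFFFFFFF:08x}"

def compare_with_dllcache(system32, dllcache, names):
    """Classify each live system file against its dllcache backup: 'ok' when the
    digests match, 'mismatch' when they differ, 'missing' when either copy is absent."""
    verdicts = {}
    for name in names:
        live, backup = Path(system32) / name, Path(dllcache) / name
        if not (live.is_file() and backup.is_file()):
            verdicts[name] = "missing"
        else:
            verdicts[name] = "ok" if file_digests(live) == file_digests(backup) else "mismatch"
    return verdicts

def find_stray_copies(root, name, allowed_dirs):
    """Walk root and list every file called `name` outside allowed_dirs; the worm on
    the page dropped a wsock32.dll into every folder it touched."""
    allowed = {Path(d).resolve() for d in allowed_dirs}
    return sorted(str(Path(d) / name) for d, _, files in os.walk(root)
                  if name in files and Path(d).resolve() not in allowed)

def build_demo_tree():
    """Constructed sample layout, not real system files: a tampered debug.exe, an
    untouched ctfmon.exe, and stray wsock32.dll copies in two tool folders."""
    root = Path(tempfile.mkdtemp())
    sys32, cache = root / "system32", root / "system32" / "dllcache"
    for d in (sys32, cache, root / "tools", root / "tools" / "sub"):
        d.mkdir(parents=True)
    (sys32 / "debug.exe").write_bytes(b"MZ-fake-debug")      # replaced by malware
    (cache / "debug.exe").write_bytes(b"MZ-real-debug")      # pristine backup copy
    for d in (sys32, cache):
        (d / "ctfmon.exe").write_bytes(b"MZ-ctfmon")         # unchanged file
    (sys32 / "wsock32.dll").write_bytes(b"MZ-real-wsock32")  # legitimate location
    for d in (root / "tools", root / "tools" / "sub"):
        (d / "wsock32.dll").write_bytes(b"MZ-worm-dropper")  # stray copies
    return root
```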

In this case the sfc /scannow command should be used to repair the system files, but I was too lazy and used the rename-and-replace method instead.

The most terrible thing is that HijackThis and Kaka Security Assistant were useless against this entry:

F2 - REG:system.ini: UserInit=C:/Windows/system32/userinit.exe,C:/program files/common files/system/secuers32.exe

I restarted the computer and started it with the "Last Known Good Configuration" item in the advanced boot menu. That went fine, but the logon screen was not displayed and it would not enter the desktop.

Safe Mode with Command Prompt could not be started either ~

I wanted to use the Windows installation CD to enter the Recovery Console

and run the following commands:

C:\> cd \Windows\Repair
C:\> copy *.* C:\Windows\system32\config

This overwrites the current registry hive files with the copies saved at initial installation, so any settings and program registrations made since then are lost as well.

Unexpectedly, the optical drive would not work ~

I remembered that the hard disk uses the FAT32 file system, so with some difficulty I found a Win98 boot floppy, but an error occurred while reading the disk ~

Since I could not boot from a USB flash drive, I had to reinstall the system ~
