Browser hijacked by my123.com, plus Yok

Source: Internet
Author: User

Endurer original

2006-11-28 1st version

A netizen's computer had recently reported Yok*.* as infected with a virus; at startup the system then prompted that a file could not be found, and he asked me to take a look.

Opening IE showed the home page set to hxxp://www.my123.com. I had him download the my123.com removal tool from the Rising website, and HijackThis and ProcView from http://endurer.ys168.com.

Scanning with Rising's my123.com removal tool found no suspicious files...... sweat!

Jiangmin KV does not seem to have a function for exporting its log history; sweat!

Scanning with HijackThis produced a log with the following suspicious items:
/-------
Logfile of HijackThis v1.99.1
Scan saved at 13:27:08, on
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

O2 - BHO: coral super search - {75fe2b5a-d3a4-4efa-ac11-adc9c9459688} - C:\progra~1\Yok\toolbar.dll
O4 - HKLM\..\Run: [yok.exe] C:\Windows\system32\rundll32.exe C:\progra~1\Yok.dll,rundll32
O4 - HKLM\..\Run: [dvhzso26] C:\Windows\system32\rundll32.exe C:\Windows\system32\dvhzso26.dll,dllcanunloadnow
O8 - Extra context menu item: coral super search - C:\progra~1\Yok\yoksch.htm
-------/

Generating a startup list with HijackThis revealed the following suspicious services:
/-------
StartupList report, 02:02:12
StartupList version: 1.52.2
======================================================================
Enumerating Windows NT/2000/XP services

Dvhzso26: system32\Drivers\dvhzso26.sys (system)
Lybvrlcy: system32\Drivers\lybvrlcy.sys (system)
Ngaacn74: system32\Drivers\ngaacn74.sys (system)
Tykeeper: system32\Drivers\tykeeper.sys (system)
Vhehnzrh: system32\Drivers\vhehnzrh.sys (system)
Windows Socket 2.0 Non-IFS Service Provider Support Environment: \SystemRoot\system32\Drivers\ws2ifsl.sys (disabled)
-------/
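To show what a first-pass triage of logs like the two above can look like, here is an added Python script (not from the original post or from the HijackThis project). It parses O4 Run entries and StartupList service lines, flags a rundll32 Run entry that calls a COM housekeeping export, pairs a kernel driver with a user-mode DLL of the same base name, and applies a random-name heuristic to system-start drivers. The sample lines are constructed from the post's entries with the extraction spacing removed; the heuristics and thresholds are my own assumptions.

```python
import re

# Constructed sample: the post's HijackThis O4 entries and StartupList service lines, spacing normalised.
HJT_LOG = r"""
O4 - HKLM\..\Run: [yok.exe] C:\Windows\system32\rundll32.exe C:\progra~1\Yok.dll,rundll32
O4 - HKLM\..\Run: [dvhzso26] C:\Windows\system32\rundll32.exe C:\Windows\system32\dvhzso26.dll,dllcanunloadnow
"""
SERVICES = r"""
Dvhzso26: system32\Drivers\dvhzso26.sys (system)
Lybvrlcy: system32\Drivers\lybvrlcy.sys (system)
Ngaacn74: system32\Drivers\ngaacn74.sys (system)
Tykeeper: system32\Drivers\tykeeper.sys (system)
Vhehnzrh: system32\Drivers\vhehnzrh.sys (system)
Windows Socket 2.0 Non-IFS Service Provider Support Environment: \SystemRoot\system32\Drivers\ws2ifsl.sys (disabled)
"""

# COM housekeeping exports: a legitimate Run entry has no reason to call these through rundll32.
COM_EXPORTS = {"dllcanunloadnow", "dllregisterserver", "dllunregisterserver", "dllgetclassobject"}
O4_RE = re.compile(r"^O4 - .*rundll32\.exe\s+(?P<dll>[^,]+\.dll),(?P<entry>\w+)", re.I)
SVC_RE = re.compile(r"^(?P<name>[^:]+):\s+\S*[\\/]drivers[\\/](?P<base>[\w~]+)\.sys\s+\((?P<start>\w+)\)", re.I)


def looks_random(base):
    """Heuristic (assumed) for generated names: 8 alphanumerics containing digits or almost no vowels."""
    b = base.lower()
    if len(b) != 8 or not b.isalnum():
        return False
    return any(c.isdigit() for c in b) or sum(c in "aeiou" for c in b) <= 1


def rundll32_loaded_dlls(log):
    """Map DLL basename -> entry point (lower-cased) for every O4 Run entry that starts rundll32."""
    return {m.group("dll").split("\\")[-1].lower(): m.group("entry").lower()
            for m in filter(None, map(O4_RE.search, log.splitlines()))}


def triage(log, services):
    """Return sorted (item, reason) pairs that deserve a closer look."""
    dlls = rundll32_loaded_dlls(log)
    findings = [(d, "rundll32 Run entry calls COM export " + e) for d, e in dlls.items() if e in COM_EXPORTS]
    for m in filter(None, map(SVC_RE.search, services.splitlines())):
        base = m.group("base").lower()
        if base + ".dll" in dlls:  # user-mode loader plus kernel driver sharing one name
            findings.append((base + ".sys", "driver paired with rundll32-loaded " + base + ".dll"))
        elif m.group("start").lower() == "system" and looks_random(base):
            findings.append((base + ".sys", "system-start driver with random-looking name"))
    return sorted(findings)
```

Note that tykeeper.sys slips past the name heuristic, so the DLL/driver pairing and the cross-check against known-good drivers such as ws2ifsl.sys carry more weight than the name alone.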

Trying to archive C:\Windows\system32\dvhzso26.dll with WinRAR, it reported the file as in use during compression; at the same time Jiangmin KV2006 real-time monitoring reported dvhzso26.dll as infected with Rootkit.StartPage.
Even with KV2006 real-time monitoring disabled, the file could not be archived.

The process list exported with ProcView shows dvhzso26.dll injected into the EXPLORER.EXE process:
/-------
Windows XP (5.1.2600 Service Pack 2)
13:40:51 Process List
C:\Windows\EXPLORER.EXE
C:\Windows\system32\dvhzso26.dll
-------/

Fixing the suspicious items listed above with HijackThis fails.
Using the Registry Editor, change the start type of the suspicious services found in the HijackThis startup list to 5 (disabled).

Clear the IE temporary folder and the system temporary folders.

Restart the computer, and in Safe Mode archive C:\Windows\system32\dvhzso26.dll and then delete it;
delete C:\progra~1\Yok.

After a while the netizen reported that C:\Windows\system32\dvhzso26.dll could not be deleted, but C:\progra~1\Yok had been.

Scanning again with HijackThis and generating the startup list, the suspicious items and services were still there.

System services are good.

Download bat_do from http://purpleendurer.ys168.com.

Add the following to the list of files to be processed (if bat_do prompts that the file or folder does not exist, add it anyway):
/----------
C:\Windows\system32\dvhzso26.dll
C:\Windows\system32\Drivers\dvhzso26.sys
C:\Windows\system32\lybvrlcy.dll
C:\Windows\system32\Drivers\lybvrlcy.sys
C:\Windows\system32\ngaacn74.dll
C:\Windows\system32\Drivers\ngaacn74.sys
C:\Windows\system32\tykeeper.dll
C:\Windows\system32\Drivers\tykeeper.sys
C:\Windows\system32\vhehnzrh.dll
C:\Windows\system32\Drivers\vhehnzrh.sys
----------/
Click "Select all".
Tick "Set attributes", "Rename" and "Delete".
Click "Generate command".
Click "Execute on restart".

Jiangmin KV2006 real-time monitoring warned that bat_do was modifying the registry for the deletion.

For services with start type System, it is safer to use autoexec.bat to delete the corresponding files.

Open Notepad, paste the generated commands into it, and save as C:\autoexec.bat.

The system prompted that C:\autoexec.bat is read-only.

In the bat_do window, enter attrib C:\autoexec.bat -h -r -s in the file/command box.
Click "Execute command".

Saving as C:\autoexec.bat from Notepad now works. OK!

Restart the computer.

After the restart, the netizen said the system shows a rundll error during startup.

Untick the startup item containing rundll32 in msconfig.exe.

Kaspersky reports dvhzso26.dll as Trojan-Downloader.Win32.Agent.bbc.
