Endurer, original article
2006-11-28, 1st version
A netizen's computer recently reported that Yok*.* was infected with a virus; at startup the system prompted that the file could not be found, and he asked me to look into it.
Opening IE showed the home page set to hxxp://www.my123.com. I had him download the my123.com removal tool from the Rising website, and HijackThis and ProcView from http://endurer.ys168.com.
Scanning with Rising's my123.com removal tool found no suspicious files... (sweat!)
Jiangmin KV does not seem to have a function to export its history either (sweat!).
Scanning with HijackThis found the following suspicious items in the log:
/-------
Logfile of HijackThis v1.99.1
Scan saved at 13:27:08, on
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
O2 - BHO: coral super search - {75fe2b5a-d3a4-4efa-ac11-adc9c9459688} - C:\PROGRA~1\Yok\toolbar.dll
O4 - HKLM\..\Run: [yok.exe] C:\WINDOWS\system32\rundll32.exe C:\PROGRA~1\Yok.dll,rundll32
O4 - HKLM\..\Run: [dvhzso26] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\dvhzso26.dll,DllCanUnloadNow
O8 - Extra context menu item: coral super search - C:\PROGRA~1\Yok\yoksch.htm
-------/
Generating a startup list with HijackThis showed the following suspicious services:
/-------
StartupList report, 02:02:12
StartupList version: 1.52.2
====================================================================
Enumerating Windows NT/2000/XP services
Dvhzso26: system32\Drivers\dvhzso26.sys (system)
Lybvrlcy: system32\Drivers\lybvrlcy.sys (system)
Ngaacn74: system32\Drivers\ngaacn74.sys (system)
Tykeeper: system32\Drivers\tykeeper.sys (system)
Vhehnzrh: system32\Drivers\vhehnzrh.sys (system)
Windows Socket 2.0 Non-IFS Service Provider Support Environment: \SystemRoot\system32\Drivers\ws2ifsl.sys (disabled)
-------/
When I tried to pack C:\WINDOWS\system32\dvhzso26.dll with WinRAR, WinRAR reported that the file was in use; at the same time, Jiangmin KV2006 real-time monitoring reported that dvhzso26.dll was infected with Rootkit.StartPage.
Even after KV2006 real-time monitoring was disabled, the file could not be packed.
Exporting the process list with ProcView showed dvhzso26.dll injected into the EXPLORER.EXE process:
/-------
Windows XP (5.1.2600 Service Pack 2)
13:40:51 Process List
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\system32\dvhzso26.dll
-------/
Using HijackThis to fix the suspicious items listed above failed.
In the Registry Editor, change the Start type of the suspicious services found in the HijackThis startup list to 5 (disabled).
Clear the IE temporary folder and the system temporary folders.
Restart the computer, and in Safe Mode pack C:\WINDOWS\system32\dvhzso26.dll and then delete it,
and delete C:\PROGRA~1\Yok.
After a while the netizen reported that C:\WINDOWS\system32\dvhzso26.dll could not be deleted, but C:\PROGRA~1\Yok had been deleted.
Scanning again with HijackThis and generating the startup list, the suspicious items and services were still found.
The system services were still intact.
Download bat_do from http://purpleendurer.ys168.com.
Add the following to bat_do's list of files to be processed (when bat_do prompts that a file does not exist, add it anyway):
/----------
C:\WINDOWS\system32\dvhzso26.dll
C:\WINDOWS\system32\Drivers\dvhzso26.sys
C:\WINDOWS\system32\lybvrlcy.dll
C:\WINDOWS\system32\Drivers\lybvrlcy.sys
C:\WINDOWS\system32\ngaacn74.dll
C:\WINDOWS\system32\Drivers\ngaacn74.sys
C:\WINDOWS\system32\tykeeper.dll
C:\WINDOWS\system32\Drivers\tykeeper.sys
C:\WINDOWS\system32\vhehnzrh.dll
C:\WINDOWS\system32\Drivers\vhehnzrh.sys
----------/
Click "Select All".
Tick "Set attributes", "Rename" and "Delete".
Click "Generate command".
Click "Execute on restart".
Jiangmin KV2006 real-time monitoring then reported that bat_do was modifying and deleting registry entries.
For services of the system type, it is safer to delete the corresponding files through autoexec.bat.
Open Notepad, paste the generated commands into it, and save the file as C:\autoexec.bat.
The system prompts that C:\autoexec.bat is read-only.
In bat_do's file/command box, enter the command attrib C:\autoexec.bat -h -r -s.
Click "Execute command".
Save the file as C:\autoexec.bat from Notepad again; OK!
Restart the computer.
After the restart, the user reported that the system showed a rundll error during startup.
Remove the startup item containing rundll32 with msconfig.exe.
dvhzso26.dll is reported by Kaspersky as Trojan-Downloader.Win32.Agent.bbc.
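Added here as an illustration (not the post's own code, nor code from HijackThis or bat_do): a Python script that applies the two checks this write-up relied on, flagging Run entries that launch a DLL through rundll32.exe and diffing the StartupList service section against a known-good baseline, and then emits the attrib/del lines that the post has bat_do produce for autoexec.bat. The log lines are constructed from the entries quoted above; the baseline set, the C:\WINDOWS system root and the cmd-style output format are assumptions, and the .sys/.dll pairing follows the post's own file list.

```python
"""Triage helper for HijackThis logs and StartupList reports.

Added example for this post (not code from the post, HijackThis or bat_do).
It (1) flags Run-key entries that start rundll32.exe with a DLL, (2) diffs the
service list against a saved known-good baseline, and (3) produces the
attrib/del lines the post has bat_do generate for autoexec.bat.
All sample input below is constructed from the entries quoted in the post.
"""
import ntpath
import re

# Constructed sample: the post's HijackThis entries in their usual form.
HJT_LOG = r"""
Logfile of HijackThis v1.99.1
O2 - BHO: coral super search - {75fe2b5a-d3a4-4efa-ac11-adc9c9459688} - C:\PROGRA~1\Yok\toolbar.dll
O4 - HKLM\..\Run: [yok.exe] C:\WINDOWS\system32\rundll32.exe C:\PROGRA~1\Yok.dll,rundll32
O4 - HKLM\..\Run: [dvhzso26] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\dvhzso26.dll,DllCanUnloadNow
O8 - Extra context menu item: coral super search - C:\PROGRA~1\Yok\yoksch.htm
"""

# Constructed sample: the service section of the post's StartupList report.
STARTUPLIST = r"""
Enumerating Windows NT/2000/XP services
Dvhzso26: system32\Drivers\dvhzso26.sys (system)
Lybvrlcy: system32\Drivers\lybvrlcy.sys (system)
Ngaacn74: system32\Drivers\ngaacn74.sys (system)
Tykeeper: system32\Drivers\tykeeper.sys (system)
Vhehnzrh: system32\Drivers\vhehnzrh.sys (system)
Windows Socket 2.0 Non-IFS Service Provider Support Environment: \SystemRoot\system32\Drivers\ws2ifsl.sys (disabled)
"""

# Hypothetical baseline: service names (lower-cased) taken from a StartupList
# report saved on a clean machine. Here only the one legitimate service is listed.
BASELINE_SERVICES = {"windows socket 2.0 non-ifs service provider support environment"}

SYSROOT = r"C:\WINDOWS"  # assumed %SystemRoot%, matching the post's paths

RUNDLL_RE = re.compile(r"^O4 - .*?rundll32\.exe\s+(?P<dll>[^,\s]+)", re.IGNORECASE)
SERVICE_RE = re.compile(r"^(?P<name>.+?): (?P<path>\S+) \((?P<start>[^)]+)\)$")


def rundll32_dlls(log):
    """DLLs that a Run key loads through rundll32.exe. Legitimate software does
    this too, so the result is a review list, not a verdict."""
    return [m.group("dll") for m in map(RUNDLL_RE.match, log.splitlines()) if m]


def parse_services(report):
    """Map service name -> (driver path, start type) from a StartupList report."""
    services = {}
    for m in map(SERVICE_RE.match, report.splitlines()):
        if m:
            services[m.group("name")] = (m.group("path"), m.group("start"))
    return services


def new_services(report, baseline):
    """Services present now that were absent from the known-good baseline."""
    return {name: info for name, info in parse_services(report).items()
            if name.lower() not in baseline}


def absolute(path):
    """StartupList prints driver paths relative to %SystemRoot%; resolve them."""
    if path[1:2] == ":":
        return path
    path = re.sub(r"^\\SystemRoot\\", "", path, flags=re.IGNORECASE)
    return SYSROOT + "\\" + path


def removal_list(log, report, baseline):
    """Files to hand to bat_do: rundll32-loaded DLLs, each new service's driver,
    and (as the post's list does) the same-named .dll in system32 for each driver."""
    files = list(rundll32_dlls(log))
    for _name, (path, _start) in new_services(report, baseline).items():
        driver = absolute(path)
        stem = ntpath.splitext(ntpath.basename(driver))[0]
        files.append(driver)
        files.append(SYSROOT + "\\system32\\" + stem + ".dll")
    seen, unique = set(), []
    for f in files:  # de-duplicate case-insensitively, keeping order
        if f.lower() not in seen:
            seen.add(f.lower())
            unique.append(f)
    return unique


def batch_commands(files):
    """Plain cmd.exe lines that clear the hidden/read-only/system bits and then
    delete each file (an equivalent of what bat_do generates, not its own format)."""
    lines = []
    for f in files:
        lines.append(f'attrib -h -r -s "{f}"')
        lines.append(f'del "{f}"')
    return lines


if __name__ == "__main__":
    for line in batch_commands(removal_list(HJT_LOG, STARTUPLIST, BASELINE_SERVICES)):
        print(line)
```

On the sample input the baseline diff reports all five unknown drivers while leaving ws2ifsl.sys alone; a "does the name look random" heuristic would have missed tykeeper here, which is why a saved known-good StartupList is the more dependable check. The emitted commands are a list to review before anything is pasted into autoexec.bat, and, as the post notes, the file must have its read-only bit cleared before Notepad can overwrite it.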