Trojan.PSW.Win32.QQPass.qii, Trojan.PSW.Win32.OnLineGames.cql and others that changed the system time

Source: Internet
Author: User

Endurer original
1st version

After a netizen's computer was connected to a mobile hard disk, Rising's real-time monitoring icon disappeared and three command-line program windows appeared with the following content:
/---
Ntsd: Bad PID '0'
Ntsd: exiting-press ENTER ---
---/
The mobile hard disk was presumably carrying a virus, so the cleanup was done over QQ remote assistance.

Fetched the pe_xscan scan log and found the following suspicious items (some processes omitted):
/=
Pe_xscan 07-06-23 by Purple endurer
2000-10-18 8:55:52
Windows XP Service Pack 2 (5.1.2600)
Administrator user group

[System process] * 0
C:/Windows/system32/msdebug.dll | 8:13:22
C:/Windows/system32/netsrvcs.dll | 8:27:56
C:/program files/Internet Explorer/plugins/system64.sys | 2000-10-18
C:/Windows/system32/msimms32.dll | 8:41:18, 2000-10-18
C:/Windows/system32/winform.dll | 8:41:18, 2000-10-18
C:/Windows/system32/upxdnd.dll | 8:41:18, 2000-10-18
C:/Windows/system32/kvsc3.dll | 8:41:16, 2000-10-18

C:/Windows/system32/svchost.exe * 732 | Microsoft® Windows® Operating System | 5.1.2600.2180 | generic host process for Win32 services | © Microsoft Corporation. All Rights Reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation |? | Svchost.exe
C:/program files/Internet Explorer/plugins/system64.sys | 2000-10-18

C:/Windows/explorer.EXE * 2012 | Microsoft (r) Windows (r) Operating System | 6.00.2900.2180 | Windows Explorer | (c) Microsoft Corporation. All rights reserved. | 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation |? | Explorer | EXPLORER.EXE
C:/Windows/system32/msdebug.dll | 8:13:22
C:/Windows/system32/netsrvcs.dll | 8:27:56
C:/program files/Internet Explorer/plugins/system64.sys | 2000-10-18
C:/Windows/system32/kvsc3.dll | 8:41:16, 2000-10-18
C:/Windows/system32/winform.dll | 8:41:18, 2000-10-18
C:/Windows/system32/upxdnd.dll | 8:41:18, 2000-10-18
C:/Windows/system32/msimms32.dll | 8:41:18, 2000-10-18
C:/Windows/system32/nwiztlbb.dll | 8:41:50, 2000-10-18
C:/Windows/system32/moyu103.dll | 8:41:50, 2000-10-18
C:/Windows/system32/dh2104.dll | 8:43:16, 2000-10-18

C:/Windows/soundman.EXE * 1528 | 16:54:14 | RealTek Sound Manager | 5.1.0.24 | RealTek Sound Manager | copyright (c) 2001-2003 Realtek Semiconductor Corp. | 5.1.0.24 | Realtek Semiconductor Corp. |? | Alsmtray | alsmtray.exe
C:/Windows/system32/msdebug.dll | 8:13:22
C:/Windows/system32/netsrvcs.dll | 8:27:56
C:/program files/Internet Explorer/plugins/system64.sys | 2000-10-18

C:/program files/rising/rav/ravtask.exe * 1780 | 20:10:24 | Rising antivirus software | 19, 0, 0, 9 | ravtimer | copyright (c) 1998-2007 Beijing Rising Technology Corporation Limited | 19, 0, 0, 9 | Beijing Rising Technology Co., Ltd. | Beijing Rising Technology Co., Ltd. | ravtask
C:/Windows/system32/msdebug.dll | 8:13:22
C:/Windows/system32/netsrvcs.dll | 8:27:56
C:/program files/Internet Explorer/plugins/system64.sys | 2000-10-18

C:/program files/rising/rav/ravmon.exe * 1904 | 20:10:24 | Rising anti-virus monitor | 19, 0, 0, 45 | ravmon | copyright (c) 1998-2007 Beijing Rising Technology Corporation Limited | 19, 0, 0, 45 | Beijing Rising Technology Co., Ltd. | rising | Beijing Rising Technology Co., Ltd. | ravmon.EXE
C:/Windows/system32/msdebug.dll | 8:13:22
C:/Windows/system32/netsrvcs.dll | 8:27:56
C:/program files/Internet Explorer/plugins/system64.sys | 2000-10-18

C:/Windows/system32/ntsd.exe * 2080 | Microsoft® Windows® Operating System | 5.1.2600.0 | symbolic debugger for Windows 2000 | © Microsoft Corporation. All Rights Reserved. | 5.1.2600.0 (xpclient000017-1148) | Microsoft Corporation |? | ntsd.exe | ntsd.exe
C:/Windows/system32/msdebug.dll | 8:13:22
C:/Windows/system32/netsrvcs.dll | 8:27:56

C:/Windows/system32/ctfmon.exe * 2164 | Microsoft® Windows® Operating System | 5.1.2600.2180 | CTF loader | © Microsoft Corporation. All Rights Reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation |? | ctfmon.exe
C:/Windows/system32/msdebug.dll | 8:13:22
C:/Windows/system32/netsrvcs.dll | 8:27:56
C:/program files/Internet Explorer/plugins/system64.sys | 2000-10-18

C:/Windows/system32/conime.exe * 2364 | Microsoft® Windows® Operating System | 5.1.2600.2180 | console IME | © Microsoft Corporation. All Rights Reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation |? | Console | conime.exe
C:/Windows/system32/msdebug.dll | 8:13:22
C:/Windows/system32/netsrvcs.dll | 8:27:56
C:/program files/Internet Explorer/plugins/system64.sys | 2000-10-18

C:/Windows/system32/svchost.exe * 2612 | Microsoft® Windows® Operating System | 5.1.2600.2180 | generic host process for Win32 services | © Microsoft Corporation. All Rights Reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation |? | Svchost.exe
C:/Windows/system32/msdebug.dll | 8:13:22
C:/Windows/system32/netsrvcs.dll | 8:27:56

O4-HKLM/../run: [kvsc3] C:/Windows/kvsc3.exe
O4-HKLM/../run: [winform] C:/Windows/winform.exe
O4-HKLM/../run: [msimms32] C:/Windows/msimms32.exe
O4-HKLM/../run: [upxdnd] C:/Windows/upxdnd.exe
O4-HKLM/../run: [Microsoft autorun6] C:/Windows/system32/mydata.exe
O4-HKLM/../run: [Microsoft autorun7] C:/Windows/system32/nwiztlbu.exe
O4-HKLM/../run: [Microsoft autorun1] C:/Windows/system32/nwizdh.exe
O4-HKLM/../policies/Explorer/run: [visin] C:/Windows/system32/visin.exe

C:/autorun.inf
/-----
[Autorun]
Open = pagefile.pif
ShellExecute = pagefile.pif
Shell/auto/command = pagefile.pif]
-----/
E:/autorun.inf
/-----
[Autorun]
Open = pagefile.pif
ShellExecute = pagefile.pif
Shell/auto/command = pagefile.pif]
-----/
F:/autorun.inf
/-----
[Autorun]
Open = pagefile.pif
ShellExecute = pagefile.pif
Shell/auto/command = pagefile.pif]
-----/
O15-Trusted Zone: (more than 10, omitted)

O23-service: msdebugsvc (Win32 debug Service)-C:/Windows/system32/rundll32.exe msdebug.dll, input (automatic)

O23-service: wzcsrvc (Wireless Service)-C:/Windows/system32/rundll32.exe netsrvcs.dll, input (automatic)

O24-shlexechook: []-{754fb7d8-b8fe-4810-b363-a788cd060f1f} = C:/program files/Internet Explorer/plugins/system64.sys
===/

Look, the system time has been changed to 2000-10-18!
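As an added example (not part of the original post and not pe_xscan's own code), the following Python applies the same triage rules the cleanup below relies on to a constructed excerpt of the log above: Run values named like Microsoft components, Run values under Policies\Explorer\Run, services that are just rundll32 loading a DLL, ShellExecuteHooks handlers, and a scan timestamp that predates the scanner's own build date. The line layout is assumed to be exactly as reproduced on this page.

```python
import re
from datetime import date

# Constructed excerpt of the pe_xscan log shown above (same entries, abbreviated).
SAMPLE_LOG = """\
Pe_xscan 07-06-23 by Purple endurer
2000-10-18 8:55:52
O4-HKLM/../run: [kvsc3] C:/Windows/kvsc3.exe
O4-HKLM/../run: [Microsoft autorun6] C:/Windows/system32/mydata.exe
O4-HKLM/../policies/Explorer/run: [visin] C:/Windows/system32/visin.exe
O23-service: msdebugsvc (Win32 debug Service)-C:/Windows/system32/rundll32.exe msdebug.dll, input (automatic)
O23-service: wzcsrvc (Wireless Service)-C:/Windows/system32/rundll32.exe netsrvcs.dll, input (automatic)
O24-shlexechook: []-{754fb7d8-b8fe-4810-b363-a788cd060f1f} = C:/program files/Internet Explorer/plugins/system64.sys
"""

O4_RE = re.compile(r"^O4-(?P<key>\S+): \[(?P<name>[^\]]*)\] (?P<target>.+)$")
O23_RE = re.compile(r"^O23-service: (?P<svc>\S+) \((?P<display>[^)]*)\)-(?P<cmd>.+?)(?: \((?P<start>\w+)\))?$")
O24_RE = re.compile(r"^O24-shlexechook: .*= (?P<target>.+)$")


def triage(log_text):
    """Return (line, reason) pairs for entries matching the patterns this cleanup relied on."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line)
        if m:
            name, key = m["name"], m["key"].lower()
            if name.lower().startswith("microsoft autorun"):
                findings.append((line, "Run value impersonating a Microsoft name"))
            elif "policies/explorer/run" in key:
                findings.append((line, "Run value under Policies\\Explorer\\Run"))
            continue
        m = O23_RE.match(line)
        if m and "rundll32.exe" in m["cmd"].lower():
            # A service whose whole image is rundll32 plus a DLL is how both O23 items here persist.
            dll = m["cmd"].split("rundll32.exe", 1)[1].split(",")[0].strip()
            findings.append((line, f"service hosted by rundll32 loading {dll}"))
            continue
        m = O24_RE.match(line)
        if m:
            ext = m["target"].rsplit(".", 1)[-1].lower()
            findings.append((line, f"ShellExecuteHooks handler with .{ext} extension"))
    return findings


def clock_before_tool_build(log_text):
    """True when the scan timestamp predates the scanner's own build date: the clock was set back."""
    lines = log_text.splitlines()
    build = re.search(r"Pe_xscan (\d\d)-(\d\d)-(\d\d)", lines[0])
    stamp = re.match(r"(\d{4})-(\d\d)-(\d\d)", lines[1])
    build_date = date(2000 + int(build[1]), int(build[2]), int(build[3]))
    scan_date = date(int(stamp[1]), int(stamp[2]), int(stamp[3]))
    return scan_date < build_date
```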

Download freedll, bat_do and fileinfo from http://purpleendurer.ys168.com, and hijackthis and icesword from http://endurer.ys168.com.

First use freedll to unload C:/Windows/system32/msdebug.dll.
These DLL modules appear to hook some API functions, so they are dealt with first.

After restarting QQ remote assistance, first stop and disable the two O23 services.

Use the "plugin management and removal" function of Rising Kaka Security Assistant to remove the O24 item; it is generally the last one in the list.

Use fileinfo to extract the virus file information, then use bat_do to back up (pack) and delete the files in a batch. For any file that cannot be deleted, generate commands that strip its attributes and delete it on the next boot, i.e. a delayed deletion.

Use WinRAR to delete autorun.inf from each disk.

Use HijackThis to fix the first seven O4 items.

Use the Registry Editor (regedit) to delete the last O4 item and the O23 items.

Restore the system time.

Select Rising's real-time monitoring center from the Start Menu; the green umbrella icon appears again.

Check Rising: the virus database dates back to ~ (dizzying). Upgrade it now and scan for viruses ......

Meanwhile, Rising's detection log shows that over the past two days the monitor had detected several viruses, but the user ignored the alerts.

C:/Windows/system32/netsrvcs.dll could only be cleaned up after a restart.

Some virus file information:

File description: C:/program files/Internet Explorer/plugins/system64.sys
Attributes: ash-
An error occurred while obtaining the file version information!
Creation time: 8:28:26
Modification time: 2000-10-18
Access time: 2000-10-18 0:0
Size: 44173 bytes, 43.141 KB
MD5: aeac5ca5d3400877049783d8e1980b24
Kaspersky reports Trojan-PSW.Win32.QQPass.wm; Rising reports Trojan.PSW.Win32.QQPass.qii

File description: C:/program files/Internet Explorer/plugins/system64.jmp
Attributes: -sh-
An error occurred while obtaining the file version information!
Creation time: 8:28:26
Modification time: 8:28:26
Access time: 2000-10-18 0:0
Size: 31885 bytes, 31.141 KB
MD5: 75260059da74cd786635f9d28285db2d

File description: C:/program files/Internet Explorer/iw.e.sys
Attributes: ash-
An error occurred while obtaining the file version information!
Creation time:
Modification time:
Access time:
Size: 30856 bytes, 30.136 KB

File description: C:/program files/Internet Explorer/iw.e.JMP
Attributes: ---
An error occurred while obtaining the file version information!
Creation time: 11:47:51
Modification time: 11:47:50
Access time:
Size: 26255 bytes, 25.655 KB
MD5: dd81a25aa7bc478094e07cc317a1cc04

File description: C:/program files/Internet Explorer/iexplore.ime
Attributes: -sh-
An error occurred while obtaining the file version information!
Creation time:
Modification time: 11:47:52
Access time:
Size: 25736 bytes, 25.136 KB
MD5: 24f97553a71b409731df29474cc06f35

File description: C:/program files/Internet Explorer/iw.e.New
Attributes: -sh-
An error occurred while obtaining the file version information!
Creation time: 11:47:51
Modification time: 11:47:52
Access time:
Size: 23148 bytes, 22.620 KB
MD5: b0620209bb6928bf67c3e860d6f5f099

File description: C:/program files/Internet Explorer/iw.e.Win
Attributes: ash-
An error occurred while obtaining the file version information!
Creation time: 11:47:51
Modification time: 11:47:52
Access time:
Size: 28780 bytes, 28.108 KB
MD5: d1c4a2d9f64f50dcc87f572137b03507

File description: C:/program files/Internet Explorer/iw.e.dat
Attributes: ash-
An error occurred while obtaining the file version information!
Creation time: 11:47:51
Modification time: 11:47:52
Access time:
Size: 35471 bytes, 34.655 KB
MD5: ca21c147be04b598885853f7a7243927

File description: C:/program files/Internet Explorer/iexplore.Dak
Attributes: ash-
An error occurred while obtaining the file version information!
Creation time: 11:47:51
Modification time: 11:47:52
Access time:
Size: 30856 bytes, 30.136 KB
File description: C:/Windows/msimms32.exe
Attributes: ----
An error occurred while obtaining the file version information!
Creation time: 8:12:10
Modification time: 8:27:34
Access time: 2000-10-18 0:0
Size: 22016 bytes, 21.512 KB
MD5: a408ea3bdb76db9ce5539fc4e3847e28
Kaspersky reports Trojan-PSW.Win32.OnLineGames.zk; Rising reports Trojan.PSW.Win32.OnLineGames.con

File description: C:/Windows/system32/msimms32.dll
Attributes: ---
An error occurred while obtaining the file version information!
Creation time: 8:13:21
Modification time: 8:41:18
Access time: 2000-10-18 0:0
Size: 13312 bytes, 13.0 KB
MD5: afc673585ec37b698cee54b44ede8615
Kaspersky reports Trojan-PSW.Win32.OnLineGames.zk; Rising reports Trojan.PSW.Win32.OnLineGames.con

File description: C:/Windows/kvsc3.exe
Attributes: ----
An error occurred while obtaining the file version information!
Creation time:
Modification time: 8:27:44
Access time: 2000-10-18 0:0
Size: 22528 bytes, 22.0 KB
MD5: ff10ef904eba543e491ffeabb73511a6
Kaspersky reports Trojan-PSW.Win32.OnLineGames.zl; Rising reports Trojan.PSW.Win32.OnLineGames.cql

File description: C:/Windows/system32/kvsc3.dll
Attributes: ---
An error occurred while obtaining the file version information!
Creation time:
Modification time: 8:41:16
Access time: 2000-10-18 0:0
Size: 13824 bytes, 13.512 KB
MD5: f25c35fb91e0a40a9034eefe35ed5fab
Kaspersky reports Trojan-PSW.Win32.OnLineGames.zl; Rising reports Trojan.PSW.Win32.OnLineGames.cql

File description: C:/Windows/winform.exe
Attributes: ----
An error occurred while obtaining the file version information!
Creation time:
Modification time:
Access time: 2000-10-18 0:0
Size: 17408 bytes, 17.0 KB
MD5: 19ab195f03b8082515f92849ee52b001
Kaspersky reports Trojan-PSW.Win32.OnLineGames.zj; Rising reports Trojan.PSW.Win32.XYOnline.t

File description: C:/Windows/system32/winform.dll
Attributes: ---
An error occurred while obtaining the file version information!
Creation time:
Modification time: 8:41:18
Access time: 2000-10-18 0:0
Size: 8704 bytes, 8.512 KB
MD5: 281bbdfb98bf9ce6b424e36f38e3e8f2
Kaspersky reports Trojan-PSW.Win32.OnLineGames.zj; Rising reports Trojan.PSW.Win32.XYOnline.t

File description: C:/Windows/upxdnd.exe
Attributes: ----
An error occurred while obtaining the file version information!
Creation time: 8:13:13
Modification time:
Access time: 2000-10-18 0:0
Size: 29696 bytes, 29.0 KB
MD5: 9d729f5e4fd09f856f5e195cf6209ccd
Kaspersky reports Trojan-PSW.Win32.OnLineGames.es; Rising reports Trojan.PSW.Win32.OnLineGames.coc

File description: C:/Windows/system32/upxdnd.dll
Attributes: ---
An error occurred while obtaining the file version information!
Creation time: 8:13:13
Modification time: 8:41:18
Access time: 2000-10-18 0:0
Size: 20992 bytes, 20.512 KB
MD5: 3b0b0bda-44aca82f1249a6cabec63ab
Kaspersky reports Trojan-PSW.Win32.OnLineGames.wz; Rising reports Trojan.PSW.Win32.Shanda.e

File description: C:/Windows/system32/netsrvcs.dll
Attributes: ---
An error occurred while obtaining the file version information!
Creation time:
Modification time: 8:27:56
Access time:
Size: 19456 bytes, 19.0 KB
MD5: debf9e8c40374a2f729b72269ad688f3
Kaspersky reports Trojan-Proxy.Win32.Small.du; Rising reports Trojan.PSW.Win32.OnLineGames.b

File description: C:/Windows/system32/mydata.exe
Attributes: ----
An error occurred while obtaining the file version information!
Creation time:
Modification time: 8:23:50
Access time:
Size: 9728 bytes, 9.512 KB
MD5: 75ed0c72d9ea5bab766c6950108b7c02
Kaspersky reports Trojan-PSW.Win32.Nilage.bkp; Rising reports Trojan.PSW.Win32.Roconline.e

File description: C:/Windows/system32/nwiztlbu.exe
Attributes: ----
An error occurred while obtaining the file version information!
Creation time: 8:23:51
Modification time: 8:28:12
Access time:
Size: 10712 bytes, 10.472 KB
MD5: 38f570f8da8562195a9cb6ac472a433a
Kaspersky reports Trojan-PSW.Win32.Nilage.bkp; Rising reports Trojan.PSW.Win32.Agent.mj

File description: C:/Windows/system32/nwizdh.exe
Attributes: ----
An error occurred while obtaining the file version information!
Creation time:
Modification time: 8:28:34
Access time:
Size: 10240 bytes, 10.0 KB
MD5: 42cf8053dcd1362b4249bd26e0320061
Kaspersky reports Trojan-PSW.Win32.OnLineGames.qw; Rising reports Trojan.PSW.Win32.XYOnline.r

File description: D:/pagefile.pif
Attributes: -sh-
An error occurred while obtaining the file version information!
Creation time:
Modification time: 11:55:28
Access time: 2000-10-18 0:0
Size: 28164 bytes, 27.516 KB
MD5: 4c81f3817cec03c8309f1bdb46a7c2e0
Kaspersky reports Trojan-Downloader.Win32.Delf.bni; Rising reports Trojan.DL.Win32.Agent.fh

File description: C:/Windows/system32/msdebug.dll
Attributes: ---
An error occurred while obtaining the file version information!
Creation time: 8:13:20
Modification time: 8:13:22
Access time: 2000-10-18 0:0
Size: 19968 bytes, 19.512 KB
MD5: e2ca6851edf32812ca9ded08086e01bc

File description: C:/Windows/temp/systemc.exe
Attributes: ---
An error occurred while obtaining the file version information!
Creation time: 8:10:37
Modification time: 8:28:26
Access time:
Size: 31885 bytes, 31.141 KB
MD5: 75260059da74cd786635f9d28285db2d
Kaspersky reports Trojan-PSW.Win32.QQPass.wm; Rising reports Trojan.PSW.Win32.QQPass.qin

File description: C:/Windows/temp/systeme.exe
Attributes: ---
An error occurred while obtaining the file version information!
Creation time: 8:28:43
Modification time: 8:28:46
Access time:
Size: 165510 bytes, 161.646 KB

File description: C:/Windows/temp/system1.exe
Attributes: ---
An error occurred while obtaining the file version information!
Creation time:
Modification time: 8:23:10
Access time:
Size: 9613 bytes, 9.397 KB
MD5: 77e271e73650b0fbec0674083ecac55e
Kaspersky reports Trojan-Downloader.Win32.Small.evu; Rising reports Trojan.Win32.Agent.hyb

File description: C:/Windows/temp/system2.exe
Attributes: ---
An error occurred while obtaining the file version information!
Creation time:
Modification time: 8:32:10
Access time:
Size: 17408 bytes, 17.0 KB
MD5: 19ab195f03b8082515f92849ee52b001
Kaspersky reports Trojan-PSW.Win32.OnLineGames.zj

File description: C:/Windows/temp/system3.exe (same as C:/Windows/upxdnd.exe)

File description: C:/Windows/temp/system4.exe
Attributes: ---
An error occurred while obtaining the file version information!
Creation time: 8:23:38
Modification time: 8:32:32
Access time:
Size: 23552 bytes, 23.0 KB
MD5: af71865433c02193cee0a3d0b07fe001
Kaspersky reports Trojan-Proxy.Win32.Small.du

File description: C:/Windows/temp/system5.exe (same as C:/Windows/system32/mydata.exe)

File description: C:/Documents and Settings/user/Local Settings/temp/svchost.exe
Attributes: ---
An error occurred while obtaining the file version information!
Creation time:
Modification time: 11:10:10
Access time:
Size: 5359 bytes, 5.239 KB
MD5: 520ccf6c55bea38040da688ff9db7115
Kaspersky reports Trojan-Downloader.Win32.Cryptic.gen

File description: C:/Windows/system32/visin.exe
Attributes: -sh-
Language: Chinese (China)
File version: 5.1.2600.0
Description: Microsoft wisin Control
Copyright: Microsoft Corporation. All rights reserved.
Comments:
Product version: 5.1.2600.0
Product name: Microsoft (r) Windows (r) Operating System
Company name: Microsoft Corporation
Legal trademarks:
Internal name: wisin
Original filename: wisin.exe
Creation time:
Modification time: 23:37:22
Access time:
Size: 25603 bytes, 25.3 KB
MD5: f3655b9967e08435e4fde2d8935e9ef7
Kaspersky reports Trojan-Downloader.Win32.Small.czl

File description: C:/Documents and Settings/user/Local Settings/Temporary Internet Files/content.ie5/d7bp7lvg/81_1cmd.exe
Attributes: ---
An error occurred while obtaining the file version information!
Creation time:
Modification time:
Access time:
Size: 23040 bytes, 22.512 KB
MD5: 089b7ace5466729347490ba90481088d
Kaspersky reports Trojan-Proxy.Win32.Small.du
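Added example, not from the original post and not the fileinfo tool's own code: grouping the records above by MD5 shows which of the dropped copies are byte-identical (the post marks two of them "same as", but two more pairs share a hash without being marked) and which records carry an MD5 that is missing or malformed and so cannot be used as an indicator. The sample is a constructed subset of the records listed above, with the field/value line layout assumed to be as shown.

```python
import re
from collections import defaultdict

# Constructed subset of the fileinfo records above (paths and MD5 values copied from them).
SAMPLE_RECORDS = """\
File description: C:/program files/Internet Explorer/plugins/system64.jmp
MD5: 75260059da74cd786635f9d28285db2d

File description: C:/Windows/winform.exe
MD5: 19ab195f03b8082515f92849ee52b001

File description: C:/Windows/system32/upxdnd.dll
MD5: 3b0b0bda-44aca82f1249a6cabec63ab

File description: C:/Windows/temp/systemc.exe
MD5: 75260059da74cd786635f9d28285db2d

File description: C:/Windows/temp/system2.exe
MD5: 19ab195f03b8082515f92849ee52b001

File description: C:/Windows/temp/systeme.exe
Size: 165510 bytes, 161.646 KB
"""

MD5_RE = re.compile(r"^[0-9a-f]{32}$")


def parse_records(text):
    """Split the dump on blank lines into dicts with path and md5 (None when the record has no MD5)."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {"path": None, "md5": None}
        for line in block.splitlines():
            field, _, value = line.partition(":")  # first colon separates field from value
            if field == "File description":
                rec["path"] = value.strip()
            elif field == "MD5":
                rec["md5"] = value.strip().lower()
        if rec["path"]:
            records.append(rec)
    return records


def duplicate_copies(records):
    """Map each well-formed MD5 seen more than once to the paths that share it."""
    by_hash = defaultdict(list)
    for rec in records:
        if rec["md5"] and MD5_RE.match(rec["md5"]):
            by_hash[rec["md5"]].append(rec["path"])
    return {h: paths for h, paths in by_hash.items() if len(paths) > 1}


def unusable_hashes(records):
    """Paths whose MD5 is missing or not 32 hex digits; these need re-hashing before use as IoCs."""
    return [rec["path"] for rec in records if not (rec["md5"] and MD5_RE.match(rec["md5"]))]
```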
