Endurer original, version 1
This morning a colleague told me that Kingsoft Antivirus and Rising both reported errors when two computers in their department started up, and that the machines were running slowly, so they asked me to help check them.
I scanned with Pe_xscan and analyzed the log. The following suspicious items were found:
/=
Pe_xscan 07-06-04 by Purple endurer
2007-6-25 10:17:31
Windows XP Service Pack 2 (5.1.2600)
Administrator user group
[System process] * 0
C:/docume~1/2298160/locals~1/temp/daso0.dll | 8:52:49
C:/docume~1/2298160/locals~1/temp/rxso0.dll | 8:52:49
C:/docume~1/2298160/locals~1/temp/wmso0.dll | 8:52:49
C:/docume~1/2298160/locals~1/temp/tlso0.dll | 8:52:49
C:/docume~1/2298160/locals~1/temp/wdso0.dll | 8:52:49
C:/docume~1/2298160/locals~1/temp/wgso0.dll | 8:52:49
C:/docume~1/2298160/locals~1/temp/qjso0.dll | 8:52:49
C:/docume~1/2298160/locals~1/temp/ztso0.dll | 8:52:48
C:/docume~1/2298160/locals~1/temp/jtso0.dll | 8:52:49
C:/docume~1/2298160/locals~1/temp/mhso0.dll | 8:52:48
C:/docume~1/2298160/locals~1/temp/wlso0.dll | 8:52:49
C:/docume~1/2298160/locals~1/temp/fyso0.dll | 8:52:48
C:/Windows/explorer.exe * 532 | MICROSOFT (r) Windows (r) Operating System | 6.00.2900.2180 | Windows Explorer | (c) Microsoft Corporation. all rights reserved. | 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation |? | Explorer | EXPLORER.EXE
C:/docume~1/2298160/locals~1/temp/mhso0.dll | 8:52:48
C:/docume~1/2298160/locals~1/temp/wlso0.dll | 8:52:49
C:/docume~1/2298160/locals~1/temp/fyso0.dll | 8:52:48
C:/docume~1/2298160/locals~1/temp/ztso0.dll | 8:52:48
C:/docume~1/2298160/locals~1/temp/jtso0.dll | 8:52:49
C:/docume~1/2298160/locals~1/temp/wgso0.dll | 8:52:49
C:/docume~1/2298160/locals~1/temp/qjso0.dll | 8:52:49
C:/docume~1/2298160/locals~1/temp/wmso0.dll | 8:52:49
C:/docume~1/2298160/locals~1/temp/tlso0.dll | 8:52:49
C:/docume~1/2298160/locals~1/temp/wdso0.dll | 8:52:49
C:/docume~1/2298160/locals~1/temp/rxso0.dll | 8:52:49
C:/docume~1/2298160/locals~1/temp/daso0.dll | 8:52:49
C:/program files/common files/relive.dll | 10:58:12 | MICROSOFT (r) Windows (r) TM | 5.00.1.0.2 | Microsoft Corporation windows DLL | copyright (c) 2001.01 | 1.0.0.1 | Microsoft Corporation |? | Windows.dll | Windows.dll
C:/program files/Internet Explorer/iexplore.exe * 2088 | MICROSOFT (r) Windows (r) Operating System | 6.00.2900.2180 | Internet Explorer | (c) Microsoft Corporation. all rights reserved. | 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation |? | iexplore.exe
C:/docume~1/2298160/locals~1/temp/daso0.dll | 8:52:49
C:/docume~1/2298160/locals~1/temp/rxso0.dll | 8:52:49
C:/docume~1/2298160/locals~1/temp/wmso0.dll | 8:52:49
C:/docume~1/2298160/locals~1/temp/tlso0.dll | 8:52:49
C:/docume~1/2298160/locals~1/temp/wdso0.dll | 8:52:49
C:/docume~1/2298160/locals~1/temp/wgso0.dll | 8:52:49
C:/docume~1/2298160/locals~1/temp/qjso0.dll | 8:52:49
C:/docume~1/2298160/locals~1/temp/ztso0.dll | 8:52:48
C:/docume~1/2298160/locals~1/temp/jtso0.dll | 8:52:49
C:/docume~1/2298160/locals~1/temp/mhso0.dll | 8:52:48
C:/docume~1/2298160/locals~1/temp/wlso0.dll | 8:52:49
C:/docume~1/2298160/locals~1/temp/fyso0.dll | 8:52:48
O2-BHO-{D7515C61-A66C-4319-A0E0-D416CB8059E3}-C:/program files/common files/relive.dll
O2-BHO-{E3616E66-C13B-2628-2CDF-EDABCFA235E1}-C:/program files/common files/relive.dll
O4-HKLM/../run: [wosa] C:/docume~1/2298160/locals~1/temp/woso.exe
O4-HKLM/../run: [ztsa] C:/docume~1/2298160/locals~1/temp/ztso.exe
O4-HKLM/../run: [mhsa] C:/docume~1/2298160/locals~1/temp/mhso.exe
O4-HKLM/../run: [fysa] C:/docume~1/2298160/locals~1/temp/fyso.exe
O4-HKLM/../run: [jtsa] C:/docume~1/2298160/locals~1/temp/jtso.exe
O4-HKLM/../run: [WLSA] C:/docume~1/2298160/locals~1/temp/wlso.exe
O4-HKLM/../run: [wgsa] C:/docume~1/2298160/locals~1/temp/wgso.exe
O4-HKLM/../run: [wmsa] C:/docume~1/2298160/locals~1/temp/wmso.exe
O4-HKLM/../run: [qjsa] C:/docume~1/2298160/locals~1/temp/qjso.exe
O4-HKLM/../run: [rxsa] C:/docume~1/2298160/locals~1/temp/rxso.exe
O4-HKLM/../run: [wdsa] C:/docume~1/2298160/locals~1/temp/wdso.exe
O4-HKLM/../run: [tlsa] C:/docume~1/2298160/locals~1/temp/tlso.exe
O4-HKLM/../run: [Dasa] C:/docume~1/2298160/locals~1/temp/daso.exe
O23-service: scbkex (starcenter backup volume Filter Driver)-scdriver/scbkex.sys (driver)
O23-service: sccchmgr (starcenter cache manager file system filter driver)-scdriver/sccchmgr.sys (driver)
O23-service: sscflt (sscflt)-scdriver/sscflt.sys | Windows (r) 2000 DDK driver | 5.1.2600.1106 | File System Filter Driver | 5.1.2600.1106 built by: winddk | Windows (r) 2000 DDK provider |? | Kfilter.sys | kfilter.sys (driver)
O23-service: sscfs (sscfs)-scdriver/sscfs.sys (driver)
O23-service: ssfltpt ()-scdriver/ssfltpt.sys (driver)
O24-shlexechook: []-{0ea12c16-cdef-6ac1-236e-cd3fe82f5213} = C:/program files/Internet Explorer/msvcrt.dll
O24-shlexechook: []-{05ad2e16-c6ef-6ac1-136a-ce3fd8ef5613} = C:/program files/Internet Explorer/msvcrt.dll
O25-inscom: {11716107-a10d-11cf-64cd-11115fe1cf41} = C:/Windows/system32/nwizzhuxians.exe
===/
The log scanned on the other computer was similar. It was probably caused by using a virus-infected USB flash drive.
Download fileinfo from http://purpleendurer.ys168.com to extract the virus file information, and bat_do to compress and back up the virus files.
Download aide4rav (Rising Antivirus Assistant) from http://endurer.ys168.com and use Rising's free online scan. The results are as follows:
/---
10:51:57 Rising anti-virus Assistant
Windows XP Service Pack 2 (5.1.2600)
File name    Virus name
C:/Documents and Settings/2298160/Local Settings/temp/daso.exe>mian007 Trojan.psw.win32.sunonline.B
C:/Documents and Settings/2298160/Local Settings/temp/daso0.dll>mian007 Trojan.psw.OnlineGames.byp
C:/Documents and Settings/2298160/Local Settings/temp/daso1.dll>mian007 Trojan.psw.OnlineGames.byp
C:/Documents and Settings/2298160/Local Settings/temp/fyso.exe>mian007 Trojan.psw.win32.sunonline.B
C:/Documents and Settings/2298160/Local Settings/temp/fyso0.dll>mian007 Trojan.psw.OnlineGames.byp
C:/Documents and Settings/2298160/Local Settings/temp/fyso1.dll>mian007 Trojan.psw.OnlineGames.byp
C:/Documents and Settings/2298160/Local Settings/temp/jtso.exe>mian007 Trojan.psw.win32.sunonline.B
C:/Documents and Settings/2298160/Local Settings/temp/jtso0.dll>mian007 Trojan.psw.OnlineGames.byp
C:/Documents and Settings/2298160/Local Settings/temp/jtso1.dll>mian007 Trojan.psw.OnlineGames.byp
C:/Documents and Settings/2298160/Local Settings/temp/mhso.exe>mian007 Trojan.psw.wsgame.APL
C:/Documents and Settings/2298160/Local Settings/temp/mhso0.dll>mian007 Trojan.psw.xyonline.QM
C:/Documents and Settings/2298160/Local Settings/temp/mhso1.dll>mian007 Trojan.psw.xyonline.QM
C:/Documents and Settings/2298160/Local Settings/temp/qjso.exe>mian007 Trojan.psw.win32.sunonline.B
C:/Documents and Settings/2298160/Local Settings/temp/qjso0.dll>mian007 Trojan.psw.sunonline.af
C:/Documents and Settings/2298160/Local Settings/temp/qjso1.dll>mian007 Trojan.psw.sunonline.af
C:/Documents and Settings/2298160/Local Settings/temp/rxso.exe>mian007 Trojan.psw.win32.sunonline.B
C:/Documents and Settings/2298160/Local Settings/temp/rxso0.dll>mian007 Trojan.psw.OnlineGames.BYT
C:/Documents and Settings/2298160/Local Settings/temp/rxso1.dll>mian007 Trojan.psw.OnlineGames.BYT
C:/Documents and Settings/2298160/Local Settings/temp/tlso.exe>mian007 Trojan.psw.win32.sunonline.B
C:/Documents and Settings/2298160/Local Settings/temp/tlso0.dll>mian007 Trojan.psw.OnlineGames.byp
C:/Documents and Settings/2298160/Local Settings/temp/tlso1.dll>mian007 Trojan.psw.OnlineGames.byp
C:/Documents and Settings/2298160/Local Settings/temp/wdso.exe>mian007 Trojan.psw.win32.sunonline.B
C:/Documents and Settings/2298160/Local Settings/temp/wdso0.dll>mian007 Trojan.psw.OnlineGames.byp
C:/Documents and Settings/2298160/Local Settings/temp/wdso1.dll>mian007 Trojan.psw.OnlineGames.byp
C:/Documents and Settings/2298160/Local Settings/temp/wgso.exe Trojan.psw.win32.worldonline.f
C:/Documents and Settings/2298160/Local Settings/temp/wgso0.dll>mian007 Trojan.psw.win32.worldonline.f
C:/Documents and Settings/2298160/Local Settings/temp/wgso1.dll>mian007 Trojan.psw.win32.worldonline.f
C:/Documents and Settings/2298160/Local Settings/temp/wlso.exe>mian007 Trojan.psw.zhengtu.jzd
C:/Documents and Settings/2298160/Local Settings/temp/wlso0.dll>mian007 Trojan.psw.worldonline.Ht
C:/Documents and Settings/2298160/Local Settings/temp/wlso1.dll>mian007 Trojan.psw.worldonline.Ht
C:/Documents and Settings/2298160/Local Settings/temp/wmso.exe>mian007 Trojan.psw.win32.sunonline.B
C:/Documents and Settings/2298160/Local Settings/temp/wmso0.dll>mian007 Trojan.psw.OnlineGames.byp
C:/Documents and Settings/2298160/Local Settings/temp/wmso1.dll>mian007 Trojan.psw.OnlineGames.byp
C:/Documents and Settings/2298160/Local Settings/temp/woso0.dll>mian007 Trojan.psw.OnlineGames.byp
C:/Documents and Settings/2298160/Local Settings/temp/ztso.exe>mian007 Trojan.psw.zhengtu.jzd
C:/Documents and Settings/2298160/Local Settings/temp/ztso0.dll>mian007 Trojan.psw.OnlineGames.CDW
C:/Documents and Settings/2298160/Local Settings/temp/ztso1.dll>mian007 Trojan.psw.OnlineGames.CDW
C:/Windows/system32/nwizzhuxians.dll>mian007 Trojan.psw.zhuxian.B (Kaspersky reports it as Trojan-PSW.Win32.OnLineGames.fq)
C:/Windows/system32/nwizzhuxians.exe>mian007 Trojan.psw.zhuxian.B (Kaspersky reports it as Trojan-PSW.Win32.OnLineGames.fq)
C:/program files/common files/relive.dll>upx_a Trojan.win32.delf.ady (Kaspersky reports it as Virus.win32.autorun.cn)
msvcrt.dll and romdrivers.dll under C:/program files/Internet Explorer were also detected by Rising, but those scan results were not saved.
---/
Since Rising can detect and remove all of them and the machines were still infected, I have to suspect that Rising on my colleagues' computers had not been updated in time ~
Unfortunately, Rising's free online scan does not detect or clear viruses in memory, so when Rising Antivirus Assistant is used to delete the virus files, the system reports that DLL files such as woso0.dll cannot be deleted. Besides the assistant's delete-at-next-startup function, FreeDLL or IceSword can be used to unload the virus modules from memory first and then delete the files.
Here I used FreeDLL: I downloaded freedll 0.0.0001-bata2 from http://purpleendurer.ys168.com, decompressed it and ran it, and it actually stopped responding.
FreeDLL 0.0.0001-bata2 tries to run itself under the System account, which some security software may block.
Specifying the -nosystem parameter makes freedll 0.0.0001-bata2 run directly under the current user account.
Then unload C:/docume~1/2298160/locals~1/temp/daso0.dll and the other DLLs one by one, and use Rising Antivirus Assistant to delete the virus files.
Download and install Rising Kaka Security Assistant and remove the O2, O24 and O25 items.
Download HijackThis from http://endurer.ys168.com to repair the O24 items.
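As an added example (not Pe_xscan's, Rising's or the author's code), the following Python script applies the checks used in the log walk-through above to lines in Pe_xscan's format: autostart targets and loaded modules living in a user's temp directory, a well-known system DLL name such as msvcrt.dll hooked from outside system32, and an in-process COM (O25) entry that points at an EXE. The sample log is constructed from entries shown above; the list of system DLL names is an assumption of the example.

```python
import re

# Constructed excerpt in Pe_xscan's line format; paths follow the log above.
SAMPLE_LOG = """\
C:/Windows/explorer.exe * 532 | Windows Explorer
C:/docume~1/2298160/locals~1/temp/daso0.dll | 8:52:49
C:/Windows/system32/kernel32.dll | 8:52:40
O2-BHO-{D7515C61-A66C-4319-A0E0-D416CB8059E3}-C:/program files/common files/relive.dll
O4-HKLM/../run: [wosa] C:/docume~1/2298160/locals~1/temp/woso.exe
O4-HKLM/../run: [ctfmon] C:/Windows/system32/ctfmon.exe
O24-shlexechook: []-{0ea12c16-cdef-6ac1-236e-cd3fe82f5213} = C:/program files/Internet Explorer/msvcrt.dll
O25-inscom: {11716107-a10d-11cf-64cd-11115fe1cf41} = C:/Windows/system32/nwizzhuxians.exe
"""

# Assumed set of Windows DLL names that a hook should only ever load from system32.
SYSTEM_DLL_NAMES = {"msvcrt.dll", "kernel32.dll", "user32.dll", "ntdll.dll"}

PROCESS_RE = re.compile(r"^(?P<path>.+?) \* (?P<pid>\d+)")   # "path * pid | ..."
ENTRY_RE = re.compile(r"^(?P<kind>O\d+)-")                    # "O4-...", "O24-..."
PATH_RE = re.compile(r"[A-Za-z]:/[^|=]*?\.(?:exe|dll|sys)\b", re.I)
TEMP_RE = re.compile(r"/(?:locals~1|local settings)/temp/", re.I)


def in_system32(path):
    return "/windows/system32/" in path.lower()


def triage(log):
    """Return (reason, where, path) tuples for suspicious lines of a Pe_xscan log."""
    findings = []
    process = None  # the process that subsequent module lines belong to
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PROCESS_RE.match(line)
        if m:
            process = m.group("path")
            continue
        e = ENTRY_RE.match(line)
        if e:  # hijack-style entry: O2 (BHO), O4 (Run key), O24 (ShellExecuteHook), O25 (in-proc COM)
            kind = e.group("kind")
            for path in PATH_RE.findall(line):
                name = path.rsplit("/", 1)[-1].lower()
                if TEMP_RE.search(path):
                    findings.append(("autostart target in user temp dir", kind, path))
                elif kind in ("O2", "O24") and name in SYSTEM_DLL_NAMES and not in_system32(path):
                    findings.append(("system DLL name hooked from outside system32", kind, path))
                elif kind == "O25" and name.endswith(".exe"):
                    findings.append(("in-process COM server registered as an EXE", kind, path))
            continue
        # Anything else is a module line: "path | load time"; attribute it to the current process.
        path = line.split(" | ", 1)[0]
        if process and TEMP_RE.search(path):
            findings.append(("module loaded from user temp dir", process, path))
    return findings


if __name__ == "__main__":
    for reason, where, path in triage(SAMPLE_LOG):
        print(f"{reason:45} {where:25} {path}")
```

Run against a full Pe_xscan log, the same four rules surface every temp-directory module in explorer.exe and iexplore.exe, all thirteen O4 entries, both O24 hooks and the O25 entry from the scan above.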
Information about some virus files:
File Description: C:/program files/Internet Explorer/msvcrt.dll
Attribute: ash-
Language: Chinese (China)
File version: 1.0.0.1
Description: Microsoft Corporation windows DLL
Copyright: Copyright (c) 2001.01
Comments:
Product Version: 5.00.1.0.2
Product Name: Microsoft (r) Windows (r) TM
Company Name: Microsoft Corporation
Legal trademarks:
Internal name: Windows.dll
Original file name: Windows.dll
Creation Time: 10:32:41
Modification time: 8:21:14
Access time:
Size: 12338 bytes, 12.50 KB
MD5: 32fcda85c0359436f01d646a439b2985
C:/program files/common files/relive.dll is identical to C:/program files/Internet Explorer/msvcrt.dll.
File Description: C:/program files/Internet Explorer/msvcrt.Bak
Attribute: -sh-
An error occurred while obtaining the file version information!
Creation Time: 10:32:41
Modification time: 15:56:40
Access time:
Size: 21042 bytes, 20.562 KB
MD5: 79701c3d2ba063269aa6bef1c4ac3cfd
File Description: C:/program files/Internet Explorer/romdrivers.dll
Attribute: ash-
Language: Chinese (China)
File version: 1.0.0.1
Description: Microsoft Corporation windows DLL
Copyright: Copyright (c) 2006.6
Comments:
Product Version: 5.00.1.0.1
Product Name: Microsoft (r) Windows (r) System
Company Name: Microsoft Corporation
Legal trademarks:
Internal name: System
Original file name: system.dll
Creation Time: 17:28:46
Modification time: 10:31:36
Access time:
Size: 14898 bytes, 14.562 KB
MD5: 5e12658d4dec4c3f9df782a23d179c5d
File Description: C:/program files/Internet Explorer/romdrivers.Bak
Attribute: -sh-
An error occurred while obtaining the file version information!
Creation Time: 17:28:46
Modification time: 9:15:56
Access time:
Size: 22066 bytes, 21.562 KB
MD5: 93ddd394c7d36ccf069141ad84585f57
File Description: C:/docume~1/2298160/locals~1/temp/fyso.exe
Attribute: ---
An error occurred while obtaining the file version information!
Creation Time: 17:30:22
Modification time: 15:56:58
Access time:
Size: 47012 bytes, 45.932 KB
MD5: ab509638459d1aa7fa14904400d26e97
File Description: C:/docume~1/2298160/locals~1/temp/fyso0.dll
Attribute: ---
An error occurred while obtaining the file version information!
Creation Time: 15:24:28
Modification time: 8:21:14
Access time:
Size: 24260 bytes, 23.708 KB
MD5: 9c10100eda45a8ec6a4241ca8a770575
File Description: C:/docume~1/2298160/locals~1/temp/fyso1.dll
Attribute: ---
An error occurred while obtaining the file version information!
Creation Time: 8:55:49
Modification time:
Access time:
Size: 24260 bytes, 23.708 KB
MD5: 9c10100eda45a8ec6a4241ca8a770575
File Description: C:/docume~1/2298160/locals~1/temp/jtso.exe
Attribute: ---
An error occurred while obtaining the file version information!
Creation Time: 17:30:35
Modification time:
Access time:
Size: 46545 bytes, 45.465 KB
MD5: 2eec6964c33beed980862bf10960a0a1
File Description: C:/docume~1/2298160/locals~1/temp/jtso0.dll
Attribute: ---
An error occurred while obtaining the file version information!
Creation Time: 11:17:19
Modification time: 8:21:14
Access time:
Size: 24444 bytes, 23.892 KB
MD5: 1369255631ec0f2bc212da7c2536ad67
File Description: C:/docume~1/2298160/locals~1/temp/jtso1.dll
Attribute: ---
An error occurred while obtaining the file version information!
Creation Time: 8:55:53
Modification time:
Access time:
Size: 24444 bytes, 23.892 KB
MD5: 1369255631ec0f2bc212da7c2536ad67
File Description: C:/docume~1/2298160/locals~1/temp/qjso.exe
Attribute: ---
An error occurred while obtaining the file version information!
Creation Time: 17:31:14
Modification time: 15:57:28
Access time:
Size: 46031 bytes, 44.975 KB
MD5: d61cb3d4f8dde6679ca3d1909eb6eb21
File Description: C:/docume~1/2298160/locals~1/temp/qjso0.dll
Attribute: ---
An error occurred while obtaining the file version information!
Creation Time: 11:17:19
Modification time: 8:21:14
Access time:
Size: 25484 bytes, 24.908 KB
MD5: d4a34abde803a50d625a145f498afcd8
File Description: C:/docume~1/2298160/locals~1/temp/qjso1.dll
Attribute: ---
An error occurred while obtaining the file version information!
Creation Time:
Modification time: 15:57:28
Access time:
Size: 25484 bytes, 24.908 KB
MD5: d4a34abde803a50d625a145f498afcd8
File Description: C:/docume~1/2298160/locals~1/temp/rxso.exe
Attribute: ---
An error occurred while obtaining the file version information!
Creation Time: 17:31:22
Modification time: 15:57:30
Access time:
Size: 47222 bytes, 46.118 KB
MD5: 706516df1ce045af0e8e9da0f8b65783
File Description: C:/docume~1/2298160/locals~1/temp/rxso0.dll
Attribute: ---
An error occurred while obtaining the file version information!
Creation Time:
Modification time: 8:21:14
Access time:
Size: 25108 bytes, 24.532 KB
MD5: 127f5ab522eb2797737796e246ccc037
File Description: C:/docume~1/2298160/locals~1/temp/rxso1.dll
Attribute: ---
An error occurred while obtaining the file version information!
Creation Time: 8:56:12
Modification time: 15:57:30
Access time:
Size: 25108 bytes, 24.532 KB
MD5: 127f5ab522eb2797737796e246ccc037
File Description: C:/docume~1/2298160/locals~1/temp/tlso.exe
Attribute: ---
An error occurred while obtaining the file version information!
Creation Time: 17:31:31
Modification time: 15:57:46
Access time:
Size: 47020 bytes, 45.940 KB
MD5: 12d46b18469e3eafb9e0ad732bce41d7
File Description: C:/docume~1/2298160/locals~1/temp/tlso0.dll
Attribute: ---
An error occurred while obtaining the file version information!
Creation Time: 11:17:19
Modification time: 8:21:14
Access time:
Size: 24860 bytes, 24.284 KB
MD5: e03a878c04759284b2f86ea8cabb0698
File Description: C:/docume~1/2298160/locals~1/temp/tlso1.dll
Attribute: ---
An error occurred while obtaining the file version information!
Creation Time: 8:56:21
Modification time: 15:57:46
Access time:
Size: 24860 bytes, 24.284 KB
MD5: e03a878c04759284b2f86ea8cabb0698
File Description: C:/docume~1/2298160/locals~1/temp/wdso.exe
Attribute: ---
An error occurred while obtaining the file version information!
Creation Time: 17:31:25
Modification time: 15:57:36
Access time:
Size: 48025 bytes, 46.921 KB
MD5: 97199fbcccd0ac855bebdcb10f7cbdfd
File Description: C:/docume~1/2298160/locals~1/temp/wdso0.dll
Attribute: ---
An error occurred while obtaining the file version information!
Creation Time: 15:24:29
Modification time: 8:21:14
Access time:
Size: 25692 bytes, 25.92 KB
MD5: 2fd8fad946553ba6a7105246bf8b4551
File Description: C:/docume~1/2298160/locals~1/temp/wdso1.dll
Attribute: ---
An error occurred while obtaining the file version information!
Creation Time: 8:56:16
Modification time: 15:57:38
Access time:
Size: 25692 bytes, 25.92 KB
MD5: 2fd8fad946553ba6a7105246bf8b4551
File Description: C:/docume~1/2298160/locals~1/temp/ztso.exe
Attribute: ---
An error occurred while obtaining the file version information!
Creation Time:
Modification time: 9:16:26
Access time:
Size: 48418 bytes, 47.290 KB
MD5: 0565f9776f415ef250f4542be4329cb0
File Description: C:/docume~1/2298160/locals~1/temp/ztso0.dll
Attribute: ---
An error occurred while obtaining the file version information!
Creation Time:
Modification time: 8:21:14
Access time:
Size: 25464 bytes, 24.888 KB
MD5: 9b5e9e5c8eb17b97e355826bea5eff55
File Description: C:/docume~1/2298160/locals~1/temp/ztso1.dll
Attribute: ---
An error occurred while obtaining the file version information!
Creation Time: 8:55:42
Modification time: 9:16:26
Access time:
Size: 25464 bytes, 24.888 KB
MD5: 9b5e9e5c8eb17b97e355826bea5eff55
File Description: C:/Windows/system32/nwizzhuxians.exe
Attribute: ---
An error occurred while obtaining the file version information!
Creation Time: 8:38:45
Modification time: 15:57:56
Access time:
Size: 46895 bytes, 45.815 KB
MD5: dda372cd5e1c47b8cb4fe18d8e76af79
File Description: C:/Windows/system32/nwizzhuxians.dll
Attribute: ---
An error occurred while obtaining the file version information!
Creation Time: 8:38:46
Modification time: 15:57:58
Access time:
Size: 25144 bytes, 24.568 KB
MD5: aaf846bc52a6bb3b6417c7625d109548