Trojan.Win32.KillFiles.m, Packer.Mian007, etc.
Endurer original
Version 1
Just now a netizen said that his computer had become very slow recently and asked me to help check it remotely through QQ.
He downloaded pe_xscan to produce a scan log, and I analyzed the log. The following suspicious items were found:
/=
Pe_xscan 07-08-30 by Purple endurer
Windows XP Service Pack 2 (5.1.2600)
Administrator user group
C:/Windows/system32/explorer.EXE * 1428 | 8:32:36 | MICROSOFT (r) Windows (r) Operating System | 6.2900.2180 | Windows Explorer | (c) Microsoft Corporation. All rights reserved. | 6.2900.2180 | Microsoft Corporation |? | Explorer | EXPLORER.EXE
C:/Windows/svchost.exe * 1768 | 15:42:16 | 1.00 |? |? | 1.00 |? |? | 1 | 1.exe
C:/program files/yayad/adpop.EXE * 2440 | 1:54:32 | ad.pop | 1.0.0.1 | ad.popup | (c) CDM. All rights reserved. | 1.0.0.1 | CDM |? | Adpop.exe
C:/program files/yayad/AutoUpdate.dll | 1:53:46 | AutoUpdate | 1.0.0.1 | AutoUpdate | (c) <yayad>. All Rights Reserved. | 1.0.0.1 | CDM |? | AutoUpdate.dll | AutoUpdate.dll
C:/program files/Internet Explorer/iexplore.EXE * 1484 | MICROSOFT (r) Windows (r) Operating System | 6.00.2900.2180 | Internet Explorer | (c) Microsoft Corporation. All rights reserved. | 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation |? | Iexplore.exe
C:/program files/yayad/adcore.dll | 1:54:52 | ad core | 1.0.0.1 | ad core | (c) CDM. All Rights Reserved. | 1.0.0.1 | CDM |? | Adcore.dll | adcore.dll
F2-Reg: system.ini: userinit.exe, EXPLORER.EXE
O4-HKCU/../Run: [wsctf.exe] wsctf.exe
O4-HKCU/../Run: [EXPLORER.EXE] EXPLORER.EXE
O4-Global startup: Windows.HTA -> invalid lnk file
I:/autorun.inf
/-----
[Autorun]
Open=autorun.exe
Icon=pr2.exe
-----/
O23-service: c12063328 (c12063328)-system32/Drivers/c12063328.sys (pilot)
O23-service: Internet Explorer Service-C:/Windows/svchost.exe | 15:42:16 | 1.00 |? |? | 1.00 |? |? | 1 | 1.exe (automatic)
O23-service: mysee2_runtime ()-C:/Windows/system32/svchost.exe -k mysee2 -> C:/Windows/system32/Gy/runtime.DLL | 14:59:14 | runtime application | 1, 0, 0, 3 | <mysee live!> Runtime | (c) Beijing high-dimensional video Technology Co., Ltd. All rights reserved. | 1, 0, 0, 3 | Beijing high-dimensional video Technology Co., Ltd. |? | <Mysee live!> Runtime | runtime.exe (manual)
O23-service: npkycryp (npkycryp)-C:/Windows/system32/npkycryp.sys (manual)
O23-service: pohci13f (pohci13f)-C:/docume~1/www/locals~1/temp/pohci13f.sys (manual)
O23-service: ws2ifsl (Windows Socket 2.0 non-IFS service provider support environment)-C:/Windows/system32/Drivers/ws2ifsl.sys | MICROSOFT? Windows? Operating System | 5.1.2600.0 | Winsock2 IFS layer |? Microsoft Corporation. All Rights Reserved. | 5.1.2600.0 (xpclient000017-1148) | Microsoft Corporation |? | Ws2ifsl.sys | ws2ifsl.sys (disabled)
===/
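The reasoning behind the items singled out above (a svchost.exe outside system32, an EXPLORER.EXE inside system32, a driver loaded from a temp folder) can be automated. The following is an added example, not part of the original post or of pe_xscan: a small Python triage over constructed log lines in the same style, assuming a default C:\Windows install for the expected locations.

```python
import re

# Constructed sample lines in the style of the pe_xscan log above (not the original log).
SAMPLE_LOG = """\
C:/Windows/system32/explorer.EXE * 1428 | 8:32:36 | MICROSOFT (r) Windows (r) Operating System
C:/Windows/svchost.exe * 1768 | 15:42:16 | 1.00 |? |? | 1.00 |? |? | 1 | 1.exe
C:/Windows/explorer.exe * 1000 | 8:32:36 | Windows Explorer
C:/Windows/system32/svchost.exe * 900 | 8:32:36 | Generic Host Process
O23-service: pohci13f (pohci13f)-C:/docume~1/www/locals~1/temp/pohci13f.sys (manual)
O23-service: ws2ifsl (Winsock2 IFS layer)-C:/Windows/system32/Drivers/ws2ifsl.sys (disabled)
O23-service: Internet Explorer Service-C:/Windows/svchost.exe | 15:42:16 | 1.00 (automatic)
"""

# Directories where the genuine binaries of these names live on a default XP
# install (assumption: %SystemRoot% is C:\Windows); any other location is suspect.
EXPECTED_DIRS = {
    "explorer.exe": {"c:/windows"},
    "svchost.exe": {"c:/windows/system32"},
}

# Process line: "<path> * <pid> | ..."; service line: "O23-service: <name>-<path> ..."
PROC_RE = re.compile(r"^([a-z]:/[^|*]+?)\s*\*\s*(\d+)\s*\|", re.I)
SVC_RE = re.compile(r"^O23-service:\s*(.*?)-([a-z]:/.*?\.(?:sys|exe|dll))", re.I)

def normalize(path):
    # Lower-case, forward-slash form so directory comparisons are exact.
    return path.strip().replace("\\", "/").lower()

def misplaced(path):
    # True if a well-known binary name runs from a directory it does not belong in.
    parent, _, name = path.rpartition("/")
    return name in EXPECTED_DIRS and parent not in EXPECTED_DIRS[name]

def triage(log_text):
    """Return (kind, path, detail) findings for suspicious process and service lines."""
    findings = []
    for line in log_text.splitlines():
        m = PROC_RE.match(line)
        if m:
            path = normalize(m.group(1))
            if misplaced(path):
                findings.append(("masquerading-process", path, int(m.group(2))))
            continue
        m = SVC_RE.match(line)
        if m:
            name, path = m.group(1).strip(), normalize(m.group(2))
            if "/temp/" in path:
                findings.append(("service-binary-in-temp", path, name))
            elif misplaced(path):
                findings.append(("masquerading-service", path, name))
    return findings
```

Running `triage(SAMPLE_LOG)` reports the two misplaced processes, the temp-folder driver and the svchost.exe service, and stays silent on the genuine explorer.exe, svchost.exe and ws2ifsl.sys entries.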
Download procview and hijackthis from http://endurer.ys168.com.
Terminate these processes with procview:
C:/Windows/system32/EXPLORER.EXE
C:/Windows/svchost.exe
Use hijackthis to fix the F2 and O4 items.
Uninstall yayad from Add/Remove Programs in the Control Panel.
Open Registry Editor and delete the O23 items.
Download fileinfo and bat_do from http://purpleendurer.ys168.com to extract the file information, back the files up into an archive, and then delete them.
File Description: C:/Windows/svchost.exe
Attributes: ---
Language: Chinese (China)
File version: 1.00
Description:
Copyright:
Comments:
Product Version: 1.00
Product Name:
Company Name:
Legal trademark:
Internal name: 1
Source File Name: 1.exe
Creation Time: 15:42:15
Modification time: 15:42:16
Access time:
Size: 16384 bytes, 16.0 KB
MD5: d339fe10cf5ccd99bc95a4e702579301
SHA1: 8aef0adde759af973ed10d798cc067c8ba2e4373
Rising: Trojan.Win32.KillFiles.m
Scanned file: svchost.exe - infected |
svchost.exe - infected by Trojan.Win32.KillFiles.m |
File Description: C:/Windows/system32/EXPLORER.EXE
Attributes: -SHR
Language: Chinese (China)
File version: 6.2900.2180
Description: Windows Explorer
Copyright: (c) Microsoft Corporation. All rights reserved.
Comments:
Product Version: 6.2900.2180
Product Name: Microsoft (r) Windows (r) Operating System
Company Name: Microsoft Corporation
Legal trademark:
Internal name: Explorer
Source File Name: EXPLORER.EXE
Creation Time: 20:52:35
Modification time: 8:32:36
Access time:
Size: 84701 bytes, 82.733 KB
MD5: 1a58d82fe73fb4e9de10facb0ef22881
SHA1: 71b949acebb15da95057b3f9fbc1be4cac461b69
Rising: Packer.Mian007
Scanned file: EXPLORER.EXE - infected |
EXPLORER.EXE - infected by Virus.Win32.VB.bu |
File Description: C:/Windows/system32/Gy/runtime.dll
Attributes: ---
Language: Chinese (China)
File version: 1, 0, 0, 3
Description: <mysee live!> Runtime
Copyright: (c) Beijing high-dimensional video Technology Co., Ltd. All rights reserved.
Comments:
Product Version: 1, 0, 0, 3
Product Name: runtime Application
Company Name: Beijing high-dimensional video Technology Co., Ltd.
Legal trademark:
Internal name: <mysee live!> Runtime
Source File Name: runtime.exe
Creation Time:
Modification time: 14:59:14
Access time:
Size: 569344 bytes, 556.0 KB
MD5: d99151f4e4fecac91862edaad4e3c055
SHA1: 45a1b6ee195f537b58e8791e593f93ee21df2389
File Description: I:/pr2.exe
Attributes: ---R
Language: German (Germany)
File version: 1.1.1.8
Description: Port Royal 2
Copyright: Copyright (c) 2002-2004
Comments:
Product Version: 1.1.1.8
Product Name:
Company Name: ascaron entertainment GmbH
Legal trademark:
Internal name:
Source File Name:
Creation Time: 23:30:16
Modification time: 23:30:16
Access time: 1601-1-1
Size: 7847936 bytes, 7.496 MB
MD5: 3f5e3ac92cd73f92024a4eedc0ddc512
SHA1: e1f514fa33f82e40a83d7bae964b1bf2e9dd1539
File Description: I:/autorun.exe
Attributes: ---R
Language: German (Germany)
File version: 1, 0, 0, 0
Description: Autorun
Copyright: Copyright (c) 2002
Comments: scripted Autorun
Product Version: 1, 0, 0, 0
Product Name: Scriptable Autorun
Company Name: ascaron entertainment GmbH
Legal trademark:
Internal name: Autorun
Source File Name: autorun.exe
Creation Time: 9:53:44
Modification time: 9:53:44
Access time: 1601-1-1
Size: 270336 bytes, 264.0 KB
MD5: 494e74d927921d8da85b3a5e7ae93652
SHA1: d962a1d0ef216b9c56f21b87e1565ae31e3acd6c
C:/Documents and Settings/All Users/Start Menu/Programs/Startup/Windows.HTA
Contains JavaScript whose function is to run IE, move its window off the visible area of the screen, open hxxp://www.I***F5**6.cn/l1_o#/downmm.html, and then run abc1_1cmd.exe from the IE cache.
Use WinRAR to delete the Windows temporary folder, the IE temporary folder, and the deletable files and folders in D:/Windows/prefetch.