Trojan.Win32.Mnless.ZPC / ojj6erv.sys that bypasses IceSword file detection


Trojan-Downloader.Win32.Hmir.hw / Trojan.Win32.Mnless.ZPC / ojj6erv.sys bypassing IceSword file detection

Endurer original, 1st version

A netizen said that his computer got infected while he was browsing a literary website two days ago. Since then, every daily scan with anti-virus software has turned up viruses such as online-game account-stealing Trojans and QQ account-stealing Trojans. Now a prompt box appears saying that the file f5bk37q187.dll cannot be found, and the IE homepage has been changed to hxxp://***.K*ZD***H.com/?G. Let me have a look.

Asked him to download pe_xscan and send me the scan log. Because the system had just been scanned with anti-virus software, only a few startup items appear in the log:

/---
Pe_xscan 07-11-25 by Purple endurer
2007-11-27 12:23:32
Windows XP Service Pack 2 (5.1.2600)
Administrator user group

O23-service: 0jj6erv (0jj6erv)-system32\Drivers\0jj6erv.sys (auto)
O23-service: adprot (adprot)-system32\Drivers\adprot.sys (auto)
O23-service: pciharddisk (pciharddisk)-C:\Windows\system32\Drivers\pcidisk.sys (manual)
O23-service: TCPIP (TCP/IP protocol driver)-system32\Drivers\tcpip.sys | Microsoft® Windows® Operating System | 5.1.2600.2892 | TCP/IP protocol driver | © Microsoft Corporation. All Rights Reserved. | 5.1.2600.2892 (xpsp.060420-0256) | Microsoft Corporation |  | Tcpip.sys | tcpip.sys (system)
---/

 

Browsing the files with WinRAR, I found that tcpip.sys, the file behind O23-service: TCPIP (TCP/IP protocol driver), had a last-modified date of 2007-11-23, and that C:\Windows\system32\drivers also contained a file named tcpip.sys.original. Comparing the two:

C:\Windows\system32\drivers>FC tcpip.sys tcpip.sys.original
Comparing files tcpip.sys and tcpip.sys.original
00000130: 92 F6
00000131: EC EB
0004f7c6: 00 64
0004f7c7: 01 00

The two files are different.
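Two things are worth noticing in that FC output. The last two differences change a little-endian 16-bit value from 0x0064 to 0x0100, and the first two sit at file offsets 0x130-0x131, which is exactly where the IMAGE_OPTIONAL_HEADER.CheckSum field lies when the MZ header's e_lfanew is 0xD8 (a common value for Microsoft-linked binaries of that era). That would be consistent with a patcher changing two bytes at 0x4f7c6 and then recomputing the PE checksum so the driver still loads cleanly; this is an inference from the offsets, not something the post verified. The script below is an added example, not code from the post: it reproduces an FC /B style byte diff, locates the CheckSum field from the headers, and recomputes the checksum, all on a small PE image constructed in memory (assumption: e_lfanew = 0xD8, and the patched word placed at offset 0x210; nothing here is the real tcpip.sys).

```python
"""Byte-level comparison of two PE files (what FC /B prints) plus a PE CheckSum
locator and recalculation.  Added example, not from the post; the image it
runs on is constructed in memory and is not the page's tcpip.sys."""
import struct


def byte_diff(a: bytes, b: bytes):
    """Return [(offset, byte_in_a, byte_in_b)] for every differing offset, like FC /B.
    Past the end of the shorter input the missing side is reported as None."""
    diffs = []
    for off in range(max(len(a), len(b))):
        x = a[off] if off < len(a) else None
        y = b[off] if off < len(b) else None
        if x != y:
            diffs.append((off, x, y))
    return diffs


def checksum_field_offset(data: bytes) -> int:
    """File offset of IMAGE_OPTIONAL_HEADER.CheckSum (same for PE32 and PE32+)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    # 4-byte signature, 20-byte COFF header, CheckSum at +0x40 in the optional header
    return e_lfanew + 4 + 20 + 0x40


def pe_checksum(data: bytes) -> int:
    """Recompute the header checksum the way imagehlp's CheckSumMappedFile does:
    carry-folded sum of 32-bit words with the CheckSum field treated as zero,
    folded to 16 bits, plus the file length."""
    cs = checksum_field_offset(data)
    buf = bytearray(data)
    buf[cs:cs + 4] = b"\0\0\0\0"
    buf += b"\0" * (-len(buf) % 4)
    total = 0
    for off in range(0, len(buf), 4):
        total += struct.unpack_from("<I", buf, off)[0]
        if total >= 1 << 32:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def stored_checksum(data: bytes) -> int:
    return struct.unpack_from("<I", data, checksum_field_offset(data))[0]


def checksum_ok(data: bytes) -> bool:
    return stored_checksum(data) == pe_checksum(data)


def fix_checksum(data: bytes) -> bytes:
    buf = bytearray(data)
    struct.pack_into("<I", buf, checksum_field_offset(buf), pe_checksum(buf))
    return bytes(buf)


def build_sample_pe(payload: bytes) -> bytes:
    """Constructed minimal PE32 image (assumption: e_lfanew = 0xD8, which puts the
    CheckSum field at file offset 0x130). Not a real driver."""
    e_lfanew = 0xD8
    img = bytearray(0x200)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    img[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<HH", img, e_lfanew + 4, 0x14C, 0)    # Machine=i386, 0 sections
    struct.pack_into("<H", img, e_lfanew + 4 + 16, 0xE0)     # SizeOfOptionalHeader
    struct.pack_into("<H", img, e_lfanew + 4 + 20, 0x10B)    # Magic = PE32
    return fix_checksum(bytes(img) + payload)


# Constructed payload: a 16-bit value 0x0064 at file offset 0x210 stands in for the
# word the page's patch changed (the real offset was 0x4f7c6).
SAMPLE_PAYLOAD = bytes(0x10) + struct.pack("<H", 0x0064) + bytes(0x2E)
PATCH_OFFSET = 0x210


def patch_and_compare(original: bytes, patch_off: int, new_word: int):
    """Patch a little-endian 16-bit value, re-fix the header checksum (as a careful
    patcher would) and diff against the original; columns in FC /B order."""
    buf = bytearray(original)
    struct.pack_into("<H", buf, patch_off, new_word)
    patched = fix_checksum(bytes(buf))
    return patched, byte_diff(patched, original)


if __name__ == "__main__":
    original = build_sample_pe(SAMPLE_PAYLOAD)
    patched, diffs = patch_and_compare(original, PATCH_OFFSET, 0x0100)
    cs = checksum_field_offset(original)
    for off, x, y in diffs:
        where = "CheckSum field" if cs <= off < cs + 4 else "code/data"
        print(f"{off:08x}: {x:02X} {y:02X}  ({where})")
    print("stored checksum matches recomputed:", checksum_ok(patched))
```

Run on a real pair of files, `byte_diff` gives the same offsets FC /B prints, and `checksum_ok` tells you whether whoever patched the file bothered to fix the header; a patched driver whose checksum still verifies is the sign of a deliberate, tidy modification rather than corruption, while a mismatch is a cheap first flag. Neither check replaces comparing the file against a known-good copy or a signed original.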

Unfortunately, for some reason http://purpleendurer.ys168.com would not open, so I could not download fileinfo to extract the file's version information.
I made a packed backup of tcpip.sys, then used the IceSword 1.12 English version already on the netizen's computer to delete the file; when the Windows File Protection prompt appeared I cancelled it, and then renamed tcpip.sys.original to tcpip.sys.

Then used Rising Kaka Security Assistant to delete the first three O23 items; the first one came back after being deleted. With IceSword 1.12 the file 0jj6erv.sys could not be found in C:\Windows\system32\drivers, yet 0jj6erv.sys did show up in the kernel module list...

After downloading the IceSword 1.22 Chinese version, the file was still not visible on disk, and the service startup item could neither be deleted nor disabled.

Unfortunately bat_do could not be downloaded either, so the file could not be deleted that way.

Restarted the computer into safe mode, logged in as a different user, started the IceSword 1.22 Chinese version again, and finally saw 0jj6erv.sys in C:\Windows\system32\drivers; made a packed backup copy of it and then force-deleted it.

Restarted the computer and used Rising Kaka Security Assistant to delete O23-service: 0jj6erv (0jj6erv).
At startup, the file f5bk37q187.dll could not be found.

Because 0jj6erv.sys hides its own file on disk once Windows has loaded it as a driver, anti-virus software cannot find it after the desktop comes up. It seems that a boot-time scan is needed to deal with this kind of virus, or, as in this case, a scan from safe mode, where the driver is not loaded and the file becomes visible again.
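The tell in this case was a cross-view gap: IceSword's kernel module list showed 0jj6erv.sys loaded, while its file browser could not find the file on disk. The script below is an added example, not code from the post or from pe_xscan: it parses the O23 lines from the log above (slashes normalized to backslashes), resolves the driver paths the way the service ImagePath is resolved (paths without a drive letter are relative to %SystemRoot%), and flags drivers that are loaded but not visible, or that carry no version resource. The two sets of names it is fed are constructed for the demo to match what IceSword showed. Note what this triage would not catch: the patched tcpip.sys has a perfectly good version resource and is visible on disk, which is why the byte comparison against tcpip.sys.original mattered.

```python
"""Triage of pe_xscan O23 (service/driver) lines with a cross-view check.
Added example, not part of the original post or of pe_xscan."""
import re

# The four O23 lines are the ones from the log in the post. The two sets below are
# constructed for the demo: what IceSword's kernel-module list showed versus what
# its file browser showed in C:\Windows\system32\drivers.
SAMPLE_LOG = [
    r"O23-service: 0jj6erv (0jj6erv)-system32\Drivers\0jj6erv.sys (auto)",
    r"O23-service: adprot (adprot)-system32\Drivers\adprot.sys (auto)",
    r"O23-service: pciharddisk (pciharddisk)-C:\Windows\system32\Drivers\pcidisk.sys (manual)",
    r"O23-service: TCPIP (TCP/IP protocol driver)-system32\Drivers\tcpip.sys | Microsoft® Windows® Operating System | 5.1.2600.2892 | TCP/IP protocol driver | © Microsoft Corporation. All Rights Reserved. | 5.1.2600.2892 (xpsp.060420-0256) | Microsoft Corporation |  | Tcpip.sys | tcpip.sys (system)",
]
LOADED_MODULES = {"0jj6erv.sys", "adprot.sys", "tcpip.sys"}   # constructed
VISIBLE_FILES = {"adprot.sys", "pcidisk.sys", "tcpip.sys"}    # constructed

O23_RE = re.compile(r"^O23-service:\s*(?P<name>\S+)\s*\((?P<display>[^)]*)\)-(?P<rest>.+)$")
START_RE = re.compile(r"\s*\((auto|manual|system|boot|disabled)\)\s*$", re.I)


def normalize_path(path, system_root=r"C:\Windows"):
    """ImagePath values without a drive letter are relative to %SystemRoot%."""
    path = path.replace("/", "\\")
    if not re.match(r"^[A-Za-z]:\\", path):
        path = system_root + "\\" + path
    return path


def parse_o23(line):
    """Split one O23 line into service name, display name, driver path, start type
    and the ' | '-separated version-resource fields (empty when none were printed)."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    sm = START_RE.search(rest)
    start = sm.group(1).lower() if sm else None
    if sm:
        rest = rest[:sm.start()]
    fields = [f.strip() for f in rest.split(" | ")]
    path = normalize_path(fields[0])
    return {
        "name": m.group("name"),
        "display": m.group("display"),
        "path": path,
        "file": path.rsplit("\\", 1)[-1].lower(),
        "start": start,
        "version_info": fields[1:],
    }


def triage(lines, loaded_modules, visible_files):
    """Return {service name: [reasons]} for drivers that deserve a closer look."""
    findings = {}
    for line in lines:
        svc = parse_o23(line)
        if svc is None:
            continue
        reasons = []
        if svc["file"] in loaded_modules and svc["file"] not in visible_files:
            reasons.append("loaded as a kernel module but not visible on disk (cross-view gap)")
        if not svc["version_info"]:
            reasons.append("no version resource")
        if reasons:
            findings[svc["name"]] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_LOG, LOADED_MODULES, VISIBLE_FILES).items():
        print(name, "->", "; ".join(reasons))
```

A cross-view gap means either the driver is hiding its file, as here, or the file was deleted after the driver loaded; both cases call for a look from outside the running system, which is what the safe-mode step in this post amounted to. The "no version resource" flag is only a prioritisation hint, since plenty of legitimate third-party drivers ship without one.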

File description: D:\test\ojj6erv.sys
Attributes: ---
An error occurred while obtaining the file version information!
Creation time:
Modification time: 13:10:26
Access time: 13:10:35
Size: 23104 bytes, 22.576 KB
MD5: a2bad1749c3cf2c7d7108b7f140a9619
SHA1: 6c382ca9f73f7e0cee5f342c5cc4ed0f82c094a8
CRC32: 1579b0b3

Kaspersky detected: Trojan program Trojan-Downloader.Win32.Hmir.hw, file: D:\test\ojj6erv.sys.rar/ojj6erv.sys

Rising: Trojan.Win32.Mnless.ZPC
