Worm.Agent.wk, Trojan.PSW.OnlineGames.caw, etc., which use image hijacking


Endurer original
1st version

A friend said that his computer could not connect to the Internet and that NOD32 and Kingsoft AntiVirus could not be started. He asked me to help with the repair.

Because the network could not be reached, pe_xscan could not be downloaded, so hijackthis, which had been saved on the computer earlier, was used for the analysis.
Double-clicking hijackthis and the Rising Kaka Security Assistant icon on the desktop had no effect, but msconfig.exe could be run, and it showed several suspicious startup items and services.

Suspecting an image-hijacking virus, I renamed hijackthis.exe to 4.exe, after which hijackthis could be run.

Analyzing the log turned up the following suspicious items:
/---
Logfile of HijackThis v1.99.1
Scan saved at 15:38:19, on
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

O4 - HKLM\..\Run: [kvsc] C:\Windows\kvsc3.exe
O4 - HKCU\..\Run: [ravtask] C:\Windows\system32\svch0st.exe

O23 - Service: de6c282d - Unknown owner - C:\Windows\system32\6f0f34d5.EXE (file missing)

O23 - Service: Windows (windowsdown000) - Unknown owner - C:\Windows\system32\000.exe
---/

Disable the O23 services.
Use fileinfo to extract the file information, then use bat_do to package and delete the files.
C:\Windows\system32\svch0st.exe does not exist.
Fix the remaining items with hijackthis.

After a restart the computer could access the Internet again. Download pe_xscan, scan, and analyze the log. The following suspicious items were found:
/=
pe_xscan 07-06-04 by Purple Endurer
2007-6-11 15:53:26
Windows XP Service Pack 2 (5.1.2600)
Administrator user group

[System Process] * 0
C:\Windows\system32\msdebug.dll | 7:59:46
C:\Windows\system32\windhcp.ocx | 2007-6-10 7:59:14
C:\Windows\system32\netsrvcs.dll |
C:\program files\common files\Microsoft shared\msinfo\06b4d0bf.dll | 12:57:46
C:\Windows\system32\hreax.dll |
C:\Windows\system32\wtrmm.dll |
C:\Windows\system32\msport.dll |
C:\Windows\system32\services.exe * 588 | Microsoft® Windows® Operating System | 5.1.2600.2180 | Services and Controller app | © Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation | ? | services.exe
C:\Windows\system32\lymangr.dll | 13:49:44
C:\Windows\system32\nvsvc32.exe * 1552 | NVIDIA Driver Helper Service, Version 81.85 | 6.14.10.8185 | NVIDIA Driver Helper Service, Version 81.85 | © NVIDIA Corporation. All rights reserved. | 6.14.10.8185 | NVIDIA Corporation | ? | nvsvc | nvsvc32.exe
C:\Windows\system32\msdebug.dll | 7:59:46
C:\Windows\explorer.EXE * 1956 | Microsoft® Windows® Operating System | 6.00.2900.2180 | Windows Explorer | © Microsoft Corporation. All rights reserved. | 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation | ? | explorer | EXPLORER.EXE
C:\Windows\system32\msdebug.dll | 7:59:46
C:\Windows\system32\windhcp.ocx | 2007-6-10 7:59:14
C:\Windows\system32\netsrvcs.dll |
C:\program files\common files\Microsoft shared\msinfo\06b4d0bf.dll | 12:57:46
C:\Windows\system32\msacn.dll |
C:\Windows\system32\msport.dll |
C:\Windows\system32\wscsv.dll |
C:\Windows\system32\wtrmm.dll |
C:\Windows\system32\hreax.dll |
C:\Windows\system32\shqmangr.dll | 2007-6-11 13:49:46
C:\Windows\system32\conime.exe * 280 | Microsoft® Windows® Operating System | 5.1.2600.2180 | Console IME | © Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation | ? | Console | conime.exe
C:\Windows\system32\msdebug.dll | 7:59:46
C:\Windows\system32\windhcp.ocx | 2007-6-10 7:59:14
C:\Windows\system32\netsrvcs.dll |
C:\Windows\system32\msport.dll |
C:\program files\common files\Microsoft shared\msinfo\06b4d0bf.dll | 12:57:46
C:\Windows\system32\hreax.dll |
C:\Windows\system32\wtrmm.dll |
C:\Windows\system32\ctfmon.exe * 1132 | Microsoft® Windows® Operating System | 5.1.2600.2180 | CTF Loader | © Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation | ? | ctfmon.exe
C:\Windows\system32\msdebug.dll | 7:59:46
C:\Windows\system32\windhcp.ocx | 2007-6-10 7:59:14
C:\Windows\system32\netsrvcs.dll |
C:\program files\common files\Microsoft shared\msinfo\06b4d0bf.dll | 12:57:46
C:\Windows\system32\hreax.dll |
C:\Windows\system32\wtrmm.dll |
C:\Windows\system32\msport.dll |

O4 - HKLM\..\Policies\Explorer\Run: [msdeg32] lyloader.exe
O4 - HKLM\..\Policies\Explorer\Run: [msdwg32] lyloadbr.exe
O4 - HKLM\..\Policies\Explorer\Run: [msdcg32] lyleador.exe
O4 - HKLM\..\Policies\Explorer\Run: [msdog32] lyloador.exe
O4 - HKLM\..\Policies\Explorer\Run: [msdsg32] lyloadar.exe
O4 - HKLM\..\Policies\Explorer\Run: [msdmg32] lyloadmr.exe
O4 - HKLM\..\Policies\Explorer\Run: [msdhg32] lyloadhr.exe
O4 - HKLM\..\Policies\Explorer\Run: [msdqg32] lyloadqr.exe

D:\autorun.inf
/-----
[AutoRun]
open=06b4d0bf.exe
shell\open=Open(&O)
shell\open\Command=06b4d0bf.exe
shell\open\Default=1
shell\explore=Resource Manager(&X)
shell\explore\Command=06b4d0bf.exe
-----/
E:\autorun.inf
/-----
[AutoRun]
open=06b4d0bf.exe
shell\open=Open(&O)
shell\open\Command=06b4d0bf.exe
shell\open\Default=1
shell\explore=Resource Manager(&X)
shell\explore\Command=06b4d0bf.exe
-----/
F:\autorun.inf
/-----
[AutoRun]
open=06b4d0bf.exe
shell\open=Open(&O)
shell\open\Command=06b4d0bf.exe
shell\open\Default=1
shell\explore=Resource Manager(&X)
shell\explore\Command=06b4d0bf.exe
-----/

O23 - Service: de6c282d (de6c282d) - C:\Windows\system32\6f0f34d5.exe (disabled)

O23 - Service: msdebugsvc (Win32 Debug Service) - C:\Windows\system32\rundll32.exe msdebug.dll, input (automatic)

O23 - Service: windhcpsvc (Windows Dhcp Service) - C:\Windows\system32\rundll32.exe windhcp.ocx, input (automatic)
O23 - Service: windowsdown000 (Windows) - C:\Windows\system32\000.exe (disabled)

O23 - Service: wzcsrvc (Wireless Service) - C:\Windows\system32\rundll32.exe netsrvcs.dll, input (automatic)

O24 - ShlExecHook: [] - {4d0b06b4-06b4-d0bf-b4d0-6b40b6b4d0bf} = C:\program files\common files\Microsoft shared\msinfo\06b4d0bf.dll

O25 - InsCom: {3a202177-913d-417b-54cd-72ff5fe1cf20} = C:\Windows\system32\nwiztlbu.exe

O25 - InsCom: {77709117-a10d-41cf-64cd-51ff5fe1cf41} = C:\Windows\system32\nwizwmgjs.exe

O25 - InsCom: {79702107-a10d-11cf-64cd-51ff5fe1cf41} = C:\Windows\system32\nwizwmsjs.exe

O26 - IFEO: 360rpt.exe -> C:\PROGRA~1\COMMON~1\MICROS~1\msinfo\06b4d0bf.dat
O26 - IFEO: 360safe.exe -> C:\PROGRA~1\COMMON~1\MICROS~1\msinfo\06b4d0bf.dat
O26 - IFEO: 360tray.exe -> C:\PROGRA~1\COMMON~1\MICROS~1\msinfo\06b4d0bf.dat
O26 - IFEO: adam.exe -> C:\PROGRA~1\COMMON~1\MICROS~1\msinfo\06b4d0bf.dat
O26 - IFEO: agentsvr.exe -> C:\PROGRA~1\COMMON~1\MICROS~1\msinfo\06b4d0bf.dat
O26 - IFEO: unzip vc32.exe -> C:\PROGRA~1\COMMON~1\MICROS~1\msinfo\06b4d0bf.dat
O26 - IFEO: autoruns.exe -> C:\PROGRA~1\COMMON~1\MICROS~1\msinfo\06b4d0bf.dat
O26 - IFEO: avgrssvc.exe -> C:\PROGRA~1\COMMON~1\MICROS~1\msinfo\06b4d0bf.dat
O26 - IFEO: avmonitor.exe -> C:\PROGRA~1\COMMON~1\MICROS~1\msinfo\06b4d0bf.dat
O26 - IFEO: avp.com -> C:\PROGRA~1\COMMON~1\MICROS~1\msinfo\06b4d0bf.dat
O26 - IFEO: avp.exe -> C:\PROGRA~1\COMMON~1\MICROS~1\msinfo\06b4d0bf.dat
O26 - IFEO: ccenter.exe -> C:\PROGRA~1\COMMON~1\MICROS~1\msinfo\06b4d0bf.dat
O26 - IFEO: ccsvchst.exe -> C:\PROGRA~1\COMMON~1\MICROS~1\msinfo\06b4d0bf.dat
O26 - IFEO: filedsty.exe -> C:\PROGRA~1\COMMON~1\MICROS~1\msinfo\06b4d0bf.dat
O26 - IFEO: ftcleanershell.exe -> C:\PROGRA~1\COMMON~1\MICROS~1\msinfo\06b4d0bf.dat
O26 - IFEO: hijackthis.exe -> C:\PROGRA~1\COMMON~1\MICROS~1\msinfo\06b4d0bf.dat
O26 - IFEO: icesword.exe -> C:\PROGRA~1\COMMON~1\MICROS~1\msinfo\06b4d0bf.dat
O26 - IFEO: iparmo.exe -> C:\PROGRA~1\COMMON~1\MICROS~1\msinfo\06b4d0bf.dat
O26 - IFEO: iparmor.exe -> C:\PROGRA~1\COMMON~1\MICROS~1\msinfo\06b4d0bf.dat
O26 - IFEO: ispwdsvc.exe -> C:\PROGRA~1\COMMON~1\MICROS~1\msinfo\06b4d0bf.dat
O26 - IFEO: kabaload.exe -> C:\PROGRA~1\COMMON~1\MICROS~1\msinfo\06b4d0bf.dat
O26 - IFEO: kascrscn.scr -> C:\PROGRA~1\COMMON~1\MICROS~1\msinfo\06b4d0bf.dat
O26 - IFEO: kasmain.exe -> C:\PROGRA~1\COMMON~1\MICROS~1\msinfo\06b4d0bf.dat
O26 - IFEO: kastask.exe -> C:\PROGRA~1\COMMON~1\MICROS~1\msinfo\06b4d0bf.dat
O26 - IFEO: kav32.exe -> C:\PROGRA~1\COMMON~1\MICROS~1\msinfo\06b4d0bf.dat
O26 - IFEO: kavdx.exe -> C:\PROGRA~1\COMMON~1\MICROS~1\msinfo\06b4d0bf.dat
O26 - IFEO: kavpfw.exe -> C:\PROGRA~1\COMMON~1\MICROS~1\msinfo\06b4d0bf.dat
O26 - IFEO: kavsetup.exe -> C:\PROGRA~1\COMMON~1\MICROS~1\msinfo\06b4d0bf.dat
O26 - IFEO: kavstart.exe -> C:\PROGRA~1\COMMON~1\MICROS~1\msinfo\06b4d0bf.dat
O26 - IFEO: kislnchr.exe -> C:\PROGRA~1\COMMON~1\MICROS~1\msinfo\06b4d0bf.dat
O26 - IFEO: kmailmon.exe -> C:\PROGRA~1\COMMON~1\MICROS~1\msinfo\06b4d0bf.dat
O26 - IFEO: kmfilter.exe -> C:\PROGRA~1\COMMON~1\MICROS~1\msinfo\06b4d0bf.dat
O26 - IFEO: kpfw32.exe -> C:\PROGRA~1\COMMON~1\MICROS~1\msinfo\06b4d0bf.dat
O26 - IFEO: kpfw32x.exe -> C:\PROGRA~1\COMMON~1\MICROS~1\msinfo\06b4d0bf.dat
O26 - IFEO: kpfwsvc.exe -> C:\PROGRA~1\COMMON~1\MICROS~1\msinfo\06b4d0bf.dat
O26 - IFEO: kregex.exe -> C:\PROGRA~1\COMMON~1\MICROS~1\msinfo\06b4d0bf.dat
O26 - IFEO: krepair.com -> C:\PROGRA~1\COMMON~1\MICROS~1\msinfo\06b4d0bf.dat
O26 - IFEO: ksloader.exe -> C:\PROGRA~1\COMMON~1\MICROS~1\msinfo\06b4d0bf.dat
O26 - IFEO: kvcenter.kxp -> C:\PROGRA~1\COMMON~1\MICROS~1\msinfo\06b4d0bf.dat
O26 - IFEO: kvdetect.exe -> C:\PROGRA~1\COMMON~1\MICROS~1\msinfo\06b4d0bf.dat
O26 - IFEO: kvfwmcl.exe -> C:\PROGRA~1\COMMON~1\MICROS~1\msinfo\06b4d0bf.dat
O26 - IFEO: kvmonxp.kxp -> C:\PROGRA~1\COMMON~1\MICROS~1\msinfo\06b4d0bf.dat
O26 - IFEO: kvmonxp_1.kxp -> C:\PROGRA~1\COMMON~1\MICROS~1\msinfo\06b4d0bf.dat
O26 - IFEO: kvol.exe -> C:\PROGRA~1\COMMON~1\MICROS~1\msinfo\06b4d0bf.dat
O26 - IFEO: kvolself.exe -> C:\PROGRA~1\COMMON~1\MICROS~1\msinfo\06b4d0bf.dat
O26 - IFEO: kvreport.kxp -> C:\PROGRA~1\COMMON~1\MICROS~1\msinfo\06b4d0bf.dat
O26 - IFEO: kvscan.kxp -> C:\PROGRA~1\COMMON~1\MICROS~1\msinfo\06b4d0bf.dat
O26 - IFEO: kvsrvxp.exe -> C:\PROGRA~1\COMMON~1\MICROS~1\msinfo\06b4d0bf.dat
O26 - IFEO: kvstub.kxp -> C:\PROGRA~1\COMMON~1\MICROS~1\msinfo\06b4d0bf.dat
O26 - IFEO: kvupload.exe -> C:\PROGRA~1\COMMON~1\MICROS~1\msinfo\06b4d0bf.dat
O26 - IFEO: kvwsc.exe -> C:\PROGRA~1\COMMON~1\MICROS~1\msinfo\06b4d0bf.dat
O26 - IFEO: kvxp.kxp -> C:\PROGRA~1\COMMON~1\MICROS~1\msinfo\06b4d0bf.dat
O26 - IFEO: kvxp_1.kxp -> C:\PROGRA~1\COMMON~1\MICROS~1\msinfo\06b4d0bf.dat
O26 - IFEO: kwatch.exe -> C:\PROGRA~1\COMMON~1\MICROS~1\msinfo\06b4d0bf.dat
O26 - IFEO: kwatch9x.exe -> C:\PROGRA~1\COMMON~1\MICROS~1\msinfo\06b4d0bf.dat
O26 - IFEO: kwatchx.exe -> C:\PROGRA~1\COMMON~1\MICROS~1\msinfo\06b4d0bf.dat
O26 - IFEO: loaddll.exe -> C:\PROGRA~1\COMMON~1\MICROS~1\msinfo\06b4d0bf.dat
O26 - IFEO: magicset.exe -> C:\PROGRA~1\COMMON~1\MICROS~1\msinfo\06b4d0bf.dat
O26 - IFEO: mcconsol.exe -> C:\PROGRA~1\COMMON~1\MICROS~1\msinfo\06b4d0bf.dat
O26 - IFEO: mmqczj.exe -> C:\PROGRA~1\COMMON~1\MICROS~1\msinfo\06b4d0bf.dat
O26 - IFEO: mmsk.exe -> C:\PROGRA~1\COMMON~1\MICROS~1\msinfo\06b4d0bf.dat
O26 - IFEO: navsetup.exe -> C:\PROGRA~1\COMMON~1\MICROS~1\msinfo\06b4d0bf.dat
O26 - IFEO: nod32krn.exe -> C:\PROGRA~1\COMMON~1\MICROS~1\msinfo\06b4d0bf.dat
O26 - IFEO: nod32kui.exe -> C:\PROGRA~1\COMMON~1\MICROS~1\msinfo\06b4d0bf.dat
O26 - IFEO: pfw.exe -> C:\PROGRA~1\COMMON~1\MICROS~1\msinfo\06b4d0bf.dat
O26 - IFEO: pfwliveupdate.exe -> C:\PROGRA~1\COMMON~1\MICROS~1\msinfo\06b4d0bf.dat
O26 - IFEO: qhset.exe -> C:\PROGRA~1\COMMON~1\MICROS~1\msinfo\06b4d0bf.dat
O26 - IFEO: ras.exe -> C:\PROGRA~1\COMMON~1\MICROS~1\msinfo\06b4d0bf.dat
O26 - IFEO: rav.exe -> C:\PROGRA~1\COMMON~1\MICROS~1\msinfo\06b4d0bf.dat
O26 - IFEO: ravmon.exe -> C:\PROGRA~1\COMMON~1\MICROS~1\msinfo\06b4d0bf.dat
O26 - IFEO: ravmond.exe -> C:\PROGRA~1\COMMON~1\MICROS~1\msinfo\06b4d0bf.dat
O26 - IFEO: ravstub.exe -> C:\PROGRA~1\COMMON~1\MICROS~1\msinfo\06b4d0bf.dat
O26 - IFEO: ravtask.exe -> C:\PROGRA~1\COMMON~1\MICROS~1\msinfo\06b4d0bf.dat
O26 - IFEO: regclean.exe -> C:\PROGRA~1\COMMON~1\MICROS~1\msinfo\06b4d0bf.dat
O26 - IFEO: rfw.exe .exe -> C:\PROGRA~1\COMMON~1\MICROS~1\msinfo\06b4d0bf.dat
O26 - IFEO: rfwmain.exe -> C:\PROGRA~1\COMMON~1\MICROS~1\msinfo\06b4d0bf.dat
O26 - IFEO: rfwproxy.exe -> C:\PROGRA~1\COMMON~1\MICROS~1\msinfo\06b4d0bf.dat
O26 - IFEO: rfwsrv.exe -> C:\PROGRA~1\COMMON~1\MICROS~1\msinfo\06b4d0bf.dat
O26 - IFEO: rsagent.exe -> C:\PROGRA~1\COMMON~1\MICROS~1\msinfo\06b4d0bf.dat
O26 - IFEO: rsaupd.exe -> C:\PROGRA~1\COMMON~1\MICROS~1\msinfo\06b4d0bf.dat
O26 - IFEO: runiep.exe -> C:\PROGRA~1\COMMON~1\MICROS~1\msinfo\06b4d0bf.dat
O26 - IFEO: safelive.exe -> C:\PROGRA~1\COMMON~1\MICROS~1\msinfo\06b4d0bf.dat
O26 - IFEO: scan32.exe -> C:\PROGRA~1\COMMON~1\MICROS~1\msinfo\06b4d0bf.dat
O26 - IFEO: shw.32.exe -> C:\PROGRA~1\COMMON~1\MICROS~1\msinfo\06b4d0bf.dat
O26 - IFEO: smartup.exe -> C:\PROGRA~1\COMMON~1\MICROS~1\msinfo\06b4d0bf.dat
O26 - IFEO: sreng.exe -> C:\PROGRA~1\COMMON~1\MICROS~1\msinfo\06b4d0bf.dat
O26 - IFEO: symlcsvc.exe -> C:\PROGRA~1\COMMON~1\MICROS~1\msinfo\06b4d0bf.dat
O26 - IFEO: syssafe.exe -> C:\PROGRA~1\COMMON~1\MICROS~1\msinfo\06b4d0bf.dat
O26 - IFEO: trojandetector.exe -> C:\PROGRA~1\COMMON~1\MICROS~1\msinfo\06b4d0bf.dat
O26 - IFEO: trojanwall.exe -> C:\PROGRA~1\COMMON~1\MICROS~1\msinfo\06b4d0bf.dat
O26 - IFEO: trojdie.kxp -> C:\PROGRA~1\COMMON~1\MICROS~1\msinfo\06b4d0bf.dat
O26 - IFEO: uihost.exe -> C:\PROGRA~1\COMMON~1\MICROS~1\msinfo\06b4d0bf.dat
O26 - IFEO: umxagent.exe -> C:\PROGRA~1\COMMON~1\MICROS~1\msinfo\06b4d0bf.dat
O26 - IFEO: umxattachment.exe -> C:\PROGRA~1\COMMON~1\MICROS~1\msinfo\06b4d0bf.dat
O26 - IFEO: umxw..exe -> C:\PROGRA~1\COMMON~1\MICROS~1\msinfo\06b4d0bf.dat
O26 - IFEO: umxfwhlp.exe -> C:\PROGRA~1\COMMON~1\MICROS~1\msinfo\06b4d0bf.dat
O26 - IFEO: umxpol.exe -> C:\PROGRA~1\COMMON~1\MICROS~1\msinfo\06b4d0bf.dat
O26 - IFEO: uplive.exe.exe -> C:\PROGRA~1\COMMON~1\MICROS~1\msinfo\06b4d0bf.dat
O26 - IFEO: wopticlean.exe -> C:\PROGRA~1\COMMON~1\MICROS~1\msinfo\06b4d0bf.dat
O26 - IFEO: zxsweep.exe -> C:\PROGRA~1\COMMON~1\MICROS~1\msinfo\06b4d0bf.dat
===/
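The O26 entries above and the hijackthis.exe-to-4.exe rename trick both follow from how image hijacking works: Windows looks up the starting image's file name under the Image File Execution Options registry key and, if a Debugger value is present, starts that path instead. The script below is an added example (not part of the original post, and not code from pe_xscan or HijackThis) that parses O26 lines in the log format shown here and flags hijacks; the sample lines are constructed from names on the page, and KNOWN_DEBUGGERS is an assumed allowlist of real debugger executables.

```python
import re
from collections import defaultdict

# Constructed sample in the O26 format shown in the log above (plus one benign entry).
SAMPLE_O26 = """\
O26 - IFEO: 360safe.exe -> C:\\PROGRA~1\\COMMON~1\\MICROS~1\\msinfo\\06b4d0bf.dat
O26 - IFEO: hijackthis.exe -> C:\\PROGRA~1\\COMMON~1\\MICROS~1\\msinfo\\06b4d0bf.dat
O26 - IFEO: nod32krn.exe -> C:\\PROGRA~1\\COMMON~1\\MICROS~1\\msinfo\\06b4d0bf.dat
O26 - IFEO: icesword.exe -> C:\\PROGRA~1\\COMMON~1\\MICROS~1\\msinfo\\06b4d0bf.dat
O26 - IFEO: myapp.exe -> C:\\Program Files\\Debugging Tools\\windbg.exe
"""

# Tolerates both "O26 - IFEO:" and the unspaced "O26-ifeo:" seen in raw extractions.
O26_RE = re.compile(r"^O26\s*-\s*IFEO:\s*(?P<image>\S+)\s*->\s*(?P<debugger>.+?)\s*$", re.I)

# Assumed allowlist: a legitimate IFEO Debugger value points at a real debugger.
KNOWN_DEBUGGERS = {"windbg.exe", "ntsd.exe", "cdb.exe", "vsjitdebugger.exe", "drwtsn32.exe"}

def parse_o26(text):
    """Return {image_name: debugger_path} for every O26 line in the log text."""
    entries = {}
    for line in text.splitlines():
        m = O26_RE.match(line.strip())
        if m:
            entries[m.group("image").lower()] = m.group("debugger")
    return entries

def basename(path):
    return re.split(r"[\\/]", path)[-1].lower()

def suspicious_ifeo(entries):
    """Flag entries whose Debugger is not a known debugger, is not even an .exe,
    or is shared by several images (the mass hijack of security tools seen above)."""
    by_target = defaultdict(list)
    for image, dbg in entries.items():
        by_target[dbg.lower()].append(image)
    flagged = {}
    for image, dbg in entries.items():
        reasons = []
        if basename(dbg) not in KNOWN_DEBUGGERS:
            reasons.append("debugger is not a known debugger")
        if not basename(dbg).endswith(".exe"):
            reasons.append("target is not an .exe")
        if len(by_target[dbg.lower()]) > 1:
            reasons.append("same target hijacks %d images" % len(by_target[dbg.lower()]))
        if reasons:
            flagged[image] = reasons
    return flagged

def is_hijacked(entries, exe_name):
    """IFEO is keyed on the file name alone, so a renamed copy (4.exe) is not matched."""
    return exe_name.lower() in entries
```

Removing a hijack means deleting the Debugger value (or the whole image-name subkey) under Image File Execution Options, which is what "fixing" the O26 items in these tools does.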
(To be continued)
