Worm.Win32.DiskGen.gen / Drive virus: is it playing the advertisements?

Endurer original
2008-02-19, version 1

Yesterday a friend said his computer had been infected: it occasionally popped up advertisements and the system was very slow, so he asked me to help fix it.
Opening Task Manager and checking the processes, I found two alg.exe and two lsass.exe, with the user names SYSTEM and user respectively. Ending the ones belonging to user made the computer restart automatically ~
So I rebooted and chose Safe Mode with Networking ~
It still had to start in normal mode, but I kept the Shift key held down during the whole startup ......
After reaching the desktop, I downloaded pe_xscan, ran a scan, and found the following suspicious items in the log:
/=
Pe_xscan 08-01-29 by Purple endurer
2008-2-19 17:58:14
Windows XP Service Pack 2 (5.1.2600)
Administrator user group

O2 - BHO: Tencent Browser Helper - {0c7c23ef-a848-485b-873c-0ed954731014} - C:\Program Files\Tencent\ssplus\saddr.dll

O4 - HKCU\..\RunOnce: [MyApp] 1

O4 - Global Startup: ~.exe.65140.exe -> invalid lnk file
O4 - Global Startup: ~.exe.25207046.exe -> invalid lnk file
O4 - Global Startup: ~.exe.64125.exe -> invalid lnk file

C:\autorun.inf
/-----
[Autorun]
Open=pagefile.pif
Shell\open=Open(&O)
Shell\Open\command=pagefile.pif
Shell\Open\default=1
Shell\explore=Explorer(&X)
Shell\explore\command=pagefile.pif
-----/

D:\autorun.inf
/-----
[Autorun]
Open=pagefile.pif
Shell\open=Open(&O)
Shell\Open\command=pagefile.pif
Shell\Open\default=1
Shell\explore=Explorer(&X)
Shell\explore\command=pagefile.pif
-----/

O11 - IE Advanced Options extra group: tbh (Chinese Search) =

O18 - Protocol: ic32pp () - {BBCA9F81-8F4F-11D2-90FF-0080C83D3571} - C:\Windows\wc98pp.dll

O23 - Service: COM+ Event System Log (COM+ Event System Log) - C:\Program Files\Common Files\Microsoft Shared\MSInfo\twunk_64.aaa | 21:53:26 (automatic)

===/

The alg.exe and lsass.exe processes run under the user account mentioned above do not appear in the log. Searching for them and checking:

File Description: C:\Windows\system32\Drivers\alg.exe
Attributes: ---
An error occurred while obtaining the file version information!
Creation Time: 16:17:10
Modification time: 16:17:12
Access time:
Size: 18829 bytes, 18.397 KB
MD5: e6b26c23fda20664844d870a662127da
Sha1: 30930c99e99e417ac8b06d19db9d2056a552dd82
CRC32: ad1b25ac

Kaspersky reports it as Trojan-Downloader.Win32.Agent.iqj

Subject: Virus report email analysis result - Ticket No.: 20080220135301474033
Sender: <send@rising.net.cn>, sent: 2008.02.20

Dear customer!
Your email has been received. Thank you for your support for Rising.

We have analyzed your problem and files in detail. The following are the analysis results for the files you uploaded:
1. File Name: alg.exe
Virus name: Trojan.DL.Win32.Mnless.yxx

The virus file you reported will be handled in Rising 2008 version 32.21 (Rising 2007 version 19.63.21).
 

File Description: C:\Windows\system32\COM\lsass.exe
Attributes: -sh-
An error occurred while obtaining the file version information!
Creation Time: 16:11:36
Modification time: 16:12:14
Access time:
Size: 95744 bytes, 93.512 KB
MD5: 13949cf3910b0d255439136ec1b6cd78
Sha1: 4d873d332feddef66b90940ca18418fe91833ea7
CRC32: 652ce9ac

Kaspersky reports Virus.Win32.Xorer.dr

autorun.inf together with pagefile.pif: could this be the recently widespread Worm.Win32.DiskGen.gen / Drive virus? Using WinRAR to look into C:\Windows\system32\COM, I found:

File Description: C:\Windows\system32\COM\netcfg.000
Attributes: -sh-
Language: English (USA)
File version: 1, 0, 0, 1
Description: ifobj ActiveX Control Module
Copyright: Copyright (c) 2007
Note:
Product Version: 1, 0, 0, 1
Product Name: ifobj ActiveX Control Module
Company Name: 506
Legal trademark:
Internal name: ifobj
Source File Name: ifobj.ocx
Creation Time:
Modification time: 16:15:10
Access time:
Size: 16384 bytes, 16.0 KB
MD5: f527f2633493d985fb77a348c8e9e723
Sha1: 83a3fbfa3eba9a435399707f7b83eda4b93d69ec
CRC32: d39b8df2

Kaspersky reports Virus.Win32.Xorer.du

File Description: C:\Windows\system32\COM\netcfg.dll
Attributes: -sh-
Language: English (USA)
File version: 1, 0, 0, 1
Description: ifobj ActiveX Control Module
Copyright: Copyright (c) 2007
Note:
Product Version: 1, 0, 0, 1
Product Name: ifobj ActiveX Control Module
Company Name: 506
Legal trademark:
Internal name: ifobj
Source File Name: ifobj.ocx
Creation Time: 16:11:37
Modification time: 16:15:10
Access time:
Size: 16384 bytes, 16.0 KB
MD5: f527f2633493d985fb77a348c8e9e723
Sha1: 83a3fbfa3eba9a435399707f7b83eda4b93d69ec
CRC32: d39b8df2

Kaspersky reports Virus.Win32.Xorer.du

File Description: C:\Windows\system32\COM\smss.exe
Attributes: -sh-
An error occurred while obtaining the file version information!
Creation Time: 16:11:34
Modification time: 16:15:10
Access time:
Size: 40960 bytes, 40.0 KB
MD5: 2c5834f823066354d9e92417ecaca50d
Sha1: 37647491c08aa2ec6d07cf805b0eabd978869f11
CRC32: 18ec1d71

Kaspersky reports Virus.Win32.Xorer.dt, and Rising reports Worm.Win32.DiskGen.cy.

Downloaded fileinfo and bat_do from http://purpleendurer.ys168.com; used fileinfo to extract the file information, and bat_do to back the files up into an archive and remove them with delayed deletion.

File Description: C:\pagefile.pif
Attributes: -sh-
An error occurred while obtaining the file version information!
Creation Time: 16:12:22
Modification time: 16:12:14
Access time:
Size: 95744 bytes, 93.512 KB
MD5: 13949cf3910b0d255439136ec1b6cd78
Sha1: 4d873d332feddef66b90940ca18418fe91833ea7
CRC32: 652ce9ac

Kaspersky reports Virus.Win32.Xorer.dr

File Description: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\~.exe.25207046.exe
Attributes: ash-
An error occurred while obtaining the file version information!
Creation Time: 16:12:19
Modification time: 16:12:14
Access time:
Size: 95744 bytes, 93.512 KB
MD5: 13949cf3910b0d255439136ec1b6cd78
Sha1: 4d873d332feddef66b90940ca18418fe91833ea7
CRC32: 652ce9ac

Kaspersky reports Virus.Win32.Xorer.dr

File Description: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\~.exe.64125.exe
Attributes: ash-
An error occurred while obtaining the file version information!
Creation Time: 16:15:12
Modification time: 16:12:14
Access time:
Size: 95744 bytes, 93.512 KB
MD5: 13949cf3910b0d255439136ec1b6cd78
Sha1: 4d873d332feddef66b90940ca18418fe91833ea7
CRC32: 652ce9ac

Kaspersky reports Virus.Win32.Xorer.dr

File Description: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\~.exe.65140.exe
Attributes: ---
An error occurred while obtaining the file version information!
Creation Time: 17:15:37
Modification time: 17:15:38
Access time:
Size: 95744 bytes, 93.512 KB
MD5: 13949cf3910b0d255439136ec1b6cd78
Sha1: 4d873d332feddef66b90940ca18418fe91833ea7
CRC32: 652ce9ac

Kaspersky reports Virus.Win32.Xorer.dr
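As an added example (not the author's pe_xscan, fileinfo or bat_do tools), the Python below pulls the execution hooks out of an autorun.inf like the one dumped above and then locates every copy of the launched payload by content hash, the way pagefile.pif, COM\lsass.exe and the three Startup ~.exe.* files all shared one MD5 in this log. The autorun.inf text and the drive tree it builds are constructed for the demo.

```python
import hashlib, os, re, tempfile, zlib

# Constructed autorun.inf mirroring the one pe_xscan dumped from drives C: and D:.
SAMPLE_AUTORUN = """[Autorun]
Open=pagefile.pif
Shell\\open=Open(&O)
Shell\\Open\\command=pagefile.pif
Shell\\explore\\command=pagefile.pif
"""

# Keys that run a program: open/shellexecute and any shell\<verb>\command rebinding a verb.
HOOK_RE = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)\s*=\s*(.+?)\s*$", re.I)

def autorun_hooks(text):
    """Return {key: target} for every [Autorun] entry that launches a program."""
    hooks, in_section = {}, False
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"
        elif in_section and (m := HOOK_RE.match(line)):
            hooks[m.group(1).lower()] = m.group(2)
    return hooks

def file_hashes(path):
    """MD5, SHA1 and CRC32 of a file, in the form the post's fileinfo prints them."""
    data = open(path, "rb").read()
    return (hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest(),
            "%08x" % (zlib.crc32(data) & 0xFFFFFFFF))

def find_copies(root, wanted_md5):
    """Relative paths (using /) of every file under root whose MD5 is in wanted_md5."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for full in (os.path.join(dirpath, n) for n in names):
            if file_hashes(full)[0] in wanted_md5:
                hits.append(os.path.relpath(full, root).replace(os.sep, "/"))
    return sorted(hits)

def demo():
    """Build a constructed drive tree shaped like the post's and run both checks."""
    root = tempfile.mkdtemp()
    payload = b"constructed stand-in for the pagefile.pif payload"
    files = {"autorun.inf": SAMPLE_AUTORUN.encode(), "pagefile.pif": payload,
             "Windows/system32/COM/lsass.exe": payload,
             "Windows/system32/COM/netcfg.dll": b"different content, must not match",
             "Documents and Settings/All Users/Start Menu/Programs/Startup/~.exe.65140.exe": payload}
    for rel, data in files.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        open(os.path.join(root, rel), "wb").write(data)
    hooks = autorun_hooks(SAMPLE_AUTORUN)  # the targets it names are the payload
    wanted = {file_hashes(os.path.join(root, t))[0] for t in set(hooks.values())}
    return hooks, find_copies(root, wanted)
```

Running it against a real drive root is the same two calls with the mounted path in place of the temp tree; the hash match finds the hidden/system copies even where the file name does not look suspicious.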

Uninstalled Chinese Search.

Downloaded HijackThis from http://endurer.ys168.com, scanned, and fixed the O2, O4, O18 and O23 items.

Used WinRAR to delete autorun.inf and pagefile.pif from drives C and D, the Windows temporary folder, the IE temporary folder, and whatever could be deleted from D:\Windows\Prefetch.

Downloaded Rising's DiskGen-family removal tool (http://it.rising.com.cn/Channels/Service/2008-02/1201874341d45273.shtml) and ran a full scan.

Then I went home ~

Later my friend told me over IM that the computer was no longer showing any advertisements ~
