About the WIN32.EXE Trojan downloader and how to remove it (virus cleanup)

Source: Internet
Author: User
Tags: md5, win32
I. Source of WIN32.EXE: Http://fdghewrtewrtyrew.biz/adv/130/win32.exe
II. Behaviour after it runs: WIN32.EXE connects to several IP addresses over ports 80 and 8080. If the firewall cannot monitor this traffic, or is configured to allow it, WIN32.EXE downloads the Trojan Kernels8.exe into the system32 directory; Kernels8.exe then downloads 1.dlb, 2.dlb, ... and a whole batch of further Trojans into the current user's folder and runs them automatically. Once loaded, those Trojans in turn download yet more Trojans/worms from the network.

Once the Trojans/worms have been fully downloaded and implanted in the system, the SReng log shows:

Startup items
Registry
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
<windows update loader><c:\windows\xpupdate.exe> [n/A]
<UpdateService><C:\windows\system32\wservice.exe> [n/A]
<taskdir><C:\windows\system32\taskdir.exe> [n/A]
<_mzu_stonedrv3><C:\windows\system32\_mzu_stonedrv3.exe> [n/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
<System><C:\windows\system32\testtestt.exe> [n/A]
<UpdateService><C:\windows\system32\wservice.exe> [n/A]
<spoolsvv><C:\windows\system32\spoolsvv.exe> [n/A]
<adir><C:\windows\system32\adirss.exe> [n/A]
<_mzu_stonedrv3><C:\windows\system32\_mzu_stonedrv3.exe> [n/A]
<30><C:\windows\system32\30.tmp> [n/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
<SystemTools><C:\windows\system32\testtestt.exe> [n/A]
<_mzu_stonedrv3><C:\windows\system32\_mzu_stonedrv3.exe> [n/A]
<30><C:\windows\system32\30.tmp> [n/A]
[Hkey_local_machine\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
<sqPIftjYG><C:\windows\system32\rflbg.dll> [n/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CURRENTVERSION\WINLOGON\NOTIFY\RPCC]
<WinlogonNotify:rpcc><C:\windows\system32\rpcc.dll> [n/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Nt\currentversion\winlogon\notify\winsys2freg]
<winlogonnotify:winsys2freg><c:\documents and Settings\All Users\documents\settings\winsys2f.dll> [N/A ]
==================================
Running processes
[pid:584] [\??\c:\windows\system32\winlogon.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\Documents and Settings\All Users\documents\settings\winsys2f.dll] [N/A, n/a]
[pid:1584] [C:\windows\Explorer.EXE] [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\windows\system32\rflbg.dll] [N/A, n/a]
==================================
HOSTS file
127.0.0.1 avp.com
127.0.0.1 ca.com
127.0.0.1 f-secure.com
127.0.0.1 housecall.trendmicro.com
127.0.0.1 kaspersky.com
127.0.0.1 McAfee.com
127.0.0.1 my-etrust.com
127.0.0.1 nai.com
127.0.0.1 networkassociates.com
127.0.0.1 secure.nai.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 sophos.com
127.0.0.1 symantec.com
127.0.0.1 trendmicro.com
127.0.0.1 us.mcafee.com
127.0.0.1 v4.windowsupdate.microsoft.com
127.0.0.1 v5.windowsupdate.microsoft.com
127.0.0.1 v5windowsupdate.microsoft.nsatc.net
127.0.0.1 viruslist.com
127.0.0.1 windowsupdate.com
127.0.0.1 windowsupdate.microsoft.com
127.0.0.1 www.avp.com
127.0.0.1 www.bitdefender.com
127.0.0.1 www.ca.com
127.0.0.1 www.f-secure.com
127.0.0.1 www.kaspersky.com
127.0.0.1 www.mcafee.com
127.0.0.1 www.my-etrust.com
127.0.0.1 www.nai.com
127.0.0.1 www.networkassociates.com
127.0.0.1 www.pandasoftware.com
127.0.0.1 www.ravantivirus.com
127.0.0.1 www.sophos.com
127.0.0.1 www.symantec.com
127.0.0.1 www.trendmicro.com
127.0.0.1 www.viruslist.com
127.0.0.1 www.windowsupdate.com
127.0.0.1 www3.ca.com
127.0.0.1 downloads1.kaspersky-labs.com
127.0.0.1 downloads2.kaspersky-labs.com
127.0.0.1 downloads3.kaspersky-labs.com
127.0.0.1 downloads4.kaspersky-labs.com
127.0.0.1 downloads-us1.kaspersky-labs.com
127.0.0.1 downloads-eu1.kaspersky-labs.com
127.0.0.1 kaspersky-labs.com
127.0.0.1 mast.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 update.symantec.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 download.mcafee.com
127.0.0.1 updates.symantec.com

==================================
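The HOSTS section of the SReng log above is the classic "blackhole the vendors" trick: anti-virus and Windows Update hosts are pinned to 127.0.0.1 so the machine can neither update signatures nor patch. The following added example (not code from the original post) checks a hosts file for exactly that pattern; the sample hosts content and the WATCHED_DOMAINS list are constructed here from the domains the log shows.

```python
# Constructed sample hosts file in the state the SReng log shows: vendor and
# update sites pointed at loopback, plus two legitimate entries for contrast.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1 avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 windowsupdate.microsoft.com
127.0.0.1 liveupdate.symantec.com
192.168.1.10 intranet.example.test
"""

# Second-level domains hijacked in the log; any host under them that resolves
# to a loopback/null address is a finding (list taken from the log above).
WATCHED_DOMAINS = ("kaspersky.com", "kaspersky-labs.com", "symantec.com",
                   "symantecliveupdate.com", "mcafee.com", "trendmicro.com",
                   "sophos.com", "f-secure.com", "avp.com", "nai.com", "ca.com",
                   "bitdefender.com", "pandasoftware.com", "ravantivirus.com",
                   "viruslist.com", "microsoft.com", "windowsupdate.com")

LOOPBACK_PREFIXES = ("127.", "0.0.0.0", "::1")
LEGIT_LOCAL = {"localhost", "localhost.localdomain", "broadcasthost"}

def find_hijacked_entries(hosts_text):
    """Return (line_no, ip, hostname) for every entry that pins a watched
    domain, or a subdomain of one, to a loopback or null address."""
    hits = []
    for no, raw in enumerate(hosts_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments, blanks
        if not line:
            continue
        ip, *names = line.split()
        if not ip.startswith(LOOPBACK_PREFIXES):
            continue
        for name in names:
            n = name.lower()
            if n in LEGIT_LOCAL:
                continue
            if any(n == d or n.endswith("." + d) for d in WATCHED_DOMAINS):
                hits.append((no, ip, n))
    return hits

if __name__ == "__main__":
    for no, ip, host in find_hijacked_entries(SAMPLE_HOSTS):
        print(f"line {no}: {host} -> {ip} (AV/update site blackholed)")
```

Point it at %SystemRoot%\system32\drivers\etc\hosts on the suspect machine; repairing the file (step 6 below) means removing the flagged lines, not the whole file.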

The HijackThis v1.99.1 log shows:

O4 - HKLM\..\Run: [System] C:\windows\system32\testtestt.exe
O4 - HKLM\..\Run: [Updateservice] C:\windows\system32\wservice.exe
O4 - HKLM\..\Run: [SPOOLSVV] C:\windows\system32\spoolsvv.exe
O4 - HKLM\..\Run: [Adir] C:\windows\system32\adirss.exe
O4 - HKLM\..\Run: [_mzu_stonedrv3] C:\windows\system32\_mzu_stonedrv3.exe
O4 - HKLM\..\Run: [C:\windows\system32\30.tmp]
O4 - HKLM\..\RunServices: [SystemTools] C:\windows\system32\testtestt.exe
O4 - HKLM\..\RunServices: [_mzu_stonedrv3] C:\windows\system32\_mzu_stonedrv3.exe
O4 - HKLM\..\RunServices: [C:\windows\system32\30.tmp]
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: [Updateservice] C:\windows\system32\wservice.exe
O4 - HKCU\..\Run: [Taskdir] C:\windows\system32\taskdir.exe
O4 - HKCU\..\Run: [_mzu_stonedrv3] C:\windows\system32\_mzu_stonedrv3.exe
O4 - HKCU\..\Run: [WinMedia] C:\windows\loader622535.exe
O4 - HKCU\..\Run: [WINSTX] C:\windows\loader628714.exe

O20 - Winlogon Notify: rpcc - C:\windows\system32\rpcc.dll
O20 - Winlogon Notify: winsys2freg - C:\documents and Settings\All Users\documents\settings\winsys2f.dll
O21 - SSODL: sqPIftjYG - {F4233280-5E89-982A-A244-6D00C3A79C12} - C:\windows\system32\rflbg.dll
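Reading a log like this by hand is error-prone, so here is an added example (my own code, not from the original post or from HijackThis) that parses O4/O20/O21 lines and explains why an entry deserves attention: it is a Winlogon Notify or SSODL DLL, has an odd extension such as .tmp, lives outside the Windows directories, or is registered in several autostart locations at once, as _mzu_stonedrv3 is above. The sample log and the SYSTEM_DIRS prefix are assumptions constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample in HijackThis v1.99 format: entries from the log above plus
# one ordinary Run entry (SoundMan) that should not be flagged.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [_mzu_stonedrv3] C:\windows\system32\_mzu_stonedrv3.exe
O4 - HKLM\..\RunServices: [_mzu_stonedrv3] C:\windows\system32\_mzu_stonedrv3.exe
O4 - HKCU\..\Run: [_mzu_stonedrv3] C:\windows\system32\_mzu_stonedrv3.exe
O4 - HKLM\..\Run: [30] C:\windows\system32\30.tmp
O4 - HKLM\..\Run: [SoundMan] C:\windows\SOUNDMAN.EXE
O20 - Winlogon Notify: winsys2freg - C:\documents and Settings\All Users\documents\settings\winsys2f.dll
O21 - SSODL: sqPIftjYG - {F4233280-5E89-982A-A244-6D00C3A79C12} - C:\windows\system32\rflbg.dll
"""
PATTERNS = {  # kind -> regex; the last group is always the binary's path
    "O4":  re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[[^\]]*\] (.+)$"),
    "O20": re.compile(r"^O20 - Winlogon Notify: \S+ - (.+)$"),
    "O21": re.compile(r"^O21 - SSODL: \S+ - \{[^}]+\} - (.+)$"),
}
SYSTEM_DIRS = ("c:\\windows\\",)  # assumption: where XP autostart binaries belong

def parse(log_text):
    # Yields (kind, location, path) for every O4/O20/O21 line in the log.
    records = []
    for line in log_text.strip().splitlines():
        for kind, pat in PATTERNS.items():
            m = pat.match(line.strip())
            if m:
                loc = f"{m.group(1)}\\{m.group(2)}" if kind == "O4" else kind
                records.append((kind, loc, m.groups()[-1]))
                break
    return records

def triage(log_text):
    # Groups entries by binary (case-insensitive path) and lists the reasons
    # each one should be looked at; binaries with no reason are omitted.
    groups = defaultdict(list)
    for kind, loc, path in parse(log_text):
        groups[path.lower()].append((kind, loc))
    findings = {}
    for path, hits in groups.items():
        reasons = []
        if any(k in ("O20", "O21") for k, _ in hits):
            reasons.append("DLL load point used to inject into winlogon/explorer")
        if not path.endswith((".exe", ".dll")):
            reasons.append("unusual extension for an autostart binary")
        if not path.startswith(SYSTEM_DIRS):
            reasons.append("lives outside the Windows directories")
        if len(hits) > 1:
            reasons.append(f"registered in {len(hits)} autostart locations")
        if reasons:
            findings[path] = reasons
    return findings
```

Entries such as testtestt.exe or spoolsvv.exe (one letter off from spoolsv.exe) trigger none of these rules, so the output narrows the list but does not replace reading it.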

Of these, C:\Documents and Settings\All Users\documents\settings\winsys2f.dll is injected into the Winlogon.exe process. This DLL is the hardest to deal with, for three reasons:
1. The DLL sits in a hidden folder; you need a tool such as IceSword or WinRAR to see it.
2. Because it is injected into Winlogon.exe, the DLL cannot be deleted directly.
3. One of the Trojans/worms (I could not tell which) opens several IE processes without any IE window being visible. Windows Task Manager is disabled; other tools appear able to end the IE processes, but whichever tool you use, the virus then tries to start IE again through Winlogon.exe (SSM can monitor this). With an older version of SSM, blocking Winlogon.exe from starting the IE process crashes the system and it reboots. The latest SSM, version 2.2.0.595, can stop Winlogon.exe from starting the IE process without side effects.

The problems with this pile of viruses are:
1. Once the system is infected, the virus drops a large number of .t files into system-related directories (those that contain .exe files) and into directories on partitions other than the system partition (again, those that contain .exe files). From then on, whenever one of those .exe files is run, the .t file is executed first. SSM can monitor this and block it, but if you use SSM to block the .t file, the .exe you actually wanted to run is blocked as well. Running anti-virus software after infection is a case in point (the latest Kaspersky signature database detects only some of these viruses): once the .t file in the Kaspersky directory is allowed to run, Kav.exe is infected (its MD5 value changes). After cleaning the system I had to uninstall and reinstall Kaspersky. The same happened to my Tiny firewall: to watch the whole show unfold, I shut Tiny down, and after the virus/system rebooted, Tiny's amon.exe was infected as soon as it loaded automatically.
2. Unless every virus program is completely prevented from running, deleting the Trojan/worm files in normal Windows mode just produces a new file in the same location: a file with the .t suffix whose name is 8 randomly arranged lowercase English letters.
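Two of the cleanup steps below (spotting the dropped .t companions, and finding programs whose MD5 changed so they can be reinstalled) can be checked mechanically. This added example is my own code, not from the original post; it assumes the naming rule stated above (exactly 8 lowercase letters plus ".t", in a folder that also holds an .exe) and builds a small constructed directory tree to run against.

```python
import hashlib
import os
import re
import tempfile

# Naming rule of the dropped companion files described above (assumption:
# exactly 8 ASCII lowercase letters followed by ".t").
T_FILE = re.compile(r"^[a-z]{8}\.t$")

def find_dropper_files(root):
    """Walk root and return .t files matching the rule that sit in a folder
    which also contains at least one .exe (the page's second condition)."""
    hits = []
    for dirpath, _, names in os.walk(root):
        if not any(n.lower().endswith(".exe") for n in names):
            continue
        hits.extend(os.path.join(dirpath, n) for n in names if T_FILE.match(n))
    return sorted(hits)

def md5_of(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def changed_binaries(baseline):
    """baseline maps path -> MD5 recorded while the program was known clean.
    Returns the paths whose current MD5 differs: candidates for reinstall."""
    return sorted(p for p, digest in baseline.items() if md5_of(p) != digest)

def build_sample():
    """Constructed layout: an 'AV' folder that gets a companion file and an
    infected kav.exe, and a Docs folder with no .exe (so no .t counts there)."""
    root = tempfile.mkdtemp()
    app, docs = os.path.join(root, "Kaspersky"), os.path.join(root, "Docs")
    os.makedirs(app); os.makedirs(docs)
    kav = os.path.join(app, "kav.exe")
    files = {kav: b"MZ clean build",
             os.path.join(app, "qwertyui.t"): b"dropped companion",
             os.path.join(app, "readme.t"): b"wrong name shape",
             os.path.join(docs, "abcdefgh.t"): b"no exe in this folder"}
    for p, data in files.items():
        with open(p, "wb") as f: f.write(data)
    baseline = {kav: md5_of(kav)}          # hash taken while still clean
    with open(kav, "ab") as f: f.write(b" infected")  # simulate infection
    return root, baseline
```

On a real machine, run find_dropper_files over each partition root after booting into a state where the virus is blocked, and keep the MD5 baseline of installed security tools from before the incident, since a hash recorded after infection proves nothing.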

III. My approach:
1. Use the latest SSM 2.2 to end the virus processes and put them in the blocked group. Set SSM to start automatically.
2. Restart the system.
3. After the restart, SSM again reports a virus program trying to load (the Trojan loads at boot through the .t file in the SSM installation folder); block it and add it to the blocked group.
4. Remove the virus's startup entries (see the SReng and HijackThis logs above).
5. Show hidden files and delete the virus files (Figures 1 to 6). There are too many virus files to show them all; the figures show only the main files in this heap of viruses and some of the .t files (showing every virus file deleted to the Recycle Bin would take 18 screenshots).
The number and spread of .t files generated after infection depends on (1) how many programs are loaded at system startup; (2) how much was done in Windows between infection and cleanup; (3) whether folders on partitions other than the system partition contain .exe files (a folder with no .exe files gets no .t file).
6. Repair the Hosts file.
7. Uninstall and reinstall the infected applications (those whose MD5 values changed).

Figure 1