Endurer Original
3rd edition, added: Kaspersky confirmed it as a virus: Trojan.Win32.Agent.ut
2nd edition, supplement: Kaspersky (09:06:15) and Jiangmin KV2006 (engine version: 9.02.2040, virus database date: ) both report nothing.
1st edition
A user said that browsing web pages on his computer has recently been slow at times, and that an unexplained page, hxxp://www.88u.com, is sometimes displayed. He sent the log from a HijackThis scan along with the report.
The following suspicious items were found in the log:
O2 - BHO: iehlprobj class - {A3803141-3CF5-4D66-B7EA-8D2674FE152C} - C:\Windows\stdie.dll
O4 - HKCU\..\Run: [LocalSystem] C:\Windows\system\svchost.exe
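A triage pass that would single out both entries above, written as an added example (not part of the original post). The regular expressions, the list of imitated system binary names, the C:\Windows install path and the benign sample lines are assumptions made for this illustration.

```python
import re
from ntpath import basename, dirname, normpath  # Windows path rules on any OS

# Assumed for this example: Windows installed in C:\Windows, and a short
# list of system binary names that malware commonly imitates.
WINDOWS_DIR = r"c:\windows"
SYSTEM_DIR = WINDOWS_DIR + r"\system32"
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "services.exe", "winlogon.exe", "csrss.exe"}

O2_RE = re.compile(r"^O2\s*-\s*BHO:\s*(?P<name>.*?)\s*-\s*"
                   r"(?P<clsid>\{[0-9A-F-]{36}\})\s*-\s*(?P<path>.+)$", re.I)
O4_RE = re.compile(r"^O4\s*-\s*(?P<hive>HK\w+)[\\/]\.\.[\\/](?P<key>\w+):\s*"
                   r"\[(?P<name>[^\]]*)\]\s*(?P<path>.+)$", re.I)

# Constructed sample log: the two entries quoted in the post plus benign ones.
SAMPLE_LOG = r"""
O2 - BHO: iehlprobj class - {A3803141-3CF5-4D66-B7EA-8D2674FE152C} - C:\Windows\stdie.dll
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
O4 - HKLM\..\Run: [Example] "C:\Program Files\Example\tray.exe" /min
O4 - HKCU\..\Run: [LocalSystem] C:\Windows\system\svchost.exe
"""

def image_path(raw):
    """Normalised, lower-cased file path with quotes and arguments removed."""
    m = re.match(r'"?(.+?\.(?:exe|dll|scr|bat))\b', raw.strip(), re.I)
    return normpath(m.group(1) if m else raw.strip().strip('"')).lower()

def triage(log_text):
    """Return (reason, line) pairs for entries that deserve a closer look."""
    findings = []
    for line in map(str.strip, log_text.splitlines()):
        m2, m4 = O2_RE.match(line), O4_RE.match(line)
        if m2 and dirname(image_path(m2["path"])) == WINDOWS_DIR:
            # Heuristic: a BHO DLL dropped straight into %WINDIR%.
            findings.append(("bho-in-windir", line))
        elif m4:
            path = image_path(m4["path"])
            # A system binary name started from anywhere but System32.
            if basename(path) in SYSTEM_NAMES and dirname(path) != SYSTEM_DIR:
                findings.append(("system-name-masquerade", line))
    return findings

if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"{reason}: {line}")
```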
After I replied, the user packed the two files and sent them.
svchost.exe is reported as Trojan.DL.Agent.ALB
This file is written in Microsoft Visual C++ 7.0 [Debug].
It downloads the following through a named pipe that it creates (micpip):
hxxp://www.ad****developer.com/filmweb/webad.asp
hxxp://www.ad****developer.com/filmweb/file.asp
hxxp://www.ad****developer.com/filmweb/file.dat
hxxp://www.ad****developer.com/filmweb/ehu.up
It creates the following files:
1. %WINDIR%\setupsvc.txt
2. %USERPROFILE%\Local Settings\temp\run1.bat
File content:
rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 drv1.inf
3. %USERPROFILE%\Local Settings\temp\\drv1.inf
File content:
[Version]
Signature="$Windows NT$"
[DefaultInstall]
DelReg=MYDEL
[MYDEL]
HKCU,Software\Microsoft\Windows\CurrentVersion\Policies\System,DisableRegistryTools
4. netinfo.xml
5. %WINDIR%\system\svchost.exe
6. %WINDIR%\system\netshell.dll
7. %WINDIR%\netshell.dll
It modifies multiple values in the registry.
The most important one is:
Software\Microsoft\Windows\CurrentVersion\policies\explorer %S.dll
which is used to load netshell.dll.
HijackThis does not report this item in its concise log.