About the solution of WIN32.EXE abnormal Trojan downloader

Source: Internet
Author: User

I. Source of WIN32.EXE: Http://fdghewrtewrtyrew.biz/adv/130/win32.exe
II. Behaviour after execution: WIN32.EXE connects out over ports 80 and 8080 to a number of IP addresses. If the firewall does not watch this traffic, or the connections are allowed through it, WIN32.EXE downloads the Trojan Kernels8.exe into the system32 directory; Kernels8.exe in turn downloads 1.dlb, 2.dlb, ... and a whole batch of further Trojans into the current user's folder and runs them automatically. Each downloaded Trojan, once running, fetches yet more Trojans/worms from the network.

Once the Trojans/worms have been fully downloaded and implanted into the system, the SREng log shows:

Startup Items
Registry
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
<windows update loader><c:\windows\xpupdate.exe> [n/A]
<UpdateService><C:\windows\system32\wservice.exe> [n/A]
<taskdir><C:\windows\system32\taskdir.exe> [n/A]
<_mzu_stonedrv3><C:\windows\system32\_mzu_stonedrv3.exe> [n/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
<System><C:\windows\system32\testtestt.exe> [n/A]
<UpdateService><C:\windows\system32\wservice.exe> [n/A]
<spoolsvv><C:\windows\system32\spoolsvv.exe> [n/A]
<adir><C:\windows\system32\adirss.exe> [n/A]
<_mzu_stonedrv3><C:\windows\system32\_mzu_stonedrv3.exe> [n/A]
<30><C:\windows\system32\30.tmp> [n/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
<SystemTools><C:\windows\system32\testtestt.exe> [n/A]
<_mzu_stonedrv3><C:\windows\system32\_mzu_stonedrv3.exe> [n/A]
<30><C:\windows\system32\30.tmp> [n/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
<sqPIftjYG><C:\windows\system32\rflbg.dll> [n/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\rpcc]
<WinlogonNotify:rpcc><C:\windows\system32\rpcc.dll> [n/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winsys2freg]
<WinlogonNotify:winsys2freg><C:\Documents and Settings\All Users\documents\settings\winsys2f.dll> [n/A]
==================================
Running Processes
[pid:584] [\??\C:\windows\system32\winlogon.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [C:\Documents and Settings\All Users\documents\settings\winsys2f.dll] [N/A, N/A]
[pid:1584] [C:\windows\Explorer.EXE] [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
    [C:\windows\system32\rflbg.dll] [N/A, N/A]
==================================
HOSTS file
127.0.0.1 avp.com
127.0.0.1 ca.com
127.0.0.1 f-secure.com
127.0.0.1 housecall.trendmicro.com
127.0.0.1 kaspersky.com
127.0.0.1 McAfee.com
127.0.0.1 my-etrust.com
127.0.0.1 nai.com
127.0.0.1 networkassociates.com
127.0.0.1 secure.nai.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 sophos.com
127.0.0.1 symantec.com
127.0.0.1 trendmicro.com
127.0.0.1 us.mcafee.com
127.0.0.1 v4.windowsupdate.microsoft.com
127.0.0.1 v5.windowsupdate.microsoft.com
127.0.0.1 v5windowsupdate.microsoft.nsatc.net
127.0.0.1 viruslist.com
127.0.0.1 windowsupdate.com
127.0.0.1 windowsupdate.microsoft.com
127.0.0.1 www.avp.com
127.0.0.1 www.bitdefender.com
127.0.0.1 www.ca.com
127.0.0.1 www.f-secure.com
127.0.0.1 www.kaspersky.com
127.0.0.1 www.mcafee.com
127.0.0.1 www.my-etrust.com
127.0.0.1 www.nai.com
127.0.0.1 www.networkassociates.com
127.0.0.1 www.pandasoftware.com
127.0.0.1 www.ravantivirus.com
127.0.0.1 www.sophos.com
127.0.0.1 www.symantec.com
127.0.0.1 www.trendmicro.com
127.0.0.1 www.viruslist.com
127.0.0.1 www.windowsupdate.com
127.0.0.1 www3.ca.com
127.0.0.1 downloads1.kaspersky-labs.com
127.0.0.1 downloads2.kaspersky-labs.com
127.0.0.1 downloads3.kaspersky-labs.com
127.0.0.1 downloads4.kaspersky-labs.com
127.0.0.1 downloads-us1.kaspersky-labs.com
127.0.0.1 downloads-eu1.kaspersky-labs.com
127.0.0.1 kaspersky-labs.com
127.0.0.1 mast.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 update.symantec.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 download.mcafee.com
127.0.0.1 updates.symantec.com

==================================

The HijackThis v1.99.1 log shows:

O4 - HKLM\..\Run: [System] C:\windows\system32\testtestt.exe
O4 - HKLM\..\Run: [UpdateService] C:\windows\system32\wservice.exe
O4 - HKLM\..\Run: [spoolsvv] C:\windows\system32\spoolsvv.exe
O4 - HKLM\..\Run: [adir] C:\windows\system32\adirss.exe
O4 - HKLM\..\Run: [_mzu_stonedrv3] C:\windows\system32\_mzu_stonedrv3.exe
O4 - HKLM\..\Run: [+] C:\windows\system32\30.tmp
O4 - HKLM\..\RunServices: [SystemTools] C:\windows\system32\testtestt.exe
O4 - HKLM\..\RunServices: [_mzu_stonedrv3] C:\windows\system32\_mzu_stonedrv3.exe
O4 - HKLM\..\RunServices: [+] C:\windows\system32\30.tmp
O4 - HKCU\..\Run: [windows update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: [UpdateService] C:\windows\system32\wservice.exe
O4 - HKCU\..\Run: [taskdir] C:\windows\system32\taskdir.exe
O4 - HKCU\..\Run: [_mzu_stonedrv3] C:\windows\system32\_mzu_stonedrv3.exe
O4 - HKCU\..\Run: [WinMedia] C:\windows\loader622535.exe
O4 - HKCU\..\Run: [WINSTX] C:\windows\loader628714.exe

O20 - Winlogon Notify: rpcc - C:\windows\system32\rpcc.dll
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\documents\settings\winsys2f.dll
O21 - SSODL: sqPIftjYG - {F4233280-5E89-982A-A244-6D00C3A79C12} - C:\windows\system32\rflbg.dll
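As an added example (mine, not code from the original write-up or from SREng/HijackThis), here is a small Python parser for the HijackThis O4/O20/O21 line format shown above, plus three cheap checks that would have singled out most of these entries without knowing any of the file names in advance: an autostart that points at a non-executable extension (30.tmp), a Winlogon Notify or SSODL hook DLL that lives outside system32 (winsys2f.dll), and the same binary registered in several autostart locations at once. The sample log is the page's own entries re-typed in HijackThis's layout; the system32 location assumes a default XP installation on C:.

```python
import re
from collections import Counter
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed sample: the O4/O20/O21 entries from the log above, re-typed in
# HijackThis's own "Onn - ..." layout so the parser sees realistic input.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [System] C:\windows\system32\testtestt.exe
O4 - HKLM\..\Run: [UpdateService] C:\windows\system32\wservice.exe
O4 - HKLM\..\Run: [spoolsvv] C:\windows\system32\spoolsvv.exe
O4 - HKLM\..\Run: [adir] C:\windows\system32\adirss.exe
O4 - HKLM\..\Run: [_mzu_stonedrv3] C:\windows\system32\_mzu_stonedrv3.exe
O4 - HKLM\..\Run: [+] C:\windows\system32\30.tmp
O4 - HKLM\..\RunServices: [SystemTools] C:\windows\system32\testtestt.exe
O4 - HKLM\..\RunServices: [_mzu_stonedrv3] C:\windows\system32\_mzu_stonedrv3.exe
O4 - HKLM\..\RunServices: [+] C:\windows\system32\30.tmp
O4 - HKCU\..\Run: [windows update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: [UpdateService] C:\windows\system32\wservice.exe
O4 - HKCU\..\Run: [taskdir] C:\windows\system32\taskdir.exe
O4 - HKCU\..\Run: [_mzu_stonedrv3] C:\windows\system32\_mzu_stonedrv3.exe
O4 - HKCU\..\Run: [WinMedia] C:\windows\loader622535.exe
O4 - HKCU\..\Run: [WINSTX] C:\windows\loader628714.exe
O20 - Winlogon Notify: rpcc - C:\windows\system32\rpcc.dll
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\documents\settings\winsys2f.dll
O21 - SSODL: sqPIftjYG - {F4233280-5E89-982A-A244-6D00C3A79C12} - C:\windows\system32\rflbg.dll
"""

@dataclass(frozen=True)
class AutostartEntry:
    item: str        # HijackThis item class: O4, O20 or O21
    location: str    # e.g. "HKLM\..\Run", "Winlogon Notify", "SSODL"
    name: str        # registry value / subkey name
    path: str        # module that gets loaded
    clsid: str = ""  # only set for O21 (SSODL) entries

O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[(.*?)\] (.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.+)$")
O21_RE = re.compile(r"^O21 - SSODL: (\S+) - (\{[0-9A-Fa-f-]{36}\}) - (.+)$")

def parse_hijackthis(text):
    """Turn O4/O20/O21 lines into AutostartEntry records; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if m := O4_RE.match(line):
            hive, key, name, path = m.groups()
            entries.append(AutostartEntry("O4", f"{hive}\\..\\{key}", name, path))
        elif m := O20_RE.match(line):
            name, path = m.groups()
            entries.append(AutostartEntry("O20", "Winlogon Notify", name, path))
        elif m := O21_RE.match(line):
            name, clsid, path = m.groups()
            entries.append(AutostartEntry("O21", "SSODL", name, path, clsid))
    return entries

# Assumption: default installation, %SystemRoot% is C:\windows.
SYSTEM32 = PureWindowsPath(r"C:\windows\system32")

def _under(path, root):
    """Case-insensitive 'path is inside root' for Windows paths."""
    p = [s.lower() for s in path.parts]
    r = [s.lower() for s in root.parts]
    return p[:len(r)] == r

def find_suspicious(entries):
    """Map lower-cased module path -> sorted reasons it deserves a closer look."""
    registrations = Counter(e.path.lower() for e in entries)
    flagged = {}
    for e in entries:
        p = PureWindowsPath(e.path)
        why = flagged.setdefault(e.path.lower(), set())
        if p.suffix.lower() not in (".exe", ".dll"):
            why.add(f"autostart of a non-executable extension ({p.suffix})")
        if e.item in ("O20", "O21") and not _under(p, SYSTEM32):
            why.add("system hook DLL loaded from outside system32")
        if registrations[e.path.lower()] > 1:
            why.add(f"same binary registered in {registrations[e.path.lower()]} autostart locations")
    return {path: sorted(reasons) for path, reasons in flagged.items() if reasons}

if __name__ == "__main__":
    for path, reasons in find_suspicious(parse_hijackthis(SAMPLE_LOG)).items():
        print(path)
        for r in reasons:
            print("   -", r)
```

The "registered more than once" rule is the one worth keeping around: legitimate software rarely registers the same executable under HKLM\Run, HKLM\RunServices and HKCU\Run, whereas droppers like this one do it so that whichever key the user cleans first, another copy survives the reboot.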

Of the entries in these logs, C:\Documents and Settings\All Users\documents\settings\winsys2f.dll is loaded into the Winlogon.exe process. This DLL is the hardest one to deal with, for three reasons:
1. It sits in a hidden folder; a tool such as IceSword or WinRAR is needed even to see it.
2. Because it is loaded into Winlogon.exe, the DLL cannot simply be deleted while the system is running.
3. One of the Trojans/worms (I could not tell which) starts a number of IE processes with no IE window visible. Windows Task Manager is disabled; other tools can apparently end the IE processes, but no matter which tool is used, the malware then tries to start IE again through Winlogon.exe (SSM, System Safety Monitor, can watch this). With an older SSM, blocking Winlogon.exe from starting the IE process at that point crashes the system and it restarts. The latest SSM, 2.2.0.595, can block Winlogon.exe from starting IE without side effects.

What makes this heap of malware hard to clean up:
1. When it infects the system it drops a large number of .t files into the system-related directories (those that contain .exe files) and into directories on partitions other than the system partition (again, only those containing .exe files). Later, whenever the associated .exe is run, the .t file is executed as well. SSM can watch and block this, but if the .t file is blocked by SSM, the .exe you actually wanted to run is blocked too. Running antivirus software afterwards is an example (the latest Kaspersky virus database detects only some of the malware): once the .t file in the Kaspersky directory is allowed to run, Kav.exe is infected (its MD5 changes). After cleaning the system I had to uninstall Kaspersky and reinstall it. My Tiny firewall met the same fate: I had shut Tiny down to watch the whole show, and after the malware restarted the system, Tiny loaded automatically and its Amon.exe was infected.
2. Unless every malware program is completely prevented from running, deleting the Trojan/worm files in normal Windows mode causes a new .t file to be generated in the same location, with a file name of 8 random lowercase letters.

III. My cleanup procedure:
1. End the malware processes with the latest SSM 2.2 and put them in the blocked group. Set SSM to run automatically at startup.
2. Restart the system.
3. After the reboot, SSM again reports malware programs trying to load (the Trojan uses the .t file in the SSM installation folder to get itself loaded at boot); block them with SSM and add them to the blocked group.
4. Remove the malware's autostart entries (see the SREng and HijackThis logs above).
5. Show hidden files and delete the malware files (Figures 1 to 6). There are too many to show them all; the figures show only the main files of this heap of malware and some of the .t files generated while deleting them (showing every file sent to the Recycle Bin would take 18 screenshots).
   How many .t files are generated after infection, and where, depends on (1) how many programs are loaded and run at system startup, (2) how much was done under Windows between the infection and the cleanup, and (3) whether folders on non-system partitions contain .exe files (no .t file is generated in a folder without an .exe).
6. Repair the HOSTS file.
7. Uninstall and reinstall the infected applications (those whose MD5 changed).
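Steps 5 to 7 can be checked from a script instead of by eye. The following Python, added here and not part of the original post, does three things on a throwaway directory tree constructed to mimic the symptoms described: it repairs a HOSTS file by dropping every loopback mapping that is not for localhost, lists .t files sitting in directories that also contain an .exe (tagging the ones whose name is 8 lowercase letters), and compares files against a hash baseline recorded before infection to find the ones that need reinstalling. The HOSTS excerpt and the directory layout are constructed for the example; the hashes are SHA-256 rather than the MD5 the write-up mentions, which changes nothing about the check.

```python
import hashlib
import os
import re
import tempfile
from pathlib import Path

# Constructed HOSTS excerpt modelled on the hijacked file shown above, plus a
# comment, the legitimate localhost line and an unrelated static entry that
# must all survive the repair.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1 kaspersky.com
127.0.0.1 www.symantec.com
127.0.0.1 windowsupdate.microsoft.com
192.168.1.10 fileserver.corp   # unrelated static entry, kept
"""

LOOPBACK = {"127.0.0.1", "::1"}
LOOPBACK_OK = {"localhost", "localhost.localdomain"}  # names allowed to point at loopback

def repair_hosts(text):
    """Drop loopback mappings for any name other than localhost.

    Returns (cleaned_text, hijacked_names). Comments, blank lines and
    non-loopback entries pass through unchanged.
    """
    kept, hijacked = [], []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] in LOOPBACK:
            bad = [n for n in fields[1:] if n.lower() not in LOOPBACK_OK]
            if bad:
                hijacked.extend(bad)
                good = [n for n in fields[1:] if n.lower() in LOOPBACK_OK]
                if good:  # e.g. "127.0.0.1 localhost evil.example": keep only localhost
                    kept.append(f"{fields[0]} {' '.join(good)}")
                continue
        kept.append(line)
    return "\n".join(kept) + "\n", hijacked

T_FILE = re.compile(r"^[a-z]{8}\.t$")  # 8 random lowercase letters + .t, as the article describes

def find_dropped_t_files(root):
    """List .t files, but only in directories that also hold an .exe (where the
    article says they are written). Each hit is (path, matches_8_letter_pattern)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        if not any(f.lower().endswith(".exe") for f in files):
            continue
        for f in files:
            if f.lower().endswith(".t"):
                hits.append((os.path.join(dirpath, f), bool(T_FILE.match(f))))
    return sorted(hits)

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def changed_binaries(baseline):
    """baseline maps file path -> SHA-256 hex digest recorded before infection.
    Returns the paths whose digest now differs or that have gone missing."""
    return sorted(p for p, digest in baseline.items()
                  if not Path(p).is_file() or sha256_of(p) != digest)

def run_demo():
    """Build a throwaway tree that mimics the article's symptoms and run all three checks."""
    with tempfile.TemporaryDirectory() as tmp:
        kav = Path(tmp, "Kaspersky")
        kav.mkdir()
        (kav / "kav.exe").write_bytes(b"MZ original kav")
        (kav / "qwertyui.t").write_bytes(b"dropper")      # next to an .exe: reported
        docs = Path(tmp, "Documents")
        docs.mkdir()
        (docs / "notes.txt").write_bytes(b"text")
        (docs / "abcdefgh.t").write_bytes(b"dropper")     # no .exe in this folder: not reported
        baseline = {str(kav / "kav.exe"): sha256_of(kav / "kav.exe")}
        (kav / "kav.exe").write_bytes(b"MZ infected kav")  # simulate the infected Kav.exe
        cleaned, hijacked = repair_hosts(SAMPLE_HOSTS)
        return {
            "hijacked": hijacked,
            "cleaned": cleaned,
            "t_files": [os.path.relpath(p, tmp) for p, _ in find_dropped_t_files(tmp)],
            "reinstall": [os.path.relpath(p, tmp) for p in changed_binaries(baseline)],
        }

if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Two caveats before using this on a real machine: write the cleaned HOSTS back only after reviewing the hijacked list, because ad-blocking HOSTS files legitimately map hundreds of names to 127.0.0.1, and run the .t scan only after the malware processes are blocked (step 1), since the article notes that deleting files while they are still active just produces fresh .t files.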

Figure 1 (screenshot not reproduced in this text version)
