About WIN32.EXE Abnormal Trojan download solution

About WIN32.EXE Abnormal Trojan download solution _ Virus killing

Last Update:2017-01-18 Source: Internet

Author: User

Tags md5 win32

Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more ＞

First, WIN32. Source of EXE: Http://fdghewrtewrtyrew.biz/adv/130/win32.exe
Two Performance after the operation: this WIN32.EXE through 80 and 8080 ports to access several IP, if the firewall can not monitor or enable the firewall to allow the access, WIN32.EXE will automatically download Trojan Kernels8.exe to system32 directory; Kernels8.exe download 1.dlb from the network , 2.dlb ..... Wait a bunch of Trojans to the current user folder and run it automatically. Download the Trojan load run, and then download other Trojans/worms from the network.

After the Trojan/worm is completely downloaded and implanted into the system, the Sreng log is visible:

Start Project
Registration Form
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
<windows update loader><c:\windows\xpupdate.exe> [n/A]
<UpdateService><C:\windows\system32\wservice.exe> [n/A]
<taskdir><C:\windows\system32\taskdir.exe> [n/A]
<_mzu_stonedrv3><C:\windows\system32\_mzu_stonedrv3.exe> [n/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
<System><C:\windows\system32\testtestt.exe> [n/A]
<UpdateService><C:\windows\system32\wservice.exe> [n/A]
<spoolsvv><C:\windows\system32\spoolsvv.exe> [n/A]
<adir><C:\windows\system32\adirss.exe> [n/A]
<_mzu_stonedrv3><C:\windows\system32\_mzu_stonedrv3.exe> [n/A]
<30><C:\windows\system32\30.tmp> [n/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
<SystemTools><C:\windows\system32\testtestt.exe> [n/A]
<_mzu_stonedrv3><C:\windows\system32\_mzu_stonedrv3.exe> [n/A]
<30><C:\windows\system32\30.tmp> [n/A]
[Hkey_local_machine\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
<sqPIftjYG><C:\windows\system32\rflbg.dll> [n/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CURRENTVERSION\WINLOGON\NOTIFY\RPCC]
<WinlogonNotify:rpcc><C:\windows\system32\rpcc.dll> [n/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Nt\currentversion\winlogon\notify\winsys2freg]
<winlogonnotify:winsys2freg><c:\documents and Settings\All Users\documents\settings\winsys2f.dll> [N/A ]
==================================
Running processes
[pid:584] [\?? \c:\windows\system32\winlogon.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\Documents and Settings\All Users\documents\settings\winsys2f.dll] [N/A, n/a]
[pid:1584] [C:\windows\Explorer.EXE] [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\windows\system32\rflbg.dll] [N/A, n/a]
==================================
HOSTS file
127.0.0.1 avp.com
127.0.0.1 ca.com
127.0.0.1 f-secure.com
127.0.0.1 housecall.trendmicro.com
127.0.0.1 kaspersky.com
127.0.0.1 McAfee.com
127.0.0.1 my-etrust.com
127.0.0.1 nai.com
127.0.0.1 networkassociates.com
127.0.0.1 secure.nai.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 sophos.com
127.0.0.1 symantec.com
127.0.0.1 trendmicro.com
127.0.0.1 us.mcafee.com
127.0.0.1 v4.windowsupdate.microsoft.com
127.0.0.1 v5.windowsupdate.microsoft.com
127.0.0.1 v5windowsupdate.microsoft.nsatc.net
127.0.0.1 viruslist.com
127.0.0.1 windowsupdate.com
127.0.0.1 windowsupdate.microsoft.com
127.0.0.1 www.avp.com
127.0.0.1 www.bitdefender.com
127.0.0.1 www.ca.com
127.0.0.1 www.f-secure.com
127.0.0.1 www.kaspersky.com
127.0.0.1 www.mcafee.com
127.0.0.1 www.my-etrust.com
127.0.0.1 www.nai.com
127.0.0.1 www.networkassociates.com
127.0.0.1 www.pandasoftware.com
127.0.0.1 www.ravantivirus.com
127.0.0.1 www.sophos.com
127.0.0.1 www.symantec.com
127.0.0.1 www.trendmicro.com
127.0.0.1 www.viruslist.com
127.0.0.1 www.windowsupdate.com
127.0.0.1 www3.ca.com
127.0.0.1 downloads1.kaspersky-labs.com
127.0.0.1 downloads2.kaspersky-labs.com
127.0.0.1 downloads3.kaspersky-labs.com
127.0.0.1 downloads4.kaspersky-labs.com
127.0.0.1 downloads-us1.kaspersky-labs.com
127.0.0.1 downloads-eu1.kaspersky-labs.com
127.0.0.1 kaspersky-labs.com
127.0.0.1 mast.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 update.symantec.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 download.mcafee.com
127.0.0.1 updates.symantec.com

==================================

HijackThis v1.99.1 logs are visible:

O4-hklm\.. \run: [System] C:\windows\system32\testtestt.exe
O4-hklm\.. \run: [Updateservice] C:\windows\system32\wservice.exe
O4-hklm\.. \run: [SPOOLSVV] C:\windows\system32\spoolsvv.exe
O4-hklm\.. \run: [Adir] C:\windows\system32\adirss.exe
O4-hklm\.. \run: [_mzu_stonedrv3] C:\windows\system32\_mzu_stonedrv3.exe
O4-hklm\.. \run: [C:\windows\system32\30.tmp]
O4-hklm\.. \runservices: [SystemTools] C:\windows\system32\testtestt.exe
O4-hklm\.. \runservices: [_mzu_stonedrv3] C:\windows\system32\_mzu_stonedrv3.exe
O4-hklm\.. \runservices: [C:\windows\system32\30.tmp]
O4-hkcu\.. \run: [Windows update loader] C:\Windows\xpupdate.exe
O4-hkcu\.. \run: [Updateservice] C:\windows\system32\wservice.exe
O4-hkcu\.. \run: [Taskdir] C:\windows\system32\taskdir.exe
O4-hkcu\.. \run: [_mzu_stonedrv3] C:\windows\system32\_mzu_stonedrv3.exe
O4-hkcu\.. \run: [WinMedia] C:\windows\loader622535.exe
O4-hkcu\.. \run: [WINSTX] C:\windows\loader628714.exe

O20-winlogon Notify:rpcc-c:\windows\system32\rpcc.dll
O20-winlogon notify:winsys2freg-c:\documents and Settings\All Users\documents\settings\winsys2f.dll
O21-ssodl:sqpiftjyg-{F4233280-5E89-982A-A244-6D00C3A79C12}-C:\windows\system32\rflbg.dll

Where the C:\Documents and Settings\All Users\documents\settings\winsys2f.dll Insert the Winlogon.exe process. This. dll is more difficult to handle. The reason is:
1, this DLL is located in a hidden folder, you must use tools such as IceSword or WinRAR to see.
2, because it inserts the Winlogon.exe process, this DLL cannot be deleted directly.
3, I do not know which of the Trojans/worms to open a number of IE process (and no IE windows open). Windows Task Manager is banned; with other tools, the surface can be used to end the IE process, but no matter what tool to end the IE process, The virus attempts to start the IE process via Winlogon.exe (SSM can monitor this process); At this point, the system crashes and restarts if the IE process is blocked by the Winlogon.exe with a lower version of SSM. The latest version of the SSM 2.2.0.595 can prevent Winlogon.exe from starting the IE process without side effects.

The problem with this pile of viruses is:
1, virus infection system, has been in the system-related directory (with the directory of. exe files) and other than the system partition directory (with the directory of. exe files) released a large number of. t files. Later, whenever the relevant. exe is run, the. t file must be executed first, this process can be monitored by the SSM, can also be banned by the SSM. However, if you use the SSM to ban this. T, then the. exe you want to run is also banned by the SSM. After the use of anti-virus software antivirus is an example (Kaspersky latest virus library can only detect some of the virus). Once the. T operation under Kaspersky Directory is allowed, Kav.exe is infected (MD5 value changes). After cleaning up the system, I had to uninstall Kaspersky, reinstall. The same goes for my tiny firewall. In order to see the whole "Western scene", I closed the tiny. After the virus/system reboots, the tiny amon.exe is infected when it is automatically loaded.
2, if not completely prohibit all the virus program to run, in normal Windows mode to remove Trojan/worm files, delete operations will be generated in the same location in the same place, the filename suffix is. t file, file name is randomly arranged in 8 lowercase English letters.

Third, my approach:
1, with the latest version of the SSM2.2 end of the virus process, and it is grouped into the blocked group. Set the SSM to auto run.
2, restart the system.
3, restart the system, SSM also reported virus program to try to load (Trojan through the SSM installation folder in the. T implementation boot load), can be used to ban it, and into the blocked group.
4, remove the virus add-ins (see previous Sreng and HijackThis log).
5, Show hidden files. Delete the virus file (Figure 1-figure 6). There are too many virus files to remove, as an example, the figure shows only the main files in this heap of viruses and the part of the. t file (if all the virus files that you delete to the Recycle Bin are displayed, you need 18 charts).
The number and distribution range of the. t file produced after the infection depends on (1) How many programs are loaded to run when the system starts; (2) The amount of operation steps under Windows before being treated cleanly after being poisoned; (3) whether the folder in the directory of the partitions other than the system partition contains an. exe file (if the folder contains No. exe files, no disease Poison. T file generation).
6, repair the Hosts file.
7. Uninstall and reinstall infected applications (those with MD5 values changed).

Figure 1

This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

Sales Support

1 on 1 presale consultation

Chat Contact Sales
After-Sales Support

24/7 Technical Support 6 Free Tickets per Quarter Faster Response

Open a Ticket
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

Learn More