After the holiday, Weijin/Viking comes to pay a New Year's call

Source: Internet
Author: User

Endurer Original, 1st version

A colleague said his computer was behaving abnormally and asked me to take a look.

Downloaded HijackThis from http://endurer.ys168.com, scanned, and found suspicious items in the log:

/-----
Logfile of HijackThis v1.99.1
Scan saved at 9:04:52, on
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running Processes:
C:/Windows/logocmd.exe
E:/qqgame/pocket ~ 1/pocketrpg.exe

F3-Reg: win.ini: load = C:/Windows/rundl132.exe
-----/

logocmd.exe and rundl132.exe immediately bring Weijin/Viking to mind.

Searching for pocketrpg.exe on Google, Sogou, and Baidu turned up no relevant information.
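The triage the post does by eye on the HijackThis excerpt (a win.ini load= autostart pointing at a rundll32 lookalike, an unknown executable running from the Windows root) can be scripted. The following Python is an added example written for this page; it is not the author's pe_xscan analysis page nor a HijackThis feature. The sample log is a constructed copy of the post's excerpt, and the list of system binary names and the 0.85 similarity threshold are assumptions.

```python
import re
from difflib import SequenceMatcher

# Constructed sample modelled on the HijackThis excerpt in the post
# (one legitimate system32 process added for contrast).
SAMPLE_LOG = """\
Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running Processes:
C:/Windows/logocmd.exe
E:/qqgame/pocket ~ 1/pocketrpg.exe
C:/Windows/system32/svchost.exe

F3-Reg: win.ini: load = C:/Windows/rundl132.exe
"""

# Assumed list of legitimate Windows binaries whose names malware commonly imitates.
KNOWN_SYSTEM_NAMES = {"rundll32.exe", "svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe"}

def parse_hijackthis(text):
    """Return (running processes, F3 win.ini entries) from a HijackThis-style log."""
    processes, f3 = [], []
    in_procs = False
    for line in text.splitlines():
        line = line.strip()
        if line.lower().startswith("running processes:"):
            in_procs = True
            continue
        if not line:                      # blank line ends the process section
            in_procs = False
            continue
        if in_procs:
            processes.append(line)
        elif line.startswith("F3-Reg:"):
            f3.append(line)
    return processes, f3

def basename(path):
    return re.split(r"[\\/]", path)[-1].lower()

def lookalike(name):
    """Return the known system binary this name closely resembles (but is not), else None."""
    best, score = None, 0.0
    for known in KNOWN_SYSTEM_NAMES:
        r = SequenceMatcher(None, name, known).ratio()
        if r > score:
            best, score = known, r
    if best and best != name and score >= 0.85:   # assumed threshold
        return best
    return None

def check_path(path):
    """Heuristics for one executable path: Windows-root location and lookalike name."""
    reasons = []
    norm = path.replace("\\", "/")
    parent = norm.rsplit("/", 1)[0].lower() if "/" in norm else ""
    if parent in ("c:/windows", "c:/winnt"):
        reasons.append("executable in the Windows root rather than system32")
    twin = lookalike(basename(norm))
    if twin:
        reasons.append(f"name resembles system binary {twin}")
    return reasons

def triage(text):
    """Return (path, reason) findings for a HijackThis-style log."""
    findings = []
    processes, f3 = parse_hijackthis(text)
    for p in processes:
        findings.extend((p, r) for r in check_path(p))
    for entry in f3:
        m = re.search(r"win\.ini:\s*(load|run)\s*=\s*(.+)$", entry, re.I)
        if m:
            target = m.group(2).strip()
            # load=/run= in win.ini is a legacy autostart that modern software almost never uses.
            findings.append((target, f"win.ini {m.group(1).lower()}= autostart (legacy, rarely legitimate)"))
            findings.extend((target, r) for r in check_path(target))
    return findings

if __name__ == "__main__":
    for path, reason in triage(SAMPLE_LOG):
        print(f"{path}: {reason}")
```

Run as-is it prints four findings for the sample: logocmd.exe for its location, and rundl132.exe for the win.ini autostart, its location, and its resemblance to rundll32.exe; svchost.exe and pocketrpg.exe are not flagged.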

Downloaded the Rising Antivirus Assistant from http://endurer.ys168.com and used Rising's free online scan on drive C; the results were as follows:

/-----
9:41:18 Rising Anti-virus Assistant
Windows XP Service Pack 2 (5.1.2600)
File name                                   Virus name
C:/Windows/system32/Drivers/339267.sys      Rootkit.cnsprot.
C:/Windows/system32/Drivers/119822.sys      Rootkit.cnsprot.
C:/Windows/system32/Drivers/199617.sys      Rootkit.cnsprot.
C:/Windows/system32/dhgart37.dll            Trojan.DL.qqhelper.Emi
C:/Windows/system32/ntabhor.exe             Trojan.psw.Agent.IHD
C:/Windows/DLL.dll                          Worm.Viking.DV
-----/

Although Rising's free online scan did not report logocmd.exe or rundl132.exe, the pe_xscan and HijackThis logs no longer showed the process C:/Windows/logocmd.exe.

After I got back, I scanned them with the Rising antivirus software, and both were reported. It seems Rising's free online scan holds something back compared with the Rising antivirus product.

Downloaded fileinfo from http://purpleendurer.ys168.com to extract the file information, and backed up the files with the Rising Antivirus Assistant.

File description: C:/Windows/logocmd.exe
Attribute: ---
Language: Chinese (China)
File version: 1.0.0.0
Description:
Copyright:
Note:
Product Version: 1.0.0.0
Product Name:
Company Name:
Legal trademark:
Internal Name:
Source File Name:
Creation Time:
Modification time:
Access time:
Size: 34212 bytes, 33.420 KB
MD5: 97555480d38b2296f2c5aa601401b34c

Rising reports: Worm.Viking.DV

Scanned file: logow..exe - infected

logow..exe - infected by Worm.Win32.Viking.bb

Statistics:
Known viruses: 273315    Updated: 25-02-2007
File size (KB): 34       Virus bodies: 1
Files: 1                 Warnings: 0
Archives: 0              Suspicious: 0

File description: C:/Windows/rundl132.exe
Attribute: ---
Language: Chinese (China)
File version: 1.0.0.0
Description:
Copyright:
Note:
Product Version: 1.0.0.0
Product Name:
Company Name:
Legal trademark:
Internal Name:
Source File Name:
Creation Time:
Modification time:
Access time:
Size: 34212 bytes, 33.420 KB
MD5: 97555480d38b2296f2c5aa601401b34c

Rising reports: Worm.Viking.DV

Scanned file: rundl132.exe - infected

rundl132.exe - infected by Worm.Win32.Viking.bb

Statistics:
Known viruses: 273315    Updated: 25-02-2007
File size (KB): 34       Virus bodies: 1
Files: 1                 Warnings: 0
Archives: 0              Suspicious: 0

File description: C:/Windows/DLL.dll
Attribute: ---
An error occurred while obtaining the file version information!
Creation Time:
Modification time:
Access time:
Size: 27648 bytes, 27.0 KB
MD5: 2064728420cdde016ee6b85457be28f9

Rising reports: Worm.Viking.DV

Scanned file: DLL.dll - infected

DLL.dll - infected by Worm.Win32.Viking.bb

Statistics:
Known viruses: 273315    Updated: 25-02-2007
File size (KB): 27       Virus bodies: 1
Files: 1                 Warnings: 0
Archives: 0              Suspicious: 0

File description: C:/Windows/system32/ntabhor.exe
Attribute: ---
An error occurred while obtaining the file version information!
Creation Time:
Modification time: 12:12:48
Access time:
Size: 53248 bytes, 52.0 KB
MD5: 2fc49f9b2d586521af20746a33ee74a5

Scanned file: ntabhor.exe - infected

ntabhor.exe - infected by Trojan-Spy.Win32.Agent.iw

Statistics:
Known viruses: 273315    Updated: 25-02-2007
File size (KB): 52       Virus bodies: 1
Files: 1                 Warnings: 0
Archives: 0              Suspicious: 0

File description: C:/Windows/system32/dhgart37.dll
Attribute: ---
Language: English (USA)
File version: 5, 1, 2600, 2180
Description: Battery meter helper DLL
Copyright: (c) Microsoft Corporation. All rights reserved.
Note:
Product Version: 5, 1, 2600, 2180
Product Name:
Company Name: Microsoft Corporation
Legal trademark:
Internal Name:
Source File Name:
Creation Time:
Modification time:
Access time:
Size: 49152 bytes, 48.0 KB
MD5: 8306c2271f54cf73b61a5762b5a28ab0

Scanned file: dhgart37.dll - infected

dhgart37.dll - infected by Trojan-Downloader.Win32.QQHelper.mo

Statistics:
Known viruses: 273315    Updated: 25-02-2007
File size (KB): 48       Virus bodies: 1
Files: 1                 Warnings: 0
Archives: 0              Suspicious: 0

The virus name reported by Kaspersky is the same as the one reported by pandatv. It seems Kaspersky's signature database has improved considerably.

Downloaded Jiangmin's dedicated Weijin removal tool to scan and disinfect, and it found a large number of program files infected:

In earlier tests, Jiangmin's dedicated Weijin removal tool was found to miss some infections. Because of time constraints, no other tools were used to scan here.

The remaining files were deleted with the Rising Antivirus Assistant.

Used HijackThis to fix the suspicious items listed above.

Closed all programs and ran Disk Cleanup from Windows Accessories.

Incidentally, I tested the pe_xscan log analysis web page I wrote a year ago, and the results were good.
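Two things a defender would pull out of the fileinfo records above: logocmd.exe and rundl132.exe have the same size and MD5 (one sample dropped under two names), and dhgart37.dll carries Microsoft version strings copied from a battery meter helper DLL while bearing a random-looking name. The Python below is an added example, not part of the post or of the fileinfo tool; it parses records in fileinfo's layout, groups paths by MD5, and flags version-info mismatches. The sample records are trimmed, constructed copies of the post's, and the mapping from the description string to the real file name batmeter.dll is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample modelled on three of the fileinfo records in the post (fields trimmed).
SAMPLE_FILEINFO = """\
File description: C:/Windows/logocmd.exe
Language: Chinese (China)
File version: 1.0.0.0
Company Name:
Size: 34212 bytes, 33.420 KB
MD5: 97555480d38b2296f2c5aa601401b34c

File description: C:/Windows/rundl132.exe
Language: Chinese (China)
File version: 1.0.0.0
Company Name:
Size: 34212 bytes, 33.420 KB
MD5: 97555480d38b2296f2c5aa601401b34c

File description: C:/Windows/system32/dhgart37.dll
Description: Battery meter helper DLL
Copyright: (c) Microsoft Corporation. All rights reserved.
Company Name: Microsoft Corporation
Size: 49152 bytes, 48.0 KB
MD5: 8306c2271f54cf73b61a5762b5a28ab0
"""

# Assumed: version-info description strings copied from a genuine Microsoft
# component, keyed to the file name that legitimately carries them.
KNOWN_MS_DESCRIPTIONS = {"battery meter helper dll": "batmeter.dll"}

def parse_fileinfo(text):
    """Split fileinfo output into one dict per 'File description:' record (keys lower-cased)."""
    records, current = [], None
    for line in text.splitlines():
        if line.startswith("File description:"):
            current = {"path": line.split(":", 1)[1].strip()}
            records.append(current)
        elif current is not None and ":" in line:
            key, value = line.split(":", 1)   # split once: the value may itself contain ':'
            current[key.strip().lower()] = value.strip()
    return records

def group_by_md5(records):
    """Return {md5: [paths]} for hashes that appear under more than one path."""
    groups = defaultdict(list)
    for r in records:
        if r.get("md5"):
            groups[r["md5"].lower()].append(r["path"])
    return {h: paths for h, paths in groups.items() if len(paths) > 1}

def version_info_anomalies(records):
    """Flag files whose version info is borrowed from a known component or is entirely empty."""
    anomalies = []
    for r in records:
        name = re.split(r"[\\/]", r["path"])[-1].lower()
        company = r.get("company name", "")
        desc = r.get("description", "").lower()
        if "microsoft" in company.lower():
            real = KNOWN_MS_DESCRIPTIONS.get(desc)
            if real and real != name:
                anomalies.append((r["path"], f"claims Microsoft version info of {real}"))
        elif not company and not r.get("product name"):
            anomalies.append((r["path"], "no company or product name in version info"))
    return anomalies

if __name__ == "__main__":
    recs = parse_fileinfo(SAMPLE_FILEINFO)
    for md5, paths in group_by_md5(recs).items():
        print(f"identical MD5 {md5}: {', '.join(paths)}")
    for path, reason in version_info_anomalies(recs):
        print(f"{path}: {reason}")
```

Grouping by hash is what makes the logocmd.exe/rundl132.exe pair obvious at a glance, and the version-info check catches a file that borrows a Microsoft component's strings, which a company-name filter alone would wave through.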
