Continued: the scvhsot.exe process and startup item found on a netizen's computer.


Endurer original, 1st version, 2006-12-31

Today I gave a netizen remote assistance over QQ.

Previous post: the scvhsot.exe process and startup item found on a netizen's computer
http://blog.csdn.net/Purpleendurer/archive/2006/12/30/1469853.aspx
http://endurer.bokee.com/6002927.html

On the netizen's machine, pe_xscan was run and the following suspicious items were found in its log:

/============
pe_xscan by Purple Endurer
2006-12-31 8:49:22
Windows XP Service Pack 2 (5.1.2600)
Non-administrator user group

C:/program files/Symantec AntiVirus/defwatch.exe * 1772
C:/Windows/system32/WBEM/gubvq.dll
11:33:53
Productname: irjit
Productversion: 5, 1, 2600, 2709
Filedescription: Microsoft irjit Module
Legalcopyright: (c) Microsoft Corporation. All rights reserved.
Fileversion: 5, 1, 2600, 2709
CompanyName: Microsoft Corporation
Legaltrademarks:
Internalname: irjit
Originalfilename: irjit.dll

D:/GGGG/Lyl/Installation File/Tencent/QQ/qq.exe * 1252
C:/Windows/system32/WBEM/gubvq.dll
11:33:53
Productname: irjit
Productversion: 5, 1, 2600, 2709
Filedescription: Microsoft irjit Module
Legalcopyright: (c) Microsoft Corporation. All rights reserved.
Fileversion: 5, 1, 2600, 2709
CompanyName: Microsoft Corporation
Legaltrademarks:
Internalname: irjit
Originalfilename: irjit.dll

C:/program files/Internet Explorer/iexplore.exe * 2336
C:/program files/common files/cpush.dll *
Productname:
Productversion: 1.0.2.0
Filedescription:
Legalcopyright:
Fileversion: 1.0.2.0
CompanyName:
Legaltrademarks:
Internalname: cpush.dll
Originalfilename: cpush.dll
C:/Windows/system32/scintruder.dll *

O2 - BHO: cadlogic object - {11f09afd-75ad-4e51-ab43-e09e9351ce16} - C:/program files/common files/cpush.dll

O2 - BHO: winsc class - {9aceee31-1440-471b-aa46-72b061fe7d61} - C:/Windows/system32/scintruder.dll

O4 - HKLM/../Run: [qqkav] C:/Windows/system32/scvhsot.exe

D:/autorun.inf
/-----
[Autorun]
open=sss.exe
shellexecute=sss.exe
shell\Auto\command=sss.exe
-----/
E:/autorun.inf
/-----
[Autorun]
open=sss.exe
shellexecute=sss.exe
shell\Auto\command=sss.exe
-----/

O23 - Service: 00007696 (00007696) - system32/Drivers/ipv7696.sys (driver)

O23 - Service: apzgvz94 (apzgvz94) - system32/Drivers/apzgvz94.sys (driver)

O23 - Service: djbicdib (djbicdib) - system32/Drivers/djbicdib.sys (driver)

O23 - Service: ldomane (Windows install helper) - C:/Windows/system32/rundll32.exe C:/Windows/system32/WBEM/gubvq.dll, export 1087 (auto start)
=============/

The pe_xscan used was not the latest version, so the log format is not great -_-!

The netizen had already terminated the scvhsot.exe process with Task Manager.

Downloaded bat_do and fileinfo from http://purpleendurer.ys168.com.

Used fileinfo to extract the file information below; bat_do packs the files into a backup archive and then deletes them. A file that cannot be deleted now is scheduled for deletion at the next startup.

File: C:/Windows/system32/scintruder.dll
Attributes: ---
An error occurred while obtaining the file version information!
Creation time: 8:39:46
Modification time:
Access time:
Size: 105984 bytes, 103.512 KB
MD5: 8b6fa712a16e3d617b9a65e09e1800cf

File: C:/Windows/system32/scvhsot.exe
Attributes: ashr
An error occurred while obtaining the file version information!
Creation time: 21:34:38
Modification time: 21:34:38
Access time:
Size: 37376 bytes, 36.512 KB
MD5: 246cc5b5932f1be326a8fdc8478cb315

Judging by the MD5 value, this scvhsot.exe is a new variant of the one recorded in

Trojan.DL.Multi.wfg (sss.exe, scvhost.exe)
http://endurer.bokee.com/5980310.html
http://blog.csdn.net/Purpleendurer/archive/2006/12/22/1454383.aspx

Kaspersky 6.0 with the 13:08:50 virus database cannot detect or remove it.

Due to time constraints, the files listed under the O23 services were not collected.

Used WinRAR to inspect every hard disk partition from drive D onward and deleted autorun.inf and sss.exe from each.
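The last step above (walking every partition root, finding autorun.inf and the program it launches) can be scripted. The following is an added example written for this post; it is not pe_xscan, fileinfo, bat_do or any other tool of the original author. It parses the [autorun] launch keys seen in the log (open, shellexecute, shell\...\command), resolves the referenced program on that drive, computes its MD5, prints its attribute letters the way fileinfo does, and compares the hash with the two MD5 values recorded above. The drive-letter scan only does anything on Windows; elsewhere the script builds a constructed demo root in a temporary directory with the autorun.inf from the log and a placeholder sss.exe (the bytes "abc", not real malware).

```python
"""Added example: find autorun.inf launch entries on drive roots, hash the
programs they reference and compare with the MD5 values recorded in the post."""
import hashlib
import os
import re
import string
import tempfile

# MD5 values taken from the fileinfo output in this post
KNOWN_BAD_MD5 = {
    "246cc5b5932f1be326a8fdc8478cb315": "scvhsot.exe (this post)",
    "8b6fa712a16e3d617b9a65e09e1800cf": "scintruder.dll (this post)",
}

# [autorun] keys that make Explorer run a program when the drive is opened
LAUNCH_KEY = re.compile(
    r"^(open|shellexecute|shell\\[^\\=]+\\command)\s*=\s*(.+?)\s*$", re.IGNORECASE
)

# Windows file-attribute bits (Microsoft-documented values), printed the
# way fileinfo shows them: a=archive s=system h=hidden r=read-only
ATTR_BITS = (("a", 0x20), ("s", 0x4), ("h", 0x2), ("r", 0x1))


def parse_autorun(text):
    """Return [(key, command), ...] for every launch key in the [autorun] section."""
    found, in_autorun = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        m = LAUNCH_KEY.match(line) if in_autorun else None
        if m:
            found.append((m.group(1).lower(), m.group(2)))
    return found


def md5_of(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def attr_string(path):
    """'ashr'-style attribute letters; empty on file systems without these bits."""
    bits = getattr(os.stat(path), "st_file_attributes", 0)
    return "".join(letter for letter, bit in ATTR_BITS if bits & bit)


def inspect_root(root):
    """Resolve every program autorun.inf in `root` would launch and hash it."""
    inf = os.path.join(root, "autorun.inf")
    if not os.path.isfile(inf):
        return []
    with open(inf, encoding="latin-1", errors="replace") as f:
        entries = parse_autorun(f.read())
    findings = []
    for key, command in entries:
        exe = command.split()[0].strip('"')  # the program is the first token
        path = exe if os.path.isabs(exe) else os.path.join(root, exe)
        item = {"key": key, "command": command, "path": path,
                "exists": os.path.isfile(path)}
        if item["exists"]:
            item["md5"] = md5_of(path)
            item["attrs"] = attr_string(path)
            item["known_bad"] = KNOWN_BAD_MD5.get(item["md5"])
        findings.append(item)
    return findings


def drive_roots(start="D"):
    """Existing drive roots from `start` upward (Windows only); empty elsewhere."""
    letters = string.ascii_uppercase[string.ascii_uppercase.index(start):]
    return [f"{c}:\\" for c in letters if os.path.isdir(f"{c}:\\")]


def build_demo_root():
    """Constructed sample: a fake drive root holding the autorun.inf from the
    log and a placeholder sss.exe containing the bytes 'abc' (not malware)."""
    root = tempfile.mkdtemp(prefix="autorun_demo_")
    with open(os.path.join(root, "autorun.inf"), "w") as f:
        f.write("[Autorun]\nopen=sss.exe\nshellexecute=sss.exe\n"
                "shell\\Auto\\command=sss.exe\n")
    with open(os.path.join(root, "sss.exe"), "wb") as f:
        f.write(b"abc")
    return root


if __name__ == "__main__":
    for root in drive_roots() or [build_demo_root()]:
        for item in inspect_root(root):
            print(root, item)
```

The script only reports; it does not delete anything. Matching by MD5 is exact, so a new variant (as happened here) will show `known_bad: None` while still being listed as a program launched from autorun.inf, which is the finding that matters.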
