Encountered Trojan-PSW.Win32.OnLineGames, Trojan.PSW.Win32.Agent, Virus.Win32.AutoRun.er, etc.
Endurer original
Version 2: added the reply from Kaspersky.
Version 1
Kaspersky on a netizen's computer recently reported viruses such as:
/---
Infection: Trojan program Trojan-PSW.Win32.OnLineGames.dz C:/Windows/system32/system63qso.dll 70.2 KB
Infection: Trojan program Trojan-PSW.Win32.OnLineGames.dz C:/Windows/system32/system82qso.dll 70.2 KB
Infection: Virus Virus.Win32.AutoRun.er C:/Windows/system32/install.exe 24.5 KB
Infection: Trojan program Trojan-PSW.Win32.OnLineGames.abt C:/Windows/system32/rav008c.dat 6.4 KB
---/
Provided remote assistance through QQ.
Downloaded pe_xscan to scan and generate a log (if no program error occurs, uncheck the option to list file version information and complete the scan).
After analysis, suspicious items were found (process modules omitted):
/---
pe_xscan 07-06-23 by Purple Endurer
2007-7-17 12:50:49
Windows XP Service Pack 2 (5.1.2600)
Administrator user group
[System process] * 0
C:/Windows/system32/zeqax.dll |
C:/Windows/system32/wiytd.dll |
C:/Windows/system32/wljhj.dll |
C:/Windows/system32/hytsx.dll |
C:/Windows/system32/wlkhm.dll |
C:/Windows/system32/wkjhl.dll |
C:/Windows/EXPLORER.EXE * 1496 |
C:/Windows/system32/aetpksw.dll |
C:/Windows/system32/wkjhl.dll |
C:/Windows/system32/wlkhm.dll |
C:/Windows/system32/hytsx.dll |
C:/Windows/system32/wljhj.dll |
C:/Windows/system32/wiytd.dll |
C:/Windows/system32/zeqax.dll |
C:/Windows/system32/agent.dll |
D:/program files/Tencent/QQ/timplatform.exe * 1420 | 20:11:30
C:/Windows/system32/zeqax.dll |
C:/Windows/system32/wiytd.dll |
C:/Windows/system32/wljhj.dll |
C:/Windows/system32/hytsx.dll |
C:/Windows/system32/wlkhm.dll |
C:/Windows/system32/wkjhl.dll |
D:/program files/Tencent/QQ/qq.exe * 2072 |
C:/Windows/system32/zeqax.dll |
C:/Windows/system32/wiytd.dll |
C:/Windows/system32/wljhj.dll |
C:/Windows/system32/hytsx.dll |
C:/Windows/system32/wlkhm.dll |
C:/Windows/system32/wkjhl.dll |
O23-service: aticdsdr (aticdsdr)-C:/DOCUME~1/user/LOCALS~1/Temp/{1735A~1/atiicdxx.sys (manual)
O23-service: gwiopm (gwiopm)-f:/create a folder/gwiopm.sys | 13:59:40 (manual)
O23-service: new0 (new0)-C:/Windows/system32/New.sys | 13:10:58 (automatic)
O23-service: npkycryp (npkycryp)-C:/Windows/system32/npkycryp.sys (manual)
O23-service: remotedbg (Remote debug Service)-C:/Windows/system32/rundll32.exe remotedbg.dll, input (automatic)
O24-shlexechook: [Office]-{13bb17c5-1bab-1f85-237a-273d2b2f2f26} = C:/Windows/system32/system63qso.dll
O24-shlexechook: [Microsoft Data tools query designe]-{D8E0E3BA-D55F-4A08-8EE4-0A59E0284124} = C:/Windows/system32/agent.dll
O24-shlexechook: [Office]-{13ba17c5-1bab-1f85-237a-273d2b2f2f26} = C:/Windows/system32/system82qso.dll
---/
First download and install Rising Kaka Security Assistant. Under Advanced Functions -> Plug-in Management and Uninstall, uninstall the three O24 items.
Download freedll, bat_do and fileinfo from http://purpleendurer.ys168.com.
Use freedll to unload agent.dll and the other DLLs injected into the system processes, use fileinfo to extract file information, and use bat_do to package a backup.
Open the Registry Editor and prepare to delete the O23 items.
After the user restarted the computer, all O23 items were deleted from the registry. Deleting files such as agent.dll with bat_do failed with access denied.
Scanning again with pe_xscan and analysing the log found:
/---
O24-shlexechook: [Microsoft Data tools query designe]-{D8E0E3BA-D55F-4A08-8EE4-0A59E0284124} = C:/Windows/system32/agent.dll
---/
and that aetpksw.dll and other DLLs are injected into the system processes.
This O24 item comes back after it is removed with Kaka Security Assistant.
Add these files to bat_do, choose delayed deletion, and generate the commands for removing attributes, deleting and renaming; the commands are executed at the next startup.
Use WinRAR to delete the Windows temporary folder, the IE temporary folder, and the deletable files in C:/Windows/prefetch.
Asked the netizen to disable System Restore and restart the computer. If the DLLs cannot be cleared, use IceSword to unload the DLLs from the system processes and delete them, then use Kaka Security Assistant to remove the O24 items.
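As an added example (not part of the original post and not pe_xscan's own code), a Python script that reads a pe_xscan log like the one above and pulls out the three things the cleanup steps act on: DLLs injected into every listed process, O23 services started from a temp folder or through rundll32, and O24 ShellExecuteHooks whose display name is reused by several CLSIDs (the two [Office] entries). The embedded log is a constructed, trimmed copy of the page's excerpt, and the heuristics are assumptions of mine rather than anything pe_xscan implements.

```python
import re
# Constructed sample, trimmed from the pe_xscan log quoted on this page.
SAMPLE_LOG = """\
[System process] * 0
C:/Windows/system32/zeqax.dll |
C:/Windows/EXPLORER.EXE * 1496 |
C:/Windows/system32/aetpksw.dll |
C:/Windows/system32/zeqax.dll |
C:/Windows/system32/agent.dll |
D:/program files/Tencent/QQ/qq.exe * 2072 |
C:/Windows/system32/zeqax.dll |
O23-service: aticdsdr (aticdsdr)-C:/DOCUME~1/user/LOCALS~1/Temp/{1735A~1/atiicdxx.sys (manual)
O23-service: remotedbg (Remote debug Service)-C:/Windows/system32/rundll32.exe remotedbg.dll, input (automatic)
O24-shlexechook: [Office]-{13bb17c5-1bab-1f85-237a-273d2b2f2f26} = C:/Windows/system32/system63qso.dll
O24-shlexechook: [Microsoft Data tools query designe]-{D8E0E3BA-D55F-4A08-8EE4-0A59E0284124} = C:/Windows/system32/agent.dll
O24-shlexechook: [Office]-{13ba17c5-1bab-1f85-237a-273d2b2f2f26} = C:/Windows/system32/system82qso.dll
"""
PROC_RE = re.compile(r"^(\[System process\]|.+?\.exe) \* \d+", re.I)
O23_RE = re.compile(r"^O23-service: \S+ \((.*?)\)-(.+?)(?: \|.*?)? \((manual|automatic)\)$")
O24_RE = re.compile(r"^O24-shlexechook: \[(.*?)\]-\{(.+?)\} = (.+)$")

def parse_log(text):
    """Split a pe_xscan log into (process -> module set, O23 services, O24 hooks)."""
    procs, o23, o24, cur = {}, [], [], None
    for line in (l.strip() for l in text.splitlines()):
        if m := O23_RE.match(line):
            o23.append({"name": m[1], "path": m[2], "start": m[3]})
        elif m := O24_RE.match(line):
            o24.append({"name": m[1], "clsid": m[2].lower(), "path": m[3]})
        elif m := PROC_RE.match(line):
            cur = m[0]
            procs[cur] = set()
        elif cur and line.lower().endswith(".dll |"):
            procs[cur].add(line[:-1].strip().lower())
    return procs, o23, o24

def injected_everywhere(procs):
    """DLLs loaded into every listed process (System included): the global-hook injection pattern seen above."""
    mods = list(procs.values())
    return sorted(d for d in set().union(*mods) if all(d in m for m in mods))

def suspicious_services(o23):
    """O23 drivers started from a temp folder, or a 'service' that is just rundll32 plus a DLL."""
    return [s["path"] for s in o23 if re.search(r"[/\\]temp[/\\]|rundll32", s["path"], re.I)]

def duplicate_name_hooks(o24):
    """O24 hooks sharing one display name across several CLSIDs (the two [Office] entries)."""
    by_name = {}
    for h in o24:
        by_name.setdefault(h["name"], set()).add(h["clsid"])
    return [h["path"] for h in o24 if len(by_name[h["name"]]) > 1]
```

Hooks that trip none of the heuristics, like the agent.dll entry, still deserve a look: a ShellExecuteHook is rare enough on a workstation that every entry is worth reviewing by hand.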
Partial file information:
File description: C:/Windows/system32/aetpksw.dll
Attributes: ---
An error occurred while obtaining the file version information!
Creation time:
Modification time:
Access time:
Size: 19538 bytes, 19.82 KB
MD5: 16b524ab36cb7ef7c0a849581dce56d7
Rising: Trojan.PSW.Win32.Agent.QG
Subject: Re: aetpksw.dll [KLAB-2451058]
Sender: "" <Newvirus@kaspersky.com>
Sent at: 00:36:32
Hello,
aetpksw.dll - Trojan-PSW.Win32.OnLineGames.wy
New malicious software was found in this file. Its detection will be added in the next update. Thank you for your help.
Please quote all when answering.
--
Best regards, Denis Maslennikov
Virus analyst, Kaspersky Lab.
E-mail: newvirus@kaspersky.com
http://www.kaspersky.com/
The files
C:/Windows/system32/wkjhl.dll
C:/Windows/system32/wlkhm.dll
C:/Windows/system32/hytsx.dll
C:/Windows/system32/wiytd.dll
C:/Windows/system32/zeqax.dll
C:/Windows/system32/agent.dll
are all the same as C:/Windows/system32/aetpksw.dll.
File description: D:/test/New.sys
Attributes: ----
An error occurred while obtaining the file version information!
Creation time:
Modification time: 13:10:58
Access time:
Size: 1880 bytes, 1.856 KB
MD5: 79b0dd5f393c132f7a84b7dbf85a9f40
File: New.sys
Status: infected/malware
MD5: 79b0dd5f393c132f7a84b7dbf85a9f40
Packers detected: -
Bit9 reports: file not found
Scan taken on 17 Jul 2007 13:02:40 (GMT)
A-squared: Found nothing
AntiVir: Found CC/1000.bd
Arcavir: Found nothing
Avast: Found nothing
AVG AntiVirus: Found Generic.Ofe
BitDefender: Found nothing
ClamAV: Found nothing
Dr.Web: Found nothing
F-Prot AntiVirus: Found nothing
F-Secure Anti-Virus: Found nothing
Fortinet: Found nothing
Kaspersky Anti-Virus: Found nothing
NOD32: Found nothing
Norman Virus Control: Found nothing
Panda Antivirus: Found generic
Rising Antivirus: Found nothing
Sophos AntiVirus: Found nothing
VirusBuster: Found nothing
VBA32: Found nothing