Encountering Trojan-PSW.Win32.OnLineGames, Trojan.PSW.Win32.Agent, Virus.Win32.AutoRun.er, etc. (v2)



Endurer original
Version 2: added the reply from Kaspersky.
Version 1

Kaspersky on a netizen's computer recently reported viruses such as:
/---
Infection: Trojan program Trojan-PSW.Win32.OnLineGames.dz  C:/Windows/system32/system63qso.dll  70.2 KB
Infection: Trojan program Trojan-PSW.Win32.OnLineGames.dz  C:/Windows/system32/system82qso.dll  70.2 KB
Infection: Virus Virus.Win32.AutoRun.er  C:/Windows/system32/install.exe  24.5 KB
Infection: Trojan program Trojan-PSW.Win32.OnLineGames.abt  C:/Windows/system32/rav008c.dat  6.4 KB
---/

Remote assistance via QQ.

Download pe_xscan, run a scan and save the log. If the program errors out, untick the "list file version information" option and complete the scan.

After analysis, suspicious items are found (process modules omitted):
/---
Pe_xscan 07-06-23 by Purple endurer
2007-7-17 12:50:49
Windows XP Service Pack 2 (5.1.2600)
Administrator user group

[System process] * 0
C:/Windows/system32/zeqax.dll |
C:/Windows/system32/wiytd.dll |
C:/Windows/system32/wljhj.dll |
C:/Windows/system32/hytsx.dll |
C:/Windows/system32/wlkhm.dll |
C:/Windows/system32/wkjhl.dll |

C:/Windows/EXPLORER.EXE * 1496 |
C:/Windows/system32/aetpksw.dll |
C:/Windows/system32/wkjhl.dll |
C:/Windows/system32/wlkhm.dll |
C:/Windows/system32/hytsx.dll |
C:/Windows/system32/wljhj.dll |
C:/Windows/system32/wiytd.dll |
C:/Windows/system32/zeqax.dll |
C:/Windows/system32/agent.dll |

D:/program files/Tencent/QQ/timplatform.exe * 1420 | 20:11:30
C:/Windows/system32/zeqax.dll |
C:/Windows/system32/wiytd.dll |
C:/Windows/system32/wljhj.dll |
C:/Windows/system32/hytsx.dll |
C:/Windows/system32/wlkhm.dll |
C:/Windows/system32/wkjhl.dll |

D:/program files/Tencent/QQ/qq.exe * 2072 |
C:/Windows/system32/zeqax.dll |
C:/Windows/system32/wiytd.dll |
C:/Windows/system32/wljhj.dll |
C:/Windows/system32/hytsx.dll |
C:/Windows/system32/wlkhm.dll |
C:/Windows/system32/wkjhl.dll |

O23-service: aticdsdr (aticdsdr)-C:/docume~1/user/locals~1/temp/{1735a~1/atiicdxx.sys (manual)
O23-service: gwiopm (gwiopm)-f:/create a folder/gwiopm.sys | 13:59:40 (manual)
O23-service: new0 (new0)-C:/Windows/system32/New.sys | 13:10:58 (automatic)
O23-service: npkycryp (npkycryp)-C:/Windows/system32/npkycryp.sys (manual)
O23-service: remotedbg (Remote debug Service)-C:/Windows/system32/rundll32.exe remotedbg.dll, input (automatic)

O24-shlexechook: [Office]-{13bb17c5-1bab-1f85-237a-273d2b2f2f26} = C:/Windows/system32/system63qso.dll
O24-shlexechook: [Microsoft Data tools query designe]-{D8E0E3BA-D55F-4A08-8EE4-0A59E0284124} = C:/Windows/system32/agent.dll
O24-shlexechook: [Office]-{13ba17c5-1bab-1f85-237a-273d2b2f2f26} = C:/Windows/system32/system82qso.dll
---/
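The analysis step above (spotting the same handful of DLLs loaded into every process, services whose driver sits in a temp folder or is hosted by rundll32.exe, and O24 ShellExecuteHook DLLs that are also injected modules) can be mechanised. The parser below is an added example, not a tool from this post or from pe_xscan's author. The sample log is constructed from the entries quoted above, and the suspicion heuristics are the example's own assumptions about what made those entries stand out, not anything pe_xscan reports itself.

```python
"""Analyser for pe_xscan-style scan logs (added example, not from the post).
Assumptions: process headers look like "<image> * <pid> |", module lines end
with " |", O23/O24 lines follow the shapes quoted in the post."""
import re
from collections import defaultdict

# Constructed sample log; layout and entries mirror the scan quoted above.
SAMPLE_LOG = """\
[System process] * 0
C:/Windows/system32/zeqax.dll |
C:/Windows/system32/wiytd.dll |
C:/Windows/system32/wljhj.dll |

C:/Windows/EXPLORER.EXE * 1496 |
C:/Windows/system32/aetpksw.dll |
C:/Windows/system32/wljhj.dll |
C:/Windows/system32/wiytd.dll |
C:/Windows/system32/zeqax.dll |
C:/Windows/system32/agent.dll |

D:/program files/Tencent/QQ/qq.exe * 2072 |
C:/Windows/system32/zeqax.dll |
C:/Windows/system32/wiytd.dll |
C:/Windows/system32/wljhj.dll |

O23-service: aticdsdr (aticdsdr)-C:/docume~1/user/locals~1/temp/{1735a~1/atiicdxx.sys (manual)
O23-service: new0 (new0)-C:/Windows/system32/New.sys | 13:10:58 (automatic)
O23-service: npkycryp (npkycryp)-C:/Windows/system32/npkycryp.sys (manual)
O23-service: remotedbg (Remote debug Service)-C:/Windows/system32/rundll32.exe remotedbg.dll, input (automatic)

O24-shlexechook: [Office]-{13bb17c5-1bab-1f85-237a-273d2b2f2f26} = C:/Windows/system32/system63qso.dll
O24-shlexechook: [Microsoft Data tools query designe]-{D8E0E3BA-D55F-4A08-8EE4-0A59E0284124} = C:/Windows/system32/agent.dll
"""

# The four line shapes in the log: process header, loaded module, O23 service, O24 hook.
PROC_RE = re.compile(r"^(?P<image>.+?) \* (?P<pid>\d+)(?: \|(?: (?P<time>\d\d:\d\d:\d\d))?)?$")
MODULE_RE = re.compile(r"^(?P<path>.+?) \|$")
SERVICE_RE = re.compile(
    r"^O23-service: (?P<name>\S+) \((?P<display>[^)]*)\)-(?P<image>.*?)"
    r"(?: \| (?P<time>\d\d:\d\d:\d\d))? \((?P<start>manual|automatic)\)$")
HOOK_RE = re.compile(r"^O24-shlexechook: \[(?P<label>[^\]]*)\]-\{(?P<clsid>[0-9A-Fa-f-]+)\} = (?P<dll>.+)$")


def parse_log(text):
    """Return (processes by pid, O23 service dicts, O24 hook dicts)."""
    processes, services, hooks, current = {}, [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                      # blank line ends a process block
            current = None
            continue
        if m := SERVICE_RE.match(line):
            services.append(m.groupdict()); current = None
        elif m := HOOK_RE.match(line):
            hooks.append(m.groupdict()); current = None
        elif m := PROC_RE.match(line):
            current = {"image": m["image"], "pid": int(m["pid"]), "time": m["time"], "modules": []}
            processes[current["pid"]] = current
        elif (m := MODULE_RE.match(line)) and current is not None:
            current["modules"].append(m["path"])
    return processes, services, hooks


def module_prevalence(processes):
    """Map each module (lower-cased path) to the set of PIDs it is loaded in."""
    where = defaultdict(set)
    for pid, proc in processes.items():
        for mod in proc["modules"]:
            where[mod.lower()].add(pid)
    return where


def widely_injected(processes, min_processes=3):
    """DLLs present in at least min_processes unrelated processes: the same
    DLLs riding in Explorer, QQ and the System entry is the injection pattern."""
    return sorted(m for m, pids in module_prevalence(processes).items() if len(pids) >= min_processes)


def service_findings(services):
    """Flag O23 services whose image location, host or timestamp is out of place."""
    findings = []
    for svc in services:
        image, reasons = svc["image"].lower(), []
        if "/temp/" in image or "\\temp\\" in image:
            reasons.append("driver image stored in a temp folder")
        if "rundll32.exe" in image:
            reasons.append("service hosted by rundll32.exe")
        if svc["time"]:
            reasons.append("file modified on the scan day (timestamp present)")
        if reasons:
            findings.append((svc["name"], svc["image"], reasons))
    return findings


def hook_findings(hooks, processes):
    """Cross-reference each O24 hook DLL with the injected-module list; a hook
    DLL that is also loaded into Explorer fits the O24 entry being re-created."""
    where = module_prevalence(processes)
    return [(h["clsid"], h["dll"], sorted(where.get(h["dll"].lower(), ()))) for h in hooks]


if __name__ == "__main__":
    procs, svcs, hks = parse_log(SAMPLE_LOG)
    print("DLLs loaded into 3+ processes:", widely_injected(procs))
    for name, image, reasons in service_findings(svcs):
        print(f"O23 {name}: {image} -> {'; '.join(reasons)}")
    for clsid, dll, pids in hook_findings(hks, procs):
        print(f"O24 {{{clsid}}} {dll} -> also loaded in PIDs {pids or 'none'}")
```

Run as a script it prints the three findings lists; the prevalence threshold and the path heuristics are deliberately simple so they can be tuned against a real log, and the hook cross-reference is what points at agent.dll as the module worth unloading before the O24 entry is removed.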

First download and install Rising Kaka Security Assistant. Under Advanced Functions -> Plug-in Management and Uninstall, uninstall the three O24 items.

Download freedll, bat_do and fileinfo from http://purpleendurer.ys168.com.

Use freedll to unload agent.dll and the other DLLs injected into system processes, use fileinfo to extract file information, and use bat_do to pack a backup.

Open the Registry Editor and prepare to delete the O23 entries ~

Wait until the user restarts the computer. Delete all O23 entries in the registry. Use bat_do to delete files such as agent.dll; access is denied ~

Scan again with pe_xscan and analyse the log; it finds
/---
O24-shlexechook: [Microsoft Data tools query designe]-{D8E0E3BA-D55F-4A08-8EE4-0A59E0284124} = C:/Windows/system32/agent.dll
---/
and that aetpksw.dll and other DLLs are again injected into system processes ~

This O24 entry is reborn after being removed with Kaka Security Assistant.

Add these files to bat_do, choose delayed deletion, and generate the commands for stripping attributes, deleting and renaming; the commands are executed at the next startup.

Use WinRAR to delete the Windows temp folder, the IE temporary folder, and whatever can be deleted in C:/Windows/prefetch.

Ask the netizen to disable System Restore and restart the computer. If the DLLs cannot be cleared, use IceSword to unload the DLLs from system processes and delete them, and use Kaka Security Assistant to remove the O24 entries.

Partial file information:

File Description: C:/Windows/system32/aetpksw.dll
Attribute: ---
An error occurred while obtaining the file version information!
Creation Time:
Modification time:
Access time:
Size: 19538 bytes, 19.82 KB
MD5: 16b524ab36cb7ef7c0a849581dce56d7

Rising: Trojan.PSW.Win32.Agent.QG

Subject: Re: aetpksw.dll [KLAB-2451058]
Sender: "" <Newvirus@kaspersky.com>  Sent at: 00:36:32

Hello,
aetpksw.dll - Trojan-PSW.Win32.OnLineGames.wy
New malicious software was found in this file. Its detection will be added in the next update. Thank you for your help.
Please quote all when answering.
--
Best regards, Denis Maslennikov
Virus analyst, Kaspersky Lab.

E-mail: newvirus@kaspersky.com
http://www.kaspersky.com/

The files

C:/Windows/system32/wkjhl.dll
C:/Windows/system32/wlkhm.dll
C:/Windows/system32/hytsx.dll
C:/Windows/system32/wiytd.dll
C:/Windows/system32/zeqax.dll
C:/Windows/system32/agent.dll

are all identical to C:/Windows/system32/aetpksw.dll.

File Description: D:/test/New.sys
Attribute: ----
An error occurred while obtaining the file version information!
Creation Time:
Modification time: 13:10:58
Access time:
Size: 1880 bytes, 1.856 KB
MD5: 79b0dd5f393c132f7a84b7dbf85a9f40

File: New.sys

Status: infected/malware

MD5: 79b0dd5f393c132f7a84b7dbf85a9f40

Packers detected: -

Bit9 reports: file not found

Scan taken on 17 Jul 2007 13:02:40 (GMT)
A-squared Found nothing
AntiVir Found CC/1000.bd
Arcavir Found nothing
Avast Found nothing
AVG AntiVirus Found Generic.Ofe
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot AntiVirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found generic
Rising Antivirus Found nothing
Sophos AntiVirus Found nothing
Virusbuster Found nothing
Vba32 Found nothing

 
