Endurer original
2006-11-17, version 1
A netizen's computer was found to be infected with the Gray Pigeon backdoor over the past two days.
The following suspicious items appear in the HijackThis log the user sent:
/-------
O2 - BHO: Java class - {38ce3843-4420-4aa8-a129-f9e771b4561b} - C:\Windows\Java\classes\java.dll
O20 - AppInit_DLLs: kernel32.sys
-------/
Checking C:\Documents and Settings\user\Local Settings\Temp with WinRAR turns up:
/-------------------------------
emtv.com (Kaspersky reports Trojan-Downloader.Win32.Delf.awr)
iomonkey.sys
(The services in the HijackThis StartupList include:
iomonkey: \??\C:\DOCUME~1\user\LOCALS~1\Temp\iomonkey.sys (manual start)
This entry shows up in the registry but not in IceSword 1.20, Chinese version.)
mcbrar.exe (Kaspersky reports Trojan-Dropper.Win32.Small.atu)
mccrar.exe
mcrar.exe (Kaspersky reports Backdoor.Win32.Snooperyb.b)
mywl.dll (Kaspersky reports Trojan-PSW.Win32.Agent.ja)
NPF.sys
Packet.dll
stdwin.dll (Kaspersky reports Backdoor.Win32.Snooperyb.b)
vbr5dnt.dll
WanPacket.dll
win1268.exe
win2232.exe
-------------------------------/
C:\Windows\system32:
/-------------------------------
java.dll (Kaspersky reports Worm.Win32.Agent.o)
kernel32.sys (Kaspersky reports Worm.Win32.Agent.o)
mfc48.dll (Kaspersky reports Worm.Win32.Agent.o)
mswdm.exe
svvosts.exe (Kaspersky reports Trojan-PSW.Win32.Agent.ja)
-------------------------------/
For an analysis of java.dll and kernel32.sys, see:
http://de.trendmicro-europe.com/enterprise/vinfo/encyclopedia.php?LYstr=VMAINDATA&vNav=3&VName=WORM_AGENT.FZW
It does not mention mfc48.dll, however.
Pack these files into a backup archive, then delete them.
The HijackThis StartupList also shows:
/-------------------------------
Windows NT 'wininit.ini':
PendingFileRenameOperations: C:\Program Files\Common Files\Microsoft Shared\MSInfo\sysinfo.tmp => C:\Program Files\Common Files\Microsoft Shared\MSInfo\sysinfo.wmp |\
-------------------------------/
This appears to be a QQ account stealer.
Use WinRAR to check C:\Program Files\Common Files\Microsoft Shared\MSInfo. If the following files exist:
/-------------------------------
sysinfo.dll
sysinfo.tmp
sysinfo.wmp
-------------------------------/
back them up into an archive as well, then delete them.
The following repair steps are best carried out in safe mode.
(For the relevant methods, see the [System Recovery series] basic operation index: http://endurer.blogchina.com/2591241.html)
Restart the computer into safe mode.
Disable System Restore.
Use HijackThis to fix the items listed above.
Use HijackThis to delete the system service iomonkey. If HijackThis cannot delete it, delete it directly in the registry.
Clear the IE temporary folder, the system temporary folder, and the C:\Windows\Prefetch folder.