Windows update.exe/trojan.win32.autoit.fc,se .exe/adware. win32.undef. Eko

Windows update.exe/trojan.win32.autoit.fc,se .exe/adware. win32.undef. Eko

 

Original endurer
Version 1st

 

A friend's computer has encountered a strange problem recently. Please help me with the repair.

After opening the computer and entering the Windows desktop, I felt that the computer was very stuck. Apart from the Super patrol window, opening other windows seemed to be constantly switching between the front-end program and the background program, difficult to operate.

Open the task manager, check the CPU usage of the process, and find that the CPU usage is 100%, of which Windows update.exe occupies about 70%.

Restart your computer to "safe mode with command line prompts", run pe_xscan to scan logs and analyze the logs, and find the following suspicious items:

 

 

Pe_xscan 09-04-28 by Purple endurer

Windows XP Service Pack 3 (5.1.2600)
MSIE: 6.0.2900.5512
Administrator user group
Security Mode with command line prompt

F2-Reg: system. ini: userinit = <C:/Windows/system32/userinit.exe, C:/Windows/system32/Windows update.exe>

O30-ieopenhomepage = "C:/program files/Internet Explorer/iyune.exe" hxxp: // www.52 ** 4 * 16.com

 

In addition, the "C:/" and "WMP" icons of the love seader .exe and WMP are found to be suspicious.

Use fileinfo to extract file information and use bat_do to package and delete the backup.

 

Use hijackthis to fix F2.

 

O30 indicates that

 

[Hkey_classes_root/CLSID/{871c5316-42a0-1069-a2ea-08002b30309d}/Shell/openhomepage/command,

 

The value is modified, and you can manually remove the following URL.

 

 

Attachment: malicious program file information

 

 

File Description: C:/Windows/system32/Windows update.exe
Attribute: ---
Digital Signature: No
PE file: Yes
Language: Chinese (China)
File version: 1.0
Note: Windows Update
Copyright: http://www.microsoft.com/
Note: Windows Update
Creation Time:
Modification time: 2:41:14
Size: 325939 bytes, 318.307 KB
MD5: 422221553bcd2e13641519068973b69a
Sha1: f56611d1be5e7ab17b3f3a9d7997d153aabe34fc
CRC32: 457d6ebf

 

File windows_update.exe.del received at 08:16:07 (CET)

 

Anti-Virus engine	Version	Last update	Scan results
A-squared	4.0.0.101	2009.05.19	Malwarrent. backdoor. hupigon.3! Ik
AhnLab-V3	5.0.0.2	2009.05.19	-
AntiVir	7.9.0.168	2009.05.19	TR/crypt. CFI. gen
Antiy-AVL	2.0.3.1	2009.05.18	Trojan/win32.startpage
Authentium	5.1.2.4	2009.05.19	-
Avast	4.8.1335.0	2009.05.18	-
AVG	8.5.0.336	2009.05.18	-
BitDefender	7.2	2009.05.19	-
Cat-quickheal	10.00	2009.05.15	Trojan. Agent. ATV
ClamAV	0.94.1	2009.05.19	-
Comodo	1157	2009.05.08	-
Drweb	5.0.0.12182	2009.05.19	-
Esafe	7.0.20.	2009.05.18	Suspicious File
ETrust-vet	31.6.20.9	2009.05.18	-
F-Prot	4.4.4.56	2009.05.18	-
F-Secure	8.0.14470.0	2009.05.19	-
Fortinet	3.117.0.0	2009.05.18	-
Gdata	19	2009.05.19	-
Ikarus	T3.1.1.49.0	2009.05.19	Malwarw.backdoor. hupigon.3
K7antivirus	7.10.737	2009.05.16	-
Kaspersky	7.0.0.125	2009.05.19	-
McAfee	5619	2009.05.18	-
McAfee + Artemis	5619	2009.05.18	-
McAfee-GW-Edition	6.7.6	2009.05.19	Trojan. crypt. CFI. gen
Microsoft	1.4602	2009.05.19	-
NOD32	4085	2009.05.19	-
Norman	6.01.05	2009.05.18	Smalltroj. lzea
Nprotect	2009.1.8.0	2009.05.19	-
Panda	10.0.0.14	2009.05.18	BCK/agent. LQR
Pctools	4.4.2.0	2009.05.18	-
Prevx	3.0	2009.05.19	-
Rising	21.30.10.00	2009.05.19	Trojan. win32.autoit. FC
Sophos	4.41.0	2009.05.19	-
Sunbelt	3.2.1858.2	2009.05.18	-
Symantec	1.4.4.12	2009.05.19	-
Thehacker	6.3.4.1.327	2009.05.19	-
TrendMicro	8.950.0.1092	2009.05.19	-
ViRobot	2009.5.19.1740	2009.05.19	-
Virusbuster	4.6.5.0	2009.05.18	-

 

Additional information
File Size: 325939 bytes
Md5.....: 422221553bcd2e13642519068973b69a
Sha1..: f56611d1be5e7ab17b3f3a9d7997d153aabe34fc
Sha256: sha256
Sha512: sha512 Bytes
Ssdeep: 6144: plz/zumu4pdsxscmrzf7x3sfs1jazxbtl76wf6lss34yrwv: phlumuiv9rg Fsjazrt7fcpju
Peid ..: UPX 2.90 [lzma]-> Markus oberhumer, Laszlo Molnar & John Reiser
TRID...: file type identification UPX compressed Win32 executable (43.8%) Win32 EXE Yoda's crypter (38.1%) Win32 executable generic (12.2%) Generic win/DOS executable (2.8%) DOS executable generic (2.8%)
Peinfo: PE Structure Information (Base data) Entrypointaddress.: 0xab0e0 Timedatestamp...: 0x4951fa17 (Wed Dec 24 09:00:07 2008) Machinetype ......: 0x14c (i386) (3 sections) Name viradd virsiz rawdsiz ntrpy MD5 Upx0 0x1000 0x6b000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e Upx1 0x6c000 0x40000 0x3f400 7.93 e946dee236b5ce856d3776cb75eea917 . Rsrc 0xac000 0x5000 0x4e00 5.26 cb3d8421caed79623919b9748aef2c6 (16 imports) > Kernel32.dll: loadlibrarya, getprocaddress, virtualprotect, virtualalloc, virtualfree, exitprocess > Advapi32.dll: addace > Comctl32.dll: imagelist_remove > Comdlg32.dll: getsavefilenamew > Gdi32.dll: bitblt > Send. dll: wnetgetconnectionw > Ole32.dll: coinitialize > Oleaut32.dll :- > Psapi. dll: enumprocesses > Shell32.dll: dragfinish > User32.dll: getdc > Userenv. dll: loaduserprofilew > Version. dll: verqueryvaluew > Wininet. dll: ftpopenfilew > Winmm. dll: timegettime > Wsock32.dll :- (0 exports)
Upload ID .:-
RDS...: NSL reference data set -
Packers (Kaspersky): pe_patch.upx, UPX
Packers (F-Prot): UPX       Subject: Re: 422221553bcd2e13642619068973b69a --- windows update.exe [KLAN-30650641] Sender: newvirus@kaspersky.com Date: 16:33:44 Hello, Windowsupdate.exe _. UNP-Trojan-Downloader.Win32.Agent.bydr New malicious software was found in this file. It's detection will be added in the next update. Thank you for your help. Please quote all when answering. -- Best regards, Pavel FIRSOV Virus analyst, Kaspersky Lab. E-mail: newvirus@kaspersky.com Http://www.kaspersky.com/ Http://www.kaspersky.com/virusscanner-free online virus testing. Http://www.kaspersky.com/helpdesk.html-technical support.

 

File Description: C:/sese.exe .exe
Attribute: ---
Digital Signature: No
PE file: Yes
Language: Chinese (China)
File version: 1.0.0.0
Note: Movie players
Copyright: movie player
Remarks: movie player
Creation Time: 19:56:51
Modification time:
Size: 327051 bytes, 319.395 KB
MD5: 110230c200611c32ed417b9fec1e6076
Sha1: 5481afa2bedd051d70f39de1fa0060f507a0345f
CRC32: 7ac87b88

 

File _____________ .exe. Del received at 08:27:22 (CET)

 

Anti-Virus engine	Version	Last update	Scan results
A-squared	4.0.0.101	2009.05.19	Trojan. agentmb! Ik
AhnLab-V3	5.0.0.2	2009.05.19	-
AntiVir	7.9.0.168	2009.05.19	TR/crypt. CFI. gen
Antiy-AVL	2.0.3.1	2009.05.18	-
Authentium	5.1.2.4	2009.05.19	-
Avast	4.8.1335.0	2009.05.18	Win32: crypt-Doc
AVG	8.5.0.336	2009.05.18	-
BitDefender	7.2	2009.05.19	GEN: Trojan. heur.3106677233
Cat-quickheal	10.00	2009.05.15	Trojan. Agent. ATV
ClamAV	0.94.1	2009.05.19	-
Comodo	1157	2009.05.08	-
Drweb	5.0.0.12182	2009.05.19	-
Esafe	7.0.20.	2009.05.18	Suspicious File
ETrust-vet	31.6.20.9	2009.05.18	-
F-Prot	4.4.4.56	2009.05.18	-
F-Secure	8.0.14470.0	2009.05.19	-
Fortinet	3.117.0.0	2009.05.18	-
Gdata	19	2009.05.19	GEN: Trojan. heur.3106677233
Ikarus	T3.1.1.49.0	2009.05.19	Trojan. agentmb
K7antivirus	7.10.737	2009.05.16	-
Kaspersky	7.0.0.125	2009.05.19	-
McAfee	5619	2009.05.18	-
McAfee + Artemis	5619	2009.05.18	-
McAfee-GW-Edition	6.7.6	2009.05.19	Trojan. crypt. CFI. gen
Microsoft	1.4602	2009.05.19	-
NOD32	4085	2009.05.19	-
Norman	6.01.05	2009.05.18	Smalltroj. lqvy
Nprotect	2009.1.8.0	2009.05.19	-
Panda	10.0.0.14	2009.05.18	-
Pctools	4.4.2.0	2009.05.18	-
Prevx	3.0	2009.05.19	Medium risk malware
Rising	21.30.10.00	2009.05.19	Adware. win32.undef. Eko
Sophos	4.41.0	2009.05.19	-
Sunbelt	3.2.1858.2	2009.05.18	-
Symantec	1.4.4.12	2009.05.19	Downloader
Thehacker	6.3.4.1.327	2009.05.19	-
TrendMicro	8.950.0.1092	2009.05.19	-
Vba32	3.12.10.5	2009.05.19	-
ViRobot	2009.5.19.1740	2009.05.19	-
Virusbuster	4.6.5.0	2009.05.18	-

 

Additional information
File Size: 327051 bytes
Md5.....: 110230c200611c32ed417b9fec1e6076
Sha1..: 5481afa2bedd051d70f39de1fa0060f507a0345f
Sha256: f6bfe2e9e5c2a3dd29c9aa622b0c8723922a0df012b4772b7aab8721ab76a370
Sha512: sha512 7fa584f7228677d2c6029d7abd3161743a1cef31556b697d857a73c63420a269
Ssdeep: 6144: plz/zumu4pdsxscmrzf7x3sfs1jazxbtl76wq0qaplibdi: phlumuiv9rgf Sjazrt74bw
Peid ..: UPX 2.90 [lzma]-> Markus oberhumer, Laszlo Molnar & John Reiser
TRID...: file type identification UPX compressed Win32 executable (43.8%) Win32 EXE Yoda's crypter (38.1%) Win32 executable generic (12.2%) Generic win/DOS executable (2.8%) DOS executable generic (2.8%)
Peinfo: PE Structure Information (Base data) Entrypointaddress.: 0xae0e0 Timedatestamp...: 0x4951fa17 (Wed Dec 24 09:00:07 2008) Machinetype ......: 0x14c (i386) (3 sections) Name viradd virsiz rawdsiz ntrpy MD5 Upx0 0x1000 0x6e000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e Upx1 0x6f000 0x40000 0x3f400 7.93 1de6866c729aedc69f7e1b0f019b0210 . Rsrc 0xaf000 0x8000 0x7600 5.78 eda-ca9f0d06f723c60cb7833d91f99a (16 imports) > Kernel32.dll: loadlibrarya, getprocaddress, virtualprotect, virtualalloc, virtualfree, exitprocess > Advapi32.dll: addace > Comctl32.dll: imagelist_remove > Comdlg32.dll: getsavefilenamew > Gdi32.dll: bitblt > Send. dll: wnetgetconnectionw > Ole32.dll: coinitialize > Oleaut32.dll :- > Psapi. dll: enumprocesses > Shell32.dll: dragfinish > User32.dll: getdc > Userenv. dll: loaduserprofilew > Version. dll: verqueryvaluew > Wininet. dll: ftpopenfilew > Winmm. dll: timegettime > Wsock32.dll :- (0 exports)
Upload ID .:-
RDS...: NSL reference data set -
Packers (Kaspersky): pe_patch.upx, UPX
<A href = 'HTTP: // info.prevx.com/aboutprogramtext.asp? Px5 = bd2da-b38bd33d88fda604cbf58d55006644a0d9 'target = '_ blank'> http://info.prevx.com/aboutprogramtext.asp? Px5 = bd2da-b38bd33d88fda604cbf58d55006644a0d9 </a>
Packers (F-Prot): UPX