Windows update.exe / Trojan.Win32.Autoit.FC, sese.exe / Adware.Win32.Undef.Eko

Tags: crc32, crypt


 

Original: Purple Endurer
Version: 1

 

A friend's computer has run into a strange problem recently, and I was asked to help repair it.

After powering on and reaching the Windows desktop, the computer felt extremely sluggish. Apart from the Super patrol window, any other window I opened seemed to keep switching between the foreground and background programs, which made it hard to operate.

I opened Task Manager and checked per-process CPU usage: total CPU usage was 100%, of which Windows update.exe accounted for about 70%.

I restarted the computer into "Safe Mode with Command Prompt", ran pe_xscan to produce a scan log, and on analysing the log found the following suspicious items:

 

 

Pe_xscan 09-04-28 by Purple endurer

Windows XP Service Pack 3 (5.1.2600)
MSIE: 6.0.2900.5512
Administrator user group
Safe Mode with Command Prompt

F2-Reg: system.ini: userinit = <C:/Windows/system32/userinit.exe, C:/Windows/system32/Windows update.exe>

O30-ieopenhomepage = "C:/program files/Internet Explorer/iyune.exe" hxxp://www.52**4*16.com

 

In addition, C:/sese.exe, which carries a WMP (Windows Media Player) icon, was found to be suspicious.

I used fileinfo to extract the file information, then used bat_do to back the files up into an archive and delete them.

 

I used HijackThis to fix the F2 item.

 

The O30 item indicates that the value of HKEY_CLASSES_ROOT/CLSID/{871c5316-42a0-1069-a2ea-08002b30309d}/Shell/OpenHomePage/Command (the command run when the Internet Explorer desktop icon is opened) has been modified; the appended URL can be removed by hand.
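The two persistence points found above, the Winlogon Userinit list (HijackThis F2, which maps the legacy system.ini entry onto the registry) and the OpenHomePage command of the Internet Explorer desktop-icon CLSID (O30), can be checked without running a full scanner. The script below is an added example written for this page, not pe_xscan, HijackThis or any tool the author used. It parses log lines in the style shown above and, when run on Windows, reads the two live registry values and feeds them through the same checks. The sample log lines are constructed to mirror the findings above (with the page's masked URL kept as-is), the expected userinit.exe path assumes a default 32-bit Windows XP install, and the benign command in the sample is assumed to be iexplore.exe.

```python
import re
import sys

# Assumption: default 32-bit Windows XP install path; adjust for other layouts.
EXPECTED_USERINIT = {r"c:\windows\system32\userinit.exe"}
# IE desktop-icon CLSID from the pe_xscan O30 line; the stock command is only iexplore.exe.
IE_ICON_OPENHOMEPAGE = r"CLSID\{871C5316-42A0-1069-A2EA-08002B30309D}\Shell\OpenHomePage\Command"
WINLOGON = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
URL_RE = re.compile(r"\bh(?:tt|xx)ps?://\S+", re.IGNORECASE)

# Constructed sample log, modelled on the pe_xscan output above (not the real log file).
SAMPLE_LOG = [
    "F2-Reg: system.ini: userinit = <C:/Windows/system32/userinit.exe, C:/Windows/system32/Windows update.exe>",
    'O30-ieopenhomepage = "C:/program files/Internet Explorer/iexplore.exe" hxxp://www.52**4*16.com',
    "O4-HKLM\\..\\Run: [ctfmon.exe] C:/Windows/system32/ctfmon.exe",
]


def _norm(path):
    return path.strip().strip('"').replace("/", "\\").lower()


def parse_userinit(value):
    """Split a Winlogon Userinit value (HijackThis F2) and return every entry that is
    not the stock userinit.exe. Malware appends ',<dropper>' so Winlogon starts it on
    each logon; the trailing comma of a clean value is ignored."""
    entries = [_norm(e) for e in value.split(",") if e.strip()]
    return [e for e in entries if e not in EXPECTED_USERINIT]


def check_openhomepage(command):
    """Return (hijacked, reason) for the OpenHomePage command of the IE desktop icon
    (HijackThis O30). Anything besides a bare path to iexplore.exe, typically an
    appended URL that becomes the forced start page, counts as a hijack."""
    cmd = command.strip()
    if not cmd:
        return True, "empty command"
    urls = URL_RE.findall(cmd)
    if urls:
        return True, "extra URL argument: " + urls[0]
    exe = cmd.split('"')[1] if cmd.startswith('"') else cmd.split()[0]
    if not _norm(exe).endswith("\\iexplore.exe"):
        return True, "unexpected executable: " + exe
    return False, "ok"


def scan_log(lines):
    """Walk pe_xscan/HijackThis-style log lines and return (item, finding) pairs."""
    findings = []
    for line in lines:
        m = re.match(r"F2-Reg:\s*system\.ini:\s*userinit\s*=\s*<?(.*?)>?\s*$", line, re.I)
        if m:
            for extra in parse_userinit(m.group(1)):
                findings.append(("F2", "Userinit launches extra program: " + extra))
            continue
        m = re.match(r"O30-ieopenhomepage\s*=\s*(.*)$", line, re.I)
        if m:
            hijacked, reason = check_openhomepage(m.group(1))
            if hijacked:
                findings.append(("O30", "IE OpenHomePage command hijacked: " + reason))
    return findings


def registry_lines():
    """Read the two values from the live registry (Windows only; assumption: run with
    admin rights) and return them in the same log format so scan_log() can check them."""
    if sys.platform != "win32":
        return []
    import winreg
    lines = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON) as k:
        lines.append("F2-Reg: system.ini: userinit = <%s>" % winreg.QueryValueEx(k, "Userinit")[0])
    with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, IE_ICON_OPENHOMEPAGE) as k:
        lines.append("O30-ieopenhomepage = %s" % winreg.QueryValueEx(k, "")[0])
    return lines


if __name__ == "__main__":
    for item, finding in scan_log(registry_lines() or SAMPLE_LOG):
        print(item, finding)
```

On a non-Windows host the script only runs the constructed sample through the checks; on the infected XP box it would report the extra Userinit entry and the URL appended to the icon command, which are exactly the two items fixed above.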

 

 

Attachment: malicious program file information

 

 

File Description: C:/Windows/system32/Windows update.exe
Attribute: ---
Digital Signature: No
PE file: Yes
Language: Chinese (China)
File version: 1.0
Note: Windows Update
Copyright: http://www.microsoft.com/
Remarks: Windows Update
Creation Time:
Modification time: 2:41:14
Size: 325939 bytes, 318.307 KB
MD5: 422221553bcd2e13641519068973b69a
SHA1: f56611d1be5e7ab17b3f3a9d7997d153aabe34fc
CRC32: 457d6ebf

 

File windows_update.exe.del received at 08:16:07 (CET)

 

Anti-Virus        Version          Last update  Scan result
a-squared         4.0.0.101        2009.05.19   Malwarrent.Backdoor.Hupigon.3!IK
AhnLab-V3         5.0.0.2          2009.05.19   -
AntiVir           7.9.0.168        2009.05.19   TR/Crypt.CFI.Gen
Antiy-AVL         2.0.3.1          2009.05.18   Trojan/Win32.StartPage
Authentium        5.1.2.4          2009.05.19   -
Avast             4.8.1335.0       2009.05.18   -
AVG               8.5.0.336        2009.05.18   -
BitDefender       7.2              2009.05.19   -
CAT-QuickHeal     10.00            2009.05.15   Trojan.Agent.ATV
ClamAV            0.94.1           2009.05.19   -
Comodo            1157             2009.05.08   -
DrWeb             5.0.0.12182      2009.05.19   -
eSafe             7.0.20.          2009.05.18   Suspicious File
eTrust-Vet        31.6.20.9        2009.05.18   -
F-Prot            4.4.4.56         2009.05.18   -
F-Secure          8.0.14470.0      2009.05.19   -
Fortinet          3.117.0.0        2009.05.18   -
GData             19               2009.05.19   -
Ikarus            T3.1.1.49.0      2009.05.19   Malwarw.Backdoor.Hupigon.3
K7AntiVirus       7.10.737         2009.05.16   -
Kaspersky         7.0.0.125        2009.05.19   -
McAfee            5619             2009.05.18   -
McAfee+Artemis    5619             2009.05.18   -
McAfee-GW-Edition 6.7.6            2009.05.19   Trojan.Crypt.CFI.Gen
Microsoft         1.4602           2009.05.19   -
NOD32             4085             2009.05.19   -
Norman            6.01.05          2009.05.18   Smalltroj.LZEA
nProtect          2009.1.8.0       2009.05.19   -
Panda             10.0.0.14        2009.05.18   Bck/Agent.LQR
PCTools           4.4.2.0          2009.05.18   -
Prevx             3.0              2009.05.19   -
Rising            21.30.10.00      2009.05.19   Trojan.Win32.Autoit.FC
Sophos            4.41.0           2009.05.19   -
Sunbelt           3.2.1858.2       2009.05.18   -
Symantec          1.4.4.12         2009.05.19   -
TheHacker         6.3.4.1.327      2009.05.19   -
TrendMicro        8.950.0.1092     2009.05.19   -
ViRobot           2009.5.19.1740   2009.05.19   -
VirusBuster       4.6.5.0          2009.05.18   -

 

Additional information
File Size: 325939 bytes
MD5: 422221553bcd2e13642519068973b69a
SHA1: f56611d1be5e7ab17b3f3a9d7997d153aabe34fc
ssdeep: 6144:plz/zumu4pdsxscmrzf7x3sfs1jazxbtl76wf6lss34yrwv:phlumuiv9rgFsjazrt7fcpju
PEiD: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
TrID (file type identification):
  UPX compressed Win32 executable (43.8%)
  Win32 EXE Yoda's Crypter (38.1%)
  Win32 executable generic (12.2%)
  Generic Win/DOS executable (2.8%)
  DOS executable generic (2.8%)
PEInfo: PE structure information

(Base data)
EntryPointAddress: 0xab0e0
TimeDateStamp: 0x4951fa17 (Wed Dec 24 09:00:07 2008)
MachineType: 0x14c (i386)

(3 sections)
Name   VirtAddr  VirtSize  RawSize  Entropy  MD5
UPX0   0x1000    0x6b000   0x0      0.00     d41d8cd98f00b204e9800998ecf8427e
UPX1   0x6c000   0x40000   0x3f400  7.93     e946dee236b5ce856d3776cb75eea917
.rsrc  0xac000   0x5000    0x4e00   5.26     cb3d8421caed79623919b9748aef2c6

(16 imports)
> Kernel32.dll: LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
> Advapi32.dll: AddAce
> Comctl32.dll: ImageList_Remove
> Comdlg32.dll: GetSaveFileNameW
> Gdi32.dll: BitBlt
> Mpr.dll: WNetGetConnectionW
> Ole32.dll: CoInitialize
> Oleaut32.dll: -
> Psapi.dll: EnumProcesses
> Shell32.dll: DragFinish
> User32.dll: GetDC
> Userenv.dll: LoadUserProfileW
> Version.dll: VerQueryValueW
> Wininet.dll: FtpOpenFileW
> Winmm.dll: timeGetTime
> Wsock32.dll: -

(0 exports)

Upload ID: -
RDS (NSRL Reference Data Set): -
Packers (Kaspersky): PE_Patch.UPX, UPX
Packers (F-Prot): UPX

 

 

 

Subject: Re: 422221553bcd2e13642619068973b69a --- windows update.exe [KLAN-30650641]
Sender: newvirus@kaspersky.com
Date: 16:33:44
Hello,

Windowsupdate.exe_.UNP - Trojan-Downloader.Win32.Agent.bydr

New malicious software was found in this file. Its detection will be added in the next update. Thank you for your help.

Please quote all when answering.

--
Best regards, Pavel FIRSOV
Virus analyst, Kaspersky Lab.
E-mail: newvirus@kaspersky.com
http://www.kaspersky.com/

http://www.kaspersky.com/virusscanner - free online virus scanner.
http://www.kaspersky.com/helpdesk.html - technical support.

 

 

 

File Description: C:/sese.exe
Attribute: ---
Digital Signature: No
PE file: Yes
Language: Chinese (China)
File version: 1.0.0.0
Note: Movie player
Copyright: Movie player
Remarks: Movie player
Creation Time: 19:56:51
Modification time:
Size: 327051 bytes, 319.395 KB
MD5: 110230c200611c32ed417b9fec1e6076
SHA1: 5481afa2bedd051d70f39de1fa0060f507a0345f
CRC32: 7ac87b88

 

File _____________.exe.del received at 08:27:22 (CET)

 

Anti-Virus        Version          Last update  Scan result
a-squared         4.0.0.101        2009.05.19   Trojan.AgentMB!IK
AhnLab-V3         5.0.0.2          2009.05.19   -
AntiVir           7.9.0.168        2009.05.19   TR/Crypt.CFI.Gen
Antiy-AVL         2.0.3.1          2009.05.18   -
Authentium        5.1.2.4          2009.05.19   -
Avast             4.8.1335.0       2009.05.18   Win32:Crypt-DOC
AVG               8.5.0.336        2009.05.18   -
BitDefender       7.2              2009.05.19   Gen:Trojan.Heur.3106677233
CAT-QuickHeal     10.00            2009.05.15   Trojan.Agent.ATV
ClamAV            0.94.1           2009.05.19   -
Comodo            1157             2009.05.08   -
DrWeb             5.0.0.12182      2009.05.19   -
eSafe             7.0.20.          2009.05.18   Suspicious File
eTrust-Vet        31.6.20.9        2009.05.18   -
F-Prot            4.4.4.56         2009.05.18   -
F-Secure          8.0.14470.0      2009.05.19   -
Fortinet          3.117.0.0        2009.05.18   -
GData             19               2009.05.19   Gen:Trojan.Heur.3106677233
Ikarus            T3.1.1.49.0      2009.05.19   Trojan.AgentMB
K7AntiVirus       7.10.737         2009.05.16   -
Kaspersky         7.0.0.125        2009.05.19   -
McAfee            5619             2009.05.18   -
McAfee+Artemis    5619             2009.05.18   -
McAfee-GW-Edition 6.7.6            2009.05.19   Trojan.Crypt.CFI.Gen
Microsoft         1.4602           2009.05.19   -
NOD32             4085             2009.05.19   -
Norman            6.01.05          2009.05.18   Smalltroj.LQVY
nProtect          2009.1.8.0       2009.05.19   -
Panda             10.0.0.14        2009.05.18   -
PCTools           4.4.2.0          2009.05.18   -
Prevx             3.0              2009.05.19   Medium Risk Malware
Rising            21.30.10.00      2009.05.19   Adware.Win32.Undef.Eko
Sophos            4.41.0           2009.05.19   -
Sunbelt           3.2.1858.2       2009.05.18   -
Symantec          1.4.4.12         2009.05.19   Downloader
TheHacker         6.3.4.1.327      2009.05.19   -
TrendMicro        8.950.0.1092     2009.05.19   -
VBA32             3.12.10.5        2009.05.19   -
ViRobot           2009.5.19.1740   2009.05.19   -
VirusBuster       4.6.5.0          2009.05.18   -

 

Additional information
File Size: 327051 bytes
MD5: 110230c200611c32ed417b9fec1e6076
SHA1: 5481afa2bedd051d70f39de1fa0060f507a0345f
SHA256: f6bfe2e9e5c2a3dd29c9aa622b0c8723922a0df012b4772b7aab8721ab76a370
SHA512 (truncated): 7fa584f7228677d2c6029d7abd3161743a1cef31556b697d857a73c63420a269
ssdeep: 6144:plz/zumu4pdsxscmrzf7x3sfs1jazxbtl76wq0qaplibdi:phlumuiv9rgfSjazrt74bw
PEiD: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
TrID (file type identification):
  UPX compressed Win32 executable (43.8%)
  Win32 EXE Yoda's Crypter (38.1%)
  Win32 executable generic (12.2%)
  Generic Win/DOS executable (2.8%)
  DOS executable generic (2.8%)
PEInfo: PE structure information

(Base data)
EntryPointAddress: 0xae0e0
TimeDateStamp: 0x4951fa17 (Wed Dec 24 09:00:07 2008)
MachineType: 0x14c (i386)

(3 sections)
Name   VirtAddr  VirtSize  RawSize  Entropy  MD5
UPX0   0x1000    0x6e000   0x0      0.00     d41d8cd98f00b204e9800998ecf8427e
UPX1   0x6f000   0x40000   0x3f400  7.93     1de6866c729aedc69f7e1b0f019b0210
.rsrc  0xaf000   0x8000    0x7600   5.78     eda-ca9f0d06f723c60cb7833d91f99a

(16 imports)
> Kernel32.dll: LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
> Advapi32.dll: AddAce
> Comctl32.dll: ImageList_Remove
> Comdlg32.dll: GetSaveFileNameW
> Gdi32.dll: BitBlt
> Mpr.dll: WNetGetConnectionW
> Ole32.dll: CoInitialize
> Oleaut32.dll: -
> Psapi.dll: EnumProcesses
> Shell32.dll: DragFinish
> User32.dll: GetDC
> Userenv.dll: LoadUserProfileW
> Version.dll: VerQueryValueW
> Wininet.dll: FtpOpenFileW
> Winmm.dll: timeGetTime
> Wsock32.dll: -

(0 exports)

Upload ID: -
RDS (NSRL Reference Data Set): -
Packers (Kaspersky): PE_Patch.UPX, UPX
Prevx: http://info.prevx.com/aboutprogramtext.asp?px5=bd2da-b38bd33d88fda604cbf58d55006644a0d9
Packers (F-Prot): UPX
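Both reports above describe the same build: identical TimeDateStamp (0x4951fa17), identical import lists, a shared ssdeep prefix, and the same three-section UPX layout in which UPX0 has a raw size of 0 (its MD5 d41d8cd98f00b204e9800998ecf8427e is the MD5 of the empty string), UPX1 has entropy near 8 and holds the entry point, and .rsrc is low-entropy. The script below is an added example for this page, not the author's fileinfo/pe_xscan tooling or the scanning service's code: it reproduces the hash, CRC32, section and entropy figures from the standard library alone and applies the packing heuristics those figures suggest. The PE image it runs on is constructed here to mirror the reported layout (it is not the sample and contains no code), and the 7.0 entropy threshold is an assumption.

```python
import hashlib
import math
import struct
import zlib
from collections import Counter

# IMAGE_SECTION_HEADER (40 bytes): Name[8], VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
# NumberOfLinenumbers, Characteristics.
SECTION_FMT = "<8sIIIIIIHHI"
# IMAGE_FILE_HEADER (20 bytes): Machine, NumberOfSections, TimeDateStamp,
# PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics.
COFF_FMT = "<HHIIIHH"


def file_hashes(data):
    """MD5/SHA-1/SHA-256 plus CRC32 in the 8-hex-digit form fileinfo prints."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest(),
            "crc32": "%08x" % (zlib.crc32(data) & 0xFFFFFFFF)}


def shannon_entropy(data):
    """Bits per byte: 0.0 for empty or constant data, 8.0 for a flat byte histogram."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pe_sections(data):
    """Parse a PE32 image's COFF header and section table and summarise each section
    the way the report does: name, virtual address/size, raw size, entropy, MD5 of
    the raw bytes, and whether the entry point falls inside it."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    machine, nsect, stamp, _, _, opt_size, _ = struct.unpack_from(COFF_FMT, data, e_lfanew + 4)
    opt = e_lfanew + 24                                  # optional header follows the COFF header
    entry = struct.unpack_from("<I", data, opt + 16)[0] if opt_size >= 20 else 0
    sections = []
    for i in range(nsect):
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from(SECTION_FMT, data, opt + opt_size + 40 * i)[:5]
        raw = data[rawptr:rawptr + rawsize]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vaddr": vaddr, "vsize": vsize, "rawsize": rawsize,
                         "entropy": round(shannon_entropy(raw), 2),
                         "md5": hashlib.md5(raw).hexdigest(),
                         "has_entry": vaddr <= entry < vaddr + max(vsize, rawsize)})
    return {"machine": machine, "timestamp": stamp, "entry": entry, "sections": sections}


def packer_indicators(info):
    """Heuristics matching what both reports show for a UPX-packed image: UPX default
    section names, a section with zero raw size but a large virtual size (the unpack
    target), and an entry point inside a section whose entropy is close to 8."""
    hits = []
    names = [s["name"] for s in info["sections"]]
    if any(n.upper().startswith("UPX") for n in names):
        hits.append("UPX default section names: %s" % ", ".join(names))
    for s in info["sections"]:
        if s["rawsize"] == 0 and s["vsize"] > 0:
            hits.append("%s: raw size 0, virtual size 0x%x (unpack target)" % (s["name"], s["vsize"]))
        if s["entropy"] > 7.0:
            hits.append("%s: entropy %.2f (compressed or encrypted)" % (s["name"], s["entropy"]))
        if s["entropy"] > 7.0 and s["has_entry"]:
            hits.append("%s: entry point 0x%x inside high-entropy section" % (s["name"], info["entry"]))
    return hits


def build_sample_pe():
    """Constructed stand-in for the packed sample: a syntactically valid PE32 header
    with the same three-section layout (UPX0 empty, UPX1 high entropy holding the
    entry point, .rsrc low entropy). It is not the malware and contains no code."""
    opt = bytearray(224)                                 # PE32 optional header, zeroed
    struct.pack_into("<H", opt, 0, 0x10B)                # Magic: PE32
    struct.pack_into("<I", opt, 16, 0xAB0E0)             # AddressOfEntryPoint, as in the report
    coff = struct.pack(COFF_FMT, 0x14C, 3, 0x4951FA17, 0, 0, len(opt), 0x0102)
    upx1 = bytes(range(256)) * 4                         # every byte value 4 times: entropy 8.0
    rsrc = b"\0" * 0x200                                 # constant bytes: entropy 0.0
    upx1_off, rsrc_off = 0x200, 0x200 + len(upx1)
    secs = (struct.pack(SECTION_FMT, b"UPX0", 0x6B000, 0x1000, 0, 0, 0, 0, 0, 0, 0xE0000080)
            + struct.pack(SECTION_FMT, b"UPX1", 0x40000, 0x6C000, len(upx1), upx1_off, 0, 0, 0, 0, 0xE0000040)
            + struct.pack(SECTION_FMT, b".rsrc", 0x5000, 0xAC000, len(rsrc), rsrc_off, 0, 0, 0, 0, 0xC0000040))
    headers = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0" + coff + bytes(opt) + secs
    return headers + b"\0" * (upx1_off - len(headers)) + upx1 + rsrc


if __name__ == "__main__":
    image = build_sample_pe()
    print(file_hashes(image))
    info = pe_sections(image)
    for s in info["sections"]:
        print("%-6s 0x%-7x 0x%-7x 0x%-6x %.2f %s" % (s["name"], s["vaddr"], s["vsize"], s["rawsize"], s["entropy"], s["md5"]))
    print(packer_indicators(info))
```

To apply it to a real file, pass the file's bytes to file_hashes() and pe_sections() instead of build_sample_pe(); the import list the reports show (only the loader stubs LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc and VirtualFree from Kernel32, plus one token import per other DLL) is the other classic UPX tell, and is not parsed here.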
