New Viking variant, Legend and Warcraft account-stealing Trojans (3rd edition)


Endurer original

2006-10-13 3rd edition: added Kaspersky's results for the files it had not detected

2006-10-09 2nd edition: added Kaspersky's reply

2006-10-09 1st edition

A netizen's newly installed machine became sluggish in less than two days, and he asked me to help check it.

After booting, once the desktop appeared the system stopped responding. Task Manager could only be opened with difficulty; it showed that CPU usage was not high, but memory usage was extremely high.

Forced a reboot into Safe Mode with Networking, downloaded HijackThis from http://endurer.ys168.com and scanned; the log contained the following suspicious items:

Logfile of hijackthis v1.99.1
Platform: Windows XP SP2 (winnt 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

C:/Windows/logocmd.exe

C:/program files/Internet Explorer/3sy.exe

F3-Reg: win.ini: load = C:/Windows/rundl132.exe

O1-hosts: 219.139.58.97 www.hao123.com
O1-hosts: 219.139.58.97 hao123.com
O1-hosts: 219.139.58.97 www.7b.com.cn
O1-hosts: 219.139.58.97 7b.com.cn
O1-hosts: 219.139.58.97 www.7939.com
O1-hosts: 219.139.58.97 www.maohehe.com
O1-hosts: www.sina-baidu.com 219.139.58.97
O1-hosts: sina-baidu.com 219.139.58.97
O1-hosts: 219.139.58.97 www.maipao.com
O1-hosts: 219.139.58.97 update.virussky.com
O1-hosts: 219.139.58.97 down.virussky.com
O1-hosts: 219.139.58.97 www.ycdy.com
O1-hosts: 219.139.58.97 ycdy.com
O1-hosts: 219.139.58.97 www.2tu.cn
O1-hosts: 219.139.58.97 2tu.cn
O1-hosts: 219.139.58.97 www.91tu.cn
O1-hosts: 219.139.58.97 91tu.cn
O1-hosts: 219.139.58.97 www.haotop.com
O1-hosts: 219.139.58.97 news01.virussky.com
O1-hosts: 219.139.58.97 news02.virussky.com
O1-hosts: 219.139.58.97 news03.virussky.com
O1-hosts: 219.139.58.97 news04.virussky.com
O1-hosts: 219.139.58.97 www.an85.com
O1-hosts: 219.139.58.97 an85.com
O1-hosts: 219.139.58.97 www.360safe.com
O1-hosts: 219.139.58.97 360safe.com
O1-hosts: 219.139.58.97 dl.360safe.com
O1-hosts: 219.139.58.97 bbs.360safe.com
O1-hosts: 219.139.58.97 www.gao58.com
O1-hosts: 219.139.58.97 count18.51yes.com
O1-hosts: 219.139.58.97 www.ok538.com
O1-hosts: 219.139.58.97 www.3000sss.com
O1-hosts: 219.139.58.97 3000sss.com
O1-hosts: 219.139.58.97 www.qq658.com
O1-hosts: 219.139.58.97 www.53679.com
O1-hosts: 219.139.58.97 www.17587.net
O1-hosts: 219.139.58.97 www.17587.com
O1-hosts: 219.139.58.97 www.an188.com
O1-hosts: 219.139.58.97 cwzwxm.3322.org
O1-hosts: 219.139.58.97 www.onediy.net
O1-hosts: 219.139.58.97 sohu.fswan.com
O1-hosts: 219.139.58.97 www.hewdq.com
O1-hosts: 219.139.58.97 go.ipcenter.cn
O1-hosts: 219.139.58.97 www.32666.com
O1-hosts: 219.139.58.97 show.googleadsenseagent.com
O1-hosts: 219.139.58.97 www.2yin.cn
O1-hosts: 219.139.58.97 2yin.cn
O1-hosts: 219.139.58.97 www.84442.com
O1-hosts: 219.139.58.97 www.898333.com
O1-hosts: 219.139.58.97 hewdq.com
O1-hosts: 219.139.58.97 84442.com
O1-hosts: 219.139.58.97 wwww.systeel.com.cn
O1-hosts: 219.139.58.97 go.baibaoxiang.cn
O1-hosts: 219.139.58.97 www.btbaicai.com
O1-hosts: 219.139.58.97 btbaicai.com
O1-hosts: 219.139.58.97 www.2t2t.cn
O1-hosts: 219.139.58.97 2t2t.cn
O1-hosts: 219.139.58.97 3.a.kal.cn
O1-hosts: 219.139.58.97 www.222978.com
O1-hosts: 219.139.58.97 www.5yaowan.com
O1-hosts: 219.139.58.97 show.roogoo.com
O1-hosts: 219.139.58.97 ip.alexaanywhere.com

O3-toolbar: searchcar-{BD328E49-38AB-42CB-8EEA-73AA4CD2A6FD}-C:/program files/searchcar.dll

O4-HKLM/../run: [qcsszjcz] D:/chenqxms.exe

O4-HKLM/../run: [R] C:/Windows/system32/rundll32.exe msprt.dll s

O10-unknown file in Winsock LSP: C:/Windows/system32/wsd_sock32.dll
O10-unknown file in Winsock LSP: C:/Windows/system32/wsd_sock32.dll
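The O1 entries above show the hijack pattern used here: dozens of hostnames, including antivirus download and update sites, are pinned to one routable address so the victim can no longer reach them, while normal hosts-file blocking points names at 127.0.0.1 or 0.0.0.0. The script below is added as an example and is not part of the original post or of HijackThis: it parses lines in the HijackThis O1 format (tolerating the swapped "hostname ip" order that two of the entries show), groups them by address, and flags any non-loopback address that collects several hostnames or any hostname that looks like a security vendor or update site. The sample lines, the keyword list and the cluster threshold are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in the HijackThis "O1 - Hosts" format. The address
# and names mirror a handful of the entries quoted in the log, plus two benign
# sinkhole entries; this is a hand-made subset, not the page's log.
SAMPLE_O1_LINES = """\
O1 - Hosts: 219.139.58.97 www.hao123.com
O1 - Hosts: 219.139.58.97 hao123.com
O1 - Hosts: 219.139.58.97 update.virussky.com
O1 - Hosts: 219.139.58.97 www.360safe.com
O1 - Hosts: 219.139.58.97 dl.360safe.com
O1 - Hosts: www.sina-baidu.com 219.139.58.97
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 0.0.0.0 ads.example.test
""".splitlines()

# Substrings that suggest a security vendor or software-update host (assumed list).
SECURITY_HINTS = ("safe", "virus", "update", "dl.", "down.", "antivir",
                  "kaspersky", "rising", "drweb")

# Matches "O1 - Hosts:" as well as the compressed "O1-hosts:" form.
O1_RE = re.compile(r"^O1\s*-\s*Hosts:\s*(\S+)\s+(\S+)\s*$", re.IGNORECASE)


def parse_o1(line):
    """Return (ip, hostname) for an O1 line, whichever order the two fields
    appear in; return None for lines that are not O1 entries."""
    m = O1_RE.match(line)
    if not m:
        return None
    a, b = m.group(1), m.group(2)
    for ip, host in ((a, b), (b, a)):
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue
        return ip, host.lower()
    return None


def is_sinkhole(ip):
    """Loopback or unspecified addresses are the normal way to block a host."""
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or addr.is_unspecified


def analyse_hosts_entries(lines, min_cluster=3):
    """Return a list of (finding, ip, hostnames) tuples for suspicious entries."""
    entries = [e for e in map(parse_o1, lines) if e]
    by_ip = defaultdict(list)
    for ip, host in entries:
        by_ip[ip].append(host)

    findings = []
    for ip, hosts in by_ip.items():
        if is_sinkhole(ip):
            continue
        # Many unrelated names pinned to one routable address is the hijack signature.
        if len(hosts) >= min_cluster:
            findings.append(("redirect_cluster", ip, sorted(hosts)))
        # Any security or update site pointed away from its real address is
        # worth reporting on its own, even if it is the only entry.
        sec = sorted(h for h in hosts if any(k in h for k in SECURITY_HINTS))
        if sec:
            findings.append(("security_site_redirect", ip, sec))
    return findings


if __name__ == "__main__":
    for kind, ip, hosts in analyse_hosts_entries(SAMPLE_O1_LINES):
        print(f"{kind}: {ip} <- {', '.join(hosts)}")
```

The same parser works on a raw hosts file if the `O1 - Hosts:` prefix is made optional; the point is the grouping by address, not the log format.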

Downloaded procview from http://endurer.ys168.com and terminated the processes:
/----------
C:/Windows/logocmd.exe
C:/program files/Internet Explorer/3sy.exe
----------/

Downloaded the registry repair tool from the Rising website and repaired the file associations.

Used WinRAR to check the files in the following folders:

C:/
------------
Drsmartload.exe (Kaspersky reports Trojan-Downloader.Win32.Adload.gf, DrWeb reports Trojan.DownLoader.13572)
Mte3ndi6odoxngv2.exe (Kaspersky reports Trojan-Downloader.Win32.Agent.azc)

C:/Windows and C:/Windows/system32
-------------
Winampa.exe (Kaspersky reports Trojan.Win32.Agent.tl, DrWeb reports Trojan.DownLoader.12870)
Nmhxy.dll (Kaspersky reports Trojan-PSW.Win32.Agent.iu, DrWeb reports Trojan.PWS.Legmir.602)
Nmhxy.exe (Kaspersky reports Trojan-PSW.Win32.Agent.iu, DrWeb reports Trojan.PWS.Legmir.602)
0.EXE (Kaspersky reports Trojan.Win32.Qhost.ic, DrWeb reports Trojan.Qhost)
Mvlib.dll (Kaspersky reports Trojan.Win32.BCB.i, DrWeb reports Win32.HLLW.MyBot)
Jxdll.dll (Kaspersky reports Trojan-PSW.Win32.Delf.hh)
Myrx.dll (Kaspersky reports Trojan-PSW.Win32.Agent.ia)
Mywow.dll (Kaspersky reports Trojan-PSW.Win32.WOW.jw)
Myztr.dll (Kaspersky reports Trojan-PSW.Win32.OnLineGames.v)
Ss3.exe
Wsd_sock32.dll (Kaspersky reports Trojan-PSW.Win32.Agent.if)
Xia.exe (Kaspersky reports Worm.Win32.Viking.ax)
Rundl132.exe (note: the character before "32" is the digit 1, not the letter l; Kaspersky reports Worm.Win32.Viking.ax)
Rundll.exe
Msprt.dll (Kaspersky reports Trojan.Win32.BCB.i)
Logocmd.exe (Kaspersky reports Email-Worm.Win32.Viking.ax)

C:/program files/Internet Explorer
-------------
0sy.exe (Kaspersky reports Trojan-PSW.Win32.Lineage.amd, DrWeb reports Trojan.PWS.Gamania)
4sy.exe (Kaspersky reports Trojan-PSW.Win32.Delf.hh, DrWeb reports Trojan.PWS.Lineage)
Internat3.exe (Kaspersky reports Trojan-PSW.Win32.WOW.gq)
Internat5.exe (Kaspersky reports Trojan-Downloader.Win32.Agent.axg, DrWeb reports Trojan.DownLoader.13331)
Iedw.exe (Kaspersky reports Trojan.Win32.Agent.zl, DrWeb reports Trojan.Starter.84)

System temporary folder
-------------
Temp.exe (Kaspersky reports Trojan-Downloader.Win32.QQHelper.ft)
Setup_wm.exe (Kaspersky reports Trojan.Win32.Agent.zl, DrWeb reports Trojan.DownLoader.12618)

IE temporary folder
-------------
Maaa2.exe (Kaspersky reports Worm.Win32.Detnat.e)

C:/Windows/system32/Drivers
-------------
Modrl.sys (Kaspersky replied "no malicious code was found in this file"; DrWeb reports Trojan.PWS.Hert, Rising reports Rootkit.Callgat.gen)

Cleared the IE temporary folder and the system temporary folder.

Opened the Registry Editor, refreshed it first, then searched for the entries containing rundl132.exe (note: the character before "32" is the digit 1) and deleted them.
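Several of the files listed above borrow the name of a legitimate Windows binary with a small change that is easy to miss by eye: rundl132.exe swaps the digit 1 for the letter l in rundll32.exe, and Internat3.exe / Internat5.exe append a digit to internat.exe. The check below is added as an example, not code from the original post: it normalises digit-for-letter confusables, strips appended trailing digits, and compares the result against a small allowlist of legitimate executable stems. The allowlist, the confusable map and the sample file names are assumptions constructed for the example; a real scan would use a full inventory of the system's binaries.

```python
import re

# Small allowlist of legitimate Windows executable stems (assumed for the example).
LEGIT_STEMS = {"rundll32", "internat", "explorer", "svchost", "lsass", "csrss"}

# Characters that are visually confusable with letters in common fonts.
CONFUSABLE = str.maketrans({"1": "l", "0": "o", "|": "l"})

# Constructed sample names; the first three imitate the pattern seen in the log,
# the rest are legitimate names or unrelated droppers that must not be flagged.
SAMPLE_NAMES = ["rundl132.exe", "Internat3.exe", "svch0st.exe",
                "rundll32.exe", "0sy.exe", "Rundll.exe", "logocmd.exe"]


def split_name(filename):
    """Return (stem, extension), both lower-cased; extension is '' if absent."""
    name = filename.lower()
    stem, _, ext = name.rpartition(".")
    if not stem:
        stem, ext = name, ""
    return stem, ext


def lookalike_reason(filename):
    """Return (legit_stem, reason) when filename imitates a legitimate system
    binary name; None when it is an exact legitimate name or unrelated.
    An exact match is deliberately not flagged here: for those, the location
    on disk must be checked, which a name-only test cannot do."""
    stem, ext = split_name(filename)
    if ext not in ("exe", "dll", "sys"):
        return None
    if stem in LEGIT_STEMS:
        return None
    deconfused = stem.translate(CONFUSABLE)
    if deconfused in LEGIT_STEMS:
        return deconfused, "digit-for-letter substitution"
    trimmed = re.sub(r"\d+$", "", stem)
    if trimmed != stem and trimmed in LEGIT_STEMS:
        return trimmed, "trailing digits appended"
    return None


def scan_names(filenames):
    """Return (filename, legit_stem, reason) for every lookalike in the list."""
    results = []
    for f in filenames:
        r = lookalike_reason(f)
        if r:
            results.append((f, *r))
    return results


if __name__ == "__main__":
    for name, legit, reason in scan_names(SAMPLE_NAMES):
        print(f"{name}: imitates {legit} ({reason})")
```

Names that are not caught this way, such as 0sy.exe or logocmd.exe, have to be judged by the antivirus results and by where the file lives, which is exactly what the folder-by-folder listing above does.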

Downloaded and ran LSPFix from http://endurer.ys168.com, ticked the option "I know what I'm doing", moved wsd_sock32.dll from the left-hand list to the right-hand list (leaving every other entry alone), and clicked "Finish".

Closed all IE windows and folder windows, ran a HijackThis scan, and fixed the items listed above.
