Home > Others

New Viking variants, legends, and Warcraft account theft Trojans (version 3rd)

Source: Internet
Author: User
Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more >

EndurerOriginal

2006-10-133Supplement the effect of Kaspersky on files not reported

2006-10-092Added Kaspersky's response

2006-10-091Version

A netizen, the new host, shouted slowly in less than two days and asked me to help check it.

After the desktop is started on, the system loses response. It is hard to open the task manager and check that the CPU usage is not high, but the memory usage is extremely high.

Force reboot to safe mode with network, download hijackthis scan log to http://endurer.ys168.com, found the following suspicious items:

Logfile of hijackthis v1.99.1
Platform: Windows XP SP2 (winnt 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

C:/Windows/logocmd.exe

C:/program files/Internet Explorer/3sy.exe

F3-Reg: win. ini: load = C:/Windows/rundl132.exe

O1-hosts: 219.139.58.97 www.hao123.com
O1-hosts: 219.139.58.97 hao123.com
O1-hosts: 219.139.58.97 www.7b.com.cn
O1-hosts: 219.139.58.97 7b.com.cn
O1-hosts: 219.139.58.97 www.7939.com
O1-hosts: 219.139.58.97 www.maohehe.com
O1-hosts: www.sina-baidu.com 219.139.58.97
O1-hosts: sina-baidu.com 219.139.58.97
O1-hosts: 219.139.58.97 www.maipao.com
O1-hosts: 219.139.58.97 update.virussky.com
O1-hosts: 219.139.58.97 down.virussky.com
O1-hosts: 219.139.58.97 www.ycdy.com
O1-hosts: 219.139.58.97 ycdy.com
O1-hosts: 219.139.58.97 www.2tu.cn
O1-hosts: 219.139.58.97 2tu.cn
O1-hosts: 219.139.58.97 www.91tu.cn
O1-hosts: 219.139.58.97 91tu.cn
O1-hosts: 219.139.58.97 www.haotop.com
O1-hosts: 219.139.58.97 news01.virussky.com
O1-hosts: 219.139.58.97 news02.virussky.com
O1-hosts: 219.139.58.97 news03.virussky.com
O1-hosts: 219.139.58.97 news04.virussky.com
O1-hosts: 219.139.58.97 www.an85.com
O1-hosts: 219.139.58.97 an85.com
O1-hosts: 219.139.58.97 www.360safe.com
O1-hosts: 219.139.58.97 360safe.com
O1-hosts: 219.139.58.97 dl.360safe.com
O1-hosts: 219.139.58.97 bbs.360safe.com
O1-hosts: 219.139.58.97 www.gao58.com
O1-hosts: 219.139.58.97 count18.51yes.com
O1-hosts: 219.139.58.97 www.ok538.com
O1-hosts: 219.139.58.97 www.3000sss.com
O1-hosts: 219.139.58.97 3000sss.com
O1-hosts: 219.139.58.97 www.qq658.com
O1-hosts: 219.139.58.97 www.53679.com
O1-hosts: 219.139.58.97 www.17587.net
O1-hosts: 219.139.58.97 www.17587.com
O1-hosts: 219.139.58.97 www.an188.com
O1-hosts: 219.139.58.97 cwzwxm.3322.org
O1-hosts: 219.139.58.97 www.onediy.net
O1-hosts: 219.139.58.97 sohu.fswan.com
O1-hosts: 219.139.58.97 www.hewdq.com
O1-hosts: 219.139.58.97 go.ipcenter.cn
O1-hosts: 219.139.58.97 www.32666.com
O1-hosts: 219.139.58.97 show.googleadsenseagent.com
O1-hosts: 219.139.58.97 www.2yin.cn
O1-hosts: 219.139.58.97 2yin.cn
O1-hosts: 219.139.58.97 www.84442.com
O1-hosts: 219.139.58.97 www.898333.com
O1-hosts: 219.139.58.97 hewdq.com
O1-hosts: 219.139.58.97 84442.com
O1-hosts: 219.139.58.97 wwww.systeel.com.cn
O1-hosts: 219.139.58.97 go.baibaoxiang.cn
O1-hosts: 219.139.58.97 www.btbaicai.com
O1-hosts: 219.139.58.97 btbaicai.com
O1-hosts: 219.139.58.97 www.2t2t.cn
O1-hosts: 219.139.58.97 2t2t.cn
O1-hosts: 219.139.58.97 3.a.kal.cn
O1-hosts: 219.139.58.97 www.222978.com
O1-hosts: 219.139.58.97 www.5yaowan.com
O1-hosts: 219.139.58.97 show.roogoo.com
O1-hosts: 219.139.58.97 ip.alexaanywhere.com

O3-toolbar: searchcar-{BD328E49-38AB-42CB-8EEA-73AA4CD2A6FD}-C:/program files/searchcar. dll

O4-HKLM/../run: [qcsszjcz] D:/chenqxms.exe

O4-HKLM/../run: [R] C:/Windows/system32/rundll32.exe msprt. dll s

O10-unknown file in Winsock LSP: C:/Windows/system32/wsd_sock32.dll
O10-unknown file in Winsock LSP: C:/Windows/system32/wsd_sock32.dll

Download procview termination process from http://endurer.ys168.com:
/----------
C:/Windows/logocmd.exe
C:/program files/Internet Explorer/3sy.exe
----------/

Download the file association of the Registry repair tool from the rising website.

Use WinRAR to check files in the following folders

C :/
------------
Drsmartload.exe (the value of Kaspersky isTrojan-Downloader.Win32.Adload.gf, Drweb reportsTrojan. downloader.13572)
Mte3ndi6odoxngv2.exe (the value of Kaspersky isTrojan-Downloader.Win32.Agent.azc)

C:/windows and C:/Windows/system32
-------------
Winampa.exe (the value of Kaspersky isTrojan. win32.agent. TL, Drweb reportsTrojan. downloader.12870)
Nmhxy. dll (indicated by KasperskyTrojan-PSW.Win32.Agent.iu, Drweb reportsTrojan. PWS. legmir.602)
Nmhxy.exe (Kaspersky reportsTrojan-PSW.Win32.Agent.iu, Drweb reportsTrojan. PWS. legmir.602)
0. EXE (Kaspersky reportsTrojan. win32.qhost. IC, Drweb reportsTrojan. qhost)
Mvlib. dll (Kaspersky reportsTrojan. win32.bcb. I, Drweb reportsWin32.hllw. mybot)
Jxdll. dll (indicated by KasperskyTrojan-PSW.Win32.Delf.hh)
Myrx. dll (Kaspersky reportedTrojan-PSW.Win32.Agent.ia)
Mywow. dll (Kaspersky reportedTrojan-PSW.Win32.WOW.jw)
Myztr. dll (Kaspersky reportedTrojan-PSW.Win32.OnLineGames.v)
Ss3.exe
Wsd_sock32.dll (the value of Kaspersky isTrojan-PSW.Win32.Agent.if)
Xia.exe (Kaspersky reportsWorm. win32.viking. Ax)
Rundl132.exe (note: the front of 32 is the number 1. Kaspersky reportsWorm. win32.viking. Ax)
Rundll.exe
Msprt. dll (Kaspersky reportsTrojan. win32.bcb. I)
Logocmd.exe (Kaspersky reportsEmail-Worm.Win32.Viking.ax)

C:/progam files/Internet Explorer
-------------
0sy.exe (Kaspersky reportsTrojan-PSW.Win32.Lineage.amd, Drweb reportsTrojan. PWS. gamania)
4sy.exe (Kaspersky reportsTrojan-PSW.Win32.Delf.hh, Drweb reportsTrojan. PWS. lineage)
Internat3.exe (Kaspersky reportsTrojan-PSW.Win32.WOW.gq)
Internat5.exe (Kaspersky reportsTrojan-Downloader.Win32.Agent.axg, Drweb reportsTrojan. downloader.13331)
Iedw.exe (Kaspersky reportsTrojan. win32.agent. ZL, Drweb reportsTrojan. starter.84)

Temporary system folder
-------------
Temp.exe (the value of Kaspersky isTrojan-Downloader.Win32.QQHelper.ft)
Setup_wm.exe (the value of Kaspersky isTrojan. win32.agent. ZL, Drweb reportsTrojan. downloader.12618)

Temporary ie folder
-------------
Maaa2.exe (Kaspersky reportsWorm. win32.detnat. e)

C:/Windows/system32/Drivers
-------------
Modrl. sys (Kaspersky replies "no malicious code was found in this file", and the drweb reportsTrojan. PWS. hertThe rising report isRootkit. callgat. gen)

Clear temporary ie folders and temporary system folders

Open the Registration Table editor, and first renew the registration table. Then search for the project containing rundl132.exe (Note: Before 32, it is digit 1) and delete it.

Download and run lspfix from the http://endurer.ys168.com, select the option "I know what I'm doing", and move the wsd_sock32.dll file in the left window to the right window (do not move other files ), select "finish ".

Close all IE Windows and folder windows, run hijackthis scan, and repair the items in the previous column.

This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

Related Keywords:
new warcraft game scan for trojans and remove warcraft keyboard and mouse sell world of warcraft account world of warcraft full version world of warcraft full version warcraft free download full version

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

What's Trending
Top 10 Tags
datastax versions naming convention zookeeper client class definition md5 microsoft sql server 2005 data structures exception handling error handling
Top 10 Keywords
microsoft download center down wordpress address url site address url wordpress address url windows installer 4 0 download 302 not found web address url definition site address url wordpress db2 integer mac os installation step by step pdf abbreviation for return

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

  • Sales Support

    1 on 1 presale consultation

    Chat Contact Sales

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

    Open a Ticket

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

    Learn More