Scvhost.exe, kcohj1ba.sys, 4f4.exe, w509v.sys, 8g4.dll, 307b.dll, etc.


Original by endurer
Version 1

A courseware presentation had to be played at today's meeting, so two machines were prepared as a precaution; unexpectedly, the backup one ended up being used. After boot, a message box popped up from time to time reporting an error loading 307b.dll. Clearly the machine was infected.

This message box would inevitably interfere with playing the courseware and had to be dealt with immediately.

The machine has Kingsoft Internet Security 2008 installed, but its virus databases are dated July 15 and August 17 and could not be updated over the Internet.

A scan with Kingsoft (Jinshan) Cleaning Expert found nothing suspicious.

Later it turned out that the computer also had Rising's Kaka Security Assistant installed, though only a 4.x version. Checking the startup items with it immediately revealed suspicious entries. Scanning and analysing them with pe_xscan gave the following:

/=
pe_xscan 08-08-01 by Purple Endurer
2008-9-1 13:40:48
Windows XP Service Pack 2 (5.1.2600)
MSIE: 7.0.5730.13
Administrators user group
Normal mode

O2 - BHO class - {1307e689-5ca1-4a15-9583-f2350790290d} = C:\Windows\system32\oqxovy.dll | 6:41:44
O2 - BHO invoke class - {6b76ddab-898d-4e5b-917c-2b697c2ea7a4} = C:\Windows\system32\8g4.dll | 23:28:49
O4 - HKLM\..\Policies\Explorer\Run: [307b] rundll32 C:\Windows\downlo~1\307b.dll",run
307ac.job
307b.job
307dc.job
307sc.job

O9 - IE toolbar extension button HKLM: Knowledge Base - {06926b30-450e-4f1c-8ee3-543cd96573dc} - hxxp://blank.la/?H
O9 - IE Tools menu extension item HKLM: - {06926b30-450e-4f1c-8ee3-543cd96573dc} - hxxp://blank.la/?H
O23 - Service: 9bi9m8 (9bi9m8) - system32\Drivers\9bi9m8.sys (boot)
O23 - Service: adprot (adprot) - C:\Windows\system32\Drivers\adprot.sys (system)
O23 - Service: kcohj1ba (kcohj1ba) - system32\Drivers\kcohj1ba.sys (boot)
O23 - Service: oboqyy (Logical Disk Manager amdinistrative oboqyy) - C:\root\yxyeaholes\scvhost.exe | (automatic)
O23 - Service: osevent (osevent) - C:\Windows\system32\s.exe | (automatic)
O23 - Service: thinkpadser (thinkpadser) - C:\Windows\system32\4f4.exe | 11:39:15 (automatic)
O23 - Service: w509v (w509v) - system32\Drivers\w509v.sys (boot)

===/

After clearing all of these items and restarting the computer, the message box no longer appeared.
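The patterns that gave this infection away in the pe_xscan log (a service binary named scvhost.exe one letter-swap from svchost.exe and living outside the Windows directory, rundll32 loading a DLL from downlo~1, drivers with short letter/digit names) can be checked mechanically. The script below is an added example, not code from the original post or from pe_xscan; the sample log is constructed from the lines above plus one legitimate Spooler entry, and the lookalike list and the name heuristic are assumptions:

```python
import re

# Windows system binaries whose names malware imitates (constructed list for this example).
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "spoolsv.exe", "services.exe", "winlogon.exe"}
WINDIR = r"c:\windows"

# Constructed sample: O-lines re-typed from the pe_xscan log above, plus one legitimate service.
SAMPLE_LOG = r"""
O2 - BHO class - {1307e689-5ca1-4a15-9583-f2350790290d} = C:\Windows\system32\oqxovy.dll
O4 - HKLM\..\Policies\Explorer\Run: [307b] rundll32 C:\Windows\downlo~1\307b.dll",run
O23 - Service: kcohj1ba (kcohj1ba) - system32\Drivers\kcohj1ba.sys (boot)
O23 - Service: oboqyy (Logical Disk Manager amdinistrative oboqyy) - C:\root\yxyeaholes\scvhost.exe (automatic)
O23 - Service: Spooler (Print Spooler) - C:\Windows\system32\spoolsv.exe (automatic)
"""

def osa_distance(a, b):
    """Edit distance where an adjacent swap costs one edit, so scvhost.exe is 1 away from svchost.exe."""
    d = [[i + j if i * j == 0 else 0 for j in range(len(b) + 1)] for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            d[i][j] = min(d[i-1][j] + 1, d[i][j-1] + 1, d[i-1][j-1] + (a[i-1] != b[j-1]))
            if i > 1 and j > 1 and a[i-1] == b[j-2] and a[i-2] == b[j-1]:
                d[i][j] = min(d[i][j], d[i-2][j-2] + 1)
    return d[len(a)][len(b)]

def extract_path(line):
    """First .exe/.dll/.sys path in an O-line, lower-cased; pe_xscan prints driver paths relative to the Windows dir."""
    m = re.search(r"(?:[A-Za-z]:\\)?[\w~.\\]+\.(?:exe|dll|sys)\b", line, re.I)
    if not m:
        return None
    path = m.group(0).lower()
    return path if re.match(r"[a-z]:\\", path) else WINDIR + "\\" + path

def triage_line(line):
    """Return (normalised path, reasons) for one pe_xscan line; an empty reasons list means nothing was flagged."""
    path = extract_path(line)
    if path is None: return None, []
    name = path.rsplit("\\", 1)[-1]
    stem = name.rsplit(".", 1)[0]
    reasons = [f"lookalike of {k}" for k in SYSTEM_NAMES if name != k and osa_distance(name, k) == 1]
    if "rundll32" in line.lower() and ("downlo~1" in path or "downloaded program files" in path):
        reasons.append("rundll32 autostart loading a DLL from Downloaded Program Files")
    if line.startswith("O23") and not path.startswith(WINDIR + "\\"):
        reasons.append("service or driver outside the Windows directory")
    if len(stem) <= 8 and re.search(r"[a-z]\d|\d[a-z]", stem):  # heuristic: names like 9bi9m8, 307b, w509v
        reasons.append("short mixed letter/digit file name (heuristic)")
    return path, reasons

def triage(log):
    """Run every line of a pe_xscan log through triage_line and keep only the flagged entries."""
    return [(p, r) for p, r in map(triage_line, log.strip().splitlines()) if r]
```

Running triage(SAMPLE_LOG) flags the 307b, kcohj1ba and scvhost.exe entries and leaves oqxovy.dll and the genuine Spooler service alone, so the heuristic is a sorting aid for manual review, not a verdict.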

File: C:\root\yxyeaholes\scvhost.exe
Attributes: ---
Digital signature: no
PE file: yes
Language: Chinese (China)
File version: 1.0.0.0
Product version: 1.0.0.0
Creation time:
Modification time:
Size: 478720 bytes, 467.512 KB
MD5: 84e9c475ffe13cb7c8fd60f5b2995f00
SHA1: bad9cfae6813748df9eb9bc0ad631628a267d2b2
CRC32: cdee47b1


File scvhost.exe received on 2008.09.01 15:25:39 (CET)
Antivirus / Version / Last update / Result
AhnLab-V3 2008.8.29.0 2008.09.01 Win-Trojan/Xema.Variant
AntiVir 7.8.1.23 2008.09.01 TR/Spy.Gen
Authentium 5.1.0.4 2008.09.01 W32/Banload.E.Gen!Eldorado
Avast 4.8.1195.0 2008.08.31 Win32:Trojan-gen {Other}
AVG 8.0.0.161 2008.09.01 Downloader.Generic7.AGRS
BitDefender 7.2 2008.09.01 Trojan.Generic.662130
CAT-QuickHeal 9.50 2008.08.29 TrojanDownloader.Delf.MPL
ClamAV 0.93.1 2008.09.01 -
DrWeb 4.44.0.09170 2008.09.01 -
eSafe 7.0.20. 2008.08.31 -
eTrust-Vet 31.6.6062 2008.09.01 -
Ewido 4.0 2008.09.01 -
F-Prot 4.4.4.56 2008.09.01 W32/Banload.E.Gen!Eldorado
F-Secure 7.60.13501.0 2008.09.01 Trojan-Downloader.Win32.Delf.mpl
Fortinet 3.14.0.0 2008.09.01 -
GData 19 2008.09.01 Trojan-Downloader.Win32.Delf.mpl
Ikarus T3.1.1.34.0 2008.09.01 Trojan-Downloader.Win32.Delf.asz
K7AntiVirus 7.10.435 2008.09.01 Trojan.Win32.Malware.1
Kaspersky 7.0.0.125 2008.09.01 Trojan-Downloader.Win32.Delf.mpl
McAfee 5373 2008.08.29 Generic Downloader.x
Microsoft 1.3807 2008.08.25 -
NOD32v2 3404 2008.09.01 probably a variant of Win32/TrojanDownloader.Delf.ATB
Norman 5.80.02 2008.09.01 -
Panda 9.0.0.4 2008.08.31 -
PCTools 4.4.2.0 2008.09.01 Trojan-Downloader.Delf!SD6
Prevx1 V2 2008.09.01 Cloaked Malware
Rising 201760100001.00 2008.09.01 Trojan.Win32.Undef.Dru
Sophos 4.33.0 2008.09.01 -
Sunbelt 3.1.1592.1 2008.08.30 Trojan-Downloader.Delphi.Gen
Symantec 10 2008.09.01 Trojan Horse
TheHacker 6.3.0.6.069 2008.09.01 -
TrendMicro 8.700.0.1004 2008.09.01 -
VBA32 3.12.8.4 2008.08.31 Trojan-Downloader.Win32.Delf.mpl
ViRobot 2008.9.1.1359 2008.09.01 Trojan.Win32.Downloader.47871_B
Webwasher-Gateway 6.6.2 2008.09.01 Trojan.Spy.Gen

Additional information
File size: 478720 bytes
MD5...: 84e9c475ffe13cb7c8fd60f5b2995f00
SHA1..: bad9cfae6813748df9eb9bc0ad631628a267d2b2
SHA256: 6925307afc3957989c289dcbcba3eeb220e75d503bc91b4bd6c625a2ba48dbf6
SHA512: 75e5282071dfd603ad54550f72df417ec095702300f6a88a742c99d1ad486f2a
PEiD..: -
TrID..: File type identification
Win32 Executable Borland Delphi 7 (69.1%)
Win32 Executable Borland Delphi 6 (27.0%)
Win32 Executable Delphi generic (1.5%)
Win32 Executable Generic (0.8%)
Win32 Dynamic Link Library (generic) (0.7%)
PEInfo: PE Structure Information

(Base data)
EntryPointAddress.: 0x463f40
TimeDateStamp.....: 0x2a425e19 (Fri Jun 19 22:22:17 1992)
MachineType.......: 0x14c (i386)

(8 sections)
Name    VirtAddr  VirtSize  RawSize  Entropy  MD5
CODE    0x1000    0x62fd0   0x63000           e67f1df4e269a7be7237114c94c9974a
DATA    0x64000   0x13b8    0x1400   4.11     dc6afc04a81f1b4d2e6fe22b921b4345
BSS     0x66000   0x1141    0x0      0.00     d41d8cd98f00b204e9800998ecf8427e
.idata  0x68000   0x2776    0x2800   5.01     d0b43b14609d2a068b5d2753a50f0afa
.tls    0x6b000   0x10      0x0      0.00     d41d8cd98f00b204e9800998ecf8427e
.rdata  0x6c000   0x18      0x200    0.20     59ae59073dbfc82e5e0222fb77af1a75
.reloc  0x6d000   0x7204    0x7400   6.66     d8a0e4ffedfa836b07ffcabfcec0d94d
.rsrc   0x75000   0x6800    0x6800   4.31     22b9293e6ea466a14872f8b94f2578e2

(18 imports)
> Kernel32.dll: kernel, kernel, virtualfree, virtualalloc, localfree, localalloc, gettickcount, queryperformancecounter, getversion, getcurrentthreadid, interlockeddecrement, region, virtualquery, latency, latency, lstrlena, response, response, getthreadlocale, getstartupinfoa, response, getlasterror, getcommandlinea, response, response, findclose, exitprocess, exitthread, createthread, writefile, response, setfilepointer, setendoffile, rtlunwind, readfile, raiseexception, getstdhandle, getfilesize, getfiletype, createfilea, closehandle
> User32.dll: getkeyboardtype, loadstringa, messageboxa, charnexta
> Advapi32.dll: regqueryvalueexa, regopenkeyexa, regclosekey
> Oleaut32.dll: sysfreestring, sysreallocstringlen, sysallocstringlen
> Kernel32.dll: tlssetvalue, tlsgetvalue, localalloc, getmodulehandlea
> Advapi32.dll: reporteventa, registereventsourcea, regqueryvalueexa, regopenkeyexa, regclosekey, deregistereventsource
> Kernel32.dll: lstrcpya, writefile, winexec, login, virtualquery, virtualalloc, suspendthread, sleep, login, setthreadlocale, setfilepointer, setevent, seterrormode, setendoffile, delimiter, resetevent, readfile, upload, muldiv, lockresource, loadresource, loadlibrarya, warn, unlock, globalunlock, globalsize, globalrealloc, globalhandle, globallock, globalfree, globalfindatoma, globaldeleteatom, globalalloc, globaladdatoma, handler, getversion, counter, gettickcount, getthreadlocale, getsysteminfo, response, getlocaleinfoa, getlocaltime, getlasterror, response, getdateformata, getcurrentthreadid, getcurrentprocessid, response, getcpinfo, getacp, freeresource, delimiter, interlockedexchange, delimiter, freelibrary, formatmessagea, findresourcea, delimiter, findclose, delimiter, createthread, createfilea, createeventa, comparestringa, closehandle
> Version.dll: verqueryvaluea, getfileversioninfosizea, getfileversioninfoa
> Gdi32.dll: unrealizeobject, expiration, expires, settextcolor, expires, setrop2, setpixel, setmapmode, expires, setdibcolortable, expires, setbkmode, setbkcolor, selectpalette, selectobject, savedc, restoredc, rectangle, rectvisible, coloring, playenhmetafile, patblt, movetoex, maskblt, lineto, lptodp, distance, gettextmetricsa, distance, distance, getstockobject, getpixel, upload, getobjecta, metrics, getdevicecaps, getdibits, metrics, metrics, getcurrentpositionex, getclipbox, metrics, deleteobject, metrics, deletedc, createsolidbrush, createpenindirect, createpalette, dependencies, createfontindirecta, createenhmetafilea, createdibitmap, createdibsection, createcompatibledc, createcompatiblebitmap, createbrushindirect, createbitmap, copyenhmetafilea, closeenhmetafile, bitblt
> User32.dll: create‑wexa, mouse_event, windowfrompoint, winhelpa, waitmessage, updatewindow, upper, lower, translatemessage, upper, lower, lower, showwindow, showscrollbar, lower, showcursor, lower, setwindowpos, setwindowplacement, setwindowlonga, settimer, setscrollrange, setscrollpos, callback, setrect, setpropa, setparent, delimiter, setmenu, delimiter, setfocus, delimiter, setcursor, delimiter, delimiter, setcapture, setactivewindow, callback, scrollwindow, screentoclient, removepropa, callback, releasedc, callback, redrawwindow, callback, response, postquitmessage, postmessagea, callback, openclipboard, offsetrect, callback, callback, messageboxa, messagebeep, mapwindowpoints, mapvirtualkeya, loadstringa, clerk, loadicona, loadcursora, loadbitmapa, clerk, clerk, iswindowvisible, isw.wenabled, iswindow, clerk, ischild, clerk, clerk, examples, examples, examples, getwindowtexta, examples, getwindowplacement, getwindowlonga, getwindowdc, gettopwindow, examples, getsystemmenu, getsyscolorbrush, examples, getsubmenu, getscrollrange, metrics, metrics, getpropa, getparent, getwindow, getmessagetime, interval, getmessagea, interval, getmenustate, interval, interval, getmenuitemcount, getmenu, interval, getkeyboardstate, interval, interval, getkeystate, interval, geticoninfo, interval, getfocus, get1_topwindow, getdcex, getdc, getcursorpos, getcursor, delimiter, getcapture, getactivewindow, framerect, find0000wa, fillrect, reverse rect, enumwindows, enumthreadwindows, endpaint, enablewindow, values, values, and values, drawtexta, distance, distance, drawicon, drawframecontrol, drawedge, distance, destroywindow, destroymenu, destroyicon, distance, deletemenu, distance, createmenu, createicon, temperature, clienttoscreen, checkmenuitem, callwindowproca, callnexthookex, beginpaint, charnexta, charlowerbuffa, charlowera, charupperbuffa, chartooema, adjustwindowrectex, activatekeyboardlayout
> Kernel32.dll: Sleep
> Oleaut32.dll: safearrayptrofindex, safearraygetubound, safearraygetlbound, safearraycreate, variantchangetype, variantcopy, variantclear, variantinit
> Ole32.dll: createstreamonhglobal, isaccelerator, oledraw, olesetmenudescriptor, cotaskmemfree, rule, stringfromclsid, cocreateinstance, cogetclassobject, couninitialize, coinitialize, isincluguid
> Oleaut32.dll: geterrorinfo, getactiveobject, sysfreestring
> Advapi32.dll: startservicectrldispatchera, setservicestatus, registerservicectrlhandlera, openservicea, openscmanagera, deleteservice, createservicea, closeservicehandle
> Comctl32.dll: values, values, imagelist_write, imagelist_read, values, imagelist_dragmove, values, imagelist_dragenter, values, values, imagelist_remove, values, imagelist_draw, values, imagelist_add, imagelist_getimagecount, imagelist_destroy, imagelist_create
> Shell32.dll: shellexecutea
> Urlmon.dll: urldownloadtofilea

(0 exports)

Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=a1f493e60054db424eca07d058f4f400f6e383c7