Solution to the WIN32.EXE Trojan downloader infection

Source: Internet
Author: User

I. Source of WIN32.EXE: http://fdghewrtewrtyrew.biz/adv/130/win32.exe
II. Behaviour after running: it downloads 1.dlb, 2.dlb, ... and other Trojans from the network into the current user's folder and runs them automatically. Once a downloaded Trojan is loaded and running, it in turn downloads further Trojans/worms from the network.

After the Trojans/worms have been fully downloaded and implanted in the system, the SREng log shows:

Startup items
Registry
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
<Windows update loader> <C:\Windows\xpupdate.exe> [N/A]
<UpdateService> <C:\windows\system32\wservice.exe> [N/A]
<Taskdir> <C:\windows\system32\taskdir.exe> [N/A]
<_mzu_stonedrv3> <C:\windows\system32\_mzu_stonedrv3.exe> [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<System> <C:\windows\system32\testtestt.exe> [N/A]
<UpdateService> <C:\windows\system32\wservice.exe> [N/A]
<Spoolsvv> <C:\windows\system32\spoolsvv.exe> [N/A]
<Adir> <C:\windows\system32\adirss.exe> [N/A]
<_mzu_stonedrv3> <C:\windows\system32\_mzu_stonedrv3.exe> [N/A]
<30> <C:\windows\system32\30.tmp> [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
<SystemTools> <C:\windows\system32\testtestt.exe> [N/A]
<_mzu_stonedrv3> <C:\windows\system32\_mzu_stonedrv3.exe> [N/A]
<30> <C:\windows\system32\30.tmp> [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
<SqPIftjYG> <C:\windows\system32\rflbg.dll> [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\rpcc]
<WinlogonNotify: rpcc> <C:\windows\system32\rpcc.dll> [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winsys2freg]
<WinlogonNotify: winsys2freg> <C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll> [N/A]
========================================
Running processes
[PID: 584] [\??\C:\windows\system32\winlogon.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll] [N/A, N/A]
[PID: 1584] [C:\windows\Explorer.EXE] [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
    [C:\windows\system32\rflbg.dll] [N/A, N/A]
========================================
HOSTS file
127.0.0.1 avp.com
127.0.0.1 ca.com
127.0.0.1 f-secure.com
127.0.0.1 housecall.trendmicro.com
127.0.0.1 kaspersky.com
127.0.0.1 mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 nai.com
127.0.0.1 networkassociates.com
127.0.0.1 secure.nai.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 sophos.com
127.0.0.1 symantec.com
127.0.0.1 trendmicro.com
127.0.0.1 us.mcafee.com
127.0.0.1 v4.windowsupdate.microsoft.com
127.0.0.1 v5.windowsupdate.microsoft.com
127.0.0.1 v5windowsupdate.microsoft.nsatc.net
127.0.0.1 viruslist.com
127.0.0.1 windowsupdate.com
127.0.0.1 windowsupdate.microsoft.com
127.0.0.1 www.avp.com
127.0.0.1 www.bitdefender.com
127.0.0.1 www.ca.com
127.0.0.1 www.f-secure.com
127.0.0.1 www.kaspersky.com
127.0.0.1 www.mcafee.com
127.0.0.1 www.my-etrust.com
127.0.0.1 www.nai.com
127.0.0.1 www.networkassociates.com
127.0.0.1 www.pandasoftware.com
127.0.0.1 www.ravantivirus.com
127.0.0.1 www.sophos.com
127.0.0.1 www.symantec.com
127.0.0.1 www.trendmicro.com
127.0.0.1 www.viruslist.com
127.0.0.1 www.windowsupdate.com
127.0.0.1 www3.ca.com
127.0.0.1 downloads1.kaspersky-labs.com
127.0.0.1 downloads2.kaspersky-labs.com
127.0.0.1 downloads3.kaspersky-labs.com
127.0.0.1 downloads4.kaspersky-labs.com
127.0.0.1 downloads-us1.kaspersky-labs.com
127.0.0.1 downloads-eu1.kaspersky-labs.com
127.0.0.1 kaspersky-labs.com
127.0.0.1 mast.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 update.symantec.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 download.mcafee.com
127.0.0.1 updates.symantec.com

========================================
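The HOSTS entries above are the part of the infection that keeps the victim from getting signatures or patches: every anti-virus and Windows Update hostname is pinned to 127.0.0.1. The following is an added example, not code from the original post, that detects this sinkholing and rebuilds the file (the "Fix the HOSTS file" step of the solution below). It does not hard-code the vendor list from the log: any public name mapped to a loopback or unspecified address is treated as hijacked, so it also catches names this particular sample did not use. The sample hosts content is constructed; the Windows path in `main` is the real location of the live file.

```python
"""Detect and repair HOSTS-file sinkholing of security-vendor domains.

Added example (not from the original post). Flags every non-local
hostname that a hosts file points at a loopback or unspecified address
and rebuilds the file without those entries. Vendor names are NOT
hard-coded: any sinkholed public name is suspicious.
"""
import ipaddress
import sys

# Names that legitimately resolve to loopback in a stock hosts file.
LEGIT_LOCAL_NAMES = {
    "localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback",
    "broadcasthost",
}


def is_sinkhole_address(ip_text):
    """True for 127.x.x.x, ::1, 0.0.0.0 and ::, the addresses used to blackhole a name."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified


def parse_hosts(text):
    """Yield (lineno, ip, names) for every non-comment, non-blank line."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.partition("#")[0].split()
        if len(fields) >= 2:
            yield lineno, fields[0], fields[1:]


def find_hijacked(text):
    """Return [(lineno, ip, name)] for each public name mapped to a sinkhole address."""
    hits = []
    for lineno, ip, names in parse_hosts(text):
        if not is_sinkhole_address(ip):
            continue
        hits.extend((lineno, ip, n) for n in names if n.lower() not in LEGIT_LOCAL_NAMES)
    return hits


def repair_hosts(text):
    """Rebuild the hosts file: drop sinkholed public names, keep everything else.

    A line such as "127.0.0.1 localhost www.mcafee.com" is trimmed to its
    legitimate names rather than dropped wholesale; a line with nothing
    legitimate left is removed. Comments and non-sinkhole mappings are kept.
    """
    kept = []
    for raw in text.splitlines():
        code, hash_sign, comment = raw.partition("#")
        fields = code.split()
        if len(fields) >= 2 and is_sinkhole_address(fields[0]):
            good = [n for n in fields[1:] if n.lower() in LEGIT_LOCAL_NAMES]
            if not good:
                continue
            raw = f"{fields[0]}\t{' '.join(good)}" + (f" {hash_sign}{comment}" if hash_sign else "")
        kept.append(raw)
    # Guarantee the canonical localhost entry exists after repair.
    has_localhost = any(
        is_sinkhole_address(ip) and "localhost" in (n.lower() for n in names)
        for _, ip, names in parse_hosts("\n".join(kept))
    )
    if not has_localhost:
        kept.append("127.0.0.1\tlocalhost")
    return "\n".join(kept) + "\n"


# Constructed sample mirroring the log above, plus a legitimate internal entry.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1 avp.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 windowsupdate.microsoft.com
0.0.0.0 kaspersky.com
127.0.0.1 localhost www.mcafee.com
192.168.1.10 intranet.example.local   # legitimate internal mapping
"""


def main(argv):
    # On Windows the live file is %SystemRoot%\System32\drivers\etc\hosts;
    # pass its path to scan it, otherwise the constructed sample is used.
    text = open(argv[1], encoding="utf-8", errors="replace").read() if len(argv) > 1 else SAMPLE_HOSTS
    for lineno, ip, name in find_hijacked(text):
        print(f"line {lineno}: {name} -> {ip}  (sinkholed)")
    print("--- repaired ---")
    print(repair_hosts(text), end="")


if __name__ == "__main__":
    main(sys.argv)
```

Write the repaired content back only after the Trojan processes are stopped; as the author notes below, the malware re-drops its components while it is still running, and a repaired hosts file is simply overwritten again.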

HijackThis v1.99.1 log shows:

O4 - HKLM\..\Run: [System] C:\windows\system32\testtestt.exe
O4 - HKLM\..\Run: [UpdateService] C:\windows\system32\wservice.exe
O4 - HKLM\..\Run: [spoolsvv] C:\windows\system32\spoolsvv.exe
O4 - HKLM\..\Run: [adir] C:\windows\system32\adirss.exe
O4 - HKLM\..\Run: [_mzu_stonedrv3] C:\windows\system32\_mzu_stonedrv3.exe
O4 - HKLM\..\Run: [30] C:\windows\system32\30.tmp
O4 - HKLM\..\RunServices: [SystemTools] C:\windows\system32\testtestt.exe
O4 - HKLM\..\RunServices: [_mzu_stonedrv3] C:\windows\system32\_mzu_stonedrv3.exe
O4 - HKLM\..\RunServices: [30] C:\windows\system32\30.tmp
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: [UpdateService] C:\windows\system32\wservice.exe
O4 - HKCU\..\Run: [taskdir] C:\windows\system32\taskdir.exe
O4 - HKCU\..\Run: [_mzu_stonedrv3] C:\windows\system32\_mzu_stonedrv3.exe
O4 - HKCU\..\Run: [WinMedia] C:\windows\loader622535.exe
O4 - HKCU\..\Run: [Winstx] C:\windows\loader628714.exe

O20 - Winlogon Notify: rpcc - C:\windows\system32\rpcc.dll
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll
O21 - SSODL: sqPIftjYG - {F4233280-5E89-982A-A244-6D00C3A79C12} - C:\windows\system32\rflbg.dll

C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll is injected into the winlogon.exe process. This DLL is hard to deal with, because:
1. It sits in a hidden folder and can only be seen with tools such as IceSword or WinRAR.
2. It cannot be deleted directly, because it is loaded inside the winlogon.exe process.
3. I don't know which of these Trojans/worms starts the IE process (no IE window is opened). When the worm starts the IE process, the system crashes and restarts. I used the latest SSM 2.2.0.595 to stop winlogon.exe from starting the IE process, with no side effects.

Difficulties in handling these viruses include:
1. A large number of .t files are dropped. The .t file must be executed whenever the related .exe is run. This can be monitored, or blocked, by SSM; but if SSM is used to block the .t operation, the .exe you actually want to run is blocked by SSM as well. Anti-virus software is an example (only some of these viruses are detected even by Kaspersky's latest virus database). In the end kav.exe was infected (its MD5 changed) by the .t operation in the Kaspersky directory. After cleaning the system I had to uninstall Kaspersky and reinstall it. My Tiny firewall was terminated as well. I disabled Tiny to watch what would happen: after infection and a system restart, amon.exe was infected when Tiny auto-updated.
2. If you do not completely block all of the virus programs from running and delete the Trojan/worm files in normal Windows mode, a new file with the .t suffix and a different name is generated in the same location during the delete operation. The file name is a random string of 8 lower-case letters.

III. My solution:
1. Use the latest SSM 2.2 to terminate the above virus processes and put them in the blocked group. Set SSM to start automatically.
2. Restart the system.
3. After the restart, SSM again reports that the virus program is trying to load (the Trojan uses the .t in the SSM installation folder to start loading). Block it with SSM and put it in the blocked group.
4. Delete the virus startup entries (see the SREng and HijackThis logs above).
5. Show hidden files and delete the virus files (Figures 1-6). There are too many virus files to show them all; as an example, the figures show only the main files of this virus bundle and the .t files generated when the virus files are deleted (showing every virus file moved to the recycle bin would take 18 pictures).
6. Fix the HOSTS file.
7. Uninstall and reinstall the infected applications (those whose MD5 value changed).
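Step 4 above ("delete the virus startup entries") is where mistakes happen by hand: the same file is registered under several keys, Winlogon Notify packages are subkeys rather than values, and the O20/O21 DLLs are held open by winlogon.exe and Explorer. The following is an added example, not code from the original post or from HijackThis, that parses the O4/O20/O21 lines of a HijackThis log into a cleanup plan: reg.exe commands for the registry entries, files that can be deleted immediately, and files that must wait until after the reboot that unloads them. The sample log is constructed from lines in the log above; the `..` abbreviation expands to `Software\Microsoft\Windows\CurrentVersion` as HijackThis does; the HKCR\CLSID removal for the SSODL entry is an assumption that the CLSID exists only to serve the malicious DLL (check it before running the command).

```python
"""Turn HijackThis O4/O20/O21 lines into a concrete cleanup plan.

Added example (not from the original post or from HijackThis itself).
Files that the log shows loaded by winlogon.exe or explorer.exe (O20/O21
DLLs) are listed separately, because they cannot be deleted while those
processes hold them: remove the registry entry first, reboot, then delete.
"""
import re
from dataclasses import dataclass, field

# HijackThis abbreviates Software\Microsoft\Windows\CurrentVersion as "..".
CURRENT_VERSION = r"Software\Microsoft\Windows\CurrentVersion"
WINLOGON_NOTIFY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
SSODL = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"

O4_RE = re.compile(r"^O4\s*-\s*(HKLM|HKCU)\\\.\.\\(\w+):\s*\[([^\]]*)\]\s*(.+?)\s*$")
O20_RE = re.compile(r"^O20\s*-\s*Winlogon Notify:\s*(\S+)\s*-\s*(.+?)\s*$")
O21_RE = re.compile(r"^O21\s*-\s*SSODL:\s*(\S+)\s*-\s*(\{[0-9A-Fa-f-]+\})\s*-\s*(.+?)\s*$")


@dataclass
class Entry:
    kind: str                 # "O4", "O20" or "O21"
    file_path: str
    reg_commands: list = field(default_factory=list)
    loaded_by_system_process: bool = False


def parse_hijackthis(text):
    """Return an Entry per recognised O4/O20/O21 line; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if m := O4_RE.match(line):
            hive, key, name, path = m.groups()
            entries.append(Entry("O4", path, [
                f'reg delete "{hive}\\{CURRENT_VERSION}\\{key}" /v "{name}" /f']))
        elif m := O20_RE.match(line):
            name, path = m.groups()
            # Notify packages are subkeys, so the whole subkey goes.
            entries.append(Entry("O20", path, [
                f'reg delete "{WINLOGON_NOTIFY}\\{name}" /f'], loaded_by_system_process=True))
        elif m := O21_RE.match(line):
            name, clsid, path = m.groups()
            # The SSODL value names a CLSID whose InProcServer32 points at the DLL.
            # Assumption: that CLSID serves nothing else, so it is removed too.
            entries.append(Entry("O21", path, [
                f'reg delete "{SSODL}" /v "{name}" /f',
                f'reg delete "HKCR\\CLSID\\{clsid}" /f'], loaded_by_system_process=True))
    return entries


def cleanup_plan(entries):
    """Group the work: registry commands, files deletable now, files needing a reboot."""
    plan = {"reg_commands": [], "files_now": [], "files_after_reboot": []}
    seen = set()
    for e in entries:
        plan["reg_commands"].extend(e.reg_commands)
        key = e.file_path.lower()
        if key in seen:          # wservice.exe is registered under HKLM and HKCU
            continue
        seen.add(key)
        bucket = "files_after_reboot" if e.loaded_by_system_process else "files_now"
        plan[bucket].append(e.file_path)
    return plan


# Constructed sample: a subset of the HijackThis lines from the log above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [System] C:\windows\system32\testtestt.exe
O4 - HKLM\..\Run: [UpdateService] C:\windows\system32\wservice.exe
O4 - HKLM\..\RunServices: [30] C:\windows\system32\30.tmp
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: [UpdateService] C:\windows\system32\wservice.exe
O20 - Winlogon Notify: rpcc - C:\windows\system32\rpcc.dll
O21 - SSODL: sqPIftjYG - {F4233280-5E89-982A-A244-6D00C3A79C12} - C:\windows\system32\rflbg.dll
O23 - Service: Example (not handled here)
"""

if __name__ == "__main__":
    plan = cleanup_plan(parse_hijackthis(SAMPLE_LOG))
    for section, items in plan.items():
        print(f"[{section}]")
        for item in items:
            print("  " + item)
```

Run the registry commands from an elevated prompt only after the processes are stopped (step 1 above), otherwise the running Trojan re-creates the values; delete `files_now` immediately and `files_after_reboot` once winlogon.exe and Explorer no longer have the DLLs mapped.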

Figure 1
