Infected with multiple Trojans, including the Trojan.PSW.LMir Trojan and Trojan.DL.QQHelper


Endurer original

2006-09-23 Version 1

A netizen's computer kept reporting viruses, and manual scanning could not clean them up.
So I took a look.

Downloaded HijackThis from http://endurer.ys168.com and scanned; the log shows the following suspicious items:

/----------
HijackThis_zww Chinese version scan log v1.99.1
Saved at 0:30:24, date
Operating system: Windows XP SP2 (WinNT 5.01.2600)
Browser: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\progra~1\svhost32.exe

F3 - REG:win.ini: load=C:\progra~1\svhost32.exe
O2 - BHO: adpopup - {11f09afd-75ad-4e51-ab43-e09e9351ce16} - C:\program files\common files\cpush.dll
O2 - BHO: myiehelper class - {tags} - C:\Documents and Settings\all users\Application Data\Microsoft\iehelper\iehelper2006814_4593.dll (file missing)
O2 - BHO: (no name) - {3a134b8d-ca84-42a9-bf88-ce45f8c395bf} - C:\Windows\system32\ieopengl.dll
O2 - BHO: cdnforie class - {5c3853cf-c7e0-4946-b3fa-1abdb6f48108} - C:\progra~1\CNNIC\CDN\cdnforie.dll
O2 - BHO: (no name) - {8532b305-4486-4388-939f-341c01_cdfc} - C:\Windows\system32\dxbho.dll
O2 - BHO: quickbtn - {D1BB7CF4-4463-4e91-88D7-ECC3CE0A13B7} - C:\program files\kuzhan.dll
O2 - BHO: (no name) - {D424FE4E-CAF9-4fdd-BC5F-E6E6B91D53BF} - (no file)
O2 - BHO: wmhlprobj class - {F5824EFB-728A-4726-A5A5-85A68B20EDC3} - C:\progra~1\CNNIC\CDN\wmhlpr.dll

O4 - HKLM\..\Run: [update] C:\program files\common files\update2\update.exe (kuzhan project)
O4 - HKLM\..\Run: [cdnctr] C:\program files\CNNIC\CDN\cdnup.exe
O4 - HKCU\..\Run: [updatereal] C:\Windows\realupdate.exe other
O4 - HKCU\..\Run: [msnnt] C:\Windows\winampa.exe

O8 - Extra context menu item: Send image with Caishow - C:\program files\caishow tech\caishow\sendmms.htm
O8 - Extra context menu item: Access the General Website - C:\program files\CNNIC\CDN\cnnic.htm
O9 - Extra button: Cool site navigation (kuzhan) - {1d903167-2529-4a9b-9b6b-7a1db3a44cb5} - C:\program files\kuzhan.dll
O9 - Extra button: Chinese surfing - {5c3853cf-c7e0-4946-b3fa-1abdb6f48108} - C:\progra~1\CNNIC\CDN\cdnforie.dll
O9 - Extra 'Tools' menu item: Chinese surfing - {5c3853cf-c7e0-4946-b3fa-1abdb6f48108} - C:\progra~1\CNNIC\CDN\cdnforie.dll

O10 - Unknown file in Winsock LSP: C:\Windows\system32\cdnns.dll

O11 - Options group: [cdnclient] Chinese surfing

O23 - Service: network logon (networklogon) - Unknown owner - rundll32.exe (file missing)
----------/

Downloaded procview from http://endurer.ys168.com and ran it to terminate the process C:\progra~1\svhost32.exe.

Stopped and disabled the service network logon (networklogon). Its command line is: rundll32.exe kb896475.log,start

C:\Windows\system32>dir kb896475.log
 Volume in drive C has no label.
 Volume Serial Number is 1013-3AFE

 Directory of C:\Windows\system32

             123,141 kb896475.log
               1 File(s)        123,141 bytes
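The log above is readable by eye, but the patterns that gave this infection away are mechanical: a `win.ini` `load=` autostart, a process whose name imitates `svchost.exe`, BHOs registered with no name, an autostart binary dropped straight into the Windows directory, an unknown LSP, and a service that makes `rundll32.exe` load a file with a `.log` extension (rundll32 does not care what the extension is; `kb896475.log` is a DLL named to look like a hotfix log). The following is an added example, not part of the original post and not a HijackThis feature: it runs those checks over a constructed log modelled on the entries above. The list of system binaries, the edit-distance threshold of 2, and the sample lines are this example's own assumptions.

```python
"""Triage a HijackThis log for the persistence tricks seen in this case.

Added example (not part of the original post). Flags: a win.ini load= entry,
a process name imitating a Windows binary, nameless BHOs, an autostart binary
dropped in the Windows root, an unknown LSP, and rundll32/regsvr32 loading a
module whose extension is not a normal DLL extension (e.g. kb896475.log).
"""
import re

# Constructed sample modelled on the log above (not a real capture).
SAMPLE_LOG = r"""
F3 - REG:win.ini: load=C:\PROGRA~1\svhost32.exe
O2 - BHO: (no name) - {3A134B8D-CA84-42A9-BF88-CE45F8C395BF} - C:\WINDOWS\system32\ieopengl.dll
O2 - BHO: cdnforie class - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\PROGRA~1\CNNIC\CDN\cdnforie.dll
O4 - HKLM\..\Run: [cdnctr] C:\Program Files\CNNIC\CDN\cdnup.exe
O4 - HKCU\..\Run: [msnnt] C:\WINDOWS\winampa.exe
O10 - Unknown file in Winsock LSP: C:\WINDOWS\system32\cdnns.dll
O23 - Service: network logon (networklogon) - Unknown owner - rundll32.exe kb896475.log,start (file missing)
"""

# Windows binaries whose names malware likes to imitate (svhost32.exe vs svchost.exe). Assumed list.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "smss.exe", "winlogon.exe",
                   "services.exe", "spoolsv.exe", "explorer.exe", "iexplore.exe", "rundll32.exe"}
# Extensions rundll32/regsvr32 are normally asked to load; anything else is suspect.
LOADER_EXTENSIONS = {".dll", ".ocx", ".cpl", ".ax"}
PATH_RE = re.compile(r"[A-Za-z]:[\\/].*?(?=\s+-\s|\s+\(|$)")
LOADER_RE = re.compile(r"\b(rundll32|regsvr32)(?:\.exe)?\s+\"?([^,\"\s]+)", re.I)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch near-miss names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def stem(name: str) -> str:
    """Lower-case name without extension or digits: 'svhost32.exe' -> 'svhost'."""
    return re.sub(r"\d", "", name.lower().rsplit(".", 1)[0])


def lookalike(name: str):
    """Return the system binary that `name` imitates, or None if it is the real one or unrelated."""
    name = name.lower()
    if name in SYSTEM_BINARIES:
        return None
    for real in SYSTEM_BINARIES:
        if edit_distance(stem(name), stem(real)) <= 2:
            return real
    return None


def triage_line(line: str) -> list:
    """Return the reasons one HijackThis line looks suspicious (empty list if none)."""
    reasons = []
    m = re.match(r"(F\d|O\d+|R\d)\s*-\s*(.*)", line.strip())
    if not m:
        return reasons
    code, body = m.groups()
    lm = LOADER_RE.search(body)
    if lm:
        module = lm.group(2)
        ext = module[module.rfind("."):].lower() if "." in module else ""
        if ext not in LOADER_EXTENSIONS:
            reasons.append(f"{lm.group(1)} loads non-DLL module {module}")
    for path in PATH_RE.findall(body):
        name = re.split(r"[\\/]", path)[-1]
        real = lookalike(name)
        if real:
            reasons.append(f"{name} imitates {real}")
        if code == "O4" and re.fullmatch(r"[A-Za-z]:[\\/]windows[\\/][^\\/]+", path, re.I):
            reasons.append(f"autostart binary sits directly in the Windows directory: {path}")
    if code == "F3" and "load=" in body.lower():
        reasons.append("legacy win.ini load= autostart (rarely legitimate)")
    if code == "O2" and "(no name)" in body.lower():
        reasons.append("BHO registered without a name")
    if code == "O10":
        reasons.append("unknown Winsock LSP module (can intercept all socket traffic)")
    return reasons


def triage(log_text: str) -> dict:
    """Map each flagged log line to its list of reasons; clean lines are omitted."""
    report = {}
    for raw in log_text.splitlines():
        reasons = triage_line(raw)
        if reasons:
            report[raw.strip()] = reasons
    return report


if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG).items():
        print(entry, "\n  ->", "; ".join(why))
```

On the sample log this flags five of the seven lines and leaves the two CNNIC entries alone; those are adware that HijackThis can remove but that do not match any of the evasion patterns. The name check compares digit-stripped stems, so `svchost32.exe` and `svhost32.exe` both point at `svchost.exe`, and a real `iexplore.exe` is not reported as an `explorer.exe` lookalike only because it is in the known-binaries set.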

Used WinRAR to locate the following files:

C:\progra~1\svhost32.exe (Kaspersky reports Trojan-PSW.Win32.Lineage.ahq)
C:\Windows\system32\dllwm.dll (Kaspersky reports Trojan-PSW.Win32.Lineage.ahq)
C:\Windows\system32\timplatforms.exe
C:\Windows\system32\kb896475.log (Trojan.PSW.LMir.Large)

Status: finished
Complete scanning result of "kb896475.log.Del", received in VirusTotal at 09.18.2006, 19:28:23 (CET).

Antivirus version update result
AntiVir 7.2.0.16 09.18.2006 no virus found
Authentium 4.93.8 09.18.2006 no virus found
Avast 4.7.844.0 09.15.2006 Win32:wow-x
AVG 386 09.18.2006 no virus found
BitDefender 7.2 09.18.2006 no virus found
Cat-quickheal 8.00 09.18.2006 no virus found
ClamAV devel-20060426 09.18.2006 no virus found
ETrust-inoculateit 23.72.127 09.16.2006 no virus found
ETrust-vet 30.3.3084 09.18.2006 no virus found
Drweb 4.33 09.18.2006 no virus found
Ewido 4.0 09.18.2006 no virus found
Fortinet 2.82.0.0 09.18.2006 suspicious
F-Prot 3.16f 09.18.2006 Possibly a new variant of W32/threat-iknp-based!Maximus
F-Prot4 4.2.1.29 09.18.2006 W32/threat-iknp-based!Maximus
Ikarus 0.2.65.0 09.18.2006 Backdoor.Win32.PcClient.gv
Kaspersky 4.0.2.24 09.18.2006 no virus found
McAfee 4854 09.18.2006 no virus found
Microsoft 1.1560 09.17.2006 no virus found
Nod32v2 1.1761 09.18.2006 no virus found
Norman 5.80.02 09.18.2006 no virus found
Panda 9.0.0.4 09.18.2006 Suspicious file
Sophos 4.09.0 09.18.2006 no virus found
Symantec 8.0 09.18.2006 no virus found
Thehacker 6.0.1.071 09.17.2006 no virus found
Una 1.83 09.18.2006 no virus found
Vba32 3.11.1 09.18.2006 no virus found
Virusbuster 4.3.7: 9 09.18.2006 no virus found

Additional information
File size: 123141 bytes
MD5: 25ea5d35320afb7a4343bed7e205a25c
SHA1: 3a7a6c51873a60f8e327c2e1da41246c6d8f9f47
Packers: packed

C:\Windows\system32\dxbho.dll

Status: finished
Complete scanning result of "dxbho.dll", received in VirusTotal at 09.18.2006, 18:45:58 (CET).

Antivirus version update result
AntiVir 7.2.0.16 09.18.2006 no virus found
Authentium 4.93.8 09.18.2006 no virus found
Avast 4.7.844.0 09.15.2006 no virus found
AVG 386 09.18.2006 no virus found
BitDefender 7.2 09.18.2006 no virus found
Cat-quickheal 8.00 09.18.2006 no virus found
ClamAV devel-20060426 09.18.2006 no virus found
Drweb 4.33 09.18.2006 no virus found
ETrust-inoculateit 23.72.127 09.16.2006 no virus found
ETrust-vet 30.3.3084 09.18.2006 no virus found
Ewido 4.0 09.18.2006 no virus found
Fortinet 2.82.0.0 09.18.2006 no virus found
F-Prot 3.16f 09.18.2006 no virus found
F-Prot4 4.2.1.29 09.18.2006 no virus found
Ikarus 0.2.65.0 09.18.2006 no virus found
Kaspersky 4.0.2.24 09.18.2006 no virus found
McAfee 4854 09.18.2006 no virus found
Microsoft 1.1560 09.17.2006 no virus found
Nod32v2 1.1761 09.18.2006 no virus found
Norman 5.90.23 09.18.2006 no virus found
Panda 9.0.0.4 09.18.2006 no virus found
Sophos 4.09.0 09.18.2006 no virus found
Symantec 8.0 09.18.2006 no virus found
Thehacker 6.0.1.071 09.17.2006 no virus found
Una 1.83 09.18.2006 no virus found
Vba32 3.11.1 09.18.2006 no virus found
Virusbuster 4.3.7: 9 09.18.2006 no virus found

Additional information
File size: 234496 bytes
MD5: 721f35dbcd412eb68653092845186048
SHA1: a2bcd6ba5246412323211072909412b9e75fb576
Packers: UPX

C:\Windows\system32\ieopengl.dll

Status: finished
Complete scanning result of "ieopengl.dll", received in VirusTotal at 09.18.2006, 19:01:37 (CET).

Antivirus version update result
AntiVir 7.2.0.16 09.18.2006 no virus found
Authentium 4.93.8 09.18.2006 no virus found
Avast 4.7.844.0 09.15.2006 no virus found
AVG 386 09.18.2006 no virus found
BitDefender 7.2 09.18.2006 no virus found
Cat-quickheal 8.00 09.18.2006 no virus found
ClamAV devel-20060426 09.18.2006 no virus found
Drweb 4.33 09.18.2006 no virus found
ETrust-inoculateit 23.72.127 09.16.2006 no virus found
ETrust-vet 30.3.3084 09.18.2006 no virus found
Ewido 4.0 09.18.2006 no virus found
Fortinet 2.82.0.0 09.18.2006 no virus found
F-Prot 3.16f 09.18.2006 no virus found
F-Prot4 4.2.1.29 09.18.2006 no virus found
Ikarus 0.2.65.0 09.18.2006 no virus found
Kaspersky 4.0.2.24 09.18.2006 no virus found
McAfee 4854 09.18.2006 no virus found
Microsoft 1.1560 09.17.2006 no virus found
Nod32v2 1.1761 09.18.2006 no virus found
Norman 5.90.23 09.18.2006 no virus found
Panda 9.0.0.4 09.18.2006 no virus found
Sophos 4.09.0 09.18.2006 no virus found
Symantec 8.0 09.18.2006 no virus found
Thehacker 6.0.1.071 09.17.2006 no virus found
Una 1.83 09.18.2006 no virus found
Vba32 3.11.1 09.18.2006 no virus found
Virusbuster 4.3.7: 9 09.18.2006 no virus found

Additional information
File size: 233984 bytes
MD5: bda-c5978fe008802e9d269901ef9980
SHA1: 7884f2469eff2f55d174ff7c5ad338731db54787
Packers: UPX
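The three VirusTotal reports above agree on almost nothing except the "Additional information" block: the size, MD5 and SHA1 of the submitted file and the packer it detected. Those are the fields worth checking locally, both to confirm that a published report really describes the file on the disk and to understand why most engines stayed silent on a packed sample. The following is an added example, not code from the original post or from VirusTotal: it computes the same hashes, walks the PE section table and guesses the packer from section names. The packer section-name table and the constructed test image are this example's own assumptions; the image is a synthetic skeleton, not a file from the infected machine.

```python
"""Local triage of a suspect file before or after a VirusTotal submission.

Added example (not from the original post). Computes the hashes VirusTotal
prints (MD5/SHA1, plus SHA-256), reads the PE section table and guesses the
packer from section names. The section-name hints and build_test_pe() are
assumptions of this example; the test image is constructed, not a real sample.
"""
import hashlib
import struct

# Section names typically left by common packers (heuristic only; packers can rename sections).
PACKER_SECTION_HINTS = {
    "UPX": {"UPX0", "UPX1", "UPX2"},
    "NSPack": {".nsp0", ".nsp1", ".nsp2"},
    "ASPack": {".aspack", ".adata"},
}


def file_hashes(data: bytes) -> dict:
    """Hashes in the form a scanner report lists them, so a verdict can be matched to a file."""
    return {"size": len(data),
            "md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def pe_section_names(data: bytes) -> list:
    """Follow the DOS header to IMAGE_NT_HEADERS and return every section name."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not at e_lfanew")
    coff = e_lfanew + 4                       # IMAGE_FILE_HEADER (20 bytes)
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + size_opt              # first IMAGE_SECTION_HEADER (40 bytes each)
    names = []
    for i in range(num_sections):
        off = table + i * 40
        if off + 40 > len(data):
            raise ValueError("section table truncated")
        names.append(data[off:off + 8].rstrip(b"\0").decode("ascii", "replace"))
    return names


def guess_packer(names):
    """Name the packer whose tell-tale sections are present, else None."""
    present = set(names)
    for packer, hints in PACKER_SECTION_HINTS.items():
        if present & hints:
            return packer
    return None


def triage_file(data: bytes) -> dict:
    """What a quick local check gives you before trusting (or doubting) a scanner verdict."""
    info = file_hashes(data)
    try:
        info["sections"] = pe_section_names(data)
        info["packer"] = guess_packer(info["sections"])
    except ValueError as err:
        info["sections"], info["packer"] = [], None
        info["error"] = str(err)
    return info


def build_test_pe(section_names) -> bytes:
    """Constructed, non-runnable PE32 skeleton with the given section names (test data only)."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    size_opt = 224                                   # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, size_opt, 0x0102)
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0, 0x10B)            # PE32 magic
    sections = b"".join(n.encode("ascii").ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sections


if __name__ == "__main__":
    print(triage_file(build_test_pe(["UPX0", "UPX1", ".rsrc"])))
```

A section-name match is a hint, not proof: UPX can be run with renamed sections and NsPack variants differ, which is why VirusTotal reported only the generic "packed" for kb896475.log.Del while Rising identified it as nspack. The useful comparison is the other way round: if the MD5/SHA1 you compute do not match the report, you are not looking at the file that was scanned.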

 

C:\Windows\system32\0848\baisoa>dir /s
 Volume in drive C has no label.
 Volume Serial Number is 1013-3AFE

 Directory of C:\Windows\system32\0848\baisoa

              <DIR>          .
              <DIR>          ..
                  71 up.dat
                 229 verx.dat
              12,288 novel.exe
              20,992 dllhosta.dll
              <DIR>          Update
                  69 updatefile.lst
                   0 waitdown.lst
              90,112 avpa.exe
              18,432 winampa.exe
                 465 adout.dat
               9 File(s)        142,658 bytes

 Directory of C:\Windows\system32\0848\baisoa\Update

              <DIR>          .
              <DIR>          ..
                  71 up.dat
                  69 updatefile.lst
                   0 waitdown.lst
                 229 verx.dat
              90,112 avpa.exe
                 465 adout.dat
              18,432 winampa.exe
               7 File(s)        109,378 bytes

     Total Files Listed:
              16 File(s)        252,036 bytes
               5 Dir(s)   1,359,462,400 bytes free

Downloaded Rising Antivirus Assistant from http://endurer.ys168.com and ran Rising Online Virus Scan on C:\; the results are as follows:

/----------
Rising Antivirus Assistant
Windows XP Service Pack 2 (5.1.2600)
File name  Virus name
C:\Windows\system32\spoolsv\spoolsv.exe  Trojan.DL.Agent.kij
C:\Windows\system32\msicn\plugins\BM.dll  Trojan.Ourxin.e
C:\Windows\system32\msicn\plugins\AS.dll  Trojan.Ourxin.c
C:\Windows\system32\msicn\msibm.dll  Trojan.Spy.Agent.BHS
C:\Windows\system32\1116\ntjdo\ntjcn.Emm  Trojan.Spy.Agent.BHS
C:\Windows\system32\1116\ntjdo\plugins\CN.Emm  Trojan.Ourxin.e
C:\Windows\system32\1116\ntjdo\plugins\BT.Emm  Trojan.Ourxin.c
C:\Windows\system32\1116\tzt\xnqesn.Emm  Trojan.Ourxin.d
C:\Windows\system32\1116\tqppmtw.fyf  Trojan.DL.Agent.kij
C:\Windows\system32\0848\baisoa\update\winampa.exe>unpack  Trojan.DL.Agent.LDT
C:\Windows\system32\0848\baisoa\winampa.exe>unpack  Trojan.DL.Agent.LDT
C:\Windows\system32\wmpdrm.dll  Trojan.Ourxin.d
C:\Windows\system32\winsc.dll  Trojan.Clicker.Qhost.I
C:\Windows\system32\winsc64.dll  Trojan.Clicker.Qhost.I
C:\Windows\system32\updatemodule.dll.DEL  Trojan.Clicker.Agent.Ads
C:\Windows\system32\kb896475.log.Del>nspack  Trojan.PSW.LMir.Large
C:\Windows\system32\ejjf.dll.DEL  Trojan.DL.Direct.AA
C:\Windows\system32\icif.dll.DEL  Trojan.DL.Direct.AA
C:\Windows\system32\jjbi.dll.DEL  Trojan.DL.Direct.AA
C:\Windows\system32\ijcj.dll.DEL  Trojan.DL.Direct.AA
C:\Windows\101628.exe.DEL  Trojan.DL.Adload.EI
C:\Windows\10045_setup.exe.del  Trojan.StartPage.bnx

C:\Documents and Settings\all users\Application Data\Microsoft\crypto\dffj.exe.DEL  Trojan.Inject.St
C:\Documents and Settings\all users\Application Data\Tencent\bind_40040.exe  Trojan.DL.Agent.LPU
C:\Documents and Settings\all users\Application Data\Tencent\bind_40017.exe  Trojan.DL.Agent.LPU
C:\Documents and Settings\all users\Application Data\Tencent\setup72.exe  Dropper.Tihs.g

C:\program files\common files\update2\update.exe.1  Trojan.DL.QQHelper.EFH
C:\program files\Windows Media Player\setup_wm.dll  Trojan.DL.Agent.APH
C:\program files\Internet Explorer\iedw.dll  Trojan.DL.Agent.APH
C:\program files\common files\system\ddw.l.dat  Trojan.Inject.St
C:\program files\netmeeting\nmview.dll  Trojan.Agent.DTE
C:\program files\netmeeting\CONF.dll  Trojan.Agent.DTE
C:\program files\Xerox\fcbzc.exe  Trojan.Inject.St
C:\program files\CNNIC\iebar_v2.exe  Trojan.DL.QQHelper.EO

C:\nxldr.dat>nspack  Trojan.PSW.LMir.Large
----------/

After packaging a backup, used Rising Antivirus Assistant to remove them.

Closed all browsers and folder windows, then scanned with HijackThis and fixed the items listed above.

Cleared the IE temporary folder.

Cleared C:\Documents and Settings\user\Local Settings\Temp (where user is the user name).

Cleared C:\Windows\Temp.
