Trojan.DL.Multi.wfg (sss.exe, scvhsot.exe, autorun.inf)


Endurer Original

2006-12-23 Revision 2 (supplementary)
2006-12-22 Version 1

Yesterday afternoon, after a friend plugged a USB flash drive into his computer, an error message box popped up saying that drive A (or something like that) could not be found; after being closed it popped up again. He asked me to help.

Opening the USB flash drive with WinRAR showed the files autorun.inf and sss.exe, which are regenerated immediately after being deleted.

Download hijackthis and procview from http://endurer.ys168.com.

Run procview and sort by last modification time. Two suspicious processes are found:
/======
C:/program files/Microsoft/svhost32.exe
C:/Windows/system32/scvhsot.exe
=====/
After terminating them the error message box no longer appears, and autorun.inf and sss.exe on the USB flash drive are deleted.

Scan with Pe_xscan; its log shows the following suspicious items (note that ztdll.dll and dllms.dll appear under every running process):
/======
Pe_xscan by Purple endurer
2006-12-21 15:30:29
Windows XP Service Pack 2 (5.1.2600)
Administrator user group
[System process] * 0
  C:/Windows/system32/ztdll.dll * 8:24:38
  C:/Windows/system32/dllms.dll * 8:24:36
C:/Windows/EXPLORER.EXE * 1160 *
  C:/Windows/system32/ztdll.dll * 8:24:38
  C:/Windows/system32/dllms.dll * 8:24:36
C:/program files/common files/real/update_ob/realsched.exe * 1988 * 0:17:54
  C:/Windows/system32/ztdll.dll * 8:24:38
  C:/Windows/system32/dllms.dll * 8:24:36
C:/Windows/system32/rundll32.exe * 2004 *
  C:/Windows/system32/ztdll.dll * 8:24:38
  C:/Windows/system32/dllms.dll * 8:24:36
C:/Windows/Intel/rundll32.exe * 2028 * 16:58:44
  C:/Windows/system32/ztdll.dll * 8:24:38
  C:/Windows/system32/dllms.dll * 8:24:36
C:/Windows/system32/ctfmon.exe * 2036 *
  C:/Windows/system32/ztdll.dll * 8:24:38
  C:/Windows/system32/dllms.dll * 8:24:36
C:/program files/Internet Explorer/iexplore.exe * 188 *
  C:/Windows/system32/ztdll.dll * 8:24:38
  C:/Windows/system32/dllms.dll * 8:24:36
C:/progra~1/Yahoo!/Assist~1/ylive.exe * 1212 *
  C:/Windows/system32/ztdll.dll * 8:24:38
  C:/Windows/system32/dllms.dll * 8:24:36
C:/program files/WinRAR/winrar.exe * 424 * 9:18:26
  C:/Windows/system32/ztdll.dll * 8:24:38
  C:/Windows/system32/dllms.dll * 8:24:36
F:/tools11/hijackthis.exe * 1064 *
  C:/Windows/system32/ztdll.dll * 8:24:38
  C:/Windows/system32/dllms.dll * 8:24:36
C:/Windows/system32/notepad.EXE * 288 *
  C:/Windows/system32/ztdll.dll * 8:24:38
  C:/Windows/system32/dllms.dll * 8:24:36
F:/tools11/3.exe * 2516 * 15:29:42
  C:/Windows/system32/ztdll.dll * 8:24:38
  C:/Windows/system32/dllms.dll * 8:24:36

O4 - HKLM/../Run: [MS] C:/program files/Microsoft/svhost32.exe
O4 - HKLM/../Run: [rzt] C:/Windows/Intel/rundll32.exe
O4 - HKLM/../Run: [qqkav] C:/Windows/system32/scvhsot.exe
D:/autorun.inf, E:/autorun.inf, F:/autorun.inf and H:/autorun.inf (identical contents):
/-----
[Autorun]
open=sss.exe
shellexecute=sss.exe
shell\auto\command=sss.exe
-----/
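The three O4 entries and the autorun.inf above show the two tricks this family relies on: executable names that imitate svchost.exe and rundll32.exe (scvhsot.exe, svhost32.exe, and a rundll32.exe living outside system32), and autorun.inf directives that hand sss.exe to Explorer as soon as the drive is opened, which is why the drives are browsed with WinRAR rather than Explorer. The following Python is an added example and not the post's own tooling (procview, Pe_xscan, hijackthis): it parses an autorun.inf for every directive that causes code execution and scores Run-key targets for masquerading. The Run entries and the autorun.inf text are the ones in the log; the known-binary list, the system-directory list, the edit-distance threshold and the benign control entries are my assumptions.

```python
"""Triage of Run-key targets and autorun.inf launch directives.
Added example; assumptions are marked in the comments."""
import posixpath
from typing import Optional

# Windows binaries this family imitates, keyed by stem with digits removed
# (so "rundll32" normalises to "rundll").  Assumed list; extend as needed.
KNOWN_STEMS = {"svchost": "svchost.exe", "rundll": "rundll32.exe",
               "explorer": "explorer.exe", "ctfmon": "ctfmon.exe"}
SYSTEM_DIRS = {"c:/windows/system32", "c:/windows"}   # assumed
LOOKALIKE_MAX = 2                                      # assumed threshold


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert/delete/substitute plus
    adjacent transposition, so 'scvhsot' vs 'svchost' costs 2, not 4."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def triage_run_entry(path: str) -> Optional[str]:
    """Reason string if a Run-key target looks like masquerading, else None."""
    p = path.replace("\\", "/").lower()
    directory, name = posixpath.split(p)
    stem = posixpath.splitext(name)[0]
    norm = "".join(ch for ch in stem if not ch.isdigit())
    if norm in KNOWN_STEMS:                       # real name, wrong place?
        if directory not in SYSTEM_DIRS:
            return f"system binary name outside a system directory ({KNOWN_STEMS[norm]})"
        return None
    for known, canonical in KNOWN_STEMS.items():  # near-miss spelling?
        if osa_distance(norm, known) <= LOOKALIKE_MAX:
            return f"lookalike of {canonical}"
    return None


def triage_run_entries(entries: dict) -> dict:
    """Return {value name: reason} for every flagged entry."""
    return {n: r for n, p in entries.items() if (r := triage_run_entry(p))}


LAUNCH_KEYS = {"open", "shellexecute"}


def autorun_launch_targets(text: str) -> dict:
    """Map each autorun.inf directive that causes execution to its target.
    open= and shellexecute= fire on AutoRun/AutoPlay; shell\\<verb>\\command=
    fires when that verb is picked from the drive's context menu (and on
    double-click when shell=<verb> makes it the default verb)."""
    targets, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower().replace("/", "\\")
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            targets[key] = value
    return targets


# autorun.inf found on D:, E:, F: and H: (from the log).
AUTORUN_INF = "[Autorun]\nopen=sss.exe\nshellexecute=sss.exe\nshell\\auto\\command=sss.exe\n"
# Constructed benign autorun.inf (icon and label only) as a control.
BENIGN_INF = "[AutoRun]\nicon=setup.exe,0\nlabel=Vendor Tools\n"
# Run-key targets from the hijackthis O4 lines, plus a constructed benign one.
RUN_ENTRIES = {
    "MS": "C:/program files/Microsoft/svhost32.exe",
    "rzt": "C:/Windows/Intel/rundll32.exe",
    "qqkav": "C:/Windows/system32/scvhsot.exe",
    "ctfmon": "C:/Windows/system32/ctfmon.exe",   # constructed control
}

if __name__ == "__main__":
    for name, reason in triage_run_entries(RUN_ENTRIES).items():
        print(f"O4 [{name}] -> {reason}")
    print("autorun.inf launch targets:", autorun_launch_targets(AUTORUN_INF))
```

Digits are stripped before comparison because this family pads names with numbers (svhost32); the transposition-aware distance is what catches scvhsot, which plain Levenshtein scores at 4. On a live system you would feed triage_run_entries the Run values read from the registry and autorun_launch_targets the root of each removable drive, and refuse to open any drive whose autorun.inf returns a non-empty map.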

Use WinRAR to delete sss.exe and autorun.inf from drives D, F and H, keeping backup copies of the files on the drive.

Download the Rising Antivirus Assistant from http://endurer.ys168.com, run it and use Rising's free online scan. The results:
/-----
16:51:22 Rising anti-virus Assistant
Windows XP Service Pack 2 (5.1.2600)
File name                          Virus name
C:/Windows/system32/winscok.dll    Trojan.PSW.QQPass.poz
C:/Windows/system32/svohost.exe    Trojan.PSW.QQPass.poz
C:/Windows/system32/wincfgs.exe    Worm.USBSpy
C:/Windows/system32/dllms.dll      Trojan.PSW.WoWar.qq
C:/Windows/system32/ztdll.dll      Trojan.PSW.Zhengtu.sm
C:/Windows/system32/scvhsot.exe    Trojan.DL.Multi.wfg
C:/Windows/Intel/rundll32.exe      Trojan.PSW.Zhengtu.th
E:/sxs.exe>FSG2.0                  Trojan.PSW.QQPass.pqb
E:/sss.exe                         Trojan.DL.Multi.wfg
-----/

Many of these have been seen before......

Download fileinfo and bat_do from http://purpleendurer.ys168.com.

Pack the virus files with bat_do, extract the file information with fileinfo, and then delete them with the Rising Antivirus Assistant.

Use hijackthis to repair the O4 items above and use WinRAR to delete autorun.inf on drive E.

File description: C:/Windows/system32/dllms.dll
Attributes: ---
An error occurred while obtaining the file version information!
Creation time: 16:57:57
Modification time: 8:24:36
Access time:
Size: 51200 bytes, 50.0 KB
MD5: a6cc05b8ccc4a52a8558fedc7f52cc27

File description: C:/Windows/system32/ztdll.dll
Attributes: ---
An error occurred while obtaining the file version information!
Creation time: 16:58:43
Modification time: 8:24:38
Access time:
Size: 41984 bytes, 41.0 KB
MD5: 8d7a011ff9497d111e0892c93fdb4063

File description: C:/Windows/system32/svohost.exe
Attributes: -sh-
An error occurred while obtaining the file version information!
Creation time:
Modification time:
Access time:
Size: 47235 bytes, 46.131 KB
MD5: 6fa72cbba8f23eae2797557c704095e5

File description: C:/Windows/system32/Winsock.dll
Attributes: ---
Language: English (USA)
File version: 3.10
Description: Windows Socket 16-bit DLL
Copyright: Copyright © Microsoft Corp. 1981-1996
Comments:
Product version: 3.10
Product name: Microsoft® Windows(TM) Operating System
Company name: Microsoft Corporation
Legal trademarks:
Internal name: Winsock
Original filename: Winsock.dll
Creation time:
Modification time:
Access time:
Size: 2864 bytes, 2.816 KB
MD5: 68485c5ef0e2efcebf21bbb1042b823b

File description: C:/Windows/system32/wincfgs.exe
Attributes: -shr
An error occurred while obtaining the file version information!
Creation time: 5:40:28
Modification time: 18:10:38
Access time:
Size: 47104 bytes, 46.0 KB
MD5: 07adddef653a702b9a11edbcee07e82b

File description: C:/Windows/Intel/rundll32.exe
Attributes: ---
An error occurred while obtaining the file version information!
Creation time: 16:58:42
Modification time: 16:58:44
Access time:
Size: 78336 bytes, 76.512 KB
MD5: 5bd9e01b3cb7e1247deedb731c8878d8

File description: E:/sss.exe
Attributes: ashr
An error occurred while obtaining the file version information!
Creation time:
Modification time: 23:10:54
Access time:
Size: 37376 bytes, 36.512 KB
MD5: f3c31f846ef984cba3a1ef5bb6457d3e

File description: E:/sxs.exe
Attributes: ash-
An error occurred while obtaining the file version information!
Creation time: 10:57:41
Modification time: 2:12:48
Access time:
Size: 33815 bytes, 33.23 KB
MD5: 1781cb8004dc700ac66d799c35ac5c5a

File description: C:/Windows/system32/scvhsot.exe
Attributes: ashr
An error occurred while obtaining the file version information!
Creation time:
Modification time: 23:10:54
Access time:
Size: 37376 bytes, 36.512 KB
MD5: f3c31f846ef984cba3a1ef5bb6457d3e

scvhsot.exe and sss.exe are identical (same size and same MD5). Kaspersky reports them as Trojan-Downloader.Win32.Small.ecw.
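The conclusion that scvhsot.exe and sss.exe are one binary comes from comparing the fileinfo records by hash, and the same records carry the other tells of this family: hidden+system attributes and no version resource. The following Python is an added example, not the post's fileinfo or bat_do: it parses records in the format printed above, collapses them into one indicator per MD5 so a sample dropped under several names is reported once, and attaches those observations. The record text is copied from the log (trimmed to the fields used); reading the attribute letters as a=archive, s=system, h=hidden, r=read-only and treating hidden+system or a missing version resource as flags are my assumptions.

```python
"""Collapse fileinfo records into per-hash indicators.  Added example."""
import re
from collections import defaultdict

# Four of the fileinfo records from the log, trimmed to the fields used here.
FILEINFO = """\
File description: C:/Windows/system32/svohost.exe
Attributes: -sh-
An error occurred while obtaining the file version information!
Size: 47235 bytes, 46.131 KB
MD5: 6fa72cbba8f23eae2797557c704095e5

File description: C:/Windows/system32/Winsock.dll
Attributes: ---
File version: 3.10
Size: 2864 bytes, 2.816 KB
MD5: 68485c5ef0e2efcebf21bbb1042b823b

File description: E:/sss.exe
Attributes: ashr
An error occurred while obtaining the file version information!
Size: 37376 bytes, 36.512 KB
MD5: f3c31f846ef984cba3a1ef5bb6457d3e

File description: C:/Windows/system32/scvhsot.exe
Attributes: ashr
An error occurred while obtaining the file version information!
Size: 37376 bytes, 36.512 KB
MD5: f3c31f846ef984cba3a1ef5bb6457d3e
"""

# A record starts with "File description:" followed by a drive-letter path;
# the version-resource "Description:" line of a clean file does not match.
RECORD_START = re.compile(r"^(?:File )?description:\s*([A-Za-z]:[/\\].+)$", re.IGNORECASE)


def parse_fileinfo(text: str) -> list:
    """Parse fileinfo output into dicts with path, attrs, md5, size, version_info."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = RECORD_START.match(line)
        if m:
            cur = {"path": m.group(1), "attrs": "", "md5": None,
                   "size": None, "version_info": True}
            records.append(cur)
            continue
        if cur is None or not line:
            continue
        if line.startswith("An error occurred while obtaining the file version"):
            cur["version_info"] = False      # no VERSIONINFO resource at all
            continue
        key, _, val = line.partition(":")
        key, val = key.strip().lower(), val.strip()
        if key in ("attribute", "attributes", "property"):
            cur["attrs"] = val.lower()       # letters: a s h r (assumed meaning)
        elif key == "md5":
            cur["md5"] = val.lower()         # normalise case before grouping
        elif key == "size":
            cur["size"] = int(val.split()[0])
    return records


def indicators(records: list) -> list:
    """Group records by MD5 and attach the observations that make each stand out."""
    by_hash = defaultdict(list)
    for r in records:
        if r["md5"]:
            by_hash[r["md5"]].append(r)
    out = []
    for md5, group in by_hash.items():
        paths = sorted(r["path"] for r in group)
        flags = []
        if len(paths) > 1:
            flags.append(f"same binary under {len(paths)} names")
        if len({r["size"] for r in group}) > 1:
            flags.append("sizes differ for one hash: mis-copied record")
        attrs = group[0]["attrs"]
        if "h" in attrs and "s" in attrs:
            flags.append("hidden+system")
        if not group[0]["version_info"]:
            flags.append("no version resource")
        out.append({"md5": md5, "paths": paths, "flags": flags})
    return out


def suspicious(records: list) -> dict:
    """{md5: paths} for every hash that picked up at least one flag."""
    return {i["md5"]: i["paths"] for i in indicators(records) if i["flags"]}


if __name__ == "__main__":
    for ind in indicators(parse_fileinfo(FILEINFO)):
        print(ind["md5"], ind["paths"], ind["flags"])
```

Keying on the hash rather than the path is what turns nine fileinfo records into a short IOC list; the clean Winsock.dll record comes through with no flags, and the two copies of f3c31f84... are reported as one sample seen at two paths.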
