www.6781.com browser hijacking and Worm.Snake

Source: Internet
Author: User

Endurer original

2006-11-30, 1st version

On a netizen's computer, the IE homepage had been forcibly set to www.6781.com.

Download hijackthis and procview from http://endurer.ys168.com.

Scan with hijackthis and generate its startup item list, export the system process list with procview, and upload all three.

The following suspicious items are found in the logs scanned by hijackthis:
/-------
Logfile of hijackthis v1.99.1
Scan saved at 17:58:56, on
Platform: Windows XP SP2 (winnt 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running Processes:
G:/Windows/system32/rundllfromwin2000.exe
G:/program files/common files/system/update.exe

F2-Reg: system.ini: userinit.exe,

O2-BHO: newweb controller-{9aceee31-1440-471b-aa46-72b061fe7d61}-G:/Windows/system32/scintruder.dll

O4-HKLM/../run: [system] G:/program files/common files/system/update.exe
O4-HKLM/../run: [ravav] G:/Windows/ravmone.exe

O6-hkcu/software/policies/Microsoft/Internet Explorer/restrictions present
O6-hkcu/software/policies/Microsoft/Internet Explorer/Control Panel present
O6-HKLM/software/policies/Microsoft/Internet Explorer/restrictions present
-------/

The following suspicious items are found in the system process list exported by procview:
/-------
Windows XP (5.1.2600 Service Pack 2)
-11-30 18:32:15 Process List
G:/Windows/system32/svchost.exe
G:/Windows/system32/vpgqhi34.dll

G:/Windows/system32/rundllfromwin2000.exe
G:/Windows/system32/rundllfromwin2000.exe
G:/Windows/system32/WBEM/ibhqtw19.dll
G:/Windows/ravmone.exe
G:/Windows/ravmone.exe
-------/

The following suspicious services are found in the startup item list generated by hijackthis:
/-------
Startuplist report, 18:39:57
Startuplist version: 1.52.2
Started from: G:/tools/hijackthis.exe
Detected: Windows XP SP2 (winnt 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
======================================================================
Enumerating Windows NT/2000/XP services
00:/SYSTEMROOT/system32/Drivers/8590312.sys (system)
108375: system32/Drivers/ipv375.sys (system)
63090: system32/Drivers/63090.sys (system)
A0:/SYSTEMROOT/system32/Drivers/ipv375.sys (system)
Paraudio: /??/G:/Windows/system32/Drivers/paraudio.sys (autostart)
Network IPSec connections: G:/Windows/system32/rundllfromwin2000.exe G:/Windows/system32/WBEM/ibhqtw19.dll, export 1087 (autostart)
<Endurer note: Windows has a built-in service "IPSec services: %SystemRoot%/system32/lsass.exe (autostart)". Do not confuse the two.>
-------/
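As an added example (not part of Endurer's write-up), a small Python triage script that applies the checks made above to the HijackThis and StartupList entries quoted on this page: a rewritten UserInit value, a BHO DLL, Run entries, IE policy restrictions, and a service whose image is a rundll-style loader invoking a DLL export, while leaving the legitimate lsass-hosted IPSec service alone. The heuristics (generic Run-entry names, executables sitting in the Windows root, loader-plus-export service lines) are my own assumptions, not rules from the page.

```python
import re

# Constructed sample: entries copied from the HijackThis scan and StartupList
# report quoted above, plus the legitimate IPSec service from Endurer's note.
SAMPLE_LOG = """\
F2-Reg: system.ini: userinit.exe,
O2-BHO: newweb controller-{9aceee31-1440-471b-aa46-72b061fe7d61}-G:/Windows/system32/scintruder.dll
O4-HKLM/../run: [system] G:/program files/common files/system/update.exe
O4-HKLM/../run: [ravav] G:/Windows/ravmone.exe
O6-hkcu/software/policies/Microsoft/Internet Explorer/restrictions present
IPSec services: %SystemRoot%/system32/lsass.exe (autostart)
Network IPSec connections: G:/Windows/system32/rundllfromwin2000.exe G:/Windows/system32/WBEM/ibhqtw19.dll, export 1087 (autostart)
"""

# Service line of the form "<name>: <loader>.exe <library>.dll, export <ordinal>"
SVC_RE = re.compile(r"^([^:]+):\s+(\S+\.exe)\s+(\S+\.dll),\s*export\s+(\d+)", re.I)
# An autostart .exe placed directly in the Windows root rather than a subdirectory
WINROOT_EXE_RE = re.compile(r"^[a-z]:[\\/]windows[\\/][^\\/]+\.exe$", re.I)


def triage(log_text):
    """Return (section, reason, detail) tuples for entries worth a closer look."""
    findings = []
    for line in (ln.strip() for ln in log_text.splitlines() if ln.strip()):
        if line.startswith("F2-Reg:") and "userinit" in line.lower():
            value = line.split(":", 2)[2].strip()
            # XP's default UserInit is the full system32 path; a bare name was rewritten
            if not re.search(r"system32[\\/]userinit\.exe,?$", value, re.I):
                findings.append(("F2", "userinit value is not the default path", value))
        elif line.startswith("O2-BHO:"):
            m = re.search(r"(\{[0-9a-f-]{36}\})-(.+)$", line, re.I)
            if m:
                findings.append(("O2", "BHO loads a DLL into IE, verify CLSID " + m.group(1), m.group(2)))
        elif line.startswith("O4-"):
            m = re.search(r"\[(.+?)\]\s+(.+)$", line)
            if m and WINROOT_EXE_RE.match(m.group(2)):
                findings.append(("O4", "Run entry launches an .exe from the Windows root", m.group(2)))
            elif m and m.group(1).lower() in ("system", "windows", "update"):
                findings.append(("O4", "Run entry uses a generic system-like name", m.group(2)))
        elif line.startswith("O6-"):
            findings.append(("O6", "IE policy restrictions present (settings locked down)", line))
        else:
            m = SVC_RE.match(line)
            if m:
                # The lsass-hosted "IPSec services" line never matches: no DLL/export on it
                findings.append(("SVC", "service runs a DLL export via a rundll-style loader", m.group(2)))
    return findings
```

Calling `triage(SAMPLE_LOG)` yields six findings, one per hostile entry, and none for the real IPSec service.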

Use procview to pack up
/-------
G:/Windows/system32/rundllfromwin2000.exe
G:/Windows/ravmone.exe
-------/
and send them back, then terminate them. Forgot to pack up
/-------
G:/Windows/system32/vpgqhi34.dll
G:/Windows/system32/WBEM/ibhqtw19.dll
-------/
Sigh!

Then pack up the following with WinRAR
/-------
G:/Documents and settings/user/Local Settings/temp/jh.exe
G:/program files/common files/system/update.exe
G:/Windows/ravmone.exe
-------/
and send them back; the netizen is about to get off work.

ravmone.exe is built with Microsoft Visual C++ 7.0 (Method2).
/----------
Modification time:
Size: 3515723 bytes 3.361 MB
MD5: 3efdfddfffe5cf4ad40c5368c336a702
----------/
Kaspersky reports Worm.Win32.20.ump; Rising reports Worm.Snake.

scintruder.dll is packed with NsPack 1.3 -> North Star/Liu Xing.
/----------
Modification time: 17:30:34
Size: 104960 bytes, 102.512 KB
MD5: d3c0bbe879ed2acf5a4d519e7121da91
----------/
Kaspersky reports Not-a-virus:adware.win32.newweb.e; Rising reports Trojan.Spy.neweb.B.

Update.exe
/----------
Modification time: 0:52:20
Size: 143360 bytes, 140.0 KB
MD5: 136e4dceb6d327b337fa44affb376953
----------/
Kaspersky reports Trojan-Downloader.Win32.QQHelper.od; Rising reports Trojan.DL.qqhelper.EOQ.

rundllfromwin2000.exe is packed; the packer is identified as Microsoft CAB SFX module.
/----------
Language: Chinese (China)
File version: 5.00.20.4.1
Note: run a DLL as an app
Copyright: Copyright (c) Microsoft Corp. 1981-1999
Note:
Product Version: 5.00.20.4.1
Product Name: Microsoft (r) Windows (r) 2000 operating system
Company Name: Microsoft Corporation
Legal trademark:
Internal name: rundll
Source File Name: rundll.exe
Modification time: 0:52:20
Size: 10240 bytes, 10.0 kb
MD5: 4936a6954ed59700a3c706f9094685ee
----------/

jh.exe is built with Microsoft Visual Basic 5.0/6.0.
/----------
Language: Chinese (China)
File version: 1.00
Note:
Copyright:
Note:
Product: 1.00
Product Name: Workshop
Company Name:
Legal trademark:
Internal name: Internal
Source File Name: jh.exe
Creation Time: 22:25:28
Modification time:
Access time: 22:26:51
Size: 49152 bytes, 48.0 KB
MD5: bda-e60b7db0df8f334f29d62d01605
----------/
