Endurer, original
2006-11-30, 1st version
On a netizen's computer, the IE browser homepage was forcibly set to www.6781.com.
Download hijackthis and procview from http://endurer.ys168.com.
Scan with hijackthis to save a log and generate the startup list, and upload them together with the process list exported by procview.
The following suspicious items were found in the log scanned by hijackthis:
/-------
Logfile of hijackthis v1.99.1
Scan saved at 17:58:56, on
Platform: Windows XP SP2 (winnt 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running Processes:
G:/Windows/system32/rundllfromwin2000.exe
G:/program files/common files/system/update.exe
F2-Reg: system.ini: userinit.exe,
O2-BHO: newweb controller-{9aceee31-1440-471b-aa46-72b061fe7d61}-G:/Windows/system32/scintruder.dll
O4-HKLM/../run: [system] G:/program files/common files/system/update.exe
O4-HKLM/../run: [ravav] G:/Windows/ravmone.exe
O6-hkcu/software/policies/Microsoft/Internet Explorer/restrictions present
O6-hkcu/software/policies/Microsoft/Internet Explorer/Control Panel present
O6-HKLM/software/policies/Microsoft/Internet Explorer/restrictions present
-------/
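The entries above can be triaged mechanically. The Python script below is an added example, not part of the original post and not HijackThis code; it re-types the flagged entries in the tool's normal layout as constructed sample input (plus one benign ctfmon entry) and applies simple heuristics of my own: a UserInit value that is not a full path, any BHO, Run entries launched from the Windows root or Common Files\System, and any IE Policies restriction.

```python
import re

# Constructed sample: the entries the post flags, written in HijackThis' usual
# "Oxx - ..." layout (the blog's copy lost the spacing and backslashes), plus a
# benign ctfmon entry so the heuristics have something to leave alone.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
F2 - REG:system.ini: UserInit=userinit.exe,
O2 - BHO: newweb controller - {9aceee31-1440-471b-aa46-72b061fe7d61} - G:\Windows\system32\scintruder.dll
O4 - HKLM\..\Run: [system] G:\program files\common files\system\update.exe
O4 - HKLM\..\Run: [ravav] G:\Windows\ravmone.exe
O4 - HKLM\..\Run: [ctfmon.exe] G:\Windows\system32\ctfmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
"""

ENTRY = re.compile(r"^(?P<code>[FO]\d+)\s*-\s*(?P<body>.+)$")
BHO = re.compile(r"BHO:\s*(?P<name>.*?)\s*-\s*(?P<clsid>\{[0-9a-f-]{36}\})\s*-\s*(?P<path>.+)", re.I)
RUN = re.compile(r"Run:\s*\[(?P<key>[^\]]*)\]\s*(?P<path>.+)", re.I)
USERINIT = re.compile(r"UserInit=(?P<value>.+)", re.I)


def odd_autorun_dir(path):
    """Heuristic (mine): executables started straight from the Windows root or from
    Common Files\\System, the two locations seen in the post, deserve a look."""
    parent = path.lower().rsplit("\\", 1)[0]
    return parent.endswith("\\windows") or parent.endswith("\\common files\\system")


def triage(log):
    """Return (code, reason, detail) tuples for entries worth checking by hand."""
    findings = []
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        if code == "F2" and (u := USERINIT.search(body)):
            value = u.group("value").strip().rstrip(",")
            if not re.match(r"^[a-z]:\\", value, re.I):  # default value is a full path
                findings.append((code, "UserInit is not a full path", value))
        elif code == "O2" and (b := BHO.search(body)):
            findings.append((code, "BHO loaded into IE", f"{b['name']} {b['clsid']} {b['path']}"))
        elif code == "O4" and (r := RUN.search(body)):
            if odd_autorun_dir(r["path"].strip()):
                findings.append((code, "autorun from unusual directory", r["path"].strip()))
        elif code == "O6" and "Policies" in body:
            findings.append((code, "IE policy restrictions set", body))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(*finding, sep=" | ")
```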
The following suspicious items were found in the process list exported by procview:
/-------
Windows XP (5.1.2600 Service Pack 2)
-11-30 18:32:15 Process List
G:/Windows/system32/svchost.exe
G:/Windows/system32/vpgqhi34.dll
G:/Windows/system32/rundllfromwin2000.exe
G:/Windows/system32/rundllfromwin2000.exe
G:/Windows/system32/WBEM/ibhqtw19.dll
G:/Windows/ravmone.exe
G:/Windows/ravmone.exe
-------/
The following suspicious services were found in the startup list generated by hijackthis:
/-------
Startuplist report, 18:39:57
Startuplist version: 1.52.2
Started from: G:/tools/hijackthis.exe
Detected: Windows XP SP2 (winnt 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
======================================================================
Enumerating Windows NT/2000/XP services
00:/SYSTEMROOT/system32/Drivers/8590312.sys (system)
108375: system32/Drivers/ipv375.sys (system)
63090: system32/Drivers/63090.sys (system)
A0:/SYSTEMROOT/system32/Drivers/ipv375.sys (system)
Paraudio :/?? /G:/Windows/system32/Drivers/paraudio.sys (autostart)
Network IPSec connections: G:/Windows/system32/rundllfromwin2000.exe G:/Windows/system32/WBEM/ibhqtw19.dll, export 1087 (autostart)
<Endurer Note: Windows has a built-in service, IPSEC Services: %SystemRoot%/system32/lsass.exe (autostart). Do not confuse the two.>
-------/
Had the netizen use procview to pack and send back, then terminate:
/-------
G:/Windows/system32/rundllfromwin2000.exe
G:/Windows/ravmone.exe
-------/
Forgot to have these packed as well:
/-------
G:/Windows/system32/vpgqhi34.dll
G:/Windows/system32/WBEM/ibhqtw19.dll
-------/
Sweat!
Then had these packed with WinRAR:
/-------
G:/Documents and settings/user/Local Settings/temp/jh.exe
G:/program files/common files/system/update.exe
G:/Windows/ravmone.exe
-------/
The package was sent back, and the netizen left work.
Ravmone.exe: developed with Microsoft Visual C++ 7.0 [Method2].
/----------
Modification time:
Size: 3515723 bytes, 3.361 MB
MD5: 3efdfddfffe5cf4ad40c5368c336a702
----------/
Kaspersky reports Worm.Win32.20.ump; Rising reports Worm.Snake.
Scintruder.dll: packed with Nspack 1.3 -> North Star/Liu Xing Ping.
/----------
Modification time: 17:30:34
Size: 104960 bytes, 102.512 KB
MD5: d3c0bbe879ed2acf5a4d519e7121da91
----------/
Kaspersky reports not-a-virus:AdWare.Win32.NewWeb.e; Rising reports Trojan.Spy.Neweb.B.
Update.exe:
/----------
Modification time: 0:52:20
Size: 143360 bytes, 140.0 KB
MD5: 136e4dceb6d327b337fa44affb376953
----------/
Kaspersky reports Trojan-Downloader.Win32.QQHelper.od; Rising reports Trojan.DL.qqhelper.EOQ.
Rundllfromwin2000.exe: packed with the Microsoft CAB SFX module.
/----------
Language: Chinese (China)
File version: 5.00.20.4.1
Description: Run a DLL as an App
Copyright: Copyright (c) Microsoft Corp. 1981-1999
Comments:
Product Version: 5.00.20.4.1
Product Name: Microsoft (r) Windows (r) 2000 operating system
Company Name: Microsoft Corporation
Legal trademark:
Internal name: rundll
Original File Name: rundll.exe
Modification time: 0:52:20
Size: 10240 bytes, 10.0 kb
MD5: 4936a6954ed59700a3c706f9094685ee
----------/
Jh.exe: developed with Microsoft Visual Basic 5.0/6.0.
/----------
Language: Chinese (China)
File version: 1.00
Description:
Copyright:
Comments:
Product Version: 1.00
Product Name: Workshop
Company Name:
Legal trademark:
Internal name: Internal
Original File Name: jh.exe
Creation Time: 22:25:28
Modification time:
Access time: 22:26:51
Size: 49152 bytes, 48.0 KB
MD5: bda-e60b7db0df8f334f29d62d01605
----------/