Endurer original
2006-06-26 3rd edition, supplement: Kaspersky confirmed it as a virus: Trojan.win32.Agent.ut
2006-06-26 2nd edition, supplement: Kaspersky (2006-06-26 09:06:15) and Jiangmin KV2006 (engine version: 9.02.2040, virus database date: 2006-06-26) did not report it.
2006-06-25 1st Edition
A netizen said that recently, while he browses the web, his computer sometimes pops up an unexplained page, hxxp://www.88u.com. He also sent a HijackThis scan log.
The log contained the following suspicious items:
O2 - BHO: IEHLPROBJ CLASS - {A3803141-3CF5-4D66-B7EA-8D2674FE152C} - C:\Windows\stdie.dll
O4 - HKCU\..\Run: [localsystem] c:\windows\system\svchost.exe
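Entries like these two can be flagged mechanically. The following Python script is an added example, not part of the original post: it matches the BHO CLSID quoted above and, as a generalization, any O4 autostart of a system-process name from outside System32. The short name list, the assumption that Windows is installed in C:\Windows, and the sample log are constructed for the example.

```python
import re
from pathlib import PureWindowsPath

# CLSID of the O2 entry quoted in the post.
POST_BHO_CLSID = "{A3803141-3CF5-4D66-B7EA-8D2674FE152C}"
# Assumptions: Windows is in C:\Windows; these names normally run only from these dirs.
SYSTEM_DIRS = {PureWindowsPath(r"C:\Windows\System32"), PureWindowsPath(r"C:\Windows\SysWOW64")}
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "services.exe", "winlogon.exe", "csrss.exe"}

O2_RE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-F-]{36}\}) - (.+)$", re.I)
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\([^:]+): \[([^\]]*)\] (.+)$", re.I)
EXE_RE = re.compile(r'^"?(.+?\.(?:exe|com|scr|bat|dll))', re.I)

def normalize(line):
    """Collapse 'C: /Windows/x' or 'hkcu /../ Run' (pasted-log damage) to backslash form."""
    return re.sub(r"\s*[\\/]\s*", r"\\", line.strip())

def scan(log_text):
    """Return (section, reason, original line) for each suspicious O2/O4 entry."""
    findings = []
    for raw in log_text.splitlines():
        line = normalize(raw)
        if m := O2_RE.match(line):
            if m[2].upper() == POST_BHO_CLSID:
                findings.append(("O2", "BHO CLSID listed in the post", raw))
        elif m := O4_RE.match(line):
            exe = EXE_RE.match(m[4])  # drop quotes and command-line arguments
            path = PureWindowsPath(exe[1] if exe else m[4])
            if path.name.lower() in SYSTEM_NAMES and path.parent not in SYSTEM_DIRS:
                findings.append(("O4", f"{path.name} autostarts from {path.parent}", raw))
    return findings

# Constructed sample: the two entries from the post plus two benign-looking lines.
SAMPLE_LOG = r"""
O2 - BHO: IEHLPROBJ CLASS - {A3803141-3CF5-4D66-B7EA-8D2674FE152C} - C:\Windows\stdie.dll
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
O4 - HKCU\..\Run: [localsystem] c:\windows\system\svchost.exe
O4 - HKLM\..\Run: [Example] "C:\Program Files\Example\tray.exe" /background
"""

if __name__ == "__main__":
    for section, reason, line in scan(SAMPLE_LOG):
        print(f"[{section}] {reason}: {line}")
```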
After I replied, the netizen packed up the two files and sent them over.
Of these, Rising (Ruixing) reports SVCHOST.EXE as Trojan.dl.Agent.Alb
This file was written in Microsoft Visual C++ 7.0 [Debug]
It creates a named pipe called micpip and downloads:
hxxp://www.ad***369.com/filmweb/webad.asp
hxxp://www.ad***369.com/filmweb/file.asp
hxxp://www.ad***369.com/filmweb/file.dat
hxxp://www.ad***369.com/filmweb/ehu.up
It creates the following files:
1. %windir%\setupsvc.txt
2. %userprofile%\local settings\temp\run1.bat
The file content is:
Rundll32 Syssetup,SetupInfObjectInstallAction DefaultInstall 128 Drv1.inf
3. %userprofile%\local settings\temp\drv1.inf
The file content is:
[Version]
Signature="$Windows NT$"
[DefaultInstall]
DelReg=MyDel
[MyDel]
HKCU,Software\Microsoft\Windows\CurrentVersion\Policies\System,DisableRegistryTools
4. NetInfo.xml
5. %windir%\system\svchost.exe
6. %windir%\system\netshell.dll
7. %windir%\Netshell.dll
It modifies multiple registry values.
One of the most important is:
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer%S.dll
which is used to load NetShell.dll.
This item is not reported in the concise HijackThis log.