Trojan-Downloader.Win32.Agent.rjq1, which modifies the system date and replaces explorer.exe
endurer original, 2008-06-17, 1st edition
A netizen's computer: recently the "My Computer" icon on the desktop changed, Rising keeps finding three viruses and prompting to delete them at the next startup, but after rebooting the viruses are still there. He asked me to help check and fix it.
I downloaded pe_xscan, scanned, and analysed the log; the following suspicious items turned up: /===
pe_xscan 08-04-26 by Purple Endurer
2000-6-14 15:36:58
Windows XP Service Pack 2(5.1.2600)
MSIE:6.0.2900.2180
管理员用户组
正常模式
[System Process] * 0
C:/WINDOWS/system32/rfdswc.dll | 2000-6-13 13:2:24
C:/WINDOWS/system32/ddserh.dll | 2000-6-13 13:42:7
C:/WINDOWS/system32/zefdst.dll | 2000-6-13 13:2:8
C:/WINDOWS/system32/fmschif.dll | 2000-6-14 7:6:3
C:/WINDOWS/system32/fewqickd.dlL | 2000-6-14 7:6:2
C:/WINDOWS/system32/fmcbbqi.dll | 2000-6-14 7:6:2
C:/WINDOWS/system32/ioliuacd.dll | 2000-6-14 7:6:2
C:/Program Files/Rising/Rfw/rfwmain.exe* 280 | 2007-10-18 13:40:10 | Rising Personal FireWall 2008 | 7.00 | Rising Personal FireWall Main Program | Rising Corp. All rights reserved. | 7.0.1.65 | Beijing Rising Technology Co., Ltd.| ? | Beijing Rising Technology Co., Ltd. | rfwmain.EXE
C:/WINDOWS/system32/rfdswc.dll | 2000-6-13 13:2:24
C:/WINDOWS/system32/ddserh.dll | 2000-6-13 13:42:7
C:/WINDOWS/system32/zefdst.dll | 2000-6-13 13:2:8
C:/WINDOWS/conime.exe * 588 | 2008-6-11 0:45:58
C:/WINDOWS/system32/mndhedwd.dll | 2004-8-8 13:3:6
C:/WINDOWS/system32/rfdswc.dll | 2000-6-13 13:2:24
C:/WINDOWS/system32/ddserh.dll | 2000-6-13 13:42:7
C:/WINDOWS/system32/zefdst.dll | 2000-6-13 13:2:8
C:/WINDOWS/System32/Explorer.EXE * 1700 | 2004-6-5 22:14:12 | Microsoft(R) Windows(R) Operating System | 6.00.2900.3156 | Windows Explorer | (C) Microsoft Corporation. All rights reserved. | 6.00.2900.3156 (xpsp_sp2_gdr.070613-1234) | Microsoft Corporation| ? | explorer | EXPLORER.EXE
C:/WINDOWS/system32/mndhedwd.dll | 2004-8-8 13:3:6
C:/WINDOWS/system32/zefdst.dll | 2000-6-13 13:2:8
C:/WINDOWS/system32/ddserh.dll | 2000-6-13 13:42:7
C:/WINDOWS/system32/rfdswc.dll | 2000-6-13 13:2:24
C:/WINDOWS/system32/ioliuacd.dll | 2000-6-14 7:6:2
C:/WINDOWS/system32/fmcbbqi.dll | 2000-6-14 7:6:2
C:/WINDOWS/system32/fewqickd.dlL | 2000-6-14 7:6:2
C:/WINDOWS/system32/fmschif.dll | 2000-6-14 7:6:3
C:/Program Files/Rising/Rav/RavTask.exe* 388 | 2007-10-18 13:44:4 | Rising Antivirus 2008 | 20.00 | RavTimer | Rising Corp.All rights reserved. | 20.0.0.23 | Beijing Rising Technology Co., Ltd.| ? | Beijing Rising Technology Co., Ltd. | RavTask.exe
C:/WINDOWS/system32/rfdswc.dll | 2000-6-13 13:2:24
C:/WINDOWS/system32/ddserh.dll | 2000-6-13 13:42:7
C:/WINDOWS/system32/zefdst.dll | 2000-6-13 13:2:8
C:/Program Files/Rising/Rav/RavMon.exe* 496 | 2007-10-18 13:44:28 | Rising AntiVirus 2008 | 20.00 | Rising realtime monitor shell | Rising Corp. All rights reserved. | 20.0.01.19 | Beijing Rising Technology Co., Ltd.| ? | Beijing Rising Technology Co., Ltd. | RavTray.EXE
C:/WINDOWS/system32/rfdswc.dll | 2000-6-13 13:2:24
C:/WINDOWS/system32/ddserh.dll | 2000-6-13 13:42:7
C:/WINDOWS/system32/zefdst.dll | 2000-6-13 13:2:8
C:/WINDOWS/System32/ctfmon.exe* 1188 | 2004-8-3 16:52:30 | Microsoft? Windows? Operating System | 5.1.2600.2180 | CTF Loader | ? Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | CTFMON | CTFMON.EXE
C:/WINDOWS/system32/rfdswc.dll | 2000-6-13 13:2:24
C:/WINDOWS/system32/ddserh.dll | 2000-6-13 13:42:7
C:/WINDOWS/system32/zefdst.dll | 2000-6-13 13:2:8
D:/Program Files/Tencent/QQ/QQ.exe* 3612 | 2007-12-19 11:57:42 | QQ | 7,0,225,1651 | QQ | Copyright (C) 1998 - 2007 TENCENT Inc. All Rights Reserved | 7,0,225,1651 | TENCENT | | COMQQD | QQ.exe
C:/WINDOWS/system32/rfdswc.dll | 2000-6-13 13:2:24
C:/WINDOWS/system32/ddserh.dll | 2000-6-13 13:42:7
C:/WINDOWS/system32/zefdst.dll | 2000-6-13 13:2:8
C:/WINDOWS/system32/fmschif.dll | 2000-6-14 7:6:3
C:/WINDOWS/system32/fewqickd.dlL | 2000-6-14 7:6:2
C:/WINDOWS/system32/fmcbbqi.dll | 2000-6-14 7:6:2
C:/WINDOWS/system32/ioliuacd.dll | 2000-6-14 7:6:2
O2 - BHO - {37AC9076-C898-B098-D098-A18319080973} -C:/WINDOWS/system32/nhmxcjkl.dll
O2 - BHO - {55694105-5108-9405-3695-954187462155} -C:/WINDOWS/system32/mpwdeapi.dll
O2 - BHO - {5C648541-1025-9650-9057-6541258720C5} -C:/WINDOWS/system32/mndhedwd.dll
O2 - BHO - {7C8D1401-A58D-A81C-CD24-A5915C4517C7} -C:/WINDOWS/system32/mnmhgsrv.dll
O2 - BHO - {8AD0F1B1-990D-4F52-A33D-2837E43CEF58} -C:/Program Files/Internet Explorer/PLUGINS/DosSys08.Sys
O4 - HKLM/../Run: [veobqitk]C:/WINDOWS/ebikedxl.exe
O4 - HKLM/../Run: [fmcbbqi]C:/WINDOWS/fmcbbqi.exe
O4 - HKLM/../Run: [fewqickd]C:/WINDOWS/fewqickd.exe
O4 - HKLM/../Run: [fmschif]C:/WINDOWS/fmschif.exe
DDD_Install_Program.job
O20 - AppInit_DLLs = wipxcdec.dll ,ytewcxzsw.dll,ieprot.dll
O21 - SSODL - midimaptl(0) - {4F4F0064-71E0-4f0d-0017-708476C7815F} =C:/WINDOWS/system32/midimaptl.dll
O21 - SSODL - midimapzx(0) - {4F4F0064-71E0-4f0d-0005-708476C7815F} =C:/WINDOWS/system32/midimapzx.dll
O21 - SSODL - midimapwl(0) - {4F4F0064-71E0-4f0d-0004-708476C7815F} =C:/WINDOWS/system32/midimapwl.dll
O21 - SSODL - midimapgj(0) - {4F4F0064-71E0-4f0d-0003-708476C7815F} =C:/WINDOWS/system32/midimapgj.dll
O21 - SSODL - midimapqn3(0) - {4F4F0064-71E0-4f0d-0022-708476C7815F} =C:/WINDOWS/system32/midimapqn3.dll
O21 - SSODL - midimapjr(0) - {4F4F0064-71E0-4f0d-0012-708476C7815F} =C:/WINDOWS/system32/midimapjr.dll
O23 - 服务: Hdv32 (Hdv32) -C:/WINDOWS/system32/drivers/Hdv32_c.sys (手动)
O23 - 服务: IIS Manager (IIS Manager ) -C:/DOCUME~1/lnh/LOCALS~1/Temp/1.tmp | 2000-6-13 13:39:30(手动)
O23 - 服务: larjphk (larjphk) -C:/WINDOWS/System32/drivers/larjphk.sys | 2007-6-6 17:36:21 | sys 应用程序 | 1, 0, 1, 3 | sys 应用程序 | 版权所有 (C) 2006 | 1, 0, 1, 3 | 北京三七二一科技有限公司| ? | sys | sys.exe(引导)
O23 - 服务: NPF (Netgroup Packet Filter) - system32/drivers/npf.sys | WinPcap Netgroup Packet Filter Driver | 3, 1, 0, 27 | npf | Copyright ? 2005 CACE Technologies. Copyright ? 2003-2005 NetGroup, Politecnico di Torino. | 3, 1, 0, 27 | CACE Technologies | | NPF + TME | npf.sys(手动)
O23 - 服务: seictrl (Security Control) -c:/windows/system32/rundll32.exe dbi100.dll ,scan(自动)
O23 - 服务: SVKP (SVKP) -C:/WINDOWS/system32/SVKP.sys | 2007-11-17 14:58:29 | SVKP driver for NT | 1.00 | SVKP driver for NT | Copyright (C) Microsoft Corp. 1981-1999 | 4.00 | AntiCracking| ? | SVKP.sys | SVKP.sys(自动)
O23 - 服务: wuauserv (Automatic Updates) -C:/WINDOWS/system32/drivers/svchost.exe (自动)
O24 - ShlExecHook: [7] - {7C8D1401-A58D-A81C-CD24-A5915C4517C7} =C:/WINDOWS/system32/mnmhgsrv.dll
O24 - ShlExecHook: [3] - {37AC9076-C898-B098-D098-A18319080973} =C:/WINDOWS/system32/nhmxcjkl.dll
O24 - ShlExecHook: [3] - {35671234-7890-ABCD-CDEF-567801237653} = 3
O24 - ShlExecHook: [5] - {55694105-5108-9405-3695-954187462155} =C:/WINDOWS/system32/mpwdeapi.dll
O24 - ShlExecHook: [5] - {5B1AEF69-DDAE-FDAD-DCAB-698F026ABDB5} = 5
O24 - ShlExecHook: [5] - {5C648541-1025-9650-9057-6541258720C5} =C:/WINDOWS/system32/mndhedwd.dll
O24 - ShlExecHook: [F] - {4F4F0064-71E0-4f0d-0012-708476C7815F} =C:/WINDOWS/system32/midimapjr.dll
O24 - ShlExecHook: [a] - {242c168c-c3bd-4ad1-849f-e2179437a19a} =C:/WINDOWS/system32/MMWLANGH1005.dll
O24 - ShlExecHook: [F] - {4F4F0064-71E0-4f0d-0003-708476C7815F} =C:/WINDOWS/system32/midimapgj.dll
O24 - ShlExecHook: [F] - {4F4F0064-71E0-4f0d-0004-708476C7815F} =C:/WINDOWS/system32/midimapwl.dll
O24 - ShlExecHook: [F] - {4F4F0064-71E0-4f0d-0017-708476C7815F} =C:/WINDOWS/system32/midimaptl.dll
O24 - ShlExecHook: [F] - {4F4F0064-71E0-4f0d-0005-708476C7815F} =C:/WINDOWS/system32/midimapzx.dll
O24 - ShlExecHook: [F] - {4F4F0064-71E0-4f0d-0022-708476C7815F} =C:/WINDOWS/system32/midimapqn3.dll
O24 - ShlExecHook: [MICROSOFT] - {DC3D30AE-0380-4151-8934-EE98A34B0370} =C:/WINDOWS/system32/mfdesy.dll
O24 - ShlExecHook: [1] - {17DFD111-BF3A-4CB4-ADB0-88FCBFE69821} = 1
O24 - ShlExecHook: [MICROSOFT] - {28EB3777-3E23-4E72-8449-A992D09D24C3} =C:/WINDOWS/system32/zefdst.dll
O24 - ShlExecHook: [MICROSOFT] - {A9895933-6636-4281-BC58-EE6DE2AF96E3} =C:/WINDOWS/system32/ddserh.dll
O24 - ShlExecHook: [MICROSOFT] - {28766E1C-74B0-4417-8C75-F12AE309EF35} =C:/WINDOWS/system32/wzcfsw.dll
O24 - ShlExecHook: [1] - {18e64250-19a8-4d10-828f-30e101a22291} =C:/WINDOWS/system32/MMBAIKOK1092.dll
O24 - ShlExecHook: [MICROSOFT] - {461D2AB4-29A5-45C2-9134-D52272D3DE38} =C:/WINDOWS/system32/rfdswc.dll
O24 - ShlExecHook: [0] - {8c3dd05d-a6a1-4cb5-a714-94be3c3b4cd0} =C:/WINDOWS/system32/MMHADPQG1091.dll
O24 - ShlExecHook: [] - {8AD0F1B1-990D-4F52-A33D-2837E43CEF58} =C:/Program Files/Internet Explorer/PLUGINS/DosSys08.Sys
O26 - IFEO: 360safebox.exe -> ntsd -D
O26 - IFEO: KPPMain.exe -> ntsd -D
O26 - IFEO: QQDoctor.exe -> ntsd -D
O26 - IFEO: QQDoctorMain.exe -> TASKMAN.EXE
O26 - IFEO: QQKav.exe -> ntsd -D
O26 - IFEO: safeboxTray.exe -> ntsd -D
O26 - IFEO: SelfUpdate.exe -> TASKMAN.EXE
O26 - IFEO: tqat.exe -> ntsd -d
===/
From the log you can see that the clock on the netizen's computer has been set back to the year 2000...
This one is nastier than what I ran into in "My Computer icon changed? It turned out Trojan-Downloader.Win32.Agent.mkj had replaced explorer.exe".
(To be continued)
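As an added example (not from the original post), here is a small Python triage script that parses lines in the pe_xscan layout above and flags the indicators this log shows: files dated later than the scan time (the clock was rolled back), explorer.exe running from anywhere other than C:/WINDOWS, svchost.exe under a drivers directory, IFEO debugger entries, and a populated AppInit_DLLs. The sample log is a constructed excerpt, and the canonical explorer path assumes WINDIR is C:/WINDOWS as in this log.

```python
import re
from datetime import datetime

# Constructed excerpt in the pe_xscan log layout (sample data, not the full log above).
SAMPLE_LOG = """\
2000-6-14 15:36:58
Windows XP Service Pack 2(5.1.2600)
C:/WINDOWS/System32/Explorer.EXE * 1700 | 2004-6-5 22:14:12 | Microsoft(R) Windows(R) Operating System
C:/WINDOWS/conime.exe * 588 | 2008-6-11 0:45:58
C:/WINDOWS/system32/rfdswc.dll | 2000-6-13 13:2:24
O4 - HKLM/../Run: [fmcbbqi]C:/WINDOWS/fmcbbqi.exe
O20 - AppInit_DLLs = wipxcdec.dll ,ytewcxzsw.dll,ieprot.dll
O23 - Service: wuauserv (Automatic Updates) -C:/WINDOWS/system32/drivers/svchost.exe (auto)
O26 - IFEO: 360safebox.exe -> ntsd -D
O26 - IFEO: QQDoctorMain.exe -> TASKMAN.EXE
"""

TS_RE = re.compile(r"\b(\d{4})-(\d{1,2})-(\d{1,2}) (\d{1,2}):(\d{1,2}):(\d{1,2})\b")

def parse_ts(text):
    """Return the first pe_xscan-style timestamp in text as a datetime, else None."""
    m = TS_RE.search(text)
    return datetime(*map(int, m.groups())) if m else None

def triage(log):
    """Return a list of (rule, line) findings for the indicators seen in this log."""
    lines = [l for l in log.splitlines() if l.strip()]
    scan_time = parse_ts(lines[0])          # first log line is the scan time
    findings = []
    for line in lines[1:]:
        path = line.split("|")[0].split("*")[0].strip().lower()
        # Rule 1: a file dated after the scan time means the clock was rolled back.
        ts = parse_ts(line.partition("|")[2])
        if scan_time and ts and ts > scan_time:
            findings.append(("clock_rolled_back", line))
        # Rule 2: explorer.exe running from anywhere but %WINDIR%/explorer.exe (assumed C:/WINDOWS).
        if path.endswith("/explorer.exe") and path != "c:/windows/explorer.exe":
            findings.append(("explorer_replaced", line))
        # Rule 3: a service binary named svchost.exe living under a drivers directory.
        if line.startswith("O23") and "/drivers/svchost.exe" in line.lower():
            findings.append(("svchost_in_drivers", line))
        # Rule 4: IFEO Debugger set for a security tool (ntsd -d or a bogus debugger kills it).
        if line.startswith("O26") and "->" in line:
            findings.append(("ifeo_hijack", line))
        # Rule 5: AppInit_DLLs populated, i.e. DLLs injected into every user32 process.
        if line.startswith("O20") and line.split("=", 1)[1].strip():
            findings.append(("appinit_dlls", line))
    return findings

if __name__ == "__main__":
    for rule, line in triage(SAMPLE_LOG):
        print(f"{rule:20} {line}")
```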