Encountering Trojan.PSW.Win32.QQPass, Trojan.PSW.Win32.GameOL and others again (1)
endurer original, 2008-06-13, 1st edition
A friend told me that the real-time monitoring icons of the Rising antivirus and Rising firewall on his computer had recently disappeared and the machine had become very slow, and asked me to help check it.
I downloaded pe_xscan, ran a scan and analysed the log; the following suspicious items turned up:
pe_xscan 08-04-26 by Purple Endurer
2008-6-12 12:20:52
Windows XP Service Pack 2(5.1.2600) MSIE:6.0.2900.2180 管理员用户组 正常模式

[System Process] * 0
C:/WINDOWS/system32/SysDaJcHv.dll | 2008-6-4 2:40:4 | Microsoft(R) Windows(R) Operating System | 5.1.2600.3099 (xpsp_sp2_gdr.070308-0222) | Windows XP MSPLAY API DLL | (C) Microsoft Corporation. All rights resad. | 5.1.2600.3099 | Microsoft Corporation | Microsoft | msplay32 | msplay32
C:/WINDOWS/system32/msosptfs01.dll | 2008-6-5 10:3:24
C:/WINDOWS/system32/msoscqet01.dll | 2008-6-9 2:20:9
C:/WINDOWS/system32/msosfasq01.dll | 2008-6-9 2:24:37
C:/WINDOWS/system32/msosping01.dll | 2008-6-5 10:3:15
C:/WINDOWS/system32/msoscqit00.dll | 2008-6-1 3:29:26
C:/WINDOWS/system32/msosjtio00.dll | 2008-6-1 3:32:36
C:/WINDOWS/system32/msosfmsq01.dll | 2008-6-2 7:58:15
C:/WINDOWS/system32/msosjtfo01.dll | 2008-6-9 2:24:57
C:/WINDOWS/system32/msosdrop00.dll | 2008-6-1 3:33:9
C:/WINDOWS/system32/ytewcxzsw.dll | 2008-6-8 2:8:22
C:/WINDOWS/system32/wwwwww.dll | 2008-6-9 2:18:42
C:/WINDOWS/system32/qqqqqq.dll | 2008-6-9 8:29:38
C:/WINDOWS/system32/gggggg.dll | 2008-6-10 0:11:23
C:/WINDOWS/system32/kduonz.dll | 2008-6-10 0:11:30
C:/WINDOWS/system32/oooooo.dll | 2008-6-10 6:57:29
C:/WINDOWS/system32/cccccc.dll | 2008-6-11 0:0:15
C:/WINDOWS/system32/eeeeee.dll | 2008-6-11 0:56:8
C:/WINDOWS/system32/mmmmmm.dll | 2008-6-11 2:29:38
C:/WINDOWS/system32/tttttt.dll | 2008-6-11 7:26:26
C:/WINDOWS/system32/xxxxxx.dll | 2008-6-12 0:14:16
C:/Program Files/Internet Explorer/PLUGINS/DosSys08.Sys | 2008-6-5 10:3:32

C:/WINDOWS/system32/winlogon.exe* 1020 | 2004-8-23 8:0:0 | Microsoft(R) Windows(R) Operating System | 5.1.2600.2180 | Windows NT Logon Application | (C) Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | winlogon | WINLOGON.EXE
C:/WINDOWS/system32/SysDaJcHv.dll | 2008-6-4 2:40:4 | Microsoft(R) Windows(R) Operating System | 5.1.2600.3099 (xpsp_sp2_gdr.070308-0222) | Windows XP MSPLAY API DLL | (C) Microsoft Corporation. All rights resad. | 5.1.2600.3099 | Microsoft Corporation | Microsoft | msplay32 | msplay32
C:/WINDOWS/system32/msosptfs01.dll | 2008-6-5 10:3:24
C:/WINDOWS/system32/msoscqet01.dll | 2008-6-9 2:20:9
C:/WINDOWS/system32/msosfasq01.dll | 2008-6-9 2:24:37
C:/WINDOWS/system32/msosping01.dll | 2008-6-5 10:3:15
C:/WINDOWS/system32/msoscqit00.dll | 2008-6-1 3:29:26
C:/WINDOWS/system32/msosjtio00.dll | 2008-6-1 3:32:36
C:/WINDOWS/system32/msosfmsq01.dll | 2008-6-2 7:58:15
C:/WINDOWS/system32/msosjtfo01.dll | 2008-6-9 2:24:57
C:/WINDOWS/system32/msosdrop00.dll | 2008-6-1 3:33:9
C:/WINDOWS/system32/ytewcxzsw.dll | 2008-6-8 2:8:22
C:/WINDOWS/system32/wwwwww.dll | 2008-6-9 2:18:42
C:/WINDOWS/system32/qqqqqq.dll | 2008-6-9 8:29:38
C:/WINDOWS/system32/gggggg.dll | 2008-6-10 0:11:23
C:/WINDOWS/system32/kduonz.dll | 2008-6-10 0:11:30
C:/WINDOWS/system32/oooooo.dll | 2008-6-10 6:57:29
C:/WINDOWS/system32/cccccc.dll | 2008-6-11 0:0:15
C:/WINDOWS/system32/eeeeee.dll | 2008-6-11 0:56:8
C:/WINDOWS/system32/mmmmmm.dll | 2008-6-11 2:29:38
C:/WINDOWS/system32/tttttt.dll | 2008-6-11 7:26:26

C:/WINDOWS/system32/ctfmon.exe* 956 | 2004-8-23 8:0:0 | Microsoft® Windows® Operating System | 5.1.2600.2180 | CTF Loader | © Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | CTFMON | CTFMON.EXE
C:/WINDOWS/system32/SysDaJcHv.dll | 2008-6-4 2:40:4 | Microsoft(R) Windows(R) Operating System | 5.1.2600.3099 (xpsp_sp2_gdr.070308-0222) | Windows XP MSPLAY API DLL | (C) Microsoft Corporation. All rights resad. | 5.1.2600.3099 | Microsoft Corporation | Microsoft | msplay32 | msplay32
C:/WINDOWS/system32/msosptfs01.dll | 2008-6-5 10:3:24
C:/WINDOWS/system32/msoscqet01.dll | 2008-6-9 2:20:9
C:/WINDOWS/system32/msosfasq01.dll | 2008-6-9 2:24:37
C:/WINDOWS/system32/msosping01.dll | 2008-6-5 10:3:15
C:/WINDOWS/system32/msoscqit00.dll | 2008-6-1 3:29:26
C:/WINDOWS/system32/msosjtio00.dll | 2008-6-1 3:32:36
C:/WINDOWS/system32/msosfmsq01.dll | 2008-6-2 7:58:15
C:/WINDOWS/system32/msosjtfo01.dll | 2008-6-9 2:24:57
C:/WINDOWS/system32/msosdrop00.dll | 2008-6-1 3:33:9
C:/WINDOWS/system32/ytewcxzsw.dll | 2008-6-8 2:8:22
C:/WINDOWS/system32/wwwwww.dll | 2008-6-9 2:18:42
C:/WINDOWS/system32/qqqqqq.dll | 2008-6-9 8:29:38
C:/WINDOWS/system32/gggggg.dll | 2008-6-10 0:11:23
C:/WINDOWS/system32/kduonz.dll | 2008-6-10 0:11:30
C:/WINDOWS/system32/oooooo.dll | 2008-6-10 6:57:29
C:/WINDOWS/system32/cccccc.dll | 2008-6-11 0:0:15
C:/WINDOWS/system32/eeeeee.dll | 2008-6-11 0:56:8
C:/WINDOWS/system32/mmmmmm.dll | 2008-6-11 2:29:38
C:/WINDOWS/system32/tttttt.dll | 2008-6-11 7:26:26
C:/WINDOWS/system32/xxxxxx.dll | 2008-6-12 0:14:16
C:/Program Files/Internet Explorer/PLUGINS/DosSys08.Sys | 2008-6-5 10:3:32

C:/WINDOWS/system32/svchost.exe* 1028 | 2004-8-23 8:0:0 | Microsoft® Windows® Operating System | 5.1.2600.2180 | Generic Host Process for Win32 Services | © Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | svchost.exe | svchost.exe
C:/WINDOWS/system32/SysDaJcHv.dll | 2008-6-4 2:40:4 | Microsoft(R) Windows(R) Operating System | 5.1.2600.3099 (xpsp_sp2_gdr.070308-0222) | Windows XP MSPLAY API DLL | (C) Microsoft Corporation. All rights resad. | 5.1.2600.3099 | Microsoft Corporation | Microsoft | msplay32 | msplay32
C:/WINDOWS/system32/msosptfs01.dll | 2008-6-5 10:3:24
C:/WINDOWS/system32/msoscqet01.dll | 2008-6-9 2:20:9
C:/WINDOWS/system32/msosfasq01.dll | 2008-6-9 2:24:37
C:/WINDOWS/system32/msosping01.dll | 2008-6-5 10:3:15
C:/WINDOWS/system32/msoscqit00.dll | 2008-6-1 3:29:26
C:/WINDOWS/system32/msosjtio00.dll | 2008-6-1 3:32:36
C:/WINDOWS/system32/msosfmsq01.dll | 2008-6-2 7:58:15
C:/WINDOWS/system32/msosjtfo01.dll | 2008-6-9 2:24:57
C:/WINDOWS/system32/msosdrop00.dll | 2008-6-1 3:33:9
C:/WINDOWS/system32/ytewcxzsw.dll | 2008-6-8 2:8:22
C:/WINDOWS/system32/wwwwww.dll | 2008-6-9 2:18:42
C:/WINDOWS/system32/qqqqqq.dll | 2008-6-9 8:29:38
C:/WINDOWS/system32/gggggg.dll | 2008-6-10 0:11:23
C:/WINDOWS/system32/kduonz.dll | 2008-6-10 0:11:30
C:/WINDOWS/system32/oooooo.dll | 2008-6-10 6:57:29
C:/WINDOWS/system32/cccccc.dll | 2008-6-11 0:0:15
C:/WINDOWS/system32/eeeeee.dll | 2008-6-11 0:56:8
C:/WINDOWS/system32/mmmmmm.dll | 2008-6-11 2:29:38
C:/WINDOWS/system32/tttttt.dll | 2008-6-11 7:26:26
C:/WINDOWS/system32/xxxxxx.dll | 2008-6-12 0:14:16

C:/WINDOWS/explorer.exe* 3728 | 2004-8-23 8:0:0 | Microsoft(R) Windows(R) Operating System | 6.00.2900.2180 | Windows Explorer | (C) Microsoft Corporation. All rights reserved. | 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | explorer | EXPLORER.EXE
C:/WINDOWS/system32/SysDaJcHv.dll | 2008-6-4 2:40:4 | Microsoft(R) Windows(R) Operating System | 5.1.2600.3099 (xpsp_sp2_gdr.070308-0222) | Windows XP MSPLAY API DLL | (C) Microsoft Corporation. All rights resad. | 5.1.2600.3099 | Microsoft Corporation | Microsoft | msplay32 | msplay32
C:/WINDOWS/system32/msosptfs01.dll | 2008-6-5 10:3:24
C:/WINDOWS/system32/msoscqet01.dll | 2008-6-9 2:20:9
C:/WINDOWS/system32/msosfasq01.dll | 2008-6-9 2:24:37
C:/WINDOWS/system32/msosping01.dll | 2008-6-5 10:3:15
C:/WINDOWS/system32/msoscqit00.dll | 2008-6-1 3:29:26
C:/WINDOWS/system32/msosjtio00.dll | 2008-6-1 3:32:36
C:/WINDOWS/system32/msosfmsq01.dll | 2008-6-2 7:58:15
C:/WINDOWS/system32/msosjtfo01.dll | 2008-6-9 2:24:57
C:/WINDOWS/system32/msosdrop00.dll | 2008-6-1 3:33:9
C:/WINDOWS/system32/ytewcxzsw.dll | 2008-6-8 2:8:22
C:/WINDOWS/system32/wwwwww.dll | 2008-6-9 2:18:42
C:/WINDOWS/system32/qqqqqq.dll | 2008-6-9 8:29:38
C:/WINDOWS/system32/gggggg.dll | 2008-6-10 0:11:23
C:/WINDOWS/system32/kduonz.dll | 2008-6-10 0:11:30
C:/WINDOWS/system32/oooooo.dll | 2008-6-10 6:57:29
C:/WINDOWS/system32/cccccc.dll | 2008-6-11 0:0:15
C:/WINDOWS/system32/eeeeee.dll | 2008-6-11 0:56:8
C:/WINDOWS/system32/mmmmmm.dll | 2008-6-11 2:29:38
C:/WINDOWS/system32/tttttt.dll | 2008-6-11 7:26:26
C:/WINDOWS/system32/xxxxxx.dll | 2008-6-12 0:14:16
C:/Program Files/Internet Explorer/PLUGINS/DosSys08.Sys | 2008-6-5 10:3:32

O2 - BHO - {398C9B84-4EF7-47B5-9862-DE29543B3C42} -C:/Program Files/Internet Explorer/PLUGINS/DosSys08.Sys
O4 - HKLM/../Run: [ytewcxzsw]C:/WINDOWS/ssssss.exe
O4 - HKLM/../Run: [juejwcx]C:/WINDOWS/juejwcx.exe
O4 - HKLM/../Run: [anistio]C:/WINDOWS/anistio.exE
O4 - HKLM/../Run: [isscs32]C:/WINDOWS/isscs32.exe
O4 - HKLM/../Run: [dionpis]C:/WINDOWS/dionpis.exe
O4 - HKLM/../Run: [hefcndy]C:/WINDOWS/hefcndy.exe
O4 - HKLM/../Run: [fmsbbqi]C:/WINDOWS/fmsbbqi.exe
O4 - HKLM/../Run: [bincdwsa]C:/WINDOWS/bincdwsa.exe
O4 - HKLM/../Run: [dbhlp32]C:/WINDOWS/dbhlp32.exe
O4 - HKLM/../Run: [fmsjhif]C:/WINDOWS/fmsjhif.exe
O4 - HKLM/../Run: [qrdkntbd]C:/WINDOWS/rktdwvur.exe
O4 - HKLM/../Run: [ptshell]C:/WINDOWS/ptshell.exe
O4 - HKLM/../Run: [tciocp64]C:/WINDOWS/tciocp64.exe
O4 - HKLM/../Run: [mfchlp64]C:/WINDOWS/mfchlp64.exe
O4 - HKLM/../Run: [WINSvr64]C:/WINDOWS/WINSvr64.exe
O4 - HKLM/../Run: [wrew2ds]C:/WINDOWS/wrew2ds.exe
O4 - HKLM/../Run: [isndntio]C:/WINDOWS/isndntio.exe
{D92688DA-7FAB-4AB4-8AC9-5EADE1E3C8E4}_234225_user.job
O6 - HKCU/Software/Policies/Microsoft/Internet Explorer/restrictions 存在 IE或Internet选项可能受到限制
O6 - HKCU/Software/Policies/Microsoft/Internet Explorer/Control Panel 存在 IE或Internet选项可能受到限制
O20 - AppInit_DLLs = SysDaJcHv.dll,msosptfs01.dll,wipicdec.dll,msoscqet01.dll,nicozftp01.dll,rgvxyr.dll,msosmhap00.dll,msosdohs01.dll,msosmnsf01.dll,msosfasq01.dll,msosping01.dll,msosmhfp00.dll,msoscqit00.dll,msosjtio00.dll,msosfmsq01.dll,msosjtfo01.dll,msosdrop00.dll,ytewcxzsw.dll,wwwwww.dll,obrrrz.dll,qqqqqq.dll,gggggg.dll,kduonz.dll,oooooo.dll,cccccc.dll,eeeeee.dll,mmmmmm.dll,tttttt.dll,xxxxxx.dll
O23 - 服务: 71BFE972 (71BFE972) -C:/WINDOWS/system32/25847834.EXE -d (自动)
O23 - 服务: cqet (cqet) -C:/DOCUME~1/user/LOCALS~1/Temp/tmp88.tmp (自动)
O23 - 服务: cqit (cqit) -C:/DOCUME~1/user/LOCALS~1/Temp/tmp7.tmp | 2008-6-1 9:27:57(自动)
O23 - 服务: dohs (dohs) -C:/DOCUME~1/user/LOCALS~1/Temp/tmp9.tmp | 2008-6-2 7:57:49(自动)
O23 - 服务: drop (drop) -C:/DOCUME~1/user/LOCALS~1/Temp/tmp13.tmp | 2008-6-1 9:29:51(自动)
O23 - 服务: fasq (fasq) -C:/DOCUME~1/user/LOCALS~1/Temp/tmp92.tmp (自动)
O23 - 服务: fmsq (fmsq) -C:/DOCUME~1/user/LOCALS~1/Temp/tmpF.tmp | 2008-6-1 9:28:15(自动)
O23 - 服务: IIS Manager (IIS Manager ) -C:/DOCUME~1/user/LOCALS~1/Temp/1.tmp (手动)
O23 - 服务: jtfo (jtfo) -C:/DOCUME~1/user/LOCALS~1/Temp/tmp94.tmp | 2008-6-9 2:22:16(自动)
O23 - 服务: jtio (jtio) -C:/DOCUME~1/user/LOCALS~1/Temp/tmp11.tmp | 2008-6-3 7:45:41(自动)
O23 - 服务: mhap (mhap) -C:/DOCUME~1/user/LOCALS~1/Temp/tmp1.tmp (自动)
O23 - 服务: mhfp (mhfp) -C:/DOCUME~1/user/LOCALS~1/Temp/tmp1.tmp (自动)
O23 - 服务: mnsf (mnsf) -C:/DOCUME~1/user/LOCALS~1/Temp/tmp9.tmp | 2008-6-2 7:57:49(自动)
O23 - 服务: msfpfis64 (msfpfis64) -C:/WINDOWS/system32/drivers/msosmsfpfis64.sys | 2008-6-1 3:29:16(自动)
O23 - 服务: msp2p32 (msp2p32) -C:/WINDOWS/system32/drivers/msosmsp2p32.sys | 2008-6-1 3:28:25(自动)
O23 - 服务: NPF (Netgroup Packet Filter) - system32/drivers/npf.sys | WinPcap Netgroup Packet Filter Driver | 3, 1, 0, 27 | npf | Copyright © 2005 CACE Technologies. Copyright © 2003-2005 NetGroup, Politecnico di Torino. | 3, 1, 0, 27 | CACE Technologies | | NPF + TME | npf.sys(手动)
O23 - 服务: ping (ping) -C:/DOCUME~1/user/LOCALS~1/Temp/tmpD.tmp | 2008-6-2 0:6:28(自动)
O23 - 服务: ptfs (ptfs) -C:/DOCUME~1/user/LOCALS~1/Temp/tmpB.tmp | 2008-6-1 9:28:5(自动)
O23 - 服务: zftp (zftp) -C:/DOCUME~1/user/LOCALS~1/Temp/tmp5.tmp | 2008-6-2 0:6:23(自动)
O24 - ShlExecHook: [] - {398C9B84-4EF7-47B5-9862-DE29543B3C42} =C:/Program Files/Internet Explorer/PLUGINS/DosSys08.Sys
O26 - IFEO: 360rpt.exe -> ntsd -d
O26 - IFEO: 360safe.exe -> ntsd -d
O26 - IFEO: 360safebox.exe -> ntsd -d
O26 - IFEO: 360tray.exe -> ntsd -d
O26 - IFEO: avp.exe -> TASKMAN.EXE
O26 - IFEO: CCenter.exe -> ntsd -d
O26 - IFEO: KPPMain.exe -> ntsd -D
O26 - IFEO: KWatch.exe -> ntsd -d
O26 - IFEO: QQDoctor.exe -> ntsd -D
O26 - IFEO: QQKav.exe -> ntsd -D
O26 - IFEO: Rav.exe -> TASKMAN.EXE
O26 - IFEO: RavMon.exe -> ntsd -D
O26 - IFEO: RavMonD.exe -> ntsd -D
O26 - IFEO: RavStub.exe -> TASKMAN.EXE
O26 - IFEO: RavTask.exe -> TASKMAN.EXE
O26 - IFEO: rfwcfg.exe -> TASKMAN.EXE
O26 - IFEO: rfwmain.exe -> TASKMAN.EXE
O26 - IFEO: rfwProxy.exe -> TASKMAN.EXE
O26 - IFEO: rfwsrv.exe -> TASKMAN.EXE
O26 - IFEO: rfwstub.exe -> TASKMAN.EXE
O26 - IFEO: runiep.exe -> TASKMAN.EXE
O26 - IFEO: safeboxTray.exe -> ntsd -D
O26 - IFEO: tqat.exe -> ntsd -d
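As an added example (not code from the original post and not part of pe_xscan), here is a small Python triage script run over a few constructed lines in the pe_xscan format shown above. It flags the four patterns that make this log suspicious: IFEO debugger redirections (the "ntsd -d" / TASKMAN.EXE entries that stop security products from starting), a populated AppInit_DLLs list, services whose image lives in a Temp directory or is a .tmp file, and Run entries pointing at executables dropped directly into the Windows root. The regexes and the "Windows root" heuristic are my assumptions about the format, not pe_xscan's own logic.

```python
import re

# Constructed sample in pe_xscan format, modelled on the log above (an excerpt, not the full log).
SAMPLE_LOG = """\
O4 - HKLM/../Run: [juejwcx]C:/WINDOWS/juejwcx.exe
O20 - AppInit_DLLs = SysDaJcHv.dll,msosptfs01.dll,wwwwww.dll
O23 - 服务: cqet (cqet) -C:/DOCUME~1/user/LOCALS~1/Temp/tmp88.tmp (自动)
O23 - 服务: jtio (jtio) -C:/DOCUME~1/user/LOCALS~1/Temp/tmp11.tmp | 2008-6-3 7:45:41(自动)
O23 - 服务: NPF (Netgroup Packet Filter) - system32/drivers/npf.sys | WinPcap Netgroup Packet Filter Driver | npf.sys(手动)
O26 - IFEO: RavMon.exe -> ntsd -D
O26 - IFEO: avp.exe -> TASKMAN.EXE
"""

IFEO_RE = re.compile(r"^O26 - IFEO: (\S+) -> (.+)$")
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs = (.+)$")
SERVICE_RE = re.compile(r"^O23 - 服务: (\S+) \(.*?\) -\s*(.*)\((自动|手动)\)\s*$")
RUN_RE = re.compile(r"^O4 - HKLM/\.\./Run: \[(.+?)\](.+)$")
TEMP_PATH_RE = re.compile(r"(?i)[\\/]temp[\\/]|\.tmp$")
WINROOT_RE = re.compile(r"(?i)^[a-z]:[\\/]windows[\\/][^\\/]+$")


def triage(log_text):
    """Return (category, subject, detail) tuples for the persistence and
    defence-evasion patterns seen in this infection."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := IFEO_RE.match(line):
            # Any IFEO Debugger value redirects the named program; "ntsd -d" and
            # TASKMAN.EXE are the classic values used to stop AV tools from starting.
            findings.append(("ifeo_hijack", m.group(1), m.group(2)))
        elif m := APPINIT_RE.match(line):
            # AppInit_DLLs is loaded into every process that links user32.dll.
            for dll in m.group(1).split(","):
                findings.append(("appinit_dll", dll.strip(), "loaded into every user32 process"))
        elif m := SERVICE_RE.match(line):
            image = m.group(2).split(" | ")[0].strip()  # drop version-info columns
            if TEMP_PATH_RE.search(image):
                findings.append(("service_in_temp", m.group(1), image))
        elif m := RUN_RE.match(line):
            image = m.group(2).strip()
            # Heuristic: an autorun binary sitting directly in the Windows root.
            if WINROOT_RE.match(image):
                findings.append(("run_in_windows_root", m.group(1), image))
    return findings


if __name__ == "__main__":
    for category, subject, detail in triage(SAMPLE_LOG):
        print(f"{category:20} {subject:14} {detail}")
```

Feeding the full pe_xscan log into triage() instead of SAMPLE_LOG lists every IFEO, AppInit_DLLs, Temp-hosted service and Windows-root autorun entry in one pass, which is the set of persistence points that has to be cleared together.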
This is similar to the earlier post 遭遇 Trojan-PSW.Win32.QQPass,Trojan.PSW.Win32.GameOL等 (Encountering Trojan-PSW.Win32.QQPass, Trojan.PSW.Win32.GameOL and others), but the actual cleanup is somewhat more involved~
(To be continued)