Running into a pile of Trojan.PSW.Win32.OnlineGames / *door0.dll etc. (1)
Original by endurer
2007-08-27, 1st edition
A netizen said that lately Kingsoft AntiVirus (金山毒霸) threw an error at startup and his computer ran very slowly, and asked me to help check it via QQ remote assistance.
Since the machine really was slow, I had him reboot into Safe Mode with Networking before continuing.
Downloaded pe_xscan; after unzipping, the file suddenly vanished the moment it ran... Tried several times with the same result. Had pe_xscan been added to the malware's hit list too?
Extracted pe_xscan into c:/windows/system32 and renamed the file; ran it again, and this time it worked!
Scanned, then analyzed the log and found the following suspicious items (the process/module section is abridged):
/===
pe_xscan 07-07-24 by Purple Endurer
2007-8-27 12:38:37
Windows XP Service Pack 2(5.1.2600)
管理员用户组
[System Process] * 0
C:/Program Files/Internet Explorer/rksldk.dll | 2007-8-27 11:37:8 | Microsoft Windows Operating System | 6.00.2900.3028 | Microsoft Corporation Windows DLL | Copyright (C) 2001.01 | 1. 0. 0. 1 | Microsoft Corporation| ? | Windows.dll | Windows.dll
C:/WINDOWS/system32/dadoor0.dll | 2004-8-16 8:39:14
C:/WINDOWS/system32/wddoor0.dll | 2004-8-16 8:39:14
C:/WINDOWS/system32/fydoor0.dll | 2004-8-16 8:39:14
C:/WINDOWS/system32/qjdoor0.dll | 2004-8-16 8:39:14
C:/WINDOWS/system32/mydoor0.dll | 2004-8-16 8:39:14
C:/WINDOWS/system32/tldoor0.dll | 2004-8-16 8:39:14
C:/WINDOWS/system32/rxdoor0.dll | 2004-8-16 8:39:14
C:/WINDOWS/system32/wmdoor0.dll | 2004-8-16 8:39:14
C:/WINDOWS/system32/qhdoor0.dll | 2004-8-16 8:39:14
C:/WINDOWS/system32/wgdoor0.dll | 2004-8-16 8:39:14
C:/WINDOWS/system32/wldoor0.dll | 2004-8-16 8:39:14
C:/WINDOWS/system32/jtdoor0.dll | 2004-8-16 8:39:14
C:/WINDOWS/system32/ztdoor0.dll | 2004-8-16 8:39:14
C:/WINDOWS/system32/wodoor0.dll | 2004-8-16 8:39:14
C:/WINDOWS/system32/mhdoor0.dll | 2004-8-16 8:39:14
C:/WINDOWS/Explorer.EXE * 1448 | 2004-8-16 8:39:14 | Microsoft(R) Windows(R) Operating System | 6.00.2900.2180 | Windows Explorer | (C) Microsoft Corporation. All rights reserved. | 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | explorer | EXPLORER.EXE
C:/Program Files/Internet Explorer/msvcrt.dll | 2007-8-27 11:37:8 | Microsoft Windows Operating System | 6.00.2900.3028 | Microsoft Corporation Windows DLL | Copyright (C) 2001.01 | 1. 0. 0. 1 | Microsoft Corporation| ? | Windows.dll | Windows.dll
C:/WINDOWS/system32/mhdoor0.dll | 2004-8-16 8:39:14
C:/Program Files/Internet Explorer/rksldk.dll | 2007-8-27 11:37:8 | Microsoft Windows Operating System | 6.00.2900.3028 | Microsoft Corporation Windows DLL | Copyright (C) 2001.01 | 1. 0. 0. 1 | Microsoft Corporation| ? | Windows.dll | Windows.dll
C:/WINDOWS/system32/wodoor0.dll | 2004-8-16 8:39:14
C:/WINDOWS/system32/ztdoor0.dll | 2004-8-16 8:39:14
C:/WINDOWS/system32/jtdoor0.dll | 2004-8-16 8:39:14
C:/WINDOWS/system32/wldoor0.dll | 2004-8-16 8:39:14
C:/WINDOWS/system32/wgdoor0.dll | 2004-8-16 8:39:14
C:/WINDOWS/system32/qhdoor0.dll | 2004-8-16 8:39:14
C:/WINDOWS/system32/wmdoor0.dll | 2004-8-16 8:39:14
C:/WINDOWS/system32/rxdoor0.dll | 2004-8-16 8:39:14
C:/WINDOWS/system32/tldoor0.dll | 2004-8-16 8:39:14
C:/WINDOWS/system32/mydoor0.dll | 2004-8-16 8:39:14
C:/WINDOWS/system32/qjdoor0.dll | 2004-8-16 8:39:14
C:/WINDOWS/system32/fydoor0.dll | 2004-8-16 8:39:14
C:/WINDOWS/system32/wddoor0.dll | 2004-8-16 8:39:14
C:/WINDOWS/system32/dadoor0.dll | 2004-8-16 8:39:14
C:/Program Files/WinRAR/rarext.dll | 2006-7-20 20:41:30
C:/Program Files/Internet Explorer/rksldk.bak * 1532 | 2007-8-27 11:2:44
C:/Program Files/Internet Explorer/rksldk.bak | 2007-8-27 11:2:44
C:/Program Files/Internet Explorer/rksldk.dll | 2007-8-27 11:37:8 | Microsoft Windows Operating System | 6.00.2900.3028 | Microsoft Corporation Windows DLL | Copyright (C) 2001.01 | 1. 0. 0. 1 | Microsoft Corporation| ? | Windows.dll | Windows.dll
C:/WINDOWS/system32/ctfmon.exe * 1232 | 2004-8-16 8:39:14 | Microsoft? Windows? Operating System | 5.1.2600.2180 | CTF Loader | ? Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | CTFMON | CTFMON.EXE
C:/Program Files/Internet Explorer/rksldk.dll | 2007-8-27 11:37:8 | Microsoft Windows Operating System | 6.00.2900.3028 | Microsoft Corporation Windows DLL | Copyright (C) 2001.01 | 1. 0. 0. 1 | Microsoft Corporation| ? | Windows.dll | Windows.dll
O2 - BHO - {A1626E66-B26B-C628-A1DF-BDACCFA26EE1} - C:/Program Files/Common Files/Relive.dll
O2 - BHO - {C1626E66-C26B-C628-E1DF-CDACCFA26EE1} - C:/Program Files/Common Files/goskdl.dll
O2 - BHO - {D7515C61-A66C-4319-A0E0-D416CB8059E3} - C:/Program Files/Common Files/Relive.dll
O2 - BHO - {E3616E66-C13B-2628-2CDF-EDABCFA235E1} - C:/Program Files/Common Files/Relive.dll
O4 - HKLM/../Run: [aslkgadlkgsl1] C:/WINDOWS/system32/oigdfgdfl1.exe
O4 - HKLM/../Run: [asgfdjs2] C:/WINDOWS/system32/vbsdaas2.exe
O4 - HKLM/../Run: [askasdkcl3] C:/WINDOWS/system32/faskflxld3.exe
O4 - HKLM/../Run: [asfkafsk4] C:/WINDOWS/system32/fdaolfdos4.exe
O4 - HKLM/../Run: [sakdasksd5] C:/WINDOWS/system32/eksdlfs5.exe
O4 - HKLM/../Run: [daskaskfsak6] C:/WINDOWS/system32/dsfids6.exe
O4 - HKLM/../Run: [xcxdsaa7] C:/WINDOWS/system32/slcskxsdl7.exe
O4 - HKLM/../Run: [afskfask8] C:/WINDOWS/system32/fsfjasj8.exe
O4 - HKLM/../Run: [akgkagaksad9] C:/WINDOWS/system32/fsakfask9.exe
O4 - HKLM/../Run: [xzkadsfk10] C:/WINDOWS/system32/afslkfasl10.exe
O4 - HKLM/../Run: [faslkakj11] C:/WINDOWS/system32/kjgagklj11.exe
O4 - HKLM/../Run: [gadkgak12] C:/WINDOWS/system32/fsafsakx12.exe
O4 - HKLM/../Run: [asdsaxcxz13] C:/WINDOWS/system32/dasxcsx13.exe
O4 - HKLM/../Run: [dsadlsa14] C:/WINDOWS/system32/dsakfsak14.exe
O4 - HKLM/../Run: [daskgfkkcx15] C:/WINDOWS/system32/dasdsaads15.exe
O4 - HKLM/../Run: [gajklgasjlkga] C:/WINDOWS/system32/aglajgkd16.exe
O4 - HKLM/../Run: [sakdasj6ksd5] C:/WINDOWS/system32/e656lklfs5.exe
O4 - HKLM/../Run: [apadslasla13] C:/WINDOWS/system32/alsdlaslx13.exe
O4 - HKLM/../Run: [aslgflsdakgsl1] C:/WINDOWS/system32/ogdflsd1.exe
H:/autorun.inf
/-----
[autorun]
open=Ghost.pif
shellexecute=Ghost.pif
shell/Auto/command=Ghost.pif
shell=Auto
-----/
O24 - ShlExecHook: [] - 0CCE6E12-C2EC-56CD+1A62-AE3FD6EF56E6} = C:/Program Files/Internet Explorer/msvcrt.dll
O24 - ShlExecHook: [] - {5C7596CB-C3CC-6BA3-BE52-8EEA63F9C61D} = C:/Program Files/Internet Explorer/msvcrt.dll
O24 - ShlExecHook: [] - {DC7596CB-D6CC-DCA3-DE52-DEEA63F6C61D} = C:/Program Files/Internet Explorer/rksldk.dll
O24 - ShlExecHook: [F] - {3422FB0F-95EB-458A-8B56-39552017A4EF} = C:/WINDOWS/system32/mhdoor0.dll
O24 - ShlExecHook: [6] - {5731EA1D-6AAF-4DE9-BDDA-7B390A75B286} = C:/WINDOWS/system32/wodoor0.dll
O24 - ShlExecHook: [9] - {E952B8F8-D91A-4EDD-851C-EE1A0F944469} = C:/WINDOWS/system32/ztdoor0.dll
O24 - ShlExecHook: [1] - {71046DD5-E136-4C4B-A6B5-91C30CB15291} = C:/WINDOWS/system32/jtdoor0.dll
O24 - ShlExecHook: [3] - {E03C23BD-35B7-49C2-BBCA-6D8CEC2507E3} = C:/WINDOWS/system32/wldoor0.dll
O24 - ShlExecHook: [7] - {A3C95A74-638D-4C6B-A856-4B27664A7F47} = C:/WINDOWS/system32/wgdoor0.dll
O24 - ShlExecHook: [D] - {ABD0935D-B35A-47BD-BA9A-81678DDE74DD} = C:/WINDOWS/system32/qhdoor0.dll
O24 - ShlExecHook: [C] - {074616A6-5ADC-4A3F-B252-E1D605228B5C} = C:/WINDOWS/system32/wmdoor0.dll
O24 - ShlExecHook: [0] - {EDFF29C1-5A70-4460-AC1D-16DCB4B672F0} = C:/WINDOWS/system32/rxdoor0.dll
O24 - ShlExecHook: [8] - {08E909A4-B236-48DD-8BCC-90A604B93E68} = C:/WINDOWS/system32/tldoor0.dll
O24 - ShlExecHook: [8] - {4E3FBFA4-F1CC-4B66-B333-B9F0FF4B4748} = C:/WINDOWS/system32/mydoor0.dll
O24 - ShlExecHook: [8] - {6826A3DB-EA8E-4E67-880D-53D04C7C0BD8} = C:/WINDOWS/system32/qjdoor0.dll
O24 - ShlExecHook: [B] - {BD9B003B-0BE6-4528-A9D9-B8DBACAC6B9B} = C:/WINDOWS/system32/fydoor0.dll
O24 - ShlExecHook: [7] - {781FBCC1-99C7-4AE0-95F7-66EA49E86DD7} = C:/WINDOWS/system32/zxdoor0.dll
O24 - ShlExecHook: [2] - {68F7767A-090C-4BBF-A015-720ACC6706E2} = C:/WINDOWS/system32/wddoor0.dll
O24 - ShlExecHook: [B] - {D8CC4845-441C-44F8-9053-28F2EF67655B} = C:/WINDOWS/system32/dadoor0.dll
O25 - InsCom: {11716107-A10D-11cf-64CD-11115FE1CF41} = C:/WINDOWS/system32/nwizzhuxians.exe
===/
Disable System Restore.
Download HijackThis from http://endurer.ys168.com, and bat_do and FileInfo from http://purpleendurer.ys168.com.
Use pe_xscan's web analysis tool to extract the file specifiers of the suspicious files, add them to FileInfo to extract file information, then add them to bat_do, select all, first pack them with rar.exe as a backup, then delayed-delete, rename the selected files, and delayed-delete again.
Run HijackThis and fix the O2 and O4 items.
Use WinRAR to delete H:/autorun.inf.
Download Dr.Web CureIt and scan; it found a pile of viruses.
Download and install Rising Kaka Security Assistant (瑞星卡卡安全助手) for later use.
Use WinRAR to delete the deletable files and folders in the Windows temp folder, the IE temp folder, and c:/windows/prefetch.
Reboot, again into Safe Mode with Networking, run Kaka Security Assistant, choose [Advanced Functions] -> [Plugin Management and Uninstall], and uninstall the O24 items.
Switch to [Startup Item Management], click [Explorer Plugins] in the left list, find the O25 item in the right list, right-click, and choose Delete from the popup menu.
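As an added example (not the author's pe_xscan tool and not code from this post), the Python script below turns the triage done by hand on the log above into a repeatable check: it reads a constructed excerpt in the same layout and flags a system DLL name planted in the Internet Explorer folder, the two-letter *door0.dll family carrying the OS-install timestamp but no version resource, a BHO dropped straight into Common Files, junk-named Run values, the launch keys inside autorun.inf, and O24/O25 entries that load an already-flagged file; it then groups each hit under the cleanup step used in the procedure above. The sample log, the SYSTEM_DLLS list, the name patterns and the step mapping are assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed excerpt in the pe_xscan / HijackThis layout shown in the post; sample data, not a real capture.
SAMPLE_LOG = """\
C:/WINDOWS/Explorer.EXE * 1448 | 2004-8-16 8:39:14 | Microsoft(R) Windows(R) Operating System | 6.00.2900.2180
C:/Program Files/Internet Explorer/msvcrt.dll | 2007-8-27 11:37:8 | Microsoft Windows Operating System | 6.00.2900.3028
C:/WINDOWS/system32/mhdoor0.dll | 2004-8-16 8:39:14
C:/WINDOWS/system32/wodoor0.dll | 2004-8-16 8:39:14
C:/Program Files/WinRAR/rarext.dll | 2006-7-20 20:41:30
O2 - BHO - {A1626E66-B26B-C628-A1DF-BDACCFA26EE1} - C:/Program Files/Common Files/Relive.dll
O4 - HKLM/../Run: [aslkgadlkgsl1] C:/WINDOWS/system32/oigdfgdfl1.exe
O4 - HKLM/../Run: [ctfmon] C:/WINDOWS/system32/ctfmon.exe
H:/autorun.inf
/-----
[autorun]
open=Ghost.pif
shellexecute=Ghost.pif
shell/Auto/command=Ghost.pif
shell=Auto
-----/
O24 - ShlExecHook: [F] - {3422FB0F-95EB-458A-8B56-39552017A4EF} = C:/WINDOWS/system32/mhdoor0.dll
O25 - InsCom: {11716107-A10D-11cf-64CD-11115FE1CF41} = C:/WINDOWS/system32/nwizzhuxians.exe
"""

# Assumed heuristics: names that belong in system32, the *door0.dll family from the post,
# and "keyboard-mash plus counter" names such as oigdfgdfl1.
SYSTEM_DLLS = {"msvcrt.dll", "kernel32.dll", "user32.dll", "shell32.dll", "ntdll.dll"}
DOOR_RE = re.compile(r"^[a-z]{2}door0\.dll$", re.I)
JUNK_RE = re.compile(r"^[a-z]{5,}\d{1,2}$", re.I)
LAUNCH_KEYS = {"open", "shellexecute", "shell/auto/command"}

def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1]

def module_fields(line):
    """'path [* pid] | timestamp | description | version ...' -> (path, timestamp, has_version_info)."""
    fields = [f.strip() for f in line.split("|")]
    path = fields[0].split(" * ")[0].strip()
    return path, (fields[1] if len(fields) > 1 else ""), len(fields) > 2

def triage(log_text):
    """Return a list of (kind, target, reason) tuples for entries that merit a closer look."""
    lines = [l.strip() for l in log_text.splitlines()]
    findings = []
    # Reference timestamp: the shell process itself, an OS file from installation time.
    os_stamp = next((module_fields(l)[1] for l in lines
                     if "|" in l and basename(module_fields(l)[0]).lower() == "explorer.exe"), None)
    flagged = set()
    i = 0
    while i < len(lines):
        line = lines[i]
        if "|" in line and not line.startswith("O"):
            path, stamp, versioned = module_fields(line)
            name, norm = basename(path).lower(), path.lower().replace("\\", "/")
            in_sys32 = "/windows/system32/" in norm
            if name in SYSTEM_DLLS and not in_sys32:
                findings.append(("module", path, "system DLL name planted outside system32"))
            if DOOR_RE.match(name):
                findings.append(("module", path, "*door0.dll naming pattern"))
            if in_sys32 and not versioned and stamp == os_stamp:
                findings.append(("module", path, "OS-install timestamp but no version resource"))
        elif line.startswith("O2 "):
            target = line.rsplit(" - ", 1)[-1]
            if re.search(r"/common files/[^/]+\.dll$", target, re.I):
                findings.append(("O2", target, "BHO DLL dropped straight into Common Files"))
        elif line.startswith("O4 "):
            m = re.match(r"O4 - .*?: \[(?P<name>[^\]]*)\] (?P<target>.+)$", line)
            if m and (JUNK_RE.match(m["name"]) or JUNK_RE.match(basename(m["target"]).rsplit(".", 1)[0])):
                findings.append(("O4", m["target"], f"junk-named Run value [{m['name']}]"))
        elif line.lower().endswith("autorun.inf"):
            inf = line
            if i + 1 < len(lines) and lines[i + 1] == "/-----":   # pe_xscan wraps file contents in /----- ... -----/
                i += 2
                while i < len(lines) and lines[i] != "-----/":
                    key, _, value = lines[i].partition("=")
                    key, value = key.strip().lower().replace("\\", "/"), value.strip()
                    if key in LAUNCH_KEYS and value:
                        findings.append(("autorun", inf, f"{key}={value} launches when the drive is opened"))
                    elif key == "shell" and value.lower() == "auto":
                        findings.append(("autorun", inf, "default verb redirected to the Auto command"))
                    i += 1
        elif line[:3] in ("O24", "O25"):
            target = line.rsplit(" = ", 1)[-1]
            if target in flagged or DOOR_RE.match(basename(target)):
                findings.append((line[:3], target, "hook/component loads an already-flagged file"))
        flagged = {t for _, t, _ in findings}
        i += 1
    return findings

# Assumed mapping of entry type to the cleanup step the post applies to it.
STEPS = {
    "module": "FileInfo -> bat_do: back up with rar.exe, delayed delete, rename, delayed delete again",
    "O2": "HijackThis: fix entry",
    "O4": "HijackThis: fix entry",
    "autorun": "delete with WinRAR",
    "O24": "Kaka Security Assistant: plugin management -> uninstall",
    "O25": "Kaka Security Assistant: startup items -> explorer plugins -> delete",
}

def plan(findings):
    """Group flagged targets under the cleanup step for their entry type."""
    grouped = defaultdict(set)
    for kind, target, _ in findings:
        grouped[STEPS[kind]].add(target)
    return {step: sorted(targets) for step, targets in grouped.items()}

if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for kind, target, reason in hits:
        print(f"{kind:8} {target}  <- {reason}")
    for step, targets in plan(hits).items():
        print(step, targets)
```

The timestamp rule is the one worth keeping in mind: the *door0.dll files carry exactly the same date as Explorer.EXE (the OS install time) yet have no version resource, which is how a dropper makes a file blend into a directory listing sorted by date; a legitimate third-party module such as rarext.dll has its own date and is not flagged. The O25 item in the post is only caught if its target was already flagged elsewhere, so it still needs the manual review the procedure gives it.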