Encountering auto.exe, Hack.ArpCheater.a (ARP spoofing tool), Trojan.PSW.ZhengTu and others, Part 1

Original by endurer
2007-07-23, Part 1

A netizen said his computer blue-screened last night while he was using it. Just now, after turning it on and reaching the desktop, a dialog popped up saying explorer.exe had an error; after he clicked OK the taskbar vanished on its own, and the antivirus monitor was nowhere to be seen... He asked me to help over QQ remote assistance.

I downloaded pe_xscan, scanned, and analysed the log, finding the following suspicious items (the process/module section is abridged):

/===
pe_xscan 07-07-21 by Purple Endurer
2007-7-22 20:27:50
Windows XP Service Pack 2(5.1.2600)
管理员用户组

[System Process] * 0
C:/Program Files/Internet Explorer/msvcrt.dll | 2007-7-22 16:51:6 | Microsoft Windows Operating System | 6.00.2900.3028 | Microsoft Corporation Windows DLL | Copyright (C) 2001.01 | 1. 0. 0. 1 | Microsoft Corporation| ? | Windows.dll | Windows.dll

C:/WINDOWS/system32/svchost.exe * 724 | 2004-8-23 16:0:0 | Microsoft? Windows? Operating System | 5.1.2600.2180 | Generic Host Process for Win32 Services | ? Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | svchost.exe | svchost.exe
C:/Program Files/Internet Explorer/msvcrt.dll | 2007-7-22 16:51:6 | Microsoft Windows Operating System | 6.00.2900.3028 | Microsoft Corporation Windows DLL | Copyright (C) 2001.01 | 1. 0. 0. 1 | Microsoft Corporation| ? | Windows.dll | Windows.dll

C:/WINDOWS/system32/ctfmon.exe * 936 | 2004-8-23 16:0:0 | Microsoft? Windows? Operating System | 5.1.2600.2180 | CTF Loader | ? Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | CTFMON | CTFMON.EXE
C:/Program Files/Internet Explorer/msvcrt.dll | 2007-7-22 16:51:6 | Microsoft Windows Operating System | 6.00.2900.3028 | Microsoft Corporation Windows DLL | Copyright (C) 2001.01 | 1. 0. 0. 1 | Microsoft Corporation| ? | Windows.dll | Windows.dll

C:/WINDOWS/system32/conime.exe * 908 | 2004-8-23 16:0:0 | Microsoft? Windows? Operating System | 5.1.2600.2180 | Console IME | ? Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | Console | CONIME.EXE
C:/Program Files/Internet Explorer/msvcrt.dll | 2007-7-22 16:51:6 | Microsoft Windows Operating System | 6.00.2900.3028 | Microsoft Corporation Windows DLL | Copyright (C) 2001.01 | 1. 0. 0. 1 | Microsoft Corporation| ? | Windows.dll | Windows.dll

C:/WINDOWS/explorer.exe * 3228 | 2004-8-23 16:0:0 | Microsoft(R) Windows(R) Operating System | 6.00.2900.2180 | Windows Explorer | (C) Microsoft Corporation. All rights reserved. | 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | explorer | EXPLORER.EXE
C:/Program Files/Internet Explorer/msvcrt.dll | 2007-7-22 16:51:6 | Microsoft Windows Operating System | 6.00.2900.3028 | Microsoft Corporation Windows DLL | Copyright (C) 2001.01 | 1. 0. 0. 1 | Microsoft Corporation| ? | Windows.dll | Windows.dll
C:/Program Files/Common Files/Relive.dll | 2007-7-22 16:51:6 | Microsoft Windows Operating System | 6.00.2900.3028 | Microsoft Corporation Windows DLL | Copyright (C) 2001.01 | 1. 0. 0. 1 | Microsoft Corporation| ? | Windows.dll | Windows.dll
C:/WINDOWS/system32/AlxTB1.dll | 2005-4-14 4:9:8 | AlxTB Module | 1, 0, 0, 1 | AlxTB Module | Copyright 2000-2003 | 7, 0, 1, 57 | Alexa Internet | | AlxTB | AlxTB.DLL

C:/Program Files/Internet Explorer/msvcrt.bak * 2236 | 2007-7-19 15:27:26
C:/Program Files/Internet Explorer/msvcrt.bak | 2007-7-19 15:27:26
C:/Program Files/Internet Explorer/msvcrt.dll | 2007-7-22 16:51:6 | Microsoft Windows Operating System | 6.00.2900.3028 | Microsoft Corporation Windows DLL | Copyright (C) 2001.01 | 1. 0. 0. 1 | Microsoft Corporation| ? | Windows.dll | Windows.dll

C:/WINDOWS/system32/cmd.exe * 876 | 2004-8-23 16:0:0 | Microsoft(R) Windows(R) Operating System | 5.1.2600.2180 | Windows Command Processor | (C) Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | cmd | Cmd.Exe
C:/Program Files/Internet Explorer/msvcrt.dll | 2007-7-22 16:51:6 | Microsoft Windows Operating System | 6.00.2900.3028 | Microsoft Corporation Windows DLL | Copyright (C) 2001.01 | 1. 0. 0. 1 | Microsoft Corporation| ? | Windows.dll | Windows.dll

C:/WINDOWS/system32/drivers/smss.exe * 3464 | 2007-7-18 19:57:56

O2 - BHO - {D3626E66-B13B-C628-ACDF-BDABCFA265E1} - C:/Program Files/Common Files/Relive.dll
O2 - BHO - {D7515C61-A66C-4319-A0E0-D416CB8059E3} - C:/Program Files/Common Files/Relive.dll
O2 - BHO - {E3616E66-C13B-2628-2CDF-EDABCFA235E1} - C:/Program Files/Common Files/Relive.dll
O2 - BHO AlxTB BHO Class - {F1FABE79-25FC-46de-8C5A-2C6DB9D64333} - C:/WINDOWS/system32/AlxTB1.dll

O4 - HKLM/../Run: [wosa] C:/DOCUME~1/user/LOCALS~1/Temp/woso.exe
O4 - HKLM/../Run: [ztsa] C:/DOCUME~1/user/LOCALS~1/Temp/ztso.exe
O4 - HKLM/../Run: [mhsa] C:/DOCUME~1/user/LOCALS~1/Temp/mhso.exe
O4 - HKLM/../Run: [fysa] C:/DOCUME~1/user/LOCALS~1/Temp/fyso.exe
O4 - HKLM/../Run: [jtsa] C:/DOCUME~1/user/LOCALS~1/Temp/jtso.exe
O4 - HKLM/../Run: [wlsa] C:/DOCUME~1/user/LOCALS~1/Temp/wlso.exe
O4 - HKLM/../Run: [wgsa] C:/DOCUME~1/user/LOCALS~1/Temp/wgso.exe
O4 - HKLM/../Run: [wmsa] C:/DOCUME~1/user/LOCALS~1/Temp/wmso.exe
O4 - HKLM/../Run: [qjsa] C:/DOCUME~1/user/LOCALS~1/Temp/qjso.exe
O4 - HKLM/../Run: [rxsa] C:/DOCUME~1/user/LOCALS~1/Temp/rxso.exe
O4 - HKLM/../Run: [wdsa] C:/DOCUME~1/user/LOCALS~1/Temp/wdso.exe
O4 - HKLM/../Run: [tlsa] C:/DOCUME~1/user/LOCALS~1/Temp/tlso.exe
O4 - HKLM/../Run: [dasa] C:/DOCUME~1/user/LOCALS~1/Temp/daso.exe
O4 - HKLM/../Run: [zxsa] C:/DOCUME~1/user/LOCALS~1/Temp/zxso.exe

O4 - HKLM/../Policies/Explorer/Run: [visin] C:/WINDOWS/system32/visin.exe

C:/autorun.inf
/-----
[autorun]
open=auto.exe
shell/open=打开(&O)
shell/open/Command=auto.exe
hell/explore=资源管理器(&X)
shell/explore/Command="auto.exe"
-----/
D:/autorun.inf
/-----
[autorun]
open=auto.exe
shell/open=打开(&O)
shell/open/Command=auto.exe
hell/explore=资源管理器(&X)
shell/explore/Command="auto.exe"
-----/

O8 - IE右键菜单附加项 : Alexa Web Search - http://client.alexa.com/holiday/script/actions/search.htm
O8 - IE右键菜单附加项 : Get Alexa Data - http://client.alexa.com/holiday/script/actions/sitedata.htm
O8 - IE右键菜单附加项 : Mail to a Friend... - http://client.alexa.com/holiday/script/actions/mailto.htm
O8 - IE右键菜单附加项 : See Related Links - http://client.alexa.com/holiday/script/actions/related.htm
O8 - IE右键菜单附加项 : Write a Review... - http://client.alexa.com/holiday/script/actions/review.htm

O11 - IE扩展选项组:TBH (中文搜搜) =

O23 - 服务: WindowsDown (Windows_SystemDown) - C:/WINDOWS/system32/servet.exe | 2007-7-22 16:23:22(自动)
O23 - 服务: WS2IFSL (Windows 套接字 2 .0 Non-IFS 服务提供程序支持环境) - C:/WINDOWS/System32/drivers/ws2ifsl.sys | 2004-8-23 16:0:0 | Microsoft? Windows? Operating System | 5.1.2600.0 | Winsock2 IFS Layer | ? Microsoft Corporation. All rights reserved. | 5.1.2600.0 (xpclient.010817-1148) | Microsoft Corporation| ? | ws2ifsl.sys | ws2ifsl.sys(禁用)

O24 - ShlExecHook: [] - {03F6E661-0D5F-3FAD-3E2B-E261E3CB6CD2} = C:/Program Files/Internet Explorer/PLUGINS/HiJack.dll
O24 - ShlExecHook: [] - {0EA12C16-CDEF-6AC1-236E-CD3FE82F5213} = C:/Program Files/Internet Explorer/msvcrt.dll
O24 - ShlExecHook: [] - {05AD2E16-C6EF-6AC1-136A-CE3FD8EF5613} = C:/Program Files/Internet Explorer/msvcrt.dll
O24 - ShlExecHook: [] - {0FAD2E16-C8EF-5AC1-1E6A-AE3FD8EF56B3} = C:/Program Files/Internet Explorer/msvcrt.dll

O25 - InsCom: {11716107-A10D-11cf-64CD-11115FE1CF41} = C:/WINDOWS/system32/nwizzhuxians.exe

HKLM/SHOWALL 值非1
===/

Most of these I have run into before~
The cleanup steps are left for the next installment~
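To show how the suspicious items in the log above can be picked out mechanically, here is an added triage script; it is not part of the original post nor of pe_xscan. It assumes the field layout seen in this log (path, optional " * pid", then pipe-separated version-info fields, with only a timestamp when the file has no version resource) and runs over a constructed sample copied from those lines; the rules (a Windows binary name outside its home directory, no version resource, autostarts from Temp or Policies\Explorer\Run, SHOWALL tampered) are assumptions drawn from what this log shows.

```python
import re

# Constructed sample: lines copied from the pe_xscan log quoted above (one clean line for contrast).
SAMPLE_LOG = """\
C:/WINDOWS/system32/svchost.exe * 724 | 2004-8-23 16:0:0 | Microsoft Windows Operating System
C:/Program Files/Internet Explorer/msvcrt.dll | 2007-7-22 16:51:6 | Microsoft Windows Operating System
C:/WINDOWS/system32/drivers/smss.exe * 3464 | 2007-7-18 19:57:56
O4 - HKLM/../Run: [wosa] C:/DOCUME~1/user/LOCALS~1/Temp/woso.exe
O4 - HKLM/../Policies/Explorer/Run: [visin] C:/WINDOWS/system32/visin.exe
O23 - 服务: WindowsDown (Windows_SystemDown) - C:/WINDOWS/system32/servet.exe | 2007-7-22 16:23:22(自动)
HKLM/SHOWALL 值非1
"""
# Where these Windows binaries legitimately live; the log shows both names used from other folders.
EXPECTED_DIR = {"msvcrt.dll": "c:/windows/system32", "smss.exe": "c:/windows/system32"}
FILE_RE = re.compile(r"([A-Za-z]:/.+?)(?:\s+\*\s+\d+)?$")      # "path" or "path * pid"
AUTOSTART_RE = re.compile(r"^O4 - (\S+): \[([^\]]+)\] (.+)$")   # "O4 - key: [name] target"

def parse_file_entry(line):
    """Return (path, version-info fields) for a file line, or None for other lines."""
    head = line.split(" - ")[-1] if line.startswith("O23") else line  # O23: image path comes last
    fields = [f.strip() for f in head.split("|")]
    m = FILE_RE.match(fields[0])
    return (m.group(1), fields[1:]) if m else None

def triage_line(line):
    """Return the findings for one pe_xscan line; an empty list means nothing was flagged."""
    findings = []
    entry = parse_file_entry(line)
    if entry:
        path, fields = entry
        folder, name = path.rsplit("/", 1)
        if EXPECTED_DIR.get(name.lower()) not in (None, folder.lower()):
            findings.append(f"system file name in unexpected directory: {path}")
        if len(fields) < 2 and name.lower().endswith((".exe", ".dll", ".sys")):
            findings.append(f"no version resource: {path}")  # pe_xscan then prints only the timestamp
    m = AUTOSTART_RE.match(line)
    if m:
        key, name, target = m.groups()
        if "/temp/" in target.lower():
            findings.append(f"autostart [{name}] launched from a Temp directory: {target}")
        if "policies/explorer/run" in key.lower():
            findings.append(f"autostart [{name}] via Policies/Explorer/Run: {target}")
    if line.startswith("HKLM/SHOWALL"):  # pe_xscan reports this only when the value is not 1
        findings.append("Explorer SHOWALL policy tampered (value is not 1)")
    return findings

def triage_log(text):
    """Map every flagged line to its findings, keeping log order."""
    return {ln: found for ln in text.splitlines() if (found := triage_line(ln))}
```

Run `triage_log(SAMPLE_LOG)` to get the flagged lines; the clean svchost.exe line produces no finding.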
