Encountering Trojan.PSW.Lmir.kyo, Trojan.DL.QQHelper and a Host of Other Trojans

Original article by endurer

2006-09-23, revision 1

A reader's computer kept turning up viruses, and manual scans could not clean them out completely.
He asked me to take a look.

Download HijackThis from http://endurer.ys168.com and scan; the log showed the following suspicious items:

/----------
HijackThis_zww汉化版扫描日志 V1.99.1
保存于 0:30:24, 日期 2006-9-19
操作系统: Windows XP SP2 (WinNT 5.01.2600)
浏览器: Internet Explorer v6.00 SP2 (6.00.2900.2180)

当前运行的进程:
C:/PROGRA~1/svhost32.exe

F3 - REG:win.ini: load=C:/PROGRA~1/svhost32.exe
O2 - BHO: AdPopup - {11F09AFD-75AD-4E51-AB43-E09E9351CE16} - C:/Program Files/Common Files/CPUSH/cpush.dll
O2 - BHO: MyIEHelper Class - {16B770A0-0E87-4278-B748-2460D64A8386} - C:/Documents and Settings/All Users/Application Data/Microsoft/IEHelper/IEHelper2006814_4593.dll (file missing)
O2 - BHO: (no name) - {3A134B8D-CA84-42A9-BF88-CE45F8C395BF} - C:/WINDOWS/system32/IEOPENGL.DLL
O2 - BHO: CdnForIE Class - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:/PROGRA~1/CNNIC/Cdn/cdnforie.dll
O2 - BHO: (no name) - {8532B305-4486-4388-939F-341C0430CDFC} - C:/WINDOWS/system32/DxBho.dll
O2 - BHO: QuickBtn - {D1BB7CF4-4463-4e91-88D7-ECC3CE0A13B7} - C:/Program Files/kuzhan/kuzhan.dll
O2 - BHO: (no name) - {D424FE4E-CAF9-4fdd-BC5F-E6E6B91D53BF} - (no file)
O2 - BHO: WMHlprObj Class - {F5824EFB-728A-4726-A5A5-85A68B20EDC3} - C:/PROGRA~1/CNNIC/Cdn/wmhlpr.dll

O4 - 启动项HKLM//Run: [Update] C:/Program Files/Common Files/UPDATE2/Update.exe (kuzhan's item)
O4 - 启动项HKLM//Run: [CdnCtr] C:/Program Files/CNNIC/Cdn/cdnup.exe
O4 - 启动项HKCU//Run: [updatereal] C:/WINDOWS/realupdate.exe other
O4 - 启动项HKCU//Run: [msnnt] C:/WINDOWS/winampa.exe

O8 - IE右键菜单中的新增项目: 用炫彩图铃发送该图片 - C:/Program Files/CaiShow Tech/CaiShow/SendMMS.htm
O8 - IE右键菜单中的新增项目: 访问通用网址 - C:/Program Files/CNNIC/Cdn/cnnic.htm
O9 - 浏览器额外的按钮: 酷站导航 - {1D901067-2529-4A9B-9B6B-7A1DB3A44CB5} - C:/Program Files/kuzhan/kuzhan.dll
O9 - 浏览器额外的按钮: 中文上网 - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:/PROGRA~1/CNNIC/Cdn/cdnforie.dll
O9 - 浏览器额外的“工具”菜单项: 中文上网 - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:/PROGRA~1/CNNIC/Cdn/cdnforie.dll

O10 - 未知的文件在 Winsock LSP: c:/windows/system32/cdnns.dll

O11 - Options group: [CDNCLIENT] 中文上网

O23 - NT 服务: Network Logon (NetWorkLogon) - Unknown owner - rundll32.exe (file missing)

Download and run procview from http://endurer.ys168.com and terminate the process: C:/PROGRA~1/svhost32.exe
----------/

Stop and disable the service Network Logon (NetWorkLogon); its command line is: rundll32.exe KB896475.log,start

C:/WINDOWS/system32>dir KB896475.log
驱动器 C 中的卷没有标签。
卷的序列号是 1013-3AFE

C:/WINDOWS/system32 的目录

2006-09-18 13:41 123,141 KB896475.log
1 个文件 123,141 字节
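The triage above boils down to a handful of heuristics on the HijackThis log: a win.ini `load=` entry, BHOs that have no name or live in system32, Run entries pointing at binaries dropped straight into the Windows root, an unknown Winsock LSP, and a service that is really `rundll32.exe` loading a file with a `.log` extension. The script below, added here as an example and not part of the original post, encodes those heuristics and runs them over lines copied from the log above. It keys on the section prefix (F3, O2, O4, O10, O23) rather than the localized labels, so it works on the Chinese HijackThis output as printed; the final `Example Service` line and the helper names are constructed for the example.

```python
import re
from dataclasses import dataclass

# Sample input (constructed for this example): lines copied from the localized
# HijackThis log above, plus one made-up benign O23 service line at the end so the
# filter has something to pass. Example Service / ExampleSvc / Example Corp are fictitious.
SAMPLE_LOG = """\
F3 - REG:win.ini: load=C:/PROGRA~1/svhost32.exe
O2 - BHO: AdPopup - {11F09AFD-75AD-4E51-AB43-E09E9351CE16} - C:/Program Files/Common Files/CPUSH/cpush.dll
O2 - BHO: (no name) - {3A134B8D-CA84-42A9-BF88-CE45F8C395BF} - C:/WINDOWS/system32/IEOPENGL.DLL
O2 - BHO: (no name) - {D424FE4E-CAF9-4fdd-BC5F-E6E6B91D53BF} - (no file)
O4 - 启动项HKLM//Run: [CdnCtr] C:/Program Files/CNNIC/Cdn/cdnup.exe
O4 - 启动项HKCU//Run: [updatereal] C:/WINDOWS/realupdate.exe other
O4 - 启动项HKCU//Run: [msnnt] C:/WINDOWS/winampa.exe
O10 - 未知的文件在 Winsock LSP: c:/windows/system32/cdnns.dll
O23 - NT 服务: Network Logon (NetWorkLogon) - Unknown owner - rundll32.exe (file missing)
O23 - NT 服务: Example Service (ExampleSvc) - Example Corp - C:/Program Files/Example/service.exe
"""

_SECTION_RE = re.compile(r"^(?P<sec>[FO]\d+) - (?P<body>.*)$")
_ROOT_DIRS = {"c:/windows", "c:/program files", "c:/progra~1"}


@dataclass
class Finding:
    section: str
    reason: str
    detail: str


def _parent_dir(path):
    # Normalise separators and case; return the directory part of a path.
    p = path.replace("\\", "/").strip().lower()
    return p.rsplit("/", 1)[0] if "/" in p else ""


def suspicious_rundll32_cmdline(cmdline):
    """True when rundll32 is told to load a module whose name does not end in .dll.
    The post's service ran 'rundll32.exe KB896475.log,start': a DLL disguised as a log file."""
    parts = cmdline.strip().split(None, 1)
    if len(parts) < 2 or not parts[0].lower().endswith("rundll32.exe"):
        return False
    module = parts[1].split(",", 1)[0].strip().strip('"')
    return not module.lower().endswith(".dll")


def triage_line(line):
    """Return a Finding for one HijackThis line, or None when the heuristics pass it.
    Matching keys on the section prefix (F3/O2/...), so localized labels do not matter."""
    m = _SECTION_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    if sec == "F3" and "load=" in body:
        return Finding(sec, "win.ini load= is a legacy autostart hook that current software does not use",
                       body.split("load=", 1)[1].strip())
    if sec == "O2":
        fields = [f.strip() for f in body.split(" - ")]
        name, path = fields[0].split(":", 1)[-1].strip(), fields[-1]
        reasons = []
        if name == "(no name)":
            reasons.append("BHO has no name")
        if path == "(no file)" or "(file missing)" in path:
            reasons.append("BHO points at a missing file")
        if _parent_dir(path).startswith("c:/windows"):
            reasons.append("BHO lives under the Windows directory rather than a vendor folder")
        return Finding(sec, "; ".join(reasons), path) if reasons else None
    if sec == "O4":
        m4 = re.search(r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)", body)
        if m4:
            # Command line may carry arguments ("... realupdate.exe other"); keep the .exe part.
            exe = re.match(r'"([^"]+)"|(.+?\.exe)\b', m4.group("cmd"), re.I)
            path = (exe.group(1) or exe.group(2)) if exe else m4.group("cmd")
            if _parent_dir(path) in _ROOT_DIRS:
                return Finding(sec, "autostart binary sits directly in a root directory", path)
        return None
    if sec == "O10":
        return Finding(sec, "Winsock LSP that HijackThis could not attribute to a known product",
                       body.split(":", 1)[-1].strip())
    if sec == "O23":
        fields = [f.strip() for f in body.split(" - ")]
        binary = fields[-1]
        if binary.lower().startswith("rundll32.exe") or "(file missing)" in binary:
            return Finding(sec, "service hosted by rundll32.exe or with a missing binary",
                           fields[0].split(":", 1)[-1].strip())
    return None


def triage(log_text):
    """Run every line of a HijackThis log through the heuristics."""
    return [f for f in (triage_line(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.detail}\n     -> {f.reason}")
    print("rundll32 check:", suspicious_rundll32_cmdline("rundll32.exe KB896475.log,start"))
```

These heuristics are a coarse first pass: on the sample they flag seven of the ten lines and let the CNNIC `cdnup.exe` Run entry and the `AdPopup` BHO through, both of which the post still removes as adware. The path and publisher checks narrow the list; the final call stays with the person reading the log.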


Use WinRAR to locate the following files:

C:/PROGRA~1/svhost32.exe (Kaspersky reports it as Trojan-PSW.Win32.Lineage.ahq)
c:/windows/system32/dllwm.dll (Kaspersky reports it as Trojan-PSW.Win32.Lineage.ahq)
c:/windows/system32/TIMPlatforms.exe
c:/windows/system32/KB896475.log (Rising reports it as Trojan.PSW.Lmir.kyo)


STATUS: FINISHED
Complete scanning result of "KB896475.log.del", received in VirusTotal at 09.18.2006, 19:28:23 (CET).

Antivirus Version Update Result
AntiVir 7.2.0.16 09.18.2006 no virus found
Authentium 4.93.8 09.18.2006 no virus found
Avast 4.7.844.0 09.15.2006 Win32:Wow-X
AVG 386 09.18.2006 no virus found
BitDefender 7.2 09.18.2006 no virus found
CAT-QuickHeal 8.00 09.18.2006 no virus found
ClamAV devel-20060426 09.18.2006 no virus found
eTrust-InoculateIT 23.72.127 09.16.2006 no virus found
eTrust-Vet 30.3.3084 09.18.2006 no virus found
DrWeb 4.33 09.18.2006 no virus found
Ewido 4.0 09.18.2006 no virus found
Fortinet 2.82.0.0 09.18.2006 suspicious
F-Prot 3.16f 09.18.2006 Possibly a new variant of W32/Threat-IKNP-based!Maximus
F-Prot4 4.2.1.29 09.18.2006 W32/Threat-IKNP-based!Maximus
Ikarus 0.2.65.0 09.18.2006 Backdoor.Win32.PcClient.GV
Kaspersky 4.0.2.24 09.18.2006 no virus found
McAfee 4854 09.18.2006 no virus found
Microsoft 1.1560 09.17.2006 no virus found
NOD32v2 1.1761 09.18.2006 no virus found
Norman 5.80.02 09.18.2006 no virus found
Panda 9.0.0.4 09.18.2006 Suspicious file
Sophos 4.09.0 09.18.2006 no virus found
Symantec 8.0 09.18.2006 no virus found
TheHacker 6.0.1.071 09.17.2006 no virus found
UNA 1.83 09.18.2006 no virus found
VBA32 3.11.1 09.18.2006 no virus found
VirusBuster 4.3.7:9 09.18.2006 no virus found

Aditional Information
File size: 123141 bytes
MD5: 25ea5d35320afb7a4343bed7e205a25c
SHA1: 3a7a6c51873a60f8e327c2e1da41246c6d8f9f47
Packers: Packed

C:/WINDOWS/system32/DxBho.dll

STATUS: FINISHED
Complete scanning result of "dxbho.dll", received in VirusTotal at 09.18.2006, 18:45:58 (CET).

Antivirus Version Update Result
AntiVir 7.2.0.16 09.18.2006 no virus found
Authentium 4.93.8 09.18.2006 no virus found
Avast 4.7.844.0 09.15.2006 no virus found
AVG 386 09.18.2006 no virus found
BitDefender 7.2 09.18.2006 no virus found
CAT-QuickHeal 8.00 09.18.2006 no virus found
ClamAV devel-20060426 09.18.2006 no virus found
DrWeb 4.33 09.18.2006 no virus found
eTrust-InoculateIT 23.72.127 09.16.2006 no virus found
eTrust-Vet 30.3.3084 09.18.2006 no virus found
Ewido 4.0 09.18.2006 no virus found
Fortinet 2.82.0.0 09.18.2006 no virus found
F-Prot 3.16f 09.18.2006 no virus found
F-Prot4 4.2.1.29 09.18.2006 no virus found
Ikarus 0.2.65.0 09.18.2006 no virus found
Kaspersky 4.0.2.24 09.18.2006 no virus found
McAfee 4854 09.18.2006 no virus found
Microsoft 1.1560 09.17.2006 no virus found
NOD32v2 1.1761 09.18.2006 no virus found
Norman 5.90.23 09.18.2006 no virus found
Panda 9.0.0.4 09.18.2006 no virus found
Sophos 4.09.0 09.18.2006 no virus found
Symantec 8.0 09.18.2006 no virus found
TheHacker 6.0.1.071 09.17.2006 no virus found
UNA 1.83 09.18.2006 no virus found
VBA32 3.11.1 09.18.2006 no virus found
VirusBuster 4.3.7:9 09.18.2006 no virus found


Aditional Information
File size: 234496 bytes
MD5: 721f35dbcd412eb68653092845186048
SHA1: a2bcd6ba5246412323211072909412b9e75fb576
packers: UPX

C:/WINDOWS/system32/IEOPENGL.DLL

STATUS: FINISHED
Complete scanning result of "IEOPENGL.DLL", received in VirusTotal at 09.18.2006, 19:01:37 (CET).

Antivirus Version Update Result
AntiVir 7.2.0.16 09.18.2006 no virus found
Authentium 4.93.8 09.18.2006 no virus found
Avast 4.7.844.0 09.15.2006 no virus found
AVG 386 09.18.2006 no virus found
BitDefender 7.2 09.18.2006 no virus found
CAT-QuickHeal 8.00 09.18.2006 no virus found
ClamAV devel-20060426 09.18.2006 no virus found
DrWeb 4.33 09.18.2006 no virus found
eTrust-InoculateIT 23.72.127 09.16.2006 no virus found
eTrust-Vet 30.3.3084 09.18.2006 no virus found
Ewido 4.0 09.18.2006 no virus found
Fortinet 2.82.0.0 09.18.2006 no virus found
F-Prot 3.16f 09.18.2006 no virus found
F-Prot4 4.2.1.29 09.18.2006 no virus found
Ikarus 0.2.65.0 09.18.2006 no virus found
Kaspersky 4.0.2.24 09.18.2006 no virus found
McAfee 4854 09.18.2006 no virus found
Microsoft 1.1560 09.17.2006 no virus found
NOD32v2 1.1761 09.18.2006 no virus found
Norman 5.90.23 09.18.2006 no virus found
Panda 9.0.0.4 09.18.2006 no virus found
Sophos 4.09.0 09.18.2006 no virus found
Symantec 8.0 09.18.2006 no virus found
TheHacker 6.0.1.071 09.17.2006 no virus found
UNA 1.83 09.18.2006 no virus found
VBA32 3.11.1 09.18.2006 no virus found
VirusBuster 4.3.7:9 09.18.2006 no virus found


Aditional Information
File size: 233984 bytes
MD5: b430c5978fe008802e9d269901ef9980
SHA1: 7884f2469eff2f55d174ff7c5ad338731db54787
packers: UPX
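The three VirusTotal reports above are plain text, and the useful numbers (how many engines flagged the file, whether the hits are named families or only heuristics, the hashes and packer) are easy to extract. The parser below is an added example, not part of the original post; its input is the first report (KB896475.log.del) copied verbatim. Note the pattern the post itself shows: the file is packed, only 6 of 27 engines react and three of those are generic "suspicious" verdicts, which is why the author cross-checked with a second scanner (Rising, which unpacked NsPack and named it Trojan.PSW.Lmir.kyo) instead of trusting a single vendor.

```python
import re
from collections import Counter

# Input: the first VirusTotal text report in the post (KB896475.log.del), copied verbatim,
# including VirusTotal's own "Aditional Information" spelling.
VT_REPORT = """\
Complete scanning result of "KB896475.log.del", received in VirusTotal at 09.18.2006, 19:28:23 (CET).

Antivirus Version Update Result
AntiVir 7.2.0.16 09.18.2006 no virus found
Authentium 4.93.8 09.18.2006 no virus found
Avast 4.7.844.0 09.15.2006 Win32:Wow-X
AVG 386 09.18.2006 no virus found
BitDefender 7.2 09.18.2006 no virus found
CAT-QuickHeal 8.00 09.18.2006 no virus found
ClamAV devel-20060426 09.18.2006 no virus found
eTrust-InoculateIT 23.72.127 09.16.2006 no virus found
eTrust-Vet 30.3.3084 09.18.2006 no virus found
DrWeb 4.33 09.18.2006 no virus found
Ewido 4.0 09.18.2006 no virus found
Fortinet 2.82.0.0 09.18.2006 suspicious
F-Prot 3.16f 09.18.2006 Possibly a new variant of W32/Threat-IKNP-based!Maximus
F-Prot4 4.2.1.29 09.18.2006 W32/Threat-IKNP-based!Maximus
Ikarus 0.2.65.0 09.18.2006 Backdoor.Win32.PcClient.GV
Kaspersky 4.0.2.24 09.18.2006 no virus found
McAfee 4854 09.18.2006 no virus found
Microsoft 1.1560 09.17.2006 no virus found
NOD32v2 1.1761 09.18.2006 no virus found
Norman 5.80.02 09.18.2006 no virus found
Panda 9.0.0.4 09.18.2006 Suspicious file
Sophos 4.09.0 09.18.2006 no virus found
Symantec 8.0 09.18.2006 no virus found
TheHacker 6.0.1.071 09.17.2006 no virus found
UNA 1.83 09.18.2006 no virus found
VBA32 3.11.1 09.18.2006 no virus found
VirusBuster 4.3.7:9 09.18.2006 no virus found

Aditional Information
File size: 123141 bytes
MD5: 25ea5d35320afb7a4343bed7e205a25c
SHA1: 3a7a6c51873a60f8e327c2e1da41246c6d8f9f47
Packers: Packed
"""

# Engine names carry no spaces in this format, so "engine version date result" splits cleanly.
_ENGINE_RE = re.compile(r"^(?P<engine>\S+) (?P<version>\S+) (?P<updated>\d{2}\.\d{2}\.\d{4}) (?P<result>.+)$")
_META_RE = re.compile(r"^(?P<key>MD5|SHA1|Packers?|File size): (?P<value>.+)$", re.I)
_NAME_RE = re.compile(r'scanning result of "(?P<name>[^"]+)"')


def classify(result):
    """Map a vendor result string to clean / heuristic / named."""
    r = result.strip().lower()
    if r == "no virus found":
        return "clean"
    if "suspicious" in r or r.startswith("possibly"):
        return "heuristic"
    return "named"


def parse_vt_report(text):
    report = {"file": None, "engines": [], "meta": {}}
    for line in text.splitlines():
        line = line.strip()
        if (m := _NAME_RE.search(line)):
            report["file"] = m.group("name")
        elif (m := _ENGINE_RE.match(line)):
            report["engines"].append({**m.groupdict(), "verdict": classify(m.group("result"))})
        elif (m := _META_RE.match(line)):
            report["meta"][m.group("key").lower().rstrip("s")] = m.group("value")  # "packers" -> "packer"
    return report


def summarize_report(report):
    verdicts = Counter(e["verdict"] for e in report["engines"])
    families = sorted(e["result"] for e in report["engines"] if e["verdict"] == "named")
    return {"file": report["file"], "engines": len(report["engines"]),
            "flagged": verdicts["heuristic"] + verdicts["named"],
            "named": verdicts["named"], "heuristic": verdicts["heuristic"],
            "families": families, "md5": report["meta"].get("md5"),
            "sha1": report["meta"].get("sha1"), "packer": report["meta"].get("packer")}


if __name__ == "__main__":
    s = summarize_report(parse_vt_report(VT_REPORT))
    print(f"{s['file']}: {s['flagged']}/{s['engines']} engines flagged "
          f"({s['named']} named, {s['heuristic']} heuristic), packer={s['packer']}")
    for fam in s["families"]:
        print("  ", fam)
```

Run the same parser over the other two reports and both come back 0/27 for DxBho.dll and IEOPENGL.DLL, which matches the post: the author kept them on the list because of how they were registered (nameless BHOs in system32), not because of a vendor verdict.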

C:/WINDOWS/system32/0848/baisoa>dir /s /a
驱动器 C 中的卷没有标签。
卷的序列号是 1013-3AFE

C:/WINDOWS/system32/0848/baisoa 的目录

2006-09-17 13:26 <DIR> .
2006-09-17 13:26 <DIR> ..
2006-09-18 13:40 71 up.dat
2006-09-17 13:26 229 verx.dat
2006-09-08 10:59 12,288 novel.exe
2006-09-15 14:14 20,992 dllhosta.dll
2006-09-17 13:26 <DIR> update
2006-09-17 13:26 69 updatefile.lst
2006-09-17 13:27 0 waitdown.lst
2006-09-17 13:27 90,112 avpa.exe
2006-09-18 13:40 18,432 winampa.exe
2006-09-18 13:40 465 adout.dat
9 个文件 142,658 字节

C:/WINDOWS/system32/0848/baisoa/update 的目录

2006-09-17 13:26 <DIR> .
2006-09-17 13:26 <DIR> ..
2006-09-18 13:40 71 up.dat
2006-09-17 13:26 69 updatefile.lst
2006-09-17 13:27 0 waitdown.lst
2006-09-17 13:26 229 verx.dat
2006-09-17 13:27 90,112 avpa.exe
2006-09-18 13:40 465 adout.dat
2006-09-18 13:40 18,432 winampa.exe
7 个文件 109,378 字节

所列文件总数:
16 个文件 252,036 字节
5 个目录 1,359,462,400 可用字节


Download and run the Rising Antivirus Assistant (瑞星杀毒助手) from http://endurer.ys168.com and use Rising's online virus scan on C:/; the results were:

/----------
2006-9-19 4:5:15 瑞星杀毒助手
Windows XP Service Pack 2(5.1.2600)
文件名 病毒名
C:/WINDOWS/system32/spoolsv/spoolsv.exe Trojan.DL.Agent.kij
C:/WINDOWS/system32/msicn/plugins/bm.dll Trojan.Ourxin.e
C:/WINDOWS/system32/msicn/plugins/as.dll Trojan.Ourxin.c
C:/WINDOWS/system32/msicn/msibm.dll Trojan.Spy.Agent.bhs
C:/WINDOWS/system32/1116/ntjdo/ntjcn.emm Trojan.Spy.Agent.bhs
C:/WINDOWS/system32/1116/ntjdo/plugins/cn.emm Trojan.Ourxin.e
C:/WINDOWS/system32/1116/ntjdo/plugins/bt.emm Trojan.Ourxin.c
C:/WINDOWS/system32/1116/tzt/xnqesn.emm Trojan.Ourxin.d
C:/WINDOWS/system32/1116/tqppmtw/tqppmtw.fyf Trojan.DL.Agent.kij
C:/WINDOWS/system32/0848/baisoa/update/winampa.exe>>Unpack Trojan.DL.Agent.ldt
C:/WINDOWS/system32/0848/baisoa/winampa.exe>>Unpack Trojan.DL.Agent.ldt
C:/WINDOWS/system32/wmpdrm.dll Trojan.Ourxin.d
C:/WINDOWS/system32/WinSC.dll Trojan.Clicker.Qhost.i
C:/WINDOWS/system32/WinSC64.dll Trojan.Clicker.Qhost.i
C:/WINDOWS/system32/UpdateModule.dll.del Trojan.Clicker.Agent.ads
C:/WINDOWS/system32/KB896475.log.del>>NsPack Trojan.PSW.Lmir.kyo
C:/WINDOWS/system32/ejjf.dll.del Trojan.DL.Direct.aa
C:/WINDOWS/system32/icif.dll.del Trojan.DL.Direct.aa
C:/WINDOWS/system32/jjbi.dll.del Trojan.DL.Direct.aa
C:/WINDOWS/system32/ijcj.dll.del Trojan.DL.Direct.aa
C:/WINDOWS/101628.exe.del Trojan.DL.ADLoad.ei
C:/WINDOWS/10045_setup.exe.del Trojan.StartPage.bnx

C:/Documents and Settings/All Users/Application Data/Microsoft/Crypto/dffj.exe.del Trojan.Inject.st
C:/Documents and Settings/All Users/Application Data/Tencent/bind_40040.exe Trojan.DL.Agent.lpu
C:/Documents and Settings/All Users/Application Data/Tencent/bind_40017.exe Trojan.DL.Agent.lpu
C:/Documents and Settings/All Users/Application Data/Tencent/setup72.exe Dropper.TiHs.g

C:/Program Files/Common Files/UPDATE2/Update.exe.1 Trojan.DL.QQHelper.efh
C:/Program Files/Windows Media Player/setup_wm.dll Trojan.DL.Agent.aph
C:/Program Files/Internet Explorer/iedw.dll Trojan.DL.Agent.aph
C:/Program Files/Common Files/System/ddcckl.dat Trojan.Inject.st
C:/Program Files/NetMeeting/nmview.dll Trojan.Agent.dte
C:/Program Files/NetMeeting/conf.dll Trojan.Agent.dte
C:/Program Files/xerox/fcbzc.exe Trojan.Inject.st
C:/Program Files/CNNIC/iebar_v2.exe Trojan.DL.QQHelper.eo

C:/nxldr.dat>>NsPack Trojan.PSW.Lmir.kyo
----------/

Archive the files as a backup, then remove them with the Rising Antivirus Assistant.

Close all browser and folder windows, then scan with HijackThis and fix the items listed above.

Empty the IE temporary files folder.

Empty c:/Documents and Settings/user/Local Settings/temp (where user is the user name).

Empty c:/windows/temp.
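The "archive a backup, then delete" step deserves to be mechanical: copy each flagged file into an archive together with a manifest (hash, path, detection name) before removing it, so that a false positive can be restored and a sample can be handed to a vendor. The script below is an added example, not the author's tooling. It parses the Rising scan output above (a subset of the lines, copied verbatim, including the `>>Unpack`/`>>NsPack` packer annotations and the `.del` suffix on files the author had already renamed), then runs the quarantine against a scratch directory populated with constructed dummy files; the `root` parameter and the `demo()` function exist only to make the run reproducible offline.

```python
import hashlib
import os
import tempfile
import zipfile
from collections import Counter

# Sample input: a subset of the Rising online-scan lines from the post, copied verbatim
# (header line included, as the scanner prints it).
RISING_OUTPUT = """\
文件名 病毒名
C:/WINDOWS/system32/spoolsv/spoolsv.exe Trojan.DL.Agent.kij
C:/WINDOWS/system32/0848/baisoa/update/winampa.exe>>Unpack Trojan.DL.Agent.ldt
C:/WINDOWS/system32/0848/baisoa/winampa.exe>>Unpack Trojan.DL.Agent.ldt
C:/WINDOWS/system32/KB896475.log.del>>NsPack Trojan.PSW.Lmir.kyo
C:/WINDOWS/system32/ejjf.dll.del Trojan.DL.Direct.aa
C:/Program Files/Common Files/UPDATE2/Update.exe.1 Trojan.DL.QQHelper.efh
C:/Program Files/CNNIC/iebar_v2.exe Trojan.DL.QQHelper.eo
C:/nxldr.dat>>NsPack Trojan.PSW.Lmir.kyo
"""


def parse_rising(text):
    """Split each '<path>[>>Packer] <family>' line; paths may contain spaces, so split from the right."""
    entries = []
    for line in text.splitlines():
        parts = line.strip().rsplit(None, 1)
        if len(parts) != 2 or parts[0].startswith("文件名"):
            continue
        path, _, packer = parts[0].partition(">>")
        entries.append({"path": path, "family": parts[1], "packer": packer or None,
                        "renamed": path.lower().endswith(".del")})
    return entries


def summarize(entries):
    return {"files": len(entries),
            "families": Counter(e["family"] for e in entries),
            "packed": sum(1 for e in entries if e["packer"]),
            "already_renamed": sum(1 for e in entries if e["renamed"])}


def _relative_to_root(win_path):
    # 'C:/WINDOWS/x' -> 'WINDOWS/x', so the same entry can be applied under any root.
    p = win_path.replace("\\", "/")
    return p.split(":/", 1)[1] if ":/" in p else p.lstrip("/")


def quarantine(entries, root, archive_path):
    """Back up every flagged file found under `root` into a zip together with a manifest
    (SHA-1, path, family), then delete the original. Files that are absent are recorded
    as MISSING rather than aborting the run. Returns counts of quarantined/missing."""
    manifest, quarantined, missing = [], 0, 0
    with zipfile.ZipFile(archive_path, "w", zipfile.ZIP_DEFLATED) as zf:
        for e in entries:
            rel = _relative_to_root(e["path"])
            src = os.path.join(root, *rel.split("/"))
            if not os.path.isfile(src):
                manifest.append(f"MISSING\t{rel}\t{e['family']}")
                missing += 1
                continue
            with open(src, "rb") as fh:
                digest = hashlib.sha1(fh.read()).hexdigest()
            zf.write(src, arcname=rel)   # copy into the archive first ...
            os.remove(src)               # ... and only then remove the original
            quarantined += 1
            manifest.append(f"{digest}\t{rel}\t{e['family']}")
        zf.writestr("MANIFEST.txt", "\n".join(manifest) + "\n")
    return {"quarantined": quarantined, "missing": missing}


def demo():
    """Create a scratch directory tree with dummy files for the first three flagged paths
    (constructed content, not real malware), quarantine them and report the outcome."""
    root = tempfile.mkdtemp()
    entries = parse_rising(RISING_OUTPUT)
    for e in entries[:3]:
        rel = _relative_to_root(e["path"])
        dst = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(dst), exist_ok=True)
        with open(dst, "wb") as fh:
            fh.write(b"constructed dummy content for " + rel.encode())
    archive = os.path.join(root, "quarantine.zip")
    counts = quarantine(entries, root, archive)
    with zipfile.ZipFile(archive) as zf:
        members = sorted(zf.namelist())
    left = sum(os.path.isfile(os.path.join(root, *_relative_to_root(e["path"]).split("/")))
               for e in entries)
    return {**counts, "archive_members": members, "originals_left": left}


if __name__ == "__main__":
    print(summarize(parse_rising(RISING_OUTPUT)))
    print(demo())
```

On a real machine the file would be copied only after the owning process has been stopped (the post does this with procview and by disabling the service first), and the archive would live outside the paths the scanner walks so that the next scan does not flag the backup itself.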
