Original by endurer

2006-09-23 version 1

A net friend's computer kept turning up viruses, and manual scans could not clean them out completely.
He asked me to help check it.

Downloaded HijackThis from http://endurer.ys168.com and scanned. The log showed the following suspicious items:

/----------
HijackThis_zww汉化版扫描日志 V1.99.1
保存于 0:30:24, 日期 2006-9-19
操作系统: Windows XP SP2 (WinNT 5.01.2600)
浏览器: Internet Explorer v6.00 SP2 (6.00.2900.2180)

当前运行的进程:
C:/PROGRA~1/svhost32.exe

F3 - REG:win.ini: load=C:/PROGRA~1/svhost32.exe
O2 - BHO: AdPopup - {11F09AFD-75AD-4E51-AB43-E09E9351CE16} - C:/Program Files/Common Files/CPUSH/cpush.dll
O2 - BHO: MyIEHelper Class - {16B770A0-0E87-4278-B748-2460D64A8386} - C:/Documents and Settings/All Users/Application Data/Microsoft/IEHelper/IEHelper2006814_4593.dll (file missing)
O2 - BHO: (no name) - {3A134B8D-CA84-42A9-BF88-CE45F8C395BF} - C:/WINDOWS/system32/IEOPENGL.DLL
O2 - BHO: CdnForIE Class - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:/PROGRA~1/CNNIC/Cdn/cdnforie.dll
O2 - BHO: (no name) - {8532B305-4486-4388-939F-341C0430CDFC} - C:/WINDOWS/system32/DxBho.dll
O2 - BHO: QuickBtn - {D1BB7CF4-4463-4e91-88D7-ECC3CE0A13B7} - C:/Program Files/kuzhan/kuzhan.dll
O2 - BHO: (no name) - {D424FE4E-CAF9-4fdd-BC5F-E6E6B91D53BF} - (no file)
O2 - BHO: WMHlprObj Class - {F5824EFB-728A-4726-A5A5-85A68B20EDC3} - C:/PROGRA~1/CNNIC/Cdn/wmhlpr.dll

O4 - 启动项HKLM//Run: [Update] C:/Program Files/Common Files/UPDATE2/Update.exe (kuzhan's item)
O4 - 启动项HKLM//Run: [CdnCtr] C:/Program Files/CNNIC/Cdn/cdnup.exe
O4 - 启动项HKCU//Run: [updatereal] C:/WINDOWS/realupdate.exe other
O4 - 启动项HKCU//Run: [msnnt] C:/WINDOWS/winampa.exe

O8 - IE右键菜单中的新增项目: 用炫彩图铃发送该图片 - C:/Program Files/CaiShow Tech/CaiShow/SendMMS.htm
O8 - IE右键菜单中的新增项目: 访问通用网址 - C:/Program Files/CNNIC/Cdn/cnnic.htm
O9 - 浏览器额外的按钮: 酷站导航 - {1D901067-2529-4A9B-9B6B-7A1DB3A44CB5} - C:/Program Files/kuzhan/kuzhan.dll
O9 - 浏览器额外的按钮: 中文上网 - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:/PROGRA~1/CNNIC/Cdn/cdnforie.dll
O9 - 浏览器额外的“工具”菜单项: 中文上网 - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:/PROGRA~1/CNNIC/Cdn/cdnforie.dll

O10 - 未知的文件在 Winsock LSP: c:/windows/system32/cdnns.dll

O11 - Options group: [CDNCLIENT] 中文上网

O23 - NT 服务: Network Logon (NetWorkLogon) - Unknown owner - rundll32.exe (file missing)
----------/

Downloaded and ran procview from http://endurer.ys168.com and terminated the process: C:/PROGRA~1/svhost32.exe
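As an added example (not part of the original post, and not a HijackThis feature), the following Python script applies a few defender-side heuristics to HijackThis lines like the ones in the log above: orphaned entries marked (file missing) or (no file), the legacy win.ini load= autostart, unknown Winsock LSP DLLs, services hosted through rundll32.exe, executables dropped straight into C:/WINDOWS, and file names that imitate core system processes (svhost32.exe against svchost.exe). The sample lines are copied from the log above; the similarity threshold and the list of imitated process names are the example's own assumptions.

```python
import re
import difflib
from pathlib import PureWindowsPath

# Constructed sample: lines copied from the HijackThis log above (the running-process
# line plus a selection of F3/O2/O4/O10/O23 entries).
SAMPLE_LOG = """\
C:/PROGRA~1/svhost32.exe
F3 - REG:win.ini: load=C:/PROGRA~1/svhost32.exe
O2 - BHO: AdPopup - {11F09AFD-75AD-4E51-AB43-E09E9351CE16} - C:/Program Files/Common Files/CPUSH/cpush.dll
O2 - BHO: MyIEHelper Class - {16B770A0-0E87-4278-B748-2460D64A8386} - C:/Documents and Settings/All Users/Application Data/Microsoft/IEHelper/IEHelper2006814_4593.dll (file missing)
O2 - BHO: (no name) - {D424FE4E-CAF9-4fdd-BC5F-E6E6B91D53BF} - (no file)
O4 - 启动项HKLM//Run: [CdnCtr] C:/Program Files/CNNIC/Cdn/cdnup.exe
O4 - 启动项HKCU//Run: [msnnt] C:/WINDOWS/winampa.exe
O10 - 未知的文件在 Winsock LSP: c:/windows/system32/cdnns.dll
O23 - NT 服务: Network Logon (NetWorkLogon) - Unknown owner - rundll32.exe (file missing)
"""

# Assumed list of core Windows process names that malware likes to imitate.
SYSTEM_NAMES = ("svchost", "lsass", "csrss", "winlogon", "explorer", "services", "spoolsv")

SECTION_RE = re.compile(r"^(F\d|O\d+) - ")
# First drive-letter path on the line, up to the first executable-looking extension;
# non-greedy, so "C:/.../x.dll (file missing)" stops at ".dll".
PATH_RE = re.compile(r"[A-Za-z]:[\\/].*?\.(?:exe|dll|scr|log|dat)\b", re.I)


def lookalike_of(filename):
    """Return the system name a file name imitates, or None.

    Digits and underscores are stripped first so svhost32.exe compares as 'svhost'.
    An exact match is not a lookalike (it is the real name, possibly in the wrong place).
    The 0.85 similarity threshold is this example's assumption.
    """
    stem = re.sub(r"[\d_]", "", PureWindowsPath(filename).stem.lower())
    for name in SYSTEM_NAMES:
        if stem != name and difflib.SequenceMatcher(None, stem, name).ratio() >= 0.85:
            return name
    return None


def check_line(line):
    """Apply the heuristics to one log line; return the list of reasons it was flagged."""
    reasons = []
    m = SECTION_RE.match(line)
    section = m.group(1) if m else "PROC"  # lines without a code come from the process list
    pm = PATH_RE.search(line)
    path = pm.group(0) if pm else None

    if "(file missing)" in line or "(no file)" in line:
        reasons.append("orphaned entry: the referenced file no longer exists")
    if section == "F3" and "load=" in line:
        reasons.append("win.ini load= is a legacy autostart almost never used by legitimate software")
    if section == "O10":
        reasons.append("unknown Winsock LSP DLL: loaded into the network stack of every process")
    if section == "O23" and "rundll32" in line.lower():
        reasons.append("service hosted through rundll32.exe: the payload is the DLL argument, not the service binary")
    if path:
        parent = str(PureWindowsPath(path).parent).lower()
        if parent == "c:\\windows":
            reasons.append("executable dropped directly into the Windows directory")
        target = lookalike_of(path)
        if target:
            reasons.append(f"file name '{PureWindowsPath(path).name}' is a lookalike of {target}.exe")
    return reasons


def triage(log_text):
    """Return [(line, reasons)] for every non-empty line that triggered at least one heuristic."""
    out = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        reasons = check_line(line)
        if reasons:
            out.append((line, reasons))
    return out


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line)
        for r in reasons:
            print("   ->", r)
```

The heuristics deliberately do not flag the CNNIC and CPUSH entries: nothing in a single HijackThis line distinguishes an unwanted toolbar from a legitimate add-on, which is why the post falls back on per-file scanning for those.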

Stopped and disabled the service Network Logon (NetWorkLogon); its command line is: rundll32.exe KB896475.log,start

C:/WINDOWS/system32>dir KB896475.log
驱动器 C 中的卷没有标签。
卷的序列号是 1013-3AFE

C:/WINDOWS/system32 的目录

2006-09-18 13:41 123,141 KB896475.log
1 个文件 123,141 字节
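The service is started as `rundll32.exe KB896475.log,start`: a DLL hidden under a .log extension, which is why the 123 KB "log" in the dir listing matters. As an added example (not from the original post), this Python script walks a directory tree and reports files carrying a data-style extension whose contents begin with an MZ header pointing at a valid PE signature. The demo tree it builds is constructed: a text log, a synthetic PE header saved as KB896475.log, and the same header saved as readme.exe (a .exe is expected to be a PE image, so it is not reported); the extension list is the example's own assumption.

```python
import os
import struct
import tempfile

# Assumed set of extensions a reader takes for data, not code. A PE image under one of
# these is the pattern the "rundll32.exe KB896475.log,start" service above relies on.
DATA_EXTENSIONS = {".log", ".dat", ".lst", ".txt", ".emm", ".fyf", ".del", ".tmp"}


def is_pe_image(path):
    """True if the file starts with an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    try:
        with open(path, "rb") as f:
            head = f.read(64)
            if len(head) < 64 or head[:2] != b"MZ":
                return False
            (e_lfanew,) = struct.unpack_from("<I", head, 0x3C)
            if e_lfanew < 64 or e_lfanew > 0x1000:  # outside the range a real image uses
                return False
            f.seek(e_lfanew)
            return f.read(4) == b"PE\x00\x00"
    except OSError:
        return False


def find_disguised_executables(root):
    """Walk root and return PE images stored under a data-looking extension, sorted."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            ext = os.path.splitext(name)[1].lower()
            if ext in DATA_EXTENSIONS:
                full = os.path.join(dirpath, name)
                if is_pe_image(full):
                    hits.append(full)
    return sorted(hits)


def build_demo_tree():
    """Create a constructed directory: a real-looking text log, a PE header saved as
    KB896475.log, and the same header saved under the expected .exe extension."""
    root = tempfile.mkdtemp(prefix="disguise-demo-")
    paths = {
        "root": root,
        "text_log": os.path.join(root, "setupapi.log"),
        "pe_log": os.path.join(root, "KB896475.log"),
        "real_exe": os.path.join(root, "readme.exe"),
    }
    with open(paths["text_log"], "wb") as f:
        f.write(b"[SetupAPI Log]\n" * 8)
    # Minimal constructed DOS stub: 'MZ', e_lfanew at 0x3C pointing to 0x80, then 'PE\0\0'.
    header = bytearray(b"MZ" + b"\x00" * 62)
    struct.pack_into("<I", header, 0x3C, 0x80)
    header += b"\x00" * (0x80 - len(header)) + b"PE\x00\x00" + b"\x00" * 20
    for key in ("pe_log", "real_exe"):
        with open(paths[key], "wb") as f:
            f.write(header)
    return paths


if __name__ == "__main__":
    demo = build_demo_tree()
    for hit in find_disguised_executables(demo["root"]):
        print("PE image under a data extension:", hit)
```

Run against C:/WINDOWS/system32 on a suspect machine the same check would have surfaced KB896475.log, and later the .emm and .fyf files under system32/1116 that the Rising scan lists, without depending on any signature.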

Used WinRAR to locate the following files:

C:/PROGRA~1/svhost32.exe (Kaspersky reports it as Trojan-PSW.Win32.Lineage.ahq)
c:/windows/system32/dllwm.dll (Kaspersky reports it as Trojan-PSW.Win32.Lineage.ahq)
c:/windows/system32/TIMPlatforms.exe
c:/windows/system32/KB896475.log (Rising reports it as Trojan.PSW.Lmir.kyo)

STATUS: FINISHED
Complete scanning result of "KB896475.log.del", received in VirusTotal at 09.18.2006, 19:28:23 (CET).

Antivirus Version Update Result
AntiVir 7.2.0.16 09.18.2006 no virus found
Authentium 4.93.8 09.18.2006 no virus found
Avast 4.7.844.0 09.15.2006 Win32:Wow-X
AVG 386 09.18.2006 no virus found
BitDefender 7.2 09.18.2006 no virus found
CAT-QuickHeal 8.00 09.18.2006 no virus found
ClamAV devel-20060426 09.18.2006 no virus found
eTrust-InoculateIT 23.72.127 09.16.2006 no virus found
eTrust-Vet 30.3.3084 09.18.2006 no virus found
DrWeb 4.33 09.18.2006 no virus found
Ewido 4.0 09.18.2006 no virus found
Fortinet 2.82.0.0 09.18.2006 suspicious
F-Prot 3.16f 09.18.2006 Possibly a new variant of W32/Threat-IKNP-based!Maximus
F-Prot4 4.2.1.29 09.18.2006 W32/Threat-IKNP-based!Maximus
Ikarus 0.2.65.0 09.18.2006 Backdoor.Win32.PcClient.GV
Kaspersky 4.0.2.24 09.18.2006 no virus found
McAfee 4854 09.18.2006 no virus found
Microsoft 1.1560 09.17.2006 no virus found
NOD32v2 1.1761 09.18.2006 no virus found
Norman 5.80.02 09.18.2006 no virus found
Panda 9.0.0.4 09.18.2006 Suspicious file
Sophos 4.09.0 09.18.2006 no virus found
Symantec 8.0 09.18.2006 no virus found
TheHacker 6.0.1.071 09.17.2006 no virus found
UNA 1.83 09.18.2006 no virus found
VBA32 3.11.1 09.18.2006 no virus found
VirusBuster 4.3.7:9 09.18.2006 no virus found

Aditional Information
File size: 123141 bytes
MD5: 25ea5d35320afb7a4343bed7e205a25c
SHA1: 3a7a6c51873a60f8e327c2e1da41246c6d8f9f47
Packers: Packed

C:/WINDOWS/system32/DxBho.dll

STATUS: FINISHED
Complete scanning result of "dxbho.dll", received in VirusTotal at 09.18.2006, 18:45:58 (CET).

Antivirus Version Update Result
AntiVir 7.2.0.16 09.18.2006 no virus found
Authentium 4.93.8 09.18.2006 no virus found
Avast 4.7.844.0 09.15.2006 no virus found
AVG 386 09.18.2006 no virus found
BitDefender 7.2 09.18.2006 no virus found
CAT-QuickHeal 8.00 09.18.2006 no virus found
ClamAV devel-20060426 09.18.2006 no virus found
DrWeb 4.33 09.18.2006 no virus found
eTrust-InoculateIT 23.72.127 09.16.2006 no virus found
eTrust-Vet 30.3.3084 09.18.2006 no virus found
Ewido 4.0 09.18.2006 no virus found
Fortinet 2.82.0.0 09.18.2006 no virus found
F-Prot 3.16f 09.18.2006 no virus found
F-Prot4 4.2.1.29 09.18.2006 no virus found
Ikarus 0.2.65.0 09.18.2006 no virus found
Kaspersky 4.0.2.24 09.18.2006 no virus found
McAfee 4854 09.18.2006 no virus found
Microsoft 1.1560 09.17.2006 no virus found
NOD32v2 1.1761 09.18.2006 no virus found
Norman 5.90.23 09.18.2006 no virus found
Panda 9.0.0.4 09.18.2006 no virus found
Sophos 4.09.0 09.18.2006 no virus found
Symantec 8.0 09.18.2006 no virus found
TheHacker 6.0.1.071 09.17.2006 no virus found
UNA 1.83 09.18.2006 no virus found
VBA32 3.11.1 09.18.2006 no virus found
VirusBuster 4.3.7:9 09.18.2006 no virus found

Aditional Information
File size: 234496 bytes
MD5: 721f35dbcd412eb68653092845186048
SHA1: a2bcd6ba5246412323211072909412b9e75fb576
packers: UPX

C:/WINDOWS/system32/IEOPENGL.DLL

STATUS: FINISHED
Complete scanning result of "IEOPENGL.DLL", received in VirusTotal at 09.18.2006, 19:01:37 (CET).

Antivirus Version Update Result
AntiVir 7.2.0.16 09.18.2006 no virus found
Authentium 4.93.8 09.18.2006 no virus found
Avast 4.7.844.0 09.15.2006 no virus found
AVG 386 09.18.2006 no virus found
BitDefender 7.2 09.18.2006 no virus found
CAT-QuickHeal 8.00 09.18.2006 no virus found
ClamAV devel-20060426 09.18.2006 no virus found
DrWeb 4.33 09.18.2006 no virus found
eTrust-InoculateIT 23.72.127 09.16.2006 no virus found
eTrust-Vet 30.3.3084 09.18.2006 no virus found
Ewido 4.0 09.18.2006 no virus found
Fortinet 2.82.0.0 09.18.2006 no virus found
F-Prot 3.16f 09.18.2006 no virus found
F-Prot4 4.2.1.29 09.18.2006 no virus found
Ikarus 0.2.65.0 09.18.2006 no virus found
Kaspersky 4.0.2.24 09.18.2006 no virus found
McAfee 4854 09.18.2006 no virus found
Microsoft 1.1560 09.17.2006 no virus found
NOD32v2 1.1761 09.18.2006 no virus found
Norman 5.90.23 09.18.2006 no virus found
Panda 9.0.0.4 09.18.2006 no virus found
Sophos 4.09.0 09.18.2006 no virus found
Symantec 8.0 09.18.2006 no virus found
TheHacker 6.0.1.071 09.17.2006 no virus found
UNA 1.83 09.18.2006 no virus found
VBA32 3.11.1 09.18.2006 no virus found
VirusBuster 4.3.7:9 09.18.2006 no virus found

Aditional Information
File size: 233984 bytes
MD5: b430c5978fe008802e9d269901ef9980
SHA1: 7884f2469eff2f55d174ff7c5ad338731db54787
packers: UPX
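The three VirusTotal reports above share one flat text layout. As an added example (not the original post's material and not a VirusTotal tool), this Python code parses that layout, separates named detections from heuristic ones ("suspicious", "Possibly a new variant of ..."), notes the packer hint, and verifies a file's MD5/SHA1 against the report so the verdict is known to belong to the bytes you hold. The sample is a trimmed copy of the KB896475.log.del report; the heuristic keywords and the verdict thresholds are the example's own assumptions.

```python
import hashlib
import re

# Constructed sample: the VirusTotal report for KB896475.log.del quoted above,
# trimmed to nine engine lines plus the "Aditional Information" block.
SAMPLE_REPORT = """\
Complete scanning result of "KB896475.log.del", received in VirusTotal at 09.18.2006, 19:28:23 (CET).

Antivirus Version Update Result
AntiVir 7.2.0.16 09.18.2006 no virus found
Avast 4.7.844.0 09.15.2006 Win32:Wow-X
Fortinet 2.82.0.0 09.18.2006 suspicious
F-Prot 3.16f 09.18.2006 Possibly a new variant of W32/Threat-IKNP-based!Maximus
F-Prot4 4.2.1.29 09.18.2006 W32/Threat-IKNP-based!Maximus
Ikarus 0.2.65.0 09.18.2006 Backdoor.Win32.PcClient.GV
Kaspersky 4.0.2.24 09.18.2006 no virus found
Panda 9.0.0.4 09.18.2006 Suspicious file
VirusBuster 4.3.7:9 09.18.2006 no virus found

Aditional Information
File size: 123141 bytes
MD5: 25ea5d35320afb7a4343bed7e205a25c
SHA1: 3a7a6c51873a60f8e327c2e1da41246c6d8f9f47
Packers: Packed
"""

# An engine line is: name, version, update date (MM.DD.YYYY), then the free-text result.
ENGINE_RE = re.compile(r"^(\S+) (\S+) (\d{2}\.\d{2}\.\d{4}) (.+)$")
INFO_RE = re.compile(r"^(File size|MD5|SHA1|Packers):\s*(.+)$", re.I)
# Assumed words that mark a heuristic rather than a named signature hit.
HEURISTIC_WORDS = ("suspicious", "possibly", "heur", "generic")


def parse_report(text):
    """Parse the flat VirusTotal layout into engine results and file metadata."""
    report = {"engines": [], "size": None, "md5": None, "sha1": None, "packers": None}
    for raw in text.splitlines():
        line = raw.strip()
        m = ENGINE_RE.match(line)
        if m:
            name, _version, _update, result = m.groups()
            report["engines"].append((name, result))
            continue
        m = INFO_RE.match(line)
        if m:
            key, value = m.group(1).lower(), m.group(2).strip()
            if key == "file size":
                report["size"] = int(value.split()[0])
            elif key == "packers":
                report["packers"] = value
            else:
                report[key] = value.lower()  # md5 / sha1
    return report


def summarize(report):
    """Count named, heuristic and clean results and record whether a packer was seen."""
    named = heuristic = clean = 0
    for _name, result in report["engines"]:
        low = result.lower()
        if low == "no virus found":
            clean += 1
        elif any(w in low for w in HEURISTIC_WORDS):
            heuristic += 1
        else:
            named += 1
    packers = report["packers"]
    return {
        "engines": len(report["engines"]),
        "named": named,
        "heuristic": heuristic,
        "clean": clean,
        "packed": packers is not None and packers.lower() != "none",
    }


def hashes_match(report, data):
    """True when both the MD5 and the SHA1 in the report match the bytes we hold."""
    return (hashlib.md5(data).hexdigest() == report["md5"]
            and hashlib.sha1(data).hexdigest() == report["sha1"])


def triage_verdict(summary):
    """Assumed rule of thumb: a few named hits with most engines silent is still a hit;
    anything packed or flagged only heuristically is 'unconfirmed', never 'clean'."""
    if summary["named"] >= 3:
        return "malicious"
    if summary["named"] or summary["heuristic"] or summary["packed"]:
        return "unconfirmed"
    return "clean"


if __name__ == "__main__":
    rep = parse_report(SAMPLE_REPORT)
    s = summarize(rep)
    print(s, "->", triage_verdict(s), "size", rep["size"], "md5", rep["md5"])
```

The same parser applied to the DxBho.dll and IEOPENGL.DLL reports yields zero hits but a UPX packer note, so they come out "unconfirmed" rather than "clean", which matches what the post does next: the verdict on those files comes from the later Rising scan, not from the multi-engine result alone.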

C:/WINDOWS/system32/0848/baisoa>dir /s /a
驱动器 C 中的卷没有标签。
卷的序列号是 1013-3AFE

C:/WINDOWS/system32/0848/baisoa 的目录

2006-09-17 13:26 <DIR> .
2006-09-17 13:26 <DIR> ..
2006-09-18 13:40 71 up.dat
2006-09-17 13:26 229 verx.dat
2006-09-08 10:59 12,288 novel.exe
2006-09-15 14:14 20,992 dllhosta.dll
2006-09-17 13:26 <DIR> update
2006-09-17 13:26 69 updatefile.lst
2006-09-17 13:27 0 waitdown.lst
2006-09-17 13:27 90,112 avpa.exe
2006-09-18 13:40 18,432 winampa.exe
2006-09-18 13:40 465 adout.dat
9 个文件 142,658 字节

C:/WINDOWS/system32/0848/baisoa/update 的目录

2006-09-17 13:26 <DIR> .
2006-09-17 13:26 <DIR> ..
2006-09-18 13:40 71 up.dat
2006-09-17 13:26 69 updatefile.lst
2006-09-17 13:27 0 waitdown.lst
2006-09-17 13:26 229 verx.dat
2006-09-17 13:27 90,112 avpa.exe
2006-09-18 13:40 465 adout.dat
2006-09-18 13:40 18,432 winampa.exe
7 个文件 109,378 字节

所列文件总数:
16 个文件 252,036 字节
5 个目录 1,359,462,400 可用字节

Downloaded and ran Rising Antivirus Assistant (瑞星杀毒助手) from http://endurer.ys168.com and scanned C:/ with the Rising online virus scan. The results:

/----------
2006-9-19 4:5:15 瑞星杀毒助手
Windows XP Service Pack 2(5.1.2600)
文件名 病毒名
C:/WINDOWS/system32/spoolsv/spoolsv.exe Trojan.DL.Agent.kij
C:/WINDOWS/system32/msicn/plugins/bm.dll Trojan.Ourxin.e
C:/WINDOWS/system32/msicn/plugins/as.dll Trojan.Ourxin.c
C:/WINDOWS/system32/msicn/msibm.dll Trojan.Spy.Agent.bhs
C:/WINDOWS/system32/1116/ntjdo/ntjcn.emm Trojan.Spy.Agent.bhs
C:/WINDOWS/system32/1116/ntjdo/plugins/cn.emm Trojan.Ourxin.e
C:/WINDOWS/system32/1116/ntjdo/plugins/bt.emm Trojan.Ourxin.c
C:/WINDOWS/system32/1116/tzt/xnqesn.emm Trojan.Ourxin.d
C:/WINDOWS/system32/1116/tqppmtw/tqppmtw.fyf Trojan.DL.Agent.kij
C:/WINDOWS/system32/0848/baisoa/update/winampa.exe>>Unpack Trojan.DL.Agent.ldt
C:/WINDOWS/system32/0848/baisoa/winampa.exe>>Unpack Trojan.DL.Agent.ldt
C:/WINDOWS/system32/wmpdrm.dll Trojan.Ourxin.d
C:/WINDOWS/system32/WinSC.dll Trojan.Clicker.Qhost.i
C:/WINDOWS/system32/WinSC64.dll Trojan.Clicker.Qhost.i
C:/WINDOWS/system32/UpdateModule.dll.del Trojan.Clicker.Agent.ads
C:/WINDOWS/system32/KB896475.log.del>>NsPack Trojan.PSW.Lmir.kyo
C:/WINDOWS/system32/ejjf.dll.del Trojan.DL.Direct.aa
C:/WINDOWS/system32/icif.dll.del Trojan.DL.Direct.aa
C:/WINDOWS/system32/jjbi.dll.del Trojan.DL.Direct.aa
C:/WINDOWS/system32/ijcj.dll.del Trojan.DL.Direct.aa
C:/WINDOWS/101628.exe.del Trojan.DL.ADLoad.ei
C:/WINDOWS/10045_setup.exe.del Trojan.StartPage.bnx

C:/Documents and Settings/All Users/Application Data/Microsoft/Crypto/dffj.exe.del Trojan.Inject.st
C:/Documents and Settings/All Users/Application Data/Tencent/bind_40040.exe Trojan.DL.Agent.lpu
C:/Documents and Settings/All Users/Application Data/Tencent/bind_40017.exe Trojan.DL.Agent.lpu
C:/Documents and Settings/All Users/Application Data/Tencent/setup72.exe Dropper.TiHs.g

C:/Program Files/Common Files/UPDATE2/Update.exe.1 Trojan.DL.QQHelper.efh
C:/Program Files/Windows Media Player/setup_wm.dll Trojan.DL.Agent.aph
C:/Program Files/Internet Explorer/iedw.dll Trojan.DL.Agent.aph
C:/Program Files/Common Files/System/ddcckl.dat Trojan.Inject.st
C:/Program Files/NetMeeting/nmview.dll Trojan.Agent.dte
C:/Program Files/NetMeeting/conf.dll Trojan.Agent.dte
C:/Program Files/xerox/fcbzc.exe Trojan.Inject.st
C:/Program Files/CNNIC/iebar_v2.exe Trojan.DL.QQHelper.eo

C:/nxldr.dat>>NsPack Trojan.PSW.Lmir.kyo
----------/

After packing the files into a backup archive, removed them with Rising Antivirus Assistant.

Closed all browser and folder windows, then scanned with HijackThis and fixed the items listed above.

Emptied the IE temporary files folder.

Emptied c:/Documents and Settings/user/Local Settings/temp (where user is the user name).

Emptied c:/windows/temp.
