Encountering auto.exe, Hack.ArpCheater.a (ARP spoofing tool), Trojan.PSW.ZhengTu and others (1)
Original by endurer
2007-07-23, 1st edition
A netizen said his computer blue-screened while he was using it last night. Just now, after he switched it on and reached the desktop, a dialog popped up reporting an error in explorer.exe; after he clicked OK the taskbar vanished on its own, and the antivirus monitor was nowhere to be seen... He asked me to help through QQ remote assistance.
I had pe_xscan downloaded and run, then analyzed the log; the following suspicious items turned up (the process/module section is abridged):
/===
pe_xscan 07-07-21 by Purple Endurer
2007-7-22 20:27:50
Windows XP Service Pack 2(5.1.2600)
管理员用户组
[System Process] * 0
C:/Program Files/Internet Explorer/msvcrt.dll | 2007-7-22 16:51:6 | Microsoft Windows Operating System | 6.00.2900.3028 | Microsoft Corporation Windows DLL | Copyright (C) 2001.01 | 1. 0. 0. 1 | Microsoft Corporation| ? | Windows.dll | Windows.dll
C:/WINDOWS/system32/svchost.exe * 724 | 2004-8-23 16:0:0 | Microsoft? Windows? Operating System | 5.1.2600.2180 | Generic Host Process for Win32 Services | ? Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | svchost.exe | svchost.exe
C:/Program Files/Internet Explorer/msvcrt.dll | 2007-7-22 16:51:6 | Microsoft Windows Operating System | 6.00.2900.3028 | Microsoft Corporation Windows DLL | Copyright (C) 2001.01 | 1. 0. 0. 1 | Microsoft Corporation| ? | Windows.dll | Windows.dll
C:/WINDOWS/system32/ctfmon.exe * 936 | 2004-8-23 16:0:0 | Microsoft? Windows? Operating System | 5.1.2600.2180 | CTF Loader | ? Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | CTFMON | CTFMON.EXE
C:/Program Files/Internet Explorer/msvcrt.dll | 2007-7-22 16:51:6 | Microsoft Windows Operating System | 6.00.2900.3028 | Microsoft Corporation Windows DLL | Copyright (C) 2001.01 | 1. 0. 0. 1 | Microsoft Corporation| ? | Windows.dll | Windows.dll
C:/WINDOWS/system32/conime.exe * 908 | 2004-8-23 16:0:0 | Microsoft? Windows? Operating System | 5.1.2600.2180 | Console IME | ? Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | Console | CONIME.EXE
C:/Program Files/Internet Explorer/msvcrt.dll | 2007-7-22 16:51:6 | Microsoft Windows Operating System | 6.00.2900.3028 | Microsoft Corporation Windows DLL | Copyright (C) 2001.01 | 1. 0. 0. 1 | Microsoft Corporation| ? | Windows.dll | Windows.dll
C:/WINDOWS/explorer.exe * 3228 | 2004-8-23 16:0:0 | Microsoft(R) Windows(R) Operating System | 6.00.2900.2180 | Windows Explorer | (C) Microsoft Corporation. All rights reserved. | 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | explorer | EXPLORER.EXE
C:/Program Files/Internet Explorer/msvcrt.dll | 2007-7-22 16:51:6 | Microsoft Windows Operating System | 6.00.2900.3028 | Microsoft Corporation Windows DLL | Copyright (C) 2001.01 | 1. 0. 0. 1 | Microsoft Corporation| ? | Windows.dll | Windows.dll
C:/Program Files/Common Files/Relive.dll | 2007-7-22 16:51:6 | Microsoft Windows Operating System | 6.00.2900.3028 | Microsoft Corporation Windows DLL | Copyright (C) 2001.01 | 1. 0. 0. 1 | Microsoft Corporation| ? | Windows.dll | Windows.dll
C:/WINDOWS/system32/AlxTB1.dll | 2005-4-14 4:9:8 | AlxTB Module | 1, 0, 0, 1 | AlxTB Module | Copyright 2000-2003 | 7, 0, 1, 57 | Alexa Internet | | AlxTB | AlxTB.DLL
C:/Program Files/Internet Explorer/msvcrt.bak * 2236 | 2007-7-19 15:27:26
C:/Program Files/Internet Explorer/msvcrt.bak | 2007-7-19 15:27:26
C:/Program Files/Internet Explorer/msvcrt.dll | 2007-7-22 16:51:6 | Microsoft Windows Operating System | 6.00.2900.3028 | Microsoft Corporation Windows DLL | Copyright (C) 2001.01 | 1. 0. 0. 1 | Microsoft Corporation| ? | Windows.dll | Windows.dll
C:/WINDOWS/system32/cmd.exe * 876 | 2004-8-23 16:0:0 | Microsoft(R) Windows(R) Operating System | 5.1.2600.2180 | Windows Command Processor | (C) Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | cmd | Cmd.Exe
C:/Program Files/Internet Explorer/msvcrt.dll | 2007-7-22 16:51:6 | Microsoft Windows Operating System | 6.00.2900.3028 | Microsoft Corporation Windows DLL | Copyright (C) 2001.01 | 1. 0. 0. 1 | Microsoft Corporation| ? | Windows.dll | Windows.dll
C:/WINDOWS/system32/drivers/smss.exe * 3464 | 2007-7-18 19:57:56
O2 - BHO - {D3626E66-B13B-C628-ACDF-BDABCFA265E1} - C:/Program Files/Common Files/Relive.dll
O2 - BHO - {D7515C61-A66C-4319-A0E0-D416CB8059E3} - C:/Program Files/Common Files/Relive.dll
O2 - BHO - {E3616E66-C13B-2628-2CDF-EDABCFA235E1} - C:/Program Files/Common Files/Relive.dll
O2 - BHO AlxTB BHO Class - {F1FABE79-25FC-46de-8C5A-2C6DB9D64333} - C:/WINDOWS/system32/AlxTB1.dll
O4 - HKLM/../Run: [wosa] C:/DOCUME~1/user/LOCALS~1/Temp/woso.exe
O4 - HKLM/../Run: [ztsa] C:/DOCUME~1/user/LOCALS~1/Temp/ztso.exe
O4 - HKLM/../Run: [mhsa] C:/DOCUME~1/user/LOCALS~1/Temp/mhso.exe
O4 - HKLM/../Run: [fysa] C:/DOCUME~1/user/LOCALS~1/Temp/fyso.exe
O4 - HKLM/../Run: [jtsa] C:/DOCUME~1/user/LOCALS~1/Temp/jtso.exe
O4 - HKLM/../Run: [wlsa] C:/DOCUME~1/user/LOCALS~1/Temp/wlso.exe
O4 - HKLM/../Run: [wgsa] C:/DOCUME~1/user/LOCALS~1/Temp/wgso.exe
O4 - HKLM/../Run: [wmsa] C:/DOCUME~1/user/LOCALS~1/Temp/wmso.exe
O4 - HKLM/../Run: [qjsa] C:/DOCUME~1/user/LOCALS~1/Temp/qjso.exe
O4 - HKLM/../Run: [rxsa] C:/DOCUME~1/user/LOCALS~1/Temp/rxso.exe
O4 - HKLM/../Run: [wdsa] C:/DOCUME~1/user/LOCALS~1/Temp/wdso.exe
O4 - HKLM/../Run: [tlsa] C:/DOCUME~1/user/LOCALS~1/Temp/tlso.exe
O4 - HKLM/../Run: [dasa] C:/DOCUME~1/user/LOCALS~1/Temp/daso.exe
O4 - HKLM/../Run: [zxsa] C:/DOCUME~1/user/LOCALS~1/Temp/zxso.exe
O4 - HKLM/../Policies/Explorer/Run: [visin] C:/WINDOWS/system32/visin.exe
C:/autorun.inf
/-----
[autorun]
open=auto.exe
shell/open=打开(&O)
shell/open/Command=auto.exe
hell/explore=资源管理器(&X)
shell/explore/Command="auto.exe"
-----/
D:/autorun.inf
/-----
[autorun]
open=auto.exe
shell/open=打开(&O)
shell/open/Command=auto.exe
hell/explore=资源管理器(&X)
shell/explore/Command="auto.exe"
-----/
O8 - IE右键菜单附加项 : Alexa Web Search - http://client.alexa.com/holiday/script/actions/search.htm
O8 - IE右键菜单附加项 : Get Alexa Data - http://client.alexa.com/holiday/script/actions/sitedata.htm
O8 - IE右键菜单附加项 : Mail to a Friend... - http://client.alexa.com/holiday/script/actions/mailto.htm
O8 - IE右键菜单附加项 : See Related Links - http://client.alexa.com/holiday/script/actions/related.htm
O8 - IE右键菜单附加项 : Write a Review... - http://client.alexa.com/holiday/script/actions/review.htm
O11 - IE扩展选项组:TBH (中文搜搜) =
O23 - 服务: WindowsDown (Windows_SystemDown) - C:/WINDOWS/system32/servet.exe | 2007-7-22 16:23:22(自动)
O23 - 服务: WS2IFSL (Windows 套接字 2 .0 Non-IFS 服务提供程序支持环境) - C:/WINDOWS/System32/drivers/ws2ifsl.sys | 2004-8-23 16:0:0 | Microsoft? Windows? Operating System | 5.1.2600.0 | Winsock2 IFS Layer | ? Microsoft Corporation. All rights reserved. | 5.1.2600.0 (xpclient.010817-1148) | Microsoft Corporation| ? | ws2ifsl.sys | ws2ifsl.sys(禁用)
O24 - ShlExecHook: [] - {03F6E661-0D5F-3FAD-3E2B-E261E3CB6CD2} = C:/Program Files/Internet Explorer/PLUGINS/HiJack.dll
O24 - ShlExecHook: [] - {0EA12C16-CDEF-6AC1-236E-CD3FE82F5213} = C:/Program Files/Internet Explorer/msvcrt.dll
O24 - ShlExecHook: [] - {05AD2E16-C6EF-6AC1-136A-CE3FD8EF5613} = C:/Program Files/Internet Explorer/msvcrt.dll
O24 - ShlExecHook: [] - {0FAD2E16-C8EF-5AC1-1E6A-AE3FD8EF56B3} = C:/Program Files/Internet Explorer/msvcrt.dll
O25 - InsCom: {11716107-A10D-11cf-64CD-11115FE1CF41} = C:/WINDOWS/system32/nwizzhuxians.exe
HKLM/SHOWALL 值非1
===/
Most of these I have run into before~
The cleanup process is left for the next installment~
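As an added example (not part of endurer's post, and not pe_xscan's own code), the script below applies the kind of checks a responder makes by eye when reading a log like the one above: a core process name running from the wrong directory (the smss.exe under system32/drivers), a system DLL name loaded from an application folder whose version info does not match its file name (the msvcrt.dll under Internet Explorer), Run entries pointing into a Temp directory, the Policies/Explorer/Run autostart, ShlExecHook registrations, binaries with no version information, and the SHOWALL value being tampered with. The sample log is a constructed excerpt of lines copied from the log above; the rule names, the expected-directory table and the assumption that pe_xscan prints pipe-separated columns (path, timestamp, then version-info fields ending with the original file name) are this example's own.

```python
"""Triage heuristics for a pe_xscan-style scan log (added example, not pe_xscan code)."""
import re

SYSTEM32 = "c:/windows/system32"
# Where each core Windows process is expected to live (assumption: XP-era layout).
CORE_PROCESSES = {
    "smss.exe": SYSTEM32, "csrss.exe": SYSTEM32, "winlogon.exe": SYSTEM32,
    "services.exe": SYSTEM32, "lsass.exe": SYSTEM32, "svchost.exe": SYSTEM32,
    "ctfmon.exe": SYSTEM32, "explorer.exe": "c:/windows",
}
# System DLL names that should never be loaded from an application directory.
SYSTEM_DLLS = {"msvcrt.dll", "kernel32.dll", "ntdll.dll", "user32.dll", "ws2_32.dll"}

# Constructed excerpt: lines copied from the log in the post; the first one is clean.
SAMPLE_LOG = """\
C:/WINDOWS/system32/svchost.exe * 724 | 2004-8-23 16:0:0 | Microsoft? Windows? Operating System | 5.1.2600.2180 | Generic Host Process for Win32 Services | ? Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | svchost.exe | svchost.exe
C:/Program Files/Internet Explorer/msvcrt.dll | 2007-7-22 16:51:6 | Microsoft Windows Operating System | 6.00.2900.3028 | Microsoft Corporation Windows DLL | Copyright (C) 2001.01 | 1. 0. 0. 1 | Microsoft Corporation| ? | Windows.dll | Windows.dll
C:/WINDOWS/system32/drivers/smss.exe * 3464 | 2007-7-18 19:57:56
O4 - HKLM/../Run: [wosa] C:/DOCUME~1/user/LOCALS~1/Temp/woso.exe
O4 - HKLM/../Policies/Explorer/Run: [visin] C:/WINDOWS/system32/visin.exe
O23 - 服务: WindowsDown (Windows_SystemDown) - C:/WINDOWS/system32/servet.exe | 2007-7-22 16:23:22(自动)
O24 - ShlExecHook: [] - {03F6E661-0D5F-3FAD-3E2B-E261E3CB6CD2} = C:/Program Files/Internet Explorer/PLUGINS/HiJack.dll
HKLM/SHOWALL 值非1
"""


def extract_path(line):
    """Return the drive path named in a log line, minus any '* <pid>' suffix, or None."""
    first = line.split("|", 1)[0]
    m = re.search(r"[A-Za-z]:/.*", first)
    if not m:
        return None
    return re.sub(r"\s*\*\s*\d+\s*$", "", m.group(0)).strip().strip('"')


def triage_line(line):
    """Return the list of reasons a single log line deserves a closer look."""
    reasons = []
    fields = [f.strip() for f in line.split("|")]  # assumed pe_xscan column layout
    path = extract_path(line)
    low = path.lower() if path else ""
    base = low.rsplit("/", 1)[-1]
    parent = low.rsplit("/", 1)[0] if "/" in low else ""

    if line.startswith("HKLM/SHOWALL"):
        reasons.append("hidden-file display setting (SHOWALL) tampered with")
    if line.startswith("O24 - ShlExecHook"):
        reasons.append("shell execute hook registered (rarely legitimate)")
    if line.startswith("O4 ") and "policies/explorer/run" in line.lower():
        reasons.append("autostart via Policies/Explorer/Run")
    if line.startswith("O4 ") and "/temp/" in low:
        reasons.append("autostart binary located in a Temp directory")
    if base in CORE_PROCESSES and parent != CORE_PROCESSES[base]:
        reasons.append(f"core process name {base} outside {CORE_PROCESSES[base]}")
    if base in SYSTEM_DLLS and parent != SYSTEM32:
        reasons.append(f"system DLL name {base} loaded from {parent}")
    # Last version-info column is the original file name; a mismatch means the
    # file's embedded version resource was not built for the name it now carries.
    if len(fields) >= 11 and fields[-1].lower() != base:
        reasons.append(f"version-info original name {fields[-1]!r} != {base}")
    # Only a path and a timestamp: the binary carries no version resource at all.
    if path and len(fields) == 2 and re.match(r"\d{4}-\d{1,2}-\d{1,2}", fields[1]):
        reasons.append("binary carries no version information")
    return reasons


def triage_log(text):
    """Return [(line, reasons)] for every non-empty line that triggered a rule."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        reasons = triage_line(line)
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for line, reasons in triage_log(SAMPLE_LOG):
        print(line[:70])
        for r in reasons:
            print("    ->", r)
```

Run against the full log from the post, the same rules would also flag the msvcrt.bak entries (no version information) and the ws2ifsl.sys service as clean, which is the split a responder wants: spend time on the oddities, not on the Microsoft-signed rows.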