Encounter with Trojan-Spy.Win32.Delf.uv, Trojan.PSW.Win32.XYOnline, Trojan.PSW.Win32.ZhengTu and others (Part 1)

Original by endurer

2007-08-14, 1st edition

Last night a netizen told me his computer was infected: Kingsoft AntiVirus (金山毒霸) kept popping up alerts that it had found the virus WinForm2.dll, and after the machine had been running for a while a countdown-to-shutdown dialog would appear. He asked me to help over QQ remote assistance.

I had him restart into Safe Mode with Networking. The countdown shutdown dialog appeared as soon as the connection came up; I stopped it with the shutdown -a command.

I downloaded pe_xscan, ran a scan, and analysed the log. The following suspicious items turned up:

/===
pe_xscan 07-07-24 by Purple Endurer
2007-8-13 21:49:9
Windows XP Service Pack 2(5.1.2600)
Administrators group
[System Process] * 0
C:/Program Files/Internet Explorer/PLUGINS/WinSys64.Sys | 2007-8-13 15:31:54
C:/WINDOWS/system32/jhapri.dll | 2004-8-4 15:31:54
C:/WINDOWS/system32/zxgpri.dll | 2004-8-4 15:31:54
C:/WINDOWS/system32/qjepri.dll | 2004-8-4 15:31:54
C:/WINDOWS/system32/ztmpri.dll | 2004-8-4 15:31:54
C:/WINDOWS/system32/qhcpri.dll | 2004-8-4 15:31:53
C:/WINDOWS/system32/jzgpri.dll | 2004-8-4 15:31:53
C:/WINDOWS/system32/xyhpri.dll | 2004-8-4 15:31:53
C:/WINDOWS/system32/WinForm2.dll | 2004-8-4 17:2:50
C:/WINDOWS/system32/winlogon.exe * 452 | 2005-5-2 4:30:0 | Microsoft(R) Windows(R) Operating System | 5.1.2600.2180 | Windows NT Logon Application | (C) Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | winlogon | WINLOGON.EXE
C:/WINDOWS/system32/WinForm2.dll | 2004-8-4 17:2:50
C:/WINDOWS/system32/lsass.exe * 512 | 2005-5-2 4:30:0 | Microsoft® Windows® Operating System | 5.1.2600.2180 | LSA Shell (Export Version) | © Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | lsass.exe | lsass.exe
C:/WINDOWS/system32/WinForm2.dll | 2004-8-4 17:2:50
C:/WINDOWS/system32/svchost.exe * 660 | 2005-5-2 4:30:0 | Microsoft® Windows® Operating System | 5.1.2600.2180 | Generic Host Process for Win32 Services | © Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | svchost.exe | svchost.exe
C:/WINDOWS/system32/WinForm2.dll | 2004-8-4 17:2:50
C:/WINDOWS/Explorer.EXE * 1456 | 2005-5-2 4:30:0 | Microsoft(R) Windows(R) Operating System | 6.00.2900.2180 | Windows Explorer | (C) Microsoft Corporation. All rights reserved. | 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | explorer | EXPLORER.EXE
C:/WINDOWS/system32/WinForm2.dll | 2004-8-4 17:2:50
C:/WINDOWS/system32/xyhpri.dll | 2004-8-4 15:31:53
C:/WINDOWS/system32/jzgpri.dll | 2004-8-4 15:31:53
C:/WINDOWS/system32/qhcpri.dll | 2004-8-4 15:31:53
C:/WINDOWS/system32/ztmpri.dll | 2004-8-4 15:31:54
C:/WINDOWS/system32/qjepri.dll | 2004-8-4 15:31:54
C:/WINDOWS/system32/zxgpri.dll | 2004-8-4 15:31:54
C:/WINDOWS/system32/jhapri.dll | 2004-8-4 15:31:54
C:/Program Files/Internet Explorer/PLUGINS/WinSys64.Sys | 2007-8-13 15:31:54
C:/KAV2007/KAV32.EXE * 1968 | 2001-8-3 9:18:3 | Kingsoft Internet Security | 7, 6, 0, 19 | Kingsoft AntiVirus | Copyright (C) 2000 - 2007 Kingsoft Corporation. All rights reserved. | 2007, 7, 23, 229 | Kingsoft Corporation | Kingsoft | KAV32 | KAV32.EXE
C:/WINDOWS/system32/WinForm2.dll | 2004-8-4 17:2:50
C:/WINDOWS/system32/xyhpri.dll | 2004-8-4 15:31:53
C:/WINDOWS/system32/jzgpri.dll | 2004-8-4 15:31:53
C:/WINDOWS/system32/qhcpri.dll | 2004-8-4 15:31:53
C:/WINDOWS/system32/ztmpri.dll | 2004-8-4 15:31:54
C:/WINDOWS/system32/qjepri.dll | 2004-8-4 15:31:54
C:/WINDOWS/system32/zxgpri.dll | 2004-8-4 15:31:54
C:/WINDOWS/system32/jhapri.dll | 2004-8-4 15:31:54
C:/Program Files/Internet Explorer/PLUGINS/WinSys64.Sys | 2007-8-13 15:31:54
C:/WINDOWS/system32/conime.exe * 812 | 2005-5-2 4:30:0 | Microsoft® Windows® Operating System | 5.1.2600.2180 | Console IME | © Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | Console | CONIME.EXE
C:/Program Files/Internet Explorer/PLUGINS/WinSys64.Sys | 2007-8-13 15:31:54
C:/WINDOWS/system32/jhapri.dll | 2004-8-4 15:31:54
C:/WINDOWS/system32/zxgpri.dll | 2004-8-4 15:31:54
C:/WINDOWS/system32/qjepri.dll | 2004-8-4 15:31:54
C:/WINDOWS/system32/ztmpri.dll | 2004-8-4 15:31:54
C:/WINDOWS/system32/qhcpri.dll | 2004-8-4 15:31:53
C:/WINDOWS/system32/jzgpri.dll | 2004-8-4 15:31:53
C:/WINDOWS/system32/xyhpri.dll | 2004-8-4 15:31:53
C:/WINDOWS/system32/xyhins.exe * 980 | 2007-8-11 22:48:14
C:/WINDOWS/system32/WinForm2.dll | 2004-8-4 17:2:50
C:/WINDOWS/system32/xyhpri.dll | 2004-8-4 15:31:53
C:/WINDOWS/system32/jzgins.exe * 1092 | 2007-8-11 15:12:30
C:/WINDOWS/system32/WinForm2.dll | 2004-8-4 17:2:50
C:/WINDOWS/system32/jzgpri.dll | 2004-8-4 15:31:53
C:/WINDOWS/system32/qhcins.exe * 504 | 2007-8-11 22:24:24
C:/WINDOWS/system32/WinForm2.dll | 2004-8-4 17:2:50
C:/WINDOWS/system32/qhcpri.dll | 2004-8-4 15:31:53
C:/WINDOWS/system32/ztmins.exe * 1320 | 2007-8-12 15:22:34
C:/WINDOWS/system32/WinForm2.dll | 2004-8-4 17:2:50
C:/WINDOWS/system32/ztmpri.dll | 2004-8-4 15:31:54
C:/WINDOWS/system32/qjeins.exe * 1372 | 2007-8-12 19:47:24
C:/WINDOWS/system32/jzgpri.dll | 2004-8-4 15:31:53
C:/WINDOWS/system32/qjepri.dll | 2004-8-4 15:31:54
C:/WINDOWS/system32/zxgins.exe * 920 | 2007-8-12 20:6:8
C:/WINDOWS/system32/qhcpri.dll | 2004-8-4 15:31:53
C:/WINDOWS/system32/zxgpri.dll | 2004-8-4 15:31:54
C:/WINDOWS/system32/jhains.exe * 1528 | 2007-8-12 20:3:30
C:/WINDOWS/system32/jzgpri.dll | 2004-8-4 15:31:53
C:/WINDOWS/system32/jhapri.dll | 2004-8-4 15:31:54
C:/WINDOWS/system32/ctfmon.exe * 164 | 2005-5-2 4:30:0 | Microsoft® Windows® Operating System | 5.1.2600.2180 | CTF Loader | © Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | CTFMON | CTFMON.EXE
C:/WINDOWS/system32/WinForm2.dll | 2004-8-4 17:2:50
C:/Program Files/Internet Explorer/PLUGINS/WinSys64.Sys | 2007-8-13 15:31:54
C:/WINDOWS/system32/jhapri.dll | 2004-8-4 15:31:54
C:/WINDOWS/system32/zxgpri.dll | 2004-8-4 15:31:54
C:/WINDOWS/system32/qjepri.dll | 2004-8-4 15:31:54
C:/WINDOWS/system32/ztmpri.dll | 2004-8-4 15:31:54
C:/WINDOWS/system32/qhcpri.dll | 2004-8-4 15:31:53
C:/WINDOWS/system32/jzgpri.dll | 2004-8-4 15:31:53
C:/WINDOWS/system32/xyhpri.dll | 2004-8-4 15:31:53
C:/Program Files/Internet Explorer/iexplore.exe * 1536 | 2005-5-2 4:30:0 | Microsoft(R) Windows(R) Operating System | 6.00.2900.2180 | Internet Explorer | (C) Microsoft Corporation. All rights reserved. | 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | iexplore | IEXPLORE.EXE
C:/WINDOWS/system32/zxgpri.dll | 2004-8-4 15:31:54
C:/Program Files/Internet Explorer/PLUGINS/WinSys64.Sys | 2007-8-13 15:31:54
C:/WINDOWS/system32/jhapri.dll | 2004-8-4 15:31:54
C:/WINDOWS/system32/qjepri.dll | 2004-8-4 15:31:54
C:/WINDOWS/system32/ztmpri.dll | 2004-8-4 15:31:54
C:/WINDOWS/system32/qhcpri.dll | 2004-8-4 15:31:53
C:/WINDOWS/system32/jzgpri.dll | 2004-8-4 15:31:53
C:/WINDOWS/system32/xyhpri.dll | 2004-8-4 15:31:53
C:/WINDOWS/system32/WinForm2.dll | 2004-8-4 17:2:50

F2 - REG: system.ini: UserInit=C:/WINDOWS/system32/Userinit.exe

O4 - HKCU/../Run: [blin] "C:/Documents and Settings/h/blin/blin.exe" -background 1
C:/autorun.inf
/-----
[autorun]
open=auto.exe
shell/open=打开(&O)
shell/open/Command=auto.exe
hell/explore=资源管理器(&X)
shell/explore/Command="auto.exe"
-----/
D:/autorun.inf
/-----
[autorun]
open=auto.exe
shell/open=打开(&O)
shell/open/Command=auto.exe
hell/explore=资源管理器(&X)
shell/explore/Command="auto.exe"
-----/
E:/autorun.inf
/-----
[autorun]
open=auto.exe
shell/open=打开(&O)
shell/open/Command=auto.exe
hell/explore=资源管理器(&X)
shell/explore/Command="auto.exe"
-----/
F:/autorun.inf
/-----
[autorun]
open=auto.exe
shell/open=打开(&O)
shell/open/Command=auto.exe
hell/explore=资源管理器(&X)
shell/explore/Command="auto.exe"
-----/

O23 - Service: 46427F5F (46427F5F) - C:/WINDOWS/system32/61611F9E.EXE -46427F5F (Auto)
O23 - Service: BB7005AC (BB7005AC) - C:/WINDOWS/system32/1CC3706C.EXE -k (Auto)
O23 - Service: dmmuykip (dmmuykip) - System32/DRIVERS/dmmuykip.sys| ? | 1.6.9.1084| ?| ? | 1.8.0.1096 | Yahoo! China Corporation| ?| ?| ? (Boot)
O23 - Service: NPF (Netgroup Packet Filter) - system32/drivers/npf.sys | WinPcap Netgroup Packet Filter Driver | 3, 1, 0, 27 | npf | Copyright © 2005 CACE Technologies. Copyright © 2003-2005 NetGroup, Politecnico di Torino. | 3, 1, 0, 27 | CACE Technologies | | NPF + TME | npf.sys (Manual)

O24 - ShlExecHook: [] - {40117B96-998D-4D80-8F89-5E9DBD9F3460} = C:/Program Files/Internet Explorer/PLUGINS/WinSys64.Sys
O24 - ShlExecHook: [8] - {813AF41A-21B1-131B-1BFC-D2A90DF4A2B8} = C:/WINDOWS/system32/WinForm2.dll
O24 - ShlExecHook: [WindowsVista] - {3495D328-661A-4FB0-BA67-8ACDD1704D1E} = C:/WINDOWS/system32/temp[3].dll
O24 - ShlExecHook: [9] - {913AF41A-21B1-131B-1BFC-D2A90DF4A2B9} = C:/WINDOWS/system32/xyhpri.dll
O24 - ShlExecHook: [7] - {759AFD5B-159F-ACD8-954C-ACD545FA6587} = C:/WINDOWS/system32/jzgpri.dll
O24 - ShlExecHook: [3] - {36368135-64FA-BC34-DA32-DCF4FD431C93} = C:/WINDOWS/system32/qhcpri.dll
O24 - ShlExecHook: [D] - {D1351752-5628-1547-FFAB-BADC13512AFD} = C:/WINDOWS/system32/ztmpri.dll
O24 - ShlExecHook: [5] - {54123FF1-8371-9834-9021-184518451FA5} = C:/WINDOWS/system32/qjepri.dll
O24 - ShlExecHook: [7] - {7A65498A-7653-9801-1647-987114AB7F47} = C:/WINDOWS/system32/zxgpri.dll
O24 - ShlExecHook: [2] - {252D2432-37A2-324F-2A54-21BF5CF2F1A2} = C:/WINDOWS/system32/jhapri.dll

HKLM/SHOWALL value is not 1
===/

The malware registers Shell Execute Hooks (O24), which is why it still started in Safe Mode...
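The pattern the listing above shows by eye (the same DLLs inside winlogon.exe, lsass.exe, svchost.exe, Explorer and each xxxins.exe, and the same DLLs registered under O24) can be checked mechanically. The Python below is an added example written for this post, not code from the original article or from pe_xscan: it parses process/module lines and O24 lines in the log's format, reports every module registered as a ShellExecuteHook together with the processes it was found in, marks hook DLLs that also sit in processes with no reason to call ShellExecute (lsass.exe, winlogon.exe), which the hook mechanism alone does not explain, and lists processes that carry no version resource, as xyhins.exe and its siblings do here. The sample log is a constructed, shortened excerpt of the listing above; the msv1_0.dll line is constructed padding to show a module that does not get reported.

```python
"""Triage a pe_xscan-style listing: module spread across processes, O24
ShellExecuteHook registrations, and processes lacking a version resource.
Added example, not part of the original post and not pe_xscan's own code."""
import re
from collections import defaultdict

TS = r"\d{4}-\d{1,2}-\d{1,2} \d{1,2}:\d{1,2}:\d{1,2}"
# "<image> * <pid> | <file time> | <version info...>"; time and version info may be absent
PROC_RE = re.compile(rf"^(?P<path>.+?) \* (?P<pid>\d+)(?: \| (?P<ts>{TS}))?(?: \| (?P<verinfo>.*))?$")
# "<module path> | <file time>"; module lines carry nothing after the time
MOD_RE = re.compile(rf"^(?P<path>.+?) \| (?P<ts>{TS})$")
# "O24 - ShlExecHook: [<name>] - {<CLSID>} = <dll path>"
HOOK_RE = re.compile(r"^O24 - ShlExecHook: \[(?P<name>[^\]]*)\] - \{(?P<clsid>[0-9A-Fa-f-]+)\} = (?P<path>.+)$")

# Constructed excerpt modelled on the listing in the post (version fields shortened);
# the msv1_0.dll line is constructed padding to show a module that is NOT reported.
SAMPLE_LOG = """\
C:/WINDOWS/system32/winlogon.exe * 452 | 2005-5-2 4:30:0 | Microsoft(R) Windows(R) Operating System | 5.1.2600.2180
C:/WINDOWS/system32/msv1_0.dll | 2005-5-2 4:30:0
C:/WINDOWS/system32/WinForm2.dll | 2004-8-4 17:2:50
C:/WINDOWS/system32/lsass.exe * 512 | 2005-5-2 4:30:0 | Microsoft(R) Windows(R) Operating System | 5.1.2600.2180
C:/WINDOWS/system32/WinForm2.dll | 2004-8-4 17:2:50
C:/WINDOWS/Explorer.EXE * 1456 | 2005-5-2 4:30:0 | Microsoft(R) Windows(R) Operating System | 6.00.2900.2180
C:/WINDOWS/system32/WinForm2.dll | 2004-8-4 17:2:50
C:/WINDOWS/system32/xyhpri.dll | 2004-8-4 15:31:53
C:/Program Files/Internet Explorer/PLUGINS/WinSys64.Sys | 2007-8-13 15:31:54
C:/WINDOWS/system32/xyhins.exe * 980 | 2007-8-11 22:48:14
C:/WINDOWS/system32/WinForm2.dll | 2004-8-4 17:2:50
C:/WINDOWS/system32/xyhpri.dll | 2004-8-4 15:31:53

O24 - ShlExecHook: [] - {40117B96-998D-4D80-8F89-5E9DBD9F3460} = C:/Program Files/Internet Explorer/PLUGINS/WinSys64.Sys
O24 - ShlExecHook: [8] - {813AF41A-21B1-131B-1BFC-D2A90DF4A2B8} = C:/WINDOWS/system32/WinForm2.dll
O24 - ShlExecHook: [9] - {913AF41A-21B1-131B-1BFC-D2A90DF4A2B9} = C:/WINDOWS/system32/xyhpri.dll
"""


def image_name(path):
    """Lower-cased file name of a path written with either slash style."""
    return re.split(r"[\\/]", path)[-1].lower()


def parse_log(text):
    """Return ({pid: {path, ts, verinfo, modules:[(path, ts)]}}, {dll_path_lower: clsid}).
    PROC_RE is tried first: a process line without version info would otherwise
    also satisfy MOD_RE."""
    procs, hooks, cur = {}, {}, None
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        if (m := PROC_RE.match(line)):
            cur = {"path": m["path"], "ts": m["ts"], "verinfo": m["verinfo"] or "", "modules": []}
            procs[int(m["pid"])] = cur
        elif (m := HOOK_RE.match(line)):
            hooks[m["path"].lower()] = m["clsid"]
        elif (m := MOD_RE.match(line)) and cur is not None:
            cur["modules"].append((m["path"], m["ts"]))
    return procs, hooks


def module_spread(procs):
    """Map each module path (lower-cased) to the set of image names that loaded it."""
    spread = defaultdict(set)
    for p in procs.values():
        for mod_path, _ in p["modules"]:
            spread[mod_path.lower()].add(image_name(p["path"]))
    return spread


def triage(text, min_procs=3, shell_callers=("explorer.exe", "iexplore.exe")):
    """Findings: hooked or widely loaded modules, plus processes without version info."""
    procs, hooks = parse_log(text)
    spread = module_spread(procs)
    findings = []
    for mod, names in sorted(spread.items()):
        clsid = hooks.get(mod)
        if clsid is None and len(names) < min_procs:
            continue
        # A ShellExecuteHook is pulled in by whichever process calls ShellExecute(Ex);
        # finding it in lsass.exe or winlogon.exe means it got there some other way.
        outside = sorted(n for n in names if n not in shell_callers) if clsid else []
        findings.append({"module": mod, "loaded_in": sorted(names), "hook_clsid": clsid,
                         "hook_loaded_outside_shell": outside})
    for pid, p in sorted(procs.items()):
        if p["ts"] and not p["verinfo"]:  # OS and vendor binaries carry a version resource
            hooked = sorted(m.lower() for m, _ in p["modules"] if m.lower() in hooks)
            findings.append({"process": p["path"], "pid": pid, "file_time": p["ts"],
                             "reason": "no version resource", "hooks_loaded": hooked})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f)
```

Running it over the full log needs nothing beyond the same line format. The min_procs threshold and the shell_callers list are assumptions to tune; a module present in many processes but not hooked is still worth a look.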
I checked drives C, D, E and F with WinRAR and found no auto.exe. Checking Kingsoft AntiVirus's quarantine showed it had been quarantined, but Kingsoft did not delete the autorun.inf files (Rising would have deleted autorun.inf automatically), so they had to be removed by hand.
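An autorun.inf that survives after its payload was quarantined is exactly what the step above describes, and a drive-by-drive check is quicker than opening each file in WinRAR. The Python below is an added example, not code from the original post: it parses the [autorun] section, extracts every key through which the file can start a program (open=, shellexecute=, and shell\<verb>\command=, as in the dumps above), and reports whether each target still exists on the drive. The sample autorun.inf is constructed from the dumps above (with backslashes, as in a real file); the demo runs it against a temporary directory standing in for a drive, once empty and once with a placeholder auto.exe.

```python
"""Audit an autorun.inf: list every executable it would launch and check whether the
target still exists on the drive, which is the state left behind when an AV quarantines
auto.exe but leaves autorun.inf in place. Added example, not from the original post."""
import os
import re
import tempfile

# Keys through which autorun.inf starts a program: open=, shellexecute=, shell\<verb>\command=
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$", re.I)

# Constructed from the dump in the post; real files use backslashes, and the
# "hell/explore" key in the listing is written here as the shell\explore label.
SAMPLE_INF = r"""[autorun]
open=auto.exe
shell\open=打开(&O)
shell\open\Command=auto.exe
shell\explore=资源管理器(&X)
shell\explore\Command="auto.exe"
"""


def parse_autorun(text):
    """Return {key_lower: value} for the [autorun] section; other sections are ignored."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def launch_targets(entries):
    """Map each launching key to the executable it names (quotes and arguments stripped)."""
    targets = {}
    for key, value in entries.items():
        if LAUNCH_KEY.match(key):
            m = re.match(r'"([^"]+)"|(\S+)', value)
            if m:
                targets[key] = m.group(1) or m.group(2)
    return targets


def audit_drive(root, inf_text):
    """[(key, exe, exists_on_drive)] for every launch target; exists == False after the
    payload was quarantined means the orphaned autorun.inf must be removed by hand."""
    return [(key, exe, os.path.exists(os.path.join(root, exe)))
            for key, exe in launch_targets(parse_autorun(inf_text)).items()]


def demo():
    """Run the audit against a temporary 'drive' before and after auto.exe is present."""
    with tempfile.TemporaryDirectory() as drive:
        orphaned = audit_drive(drive, SAMPLE_INF)
        with open(os.path.join(drive, "auto.exe"), "wb") as fh:
            fh.write(b"MZ")  # constructed placeholder, not the real payload
        armed = audit_drive(drive, SAMPLE_INF)
    return orphaned, armed


if __name__ == "__main__":
    for state, report in zip(("payload quarantined", "payload present"), demo()):
        print(state)
        for key, exe, present in report:
            print(f"  {key} -> {exe} ({'present' if present else 'missing'})")
```

A missing target does not make the file harmless: Explorer still offers the hijacked Open and Explore verbs from it, so the autorun.inf should be deleted on every drive, and checked again after a reboot in case it is re-created.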
The rest of the cleanup is left for the next installment...
