Killed Another Batch of Viruses (Version 2)

Original by endurer

2005.12.21  Version 2: added Rising's response to Tvdpay.exe.

2005.12.20  Version 1

  Yesterday I helped a netizen remove a batch of viruses, including several Gray Pigeon (Gpigeon) backdoors.

  The netizen's computer ran Windows XP without even the SP1 system update applied. Although Jiangmin KV was installed, the machine had still become a nest of malware: several advertising windows popped up at random, and links to malicious websites had been added to the desktop and the Start menu.

  First I ran Rising's free online scan; the results were as follows:

2005-12-19 15:53:30 瑞星杀毒助手
Windows XP (5.1.2600)
文件名 病毒名
C:/WINDOWS/system32/msisexec.exe TrojanSpy.Win32.Delf.da
C:/WINDOWS/system32/inetapi32.dll TrojanSpy.Win32.Delf.dh.dll
C:/WINDOWS/Temp/dvdpaye0.DLL Backdoor.Gpigeon.lz
C:/WINDOWS/Temp/Tvdpay0.DLL Backdoor.Gpigeon.qw
C:/WINDOWS/sllserv.exe Trojan.PSW.Lmir.iwu
C:/WINDOWS/ie.exe>>chk.exe Trojan.Win32.LaSta.ba
C:/WINDOWS/ie.exe>>pj.exe Trojan.Win32.LaSta.bc
C:/WINDOWS/Tvdpay_Hook1.DLL Backdoor.Gpigeon.stv
C:/WINDOWS/Tvdpay_HOOk2.DLL Backdoor.GPigeon.uq
C:/WINDOWS/Tvdpay_HOOk3.DLL Backdoor.GPigeon.uq
C:/WINDOWS/Tvdpay.DLL Backdoor.Gpigeon.qw
C:/WINDOWS/Tvdpay_HOOk.DLL Backdoor.GPigeon.uq
C:/WINDOWS/assistseex.exe Trojan.PSW.Lmir.iwu
C:/WINDOWS/uninstallex.exe Trojan.PSW.Lmir.iwu
C:/WINDOWS/ced.dll Trojan.PSW.Lmir.ivh
C:/Documents and Settings/hengg/Local Settings/Temp/F8D2.exe TrojanSpy.Win32.Delf.da
C:/Documents and Settings/hengg/Local Settings/Application Data/3721TRQua/Backdoor/Backdoor.Win32.BlackHole.2005.c/SysLog.exe.malicious Backdoor.JiaoZhu.a
C:/Documents and Settings/hengg/Local Settings/Application Data/3721TRQua/Trojan-PSW/Trojan-PSW.Win32.QQRob.16/NTdhcp.exe.malicious Trojan.PSW.QQRobber.16
C:/Documents and Settings/hengg/「开始」菜单/程序/启动/run.bat Trojan.WinREG.StartPage.d
C:/hao5.exe Trojan.StartPage.m
C:/$NtUninstallQ1494$/3721.bat Trojan.WinREG.StartPage.d
C:/run.bat Trojan.WinREG.StartPage.d
C:/$NtUninstallQ5926809$/sp4custom.dll Trojan.VBS.Wisis.d
C:/boot.exe Trojan.PSW.Lmir.iwx

I packed each virus file into an archive as a backup and then deleted it. (A quick heads-up: the next version of the Rising antivirus assistant may add a feature for packaging virus files, so this chore will no longer be necessary!)

Next I checked "Add or Remove Programs" in Control Panel and uninstalled several pieces of rogue software.

Then I ran a HijackThis scan; the log is as follows:

Logfile of HijackThis v1.99.1
Scan saved at 16:49:04, on 2005-12-19
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:/WINDOWS/System32/smss.exe
C:/WINDOWS/system32/csrss.exe
C:/WINDOWS/system32/winlogon.exe
C:/WINDOWS/system32/services.exe
C:/WINDOWS/system32/lsass.exe
C:/WINDOWS/system32/svchost.exe
C:/WINDOWS/System32/svchost.exe
C:/WINDOWS/System32/svchost.exe
C:/WINDOWS/System32/svchost.exe
C:/WINDOWS/Explorer.EXE
C:/WINDOWS/System32/Rundll32.exe
C:/WINDOWS/System32/ctfmon.exe
F:/QQ/QQ.exe
F:/QQ/TIMPlatform.exe
C:/WINDOWS/system32/notepad.exe
C:/Program Files/WinRAR/WinRAR.exe
F:/WUTemp/HijackThis.exe

R3 - URLSearchHook: MyURLSearchHook Class - {982CB676-38F0-4D9A-BB72-D9371ABE876E} - C:/Program Files/P4P/ToolBar.dll

O2 - BHO: SohuDAIEHelper - {0CA51D02-7739-43EA-8D9A-1E8AD4327B03} - C:/Program Files/P4P/sodaie.dll
O2 - BHO: QQIEHelper - {54EBD53A-9BC1-480B-966A-843A333CA162} - F:/QQ/QQIEHelper.dll
O2 - BHO: BrowseHelper Class - {80BF4637-D65B-43F3-BB60-C5DD3D5FB7B9} - E:/KV2004/KvShell.dll
O2 - BHO: IE - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - C:/WINDOWS/DOWNLO~1/CnsHook.dll
O2 - BHO: DragSearch BHO - {EF1D17A9-089F-40cc-8D64-7324CDEBA0DB} - C:/PROGRA~1/yisou/yisoub.dll
O3 - Toolbar: 上网助手 - {BB936323-19FA-4521-BA29-ECA6A121BC78} - C:/PROGRA~1/3721/Assist/asbar.dll
O3 - Toolbar: 一搜工具条 - {115F6E46-FCBC-41ed-B3B5-3BDDD4AAB5E5} - C:/Program Files/yisou/yisou.dll
O3 - Toolbar: 搜狗直通车 - {DBBB7978-AF21-4EF4-9AD1-B2F4BC75696C} - C:/Program Files/P4P/ToolBar.dll
O3 - Toolbar: 江民杀毒工具栏 - {B5A34A93-D538-43A7-8371-864CB6148D12} - E:/KV2004/KvShell.dll
O4 - HKLM/../Run: [IMJPMIG8.1] C:/WINDOWS/IME/imjp8_1/IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM/../Run: [PHIME2002ASync] C:/WINDOWS/System32/IME/TINTLGNT/TINTSETP.EXE /SYNC
O4 - HKLM/../Run: [PHIME2002A] C:/WINDOWS/System32/IME/TINTLGNT/TINTSETP.EXE /IMEName
O4 - HKLM/../Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM/../Run: [nwiz] nwiz.exe /install
O4 - HKLM/../Run: [CnsMin] Rundll32.exe C:/WINDOWS/DOWNLO~1/CnsMin.dll,Rundll32
O4 - HKLM/../Run: [TkBellExe] "C:/Program Files/Common Files/Real/Update_OB/realsched.exe"  -osboot
O4 - HKLM/../Run: [internat.exe] internat.exe
O4 - HKLM/../Run: [SysExplr] D:/wu/SysExplr.EXE
O4 - HKLM/../Run: [YDTMain.exe] C:/PROGRA~1/YDT/YDTMain.exe
O4 - HKLM/../Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM/../Run: [3721] C:/$NtUninstallQ5926809$/3721.bat
O4 - HKLM/../Run: [cnyisou_com] http://www.wa110.com
O4 - HKLM/../Run: [WlN32] regedit -s C:/$NtUninstallQ887678$/WINSYS.cer

O4 - HKLM/../Run: [KvMonXP] E:/KV2004/KVMonXP.kxp /auto
O4 - HKCU/../Run: [uninstallex.exe] C:/WINDOWS/uninstallex.exe
O4 - HKCU/../Run: [ctfmon.exe] C:/WINDOWS/System32/ctfmon.exe
O4 - HKCU/../RunServices: [system] C:/WINDOWS/SVC.EXE
O4 - Startup: 腾讯QQ.lnk = F:/qq/QQ.exe
O6 - HKCU/Software/Policies/Microsoft/Internet Explorer/Restrictions present
O6 - HKCU/Software/Policies/Microsoft/Internet Explorer/Control Panel present

O8 - Extra context menu item: !搜一搜 - res://C:/Program Files/yisou/yisou.dll/232
O8 - Extra context menu item: 上传到QQ网络硬盘 - F:/QQ/AddToNetDisk.htm
O8 - Extra context menu item: 使用搜狗直通车下载 - C:/Program Files/P4P/dl.htm
O8 - Extra context menu item: 发送图片到手机 - C:/Program Files/P4P/cx.htm
O8 - Extra context menu item: 添加到QQ自定义面板 - F:/QQ/AddPanel.htm
O8 - Extra context menu item: 添加到QQ表情 - F:/QQ/AddEmotion.htm
O8 - Extra context menu item: 用QQ彩信发送该图片 - F:/QQ/SendMMS.htm
O9 - Extra button: 手机短信 - {00000000-0000-0001-0001-596BAEDD1289} - http://sms.3721.com/ie/index.htm?pid=U_taijilian_48651 (file missing)
O9 - Extra button: Yahoo 1G电邮 - {507F9113-CD77-4866-BA92-0E86DA3D0B97} - http://cn.mail.yahoo.com/promo/rd1 (file missing)
O9 - Extra button: 寻宝乐趣多 - {59BC54A2-56B3-44a0-93E5-432D58746E26} - http://hot.3721.com/rd/shop_btn.htm (file missing)
O9 - Extra button: 上网助手 - {5D73EE86-05F1-49ed-B850-E423120EC338} - http://assistant.3721.com/index.htm?fb=Cns (file missing)
O9 - Extra button: 我的订阅 - {8755CE6E-0BF7-4441-8751-FB728941B0B4} - C:/Program Files/P4P/rss.dll
O9 - Extra button: SoQ - {8F67DCF3-B1DF-4A39-A787-3775784BF737} - http://www.soq.com (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:/WINDOWS/web/related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:/WINDOWS/web/related.htm
O9 - Extra button: QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - F:/QQ/QQ.EXE
O9 - Extra 'Tools' menuitem: 腾讯QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - F:/QQ/QQ.EXE
O9 - Extra button: (no name) - {DEDEB80D-FA35-45d9-9460-4983E5A8AFE6} - F:/QQ/QQIEHelper.dll
O9 - Extra 'Tools' menuitem: QQ炫彩工具条设置 - {DEDEB80D-FA35-45d9-9460-4983E5A8AFE6} - F:/QQ/QQIEHelper.dll
O9 - Extra button: 情景聊天 - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - http://cn.rd.yahoo.com/home/messenger/bjk/clientbtn/?http://cn.messenger.yahoo.com/ (file missing)
O9 - Extra button: (no name) - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://assistant.3721.com/security1.htm?fb=Cns (file missing)
O9 - Extra 'Tools' menuitem: 修复浏览器 - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://assistant.3721.com/security1.htm?fb=Cns (file missing)
O9 - Extra button: (no name) - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://assistant.3721.com/clean1.htm?fb=Cns (file missing)
O9 - Extra 'Tools' menuitem: 清理上网记录 - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://assistant.3721.com/clean1.htm?fb=Cns (file missing)
O10 - Unknown file in Winsock LSP: c:/windows/system32/kvwspxp_1.dll
O10 - Unknown file in Winsock LSP: c:/windows/system32/kvwspxp_1.dll
O10 - Unknown file in Winsock LSP: c:/windows/system32/kvwspxp_1.dll
O11 - Options group: [!CNS]  网络实名
O16 - DPF: {8819C261-5B61-4628-908C-9BE795EABEC3} (IE Class) - http://www.95599.cn/download/ABC.cab
O16 - DPF: {E4E2F180-CB8B-4DE9-ACBB-DA745D3BA153} (Rising Web Scan Object) - http://download.rising.com.cn/register/pcver/autoupgradepad/Ver2005/OL2005.cab
O17 - HKLM/System/CCS/Services/Tcpip/../{A9F4FDD9-50A8-4C72-A671-6EC43837F3BB}: NameServer = 202.103.224.68,202.103.225.68
O20 - AppInit_DLLs: C:/WINDOWS/System32/SoDAHK.DLL
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:/WINDOWS/System32/nvsvc32.exe
O23 - Service: P4P Service - Sohu.com Inc. - C:/Program Files/P4P/p2psvr.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:/WINDOWS/system32/pctspk.exe
O23 - Service: 3721 (Windows Management Instrumenta) - Unknown owner - C:/WINDOWS/Tvdpay.exe

The entries shown in red in the original post are the ones that needed fixing.

O4 - HKCU/../RunServices: [system] C:/WINDOWS/SVC.EXE

No file corresponding to this entry was found; it may already have been removed by Jiangmin KV.

O23 - Service: 3721 (Windows Management Instrumenta) - Unknown owner - C:/WINDOWS/Tvdpay.exe

This entry should be the service autostart item of Gray Pigeon; unfortunately Rising's online scan did not report it. Kaspersky detects it as Backdoor.Win32.Hupigon.km.
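The manual triage of this log (an autorun pointing into a $NtUninstall...$ folder, an autorun whose value is a URL, a silent regedit import, a RunServices entry, an AppInit_DLLs entry, and a service with an unknown owner) can be scripted. The following is an added Python example, not part of the original post and not code from HijackThis; its rules are constructed heuristics and the sample lines are copied from the log above:

```python
import re
from typing import List, Tuple
# Constructed sample: entries copied verbatim from the HijackThis log in this post.
SAMPLE_LOG = """\
O4 - HKLM/../Run: [CnsMin] Rundll32.exe C:/WINDOWS/DOWNLO~1/CnsMin.dll,Rundll32
O4 - HKLM/../Run: [3721] C:/$NtUninstallQ5926809$/3721.bat
O4 - HKLM/../Run: [cnyisou_com] http://www.wa110.com
O4 - HKLM/../Run: [WlN32] regedit -s C:/$NtUninstallQ887678$/WINSYS.cer
O4 - HKLM/../Run: [KvMonXP] E:/KV2004/KVMonXP.kxp /auto
O4 - HKCU/../RunServices: [system] C:/WINDOWS/SVC.EXE
O20 - AppInit_DLLs: C:/WINDOWS/System32/SoDAHK.DLL
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:/WINDOWS/System32/nvsvc32.exe
O23 - Service: 3721 (Windows Management Instrumenta) - Unknown owner - C:/WINDOWS/Tvdpay.exe
"""
# A HijackThis entry starts with its section code (R0-R3, O1-O23); the header
# and the running-process list do not and are skipped.
ENTRY_RE = re.compile(r"^(O\d+|R\d) - ")

# Hypothetical heuristics, each modelled on one entry the post singles out.
# The first matching rule wins, so the more specific patterns come first.
RULES = [
    ("autorun silently imports a registry file via regedit -s",
     re.compile(r"\bregedit\s+-s\b", re.I)),
    ("autorun target hides in a $NtUninstall...$ hotfix folder",
     re.compile(r"\$NtUninstall[^$]*\$", re.I)),
    ("autorun value is a URL rather than a program", re.compile(r"\]\s+https?://", re.I)),
    ("RunServices is a Win9x-era key; rarely legitimate on XP", re.compile(r"RunServices", re.I)),
    ("AppInit_DLLs loads this DLL into every GUI process",
     re.compile(r"^O20 - AppInit_DLLs:\s*\S", re.I)),
    ("service has no vendor and runs from outside System32",
     re.compile(r"^O23 - .* - Unknown owner - (?!C:/WINDOWS/System32/)", re.I)),
]

def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (entry, reason) pairs for every entry that trips a rule."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not ENTRY_RE.match(line):
            continue
        for reason, pattern in RULES:
            if pattern.search(line):
                findings.append((line, reason))
                break  # one reason per entry is enough for triage
    return findings

if __name__ == "__main__":
    for entry, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {entry}")
```

The legitimate entries in the sample (CnsMin, KvMonXP, NVSvc) pass through untouched, so the output is the same six items the post marks for repair.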

* 2005.12.21  Version 2 addendum

Rising now detects Tvdpay.exe as Backdoor.Gpigeon.uhu. Its virus database entry:

Virus category: PE virus under Windows
Virus name: Backdoor.Gpigeon.uhu
Alias: (blank)
Virus length: (blank)
Dependent system: (blank)
Transmission route: (blank)
Behaviour type: Trojan program under Windows
Infection: (blank)
Virus outbreak: (blank)
Rising version number: 18.06.10

I also found two files in c:/windows, system.hta and systems.hta, which are the things that pop up the advertising windows; unfortunately neither Rising nor Kaspersky reacted to them.
