Trojan-Downloader.Win32.Agent.rjq1, which changes the system date and replaces explorer.exe

endurer original, 2008-06-17, 1st

A netizen's computer: recently the "My Computer" icon on the desktop changed, and Rising keeps finding three viruses and prompting to delete them at the next startup, but after the reboot the viruses are still there. He asked me to help fix it.

Downloaded pe_xscan, scanned, and analysed the log; the following suspicious items were found: /===

pe_xscan 08-04-26 by Purple Endurer 
-6-14 15:36:58 
Windows XP Service Pack 2(5.1.2600) 
MSIE:6.0.2900.2180 
管理员用户组 
正常模式 

[System Process]  0 
   2000-6-13 13:2:24 
   2000-6-13 13:42:7 
   2000-6-13 13:2:8 
   2000-6-14 7:6:3 
   2000-6-14 7:6:2 
   2000-6-14 7:6:2 
   2000-6-14 7:6:2 
C:/Program Files/Rising/Rfw/rfwmain.exe 280  2007-10-18 13:40:10  Rising Personal FireWall 2008  7.00  Rising Personal FireWall Main Program  Rising Corp. All rights reserved.  7.0.1.65  Beijing Rising Technology Co., Ltd. ?  Beijing Rising Technology Co., Ltd.  rfwmain.EXE 
   2000-6-13 13:2:24 
   2000-6-13 13:42:7 
   2000-6-13 13:2:8 
 588  2008-6-11 0:45:58 
   2004-8-8 13:3:6 
   2000-6-13 13:2:24 
   2000-6-13 13:42:7 
   2000-6-13 13:2:8 
 1700  2004-6-5 22:14:12  Microsoft(R) Windows(R) Operating System  6.00.2900.3156  Windows Explorer  (C) Microsoft Corporation. All rights reserved.  6.00.2900.3156 (xpsp_sp2_gdr.070613-1234)  Microsoft Corporation ?  explorer  EXPLORER.EXE 
   2004-8-8 13:3:6 
   2000-6-13 13:2:8 
   2000-6-13 13:42:7 
   2000-6-13 13:2:24 
   2000-6-14 7:6:2 
   2000-6-14 7:6:2 
   2000-6-14 7:6:2 
   2000-6-14 7:6:3 
C:/Program Files/Rising/Rav/RavTask.exe 388  2007-10-18 13:44:4  Rising Antivirus 2008  20.00  RavTimer  Rising Corp.All rights reserved.  20.0.0.23  Beijing Rising Technology Co., Ltd. ?  Beijing Rising Technology Co., Ltd.  RavTask.exe 
   2000-6-13 13:2:24 
   2000-6-13 13:42:7 
   2000-6-13 13:2:8 
C:/Program Files/Rising/Rav/RavMon.exe 496  2007-10-18 13:44:28  Rising AntiVirus 2008  20.00  Rising realtime monitor shell  Rising Corp. All rights reserved.  20.0.01.19  Beijing Rising Technology Co., Ltd. ?  Beijing Rising Technology Co., Ltd.        
   2000-6-13 13:2:24
   2000-6-13 13:42:7 
   2000-6-13 13:2:8 
C:/WINDOWS/System32/ctfmon.exe 1188  2004-8-3 16:52:30  Microsoft? Windows? Operating System  5.1.2600.2180  CTF Loader  ? Microsoft Corporation. All rights reserved.  5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)  Microsoft Corporation ?  CTFMON  CTFMON.EXE 
   2000-6-13 13:2:24 
   2000-6-13 13:42:7 
   2000-6-13 13:2:8 
D:/Program Files/Tencent/QQ/QQ.exe 3612  2007-12-19 11:57:42  QQ  7,0,225,1651  QQ  Copyright (C) 1998 - 2007 TENCENT Inc. All Rights Reserved  7,0,225,1651  TENCENT   COMQQD  QQ.exe 
   2000-6-13 13:2:24 
   2000-6-13 13:42:7 
   2000-6-13 13:2:8 
   2000-6-14 7:6:3 
   2000-6-14 7:6:2 
   2000-6-14 7:6:2 
   2000-6-14 7:6:2 
O2 - BHO - {37AC9076-C898-B098-D098-A18319080973} -
O2 - BHO - {55694105-5108-9405-3695-954187462155} -
O2 - BHO - {5C648541-1025-9650-9057-6541258720C5} -
O2 - BHO - {7C8D1401-A58D-A81C-CD24-A5915C4517C7} -
O2 - BHO - {8AD0F1B1-990D-4F52-A33D-2837E43CEF58} -
O4 - HKLM/../Run: [veobqitk]
O4 - HKLM/../Run: [fmcbbqi]
O4 - HKLM/../Run: [fewqickd]
O4 - HKLM/../Run: [fmschif]

O20 - AppInit_DLLs =,,ieprot.dll 
O21 - SSODL - midimaptl(0) - {4F4F0064-71E0-4f0d-0017-708476C7815F} =
O21 - SSODL - midimapzx(0) - {4F4F0064-71E0-4f0d-0005-708476C7815F} =
O21 - SSODL - midimapwl(0) - {4F4F0064-71E0-4f0d-0004-708476C7815F} =
O21 - SSODL - midimapgj(0) - {4F4F0064-71E0-4f0d-0003-708476C7815F} =
O21 - SSODL - midimapqn3(0) - {4F4F0064-71E0-4f0d-0022-708476C7815F} =
O21 - SSODL - midimapjr(0) - {4F4F0064-71E0-4f0d-0012-708476C7815F} =
O23 - 服务: Hdv32 (Hdv32) -(手动) 
O23 - 服务: IIS Manager (IIS Manager ) - 2000-6-13 13:39:30(手动) 
O23 - 服务: larjphk (larjphk) - 2007-6-6 17:36:21  sys 应用程序  1, 0, 1, 3  sys 应用程序  版权所有 (C) 2006  1, 0, 1, 3  北京三七二一科技有限公司 ?  sys  sys.exe(引导) 
O23 - 服务: NPF (Netgroup Packet Filter) -  WinPcap Netgroup Packet Filter Driver  3, 1, 0, 27  npf  Copyright ? 2005 CACE Technologies. Copyright ? 2003-2005 NetGroup, Politecnico di Torino.  3, 1, 0, 27  CACE Technologies   NPF + TME  npf.sys(手动) 
O23 - 服务: seictrl (Security Control) -c:/windows/system32/rundll32.exe ,scan(自动) 
O23 - 服务: SVKP (SVKP) - 2007-11-17 14:58:29  SVKP driver for NT  1.00  SVKP driver for NT  Copyright (C) Microsoft Corp. 1981-1999  4.00  AntiCracking ?  SVKP.sys  SVKP.sys(自动) 
O23 - 服务: wuauserv (Automatic Updates) -(自动) 
O24 - ShlExecHook: [7] - {7C8D1401-A58D-A81C-CD24-A5915C4517C7} =
O24 - ShlExecHook: [3] - {37AC9076-C898-B098-D098-A18319080973} =
O24 - ShlExecHook: [3] - {35671234-7890-ABCD-CDEF-567801237653} =
O24 - ShlExecHook: [5] - {55694105-5108-9405-3695-954187462155} =
O24 - ShlExecHook: [5] - {5B1AEF69-DDAE-FDAD-DCAB-698F026ABDB5} =
O24 - ShlExecHook: [5] - {5C648541-1025-9650-9057-6541258720C5} =
O24 - ShlExecHook: [F] - {4F4F0064-71E0-4f0d-0012-708476C7815F} =
O24 - ShlExecHook: [a] - {242c168c-c3bd-4ad1-849f-e2179437a19a} =
O24 - ShlExecHook: [F] - {4F4F0064-71E0-4f0d-0003-708476C7815F} =
O24 - ShlExecHook: [F] - {4F4F0064-71E0-4f0d-0004-708476C7815F} =
O24 - ShlExecHook: [F] - {4F4F0064-71E0-4f0d-0017-708476C7815F} =
O24 - ShlExecHook: [F] - {4F4F0064-71E0-4f0d-0005-708476C7815F} =
O24 - ShlExecHook: [F] - {4F4F0064-71E0-4f0d-0022-708476C7815F} =
O24 - ShlExecHook: [MICROSOFT] - {DC3D30AE-0380-4151-8934-EE98A34B0370} =
O24 - ShlExecHook: [1] - {17DFD111-BF3A-4CB4-ADB0-88FCBFE69821} =
O24 - ShlExecHook: [MICROSOFT] - {28EB3777-3E23-4E72-8449-A992D09D24C3} =
O24 - ShlExecHook: [MICROSOFT] - {A9895933-6636-4281-BC58-EE6DE2AF96E3} =
O24 - ShlExecHook: [MICROSOFT] - {28766E1C-74B0-4417-8C75-F12AE309EF35} =
O24 - ShlExecHook: [1] - {18e64250-19a8-4d10-828f-30e101a22291} =
O24 - ShlExecHook: [MICROSOFT] - {461D2AB4-29A5-45C2-9134-D52272D3DE38} =
O24 - ShlExecHook: [0] - {8c3dd05d-a6a1-4cb5-a714-94be3c3b4cd0} =
O24 - ShlExecHook: [] - {8AD0F1B1-990D-4F52-A33D-2837E43CEF58} =
O26 - IFEO: 360safebox.exe -> ntsd -D
O26 - IFEO: KPPMain.exe -> ntsd -D
O26 - IFEO: QQDoctor.exe -> ntsd -D
O26 - IFEO: QQDoctorMain.exe -> TASKMAN.EXE
O26 - IFEO: QQKav.exe -> ntsd -D
O26 - IFEO: safeboxTray.exe -> ntsd -D
O26 - IFEO: SelfUpdate.exe -> TASKMAN.EXE
O26 - IFEO: tqat.exe -> ntsd -d

===/

From the log it can be seen that the netizen's computer clock has gone back to the year 2000...... This one is nastier than the thing encountered in "My Computer icon changed? It turned out Trojan-Downloader.Win32.Agent.mkj had replaced explorer.exe"~
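As an added defender-side example (not part of the original post), the script below applies the same reading of the pe_xscan log to a constructed excerpt of the lines above: it flags IFEO Debugger entries, SSODL entries outside an assumed Windows XP allowlist and a populated AppInit_DLLs, and counts file timestamps dated before the OS's own files, which is how the 2000 cluster stands out. The allowlist, the os_year parameter and the function names are my assumptions.

```python
import re
from collections import Counter

# Constructed sample: a handful of lines copied from the pe_xscan log above.
SAMPLE_LOG = """\
C:/WINDOWS/System32/ctfmon.exe 1188  2004-8-3 16:52:30  CTF Loader
   2000-6-13 13:2:24
   2000-6-13 13:42:7
   2000-6-14 7:6:2
O20 - AppInit_DLLs =,,ieprot.dll
O21 - SSODL - midimaptl(0) - {4F4F0064-71E0-4f0d-0017-708476C7815F} =
O26 - IFEO: 360safebox.exe -> ntsd -D
O26 - IFEO: QQDoctorMain.exe -> TASKMAN.EXE
"""

TIMESTAMP = re.compile(r"(\d{4})-\d{1,2}-\d{1,2} \d{1,2}:\d{1,2}:\d{1,2}")
IFEO = re.compile(r"^O26 - IFEO: (\S+) -> (.+)$")
SSODL = re.compile(r"^O21 - SSODL - (\S+?)\(\d+\) - (\{[^}]+\})")
APPINIT = re.compile(r"^O20 - AppInit_DLLs\s*=(.*)$")
# Assumption: the SSODL names a clean Windows XP install registers itself.
KNOWN_SSODL = {"webcheck", "postbootreminder", "cdburn", "systray"}


def suspicious_entries(log):
    """Return one (category, detail) tuple per persistence entry worth a look."""
    hits = []
    for line in log.splitlines():
        m = IFEO.match(line)
        if m:
            # Any Debugger value under IFEO redirects the target. "ntsd -d"
            # or a plain program such as TASKMAN.EXE means the target never
            # runs, which is how this sample silences the installed AV tools.
            hits.append(("IFEO hijack", f"{m.group(1)} -> {m.group(2)}"))
        elif (m := SSODL.match(line)) and m.group(1).lower() not in KNOWN_SSODL:
            hits.append(("unknown SSODL", f"{m.group(1)} {m.group(2)}"))
        elif (m := APPINIT.match(line)) and m.group(1).strip(", "):
            hits.append(("AppInit_DLLs", m.group(1).strip(", ")))
    return hits


def clock_rollback(log, os_year):
    """Count file timestamps dated before the OS's own files (os_year is the
    caller's knowledge of the install, 2004 for XP SP2 here). A cluster at one
    early year, as with 2000 above, is the trace of a clock that was set back."""
    years = Counter(int(m.group(1)) for m in TIMESTAMP.finditer(log))
    return {y: n for y, n in years.items() if y < os_year}
```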

(To be continued)
