Computer even slower after installing Kaspersky? It turned out to be a gang of password-stealing trojans such as Trojan-PSW.Win32.QQPass (Part 1)

Posted: 2022-11-22 17:07:06

endurer, original article
2008-04-14, 1st edition

  A friend, after QQ Doctor reported a password-stealing trojan, downloaded Kaspersky 8 from a website to scan for viruses. Once the install finished, however, the machine became extremely sluggish and could not be operated... I had him reboot into Safe Mode with Networking and download DrWeb CureIt! to scan; it found and removed some viruses, but after a normal boot the problem was still there... so he asked me to help fix it.

  Pressing Ctrl+Alt+Del got no response at all, so the only option was to reset the machine and boot into Safe Mode with Networking. I then downloaded pe_xscan, ran a scan and analyzed the log, which showed the following suspicious items (entries repeated across process modules are omitted):

pe_xscan 08-03-27 by Purple Endurer
2008-4-12 11:46:2
Windows XP Service Pack 2(5.1.2600)
管理员用户组
带网络连接的安全模式
[System Process] * 0
   C:/WINDOWS/system32/fhdoor1.dll | 2004-8-17 4:0:0
   C:/WINDOWS/Fonts/mndoor0.dll | 2004-8-17 4:0:0
   C:/WINDOWS/system32/qhdoor1.dll | 2004-8-17 4:0:0
   C:/WINDOWS/system32/qsdoor0.dll | 2004-8-17 4:0:0
   C:/WINDOWS/system32/qzdoor0.dll | 2004-8-17 4:0:0
   C:/WINDOWS/system32/qqdoor0.dll | 2004-8-17 4:0:0
C:/WINDOWS/Explorer.EXE* 276 | 2004-8-17 4:0:0 | Microsoft(R) Windows(R) Operating System | 6.00.2900.3156 | Windows Explorer | (C) Microsoft Corporation. All rights reserved. | 6.00.2900.3156 (xpsp_sp2_gdr.070613-1234) | Microsoft Corporation| ? | explorer | EXPLORER.EXE
   C:/WINDOWS/system32/qhdoor1.dll | 2004-8-17 4:0:0
   C:/Program Files/Internet Explorer/OnlO0r.dll | 2008-3-22 0:36:54 | Microsoft Windows Operating System | 6.00.2900.3028 | Microsoft Corporation Windows DLL | Copyright (C) 2001.01 | 1. 0. 0. 1 | Microsoft Corporation| ? | Windows.dll | Windows.dll
   C:/WINDOWS/Fonts/mndoor0.dll | 2004-8-17 4:0:0
   C:/WINDOWS/system32/qqdoor0.dll | 2004-8-17 4:0:0
   C:/WINDOWS/system32/qzdoor0.dll | 2004-8-17 4:0:0
   C:/WINDOWS/system32/qsdoor0.dll | 2004-8-17 4:0:0
   C:/WINDOWS/system32/fhdoor1.dll | 2004-8-17 4:0:0

O2 - BHO - {C2626E66-D21B-E628-C1DF-1DACCFA36ED2} - C:/Program Files/Common Files/fjOs0r.dll


O23 - 服务: 6to4 (6to4) - C:/WINDOWS/System32/svchost.exe -k netsvcs -> C:/WINDOWS/system32/6to4ex.dll | 2004-8-17 12:0:0(自动)
O23 - 服务: dvhzso26 (dvhzso26) -  System32/DRIVERS/dvhzso26.sys (引导)
O23 - 服务: lybvrlcy (lybvrlcy) -  System32/DRIVERS/lybvrlcy.sys (引导)
O23 - 服务: ngaacn74 (ngaacn74) -  system32/drivers/ngaacn74.sys
O23 - 服务: NPF (Netgroup Packet Filter) -  system32/drivers/npf.sys | WinPcap Netgroup Packet Filter Driver | 3, 1, 0, 27 | npf | Copyright ? 2005 CACE Technologies. Copyright ? 2003-2005 NetGroup, Politecnico di Torino. | 3, 1, 0, 27 | CACE Technologies | | NPF + TME | npf.sys(手动)
O23 - 服务: vhehnzrh (vhehnzrh) -  System32/DRIVERS/vhehnzrh.sys (引导)


O24 - ShlExecHook: [] - {CC3596CB-D6C1-ECA1-AE51-DEEA63F6C21C} = C:/Program Files/Internet Explorer/OnlO0r.dll
O24 - ShlExecHook: [1] - {3980134C-D24C-4857-973F-3A08BE8D7E41} = C:/WINDOWS/system32/tlsosa1.dll
O24 - ShlExecHook: [D] - {ABD0935D-B35A-47BD-BA9A-81678DDE74DD} = C:/WINDOWS/system32/qhdoor1.dll
O24 - ShlExecHook: [8] - {61C1B9CE-1A6F-4994-B4A4-0E7C99AD4C28} = C:/WINDOWS/Fonts/mndoor0.dll
O24 - ShlExecHook: [F] - {D64AC2E4-95B1-40DD-90D9-0C60F7CA64BF} = C:/WINDOWS/system32/qqdoor0.dll
O24 - ShlExecHook: [7] - {49C496E9-732D-4F5D-BEE9-EC113FAA1C97} = C:/WINDOWS/system32/qzdoor0.dll
O24 - ShlExecHook: [1] - {C26A8AB5-B935-400C-A152-0488714725B1} = C:/WINDOWS/system32/qsdoor0.dll
O24 - ShlExecHook: [3] - {80F15C30-5E9D-4CB9-BE85-F3D5564C6F83} = C:/WINDOWS/system32/fhdoor1.dll


So the ??door?.dll family of password-stealing trojans was the culprit...
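The triage the author does by eye above (spotting the ??door?.dll naming pattern, DLLs living in the Fonts directory, ShellExecuteHooks entries pointing at them, and boot-start drivers with random-looking names) can be written down as a small log-triage script. The following is an added example and is not part of the post or of pe_xscan; it parses a sample constructed from the log lines quoted above, with one benign kernel32.dll entry added as a control. Two rules are assumptions rather than facts from the post: that on a stock Windows XP install the only registered ShellExecuteHooks handler lives in shell32.dll, and that an 8-character lowercase alphanumeric service whose display name is just its own name (as dvhzso26, lybvrlcy, ngaacn74 and vhehnzrh are in this log) is worth review.

```python
"""Triage heuristics for a pe_xscan-style log, modelled on the reasoning in the post."""
import re

# Constructed sample: a subset of the log lines quoted in the post, plus one
# benign kernel32.dll module entry as a control that must not be flagged.
SAMPLE_LOG = """\
[System Process] * 0
   C:/WINDOWS/system32/fhdoor1.dll | 2004-8-17 4:0:0
   C:/WINDOWS/Fonts/mndoor0.dll | 2004-8-17 4:0:0
C:/WINDOWS/Explorer.EXE* 276 | 2004-8-17 4:0:0 | Microsoft(R) Windows(R) Operating System
   C:/WINDOWS/system32/kernel32.dll | 2004-8-17 4:0:0
   C:/Program Files/Internet Explorer/OnlO0r.dll | 2008-3-22 0:36:54 | Microsoft Windows Operating System
O2 - BHO - {C2626E66-D21B-E628-C1DF-1DACCFA36ED2} - C:/Program Files/Common Files/fjOs0r.dll
O23 - 服务: 6to4 (6to4) - C:/WINDOWS/System32/svchost.exe -k netsvcs -> C:/WINDOWS/system32/6to4ex.dll | 2004-8-17 12:0:0(自动)
O23 - 服务: dvhzso26 (dvhzso26) -  System32/DRIVERS/dvhzso26.sys (引导)
O23 - 服务: NPF (Netgroup Packet Filter) -  system32/drivers/npf.sys | WinPcap Netgroup Packet Filter Driver
O24 - ShlExecHook: [D] - {ABD0935D-B35A-47BD-BA9A-81678DDE74DD} = C:/WINDOWS/system32/qhdoor1.dll
O24 - ShlExecHook: [8] - {61C1B9CE-1A6F-4994-B4A4-0E7C99AD4C28} = C:/WINDOWS/Fonts/mndoor0.dll
"""

# ??door?.dll: two letters, "door", one digit (fhdoor1, mndoor0, qhdoor1, ...)
DOOR_RE = re.compile(r"^[a-z]{2}door\d\.dll$", re.IGNORECASE)
MODULE_RE = re.compile(r"^\s+([A-Za-z]:/[^|]+?)\s*\|")  # indented module line under a process
BHO_RE = re.compile(r"^O2 - BHO - \{[0-9A-Fa-f-]+\} - (.+)$")
SERVICE_RE = re.compile(r"^O23 - 服务: (\S+) \((.*?)\) -\s+(.*)$")  # log text is kept untranslated
HOOK_RE = re.compile(r"^O24 - ShlExecHook: \[.*?\] - \{[0-9A-Fa-f-]+\} = (.+)$")
RANDOM_SERVICE_RE = re.compile(r"^[a-z0-9]{8}$")


def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def dll_reasons(path):
    """File-name and location rules that apply to any DLL reference in the log."""
    reasons = []
    name = basename(path)
    if DOOR_RE.match(name):
        reasons.append("matches the ??door?.dll naming pattern")
    if name.lower().endswith(".dll") and "/fonts/" in path.replace("\\", "/").lower():
        reasons.append("DLL stored in the Fonts directory")
    return reasons


def triage(log_text):
    """Return a de-duplicated list of (kind, target, reason) findings."""
    findings = []
    for line in log_text.splitlines():
        m = MODULE_RE.match(line)
        if m:
            path = m.group(1).strip()
            findings += [("module", path, r) for r in dll_reasons(path)]
            continue
        m = BHO_RE.match(line)
        if m:  # BHOs get the same file-name rules; fjOs0r.dll above needs a manual look
            path = m.group(1).strip()
            findings += [("bho", path, r) for r in dll_reasons(path)]
            continue
        m = SERVICE_RE.match(line)
        if m:
            name, display, rest = m.groups()
            path = rest.split(" (")[0].split(" |")[0].strip()
            # Assumption tuned to this log: an 8-char lowercase alphanumeric service
            # whose display name is just its own name has no vendor behind it.
            if name == display and RANDOM_SERVICE_RE.match(name):
                findings.append(("service", path,
                                 f"service {name} has a random-looking name and no descriptive display name"))
            continue
        m = HOOK_RE.match(line)
        if m:
            path = m.group(1).strip()
            reasons = dll_reasons(path)
            # Assumption: on a stock Windows XP install the only registered
            # ShellExecuteHooks handler lives in shell32.dll; anything else needs review.
            if basename(path).lower() != "shell32.dll":
                reasons.append("ShellExecuteHooks handler outside shell32.dll")
            findings += [("shlexechook", path, r) for r in reasons]
    seen, unique = set(), []
    for f in findings:
        if f not in seen:
            seen.add(f)
            unique.append(f)
    return unique


def suspicious_files(findings):
    """Sorted unique file paths that appear in at least one finding."""
    return sorted({target for _kind, target, _reason in findings})


if __name__ == "__main__":
    for kind, target, reason in triage(SAMPLE_LOG):
        print(f"{kind:12} {target}: {reason}")
```

Run against the sample it flags the three door DLLs (fhdoor1, mndoor0, qhdoor1) and the dvhzso26 driver while leaving kernel32.dll, the 6to4 service and the WinPcap NPF driver alone; the same file-name rules make the O24 entries stand out twice, once for their name and once for not being the shell32.dll handler. On a real log the output is a review list, not a verdict: a hit means the file and its registry references deserve a closer look before anything is removed.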

(To be continued)

From: https://blog.51cto.com/endurer/5878226