遭遇一堆 Trojan.PSW.Win32.OnlineGames / *door0.dll等1
endurer 原创
2007-08-27 第1版
一位网友说他的电脑最近开机时金山毒霸出错,运行很慢,让偶通过QQ远程协助帮忙检查。
由于网友的电脑反应确实慢,让他重启到带网络连接的安全模式下再进行。
下载了 pe_xscan,解压后刚运行,文件忽然不见了……试了几次都是这样,难道pe_xscan也被列入恶意程序狙击的名单了?
把 pe_xscan 解压到 c:/windows/system32 下,文件名也改了,再运行,这次OK!
扫描 log 并分析,发现如下可疑项(进程模块部分有省略):
/===
pe_xscan 07-07-24 by Purple Endurer
2007-8-27 12:38:37
Windows XP Service Pack 2(5.1.2600)
管理员用户组
[System Process] * 0
C:/Program Files/Internet Explorer/rksldk.dll | 2007-8-27 11:37:8 | Microsoft Windows Operating System | 6.00.2900.3028 | Microsoft Corporation Windows DLL | Copyright (C) 2001.01 | 1. 0. 0. 1 | Microsoft Corporation| ? | Windows.dll | Windows.dll
C:/WINDOWS/system32/dadoor0.dll | 2004-8-16 8:39:14
C:/WINDOWS/system32/wddoor0.dll | 2004-8-16 8:39:14
C:/WINDOWS/system32/fydoor0.dll | 2004-8-16 8:39:14
C:/WINDOWS/system32/qjdoor0.dll | 2004-8-16 8:39:14
C:/WINDOWS/system32/mydoor0.dll | 2004-8-16 8:39:14
C:/WINDOWS/system32/tldoor0.dll | 2004-8-16 8:39:14
C:/WINDOWS/system32/rxdoor0.dll | 2004-8-16 8:39:14
C:/WINDOWS/system32/wmdoor0.dll | 2004-8-16 8:39:14
C:/WINDOWS/system32/qhdoor0.dll | 2004-8-16 8:39:14
C:/WINDOWS/system32/wgdoor0.dll | 2004-8-16 8:39:14
C:/WINDOWS/system32/wldoor0.dll | 2004-8-16 8:39:14
C:/WINDOWS/system32/jtdoor0.dll | 2004-8-16 8:39:14
C:/WINDOWS/system32/ztdoor0.dll | 2004-8-16 8:39:14
C:/WINDOWS/system32/wodoor0.dll | 2004-8-16 8:39:14
C:/WINDOWS/system32/mhdoor0.dll | 2004-8-16 8:39:14
C:/WINDOWS/Explorer.EXE * 1448 | 2004-8-16 8:39:14 | Microsoft(R) Windows(R) Operating System | 6.00.2900.2180 | Windows Explorer | (C) Microsoft Corporation. All rights reserved. | 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | explorer | EXPLORER.EXE
C:/Program Files/Internet Explorer/msvcrt.dll | 2007-8-27 11:37:8 | Microsoft Windows Operating System | 6.00.2900.3028 | Microsoft Corporation Windows DLL | Copyright (C) 2001.01 | 1. 0. 0. 1 | Microsoft Corporation| ? | Windows.dll | Windows.dll
C:/WINDOWS/system32/mhdoor0.dll | 2004-8-16 8:39:14
C:/Program Files/Internet Explorer/rksldk.dll | 2007-8-27 11:37:8 | Microsoft Windows Operating System | 6.00.2900.3028 | Microsoft Corporation Windows DLL | Copyright (C) 2001.01 | 1. 0. 0. 1 | Microsoft Corporation| ? | Windows.dll | Windows.dll
C:/WINDOWS/system32/wodoor0.dll | 2004-8-16 8:39:14
C:/WINDOWS/system32/ztdoor0.dll | 2004-8-16 8:39:14
C:/WINDOWS/system32/jtdoor0.dll | 2004-8-16 8:39:14
C:/WINDOWS/system32/wldoor0.dll | 2004-8-16 8:39:14
C:/WINDOWS/system32/wgdoor0.dll | 2004-8-16 8:39:14
C:/WINDOWS/system32/qhdoor0.dll | 2004-8-16 8:39:14
C:/WINDOWS/system32/wmdoor0.dll | 2004-8-16 8:39:14
C:/WINDOWS/system32/rxdoor0.dll | 2004-8-16 8:39:14
C:/WINDOWS/system32/tldoor0.dll | 2004-8-16 8:39:14
C:/WINDOWS/system32/mydoor0.dll | 2004-8-16 8:39:14
C:/WINDOWS/system32/qjdoor0.dll | 2004-8-16 8:39:14
C:/WINDOWS/system32/fydoor0.dll | 2004-8-16 8:39:14
C:/WINDOWS/system32/wddoor0.dll | 2004-8-16 8:39:14
C:/WINDOWS/system32/dadoor0.dll | 2004-8-16 8:39:14
C:/Program Files/WinRAR/rarext.dll | 2006-7-20 20:41:30
C:/Program Files/Internet Explorer/rksldk.bak * 1532 | 2007-8-27 11:2:44
C:/Program Files/Internet Explorer/rksldk.bak | 2007-8-27 11:2:44
C:/Program Files/Internet Explorer/rksldk.dll | 2007-8-27 11:37:8 | Microsoft Windows Operating System | 6.00.2900.3028 | Microsoft Corporation Windows DLL | Copyright (C) 2001.01 | 1. 0. 0. 1 | Microsoft Corporation| ? | Windows.dll | Windows.dll
C:/WINDOWS/system32/ctfmon.exe * 1232 | 2004-8-16 8:39:14 | Microsoft? Windows? Operating System | 5.1.2600.2180 | CTF Loader | ? Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | CTFMON | CTFMON.EXE
C:/Program Files/Internet Explorer/rksldk.dll | 2007-8-27 11:37:8 | Microsoft Windows Operating System | 6.00.2900.3028 | Microsoft Corporation Windows DLL | Copyright (C) 2001.01 | 1. 0. 0. 1 | Microsoft Corporation| ? | Windows.dll | Windows.dll
O2 - BHO - {A1626E66-B26B-C628-A1DF-BDACCFA26EE1} - C:/Program Files/Common Files/Relive.dll
O2 - BHO - {C1626E66-C26B-C628-E1DF-CDACCFA26EE1} - C:/Program Files/Common Files/goskdl.dll
O2 - BHO - {D7515C61-A66C-4319-A0E0-D416CB8059E3} - C:/Program Files/Common Files/Relive.dll
O2 - BHO - {E3616E66-C13B-2628-2CDF-EDABCFA235E1} - C:/Program Files/Common Files/Relive.dll
O4 - HKLM/../Run: [aslkgadlkgsl1] C:/WINDOWS/system32/oigdfgdfl1.exe
O4 - HKLM/../Run: [asgfdjs2] C:/WINDOWS/system32/vbsdaas2.exe
O4 - HKLM/../Run: [askasdkcl3] C:/WINDOWS/system32/faskflxld3.exe
O4 - HKLM/../Run: [asfkafsk4] C:/WINDOWS/system32/fdaolfdos4.exe
O4 - HKLM/../Run: [sakdasksd5] C:/WINDOWS/system32/eksdlfs5.exe
O4 - HKLM/../Run: [daskaskfsak6] C:/WINDOWS/system32/dsfids6.exe
O4 - HKLM/../Run: [xcxdsaa7] C:/WINDOWS/system32/slcskxsdl7.exe
O4 - HKLM/../Run: [afskfask8] C:/WINDOWS/system32/fsfjasj8.exe
O4 - HKLM/../Run: [akgkagaksad9] C:/WINDOWS/system32/fsakfask9.exe
O4 - HKLM/../Run: [xzkadsfk10] C:/WINDOWS/system32/afslkfasl10.exe
O4 - HKLM/../Run: [faslkakj11] C:/WINDOWS/system32/kjgagklj11.exe
O4 - HKLM/../Run: [gadkgak12] C:/WINDOWS/system32/fsafsakx12.exe
O4 - HKLM/../Run: [asdsaxcxz13] C:/WINDOWS/system32/dasxcsx13.exe
O4 - HKLM/../Run: [dsadlsa14] C:/WINDOWS/system32/dsakfsak14.exe
O4 - HKLM/../Run: [daskgfkkcx15] C:/WINDOWS/system32/dasdsaads15.exe
O4 - HKLM/../Run: [gajklgasjlkga] C:/WINDOWS/system32/aglajgkd16.exe
O4 - HKLM/../Run: [sakdasj6ksd5] C:/WINDOWS/system32/e656lklfs5.exe
O4 - HKLM/../Run: [apadslasla13] C:/WINDOWS/system32/alsdlaslx13.exe
O4 - HKLM/../Run: [aslgflsdakgsl1] C:/WINDOWS/system32/ogdflsd1.exe
H:/autorun.inf
/-----
[autorun]
open=Ghost.pif
shellexecute=Ghost.pif
shell/Auto/command=Ghost.pif
shell=Auto
-----/
O24 - ShlExecHook: [] - 0CCE6E12-C2EC-56CD+1A62-AE3FD6EF56E6} = C:/Program Files/Internet Explorer/msvcrt.dll
O24 - ShlExecHook: [] - {5C7596CB-C3CC-6BA3-BE52-8EEA63F9C61D} = C:/Program Files/Internet Explorer/msvcrt.dll
O24 - ShlExecHook: [] - {DC7596CB-D6CC-DCA3-DE52-DEEA63F6C61D} = C:/Program Files/Internet Explorer/rksldk.dll
O24 - ShlExecHook: [F] - {3422FB0F-95EB-458A-8B56-39552017A4EF} = C:/WINDOWS/system32/mhdoor0.dll
O24 - ShlExecHook: [6] - {5731EA1D-6AAF-4DE9-BDDA-7B390A75B286} = C:/WINDOWS/system32/wodoor0.dll
O24 - ShlExecHook: [9] - {E952B8F8-D91A-4EDD-851C-EE1A0F944469} = C:/WINDOWS/system32/ztdoor0.dll
O24 - ShlExecHook: [1] - {71046DD5-E136-4C4B-A6B5-91C30CB15291} = C:/WINDOWS/system32/jtdoor0.dll
O24 - ShlExecHook: [3] - {E03C23BD-35B7-49C2-BBCA-6D8CEC2507E3} = C:/WINDOWS/system32/wldoor0.dll
O24 - ShlExecHook: [7] - {A3C95A74-638D-4C6B-A856-4B27664A7F47} = C:/WINDOWS/system32/wgdoor0.dll
O24 - ShlExecHook: [D] - {ABD0935D-B35A-47BD-BA9A-81678DDE74DD} = C:/WINDOWS/system32/qhdoor0.dll
O24 - ShlExecHook: [C] - {074616A6-5ADC-4A3F-B252-E1D605228B5C} = C:/WINDOWS/system32/wmdoor0.dll
O24 - ShlExecHook: [0] - {EDFF29C1-5A70-4460-AC1D-16DCB4B672F0} = C:/WINDOWS/system32/rxdoor0.dll
O24 - ShlExecHook: [8] - {08E909A4-B236-48DD-8BCC-90A604B93E68} = C:/WINDOWS/system32/tldoor0.dll
O24 - ShlExecHook: [8] - {4E3FBFA4-F1CC-4B66-B333-B9F0FF4B4748} = C:/WINDOWS/system32/mydoor0.dll
O24 - ShlExecHook: [8] - {6826A3DB-EA8E-4E67-880D-53D04C7C0BD8} = C:/WINDOWS/system32/qjdoor0.dll
O24 - ShlExecHook: [B] - {BD9B003B-0BE6-4528-A9D9-B8DBACAC6B9B} = C:/WINDOWS/system32/fydoor0.dll
O24 - ShlExecHook: [7] - {781FBCC1-99C7-4AE0-95F7-66EA49E86DD7} = C:/WINDOWS/system32/zxdoor0.dll
O24 - ShlExecHook: [2] - {68F7767A-090C-4BBF-A015-720ACC6706E2} = C:/WINDOWS/system32/wddoor0.dll
O24 - ShlExecHook: [B] - {D8CC4845-441C-44F8-9053-28F2EF67655B} = C:/WINDOWS/system32/dadoor0.dll
O25 - InsCom: {11716107-A10D-11cf-64CD-11115FE1CF41} = C:/WINDOWS/system32/nwizzhuxians.exe
===/
禁用系统还原功能。
到 http://endurer.ys168.com 下载 HijackThis,到 http://purpleendurer.ys168.com 下载 bat_do 和 FileInfo。
用pe_xscan 的网页分析工具提取出可疑文件的文件说明符,加入 FileInfo 提取文件信息,加入bat_do,全选,先用rar.exe打包备份,然后延时删除,改所选文件名,再次延时删除。
运行 HijackThis,修复 O2、O4项。
用WinRAR 删除 H:/autorun.inf。
下载 Dr.Web CureIt扫描,发现一堆病毒。
下载安装 瑞星卡卡安全助手备用。
用WinRAR 删除Windows临时文件夹,IE临时文件夹,c:/windows/prefetch 中可以删除的文件和文件夹。
重启电脑,仍然进入带网络连接的安全模式,运行瑞星卡卡安全助手,选[高级功能]->[插件管理及卸载],卸载 O24的项目。
切换到[系统启动项管理]里,单击左边列表中的[资源管理器插件],然后在右边的列表中找到 O25项,右击,从弹出的菜单里选择删除。
标签:Trojan,16,WINDOWS,system32,39,dll,Win32,2004 From: https://blog.51cto.com/endurer/5881511