Original by endurer
2007-04-24, 1st edition
Yesterday a netizen's computer got infected with Trojan.PSW.OnlineGames.amc. Rising had detected and removed it, but he was not quite at ease and asked me to check the machine via QQ remote assistance.
One look: Rising's real-time monitor was not even turned on, though its IE vulnerability patch (IE防漏洞补丁) was running...
Rising's antivirus log read as follows:
/---
Virus name | Result | Scan type | Path | File | Source
Trojan.MNless.jys | Deleted | Scheduled scan | C:/WINDOWS/system32/drivers | ecdacgcf.sys | Local
Trojan.MNless.jys | Deleted | Scheduled scan | C:/Documents and Settings/new/Local Settings/Temp/4A | cdnprot.sys | Local
Trojan.MNless.jys | Deleted | Scheduled scan | C:/Documents and Settings/new/Local Settings/Temp/4D | cdnprot.sys | Local
Trojan.MNless.jys | Deleted | Scheduled scan | C:/Documents and Settings/new/Local Settings/Temp/63 | cdnprot.sys | Local
Trojan.PSW.OnlineGames.amc | Deleted | Manual scan | C:/WINDOWS/system32 | RAVFY48.DLL>>UPX | Local
Trojan.PSW.OnlineGames.amc | Deleted | Manual scan | C:/Documents and Settings/LocalService/Local Settings/Temporary Internet Files/Content.IE5/5OPE3GZX | 2[1].exe>>fsg2.0 | Local
Trojan.PSW.OnlineGames.amc | Deleted | Manual scan | C:/Documents and Settings/LocalService/Local Settings/Temporary Internet Files/Content.IE5/5OPE3GZX | 2[2].exe>>fsg2.0 | Local
Trojan.PSW.OnlineGames.amc | Deleted | Manual scan | C:/Program Files/Internet Explorer | iedw02.exe>>fsg2.0 | Local
---/
My guess is that he picked it up while browsing a web page, but the IE vulnerability patch blocked it and it never actually ran.
I downloaded pe_xscan, ran a scan and went through the log; the following suspicious items turned up:
/---
pe_xscan 07-03-17 by Purple Endurer
2007-4-23 17:42:47
Windows XP Service Pack 2(5.1.2600)
Administrators group
[System Process] * 0
C:/PROGRA~1/3721/CnsM.dll | 2007-4-17 11:25:54
C:/PROGRA~1/3721/helper.dll | 2006-12-27 10:29:52
C:/Program Files/CNNIC/Cdn/imaoe.dll | 2007-4-21 19:1:38
C:/Program Files/CNNIC/Cdn/cdnforie.dll | 2007-4-21 19:2:38
C:/Program Files/CNNIC/Cdn/cdndet.dll | 2007-4-21 19:1:32
C:/WINDOWS/Explorer.EXE * 1096 | 2004-8-8 4:0:0
C:/Program Files/CNNIC/Cdn/imaoe.dll | 2007-4-21 19:1:38
C:/Program Files/CNNIC/Cdn/cdnforie.dll | 2007-4-21 19:2:38
C:/Program Files/CNNIC/Cdn/cdndet.dll | 2007-4-21 19:1:32
C:/PROGRA~1/3721/CnsM.dll | 2007-4-17 11:25:54
C:/PROGRA~1/3721/helper.dll | 2006-12-27 10:29:52
C:/PROGRA~1/3721/alrex.dll | 2006-12-21 17:53:48
C:/PROGRA~1/3721/autolive.dll | 2007-4-9 10:58:44
C:/PROGRA~1/3721/alLiveEx.dll | 2006-3-21 14:20:6
C:/PROGRA~1/3721/ske/contmenu.dll | 2005-2-23 17:59:6
C:/Program Files/CNNIC/Cdn/cdnup.exe * 1152 | 2007-4-21 19:1:10
C:/Program Files/CNNIC/Cdn/cdnup.exe | 2007-4-21 19:1:10
C:/Program Files/CNNIC/Cdn/cdnuplib.dll | 2007-4-21 19:2:48
C:/Program Files/CNNIC/Cdn/cdnprh.dll | 2007-4-21 19:2:0
C:/Program Files/CNNIC/Cdn/cdndet.dll | 2007-4-21 19:1:32
C:/Program Files/CNNIC/Cdn/cdnforie.dll | 2007-4-21 19:2:38
C:/Program Files/CNNIC/Cdn/imaoe.dll | 2007-4-21 19:1:38
C:/PROGRA~1/3721/CnsM.dll | 2007-4-17 11:25:54
C:/Program Files/Rising/AntiSpyware/runiep.exe * 1280 | 2007-4-23 10:10:34
C:/PROGRA~1/3721/CnsM.dll | 2007-4-17 11:25:54
C:/Program Files/CNNIC/Cdn/imaoe.dll | 2007-4-21 19:1:38
C:/Program Files/CNNIC/Cdn/cdnforie.dll | 2007-4-21 19:2:38
C:/Program Files/CNNIC/Cdn/cdndet.dll | 2007-4-21 19:1:32
C:/WINDOWS/system32/rundll32.exe * 1336 | 2004-8-8 4:0:0
C:/PROGRA~1/3721/helper.dll | 2006-12-27 10:29:52
C:/Program Files/CNNIC/Cdn/imaoe.dll | 2007-4-21 19:1:38
C:/PROGRA~1/3721/CnsM.dll | 2007-4-17 11:25:54
C:/Program Files/CNNIC/Cdn/cdnforie.dll | 2007-4-21 19:2:38
C:/Program Files/CNNIC/Cdn/cdndet.dll | 2007-4-21 19:1:32
C:/PROGRA~1/3721/autolive.dll | 2007-4-9 10:58:44
C:/PROGRA~1/3721/notifier.dll | 2006-12-21 17:53:50
C:/PROGRA~1/3721/alLiveEx.dll | 2006-3-21 14:20:6
C:/WINDOWS/system32/ctfmon.exe * 2324 | 2004-8-8 4:0:0
C:/PROGRA~1/3721/CnsM.dll | 2007-4-17 11:25:54
C:/PROGRA~1/3721/helper.dll | 2006-12-27 10:29:52
C:/Program Files/CNNIC/Cdn/imaoe.dll | 2007-4-21 19:1:38
C:/Program Files/CNNIC/Cdn/cdnforie.dll | 2007-4-21 19:2:38
C:/Program Files/CNNIC/Cdn/cdndet.dll | 2007-4-21 19:1:32
D:/软件/QQ/TIMPlatform.exe * 2460 | 2007-2-2 16:41:0
C:/PROGRA~1/3721/CnsM.dll | 2007-4-17 11:25:54
C:/PROGRA~1/3721/helper.dll | 2006-12-27 10:29:52
C:/Program Files/CNNIC/Cdn/imaoe.dll | 2007-4-21 19:1:38
C:/Program Files/CNNIC/Cdn/cdnforie.dll | 2007-4-21 19:2:38
C:/Program Files/CNNIC/Cdn/cdndet.dll | 2007-4-21 19:1:32
D:/软件/QQ/QQ.exe * 156 | 2007-2-2 19:0:12
C:/PROGRA~1/3721/CnsM.dll | 2007-4-17 11:25:54
C:/PROGRA~1/3721/helper.dll | 2006-12-27 10:29:52
C:/Program Files/CNNIC/Cdn/imaoe.dll | 2007-4-21 19:1:38
C:/Program Files/CNNIC/Cdn/cdnforie.dll | 2007-4-21 19:2:38
C:/Program Files/CNNIC/Cdn/cdndet.dll | 2007-4-21 19:1:32
O2 - BHO CdnForIE Class - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:/PROGRA~1/CNNIC/Cdn/cdnforie.dll
O2 - BHO - {669751ED-D558-49AE-B01A-3B374CC7910E} - C:/WINDOWS/system32/ssup.dll
O4 - HKLM/../Run: [CdnCtr] C:/Program Files/CNNIC/Cdn/cdnup.exe
O4 - HKLM/../Run: [CnsM.dll] Rundll32.exe C:/PROGRA~1/3721/CnsM.dll,Rundll32
O4 - HKLM/../Run: [helper.dll] C:/WINDOWS/system32/rundll32.exe C:/PROGRA~1/3721/helper.dll,Rundll32
O21 - SSODL - rdshost(4) - {CD5BAE98-08ED-4D9C-8D7E-B3B4F958E61C} = rdshost.dll
O23 - Service: ADProt (ADProt) - C:/WINDOWS/system32/drivers/ADProt.sys | 2007-4-21 18:52:48(system)
O23 - Service: cdnprot (cdnprot) - system32/drivers/cdnprot.sys(boot)
O23 - Service: phbpcre (phbpcre) - system32/drivers/phbpcre.sys(disabled)
O23 - Service: pjjgkej (pjjgkej) - C:/WINDOWS/System32/drivers/pjjgkej.sys | 2007-4-23 10:15:4(boot)
---/
The O21 entry looks like a leftover from something an MSN worm used; the rest is mostly rogue software and adware.
Cleaned up and repaired with HijackThis, Kaka Security Assistant (卡卡安全助手) and Dr.Web CureIt.
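As an added example (not code from the original post, from pe_xscan or from Rising), the following Python script cross-references an AV deletion log with the O2/O4/O21/O23 autostart lines of a HijackThis-style scan. The point it makes that the two raw logs do not: Rising deleted cdnprot.sys, yet the boot-start service entry "cdnprot" is still registered (orphaned persistence, to be removed by hand), while pjjgkej.sys and phbpcre.sys were never detected at all and only stand out by their random-looking names. The sample log excerpts are constructed and abridged from the two logs above (written with "|" separators); the heuristics, the vowel-ratio threshold and the reason labels are this example's own assumptions, not anything the tools output.

```python
"""Cross-reference an AV deletion log with the autostart (O2/O4/O21/O23) lines
of a HijackThis-style scan, separating persistence entries whose file the AV
already deleted (orphaned) from entries the AV never touched.

Sample data is constructed for this example, modelled on the logs in the post
(abridged, '|'-separated); every heuristic below is this example's assumption.
"""
import re
from dataclasses import dataclass

# Constructed excerpt: virus | result | scan type | path | file
RISING_LOG = """\
Trojan.MNless.jys | Deleted | Scheduled scan | C:/WINDOWS/system32/drivers | ecdacgcf.sys
Trojan.MNless.jys | Deleted | Scheduled scan | C:/Documents and Settings/new/Local Settings/Temp/4A | cdnprot.sys
Trojan.PSW.OnlineGames.amc | Deleted | Manual scan | C:/WINDOWS/system32 | RAVFY48.DLL>>UPX
Trojan.PSW.OnlineGames.amc | Deleted | Manual scan | C:/Program Files/Internet Explorer | iedw02.exe>>fsg2.0
"""

# Constructed excerpt of the autostart section of a pe_xscan/HijackThis-style log
HJT_LOG = """\
O2 - BHO CdnForIE Class - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:/PROGRA~1/CNNIC/Cdn/cdnforie.dll
O2 - BHO - {669751ED-D558-49AE-B01A-3B374CC7910E} - C:/WINDOWS/system32/ssup.dll
O4 - HKLM/../Run: [CdnCtr] C:/Program Files/CNNIC/Cdn/cdnup.exe
O4 - HKLM/../Run: [CnsM.dll] Rundll32.exe C:/PROGRA~1/3721/CnsM.dll,Rundll32
O21 - SSODL - rdshost(4) - {CD5BAE98-08ED-4D9C-8D7E-B3B4F958E61C} = rdshost.dll
O23 - Service: ADProt (ADProt) - C:/WINDOWS/system32/drivers/ADProt.sys | 2007-4-21 18:52:48(system)
O23 - Service: cdnprot (cdnprot) - system32/drivers/cdnprot.sys(boot)
O23 - Service: phbpcre (phbpcre) - system32/drivers/phbpcre.sys(disabled)
O23 - Service: pjjgkej (pjjgkej) - C:/WINDOWS/System32/drivers/pjjgkej.sys | 2007-4-23 10:15:4(boot)
"""

# A basename ending in .dll/.exe/.sys; '/' is excluded so only the last path component matches
FILE_RE = re.compile(r"[\w~.$-]+\.(?:dll|exe|sys)\b", re.I)


@dataclass
class Finding:
    section: str   # O2 / O4 / O21 / O23
    file: str      # lower-cased basename of the loaded file
    reason: str    # which heuristic fired
    line: str      # the original log line


def deleted_files(av_log: str) -> set[str]:
    """Basenames the AV reports as deleted; '>>UPX'-style packer tags are dropped."""
    names = set()
    for raw in av_log.splitlines():
        cols = [c.strip() for c in raw.split("|")]
        if len(cols) >= 5 and cols[1].lower() == "deleted":
            names.add(cols[4].split(">>")[0].lower())
    return names


def looks_random(stem: str) -> bool:
    """Heuristic: 6-9 letters with under 30% vowels (pjjgkej, phbpcre). Threshold is an assumption."""
    s = stem.lower()
    if not re.fullmatch(r"[a-z]{6,9}", s):
        return False
    return sum(c in "aeiou" for c in s) / len(s) < 0.3


def triage(hjt_log: str, deleted: set[str]) -> list[Finding]:
    out = []
    for line in hjt_log.splitlines():
        section = line.split(" - ", 1)[0].strip()
        hits = FILE_RE.findall(line)
        if not hits:
            continue
        # The last hit is the payload: on rundll32 lines that is the DLL argument, not rundll32.exe
        file = hits[-1].lower()
        stem = file.rsplit(".", 1)[0]
        if file in deleted:
            reason = "orphaned"       # AV removed the file but the persistence entry remains
        elif section == "O2" and line.startswith("O2 - BHO - {"):
            reason = "unnamed_bho"    # BHO registered without a display name
        elif section == "O4" and "rundll32" in line.lower():
            reason = "rundll32_dll"   # Run key loads a DLL through rundll32
        elif section == "O21":
            reason = "ssodl"          # ShellServiceObjectDelayLoad: verify against known shell objects
        elif section == "O23" and looks_random(stem):
            reason = "random_name"    # driver with a random-looking name the AV did not flag
        else:
            continue
        out.append(Finding(section, file, reason, line))
    return out


if __name__ == "__main__":
    for f in triage(HJT_LOG, deleted_files(RISING_LOG)):
        print(f"{f.section:<4}{f.reason:<13}{f.file:<14}{f.line}")
```

The "orphaned" class is the one worth acting on first: a boot-start service whose .sys file is gone does no harm by itself, but the registry entry will happily load the driver again if the dropper re-creates the file, so it should be deleted along with the file. The "random_name" heuristic is deliberately crude (it would also flag some legitimate short driver names) and is meant to pick candidates for manual inspection or submission, not to make a verdict.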
Tags: Files, Trojan, 21, amc, CNNIC, dll, Program, 2007, OnlineGames
Source: https://blog.51cto.com/endurer/5919656