首页 > 其他分享 >一位网友的电脑中了Trojan.PSW.OnlineGames.amc

一位网友的电脑中了Trojan.PSW.OnlineGames.amc

时间:2022-12-07 16:36:45浏览次数:45  
标签:Files Trojan 21 amc CNNIC dll Program 2007 OnlineGames


endurer 原创
2007-04-24 第1

昨天,一位网友的电脑中了Trojan.PSW.OnlineGames.amc,虽然被瑞星查杀了,但他不太放心,让偶通过QQ远程协助帮忙检查。

一看,瑞星实时监控居然没有开,不过IE防漏洞补丁运行了……

检查瑞星的杀毒日志如下:
/---
病毒名称  处理结果  扫描方式 路径 文件 病毒来源
Trojan.MNless.jys  删除成功 定时扫描  C:/WINDOWS/system32/drivers ecdacgcf.sys 本机
Trojan.MNless.jys  删除成功 定时扫描  C:/Documents and Settings/new/Local Settings/Temp/4A cdnprot.sys  本机
Trojan.MNless.jys  删除成功 定时扫描  C:/Documents and Settings/new/Local Settings/Temp/4D cdnprot.sys  本机
Trojan.MNless.jys  删除成功 定时扫描  C:/Documents and Settings/new/Local Settings/Temp/63 cdnprot.sys  本机   

Trojan.PSW.OnlineGames.amc 删除成功  手动扫描  C:/WINDOWS/system32                 RAVFY48.DLL>>UPX  本机
Trojan.PSW.OnlineGames.amc  删除成功  手动扫描  C:/Documents and Settings/LocalService/Local Settings/Temporary Internet Files/Content.IE5/5OPE3GZX     2[1].exe>>fsg2.0 本机
Trojan.PSW.OnlineGames.amc  删除成功  手动扫描  C:/Documents and Settings/LocalService/Local Settings/Temporary Internet Files/Content.IE5/5OPE3GZX                     2[2].exe>>fsg2.0 本机
Trojan.PSW.OnlineGames.amc  删除成功    手动扫描  C:/Program Files/Internet Explorer iedw02.exe>>fsg2.0 本机
---/
估计是浏览网页时中标,不过被IE防漏洞补丁给阻止了,没有跑起来。

下载 pe_xscan 扫描log分析,发现如下可疑项:
/---
pe_xscan 07-03-17 by Purple Endurer
2007-4-23 17:42:47
Windows XP Service Pack 2(5.1.2600)
管理员用户组
[System Process] * 0
    C:/PROGRA~1/3721/CnsM.dll | 2007-4-17 11:25:54
    C:/PROGRA~1/3721/helper.dll | 2006-12-27 10:29:52
    C:/Program Files/CNNIC/Cdn/imaoe.dll | 2007-4-21 19:1:38
    C:/Program Files/CNNIC/Cdn/cdnforie.dll | 2007-4-21 19:2:38
    C:/Program Files/CNNIC/Cdn/cdndet.dll | 2007-4-21 19:1:32
C:/WINDOWS/Explorer.EXE * 1096 | 2004-8-8 4:0:0
    C:/Program Files/CNNIC/Cdn/imaoe.dll | 2007-4-21 19:1:38
    C:/Program Files/CNNIC/Cdn/cdnforie.dll | 2007-4-21 19:2:38
    C:/Program Files/CNNIC/Cdn/cdndet.dll | 2007-4-21 19:1:32
    C:/PROGRA~1/3721/CnsM.dll | 2007-4-17 11:25:54
    C:/PROGRA~1/3721/helper.dll | 2006-12-27 10:29:52
    C:/PROGRA~1/3721/alrex.dll | 2006-12-21 17:53:48
    C:/PROGRA~1/3721/autolive.dll | 2007-4-9 10:58:44
    C:/PROGRA~1/3721/alLiveEx.dll | 2006-3-21 14:20:6
    C:/PROGRA~1/3721/ske/contmenu.dll | 2005-2-23 17:59:6

C:/Program Files/CNNIC/Cdn/cdnup.exe * 1152 | 2007-4-21 19:1:10
    C:/Program Files/CNNIC/Cdn/cdnup.exe | 2007-4-21 19:1:10
    C:/Program Files/CNNIC/Cdn/cdnuplib.dll | 2007-4-21 19:2:48
    C:/Program Files/CNNIC/Cdn/cdnprh.dll | 2007-4-21 19:2:0
    C:/Program Files/CNNIC/Cdn/cdndet.dll | 2007-4-21 19:1:32
    C:/Program Files/CNNIC/Cdn/cdnforie.dll | 2007-4-21 19:2:38
    C:/Program Files/CNNIC/Cdn/imaoe.dll | 2007-4-21 19:1:38
    C:/PROGRA~1/3721/CnsM.dll | 2007-4-17 11:25:54

C:/Program Files/Rising/AntiSpyware/runiep.exe * 1280 | 2007-4-23 10:10:34
    C:/PROGRA~1/3721/CnsM.dll | 2007-4-17 11:25:54
    C:/Program Files/CNNIC/Cdn/imaoe.dll | 2007-4-21 19:1:38
    C:/Program Files/CNNIC/Cdn/cdnforie.dll | 2007-4-21 19:2:38
    C:/Program Files/CNNIC/Cdn/cdndet.dll | 2007-4-21 19:1:32

C:/WINDOWS/system32/rundll32.exe * 1336 | 2004-8-8 4:0:0
    C:/PROGRA~1/3721/helper.dll | 2006-12-27 10:29:52
    C:/Program Files/CNNIC/Cdn/imaoe.dll | 2007-4-21 19:1:38
    C:/PROGRA~1/3721/CnsM.dll | 2007-4-17 11:25:54
    C:/Program Files/CNNIC/Cdn/cdnforie.dll | 2007-4-21 19:2:38
    C:/Program Files/CNNIC/Cdn/cdndet.dll | 2007-4-21 19:1:32
    C:/PROGRA~1/3721/autolive.dll | 2007-4-9 10:58:44
    C:/PROGRA~1/3721/notifier.dll | 2006-12-21 17:53:50
    C:/PROGRA~1/3721/alLiveEx.dll | 2006-3-21 14:20:6

C:/WINDOWS/system32/ctfmon.exe * 2324 | 2004-8-8 4:0:0
    C:/PROGRA~1/3721/CnsM.dll | 2007-4-17 11:25:54
    C:/PROGRA~1/3721/helper.dll | 2006-12-27 10:29:52
    C:/Program Files/CNNIC/Cdn/imaoe.dll | 2007-4-21 19:1:38
    C:/Program Files/CNNIC/Cdn/cdnforie.dll | 2007-4-21 19:2:38
    C:/Program Files/CNNIC/Cdn/cdndet.dll | 2007-4-21 19:1:32

D:/软件/QQ/TIMPlatform.exe * 2460 | 2007-2-2 16:41:0
    C:/PROGRA~1/3721/CnsM.dll | 2007-4-17 11:25:54
    C:/PROGRA~1/3721/helper.dll | 2006-12-27 10:29:52
    C:/Program Files/CNNIC/Cdn/imaoe.dll | 2007-4-21 19:1:38
    C:/Program Files/CNNIC/Cdn/cdnforie.dll | 2007-4-21 19:2:38
    C:/Program Files/CNNIC/Cdn/cdndet.dll | 2007-4-21 19:1:32
D:/软件/QQ/QQ.exe * 156 | 2007-2-2 19:0:12
    C:/PROGRA~1/3721/CnsM.dll | 2007-4-17 11:25:54
    C:/PROGRA~1/3721/helper.dll | 2006-12-27 10:29:52
    C:/Program Files/CNNIC/Cdn/imaoe.dll | 2007-4-21 19:1:38
    C:/Program Files/CNNIC/Cdn/cdnforie.dll | 2007-4-21 19:2:38
    C:/Program Files/CNNIC/Cdn/cdndet.dll | 2007-4-21 19:1:32

O2 - BHO CdnForIE Class - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:/PROGRA~1/CNNIC/Cdn/cdnforie.dll

O2 - BHO  - {669751ED-D558-49AE-B01A-3B374CC7910E} - C:/WINDOWS/system32/ssup.dll

O4 - HKLM/../Run: [CdnCtr] C:/Program Files/CNNIC/Cdn/cdnup.exe

O4 - HKLM/../Run: [CnsM.dll] Rundll32.exe C:/PROGRA~1/3721/CnsM.dll,Rundll32

O4 - HKLM/../Run: [helper.dll] C:/WINDOWS/system32/rundll32.exe C:/PROGRA~1/3721/helper.dll,Rundll32

O21 - SSODL - rdshost(4) - {CD5BAE98-08ED-4D9C-8D7E-B3B4F958E61C} = rdshost.dll

O23 - 服务: ADProt (ADProt) - C:/WINDOWS/system32/drivers/ADProt.sys | 2007-4-21 18:52:48(系统)

O23 - 服务: cdnprot (cdnprot) - system32/drivers/cdnprot.sys(引导)

O23 - 服务: phbpcre (phbpcre) - system32/drivers/phbpcre.sys(禁用)

O23 - 服务: pjjgkej (pjjgkej) - C:/WINDOWS/System32/drivers/pjjgkej.sys | 2007-4-23 10:15:4(引导)
---/

其中 O21 好像是某MSN蠕虫用的东东的残留项目,其它的主要是流氓软件和广告软件了

用HijackThis、卡卡安全助手和Dr.Web CureIt查杀修复。 

标签:Files,Trojan,21,amc,CNNIC,dll,Program,2007,OnlineGames
From: https://blog.51cto.com/endurer/5919656

相关文章