Original by endurer
2007-05-08, first edition
A friend said his computer had been running very slowly lately and asked me to help check it over.
I downloaded pe_xscan, scanned, and analysed the log; the following suspicious items turned up:
/---
pe_xscan 07-04-12 by Purple Endurer
2007-5-8 12:12:51
Windows XP Service Pack 2(5.1.2600)
Administrators group
[System Process] * 0
C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/~Tm22.tmp.rom | 1987-5-8 10:59:4
C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/~Tm23.tmp..rom | 2007-5-8 10:59:4
C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/hyso0.dll | 2007-5-8 10:58:52
C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/qqso0.dll | 2007-5-8 10:58:52
C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/myso0.dll | 2007-5-8 10:58:52
C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/wgs0.dll | 2007-5-8 10:58:52
C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/wls0.dll | 2007-5-8 10:58:52
C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/wos0.dll | 2007-5-8 10:58:50
C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/rxso0.dll | 2007-5-8 10:58:48
C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/ztso0.dll | 2007-5-8 10:58:48
C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/mhso0.dll | 2007-5-8 10:58:46
C:/WINDOWS/System32/svchost.exe * 884 | 2004-8-17 12:0:0 | Microsoft® Windows® Operating System | 5.1.2600.2180 | Generic Host Process for Win32 Services | © Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | svchost.exe | svchost.exe
c:/windows/system32/syst.dll | 2007-3-22 19:35:54
C:/WINDOWS/Explorer.EXE * 264 | 2004-8-17 12:0:0 | Microsoft(R) Windows(R) Operating System | 6.00.2900.2180 | Windows Explorer | (C) Microsoft Corporation. All rights reserved. | 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | explorer | EXPLORER.EXE
C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/mhso0.dll | 2007-5-8 10:58:46
C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/ztso0.dll | 2007-5-8 10:58:48
C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/rxso0.dll | 2007-5-8 10:58:48
C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/wos0.dll | 2007-5-8 10:58:50
C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/wgs0.dll | 2007-5-8 10:58:52
C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/wls0.dll | 2007-5-8 10:58:52
C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/myso0.dll | 2007-5-8 10:58:52
C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/qqso0.dll | 2007-5-8 10:58:52
C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/hyso0.dll | 2007-5-8 10:58:52
C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/~Tm22.tmp.rom | 1987-5-8 10:59:4
C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/~Tm23.tmp..rom | 2007-5-8 10:59:4
C:/Program Files/Common Files/Real/Update_OB/realsched.exe * 272 | 2006-8-24 11:18:44 | RealPlayer (32-bit) | 0.1.0.3510 | RealNetworks Scheduler | Copyright © RealNetworks, Inc. 1995-2004 | 0.1.0.3510 | RealNetworks, Inc. | RealAudio(tm) is a trademark of RealNetworks, Inc. | schedapp | realsched.exe
C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/~Tm22.tmp.rom | 1987-5-8 10:59:4
D:/KAVStart.exe * 1688 | 2006-11-11 16:44:34 | Kingsoft Internet Security | 7, 6, 0, 212 | Kingsoft Security Center | Copyright (C) 2000 - 2006 Kingsoft Inc (KIS International Team), All Rights Reserved. | 2006, 11, 10, 212 | Kingsoft Corporation | Kingsoft | KAVStart | KAVStart.EXE
C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/~Tm22.tmp.rom | 1987-5-8 10:59:4
C:/WINDOWS/wos3.exe * 1064 | 2007-3-26 10:10:8
C:/WINDOWS/wos3.exe | 2007-3-26 10:10:8
C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/wos0.dll | 2007-5-8 10:58:50
C:/WINDOWS/wls3.exe * 1016 | 2007-3-26 10:10:20
C:/WINDOWS/wls3.exe | 2007-3-26 10:10:20
C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/wls0.dll | 2007-5-8 10:58:52
C:/WINDOWS/wgs3.exe * 976 | 2007-3-26 10:10:28
C:/WINDOWS/wgs3.exe | 2007-3-26 10:10:28
C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/wgs0.dll | 2007-5-8 10:58:52
D:/KMailMon.EXE * 2172 | 2006-11-11 16:44:34 | Kingsoft Internet Security | 7, 6, 0, 19 | Kingsoft Antivirus Mail Monitor | Copyright © 2000 - 2006 Kingsoft Inc (KIS International Team), All Rights Reserved. | 2006, 9, 7, 918 | Kingsoft Corporation | Kingsoft | MailMon | KMailMon.EXE
C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/~Tm22.tmp.rom | 1987-5-8 10:59:4
C:/WINDOWS/SOUNDMAN.EXE * 2196 | 2006-1-11 23:8:36 | Realtek Sound Manager | 5, 1, 0, 51 | Realtek Sound Manager | Copyright (c) 2001-2004 Realtek Semiconductor Corp. | 5, 1, 0, 51 | Realtek Semiconductor Corp. | | ALSMTray | ALSMTray.exe
C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/~Tm22.tmp.rom | 1987-5-8 10:59:4
C:/WINDOWS/system32/ctfmon.exe * 2224 | 2004-8-17 12:0:0 | Microsoft® Windows® Operating System | 5.1.2600.2180 | CTF Loader | © Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | CTFMON | CTFMON.EXE
C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/~Tm22.tmp.rom | 1987-5-8 10:59:4
D:/KPFW32.EXE * 2412 | 2006-11-11 16:44:36 | Kingsoft Internet Security | 7, 6, 0, 19 | Kingsoft Firewall | Copyright (C) 2000 - 2006 Kingsoft Inc (KIS International Team), All Rights Reserved. | 2006, 10, 24, 658 | Kingsoft Corporation | Kingsoft | KPFW32.EXE | KPFW32.EXE
C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/~Tm22.tmp.rom | 1987-5-8 10:59:4
O2 - BHO - {8298D101-F992-43B7-8ECA-5052D885B996} - C:/WINDOWS/system32/rs.bin
O4 - HKCR/../Run: [3u] C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/iexpl0re.exe
O4 - HKCR/../Run: [tuj] C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/rundl132.exe
O4 - HKCR/../Run: [wc2imbevyfqu7g] C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/winlog0n.exe
O4 - HKLM/../Run: [mhsa] C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/mhso.exe
O4 - HKLM/../Run: [ztsa] C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/ztso.exe
O4 - HKLM/../Run: [rxsa] C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/rxso.exe
O4 - HKLM/../Run: [wos3] C:/WINDOWS/wos3.exe
O4 - HKLM/../Run: [wls3] C:/WINDOWS/wls3.exe
O4 - HKLM/../Run: [wgs3] C:/WINDOWS/wgs3.exe
O4 - HKLM/../Run: [wms3] C:/WINDOWS/wms3.exe
O4 - HKLM/../Run: [jts3] C:/WINDOWS/jts3.exe
O4 - HKLM/../Run: [qqs3] C:/WINDOWS/qqs3.exe
O4 - HKLM/../Run: [mysa] C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/myso.exe
O4 - HKLM/../Run: [qqsa] C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/qqso.exe
O4 - HKLM/../Run: [hysa] C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/hyso.exe
O4 - HKLM/../Run: [kernelmh] C:/WINDOWS/Kernelmh.exe
O23 - Service: ERSvc (Error Reporting Service) - C:/WINDOWS/System32/svchost.exe -k netsvcs -> C:/WINDOWS/system32/syst.dll | 2007-3-22 19:35:54 (Automatic)
O24 - [F] - {754FB7D8-B8FE-4810-B363-A788CD060F1F} = F
O24 - [F] - {A6011F8F-A7F8-49AA-9ADA-49127D43138F} = F
O24 - [C] - {729B6C61-BDC5-4C09-A1DE-A296BA0B89EC} = C
O24 - [] - {91B1E846-2BEF-4345-8848-7699C7C9935F} = C:/Program Files/Common Files/Microsoft Shared/MSINFO/SysWFGQQ2.dll
---/
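What separates the entries worth chasing from the rest of the log above is visible in the lines themselves: an O4 autorun that launches from a Temp directory, a file name one character away from a Windows binary (iexpl0re, rundl132, winlog0n), a BHO served from a file that is not a .dll (rs.bin), and a svchost-hosted service whose ServiceDll is not the one the genuine service uses (syst.dll under ERSvc). As an added example, not pe_xscan's or HijackThis's own code, here is that checklist as a Python script run over a constructed subset of the log. Assumptions: the [SoundMan] line is constructed as a benign control (SOUNDMAN.EXE is in the process list but has no O4 entry on the page), the expected-ServiceDll table holds the Windows XP defaults for ERSvc and wuauserv, and the lookalike check is a plain edit-distance test against a short list of system binary names.

```python
"""Triage of HijackThis-style O2/O4/O23 entries (added example, not pe_xscan's code)."""
import re

# Constructed subset of the log above. The [SoundMan] line is constructed as a benign
# control; SOUNDMAN.EXE appears in the process list but has no O4 entry on the page.
SAMPLE_LOG = """\
O2 - BHO - {8298D101-F992-43B7-8ECA-5052D885B996} - C:/WINDOWS/system32/rs.bin
O4 - HKCR/../Run: [3u] C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/iexpl0re.exe
O4 - HKCR/../Run: [tuj] C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/rundl132.exe
O4 - HKCR/../Run: [wc2imbevyfqu7g] C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/winlog0n.exe
O4 - HKLM/../Run: [mhsa] C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/mhso.exe
O4 - HKLM/../Run: [wos3] C:/WINDOWS/wos3.exe
O4 - HKLM/../Run: [kernelmh] C:/WINDOWS/Kernelmh.exe
O4 - HKLM/../Run: [SoundMan] C:/WINDOWS/SOUNDMAN.EXE
O23 - Service: ERSvc (Error Reporting Service) - C:/WINDOWS/System32/svchost.exe -k netsvcs -> C:/WINDOWS/system32/syst.dll | 2007-3-22 19:35:54 (Automatic)
"""

# Windows binaries this malware family imitates by swapping one character
# (iexpl0re, rundl132, winlog0n).
SYSTEM_NAMES = {"iexplore.exe", "rundll32.exe", "winlogon.exe", "svchost.exe", "explorer.exe",
                "smss.exe", "csrss.exe", "lsass.exe", "services.exe", "ctfmon.exe"}

# ServiceDll the genuine svchost-hosted service loads on Windows XP (assumed defaults).
EXPECTED_SERVICE_DLL = {"ersvc": "ersvc.dll", "wuauserv": "wuauserv.dll"}

TEMP_DIR = re.compile(r"[\\/]Temp[\\/]", re.IGNORECASE)
O2_RE = re.compile(r"^O2 - BHO - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - \S+[\\/]\.\.[\\/]Run: \[[^\]]*\] (?P<path>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<svc>\S+) .*?-> (?P<dll>\S+)")


def edit_distance(a, b):
    """Levenshtein distance with a rolling row; inputs are short file names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(filename):
    """The system binary this name is one edit away from, or None (an exact match is not a lookalike)."""
    name = filename.lower()
    if name in SYSTEM_NAMES:
        return None
    for known in sorted(SYSTEM_NAMES):
        if edit_distance(name, known) == 1:
            return known
    return None


def basename(path):
    return re.split(r"[\\/]", path.strip())[-1]


def triage_line(line):
    """Parse one entry; return (file it loads, reasons) or None for lines not handled."""
    m = O4_RE.match(line)
    if m:
        path = m.group("path")
        reasons = []
        if TEMP_DIR.search(path):
            reasons.append("autorun from a Temp directory")
        imitated = lookalike_of(basename(path))
        if imitated:
            reasons.append(f"name imitates {imitated}")
        return basename(path), reasons
    m = O2_RE.match(line)
    if m:
        name = basename(m.group("path"))
        reasons = [] if name.lower().endswith(".dll") else ["BHO loaded from a non-.dll file"]
        return name, reasons
    m = O23_RE.match(line)
    if m:
        name = basename(m.group("dll"))
        expected = EXPECTED_SERVICE_DLL.get(m.group("svc").lower())
        reasons = []
        if expected and name.lower() != expected:
            reasons.append(f"ServiceDll is {name}, the genuine service uses {expected}")
        return name, reasons
    return None


def triage(log_text):
    """{loaded file: reasons} for every entry that tripped at least one check."""
    flagged = {}
    for line in log_text.splitlines():
        parsed = triage_line(line)
        if parsed and parsed[1]:
            flagged[parsed[0]] = parsed[1]
    return flagged


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_LOG).items():
        print(f"{name}: {'; '.join(reasons)}")
```

Six of the nine entries trip a check. wos3.exe and Kernelmh.exe do not: nothing in the registry line itself is odd about a plain executable under C:/WINDOWS, which is why the files themselves had to be examined next (timestamps, missing version resources, MD5) and the AV verdicts consulted. Treat the output as a list of things to look at, not as a verdict.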
Checking c:/windows and c:/windows/system32 turned up a whole pile of suspicious files, for example:
/---
D:/tools/bat_do>dir c:/windows/system32 /a /od
 Volume in drive C has no label.
 Volume Serial Number is 40FB-AD0B
 Directory of c:/windows/system32
(omitted)
2007-03-22 19:25 70,413 dongdi.exe
2007-03-22 19:35 256,000 syst.dll
2007-03-22 19:35 256,000 sysi.dll
2007-03-22 19:35 21,657 wanmei.exe
2007-03-22 19:35 26,037 moyu.exe
2007-03-22 19:35 70,413 chajian.exe
2007-03-22 19:35 58,369 rs.bin
2007-03-24 09:07 23,657 update.txt.exe
2007-03-24 09:07 23,657 update.txt.bat
2007-03-24 19:45 13,312 NTUP1.dll
2007-03-27 11:42 17,408 WOW3.exe.bat
2007-03-27 11:51 32 sinfo.ini
2007-03-30 09:35 20,845 xy2.exe.bat
2007-04-02 08:18 32,380 xy2ok.exe.bat
2007-04-05 03:06 215,264 FNTCACHE.DAT
2007-04-16 08:18 11,264 mutou.exe.exe
2007-04-16 08:18 11,264 mutou.exe.bat
2007-04-17 08:38 25,088 s159.exe.bat
2007-04-18 12:52 24,086 szzy.exe.bat
(omitted)
---/
I downloaded FileInfo and bat_do from http://purpleendurer.ys168.com and used FileInfo to extract information about some of the files.
File : C:/WINDOWS/10Sy.exe
Attributes : A---
Failed to get file version info size!
Created : 2007-3-22 19:7:25
Modified : 2007-3-24 8:42:40
Accessed : 2007-5-8 0:0:0
Size : 72568 bytes 70.888 KB
MD5 : 12b7b3d7773dcf24492e83ffcc34eb86
Rising reports it as Trojan.PSW.QQhx.af
File : C:/WINDOWS/wms3.exe
Attributes : A---
Failed to get file version info size!
Created : 2007-3-26 10:10:30
Modified : 2007-3-26 10:10:32
Accessed : 2007-5-8 0:0:0
Size : 69730 bytes 68.98 KB
MD5 : d39aa9d7c7448d126ca6cc8f54ce0a21
Kaspersky reports it as Trojan.Win32.Pakes, Rising reports it as Trojan.PSW.OnlineGames.xb
File : C:/WINDOWS/jts3.exe
Attributes : A---
Failed to get file version info size!
Created : 2007-3-26 10:10:32
Modified : 2007-3-26 10:10:34
Accessed : 2007-5-8 0:0:0
Size : 69095 bytes 67.487 KB
MD5 : b009e2c68ad3be89fc97365769f50a3a
Kaspersky reports it as Trojan-PSW.Win32.OnLineGames.bs, Rising reports it as Trojan.PSW.OnlineGames.xd
File : C:/WINDOWS/system32/dongdi.exe
Attributes : A---
Failed to get file version info size!
Created : 2007-3-22 19:25:41
Modified : 2007-3-22 19:25:42
Accessed : 2007-5-8 0:0:0
Size : 70413 bytes 68.781 KB
MD5 : c95ddf24696e51abcc08d83a44dba90b
Kaspersky reports it as not-a-virus:AdWare.Win32.Delf.g, Rising reports it as Trojan.DL.Bho.iv
File : C:/WINDOWS/system32/wanmei.exe
Attributes : A---
Failed to get file version info size!
Created : 2007-3-22 19:35:52
Modified : 2007-3-22 19:35:54
Accessed : 2007-5-8 0:0:0
Size : 21657 bytes 21.153 KB
MD5 : 9c97cc090d9c87fcb797a212e12b327f
File : C:/WINDOWS/system32/moyu.exe
Attributes : A---
Failed to get file version info size!
Created : 2007-3-22 19:35:53
Modified : 2007-3-22 19:35:56
Accessed : 2007-5-8 0:0:0
Size : 26037 bytes 25.437 KB
MD5 : 434ebf20c6532f2fec71c208e53f42aa
File : C:/WINDOWS/system32/rs.bin
Attributes : A---
Failed to get file version info size!
Created : 2007-3-22 19:25:42
Modified : 2007-3-22 19:35:58
Accessed : 2007-5-8 0:0:0
Size : 58369 bytes 57.1 KB
MD5 : 536a919d0cc058c00a73cb1a3f266f12
File : C:/WINDOWS/system32/chajian.exe
Attributes : A---
Failed to get file version info size!
Created : 2007-3-22 19:35:55
Modified : 2007-3-22 19:35:58
Accessed : 2007-5-8 0:0:0
Size : 70413 bytes 68.781 KB
MD5 : c95ddf24696e51abcc08d83a44dba90b
Kaspersky reports it as not-a-virus:AdWare.Win32.Delf.g, Rising reports it as Trojan.DL.Bho.iv
File : C:/WINDOWS/system32/update.txt.exe
Attributes : A---
Failed to get file version info size!
Created : 2007-3-24 9:7:33
Modified : 2007-3-24 9:7:34
Accessed : 2007-5-8 0:0:0
Size : 23657 bytes 23.105 KB
MD5 : c385ed2bc5ea41568892a4a0b6e5f0ab
Rising reports it as Trojan.DL.Multi.whn
File : C:/WINDOWS/system32/update.txt.bat
Attributes : A---
Failed to get file version info size!
Created : 2007-3-24 9:7:33
Modified : 2007-3-24 9:7:34
Accessed : 2007-5-8 0:0:0
Size : 23657 bytes 23.105 KB
MD5 : c385ed2bc5ea41568892a4a0b6e5f0ab
File : C:/WINDOWS/system32/xy2.exe.bat
Attributes : A---
Failed to get file version info size!
Created : 2007-3-30 9:35:7
Modified : 2007-3-30 9:35:8
Accessed : 2007-5-8 0:0:0
Size : 20845 bytes 20.365 KB
MD5 : c168697e596c7183ab28eee23e3ed73e
File : C:/WINDOWS/system32/xy2ok.exe.bat
Attributes : A---
Failed to get file version info size!
Created : 2007-4-2 8:18:30
Modified : 2007-4-2 8:18:32
Accessed : 2007-5-8 0:0:0
Size : 32380 bytes 31.636 KB
MD5 : c014040a36e1ae2c4294a18d24756c88
Kaspersky reports it as Backdoor.Win32.PcClient.za, Rising reports it as Backdoor.Gpigeon.voo
File : C:/WINDOWS/system32/mutou.exe.exe
Attributes : A---
Failed to get file version info size!
Created : 2007-4-5 8:31:32
Modified : 2007-4-16 8:18:46
Accessed : 2007-5-8 0:0:0
Size : 11264 bytes 11.0 KB
MD5 : 900c5ccc44a5f7a58952f4bdac0c7e5e
File : C:/WINDOWS/system32/mutou.exe.bat
Attributes : A---
Failed to get file version info size!
Created : 2007-4-5 9:58:1
Modified : 2007-4-16 8:18:48
Accessed : 2007-5-8 0:0:0
Size : 11264 bytes 11.0 KB
MD5 : 900c5ccc44a5f7a58952f4bdac0c7e5e
File : C:/WINDOWS/system32/szzy.exe.bat
Attributes : A---
Failed to get file version info size!
Created : 2007-4-18 12:52:40
Modified : 2007-4-18 12:52:42
Accessed : 2007-5-8 0:0:0
Size : 24086 bytes 23.534 KB
MD5 : 47c6c4411c19f9d3c8f321b9eb299dc1
I used bat_do to pack some of them up as a backup.
I downloaded Dr.Web CureIt and ran a scan; the results:
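Three facts in the FileInfo records above do the work: the files carry no version resource, several share an MD5 under different names (dongdi.exe and chajian.exe; update.txt.exe and update.txt.bat; mutou.exe.exe and mutou.exe.bat), and many carry a double extension. The script below is an added example, not FileInfo's or bat_do's code: it produces the same kind of record for every file in a directory, groups identical content by hash so that every copy of a dropper is removed together, and flags double extensions. Assumptions: it builds its own sample directory with placeholder bytes under the names from the system32 listing, since the real files are not available; SHA-256 is recorded alongside MD5 because MD5 is only good for matching the vendor reports above, not as proof of identity; the version-resource check is left out because it needs a PE parser.

```python
"""FileInfo-style records, duplicate grouping and double-extension flagging (added example)."""
import hashlib
import os
import re
import tempfile
from collections import defaultdict

# name.ext1.ext2 where the last part is an executable type (update.txt.exe, xy2.exe.bat,
# mutou.exe.exe). A heuristic for review, not a verdict: vcredist.x86.exe would trip it too.
DOUBLE_EXT = re.compile(r"\.[A-Za-z0-9]{1,4}\.(?:exe|bat|com|pif|scr|dll|bin)$", re.IGNORECASE)


def file_digests(path, chunk=65536):
    """MD5 (to match the vendor reports above) and SHA-256 (collision-resistant) of one file."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            md5.update(block)
            sha.update(block)
    return md5.hexdigest(), sha.hexdigest()


def describe(path):
    """One record per file: size, the three timestamps, both digests, double-extension flag.
    st_ctime is the creation time on Windows but the inode change time on Unix."""
    st = os.stat(path)
    md5, sha = file_digests(path)
    return {
        "path": path,
        "size": st.st_size,
        "created": st.st_ctime,
        "modified": st.st_mtime,
        "accessed": st.st_atime,
        "md5": md5,
        "sha256": sha,
        "double_ext": bool(DOUBLE_EXT.search(os.path.basename(path))),
    }


def scan(directory):
    """Records for every regular file directly under directory."""
    records = []
    for name in sorted(os.listdir(directory)):
        full = os.path.join(directory, name)
        if os.path.isfile(full):
            records.append(describe(full))
    return records


def duplicates(records):
    """{sha256: [names]} for content that appears under more than one name."""
    groups = defaultdict(list)
    for rec in records:
        groups[rec["sha256"]].append(os.path.basename(rec["path"]))
    return {h: sorted(names) for h, names in groups.items() if len(names) > 1}


def double_extensions(records):
    return sorted(os.path.basename(r["path"]) for r in records if r["double_ext"])


def build_sample(directory):
    """Constructed stand-ins: the names come from the system32 listing above, the
    contents are harmless placeholder bytes, not the original files."""
    contents = {
        b"placeholder A": ["dongdi.exe", "chajian.exe"],
        b"placeholder B": ["update.txt.exe", "update.txt.bat"],
        b"placeholder C": ["mutou.exe.exe", "mutou.exe.bat"],
        b"placeholder D": ["syst.dll"],
        b"placeholder E": ["sysi.dll"],
        b"placeholder F": ["xy2ok.exe.bat"],
    }
    for data, names in contents.items():
        for name in names:
            with open(os.path.join(directory, name), "wb") as fh:
                fh.write(data)


def demo():
    """Build the sample directory, scan it, and return what a responder wants to see."""
    with tempfile.TemporaryDirectory() as d:
        build_sample(d)
        records = scan(d)
        return {
            "records": records,
            "duplicates": duplicates(records),
            "double_extensions": double_extensions(records),
        }


if __name__ == "__main__":
    result = demo()
    for digest, names in result["duplicates"].items():
        print(digest[:16], "shared by", ", ".join(names))
    print("double extensions:", ", ".join(result["double_extensions"]))
```

Grouping by hash matters during cleanup: a dropper that writes itself under two names (one of which an AV may miss or fail to read) comes back if only the detected copy is deleted, and the shared hash is also what lets you carry one vendor verdict over to the other copy.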
==========================
Dr.Web(R) Scanner for Windows v4.33.2 (4.33.2.10067)
Copyright (c) Igor Daniloff, 1992-2006
Log generated on: 2007-05-08, 12:18:30 [Administrator]
Operating system:Windows XP Professional x86 (Build 2600), Service Pack 2
==========================
c:/documents and settings/administrator/local settings/temp/hyso.exe infected with Trojan.PWS.Wsgame - deleted
c:/documents and settings/administrator/local settings/temp/mhso.exe infected with Trojan.PWS.Wsgame - deleted
c:/documents and settings/administrator/local settings/temp/myso.exe infected with Trojan.PWS.Wsgame- deleted
c:/documents and settings/administrator/local settings/temp/qqso.exe infected with Trojan.PWS.Wsgame- deleted
>c:/documents and settings/administrator/local settings/temp/rundl132.exe infected with Trojan.PWS.Wsgame- deleted
c:/documents and settings/administrator/local settings/temp/rxso.exe infected with Trojan.PWS.Wsgame- deleted
>c:/documents and settings/administrator/local settings/temp/winlog0n.exe infected with Trojan.PWS.Wsgame- deleted
c:/documents and settings/administrator/local settings/temp/ztso.exe infected with Trojan.PWS.Wsgame- deleted
c:/program files/common files/microsoft shared/msinfo/syswfgqq2.dll infected with Trojan.PWS.Qqpass.623 - deleted
c:/windows/jts3.exe - read error
>c:/windows/kernelmh.exe infected with Trojan.PWS.Wow - deleted
c:/windows/qqs3.exe infected with Trojan.PWS.Wsgame- deleted
c:/windows/wgs3.exe infected with Trojan.PWS.Wsgame- deleted
c:/windows/wls3.exe infected with Trojan.PWS.Wsgame- deleted
c:/windows/wms3.exe - read error
c:/windows/wos3.exe infected with Trojan.PWS.Wsgame- deleted
C:/Documents and Settings/Administrator/Local Settings/Temp/mhso0.dll infected with Trojan.PWS.Wsgame- will be cured after reboot
C:/Documents and Settings/Administrator/Local Settings/Temp/ztso0.dll infected with Trojan.PWS.Wsgame- will be cured after reboot
C:/Documents and Settings/Administrator/Local Settings/Temp/rxso0.dll infected with Trojan.PWS.Wsgame- will be cured after reboot
C:/Documents and Settings/Administrator/Local Settings/Temp/wos0.dll infected with Trojan.PWS.Wsgame- will be cured after reboot
C:/Documents and Settings/Administrator/Local Settings/Temp/wls0.dll infected with Trojan.PWS.Wsgame- will be cured after reboot
C:/Documents and Settings/Administrator/Local Settings/Temp/iexpl0re.exe - read error
C:/Documents and Settings/Administrator/Local Settings/Temp/wgs0.dll infected with Trojan.PWS.Wsgame- will be cured after reboot
C:/Documents and Settings/Administrator/Local Settings/Temp/qqso0.dll infected with Trojan.PWS.Wsgame- will be cured after reboot
C:/Documents and Settings/Administrator/Local Settings/Temp/hyso0.dll infected with Trojan.PWS.Wsgame- will be cured after reboot
>C:/Documents and Settings/Administrator/Local Settings/Temp/~Tm22.tmp.rom probably infected with DLOADER.Trojan
C:/Documents and Settings/Administrator/Local Settings/Temp/~Tm23.tmp..rom infected with Trojan.PWS.Wsgame- will be cured after reboot
>C:/Program Files/Common Files/System/commond.pifC:/Program Files/Internet Explorer/WINLOGON.EXE infected with Trojan.PWS.Wsgame- deleted
C:/Program Files/Thunder Network/Thunder/Program/Ad/n1175509284861.swf infected with Trojan.PWS.Wsgame- deleted
>C:/WINDOWS/KB726255.logC:/WINDOWS/SMSS.EXE infected with Trojan.PWS.Wsgame- deleted
C:/WINDOWS/8Sy.exe infected with Trojan.PWS.Wsgame- deleted
C:/WINDOWS/9Sy.exe infected with Trojan.PWS.Wsgame- deleted
C:/WINDOWS/wms3.exe - read error
C:/WINDOWS/jts3.exe - read error
C:/WINDOWS/system32/sysi.dll probably infected with DLOADER.Trojan
C:/WINDOWS/system32/syst.dll probably infected with DLOADER.Trojan
>C:/WINDOWS/system32/moyu.exe>C:/WINDOWS/system32/fengyun.exe infected with Trojan.PWS.Qqpass.503 - deleted
C:/WINDOWS/system32/chuanqi.exe infected with Trojan.PWS.Lineage - deleted
>C:/WINDOWS/system32/windowstools.exe infected with Trojan.PWS.Gamania - deleted
>C:/WINDOWS/system32/xy2.exe.bat>C:/WINDOWS/system32/xy2ok.exe.bat probably infected with BACKDOOR.Trojan
C:/WINDOWS/system32/s159.exe.bat - read error
>>C:/WINDOWS/system32/szzy.exe.bat probably infected with DLOADER.Trojan
C:/WINDOWS/system32/WOW3.exe.bat - read error
>C:/WINDOWS/system32/sl_xy2.exe.bat infected with Trojan.PWS.Wsgame- deleted
>C:/WINDOWS/system32/sl_my0324.exe.bat infected with Trojan.PWS.Wsgame- deleted
C:/WINDOWS/system32/feizhujixi.exe.bat infected with Trojan.PWS.Wsgame- deleted
>C:/WINDOWS/system32/sl_wl0325.exe.bat infected with Trojan.PWS.Wsgame- deleted
I downloaded HijackThis from http://endurer.ys168.com and fixed every item except the O24 ones; then downloaded auto_del to delete the leftovers at the next startup (when adding a file to delete, if it prompts "File does not exist or is a directory, add anyway?", click Yes).
I installed Rising Kaka Security Assistant (瑞星卡卡安全助手) and uninstalled the O24 items.