晚,一位朋友说他家的电脑最近经常死机、重启,让偶帮忙检修看看。
到 http://endurer.ys168.com 下载 HijackThis 扫描log,发现如下可疑项:
/---------
Logfile of HijackThis v1.99.1
Scan saved at 19:43:59, on 2007-02-13
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:/WINDOWS/system32/-413513.exe
C:/WINDOWS/system32/-986176.exe
C:/WINDOWS/system32/rnmkflk.exe
C:/WINDOWS/system32/tfkeeef.exe
O2 - BHO: ComBho - {1F80EA54-211C-4A3A-9C4E-C3F19D589079} - C:/WINDOWS/system32/iScreensaver.dll (file missing)
O2 - BHO: BHOImp Class - {70AFF2CB-9DA2-499C-8D15-900729FCE83D} - C:/WINDOWS/system32/YHBO.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:/program files/google/googletoolbar4.dll
O2 - BHO: QuickBtn - {D1BB7CF4-4463-4e91-88D7-ECC3CE0A13B7} - C:/Program Files/kuzhan/kuzhan.dll
O4 - HKLM/../Run: [-413513] C:/WINDOWS/system32/-413513.exe
O4 - HKLM/../Run: [-986176] C:/WINDOWS/system32/-986176.exe
O4 - HKLM/../Run: [rnmkflk] C:/WINDOWS/system32/rnmkflk.exe
O4 - HKLM/../Run: [tfkeeef] C:/WINDOWS/system32/tfkeeef.exe
O4 - HKCU/../Run: [swg] C:/Program Files/Google/GoogleToolbarNotifier/1.2.1128.5462/GoogleToolbarNotifier.exe
O4 - Global Startup: WanSo.lnk = ?
O4 - Global Startup: WNSO.lnk = C:/Program Files/Common Files/RGGZS/WNSO.exe
O4 - Global Startup: ylhkle.lnk = C:/WINDOWS/system32/ylhklek.exe
O9 - Extra button: 酷站导航 - {1D901067-2529-4A9B-9B6B-7A1DB3A44CB5} - C:/Program Files/kuzhan/kuzhan.dll
O23 - Service: Google Updater Service (gusvc) - Google - C:/Program Files/Google/Common/Google Updater/GoogleUpdaterService.exe
---------/
看到O4组那几个启动项,可以确定是中标了。
卸载:酷站导航(kuzhan)、中文上网
到 http://endurer.ys168.com 下载 瑞星杀毒助手,使用瑞星在线免费扫描,发现下列病毒:
/---------
2007-2-12 20:29:24 瑞星杀毒助手
Windows XP Service Pack 2(5.1.2600)
文件名 病毒名
C:/Documents and Settings/PLAY/Local Settings/Temp/DATA0000.EXE Harm.RavFree.lb
C:/Documents and Settings/PLAY/Local Settings/Temp/exe1.tmp Trojan.DL.QQHelper.ewg
C:/Documents and Settings/PLAY/Local Settings/Temp/fsprot.sys Trojan.Agent.yja
C:/Documents and Settings/PLAY/Local Settings/Temp/HTTPDll.dll.0.tmp Trojan.DL.Agent.mex
C:/Documents and Settings/PLAY/Local Settings/Temp/HTTPDll.tmp Trojan.DL.Agent.mex
C:/Documents and Settings/PLAY/Local Settings/Temp/moprot.sys Trojan.Agent.yiz
C:/Documents and Settings/PLAY/Local Settings/Temp/rg_lyric_039.exe>>$WINDIR/system32/YHBO.dll Trojan.DL.YBHO.a
C:/Documents and Settings/PLAY/Local Settings/Temp/rg_lyric_039.exe>>$WINDIR/system32/HTTPDll.dll Trojan.DL.Agent.mex
C:/Documents and Settings/PLAY/Local Settings/Temp/rg_lyric_039.exe>>$WINDIR/system32/lrcsys.exe Trojan.DL.YBHO.a
C:/Documents and Settings/PLAY/Local Settings/Temp/YHBO.dll.0.tmp Trojan.DL.YBHO.a
C:/Documents and Settings/PLAY/Local Settings/Temp/YHBO.tmp Trojan.DL.YBHO.a
C:/Program Files/Common Files/WANSO/Player.dll Trojan.AdPlayer.a
C:/WINDOWS/11.tmp Trojan.Agent.wxx
C:/WINDOWS/14.tmp Trojan.Agent.xqw
C:/WINDOWS/16.tmp Trojan.DL.QQHelper.eqg
C:/WINDOWS/17.tmp Trojan.Agent.zqn
C:/WINDOWS/18.tmp Trojan.DL.Adload.aer
C:/WINDOWS/20.tmp Trojan.DL.QQHelper.eqb
C:/WINDOWS/21.tmp Trojan.DL.QQHelper.eqb
C:/WINDOWS/22.tmp Trojan.DL.QQHelper.eqg
C:/WINDOWS/27.tmp Trojan.DL.QQHelper.eqb
C:/WINDOWS/28.tmp Trojan.DL.QQHelper.eqb
C:/WINDOWS/30.tmp Trojan.DL.Adload.aer
C:/WINDOWS/31.tmp Trojan.DL.Adload.aer
C:/WINDOWS/3B.tmp Trojan.DL.QQHelper.exl
C:/WINDOWS/41.tmp Trojan.Agent.ail
C:/WINDOWS/4C.tmp Trojan.Agent.xxa
C:/WINDOWS/4D.tmp Trojan.DL.QQHelper.eqf
C:/WINDOWS/4E.tmp Trojan.Agent.xxa
C:/WINDOWS/53.tmp Trojan.DL.QQHelper.eye
C:/WINDOWS/5B.tmp Trojan.Agent.xxc
C:/WINDOWS/5C.tmp Trojan.Agent.xxc
C:/WINDOWS/77.tmp Trojan.DL.QQHelper.evx
C:/WINDOWS/7B.tmp Trojan.DL.QQHelper.evx
C:/WINDOWS/81.tmp Trojan.DL.QQHelper.iq
C:/WINDOWS/82.tmp Trojan.DL.QQHelper.iq
C:/WINDOWS/88.tmp>>UPX Trojan.Agent.xex
C:/WINDOWS/89.tmp>>UPX Trojan.Agent.xex
C:/WINDOWS/8C.tmp Trojan.DL.Agent.zal
C:/WINDOWS/8E.tmp Trojan.DL.Agent.zal
C:/WINDOWS/90.tmp>>UPX Trojan.DL.Adload.amj
C:/WINDOWS/91.tmp Trojan.DL.QQHelper.eqx
C:/WINDOWS/93.tmp Trojan.DL.QQHelper.iq
C:/WINDOWS/94.tmp>>UPX Trojan.DL.Adload.amj
C:/WINDOWS/98.tmp Trojan.DL.QQHelper.iq
C:/WINDOWS/A5.tmp Trojan.DL.QQHelper
C:/WINDOWS/A6.tmp Trojan.DL.Adload.aeq
C:/WINDOWS/A7.tmp Trojan.DL.QQHelper
C:/WINDOWS/A9.tmp Trojan.DL.Adload.aeq
C:/WINDOWS/AC.tmp>>UPX Trojan.Agent.xkq
C:/WINDOWS/B2.tmp Trojan.Resun.a
C:/WINDOWS/B8.tmp Trojan.DL.QQHelper.eqx
C:/WINDOWS/BA.tmp Trojan.Agent.xxc
C:/WINDOWS/BB.tmp Trojan.Agent.xxc
C:/WINDOWS/kw_rg_lyric_039.exe Dropper.TiHs.ak
C:/WINDOWS/Setup2.exe>>$SYSDIR/rundll32.dll Trojan.Clicker.Agent.acd
C:/WINDOWS/Setup2.exe Dropper.QQHelper.a
C:/WINDOWS/system32/-15441.exe>>UPX Trojan.Agent.wou
C:/WINDOWS/system32/-413513.exe Trojan.DL.QQHelper.emb
C:/WINDOWS/system32/-986176.exe Trojan.Agent.zqn
C:/WINDOWS/system32/drivers/fkwld.sys RootKit.Agent.sa
C:/WINDOWS/system32/drivers/nwlnksipx.sys Trojan.StartPage.tns
C:/WINDOWS/system32/mssapi.dll Trojan.DL.QQHelper.eks
C:/WINDOWS/system32/rdkghdi.exe>>UPX Trojan.DL.AdLoad.aaa
C:/WINDOWS/system32/rundll32.dll Trojan.Clicker.Agent.acd
C:/WINDOWS/system32/sethp.exe Dropper.Agent.bfj
C:/WINDOWS/system32/szdj.dll Trojan.DL.QQHelper.eyw
C:/WINDOWS/system32/tfkeeef.exe Trojan.DL.Agent.cqe
C:/WINDOWS/system32/wbem/irjit.dll Trojan.DL.QQHelper.faf
C:/WINDOWS/system32/wbem/setupcnn.exe Trojan.Xema.kt
C:/WINDOWS/system32/wbem/smtpconfs.dll Trojan.DL.Agent.daa
C:/WINDOWS/system32/ylhklek.exe Trojan.DL.Agent.cqe
C:/WINDOWS/system32/zneihmh.exe Trojan.DL.Agent.cqe
C:/WINDOWS/Temp/fkwld.sys RootKit.Agent.sa
---------/
到 http://purpleendurer.ys168.com 下载了bat_do,将几个病毒文件打包备份了。
然后删除,有几个无法删除,使用了“下次启动时删除”功能。
电脑中装有的江民KV2006已过期,卸载了。
重启电脑到安全模式,江民的年卡虽然有几个,不过都送人了。下载了1个月免费版本江民KV2007安装,升级后扫描,发现了几个病毒,其中WANSO文件夹里的那几个提示重启时删除。
用 HijackThis 修复了 除 Google 外的项目。
用 pe_xscan 扫描,找到并删除注册表中包含的病毒有关项目:
/---------
pe_xscan by Purple Endurer
2007-2-12 21:23:31
Windows XP Service Pack 2(5.1.2600)
管理员用户组
O23 - 服务: front (front) - system32/drivers/front.sys | Microsoft(R) Windows NT(R) Operating System | 5.00.1639.6 | NT file system | Copyright (C) Microsoft Corp. 2006-2008 | 5.00.1639.6 | Microsoft Corporation | | front.sys | front.sys(系统)
O23 - 服务: fkwld (fkwld) - system32/drivers/fkwld.sys | Microsoft(R) Windows NT(R) Operating System | 5.00.1639.6 | NT file system | Copyright (C) Microsoft Corp. 2006-2008 | 5.00.1639.6 | Microsoft Corporation| ? | fkwld.sys | fkwld.sys(系统)
O23 - 服务: MouTALS (QoS Service) - C:/WINDOWS/SYSTEM32/RUNDLL32.EXE C:/WINDOWS/SYSTEM32/WBEM/SMTPCONFS.DLL,Export 1087(自动启动)
O23 - 服务: nwlnksipx (nwlnksipx) - C:/WINDOWS/system32/drivers/nwlnksipx.sys | Microsoft Windows Operating System | 5.1.2600.80 | NWLINK2 SIPX Protocol Driver | Microsoft Corporation. All rights reserved. | 5.1.2600.80 | Microsoft Corporation| ? | nwlnksipx.sys | nwlnksipx.sys(自动启动)
O23 - 服务: Trial (Cryptographic Machine) - C:/WINDOWS/System32/svchost.exe -k netsvcs -> C:/WINDOWS/system32/szdj.dll | Microsoft(R) Windows(R) Operating System | 5.1.2600.0 | szdj | Copyright (C) Microsoft Corporation 1990-2000 | 5.1.2600.0 | Microsoft Corporation| ? | szdj | szdj.dll(自动启动)
---------/
重启电脑后,江民KV2007开机扫描又报告WANSO文件夹里的那几个东东,要重启删除。
重启电脑,还是报告……
看来江民是搞不定了。
用pe_xscan 扫描,又发现了
/---------
O4 - Global Startup: WanSo.lnk ->
O4 - Global Startup: WNSO.lnk -> C:/Program Files/Common Files/RGGZS/WNSO.exe
---------/
估计是这两项引起的,用HijackThis修复, 总不成功。
下载安装了卡卡安全助手,升级后扫描,发现了万能搜索(WANSO),清理了。
重启电脑,江民KV2007开机扫描没有报告了,但又弹出对话框,提示加载C:/PROGRA~1/COMMON~1/WANSO/Player.dll出现问题。
检查发现
O4 - Global Startup: WanSo.lnk ->
还存在。
用 IceSword 强制删除了。
重启电脑,这次没有出错信息框。
后来江民KV又报告google的东东有问题……明天再回忆整理
今天认真检查了 pe_xscan 的 log,又发现两个可疑服务项:
一个是:
/---------
O23 - 服务: npkcusb (npkcusb) - C:/WINDOWS/system32/npkcusb.sys | nProtect KeyCrypt Driver | 4. 0. 0. 0 | nProtect KeyCrypt Driver | Copyright (C) INCA Internet. 2000-2005 | 2005. 9. 10. 1 | INCA Internet Co., Ltd.| ? | npkcusb.sys | npkcusb.sys(自动启动)
---------/
腾讯QQ 使用的 npkcusb.sys 应该是在QQ程序文件夹里。
另一个是:
/---------
O23 - 服务: roreg (roreg) - system32/drivers/roreg.sys | roreg for Windows NT | 4.027 | Windows NT Registry Driver | Copyright (C) Microsoft Corp. 2006-2008 | 4.027 | Windows System Internal| ? | roreg.sys | roreg.sys(系统)
---------/
用google在网上搜索,有资料说这个服务是WanSo用来保护自身的东东。
分析pe_xscan 的 log 的网页前几天已经写好了,就是 Windows 系统文件和服务一直偷懒没有整理,看来要尽快整理出来……
