Infected with Viking: caught CONFIG.EXE, NTDLL32.dll, webpnt.exe and more

Yesterday, just after I got to work, a colleague said his computer was very slow and asked me to take a look.

Opening Task Manager, I saw things like IEXPLORE.New, so it was definitely infected.

I downloaded pe_xscan and scanned to produce a log, rebooted into Safe Mode with Networking, ran the online web analysis, and found the following suspicious items:

pe_xscan 07-03-17 by Purple Endurer

2007-4-4 8:26:38

Windows XP Service Pack 2(5.1.2600)

Administrators group

[System Process] * 0
    C:/Program Files/Internet Explorer/PLUGINS/SystemKb.sys | 2007-4-4 8:8:6
    C:/Program Files/Internet Explorer/IEXPLORE.Dat | 2007-4-4 8:8:10
    C:/Program Files/Internet Explorer/IEXPLORE.Sys | 2007-4-4 8:8:6
C:/WINDOWS/system32/winlogon.exe * 548 | 2004-8-17 12:0:0 | Microsoft(R) Windows(R) Operating System | 5.1.2600.2180 | Windows NT Logon Application | (C) Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | winlogon | WINLOGON.EXE
    C:/WINDOWS/system32/C01B1EF6.DLL | 2007-4-4 8:8:8 | Microsoft(R) Windows(R) Operating System| ?| ? | (C) Microsoft Corporation. All rights reserved.| ? | Microsoft Corporation| ?| ?| ?
    C:/WINDOWS/system32/FF7A0ADE.DLL | 2007-4-4 8:8:8 | Microsoft(R) Windows(R) Operating System| ?| ? | (C) Microsoft Corporation. All rights reserved.| ? | Microsoft Corporation| ?| ?| ?
C:/Program Files/Rising/Rav/CCenter.exe * 872 | 2006-8-16 17:12:22 | Rising Antivirus Software | 18, 0, 0, 3 | CCenter | Copyright Rising  2002 | 18, 0, 0, 3 | Beijing Rising Technology Co., Ltd. |  | Beijing Rising Technology Co., Ltd. | CCenter.exe
    C:/Program Files/Internet Explorer/IEXPLORE.Dat | 2007-4-4 8:8:10
    C:/Program Files/Internet Explorer/IEXPLORE.win | 2007-4-4 8:8:8
    C:/Program Files/Internet Explorer/IEXPLORE.Sys | 2007-4-4 8:8:6
    C:/Program Files/Internet Explorer/PLUGINS/SystemKb.sys | 2007-4-4 8:8:6
    C:/Program Files/Common Files/Microsoft Shared/MSINFO/NewInfo.rxk | 2007-4-4 8:8:6
C:/WINDOWS/System32/svchost.exe * 888 | 2004-8-17 12:0:0 | Microsoft® Windows® Operating System | 5.1.2600.2180 | Generic Host Process for Win32 Services | © Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | svchost.exe | svchost.exe
    C:/Program Files/Internet Explorer/IEXPLORE.Dat | 2007-4-4 8:8:10
    C:/Program Files/Internet Explorer/IEXPLORE.win | 2007-4-4 8:8:8
    C:/Program Files/Internet Explorer/IEXPLORE.Sys | 2007-4-4 8:8:6
    C:/Program Files/Internet Explorer/PLUGINS/SystemKb.sys | 2007-4-4 8:8:6
    C:/Program Files/Common Files/Microsoft Shared/MSINFO/NewInfo.rxk | 2007-4-4 8:8:6
Explorer.EXE * 1312
C:/program files/internet explorer/iexplore.exe * 1612 | 2004-8-17 20:0:0 | Microsoft(R) Windows(R) Operating System | 6.00.2900.2180 | Internet Explorer | (C) Microsoft Corporation. All rights reserved. | 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | iexplore | IEXPLORE.EXE
    C:/Program Files/Internet Explorer/PLUGINS/SystemKb.sys | 2007-4-4 8:8:6
    C:/WINDOWS/system32/mcdsrv32_070402.dll | 2007-4-4 8:8:0
    C:/WINDOWS/system32/AlxTB1.dll | 2006-10-31 8:7:44 | AlxTB Module | 1, 0, 0, 1 | AlxTB Module | Copyright 2000-2003 | 7, 2, 0, 2 | Alexa Internet| ? | AlxTB | AlxTB.DLL
    C:/Program Files/Internet Explorer/IEXPLORE.Dat | 2007-4-4 8:8:10
    C:/Program Files/Internet Explorer/IEXPLORE.Sys | 2007-4-4 8:8:6
    C:/Program Files/Common Files/Microsoft Shared/MSINFO/NewInfo.rxk | 2007-4-4 8:8:6
    C:/Program Files/Internet Explorer/IEXPLORE.win | 2007-4-4 8:8:8
C:/CONFIG.EXE * 1908 | 2007-3-30 8:29:24
C:/Program Files/Common Files/Microsoft Shared/MSINFO/system.2dt * 2000 | 2007-3-29 16:19:30
    C:/Program Files/Common Files/Microsoft Shared/MSINFO/NewInfo.rxk | 2007-4-4 8:8:6
    C:/Program Files/Internet Explorer/IEXPLORE.Dat | 2007-4-4 8:8:10
    C:/Program Files/Internet Explorer/IEXPLORE.win | 2007-4-4 8:8:8
    C:/Program Files/Internet Explorer/IEXPLORE.Sys | 2007-4-4 8:8:6
    C:/Program Files/Internet Explorer/PLUGINS/SystemKb.sys | 2007-4-4 8:8:6
C:/Program Files/Internet Explorer/PLUGINS/system2.jmp * 2024 | 2007-3-29 16:24:50
    C:/Program Files/Internet Explorer/PLUGINS/SystemKb.sys | 2007-4-4 8:8:6
    C:/Program Files/Internet Explorer/IEXPLORE.Dat | 2007-4-4 8:8:10
    C:/Program Files/Internet Explorer/IEXPLORE.win | 2007-4-4 8:8:8
    C:/Program Files/Internet Explorer/IEXPLORE.Sys | 2007-4-4 8:8:6
    C:/Program Files/Common Files/Microsoft Shared/MSINFO/NewInfo.rxk | 2007-4-4 8:8:6
C:/Program Files/Internet Explorer/IEXPLORE.ime * 2044 | 2007-3-30 11:52:22
    C:/Program Files/Internet Explorer/IEXPLORE.Sys | 2007-4-4 8:8:6
    C:/Program Files/Internet Explorer/IEXPLORE.Dat | 2007-4-4 8:8:10
    C:/Program Files/Internet Explorer/IEXPLORE.win | 2007-4-4 8:8:8
    C:/Program Files/Internet Explorer/PLUGINS/SystemKb.sys | 2007-4-4 8:8:6
    C:/Program Files/Common Files/Microsoft Shared/MSINFO/NewInfo.rxk | 2007-4-4 8:8:6
C:/Program Files/Internet Explorer/IEXPLORE.New * 192 | 2007-3-30 14:50:18
    C:/Program Files/Internet Explorer/IEXPLORE.win | 2007-4-4 8:8:8
    C:/Program Files/Internet Explorer/IEXPLORE.Dat | 2007-4-4 8:8:10
    C:/Program Files/Internet Explorer/IEXPLORE.Sys | 2007-4-4 8:8:6
    C:/Program Files/Internet Explorer/PLUGINS/SystemKb.sys | 2007-4-4 8:8:6
    C:/Program Files/Common Files/Microsoft Shared/MSINFO/NewInfo.rxk | 2007-4-4 8:8:6
C:/WINDOWS/system32/B4C050A.exe * 220 | 2007-4-4 8:8:8
    C:/Program Files/Internet Explorer/PLUGINS/SystemKb.sys | 2007-4-4 8:8:6
    C:/Program Files/Internet Explorer/IEXPLORE.Dat | 2007-4-4 8:8:10
    C:/Program Files/Internet Explorer/IEXPLORE.Sys | 2007-4-4 8:8:6
    C:/Program Files/Common Files/Microsoft Shared/MSINFO/NewInfo.rxk | 2007-4-4 8:8:6
    C:/Program Files/Internet Explorer/IEXPLORE.win | 2007-4-4 8:8:8
C:/WINDOWS/system32/D97A73FB.exe * 224 | 2007-4-4 8:8:8
    C:/Program Files/Internet Explorer/PLUGINS/SystemKb.sys | 2007-4-4 8:8:6
    C:/Program Files/Internet Explorer/IEXPLORE.Dat | 2007-4-4 8:8:10
    C:/Program Files/Internet Explorer/IEXPLORE.Sys | 2007-4-4 8:8:6
    C:/Program Files/Common Files/Microsoft Shared/MSINFO/NewInfo.rxk | 2007-4-4 8:8:6
    C:/Program Files/Internet Explorer/IEXPLORE.win | 2007-4-4 8:8:8
C:/Program Files/Internet Explorer/IEXPLORE.jmp * 248 | 2007-3-30 14:50:18
    C:/Program Files/Internet Explorer/IEXPLORE.Dat | 2007-4-4 8:8:10
    C:/Program Files/Internet Explorer/IEXPLORE.win | 2007-4-4 8:8:8
    C:/Program Files/Internet Explorer/IEXPLORE.Sys | 2007-4-4 8:8:6
    C:/Program Files/Internet Explorer/PLUGINS/SystemKb.sys | 2007-4-4 8:8:6
    C:/Program Files/Common Files/Microsoft Shared/MSINFO/NewInfo.rxk | 2007-4-4 8:8:6
C:/WINDOWS/SOUNDMAN.EXE * 420 | 2006-3-2 16:22:4 | Realtek Sound Manager | 5, 1, 0, 52 | Realtek Sound Manager | Copyright (c) 2001-2004 Realtek Semiconductor Corp. | 5, 1, 0, 52 | Realtek Semiconductor Corp. |  | ALSMTray | ALSMTray.exe
    C:/Program Files/Internet Explorer/PLUGINS/SystemKb.sys | 2007-4-4 8:8:6
    C:/Program Files/Internet Explorer/IEXPLORE.Dat | 2007-4-4 8:8:10
    C:/Program Files/Internet Explorer/IEXPLORE.Sys | 2007-4-4 8:8:6
C:/Program Files/Rising/Rav/RavTask.exe * 488 | 2006-8-16 17:12:22 | Rising Antivirus Software | 18, 0, 0, 22 | RavTimer | Copyright (c) 1998-2006 Rising Corp. | 18, 0, 0, 22 | Beijing Rising Technology Co., Ltd. |  | Beijing Rising Technology Co., Ltd. | RavTimer.exe
    C:/Program Files/Internet Explorer/PLUGINS/SystemKb.sys | 2007-4-4 8:8:6
    C:/Program Files/Internet Explorer/IEXPLORE.Dat | 2007-4-4 8:8:10
    C:/Program Files/Internet Explorer/IEXPLORE.Sys | 2007-4-4 8:8:6
    C:/Program Files/Common Files/Microsoft Shared/MSINFO/NewInfo.rxk | 2007-4-4 8:8:6
C:/Program Files/Tencent/QQLive/MiniQQLive.exe * 520 | 2007-3-1 15:18:44 | RTX | 3,5,200,2281 | QQLive |  | 3,5,200,2281 | Tencent |  | MiniQQLive |
    C:/Program Files/Internet Explorer/PLUGINS/SystemKb.sys | 2007-4-4 8:8:6
    C:/Program Files/Internet Explorer/IEXPLORE.Dat | 2007-4-4 8:8:10
    C:/Program Files/Internet Explorer/IEXPLORE.Sys | 2007-4-4 8:8:6
    C:/Program Files/Common Files/Microsoft Shared/MSINFO/NewInfo.rxk | 2007-4-4 8:8:6
C:/Program Files/Common Files/Real/Update_OB/realsched.exe * 744 | 2006-12-9 18:9:44 | RealPlayer (32-bit)  | 0.1.0.3512 | RealNetworks Scheduler | Copyright © RealNetworks, Inc. 1995-2004 | 0.1.0.3512 | RealNetworks, Inc. | RealAudio(tm) is a trademark of RealNetworks, Inc. | schedapp | realsched.exe
    C:/Program Files/Internet Explorer/PLUGINS/SystemKb.sys | 2007-4-4 8:8:6
    C:/Program Files/Internet Explorer/IEXPLORE.Dat | 2007-4-4 8:8:10
    C:/Program Files/Internet Explorer/IEXPLORE.Sys | 2007-4-4 8:8:6
c:/windows/system32/webpnt.exe * 1072 | 2007-4-2 14:45:8 | Microsoft Web Printer | 5.2600.2180 | Microsoft Web Printer | (C) Microsoft Corporation. All rights reserved. | 5.2600.2180 | Microsoft Corporation| ? | WEBPNT | WEBPNT.EXE
    c:/windows/system32/webpnt.exe | 2007-4-2 14:45:8 | Microsoft Web Printer | 5.2600.2180 | Microsoft Web Printer | (C) Microsoft Corporation. All rights reserved. | 5.2600.2180 | Microsoft Corporation| ? | WEBPNT | WEBPNT.EXE
    C:/Program Files/Internet Explorer/IEXPLORE.Dat | 2007-4-4 8:8:10
    C:/Program Files/Internet Explorer/IEXPLORE.win | 2007-4-4 8:8:8
    C:/Program Files/Internet Explorer/IEXPLORE.Sys | 2007-4-4 8:8:6
    C:/Program Files/Internet Explorer/PLUGINS/SystemKb.sys | 2007-4-4 8:8:6
    C:/Program Files/Common Files/Microsoft Shared/MSINFO/NewInfo.rxk | 2007-4-4 8:8:6
C:/WINDOWS/system32/ctfmon.exe * 1164 | 2004-8-17 12:0:0 | Microsoft® Windows® Operating System | 5.1.2600.2180 | CTF Loader | © Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | CTFMON | CTFMON.EXE
    C:/Program Files/Internet Explorer/PLUGINS/SystemKb.sys | 2007-4-4 8:8:6
    C:/Program Files/Internet Explorer/IEXPLORE.Dat | 2007-4-4 8:8:10
    C:/Program Files/Internet Explorer/IEXPLORE.Sys | 2007-4-4 8:8:6
    C:/Program Files/Common Files/Microsoft Shared/MSINFO/NewInfo.rxk | 2007-4-4 8:8:6
    C:/Program Files/Internet Explorer/IEXPLORE.win | 2007-4-4 8:8:8
C:/WINDOWS/system32/conime.exe * 1216 | 2004-8-17 12:0:0 | Microsoft® Windows® Operating System | 5.1.2600.2180 | Console IME | © Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | Console | CONIME.EXE
    C:/Program Files/Internet Explorer/PLUGINS/SystemKb.sys | 2007-4-4 8:8:6
    C:/Program Files/Internet Explorer/IEXPLORE.Dat | 2007-4-4 8:8:10
    C:/Program Files/Internet Explorer/IEXPLORE.Sys | 2007-4-4 8:8:6
C:/program files/Internet Explorer/IEXPLORE.EXE * 2236 | 2004-8-17 20:0:0 | Microsoft(R) Windows(R) Operating System | 6.00.2900.2180 | Internet Explorer | (C) Microsoft Corporation. All rights reserved. | 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | iexplore | IEXPLORE.EXE
    C:/Program Files/Internet Explorer/PLUGINS/SystemKb.sys | 2007-4-4 8:8:6
    C:/WINDOWS/system32/AlxTB1.dll | 2006-10-31 8:7:44 | AlxTB Module | 1, 0, 0, 1 | AlxTB Module | Copyright 2000-2003 | 7, 2, 0, 2 | Alexa Internet| ? | AlxTB | AlxTB.DLL
    C:/Program Files/Internet Explorer/IEXPLORE.Dat | 2007-4-4 8:8:10
    C:/Program Files/Internet Explorer/IEXPLORE.Sys | 2007-4-4 8:8:6
    C:/Program Files/Common Files/Microsoft Shared/MSINFO/NewInfo.rxk | 2007-4-4 8:8:6
    C:/Program Files/Internet Explorer/IEXPLORE.win | 2007-4-4 8:8:8
C:/Program Files/Common Files/Microsoft Shared/MSINFO/system.2dt * 2840 | 2007-3-29 16:19:30
    C:/Program Files/Common Files/Microsoft Shared/MSINFO/system.2dt | 2007-3-29 16:19:30
    C:/Program Files/Common Files/Microsoft Shared/MSINFO/NewInfo.rxk | 2007-4-4 8:8:6
C:/Program Files/Internet Explorer/PLUGINS/system2.jmp * 2860 | 2007-3-29 16:24:50
    C:/Program Files/Internet Explorer/PLUGINS/system2.jmp | 2007-3-29 16:24:50
    C:/Program Files/Internet Explorer/PLUGINS/SystemKb.sys | 2007-4-4 8:8:6
C:/Program Files/Internet Explorer/IEXPLORE.ime * 2880 | 2007-3-30 11:52:22
    C:/Program Files/Internet Explorer/IEXPLORE.ime | 2007-3-30 11:52:22
    C:/Program Files/Internet Explorer/IEXPLORE.Sys | 2007-4-4 8:8:6
C:/Program Files/Internet Explorer/IEXPLORE.New * 2904 | 2007-3-30 14:50:18
    C:/Program Files/Internet Explorer/IEXPLORE.New | 2007-3-30 14:50:18
    C:/Program Files/Internet Explorer/IEXPLORE.win | 2007-4-4 8:8:8
C:/Program Files/Internet Explorer/IEXPLORE.jmp * 2924 | 2007-3-30 14:50:18
    C:/Program Files/Internet Explorer/IEXPLORE.jmp | 2007-3-30 14:50:18
    C:/Program Files/Internet Explorer/IEXPLORE.Dat | 2007-4-4 8:8:10
C:/WINDOWS/system32/dllcache/ykwcs.exe * 2824 | 2007-4-4 8:9:48
C:/WINDOWS/system32/svchost.exe * 2932 | 2004-8-17 12:0:0 | Microsoft® Windows® Operating System | 5.1.2600.2180 | Generic Host Process for Win32 Services | © Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | svchost.exe | svchost.exe
    C:/Program Files/Internet Explorer/IEXPLORE.Dat | 2007-4-4 8:8:10
    C:/Program Files/Internet Explorer/IEXPLORE.win | 2007-4-4 8:8:8
    C:/Program Files/Internet Explorer/IEXPLORE.Sys | 2007-4-4 8:8:6
    C:/Program Files/Internet Explorer/PLUGINS/SystemKb.sys | 2007-4-4 8:8:6
    C:/Program Files/Common Files/Microsoft Shared/MSINFO/NewInfo.rxk | 2007-4-4 8:8:6
C:/Program Files/Internet Explorer/IEXPLORE.EXE * 652 | 2004-8-17 20:0:0 | Microsoft(R) Windows(R) Operating System | 6.00.2900.2180 | Internet Explorer | (C) Microsoft Corporation. All rights reserved. | 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | iexplore | IEXPLORE.EXE
    C:/WINDOWS/system32/AlxTB1.dll | 2006-10-31 8:7:44 | AlxTB Module | 1, 0, 0, 1 | AlxTB Module | Copyright 2000-2003 | 7, 2, 0, 2 | Alexa Internet| ? | AlxTB | AlxTB.DLL
iexplore.exe * 3096
iexplore.exe * 3540
SVCHOSI.exe * 3828

F2 - REG: system.ini: UserInit=C:/WINDOWS/system32/userinit.exe,rundll32.exe C:/WINDOWS/system32/mcdsrv16_070402.dll start

O1 - Hosts: 127.0.0.1     locator.metadata.windowsmedia.com
O1 - Hosts: 127.0.0.1     onlinestore.smgbb.cn

O2 - BHO Advance Helper - {8E25AC4A-B129-451B-BEE2-3B510BB751DA} - C:/WINDOWS/system32/NTDLL32.dll
O2 - BHO IE Browser Helper - {D0903A3B-F0EA-434a-9742-98C5335C7946} - C:/WINDOWS/system32/IEHelper.dll
O2 - BHO AlxTB BHO Class - {F1FABE79-25FC-46de-8C5A-2C6DB9D64333} - C:/WINDOWS/system32/AlxTB1.dll

O4 - HKCR/../Run: [msr1e4er6] C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/servicer.exe
O4 - HKCR/../Run: [w48jmh4480mz] C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/winlog0n.exe
O4 - HKCR/../Run: [h4rr1] C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/c0nime.exe
O4 - HKCR/../Run: [kgs7kj4zt] C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/cftmon.exe
O4 - HKCR/../Run: [9erjfccm] C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/iexpl0re.exe
O4 - HKCR/../Run: [sz] C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/Servere.exe
O4 - HKCR/../Run: [hc1m1h305f7] C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/crasos.exe
O4 - HKCR/../Run: [zkeczl5mjug1] C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/rundl132.exe
O4 - HKCR/../Run: [svc] C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/byetmr.exe
O4 - HKCR/../Run: [System Boot Check] C:/Documents and Settings/Administrator/Local Settings/Temporary Internet Files/Content.IE5/CVQ5OL86/qq[1].exe
O4 - HKLM/../Run: [NMGameX_AutoRun] C:/WINDOWS/system32/Rundll32.exe NMGameX.dll,LiveProcess /aa
O4 - HKLM/../Run: [cmdbcs] C:/WINDOWS/cmdbcs.exe
O4 - HKLM/../Run: [SVCHOSI] C:/Program Files/Internet Explorer/SVCHOSI.exe
O4 - HKLM/../Run: [Windows Media Player] C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/Windows Media Player.exe

O8 - IE context-menu extra item: Alexa Web Search - http://client.alexa.com/holiday/script/actions/search.htm
O8 - IE context-menu extra item: Get Alexa Data - http://client.alexa.com/holiday/script/actions/sitedata.htm
O8 - IE context-menu extra item: Mail to a Friend... - http://client.alexa.com/holiday/script/actions/mailto.htm
O8 - IE context-menu extra item: See Related Links - http://client.alexa.com/holiday/script/actions/related.htm
O8 - IE context-menu extra item: Write a Review... - http://client.alexa.com/holiday/script/actions/review.htm

O9 - IE toolbar extension button HKCR: 雨林木风 - {06A70D58-8D40-49DD-B46B-DC00AA3ADCA4} - http://www.ylmf.com
O9 - IE Tools-menu extension item HKCR: - {06A70D58-8D40-49DD-B46B-DC00AA3ADCA4} - http://www.ylmf.com

O20 - AppInit_DLLs: C:/WINDOWS/system32/NTDLL32.dll

O23 - Service: C01B1EF6 (C01B1EF6) - C:/WINDOWS/system32/C01B1EF6.EXE -service | 2007-3-30 15:12:26 | Microsoft(R) Windows(R) Operating System| ?| ? | (C) Microsoft Corporation. All rights reserved.| ? | Microsoft Corporation| ?| ?| ?(Automatic)

O23 - Service: FF7A0ADE (FF7A0ADE) - C:/WINDOWS/system32/FF7A0ADE.EXE -service | 2007-4-4 8:27:8 | Microsoft(R) Windows(R) Operating System| ?| ? | (C) Microsoft Corporation. All rights reserved.| ? | Microsoft Corporation| ?| ?| ?(Automatic)

O23 - Service: JRAID () - System32/Drivers/JRAID.SYS | JMicron JR036X RAID Driver | 5.1.2600.1040 | JMicron JR036X RAID Driver | Copyright (C) JMicron Technology Corp. 2005-2006 | 5.1.2600.1040 built by: WinDDK | JMicron Technology Corp.| ? | JRAID.SYS 1.04.04 | JRAID.SYS(Boot)

O23 - Service: mv614x () - System32/Drivers/mv614x.sys(Boot)

O23 - Service: NPF (Netgroup Packet Filter) - system32/DRIVERS/npf.sys | WinPcap Netgroup Packet Filter Driver | 3, 1, 0, 27 | npf | Copyright © 2005 CACE Technologies. Copyright © 2003-2005 NetGroup, Politecnico di Torino. | 3, 1, 0, 27 | CACE Technologies |  | NPF + TME  | npf.sys(Manual)

O23 - Service: TomDemoService (TomDemoService) - C:/CONFIG.EXE | 2007-3-30 8:29:24(Automatic)

O23 - Service: vmscsi () - System32/Drivers/vmscsi.sys | VMware, Inc. Script1 Application | 1, 2, 0, 0 | VMware SCSI Controller | Copyright © 1998-2003 VMware, Inc. | 1, 2, 0, 0 | VMware, Inc. |  | vmscsi.sys | vmscsi.sys(Boot)

O23 - Service: WebPrint (WebPrint) - c:/windows/system32/webprint.exe | 2007-4-2 14:45:8 | Microsoft Web Printer | 5.2600.2180 | Microsoft Web Printer | (C) Microsoft Corporation. All rights reserved. | 5.2600.2180 | Microsoft Corporation| ? | WEBPNT | WEBPNT.EXE(Automatic)

O23 - Service: Windows Firewall (Windows Firewall) - C:/WINDOWS/system32/SVCH0ST.EXE | 2007-3-30 16:18:30(Automatic)

O23 - Service: wuauserv (Automatic Updates) - C:/WINDOWS/system32/drivers/svchost.exe | 2007-4-4 8:9:48(Automatic)

O24 - [] - {A6011F8F-A7F8-49AA-9ADA-49127D43138F} = C:/Program Files/Common Files/Microsoft Shared/MSINFO/NewInfo.rxk
O24 - [] - {754FB7D8-B8FE-4810-B363-A788CD060F1F} = C:/Program Files/Internet Explorer/PLUGINS/SystemKb.sys
O24 - [] - {99F1D023-7CEB-4586-80F7-BB1A98DB7602} = C:/Program Files/Internet Explorer/IEXPLORE.Sys
O24 - [] - {923509F1-45CB-4EC0-BDE0-1DED35B8FD60} = C:/Program Files/Internet Explorer/IEXPLORE.win
O24 - [] - {FEB94F5A-69F3-4645-8C2B-9E71D270AF2E} = C:/Program Files/Internet Explorer/IEXPLORE.Dat
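
The entries above carry most of the tells a practitioner looks for without needing a signature: UserInit chained to a second binary (F2), a DLL in AppInit_DLLs so that it is injected into every process (O20), autostarts from Temp and Temporary Internet Files whose names are one character off a system binary (cftmon, c0nime, iexpl0re, winlog0n, rundl132, SVCH0ST, SVCHOSI), a genuine svchost.exe name in the wrong directory (system32/drivers), services with hex-only names, and GUID-registered modules with non-DLL extensions (.rxk, .Sys, .win, .Dat) that the process listing shows loaded into nearly every process. The script below is an added example, not code from the original post or from pe_xscan: it parses lines in this log format and reports exactly those properties. The edit-distance threshold, the hex-name rule and the Windows root of C:\WINDOWS are my assumptions; the sample lines are copied (some abridged) from the log above, plus one constructed benign entry.

```python
"""Triage HijackThis-style autostart entries (F2/O2/O4/O20/O23/O24 lines as
written by pe_xscan) for the masquerading tricks seen in this log.
Added example for this write-up; not code from the original post or pe_xscan."""
import re
from typing import List, NamedTuple, Optional

# Assumption: Windows lives in C:\WINDOWS (true for the log above).
WINROOT = "c:/windows"

# Where each genuine binary lives; the same name anywhere else is suspect.
EXPECTED_DIR = {name: WINROOT + "/system32" for name in (
    "svchost.exe", "winlogon.exe", "conime.exe", "ctfmon.exe", "userinit.exe",
    "rundll32.exe", "csrss.exe", "services.exe", "lsass.exe", "ntdll.dll")}
EXPECTED_DIR["explorer.exe"] = WINROOT
EXPECTED_DIR["iexplore.exe"] = "c:/program files/internet explorer"

TEMP_DIRS = ("/temp/", "/temporary internet files/")
# A drive-letter path up to the first executable-type extension (spaces allowed).
PATH_RE = re.compile(r"[a-z]:[\\/][^|,]*?\.(?:exe|dll|sys|scr|com|cpl|ocx)\b", re.I)
HEX_NAME_RE = re.compile(r"^[0-9a-f]{7,8}t?\.(?:exe|dll)$", re.I)  # C01B1EF6.EXE, FF7A0ADET.EXE


class Finding(NamedTuple):
    line: str
    reason: str


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: Levenshtein plus adjacent
    transpositions, so 'cftmon' is one edit away from 'ctfmon'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def lookalike(name: str) -> Optional[str]:
    """Return the system binary `name` imitates: one edit away (svch0st,
    SVCHOSI, rundl132) or equal once digits are stripped (NTDLL32.dll)."""
    name = name.lower()
    if name in EXPECTED_DIR:
        return None
    for real in EXPECTED_DIR:
        if osa_distance(name, real) == 1 or re.sub(r"\d", "", name) == real:
            return real
    return None


def triage(lines: List[str]) -> List[Finding]:
    """Return one Finding per suspicious property of each log line."""
    findings: List[Finding] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        tag = line.split(" ", 1)[0]
        paths = [p.replace("\\", "/").lower() for p in PATH_RE.findall(line)]
        if tag == "O20" and paths:
            findings.append(Finding(line, "AppInit_DLLs set: injected into every process that loads user32.dll"))
        if tag == "F2" and len(paths) > 1:
            findings.append(Finding(line, "UserInit chained to a second binary"))
        if tag in ("O2", "O24"):  # in-process modules: the value is the last field
            module = (line.split(" = ", 1) if tag == "O24" else line.rsplit(" - ", 1))[-1].strip()
            if not module.lower().endswith(".dll"):
                findings.append(Finding(line, "in-process module with a non-DLL extension: " + module))
        for path in paths:
            folder, name = path.rsplit("/", 1)
            real = lookalike(name)
            if real:
                findings.append(Finding(line, f"{name} imitates {real}"))
            elif name in EXPECTED_DIR and folder != EXPECTED_DIR[name]:
                findings.append(Finding(line, f"{name} outside {EXPECTED_DIR[name]}"))
            if any(t in path for t in TEMP_DIRS):
                findings.append(Finding(line, "autostart from a temporary directory"))
            if HEX_NAME_RE.match(name):
                findings.append(Finding(line, "hex-only file name"))
            if folder.endswith(":"):
                findings.append(Finding(line, "executable in the drive root"))
    return findings


# Sample input: lines copied or abridged from the log above, plus a constructed
# benign [ctfmon] entry; the NMGameX Rundll32 line is a real benign control.
SAMPLE_LOG = [
    "F2 - REG: system.ini: UserInit=C:/WINDOWS/system32/userinit.exe,rundll32.exe C:/WINDOWS/system32/mcdsrv16_070402.dll start",
    "O2 - BHO Advance Helper - {8E25AC4A-B129-451B-BEE2-3B510BB751DA} - C:/WINDOWS/system32/NTDLL32.dll",
    "O4 - HKCR/../Run: [kgs7kj4zt] C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/cftmon.exe",
    "O4 - HKLM/../Run: [NMGameX_AutoRun] C:/WINDOWS/system32/Rundll32.exe NMGameX.dll,LiveProcess /aa",
    "O4 - HKLM/../Run: [SVCHOSI] C:/Program Files/Internet Explorer/SVCHOSI.exe",
    "O4 - HKLM/../Run: [ctfmon] C:/WINDOWS/system32/ctfmon.exe",  # constructed, benign
    "O20 - AppInit_DLLs: C:/WINDOWS/system32/NTDLL32.dll",
    "O23 - Service: C01B1EF6 (C01B1EF6) - C:/WINDOWS/system32/C01B1EF6.EXE -service | 2007-3-30 15:12:26(Automatic)",
    "O23 - Service: TomDemoService (TomDemoService) - C:/CONFIG.EXE | 2007-3-30 8:29:24(Automatic)",
    "O23 - Service: Windows Firewall (Windows Firewall) - C:/WINDOWS/system32/SVCH0ST.EXE | 2007-3-30 16:18:30(Automatic)",
    "O23 - Service: wuauserv (Automatic Updates) - C:/WINDOWS/system32/drivers/svchost.exe | 2007-4-4 8:9:48(Automatic)",
    "O24 - [] - {A6011F8F-A7F8-49AA-9ADA-49127D43138F} = C:/Program Files/Common Files/Microsoft Shared/MSINFO/NewInfo.rxk",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason:58s} <- {f.line[:72]}")
```

Run as-is it prints the findings for the embedded sample; feed it the O-entry section of a full pe_xscan or HijackThis log to triage another machine. The look-alike check uses optimal string alignment distance rather than plain Levenshtein so that a transposition (cftmon for ctfmon) counts as one edit, while the stock [ctfmon] and Rundll32 entries produce nothing. Every rule that fires is a lead to confirm by hand (version info, signature, on-disk hash), not a verdict.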

The Rising antivirus on this machine was still the 2006 version and could no longer be updated.

Some of the items are similar to those in "Warned only yesterday, and today a netizen clicked a URL in a QQ message and got Worm.Viking.pk/Worm.Win32.Viking.jg":
http://endurer.bokee.com/6174316.html
http://blog.sina.com.cn/u/49926d910100080b

I downloaded the Viking removal tool from the Jiangmin site and sent it over to the user to scan with; sure enough, it cleaned some of it.

Then I ran Rising's free online scan, which turned up another pile:
2007-4-4 10:45:7 Rising Antivirus Helper
Windows XP Service Pack 2(5.1.2600)
File name    Virus name
C:/WINDOWS/system32/cmdbcs.dll Trojan.PSW.OnlineGames.aao
C:/WINDOWS/system32/C01B1EF6.EXE Trojan.IMMSG.TBMSG.df
C:/WINDOWS/system32/C01B1EF6T.EXE Trojan.IMMSG.TBMSG.df
C:/WINDOWS/system32/C01B1EF6.DLL Trojan.IMMSG.TBMSG.df
C:/WINDOWS/system32/D97A73FB.exe Trojan.DL.Agent.mry
C:/WINDOWS/system32/FF7A0ADE.EXE Trojan.IMMSG.TBMSG.dh
C:/WINDOWS/system32/FF7A0ADET.EXE Trojan.IMMSG.TBMSG.dh
C:/WINDOWS/system32/FF7A0ADE.DLL Trojan.IMMSG.Tbmsg.dg
C:/WINDOWS/system32/B4C050A.exe Trojan.IMMSG.TBMSG.dh
C:/WINDOWS/system32/kdjs1.exe>>upack0.36 Trojan.Clicker.PopHot.cq
C:/WINDOWS/system32/ridiap070402.exe>>upack0.36 Trojan.Clicker.PopHot.cq
C:/WINDOWS/system32/scrie070402.scr>>upack0.36 Trojan.Clicker.PopHot.cq
C:/WINDOWS/system32/SVCH0ST.EXE Backdoor.Agent.ibv
C:/WINDOWS/cmdbcs.exe Trojan.PSW.OnlineGames.aaq
C:/Documents and Settings/Administrator/Local Settings/Temp/ck3.exe.exe>>UPX Trojan.PSW.Agent.jqu
C:/Documents and Settings/Administrator/Local Settings/Temp/Qqzo0.dll Trojan.PSW.OnlineGames.yo
C:/Documents and Settings/Administrator/Local Settings/Temp/LgSy0.dll>>UPX Trojan.PSW.XYOnline.nc
C:/Documents and Settings/Administrator/Local Settings/Temp/lg.dll Trojan.PSW.LMir.mhl
C:/Documents and Settings/Administrator/Local Settings/Temp/banner.jpg>>UPX Trojan.PSW.QQPass.rtq
C:/Documents and Settings/Administrator/Local Settings/Temp/LgSy1.dll>>UPX Trojan.PSW.XYOnline.nc
C:/Documents and Settings/Administrator/Local Settings/Temp/Qqzo1.dll Trojan.PSW.OnlineGames.yo
C:/Documents and Settings/Administrator/Local Settings/Temp/Rav30.dll>>UPX Trojan.PSW.OnlineGames.yq
C:/Documents and Settings/Administrator/Local Settings/Temp/Msxo1.dll>>UPX Trojan.PSW.OnlineGames.yw
C:/Documents and Settings/Administrator/Local Settings/Temp/LgSy2.dll>>UPX Trojan.PSW.OnlineGames.yv
C:/Documents and Settings/Administrator/Local Settings/Temp/Gjzo1.dll>>UPX Trojan.PSW.OnlineGames.yu
C:/Documents and Settings/Administrator/Local Settings/Temp/Rav31.dll>>UPX Trojan.PSW.OnlineGames.yq
C:/Documents and Settings/Administrator/Local Settings/Temp/Rav21.dll>>upack0.34 Trojan.PSW.OnlineGames.yx
C:/Documents and Settings/Administrator/Local Settings/Temp/Wmzo1.dll>>UPX Trojan.PSW.OnlineGames.yz
C:/Documents and Settings/Administrator/Local Settings/Temp/Gjzo0.dll>>UPX Trojan.PSW.OnlineGames.yu
C:/Documents and Settings/Administrator/Local Settings/Temp/Msxo0.dll>>UPX Trojan.PSW.OnlineGames.yw
C:/Documents and Settings/Administrator/Local Settings/Temp/Rav20.dll>>upack0.34 Trojan.PSW.OnlineGames.yx
C:/Documents and Settings/Administrator/Local Settings/Temp/Wmzo0.dll>>UPX Trojan.PSW.OnlineGames.yz
C:/Documents and Settings/Administrator/Local Settings/Temp/shua.exe.exe>>UPX Trojan.PSW.QQPass.rvt
C:/Program Files/Common Files/Microsoft Shared/MSInfo/NewInfo.rxk Trojan.PSW.QQPass.rug
C:/Program Files/Internet Explorer/PLUGINS/system2.jmp Trojan.PSW.QQPass.rtw
C:/Program Files/Internet Explorer/PLUGINS/SystemKb.sys Trojan.PSW.QQPass.rtn
C:/Program Files/Internet Explorer/IEXPLORE.Sys Trojan.PSW.QQPass.rtq
C:/Program Files/Internet Explorer/IEXPLORE.win Trojan.PSW.QQPass.rtp
C:/Program Files/Internet Explorer/IEXPLORE.Dat Trojan.PSW.QQPass.rts
C:/Program Files/Internet Explorer/IEXPLORE.Tmp Trojan.PSW.Agent.jqu
C:/Program Files/Internet Explorer/IEXPLORE.Bak Trojan.PSW.QQPass.rvt
C:/CONFIG.EXE>>fsg2.0 Trojan.DL.Delf.yfw
D:/mie.com>>upack0.36 Trojan.Clicker.PopHot.cq

Download the Rising Antivirus Helper from http://endurer.ys168.com to deal with these. The O24 entries could not be deleted (they have to be unloaded from memory with IceSword first), so I used the delete-on-next-boot function.

Then I downloaded Dr.Web CureIt and scanned: another pile, many of them Windows system files infected with Trojan.Starter.171. It looks like Jiangmin's Viking removal tool still needs further updates.

Dr.Web(R) Scanner for Windows v4.33.2 (4.33.2.10067)
Log generated on: 2007-04-04, 10:49:36 [Administrator]

c:/documents and settings/localservice/local settings/temporary internet files/content.ie5/6yb6gzi7/qq[1].exe infected with Trojan.DownLoader.17951 - deleted
c:/program files/internet explorer/plugins/systemkb.sys infected with Trojan.PWS.Qqpass.510 - will be cured after reboot
c:/windows/inf/unregmp2.exe infected with Trojan.Starter.171 - cured
c:/windows/system32/alg.exe infected with Trojan.Starter.171 - cured
……
c:/windows/system32/vssvc.exe infected with Trojan.Starter.171 - cured
c:/windows/system32/wbem/wmiapsrv.exe infected with Trojan.Starter.171 - cured
c:/windows/system32/wdfmgr.exe infected with Trojan.Starter.171 - cured
C:/Program Files/Common Files/Microsoft Shared/asoee.exe probably infected with DLOADER.Trojan
C:/Program Files/Windows Media Player/hwswl.exe probably infected with DLOADER.Trojan
C:/Program Files/Internet Explorer/Connection Wizard/aanaa.exe probably infected with DLOADER.Trojan
C:/Program Files/Internet Explorer/PLUGINS/SystemKb.sys infected with Trojan.PWS.Qqpass.510 - will be cured after reboot
C:/WINDOWS/twunk_32.exe infected with Trojan.Starter.171 - cured
……
C:/WINDOWS/Alcrmv.exe infected with Trojan.Starter.171 - cured
C:/WINDOWS/system32/sort.exe infected with Trojan.Starter.171 - cured
……
C:/WINDOWS/system32/ayhip.exe probably infected with DLOADER.Trojan
C:/WINDOWS/system32/kmoau.exe probably infected with DLOADER.Trojan
C:/WINDOWS/system32/mcdsrv32_070402.dll probably infected with DLOADER.Trojan
C:/WINDOWS/system32/notepad.exe.delete_on_reboot.delete_on_reboot.delete_on_reboot.delete_on_reboot infected with Trojan.Starter.171 - will be cured after reboot
C:/WINDOWS/system32/drivers/kekci.exe probably infected with DLOADER.Trojan
……
C:/WINDOWS/system32/wbem/mofcomp.exe infected with Trojan.Starter.171 - cured
……
C:/WINDOWS/system32/npp/nppagent.exe infected with Trojan.Starter.171 - cured
C:/WINDOWS/system32/dllcache/twunk_32.exe infected with Trojan.Starter.171 - cured
……
C:/WINDOWS/system32/dllcache/ykwcs.exe probably infected with DLOADER.Trojan
C:/WINDOWS/system32/usmt/migload.exe infected with Trojan.Starter.171 - cured
……
C:/WINDOWS/system32/IME/kumsu.exe probably infected with DLOADER.Trojan
C:/WINDOWS/system32/IME/PINTLGNT/IMSCINST.EXE infected with Trojan.Starter.171 - cured
C:/WINDOWS/system32/Com/comrepl.exe infected with Trojan.Starter.171 - cured
C:/WINDOWS/system32/Restore/srdiag.exe infected with Trojan.Starter.171 - cured
C:/WINDOWS/system32/Macromed/Flash/genuinst.exe infected with Trojan.Starter.171 - cured
……
C:/WINDOWS/system32/ReinstallBackups/0002/DriverFiles/SOUNDMAN.EXE infected with Trojan.Starter.171 - cured
……
C:/WINDOWS/system32/NMGameX/iLobby/ilobby.exe infected with Trojan.Starter.171 - cured
C:/WINDOWS/system/bmxny.exe probably infected with DLOADER.Trojan
C:/WINDOWS/msagent/agentsvr.exe infected with Trojan.Starter.171 - cured
C:/WINDOWS/addins/ywwca.exe probably infected with DLOADER.Trojan
C:/WINDOWS/Temp/alcupd.exe infected with Trojan.Starter.171 - cured
……
C:/WINDOWS/ime/jpwb/unins000.exe infected with Trojan.Starter.171 - cured
……
C:/WINDOWS/Installer/{90110804-6000-11D3-8CFE-0150048383C9}/unbndico.exe infected with Trojan.Starter.171 - cured

Repair:

Best is to format all partitions and reinstall the system...

because cleaning this up is too much trouble...

O2 - BHO Advance Helper - {8E25AC4A-B129-451B-BEE2-3B510BB751DA} - C:/WINDOWS/system32/NTDLL32.dll
O2 - BHO IE Browser Helper - {D0903A3B-F0EA-434a-9742-98C5335C7946} - C:/WINDOWS/system32/IEHelper.dll
O20 - AppInit_DLLs: C:/WINDOWS/system32/NTDLL32.dll
Only IceSword could deal with these.