遭遇Trojan-Spy.Win32.Delf.uv,Trojan.PSW.Win32.XYOnline,Trojan.PSW.Win32.ZhengTu等1

简介: 遭遇Trojan-Spy.Win32.Delf.uv,Trojan.PSW.Win32.XYOnline,Trojan.PSW.Win32.ZhengTu等1

昨晚一位网友说他的电脑中了病毒,金山毒霸不停的提示发现病毒WinForm2.dll,使用一段时间后会弹出倒计时关机对话框,让偶通过QQ远程协助。

让网友重启到带网络连接的安全模式,刚连上就出现了倒计时关机对话框,用shutdown -a命令停止了。

下载 pe_xscan 扫描 log 并分析,发现如下可疑项:

/===
pe_xscan 07-07-24 by Purple Endurer
2007-8-13 21:49:9
Windows XP Service Pack 2(5.1.2600)
管理员用户组
[System Process] * 0
    C:/Program Files/Internet Explorer/PLUGINS/WinSys64.Sys | 2007-8-13 15:31:54
    C:/WINDOWS/system32/jhapri.dll | 2004-8-4 15:31:54
    C:/WINDOWS/system32/zxgpri.dll | 2004-8-4 15:31:54
    C:/WINDOWS/system32/qjepri.dll | 2004-8-4 15:31:54
    C:/WINDOWS/system32/ztmpri.dll | 2004-8-4 15:31:54
    C:/WINDOWS/system32/qhcpri.dll | 2004-8-4 15:31:53
    C:/WINDOWS/system32/jzgpri.dll | 2004-8-4 15:31:53
    C:/WINDOWS/system32/xyhpri.dll | 2004-8-4 15:31:53
    C:/WINDOWS/system32/WinForm2.dll | 2004-8-4 17:2:50
C:/WINDOWS/system32/winlogon.exe * 452 | 2005-5-2 4:30:0 | Microsoft(R) Windows(R) Operating System | 5.1.2600.2180 | Windows NT Logon Application | (C) Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | winlogon | WINLOGON.EXE
    C:/WINDOWS/system32/WinForm2.dll | 2004-8-4 17:2:50
C:/WINDOWS/system32/lsass.exe * 512 | 2005-5-2 4:30:0 | Microsoft? Windows? Operating System | 5.1.2600.2180 | LSA Shell (Export Version) | ? Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | lsass.exe | lsass.exe
    C:/WINDOWS/system32/WinForm2.dll | 2004-8-4 17:2:50
C:/WINDOWS/system32/svchost.exe * 660 | 2005-5-2 4:30:0 | Microsoft? Windows? Operating System | 5.1.2600.2180 | Generic Host Process for Win32 Services | ? Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | svchost.exe | svchost.exe
    C:/WINDOWS/system32/WinForm2.dll | 2004-8-4 17:2:50
C:/WINDOWS/Explorer.EXE * 1456 | 2005-5-2 4:30:0 | Microsoft(R) Windows(R) Operating System | 6.00.2900.2180 | Windows Explorer | (C) Microsoft Corporation. All rights reserved. | 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | explorer | EXPLORER.EXE
    C:/WINDOWS/system32/WinForm2.dll | 2004-8-4 17:2:50
    C:/WINDOWS/system32/xyhpri.dll | 2004-8-4 15:31:53
    C:/WINDOWS/system32/jzgpri.dll | 2004-8-4 15:31:53
    C:/WINDOWS/system32/qhcpri.dll | 2004-8-4 15:31:53
    C:/WINDOWS/system32/ztmpri.dll | 2004-8-4 15:31:54
    C:/WINDOWS/system32/qjepri.dll | 2004-8-4 15:31:54
    C:/WINDOWS/system32/zxgpri.dll | 2004-8-4 15:31:54
    C:/WINDOWS/system32/jhapri.dll | 2004-8-4 15:31:54
    C:/Program Files/Internet Explorer/PLUGINS/WinSys64.Sys | 2007-8-13 15:31:54
C:/KAV2007/KAV32.EXE * 1968 | 2001-8-3 9:18:3 | Kingsoft Internet Security | 7, 6, 0, 19 | Kingsoft AntiVirus | Copyright (C) 2000 - 2007 Kingsoft Corporation. All rights reserved. | 2007, 7, 23, 229 | Kingsoft Corporation | Kingsoft | KAV32 | KAV32.EXE
    C:/WINDOWS/system32/WinForm2.dll | 2004-8-4 17:2:50
    C:/WINDOWS/system32/xyhpri.dll | 2004-8-4 15:31:53
    C:/WINDOWS/system32/jzgpri.dll | 2004-8-4 15:31:53
    C:/WINDOWS/system32/qhcpri.dll | 2004-8-4 15:31:53
    C:/WINDOWS/system32/ztmpri.dll | 2004-8-4 15:31:54
    C:/WINDOWS/system32/qjepri.dll | 2004-8-4 15:31:54
    C:/WINDOWS/system32/zxgpri.dll | 2004-8-4 15:31:54
    C:/WINDOWS/system32/jhapri.dll | 2004-8-4 15:31:54
    C:/Program Files/Internet Explorer/PLUGINS/WinSys64.Sys | 2007-8-13 15:31:54
C:/WINDOWS/system32/conime.exe * 812 | 2005-5-2 4:30:0 | Microsoft? Windows? Operating System | 5.1.2600.2180 | Console IME | ? Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | Console | CONIME.EXE
    C:/Program Files/Internet Explorer/PLUGINS/WinSys64.Sys | 2007-8-13 15:31:54
    C:/WINDOWS/system32/jhapri.dll | 2004-8-4 15:31:54
    C:/WINDOWS/system32/zxgpri.dll | 2004-8-4 15:31:54
    C:/WINDOWS/system32/qjepri.dll | 2004-8-4 15:31:54
    C:/WINDOWS/system32/ztmpri.dll | 2004-8-4 15:31:54
    C:/WINDOWS/system32/qhcpri.dll | 2004-8-4 15:31:53
    C:/WINDOWS/system32/jzgpri.dll | 2004-8-4 15:31:53
    C:/WINDOWS/system32/xyhpri.dll | 2004-8-4 15:31:53
C:/WINDOWS/system32/xyhins.exe * 980 | 2007-8-11 22:48:14
    C:/WINDOWS/system32/WinForm2.dll | 2004-8-4 17:2:50
    C:/WINDOWS/system32/xyhpri.dll | 2004-8-4 15:31:53
C:/WINDOWS/system32/jzgins.exe * 1092 | 2007-8-11 15:12:30
    C:/WINDOWS/system32/WinForm2.dll | 2004-8-4 17:2:50
    C:/WINDOWS/system32/jzgpri.dll | 2004-8-4 15:31:53
C:/WINDOWS/system32/qhcins.exe * 504 | 2007-8-11 22:24:24
    C:/WINDOWS/system32/WinForm2.dll | 2004-8-4 17:2:50
    C:/WINDOWS/system32/qhcpri.dll | 2004-8-4 15:31:53
C:/WINDOWS/system32/ztmins.exe * 1320 | 2007-8-12 15:22:34
    C:/WINDOWS/system32/WinForm2.dll | 2004-8-4 17:2:50
    C:/WINDOWS/system32/ztmpri.dll | 2004-8-4 15:31:54
C:/WINDOWS/system32/qjeins.exe * 1372 | 2007-8-12 19:47:24
    C:/WINDOWS/system32/jzgpri.dll | 2004-8-4 15:31:53
    C:/WINDOWS/system32/qjepri.dll | 2004-8-4 15:31:54
C:/WINDOWS/system32/zxgins.exe * 920 | 2007-8-12 20:6:8
    C:/WINDOWS/system32/qhcpri.dll | 2004-8-4 15:31:53
    C:/WINDOWS/system32/zxgpri.dll | 2004-8-4 15:31:54
C:/WINDOWS/system32/jhains.exe * 1528 | 2007-8-12 20:3:30
    C:/WINDOWS/system32/jzgpri.dll | 2004-8-4 15:31:53
    C:/WINDOWS/system32/jhapri.dll | 2004-8-4 15:31:54
C:/WINDOWS/system32/ctfmon.exe * 164 | 2005-5-2 4:30:0 | Microsoft? Windows? Operating System | 5.1.2600.2180 | CTF Loader | ? Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | CTFMON | CTFMON.EXE
    C:/WINDOWS/system32/WinForm2.dll | 2004-8-4 17:2:50
    C:/Program Files/Internet Explorer/PLUGINS/WinSys64.Sys | 2007-8-13 15:31:54
    C:/WINDOWS/system32/jhapri.dll | 2004-8-4 15:31:54
    C:/WINDOWS/system32/zxgpri.dll | 2004-8-4 15:31:54
    C:/WINDOWS/system32/qjepri.dll | 2004-8-4 15:31:54
    C:/WINDOWS/system32/ztmpri.dll | 2004-8-4 15:31:54
    C:/WINDOWS/system32/qhcpri.dll | 2004-8-4 15:31:53
    C:/WINDOWS/system32/jzgpri.dll | 2004-8-4 15:31:53
    C:/WINDOWS/system32/xyhpri.dll | 2004-8-4 15:31:53
C:/Program Files/Internet Explorer/iexplore.exe * 1536 | 2005-5-2 4:30:0 | Microsoft(R) Windows(R) Operating System | 6.00.2900.2180 | Internet Explorer | (C) Microsoft Corporation. All rights reserved. | 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | iexplore | IEXPLORE.EXE
    C:/WINDOWS/system32/zxgpri.dll | 2004-8-4 15:31:54
    C:/Program Files/Internet Explorer/PLUGINS/WinSys64.Sys | 2007-8-13 15:31:54
    C:/WINDOWS/system32/jhapri.dll | 2004-8-4 15:31:54
    C:/WINDOWS/system32/qjepri.dll | 2004-8-4 15:31:54
    C:/WINDOWS/system32/ztmpri.dll | 2004-8-4 15:31:54
    C:/WINDOWS/system32/qhcpri.dll | 2004-8-4 15:31:53
    C:/WINDOWS/system32/jzgpri.dll | 2004-8-4 15:31:53
    C:/WINDOWS/system32/xyhpri.dll | 2004-8-4 15:31:53
    C:/WINDOWS/system32/WinForm2.dll | 2004-8-4 17:2:50

F2 - REG: system.ini: UserInit=C:/WINDOWS/system32/Userinit.exe

O4 - HKCU/../Run: [blin] "C:/Documents and Settings/h/blin/blin.exe" -background 1
C:/autorun.inf
/-----
[autorun]
open=auto.exe
shell/open=打开(&O)
shell/open/Command=auto.exe
hell/explore=资源管理器(&X)
shell/explore/Command="auto.exe"
-----/
D:/autorun.inf
/-----
[autorun]
open=auto.exe
shell/open=打开(&O)
shell/open/Command=auto.exe
hell/explore=资源管理器(&X)
shell/explore/Command="auto.exe"
-----/
E:/autorun.inf
/-----
[autorun]
open=auto.exe
shell/open=打开(&O)
shell/open/Command=auto.exe
hell/explore=资源管理器(&X)
shell/explore/Command="auto.exe"
-----/
F:/autorun.inf
/-----
[autorun]
open=auto.exe
shell/open=打开(&O)
shell/open/Command=auto.exe
hell/explore=资源管理器(&X)
shell/explore/Command="auto.exe"
-----/

O23 - 服务: 46427F5F (46427F5F) - C:/WINDOWS/system32/61611F9E.EXE -46427F5F(自动)
O23 - 服务: BB7005AC (BB7005AC) - C:/WINDOWS/system32/1CC3706C.EXE -k(自动)
O23 - 服务: dmmuykip (dmmuykip) - System32/DRIVERS/dmmuykip.sys| ? | 1.6.9.1084| ?| ? | 1.8.0.1096 | Yahoo! China Corporation| ?| ?| ?(引导)
O23 - 服务: NPF (Netgroup Packet Filter) - system32/drivers/npf.sys | WinPcap Netgroup Packet Filter Driver | 3, 1, 0, 27 | npf | Copyright ? 2005 CACE Technologies. Copyright ? 2003-2005 NetGroup, Politecnico di Torino. | 3, 1, 0, 27 | CACE Technologies |  | NPF + TME  | npf.sys(手动)

O24 - ShlExecHook: [] - {40117B96-998D-4D80-8F89-5E9DBD9F3460} = C:/Program Files/Internet Explorer/PLUGINS/WinSys64.Sys
O24 - ShlExecHook: [8] - {813AF41A-21B1-131B-1BFC-D2A90DF4A2B8} = C:/WINDOWS/system32/WinForm2.dll
O24 - ShlExecHook: [WindowsVista] - {3495D328-661A-4FB0-BA67-8ACDD1704D1E} = C:/WINDOWS/system32/temp[3].dll
O24 - ShlExecHook: [9] - {913AF41A-21B1-131B-1BFC-D2A90DF4A2B9} = C:/WINDOWS/system32/xyhpri.dll
O24 - ShlExecHook: [7] - {759AFD5B-159F-ACD8-954C-ACD545FA6587} = C:/WINDOWS/system32/jzgpri.dll
O24 - ShlExecHook: [3] - {36368135-64FA-BC34-DA32-DCF4FD431C93} = C:/WINDOWS/system32/qhcpri.dll
O24 - ShlExecHook: [D] - {D1351752-5628-1547-FFAB-BADC13512AFD} = C:/WINDOWS/system32/ztmpri.dll
O24 - ShlExecHook: [5] - {54123FF1-8371-9834-9021-184518451FA5} = C:/WINDOWS/system32/qjepri.dll
O24 - ShlExecHook: [7] - {7A65498A-7653-9801-1647-987114AB7F47} = C:/WINDOWS/system32/zxgpri.dll
O24 - ShlExecHook: [2] - {252D2432-37A2-324F-2A54-21BF5CF2F1A2} = C:/WINDOWS/system32/jhapri.dll

HKLM/SHOWALL    值非1
===/

恶意程序使用了Shell Execute Hook(O24),所以在安全模式下仍然启动了……

用WinRAR检查C、D、E,F盘,没有发现 auto.exe,检查金山毒霸的隔离区,发现是被隔离了,不过毒霸没有删除autorun.inf,换成瑞星是会自动删除autorun.inf的,只能手动删除了。

接下来的处理,留待下回分解……

相关文章
|
2月前
|
监控 安全 数据安全/隐私保护
遭遇Trojan-PSW.Win32.WOW,Trojan.PSW.Win32.OnlineGames,Trojan.MnLess.kks等1
遭遇Trojan-PSW.Win32.WOW,Trojan.PSW.Win32.OnlineGames,Trojan.MnLess.kks等1
|
2月前
|
安全 Windows
遭遇RootKit.Win32.GameHack.GEN,Trojan.PSW.Win32.GameOL.GEN,RootKit.Win32.Mnless等2
遭遇RootKit.Win32.GameHack.GEN,Trojan.PSW.Win32.GameOL.GEN,RootKit.Win32.Mnless等2
|
2月前
|
安全
遭遇RootKit.Win32.GameHack.GEN,Trojan.PSW.Win32.GameOL.GEN,RootKit.Win32.Mnless等1
遭遇RootKit.Win32.GameHack.GEN,Trojan.PSW.Win32.GameOL.GEN,RootKit.Win32.Mnless等1
|
2月前
|
安全 Windows
遭遇Backdoor.Gpigeon.2007.ca,Trojan-PSW.Win32.QQRob.lg,Backdoor.Win32.Agent.bcn等1
遭遇Backdoor.Gpigeon.2007.ca,Trojan-PSW.Win32.QQRob.lg,Backdoor.Win32.Agent.bcn等1
|
2月前
|
安全 网络协议
刘三姐故乡的某网站被植入下载Worm.Win32.Delf.bse, Worm.Win32.Viking.ls等的代码
刘三姐故乡的某网站被植入下载Worm.Win32.Delf.bse, Worm.Win32.Viking.ls等的代码
|
2月前
|
安全
某可人官方网站挂马Trojan-PSW.Win32.OnLineGames.sbg
某可人官方网站挂马Trojan-PSW.Win32.OnLineGames.sbg
|
2月前
|
JavaScript 前端开发 数据安全/隐私保护
下载Trojan-PSW.Win32.QQPass.ra等恶意程序的政府网站
下载Trojan-PSW.Win32.QQPass.ra等恶意程序的政府网站
01-15/某师范学院网站被挂马 sinze.exe/Virus.Win32.Delf.an
01-15/某师范学院网站被挂马 sinze.exe/Virus.Win32.Delf.an
|
2月前
|
网络安全
遭遇Win32.Loader.c,Trojan.PSW.Win32.GameOnline,Trojan.PSW.Win32.AskTao等1
遭遇Win32.Loader.c,Trojan.PSW.Win32.GameOnline,Trojan.PSW.Win32.AskTao等1
|
2月前
|
安全
遭遇RootKit.Win32.GameHack,Trojan.PSW.Win32.QQPass,Trojan-PSW.Win32.OnLineGames等1
遭遇RootKit.Win32.GameHack,Trojan.PSW.Win32.QQPass,Trojan-PSW.Win32.OnLineGames等1