Last night a netizen told me his computer had caught a virus: Kingsoft AntiVirus (金山毒霸) kept reporting that it had found the virus WinForm2.dll, and after the machine had been running for a while a countdown-to-shutdown dialog would pop up. He asked me to help through QQ remote assistance.
I had him reboot into Safe Mode with Networking. The countdown-to-shutdown dialog appeared as soon as the connection came up; I stopped it with the command shutdown -a.
I downloaded pe_xscan, scanned the machine, and analysed the log, which showed the following suspicious items:
/=== pe_xscan 07-07-24 by Purple Endurer 2007-8-13 21:49:9 Windows XP Service Pack 2(5.1.2600) 管理员用户组

[System Process] * 0
C:/Program Files/Internet Explorer/PLUGINS/WinSys64.Sys | 2007-8-13 15:31:54
C:/WINDOWS/system32/jhapri.dll | 2004-8-4 15:31:54
C:/WINDOWS/system32/zxgpri.dll | 2004-8-4 15:31:54
C:/WINDOWS/system32/qjepri.dll | 2004-8-4 15:31:54
C:/WINDOWS/system32/ztmpri.dll | 2004-8-4 15:31:54
C:/WINDOWS/system32/qhcpri.dll | 2004-8-4 15:31:53
C:/WINDOWS/system32/jzgpri.dll | 2004-8-4 15:31:53
C:/WINDOWS/system32/xyhpri.dll | 2004-8-4 15:31:53
C:/WINDOWS/system32/WinForm2.dll | 2004-8-4 17:2:50

C:/WINDOWS/system32/winlogon.exe * 452 | 2005-5-2 4:30:0 | Microsoft(R) Windows(R) Operating System | 5.1.2600.2180 | Windows NT Logon Application | (C) Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | winlogon | WINLOGON.EXE
C:/WINDOWS/system32/WinForm2.dll | 2004-8-4 17:2:50

C:/WINDOWS/system32/lsass.exe * 512 | 2005-5-2 4:30:0 | Microsoft® Windows® Operating System | 5.1.2600.2180 | LSA Shell (Export Version) | © Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | lsass.exe | lsass.exe
C:/WINDOWS/system32/WinForm2.dll | 2004-8-4 17:2:50

C:/WINDOWS/system32/svchost.exe * 660 | 2005-5-2 4:30:0 | Microsoft® Windows® Operating System | 5.1.2600.2180 | Generic Host Process for Win32 Services | © Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | svchost.exe | svchost.exe
C:/WINDOWS/system32/WinForm2.dll | 2004-8-4 17:2:50

C:/WINDOWS/Explorer.EXE * 1456 | 2005-5-2 4:30:0 | Microsoft(R) Windows(R) Operating System | 6.00.2900.2180 | Windows Explorer | (C) Microsoft Corporation. All rights reserved. | 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | explorer | EXPLORER.EXE
C:/WINDOWS/system32/WinForm2.dll | 2004-8-4 17:2:50
C:/WINDOWS/system32/xyhpri.dll | 2004-8-4 15:31:53
C:/WINDOWS/system32/jzgpri.dll | 2004-8-4 15:31:53
C:/WINDOWS/system32/qhcpri.dll | 2004-8-4 15:31:53
C:/WINDOWS/system32/ztmpri.dll | 2004-8-4 15:31:54
C:/WINDOWS/system32/qjepri.dll | 2004-8-4 15:31:54
C:/WINDOWS/system32/zxgpri.dll | 2004-8-4 15:31:54
C:/WINDOWS/system32/jhapri.dll | 2004-8-4 15:31:54
C:/Program Files/Internet Explorer/PLUGINS/WinSys64.Sys | 2007-8-13 15:31:54

C:/KAV2007/KAV32.EXE * 1968 | 2001-8-3 9:18:3 | Kingsoft Internet Security | 7, 6, 0, 19 | Kingsoft AntiVirus | Copyright (C) 2000 - 2007 Kingsoft Corporation. All rights reserved. | 2007, 7, 23, 229 | Kingsoft Corporation | Kingsoft | KAV32 | KAV32.EXE
C:/WINDOWS/system32/WinForm2.dll | 2004-8-4 17:2:50
C:/WINDOWS/system32/xyhpri.dll | 2004-8-4 15:31:53
C:/WINDOWS/system32/jzgpri.dll | 2004-8-4 15:31:53
C:/WINDOWS/system32/qhcpri.dll | 2004-8-4 15:31:53
C:/WINDOWS/system32/ztmpri.dll | 2004-8-4 15:31:54
C:/WINDOWS/system32/qjepri.dll | 2004-8-4 15:31:54
C:/WINDOWS/system32/zxgpri.dll | 2004-8-4 15:31:54
C:/WINDOWS/system32/jhapri.dll | 2004-8-4 15:31:54
C:/Program Files/Internet Explorer/PLUGINS/WinSys64.Sys | 2007-8-13 15:31:54

C:/WINDOWS/system32/conime.exe * 812 | 2005-5-2 4:30:0 | Microsoft® Windows® Operating System | 5.1.2600.2180 | Console IME | © Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | Console | CONIME.EXE
C:/Program Files/Internet Explorer/PLUGINS/WinSys64.Sys | 2007-8-13 15:31:54
C:/WINDOWS/system32/jhapri.dll | 2004-8-4 15:31:54
C:/WINDOWS/system32/zxgpri.dll | 2004-8-4 15:31:54
C:/WINDOWS/system32/qjepri.dll | 2004-8-4 15:31:54
C:/WINDOWS/system32/ztmpri.dll | 2004-8-4 15:31:54
C:/WINDOWS/system32/qhcpri.dll | 2004-8-4 15:31:53
C:/WINDOWS/system32/jzgpri.dll | 2004-8-4 15:31:53
C:/WINDOWS/system32/xyhpri.dll | 2004-8-4 15:31:53

C:/WINDOWS/system32/xyhins.exe * 980 | 2007-8-11 22:48:14
C:/WINDOWS/system32/WinForm2.dll | 2004-8-4 17:2:50
C:/WINDOWS/system32/xyhpri.dll | 2004-8-4 15:31:53

C:/WINDOWS/system32/jzgins.exe * 1092 | 2007-8-11 15:12:30
C:/WINDOWS/system32/WinForm2.dll | 2004-8-4 17:2:50
C:/WINDOWS/system32/jzgpri.dll | 2004-8-4 15:31:53

C:/WINDOWS/system32/qhcins.exe * 504 | 2007-8-11 22:24:24
C:/WINDOWS/system32/WinForm2.dll | 2004-8-4 17:2:50
C:/WINDOWS/system32/qhcpri.dll | 2004-8-4 15:31:53

C:/WINDOWS/system32/ztmins.exe * 1320 | 2007-8-12 15:22:34
C:/WINDOWS/system32/WinForm2.dll | 2004-8-4 17:2:50
C:/WINDOWS/system32/ztmpri.dll | 2004-8-4 15:31:54

C:/WINDOWS/system32/qjeins.exe * 1372 | 2007-8-12 19:47:24
C:/WINDOWS/system32/jzgpri.dll | 2004-8-4 15:31:53
C:/WINDOWS/system32/qjepri.dll | 2004-8-4 15:31:54

C:/WINDOWS/system32/zxgins.exe * 920 | 2007-8-12 20:6:8
C:/WINDOWS/system32/qhcpri.dll | 2004-8-4 15:31:53
C:/WINDOWS/system32/zxgpri.dll | 2004-8-4 15:31:54

C:/WINDOWS/system32/jhains.exe * 1528 | 2007-8-12 20:3:30
C:/WINDOWS/system32/jzgpri.dll | 2004-8-4 15:31:53
C:/WINDOWS/system32/jhapri.dll | 2004-8-4 15:31:54

C:/WINDOWS/system32/ctfmon.exe * 164 | 2005-5-2 4:30:0 | Microsoft® Windows® Operating System | 5.1.2600.2180 | CTF Loader | © Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | CTFMON | CTFMON.EXE
C:/WINDOWS/system32/WinForm2.dll | 2004-8-4 17:2:50
C:/Program Files/Internet Explorer/PLUGINS/WinSys64.Sys | 2007-8-13 15:31:54
C:/WINDOWS/system32/jhapri.dll | 2004-8-4 15:31:54
C:/WINDOWS/system32/zxgpri.dll | 2004-8-4 15:31:54
C:/WINDOWS/system32/qjepri.dll | 2004-8-4 15:31:54
C:/WINDOWS/system32/ztmpri.dll | 2004-8-4 15:31:54
C:/WINDOWS/system32/qhcpri.dll | 2004-8-4 15:31:53
C:/WINDOWS/system32/jzgpri.dll | 2004-8-4 15:31:53
C:/WINDOWS/system32/xyhpri.dll | 2004-8-4 15:31:53

C:/Program Files/Internet Explorer/iexplore.exe * 1536 | 2005-5-2 4:30:0 | Microsoft(R) Windows(R) Operating System | 6.00.2900.2180 | Internet Explorer | (C) Microsoft Corporation. All rights reserved. | 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | iexplore | IEXPLORE.EXE
C:/WINDOWS/system32/zxgpri.dll | 2004-8-4 15:31:54
C:/Program Files/Internet Explorer/PLUGINS/WinSys64.Sys | 2007-8-13 15:31:54
C:/WINDOWS/system32/jhapri.dll | 2004-8-4 15:31:54
C:/WINDOWS/system32/qjepri.dll | 2004-8-4 15:31:54
C:/WINDOWS/system32/ztmpri.dll | 2004-8-4 15:31:54
C:/WINDOWS/system32/qhcpri.dll | 2004-8-4 15:31:53
C:/WINDOWS/system32/jzgpri.dll | 2004-8-4 15:31:53
C:/WINDOWS/system32/xyhpri.dll | 2004-8-4 15:31:53
C:/WINDOWS/system32/WinForm2.dll | 2004-8-4 17:2:50

F2 - REG: system.ini: UserInit=C:/WINDOWS/system32/Userinit.exe
O4 - HKCU/../Run: [blin] "C:/Documents and Settings/h/blin/blin.exe" -background 1

C:/autorun.inf
/-----
[autorun]
open=auto.exe
shell/open=打开(&O)
shell/open/Command=auto.exe
hell/explore=资源管理器(&X)
shell/explore/Command="auto.exe"
-----/

D:/autorun.inf
/-----
[autorun]
open=auto.exe
shell/open=打开(&O)
shell/open/Command=auto.exe
hell/explore=资源管理器(&X)
shell/explore/Command="auto.exe"
-----/

E:/autorun.inf
/-----
[autorun]
open=auto.exe
shell/open=打开(&O)
shell/open/Command=auto.exe
hell/explore=资源管理器(&X)
shell/explore/Command="auto.exe"
-----/

F:/autorun.inf
/-----
[autorun]
open=auto.exe
shell/open=打开(&O)
shell/open/Command=auto.exe
hell/explore=资源管理器(&X)
shell/explore/Command="auto.exe"
-----/

O23 - 服务: 46427F5F (46427F5F) - C:/WINDOWS/system32/61611F9E.EXE -46427F5F(自动)
O23 - 服务: BB7005AC (BB7005AC) - C:/WINDOWS/system32/1CC3706C.EXE -k(自动)
O23 - 服务: dmmuykip (dmmuykip) - System32/DRIVERS/dmmuykip.sys| ? | 1.6.9.1084| ?| ? | 1.8.0.1096 | Yahoo! China Corporation| ?| ?| ?(引导)
O23 - 服务: NPF (Netgroup Packet Filter) - system32/drivers/npf.sys | WinPcap Netgroup Packet Filter Driver | 3, 1, 0, 27 | npf | Copyright © 2005 CACE Technologies. Copyright © 2003-2005 NetGroup, Politecnico di Torino. | 3, 1, 0, 27 | CACE Technologies | | NPF + TME | npf.sys(手动)

O24 - ShlExecHook: [] - {40117B96-998D-4D80-8F89-5E9DBD9F3460} = C:/Program Files/Internet Explorer/PLUGINS/WinSys64.Sys
O24 - ShlExecHook: [8] - {813AF41A-21B1-131B-1BFC-D2A90DF4A2B8} = C:/WINDOWS/system32/WinForm2.dll
O24 - ShlExecHook: [WindowsVista] - {3495D328-661A-4FB0-BA67-8ACDD1704D1E} = C:/WINDOWS/system32/temp[3].dll
O24 - ShlExecHook: [9] - {913AF41A-21B1-131B-1BFC-D2A90DF4A2B9} = C:/WINDOWS/system32/xyhpri.dll
O24 - ShlExecHook: [7] - {759AFD5B-159F-ACD8-954C-ACD545FA6587} = C:/WINDOWS/system32/jzgpri.dll
O24 - ShlExecHook: [3] - {36368135-64FA-BC34-DA32-DCF4FD431C93} = C:/WINDOWS/system32/qhcpri.dll
O24 - ShlExecHook: [D] - {D1351752-5628-1547-FFAB-BADC13512AFD} = C:/WINDOWS/system32/ztmpri.dll
O24 - ShlExecHook: [5] - {54123FF1-8371-9834-9021-184518451FA5} = C:/WINDOWS/system32/qjepri.dll
O24 - ShlExecHook: [7] - {7A65498A-7653-9801-1647-987114AB7F47} = C:/WINDOWS/system32/zxgpri.dll
O24 - ShlExecHook: [2] - {252D2432-37A2-324F-2A54-21BF5CF2F1A2} = C:/WINDOWS/system32/jhapri.dll

HKLM/SHOWALL 值非1
===/
The malicious program registers itself as a Shell Execute Hook (the O24 entries), which is why it still got loaded in Safe Mode...
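To see at a glance why those O24 entries matter, here is an added Python example (written for this post, not part of pe_xscan) that parses a pe_xscan-style log, maps each registered Shell Execute Hook to the processes its DLL is loaded into, and flags the two things that stand out in the log above: a hook DLL sitting inside winlogon.exe and lsass.exe, and a hook registered under a non-.dll name. The sample input is a constructed excerpt using the paths and CLSIDs from the scan log.

```python
import re
from collections import defaultdict

# Constructed excerpt in pe_xscan's format: a process line is "path * pid | ...",
# the lines after it are modules loaded into that process ("path | timestamp"),
# and O24 lines are the registered Shell Execute Hooks (trimmed to 4 processes).
SAMPLE_LOG = """\
C:/WINDOWS/system32/winlogon.exe * 452 | 2005-5-2 4:30:0
C:/WINDOWS/system32/WinForm2.dll | 2004-8-4 17:2:50
C:/WINDOWS/system32/lsass.exe * 512 | 2005-5-2 4:30:0
C:/WINDOWS/system32/WinForm2.dll | 2004-8-4 17:2:50
C:/WINDOWS/system32/xyhins.exe * 980 | 2007-8-11 22:48:14
C:/WINDOWS/system32/WinForm2.dll | 2004-8-4 17:2:50
C:/WINDOWS/system32/xyhpri.dll | 2004-8-4 15:31:53
C:/WINDOWS/system32/conime.exe * 812 | 2005-5-2 4:30:0
C:/Program Files/Internet Explorer/PLUGINS/WinSys64.Sys | 2007-8-13 15:31:54
O24 - ShlExecHook: [] - {40117B96-998D-4D80-8F89-5E9DBD9F3460} = C:/Program Files/Internet Explorer/PLUGINS/WinSys64.Sys
O24 - ShlExecHook: [8] - {813AF41A-21B1-131B-1BFC-D2A90DF4A2B8} = C:/WINDOWS/system32/WinForm2.dll
O24 - ShlExecHook: [9] - {913AF41A-21B1-131B-1BFC-D2A90DF4A2B9} = C:/WINDOWS/system32/xyhpri.dll
"""

PROC_RE = re.compile(r"^(?P<path>\S.*?) \* (?P<pid>\d+) \|")
MOD_RE = re.compile(r"^(?P<path>\S.*?) \| \d{4}-\d{1,2}-\d{1,2} \d{1,2}:\d{1,2}:\d{1,2}$")
HOOK_RE = re.compile(r"^O24 - ShlExecHook: \[[^\]]*\] - (?P<clsid>\{[0-9A-Fa-f-]+\}) = (?P<path>.+)$")

def parse_log(text):
    """Return ({clsid: hook dll path}, {module path (lowercased): [process paths]})."""
    hooks, loaded_in, current = {}, defaultdict(list), None
    for line in text.splitlines():
        if m := HOOK_RE.match(line):
            hooks[m["clsid"]] = m["path"]
        elif m := PROC_RE.match(line):
            current = m["path"]            # modules that follow belong to this process
        elif (m := MOD_RE.match(line)) and current:
            loaded_in[m["path"].lower()].append(current)
    return hooks, loaded_in

def hook_report(text):
    """For each O24 hook, list the processes its DLL sits in and why it looks suspect."""
    hooks, loaded_in = parse_log(text)
    report = {}
    for clsid, path in hooks.items():
        procs = loaded_in.get(path.lower(), [])
        reasons = []
        if not path.lower().endswith(".dll"):
            reasons.append("hook registered with a non-.dll extension")
        if any(p.lower().endswith(("winlogon.exe", "lsass.exe")) for p in procs):
            reasons.append("loaded into a core logon/security process")
        report[clsid] = {"path": path, "processes": procs, "reasons": reasons}
    return report
```

The same correlation works on the full log: every O24 DLL that also shows up under explorer, winlogon and the antivirus process is a persistence component, not a bystander.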
I used WinRAR to browse drives C, D, E and F and did not find auto.exe; Kingsoft AntiVirus's quarantine showed it had already been quarantined. Kingsoft had not removed the autorun.inf files, though (Rising, by comparison, deletes autorun.inf automatically), so those had to be deleted by hand.
The rest of the cleanup will be covered next time...