Catching Backdoor.Gpigeon.voo, Trojan.PSW.OnlineGames.xd and other account-stealing trojans

A friend said his computer had become very slow lately and asked me to have a look at it.

I downloaded pe_xscan, ran a scan, and went through the log. The following entries stood out as suspicious:

/---

pe_xscan 07-04-12 by Purple Endurer

2007-5-8 12:12:51

Windows XP Service Pack 2(5.1.2600)

Administrators group

[System Process] * 0

   C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/~Tm22.tmp.rom | 1987-5-8 10:59:4

   C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/~Tm23.tmp..rom | 2007-5-8 10:59:4

   C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/hyso0.dll | 2007-5-8 10:58:52

   C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/qqso0.dll | 2007-5-8 10:58:52

   C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/myso0.dll | 2007-5-8 10:58:52

   C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/wgs0.dll | 2007-5-8 10:58:52

   C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/wls0.dll | 2007-5-8 10:58:52

   C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/wos0.dll | 2007-5-8 10:58:50

   C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/rxso0.dll | 2007-5-8 10:58:48

   C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/ztso0.dll | 2007-5-8 10:58:48

   C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/mhso0.dll | 2007-5-8 10:58:46

C:/WINDOWS/System32/svchost.exe * 884 | 2004-8-17 12:0:0 | Microsoft® Windows® Operating System | 5.1.2600.2180 | Generic Host Process for Win32 Services | © Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | svchost.exe | svchost.exe

   c:/windows/system32/syst.dll | 2007-3-22 19:35:54

C:/WINDOWS/Explorer.EXE * 264 | 2004-8-17 12:0:0 | Microsoft(R) Windows(R) Operating System | 6.00.2900.2180 | Windows Explorer | (C) Microsoft Corporation. All rights reserved. | 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | explorer | EXPLORER.EXE

   C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/mhso0.dll | 2007-5-8 10:58:46

   C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/ztso0.dll | 2007-5-8 10:58:48

   C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/rxso0.dll | 2007-5-8 10:58:48

   C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/wos0.dll | 2007-5-8 10:58:50

   C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/wgs0.dll | 2007-5-8 10:58:52

   C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/wls0.dll | 2007-5-8 10:58:52

   C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/myso0.dll | 2007-5-8 10:58:52

   C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/qqso0.dll | 2007-5-8 10:58:52

   C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/hyso0.dll | 2007-5-8 10:58:52

   C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/~Tm22.tmp.rom | 1987-5-8 10:59:4

   C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/~Tm23.tmp..rom | 2007-5-8 10:59:4

C:/Program Files/Common Files/Real/Update_OB/realsched.exe * 272 | 2006-8-24 11:18:44 | RealPlayer (32-bit)  | 0.1.0.3510 | RealNetworks Scheduler | Copyright © RealNetworks, Inc. 1995-2004 | 0.1.0.3510 | RealNetworks, Inc. | RealAudio(tm) is a trademark of RealNetworks, Inc. | schedapp | realsched.exe

   C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/~Tm22.tmp.rom | 1987-5-8 10:59:4

D:/KAVStart.exe * 1688 | 2006-11-11 16:44:34 | Kingsoft Internet Security | 7, 6, 0, 212 | Kingsoft Security Center | Copyright (C) 2000 - 2006 Kingsoft Inc (KIS International Team), All Rights Reserved. | 2006, 11, 10, 212 | Kingsoft Corporation | Kingsoft | KAVStart | KAVStart.EXE

   C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/~Tm22.tmp.rom | 1987-5-8 10:59:4

C:/WINDOWS/wos3.exe * 1064 | 2007-3-26 10:10:8

   C:/WINDOWS/wos3.exe | 2007-3-26 10:10:8

   C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/wos0.dll | 2007-5-8 10:58:50

C:/WINDOWS/wls3.exe * 1016 | 2007-3-26 10:10:20

   C:/WINDOWS/wls3.exe | 2007-3-26 10:10:20

   C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/wls0.dll | 2007-5-8 10:58:52

C:/WINDOWS/wgs3.exe * 976 | 2007-3-26 10:10:28

   C:/WINDOWS/wgs3.exe | 2007-3-26 10:10:28

   C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/wgs0.dll | 2007-5-8 10:58:52

D:/KMailMon.EXE * 2172 | 2006-11-11 16:44:34 | Kingsoft Internet Security | 7, 6, 0, 19 | Kingsoft Antivirus Mail Monitor | Copyright © 2000 - 2006 Kingsoft Inc (KIS International Team), All Rights Reserved. | 2006, 9, 7, 918 | Kingsoft Corporation | Kingsoft | MailMon | KMailMon.EXE

   C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/~Tm22.tmp.rom | 1987-5-8 10:59:4

C:/WINDOWS/SOUNDMAN.EXE * 2196 | 2006-1-11 23:8:36 | Realtek Sound Manager | 5, 1, 0, 51 | Realtek Sound Manager | Copyright (c) 2001-2004 Realtek Semiconductor Corp. | 5, 1, 0, 51 | Realtek Semiconductor Corp. |  | ALSMTray | ALSMTray.exe

   C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/~Tm22.tmp.rom | 1987-5-8 10:59:4

C:/WINDOWS/system32/ctfmon.exe * 2224 | 2004-8-17 12:0:0 | Microsoft® Windows® Operating System | 5.1.2600.2180 | CTF Loader | © Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | CTFMON | CTFMON.EXE

   C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/~Tm22.tmp.rom | 1987-5-8 10:59:4

D:/KPFW32.EXE * 2412 | 2006-11-11 16:44:36 | Kingsoft Internet Security | 7, 6, 0, 19 | Kingsoft Firewall | Copyright (C) 2000 - 2006 Kingsoft Inc (KIS International Team), All Rights Reserved. | 2006, 10, 24, 658 | Kingsoft Corporation | Kingsoft | KPFW32.EXE | KPFW32.EXE

   C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/~Tm22.tmp.rom | 1987-5-8 10:59:4

O2 - BHO  - {8298D101-F992-43B7-8ECA-5052D885B996} - C:/WINDOWS/system32/rs.bin

O4 - HKCR/../Run: [3u] C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/iexpl0re.exe

O4 - HKCR/../Run: [tuj] C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/rundl132.exe

O4 - HKCR/../Run: [wc2imbevyfqu7g] C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/winlog0n.exe

O4 - HKLM/../Run: [mhsa] C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/mhso.exe

O4 - HKLM/../Run: [ztsa] C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/ztso.exe

O4 - HKLM/../Run: [rxsa] C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/rxso.exe

O4 - HKLM/../Run: [wos3] C:/WINDOWS/wos3.exe

O4 - HKLM/../Run: [wls3] C:/WINDOWS/wls3.exe

O4 - HKLM/../Run: [wgs3] C:/WINDOWS/wgs3.exe

O4 - HKLM/../Run: [wms3] C:/WINDOWS/wms3.exe

O4 - HKLM/../Run: [jts3] C:/WINDOWS/jts3.exe

O4 - HKLM/../Run: [qqs3] C:/WINDOWS/qqs3.exe

O4 - HKLM/../Run: [mysa] C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/myso.exe

O4 - HKLM/../Run: [qqsa] C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/qqso.exe

O4 - HKLM/../Run: [hysa] C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/hyso.exe

O4 - HKLM/../Run: [kernelmh] C:/WINDOWS/Kernelmh.exe

O23 - Service: ERSvc (Error Reporting Service) - C:/WINDOWS/System32/svchost.exe -k netsvcs -> C:/WINDOWS/system32/syst.dll | 2007-3-22 19:35:54(Auto)

O24 - [F] - {754FB7D8-B8FE-4810-B363-A788CD060F1F} = F

O24 - [F] - {A6011F8F-A7F8-49AA-9ADA-49127D43138F} = F

O24 - [C] - {729B6C61-BDC5-4C09-A1DE-A296BA0B89EC} = C

O24 - [] - {91B1E846-2BEF-4345-8848-7699C7C9935F} = C:/Program Files/Common Files/Microsoft Shared/MSINFO/SysWFGQQ2.dll

---/
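Three things in that scan deserve to be named explicitly. Every process, the Kingsoft antivirus and firewall components included, has DLLs from the user's Temp directory mapped into it, and those DLLs were all written within a few seconds of each other on 2007-5-8 between 10:58 and 10:59, which is the signature of one dropper unpacking its payload set. The Run entries point at files in Temp whose names imitate system binaries with a digit swapped for a letter (iexpl0re.exe, rundl132.exe, winlog0n.exe), and the wos3/wls3/wgs3 executables in C:\WINDOWS carry no version information at all. Finally, the ERSvc service, which on a stock Windows XP install loads ersvc.dll, has had its ServiceDll pointed at syst.dll, so the stealer is reloaded by svchost.exe at every boot. The script below is an added example, not pe_xscan's own code: it runs those checks over an excerpt of the log above (constructed sample input, slash direction kept as printed on the page; the parser accepts either). The lookalike list, the service-DLL table (only ERSvc is tabled), the 1987-style forged-timestamp floor and the two-minute clustering window are this example's own assumptions.

```python
"""Triage of a pe_xscan-style log: processes, loaded modules, O4 Run keys, O23 services.

Added example, not pe_xscan's code. SAMPLE_LOG is excerpted from the scan on
this page; the heuristics, the lookalike list, the service-DLL table and the
thresholds are this example's assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

SAMPLE_LOG = """\
[System Process] * 0
   C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/~Tm22.tmp.rom | 1987-5-8 10:59:4
   C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/~Tm23.tmp..rom | 2007-5-8 10:59:4
   C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/hyso0.dll | 2007-5-8 10:58:52
   C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/qqso0.dll | 2007-5-8 10:58:52
C:/WINDOWS/System32/svchost.exe * 884 | 2004-8-17 12:0:0 | Microsoft Windows Operating System | 5.1.2600.2180
   c:/windows/system32/syst.dll | 2007-3-22 19:35:54
C:/WINDOWS/Explorer.EXE * 264 | 2004-8-17 12:0:0 | Microsoft Windows Operating System | 6.00.2900.2180
   C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/mhso0.dll | 2007-5-8 10:58:46
   C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/wos0.dll | 2007-5-8 10:58:50
   C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/hyso0.dll | 2007-5-8 10:58:52
C:/WINDOWS/wos3.exe * 1064 | 2007-3-26 10:10:8
   C:/WINDOWS/wos3.exe | 2007-3-26 10:10:8
   C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/wos0.dll | 2007-5-8 10:58:50
O4 - HKCR/../Run: [3u] C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/iexpl0re.exe
O4 - HKCR/../Run: [tuj] C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/rundl132.exe
O4 - HKCR/../Run: [wc2imbevyfqu7g] C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/winlog0n.exe
O4 - HKLM/../Run: [wos3] C:/WINDOWS/wos3.exe
O23 - Service: ERSvc (Error Reporting Service) - C:/WINDOWS/System32/svchost.exe -k netsvcs -> C:/WINDOWS/system32/syst.dll | 2007-3-22 19:35:54(Auto)
"""

TS_RE = re.compile(r"(\d{4})-(\d{1,2})-(\d{1,2}) (\d{1,2}):(\d{1,2}):(\d{1,2})")
PROC_RE = re.compile(r"^(\S.*?) \* (\d+)(?: \| (.*))?$")   # "<image> * <pid> | <ts> | <version fields>"
MOD_RE = re.compile(r"^\s+(.+?) \| (.+)$")                   # "   <module> | <ts>"
RUN_RE = re.compile(r"^O4 - (\S+): \[([^\]]*)\] (.+)$")      # "O4 - <hive>/../Run: [<value>] <command>"
SVC_RE = re.compile(r"^O23 - [^:]*: (\S+) \(.*?\) - (.+?) -> (.+?) \| ")  # "O23 - Service: <name> (<display>) - <host> -> <dll> | <ts>"

# Assumption: XP-era binaries that stealers imitate with digit-for-letter swaps.
SYSTEM_NAMES = {"iexplore.exe", "rundll32.exe", "winlogon.exe", "svchost.exe",
                "explorer.exe", "lsass.exe", "csrss.exe", "services.exe", "ctfmon.exe"}
LOOKALIKE_MAP = str.maketrans({"0": "o", "1": "l"})
# Assumption: stock XP ServiceDll per service name; only the service in this log is tabled.
EXPECTED_SERVICE_DLL = {"ersvc": "ersvc.dll"}
# A Temp file dropped today but stamped before XP shipped has a forged timestamp.
XP_RELEASE = datetime(2001, 10, 25)


def parse_ts(text):
    m = TS_RE.search(text)
    return datetime(*map(int, m.groups())) if m else None


def basename(path):
    return re.split(r"[\\/]", path.strip())[-1].lower()


def in_temp(path):
    return "/temp/" in path.replace("\\", "/").lower()


def lookalike_of(name):
    """Return the system binary that `name` imitates via digit substitution, else None."""
    name = name.lower()
    if name in SYSTEM_NAMES:
        return None
    fixed = name.translate(LOOKALIKE_MAP)
    return fixed if fixed in SYSTEM_NAMES else None


def triage(log_text, cluster_window_s=120, min_cluster=3):
    """Return {finding_kind: sorted list of tuples} for one pe_xscan-style log."""
    findings = defaultdict(set)
    temp_files = {}          # lower-cased Temp path -> timestamp (deduplicated across processes)
    current_proc = "?"
    for line in log_text.splitlines():
        if not line.strip():
            continue
        if (m := RUN_RE.match(line)):
            _hive, value, cmd = m.groups()
            target = lookalike_of(basename(cmd))
            if target:
                findings["lookalike_autostart"].add((value, basename(cmd), target))
            if in_temp(cmd):
                findings["temp_autostart"].add((value, cmd))
        elif (m := SVC_RE.match(line)):
            svc, _host, dll = m.groups()
            expected = EXPECTED_SERVICE_DLL.get(svc.lower())
            if expected and basename(dll) != expected:
                findings["hijacked_service_dll"].add((svc, basename(dll), expected))
        elif not line[0].isspace() and (m := PROC_RE.match(line)):
            current_proc, _pid, rest = m.groups()
            # Stock binaries carry version fields after the timestamp; a bare "<ts>" means none.
            if rest is not None and len(rest.split(" | ")) < 2:
                findings["no_version_info"].add(current_proc)
        elif line[0].isspace() and (m := MOD_RE.match(line)):
            path, ts = m.group(1), parse_ts(m.group(2))
            if in_temp(path):
                findings["temp_module"].add((current_proc, path))
                temp_files.setdefault(path.lower(), ts)
                if ts and ts < XP_RELEASE:
                    findings["forged_timestamp"].add((path, ts.isoformat()))
    # Temp files written within seconds of each other are one dropper's payload set.
    stamps = sorted((ts, p) for p, ts in temp_files.items() if ts)
    i = 0
    while i < len(stamps):
        j = i
        while j + 1 < len(stamps) and (stamps[j + 1][0] - stamps[i][0]).total_seconds() <= cluster_window_s:
            j += 1
        if j - i + 1 >= min_cluster:
            findings["drop_cluster"].add((stamps[i][0].isoformat(), stamps[j][0].isoformat(), j - i + 1))
        i = j + 1
    return {kind: sorted(items) for kind, items in findings.items()}


if __name__ == "__main__":
    for kind, items in triage(SAMPLE_LOG).items():
        print(kind)
        for item in items:
            print("   ", item)
```

Run it against a full pe_xscan dump rather than the excerpt to get the complete list; the one check to treat with care is the service one, since EXPECTED_SERVICE_DLL only knows ERSvc and must be filled in with the other netsvcs entries from a clean machine before its silence means anything.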

I then checked c:/windows and c:/windows/system32 and found a whole pile of suspicious files, for example:

/---

D:/tools/bat_do>dir c:/windows/system32 /a /od

Volume in drive C has no label.

Volume Serial Number is 40FB-AD0B

Directory of c:/windows/system32

