Rising Kaka Security Forum
rockzonelee - 2007-4-5 11:25:00
So much stuff to delete!
Bumping first, reading later~~~~~~~~
guyueseng - 2007-4-5 12:08:00
Honeypots: everyone come and be a honeypot, refuse to use virtual machines.
xp123 - 2007-4-5 12:44:00
| Quote: |
[guyueseng's post] Is the moderator using a virtual machine? ……………… |
The old mod's monitoring setup is very strong.
Don't try to copy him unless you know what you're doing.
guyueseng - 2007-4-5 12:49:00
Rename verclsid.exe.bak in the C:\WINDOWS\system32 folder to verclsid.exe
I didn't run into this problem. Could this virus mutate on its own?
This virus apparently does not re-infect the same system.
After disinfecting, I ran the sample again: no sign of infection at all.
This virus must have some other mechanism we haven't figured out; otherwise how could this happen? I'm puzzled.
瓶子里没有水 - 2007-4-5 12:50:00
Perverse virus...
MidnightGhost - 2007-4-5 13:04:00
I caught this virus too, but it must be a variant that is somewhat different: Kaspersky reports it as this virus, but the virus files are not like these.
On my machine a lot of .DLL and .EXE files appeared in system32, the registry got a startup entry running 600088c8.exe, sometimes there is one in the services too, and there are infected files under system as well. Kaspersky detected winform.exe and winform.dll, but I found several more files that Kaspersky did not report and that are certainly dropped by this virus. All of them are in the system directory. I cleaned it once a few days ago and got it again today.
After infection the system becomes extremely slow; the virus hogs system resources.
How can this virus be prevented, and where does it come from?
spiritfire - 2007-4-5 13:17:00
Scraping together that many programs for IFEO, the author of this virus really went to great pains!
guyueseng - 2007-4-5 13:39:00
So the OP still hasn't fully analysed this virus's mechanism.
天月来了 - 2007-4-5 15:44:00
What worries me is that everything this virus is doing now is only there to divert attention,
while there is actually a more hidden trojan. That would be the end.
Otherwise how could it be that: "This virus apparently does not re-infect the same system.
After disinfecting, I ran the sample again: no sign of infection at all."??????????????????
baohe - 2007-4-5 16:04:00
| Quote: |
[guyueseng's post] So the OP still hasn't fully analysed this virus's mechanism. ……………… |
I'd like to get infected again too and take a closer look, but this virus won't give me another chance.
Last night (dead tired) I only managed those rough observations.
baohe - 2007-4-5 16:07:00
| Quote: |
[天月来了's post] What worries me is that everything this virus is doing now is only there to divert attention,
while there is actually a more hidden trojan. That would be the end.
Otherwise how could it be that: "This virus apparently does not re-infect the same system. After disinfecting, I ran the sample again: no sign of infection at all."?????????????????? ……………… |
I'll wait and see.
I haven't restored with GHOST since playing with it yesterday.
Let's see what happens. No anomalies in the system so far.
天月来了 - 2007-4-5 17:10:00
Hehe!!!!!!!
baohe!!!!
There's something I'm curious about!!!!
I'd like to see the SRENG log of the system you cleaned last night and haven't GHOSTed since.
Is that OK?
I wonder whether anyone else above wants to see it too?
Just post it in this thread.
OK????
之乎者也 - 2007-4-5 17:12:00
5. Cancel IceSword's "Forbid process creation". Rename autoruns.exe to autorun.exe and run it:
find HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
and delete: Uncle Mao, can't these be deleted with IceSword? I've never touched autoruns and can't be bothered to learn another tool.
沁水嘉丰人 - 2007-4-5 17:17:00
Here is a site where everyone can apply for a free personal homepage, Wuyou Free Personal Homepage Network: free to use forever, 6 MB of free space, beautiful templates, you can publish articles and even build music, download and video sites. Hurry up and register!
http://www.any2000.com/?jcdqh
guyueseng - 2007-4-5 17:24:00
It seems to have sabotaged the update programs of many antivirus products and tools. I've now removed the virus, but many programs can no longer update their virus databases, and some svchost.exe keeps crashing. I suspect it still isn't cleaned up.
This virus is no simple thing. The author's malicious mind, managing to collect that many tools, is extremely twisted.
无限001 - 2007-4-5 17:34:00
Support, nice work...
Lately I've heard of quite a few people catching this virus!!
baohe - 2007-4-5 17:42:00
| Quote: |
[天月来了's post] Hehe!!!!!!!
baohe!!!!
There's something I'm curious about!!!!
I'd like to see the SRENG log of the system you cleaned last night and haven't GHOSTed since.
Is that OK?
I wonder whether anyone else above wants to see it too?
Just post it in this thread.
OK???? ……………… |
2007-04-05,17:27:17
System Repair Engineer 2.3.13.690
Smallfrogs (http://www.KZTechs.com)
Windows XP Professional Service Pack 2 (Build 2600)
- 管理权限用户 - 完整功能
以下内容被选中:
所有的启动项目(包括注册表、启动文件夹、服务等)
浏览器加载项
正在运行的进程(包括进程模块信息)
文件关联
Winsock 提供者
Autorun.inf
HOSTS 文件
启动项目
注册表
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
<ctfmon.exe><C:\windows\system32\ctfmon.exe> [(Verified)Microsoft Corporation]
<AMonitor><C:\Program Files\Tiny Firewall Pro\amon.exe> [Computer Associates International, Inc.]
<IDMan><C:\Program Files\Internet Download Manager\IDMan.exe /onboot> [Internet Download Manager Corp., Tonec Inc. ]
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<load><> [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<TP4EX><tp4ex.exe> [IBM Corporation]
<RunShadowTip><C:\windows\system32\shadow\ShadowTip.exe> [PowerShadow]
<RavTask><"C:\Program Files\Rising\Rav\RavTask.exe" -system> [Beijing Rising Technology Co., Ltd.]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<shell><Explorer.exe,> [(Verified)Microsoft Corporation]
<Userinit><C:\WINDOWS\system32\userinit.exe,> [(Verified)Microsoft Corporation]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<AppInit_DLLs><UmxSbxExw.dll,> [Computer Associates International, Inc.]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<UIHost><logonui.exe> [(Verified)Microsoft Corporation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
<{32CD708B-60A7-4C00-9377-D73EAA495F0F}><C:\windows\system32\RavExt.dll> [Beijing Rising Technology Co., Ltd.]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\PFW]
<WinlogonNotify: PFW><UmxWnp.Dll> [Computer Associates International, Inc.]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\System Safety Monitor]
<WinlogonNotify: System Safety Monitor><SSMWinlogonEx.dll> [(Verified)System Safety Limited]
[HKEY_CURRENT_USER\Control Panel\Desktop]
<SCRNSAVE.EXE><C:\WINDOWS\System32\AMCRYS~1.SCR> [SereneScreen]
==================================
启动文件夹
N/A
baohe - 2007-4-5 17:43:00
==================================
服务
[Ati HotKey Poller / Ati HotKey Poller][Running/Auto Start]
<C:\windows\System32\Ati2evxx.exe><N/A>
[Human Interface Device Access / HidServ][Stopped/Disabled]
<C:\windows\System32\svchost.exe -k netsvcs-->%SystemRoot%\System32\hidserv.dll><N/A>
[IBM PM Service / IBMPMSVC][Stopped/Disabled]
<C:\windows\system32\ibmpmsvc.exe><N/A>
[QCONSVC / QCONSVC][Running/Auto Start]
<System32\QCONSVC.EXE><N/A>
[Rising Process Communication Center / RsCCenter][Running/Auto Start]
<"C:\Program Files\Rising\Rav\CCenter.exe"><Beijing Rising Technology Co., Ltd.>
[Rising RealTime Monitor / RsRavMon][Running/Auto Start]
<"C:\Program Files\Rising\Rav\Ravmond.exe"><Beijing Rising Technology Co., Ltd.>
[Shadow System Service / ShadowSystemService][Running/Auto Start]
<C:\windows\system32\shadow\ShadowService.exe><N/A>
[FW Event Manager / UmxAgent][Running/Auto Start]
<"C:\Program Files\Tiny Firewall Pro\UmxAgent.exe"><Computer Associates International, Inc.>
[FW Configuration Interpreter / UmxCfg][Running/Auto Start]
<"C:\Program Files\Common Files\PFShared\UmxCfg.exe"><Computer Associates International, Inc.>
[FW User-Mode Helper / UmxFwHlp][Running/Auto Start]
<"C:\Program Files\Tiny Firewall Pro\UmxFwHlp.exe"><Computer Associates International, Inc.>
[FW Live Update / UmxLU][Running/Auto Start]
<"C:\Program Files\Common Files\PFShared\umxlu.exe"><Tiny Software, Inc.>
[FW Policy Manager / UmxPol][Running/Auto Start]
<"C:\Program Files\Common Files\PFShared\UmxPol.exe"><Computer Associates International, Inc.>
==================================
驱动程序
[Agere Systems Soft Modem / AgereSoftModem][Running/Manual Start]
<System32\DRIVERS\AGRSM.sys><Agere Systems>
[ati2mtag / ati2mtag][Running/Manual Start]
<System32\DRIVERS\ati2mtag.sys><ATI Technologies Inc.>
[Rising TDI Base Driver / BaseTDI][Running/Auto Start]
<System32\DRIVERS\BaseTDI.SYS><Beijing Rising Technology Co., Ltd.>
[Intel(R) PRO Adapter Driver / E100B][Running/Manual Start]
<System32\DRIVERS\e100b325.sys><Intel Corporation>
[IBM eGatherer Diagnostics / EGATHDRV][Stopped/Manual Start]
<\??\C:\WINDOWS\System32\EGATHDRV.SYS><N/A>
[ExpScaner / ExpScaner][Running/Auto Start]
<\??\C:\Program Files\Rising\Rav\ExpScan.sys><>
[HookCont / HookCont][Running/Auto Start]
<\??\C:\Program Files\Rising\Rav\HOOKCONT.sys><Rising>
[HookReg / HookReg][Running/Auto Start]
<\??\C:\Program Files\Rising\Rav\HookReg.sys><>
[HookSys / HookSys][Running/Auto Start]
<\??\C:\Program Files\Rising\Rav\HookSys.sys><Rising>
[IBMPMDRV / IBMPMDRV][Running/Manual Start]
<System32\DRIVERS\ibmpmdrv.sys><IBM Corp.>
[IBMTPCHK / IBMTPCHK][Running/System Start]
<System32\drivers\IBMBLDID.SYS><N/A>
[KmxAgent / KmxAgent][Running/System Start]
<System32\DRIVERS\kmxagent.sys><Computer Associates International, Inc.>
[KmxBiG / KmxBiG][Running/Auto Start]
<System32\DRIVERS\KmxBiG.sys><Computer Associates International, Inc.>
[KmxCfg / KmxCfg][Running/Manual Start]
<System32\DRIVERS\kmxcfg.sys><Computer Associates International, Inc.>
[KmxFile / KmxFile][Running/System Start]
<System32\DRIVERS\KmxFile.sys><Computer Associates International, Inc.>
[KmxFw / KmxFw][Running/System Start]
<System32\DRIVERS\kmxfw.sys><Computer Associates International, Inc.>
[KmxIds / KmxIds][Running/System Start]
<System32\DRIVERS\kmxids.sys><Computer Associates International, Inc.>
[KmxNdis / KmxNdis][Running/Boot Start]
<\SystemRoot\System32\DRIVERS\kmxndis.sys><Computer Associates International, Inc.>
[KmxSbx / KmxSbx][Running/Auto Start]
<System32\DRIVERS\KmxSbx.sys><Computer Associates International, Inc.>
[MEMSCAN / MEMSCAN][Running/Auto Start]
<\??\C:\Program Files\Rising\Rav\MEMSCAN.sys><瑞星软件有限公司>
[NSC Infrared Device Driver / NSCIRDA][Running/Manual Start]
<System32\DRIVERS\nscirda.sys><National Semiconductor Corporation>
[Direct Parallel Link Driver / Ptilink][Running/Manual Start]
<System32\DRIVERS\ptilink.sys><Parallel Technologies, Inc.>
[RsNTGDI / RsNTGDI][Running/Boot Start]
<\SystemRoot\system32\Drivers\RsNTGdi.sys><Beijing Rising Technology Co., Ltd.>
[RSPPSYS / RSPPSYS][Running/Auto Start]
<\??\C:\Program Files\Rising\Rav\RSPPSYS.sys><Rising>
[System Safety Monitor 2.0 Core Engine / safemon][Running/Boot Start]
<\SystemRoot\system32\drivers\safemon.sys><System Safety Limited>
[Secdrv / Secdrv][Stopped/Manual Start]
<System32\DRIVERS\secdrv.sys><N/A>
[Smapint / Smapint][Running/System Start]
<System32\drivers\Smapint.sys><Microsoft Corporation>
[smwdm / smwdm][Running/Manual Start]
<system32\drivers\smwdm.sys><Analog Devices, Inc.>
[TDSMAPI / TDSMAPI][Running/System Start]
<System32\Drivers\TDSMAPI.SYS><N/A>
[IBM PS/2 TrackPoint Driver / Tp4Track][Running/Manual Start]
<System32\DRIVERS\tp4track.sys><IBM Corporation>
[TPPWR / TPPWR][Running/System Start]
<System32\drivers\Tppwr.sys><IBM Corp.>
baohe - 2007-4-5 17:43:00
==================================
浏览器加载项
[IDMIEHlprObj Class]
{0055C089-8582-441B-A0BF-17B458C2A3A8} <C:\Program Files\Internet Download Manager\IDMIECC.dll, Internet Download Manager Corp., Tonec Inc.>
[AcroIEHlprObj Class]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} <C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll, Adobe Systems Incorporated>
[AcroIEToolbarHelper Class]
{AE7CD045-E861-484f-8273-0445EE161910} <C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll, N/A>
[Adobe PDF]
{47833539-D0C5-4125-9FA8-0819E2EAAC93} <C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll, N/A>
[卡卡上网安全助手]
{DB9ECD4F-FB8F-4311-B3CE-90B976C2707C} <C:\windows\system32\kakatool.dll, Beijing Rising Technology Co., Ltd.>
[Office Update Installation Engine]
{3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} <C:\WINDOWS\opuc.dll, Microsoft Corporation>
[WUWebControl Class]
{6414512B-B978-451D-A0D8-FCFDF33E833C} <C:\WINDOWS\system32\wuweb.dll, Microsoft Corporation>
[IDMIEHlprObj Class]
{0055C089-8582-441B-A0BF-17B458C2A3A8} <C:\Program Files\Internet Download Manager\IDMIECC.dll, Internet Download Manager Corp., Tonec Inc.>
[AcroIEHlprObj Class]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} <C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll, Adobe Systems Incorporated>
[Adobe PDF]
{47833539-D0C5-4125-9FA8-0819E2EAAC93} <C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll, N/A>
[AcroIEToolbarHelper Class]
{AE7CD045-E861-484F-8273-0445EE161910} <C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll, N/A>
[使用 IDM 下载]
<C:\Program Files\Internet Download Manager\IEExt.htm, N/A>
[使用 IDM 下载所有链接]
<C:\Program Files\Internet Download Manager\IEGetAll.htm, N/A>
[导出到 Microsoft Office Excel(&X)]
<res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000, N/A>
baohe - 2007-4-5 17:44:00
==================================
正在运行的进程
[PID: 616][\SystemRoot\System32\smss.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 688][\??\C:\windows\system32\csrss.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 712][\??\C:\windows\system32\winlogon.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\windows\system32\UmxSbxExw.dll] [Computer Associates International, Inc., 6.0.1.58]
[C:\windows\system32\UmxSbxw.dll] [Computer Associates International, Inc., 6.0.1.58]
[C:\windows\system32\UmxWnp.Dll] [Computer Associates International, Inc., 6, 0, 0, 2]
[C:\windows\system32\SSMWinlogonEx.dll] [System Safety Limited, 2.4.0.613]
[PID: 760][C:\windows\system32\services.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\windows\system32\UmxSbxExw.dll] [Computer Associates International, Inc., 6.0.1.58]
[C:\windows\system32\UmxSbxw.dll] [Computer Associates International, Inc., 6.0.1.58]
[PID: 772][C:\windows\system32\lsass.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\windows\system32\UmxSbxExw.dll] [Computer Associates International, Inc., 6.0.1.58]
[C:\windows\system32\UmxSbxw.dll] [Computer Associates International, Inc., 6.0.1.58]
[PID: 960][C:\windows\system32\svchost.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\windows\system32\UmxSbxExw.dll] [Computer Associates International, Inc., 6.0.1.58]
[C:\windows\system32\UmxSbxw.dll] [Computer Associates International, Inc., 6.0.1.58]
[PID: 1052][C:\windows\system32\svchost.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\windows\system32\UmxSbxExw.dll] [Computer Associates International, Inc., 6.0.1.58]
[C:\windows\system32\UmxSbxw.dll] [Computer Associates International, Inc., 6.0.1.58]
[PID: 1196][C:\windows\System32\svchost.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\windows\System32\UmxSbxExw.dll] [Computer Associates International, Inc., 6.0.1.58]
[C:\windows\System32\UmxSbxw.dll] [Computer Associates International, Inc., 6.0.1.58]
[PID: 1392][C:\windows\System32\svchost.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\windows\System32\UmxSbxExw.dll] [Computer Associates International, Inc., 6.0.1.58]
[C:\windows\System32\UmxSbxw.dll] [Computer Associates International, Inc., 6.0.1.58]
[PID: 1588][C:\windows\system32\spoolsv.exe] [Microsoft Corporation, 5.1.2600.2696 (xpsp_sp2_gdr.050610-1519)]
[C:\windows\system32\UmxSbxExw.dll] [Computer Associates International, Inc., 6.0.1.58]
[C:\windows\system32\UmxSbxw.dll] [Computer Associates International, Inc., 6.0.1.58]
[C:\WINDOWS\System32\AdobePDF.dll] [Adobe Systems Incorporated., 6.0.000]
[C:\Program Files\Adobe\Acrobat 6.0\Distillr\adistres.dll] [Adobe Systems Incorporated., 6.0.0.2003040700]
[PID: 1636][C:\Program Files\Common Files\PFShared\UmxCfg.exe] [Computer Associates International, Inc., 6.0.1.48]
[C:\windows\system32\UmxSbxExw.dll] [Computer Associates International, Inc., 6.0.1.58]
[C:\windows\system32\UmxSbxw.dll] [Computer Associates International, Inc., 6.0.1.58]
[C:\Program Files\Common Files\PFShared\xmlsdp.dll] [Computer Associates International, Inc., 6.2.0.122]
[C:\windows\system32\msxml4.dll] [Microsoft Corporation, 4.20.9818.0]
[C:\Program Files\Common Files\PFShared\pthexp.dll] [Computer Associates International, Inc., 6.0.0.19]
[C:\Program Files\Tiny Firewall Pro\SnortImp.dll] [Computer Associates International, Inc., 6.5.1.2]
baohe - 2007-4-5 17:45:00
[PID: 1660][C:\Program Files\Tiny Firewall Pro\UmxFwHlp.exe] [Computer Associates International, Inc., 6.5.3.2]
[C:\windows\system32\UmxSbxExw.dll] [Computer Associates International, Inc., 6.0.1.58]
[C:\windows\system32\UmxSbxw.dll] [Computer Associates International, Inc., 6.0.1.58]
[PID: 1700][C:\Program Files\Rising\Rav\RavStub.exe] [Beijing Rising Technology Co., Ltd., 19, 0, 0, 4]
[C:\windows\system32\UmxSbxExw.dll] [Computer Associates International, Inc., 6.0.1.58]
[C:\windows\system32\UmxSbxw.dll] [Computer Associates International, Inc., 6.0.1.58]
[C:\Program Files\Rising\Rav\psapi.dll] [Microsoft Corporation, 4.00]
[C:\Program Files\Rising\Rav\RsCommX.dll] [rising, 18, 0, 0, 1]
[C:\Program Files\Rising\Rav\RSCOMMON.DLL] [Beijing Rising Technology Co., Ltd., 19, 0, 0, 5]
[PID: 1868][C:\Program Files\Common Files\PFShared\UmxPol.exe] [Computer Associates International, Inc., 6, 0, 0, 5]
[C:\windows\system32\UmxSbxExw.dll] [Computer Associates International, Inc., 6.0.1.58]
[C:\windows\system32\UmxSbxw.dll] [Computer Associates International, Inc., 6.0.1.58]
[PID: 196][C:\Program Files\Tiny Firewall Pro\UmxAgent.exe] [Computer Associates International, Inc., 6.0.1.76]
[C:\windows\system32\UmxSbxExw.dll] [Computer Associates International, Inc., 6.0.1.58]
[C:\windows\system32\UmxSbxw.dll] [Computer Associates International, Inc., 6.0.1.58]
[C:\Program Files\Tiny Firewall Pro\UmxAgentRes.dll] [Tiny Software, Inc., 6.0.1.63]
[C:\Program Files\Tiny Firewall Pro\FncIDs.dll] [Computer Associates International, Inc., 6.0.0.1]
[C:\windows\system32\msxml4.dll] [Microsoft Corporation, 4.20.9818.0]
[C:\Program Files\Common Files\PFShared\pthexp.dll] [Computer Associates International, Inc., 6.0.0.19]
[C:\Program Files\Common Files\PFShared\Nag.dll] [Tiny Software, Inc., 6.0.1.22]
[PID: 216][C:\Program Files\Tiny Firewall Pro\UmxTray.exe] [Computer Associates International, Inc., 6.5.1.59]
[C:\windows\system32\UmxSbxExw.dll] [Computer Associates International, Inc., 6.0.1.58]
[C:\windows\system32\UmxSbxw.dll] [Computer Associates International, Inc., 6.0.1.58]
[C:\Program Files\Tiny Firewall Pro\UmxTrayRes.dll] [Computer Associates International, Inc., 6.5.1.59]
[C:\Program Files\Common Files\PFShared\Nag.dll] [Tiny Software, Inc., 6.0.1.22]
[PID: 260][C:\windows\System32\Ati2evxx.exe] [N/A, N/A]
[C:\windows\System32\UmxSbxExw.dll] [Computer Associates International, Inc., 6.0.1.58]
[C:\windows\System32\UmxSbxw.dll] [Computer Associates International, Inc., 6.0.1.58]
[PID: 304][C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE] [Microsoft Corporation, 7.00.9466]
[C:\windows\system32\UmxSbxExw.dll] [Computer Associates International, Inc., 6.0.1.58]
[C:\windows\system32\UmxSbxw.dll] [Computer Associates International, Inc., 6.0.1.58]
[C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\2052\mdmui.dll] [Microsoft Corporation, 7.00.9466]
[C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MSDBG2.DLL] [Microsoft Corporation, 7.00.9466]
[PID: 548][C:\windows\System32\QCONSVC.EXE] [N/A, N/A]
[C:\windows\System32\UmxSbxExw.dll] [Computer Associates International, Inc., 6.0.1.58]
[C:\windows\System32\UmxSbxw.dll] [Computer Associates International, Inc., 6.0.1.58]
[PID: 636][C:\windows\system32\shadow\ShadowService.exe] [N/A, N/A]
[C:\windows\system32\UmxSbxExw.dll] [Computer Associates International, Inc., 6.0.1.58]
[C:\windows\system32\UmxSbxw.dll] [Computer Associates International, Inc., 6.0.1.58]
[PID: 664][C:\Program Files\Common Files\PFShared\umxlu.exe] [Tiny Software, Inc., 6.0.1.15]
[C:\windows\system32\UmxSbxExw.dll] [Computer Associates International, Inc., 6.0.1.58]
[C:\windows\system32\UmxSbxw.dll] [Computer Associates International, Inc., 6.0.1.58]
[PID: 1964][C:\windows\System32\alg.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\windows\System32\UmxSbxExw.dll] [Computer Associates International, Inc., 6.0.1.58]
[C:\windows\System32\UmxSbxw.dll] [Computer Associates International, Inc., 6.0.1.58]
[PID: 672][C:\windows\Explorer.EXE] [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\windows\system32\UmxSbxExw.dll] [Computer Associates International, Inc., 6.0.1.58]
[C:\windows\system32\UmxSbxw.dll] [Computer Associates International, Inc., 6.0.1.58]
[C:\windows\system32\RavExt.dll] [Beijing Rising Technology Co., Ltd., 19, 0, 0, 9]
[C:\Program Files\Internet Download Manager\IDMIECC.dll] [Internet Download Manager Corp., Tonec Inc., 1, 0, 2, 1]
[C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll] [Adobe Systems Incorporated, 6.0.0.2003040700]
[C:\Program Files\Internet Download Manager\idmmkb.dll] [N/A, N/A]
[PID: 1084][C:\windows\system32\ctfmon.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\windows\system32\UmxSbxExw.dll] [Computer Associates International, Inc., 6.0.1.58]
[C:\windows\system32\UmxSbxw.dll] [Computer Associates International, Inc., 6.0.1.58]
[PID: 2020][C:\Program Files\Tiny Firewall Pro\amon.exe] [Computer Associates International, Inc., 6.5.3.2]
[C:\windows\system32\UmxSbxExw.dll] [Computer Associates International, Inc., 6.0.1.58]
[C:\windows\system32\UmxSbxw.dll] [Computer Associates International, Inc., 6.0.1.58]
[C:\Program Files\Tiny Firewall Pro\amonres.dll] [Computer Associates International, Inc., 6.5.1.2]
[C:\Program Files\Tiny Firewall Pro\FncIDs.dll] [Computer Associates International, Inc., 6.0.0.1]
[C:\Program Files\Tiny Firewall Pro\portnums.dll] [Computer Associates International, Inc., 6.0.0.1]
baohe - 2007-4-5 17:45:00
[PID: 1924][C:\Program Files\Internet Download Manager\IDMan.exe] [Internet Download Manager Corp., Tonec Inc. , 5, 0, 0, 0]
[C:\windows\system32\UmxSbxExw.dll] [Computer Associates International, Inc., 6.0.1.58]
[C:\windows\system32\UmxSbxw.dll] [Computer Associates International, Inc., 6.0.1.58]
[C:\Program Files\Internet Download Manager\idmmkb.dll] [N/A, N/A]
[PID: 3632][C:\Program Files\Opera\Opera.exe] [Opera Software, 8679]
[C:\windows\system32\UmxSbxExw.dll] [Computer Associates International, Inc., 6.0.1.58]
[C:\windows\system32\UmxSbxw.dll] [Computer Associates International, Inc., 6.0.1.58]
[C:\Program Files\Opera\Opera.dll] [Opera Software, 8679]
[C:\Program Files\Opera\Program\Plugins\NPSWF32.dll] [N/A, N/A]
[C:\windows\system32\UNISPIM.IME] [北京清华紫光软件股份有限公司, 3.0.0.3045]
[C:\windows\system32\upengine.dll] [北京清华紫光软件股份有限公司, 3.0.0.3045]
[PID: 3536][C:\Program Files\Tiny Firewall Pro\cfgtool.exe] [Computer Associates International, Inc., 6.0.0.52]
[C:\windows\system32\UmxSbxExw.dll] [Computer Associates International, Inc., 6.0.1.58]
[C:\windows\system32\UmxSbxw.dll] [Computer Associates International, Inc., 6.0.1.58]
[C:\Program Files\Tiny Firewall Pro\cfgtoolres.dll] [Computer Associates International, Inc., 6.0.0.28]
[C:\Program Files\Common Files\PFShared\Nag.dll] [Tiny Software, Inc., 6.0.1.22]
[C:\Program Files\Common Files\PFShared\cfgwi.dll] [Computer Associates International, Inc., 6.0.0.127]
[C:\Program Files\Common Files\PFShared\Cfgwires.dll] [Computer Associates International, Inc., 6.0.0.27]
[C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\PDM.DLL] [Microsoft Corporation, 7.00.9466]
[C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\2052\mdmui.dll] [Microsoft Corporation, 7.00.9466]
[C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MSDBG2.DLL] [Microsoft Corporation, 7.00.9466]
[C:\Program Files\Common Files\Microsoft Shared\INK\PENCHS.DLL] [Microsoft Corporation, 1.0.1038.0]
[C:\Program Files\Rising\Rav\RavScrCh.dll] [Beijing Rising Technology Co., Ltd., 18, 0, 0, 4]
[C:\Program Files\Common Files\PFShared\IfaceCtrl.dll] [Computer Associates International, Inc., 6.5.3.3]
[C:\windows\system32\msxml4.dll] [Microsoft Corporation, 4.20.9818.0]
[PID: 848][C:\Program Files\SREng2\SREng.exe] [Smallfrogs Studio, 2.3.13.690]
[C:\windows\system32\UmxSbxExw.dll] [Computer Associates International, Inc., 6.0.1.58]
[C:\windows\system32\UmxSbxw.dll] [Computer Associates International, Inc., 6.0.1.58]
baohe - 2007-4-5 17:46:00
==================================
文件关联
.TXT OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.EXE OK. ["%1" %*]
.COM OK. ["%1" %*]
.PIF OK. ["%1" %*]
.REG OK. [regedit.exe "%1"]
.BAT OK. ["%1" %*]
.SCR OK. ["%1" /S]
.CHM OK. ["C:\WINDOWS\hh.exe" %1]
.HLP OK. [%SystemRoot%\System32\winhlp32.exe %1]
.INI OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.INF OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.VBS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.JS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.LNK OK. [{00021401-0000-0000-C000-000000000046}]
==================================
Winsock 提供者
N/A
==================================
Autorun.inf
N/A
==================================
HOSTS 文件
127.0.0.1 localhost
==================================
API HOOK
警告!System Repair Engineer 提醒
你下面的函数内容与预期值不符,他
们可能被一些恶意的软件所修改:
入口点错误:TerminateProcess
入口点错误:TerminateThread
==================================
昨夜西风凋碧树 - 2007-4-5 18:02:00
I also just caught this virus. I tried to remove it yesterday but apparently didn't get it all. Still learning.
mashiyi - 2007-4-5 18:56:00
Logfile of Kaka v2. 0. 3. 0 Scan Module v1. 0. 6. 1
Scan saved at 15:02:52, on 2007-04-05
Platform: Microsoft Windows XP Professional Service Pack 2 (Build 2600)
MSIE: Internet Explorer v6.00 SP2; (6.00.2900.2180 (xpsp_sp2_rtm.040803-2158))
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: QQCycloneHelper Class - {00000000-12C9-4305-82F9-43058F20E8D2} - C:\Program Files\Tencent\QQDownload\QQIEHelper01.dll
O2 - BHO: Thunder Browser Helper - {889D2FEB-5411-4565-8998-1DD2C5261283} - C:\Program Files\Thunder Network\Thunder\ComDlls\XunLeiBHO_007.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [runeip] C:\Program Files\Rising\AntiSpyware\runiep.exe
O4 - HKLM\..\Run: [RavTask] "C:\Program Files\Rising\Rav\RavTask.exe" -system
O4 - HKLM\..\Run: [RfwMain] "C:\Program Files\Rising\Rfw\rfwmain.exe" -Startup
O4 - HKLM\..\Run: [QQDownload] "C:\Program Files\Tencent\QQDownload\QQDownload.exe" autostart
O4 - Startup: desktop.ini =
O4 - Startup: 腾讯QQ.lnk = C:\Program Files\Tencent\QQ\QQ.exe
O4 - Global Startup: desktop.ini =
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &使用超级旋风下载 - C:\Program Files\Tencent\QQDownload\geturl.htm
O8 - Extra context menu item: &使用超级旋风下载全部链接 - C:\Program Files\Tencent\QQDownload\getAllurl.htm
O8 - Extra context menu item: &使用迅雷下载 - C:\Program Files\Thunder Network\Thunder\Program\geturl.htm
O8 - Extra context menu item: &使用迅雷下载全部链接 - C:\Program Files\Thunder Network\Thunder\Program\getallurl.htm
O8 - Extra context menu item: 上传到QQ网络硬盘 - C:\Program Files\Tencent\QQ\AddToNetDisk.htm
O8 - Extra context menu item: 添加到QQ自定义面板 - C:\Program Files\Tencent\QQ\AddPanel.htm
O8 - Extra context menu item: 添加到QQ表情 - C:\Program Files\Tencent\QQ\AddEmotion.htm
O8 - Extra context menu item: 用QQ彩信发送该图片 - C:\Program Files\Tencent\QQ\SendMMS.htm
O9 - Extra Button: 启动迅雷5 - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - C:\Program Files\Thunder Network\Thunder\Thunder.exe
O9 - Extra 'Tools' menuitem: 启动迅雷5 - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - C:\Program Files\Thunder Network\Thunder\Thunder.exe
O9 - Extra Button: QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\Tencent\QQ\QQ.EXE
O9 - Extra 'Tools' menuitem: 腾讯QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\Tencent\QQ\QQ.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
O16 - DPF: {2354A44B-3CEB-4829-9940-545B03103538} (PowerPlr Control) - http://vod.lanyin.net/plugin/PowerPlr.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{3A336EFE-2310-43E0-80EE-6F8911184385}: NameServer = 60.191.244.5 60.191.244.2
O18 - Protocol: about - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: cdl - {3dd53d40-7b8b-11D0-b013-00aa0059ce02} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: dvd - {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: file - {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ftp - {79eac9e3-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: gopher - {79eac9e4-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: http - {79eac9e2-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: https - {79eac9e5-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ipp - (no CLSID) - (no file)
Aofa2007 - 2007-4-5 18:56:00
Is there a patch for this yet?
天月来了 - 2007-4-5 20:12:00
Uncle Mao's system is really cleaned out!!!!
And it's a laptop too!!!!!!!!!!
Hehe!!!!!!!!!!
eval - 2007-4-5 20:39:00
[Reply to "guyueseng"'s post] Brother, check whether your CheckedValue is of DWORD type; the virus changes its type.
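The two registry tricks the thread keeps returning to (IFEO "Debugger" entries that redirect autoruns, IceSword and the AV updaters, and a CheckedValue whose type was changed) can be checked offline from a regedit export. The script below is an added example, not anything posted in this thread or shipped with SREng; the .reg text it parses is a constructed sample with placeholder paths, and the key paths are the standard Windows ones.

```python
"""Check a regedit .reg export for IFEO Debugger hijacks and a mistyped
SHOWALL\\CheckedValue, then emit a .reg fragment that undoes both."""
import re

IFEO_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
            r"\Image File Execution Options")
SHOWALL_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
               r"\Explorer\Advanced\Folder\Hidden\SHOWALL")

# Constructed sample export (not real indicators): two IFEO hijacks, one
# harmless IFEO entry, and a CheckedValue that has been turned into a string.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe]
"Debugger"="C:\\WINDOWS\\system32\\PLACEHOLDER_hijack.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IceSword.exe]
"Debugger"="C:\\WINDOWS\\system32\\PLACEHOLDER_hijack.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"="1"
"DefaultValue"=dword:00000002
'''

VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')


def _unescape(s):
    # .reg strings escape backslash and quote with a backslash
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Return {key_path: {value_name: (reg_type, data)}} for a .reg export.
    Only REG_SZ, REG_DWORD and the "=-" delete marker are decoded."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if current is None or not m:
            continue
        name = m.group(1) if m.group(1) is not None else "@"
        data = m.group(3)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            keys[current][name] = ("REG_SZ", _unescape(data[1:-1]))
        elif data.lower().startswith("dword:"):
            keys[current][name] = ("REG_DWORD", int(data[6:], 16))
        elif data == "-":
            keys[current][name] = ("DELETE", None)
        else:
            keys[current][name] = ("RAW", data)
    return keys


def find_ifeo_debuggers(keys):
    """(image_name, debugger_path) for every per-image IFEO subkey with a
    Debugger value. Each hit needs review: legitimate debuggers register here
    too, but the thread's virus used it to redirect one security tool after another."""
    prefix = IFEO_KEY.lower() + "\\"
    hits = []
    for key, values in keys.items():
        if not key.lower().startswith(prefix):
            continue
        image = key[len(prefix):]
        if "\\" in image:  # deeper subkeys are not per-image entries
            continue
        for name, (reg_type, data) in values.items():
            if name.lower() == "debugger" and reg_type != "DELETE":
                hits.append((image, data))
    return sorted(hits)


def checkedvalue_ok(keys):
    """True only when SHOWALL\\CheckedValue is REG_DWORD 1; a string value is the
    type change eval describes, and Explorer then ignores 'show hidden files'."""
    for key, values in keys.items():
        if key.lower() == SHOWALL_KEY.lower():
            return values.get("CheckedValue") == ("REG_DWORD", 1)
    return False


def remediation_reg(keys):
    """Build a .reg fragment removing the flagged Debugger values and restoring
    CheckedValue to dword:1. Review the hit list before importing it."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for image, _ in find_ifeo_debuggers(keys):
        lines += ["[%s\\%s]" % (IFEO_KEY, image), '"Debugger"=-', ""]
    if not checkedvalue_ok(keys):
        lines += ["[%s]" % SHOWALL_KEY, '"CheckedValue"=dword:00000001', ""]
    return "\n".join(lines)


if __name__ == "__main__":
    parsed = parse_reg_export(SAMPLE_REG)
    for image, dbg in find_ifeo_debuggers(parsed):
        print("IFEO hijack: %s -> %s" % (image, dbg))
    print("CheckedValue type ok:", checkedvalue_ok(parsed))
    print(remediation_reg(parsed))
```

On a live XP box the same checks apply to `regedit /e` exports of the two keys; the fragment printed at the end is what you would import after confirming each flagged Debugger really is the virus's and not a debugger you installed.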
★蓝色尘埃★ - 2007-4-5 21:09:00
Good. Bump.
飞逝v流星 - 2007-4-5 21:45:00
Learned something, hehe.
© 2000 - 2026 Rising Corp. Ltd.