7月8日日志分析练习7 bbs.ikaka.com

lqqk7 - 2009-7-8 12:44:00

即日起每日会给大家提供一些染毒环境的SREng日志，因为部分实习生是第一次接触SREng这个工具，对日志分析不熟悉，如果冒然跑去反病毒区回帖，一旦出现误判，可能对求助者不利，因此采用这种“内部”交流的方式，希望大家能够多练习，真正分析日志的方法是靠自己实践摸索出来的！

注：日志分析练习情况与大家的实习期总成绩没有关联，请大家不要有顾虑，放心大胆的练习！

附件: 您所在的用户组无法下载或查看附件

========以下为参考分析结果========
异常项见附件（仅保留日志中可疑度较高的项）

注意：
1、看到C:\WINDOWS\system32\dnsq.dll、C:\WINDOWS\system32\com\netcfg.dll、C:\WINDOWS\system32\com\lsass.exe、C:\WINDOWS\system32\com\smss.exe这些，基本可以断定是磁碟机病毒，回帖时要充分考虑求助者的情况，在帖子中不要出现“磁碟机”字样或“Diskgen”字样，病毒捕捉到这样的关键字后将窗口直接关闭；
2、手动清理异常项后，记得让求助者使用磁碟机专杀工具全屏查杀，避免运行被感染的文件后再次中毒；

附件: 您所在的用户组无法下载或查看附件

handle - 2009-7-8 13:44:00

<AppInit_DLLs><C:\WINDOWS\system32\dnsq.dll> [ ]应该不正常

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
<WinlogonNotify: WgaLogon><WgaLogon.dll> []这个没见过:kaka3:
看到下面运行的进程的模块里都出现了这两个陌生人~应该就是病毒在捣鬼了

API HOOK
入口点错误：OpenProcess (危险等级: 高, 被下面模块所HOOK: C:\WINDOWS\system32\dnsq.dll)还是不懂~请教老师:kaka2:

handle - 2009-7-8 13:45:00

匆匆忙忙看完了~要去实习单位上班啦~

zapline - 2009-7-8 16:02:00

merrk_chuan - 2009-7-8 16:14:00

在相同的系统中找到以下文件进行替换，替换工具：http://bbs.ikaka.com/showtopic-8442813-2.aspx#9176804

c:\windows\system32\srsvc.dll

用帖子里提供的工具删除以下文件（http://bbs.ikaka.com/showtopic-8442813.aspx）

c:\windows\system32\com\smss.exe
c:\windows\system32\com\lsass.exe
c:\windows\system32\dnsq.dll
c:\windows\system32\com\netcfg.dll
c:\progra~1\iefxz\iefxz.dll

2.不管删除是否成功，请重启下，然后使用SREng修复下面各项：

启动项目－－注册表之如下项删除：
注意该项[AppInit_DLLs]修改：把<C:\WINDOWS\system32\dnsq.dll>修改为<>即清空

系统修复－－　浏览器加载项之如下项删除：
[IfObj Control] <C:\WINDOWS\system32\com\netcfg.dll>
[IEFXZ] <C:\PROGRA~1\IEfxz\iefxz.dll>

请问下老师：这个磁碟机的在日志里是不是缺少点病毒文件啊？那个API HOOK的在把dnsq.dll文件删除后还用不用修复呢？

凡尘之沙 - 2009-7-8 17:57:00

精神病院看门的 - 2009-7-8 21:14:00

该用户帖子内容已被屏蔽

daemonz - 2009-7-8 21:29:00

可疑的文件：
C:\WINDOWS\system32\dnsq.dll
C:\WINDOWS\system32\srsvc.dll
C:\WINDOWS\system32\com\netcfg.dll
C:\WINDOWS\system32\com\lsass.exe
C:\WINDOWS\system32\com\smss.exe

still刀刀 - 2009-7-26 23:40:00

<nwiz><; nwiz.exe /install> [N/A]

<NetMeeting 3.01><rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Remove.PerUser.NT> []

服务

[NetMeeting Remote Desktop Sharing / mnmsrvc][Stopped/Manual Start]
<C:\WINDOWS\system32\mnmsrvc.exe><(File is missing)>

==================================
驱动程序

==================================
浏览器加载项
[
[使用迅雷下载]
<C:\Program Files\Thunder Network\Thunder\Program\geturl.htm, N/A>
[使用迅雷下载全部链接]
<C:\Program Files\Thunder Network\Thunder\Program\getallurl.htm, N/A>
[导出到 Microsoft Office Excel(&X)]
<res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000, N/A>

==================================
正在运行的进程

[C:\WINDOWS\system32\dnsq.dll] [N/A, ]

[C:\WINDOWS\system32\WgaLogon.dll] [, ]
[PID: 768 / SYSTEM][C:\WINDOWS\system32\services.exe] [Microsoft Corporation, 5.1.2600.5512 (xpsp.080413-2111)]
[C:\WINDOWS\system32\dnsq.dll] [N/A, ]
[PID: 780][C:\WINDOWS\system32\lsass.exe] [Microsoft Corporation, 5.1.2600.5512 (xpsp.080413-2113)]
[C:\WINDOWS\system32\UxTheme.dll] [Microsoft Corporation, 6.00.2900.5512 (xpsp.080413-2105)]
[C:\WINDOWS\system32\dnsq.dll] [N/A, ]
[PID: 940 / SYSTEM][C:\WINDOWS\system32\svchost.exe] [Microsoft Corporation, 5.1.2600.5512 (xpsp.080413-2111)]
[C:\WINDOWS\system32\UxTheme.dll] [Microsoft Corporation, 6.00.2900.5512 (xpsp.080413-2105)]
[C:\WINDOWS\system32\dnsq.dll] [N/A, ]
[PID: 1004 / NETWORK SERVICE][C:\WINDOWS\system32\svchost.exe] [Microsoft Corporation, 5.1.2600.5512 (xpsp.080413-2111)]
[C:\WINDOWS\system32\UxTheme.dll] [Microsoft Corporation, 6.00.2900.5512 (xpsp.080413-2105)]
[C:\WINDOWS\system32\dnsq.dll] [N/A, ]
[PID: 1124 / SYSTEM][C:\WINDOWS\System32\svchost.exe] [Microsoft Corporation, 5.1.2600.5512 (xpsp.080413-2111)]
[C:\WINDOWS\System32\UxTheme.dll] [Microsoft Corporation, 6.00.2900.5512 (xpsp.080413-2105)]
[C:\WINDOWS\system32\dnsq.dll] [N/A, ]
[PID: 1232 / NETWORK SERVICE][C:\WINDOWS\system32\svchost.exe] [Microsoft Corporation, 5.1.2600.5512 (xpsp.080413-2111)]
[C:\WINDOWS\system32\UxTheme.dll] [Microsoft Corporation, 6.00.2900.5512 (xpsp.080413-2105)]
[C:\WINDOWS\system32\dnsq.dll] [N/A, ]
[PID: 1344 / LOCAL SERVICE][C:\WINDOWS\system32\svchost.exe] [Microsoft Corporation, 5.1.2600.5512 (xpsp.080413-2111)]
[C:\WINDOWS\system32\UxTheme.dll] [Microsoft Corporation, 6.00.2900.5512 (xpsp.080413-2105)]
[C:\WINDOWS\system32\dnsq.dll] [N/A, ]
[PID: 1452 / SYSTEM][C:\WINDOWS\system32\spoolsv.exe] [Microsoft Corporation, 5.1.2600.5512 (xpsp.080413-0852)]
[C:\WINDOWS\system32\UxTheme.dll] [Microsoft Corporation, 6.00.2900.5512 (xpsp.080413-2105)]
[C:\WINDOWS\system32\dnsq.dll] [N/A, ]
[C:\WINDOWS\system32\OLFMNT40.DLL] [Microsoft Corporation, 9.0.98.0105]
[C:\WINDOWS\System32\spool\PRTPROCS\W32X86\olfpnt40.dll] [Microsoft Corporation, 9.0.98.0105]
[PID: 1760 / Administrator][C:\WINDOWS\system32\ctfmon.exe] [Microsoft Corporation, 5.1.2600.5512 (xpsp.080413-2105)]
[C:\WINDOWS\system32\UxTheme.dll] [Microsoft Corporation, 6.00.2900.5512 (xpsp.080413-2105)]
[C:\WINDOWS\system32\dnsq.dll] [N/A, ]
[PID: 1840][C:\WINDOWS\system32\com\lsass.exe] [N/A, ]
[C:\WINDOWS\system32\dnsq.dll] [N/A, ]
[C:\WINDOWS\system32\shdoclc.dll] [Microsoft Corporation, 6.00.2900.5512 (xpsp.080413-2105)]
[C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\pdm.dll] [Microsoft Corporation, 7.00.9466]
[C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\2052\mdmui.dll] [Microsoft Corporation, 7.00.9466]
[C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\msdbg2.dll] [Microsoft Corporation, 7.00.9466]
[C:\WINDOWS\system32\com\netcfg.dll] [506, 1, 0, 0, 1]
[PID: 516][C:\WINDOWS\System32\alg.exe] [Microsoft Corporation, 5.1.2600.5512 (xpsp.080413-0852)]
[C:\WINDOWS\System32\UxTheme.dll] [Microsoft Corporation, 6.00.2900.5512 (xpsp.080413-2105)]
[C:\WINDOWS\system32\dnsq.dll] [N/A, ]
[PID: 536 / SYSTEM][C:\Program Files\StormII\stormliv.exe] [北京暴风网际科技有限公司, 3, 8, 3, 15]
[C:\Program Files\StormII\MSVCP60.dll] [Microsoft Corporation, 6.02.3104.0]
[C:\WINDOWS\system32\dnsq.dll] [N/A, ]

[C:\WINDOWS\system32\dnsq.dll] [N/A, ]
[C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\2052\mdmui.dll] [Microsoft Corporation, 7.00.9466]
[C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\msdbg2.dll] [Microsoft Corporation, 7.00.9466]
[PID: 620 / SYSTEM][C:\WINDOWS\system32\nvsvc32.exe] [NVIDIA Corporation, 6.14.11.7519]
[C:\WINDOWS\system32\nvapi.dll] [NVIDIA Corporation, 6.14.11.7519]
[PID: 1876][C:\WINDOWS\system32\com\smss.exe] [N/A, ]
[C:\WINDOWS\system32\dnsq.dll] [N/A, ]
[PID: 3184 / Administrator][C:\WINDOWS\explorer.exe] [Microsoft Corporation, 6.00.2900.5512 (xpsp.080413-2105)]
[C:\WINDOWS\system32\UxTheme.dll] [Microsoft Corporation, 6.00.2900.5512 (xpsp.080413-2105)]
[C:\WINDOWS\system32\dnsq.dll] [N/A, ]

[PID: 2304 / Administrator][D:\sreng2\SREf0465bfe.EXE] [Smallfrogs Studio, 2.6.11.992]

[C:\WINDOWS\system32\dnsq.dll] [N/A, ]

零度的穷浪漫 - 2009-7-29 1:48:00

1.[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<load><> [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<AppInit_DLLs><C:\WINDOWS\system32\dnsq.dll> []有值？
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
<WinlogonNotify: WgaLogon><WgaLogon.dll> []这是什么？
2.[IEFXZ]
{6A49F431-2A2E-41a5-9080-0F41D1A3AEC2} <C:\PROGRA~1\IEfxz\iefxz.dll, >
[IEFXZTool]
{61F0024B-8278-4999-B7E6-2718426D9FE6} <C:\PROGRA~1\IEfxz\iefxz.dll, >
[IEFXZHelper]
{6A49F431-2A2E-41a5-9080-0F41D1A3AEC1} <C:\PROGRA~1\IEfxz\iefxz.dll, >
[IEFXZ]
{6A49F431-2A2E-41A5-9080-0F41D1A3AEC2} <C:\PROGRA~1\IEfxz\iefxz.dll, >
[IfObj Control]
{D9901239-34A2-448D-A000-3705544ECE9D} <C:\WINDOWS\system32\com\netcfg.dll, 506>这些是什么？
3，[PID: 724 / SYSTEM][\??\C:\WINDOWS\system32\winlogon.exe] [Microsoft Corporation, 5.1.2600.5512 (xpsp.080413-2113)]
[C:\WINDOWS\system32\dnsq.dll] [N/A, ]
[C:\WINDOWS\system32\WgaLogon.dll] [, ]和上面遥相呼应啊
4.特殊特权被允许： SeLoadDriverPrivilege [PID = 724, C:\WINDOWS\SYSTEM32\WINLOGON.EXE]又是这个
5.入口点错误：OpenProcess (危险等级: 高, 被下面模块所HOOK: C:\WINDOWS\system32\dnsq.dll)
磁碟机病毒，记住了

零度的穷浪漫 - 2009-7-29 1:53:00

我没用工具一篇一篇都是自己分析的，看到那些什么
在相同的系统中找到以下文件进行替换，替换工具：http://bbs.ikaka.com/showtopic-8442813-2.aspx#9176804
用帖子里提供的工具删除以下文件（http://bbs.ikaka.com/showtopic-8442813.aspx）
2.不管删除是否成功，请重启下，然后使用SREng修复下面各项：
看到这些就火大

乐陶猪 - 2009-8-4 21:22:00

1. [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<AppInit_DLLs><C:\WINDOWS\system32\dnsq.dll> []

2. ==================================
正在运行的进程

[PID: 724 / SYSTEM][\??\C:\WINDOWS\system32\winlogon.exe] [Microsoft Corporation, 5.1.2600.5512 (xpsp.080413-2113)]
[C:\WINDOWS\system32\dnsq.dll] [N/A, ]
[C:\WINDOWS\system32\WgaLogon.dll] [, ]
[PID: 768 / SYSTEM][C:\WINDOWS\system32\services.exe] [Microsoft Corporation, 5.1.2600.5512 (xpsp.080413-2111)]
[C:\WINDOWS\system32\dnsq.dll] [N/A, ]
[PID: 780][C:\WINDOWS\system32\lsass.exe] [Microsoft Corporation, 5.1.2600.5512 (xpsp.080413-2113)]
[C:\WINDOWS\system32\dnsq.dll] [N/A, ]
[PID: 940 / SYSTEM][C:\WINDOWS\system32\svchost.exe] [Microsoft Corporation, 5.1.2600.5512 (xpsp.080413-2111)]
[C:\WINDOWS\system32\dnsq.dll] [N/A, ]
[PID: 1004 / NETWORK SERVICE][C:\WINDOWS\system32\svchost.exe] [Microsoft Corporation, 5.1.2600.5512 (xpsp.080413-2111)]
[C:\WINDOWS\system32\dnsq.dll] [N/A, ]
[PID: 1124 / SYSTEM][C:\WINDOWS\System32\svchost.exe] [Microsoft Corporation, 5.1.2600.5512 (xpsp.080413-2111)]
[C:\WINDOWS\system32\dnsq.dll] [N/A, ]
[PID: 1232 / NETWORK SERVICE][C:\WINDOWS\system32\svchost.exe] [Microsoft Corporation, 5.1.2600.5512 (xpsp.080413-2111)]
[C:\WINDOWS\system32\dnsq.dll] [N/A, ]
[PID: 1344 / LOCAL SERVICE][C:\WINDOWS\system32\svchost.exe] [Microsoft Corporation, 5.1.2600.5512 (xpsp.080413-2111)]
[C:\WINDOWS\system32\dnsq.dll] [N/A, ]
[PID: 1452 / SYSTEM][C:\WINDOWS\system32\spoolsv.exe] [Microsoft Corporation, 5.1.2600.5512 (xpsp.080413-0852)]
[C:\WINDOWS\system32\dnsq.dll] [N/A, ]
[PID: 1760 / Administrator][C:\WINDOWS\system32\ctfmon.exe] [Microsoft Corporation, 5.1.2600.5512 (xpsp.080413-2105)]
[C:\WINDOWS\system32\dnsq.dll] [N/A, ]
[PID: 1840][C:\WINDOWS\system32\com\lsass.exe] [N/A, ]
[C:\WINDOWS\system32\dnsq.dll] [N/A, ]
[PID: 516][C:\WINDOWS\System32\alg.exe] [Microsoft Corporation, 5.1.2600.5512 (xpsp.080413-0852)]
[C:\WINDOWS\system32\dnsq.dll] [N/A, ]
[PID: 536 / SYSTEM][C:\Program Files\StormII\stormliv.exe] [北京暴风网际科技有限公司, 3, 8, 3, 15]
[C:\WINDOWS\system32\dnsq.dll] [N/A, ]
[PID: 564 / SYSTEM][C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE] [Microsoft Corporation, 7.00.9466]
[C:\WINDOWS\system32\dnsq.dll] [N/A, ]
[PID: 1876][C:\WINDOWS\system32\com\smss.exe] [N/A, ]
[C:\WINDOWS\system32\dnsq.dll] [N/A, ]
[PID: 3184 / Administrator][C:\WINDOWS\explorer.exe] [Microsoft Corporation, 6.00.2900.5512 (xpsp.080413-2105)]
[C:\WINDOWS\system32\UxTheme.dll] [Microsoft Corporation, 6.00.2900.5512 (xpsp.080413-2105)]
[C:\WINDOWS\system32\dnsq.dll] [N/A, ]
[PID: 2304 / Administrator][D:\sreng2\SREf0465bfe.EXE] [Smallfrogs Studio, 2.6.11.992]
[C:\WINDOWS\system32\dnsq.dll] [N/A, ]

瑞星卡卡安全论坛