After running, it downloads quite a few DD.
SREng log after infection:
启动项目
注册表
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
<{37C3125C-9CB6-4503-8F38-63D80ADEFA07}><C:\Program Files\Common Files\Microsoft Shared\MSINFO\System6.ins> []
<{E418E9ED-9221-4661-B1F3-4AA35BD83832}><C:\Program Files\Internet Explorer\PLUGINS\WinSys88.Sys> [N/A]
<{5D47B341-43DF-4563-753F-345FFA3157D5}><C:\windows\system32\kvmxema.dll> []
<{4E32FA58-3453-FA2D-BC49-F340348ACCE4}><C:\windows\system32\rsmydpm.dll> []
<{3C87A354-ABC3-DEDE-FF33-3213FD7447C3}><C:\windows\system32\kvdxcma.dll> []
<{334345F1-DACF-3452-CB7D-4620F34A1533}><C:\windows\system32\rsztcpm.dll> []
<{3A1247C1-53DA-FF43-ABD3-345F323A48D3}><C:\windows\system32\avwgcmn.dll> []
<{4859245F-345D-BC13-AC4F-145D47DA34F4}><C:\windows\system32\avzxdmn.dll> []
<{57D81718-1314-5200-2597-587901018075}><C:\windows\system32\kaqhezy.dll> []
<{28907901-1416-3389-9981-372178569982}><C:\windows\system32\kawdbzy.dll> []
<{24783410-4F90-34A0-7820-3230ACD05F42}><C:\windows\system32\raqjbpi.dll> []
<{2598FF45-DA60-F48A-BC43-10AC47853D52}><C:\windows\system32\rarjbpi.dll> []
==================================
正在运行的进程
[PID: 3164 / baohelin][C:\windows\Explorer.EXE] [Microsoft Corporation, 6.00.2900.3156 (xpsp_sp2_gdr.070613-1234)]
[C:\Program Files\Common Files\Microsoft Shared\MSINFO\System6.ins] [N/A, ]
[C:\windows\system32\raqjbpi.dll] [N/A, ]
[C:\windows\system32\kvmxema.dll] [N/A, ]
[C:\windows\system32\kawdbzy.dll] [N/A, ]
[C:\windows\system32\kvdxcma.dll] [N/A, ]
[C:\windows\system32\rsztcpm.dll] [N/A, ]
[C:\windows\system32\rsmydpm.dll] [N/A, ]
[C:\windows\system32\kaqhezy.dll] [N/A, ]
[C:\windows\system32\avwgcmn.dll] [N/A, ]
[C:\windows\system32\avzxdmn.dll] [N/A, ]
[C:\windows\system32\rarjbpi.dll] [N/A, ]
[PID: 3784 / baohelin][C:\WINDOWS\system32\shadow\ShadowTip.exe] [PowerShadow, 1, 0, 0, 1]
[C:\windows\system32\kvmxema.dll] [N/A, ]
[C:\windows\system32\kawdbzy.dll] [N/A, ]
[C:\windows\system32\rarjbpi.dll] [N/A, ]
[C:\windows\system32\avzxdmn.dll] [N/A, ]
[C:\windows\system32\avwgcmn.dll] [N/A, ]
[C:\windows\system32\rsztcpm.dll] [N/A, ]
[C:\windows\system32\kaqhezy.dll] [N/A, ]
[C:\windows\system32\rsmydpm.dll] [N/A, ]
[C:\windows\system32\kvdxcma.dll] [N/A, ]
[C:\windows\system32\raqjbpi.dll] [N/A, ]
[PID: 4092 / baohelin][C:\Program Files\SRENG\SREngPS.EXE] [Smallfrogs Studio, 2.5.16.900]
[C:\windows\system32\raqjbpi.dll] [N/A, ]
[C:\windows\system32\kvmxema.dll] [N/A, ]
[C:\windows\system32\kawdbzy.dll] [N/A, ]
[C:\windows\system32\rarjbpi.dll] [N/A, ]
[C:\windows\system32\avzxdmn.dll] [N/A, ]
[C:\windows\system32\avwgcmn.dll] [N/A, ]
[C:\windows\system32\rsztcpm.dll] [N/A, ]
[C:\windows\system32\kaqhezy.dll] [N/A, ]
[C:\windows\system32\rsmydpm.dll] [N/A, ]
[C:\windows\system32\kvdxcma.dll] [N/A, ]
[PID: 1220 / baohelin][C:\Program Files\TuneUp Utilities 2006\Integrator.exe] [TuneUp Software GmbH, 2.1.0.270]
[C:\windows\system32\avwgcmn.dll] [N/A, ]
[C:\windows\system32\rsztcpm.dll] [N/A, ]
[C:\windows\system32\kaqhezy.dll] [N/A, ]
[C:\windows\system32\rsmydpm.dll] [N/A, ]
[C:\windows\system32\kvdxcma.dll] [N/A, ]
[C:\windows\system32\raqjbpi.dll] [N/A, ]
[C:\windows\system32\kvmxema.dll] [N/A, ]
[C:\windows\system32\kawdbzy.dll] [N/A, ]
[C:\windows\system32\rarjbpi.dll] [N/A, ]
[C:\windows\system32\avzxdmn.dll] [N/A, ]
[PID: 520 / baohelin][C:\Program Files\TuneUp Utilities 2006\RegistryEditor.exe] [TuneUp Software GmbH, 1.1.0.478]
[C:\windows\system32\rarjbpi.dll] [N/A, ]
[C:\windows\system32\avzxdmn.dll] [N/A, ]
[C:\windows\system32\avwgcmn.dll] [N/A, ]
[C:\windows\system32\kaqhezy.dll] [N/A, ]
[C:\windows\system32\rsmydpm.dll] [N/A, ]
[C:\windows\system32\rsztcpm.dll] [N/A, ]
[C:\windows\system32\kvdxcma.dll] [N/A, ]
[C:\windows\system32\raqjbpi.dll] [N/A, ]
[C:\windows\system32\kvmxema.dll] [N/A, ]
[C:\windows\system32\kawdbzy.dll] [N/A, ]
[PID: 2584 / baohelin][C:\windows\system32\kvmxeis.exe] [N/A, ]
[C:\windows\system32\kvmxema.dll] [N/A, ]
[PID: 3552 / baohelin][C:\windows\system32\rsmydsp.exe] [N/A, ]
[C:\windows\system32\rsmydpm.dll] [N/A, ]
[PID: 3548 / baohelin][C:\windows\system32\kvdxcis.exe] [N/A, ]
[C:\windows\system32\kvdxcma.dll] [N/A, ]
[PID: 1452 / baohelin][C:\windows\system32\rsztcsp.exe] [N/A, ]
[C:\windows\system32\rsztcpm.dll] [N/A, ]
[PID: 3192 / baohelin][C:\windows\system32\avwgcst.exe] [N/A, ]
[C:\windows\system32\avwgcmn.dll] [N/A, ]
[PID: 2732 / baohelin][C:\windows\system32\avzxdst.exe] [N/A, ]
[C:\windows\system32\avzxdmn.dll] [N/A, ]
[PID: 2728 / baohelin][C:\windows\system32\kaqheaz.exe] [N/A, ]
[C:\windows\system32\kaqhezy.dll] [N/A, ]
[PID: 4008 / baohelin][C:\windows\system32\kawdbaz.exe] [N/A, ]
[C:\windows\system32\kawdbzy.dll] [N/A, ]
[PID: 3400 / baohelin][C:\windows\system32\raqjbtl.exe] [N/A, ]
[C:\windows\system32\raqjbpi.dll] [N/A, ]
[PID: 3864 / baohelin][C:\windows\system32\rarjbtl.exe] [N/A, ]
[C:\windows\system32\rarjbpi.dll] [N/A, ]
[PID: 2896 / baohelin][C:\Program Files\Tiny Firewall Pro\amon.exe] [Computer Associates International, Inc., 6.5.3.2]
[C:\windows\system32\avwgcmn.dll] [N/A, ]
[C:\windows\system32\rsztcpm.dll] [N/A, ]
[C:\windows\system32\kaqhezy.dll] [N/A, ]
[C:\windows\system32\rsmydpm.dll] [N/A, ]
[C:\windows\system32\kvdxcma.dll] [N/A, ]
[C:\windows\system32\raqjbpi.dll] [N/A, ]
[C:\windows\system32\kvmxema.dll] [N/A, ]
[C:\windows\system32\kawdbzy.dll] [N/A, ]
[C:\windows\system32\rarjbpi.dll] [N/A, ]
[C:\windows\system32\avzxdmn.dll] [N/A, ]
[PID: 3896 / baohelin][C:\Program Files\Tiny Firewall Pro\UmxTray.exe] [Computer Associates International, Inc., 6.5.1.59]
[C:\windows\system32\rsztcpm.dll] [N/A, ]
[C:\windows\system32\kaqhezy.dll] [N/A, ]
[C:\windows\system32\rsmydpm.dll] [N/A, ]
[C:\windows\system32\kvdxcma.dll] [N/A, ]
[C:\windows\system32\raqjbpi.dll] [N/A, ]
[C:\windows\system32\kvmxema.dll] [N/A, ]
[C:\windows\system32\kawdbzy.dll] [N/A, ]
[C:\windows\system32\rarjbpi.dll] [N/A, ]
[C:\windows\system32\avzxdmn.dll] [N/A, ]
[C:\windows\system32\avwgcmn.dll] [N/A, ]
[PID: 1800 / baohelin][C:\Program Files\Tiny Firewall Pro\tralogan.exe] [Computer Associates International, Inc., 6.0.0.17]
[C:\windows\system32\rsztcpm.dll] [N/A, ]
[C:\windows\system32\kaqhezy.dll] [N/A, ]
[C:\windows\system32\rsmydpm.dll] [N/A, ]
[C:\windows\system32\kvdxcma.dll] [N/A, ]
[C:\windows\system32\raqjbpi.dll] [N/A, ]
[C:\windows\system32\kvmxema.dll] [N/A, ]
[C:\windows\system32\kawdbzy.dll] [N/A, ]
[C:\windows\system32\rarjbpi.dll] [N/A, ]
[C:\windows\system32\avzxdmn.dll] [N/A, ]
[C:\windows\system32\avwgcmn.dll] [N/A, ]
==================================
进程特权扫描
特殊特权被允许: SeDebugPrivilege [PID = 2584, C:\WINDOWS\SYSTEM32\KVMXEIS.EXE]
特殊特权被允许: SeLoadDriverPrivilege [PID = 2584, C:\WINDOWS\SYSTEM32\KVMXEIS.EXE]
特殊特权被允许: SeLoadDriverPrivilege [PID = 3552, C:\WINDOWS\SYSTEM32\RSMYDSP.EXE]
特殊特权被允许: SeDebugPrivilege [PID = 3548, C:\WINDOWS\SYSTEM32\KVDXCIS.EXE]
特殊特权被允许: SeLoadDriverPrivilege [PID = 3548, C:\WINDOWS\SYSTEM32\KVDXCIS.EXE]
特殊特权被允许: SeDebugPrivilege [PID = 1452, C:\WINDOWS\SYSTEM32\RSZTCSP.EXE]
特殊特权被允许: SeLoadDriverPrivilege [PID = 1452, C:\WINDOWS\SYSTEM32\RSZTCSP.EXE]
特殊特权被允许: SeLoadDriverPrivilege [PID = 3192, C:\WINDOWS\SYSTEM32\AVWGCST.EXE]
特殊特权被允许: SeDebugPrivilege [PID = 2732, C:\WINDOWS\SYSTEM32\AVZXDST.EXE]
特殊特权被允许: SeLoadDriverPrivilege [PID = 2732, C:\WINDOWS\SYSTEM32\AVZXDST.EXE]
特殊特权被允许: SeDebugPrivilege [PID = 2728, C:\WINDOWS\SYSTEM32\KAQHEAZ.EXE]
特殊特权被允许: SeLoadDriverPrivilege [PID = 2728, C:\WINDOWS\SYSTEM32\KAQHEAZ.EXE]
特殊特权被允许: SeDebugPrivilege [PID = 4008, C:\WINDOWS\SYSTEM32\KAWDBAZ.EXE]
特殊特权被允许: SeLoadDriverPrivilege [PID = 4008, C:\WINDOWS\SYSTEM32\KAWDBAZ.EXE]
特殊特权被允许: SeDebugPrivilege [PID = 3400, C:\WINDOWS\SYSTEM32\RAQJBTL.EXE]
特殊特权被允许: SeLoadDriverPrivilege [PID = 3400, C:\WINDOWS\SYSTEM32\RAQJBTL.EXE]
特殊特权被允许: SeDebugPrivilege [PID = 3864, C:\WINDOWS\SYSTEM32\RARJBTL.EXE]
特殊特权被允许: SeLoadDriverPrivilege [PID = 3864, C:\WINDOWS\SYSTEM32\RARJBTL.EXE]
Those DLLs inject into user application processes.
Use IceSword: first disable process creation, then terminate those .exe processes (paths shown in the figure below) and the processes the virus has injected into; only then can the virus files be completely deleted.
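The cleanup order above (stop new processes, end the loaders, then delete) depends on knowing which hook DLLs are resident in which processes and which of the dropped executables hold sensitive privileges. The following triage script is an added example, not part of the original post or of SREng itself: it parses the three log sections quoted above (ShellExecuteHooks entries, running processes with their loaded modules, and the privilege scan) and correlates them. The embedded log is a constructed excerpt in the SREng 2.5 layout, trimmed to a few of the entries from the post; the function names are the example's own.

```python
"""Triage helper for SREng (System Repair Engineer) log excerpts.

Added example (not from the forum post or from SREng). It reports
ShellExecuteHooks DLLs that carry no vendor/version information, the
processes each such DLL was found loaded into, and unsigned executables
together with any SeDebugPrivilege / SeLoadDriverPrivilege they hold.
"""
import re
from collections import defaultdict

# Constructed excerpt in the SREng 2.5 log layout; paths and PIDs are taken
# from the log quoted in the post, trimmed to a handful of entries.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
<{37C3125C-9CB6-4503-8F38-63D80ADEFA07}><C:\Program Files\Common Files\Microsoft Shared\MSINFO\System6.ins> []
<{E418E9ED-9221-4661-B1F3-4AA35BD83832}><C:\Program Files\Internet Explorer\PLUGINS\WinSys88.Sys> [N/A]
<{5D47B341-43DF-4563-753F-345FFA3157D5}><C:\windows\system32\kvmxema.dll> []
<{4E32FA58-3453-FA2D-BC49-F340348ACCE4}><C:\windows\system32\rsmydpm.dll> []
==================================
[PID: 3164 / baohelin][C:\windows\Explorer.EXE] [Microsoft Corporation, 6.00.2900.3156 (xpsp_sp2_gdr.070613-1234)]
[C:\Program Files\Common Files\Microsoft Shared\MSINFO\System6.ins] [N/A, ]
[C:\windows\system32\kvmxema.dll] [N/A, ]
[C:\windows\system32\rsmydpm.dll] [N/A, ]
[PID: 4092 / baohelin][C:\Program Files\SRENG\SREngPS.EXE] [Smallfrogs Studio, 2.5.16.900]
[C:\windows\system32\kvmxema.dll] [N/A, ]
[PID: 2584 / baohelin][C:\windows\system32\kvmxeis.exe] [N/A, ]
[C:\windows\system32\kvmxema.dll] [N/A, ]
[PID: 3552 / baohelin][C:\windows\system32\rsmydsp.exe] [N/A, ]
[C:\windows\system32\rsmydpm.dll] [N/A, ]
==================================
特殊特权被允许: SeDebugPrivilege [PID = 2584, C:\WINDOWS\SYSTEM32\KVMXEIS.EXE]
特殊特权被允许: SeLoadDriverPrivilege [PID = 2584, C:\WINDOWS\SYSTEM32\KVMXEIS.EXE]
特殊特权被允许: SeLoadDriverPrivilege [PID = 3552, C:\WINDOWS\SYSTEM32\RSMYDSP.EXE]
"""

# One regex per SREng line shape: hook entry, process header, loaded module,
# and privilege-scan finding (the latter is matched by its tail, so the
# localized prefix does not matter).
HOOK_RE = re.compile(r"^<\{([0-9A-F-]+)\}><([^>]+)> \[([^\]]*)\]$", re.I)
PROC_RE = re.compile(r"^\[PID: (\d+) / [^\]]*\]\[([^\]]+)\] \[([^\]]*)\]$")
MOD_RE = re.compile(r"^\[([^\]]+)\] \[([^\]]*)\]$")
PRIV_RE = re.compile(r": (Se\w+Privilege) \[PID = (\d+), [^\]]+\]$")


def lacks_version_info(info):
    """SREng prints '[]', '[N/A]' or '[N/A, ]' when a PE has no version resource."""
    return info.replace(",", "").strip() in ("", "N/A")


def parse_sreng(text):
    """Return (hooks, processes-by-pid, privileges-by-pid) from a log excerpt."""
    hooks, procs, privs = [], {}, defaultdict(set)
    current = None  # pid of the process header most recently seen
    for raw in text.splitlines():
        line = raw.strip()
        m = HOOK_RE.match(line)
        if m:
            hooks.append({"clsid": m.group(1), "dll": m.group(2), "info": m.group(3)})
            continue
        m = PROC_RE.match(line)
        if m:
            current = int(m.group(1))
            procs[current] = {"path": m.group(2), "info": m.group(3), "modules": []}
            continue
        m = PRIV_RE.search(line)
        if m:
            privs[int(m.group(2))].add(m.group(1))
            continue
        m = MOD_RE.match(line)
        if m and current is not None:
            procs[current]["modules"].append({"path": m.group(1), "info": m.group(2)})
    return hooks, procs, privs


def triage(text):
    """Correlate unsigned hook DLLs with host processes and unsigned EXEs with privileges."""
    hooks, procs, privs = parse_sreng(text)
    hook_findings = []
    for h in hooks:
        if not lacks_version_info(h["info"]):
            continue
        hosts = sorted(pid for pid, p in procs.items()
                       if any(m["path"].lower() == h["dll"].lower() for m in p["modules"]))
        hook_findings.append({"clsid": h["clsid"], "dll": h["dll"], "loaded_in": hosts})
    exe_findings = [
        {"pid": pid, "exe": p["path"], "privileges": sorted(privs.get(pid, ()))}
        for pid, p in sorted(procs.items()) if lacks_version_info(p["info"])
    ]
    return {"hooks": hook_findings, "processes": exe_findings}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for h in result["hooks"]:
        print(f"hook {h['clsid']} -> {h['dll']} loaded in PIDs {h['loaded_in'] or 'none'}")
    for p in result["processes"]:
        print(f"unsigned exe PID {p['pid']} {p['exe']} privileges={p['privileges']}")
```

A hook DLL that is registered but loaded in no listed process (WinSys88.Sys in the excerpt) is worth noting separately: it will reappear the next time Explorer handles a ShellExecute call, so the registry value must go along with the file. The unsigned executables with SeLoadDriverPrivilege are the ones to terminate first, since they are the candidates for reloading the DLLs and dropping a driver.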