昨天新装了GOOGLE捆绑的IE8,今天觉得有GOOGLE插件太烦琐,打开电脑重新安装/更新IE8重新启动之后,却发现变回了IE7,再重新启动,变成没有GOOGLE捆绑的IE8,但是IE上所有登陆密码都无法输入,用户名也无法输入。
进入事件管理器查看,发现有人用GUEST用户反复登陆,删除/停用GUEST用户,又发现仍被NETWORK Service反复登陆(见后面附部分),发现登陆进程advapi, 网上某些资料显示它是特洛伊木馬病毒NETDEVIL.12的一个进程。
发现防火墙被更改设置:“允许远程协助”,“ICMP允许传入回显请求”等等
用瑞星查杀,发现不到。
搜索到9个advapi32,除了在c:\window\system32\advapi32.dll
发现其他位置的都删掉了,安全模式也删不掉
把注册表里的删掉,SYSTEM32下的dll文件始终删不掉,反复出现,也找不到备份文件。
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:53:42, on 2009-6-19
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Rising\Rav\CCENTER.EXE
C:\Program Files\Rising\Rfw\CCENTER.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Rising\Rav\RavTask.exe
C:\Program Files\Rising\Rfw\RavTask.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Rising\Rfw\rfwsrv.exe
C:\Program Files\Rising\Rav\RavMonD.exe
C:\Program Files\Rising\Rav\rsnetsvr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Rising\Rav\ScanFrm.exe
C:\WINDOWS\system32\WatchData\Watchdata CCB CSP v3.2\WDKeyMonitorCCB.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\Rising\Rav\RsAgent.exe
C:\WINDOWS\msagent\AgentSvr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Creative\Mixer\CTSVolFE.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Rising\KakaToolBar\rstray.exe
C:\WINDOWS\system32\WatchData\Watchdata CCB CSP v3.2\WDCertM_CCB.exe
C:\Program Files\Rising\Rav\RsTray.exe
C:\Program Files\Rising\Rfw\RsTray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Rising\Rav\rssafety.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\Rising\KakaToolBar\knownsvr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Thunder Network\Thunder\Program\Thunder5.exe
C:\Documents and Settings\coco\桌面\HijackThis.exe
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: ThunderBHO - {889D2FEB-5411-4565-8998-1DD2C5261283} - C:\Program Files\Thunder Network\Thunder\ComDlls\xunleiBHO_Now.dll
O2 - BHO: Windows Live 登录帮助程序 - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [CTSVolFE.exe] "C:\Program Files\Creative\Mixer\CTSVolFE.exe" /r
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [IMSCMig] C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMSC40A\IMSCMIG.EXE /Preload
O4 - HKLM\..\Run: [runeip] "C:\Program Files\Rising\KakaToolBar\rstray.exe" /startup
O4 - HKLM\..\Run: [wdcertm_ccb] C:\WINDOWS\system32\WatchData\Watchdata CCB CSP v3.2\WDCertM_CCB.exe
O4 - HKLM\..\Run: [RavTray] "C:\Program Files\Rising\Rav\RsTray.exe" -system
O4 - HKLM\..\Run: [RFWTray] "C:\Program Files\Rising\Rfw\RsTray.exe" -system
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe
O4 - HKLM\..\Run: [safety3] "C:\Program Files\Rising\Rav\rssafety.exe" /startup
O4 - HKLM\..\RunOnce: [KKDelay] C:\Program Files\Rising\KakaToolBar\RunOnce.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: 使用迅雷下载 - C:\Program Files\Thunder Network\Thunder\Program\geturl.htm
O8 - Extra context menu item: 使用迅雷下载全部链接 - C:\Program Files\Thunder Network\Thunder\Program\getallurl.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java 控制台 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: 信息检索 - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {488A4255-3236-44B3-8F27-FA1AECAA8844} (EditCtrl Class) -
https://img.alipay.com/download/2121/aliedit.cabO16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) -
http://www.linkedin.com/cab/LinkedInContactFinderControl.cabO16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) -
http://cdn.scan.onecare.live.com ... er/wlscbase9563.cabO16 - DPF: {73E4740C-08EB-4133-896B-8D0A7C9EE3CD} (AxInputControl Class) -
https://mybank.icbc.com.cn/icbc/newperbank/AxSafeControls.cabO16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) -
http://lovedingding.spaces.live.com/PhotoUpload/MsnPUpld.cabO16 - DPF: {9C3C2C08-C494-4F52-AE94-85156A447D43} -
http://photos.i.cn.yahoo.com/yphotoseasy.cabO16 - DPF: {9CE079AF-AA90-44F4-BBB3-7C6DB300F5C9} (pEdit Control) -
https://mima.help.163.com/pEdit.cabO16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
http://fpdownload2.macromedia.co ... current/swflash.cabO16 - DPF: {D82303B7-A754-4DCB-8AFC-8CF99435AACE} (KUpdateObj2 Class) -
http://shadu.duba.net/kosclean_v2/KOSInit.cabO16 - DPF: {F6676623-8BBD-479C-A51B-05868728708C} (DigitalDM) -
http://www.leonardotravelebooks.com/ebooks/DIGITALDM2.cabO17 - HKLM\System\CCS\Services\Tcpip\..\{E024A711-ED26-426E-971B-41F02D849F4B}: NameServer = 202.106.195.68 202.106.46.151
O18 - Protocol: KuGoo - {6AC4FBC7-AA38-45EC-9634-D6D20B679EFC} - C:\WINDOWS\system32\KuGoo3DownXControl.ocx
O18 - Protocol: KuGoo3 - {6AC4FBC7-AA38-45EC-9634-D6D20B679EFC} - C:\WINDOWS\system32\KuGoo3DownXControl.ocx
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - AppInit_DLLs: kmon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Kingsoft Basic Service (kaccore) - Kingsoft Corporation - C:\Program Files\Kingsoft\KAC\Service\kaccore.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Rav Process Communication Center (RavCCenter) - Beijing Rising Information Technology Co., Ltd. - C:\Program Files\Rising\Rav\CCENTER.EXE
O23 - Service: Rising RavTask Manager (RavTask) - Beijing Rising Information Technology Co., Ltd. - C:\Program Files\Rising\Rav\RavTask.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Rfw Process Communication Center (RfwCCenter) - Beijing Rising Information Technology Co., Ltd. - C:\Program Files\Rising\Rfw\CCENTER.EXE
O23 - Service: Rising Personal Firewall Service (RfwService) - Beijing Rising Information Technology Co., Ltd. - C:\Program Files\Rising\Rfw\rfwsrv.exe
O23 - Service: Rising RfwTask Manager (RfwTask) - Beijing Rising Information Technology Co., Ltd. - C:\Program Files\Rising\Rfw\RavTask.exe
O23 - Service: Rising RealTime Monitor (RsRavMon) - Beijing Rising Information Technology Co., Ltd. - C:\Program Files\Rising\Rav\RavMonD.exe
O23 - Service: Rising Scan Service (RsScanSrv) - Beijing Rising Information Technology Co., Ltd. - C:\Program Files\Rising\Rav\ScanFrm.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: WatchData ccb V3.2 (WDMonitorCCB) - Beijing WatchData System Co., Ltd. - C:\WINDOWS\system32\WatchData\Watchdata CCB CSP v3.2\WDKeyMonitorCCB.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
O24 - Desktop Component 0: (no name) -
http://album.sina.com.cn/pic/48494d8302000bth--
End of file - 12202 bytes
事件管理器里记录:
登录成功:
用户名: NETWORK SERVICE
域: NT AUTHORITY
登录 ID: (0x0,0x3E4)
登录类型: 5
登录过程: Advapi
身份验证程序包: Negotiate
工作站名:
登录 GUID:
安全帐户管理器已被加载到通知程序包。 任何帐户或密码更改信息会通知这个通知程序包。
通知程序包名: scecli
(这个木马更改策略:)
Windows 防火墙启动时一个端口列为例外。
原始策略: 本地策略
使用的配置文件: 标准
接口: 全部接口
名称: ActiveSync Service
端口号: 26675
协议: TCP
状态: 已启用
范围: 169.254.2.0/255.255.255.0
(查询结果→ IP地址:169.254.2.0, 地理位置: 美国弗吉尼亚州
用户系统信息:Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB6; InfoPath.1; .NET CLR 2.0.50727)