
update.exe detection and removal

File: C:\Documents and Settings\Administrator\桌面\update\update.exe
Size: 13824 bytes
MD5: C6600367C9A17E5E154A9CE6D1D93982
SHA1: 0B2F31E5989E8E9826F3F27E1EDED94C15F7FC65
CRC32: 59A8168F
Packer: UPX

Behavior analysis:
After it runs:
1. Adds a registry key that creates a service; the service key name is a random string of digits and letters, and its modification time is set to the year 2000:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\98f6ff5c6f94faef
(Type,REG_DWORD,00000001)
(Start,REG_DWORD,00000003)
(ErrorControl,REG_DWORD,00000000)
(DisplayName,REG_SZ,98f6ff5c6f94faef)
Installs a driver in an attempt to get full access to the system, writing the following registry value that points at the file C:\98f6ff5c6f94faef.dat:
(ImagePath,REG_EXPAND_SZ,\??\C:\98f6ff5c6f94faef.dat)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\98f6ff5c6f94faef\Security
(Security,REG_BINARY,01001480900000009C00000014000000……)

Launches IE and connects to the following addresses to download trojan programs:

h**p://sky313.cn//down10/update.exe//PE_Patch.UPX//UPX
h**p://sky313.cn//down10/cc1.exe
h**p://sky313.cn//down10/cc1.exe//#
h**p://sky313.cn//down10/cc2.exe//PE_Patch//UPack
h**p://sky313.cn//down10/cc2.exe//PE_Patch//UPack//#
h**p://sky313.cn//down10/cc3.exe//PE_Patch//UPack
h**p://sky313.cn//down10/cc3.exe//PE_Patch//UPack//#
h**p://sky313.cn//down10/cc5.exe//PE_Patch//UPack
h**p://sky313.cn//down10/cc5.exe//PE_Patch//UPack//#
h**p://sky313.cn//down10/cc5.exe//PE_Patch//UPack//#//UPack
h**p://sky313.cn//down10/cc6.exe//PE_Patch//UPack
h**p://sky313.cn//down10/cc6.exe//PE_Patch//UPack//#
h**p://sky313.cn//down10/cc7.exe//PE_Patch//UPack
h**p://sky313.cn//down10/cc7.exe//PE_Patch//UPack//#
h**p://sky313.cn//down10/cc8.exe//PE_Patch//UPack
h**p://sky313.cn//down10/cc7.exe//PE_Patch//UPack//#//UPack
h**p://sky313.cn//down10/cc8.exe//PE_Patch//UPack//#
h**p://sky313.cn//down10/cc8.exe//PE_Patch//UPack//#//UPack
h**p://sky313.cn//down10/cc9.exe//PE_Patch//UPack
h**p://sky313.cn//down10/cc9.exe//PE_Patch//UPack//#
h**p://sky313.cn//down10/cc10.exe//PE_Patch//UPack
h**p://sky313.cn//down10/cc9.exe//PE_Patch//UPack//#//UPack
h**p://sky313.cn//down10/cc10.exe//PE_Patch//UPack//#
h**p://sky313.cn//down10/cc12.exe//PE_Patch//UPack
h**p://sky313.cn//down10/cc12.exe//PE_Patch//UPack//#
h**p://sky313.cn//down10/cc13.exe//UPack
h**p://sky313.cn//down10/cc12.exe//PE_Patch//UPack//#//UPack
h**p://sky313.cn//down10/cc13.exe//UPack//#
h**p://sky313.cn//down10/cc14.exe//UPack
h**p://sky313.cn//down10/cc14.exe//UPack//#
h**p://sky313.cn//down10/cc15.exe//PE_Patch//UPack
h**p://sky313.cn//down10/cc14.exe//UPack//#
h**p://sky313.cn//down10/cc15.exe//PE_Patch//UPack//#
h**p://sky313.cn//down10/cc16.exe//PE_Patch//UPack
h**p://sky313.cn//down10/cc15.exe//PE_Patch//UPack//#//UPack
h**p://sky313.cn//down10/cc16.exe//PE_Patch//UPack//#
h**p://sky313.cn//down10/cc17.exe//PE_Patch//UPack
h**p://sky313.cn//down10/cc17.exe//PE_Patch//UPack//#
…………

The downloaded trojans are stored as C:\Documents and Settings\Administrator\Local Settings\Temp\cc**.exe

It automatically runs the downloaded trojans, which drop DLL files and install global hooks (I won't list exactly how many virus files there are; they are listed in the removal section below).

Drops C:\WINDOWS\system32\servers.exe and adds the service CurrentContSetione;
Drops C:\Program Files\Microsoft Office\SYSTEM\apcdli.sys and adds the service (driver) apcdli;
Drops C:\21328ef8479e3a64.dat and adds the service (driver) 21328ef8479e3a64;
Drops C:\f05e9ed046eddf2a.dat and adds the service (driver) f05e9ed046eddf2a;
Drops C:\e62f5a205f48de19.dat and adds the service (driver) e62f5a205f48de19;
Drops C:\WINDOWS\system32\drivers\Hdv32.sys (Hdv32_c.sys) and adds the service (driver) Hdv32;
Drops C:\WINDOWS\system32\dlbar.exe and adds the startup entry dlbar;
Drops C:\Documents and Settings\All Users\Application Data\Microsoft\Office\SYSTEM\ntptdb.sys and adds the service (driver) ntptdb;

Modifies the registry under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\, attempting to add hijack entries that point to c:\\我.exe. In my live test the file c:\\我.exe was never successfully created, so the hijack failed, but the registry entries were added successfully. (I won't list exactly which programs are hijacked; see the cleaned-up log below.)

Modifies the registry value AppInit_DLLs under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows to:
jkjkll.dll,ghjyer.dll,ilkyu.dll,yukevg.dll,ghkrg.dll,tuker.dll,ujkwet.dll,asfjthj.dll,hmsdvf.dll,jrhhh.dll,sdrfh.dll,vhsdfg.dll,dger.dll,losdf.dll,kergt.dll,gfcfg.dll,reger.dll,hrergh.dll,frntrn.dll,qrhhb.dll,drghszd.dll,fngn.dll,gnfctt.dll,xgnfn.dll,xfgnhcgfm.dll,serger.dll,bnxnb.dll,fxgnfx.dll,jzijj.dll,xfgnfx.dll,serghjm.dll,thsddh.dll,xbcvxb.dll,zfdzb.dll,xdndn.dll,xdfntt.dll,hgfhk.dll,dnteh.dll,xfng.dll,njritc.dll,chmfcmh.dll,jwlah.dll,gmnait.dll,hfjg.dll,thurh.dll,mgmgmm.dll,oqrthc.dll,fgthde.dll,jyjlt.dll,ijatnaw.dll,sehhter.dll,fhjfg.dll,zdbdb.dll,ydgn.dll,dbfb.dll,fjnbv.dll,rthkyuk.dll,setrhes.dll,cdxbfxdb.dll,xfgnxfn.dll,gjkhj.dll,xdhdg.dll,rhs.dll,mrjhtjd.dll,zdbfbd.dll,fjyjy.dll,fxnfnh.dll,bjrvm.dll,ektvm.dll,ghthhh.dll,yjrfe.dll,dscef.dll,crugd.dll,lariytrz.dll,hjaiq.dll,kduy.dll,hkfgh.dll,awef.dll,dfhsh.dll,ethsh.dll,stehs.dll,sthth.dll,wfhyt.dll,rgghjj.dll,ghjkdr.dll,hfther.dll,

Drops two "*****.exe" programs (***** is a 5-digit random number) into the Windows folder and runs them automatically;

The file C:\WINDOWS\system32\dlbar.exe connects to:
255.255.255.255
58.17.36.133
undefined.bjgwbn.net.cn (220.113.15.151)
cncln.online.ln.cn (218.60.21.18)
220.181.20.7


Once the above behavior is roughly complete, it silently connects out through IE in the background; a backdoor, I suppose.

It's fine if you don't know me, because I don't know you either.

Reply: update.exe detection and removal

Detection and removal analysis:

No more waiting; I scanned the log directly and, after tidying it up, got the following:
启动项目
注册表
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    <AppInit_DLLs><jkjkll.dll,ghjyer.dll,ilkyu.dll,yukevg.dll,ghkrg.dll,tuker.dll,ujkwet.dll,asfjthj.dll,hmsdvf.dll,jrhhh.dll,sdrfh.dll,vhsdfg.dll,dger.dll,losdf.dll,kergt.dll,gfcfg.dll,reger.dll,hrergh.dll,frntrn.dll,qrhhb.dll,drghszd.dll,fngn.dll,gnfctt.dll,xgnfn.dll,xfgnhcgfm.dll,serger.dll,bnxnb.dll,fxgnfx.dll,jzijj.dll,xfgnfx.dll,serghjm.dll,thsddh.dll,xbcvxb.dll,zfdzb.dll,xdndn.dll,xdfntt.dll,hgfhk.dll,dnteh.dll,xfng.dll,njritc.dll,chmfcmh.dll,jwlah.dll,gmnait.dll,hfjg.dll,thurh.dll,mgmgmm.dll,oqrthc.dll,fgthde.dll,jyjlt.dll,ijatnaw.dll,sehhter.dll,fhjfg.dll,zdbdb.dll,ydgn.dll,dbfb.dll,fjnbv.dll,rthkyuk.dll,setrhes.dll,cdxbfxdb.dll,xfgnxfn.dll,gjkhj.dll,xdhdg.dll,rhs.dll,mrjhtjd.dll,zdbfbd.dll,fjyjy.dll,fxnfnh.dll,bjrvm.dll,ektvm.dll,ghthhh.dll,yjrfe.dll,dscef.dll,crugd.dll,lariytrz.dll,hjaiq.dll,kduy.dll,hkfgh.dll,awef.dll,dfhsh.dll,ethsh.dll,stehs.dll,sthth.dll,wfhyt.dll,rgghjj.dll,ghjkdr.dll,hfther.dll,>  []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    <{189F087F-4378-405F-85FA-37D955AD7A8C}><C:\WINDOWS\system32\mtewdh.dll>  []
    <{28EB3777-3E23-4E72-8449-A992D09D24C3}><C:\WINDOWS\system32\zefdst.dll>  []
    <{47958181-270d-4547-a2c8-d73002b9a922}><C:\WINDOWS\system32\MMKAFNFW1098.dll>  []
    <{84143967-B645-4BFF-B873-DA1DC886E9A7}><C:\WINDOWS\system32\cedafb.dll>  []
    <{f9490b34-5ce8-4b76-8641-de0cc9c4c66b}><C:\WINDOWS\system32\MMDXYBQE1036.dll>  []
    <{254a4ef9-0ae2-453e-b812-be7425c5f322}><C:\WINDOWS\system32\MMWLVAHB1037.dll>  []
    <{8c3dd05d-a6a1-4cb5-a714-94be3c3b4cd0}><C:\WINDOWS\system32\MMHADPQG1091.dll>  []
    <{011DB9B9-44B4-44D9-B17E-BC7608F2E549}><C:\WINDOWS\system32\cdwqfs.dll>  []
    <{03006edb-6cc1-4a8e-8738-ae169845b20b}><C:\WINDOWS\system32\MMCBDKTK1083.dll>  []
    <{4629FF4F-ACDB-5C90-A098-FACB3456A264}><C:\WINDOWS\system32\mpmydapi.dll>  []
    <{AA59145F-315D-BC23-AC1F-145DF81A34AA}><C:\WINDOWS\system32\zyzxjime.dll>  []
    <{EB71E0B3-E97D-4D30-8733-E28266467617}><C:\WINDOWS\system32\wyhesm.dll>  []
    <{1E51C0FD-EE36-434B-AD2A-FD1FF3731C38}><C:\WINDOWS\system32\wyrsdj.dll>  []
    <{8C41B7F7-3168-400D-A702-0E7EFE0BA304}><C:\WINDOWS\system32\sgrefg.dll>  []
    <{461D2AB4-29A5-45C2-9134-D52272D3DE38}><C:\WINDOWS\system32\rfdswc.dll>  []
    <{55694105-5108-9405-3695-954187462155}><C:\WINDOWS\system32\mpwdeapi.dll>  []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safe.exe]
    <IFEO[360safe.exe]><c:\\我.exe>  [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe]
    <IFEO[360tray.exe]><c:\\我.exe>  [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\adam.exe]
    <IFEO[adam.exe]><c:\\我.exe>  [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ArSwp.exe]
    <IFEO[ArSwp.exe]><c:\\我.exe>  [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvMonitor.exe]
    <IFEO[AvMonitor.exe]><c:\\我.exe>  [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com]
    <IFEO[avp.com]><c:\\我.exe>  [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe]
    <IFEO[avp.exe]><c:\\我.exe>  [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccApp.exe]
    <IFEO[ccApp.exe]><c:\\我.exe>  [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe]
    <IFEO[CCenter.exe]><c:\\我.exe>  [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccSvcHst.exe]
    <IFEO[ccSvcHst.exe]><c:\\我.exe>  [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EGHOST.exe]
    <IFEO[EGHOST.exe]><c:\\我.exe>  [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FileDsty.exe]
    <IFEO[FileDsty.exe]><c:\\我.exe>  [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FTCleanerShell.exe]
    <IFEO[FTCleanerShell.exe]><c:\\我.exe>  [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HijackThis.exe]
    <IFEO[HijackThis.exe]><c:\\我.exe>  [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IceSword.exe]
    <IFEO[IceSword.exe]><c:\\我.exe>  [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iparmo.exe]
    <IFEO[iparmo.exe]><c:\\我.exe>  [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Iparmor.exe]
    <IFEO[Iparmor.exe]><c:\\我.exe>  [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\isPwdSvc.exe]
    <IFEO[isPwdSvc.exe]><c:\\我.exe>  [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kabaload.exe]
    <IFEO[kabaload.exe]><c:\\我.exe>  [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASMain.exe]
    <IFEO[KASMain.exe]><c:\\我.exe>  [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAV32.exe]
    <IFEO[KAV32.exe]><c:\\我.exe>  [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVStart.exe]
    <IFEO[KAVStart.exe]><c:\\我.exe>  [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KISLnchr.exe]
    <IFEO[KISLnchr.exe]><c:\\我.exe>  [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32.exe]
    <IFEO[KPFW32.exe]><c:\\我.exe>  [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFWSvc.exe]
    <IFEO[KPFWSvc.exe]><c:\\我.exe>  [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvol.exe]
    <IFEO[kvol.exe]><c:\\我.exe>  [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatch.exe]
    <IFEO[KWatch.exe]><c:\\我.exe>  [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmsk.exe]
    <IFEO[mmsk.exe]><c:\\我.exe>  [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32.exe]
    <IFEO[nod32.exe]><c:\\我.exe>  [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32krn.exe]
    <IFEO[nod32krn.exe]><c:\\我.exe>  [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pfw.exe]
    <IFEO[pfw.exe]><c:\\我.exe>  [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQDoctor.exe]
    <IFEO[QQDoctor.exe]><c:\\我.exe>  [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQKav.exe]
    <IFEO[QQKav.exe]><c:\\我.exe>  [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ravmon.exe]
    <IFEO[ravmon.exe]><c:\\我.exe>  [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ravmond.exe]
    <IFEO[ravmond.exe]><c:\\我.exe>  [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ravstub.exe]
    <IFEO[ravstub.exe]><c:\\我.exe>  [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ravtask.exe]
    <IFEO[ravtask.exe]><c:\\我.exe>  [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RawCopy.exe]
    <IFEO[RawCopy.exe]><c:\\我.exe>  [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe]
    <IFEO[regedit.exe]><c:\\我.exe>  [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe]
    <IFEO[regedt32.exe]><c:\\我.exe>  [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rtvscan.exe]
    <IFEO[Rtvscan.exe]><c:\\我.exe>  [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\runiep.exe]
    <IFEO[runiep.exe]><c:\\我.exe>  [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UIHost.exe]
    <IFEO[UIHost.exe]><c:\\我.exe>  [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VPTray.exe]
    <IFEO[VPTray.exe]><c:\\我.exe>  [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsstat.exe]
    <IFEO[vsstat.exe]><c:\\我.exe>  [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\webscanx.exe]
    <IFEO[webscanx.exe]><c:\\我.exe>  [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WinDbg.exe]
    <IFEO[WinDbg.exe]><c:\\我.exe>  [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WoptiClean.exe]
    <IFEO[WoptiClean.exe]><c:\\我.exe>  [File is missing]
==================================
启动文件夹
N/A
==================================
服务
[Security Control / seictrl][Stopped/Auto Start]
  <c:\windows\system32\rundll32.exe vscript32.dll,scan><Microsoft Corporation>
[CurrentContSetione / Win32ite][Stopped/Auto Start]
  <C:\WINDOWS\system32\servers.exe><N/A>
==================================
驱动程序
[21328ef8479e3a64 / 21328ef8479e3a64][Stopped/Manual Start]
  <\??\C:\21328ef8479e3a64.dat><N/A>
[98f6ff5c6f94faef / 98f6ff5c6f94faef][Stopped/Manual Start]
  <\??\C:\98f6ff5c6f94faef.dat><N/A>
[apcdli / apcdli][Running/Auto Start]
  <\??\C:\Program Files\Microsoft Office\SYSTEM\apcdli.sys><N/A>
[e62f5a205f48de19 / e62f5a205f48de19][Stopped/Manual Start]
  <\??\C:\e62f5a205f48de19.dat><N/A>
[f05e9ed046eddf2a / f05e9ed046eddf2a][Stopped/Manual Start]
  <\??\C:\f05e9ed046eddf2a.dat><N/A>
[ntptdb / ntptdb][Running/Auto Start]
  <\??\C:\Documents and Settings\All Users\Application Data\Microsoft\Office\SYSTEM\ntptdb.sys><N/A>
==================================
浏览器加载项
[CAdLogic Object]
  {11F09AFD-75AD-4E51-AB43-E09E9351CE16} <C:\Program Files\Common Files\CPUSH\cpush.dll, >
[]
  {4629FF4F-ACDB-5C90-A098-FACB3456A264} <C:\WINDOWS\system32\mpmydapi.dll, N/A>
[]
  {55694105-5108-9405-3695-954187462155} <C:\WINDOWS\system32\mpwdeapi.dll, N/A>
[Vodone Objects]
  {986488AF-13D5-9DDF-4FEF-9FB88698CFC1} <C:\Documents and Settings\All Users\Application Data\Microsoft\OFFICE\USERDATA\webbrowser_2132.dll, >
[]
  {AA59145F-315D-BC23-AC1F-145DF81A34AA} <C:\WINDOWS\system32\zyzxjime.dll, N/A>
[PowerPlr Control]
  {2354A44B-3CEB-4829-9940-545B03103538} <C:\WINDOWS\DOWNLO~1\PowerPlr.ocx, Powerise Digital>
[CAdLogic Object]
  {11F09AFD-75AD-4E51-AB43-E09E9351CE16} <C:\Program Files\Common Files\CPUSH\cpush.dll, >
[]
  {4629FF4F-ACDB-5C90-A098-FACB3456A264} <C:\WINDOWS\system32\mpmydapi.dll, N/A>
[]
  {55694105-5108-9405-3695-954187462155} <C:\WINDOWS\system32\mpwdeapi.dll, N/A>
[Vodone Objects]
  {986488AF-13D5-9DDF-4FEF-9FB88698CFC1} <C:\Documents and Settings\All Users\Application Data\Microsoft\OFFICE\USERDATA\webbrowser_2132.dll, >
[]
  {AA59145F-315D-BC23-AC1F-145DF81A34AA} <C:\WINDOWS\system32\zyzxjime.dll, N/A>
==================================
正在运行的进程
[PID: 1352 / SYSTEM][\??\C:\WINDOWS\system32\winlogon.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [C:\WINDOWS\system32\jkjkll.dll]  [N/A, ]
    [C:\WINDOWS\system32\ghjyer.dll]  [N/A, ]
    [C:\WINDOWS\system32\crugd.dll]  [N/A, ]
    [C:\WINDOWS\system32\ghjkdr.dll]  [N/A, ]
[PID: 1404 / SYSTEM][C:\WINDOWS\system32\services.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [C:\WINDOWS\system32\jkjkll.dll]  [N/A, ]
    [C:\WINDOWS\system32\ghjyer.dll]  [N/A, ]
    [C:\WINDOWS\system32\crugd.dll]  [N/A, ]
    [C:\WINDOWS\system32\ghjkdr.dll]  [N/A, ]
[PID: 1416 / SYSTEM][C:\WINDOWS\system32\lsass.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [C:\WINDOWS\system32\jkjkll.dll]  [N/A, ]
    [C:\WINDOWS\system32\ghjyer.dll]  [N/A, ]
    [C:\WINDOWS\system32\crugd.dll]  [N/A, ]
    [C:\WINDOWS\system32\ghjkdr.dll]  [N/A, ]
[PID: 1588 / SYSTEM][C:\WINDOWS\system32\svchost.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [C:\WINDOWS\system32\jkjkll.dll]  [N/A, ]
    [C:\WINDOWS\system32\ghjyer.dll]  [N/A, ]
    [C:\WINDOWS\system32\crugd.dll]  [N/A, ]
    [C:\WINDOWS\system32\ghjkdr.dll]  [N/A, ]
[PID: 1668 / NETWORK SERVICE][C:\WINDOWS\system32\svchost.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [C:\WINDOWS\system32\jkjkll.dll]  [N/A, ]
    [C:\WINDOWS\system32\ghjyer.dll]  [N/A, ]
    [C:\WINDOWS\system32\crugd.dll]  [N/A, ]
    [C:\WINDOWS\system32\ghjkdr.dll]  [N/A, ]
[PID: 1832 / SYSTEM][C:\WINDOWS\System32\svchost.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [C:\WINDOWS\System32\jkjkll.dll]  [N/A, ]
    [C:\WINDOWS\System32\ghjyer.dll]  [N/A, ]
    [C:\WINDOWS\System32\crugd.dll]  [N/A, ]
    [C:\WINDOWS\System32\ghjkdr.dll]  [N/A, ]
[PID: 2028 / NETWORK SERVICE][C:\WINDOWS\system32\svchost.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [C:\WINDOWS\system32\jkjkll.dll]  [N/A, ]
    [C:\WINDOWS\system32\ghjyer.dll]  [N/A, ]
    [C:\WINDOWS\system32\crugd.dll]  [N/A, ]
    [C:\WINDOWS\system32\ghjkdr.dll]  [N/A, ]
[PID: 332 / LOCAL SERVICE][C:\WINDOWS\system32\svchost.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [C:\WINDOWS\system32\jkjkll.dll]  [N/A, ]
    [C:\WINDOWS\system32\ghjyer.dll]  [N/A, ]
    [C:\WINDOWS\system32\crugd.dll]  [N/A, ]
    [C:\WINDOWS\system32\ghjkdr.dll]  [N/A, ]
[PID: 596 / SYSTEM][C:\WINDOWS\system32\spoolsv.exe]  [Microsoft Corporation, 5.1.2600.2696 (xpsp_sp2_gdr.050610-1519)]
    [C:\WINDOWS\system32\jkjkll.dll]  [N/A, ]
    [C:\WINDOWS\system32\ghjyer.dll]  [N/A, ]
    [C:\WINDOWS\system32\crugd.dll]  [N/A, ]
    [C:\WINDOWS\system32\ghjkdr.dll]  [N/A, ]
[PID: 872 / Administrator][C:\WINDOWS\Explorer.EXE]  [Microsoft Corporation, 6.00.2900.3156 (xpsp_sp2_gdr.070613-1234)]
    [C:\WINDOWS\system32\jkjkll.dll]  [N/A, ]
    [C:\WINDOWS\system32\ghjyer.dll]  [N/A, ]
    [C:\WINDOWS\system32\crugd.dll]  [N/A, ]
    [C:\WINDOWS\system32\ghjkdr.dll]  [N/A, ]
    [C:\WINDOWS\system32\sysloader.dll]  [, 3, 2, 9, 0]
    [C:\WINDOWS\system32\mtewdh.dll]  [N/A, ]
    [C:\WINDOWS\system32\zefdst.dll]  [N/A, ]
    [C:\WINDOWS\system32\MMKAFNFW1098.dll]  [N/A, ]
    [C:\WINDOWS\system32\MSetion.dll]  [N/A, ]
    [C:\WINDOWS\system32\cedafb.dll]  [N/A, ]
    [C:\WINDOWS\system32\MMDXYBQE1036.dll]  [N/A, ]
    [C:\WINDOWS\system32\MMWLVAHB1037.dll]  [N/A, ]
    [C:\WINDOWS\system32\MMHADPQG1091.dll]  [N/A, ]
    [C:\WINDOWS\system32\cdwqfs.dll]  [N/A, ]
    [C:\WINDOWS\system32\MMCBDKTK1083.dll]  [N/A, ]
    [C:\WINDOWS\system32\mpmydapi.dll]  [N/A, ]
    [C:\WINDOWS\system32\zyzxjime.dll]  [N/A, ]
    [C:\WINDOWS\system32\wyhesm.dll]  [N/A, ]
    [C:\WINDOWS\system32\wyrsdj.dll]  [N/A, ]
    [C:\WINDOWS\system32\sgrefg.dll]  [N/A, ]
    [C:\WINDOWS\system32\rfdswc.dll]  [N/A, ]
    [C:\WINDOWS\system32\mpwdeapi.dll]  [N/A, ]
[PID: 372 / SYSTEM][C:\WINDOWS\system32\svchost.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [C:\WINDOWS\system32\jkjkll.dll]  [N/A, ]
    [C:\WINDOWS\system32\ghjyer.dll]  [N/A, ]
    [C:\WINDOWS\system32\crugd.dll]  [N/A, ]
    [C:\WINDOWS\system32\ghjkdr.dll]  [N/A, ]
[PID: 304 / LOCAL SERVICE][C:\WINDOWS\system32\wdfmgr.exe]  [Microsoft Corporation, 5.2.3790.1230 built by: dnsrv(bld4act)]
    [C:\WINDOWS\system32\jkjkll.dll]  [N/A, ]
    [C:\WINDOWS\system32\ghjyer.dll]  [N/A, ]
    [C:\WINDOWS\system32\crugd.dll]  [N/A, ]
    [C:\WINDOWS\system32\ghjkdr.dll]  [N/A, ]
[PID: 2500 / LOCAL SERVICE][C:\WINDOWS\System32\alg.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [C:\WINDOWS\System32\jkjkll.dll]  [N/A, ]
    [C:\WINDOWS\System32\ghjyer.dll]  [N/A, ]
    [C:\WINDOWS\System32\crugd.dll]  [N/A, ]
    [C:\WINDOWS\System32\ghjkdr.dll]  [N/A, ]
    [C:\WINDOWS\System32\vscript32.dll]  [N/A, ]
[PID: 2920 / Administrator][C:\WINDOWS\VM_STI.EXE]  [Vimicro, 4, 2, 1124, 6]
    [C:\WINDOWS\system32\jkjkll.dll]  [N/A, ]
    [C:\WINDOWS\system32\ghjyer.dll]  [N/A, ]
    [C:\WINDOWS\system32\crugd.dll]  [N/A, ]
    [C:\WINDOWS\system32\ghjkdr.dll]  [N/A, ]
    [C:\WINDOWS\system32\vscript32.dll]  [N/A, ]
    [C:\WINDOWS\system32\msdmo.dll]  [, ]
    [C:\WINDOWS\system32\wyrsdj.dll]  [N/A, ]
    [C:\WINDOWS\system32\mtewdh.dll]  [N/A, ]
    [C:\WINDOWS\system32\cdwqfs.dll]  [N/A, ]
    [C:\WINDOWS\system32\cedafb.dll]  [N/A, ]
    [C:\WINDOWS\system32\MSetion.dll]  [N/A, ]
    [C:\WINDOWS\system32\zefdst.dll]  [N/A, ]
    [C:\WINDOWS\system32\sgrefg.dll]  [N/A, ]
    [C:\WINDOWS\system32\wyhesm.dll]  [N/A, ]
    [C:\WINDOWS\system32\rfdswc.dll]  [N/A, ]
[PID: 3088 / Administrator][C:\WINDOWS\system32\ctfmon.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [C:\WINDOWS\system32\jkjkll.dll]  [N/A, ]
    [C:\WINDOWS\system32\ghjyer.dll]  [N/A, ]
    [C:\WINDOWS\system32\crugd.dll]  [N/A, ]
    [C:\WINDOWS\system32\ghjkdr.dll]  [N/A, ]
    [C:\WINDOWS\system32\vscript32.dll]  [N/A, ]
    [C:\WINDOWS\system32\mtewdh.dll]  [N/A, ]
    [C:\WINDOWS\system32\cdwqfs.dll]  [N/A, ]
    [C:\WINDOWS\system32\cedafb.dll]  [N/A, ]
    [C:\WINDOWS\system32\MSetion.dll]  [N/A, ]
    [C:\WINDOWS\system32\zefdst.dll]  [N/A, ]
    [C:\WINDOWS\system32\wyrsdj.dll]  [N/A, ]
    [C:\WINDOWS\system32\wyhesm.dll]  [N/A, ]
    [C:\WINDOWS\system32\sgrefg.dll]  [N/A, ]
    [C:\WINDOWS\system32\rfdswc.dll]  [N/A, ]
    [C:\WINDOWS\system32\rfdswc.dll]  [N/A, ]
    [C:\WINDOWS\system32\zefdst.dll]  [N/A, ]
    [C:\WINDOWS\system32\sgrefg.dll]  [N/A, ]
    [C:\WINDOWS\system32\wyhesm.dll]  [N/A, ]
    [C:\WINDOWS\system32\wyrsdj.dll]  [N/A, ]
    [C:\WINDOWS\system32\mtewdh.dll]  [N/A, ]
    [C:\WINDOWS\system32\cdwqfs.dll]  [N/A, ]
    [C:\WINDOWS\system32\cedafb.dll]  [N/A, ]
    [C:\WINDOWS\system32\MSetion.dll]  [N/A, ]
[PID: 2008 / SYSTEM][C:\WINDOWS\system32\wuauclt.exe]  [Microsoft Corporation, 7.0.6000.381 (winmain(wmbla).070730-1740)]
    [C:\WINDOWS\system32\jkjkll.dll]  [N/A, ]
    [C:\WINDOWS\system32\ghjyer.dll]  [N/A, ]
    [C:\WINDOWS\system32\crugd.dll]  [N/A, ]
    [C:\WINDOWS\system32\ghjkdr.dll]  [N/A, ]
    [C:\WINDOWS\system32\vscript32.dll]  [N/A, ]
[PID: 3508 / Administrator][E:\手工杀毒工具集\sreng980\我爱新郎.com]  [Smallfrogs Studio, 2.6.8.980]
    [C:\WINDOWS\system32\vscript32.dll]  [N/A, ]
    [C:\WINDOWS\system32\jkjkll.dll]  [N/A, ]
    [C:\WINDOWS\system32\ghjyer.dll]  [N/A, ]
    [C:\WINDOWS\system32\crugd.dll]  [N/A, ]
    [C:\WINDOWS\system32\ghjkdr.dll]  [N/A, ]
[PID: 3552 / Administrator][E:\手工杀毒工具集\sreng980\SRE9b4eb966.EXE]  [Smallfrogs Studio, 2.6.8.980]
    [C:\WINDOWS\system32\jkjkll.dll]  [N/A, ]
    [C:\WINDOWS\system32\ghjyer.dll]  [N/A, ]
    [C:\WINDOWS\system32\crugd.dll]  [N/A, ]
    [C:\WINDOWS\system32\ghjkdr.dll]  [N/A, ]
    [C:\WINDOWS\system32\vscript32.dll]  [N/A, ]
    [C:\WINDOWS\system32\sgrefg.dll]  [N/A, ]
    [C:\WINDOWS\system32\wyhesm.dll]  [N/A, ]
    [C:\WINDOWS\system32\wyrsdj.dll]  [N/A, ]
    [C:\WINDOWS\system32\mtewdh.dll]  [N/A, ]
    [C:\WINDOWS\system32\cdwqfs.dll]  [N/A, ]
    [C:\WINDOWS\system32\cedafb.dll]  [N/A, ]
    [C:\WINDOWS\system32\rfdswc.dll]  [N/A, ]
    [C:\WINDOWS\system32\zefdst.dll]  [N/A, ]
    [C:\WINDOWS\system32\MSetion.dll]  [N/A, ]
==================================

Removal process:
I'm used to deleting files from inside PE, so as usual I rebooted into PE and used the Filseclab (费尔) trojan force-delete tool to delete the following files:
c:\windows\system32\crugd.dll
c:\windows\system32\ghjkdr.dll
c:\windows\system32\ghjyer.dll
c:\windows\system32\jkjkll.dll
c:\windows\system32\cdwqfs.dll
c:\windows\system32\cedafb.dll
c:\windows\system32\mmcbdktk1083.dll
c:\windows\system32\mmdxybqe1036.dll
c:\windows\system32\mmhadpqg1091.dll
c:\windows\system32\mmkafnfw1098.dll
c:\windows\system32\mmwlvahb1037.dll
c:\windows\system32\mpmydapi.dll
c:\windows\system32\mpwdeapi.dll
c:\windows\system32\msetion.dll
c:\windows\system32\mtewdh.dll
c:\windows\system32\rfdswc.dll
c:\windows\system32\sgrefg.dll
c:\windows\system32\sysloader.dll
c:\windows\system32\wyhesm.dll
c:\windows\system32\wyrsdj.dll
c:\windows\system32\zefdst.dll
c:\windows\system32\zyzxjime.dll
c:\windows\system32\vscript32.dll
c:\windows\system32\servers.exe
c:\windows\system32\vscript32.dll
c:\21328ef8479e3a64.dat
c:\98f6ff5c6f94faef.dat
c:\documents and settings\all users\application data\microsoft\office\system\ntptdb.sys
c:\f05e9ed046eddf2a.dat
c:\e62f5a205f48de19.dat
c:\program files\microsoft office\system\apcdli.sys
c:\documents and settings\all users\application data\microsoft\office\userdata\webbrowser_2132.dll
c:\program files\common files\cpush\cpush.dll
c:\windows\37451.exe
c:\windows\47188.exe
C:\WINDOWS\system32\drivers\Hdv32.sys
C:\WINDOWS\system32\drivers\Hdv32_c.sys
After deleting the files, open the registry editor and repair the corresponding registry entries listed above, then reboot into the system and clean up the leftover files:
c:\windows\system32\MMDXYBQE1036.exe
c:\windows\system32\MMHADPQG1091.exe
c:\windows\system32\MMCBDKTK1083.exe
c:\windows\system32\MMKAFNFW1098.exe
c:\windows\system32\MMWLVAHB1037.exe
c:\windows\system32\SysWoWaVip.dll
Clean up the system junk files so that the trojans and temporary files downloaded earlier are completely removed.
Clean the system temporary files and the IE temporary folder:
http://www.atribune.org/public-beta/ATF-Cleaner.exe

Some of the wording in the description above is just my own habitual usage; if it differs from the standard terminology, please bear with me!
If I have missed anything, please point it out!
This sample came from Kafan: http://bbs.kafan.cn/viewthread.php?tid=267521&extra=page%3D1
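As an added, defender-side example that belongs to neither post above: a small Python triage script that reads SREng-style log lines like the ones in the reply and flags the four persistence mechanisms this thread shows, namely IFEO "Debugger" hijacks of security tools, AppInit_DLLs injection, ShellExecuteHooks DLLs with no publisher information, and services or drivers running from .dat files, via rundll32, or from outside system32\drivers. The log excerpt inside it is constructed from entries in the posts plus two benign-looking entries (a shell32.dll hook with a placeholder CLSID and a serial.sys driver) added to show that normal records are not flagged; the regular expressions are written for the log format shown in this thread and are assumptions about that format, not SREng's own code.

```python
"""Triage SREng-style startup log lines for the persistence mechanisms seen in
this thread. Added example; SAMPLE_LOG is a constructed excerpt, not the full log."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed excerpt modeled on the thread's log, plus two benign-looking
# entries (the shell32.dll hook and serial.sys) to show what is NOT flagged.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    <AppInit_DLLs><jkjkll.dll,ghjyer.dll,crugd.dll,ghjkdr.dll,>  []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    <{189F087F-4378-405F-85FA-37D955AD7A8C}><C:\WINDOWS\system32\mtewdh.dll>  []
    <{AEB6717E-7E19-11d0-97EE-00C04FD91972}><C:\WINDOWS\system32\shell32.dll>  [Microsoft Corporation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe]
    <IFEO[regedit.exe]><c:\\我.exe>  [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe]
    <IFEO[avp.exe]><c:\\我.exe>  [File is missing]
==================================
[Security Control / seictrl][Stopped/Auto Start]
  <c:\windows\system32\rundll32.exe vscript32.dll,scan><Microsoft Corporation>
[apcdli / apcdli][Running/Auto Start]
  <\??\C:\Program Files\Microsoft Office\SYSTEM\apcdli.sys><N/A>
[98f6ff5c6f94faef / 98f6ff5c6f94faef][Stopped/Manual Start]
  <\??\C:\98f6ff5c6f94faef.dat><N/A>
[Serial / Serial][Running/System Start]
  <C:\WINDOWS\system32\drivers\serial.sys><Microsoft Corporation>
"""

@dataclass
class Finding:
    kind: str      # persistence mechanism
    severity: str  # "high" or "medium"
    detail: str

# Line shapes assumed from the log format shown in the thread.
KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
IFEO_RE = re.compile(r"<IFEO\[(?P<victim>[^\]]+)\]><(?P<debugger>[^>]*)>\s*\[(?P<note>[^\]]*)\]")
APPINIT_RE = re.compile(r"<AppInit_DLLs><(?P<dlls>[^>]*)>")
HOOK_RE = re.compile(r"<(?P<clsid>\{[0-9A-Fa-f-]+\})><(?P<path>[^>]+)>\s*\[(?P<publisher>[^\]]*)\]")
SVC_HDR_RE = re.compile(r"^\[(?P<name>[^\]]+?) / (?P<display>[^\]]+)\]\[(?P<state>[^\]]+)\]$")
SVC_IMG_RE = re.compile(r"^\s*<(?P<image>[^>]+)><(?P<publisher>[^>]*)>")
EXT_RE = re.compile(r"\.([a-z0-9]+)(?=\s|$)")  # extension of the first path token

def assess_service(image, publisher):
    """Reasons a service/driver record resembles the ones in this thread."""
    img = image.lower()
    m = EXT_RE.search(img)
    ext = m.group(1) if m else ""
    reasons = []
    if publisher.strip() in ("", "N/A"):
        reasons.append("no publisher/version info")
    if "rundll32" in img:
        reasons.append("service entry point is a DLL hosted by rundll32")
    if ext not in ("sys", "exe"):
        reasons.append(f"image extension .{ext} is not .sys/.exe")
    elif ext == "sys" and "\\system32\\drivers\\" not in img:
        reasons.append("driver image outside system32\\drivers")
    return reasons

def triage(log_text):
    """Return Findings for IFEO hijacks, AppInit_DLLs, suspicious
    ShellExecuteHooks and suspicious services/drivers, in log order."""
    findings, current_key, pending = [], "", None
    for raw in log_text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if pending is not None:  # the line after a service header is its image line
            hdr, pending = pending, None
            m = SVC_IMG_RE.match(line)
            if m:
                reasons = assess_service(m["image"], m["publisher"])
                if reasons:
                    findings.append(Finding("service", "high",
                        f"{hdr['name']} [{hdr['state']}] {m['image']}: " + "; ".join(reasons)))
                continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        m = SVC_HDR_RE.match(line)
        if m:
            pending = m.groupdict()
            continue
        m = IFEO_RE.search(line)
        if m:
            # A Debugger value makes Windows start that image instead of the victim;
            # when the image does not exist, the victim program simply fails to start.
            note = (" (debugger file absent, so the program fails to start)"
                    if "File is missing" in m["note"] else "")
            findings.append(Finding("ifeo_hijack", "high",
                f"{m['victim']} redirected to {m['debugger']}{note}"))
            continue
        m = APPINIT_RE.search(line)
        if m:
            dlls = [d.strip() for d in m["dlls"].split(",") if d.strip()]
            if dlls:  # loaded into every process that maps user32.dll
                findings.append(Finding("appinit_dlls", "high",
                    f"{len(dlls)} DLL(s) injected via AppInit_DLLs: " + ", ".join(dlls)))
            continue
        if "ShellExecuteHooks" in current_key:
            m = HOOK_RE.search(line)
            if m and m["publisher"].strip() in ("", "N/A"):
                findings.append(Finding("shell_hook", "medium",
                    f"{m['clsid']} -> {m['path']} (no publisher info)"))
    return findings

def summarize(findings):
    """Count findings per mechanism."""
    return dict(Counter(f.kind for f in findings))

if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity:<6}] {f.kind:<13} {f.detail}")
    print(summarize(results))
```

On a real machine you would feed the saved SREng log file to triage() instead of SAMPLE_LOG. Two caveats worth keeping in mind when acting on the output: an IFEO Debugger value is also how real debuggers attach at launch, so confirm the image is not a debugger you installed before removing the key, and a driver with no version information is a strong hint but not proof, so check the file's hash against a known-good source before deleting it from PE as the reply does.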