Friday, April 6, 2007

Infected with Viking; caught CONFIG.EXE, NTDLL32.dll, webpnt.exe and others

Original by endurer
2007-04-05, 1st


Yesterday, right after I got to work, a colleague said his computer had become very slow and asked me to take a look.


Opening Task Manager and seeing things like IEXPLORE.New, it was obviously infected.


I downloaded pe_xscan to scan and save a log, rebooted the machine into Safe Mode with Networking, and ran the log through the online analysis page, which turned up these suspicious items:


pe_xscan 07-03-17 by Purple Endurer
2007-4-4 8:26:38
Windows XP Service Pack 2(5.1.2600)
管理员用户组


[System Process] * 0
C:\Program Files\Internet Explorer\PLUGINS\SystemKb.sys 2007-4-4 8:8:6
C:\Program Files\Internet Explorer\IEXPLORE.Dat 2007-4-4 8:8:10
C:\Program Files\Internet Explorer\IEXPLORE.Sys 2007-4-4 8:8:6
C:\WINDOWS\system32\winlogon.exe * 548 2004-8-17 12:0:0 Microsoft(R) Windows(R) Operating System 5.1.2600.2180 Windows NT Logon Application (C) Microsoft Corporation. All rights reserved. 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft Corporation ? winlogon WINLOGON.EXE
C:\WINDOWS\system32\C01B1EF6.DLL 2007-4-4 8:8:8 Microsoft(R) Windows(R) Operating System ? ? (C) Microsoft Corporation. All rights reserved. ? Microsoft Corporation ? ? ?
C:\WINDOWS\system32\FF7A0ADE.DLL 2007-4-4 8:8:8 Microsoft(R) Windows(R) Operating System ? ? (C) Microsoft Corporation. All rights reserved. ? Microsoft Corporation ? ? ?
C:\Program Files\Rising\Rav\CCenter.exe * 872 2006-8-16 17:12:22 Rising Antivirus Software 18, 0, 0, 3 CCenter Copyright Rising 2002 18, 0, 0, 3 Beijing Rising Technology Co., Ltd. Beijing Rising Technology Co., Ltd. CCenter.exe
C:\Program Files\Internet Explorer\IEXPLORE.Dat 2007-4-4 8:8:10
C:\Program Files\Internet Explorer\IEXPLORE.win 2007-4-4 8:8:8
C:\Program Files\Internet Explorer\IEXPLORE.Sys 2007-4-4 8:8:6
C:\Program Files\Internet Explorer\PLUGINS\SystemKb.sys 2007-4-4 8:8:6
C:\Program Files\Common Files\Microsoft Shared\MSINFO\NewInfo.rxk 2007-4-4 8:8:6
C:\WINDOWS\System32\svchost.exe * 888 2004-8-17 12:0:0 Microsoft? Windows? Operating System 5.1.2600.2180 Generic Host Process for Win32 Services ? Microsoft Corporation. All rights reserved. 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft Corporation ? svchost.exe svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.Dat 2007-4-4 8:8:10
C:\Program Files\Internet Explorer\IEXPLORE.win 2007-4-4 8:8:8
C:\Program Files\Internet Explorer\IEXPLORE.Sys 2007-4-4 8:8:6
C:\Program Files\Internet Explorer\PLUGINS\SystemKb.sys 2007-4-4 8:8:6
C:\Program Files\Common Files\Microsoft Shared\MSINFO\NewInfo.rxk 2007-4-4 8:8:6
Explorer.EXE * 1312
C:\program files\internet explorer\iexplore.exe * 1612 2004-8-17 20:0:0 Microsoft(R) Windows(R) Operating System 6.00.2900.2180 Internet Explorer (C) Microsoft Corporation. All rights reserved. 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) Microsoft Corporation ? iexplore IEXPLORE.EXE
C:\Program Files\Internet Explorer\PLUGINS\SystemKb.sys 2007-4-4 8:8:6
C:\WINDOWS\system32\mcdsrv32_070402.dll 2007-4-4 8:8:0
C:\WINDOWS\system32\AlxTB1.dll 2006-10-31 8:7:44 AlxTB Module 1, 0, 0, 1 AlxTB Module Copyright 2000-2003 7, 2, 0, 2 Alexa Internet ? AlxTB AlxTB.DLL
C:\Program Files\Internet Explorer\IEXPLORE.Dat 2007-4-4 8:8:10
C:\Program Files\Internet Explorer\IEXPLORE.Sys 2007-4-4 8:8:6
C:\Program Files\Common Files\Microsoft Shared\MSINFO\NewInfo.rxk 2007-4-4 8:8:6
C:\Program Files\Internet Explorer\IEXPLORE.win 2007-4-4 8:8:8
C:\CONFIG.EXE * 1908 2007-3-30 8:29:24
C:\Program Files\Common Files\Microsoft Shared\MSINFO\system.2dt * 2000 2007-3-29 16:19:30
C:\Program Files\Common Files\Microsoft Shared\MSINFO\NewInfo.rxk 2007-4-4 8:8:6
C:\Program Files\Internet Explorer\IEXPLORE.Dat 2007-4-4 8:8:10
C:\Program Files\Internet Explorer\IEXPLORE.win 2007-4-4 8:8:8
C:\Program Files\Internet Explorer\IEXPLORE.Sys 2007-4-4 8:8:6
C:\Program Files\Internet Explorer\PLUGINS\SystemKb.sys 2007-4-4 8:8:6
C:\Program Files\Internet Explorer\PLUGINS\system2.jmp * 2024 2007-3-29 16:24:50
C:\Program Files\Internet Explorer\PLUGINS\SystemKb.sys 2007-4-4 8:8:6
C:\Program Files\Internet Explorer\IEXPLORE.Dat 2007-4-4 8:8:10
C:\Program Files\Internet Explorer\IEXPLORE.win 2007-4-4 8:8:8
C:\Program Files\Internet Explorer\IEXPLORE.Sys 2007-4-4 8:8:6
C:\Program Files\Common Files\Microsoft Shared\MSINFO\NewInfo.rxk 2007-4-4 8:8:6
C:\Program Files\Internet Explorer\IEXPLORE.ime * 2044 2007-3-30 11:52:22
C:\Program Files\Internet Explorer\IEXPLORE.Sys 2007-4-4 8:8:6
C:\Program Files\Internet Explorer\IEXPLORE.Dat 2007-4-4 8:8:10
C:\Program Files\Internet Explorer\IEXPLORE.win 2007-4-4 8:8:8
C:\Program Files\Internet Explorer\PLUGINS\SystemKb.sys 2007-4-4 8:8:6
C:\Program Files\Common Files\Microsoft Shared\MSINFO\NewInfo.rxk 2007-4-4 8:8:6
C:\Program Files\Internet Explorer\IEXPLORE.New * 192 2007-3-30 14:50:18
C:\Program Files\Internet Explorer\IEXPLORE.win 2007-4-4 8:8:8
C:\Program Files\Internet Explorer\IEXPLORE.Dat 2007-4-4 8:8:10
C:\Program Files\Internet Explorer\IEXPLORE.Sys 2007-4-4 8:8:6
C:\Program Files\Internet Explorer\PLUGINS\SystemKb.sys 2007-4-4 8:8:6
C:\Program Files\Common Files\Microsoft Shared\MSINFO\NewInfo.rxk 2007-4-4 8:8:6
C:\WINDOWS\system32\B4C050A.exe * 220 2007-4-4 8:8:8
C:\Program Files\Internet Explorer\PLUGINS\SystemKb.sys 2007-4-4 8:8:6
C:\Program Files\Internet Explorer\IEXPLORE.Dat 2007-4-4 8:8:10
C:\Program Files\Internet Explorer\IEXPLORE.Sys 2007-4-4 8:8:6
C:\Program Files\Common Files\Microsoft Shared\MSINFO\NewInfo.rxk 2007-4-4 8:8:6
C:\Program Files\Internet Explorer\IEXPLORE.win 2007-4-4 8:8:8
C:\WINDOWS\system32\D97A73FB.exe * 224 2007-4-4 8:8:8
C:\Program Files\Internet Explorer\PLUGINS\SystemKb.sys 2007-4-4 8:8:6
C:\Program Files\Internet Explorer\IEXPLORE.Dat 2007-4-4 8:8:10
C:\Program Files\Internet Explorer\IEXPLORE.Sys 2007-4-4 8:8:6
C:\Program Files\Common Files\Microsoft Shared\MSINFO\NewInfo.rxk 2007-4-4 8:8:6
C:\Program Files\Internet Explorer\IEXPLORE.win 2007-4-4 8:8:8
C:\Program Files\Internet Explorer\IEXPLORE.jmp * 248 2007-3-30 14:50:18
C:\Program Files\Internet Explorer\IEXPLORE.Dat 2007-4-4 8:8:10
C:\Program Files\Internet Explorer\IEXPLORE.win 2007-4-4 8:8:8
C:\Program Files\Internet Explorer\IEXPLORE.Sys 2007-4-4 8:8:6
C:\Program Files\Internet Explorer\PLUGINS\SystemKb.sys 2007-4-4 8:8:6
C:\Program Files\Common Files\Microsoft Shared\MSINFO\NewInfo.rxk 2007-4-4 8:8:6
C:\WINDOWS\SOUNDMAN.EXE * 420 2006-3-2 16:22:4 Realtek Sound Manager 5, 1, 0, 52 Realtek Sound Manager Copyright (c) 2001-2004 Realtek Semiconductor Corp. 5, 1, 0, 52 Realtek Semiconductor Corp. ALSMTray ALSMTray.exe
C:\Program Files\Internet Explorer\PLUGINS\SystemKb.sys 2007-4-4 8:8:6
C:\Program Files\Internet Explorer\IEXPLORE.Dat 2007-4-4 8:8:10
C:\Program Files\Internet Explorer\IEXPLORE.Sys 2007-4-4 8:8:6
C:\Program Files\Rising\Rav\RavTask.exe * 488 2006-8-16 17:12:22 Rising Antivirus Software 18, 0, 0, 22 RavTimer Copyright (c) 1998-2006 Rising Corp. 18, 0, 0, 22 Beijing Rising Technology Co., Ltd. Beijing Rising Technology Co., Ltd. RavTimer.exe
C:\Program Files\Internet Explorer\PLUGINS\SystemKb.sys 2007-4-4 8:8:6
C:\Program Files\Internet Explorer\IEXPLORE.Dat 2007-4-4 8:8:10
C:\Program Files\Internet Explorer\IEXPLORE.Sys 2007-4-4 8:8:6
C:\Program Files\Common Files\Microsoft Shared\MSINFO\NewInfo.rxk 2007-4-4 8:8:6
C:\Program Files\Tencent\QQLive\MiniQQLive.exe * 520 2007-3-1 15:18:44 RTX 3,5,200,2281 QQLive 3,5,200,2281 Tencent MiniQQLive
C:\Program Files\Internet Explorer\PLUGINS\SystemKb.sys 2007-4-4 8:8:6
C:\Program Files\Internet Explorer\IEXPLORE.Dat 2007-4-4 8:8:10
C:\Program Files\Internet Explorer\IEXPLORE.Sys 2007-4-4 8:8:6
C:\Program Files\Common Files\Microsoft Shared\MSINFO\NewInfo.rxk 2007-4-4 8:8:6
C:\Program Files\Common Files\Real\Update_OB\realsched.exe * 744 2006-12-9 18:9:44 RealPlayer (32-bit) 0.1.0.3512 RealNetworks Scheduler Copyright ? RealNetworks, Inc. 1995-2004 0.1.0.3512 RealNetworks, Inc. RealAudio(tm) is a trademark of RealNetworks, Inc. schedapp realsched.exe
C:\Program Files\Internet Explorer\PLUGINS\SystemKb.sys 2007-4-4 8:8:6
C:\Program Files\Internet Explorer\IEXPLORE.Dat 2007-4-4 8:8:10
C:\Program Files\Internet Explorer\IEXPLORE.Sys 2007-4-4 8:8:6
c:\windows\system32\webpnt.exe * 1072 2007-4-2 14:45:8 Microsoft Web Printer 5.2600.2180 Microsoft Web Printer C) Microsoft Corporation. All rights reserved. 5.2600.2180 Microsoft Corporation ? WEBPNT WEBPNT.EXE
c:\windows\system32\webpnt.exe 2007-4-2 14:45:8 Microsoft Web Printer 5.2600.2180 Microsoft Web Printer C) Microsoft Corporation. All rights reserved. 5.2600.2180 Microsoft Corporation ? WEBPNT WEBPNT.EXE
C:\Program Files\Internet Explorer\IEXPLORE.Dat 2007-4-4 8:8:10
C:\Program Files\Internet Explorer\IEXPLORE.win 2007-4-4 8:8:8
C:\Program Files\Internet Explorer\IEXPLORE.Sys 2007-4-4 8:8:6
C:\Program Files\Internet Explorer\PLUGINS\SystemKb.sys 2007-4-4 8:8:6
C:\Program Files\Common Files\Microsoft Shared\MSINFO\NewInfo.rxk 2007-4-4 8:8:6
C:\WINDOWS\system32\ctfmon.exe * 1164 2004-8-17 12:0:0 Microsoft? Windows? Operating System 5.1.2600.2180 CTF Loader ? Microsoft Corporation. All rights reserved. 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft Corporation ? CTFMON CTFMON.EXE
C:\Program Files\Internet Explorer\PLUGINS\SystemKb.sys 2007-4-4 8:8:6
C:\Program Files\Internet Explorer\IEXPLORE.Dat 2007-4-4 8:8:10
C:\Program Files\Internet Explorer\IEXPLORE.Sys 2007-4-4 8:8:6
C:\Program Files\Common Files\Microsoft Shared\MSINFO\NewInfo.rxk 2007-4-4 8:8:6
C:\Program Files\Internet Explorer\IEXPLORE.win 2007-4-4 8:8:8
C:\WINDOWS\system32\conime.exe * 1216 2004-8-17 12:0:0 Microsoft? Windows? Operating System 5.1.2600.2180 Console IME ? Microsoft Corporation. All rights reserved. 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft Corporation ? Console CONIME.EXE
C:\Program Files\Internet Explorer\PLUGINS\SystemKb.sys 2007-4-4 8:8:6
C:\Program Files\Internet Explorer\IEXPLORE.Dat 2007-4-4 8:8:10
C:\Program Files\Internet Explorer\IEXPLORE.Sys 2007-4-4 8:8:6
C:\program files\Internet Explorer\IEXPLORE.EXE * 2236 2004-8-17 20:0:0 Microsoft(R) Windows(R) Operating System 6.00.2900.2180 Internet Explorer (C) Microsoft Corporation. All rights reserved. 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) Microsoft Corporation ? iexplore IEXPLORE.EXE
C:\Program Files\Internet Explorer\PLUGINS\SystemKb.sys 2007-4-4 8:8:6
C:\WINDOWS\system32\AlxTB1.dll 2006-10-31 8:7:44 AlxTB Module 1, 0, 0, 1 AlxTB Module Copyright 2000-2003 7, 2, 0, 2 Alexa Internet ? AlxTB AlxTB.DLL
C:\Program Files\Internet Explorer\IEXPLORE.Dat 2007-4-4 8:8:10
C:\Program Files\Internet Explorer\IEXPLORE.Sys 2007-4-4 8:8:6
C:\Program Files\Common Files\Microsoft Shared\MSINFO\NewInfo.rxk 2007-4-4 8:8:6
C:\Program Files\Internet Explorer\IEXPLORE.win 2007-4-4 8:8:8
C:\Program Files\Common Files\Microsoft Shared\MSINFO\system.2dt * 2840 2007-3-29 16:19:30
C:\Program Files\Common Files\Microsoft Shared\MSINFO\system.2dt 2007-3-29 16:19:30
C:\Program Files\Common Files\Microsoft Shared\MSINFO\NewInfo.rxk 2007-4-4 8:8:6
C:\Program Files\Internet Explorer\PLUGINS\system2.jmp * 2860 2007-3-29 16:24:50
C:\Program Files\Internet Explorer\PLUGINS\system2.jmp 2007-3-29 16:24:50
C:\Program Files\Internet Explorer\PLUGINS\SystemKb.sys 2007-4-4 8:8:6
C:\Program Files\Internet Explorer\IEXPLORE.ime * 2880 2007-3-30 11:52:22
C:\Program Files\Internet Explorer\IEXPLORE.ime 2007-3-30 11:52:22
C:\Program Files\Internet Explorer\IEXPLORE.Sys 2007-4-4 8:8:6
C:\Program Files\Internet Explorer\IEXPLORE.New * 2904 2007-3-30 14:50:18
C:\Program Files\Internet Explorer\IEXPLORE.New 2007-3-30 14:50:18
C:\Program Files\Internet Explorer\IEXPLORE.win 2007-4-4 8:8:8
C:\Program Files\Internet Explorer\IEXPLORE.jmp * 2924 2007-3-30 14:50:18
C:\Program Files\Internet Explorer\IEXPLORE.jmp 2007-3-30 14:50:18
C:\Program Files\Internet Explorer\IEXPLORE.Dat 2007-4-4 8:8:10
C:\WINDOWS\system32\dllcache\ykwcs.exe * 2824 2007-4-4 8:9:48
C:\WINDOWS\system32\svchost.exe * 2932 2004-8-17 12:0:0 Microsoft? Windows? Operating System 5.1.2600.2180 Generic Host Process for Win32 Services ? Microsoft Corporation. All rights reserved. 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft Corporation ? svchost.exe svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.Dat 2007-4-4 8:8:10
C:\Program Files\Internet Explorer\IEXPLORE.win 2007-4-4 8:8:8
C:\Program Files\Internet Explorer\IEXPLORE.Sys 2007-4-4 8:8:6
C:\Program Files\Internet Explorer\PLUGINS\SystemKb.sys 2007-4-4 8:8:6
C:\Program Files\Common Files\Microsoft Shared\MSINFO\NewInfo.rxk 2007-4-4 8:8:6
C:\Program Files\Internet Explorer\IEXPLORE.EXE * 652 2004-8-17 20:0:0 Microsoft(R) Windows(R) Operating System 6.00.2900.2180 Internet Explorer (C) Microsoft Corporation. All rights reserved. 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) Microsoft Corporation ? iexplore IEXPLORE.EXE
C:\WINDOWS\system32\AlxTB1.dll 2006-10-31 8:7:44 AlxTB Module 1, 0, 0, 1 AlxTB Module Copyright 2000-2003 7, 2, 0, 2 Alexa Internet ? AlxTB AlxTB.DLL
iexplore.exe * 3096
iexplore.exe * 3540
SVCHOSI.exe * 3828


F2 - REG: system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,rundll32.exe C:\WINDOWS\system32\mcdsrv16_070402.dll start


O1 - Hosts: 127.0.0.1 locator.metadata.windowsmedia.com
O1 - Hosts: 127.0.0.1 onlinestore.smgbb.cn


O2 - BHO Advance Helper - {8E25AC4A-B129-451B-BEE2-3B510BB751DA} - C:\WINDOWS\system32\NTDLL32.dll
O2 - BHO IE Browser Helper - {D0903A3B-F0EA-434a-9742-98C5335C7946} - C:\WINDOWS\system32\IEHelper.dll
O2 - BHO AlxTB BHO Class - {F1FABE79-25FC-46de-8C5A-2C6DB9D64333} - C:\WINDOWS\system32\AlxTB1.dll


O4 - HKCR\..\Run: [msr1e4er6] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\servicer.exe
O4 - HKCR\..\Run: [w48jmh4480mz] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winlog0n.exe
O4 - HKCR\..\Run: [h4rr1] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\c0nime.exe
O4 - HKCR\..\Run: [kgs7kj4zt] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\cftmon.exe
O4 - HKCR\..\Run: [9erjfccm] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\iexpl0re.exe
O4 - HKCR\..\Run: [sz] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Servere.exe
O4 - HKCR\..\Run: [hc1m1h305f7] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\crasos.exe
O4 - HKCR\..\Run: [zkeczl5mjug1] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\rundl132.exe
O4 - HKCR\..\Run: [svc] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\byetmr.exe
O4 - HKCR\..\Run: [System Boot Check] C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\CVQ5OL86\qq[1].exe
O4 - HKLM\..\Run: [NMGameX_AutoRun] C:\WINDOWS\system32\Rundll32.exe NMGameX.dll,LiveProcess /aa
O4 - HKLM\..\Run: [cmdbcs] C:\WINDOWS\cmdbcs.exe
O4 - HKLM\..\Run: [SVCHOSI] C:\Program Files\Internet Explorer\SVCHOSI.exe
O4 - HKLM\..\Run: [Windows Media Player] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Windows Media Player.exe


O8 - IE右键菜单附加项 : Alexa Web Search - http://client.alexa.com/holiday/script/actions/search.htm
O8 - IE右键菜单附加项 : Get Alexa Data - http://client.alexa.com/holiday/script/actions/sitedata.htm
O8 - IE右键菜单附加项 : Mail to a Friend... - http://client.alexa.com/holiday/script/actions/mailto.htm
O8 - IE右键菜单附加项 : See Related Links - http://client.alexa.com/holiday/script/actions/related.htm
O8 - IE右键菜单附加项 : Write a Review... - http://client.alexa.com/holiday/script/actions/review.htm


O9 - IE工具栏扩展按钮HKCR:雨林木风 - {06A70D58-8D40-49DD-B46B-DC00AA3ADCA4} - http://www.ylmf.com
O9 - IE工具菜单扩展项HKCR: - {06A70D58-8D40-49DD-B46B-DC00AA3ADCA4} - http://www.ylmf.com


O20 - AppInit_DLLs: C:\WINDOWS\system32\NTDLL32.dll


O23 - 服务: C01B1EF6 (C01B1EF6) - C:\WINDOWS\system32\C01B1EF6.EXE -service 2007-3-30 15:12:26 Microsoft(R) Windows(R) Operating System ? ? (C) Microsoft Corporation. All rights reserved. ? Microsoft Corporation ? ? ?(自动)


O23 - 服务: FF7A0ADE (FF7A0ADE) - C:\WINDOWS\system32\FF7A0ADE.EXE -service 2007-4-4 8:27:8 Microsoft(R) Windows(R) Operating System ? ? (C) Microsoft Corporation. All rights reserved. ? Microsoft Corporation ? ? ?(自动)


O23 - 服务: JRAID () - System32\Drivers\JRAID.SYS JMicron JR036X RAID Driver 5.1.2600.1040 JMicron JR036X RAID Driver Copyright (C) JMicron Technology Corp. 2005-2006 5.1.2600.1040 built by: WinDDK JMicron Technology Corp. ? JRAID.SYS 1.04.04 JRAID.SYS(引导)


O23 - 服务: mv614x () - System32\Drivers\mv614x.sys(引导)


O23 - 服务: NPF (Netgroup Packet Filter) - system32\DRIVERS\npf.sys WinPcap Netgroup Packet Filter Driver 3, 1, 0, 27 npf Copyright ? 2005 CACE Technologies. Copyright ? 2003-2005 NetGroup, Politecnico di Torino. 3, 1, 0, 27 CACE Technologies NPF + TME npf.sys(手动)

O23 - 服务: TomDemoService (TomDemoService) - C:\CONFIG.EXE 2007-3-30 8:29:24(自动)


O23 - 服务: vmscsi () - System32\Drivers\vmscsi.sys VMware, Inc. script1 Application 1, 2, 0, 0 VMware SCSI Controller Copyright ? 1998-2003 VMware, Inc. 1, 2, 0, 0 VMware, Inc. vmscsi.sys vmscsi.sys(引导)


O23 - 服务: WebPrint (WebPrint) - c:\windows\system32\webprint.exe 2007-4-2 14:45:8 Microsoft Web Printer 5.2600.2180 Microsoft Web Printer C) Microsoft Corporation. All rights reserved. 5.2600.2180 Microsoft Corporation ? WEBPNT WEBPNT.EXE(自动)


O23 - 服务: Windows Firewall (Windows Firewall) - C:\WINDOWS\system32\SVCH0ST.EXE 2007-3-30 16:18:30(自动)


O23 - 服务: wuauserv (Automatic Updates) - C:\WINDOWS\system32\drivers\svchost.exe 2007-4-4 8:9:48(自动)


O24 - [] - {A6011F8F-A7F8-49AA-9ADA-49127D43138F} = C:\Program Files\Common Files\Microsoft Shared\MSINFO\NewInfo.rxk
O24 - [] - {754FB7D8-B8FE-4810-B363-A788CD060F1F} = C:\Program Files\Internet Explorer\PLUGINS\SystemKb.sys
O24 - [] - {99F1D023-7CEB-4586-80F7-BB1A98DB7602} = C:\Program Files\Internet Explorer\IEXPLORE.Sys
O24 - [] - {923509F1-45CB-4EC0-BDE0-1DED35B8FD60} = C:\Program Files\Internet Explorer\IEXPLORE.win
O24 - [] - {FEB94F5A-69F3-4645-8C2B-9E71D270AF2E} = C:\Program Files\Internet Explorer\IEXPLORE.Dat
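A small triage pass over the startup entries in the log above, written as an added example (not code from the original post, nor from pe_xscan or HijackThis): it flags look-alike names for Windows binaries such as SVCH0ST.EXE and rundl132.exe, a real binary name in the wrong directory (svchost.exe under drivers\), programs launched from Temp, the AppInit_DLLs entry, and the extra command appended to UserInit. The checks, the list of imitated binaries and the edit-distance threshold are the editor's assumptions; SAMPLE is copied from the entries above as constructed input.

```python
# Added example (not from the original post, pe_xscan or HijackThis): triage
# HijackThis-style startup entries for the patterns this Viking cleanup hit.
# The checks and the imitated-binary list are assumptions, not a tool's rules.
import ntpath
import re

# Windows binaries the malware on this machine imitated, keyed by name stem,
# with the %SystemRoot% subdirectory they normally live in (None: elsewhere).
SYSTEM_BINARIES = {
    "svchost": "system32", "conime": "system32", "ctfmon": "system32",
    "rundll32": "system32", "winlogon": "system32", "userinit": "system32",
    "iexplore": None,
}
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l"})   # SVCH0ST, rundl132, iexpl0re
PATH_RE = re.compile(r"[A-Za-z]:\\[^,\n]*?\.(?:exe|dll|sys|scr)\b", re.IGNORECASE)
TEMP_MARKERS = ("\\temp\\", "\\temporary internet files\\")


def osa_distance(a, b):
    """Optimal string alignment distance: edits plus adjacent swaps (cftmon)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def triage_line(line):
    """Return the reasons one startup entry deserves a closer look."""
    findings, paths = [], PATH_RE.findall(line)
    if line.startswith("O20 - AppInit_DLLs:") and paths:
        findings.append(f"AppInit_DLLs injects {paths[0]} into every GUI process")
    if line.startswith("F2 - ") and "UserInit=" in line and len(paths) > 1:
        findings.append(f"extra command appended to UserInit: {paths[1]}")
    for path in paths:
        low, name = path.lower(), ntpath.basename(path)
        if any(marker in low for marker in TEMP_MARKERS):
            findings.append(f"{name} starts from a temporary directory")
        stem, parent = ntpath.splitext(ntpath.basename(low))[0], ntpath.dirname(low)
        for known, subdir in SYSTEM_BINARIES.items():
            if stem == known:   # the real name: is it in the real place?
                if subdir and not parent.endswith("\\windows\\" + subdir):
                    findings.append(f"{known}.exe outside its normal directory: {path}")
            elif osa_distance(stem.translate(HOMOGLYPHS), known) <= 1:
                findings.append(f"{name} looks like {known}.exe")
    return findings


def triage(log_text):
    """Map each flagged log line to its findings; clean lines are omitted."""
    report = {}
    for line in log_text.splitlines():
        if findings := triage_line(line):
            report[line] = findings
    return report


# Constructed input: entries copied from the scan log in this post.
SAMPLE = r"""F2 - REG: system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,rundll32.exe C:\WINDOWS\system32\mcdsrv16_070402.dll start
O4 - HKCR\..\Run: [h4rr1] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\c0nime.exe
O4 - HKCR\..\Run: [zkeczl5mjug1] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\rundl132.exe
O4 - HKCR\..\Run: [System Boot Check] C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\CVQ5OL86\qq[1].exe
O4 - HKLM\..\Run: [NMGameX_AutoRun] C:\WINDOWS\system32\Rundll32.exe NMGameX.dll,LiveProcess /aa
O4 - HKLM\..\Run: [SVCHOSI] C:\Program Files\Internet Explorer\SVCHOSI.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\NTDLL32.dll
O23 - 服务: Windows Firewall (Windows Firewall) - C:\WINDOWS\system32\SVCH0ST.EXE 2007-3-30 16:18:30(自动)
O23 - 服务: wuauserv (Automatic Updates) - C:\WINDOWS\system32\drivers\svchost.exe 2007-4-4 8:9:48(自动)"""

if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE).items():
        print(entry)
        for reason in reasons:
            print("   ->", reason)
```

The legitimate NMGameX Rundll32 entry produces no finding, while the other eight lines are flagged; an exact system name in its normal directory is left alone, so the check only bites on the mimicry seen here.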


The Rising antivirus on this machine was still the 2006 edition and could no longer be updated.


Some of the items are similar to those in:

Just warned about it yesterday, and today a friend clicked a URL in a QQ message and got Worm.Viking.pk/Worm.Win32.Viking.jg
http://endurer.bokee.com/6174316.html
http://blog.sina.com.cn/u/49926d910100080b
http://blog.csdn.net/Purpleendurer/archive/2007/03/20/1535711.aspx


I downloaded the Viking removal tool from the Jiangmin website and sent it over to run; sure enough, it cleaned out some of the files.


Then I ran Rising's free online scan, which turned up another batch:
2007-4-4 10:45:7 瑞星杀毒助手
Windows XP Service Pack 2(5.1.2600)
文件名 病毒名
C:\WINDOWS\system32\cmdbcs.dll Trojan.PSW.OnlineGames.aao
C:\WINDOWS\system32\C01B1EF6.EXE Trojan.IMMSG.TBMSG.df
C:\WINDOWS\system32\C01B1EF6T.EXE Trojan.IMMSG.TBMSG.df
C:\WINDOWS\system32\C01B1EF6.DLL Trojan.IMMSG.TBMSG.df
C:\WINDOWS\system32\D97A73FB.exe Trojan.DL.Agent.mry
C:\WINDOWS\system32\FF7A0ADE.EXE Trojan.IMMSG.TBMSG.dh
C:\WINDOWS\system32\FF7A0ADET.EXE Trojan.IMMSG.TBMSG.dh
C:\WINDOWS\system32\FF7A0ADE.DLL Trojan.IMMSG.Tbmsg.dg
C:\WINDOWS\system32\B4C050A.exe Trojan.IMMSG.TBMSG.dh
C:\WINDOWS\system32\kdjs1.exe>>upack0.36 Trojan.Clicker.PopHot.cq
C:\WINDOWS\system32\ridiap070402.exe>>upack0.36 Trojan.Clicker.PopHot.cq
C:\WINDOWS\system32\scrie070402.scr>>upack0.36 Trojan.Clicker.PopHot.cq
C:\WINDOWS\system32\SVCH0ST.EXE Backdoor.Agent.ibv
C:\WINDOWS\cmdbcs.exe Trojan.PSW.OnlineGames.aaq
C:\Documents and Settings\Administrator\Local Settings\Temp\ck3.exe.exe>>UPX Trojan.PSW.Agent.jqu
C:\Documents and Settings\Administrator\Local Settings\Temp\Qqzo0.dll Trojan.PSW.OnlineGames.yo
C:\Documents and Settings\Administrator\Local Settings\Temp\LgSy0.dll>>UPX Trojan.PSW.XYOnline.nc
C:\Documents and Settings\Administrator\Local Settings\Temp\lg.dll Trojan.PSW.LMir.mhl
C:\Documents and Settings\Administrator\Local Settings\Temp\banner.jpg>>UPX Trojan.PSW.QQPass.rtq
C:\Documents and Settings\Administrator\Local Settings\Temp\LgSy1.dll>>UPX Trojan.PSW.XYOnline.nc
C:\Documents and Settings\Administrator\Local Settings\Temp\Qqzo1.dll Trojan.PSW.OnlineGames.yo
C:\Documents and Settings\Administrator\Local Settings\Temp\Rav30.dll>>UPX Trojan.PSW.OnlineGames.yq
C:\Documents and Settings\Administrator\Local Settings\Temp\Msxo1.dll>>UPX Trojan.PSW.OnlineGames.yw
C:\Documents and Settings\Administrator\Local Settings\Temp\LgSy2.dll>>UPX Trojan.PSW.OnlineGames.yv
C:\Documents and Settings\Administrator\Local Settings\Temp\Gjzo1.dll>>UPX Trojan.PSW.OnlineGames.yu
C:\Documents and Settings\Administrator\Local Settings\Temp\Rav31.dll>>UPX Trojan.PSW.OnlineGames.yq
C:\Documents and Settings\Administrator\Local Settings\Temp\Rav21.dll>>upack0.34 Trojan.PSW.OnlineGames.yx
C:\Documents and Settings\Administrator\Local Settings\Temp\Wmzo1.dll>>UPX Trojan.PSW.OnlineGames.yz
C:\Documents and Settings\Administrator\Local Settings\Temp\Gjzo0.dll>>UPX Trojan.PSW.OnlineGames.yu
C:\Documents and Settings\Administrator\Local Settings\Temp\Msxo0.dll>>UPX Trojan.PSW.OnlineGames.yw
C:\Documents and Settings\Administrator\Local Settings\Temp\Rav20.dll>>upack0.34 Trojan.PSW.OnlineGames.yx
C:\Documents and Settings\Administrator\Local Settings\Temp\Wmzo0.dll>>UPX Trojan.PSW.OnlineGames.yz
C:\Documents and Settings\Administrator\Local Settings\Temp\shua.exe.exe>>UPX Trojan.PSW.QQPass.rvt
C:\Program Files\Common Files\Microsoft Shared\MSInfo\NewInfo.rxk Trojan.PSW.QQPass.rug
C:\Program Files\Internet Explorer\PLUGINS\system2.jmp Trojan.PSW.QQPass.rtw
C:\Program Files\Internet Explorer\PLUGINS\SystemKb.sys Trojan.PSW.QQPass.rtn
C:\Program Files\Internet Explorer\IEXPLORE.Sys Trojan.PSW.QQPass.rtq
C:\Program Files\Internet Explorer\IEXPLORE.win Trojan.PSW.QQPass.rtp
C:\Program Files\Internet Explorer\IEXPLORE.Dat Trojan.PSW.QQPass.rts
C:\Program Files\Internet Explorer\IEXPLORE.Tmp Trojan.PSW.Agent.jqu
C:\Program Files\Internet Explorer\IEXPLORE.Bak Trojan.PSW.QQPass.rvt
C:\CONFIG.EXE>>fsg2.0 Trojan.DL.Delf.yfw
D:\mie.com>>upack0.36 Trojan.Clicker.PopHot.cq



Download Rising Antivirus Assistant (瑞星杀毒助手) from http://endurer.ys168.com to deal with these. The O24 entries could not be deleted (they first have to be unloaded from memory with IceSword), so I used the delete-on-next-boot function.


Next I downloaded Dr.Web CureIt and scanned again: yet another batch, many of them Windows system files infected with Trojan.Starter.171. It looks like Jiangmin's Viking removal tool still needs further updates.


Dr.Web(R) Scanner for Windows v4.33.2 (4.33.2.10067)
Log generated on: 2007-04-04, 10:49:36 [Administrator]


c:\documents and settings\localservice\local settings\temporary internet files\content.ie5\6yb6gzi7\qq[1].exe infected with Trojan.DownLoader.17951 - deleted
c:\program files\internet explorer\plugins\systemkb.sys infected with Trojan.PWS.Qqpass.510 - will be cured after reboot
c:\windows\inf\unregmp2.exe infected with Trojan.Starter.171 - cured
c:\windows\system32\alg.exe infected with Trojan.Starter.171 - cured
……
c:\windows\system32\vssvc.exe infected with Trojan.Starter.171 - cured
c:\windows\system32\wbem\wmiapsrv.exe infected with Trojan.Starter.171 - cured
c:\windows\system32\wdfmgr.exe infected with Trojan.Starter.171 - cured
C:\Program Files\Common Files\Microsoft Shared\asoee.exe probably infected with DLOADER.Trojan
C:\Program Files\Windows Media Player\hwswl.exe probably infected with DLOADER.Trojan
C:\Program Files\Internet Explorer\Connection Wizard\aanaa.exe probably infected with DLOADER.Trojan
C:\Program Files\Internet Explorer\PLUGINS\SystemKb.sys infected with Trojan.PWS.Qqpass.510 - will be cured after reboot
C:\WINDOWS\twunk_32.exe infected with Trojan.Starter.171 - cured
……
C:\WINDOWS\Alcrmv.exe infected with Trojan.Starter.171 - cured
C:\WINDOWS\system32\sort.exe infected with Trojan.Starter.171 - cured
……
C:\WINDOWS\system32\ayhip.exe probably infected with DLOADER.Trojan
C:\WINDOWS\system32\kmoau.exe probably infected with DLOADER.Trojan
C:\WINDOWS\system32\mcdsrv32_070402.dll probably infected with DLOADER.Trojan
C:\WINDOWS\system32\notepad.exe.delete_on_reboot.delete_on_reboot.delete_on_reboot.delete_on_reboot infected with Trojan.Starter.171 - will be cured after reboot
C:\WINDOWS\system32\drivers\kekci.exe probably infected with DLOADER.Trojan
……
C:\WINDOWS\system32\wbem\mofcomp.exe infected with Trojan.Starter.171 - cured
……
C:\WINDOWS\system32\npp\nppagent.exe infected with Trojan.Starter.171 - cured
C:\WINDOWS\system32\dllcache\twunk_32.exe infected with Trojan.Starter.171 - cured
……
>C:\WINDOWS\system32\dllcache\ykwcs.exe probably infected with DLOADER.Trojan
C:\WINDOWS\system32\usmt\migload.exe infected with Trojan.Starter.171 - cured
……
>C:\WINDOWS\system32\IME\kumsu.exe probably infected with DLOADER.Trojan
C:\WINDOWS\system32\IME\PINTLGNT\IMSCINST.EXE infected with Trojan.Starter.171 - cured
C:\WINDOWS\system32\Com\comrepl.exe infected with Trojan.Starter.171 - cured
C:\WINDOWS\system32\Restore\srdiag.exe infected with Trojan.Starter.171 - cured
C:\WINDOWS\system32\Macromed\Flash\genuinst.exe infected with Trojan.Starter.171 - cured
……
C:\WINDOWS\system32\ReinstallBackups\0002\DriverFiles\SOUNDMAN.EXE infected with Trojan.Starter.171 - cured
……
C:\WINDOWS\system32\NMGameX\iLobby\ilobby.exe infected with Trojan.Starter.171 - cured
>C:\WINDOWS\system\bmxny.exe probably infected with DLOADER.Trojan
C:\WINDOWS\msagent\agentsvr.exe infected with Trojan.Starter.171 - cured
>C:\WINDOWS\addins\ywwca.exe probably infected with DLOADER.Trojan
C:\WINDOWS\Temp\alcupd.exe infected with Trojan.Starter.171 - cured
……
C:\WINDOWS\ime\jpwb\unins000.exe infected with Trojan.Starter.171 - cured
……
C:\WINDOWS\Installer\{90110804-6000-11D3-8CFE-0150048383C9}\unbndico.exe infected with Trojan.Starter.171 - cured



Repair:


The best option is to format every partition and reinstall the system...


because cleaning this up is far too much trouble...


O2 - BHO Advance Helper - {8E25AC4A-B129-451B-BEE2-3B510BB751DA} - C:\WINDOWS\system32\NTDLL32.dll
O2 - BHO IE Browser Helper - {D0903A3B-F0EA-434a-9742-98C5335C7946} - C:\WINDOWS\system32\IEHelper.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\NTDLL32.dll
could only be removed with IceSword.


For the O24 entries, use Rising Kaka Security Assistant (瑞星卡卡安全助手).


For the rest, use HijackThis.


There were so many virus files that just dragging them into bat_do for automatic packaging wore my hands out; I did not feel like testing them...
