Original by endurer
2007-05-08, 1st edition
A friend told me his computer had been running very slowly lately and asked me to have a look.
I downloaded pe_xscan, ran a scan and went through the log; the following suspicious items turned up:
/---
pe_xscan 07-04-12 by Purple Endurer
2007-5-8 12:12:51
Windows XP Service Pack 2(5.1.2600)
管理员用户组
[System Process] * 0
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~Tm22.tmp.rom 1987-5-8 10:59:4
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~Tm23.tmp..rom 2007-5-8 10:59:4
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\hyso0.dll 2007-5-8 10:58:52
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\qqso0.dll 2007-5-8 10:58:52
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\myso0.dll 2007-5-8 10:58:52
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wgs0.dll 2007-5-8 10:58:52
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wls0.dll 2007-5-8 10:58:52
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wos0.dll 2007-5-8 10:58:50
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\rxso0.dll 2007-5-8 10:58:48
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ztso0.dll 2007-5-8 10:58:48
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mhso0.dll 2007-5-8 10:58:46
C:\WINDOWS\System32\svchost.exe * 884 2004-8-17 12:0:0 Microsoft? Windows? Operating System 5.1.2600.2180 Generic Host Process for Win32 Services ? Microsoft Corporation. All rights reserved. 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft Corporation ? svchost.exe svchost.exe
c:\windows\system32\syst.dll 2007-3-22 19:35:54
C:\WINDOWS\Explorer.EXE * 264 2004-8-17 12:0:0 Microsoft(R) Windows(R) Operating System 6.00.2900.2180 Windows Explorer (C) Microsoft Corporation. All rights reserved. 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) Microsoft Corporation ? explorer EXPLORER.EXE
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mhso0.dll 2007-5-8 10:58:46
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ztso0.dll 2007-5-8 10:58:48
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\rxso0.dll 2007-5-8 10:58:48
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wos0.dll 2007-5-8 10:58:50
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wgs0.dll 2007-5-8 10:58:52
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wls0.dll 2007-5-8 10:58:52
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\myso0.dll 2007-5-8 10:58:52
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\qqso0.dll 2007-5-8 10:58:52
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\hyso0.dll 2007-5-8 10:58:52
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~Tm22.tmp.rom 1987-5-8 10:59:4
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~Tm23.tmp..rom 2007-5-8 10:59:4
C:\Program Files\Common Files\Real\Update_OB\realsched.exe * 272 2006-8-24 11:18:44 RealPlayer (32-bit) 0.1.0.3510 RealNetworks Scheduler Copyright ? RealNetworks, Inc. 1995-2004 0.1.0.3510 RealNetworks, Inc. RealAudio(tm) is a trademark of RealNetworks, Inc. schedapp realsched.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~Tm22.tmp.rom 1987-5-8 10:59:4
D:\KAVStart.exe * 1688 2006-11-11 16:44:34 Kingsoft Internet Security 7, 6, 0, 212 Kingsoft Security Center Copyright (C) 2000 - 2006 Kingsoft Inc (KIS International Team), All Rights Reserved. 2006, 11, 10, 212 Kingsoft Corporation Kingsoft KAVStart KAVStart.EXE
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~Tm22.tmp.rom 1987-5-8 10:59:4
C:\WINDOWS\wos3.exe * 1064 2007-3-26 10:10:8
C:\WINDOWS\wos3.exe 2007-3-26 10:10:8
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wos0.dll 2007-5-8 10:58:50
C:\WINDOWS\wls3.exe * 1016 2007-3-26 10:10:20
C:\WINDOWS\wls3.exe 2007-3-26 10:10:20
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wls0.dll 2007-5-8 10:58:52
C:\WINDOWS\wgs3.exe * 976 2007-3-26 10:10:28
C:\WINDOWS\wgs3.exe 2007-3-26 10:10:28
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wgs0.dll 2007-5-8 10:58:52
D:\KMailMon.EXE * 2172 2006-11-11 16:44:34 Kingsoft Internet Security 7, 6, 0, 19 Kingsoft Antivirus Mail Monitor Copyright ? 2000 - 2006 Kingsoft Inc (KIS International Team), All Rights Reserved. 2006, 9, 7, 918 Kingsoft Corporation Kingsoft MailMon KMailMon.EXE
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~Tm22.tmp.rom 1987-5-8 10:59:4
C:\WINDOWS\SOUNDMAN.EXE * 2196 2006-1-11 23:8:36 Realtek Sound Manager 5, 1, 0, 51 Realtek Sound Manager Copyright (c) 2001-2004 Realtek Semiconductor Corp. 5, 1, 0, 51 Realtek Semiconductor Corp. ALSMTray ALSMTray.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~Tm22.tmp.rom 1987-5-8 10:59:4
C:\WINDOWS\system32\ctfmon.exe * 2224 2004-8-17 12:0:0 Microsoft? Windows? Operating System 5.1.2600.2180 CTF Loader ? Microsoft Corporation. All rights reserved. 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft Corporation ? CTFMON CTFMON.EXE
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~Tm22.tmp.rom 1987-5-8 10:59:4
D:\KPFW32.EXE * 2412 2006-11-11 16:44:36 Kingsoft Internet Security 7, 6, 0, 19 Kingsoft Firewall Copyright (C) 2000 - 2006 Kingsoft Inc (KIS International Team), All Rights Reserved. 2006, 10, 24, 658 Kingsoft Corporation Kingsoft KPFW32.EXE KPFW32.EXE
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~Tm22.tmp.rom 1987-5-8 10:59:4
O2 - BHO - {8298D101-F992-43B7-8ECA-5052D885B996} - C:\WINDOWS\system32\rs.bin
O4 - HKCR\..\Run: [3u] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\iexpl0re.exe
O4 - HKCR\..\Run: [tuj] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\rundl132.exe
O4 - HKCR\..\Run: [wc2imbevyfqu7g] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winlog0n.exe
O4 - HKLM\..\Run: [mhsa] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mhso.exe
O4 - HKLM\..\Run: [ztsa] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ztso.exe
O4 - HKLM\..\Run: [rxsa] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\rxso.exe
O4 - HKLM\..\Run: [wos3] C:\WINDOWS\wos3.exe
O4 - HKLM\..\Run: [wls3] C:\WINDOWS\wls3.exe
O4 - HKLM\..\Run: [wgs3] C:\WINDOWS\wgs3.exe
O4 - HKLM\..\Run: [wms3] C:\WINDOWS\wms3.exe
O4 - HKLM\..\Run: [jts3] C:\WINDOWS\jts3.exe
O4 - HKLM\..\Run: [qqs3] C:\WINDOWS\qqs3.exe
O4 - HKLM\..\Run: [mysa] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\myso.exe
O4 - HKLM\..\Run: [qqsa] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\qqso.exe
O4 - HKLM\..\Run: [hysa] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\hyso.exe
O4 - HKLM\..\Run: [kernelmh] C:\WINDOWS\Kernelmh.exe
O23 - 服务: ERSvc (Error Reporting Service) - C:\WINDOWS\System32\svchost.exe -k netsvcs -> C:\WINDOWS\system32\syst.dll 2007-3-22 19:35:54(自动)
O24 - [F] - {754FB7D8-B8FE-4810-B363-A788CD060F1F} = F
O24 - [F] - {A6011F8F-A7F8-49AA-9ADA-49127D43138F} = F
O24 - [C] - {729B6C61-BDC5-4C09-A1DE-A296BA0B89EC} = C
O24 - [] - {91B1E846-2BEF-4345-8848-7699C7C9935F} = C:\Program Files\Common Files\Microsoft Shared\MSINFO\SysWFGQQ2.dll
---/
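The O2/O4/O23 entries above can be screened mechanically before each one is hunted down by hand. The following Python script is an added example (not from the original post, nor from pe_xscan or HijackThis): it takes the entries copied from the log above as its input and flags the patterns visible there, namely programs started from the Temp directory, names that imitate Windows binaries by swapping digits for letters (iexpl0re, rundl132, winlog0n), a BHO registered from a file that is not a DLL, and a svchost-hosted service DLL dated long after the XP SP2 file baseline (2004-8-17, the date Microsoft's own files carry in the log). The KNOWN_SYSTEM_BINARIES set, the NORMAL_DIR table and the baseline date are my assumptions, not something the post states.

```python
"""Triage of HijackThis-style autostart entries (O2/O4/O23/O24).

Added example; not part of the original post, nor of pe_xscan or
HijackThis. The entries below are copied from the pe_xscan log in the
post; the heuristics, KNOWN_SYSTEM_BINARIES, NORMAL_DIR and the OS
baseline date are my own assumptions.
"""
import re
from dataclasses import dataclass
from datetime import date

# Entries copied from the pe_xscan log above.
SAMPLE_ENTRIES = r"""
O2 - BHO - {8298D101-F992-43B7-8ECA-5052D885B996} - C:\WINDOWS\system32\rs.bin
O4 - HKCR\..\Run: [3u] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\iexpl0re.exe
O4 - HKCR\..\Run: [tuj] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\rundl132.exe
O4 - HKCR\..\Run: [wc2imbevyfqu7g] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winlog0n.exe
O4 - HKLM\..\Run: [mhsa] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mhso.exe
O4 - HKLM\..\Run: [wos3] C:\WINDOWS\wos3.exe
O4 - HKLM\..\Run: [kernelmh] C:\WINDOWS\Kernelmh.exe
O23 - 服务: ERSvc (Error Reporting Service) - C:\WINDOWS\System32\svchost.exe -k netsvcs -> C:\WINDOWS\system32\syst.dll 2007-3-22 19:35:54(自动)
O24 - [] - {91B1E846-2BEF-4345-8848-7699C7C9935F} = C:\Program Files\Common Files\Microsoft Shared\MSINFO\SysWFGQQ2.dll
"""

# Assumption: Windows binary names that malware commonly imitates.
KNOWN_SYSTEM_BINARIES = {
    "iexplore", "rundll32", "winlogon", "svchost", "explorer",
    "smss", "csrss", "lsass", "services", "ctfmon",
}
# Assumption: where each of those lives on an XP box (lower-case); default is system32.
NORMAL_DIR = {"iexplore": r"c:\program files\internet explorer", "explorer": r"c:\windows"}
DEFAULT_DIR = r"c:\windows\system32"
# Microsoft's own XP SP2 binaries in the log all carry this file date.
OS_BASELINE = date(2004, 8, 17)
# Digit-for-letter swaps seen in the log: 0 for o, 1 for l.
LOOKALIKE_MAP = str.maketrans("01", "ol")

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
SERVICE_DLL_RE = re.compile(r"-> (.+?)\s+(\d{4})-(\d{1,2})-(\d{1,2})")


@dataclass
class Finding:
    kind: str
    path: str
    reasons: list


def parse_entry(line):
    """Return (kind, path, file_date_or_None), or None for lines not handled."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    kind, rest = m.groups()
    stamp = None
    if kind == "O2":                       # BHO: "... - {CLSID} - path"
        path = rest.rpartition(" - ")[2]
    elif kind == "O4":                     # Run key: "... [name] path"
        path = rest.partition("] ")[2]
    elif kind == "O23":                    # service: "... -> dll yyyy-m-d h:m:s"
        d = SERVICE_DLL_RE.search(rest)
        if not d:
            return None
        path = d.group(1)
        stamp = date(int(d.group(2)), int(d.group(3)), int(d.group(4)))
    elif kind == "O24":                    # "... {CLSID} = path"
        path = rest.partition(" = ")[2]
    else:
        return None
    return (kind, path, stamp) if ":\\" in path else None


def reasons_for(kind, path, stamp=None):
    """Heuristic reasons an autostart entry deserves a closer look."""
    low = path.lower()
    parent, _, name = low.rpartition("\\")
    stem, dot, ext = name.rpartition(".")
    if not dot:
        stem, ext = name, ""
    reasons = []
    if "\\temp\\" in low:
        reasons.append("runs from a Temp directory")
    canon = stem.translate(LOOKALIKE_MAP)  # iexpl0re -> iexplore, rundl132 -> rundll32
    if canon in KNOWN_SYSTEM_BINARIES:
        if canon != stem:
            reasons.append(f"look-alike of {canon}.exe")
        elif parent != NORMAL_DIR.get(canon, DEFAULT_DIR):
            reasons.append(f"{canon}.exe outside its normal directory")
    if kind == "O2" and ext != "dll":
        reasons.append("BHO that is not a .dll")
    if kind == "O23" and stamp and stamp > OS_BASELINE:
        reasons.append(f"service DLL dated {stamp} (after OS baseline {OS_BASELINE})")
    return reasons


def triage(text):
    """Parse every entry and keep those with at least one reason."""
    findings = []
    for line in text.splitlines():
        parsed = parse_entry(line)
        if parsed is None:
            continue
        kind, path, stamp = parsed
        reasons = reasons_for(kind, path, stamp)
        if reasons:
            findings.append(Finding(kind, path, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_ENTRIES):
        print(f"{f.kind:4} {f.path}\n     -> {'; '.join(f.reasons)}")
```

Entries that produce no reason (wos3.exe, Kernelmh.exe, the O24 DLL under MSINFO) are not cleared by this; in the post they were only caught by the AV scan that follows, so a quiet result still gets the manual review the post does.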
Checking c:\windows and c:\windows\system32 turned up a big pile of suspicious files, such as:
/---
D:\tools\bat_do>dir c:\windows\system32 /a /od
驱动器 C 中的卷没有标签。
卷的序列号是 40FB-AD0B
c:\windows\system32 的目录
(omitted)
2007-03-22 19:25 70,413 dongdi.exe
2007-03-22 19:35 256,000 syst.dll
2007-03-22 19:35 256,000 sysi.dll
2007-03-22 19:35 21,657 wanmei.exe
2007-03-22 19:35 26,037 moyu.exe
2007-03-22 19:35 70,413 chajian.exe
2007-03-22 19:35 58,369 rs.bin
2007-03-24 09:07 23,657 update.txt.exe
2007-03-24 09:07 23,657 update.txt.bat
2007-03-24 19:45 13,312 NTUP1.dll
2007-03-27 11:42 17,408 WOW3.exe.bat
2007-03-27 11:51 32 sinfo.ini
2007-03-30 09:35 20,845 xy2.exe.bat
2007-04-02 08:18 32,380 xy2ok.exe.bat
2007-04-05 03:06 215,264 FNTCACHE.DAT
2007-04-16 08:18 11,264 mutou.exe.exe
2007-04-16 08:18 11,264 mutou.exe.bat
2007-04-17 08:38 25,088 s159.exe.bat
2007-04-18 12:52 24,086 szzy.exe.bat
(omitted)
---/
I went to http://purpleendurer.ys168.com/ and downloaded FileInfo and bat_do, then used FileInfo to pull the details of some of these files.
文件说明符 : C:\WINDOWS\10Sy.exe
属性 : A---
获取文件版本信息大小失败!
创建时间 : 2007-3-22 19:7:25
修改时间 : 2007-3-24 8:42:40
访问时间 : 2007-5-8 0:0:0
大小 : 72568 字节 70.888 KB
MD5 : 12b7b3d7773dcf24492e83ffcc34eb86
Rising detects it as Trojan.PSW.QQhx.af
文件说明符 : C:\WINDOWS\wms3.exe
属性 : A---
获取文件版本信息大小失败!
创建时间 : 2007-3-26 10:10:30
修改时间 : 2007-3-26 10:10:32
访问时间 : 2007-5-8 0:0:0
大小 : 69730 字节 68.98 KB
MD5 : d39aa9d7c7448d126ca6cc8f54ce0a21
Kaspersky detects it as Trojan.Win32.Pakes; Rising detects it as Trojan.PSW.OnlineGames.xb
文件说明符 : C:\WINDOWS\jts3.exe
属性 : A---
获取文件版本信息大小失败!
创建时间 : 2007-3-26 10:10:32
修改时间 : 2007-3-26 10:10:34
访问时间 : 2007-5-8 0:0:0
大小 : 69095 字节 67.487 KB
MD5 : b009e2c68ad3be89fc97365769f50a3a
Kaspersky detects it as Trojan-PSW.Win32.OnLineGames.bs; Rising detects it as Trojan.PSW.OnlineGames.xd
文件说明符 : C:\WINDOWS\system32\dongdi.exe
属性 : A---
获取文件版本信息大小失败!
创建时间 : 2007-3-22 19:25:41
修改时间 : 2007-3-22 19:25:42
访问时间 : 2007-5-8 0:0:0
大小 : 70413 字节 68.781 KB
MD5 : c95ddf24696e51abcc08d83a44dba90b
Kaspersky detects it as not-a-virus:AdWare.Win32.Delf.g; Rising detects it as Trojan.DL.Bho.iv
文件说明符 : C:\WINDOWS\system32\wanmei.exe
属性 : A---
获取文件版本信息大小失败!
创建时间 : 2007-3-22 19:35:52
修改时间 : 2007-3-22 19:35:54
访问时间 : 2007-5-8 0:0:0
大小 : 21657 字节 21.153 KB
MD5 : 9c97cc090d9c87fcb797a212e12b327f
文件说明符 : C:\WINDOWS\system32\moyu.exe
属性 : A---
获取文件版本信息大小失败!
创建时间 : 2007-3-22 19:35:53
修改时间 : 2007-3-22 19:35:56
访问时间 : 2007-5-8 0:0:0
大小 : 26037 字节 25.437 KB
MD5 : 434ebf20c6532f2fec71c208e53f42aa
文件说明符 : C:\WINDOWS\system32\rs.bin
属性 : A---
获取文件版本信息大小失败!
创建时间 : 2007-3-22 19:25:42
修改时间 : 2007-3-22 19:35:58
访问时间 : 2007-5-8 0:0:0
大小 : 58369 字节 57.1 KB
MD5 : 536a919d0cc058c00a73cb1a3f266f12
文件说明符 : C:\WINDOWS\system32\chajian.exe
属性 : A---
获取文件版本信息大小失败!
创建时间 : 2007-3-22 19:35:55
修改时间 : 2007-3-22 19:35:58
访问时间 : 2007-5-8 0:0:0
大小 : 70413 字节 68.781 KB
MD5 : c95ddf24696e51abcc08d83a44dba90b
Kaspersky detects it as not-a-virus:AdWare.Win32.Delf.g; Rising detects it as Trojan.DL.Bho.iv
文件说明符 : C:\WINDOWS\system32\update.txt.exe
属性 : A---
获取文件版本信息大小失败!
创建时间 : 2007-3-24 9:7:33
修改时间 : 2007-3-24 9:7:34
访问时间 : 2007-5-8 0:0:0
大小 : 23657 字节 23.105 KB
MD5 : c385ed2bc5ea41568892a4a0b6e5f0ab
Rising detects it as Trojan.DL.Multi.whn
文件说明符 : C:\WINDOWS\system32\update.txt.bat
属性 : A---
获取文件版本信息大小失败!
创建时间 : 2007-3-24 9:7:33
修改时间 : 2007-3-24 9:7:34
访问时间 : 2007-5-8 0:0:0
大小 : 23657 字节 23.105 KB
MD5 : c385ed2bc5ea41568892a4a0b6e5f0ab
文件说明符 : C:\WINDOWS\system32\xy2.exe.bat
属性 : A---
获取文件版本信息大小失败!
创建时间 : 2007-3-30 9:35:7
修改时间 : 2007-3-30 9:35:8
访问时间 : 2007-5-8 0:0:0
大小 : 20845 字节 20.365 KB
MD5 : c168697e596c7183ab28eee23e3ed73e
文件说明符 : C:\WINDOWS\system32\xy2ok.exe.bat
属性 : A---
获取文件版本信息大小失败!
创建时间 : 2007-4-2 8:18:30
修改时间 : 2007-4-2 8:18:32
访问时间 : 2007-5-8 0:0:0
大小 : 32380 字节 31.636 KB
MD5 : c014040a36e1ae2c4294a18d24756c88
Kaspersky detects it as Backdoor.Win32.PcClient.za; Rising detects it as Backdoor.Gpigeon.voo
文件说明符 : C:\WINDOWS\system32\mutou.exe.exe
属性 : A---
获取文件版本信息大小失败!
创建时间 : 2007-4-5 8:31:32
修改时间 : 2007-4-16 8:18:46
访问时间 : 2007-5-8 0:0:0
大小 : 11264 字节 11.0 KB
MD5 : 900c5ccc44a5f7a58952f4bdac0c7e5e
文件说明符 : C:\WINDOWS\system32\mutou.exe.bat
属性 : A---
获取文件版本信息大小失败!
创建时间 : 2007-4-5 9:58:1
修改时间 : 2007-4-16 8:18:48
访问时间 : 2007-5-8 0:0:0
大小 : 11264 字节 11.0 KB
MD5 : 900c5ccc44a5f7a58952f4bdac0c7e5e
文件说明符 : C:\WINDOWS\system32\szzy.exe.bat
属性 : A---
获取文件版本信息大小失败!
创建时间 : 2007-4-18 12:52:40
修改时间 : 2007-4-18 12:52:42
访问时间 : 2007-5-8 0:0:0
大小 : 24086 字节 23.534 KB
MD5 : 47c6c4411c19f9d3c8f321b9eb299dc1
I used bat_do to package and back up some of them.
I downloaded Dr.Web CureIt and ran a scan; the results were as follows:
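Two things stand out in the FileInfo records above once they are read side by side: the same MD5 turns up under different names (dongdi.exe and chajian.exe; update.txt.exe and update.txt.bat; mutou.exe.exe and mutou.exe.bat), and most of the names carry a double extension. The following Python script is an added example (not from the original post, nor part of FileInfo): it parses FileInfo output using the field labels exactly as FileInfo prints them, groups records by hash, lists double-extension names and notes which files had no version information. The sample input is a subset of the records above, abbreviated to the fields the parser reads; the checks themselves are my own.

```python
"""Cross-check FileInfo records: one hash under several names, double
extensions, and missing version info.

Added example; not part of the original post or of FileInfo. The records
below are copied from the FileInfo output in the post (FileInfo's own
field labels kept as printed, trimmed to the fields read here).
"""
import re
from collections import defaultdict

SAMPLE_FILEINFO = r"""
文件说明符 : C:\WINDOWS\10Sy.exe
获取文件版本信息大小失败!
大小 : 72568 字节 70.888 KB
MD5 : 12b7b3d7773dcf24492e83ffcc34eb86
文件说明符 : C:\WINDOWS\system32\dongdi.exe
获取文件版本信息大小失败!
大小 : 70413 字节 68.781 KB
MD5 : c95ddf24696e51abcc08d83a44dba90b
文件说明符 : C:\WINDOWS\system32\chajian.exe
获取文件版本信息大小失败!
大小 : 70413 字节 68.781 KB
MD5 : c95ddf24696e51abcc08d83a44dba90b
文件说明符 : C:\WINDOWS\system32\update.txt.exe
获取文件版本信息大小失败!
大小 : 23657 字节 23.105 KB
MD5 : c385ed2bc5ea41568892a4a0b6e5f0ab
文件说明符 : C:\WINDOWS\system32\update.txt.bat
获取文件版本信息大小失败!
大小 : 23657 字节 23.105 KB
MD5 : c385ed2bc5ea41568892a4a0b6e5f0ab
文件说明符 : C:\WINDOWS\system32\mutou.exe.exe
获取文件版本信息大小失败!
大小 : 11264 字节 11.0 KB
MD5 : 900c5ccc44a5f7a58952f4bdac0c7e5e
文件说明符 : C:\WINDOWS\system32\mutou.exe.bat
获取文件版本信息大小失败!
大小 : 11264 字节 11.0 KB
MD5 : 900c5ccc44a5f7a58952f4bdac0c7e5e
文件说明符 : C:\WINDOWS\system32\xy2ok.exe.bat
获取文件版本信息大小失败!
大小 : 32380 字节 31.636 KB
MD5 : c014040a36e1ae2c4294a18d24756c88
"""

# A "real" extension followed by an executable one, e.g. .txt.exe or .exe.bat.
DOUBLE_EXT_RE = re.compile(r"\.(?:exe|bat|txt|dll|com|pif|scr)\.(?:exe|bat|com|pif|scr)$", re.I)


def parse_fileinfo(text):
    """Parse FileInfo output into one dict per record (path, size, md5, has_version_info)."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("文件说明符"):            # "file specifier": starts a record
            cur = {"path": line.split(":", 1)[1].strip(), "has_version_info": True}
            records.append(cur)
        elif cur is None or not line:
            continue
        elif line.startswith("获取文件版本信息大小失败"):  # "failed to get version info size"
            cur["has_version_info"] = False
        elif line.startswith("大小"):                 # "size : <bytes> 字节 ..."
            cur["size"] = int(line.split(":", 1)[1].split()[0])
        elif line.startswith("MD5"):
            cur["md5"] = line.split(":", 1)[1].strip().lower()
    return records


def hash_clusters(records):
    """MD5 -> paths, restricted to hashes seen under more than one name."""
    by_hash = defaultdict(list)
    for r in records:
        if "md5" in r:
            by_hash[r["md5"]].append(r["path"])
    return {h: paths for h, paths in by_hash.items() if len(paths) > 1}


def double_extensions(records):
    return [r["path"] for r in records if DOUBLE_EXT_RE.search(r["path"])]


def missing_version_info(records):
    return [r["path"] for r in records if not r["has_version_info"]]


if __name__ == "__main__":
    recs = parse_fileinfo(SAMPLE_FILEINFO)
    for h, paths in hash_clusters(recs).items():
        print(f"{h}: same content as {', '.join(paths)}")
    print("double extensions:", double_extensions(recs))
    print("no version info:", len(missing_version_info(recs)), "of", len(recs))
```

Knowing which names share a hash also saves effort later: once a scanner has a verdict for one copy (as the Dr.Web log below has for xy2ok.exe.bat), the same verdict applies to every path in that cluster, including copies the scanner could not open ("read error").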
==========================
Dr.Web(R) Scanner for Windows v4.33.2 (4.33.2.10067)
Copyright (c) Igor Daniloff, 1992-2006
Log generated on: 2007-05-08, 12:18:30 [Administrator]
Operating system:Windows XP Professional x86 (Build 2600), Service Pack 2
==========================
c:\documents and settings\administrator\local settings\temp\hyso.exe infected with Trojan.PWS.Wsgame - deleted
c:\documents and settings\administrator\local settings\temp\mhso.exe infected with Trojan.PWS.Wsgame - deleted
c:\documents and settings\administrator\local settings\temp\myso.exe infected with Trojan.PWS.Wsgame- deleted
c:\documents and settings\administrator\local settings\temp\qqso.exe infected with Trojan.PWS.Wsgame- deleted
>c:\documents and settings\administrator\local settings\temp\rundl132.exe infected with Trojan.PWS.Wsgame- deleted
c:\documents and settings\administrator\local settings\temp\rxso.exe infected with Trojan.PWS.Wsgame- deleted
>c:\documents and settings\administrator\local settings\temp\winlog0n.exe infected with Trojan.PWS.Wsgame- deleted
c:\documents and settings\administrator\local settings\temp\ztso.exe infected with Trojan.PWS.Wsgame- deleted
c:\program files\common files\microsoft shared\msinfo\syswfgqq2.dll infected with Trojan.PWS.Qqpass.623 - deleted
c:\windows\jts3.exe - read error
>c:\windows\kernelmh.exe infected with Trojan.PWS.Wow - deleted
c:\windows\qqs3.exe infected with Trojan.PWS.Wsgame- deleted
c:\windows\wgs3.exe infected with Trojan.PWS.Wsgame- deleted
c:\windows\wls3.exe infected with Trojan.PWS.Wsgame- deleted
c:\windows\wms3.exe - read error
c:\windows\wos3.exe infected with Trojan.PWS.Wsgame- deleted
C:\Documents and Settings\Administrator\Local Settings\Temp\mhso0.dll infected with Trojan.PWS.Wsgame- will be cured after reboot
C:\Documents and Settings\Administrator\Local Settings\Temp\ztso0.dll infected with Trojan.PWS.Wsgame- will be cured after reboot
C:\Documents and Settings\Administrator\Local Settings\Temp\rxso0.dll infected with Trojan.PWS.Wsgame- will be cured after reboot
C:\Documents and Settings\Administrator\Local Settings\Temp\wos0.dll infected with Trojan.PWS.Wsgame- will be cured after reboot
C:\Documents and Settings\Administrator\Local Settings\Temp\wls0.dll infected with Trojan.PWS.Wsgame- will be cured after reboot
C:\Documents and Settings\Administrator\Local Settings\Temp\iexpl0re.exe - read error
C:\Documents and Settings\Administrator\Local Settings\Temp\wgs0.dll infected with Trojan.PWS.Wsgame- will be cured after reboot
C:\Documents and Settings\Administrator\Local Settings\Temp\qqso0.dll infected with Trojan.PWS.Wsgame- will be cured after reboot
C:\Documents and Settings\Administrator\Local Settings\Temp\hyso0.dll infected with Trojan.PWS.Wsgame- will be cured after reboot
>C:\Documents and Settings\Administrator\Local Settings\Temp\~Tm22.tmp.rom probably infected with DLOADER.Trojan
C:\Documents and Settings\Administrator\Local Settings\Temp\~Tm23.tmp..rom infected with Trojan.PWS.Wsgame- will be cured after reboot
>C:\Program Files\Common Files\System\commond.pifC:\Program Files\Internet Explorer\WINLOGON.EXE infected with Trojan.PWS.Wsgame- deleted
C:\Program Files\Thunder Network\Thunder\Program\Ad\n1175509284861.swf infected with Trojan.PWS.Wsgame- deleted
>C:\WINDOWS\KB726255.logC:\WINDOWS\SMSS.EXE infected with Trojan.PWS.Wsgame- deleted
C:\WINDOWS\8Sy.exe infected with Trojan.PWS.Wsgame- deleted
C:\WINDOWS\9Sy.exe infected with Trojan.PWS.Wsgame- deleted
C:\WINDOWS\wms3.exe - read error
C:\WINDOWS\jts3.exe - read error
C:\WINDOWS\system32\sysi.dll probably infected with DLOADER.Trojan
C:\WINDOWS\system32\syst.dll probably infected with DLOADER.Trojan
>C:\WINDOWS\system32\moyu.exe>C:\WINDOWS\system32\fengyun.exe infected with Trojan.PWS.Qqpass.503 - deleted
C:\WINDOWS\system32\chuanqi.exe infected with Trojan.PWS.Lineage - deleted
>C:\WINDOWS\system32\windowstools.exe infected with Trojan.PWS.Gamania - deleted
>C:\WINDOWS\system32\xy2.exe.bat>C:\WINDOWS\system32\xy2ok.exe.bat probably infected with BACKDOOR.Trojan
C:\WINDOWS\system32\s159.exe.bat - read error
>>C:\WINDOWS\system32\szzy.exe.bat probably infected with DLOADER.Trojan
C:\WINDOWS\system32\WOW3.exe.bat - read error
>C:\WINDOWS\system32\sl_xy2.exe.bat infected with Trojan.PWS.Wsgame- deleted
>C:\WINDOWS\system32\sl_my0324.exe.bat infected with Trojan.PWS.Wsgame- deleted
C:\WINDOWS\system32\feizhujixi.exe.bat infected with Trojan.PWS.Wsgame- deleted
>C:\WINDOWS\system32\sl_wl0325.exe.bat infected with Trojan.PWS.Wsgame- deleted
I went to http://endurer.ys168.com/ and downloaded HijackThis, and fixed every item except the O24 ones; then I downloaded auto_del to delete whatever slipped through at the next boot (when adding files to the delete list, if it prompts "The file does not exist or is a directory; add it anyway?", click "Yes").
I installed Rising Kaka Security Assistant and used it to uninstall the O24 items.