The computer got even slower after installing Kaspersky? It turned out to be a gang of password-stealing trojans such as Trojan-PSW.Win32.QQPass (1)
Original by endurer
2008-04-14, 1st edition
A friend, after QQ Doctor warned that it had found a password-stealing trojan, downloaded Kaspersky 8 from its website to scan for and remove the virus. Unexpectedly, once the installation finished, the computer became extremely sluggish and could not be operated at all... I had him reboot into Safe Mode with Networking and run a DrWeb CureIt! scan, which found and removed some viruses, but after a normal boot the problem remained... so he asked me to help fix it.
Pressing Ctrl+Alt+Del got no response whatsoever, so the only option was to reset the machine and boot into Safe Mode with Networking. I then downloaded pe_xscan, ran a scan, and analyzed the log, which showed the following suspicious items (identical parts of the process module lists are omitted):
pe_xscan 08-03-27 by Purple Endurer
2008-4-12 11:46:2
Windows XP Service Pack 2(5.1.2600)
管理员用户组
带网络连接的安全模式
[System Process] 0
C:/WINDOWS/Explorer.EXE 276 2004-8-17 4:0:0 Microsoft(R) Windows(R) Operating System 6.00.2900.3156 Windows Explorer (C) Microsoft Corporation. All rights reserved. 6.00.2900.3156 (xpsp_sp2_gdr.070613-1234) Microsoft Corporation ? explorer EXPLORER.EXE
2008-3-22 0:36:54 Microsoft Windows Operating System 6.00.2900.3028 Microsoft Corporation Windows DLL Copyright (C) 2001.01 1. 0. 0. 1 Microsoft Corporation ? Windows.dll Windows.dll
O2 - BHO - {C2626E66-D21B-E628-C1DF-1DACCFA36ED2} -
O23 - 服务: 6to4 (6to4) - C:/WINDOWS/System32/svchost.exe -k netsvcs -> 2004-8-17 12:0:0(自动)
O23 - 服务: dvhzso26 (dvhzso26) - (引导)
O23 - 服务: lybvrlcy (lybvrlcy) - (引导)
O23 - 服务: ngaacn74 (ngaacn74) -
O23 - 服务: NPF (Netgroup Packet Filter) - WinPcap Netgroup Packet Filter Driver 3, 1, 0, 27 npf Copyright © 2005 CACE Technologies. Copyright © 2003-2005 NetGroup, Politecnico di Torino. 3, 1, 0, 27 CACE Technologies NPF + TME npf.sys(手动)
O23 - 服务: vhehnzrh (vhehnzrh) - (引导)
O24 - ShlExecHook: [] - {CC3596CB-D6C1-ECA1-AE51-DEEA63F6C21C} =
O24 - ShlExecHook: [1] - {3980134C-D24C-4857-973F-3A08BE8D7E41} =
O24 - ShlExecHook: [D] - {ABD0935D-B35A-47BD-BA9A-81678DDE74DD} =
O24 - ShlExecHook: [8] - {61C1B9CE-1A6F-4994-B4A4-0E7C99AD4C28} =
O24 - ShlExecHook: [F] - {D64AC2E4-95B1-40DD-90D9-0C60F7CA64BF} =
O24 - ShlExecHook: [7] - {49C496E9-732D-4F5D-BEE9-EC113FAA1C97} =
O24 - ShlExecHook: [1] - {C26A8AB5-B935-400C-A152-0488714725B1} =
O24 - ShlExecHook: [3] - {80F15C30-5E9D-4CB9-BE85-F3D5564C6F83} =
It turned out to be the ??door?.dll family of password-stealing trojans at work...
(To be continued)
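To make the triage above repeatable, here is an added example (my own code, not part of the original post or of pe_xscan) that parses pe_xscan O2/O23/O24 lines and flags the same tell-tale signs I used by eye: boot-start services with random-looking eight-character names and no image path, and ShellExecuteHooks or BHO entries that point at no DLL. The sample log is constructed from the lines quoted above (the NPF line is abridged); the regular expressions and the heuristics are my assumptions, not an official pe_xscan format specification.

```python
import re

# Constructed sample: lines taken (NPF line abridged) from the pe_xscan log above.
SAMPLE_LOG = """\
O2 - BHO - {C2626E66-D21B-E628-C1DF-1DACCFA36ED2} -
O23 - 服务: 6to4 (6to4) - C:/WINDOWS/System32/svchost.exe -k netsvcs -> 2004-8-17 12:0:0(自动)
O23 - 服务: dvhzso26 (dvhzso26) - (引导)
O23 - 服务: lybvrlcy (lybvrlcy) - (引导)
O23 - 服务: ngaacn74 (ngaacn74) -
O23 - 服务: NPF (Netgroup Packet Filter) - WinPcap Netgroup Packet Filter Driver npf.sys(手动)
O23 - 服务: vhehnzrh (vhehnzrh) - (引导)
O24 - ShlExecHook: [] - {CC3596CB-D6C1-ECA1-AE51-DEEA63F6C21C} =
O24 - ShlExecHook: [1] - {3980134C-D24C-4857-973F-3A08BE8D7E41} =
O24 - ShlExecHook: [D] - {ABD0935D-B35A-47BD-BA9A-81678DDE74DD} =
"""

# Assumed line shapes: O23 = service, O24 = ShellExecuteHooks entry, O2 = BHO.
O23_RE = re.compile(r"^O23 - 服务: (?P<name>\S+) \((?P<display>[^)]*)\) -\s*(?P<rest>.*)$")
O24_RE = re.compile(r"^O24 - ShlExecHook: \[[^\]]*\] - (?P<clsid>\{[0-9A-Fa-f-]+\})\s*=\s*(?P<target>.*)$")
O2_RE = re.compile(r"^O2 - BHO - (?P<clsid>\{[0-9A-Fa-f-]+\})\s*-\s*(?P<target>.*)$")
# A legitimate service line names an image: a drive path or an .exe/.sys/.dll file.
PATH_RE = re.compile(r"[A-Za-z]:[/\\]|\.(?:exe|sys|dll)\b", re.IGNORECASE)
# The trojan services in this log use 8-character lowercase random names (dvhzso26, ...).
RANDOM_NAME_RE = re.compile(r"^[a-z0-9]{8}$")


def analyze(log_text):
    # Returns (kind, identifier, reason) for every entry that trips a heuristic.
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O23_RE.match(line)
        if m:
            name, rest = m.group("name"), m.group("rest")
            reasons = []
            if not PATH_RE.search(rest):
                reasons.append("no image path")
            if RANDOM_NAME_RE.match(name):
                reasons.append("random-looking 8-char name")
            if reasons:
                findings.append(("O23", name, "; ".join(reasons)))
            continue
        m = O24_RE.match(line)
        if m and not m.group("target"):
            findings.append(("O24", m.group("clsid"), "ShellExecuteHooks entry with no target DLL"))
            continue
        m = O2_RE.match(line)
        if m and not m.group("target"):
            findings.append(("O2", m.group("clsid"), "BHO with no target DLL"))
    return findings
```

Run against the sample, it flags the four random-named services, the three empty ShellExecuteHooks entries and the pathless BHO, while leaving 6to4 and NPF alone.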