老冈 - 2005-9-2 23:08:00
Help, everyone: I've been infected with this trojan.adclient and an E-type variant. Rising can detect it and even reports that the removal succeeded, but after a while it is generated again. Is it not being cleaned up completely?
How can I remove it manually?
Thanks, everyone.
老冈 - 2005-9-3 0:48:00
Still no luck. In Safe Mode I can delete it, but as soon as I go back to normal mode it comes back.
命运里の金色 - 2005-9-3 9:12:00
trojan.adclient and the E-type variant: what are their full paths?
老冈 - 2005-9-3 9:45:00
Rising detected one as a randomly named .exe file, with no pattern to the name, generated under c:\windows\system32\. The other, the E-type variant, mainly infects c:\Explorer.exe. Sometimes they are generated alternately.
老冈 - 2005-9-3 10:06:00
I scanned with Rising 听诊器 (Stethoscope) and it produced a report, which is in the attachment. The last program is the virus process; once it is stopped, a new .exe program with a random, unpredictable name is generated.
Below is the captured content of the virus process:
Process PID CPU Description Company Name
System Idle Process 0
Interrupts n/a Hardware Interrupts
DPCs n/a 5 Deferred Procedure Calls
System 4 2
smss.exe 532 Windows NT Session Manager Microsoft Corporation
csrss.exe 592 Client Server Runtime Process Microsoft Corporation
winlogon.exe 768 Windows NT Logon Application Microsoft Corporation
services.exe 812 Services and Controller app Microsoft Corporation
svchost.exe 980 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1020 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1224 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1644 Generic Host Process for Win32 Services Microsoft Corporation
rfwsrv.exe 1712 Rising Personal FireWall Service Beijing Rising Technology Corporation Limited
RfwMain.exe 1240 Rising Personal FireWall Main Program Beijing Rising Technology Corporation Limited
snmp.exe 1764 SNMP Service Microsoft Corporation
svchost.exe 1796 Generic Host Process for Win32 Services Microsoft Corporation
lsass.exe 824 LSA Shell (Export Version) Microsoft Corporation
Explorer.EXE 1184 2 Windows Explorer Microsoft Corporation
mocqgnj.exe 1472 89
wdnmgr.exe 1884 Services and Controller app Microsoft Corporation
Hcontrol.exe 2024 HControl ASUSTeK COMPUTER INC.
ATKOSD.exe 236 ATKOSD ASUSTeK COMPUTER INC.
AGRSMMSG.EXE 2040 SoftModem Messaging Applet Agere Systems
KHOOKER.EXE 212 SiS Compatible Super VGA Keyboard Daemon Silicon Integrated Systems Corporation
CTFMON.EXE 356 CTF Loader Microsoft Corporation
dslmon.exe 588 ADIMON MFC Application
Rav.exe 1284 Rising Antivirus Main exe Beijing Rising Technology Co., Ltd.
TTraveler.exe 888 2 Tencent Traveler 腾讯公司
Explorer.EXE 880 Windows Explorer Microsoft Corporation
872 Autostart program viewer Sysinternals - www.sysinternals.com
1836 2 Sysinternals Process Explorer Sysinternals
Process: mocqgnj.exe Pid: 1472
Name Description Company Name Version
advapi32.dll Advanced Windows 32 Base API Microsoft Corporation 5.01.2600.1106
clbcatq.dll Microsoft Corporation 2001.12.4414.0042
comctl32.dll User Experience Controls Library Microsoft Corporation 6.00.2800.1106
comctl32.dll Common Controls Library Microsoft Corporation 5.82.2800.1106
comres.dll Microsoft Corporation 2001.12.4414.0042
crypt32.dll Crypto API32 Microsoft Corporation 5.131.2600.1106
ctype.nls
fastprox.dll WMI Microsoft Corporation 5.01.2600.1106
gdi32.dll GDI Client DLL Microsoft Corporation 5.01.2600.1346
imm32.dll Windows XP IMM32 API Client DLL Microsoft Corporation 5.01.2600.1106
index.dat
index.dat
index.dat
kernel32.dll Windows NT BASE API Client DLL Microsoft Corporation 5.01.2600.1106
locale.nls
lpk.dll Language Pack Microsoft Corporation 5.01.2600.0000
mocqgnj.exe 1.01.0000.0008
msasn1.dll ASN.1 Runtime APIs Microsoft Corporation 5.01.2600.1362
MSCTF.dll MSCTF Server DLL Microsoft Corporation 5.01.2600.1106
msvcrt.dll Windows NT CRT DLL Microsoft Corporation 7.00.2600.1106
msxml3.dll MSXML 3.0 SP 3 Microsoft Corporation 8.30.9926.0000
msxml3r.dll XML Resources Microsoft Corporation 8.20.8730.0001
netapi32.dll Net Win32 API DLL Microsoft Corporation 5.01.2600.1343
ntdll.dll NT Layer DLL Microsoft Corporation 5.01.2600.1106
ole32.dll Microsoft OLE for Windows Microsoft Corporation 5.01.2600.1106
oleaut32.dll Microsoft OLE 3.50 for Windows NT(TM) and Windows 95(TM) Operating Systems Microsoft Corporation 3.50.5016.0000
R000000000007.clb
rasapi32.dll Remote Access API Microsoft Corporation 5.01.2600.1106
rasman.dll Remote Access Connection Manager Microsoft Corporation 5.01.2600.1106
rpcrt4.dll Remote Procedure Call Runtime Microsoft Corporation 5.01.2600.1106
rsaenh.dll Microsoft Base Cryptographic Provider Microsoft Corporation 5.01.2600.1029
rtutils.dll Routing Utilities Microsoft Corporation 5.01.2600.0000
secur32.dll Security Support Provider Interface Microsoft Corporation 5.01.2600.1106
shell32.dll Windows Shell Common Dll Microsoft Corporation 6.00.2800.1106
SHLWAPI.DLL Shell Light-weight Utility Library Microsoft Corporation 6.00.2800.1584
sortkey.nls
sorttbls.nls
tapi32.dll Microsoft(R) Windows(TM) Telephony API Client DLL Microsoft Corporation 5.01.2600.1106
unicode.nls
user32.dll Windows XP USER API Client DLL Microsoft Corporation 5.01.2600.1106
userenv.dll Userenv Microsoft Corporation 5.01.2600.1106
usp10.dll Uniscribe Unicode script processor Microsoft Corporation 1.409.2600.1106
uxtheme.dll Microsoft UxTheme Library Microsoft Corporation 6.00.2800.1106
version.dll Version Checking and File Installation Libraries Microsoft Corporation 5.01.2600.0000
wbemcomn.dll WMI Microsoft Corporation 5.01.2600.1106
wbemprox.dll WMI Microsoft Corporation 5.01.2600.1106
wbemsvc.dll WMI Microsoft Corporation 5.01.2600.0000
WININET.DLL Internet Extensions for Win32 Microsoft Corporation 6.00.2800.1468
winmm.dll MCI API DLL Microsoft Corporation 5.01.2600.1106
winspool.drv Windows Spooler Driver Microsoft Corporation 5.01.2600.1106
ws2_32.dll Windows Socket 2.0 32-Bit DLL Microsoft Corporation 5.01.2600.0000
ws2help.dll Windows Socket 2.0 Helper for Windows NT Microsoft Corporation 5.01.2600.0000
独孤豪侠 - 2005-9-3 10:12:00
I'm lost, I can't make sense of this. I meant the HJT (HijackThis) log that everyone on the forum uses, not this!!
命运里の金色 - 2005-9-3 10:15:00
Pack up and upload both c:\Explorer.exe and the randomly named .exe files generated under c:\windows\system32\.
命运里の金色 - 2005-9-3 10:25:00
Please be patient; I'll PM the moderator to come and get the samples.
老冈 - 2005-9-3 10:26:00
Logfile of HijackThis v1.99.1
Scan saved at 10:23:14, on 2005-9-3
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\program files\rising\rfw\rfwsrv.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
c:\program files\rising\rfw\RfwMain.exe
C:\WINDOWS\System32\wdnmgr.exe
C:\WINDOWS\ATK0100\Hcontrol.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\khooker.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\D-Link\D-Link DSL-200 USB ADSL Modem\dslmon.exe
C:\WINDOWS\System32\dxzcur.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\hijackthis1991\HijackThis.exe
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: QQIEHelper - {54EBD53A-9BC1-480B-966A-843A333CA162} - D:\TENCENT\QQ\QQIEHelper.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - D:\FLASHGET\jccatch.dll
O2 - BHO: IEHlprObj Class - {CE7C3CF0-4B15-11D1-ABED-709549C10000} - C:\WINDOWS\System32\qylhelper.dll
O2 - BHO: update wnwb - {ED8DFC5C-10EF-45AB-9DC2-0639AFF5A270} - C:\PROGRA~1\COMMON~1\Wnwb\wnwbio.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - D:\FLASHGET\fgiebar.dll
O3 - Toolbar: 电台(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Hcontrol] C:\WINDOWS\ATK0100\Hcontrol.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [Power_Gear] C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe 1
O4 - HKLM\..\Run: [gkddwc] C:\WINDOWS\System32\dxzcur.exe r
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: DSLMON.lnk = ?
O8 - Extra context menu item: 使用搜狗直通车下载 - F:\P4P\dl.htm
O8 - Extra context menu item: 使用网际快车下载 - D:\FlashGet\jc_link.htm
O8 - Extra context menu item: 使用网际快车下载全部链接 - D:\FlashGet\jc_all.htm
O8 - Extra context menu item: 添加到QQ自定义面板 - D:\TENCENT\QQ\AddPanel.htm
O8 - Extra context menu item: 添加到QQ表情 - D:\TENCENT\QQ\AddEmotion.htm
O8 - Extra context menu item: 用QQ彩信发送该图片 - D:\TENCENT\QQ\SendMMS.htm
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - D:\TENCENT\QQ\QQ.EXE
O9 - Extra 'Tools' menuitem: 腾讯QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - D:\TENCENT\QQ\QQ.EXE
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\FLASHGET\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\FLASHGET\flashget.exe
O9 - Extra button: (no name) - {DEDEB80D-FA35-45d9-9460-4983E5A8AFE6} - D:\TENCENT\QQ\QQIEHelper.dll
O9 - Extra 'Tools' menuitem: QQ炫彩工具条设置 - {DEDEB80D-FA35-45d9-9460-4983E5A8AFE6} - D:\TENCENT\QQ\QQIEHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab28578.cab
O16 - DPF: {3D8F74EE-8692-4F8F-B8D2-7522E732519E} (WebActivater Control) - http://game.qq.com/QQGame2.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/29c496e3084013b47b16/netzip/RdxIE601_cn.cab
O16 - DPF: {73E4740C-08EB-4133-896B-8D0A7C9EE3CD} (AxInputControl Class) - https://mybank.icbc.com.cn/icbc/perbank/AxSafeControls.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab28578.cab
O16 - DPF: {D0A29C6C-AA71-4423-8C4A-5998B774C448} (IEDown Class) - http://download.ourgame.com/IEDown4.cab
O16 - DPF: {DA984A6D-508E-11D6-AA49-0050FF3C628D} (Ravonline) - http://download.rising.com.cn/QQ/QQkill/rsonline.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C6AE4081-9C6F-4744-9551-7325A3D02509}: NameServer = 202.106.46.151 202.106.0.20
O23 - Service: Rising Personal Firewall Service (RfwService) - Beijing Rising Technology Corporation Limited - c:\program files\rising\rfw\rfwsrv.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
Is this the one you mean?
命运里の金色 - 2005-9-3 13:35:00
Don't worry. It seems the moderator is busy today; I've already sent him a private message. If I were the one to look at the sample, any manual removal instructions I wrote would surely be a mess.
baohe - 2005-9-3 18:44:00
[Reply to 老冈's post]
This trojan disables Task Manager, but it does not disable the Registry Editor and has no registry-monitoring capability.
Manual removal can therefore start from this weak spot.
1. Expand the branch HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ and
delete "rxhufh"="C:\\windows\\system32\\uvylvuo.exe r"
(Note: both this registry value name and the trojan's file name are randomly generated.)
2. Reboot the system.
3. Delete the file (and folder) created by the trojan:
C:\windows\system32\uvylvuo.exe
C:\Documents and Settings\[current user name]\Application Data\Microsoft\Crypto
4. Use RegFix and SREng to repair the file associations.
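As an added example (not code from any participant in this thread), the Python script below parses HijackThis O4 (Run key) lines like the ones in the log posted earlier and flags entries with the shape baohe describes: a random-looking value name that launches a random-looking .exe from System32 with the single argument "r". The sample lines are copied from the posted HJT log plus one line constructed from the "rxhufh" Run value above; the name-length range and scoring thresholds are this example's own assumptions.

```python
import re
from typing import NamedTuple

# HijackThis "O4" line: O4 - HKLM\..\Run: [value name] command line
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
EXE_RE = re.compile(r"^(?P<path>.+?\.exe)\s*(?P<args>.*)$", re.IGNORECASE)
# Assumed shape of the trojan's random names: 5-8 lowercase letters, no separators
RANDOM_RE = re.compile(r"^[a-z]{5,8}$")

# Constructed sample: the O4 lines from the HJT log posted in this thread, plus one
# line built from the "rxhufh"="...\uvylvuo.exe r" Run value baohe describes.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Hcontrol] C:\WINDOWS\ATK0100\Hcontrol.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [Power_Gear] C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe 1
O4 - HKLM\..\Run: [gkddwc] C:\WINDOWS\System32\dxzcur.exe r
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKLM\..\Run: [rxhufh] C:\windows\system32\uvylvuo.exe r
"""

class RunEntry(NamedTuple):
    hive: str
    name: str   # registry value name, e.g. "gkddwc"
    path: str   # image path, e.g. C:\WINDOWS\System32\dxzcur.exe
    args: str   # remaining command-line arguments

def parse_o4(line):
    """Split one O4 line into hive, value name, image path and arguments (None if not O4)."""
    m = O4_RE.match(line.strip())
    e = EXE_RE.match(m["cmd"]) if m else None
    return RunEntry(m["hive"], m["name"], e["path"], e["args"].strip()) if e else None

def score(entry):
    """Points for each trait of the regenerating-trojan pattern; 3 or more is suspicious."""
    stem = entry.path.replace("\\", "/").rsplit("/", 1)[-1].lower()[:-4]  # file name minus .exe
    s = 0
    if "\\system32\\" in entry.path.lower() and entry.args == "r":
        s += 2   # System32 image launched with the lone argument "r"
    if RANDOM_RE.match(entry.name):
        s += 1   # random-looking value name
    if RANDOM_RE.match(stem) and stem not in entry.name.lower():
        s += 1   # random-looking file name unrelated to its value name (cf. [ctfmon.exe] ctfmon.exe)
    return s

def suspicious_run_entries(log_text, threshold=3):
    """Return the O4 entries of an HJT log that reach the threshold, in log order."""
    entries = filter(None, map(parse_o4, log_text.splitlines()))
    return [e for e in entries if score(e) >= threshold]
```

Running `suspicious_run_entries(SAMPLE_LOG)` returns the [gkddwc] and [rxhufh] entries and none of the vendor-signed autostarts; because the trojan renames itself on every restart, keying on this shape rather than on a fixed name is what lets the check survive the regeneration 老冈 describes.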
老冈 - 2005-9-3 20:17:00
Thanks, moderator baohe, but how do I open this? With the registry? Why can't I find the branch HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ in my registry?
Please explain in detail, thanks.
命运里の金色 - 2005-9-3 20:23:00
It's HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
baohe - 2005-9-3 20:28:00
Quote:
[老冈's post] Thanks, moderator baohe, but how do I open this? With the registry? Why can't I find the branch HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ in my registry? Please explain in detail, thanks.
HKLM is the abbreviation of HKEY_LOCAL_MACHINE. What you need to expand is:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
老冈 - 2005-9-3 20:55:00
Thanks to you both; I tried it, but it still doesn't work.
After I delete the entry the virus created in the registry and reboot the machine, the virus generates a new .exe file with a random name.
Furthermore, if I want to delete the .exe file the virus generated directly, I first have to stop the process in the system, but as soon as I stop it, the executable in windows\system32 is automatically deleted, so it cannot be completely removed.
I also opened C:\Documents and Settings\RL0 (my folder name)\Application Data\Microsoft, but I couldn't find a folder named Crypto, and there was no randomly generated folder either.
Moderator, please take the trouble to look into this. I've uploaded a new sample; this is the most recently generated one.
Attachment:
404063200593205532.rar
© 2000 - 2026 Rising Corp. Ltd.