Rising Kaka Security Forum

To "孤独更可靠": yeyinhi.exe has been wiped out
baohe - 2007-6-7 21:17:00
1. The virus files that were deleted

Attachment: 155847200767210650.jpg
baohe - 2007-6-7 21:17:00
2. The virus files that were deleted

Attachment: 155847200767210725.jpg
baohe - 2007-6-7 21:18:00
3. Restoring IFEO with a tool

Attachment: 155847200767210755.jpg
baohe - 2007-6-7 21:18:00
4. The tool works well!

Attachment: 155847200767210818.jpg
baohe - 2007-6-7 21:19:00
SREng log after infection:

启动项目
注册表

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    <yeyinhi><C:\Program Files\Common Files\Microsoft Shared\pumthsg.exe>  [N/A]
    <ykubdte><C:\Program Files\Common Files\System\rujrmue.exe>  [N/A]
    <cmdbcs><C:\windows\cmdbcs.exe>  [N/A]
    <mppds><C:\windows\mppds.exe>  [N/A]
    <upxdnd><C:\windows\upxdnd.exe>  [N/A]
    <Kvsc3><C:\windows\Kvsc3.exe>  [N/A]

==================================
正在运行的进程
[PID: 636][C:\windows\Explorer.EXE]  [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
    [C:\windows\system32\Kvsc3.dll]  [N/A, N/A]
    [C:\Program Files\Common Files\Microsoft Shared\MSINFO\SysWFGQQ2.dll]  [N/A, N/A]
    [C:\windows\system32\upxdnd.dll]  [N/A, N/A]
    [C:\windows\system32\aadaru.dll]  [N/A, N/A]
    [C:\windows\system32\cmdbcs.dll]  [N/A, N/A]
[PID: 2840][C:\windows\system32\ctfmon.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [C:\Program Files\Common Files\Microsoft Shared\MSINFO\SysWFGQQ2.dll]  [N/A, N/A]
[PID: 3092][C:\Program Files\Tiny Firewall Pro\amon.exe]  [Computer Associates International, Inc., 6.5.3.2]
    [C:\windows\system32\Kvsc3.dll]  [N/A, N/A]
    [C:\Program Files\Common Files\Microsoft Shared\MSINFO\SysWFGQQ2.dll]  [N/A, N/A]
    [C:\windows\system32\upxdnd.dll]  [N/A, N/A]
    [C:\windows\system32\aadaru.dll]  [N/A, N/A]
    [C:\windows\system32\cmdbcs.dll]  [N/A, N/A]
[PID: 3592][C:\Program Files\Tiny Firewall Pro\cfgtool.exe]  [Computer Associates International, Inc., 6.0.0.52]
    [C:\Program Files\Common Files\Microsoft Shared\MSINFO\SysWFGQQ2.dll]  [N/A, N/A]
[PID: 3292][C:\Program Files\SREng2\SREng.exe]  [Smallfrogs Studio, 2.3.13.690]
    [C:\Program Files\Common Files\Microsoft Shared\MSINFO\SysWFGQQ2.dll]  [N/A, N/A]
    [C:\windows\system32\upxdnd.dll]  [N/A, N/A]
    [C:\windows\system32\aadaru.dll]  [N/A, N/A]
    [C:\windows\system32\cmdbcs.dll]  [N/A, N/A]
    [C:\windows\system32\Kvsc3.dll]  [N/A, N/A]
[PID: 3916][C:\Program Files\Common Files\System\rujrmue.exe]  [N/A, N/A]
    [C:\Program Files\Common Files\Microsoft Shared\MSINFO\SysWFGQQ2.dll]  [N/A, N/A]
    [C:\windows\system32\upxdnd.dll]  [N/A, N/A]
    [C:\windows\system32\aadaru.dll]  [N/A, N/A]
    [C:\windows\system32\cmdbcs.dll]  [N/A, N/A]
    [C:\windows\system32\Kvsc3.dll]  [N/A, N/A]
[PID: 1776][C:\Program Files\Common Files\Microsoft Shared\pumthsg.exe]  [N/A, N/A]
    [C:\Program Files\Common Files\Microsoft Shared\MSINFO\SysWFGQQ2.dll]  [N/A, N/A]
[PID: 2848][C:\Program Files\7G17.exe]  [N/A, N/A]
    [C:\windows\system32\Kvsc3.dll]  [N/A, N/A]
[PID: 2804][C:\windows\system32\conime.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [C:\Program Files\Common Files\Microsoft Shared\MSINFO\SysWFGQQ2.dll]  [N/A, N/A]
[PID: 2676][C:\DOCUME~1\baohelin\LOCALS~1\Temp\11.exe]  [N/A, N/A]
    [C:\Program Files\Common Files\Microsoft Shared\MSINFO\SysWFGQQ2.dll]  [N/A, N/A]
[PID: 3196][C:\DOCUME~1\baohelin\LOCALS~1\Temp\12.exe]  [N/A, N/A]
    [C:\windows\system32\cmdbcs.dll]  [N/A, N/A]
[PID: 3352][C:\DOCUME~1\baohelin\LOCALS~1\Temp\13.exe]  [N/A, N/A]
    [C:\windows\system32\aadaru.dll]  [N/A, N/A]
[PID: 1988][C:\DOCUME~1\baohelin\LOCALS~1\Temp\16.exe]  [N/A, N/A]
    [C:\windows\system32\upxdnd.dll]  [N/A, N/A]
[PID: 2552][C:\Program Files\WinRAR\WinRAR.exe]  [N/A, N/A]
    [C:\Program Files\Common Files\Microsoft Shared\MSINFO\SysWFGQQ2.dll]  [N/A, N/A]
    [C:\windows\system32\upxdnd.dll]  [N/A, N/A]
    [C:\windows\system32\aadaru.dll]  [N/A, N/A]
    [C:\windows\system32\cmdbcs.dll]  [N/A, N/A]
    [C:\windows\system32\Kvsc3.dll]  [N/A, N/A]
==================================
Autorun.inf
[D:\]
[AutoRun]
open=yeyinhi.exe
shell\open=打开(&O)
shell\open\Command=yeyinhi.exe
shell\open\Default=1
shell\explore=资源管理器(&X)
shell\explore\Command=yeyinhi.exe

baohe - 2007-6-7 21:20:00
Autoruns log after infection:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

+ cmdbcs  c:\windows\cmdbcs.exe
+ Kvsc3  c:\windows\kvsc3.exe
+ mppds  c:\windows\mppds.exe
+ upxdnd  c:\windows\upxdnd.exe
+ yeyinhi  c:\program files\common files\microsoft shared\pumthsg.exe
+ ykubdte  c:\program files\common files\system\rujrmue.exe

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

+ 360rpt.exe  c:\program files\common files\microsoft shared\pumthsg.exe
+ 360Safe.exe  c:\program files\common files\microsoft shared\pumthsg.exe
+ 360tray.exe  c:\program files\common files\microsoft shared\pumthsg.exe
+ adam.exe  c:\program files\common files\microsoft shared\pumthsg.exe
+ AgentSvr.exe  c:\program files\common files\microsoft shared\pumthsg.exe
+ AppSvc32.exe  c:\program files\common files\microsoft shared\pumthsg.exe
+ ArSwp.exe  c:\program files\common files\microsoft shared\pumthsg.exe
+ AST.exe  c:\program files\common files\microsoft shared\pumthsg.exe
+ autoruns.exe  c:\program files\common files\microsoft shared\pumthsg.exe
+ avconsol.exe  c:\program files\common files\microsoft shared\pumthsg.exe
+ avgrssvc.exe  c:\program files\common files\microsoft shared\pumthsg.exe
+ AvMonitor.exe  c:\program files\common files\microsoft shared\pumthsg.exe
+ avp.com  c:\program files\common files\microsoft shared\pumthsg.exe
+ avp.exe  c:\program files\common files\microsoft shared\pumthsg.exe
+ CCenter.exe  c:\program files\common files\microsoft shared\pumthsg.exe
+ ccSvcHst.exe  c:\program files\common files\microsoft shared\pumthsg.exe
+ EGHOST.exe  c:\program files\common files\microsoft shared\pumthsg.exe
+ FileDsty.exe  c:\program files\common files\microsoft shared\pumthsg.exe
+ FTCleanerShell.exe  c:\program files\common files\microsoft shared\pumthsg.exe
+ FYFireWall.exe  c:\program files\common files\microsoft shared\pumthsg.exe
+ HijackThis.exe  c:\program files\common files\microsoft shared\pumthsg.exe
+ IceSword.exe  c:\program files\common files\microsoft shared\pumthsg.exe
+ iparmo.exe  c:\program files\common files\microsoft shared\pumthsg.exe
+ Iparmor.exe  c:\program files\common files\microsoft shared\pumthsg.exe
+ isPwdSvc.exe  c:\program files\common files\microsoft shared\pumthsg.exe
+ kabaload.exe  c:\program files\common files\microsoft shared\pumthsg.exe
+ KaScrScn.SCR  c:\program files\common files\microsoft shared\pumthsg.exe
+ KASMain.exe  c:\program files\common files\microsoft shared\pumthsg.exe
+ KASTask.exe  c:\program files\common files\microsoft shared\pumthsg.exe
+ KAV32.exe  c:\program files\common files\microsoft shared\pumthsg.exe
+ KAVDX.exe  c:\program files\common files\microsoft shared\pumthsg.exe
+ KAVPF.exe  c:\program files\common files\microsoft shared\pumthsg.exe
+ KAVPFW.exe  c:\program files\common files\microsoft shared\pumthsg.exe
+ KAVSetup.exe  c:\program files\common files\microsoft shared\pumthsg.exe
+ KAVStart.exe  c:\program files\common files\microsoft shared\pumthsg.exe
+ KISLnchr.exe  c:\program files\common files\microsoft shared\pumthsg.exe
+ KMailMon.exe  c:\program files\common files\microsoft shared\pumthsg.exe
+ KMFilter.exe  c:\program files\common files\microsoft shared\pumthsg.exe
+ KPFW32.exe  c:\program files\common files\microsoft shared\pumthsg.exe
+ KPFW32X.exe  c:\program files\common files\microsoft shared\pumthsg.exe
+ KPfwSvc.exe  c:\program files\common files\microsoft shared\pumthsg.exe
+ KRegEx.exe  c:\program files\common files\microsoft shared\pumthsg.exe
+ KRepair.com  c:\program files\common files\microsoft shared\pumthsg.exe
+ KsLoader.exe  c:\program files\common files\microsoft shared\pumthsg.exe
+ KVCenter.kxp  c:\program files\common files\microsoft shared\pumthsg.exe
+ KvDetect.exe  c:\program files\common files\microsoft shared\pumthsg.exe
+ KvfwMcl.exe  c:\program files\common files\microsoft shared\pumthsg.exe
+ KVMonXP.kxp  c:\program files\common files\microsoft shared\pumthsg.exe
+ KVMonXP_1.kxp  c:\program files\common files\microsoft shared\pumthsg.exe
+ kvol.exe  c:\program files\common files\microsoft shared\pumthsg.exe
+ kvolself.exe  c:\program files\common files\microsoft shared\pumthsg.exe
+ KvReport.kxp  c:\program files\common files\microsoft shared\pumthsg.exe
+ KVScan.kxp  c:\program files\common files\microsoft shared\pumthsg.exe
+ KVSrvXP.exe  c:\program files\common files\microsoft shared\pumthsg.exe
+ KVStub.kxp  c:\program files\common files\microsoft shared\pumthsg.exe
+ kvupload.exe  c:\program files\common files\microsoft shared\pumthsg.exe
+ kvwsc.exe  c:\program files\common files\microsoft shared\pumthsg.exe
+ KvXP.kxp  c:\program files\common files\microsoft shared\pumthsg.exe
+ KvXP_1.kxp  c:\program files\common files\microsoft shared\pumthsg.exe
+ KWatch.exe  c:\program files\common files\microsoft shared\pumthsg.exe
+ KWatch9x.exe  c:\program files\common files\microsoft shared\pumthsg.exe
+ KWatchX.exe  c:\program files\common files\microsoft shared\pumthsg.exe
+ loaddll.exe  c:\program files\common files\microsoft shared\pumthsg.exe
+ MagicSet.exe  c:\program files\common files\microsoft shared\pumthsg.exe
+ mcconsol.exe  c:\program files\common files\microsoft shared\pumthsg.exe
+ mmqczj.exe  c:\program files\common files\microsoft shared\pumthsg.exe
+ mmsk.exe  c:\program files\common files\microsoft shared\pumthsg.exe
+ Navapsvc.exe  c:\program files\common files\microsoft shared\pumthsg.exe
+ Navapw32.exe  c:\program files\common files\microsoft shared\pumthsg.exe
+ nod32.exe  c:\program files\common files\microsoft shared\pumthsg.exe
+ nod32krn.exe  c:\program files\common files\microsoft shared\pumthsg.exe
+ nod32kui.exe  c:\program files\common files\microsoft shared\pumthsg.exe
+ NPFMntor.exe  c:\program files\common files\microsoft shared\pumthsg.exe
+ PFW.exe  c:\program files\common files\microsoft shared\pumthsg.exe
+ PFWLiveUpdate.exe  c:\program files\common files\microsoft shared\pumthsg.exe
+ QHSET.exe  c:\program files\common files\microsoft shared\pumthsg.exe
+ QQDoctor.exe  c:\program files\common files\microsoft shared\pumthsg.exe
+ QQKav.exe  c:\program files\common files\microsoft shared\pumthsg.exe
+ Ras.exe  c:\program files\common files\microsoft shared\pumthsg.exe
+ Rav.exe  c:\program files\common files\microsoft shared\pumthsg.exe
+ RavMon.exe  c:\program files\common files\microsoft shared\pumthsg.exe
+ RavMonD.exe  c:\program files\common files\microsoft shared\pumthsg.exe
+ RavStub.exe  c:\program files\common files\microsoft shared\pumthsg.exe
+ RavTask.exe  c:\program files\common files\microsoft shared\pumthsg.exe
+ RegClean.exe  c:\program files\common files\microsoft shared\pumthsg.exe
+ rfwcfg.exe  c:\program files\common files\microsoft shared\pumthsg.exe
+ rfwmain.exe  c:\program files\common files\microsoft shared\pumthsg.exe
+ rfwsrv.exe  c:\program files\common files\microsoft shared\pumthsg.exe
+ RsAgent.exe  c:\program files\common files\microsoft shared\pumthsg.exe
+ Rsaupd.exe  c:\program files\common files\microsoft shared\pumthsg.exe
+ runiep.exe  c:\program files\common files\microsoft shared\pumthsg.exe
+ safelive.exe  c:\program files\common files\microsoft shared\pumthsg.exe
+ scan32.exe  c:\program files\common files\microsoft shared\pumthsg.exe
+ shcfg32.exe  c:\program files\common files\microsoft shared\pumthsg.exe
+ SmartUp.exe  c:\program files\common files\microsoft shared\pumthsg.exe
+ SREng.EXE  c:\program files\common files\microsoft shared\pumthsg.exe
+ symlcsvc.exe  c:\program files\common files\microsoft shared\pumthsg.exe
+ SysSafe.exe  c:\program files\common files\microsoft shared\pumthsg.exe
+ TrojanDetector.exe  c:\program files\common files\microsoft shared\pumthsg.exe
+ Trojanwall.exe  c:\program files\common files\microsoft shared\pumthsg.exe
+ TrojDie.kxp  c:\program files\common files\microsoft shared\pumthsg.exe
+ UIHost.exe  c:\program files\common files\microsoft shared\pumthsg.exe
+ UmxAgent.exe  c:\program files\common files\microsoft shared\pumthsg.exe
+ UmxAttachment.exe  c:\program files\common files\microsoft shared\pumthsg.exe
+ UmxCfg.exe  c:\program files\common files\microsoft shared\pumthsg.exe
+ UmxFwHlp.exe  c:\program files\common files\microsoft shared\pumthsg.exe
+ UmxPol.exe  c:\program files\common files\microsoft shared\pumthsg.exe
+ upiea.exe  c:\program files\common files\microsoft shared\pumthsg.exe
+ UpLive.exe  c:\program files\common files\microsoft shared\pumthsg.exe
+ USBCleaner.exe  c:\program files\common files\microsoft shared\pumthsg.exe
+ vsstat.exe  c:\program files\common files\microsoft shared\pumthsg.exe
+ webscanx.exe  c:\program files\common files\microsoft shared\pumthsg.exe
+ WoptiClean.exe  c:\program files\common files\microsoft shared\pumthsg.exe


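Added example, not code from the thread or from any of the tools named in it: a small Python parser for Autoruns export lines in the fused form posted above, which flags an IFEO hijack by grouping the Image File Execution Options entries by the binary they redirect to and then checks whether the same binary is also persisted under the Run key. The sample log is constructed from a few of the posted lines, and the three-image threshold is an assumption.

```python
import re
from collections import defaultdict

RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
IFEO_KEY = r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"

# Constructed sample: a few lines copied from the posted export, which fused the
# entry name and the image path ("360Safe.exe" + "c:\program files\...").
SAMPLE_LOG = r"""
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
+ cmdbcsc:\windows\cmdbcs.exe
+ yeyinhic:\program files\common files\microsoft shared\pumthsg.exe
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
+ 360Safe.exec:\program files\common files\microsoft shared\pumthsg.exe
+ autoruns.exec:\program files\common files\microsoft shared\pumthsg.exe
+ SysSafe.exec:\program files\common files\microsoft shared\pumthsg.exe
+ SREng.EXEc:\program files\common files\microsoft shared\pumthsg.exe
"""
# Split "+ <name><drive>:\<path>" at the first drive-letter path.
ENTRY_RE = re.compile(r"^\+ (?P<name>.+?)(?P<path>[A-Za-z]:\\.*)$")

def parse_autoruns(text):
    """Return {registry key: [(entry name, image path), ...]}."""
    entries, key = defaultdict(list), None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("+ "):
            m = ENTRY_RE.match(line)
            if m and key:
                entries[key].append((m.group("name"), m.group("path").lower()))
        else:
            key = line  # any other line names the registry key that follows
    return entries

def ifeo_hijacks(entries, min_images=3):
    """Group IFEO entries by the binary they redirect to. A real debugger is
    registered for one or two images; one path claiming many images is a hijack.
    The min_images threshold is an assumption, not from the thread."""
    by_target = defaultdict(list)
    for name, path in entries.get(IFEO_KEY, []):
        by_target[path].append(name)
    return {p: sorted(n) for p, n in by_target.items() if len(n) >= min_images}

def run_entries_for(entries, targets):
    """Run-key entries that launch a hijack target: the same file is persisted
    at boot and installed as the fake 'debugger' for the security tools."""
    return [(n, p) for n, p in entries.get(RUN_KEY, []) if p in targets]
```

Run against the full posted export, the IFEO grouping yields a single target (pumthsg.exe) claiming well over a hundred images, which is the signature of this family rather than of any legitimate debugger registration.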
baohe - 2007-6-7 21:23:00
Note:
Rising users: after disinfecting, rename bsmain.exe in the system32 folder (the virus renamed it to .bak).
火影忍者 - 2007-6-7 21:24:00
Uh...!! Doesn't seem that strong...!
spiritfire - 2007-6-7 21:26:00
Sorry to trouble you, Uncle Cat, send me a copy!
kyo222222@163.com
baohe - 2007-6-7 21:30:00
Quote:
[spiritfire's post] Sorry to trouble you, Uncle Cat, send me a copy!
kyo222222@163.com
………………

Samples can be downloaded from 孤独's online drive: http://free.ys168.com/?gudugengkekao1
mopery - 2007-6-7 22:41:00
Quote:
[baohe's post]
Samples can be downloaded from 孤独's online drive: http://free.ys168.com/?gudugengkekao1
………………

Looks like it's gone.. Uncle Cat, drop one in my mailbox..

Thanks.
jiuge捷 - 2007-6-7 23:33:00
Uncle Cat, where did you download that IFEO restore tool? I'd like one too.. can't find it.
rj600700 - 2007-6-8 1:46:00
Where did you download that IFEO restore tool???
I really want one too!!! Even Autoruns got hijacked; there's no tool left to rescue those tools with!!
天月来了 - 2007-6-8 7:37:00
Just go and delete it from the registry by hand.
孤独更可靠 - 2007-6-8 8:26:00
Learned something``

baohe - 2007-6-8 8:44:00
[Reply to "spiritfire"]
[Reply to "mopery"]
Samples have been sent to your mailboxes.
baohe - 2007-6-8 8:46:00
Quote:
[jiuge捷's post] Uncle Cat, where did you download that IFEO restore tool? I'd like one too.. can't find it.
………………

That tool is the work of a moderator on the 360 forum; you can look for it there.
I found and downloaded it while browsing around Kafan.

Note: variants of this kind of virus now almost all add a window-monitoring / window-closing function. Until the virus is fully removed, this tool (and common tools like WinRAR) cannot be used normally, unless you use another security tool (e.g. SSM) to block that action of the virus.
天月来了 - 2007-6-8 8:55:00
Can you get infected first

and then install SSM?

Heh

Kitty
孤独更可靠 - 2007-6-8 8:57:00
Quote:
[天月来了's post] Can you get infected first

and then install SSM?

Heh

Kitty
………………

Can't install it```

天月来了 - 2007-6-8 8:58:00
Then you'd have to fix it from DOS

or by slaving the drive to another machine.

天月来了 - 2007-6-8 9:00:00
Is there a simple mini operating system on a bootable CD?

The kind that boots from CD into a Windows-like interface with mouse support and shows all the drives, so you can work on the files on disk with the mouse.

If everyone had such a CD, cleanup would be much easier.

Too lazy to Baidu it.

Heh!!!!!
baohe - 2007-6-8 9:04:00
Quote:
[天月来了's post] Can you get infected first

and then install SSM?

Heh

Kitty
………………

Probably not.
Because SysSafe.exe is also on the hijack list. After infection, even if you manage to install SSM, running it will run the virus program instead.
baohe - 2007-6-8 9:07:00
Quote:
[天月来了's post] Then you'd have to fix it from DOS

or by slaving the drive to another machine.
………………

I killed this virus from within Windows.
IFEO hijacking, window closing and so on: there are ways to deal with all of them.
The two logs I posted already show it: after infection, with a little thought, hijacked programs like SREng and Autoruns can still be made to run.
As for the method, I won't go into detail; otherwise it may stop working in future.
孤独更可靠 - 2007-6-8 9:12:00
Quote:
[baohe's post]
I killed this virus from within Windows.
IFEO hijacking, window closing and so on: there are ways to deal with all of them.
The two logs I posted already show it: after infection, with a little thought, hijacked programs like SREng and Autoruns can still be made to run.
As for the method, I won't go into detail; otherwise it may stop working in future.
………………

I can guess it, heh heh``

天月来了 - 2007-6-8 9:26:00
Heh!!!!

Your method, few of the people asking for help could manage it.

Only we could.

For those asking for help, slaving the drive is still best.

As long as it's handled properly, it should be easy.
孤独更可靠 - 2007-6-8 9:34:00
Quote:
[天月来了's post] Heh!!!!

Your method, few of the people asking for help could manage it.

Only we could.

For those asking for help, slaving the drive is still best.

As long as it's handled properly, it should be easy.
………………

Seems a dedicated removal tool has come out``but````

it seems to have run into a bit of trouble``talking with the author about it``

Hope that, under the virus's "keyword" blocking, the removal tool can still run as intended```

tankk - 2007-6-8 10:01:00
孤独, could you give me a sample?? Thanks
天月来了 - 2007-6-8 10:02:00
Yeah

Best if the removal tool's name has no "kill" and no "virus" in it.

Best to use some simple words that have nothing to do with computers.

孤独更可靠 - 2007-6-8 10:09:00
Quote:
[tankk's post] 孤独, could you give me a sample?? Thanks
………………

http://free.ys168.com/?gudugengkekao1

Find it there yourself``
33887 - 2007-6-8 10:48:00
Quote:
[baohe's post]
I killed this virus from within Windows.
IFEO hijacking, window closing and so on: there are ways to deal with all of them.
The two logs I posted already show it: after infection, with a little thought, hijacked programs like SREng and Autoruns can still be made to run.
As for the method, I won't go into detail; otherwise it may stop working in future.
………………

For the IFEO hijack, if you delete the "debugger" value in the registry that points to the virus, the virus will just rewrite it, right? If you only rename that "debugger" value to some other name, will the virus be able to detect that?