瑞星卡卡安全论坛

首页 » 综合娱乐区 » 活动专区 » 实习生专区 » 实习生交流区 » 7月8日 日志分析 练习4
lqqk7 - 2009-7-8 12:43:00
即日起每日会给大家提供一些染毒环境的SREng日志,因为部分实习生是第一次接触SREng这个工具,对日志分析不熟悉,如果冒然跑去反病毒区回帖,一旦出现误判,可能对求助者不利,因此采用这种“内部”交流的方式,希望大家能够多练习,真正分析日志的方法是靠自己实践摸索出来的!

注:日志分析练习情况与大家的实习期总成绩没有关联,请大家不要有顾虑,放心大胆的练习!



 附件: 您所在的用户组无法下载或查看附件


========以下为参考分析结果========
异常项见附件(仅保留日志中可疑度较高的项)

注意:
1、C:\WINDOWS\system\QQ.exe和c:\windows\windows自动升级程序.exe显然是伪装的;
2、删除启动文件夹中的可疑文件时,记得要把快捷方式和源文件同时删除掉;
3、C:\windows\system\SitaPlugin.dll不确定是病毒文件还是用户自己安装的软件,可以询问一下或者自己搜索EyeOnIE

 附件: 您所在的用户组无法下载或查看附件
handle - 2009-7-8 13:28:00
<QQ><C:\WINDOWS\system\QQ.exe>  [ ] 这个做得也太假了吧:kaka7:

{CC3596CB-D6C1-ECA1-AE51-DEEA63F6C21C}><C:\Program Files\Internet Explorer\OnlO0r.dll>  [N/A]
    <{61C1B9CE-1A6F-4994-B4A4-0E7C99AD4C28}><C:\WINDOWS\system32\mndoor0.dll>  [N/A]
    <{ABD0935D-B35A-47BD-BA9A-81678DDE74DD}><C:\WINDOWS\system32\qhdoor0.dll>  [N/A]
    <{49C496E9-732D-4F5D-BEE9-EC113FAA1C97}><C:\WINDOWS\system32\qzdoor0.dll>  [N/A]
    <{C26A8AB5-B935-400C-A152-0488714725B1}><C:\WINDOWS\system32\qsdoor0.dll>  [N/A]
    <{F859245F-345D-BC13-AC4F-145D47DA34FF}><C:\WINDOWS\Fonts\avzxomn.dll>  [N/A]
    <{76255dcf-d686-4d89-82d1-78fef7b3dc00}><C:\WINDOWS\system32\IGB_WD_1026.dll>  [N/A]
    <{4FA10261-B890-F432-A453-69F1023513F4}><C:\WINDOWS\Fonts\gjcsdyc.dll>  [N/A]
    <{9963387B-212E-4643-B207-82DAEA0E713D}><C:\Program Files\Internet Explorer\PLUGINS\Wn_Sys8x.Sys>  [N/A]
    <{8DFA2904-9664-43AE-8929-4347554D24B6}><C:\WINDOWS\system32\csavpw1.dll>  [N/A]
    <{471B15AD-7A9C-491D-9C19-4E15B12DCE00}><C:\Program Files\Internet Explorer\PLUGINS\NvSys_55.Sys>  [N/A]
    <{80F15C30-5E9D-4CB9-BE85-F3D5564C6F83}><C:\WINDOWS\system32\fhdoor0.dll>  []


  [C:\WINDOWS\system32\fhdoor0.dll]  [N/A, ]
幽灵楠 - 2009-7-8 14:39:00
***** 该内容需回复才可浏览 *****
merrk_chuan - 2009-7-8 14:47:00
1.用帖子里提供的工具删除以下文件(http://bbs.ikaka.com/showtopic-8442813.aspx

c:\windows\system32\fhdoor0.dll
c:\documents and settings\administrator\「开始」菜单\程序\启动\qq.lnk
c:\windows\system32\drivers\winsys.sys
c:\windows\system32\drivers\msaclue.sys
c:\program files\common files\fjos0r.dll
c:\program files\internet explorer\plugins\nvsys_55.sys
c:\windows\system32\csavpw1.dll
c:\program files\internet explorer\plugins\wn_sys8x.sys
c:\windows\fonts\gjcsdyc.dll
c:\windows\system32\igb_wd_1026.dll
c:\windows\fonts\avzxomn.dll
c:\windows\system32\qsdoor0.dll
c:\windows\system32\qzdoor0.dll
c:\windows\system32\qhdoor0.dll
c:\windows\system32\mndoor0.dll
c:\program files\internet explorer\onlo0r.dll
c:\windows\system\qq.exe
c:\windows\system\sitaplugin.dll

2.不管删除是否成功,请重启,然后使用SREng修复下面各项:

    启动项目 -- 注册表之如下项删除:
[{80F15C30-5E9D-4CB9-BE85-F3D5564C6F83}]    <C:\WINDOWS\system32\fhdoor0.dll>
[{471B15AD-7A9C-491D-9C19-4E15B12DCE00}]    <C:\Program Files\Internet Explorer\PLUGINS\NvSys_55.Sys>
[{8DFA2904-9664-43AE-8929-4347554D24B6}]    <C:\WINDOWS\system32\csavpw1.dll>
[{9963387B-212E-4643-B207-82DAEA0E713D}]    <C:\Program Files\Internet Explorer\PLUGINS\Wn_Sys8x.Sys>
[{4FA10261-B890-F432-A453-69F1023513F4}]    <C:\WINDOWS\Fonts\gjcsdyc.dll>
[{76255dcf-d686-4d89-82d1-78fef7b3dc00}]    <C:\WINDOWS\system32\IGB_WD_1026.dll>
[{F859245F-345D-BC13-AC4F-145D47DA34FF}]    <C:\WINDOWS\Fonts\avzxomn.dll>
[{C26A8AB5-B935-400C-A152-0488714725B1}]    <C:\WINDOWS\system32\qsdoor0.dll>
[{49C496E9-732D-4F5D-BEE9-EC113FAA1C97}]    <C:\WINDOWS\system32\qzdoor0.dll>
[{ABD0935D-B35A-47BD-BA9A-81678DDE74DD}]    <C:\WINDOWS\system32\qhdoor0.dll>
[{61C1B9CE-1A6F-4994-B4A4-0E7C99AD4C28}]    <C:\WINDOWS\system32\mndoor0.dll>
[{CC3596CB-D6C1-ECA1-AE51-DEEA63F6C21C}]    <C:\Program Files\Internet Explorer\OnlO0r.dll>
[QQ]    <C:\WINDOWS\system\QQ.exe>
注意该项[Userinit]修改:把<userinit.exe,>修改为<C:\WINDOWS\system32\userinit.exe,>逗号不可省略

    启动项目 -- 启动文件夹之如下项删除:
[QQ]    <C:\Documents and Settings\Administrator\「开始」菜单\程序\启动\QQ.lnk>

    启动项目 -- 服务-- 驱动程序之如下项禁用:
[Network Monitor Protocol Driver / Ndisprot]    <system32\DRIVERS\winsys.sys>
[msskye / msskye]    <system32\DRIVERS\msaclue.sys>

    系统修复-- 浏览器加载项之如下项删除:
[]    <C:\Program Files\Common Files\fjOs0r.dll>
[]    <C:\Program Files\Internet Explorer\PLUGINS\Wn_Sys8x.Sys>
[]    <C:\Program Files\Internet Explorer\PLUGINS\NvSys_55.Sys>
[EyeOnIE Class]    <C:\windows\system\SitaPlugin.dll>
QoS - 2009-7-8 15:43:00
建议使用XDelBox删除以下文件
复制所有要删除文件的路径,在待删除文件列表里点击右键选择从剪贴板导入,重启删除

c:\windows\system32\fhdoor0.dll
c:\windows\system32\csavpw1.dll
c:\program files\internet explorer\plugins\nvsys_55.sys
c:\program files\internet explorer\plugins\wn_sys8x.sys
c:\windows\fonts\gjcsdyc.dll
c:\windows\system32\igb_wd_1026.dll
c:\windows\fonts\avzxomn.dll
c:\windows\system32\qsdoor0.dll
c:\windows\system32\qzdoor0.dll
c:\windows\system32\qhdoor0.dll
c:\windows\system32\mndoor0.dll
c:\program files\internet explorer\onlo0r.dll
c:\windows\system\qq.exe
c:\windows\system32\drivers\winsys.sys
c:\windows\system32\drivers\msaclue.sys
c:\program files\common files\fjos0r.dll
c:\windows\system\sitaplugin.dll

2.删除重启后使用SREng修复下面各项:

    启动项目 -- 注册表之如下项删除:
[{80F15C30-5E9D-4CB9-BE85-F3D5564C6F83}]    <C:\WINDOWS\system32\fhdoor0.dll>
[{8DFA2904-9664-43AE-8929-4347554D24B6}]    <C:\WINDOWS\system32\csavpw1.dll>
[{471B15AD-7A9C-491D-9C19-4E15B12DCE00}]    <C:\Program Files\Internet Explorer\PLUGINS\NvSys_55.Sys>
[{9963387B-212E-4643-B207-82DAEA0E713D}]    <C:\Program Files\Internet Explorer\PLUGINS\Wn_Sys8x.Sys>
[{4FA10261-B890-F432-A453-69F1023513F4}]    <C:\WINDOWS\Fonts\gjcsdyc.dll>
[{76255dcf-d686-4d89-82d1-78fef7b3dc00}]    <C:\WINDOWS\system32\IGB_WD_1026.dll>
[{F859245F-345D-BC13-AC4F-145D47DA34FF}]    <C:\WINDOWS\Fonts\avzxomn.dll>
[{C26A8AB5-B935-400C-A152-0488714725B1}]    <C:\WINDOWS\system32\qsdoor0.dll>
[{49C496E9-732D-4F5D-BEE9-EC113FAA1C97}]    <C:\WINDOWS\system32\qzdoor0.dll>
[{ABD0935D-B35A-47BD-BA9A-81678DDE74DD}]    <C:\WINDOWS\system32\qhdoor0.dll>
[{61C1B9CE-1A6F-4994-B4A4-0E7C99AD4C28}]    <C:\WINDOWS\system32\mndoor0.dll>
[{CC3596CB-D6C1-ECA1-AE51-DEEA63F6C21C}]    <C:\Program Files\Internet Explorer\OnlO0r.dll>
[QQ]    <C:\WINDOWS\system\QQ.exe>

    启动项目 -- 服务-- 驱动程序之如下项禁用:
[Network Monitor Protocol Driver / Ndisprot]    <system32\DRIVERS\winsys.sys>
[msskye / msskye]    <system32\DRIVERS\msaclue.sys>

    系统修复-- 浏览器加载项之如下项删除:
[]    <C:\Program Files\Internet Explorer\PLUGINS\NvSys_55.Sys>
[]    <C:\Program Files\Internet Explorer\PLUGINS\Wn_Sys8x.Sys>
[]    <C:\Program Files\Common Files\fjOs0r.dll>
[]    <C:\Program Files\Internet Explorer\PLUGINS\NvSys_55.Sys>
[]    <C:\Program Files\Internet Explorer\PLUGINS\Wn_Sys8x.Sys>
[]    <C:\Program Files\Common Files\fjOs0r.dll>
[EyeOnIE Class]    <C:\windows\system\SitaPlugin.dll>
关闭IE用下面的工具全选,清理系统临时文件和IE临时文件夹     
http://www.atribune.org/public-beta/ATF-Cleaner.exe

下载windows清理助手清理一遍
http://www.arswp.com/download/arswp2/arswp2.rar(升级后使用)
daemonz - 2009-7-8 16:08:00
可疑的文件:
C:\WINDOWS\system\QQ.exe

    <{61C1B9CE-1A6F-4994-B4A4-0E7C99AD4C28}><C:\WINDOWS\system32\mndoor0.dll>  [N/A]
    <{ABD0935D-B35A-47BD-BA9A-81678DDE74DD}><C:\WINDOWS\system32\qhdoor0.dll>  [N/A]
    <{49C496E9-732D-4F5D-BEE9-EC113FAA1C97}><C:\WINDOWS\system32\qzdoor0.dll>  [N/A]
    <{C26A8AB5-B935-400C-A152-0488714725B1}><C:\WINDOWS\system32\qsdoor0.dll>  [N/A]
    <{F859245F-345D-BC13-AC4F-145D47DA34FF}><C:\WINDOWS\Fonts\avzxomn.dll>  [N/A]
    <{76255dcf-d686-4d89-82d1-78fef7b3dc00}><C:\WINDOWS\system32\IGB_WD_1026.dll>  [N/A]
    <{4FA10261-B890-F432-A453-69F1023513F4}><C:\WINDOWS\Fonts\gjcsdyc.dll>  [N/A]
    <{9963387B-212E-4643-B207-82DAEA0E713D}><C:\Program Files\Internet Explorer\PLUGINS\Wn_Sys8x.Sys>  [N/A]
    <{8DFA2904-9664-43AE-8929-4347554D24B6}><C:\WINDOWS\system32\csavpw1.dll>  [N/A]
    <{471B15AD-7A9C-491D-9C19-4E15B12DCE00}><C:\Program Files\Internet Explorer\PLUGINS\NvSys_55.Sys>  [N/A]
    <{80F15C30-5E9D-4CB9-BE85-F3D5564C6F83}><C:\WINDOWS\system32\fhdoor0.dll>  []
  {5F35B79C-CDA0-456F-B3A3-B4DE806E8634} <C:\windows\system\SitaPlugin.dll, N/A>


启动文件夹被篡改
  <C:\Documents and Settings\Administrator\「开始」菜单\程序\启动\QQ.lnk --> C:\WINDOWS\system\QQ.exe [N/A]><N>
浏览器加载项中有 NvSys_55.Sys、Wn_Sys8x.Sys 也要清理

这个东西不太清楚    system32\DRIVERS\msaclue.sys  备份后删除
凡尘之沙 - 2009-7-8 16:19:00
***** 该内容需回复才可浏览 *****
精神病院看门的 - 2009-7-9 8:33:00
该用户帖子内容已被屏蔽
零度的穷浪漫 - 2009-7-29 0:31:00
1.<QQ><C:\WINDOWS\system\QQ.exe>  []QQ都没有公司签名很可疑啊
2.[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    <{CC3596CB-D6C1-ECA1-AE51-DEEA63F6C21C}><C:\Program Files\Internet Explorer\OnlO0r.dll>  [N/A]
    <{61C1B9CE-1A6F-4994-B4A4-0E7C99AD4C28}><C:\WINDOWS\system32\mndoor0.dll>  [N/A]
    <{ABD0935D-B35A-47BD-BA9A-81678DDE74DD}><C:\WINDOWS\system32\qhdoor0.dll>  [N/A]
    <{49C496E9-732D-4F5D-BEE9-EC113FAA1C97}><C:\WINDOWS\system32\qzdoor0.dll>  [N/A]
    <{C26A8AB5-B935-400C-A152-0488714725B1}><C:\WINDOWS\system32\qsdoor0.dll>  [N/A]
    <{F859245F-345D-BC13-AC4F-145D47DA34FF}><C:\WINDOWS\Fonts\avzxomn.dll>  [N/A]
    <{76255dcf-d686-4d89-82d1-78fef7b3dc00}><C:\WINDOWS\system32\IGB_WD_1026.dll>  [N/A]
    <{4FA10261-B890-F432-A453-69F1023513F4}><C:\WINDOWS\Fonts\gjcsdyc.dll>  [N/A]
    <{9963387B-212E-4643-B207-82DAEA0E713D}><C:\Program Files\Internet Explorer\PLUGINS\Wn_Sys8x.Sys>  [N/A]
    <{8DFA2904-9664-43AE-8929-4347554D24B6}><C:\WINDOWS\system32\csavpw1.dll>  [N/A]
    <{471B15AD-7A9C-491D-9C19-4E15B12DCE00}><C:\Program Files\Internet Explorer\PLUGINS\NvSys_55.Sys>  [N/A]
    <{80F15C30-5E9D-4CB9-BE85-F3D5564C6F83}><C:\WINDOWS\system32\fhdoor0.dll>  []这些是什么/
3.[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}]
    <Internet Explorer><%systemroot%\system32\shmgrate.exe OCInstallUserConfigIE>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}]
    <Outlook Express><%systemroot%\system32\shmgrate.exe OCInstallUserConfigOE>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}]
    <Themes Setup><%SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
    <Microsoft Outlook Express 6><"%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install>  [N/A]这都没有公司签名啊
4.[QQ]
  <C:\Documents and Settings\Administrator\「开始」菜单\程序\启动\QQ.lnk --> C:\WINDOWS\system\QQ.exe [N/A]><N>这个路径对么?还没有签名,与上面的对照很可疑
5.驱动
npkcrypt / npkcrypt][Running/Auto Start]
  <\??\D:\Program Files\QQ2007\npkcrypt.sys><INCA Internet Co., Ltd.>路径?
[msskye / msskye][Running/Auto Start]
  <system32\DRIVERS\msaclue.sys><N/A>
[Network Monitor Protocol Driver / Ndisprot][Stopped/Manual Start]
  <system32\DRIVERS\winsys.sys><N/A>这个也可疑
6.浏览器加载项
[]
  {471B15AD-7A9C-491D-9C19-4E15B12DCE00} <C:\Program Files\Internet Explorer\PLUGINS\NvSys_55.Sys, N/A>
[]
  {9963387B-212E-4643-B207-82DAEA0E713D} <C:\Program Files\Internet Explorer\PLUGINS\Wn_Sys8x.Sys, N/A>
[]
  {C2626E66-D21B-E628-C1DF-1DACCFA36ED2} <C:\Program Files\Common Files\fjOs0r.dll, N/A>
[]
  {471B15AD-7A9C-491D-9C19-4E15B12DCE00} <C:\Program Files\Internet Explorer\PLUGINS\NvSys_55.Sys, N/A>
……加载项名称为空还是不明白是什么原因,怎么解决,直接删除么?而且都没有公司签名:kaka6:
7.剩下的大概没什么了,感觉现在才有点入门了
乐陶猪 - 2009-8-4 10:36:00
1. [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<TkBellExe><"C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot>  [N/A]

2. [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    <{CC3596CB-D6C1-ECA1-AE51-DEEA63F6C21C}><C:\Program Files\Internet Explorer\OnlO0r.dll>  [N/A]
    <{61C1B9CE-1A6F-4994-B4A4-0E7C99AD4C28}><C:\WINDOWS\system32\mndoor0.dll>  [N/A]
    <{ABD0935D-B35A-47BD-BA9A-81678DDE74DD}><C:\WINDOWS\system32\qhdoor0.dll>  [N/A]
    <{49C496E9-732D-4F5D-BEE9-EC113FAA1C97}><C:\WINDOWS\system32\qzdoor0.dll>  [N/A]
    <{C26A8AB5-B935-400C-A152-0488714725B1}><C:\WINDOWS\system32\qsdoor0.dll>  [N/A]
    <{F859245F-345D-BC13-AC4F-145D47DA34FF}><C:\WINDOWS\Fonts\avzxomn.dll>  [N/A]
    <{76255dcf-d686-4d89-82d1-78fef7b3dc00}><C:\WINDOWS\system32\IGB_WD_1026.dll>  [N/A]
    <{4FA10261-B890-F432-A453-69F1023513F4}><C:\WINDOWS\Fonts\gjcsdyc.dll>  [N/A]
    <{9963387B-212E-4643-B207-82DAEA0E713D}><C:\Program Files\Internet Explorer\PLUGINS\Wn_Sys8x.Sys>  [N/A]
    <{8DFA2904-9664-43AE-8929-4347554D24B6}><C:\WINDOWS\system32\csavpw1.dll>  [N/A]
    <{471B15AD-7A9C-491D-9C19-4E15B12DCE00}><C:\Program Files\Internet Explorer\PLUGINS\NvSys_55.Sys>  [N/A]
    <{80F15C30-5E9D-4CB9-BE85-F3D5564C6F83}><C:\WINDOWS\system32\fhdoor0.dll>  []

3. []
  {9963387B-212E-4643-B207-82DAEA0E713D} <C:\Program Files\Internet Explorer\PLUGINS\Wn_Sys8x.Sys, N/A>

[]
  {C2626E66-D21B-E628-C1DF-1DACCFA36ED2} <C:\Program Files\Common Files\fjOs0r.dll, N/A>

4. [PID: 1220 / Administrator][C:\WINDOWS\Explorer.EXE]  [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
    [C:\WINDOWS\system32\fhdoor0.dll]  [N/A, ]

5. [PID: 1068 / Administrator][C:\Program Files\Rising\AntiSpyware\runiep.exe]  [Beijing Rising Technology Co., Ltd., 5.0.0.11]
    [C:\WINDOWS\system32\fhdoor0.dll]  [N/A, ]\

6. [PID: 2964 / Administrator][C:\WINDOWS\msagent\AgentSvr.exe]  [Microsoft Corporation, 2.00.0.3424]
    [C:\WINDOWS\system32\fhdoor0.dll]  [N/A, ]

7. [PID: 4032 / Administrator][C:\Program Files\Internet Explorer\iexplore.exe]  [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
    [C:\WINDOWS\system32\fhdoor0.dll]  [N/A, ]

8. [PID: 3512 / Administrator][D:\Downloads\sreng\SREngPS.EXE]  [Smallfrogs Studio, 2.5.16.900]
    [C:\WINDOWS\system32\fhdoor0.dll]  [N/A, ]
1
查看完整版本: 7月8日 日志分析 练习4
© 2000 - 2026 Rising Corp. Ltd.