论坛风格切换
正版合作和侵权请联系 sd173@foxmail.com
 
  • 帖子
  • 日志
  • 用户
  • 版块
  • 群组
帖子
购买邀请后未收到邀请联系sdbeta@qq.com
  • 1955阅读
  • 3回复

[已解决]遭遇DOWNLOADER! [复制链接]

上一主题 下一主题
 
发帖
*
今日发帖
最后登录
1970-01-01
只看楼主 倒序阅读 使用道具 楼主  发表于: 2008-07-05 20:21:16
本文原创作者为:lg560852
来自:动物家园计算机咨询中心


1、 今早一时心血来潮,去老早前的一个论坛看看不想鼠标一下子忙,偶就感觉不妙!开进程管理器,果然,2个未知进程出现!杀之,为时已晚。毒中上了。EXPLORER自动关闭,结束浏览器,结果什么也打不开了,只能用快捷键调出进程管理器,而且用进程管理器运行啥都不行(同时管理器也被关闭),用进程管理器查看关键文件夹内容,将几个新建的文件c:\windows\cguu4.exe等等的移动到其他文件夹内,尽量减少损失。


2、无奈进入安全模式,还好,没破坏。但是结果一样,光秃秃的一个桌面,进程管理器能调出,但是连CMD啥的也打不开,执行命令也无效。突然发现个问题:EXPLORER被替换了,而且有个pinyinup.exe进程占CPU100%,结束。又在SYSTEM32文件夹下看了看,发现还有个EXPLORER.EXE,属性里带签名的,看来这个是正品了!移动其到windows文件夹下,用任务管理器打开仍然失败。倒是那个pinyinup.exe又出现了(后来考虑,这个不是搜狗的问题就是被病毒利用了)!


3、这个倒是奇怪的很,不过一个念头涌现出来:我将explorer更名为pinyinup.exe放到搜狗的那个文件夹下,将pinyinup.exe更名,稍微一等,呵呵,资源管理器就出来了!但是还是不能打开任何东西(一开就结束),只能浏览文件。所以我就把wsyscheck更名放进来,过了一会也成功自动执行了。wsyscheck的功能在安全模式下受限,而且为了留下纪念,偶就把sreng更名移动了过来,执行后,扫描一份日志【见2楼】,这下偶就可以安心的清理病毒了。


删除了这三个
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
<{7C8D1401-A58D-A81C-CD24-A5915C4517C7}> []
<{17DFD111-BF3A-4CB4-ADB0-88FCBFE69821}> []
<{4D165A2A-4BC1-4CA8-8299-08E05AAAB5A4}> []
删除了浏览器加载项
[]
{7C8D1401-A58D-A81C-CD24-A5915C4517C7}
搞定重启,许久不见的EXPLORER终于回来了o(∩_∩)o...
进入系统后,按修改时间看了看几个关键文件夹下的文件,囧了,C盘下有个tmp.dat
内容是:
[oo]
c0=http://121.14.154.193/1.exe
c1=http://121.14.154.193/2.exe
c2=http://121.14.154.193/3.exe
c3=http://121.14.154.193/4.exe
c4=http://121.14.154.193/5.exe
c5=http://121.14.154.193/6.exe
c6=http://121.14.154.193/7.exe
c7=http://121.14.154.193/8.exe
c8=http://121.14.154.193/9.exe
c9=http://121.14.154.193/10.exe
c10=http://121.14.154.193/11.exe
c11=http://121.14.154.193/12.exe
c12=http://121.14.154.193/13.exe
c13=http://121.14.154.193/14.exe
c14=http://121.14.154.193/15.exe
c15=http://121.14.154.193/16.exe
c16=http://121.14.154.193/17.exe
c17=http://121.14.154.193/18.exe
c18=http://121.14.154.193/19.exe
c19=http://121.14.154.193/20.exe
c20=http://121.14.154.194/21.exe
c21=http://121.14.154.194/22.exe
c22=http://121.14.154.194/23.exe
c23=http://121.14.154.194/24.exe
c24=http://121.14.154.194/25.exe
c25=http://121.14.154.194/26.exe
c26=http://121.14.154.194/27.exe
c27=http://121.14.154.194/28.exe
c28=http://121.14.154.194/29.exe
c29=http://121.14.154.194/30.exe
c30=http://121.14.154.194/31.exe
c31=http://121.14.154.194/32.exe
c32=http://121.14.154.194/33.exe
c33=http://121.14.154.194/34.exe
c34=http://121.14.154.194/35.exe
c35=http://121.14.154.194/36.exe
c36=http://121.14.154.194/37.exe
c37=http://121.14.154.194/38.exe
c38=http://121.14.154.194/39.exe
c39=http://121.14.154.194/40.exe
c40=http://121.14.154.194/41.exe

4、看了看偶的临时文件夹,只DOWN了5个,还算好。再用WINDOWS清理助手扫描下,清理了些病毒残留项,至此,整个过程告一段落。呃,这次问题的出现是由于偶没装杀软(组策略也坏了)而且上了很可能有问题的网站(那个BBS以前被挂过马,而且现在鲜有人去),处理过程很简单,就是有点曲折。语文不好,希望大家不要嫌文章无味,仅作参考。



病毒样本偶都留下了,没处理掉,发到样本区去,看看有无达人玩玩。
最后囧一个,为何偶碰上的病毒都是DOWNLOADER?
发帖
*
今日发帖
最后登录
1970-01-01
只看该作者 沙发  发表于: 2008-07-05 20:21:38
附:中毒后安全模式下的日志(这可是偶拼命留下的啊!)
复制内容到剪贴板代码:
2008-07-05,11:12:37
System Repair Engineer 2.6.11.992
Smallfrogs (http://www.KZTechs.com)
Windows Server 2003 Enterprise Edition Service Pack 2 (Build 3790) - 管理权限用户 - 完整功能
以下内容被选中:
所有的启动项目(包括注册表、启动文件夹、服务等)
浏览器加载项
正在运行的进程(包括进程模块信息)
文件关联
Winsock 提供者
Autorun.inf
HOSTS 文件
进程特权扫描

启动项目
注册表
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<> [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
[(Verified)Microsoft Windows Component Publisher]
[(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<> [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<%SystemRoot%\system32\logonui.exe> [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
<{AEB6717E-7E19-11d0-97EE-00C04FD91972}> [(Verified)Microsoft Windows Component Publisher]
<{7C8D1401-A58D-A81C-CD24-A5915C4517C7}> []
<{17DFD111-BF3A-4CB4-ADB0-88FCBFE69821}> []
<{4D165A2A-4BC1-4CA8-8299-08E05AAAB5A4}> []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
<%SystemRoot%\system32\SHELL32.dll> [(Verified)Microsoft Windows Component Publisher]
<%SystemRoot%\system32\SHELL32.dll> [(Verified)Microsoft Windows Component Publisher]
<%SystemRoot%\system32\webcheck.dll> [(Verified)Microsoft Windows Component Publisher]
[(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
[(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
[(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
[(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy]
[(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
[(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
[(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
[(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
[(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
[(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
<{438755C2-A8BA-11D1-B96B-00A0C90312E1}><%SystemRoot%\system32\browseui.dll> [(Verified)Microsoft Windows Component Publisher]
<{8C7461EF-2B13-11d2-BE35-3078302C2030}><%SystemRoot%\system32\browseui.dll> [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
[(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS]
<浏览器自定义组件> [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}]
<%SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll> [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
<"%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install> [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
[(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
<通讯簿 6><"%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install> [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}]
[(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}]
<%SystemRoot%\system32\ie4uinit.exe> [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}]
<%IEHARDENADMIN_BASE_DESC%><%SystemRoot%\system32\rundll32.exe iesetup.dll,IEHardenAdmin> [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}]
<%IEHARDENUSER_DESC%><%SystemRoot%\system32\rundll32.exe iesetup.dll,IEHardenUser> [(Verified)Microsoft Windows Component Publisher]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
<; C:\WINDOWS\system32\CTFMON.EXE> [(Verified)Microsoft Windows Component Publisher]
<; "d:\Program Files\Tencent\TM2008\Bin\TM.exe" /background> [(Verified)Tencent Technology(Shenzhen) Company Limited]
==================================
启动文件夹
[Microsoft Office]
C:\PROGRA~1\MICROS~1\Office\OSA9.EXE [Microsoft Corporation]>
==================================
服务
[Human Interface Device Access / HidServ][Stopped/Disabled]
%SystemRoot%\System32\hidserv.dll>
==================================
驱动程序
[Intel(R) PRO Adapter Driver / E100B][Stopped/Manual Start]

[Fujitsu FUJ02B1 Device Driver / FUJ02B1][Running/Manual Start]

[i81x / i81x][Stopped/Manual Start]

[iAimFP0 / iAimFP0][Stopped/Manual Start]

[iAimFP1 / iAimFP1][Stopped/Manual Start]

[iAimFP2 / iAimFP2][Stopped/Manual Start]

[iAimFP3 / iAimFP3][Stopped/Manual Start]

[iAimFP4 / iAimFP4][Stopped/Manual Start]

[iAimFP5 / iAimFP5][Stopped/Manual Start]

[iAimFP6 / iAimFP6][Stopped/Manual Start]

[iAimFP7 / iAimFP7][Stopped/Manual Start]

[iAimTV0 / iAimTV0][Stopped/Manual Start]

[iAimTV1 / iAimTV1][Stopped/Manual Start]

[iAimTV3 / iAimTV3][Stopped/Manual Start]

[iAimTV4 / iAimTV4][Stopped/Manual Start]

[iAimTV5 / iAimTV5][Stopped/Manual Start]

[iAimTV6 / iAimTV6][Stopped/Manual Start]

[IP in IP Tunnel Driver / IpInIp][Stopped/Manual Start]

[Intel(r) 82801 Audio Driver Install Service (WDM) / mnich][Stopped/Manual Start]

[Direct Parallel Link Driver / Ptilink][Stopped/Manual Start]

[Secdrv / Secdrv][Stopped/Manual Start]

==================================
浏览器加载项
[ThunderAtOnce Class]
{01443AEC-0FD1-40fd-9C87-E93D1494C233}
[]
{7C8D1401-A58D-A81C-CD24-A5915C4517C7}
[Thunder Browser Helper]
{889D2FEB-5411-4565-8998-1DD2C5261283}
[ThunderAtOnce Class]
{01443AEC-0FD1-40FD-9C87-E93D1494C233}
[HtmlDlgSafeHelper Class]
{3050F819-98B5-11CF-BB82-00AA00BDCE0B}
[Thunder Agent Class]
{485463B7-8FB2-4B3B-B29B-8B919B0EACCE}
[Thunder Browser Helper]
{889D2FEB-5411-4565-8998-1DD2C5261283}
[RDS.DataSpace]
{BD96C556-65A3-11D0-983A-00C04FC29E36}
[Shockwave Flash Object]
{D27CDB6E-AE6D-11CF-96B8-444553540000}
[XML HTTP Request]
{ED8C108E-4349-11D2-91A4-00C04F7969E8}
[XML HTTP]
{F6D90F16-9C73-11D3-B32E-00C04F990BB4}
[使用迅雷下载]

[使用迅雷下载全部链接]

==================================
正在运行的进程
[PID: 156][\SystemRoot\System32\smss.exe] [Microsoft Corporation, 5.2.3790.3959 (srv03_sp2_rtm.070216-1710)]
[PID: 208][\??\C:\WINDOWS\system32\csrss.exe] [Microsoft Corporation, 5.2.3790.0 (srv03_rtm.030324-2048)]
[PID: 232][\??\C:\WINDOWS\system32\winlogon.exe] [Microsoft Corporation, 5.2.3790.3959 (srv03_sp2_rtm.070216-1710)]
[C:\WINDOWS\system32\sfc_os.dll] [Microsoft Corporation, 5.2.3790.3959 (srv03_sp2_rtm.070216-1710)]
[C:\WINDOWS\system32\UxTheme.dll] [Microsoft Corporation, 6.00.3790.3959 (srv03_sp2_rtm.070216-1710)]
[C:\WINDOWS\system32\SOGOUPY.IME] [Sogou.com Inc., 3.5.0.0]
[PID: 280][C:\WINDOWS\system32\services.exe] [Microsoft Corporation, 5.2.3790.3959 (srv03_sp2_rtm.070216-1710)]
[PID: 292][C:\WINDOWS\system32\lsass.exe] [Microsoft Corporation, 5.2.3790.0 (srv03_rtm.030324-2048)]
[PID: 476][C:\WINDOWS\system32\svchost.exe] [Microsoft Corporation, 5.2.3790.3959 (srv03_sp2_rtm.070216-1710)]
[PID: 540][C:\WINDOWS\system32\svchost.exe] [Microsoft Corporation, 5.2.3790.3959 (srv03_sp2_rtm.070216-1710)]
[PID: 588][C:\WINDOWS\system32\svchost.exe] [Microsoft Corporation, 5.2.3790.3959 (srv03_sp2_rtm.070216-1710)]
[c:\windows\system32\sfc_os.dll] [Microsoft Corporation, 5.2.3790.3959 (srv03_sp2_rtm.070216-1710)]
[PID: 1744][C:\Program Files\SogouInput\PinyinUp.exe] [Smallfrogs Studio, 2.6.11.992]
[PID: 1752][C:\Program Files\SogouInput\SREf37c4196.EXE] [Smallfrogs Studio, 2.6.11.992]
[C:\WINDOWS\system32\SOGOUPY.IME] [Sogou.com Inc., 3.5.0.0]
[C:\WINDOWS\system32\UxTheme.dll] [Microsoft Corporation, 6.00.3790.3959 (srv03_sp2_rtm.070216-1710)]
[C:\WINDOWS\system32\sfc_os.dll] [Microsoft Corporation, 5.2.3790.3959 (srv03_sp2_rtm.070216-1710)]
[C:\Program Files\SogouInput\Upload\3rdUpd.DLL] [Smallfrogs Studio, 2, 1, 0, 15]
==================================
文件关联
.TXT OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.EXE OK. ["%1" %*]
.COM OK. ["%1" %*]
.PIF OK. ["%1" %*]
.REG OK. [regedit.exe "%1"]
.BAT OK. ["%1" %*]
.SCR OK. ["%1" /S]
.CHM OK. ["C:\WINDOWS\hh.exe" %1]
.HLP OK. [%SystemRoot%\System32\winhlp32.exe %1]
.INI OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.INF OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.VBS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.JS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.LNK OK. [{00021401-0000-0000-C000-000000000046}]
==================================
Winsock 提供者
N/A
==================================
Autorun.inf
N/A
==================================
HOSTS 文件
127.0.0.1 localhost
==================================
进程特权扫描
N/A
==================================
API HOOK
N/A
==================================
隐藏进程
N/A
==================================
发帖
*
今日发帖
最后登录
1970-01-01
只看该作者 板凳  发表于: 2008-07-05 20:22:20
解释一下,DOWNLOADER就是木马下载者~~
离线ja2cnc16
发帖
*
今日发帖
最后登录
1970-01-01
只看该作者 地板  发表于: 2008-07-05 23:18:38
kao,这个人也好强呀。