Endurer original, version 1
Yesterday a netizen found Trojan.psw.OnlineGames.AMC on his computer. Although Rising had killed it, he was not at ease and asked me over QQ to remotely assist with an inspection.
At first glance, Rising's real-time monitoring was not enabled, but its IE vulnerability protection patch was running...
Rising's antivirus log reads as follows:
/---
Virus name | Result | Scan method | Path | File | Virus source
Trojan.mnless.jys | Successful | Scheduled scan | C:/Windows/system32/drivers | ecdacgcf.sys | Local Machine
Trojan.mnless.jys | | Scheduled scan | C:/Documents and Settings/New/Local Settings/temp/4A | cdnprot.sys |
Trojan.mnless.jys | | Scheduled scan | C:/Documents and Settings/New/Local Settings/temp/4D | cdnprot.sys |
Trojan.mnless.jys | | Scheduled scan | C:/Documents and Settings/New/Local Settings/temp/63 | cdnprot.sys |
Trojan.psw.OnlineGames.AMC | Successfully deleted | Manual scan | C:/Windows/system32 | ravfy48.dll>UPX | Local Machine
Trojan.psw.OnlineGames.AMC | Successfully deleted | Manual scan | C:/Documents and Settings/LocalService/Local Settings/Temporary Internet Files/content.ie5/5ope‑zx | 2‑1‑.exe>fsg2.0 | Local Machine
Trojan.psw.OnlineGames.AMC | Successfully deleted | Manual scan | C:/Documents and Settings/LocalService/Local Settings/Temporary Internet Files/content.ie5/5ope+zx | 2%2%.exe>fsg2.0 | Local Machine
Trojan.psw.OnlineGames.AMC | Successfully deleted | Manual scan | C:/program files/Internet Explorer | iedw02.exe>fsg2.0 | Local Machine
---/
Presumably the machine was hit while browsing a website, but the IE vulnerability protection patch blocked the payload and it failed to run.
He downloaded pe_xscan, ran a scan, and sent me the log; analysing it turned up the following suspicious items:
/---
Pe_xscan 07-03-17 by Purple endurer
2007-4-23 17:42:47
Windows XP Service Pack 2 (5.1.2600)
Administrator user group
[System process] * 0
    C:/progra~1/3721/CNSM.dll | 11:25:54
    C:/progra~1/3721/helper.dll | 10:29:52
    C:/program files/CNNIC/CDN/imaoe.dll |
    C:/program files/CNNIC/CDN/cdnforie.dll |
    C:/program files/CNNIC/CDN/cdndet.dll |
C:/Windows/EXPLORER.EXE * 1096 |
    C:/program files/CNNIC/CDN/imaoe.dll |
    C:/program files/CNNIC/CDN/cdnforie.dll |
    C:/program files/CNNIC/CDN/cdndet.dll |
    C:/progra~1/3721/CNSM.dll | 11:25:54
    C:/progra~1/3721/helper.dll | 10:29:52
    C:/progra~1/3721/alrex.dll | 17:53:48
    C:/progra~1/3721/autolive.dll | 10:58:44
    C:/progra~1/3721/alliveex.dll |
    C:/progra~1/3721/ske/contmenu.dll |
C:/program files/CNNIC/CDN/cdnup.exe * 1152 |
    C:/program files/CNNIC/CDN/cdnup.exe |
    C:/program files/CNNIC/CDN/cdnuplib.dll |
    C:/program files/CNNIC/CDN/cdnprh.dll |
    C:/program files/CNNIC/CDN/cdndet.dll |
    C:/program files/CNNIC/CDN/cdnforie.dll |
    C:/program files/CNNIC/CDN/imaoe.dll |
    C:/progra~1/3721/CNSM.dll | 11:25:54
C:/program files/rising/AntiSpyware/runiep.exe * 1280 | 10:10:34
    C:/progra~1/3721/CNSM.dll | 11:25:54
    C:/program files/CNNIC/CDN/imaoe.dll |
    C:/program files/CNNIC/CDN/cdnforie.dll |
    C:/program files/CNNIC/CDN/cdndet.dll |
C:/Windows/system32/rundll32.exe * 1336 |
    C:/progra~1/3721/helper.dll | 10:29:52
    C:/program files/CNNIC/CDN/imaoe.dll |
    C:/progra~1/3721/CNSM.dll | 11:25:54
    C:/program files/CNNIC/CDN/cdnforie.dll |
    C:/program files/CNNIC/CDN/cdndet.dll |
    C:/progra~1/3721/autolive.dll | 10:58:44
    C:/progra~1/3721/notifier.dll | 17:53:50
    C:/progra~1/3721/alliveex.dll |
C:/Windows/system32/ctfmon.exe * 2324 |
    C:/progra~1/3721/CNSM.dll | 11:25:54
    C:/progra~1/3721/helper.dll | 10:29:52
    C:/program files/CNNIC/CDN/imaoe.dll |
    C:/program files/CNNIC/CDN/cdnforie.dll |
    C:/program files/CNNIC/CDN/cdndet.dll |
D:/software/QQ/timplatform.exe * 2460 |
    C:/progra~1/3721/CNSM.dll | 11:25:54
    C:/progra~1/3721/helper.dll | 10:29:52
    C:/program files/CNNIC/CDN/imaoe.dll |
    C:/program files/CNNIC/CDN/cdnforie.dll |
    C:/program files/CNNIC/CDN/cdndet.dll |
D:/software/QQ/qq.exe * 156 |
    C:/progra~1/3721/CNSM.dll | 11:25:54
    C:/progra~1/3721/helper.dll | 10:29:52
    C:/program files/CNNIC/CDN/imaoe.dll |
    C:/program files/CNNIC/CDN/cdnforie.dll |
    C:/program files/CNNIC/CDN/cdndet.dll |
O2-BHO cdnforie class-{5c3853cf-c7e0-4946-b3fa-1abdb6f48108}-C:/progra~1/CNNIC/CDN/cdnforie.dll
O2-BHO-{669751ed-d558-49ae-b01a-3b374cc7910e}-C:/Windows/system32/ssup.dll
O4-HKLM/../run: [cdnctr] C:/program files/CNNIC/CDN/cdnup.exe
O4-HKLM/../run: [CNSM.dll] rundll32.exe C:/progra~1/3721/CNSM.dll, rundll32
O4-HKLM/../run: [helper.dll] C:/Windows/system32/rundll32.exe C:/progra~1/3721/helper.dll, rundll32
O21-SSODL-rdshost (4)-{CD5BAE98-08ED-4D9C-8D7E-B3B4F958E61C} = rdshost.dll
O23-service: adprot (adprot)-C:/Windows/system32/Drivers/adprot.sys | 18:52:48 (system)
O23-service: cdnprot (cdnprot)-system32/Drivers/cdnprot.sys (pilot)
O23-service: phbpcre (phbpcre)-system32/Drivers/phbpcre.sys (disabled)
O23-service: pjjgkej (pjjgkej)-C:/Windows/system32/Drivers/pjjgkej.sys | (BOOT)
---/
Among these, the O21 entry looks like a leftover from an MSN worm, while the rest are mainly rogue software and adware.
I used HijackThis, Kaka Security Assistant, and Dr.Web CureIt! to scan and repair the system.
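The useful check when triaging a log like the one above is to line the persistence entries (BHOs, Run keys, SSODL, services/drivers) up against the files the antivirus already reported, since a deleted file can leave its autostart entry behind. The following is an added example, not code from the original post or from pe_xscan: a small parser for HijackThis-style O2/O4/O21/O23 lines that groups them by mechanism and cross-references the file names they load against a list of names taken from the antivirus log. The sample input is constructed from the entries shown above (with the extraction spacing normalised); the regexes assume exactly that layout and would need adjusting for other tools' output.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

# Constructed sample input: the O-entries from the pe_xscan log above. Not a live scan.
SAMPLE_LOG = """\
O2-BHO cdnforie class-{5c3853cf-c7e0-4946-b3fa-1abdb6f48108}-C:/progra~1/CNNIC/CDN/cdnforie.dll
O2-BHO-{669751ed-d558-49ae-b01a-3b374cc7910e}-C:/Windows/system32/ssup.dll
O4-HKLM/../run: [cdnctr] C:/program files/CNNIC/CDN/cdnup.exe
O4-HKLM/../run: [CNSM.dll] rundll32.exe C:/progra~1/3721/CNSM.dll, rundll32
O4-HKLM/../run: [helper.dll] C:/Windows/system32/rundll32.exe C:/progra~1/3721/helper.dll, rundll32
O21-SSODL-rdshost (4)-{CD5BAE98-08ED-4D9C-8D7E-B3B4F958E61C} = rdshost.dll
O23-service: adprot (adprot)-C:/Windows/system32/Drivers/adprot.sys | 18:52:48 (system)
O23-service: cdnprot (cdnprot)-system32/Drivers/cdnprot.sys (pilot)
O23-service: phbpcre (phbpcre)-system32/Drivers/phbpcre.sys (disabled)
O23-service: pjjgkej (pjjgkej)-C:/Windows/system32/Drivers/pjjgkej.sys | (BOOT)
"""

# File names the antivirus log above reported (constructed list, taken from that log).
AV_REPORTED_FILES = ["ecdacgcf.sys", "cdnprot.sys", "ravfy48.dll", "iedw02.exe"]

# Human-readable meaning of each HijackThis-style prefix.
KINDS = {
    "O2": "browser helper object",
    "O4": "registry Run key",
    "O21": "ShellServiceObjectDelayLoad",
    "O23": "service / driver",
}

# One regex per entry kind; each yields a 'name' and a 'target' (path or command line).
PATTERNS = {
    "O2": re.compile(r"^O2-BHO\s*(?P<name>.*?)-\{(?P<clsid>[0-9A-Fa-f-]+)\}-(?P<target>.+)$"),
    "O4": re.compile(r"^O4-(?P<hive>HK\w+)/\.\./run:\s*\[(?P<name>[^\]]+)\]\s*(?P<target>.+)$"),
    "O21": re.compile(r"^O21-SSODL-(?P<name>[^-]+)-\{(?P<clsid>[^}]+)\}\s*=\s*(?P<target>.+)$"),
    # O23: optional "| hh:mm:ss" timestamp, then the start state in parentheses.
    "O23": re.compile(r"^O23-service:\s*[^(]*\((?P<name>[^)]+)\)-(?P<target>.+?)"
                      r"(?:\s*\|\s*[\d:]*)?\s*\((?P<state>[^)]+)\)\s*$"),
}

# Anything that looks like a DLL/EXE/SYS path inside a target or command line.
FILE_TOKEN = re.compile(r"[^\s,]+\.(?:dll|exe|sys)\b", re.I)


@dataclass
class Entry:
    kind: str            # O2 / O4 / O21 / O23
    name: str            # display name, Run value name, or CLSID when no name is present
    target: str          # path or command line the mechanism launches
    state: Optional[str] = None  # service start state for O23 entries only


def basename(path: str) -> str:
    """Last path component, accepting both slash styles."""
    return re.split(r"[\\/]", path.strip())[-1]


def parse_log(text: str) -> List[Entry]:
    """Parse the O-entries out of a pe_xscan/HijackThis-style log; other lines are skipped."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        prefix = line.split("-", 1)[0]
        pattern = PATTERNS.get(prefix)
        if not line or pattern is None:
            continue  # process/module lines and unknown kinds are ignored
        m = pattern.match(line)
        if m is None:
            continue  # layout differs from what we expect; do not guess
        g = m.groupdict()
        name = g["name"].strip() or (g.get("clsid") or "")
        entries.append(Entry(prefix, name, g["target"].strip(), g.get("state")))
    return entries


def referenced_files(entry: Entry) -> Set[str]:
    """Lower-cased base names of every executable file the entry's target mentions."""
    return {basename(tok).lower() for tok in FILE_TOKEN.findall(entry.target)}


def summary(entries: Iterable[Entry]) -> Dict[str, List[str]]:
    """Group entry names by persistence mechanism."""
    out: Dict[str, List[str]] = {}
    for e in entries:
        out.setdefault(KINDS.get(e.kind, e.kind), []).append(e.name)
    return out


def cross_reference(entries: Iterable[Entry], flagged_files: Iterable[str]) -> List[Entry]:
    """Entries whose target loads a file the antivirus log reported."""
    flagged = {f.lower() for f in flagged_files}
    return [e for e in entries if referenced_files(e) & flagged]


if __name__ == "__main__":
    found = parse_log(SAMPLE_LOG)
    for kind, names in summary(found).items():
        print(f"{kind}: {', '.join(names)}")
    for e in cross_reference(found, AV_REPORTED_FILES):
        print(f"autostart still references a reported file: {e.kind} {e.name} -> {e.target}")
```

Run against the sample, the cross-reference reports the cdnprot driver service: the antivirus log shows cdnprot.sys detected in several temp folders, yet an O23 service entry still points at a copy under system32/Drivers, which is the kind of entry worth checking on disk before declaring the machine clean. The O21 rdshost.dll entry is not matched because the antivirus never reported that file, which is consistent with the post's remark that it is a leftover rather than something the scanner caught.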