04-17 / A netizen's computer has become a Gray Pigeon nest / V2


Original work by endurer
2007-04-17 Version 2: added the pe_xscan log analysis, the Dr.Web CureIt scan results, and information on some of the virus samples
2007-04-16 Version 1

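Just now a netizen reported that his computer had been running very slowly lately and asked me to check it via QQ Remote Assistance.

Opening Task Manager, I found processes named Down(0).exe and iexplore.exe, although IE was not running at the time. The machine was probably infected.

Downloaded pe_xscan and HijackThis and scanned to produce logs.

The pe_xscan log contained the following suspicious items: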
/===
pe_xscan 07-03-25 by Purple Endurer
2007-4-16 21:59:33
Windows XP Service Pack 2(5.1.2600)
管理使用者組
[System Process] * 0
    C:/WINDOWS/SYSTEM32/WINNETWORKKEY.DLL | 1980-4-2 7:1:26
C:/WINDOWS/system32/Down(0).exe * 1484 | 1980-4-2 7:1:30
    C:/WINDOWS/system32/Down(0).exe | 1980-4-2 7:1:30
C:/WINDOWS/Explorer.EXE * 1644 | 2004-8-17 12:0:0 | Microsoft(R) Windows(R) OperatingSystem | 6.00.2900.2180 | Windows Explorer | (C) Microsoft Corporation. All rights reserved.| 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | explorer |EXPLORER.EXE
    C:/WINDOWS/SYSTEM32/WINNETWORKKEY.DLL | 1980-4-2 7:1:26
C:/Program Files/Internet Explorer/IEXPLORE.EXE * 1720 | 2004-8-17 20:0:0 |Microsoft(R) Windows(R) Operating System | 6.00.2900.2180 | Internet Explorer | (C)Microsoft Corporation. All rights reserved. | 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) |Microsoft Corporation| ? | iexplore | IEXPLORE.EXE
    C:/WINDOWS/SYSTEM32/WINNETWORKKEY.DLL | 1980-4-2 7:1:26
C:/Program Files/Internet Explorer/IEXPLORE.EXE * 1784 | 2004-8-17 20:0:0 |Microsoft(R) Windows(R) Operating System | 6.00.2900.2180 | Internet Explorer | (C)Microsoft Corporation. All rights reserved. | 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) |Microsoft Corporation| ? | iexplore | IEXPLORE.EXE
    C:/WINDOWS/SYSTEM32/WINNETWORKKEY.DLL | 1980-4-2 7:1:26
C:/program files/internet explorer/iexplore.exe * 1804 | 2004-8-17 20:0:0 |Microsoft(R) Windows(R) Operating System | 6.00.2900.2180 | Internet Explorer | (C)Microsoft Corporation. All rights reserved. | 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) |Microsoft Corporation| ? | iexplore | IEXPLORE.EXE
    C:/WINDOWS/system32/ok6250522.3322.org.dll | 2007-4-15 14:21:32 | Microsoft?Windows? Operating System | 5.1.2600.2180 | Microsoft? Windows? Operating System | MicrosoftCorporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | MicrosoftCorporation |  | VipDll | msgsvc4.dll
C:/WINDOWS/system32/khooker.exe * 236 | 2002-9-24 1:50:48 | SIS (R) Compatible SuperVGA keyboard daemon for Windows 2000/XP | 0.0.0.2098 | SiS Compatible Super VGA KeyboardDaemon | Copyright (C) Silicon Integrated Systems Corp. 1998-2002 | 0.0.0.2098 | SiliconIntegrated Systems Corporation |  | KHOOKER 2.09j.03 | KHOOKER.EXE
    C:/WINDOWS/SYSTEM32/WINNETWORKKEY.DLL | 1980-4-2 7:1:26
C:/Program Files/Common Files/Real/Update_OB/realsched.exe * 320 | 2007-2-1415:9:14 | RealPlayer (32-bit)  | 0.1.0.3760 | RealNetworks Scheduler | Copyright ?RealNetworks, Inc. 1995-2004 | 0.1.0.3760 | RealNetworks, Inc. | RealAudio(tm) is atrademark of RealNetworks, Inc. | schedapp | realsched.exe
    C:/WINDOWS/SYSTEM32/WINNETWORKKEY.DLL | 1980-4-2 7:1:26
C:/WINDOWS/system32/ctfmon.exe * 352 | 2004-8-17 12:0:0 | Microsoft? Windows?Operating System | 5.1.2600.2180 | CTF Loader | ? Microsoft Corporation. All rightsreserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | CTFMON |CTFMON.EXE
    C:/WINDOWS/SYSTEM32/WINNETWORKKEY.DLL | 1980-4-2 7:1:26
C:/SVCHOST.exe * 428 | 2006-11-15 21:59:30
    C:/SVCHOST.exe | 2006-11-15 21:59:30
    C:/WINDOWS/system32/ntdll.dll | 2004-8-17 12:0:0 | Microsoft(R) Windows(R)Operating System | 5.1.2600.2180 | NT Layer DLL | (C) Microsoft Corporation. All rightsreserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | ntdll.dll| ntdll.dll
    C:/WINDOWS/SYSTEM32/WINNETWORKKEY.DLL | 1980-4-2 7:1:26
C:/Program Files/Messenger/msmsgs.exe * 456 | 2004-10-14 0:24:38 | Messenger |Version 4.7.3001 | Windows Messenger | Copyright (c) Microsoft Corporation 2004 | 4.7.3001 |Microsoft Corporation | Microsoft(R) is a registered trademark of Microsoft Corporation inthe U.S. and/or other countries. | msmsgs | msmsgs.exe
    C:/WINDOWS/SYSTEM32/WINNETWORKKEY.DLL | 1980-4-2 7:1:26
C:/Program Files/Internet Explorer/IEXPLORE.EXE * 932 | 2004-8-17 20:0:0 |Microsoft(R) Windows(R) Operating System | 6.00.2900.2180 | Internet Explorer | (C)Microsoft Corporation. All rights reserved. | 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) |Microsoft Corporation| ? | iexplore | IEXPLORE.EXE
    C:/WINDOWS/SYSTEM32/WINNETWORKKEY.DLL | 1980-4-2 7:1:26
C:/WINDOWS/system32/Down(0).exe * 964 | 1980-4-2 7:1:30
    C:/WINDOWS/system32/Down(0).exe | 1980-4-2 7:1:30
C:/PROGRA~1/GAMECH~1/GameHall.exe * 3084 | 2007-1-19 13:7:42 | GameHall 應用程式 | 18, 0, 2006, 1012 | 遊戲大廳程式 | 同城遊戲 (C) 2003-2004 | 18, 0, 2006, 1012 | 同城遊戲 |  | GameHall | GameHall.EXE
    C:/WINDOWS/SYSTEM32/WINNETWORKKEY.DLL | 1980-4-2 7:1:26
C:/WINDOWS/system32/conime.exe * 1312 | 2004-8-17 12:0:0 | Microsoft? Windows?Operating System | 5.1.2600.2180 | Console IME | ? Microsoft Corporation. All rightsreserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | Console |CONIME.EXE
    C:/WINDOWS/SYSTEM32/WINNETWORKKEY.DLL | 1980-4-2 7:1:26
C:/Documents and Settings/Administrator/Local Settings/Temporary Internet Files/Content.IE5/YHL2J69S/3[1].exe * 2692 | 2007-4-16 16:50:30
    C:/WINDOWS/SYSTEM32/WINNETWORKKEY.DLL | 1980-4-2 7:1:26

O4 - HKCR/../Run: [bgswitch] C:/WINDOWS/system32/bgswitch.exe
O4 - HKCR/../Run: [system] c:/SVCHOST.exe

O4 - HKLM/../Run: [HTpatch] C:/WINDOWS/htpatch.exe

D:/autorun.inf
/-----
[AutoRun]
open=sxs.exe
shellexecute=sxs.exe
shell/Auto/command=sxs.exe
-----/
F:/autorun.inf
/-----
[AutoRun]
open=sxs.exe
shellexecute=sxs.exe
shell/Auto/command=sxs.exe
-----/

O9 - IE工具列擴充按鈕HKLM:JUJU貓 - {6096E38F-5AC1-4391-8EC4-75DFA92FB32F} - http://www.jujumao.com
O9 - IE工具菜單擴充項HKLM: - {6096E38F-5AC1-4391-8EC4-75DFA92FB32F} - http://www.jujumao.com

O23 - 服務: 110 (110) - C:/WINDOWS/system32/Down(0).exe | 1980-4-2 7:1:30(自動)
O23 - 服務: cdnprot (cdnprot) - system32/drivers/cdnprot.sys(引導)
O23 - 服務: cdntran (cdntran) - system32/drivers/cdntran.sys(自動)
O23 - 服務: DHCPmanager (DHCPmanager) - C:/WINDOWS/system32/DHCPmanager.exe | 1980-4-2 7:1:40(自動)
O23 - 服務: ferdr (FERDR) - C:/WINDOWS/system32/Drivers/Ferdr.sys | 2002-5-31 10:26:22(自動)
O23 - 服務: GrayPigeonServer1.23 (Gray_Pigeon_Server1.23) - C:/WINDOWS/G_Server1.23.exe | 2007-3-21 21:40:6(自動)
O23 - 服務: ok6250522.3322.org (ok6250522.3322.org) - C:/WINDOWS/system32/ok6250522.3322.org.exe | 2007-4-16 13:32:18(自動)
O23 - 服務: windows backup for xp (window backup for xp) - c:/backup/backupms0213313751.exe | 2007-3-21 20:49:42(自動)
O23 - 服務: Windows XP Vista         (Windows XP Vista        ) - C:/WINDOWS/Hac.exe(自動)
O23 - 服務: windows_0 (Windows Accounts Driver) - C:/WINDOWS/system32/Down(0).exe | 1980-4-2 7:1:30(自動)

SHOWALL    Type isn't dword
===/
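
One way to triage a pe_xscan process listing like the one above, as an added example (not part of the original post and not pe_xscan's own code). The cutoff date, the reason strings and the function names are assumptions of this example; the sample lines are abridged from the log above.

```python
import re
from collections import defaultdict
from datetime import datetime

# Lines abridged from the pe_xscan log above (version fields shortened).
SAMPLE_LOG = """\
C:/WINDOWS/system32/Down(0).exe * 1484 | 1980-4-2 7:1:30
C:/WINDOWS/Explorer.EXE * 1644 | 2004-8-17 12:0:0 | Windows Explorer | 6.00.2900.2180
    C:/WINDOWS/SYSTEM32/WINNETWORKKEY.DLL | 1980-4-2 7:1:26
C:/WINDOWS/system32/ctfmon.exe * 352 | 2004-8-17 12:0:0 | CTF Loader | 5.1.2600.2180
    C:/WINDOWS/SYSTEM32/WINNETWORKKEY.DLL | 1980-4-2 7:1:26
C:/SVCHOST.exe * 428 | 2006-11-15 21:59:30
    C:/WINDOWS/system32/ntdll.dll | 2004-8-17 12:0:0 | NT Layer DLL | 5.1.2600.2180
    C:/WINDOWS/SYSTEM32/WINNETWORKKEY.DLL | 1980-4-2 7:1:26
"""

CUTOFF = datetime(2001, 1, 1)  # assumption: files on this XP SP2 host should not predate it
ODD_DIR = re.compile(r"^[a-z]:/[^/]+$|/temporary internet files/", re.I)  # drive root, IE cache

def parse(log):
    """Yield (is_process, path, pid, mtime, has_version_info) for each log line."""
    for line in log.splitlines():
        if not line.strip():
            continue
        fields = [f.strip() for f in line.split("|")]
        is_process = not line[0].isspace()      # module lines are indented
        path, pid = fields[0], None
        if is_process:
            path, _, pid = fields[0].rpartition(" * ")
        mtime = datetime.strptime(fields[1], "%Y-%m-%d %H:%M:%S") if len(fields) > 1 else None
        yield is_process, path, pid, mtime, len(fields) > 2

def triage(log):
    """Map lower-cased path -> set of reasons the entry deserves a closer look."""
    reasons, hosts, current_pid = defaultdict(set), defaultdict(set), None
    for is_process, path, pid, mtime, versioned in parse(log):
        key = path.lower()
        if is_process:
            current_pid = pid
            if ODD_DIR.search(key):
                reasons[key].add("unusual image location")
        elif not versioned:
            hosts[key].add(current_pid)         # which processes load this module
        if not versioned and mtime and mtime < CUTOFF:
            reasons[key].add("no version info, timestamp predates OS")
    for key, pids in hosts.items():
        if len(pids) >= 2:
            reasons[key].add("unversioned module in %d processes" % len(pids))
    return dict(reasons)
```

These are triage hints, not verdicts: legitimate files can lack version resources, so each flagged path still needs a scanner or manual check.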

Next, the HijackThis log:
/---
Logfile of HijackThis v1.99.1
Scan saved at 22:01:17, on 2007-4-16
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:/WINDOWS/system32/Down(0).exe

O4 - HKLM/../Run: [HTpatch] C:/WINDOWS/htpatch.exe
O4 - HKCU/../Run: [bgswitch] C:/WINDOWS/system32/bgswitch.exe
O4 - HKCU/../Run: [system] c:/SVCHOST.exe

O23 - Service: 110 - Unknown owner - C:/WINDOWS/system32/Down(0).exe

O23 - Service: DHCPmanager - Unknown owner - C:/WINDOWS/system32/DHCPmanager.exe

O23 - Service: Gray_Pigeon_Server1.23 (GrayPigeonServer1.23) - Unknown owner - C:/WINDOWS/G_Server1.23.exe (file missing)

O23 - Service: ok6250522.3322.org - Unknown owner - C:/WINDOWS/system32/ok6250522.3322.org.exe

O23 - Service: window backup for xp (windows backup for xp) - Unknown owner - c:/backup/backupms0213313751.exe

O23 - Service: Windows XP Vista         - Unknown owner - C:/WINDOWS/Hac.exe (file missing)

O23 - Service: Windows Accounts Driver (windows_0) - Unknown owner - C:/WINDOWS/system32/Down(0).exe

O23 - Service: WinNetwork - Unknown owner - C:/WINDOWS/system32/WinNetwork.exe
---/

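Downloaded IceSword from http://endurer.ys168.com and checked the processes; there was also a hidden IE process.

Terminated the virus processes.

Stopped and disabled the services listed under O23.

Downloaded FileInfo and bat_do from http://purpleendurer.ys168.com. Used FileInfo to extract the file information and bat_do to package the virus files.

Downloaded Dr.Web CureIt (for how to use it, see:
Free malware detection and removal tool---Dr.Web CureIt! http://endurer.bokee.com/5488502.html). Because of time constraints, only c:/windows and c:/Documents and Settings were scanned; the results... will be added tomorrow.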

============================
Dr.Web(R) Scanner for Windows v4.33.2 (4.33.2.10067)

[Scan path] c:/windows/htpatch.exe
c:/windows/htpatch.exe is hacktool program Tool.Htpatch
----------------------------

[Scan path] C:/WINDOWS
C:/WINDOWS/htpatch.exe is hacktool program Tool.Htpatch
>C:/WINDOWS/system32/DHCPmanager.exe.vi infected with BackDoor.Pigeon.1220 - deleted
C:/WINDOWS/system32/DHCPmanager.DLL.vi infected with BackDoor.Pigeon.680 - deleted
C:/WINDOWS/system32/DHCPMANAGERKEY.DLL.vi infected with BackDoor.Pigeon.1294 - deleted
C:/WINDOWS/system32/RpcS.dll infected with BackDoor.Klj - deleted
C:/WINDOWS/system32/WinNetwork.exe.vi infected with BackDoor.Pigeon.1562 - deleted
>C:/WINDOWS/system32/WinNetwork.DLL.vi infected with BackDoor.Pigeon.1562 - deleted
>C:/WINDOWS/system32/WINNETWORKKEY.DLL.vi infected with BackDoor.Pigeon.1562 - deleted
>C:/WINDOWS/system32/ok6250522.3322.org.exe.vi probably infected with BINARYRES
C:/WINDOWS/system32/ok6250522.3322.org.dll.vi probably infected with DLOADER.Trojan

C:/WINDOWS/system32/drivers/i.sys is adware program Adware.Cdn
C:/WINDOWS/Temp/DHCPmanager0.DLL infected with BackDoor.Pigeon.680 - deleted
>C:/WINDOWS/Temp/WinNetwork0.DLL infected with BackDoor.Pigeon.1562 - deleted
>C:/WINDOWS/Temp/WinNetwork1.DLL infected with BackDoor.Pigeon.1562 - deleted

[Scan path] C:/Documents and Settings
>C:/Documents and Settings/Administrator/Local Settings/Temp/MPSampleSubmit/WinNetwork.exe.xor infected with BackDoor.Pigeon.1562 - deleted
>C:/Documents and Settings/Administrator/Local Settings/Temp/MPSampleSubmit/DHCPMANAGERKEY.DLL.xor infected with BackDoor.Pigeon.1294 - deleted
>C:/Documents and Settings/Administrator/Local Settings/Temp/MPSampleSubmit/DHCPmanager.DLL.xor infected with BackDoor.Pigeon.680 - deleted
>C:/Documents and Settings/Administrator/Local Settings/Temporary Internet Files/Content.IE5/68YH35WC/icast[1].js
>C:/Documents and Settings/Administrator/Local Settings/Temporary Internet Files/Content.IE5/LVN1357C/formdatecheck[1].js
C:/Documents and Settings/Administrator/Local Settings/Temporary Internet Files/Content.IE5/ZVPBN9SW/network[1].exe infected with BackDoor.Pigeon.1562 - deleted

----------------------------
c:/windows/htpatch.exe - deleted
C:/WINDOWS/htpatch.exe - deleted
C:/WINDOWS/system32/ok6250522.3322.org.exe.vi - deleted
C:/WINDOWS/system32/ok6250522.3322.org.dll.vi.vi - will be deleted after reboot
C:/WINDOWS/system32/drivers/i.sys - deleted

============================
Total session statistics
============================
Objects scanned: 30891
Infected objects found: 14
Objects with modifications found: 0
Suspicious objects found: 2
Adware programs found: 1
Dialer programs found: 0
Joke programs found: 0
Riskware programs found: 0
Hacktool programs found: 2
Objects cured: 0
Objects deleted: 19
Objects renamed: 0
Objects moved: 0
Objects ignored: 0
Scan speed: 1800 Kb/s
Scan time: 00:28:41
============================

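Fixed the suspicious items with HijackThis.

For the files that Dr.Web CureIt failed to detect and remove, used bat_do to generate commands that clear all file attributes and delete the files, to be executed at the next startup.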

檔案說明符 : C:/WINDOWS/system32/WINNETWORKKEY.DLL
屬性 : -SHR
擷取檔案版本資訊大小失敗!
建立時間 : 2007-4-12 18:29:56
修改時間 : 1980-4-2 7:1:26
訪問時間 : 2007-4-16 0:0:0
大小 : 27664 位元組 27.16 KB
MD5 : 66e062502fb59d9157526f25614dfdfc

檔案說明符 : D:/sxs.exe
屬性 : -SH-
擷取檔案版本資訊大小失敗!
建立時間 : 2006-9-2 20:28:51
修改時間 : 2006-8-11 2:12:48
訪問時間 : 2007-4-16 0:0:0
大小 : 33815 位元組 33.23 KB
MD5 : 1781cb8004dc700ac66d799c35ac5c5a

Kaspersky reports it as Trojan-PSW.Win32.QQPass.jn

檔案說明符 : C:/net.exe
屬性 : A---
擷取檔案版本資訊大小失敗!
建立時間 : 1980-4-2 7:1:34
修改時間 : 1980-4-2 7:1:36
訪問時間 : 2007-4-16 0:0:0
大小 : 315697 位元組 308.305 KB
MD5 : 8b50d965ffacdb56e00e670ad105fa53

檔案說明符 : C:/WINDOWS/Hac.exe
屬性 : A---
擷取檔案版本資訊大小失敗!
建立時間 : 2007-4-5 13:33:5
修改時間 : 2007-4-5 13:33:6
訪問時間 : 2007-4-16 0:0:0
大小 : 627712 位元組 613.0 KB
MD5 : 9dd4cae0b290fc6c3183e0b867079ea3

檔案說明符 : C:/WINDOWS/system32/Down(0).exe
屬性 : A---
擷取檔案版本資訊大小失敗!
建立時間 : 1980-4-2 7:1:31
修改時間 : 1980-4-2 7:1:30
訪問時間 : 2007-4-16 0:0:0
大小 : 17920 位元組 17.512 KB
MD5 : 911c879eba7bc9a474ec8fa5c327d6b6

檔案說明符 : C:/WINDOWS/system32/WinNetwork.DLL
屬性 : ASHR
擷取檔案版本資訊大小失敗!
建立時間 : 1980-4-8 22:6:5
修改時間 : 1980-4-2 7:1:12
訪問時間 : 2007-4-16 0:0:0
大小 : 257258 位元組 251.234 KB
MD5 : 3ffee9665b61a4cb9155098b0fa63a01

Kaspersky reports it as Backdoor.Win32.Hupigon.edb

檔案說明符 : C:/WINDOWS/system32/WINNETWORKKEY.DLL
屬性 : ASHR
擷取檔案版本資訊大小失敗!
建立時間 : 2007-4-12 18:29:56
修改時間 : 1980-4-2 7:1:26
訪問時間 : 2007-4-16 0:0:0
大小 : 27664 位元組 27.16 KB
MD5 : 66e062502fb59d9157526f25614dfdfc

Kaspersky reports it as Backdoor.Win32.Hupigon.cge

檔案說明符 : C:/WINDOWS/system32/DHCPmanager.exe
屬性 : ASHR
擷取檔案版本資訊大小失敗!
建立時間 : 1980-4-3 23:39:46
修改時間 : 1980-4-2 7:1:40
訪問時間 : 2007-4-16 0:0:0
大小 : 293058 位元組 286.194 KB
MD5 : 0c8db59d9480bb0eb745fc97dd2bd729

檔案說明符 : C:/WINDOWS/system32/WinNetwork.exe
屬性 : A---
擷取檔案版本資訊大小失敗!
建立時間 : 1980-4-8 22:6:2
修改時間 : 1980-4-2 7:1:42
訪問時間 : 2007-4-16 0:0:0
大小 : 315697 位元組 308.305 KB
MD5 : 8b50d965ffacdb56e00e670ad105fa53

Kaspersky reports it as Backdoor.Win32.Hupigon.edb

檔案說明符 : C:/backup/backupms0213313751.exe
屬性 : -SHR
擷取檔案版本資訊大小失敗!
建立時間 : 2007-3-21 19:51:1
修改時間 : 2007-3-21 20:49:42
訪問時間 : 2007-4-16 0:0:0
大小 : 624236 位元組 609.620 KB
MD5 : e855d4668047e699077d5b3b5e6eb250

C:/>dir backup /a
 磁碟機 C 中的卷沒有標籤。
 卷的序號是 84E4-56E2

 C:/backup 的目錄

2007-03-21  19:51    <DIR>          .
2007-03-21  19:51    <DIR>          ..
2007-03-21  20:49           624,236 backupms0213313751.exe
2007-04-16  16:52            18,944 Down(0).exe
2007-04-16  13:06            18,944 Down(1).exe
2007-04-13  22:05            18,944 Down(2).exe
2007-04-13  22:08            18,944 Down(3).exe
2007-04-05  17:59            18,944 Down(4).exe
2007-04-05  17:59            18,944 Down(5).exe
2007-04-02  18:53            18,944 Down(6).exe
2007-04-02  18:53            18,944 Down(7).exe
2007-03-31  20:50            18,944 Down(8).exe
2007-03-31  20:13            18,944 Down(9).exe
2007-03-31  20:13            18,944 Down(10).exe
2007-03-31  20:13            18,944 Down(11).exe
2007-03-31  20:13            18,944 Down(12).exe
2007-03-31  20:13            18,944 Down(13).exe
2007-03-31  20:13            18,944 Down(14).exe
              16 個檔案        908,396 位元組
               2 個目錄  3,691,520,000 可用位元組

檔案說明符 : C:/WINDOWS/system32/ok6250522.3322.org.dll
屬性 : -SHR
語言 : 中文(中國)
檔案版本 : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
說明 : Microsoft? Windows? Operating System
著作權 : Microsoft Corporation. All rights reserved.
備忘 :
產品版本 : 5.1.2600.2180
產品名稱 : Microsoft? Windows? Operating System
公司名稱 : Microsoft Corporation
合法商標 :
內部名稱 : VipDll
源檔案名稱 : msgsvc4.dll
建立時間 : 2007-4-15 14:21:31
修改時間 : 2007-4-15 14:21:32
訪問時間 : 2007-4-16 0:0:0
大小 : 17408 位元組 17.0 KB
MD5 : 74d1ab119831c91da4bc22d44761fcd4

檔案說明符 : C:/WINDOWS/system32/ok6250522.3322.org.exe
屬性 : A---
擷取檔案版本資訊大小失敗!
建立時間 : 2007-4-15 14:21:28
修改時間 : 2007-4-16 13:32:18
訪問時間 : 2007-4-16 0:0:0
大小 : 43008 位元組 42.0 KB
MD5 : 212b77e3914735ee18ef5fde966870b4

檔案說明符 : C:/WINDOWS/htpatch.exe
屬性 : A--R
擷取檔案版本資訊大小失敗!
建立時間 : 2007-11-15 10:55:18
修改時間 : 2002-12-20 0:40:24
訪問時間 : 2007-4-16 0:0:0
大小 : 28672 位元組 28.0 KB
MD5 : 47122e4e9b3da3e6ee66e1a56aae8f57

Dr.Web reports it as Tool.Htpatch

G_Server1.23.exe: Kaspersky reports it as Packed.Win32.PePatch.ev
DHCPmanager.exe, DHCPmanager.DLL, DHCPMANAGERKEY.DLL: Kaspersky reports them as Backdoor.Win32.Hupigon.emr
