Installed Kaspersky and the computer got even slower? It was the Trojan-PSW.Win32.QQPass family of password-stealing trojans at work (1)
Original by endurer
2008-04-14, 1st edition
A friend's QQ Doctor reported that a password-stealing trojan had been found, so he downloaded Kaspersky 8 from a website hoping to scan for and remove the virus. Unexpectedly, once the installation finished the computer became extremely sluggish and could not be operated at all... I had him restart into Safe Mode with Networking, download DrWeb CureIt! and run a scan; it found and removed some viruses, but after a normal boot the problem remained... so he asked me to help troubleshoot.
Pressing Ctrl+Alt+Del got no response at all, so I had to reset the computer and boot into Safe Mode with Networking. I then downloaded pe_xscan, ran a scan and analysed the log, and found the following suspicious items (entries repeated across the process-module sections are omitted):
pe_xscan 08-03-27 by Purple Endurer
2008-4-12 11:46:2
Windows XP Service Pack 2(5.1.2600)
管理使用者組
帶網路連接的安全模式
[System Process] * 0
C:/WINDOWS/system32/fhdoor1.dll | 2004-8-17 4:0:0
C:/WINDOWS/Fonts/mndoor0.dll | 2004-8-17 4:0:0
C:/WINDOWS/system32/qhdoor1.dll | 2004-8-17 4:0:0
C:/WINDOWS/system32/qsdoor0.dll | 2004-8-17 4:0:0
C:/WINDOWS/system32/qzdoor0.dll | 2004-8-17 4:0:0
C:/WINDOWS/system32/qqdoor0.dll | 2004-8-17 4:0:0
C:/WINDOWS/Explorer.EXE* 276 | 2004-8-17 4:0:0 | Microsoft(R) Windows(R) Operating System | 6.00.2900.3156 | Windows Explorer | (C) Microsoft Corporation. All rights reserved. | 6.00.2900.3156 (xpsp_sp2_gdr.070613-1234) | Microsoft Corporation| ? | explorer | EXPLORER.EXE
C:/WINDOWS/system32/qhdoor1.dll | 2004-8-17 4:0:0
C:/Program Files/Internet Explorer/OnlO0r.dll | 2008-3-22 0:36:54 | Microsoft Windows Operating System | 6.00.2900.3028 | Microsoft Corporation Windows DLL | Copyright (C) 2001.01 | 1. 0. 0. 1 | Microsoft Corporation| ? | Windows.dll | Windows.dll
C:/WINDOWS/Fonts/mndoor0.dll | 2004-8-17 4:0:0
C:/WINDOWS/system32/qqdoor0.dll | 2004-8-17 4:0:0
C:/WINDOWS/system32/qzdoor0.dll | 2004-8-17 4:0:0
C:/WINDOWS/system32/qsdoor0.dll | 2004-8-17 4:0:0
C:/WINDOWS/system32/fhdoor1.dll | 2004-8-17 4:0:0
O2 - BHO - {C2626E66-D21B-E628-C1DF-1DACCFA36ED2} - C:/Program Files/Common Files/fjOs0r.dll
O23 - 服務: 6to4 (6to4) - C:/WINDOWS/System32/svchost.exe -k netsvcs -> C:/WINDOWS/system32/6to4ex.dll | 2004-8-17 12:0:0(自動)
O23 - 服務: dvhzso26 (dvhzso26) - System32/DRIVERS/dvhzso26.sys (引導)
O23 - 服務: lybvrlcy (lybvrlcy) - System32/DRIVERS/lybvrlcy.sys (引導)
O23 - 服務: ngaacn74 (ngaacn74) - system32/drivers/ngaacn74.sys
O23 - 服務: NPF (Netgroup Packet Filter) - system32/drivers/npf.sys | WinPcap Netgroup Packet Filter Driver | 3, 1, 0, 27 | npf | Copyright ? 2005 CACE Technologies. Copyright ? 2003-2005 NetGroup, Politecnico di Torino. | 3, 1, 0, 27 | CACE Technologies | | NPF + TME | npf.sys(手動)
O23 - 服務: vhehnzrh (vhehnzrh) - System32/DRIVERS/vhehnzrh.sys (引導)
O24 - ShlExecHook: [] - {CC3596CB-D6C1-ECA1-AE51-DEEA63F6C21C} = C:/Program Files/Internet Explorer/OnlO0r.dll
O24 - ShlExecHook: [1] - {3980134C-D24C-4857-973F-3A08BE8D7E41} = C:/WINDOWS/system32/tlsosa1.dll
O24 - ShlExecHook: [D] - {ABD0935D-B35A-47BD-BA9A-81678DDE74DD} = C:/WINDOWS/system32/qhdoor1.dll
O24 - ShlExecHook: [8] - {61C1B9CE-1A6F-4994-B4A4-0E7C99AD4C28} = C:/WINDOWS/Fonts/mndoor0.dll
O24 - ShlExecHook: [F] - {D64AC2E4-95B1-40DD-90D9-0C60F7CA64BF} = C:/WINDOWS/system32/qqdoor0.dll
O24 - ShlExecHook: [7] - {49C496E9-732D-4F5D-BEE9-EC113FAA1C97} = C:/WINDOWS/system32/qzdoor0.dll
O24 - ShlExecHook: [1] - {C26A8AB5-B935-400C-A152-0488714725B1} = C:/WINDOWS/system32/qsdoor0.dll
O24 - ShlExecHook: [3] - {80F15C30-5E9D-4CB9-BE85-F3D5564C6F83} = C:/WINDOWS/system32/fhdoor1.dll
So it was the ??door?.dll family of password-stealing trojans causing the trouble...
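As an added example, not part of the original post and not code from pe_xscan, the following Python script encodes the observations used in the analysis above as checks over pe_xscan-style log lines: user-mode DLLs listed under [System Process] (PID 0), file names matching the ??door?.dll pattern, executable modules stored in the Fonts directory, ShellExecuteHook targets living outside System32, and driver services that carry no version or vendor information (compare the NPF entry, which does). The sample log is constructed from a subset of the entries quoted above plus one benign control line (shell32.dll); the rule set and its thresholds are assumptions made for this example, not a published detection signature.

```python
import os
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Heuristic rules: assumptions derived from what the quoted pe_xscan log shows.
RULE_DOOR = "filename matches ??door?.dll family"
RULE_PID0 = "DLL listed under [System Process] (PID 0)"
RULE_FONTS = "executable module stored in the Fonts directory"
RULE_HOOK = "ShellExecuteHook DLL outside System32"
RULE_DRIVER = "driver service without version/vendor information"

SYSTEM32 = "c:/windows/system32"
FONTS = "c:/windows/fonts"

DOOR_NAME = re.compile(r"[a-z]{2}door\d\.dll", re.I)
PROC_HEADER = re.compile(r"^(?P<name>.+?)\s*\*\s*(?P<pid>\d+)(?:\s*\||$)")
MODULE_LINE = re.compile(r"^(?P<path>[A-Za-z]:/[^|]+?)\s*(?:\||$)")
BHO_LINE = re.compile(r"^O2 - BHO - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$")
HOOK_LINE = re.compile(r"^O24 - ShlExecHook: \[[^\]]*\] - \{[0-9A-Fa-f-]+\} = (?P<path>.+)$")
SVC_LINE = re.compile(r"^O23 - [^:]+: (?P<name>\S+) \((?P<display>[^)]*)\) - (?P<rest>.+)$")

# Constructed sample: a subset of the post's log entries plus a benign shell32.dll control line.
SAMPLE_LOG = """\
[System Process] * 0
C:/WINDOWS/system32/fhdoor1.dll | 2004-8-17 4:0:0
C:/WINDOWS/Fonts/mndoor0.dll | 2004-8-17 4:0:0
C:/WINDOWS/Explorer.EXE* 276 | 2004-8-17 4:0:0 | Microsoft(R) Windows(R) Operating System
C:/WINDOWS/system32/shell32.dll | 2004-8-17 4:0:0 | Microsoft(R) Windows(R) Operating System
C:/WINDOWS/system32/qhdoor1.dll | 2004-8-17 4:0:0
C:/Program Files/Internet Explorer/OnlO0r.dll | 2008-3-22 0:36:54 | Microsoft Windows Operating System
O2 - BHO - {C2626E66-D21B-E628-C1DF-1DACCFA36ED2} - C:/Program Files/Common Files/fjOs0r.dll
O23 - 服務: 6to4 (6to4) - C:/WINDOWS/System32/svchost.exe -k netsvcs -> C:/WINDOWS/system32/6to4ex.dll | 2004-8-17 12:0:0(自動)
O23 - 服務: dvhzso26 (dvhzso26) - System32/DRIVERS/dvhzso26.sys (引導)
O23 - 服務: NPF (Netgroup Packet Filter) - system32/drivers/npf.sys | WinPcap Netgroup Packet Filter Driver | 3, 1, 0, 27 | CACE Technologies | npf.sys(手動)
O24 - ShlExecHook: [] - {CC3596CB-D6C1-ECA1-AE51-DEEA63F6C21C} = C:/Program Files/Internet Explorer/OnlO0r.dll
O24 - ShlExecHook: [D] - {ABD0935D-B35A-47BD-BA9A-81678DDE74DD} = C:/WINDOWS/system32/qhdoor1.dll
O24 - ShlExecHook: [8] - {61C1B9CE-1A6F-4994-B4A4-0E7C99AD4C28} = C:/WINDOWS/Fonts/mndoor0.dll
"""


@dataclass(frozen=True)
class Finding:
    rule: str
    path: str      # normalised: forward slashes, lower case
    line_no: int   # first log line on which this (rule, path) pair was seen


def norm(path: str) -> str:
    return path.strip().replace("\\", "/").lower()


def analyze(text: str) -> List[Finding]:
    findings: List[Finding] = []
    seen: Set[Tuple[str, str]] = set()
    current_pid = None  # PID of the process whose module list we are currently inside

    def flag(rule: str, path: str, n: int) -> None:
        if (rule, path) not in seen:  # one finding per (rule, path), whichever line hits first
            seen.add((rule, path))
            findings.append(Finding(rule, path, n))

    def check_name_and_location(path: str, n: int) -> None:
        base = os.path.basename(path)
        if DOOR_NAME.fullmatch(base):
            flag(RULE_DOOR, path, n)
        if os.path.dirname(path) == FONTS and base.endswith((".dll", ".sys")):
            flag(RULE_FONTS, path, n)

    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if (m := PROC_HEADER.match(line)):          # "<image>* <pid> | ..." starts a module list
            current_pid = int(m.group("pid"))
        elif (m := HOOK_LINE.match(line)):          # O24: ShellExecuteHooks registration
            path = norm(m.group("path"))
            check_name_and_location(path, n)
            if os.path.dirname(path) != SYSTEM32:
                flag(RULE_HOOK, path, n)
        elif (m := BHO_LINE.match(line)):           # O2: Browser Helper Object
            check_name_and_location(norm(m.group("path")), n)
        elif (m := SVC_LINE.match(line)):           # O23: service / driver
            rest = m.group("rest")
            image = norm(rest.split("|")[0].split(" (")[0])
            if image.endswith(".sys") and "|" not in rest:  # no version-resource fields at all
                flag(RULE_DRIVER, image, n)
        elif (m := MODULE_LINE.match(line)):        # a module loaded in the current process
            path = norm(m.group("path"))
            check_name_and_location(path, n)
            if current_pid == 0:                    # PID 0 should never list user-mode DLLs
                flag(RULE_PID0, path, n)
    return findings


def summarize(findings: List[Finding]) -> Dict[str, List[str]]:
    """Group flagged paths by rule, sorted, for a compact report."""
    report: Dict[str, List[str]] = {}
    for f in findings:
        report.setdefault(f.rule, []).append(f.path)
    return {rule: sorted(paths) for rule, paths in report.items()}


if __name__ == "__main__":
    for rule, paths in summarize(analyze(SAMPLE_LOG)).items():
        print(rule)
        for p in paths:
            print("   ", p)
```

The PID 0 rule is the cheapest and most telling check here: the System (idle) process has no user-mode image, so any DLL attributed to it is being injected or hooked system-wide rather than loaded normally. The driver rule deliberately keys on the absence of a version block rather than on the random-looking names, because name entropy heuristics produce more false positives than a missing vendor field does.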
(To be continued)