Killed Another Batch of Viruses (2nd edition)

王朝 other · author unknown  2006-01-10

Original by endurer

2005.12.21: the 2nd edition adds Rising's response to Tvdpay.exe.

2005.12.20: 1st edition

Yesterday I helped a netizen clean a batch of viruses off his machine, including several Gray Pigeon (灰鸽子) backdoors.

The netizen's computer runs Windows XP without even the SP1 patch applied. Although Jiangmin KV was installed, the machine had still turned into a malware nest: several advertising windows popped up at random, and links to malicious sites had been added to the desktop and the Start menu.

First I ran Rising's free online scan; the results were as follows:

2005-12-19 15:53:30 瑞星杀毒助手
Windows XP (5.1.2600)

File name    Virus name
C:\WINDOWS\system32\msisexec.exe    TrojanSpy.Win32.Delf.da
C:\WINDOWS\system32\inetapi32.dll    TrojanSpy.Win32.Delf.dh.dll
C:\WINDOWS\Temp\dvdpaye0.DLL    Backdoor.Gpigeon.lz
C:\WINDOWS\Temp\Tvdpay0.DLL    Backdoor.Gpigeon.qw
C:\WINDOWS\sllserv.exe    Trojan.PSW.Lmir.iwu
C:\WINDOWS\ie.exe>>chk.exe    Trojan.Win32.LaSta.ba
C:\WINDOWS\ie.exe>>pj.exe    Trojan.Win32.LaSta.bc
C:\WINDOWS\Tvdpay_Hook1.DLL    Backdoor.Gpigeon.stv
C:\WINDOWS\Tvdpay_HOOk2.DLL    Backdoor.GPigeon.uq
C:\WINDOWS\Tvdpay_HOOk3.DLL    Backdoor.GPigeon.uq
C:\WINDOWS\Tvdpay.DLL    Backdoor.Gpigeon.qw
C:\WINDOWS\Tvdpay_HOOk.DLL    Backdoor.GPigeon.uq
C:\WINDOWS\assistseex.exe    Trojan.PSW.Lmir.iwu
C:\WINDOWS\uninstallex.exe    Trojan.PSW.Lmir.iwu
C:\WINDOWS\ced.dll    Trojan.PSW.Lmir.ivh
C:\Documents and Settings\hengg\Local Settings\Temp\F8D2.exe    TrojanSpy.Win32.Delf.da
C:\Documents and Settings\hengg\Local Settings\Application Data\3721TRQua\Backdoor\Backdoor.Win32.BlackHole.2005.c\SysLog.exe.malicious    Backdoor.JiaoZhu.a
C:\Documents and Settings\hengg\Local Settings\Application Data\3721TRQua\Trojan-PSW\Trojan-PSW.Win32.QQRob.16\NTdhcp.exe.malicious    Trojan.PSW.QQRobber.16
C:\Documents and Settings\hengg\「开始」菜单\程序\启动\run.bat    Trojan.WinREG.StartPage.d
C:\hao5.exe    Trojan.StartPage.m
C:\$NtUninstallQ1494$\3721.bat    Trojan.WinREG.StartPage.d
C:\run.bat    Trojan.WinREG.StartPage.d
C:\$NtUninstallQ5926809$\sp4custom.dll    Trojan.VBS.Wisis.d
C:\boot.exe    Trojan.PSW.Lmir.iwx

I packed each virus file into an archive as a backup, then deleted it. (A quick preview, by the way: the next version of Rising's antivirus assistant may add a feature for packing up virus files, so this chore will no longer be necessary!)

Next I went through "Add or Remove Programs" in Control Panel and uninstalled several pieces of rogue software.

Then I scanned with HijackThis, which produced the following log:

Logfile of HijackThis v1.99.1
Scan saved at 16:49:04, on 2005-12-19
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\Rundll32.exe
C:\WINDOWS\System32\ctfmon.exe
F:\QQ\QQ.exe
F:\QQ\TIMPlatform.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\WinRAR\WinRAR.exe
F:\WUTemp\HijackThis.exe

R3 - URLSearchHook: MyURLSearchHook Class - {982CB676-38F0-4D9A-BB72-D9371ABE876E} - C:\Program Files\P4P\ToolBar.dll
O1 - Hosts: 218.85.133.109 www.vodfans.com
O1 - Hosts: 218.85.133.109 vodfans.com
O1 - Hosts: 218.85.133.109 www.k234.com
O1 - Hosts: 218.85.133.109 k234.com
O1 - Hosts: 218.85.133.109 www.goodwww.com
O1 - Hosts: 218.85.133.109 goodwww.com
O1 - Hosts: 218.85.133.109 www.tv66.org
O1 - Hosts: 218.85.133.109 tv66.org
O1 - Hosts: 218.85.133.109 www.w555.com
O1 - Hosts: 218.85.133.109 w555.com
O1 - Hosts: 218.85.133.109 www.tkfilm.com
O1 - Hosts: 218.85.133.109 tkfilm.com
O1 - Hosts: 218.85.133.109 www.163.zhao117.com
O1 - Hosts: 218.85.133.109 163.zhao117.com
O1 - Hosts: 218.85.133.109 www.v.wg818.com
O1 - Hosts: 218.85.133.109 v.wg818.com
O1 - Hosts: 218.85.133.109 www.7122.com
O1 - Hosts: 218.85.133.109 7122.com
O1 - Hosts: 218.85.133.109 www.v.wg818.com
O1 - Hosts: 218.85.133.109 v.wg818.com
O1 - Hosts: 218.85.133.109 www.hot.3721.com
O1 - Hosts: 218.85.133.109 hot.3721.com
O1 - Hosts: 218.85.133.109 www.99770.com
O1 - Hosts: 218.85.133.109 99770.com
O1 - Hosts: 218.85.133.109 www.kk369.net
O1 - Hosts: 218.85.133.109 kk369.net
O1 - Hosts: 218.85.133.109 www.xunlei.com
O1 - Hosts: 218.85.133.109 xunlei.com
O1 - Hosts: 218.85.133.109 www.92bt.com
O1 - Hosts: 218.85.133.109 92bt.com
O1 - Hosts: 218.85.133.109 www.search.onlinedown.net
O1 - Hosts: 218.85.133.109 search.onlinedown.net
O1 - Hosts: 218.85.133.109 www.ent.da163.net
O1 - Hosts: 218.85.133.109 ent.da163.net
O1 - Hosts: 218.85.133.109 www.lbxx.net
O1 - Hosts: 218.85.133.109 lbxx.net
O1 - Hosts: 218.85.133.109 www.44489.com
O1 - Hosts: 218.85.133.109 44489.com
O1 - Hosts: 218.85.133.109 www.avvip.com
O1 - Hosts: 218.85.133.109 avvip.com
O1 - Hosts: 218.85.133.109 www.film21cn.com
O1 - Hosts: 218.85.133.109 film21cn.com
O1 - Hosts: 218.85.133.109 www.y256.com
O1 - Hosts: 218.85.133.109 y256.com
O1 - Hosts: 218.85.133.109 www.newsw.net
O1 - Hosts: 218.85.133.109 newsw.net
O1 - Hosts: 218.85.133.109 www.vod99.com
O1 - Hosts: 218.85.133.109 vod99.com
O1 - Hosts: 218.85.133.109 www.80666666.com
O1 - Hosts: 218.85.133.109 80666666.com
O1 - Hosts: 218.85.133.109 www.88ty.com
O1 - Hosts: 218.85.133.109 88ty.com
O1 - Hosts: 218.85.133.109 www.xinglove.com
O1 - Hosts: 218.85.133.109 xinglove.com
O1 - Hosts: 218.85.133.109 www.99755.com
O1 - Hosts: 218.85.133.109 99755.com
O1 - Hosts: 218.85.133.109 www.loveba.com
O1 - Hosts: 218.85.133.109 loveba.com
O1 - Hosts: 218.85.133.109 www.fx120.net
O1 - Hosts: 218.85.133.109 fx120.net
O1 - Hosts: 218.85.133.109 www.feifanyu.com
O1 - Hosts: 218.85.133.109 feifanyu.com
O1 - Hosts: 218.85.133.109 www.wg818.com
O1 - Hosts: 218.85.133.109 wg818.com
O1 - Hosts: 218.85.133.109 www.shan-hua.com.cn
O1 - Hosts: 218.85.133.109 shan-hua.com.cn
O1 - Hosts: 218.85.133.109 www.7122.com
O1 - Hosts: 218.85.133.109 7122.com
O1 - Hosts: 218.85.133.109 www.pic21.net
O1 - Hosts: 218.85.133.109 pic21.net
O1 - Hosts: 218.85.133.109 www.9see.com
O1 - Hosts: 218.85.133.109 9see.com
O1 - Hosts: 218.85.133.109 www.pztu.com
O1 - Hosts: 218.85.133.109 pztu.com
O1 - Hosts: 218.85.133.109 www.xunlei.com
O1 - Hosts: 218.85.133.109 xunlei.com
O1 - Hosts: 218.85.133.109 www.image.yisou.com
O1 - Hosts: 218.85.133.109 image.yisou.com
O1 - Hosts: 218.85.133.109 www.yes358.com
O1 - Hosts: 218.85.133.109 yes358.com
O1 - Hosts: 218.85.133.109 www.supsky.com
O1 - Hosts: 218.85.133.109 supsky.com
O1 - Hosts: 218.85.133.109 www.7c8.com
O1 - Hosts: 218.85.133.109 7c8.com
O1 - Hosts: 218.85.133.109 www.ccliao.com
O1 - Hosts: 218.85.133.109 ccliao.com
O1 - Hosts: 218.85.133.109 www.tvliao.com
O1 - Hosts: 218.85.133.109 tvliao.com
O1 - Hosts: 218.85.133.109 www.dreamdate.com
O1 - Hosts: 218.85.133.109 dreamdate.com
O1 - Hosts: 218.85.133.109 www.dreamdate.com
O1 - Hosts: 218.85.133.109 dreamdate.com
O1 - Hosts: 218.85.133.109 www.readnovel.com
O1 - Hosts: 218.85.133.109 readnovel.com
O1 - Hosts: 218.85.133.109 www.3tom.com
O1 - Hosts: 218.85.133.109 3tom.com
O1 - Hosts: 218.85.133.109 www.126ww.com
O1 - Hosts: 218.85.133.109 126ww.com
O1 - Hosts: 218.85.133.109 www.fa123.net
O1 - Hosts: 218.85.133.109 fa123.net
O1 - Hosts: 218.85.133.109 www.kk119.com
O2 - BHO: SohuDAIEHelper - {0CA51D02-7739-43EA-8D9A-1E8AD4327B03} - C:\Program Files\P4P\sodaie.dll
O2 - BHO: QQIEHelper - {54EBD53A-9BC1-480B-966A-843A333CA162} - F:\QQ\QQIEHelper.dll
O2 - BHO: BrowseHelper Class - {80BF4637-D65B-43F3-BB60-C5DD3D5FB7B9} - E:\KV2004\KvShell.dll
O2 - BHO: IE - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - C:\WINDOWS\DOWNLO~1\CnsHook.dll
O2 - BHO: DragSearch BHO - {EF1D17A9-089F-40cc-8D64-7324CDEBA0DB} - C:\PROGRA~1\yisou\yisoub.dll
O3 - Toolbar: 上网助手 - {BB936323-19FA-4521-BA29-ECA6A121BC78} - C:\PROGRA~1\3721\Assist\asbar.dll
O3 - Toolbar: 一搜工具条 - {115F6E46-FCBC-41ed-B3B5-3BDDD4AAB5E5} - C:\Program Files\yisou\yisou.dll
O3 - Toolbar: 搜狗直通车 - {DBBB7978-AF21-4EF4-9AD1-B2F4BC75696C} - C:\Program Files\P4P\ToolBar.dll
O3 - Toolbar: 江民杀毒工具栏 - {B5A34A93-D538-43A7-8371-864CB6148D12} - E:\KV2004\KvShell.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CnsMin] Rundll32.exe C:\WINDOWS\DOWNLO~1\CnsMin.dll,Rundll32
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [SysExplr] D:\wu\SysExplr.EXE
O4 - HKLM\..\Run: [YDTMain.exe] C:\PROGRA~1\YDT\YDTMain.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [3721] C:\$NtUninstallQ5926809$\3721.bat
O4 - HKLM\..\Run: [cnyisou_com] http://www.wa110.com
O4 - HKLM\..\Run: [WlN32] regedit -s C:\$NtUninstallQ887678$\WINSYS.cer
O4 - HKLM\..\Run: [KvMonXP] E:\KV2004\KVMonXP.kxp /auto
O4 - HKCU\..\Run: [uninstallex.exe] C:\WINDOWS\uninstallex.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\RunServices: [system] C:\WINDOWS\SVC.EXE
O4 - Startup: 腾讯QQ.lnk = F:\qq\QQ.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: !搜一搜 - res://C:\Program Files\yisou\yisou.dll/232
O8 - Extra context menu item: 上传到QQ网络硬盘 - F:\QQ\AddToNetDisk.htm
O8 - Extra context menu item: 使用搜狗直通车下载 - C:\Program Files\P4P\dl.htm
O8 - Extra context menu item: 发送图片到手机 - C:\Program Files\P4P\cx.htm
O8 - Extra context menu item: 添加到QQ自定义面板 - F:\QQ\AddPanel.htm
O8 - Extra context menu item: 添加到QQ表情 - F:\QQ\AddEmotion.htm
O8 - Extra context menu item: 用QQ彩信发送该图片 - F:\QQ\SendMMS.htm
O9 - Extra button: 手机短信 - {00000000-0000-0001-0001-596BAEDD1289} - http://sms.3721.com/ie/index.htm?pid=U_taijilian_48651 (file missing)
O9 - Extra button: Yahoo 1G电邮 - {507F9113-CD77-4866-BA92-0E86DA3D0B97} - http://cn.mail.yahoo.com/promo/rd1 (file missing)
O9 - Extra button: 寻宝乐趣多 - {59BC54A2-56B3-44a0-93E5-432D58746E26} - http://hot.3721.com/rd/shop_btn.htm (file missing)
O9 - Extra button: 上网助手 - {5D73EE86-05F1-49ed-B850-E423120EC338} - http://assistant.3721.com/index.htm?fb=Cns (file missing)
O9 - Extra button: 我的订阅 - {8755CE6E-0BF7-4441-8751-FB728941B0B4} - C:\Program Files\P4P\rss.dll
O9 - Extra button: SoQ - {8F67DCF3-B1DF-4A39-A787-3775784BF737} - http://www.soq.com (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - F:\QQ\QQ.EXE
O9 - Extra 'Tools' menuitem: 腾讯QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - F:\QQ\QQ.EXE
O9 - Extra button: (no name) - {DEDEB80D-FA35-45d9-9460-4983E5A8AFE6} - F:\QQ\QQIEHelper.dll
O9 - Extra 'Tools' menuitem: QQ炫彩工具条设置 - {DEDEB80D-FA35-45d9-9460-4983E5A8AFE6} - F:\QQ\QQIEHelper.dll
O9 - Extra button: 情景聊天 - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - http://cn.rd.yahoo.com/home/messenger/bjk/clientbtn/?http://cn.messenger.yahoo.com/ (file missing)
O9 - Extra button: (no name) - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://assistant.3721.com/security1.htm?fb=Cns (file missing)
O9 - Extra 'Tools' menuitem: 修复浏览器 - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://assistant.3721.com/security1.htm?fb=Cns (file missing)
O9 - Extra button: (no name) - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://assistant.3721.com/clean1.htm?fb=Cns (file missing)
O9 - Extra 'Tools' menuitem: 清理上网记录 - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://assistant.3721.com/clean1.htm?fb=Cns (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\kvwspxp_1.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\kvwspxp_1.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\kvwspxp_1.dll
O11 - Options group: [!CNS] 网络实名
O16 - DPF: {8819C261-5B61-4628-908C-9BE795EABEC3} (IE Class) - http://www.95599.cn/download/ABC.cab
O16 - DPF: {E4E2F180-CB8B-4DE9-ACBB-DA745D3BA153} (Rising Web Scan Object) - http://download.rising.com.cn/register/pcver/autoupgradepad/Ver2005/OL2005.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A9F4FDD9-50A8-4C72-A671-6EC43837F3BB}: NameServer = 202.103.224.68,202.103.225.68
O20 - AppInit_DLLs: C:\WINDOWS\System32\SoDAHK.DLL
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: P4P Service - Sohu.com Inc. - C:\Program Files\P4P\p2psvr.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: 3721 (Windows Management Instrumenta) - Unknown owner - C:\WINDOWS\Tvdpay.exe

The parts in red are the ones that need to be fixed.

O4 - HKCU\..\RunServices: [system] C:\WINDOWS\SVC.EXE

No file corresponding to this entry was found; it may already have been killed by Jiangmin KV.

O23 - Service: 3721 (Windows Management Instrumenta) - Unknown owner - C:\WINDOWS\Tvdpay.exe

This entry should be Gray Pigeon's service startup item; unfortunately the Rising online scan did not report it. Kaspersky reports it as Backdoor.Win32.Hupigon.km.
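As an added example (not part of the original post and not HijackThis code), the following Python script applies the same reading of the log to a HijackThis-style file: it parses the O1, O4, O20 and O23 sections and flags the patterns that stand out above, namely dozens of hostnames pinned to one non-loopback address in the hosts file, autostart entries that run from $NtUninstall* folders, are bare URLs or silently import registry data with regedit -s, a populated RunServices key, an AppInit_DLLs value, and a service whose owner HijackThis could not identify. The sample log is a constructed subset of the log above (with the lost separator in the O1 lines restored) plus one benign hosts line; the regexes, rules, threshold and function names are my own assumptions.

```python
"""Triage a HijackThis-style log for the patterns seen in the post above.

Added example, not HijackThis code and not from the original post. The section
names (O1, O4, O20, O23) and line layouts follow the log as HijackThis 1.99
prints it; the regexes, rules and thresholds below are my own assumptions.
"""
import re
import sys
from collections import defaultdict

# Constructed sample: a subset of the log in the post (O1 lines with the
# separator restored), plus one benign hosts line for contrast.
SAMPLE_LOG = """\
O1 - Hosts: 218.85.133.109 www.vodfans.com
O1 - Hosts: 218.85.133.109 vodfans.com
O1 - Hosts: 218.85.133.109 www.xunlei.com
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM\\..\\Run: [nwiz] nwiz.exe /install
O4 - HKLM\\..\\Run: [3721] C:\\$NtUninstallQ5926809$\\3721.bat
O4 - HKLM\\..\\Run: [cnyisou_com] http://www.wa110.com
O4 - HKLM\\..\\Run: [WlN32] regedit -s C:\\$NtUninstallQ887678$\\WINSYS.cer
O4 - HKCU\\..\\RunServices: [system] C:\\WINDOWS\\SVC.EXE
O20 - AppInit_DLLs: C:\\WINDOWS\\System32\\SoDAHK.DLL
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\\WINDOWS\\System32\\nvsvc32.exe
O23 - Service: 3721 (Windows Management Instrumenta) - Unknown owner - C:\\WINDOWS\\Tvdpay.exe
"""

# \s* after the address also accepts copies of the log where the separator was lost.
HOSTS_RE = re.compile(r"^O1 - Hosts:\s*(\d{1,3}(?:\.\d{1,3}){3})\s*(\S+)$")
AUTORUN_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[([^\]]*)\]\s*(.*)$")
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs:\s*(\S.*)$")
SERVICE_RE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+)$")

# Hosts entries are only flagged when this many distinct names share one
# non-loopback address (assumed threshold).
MIN_NAMES_PER_IP = 3


def triage(log_text):
    """Return a list of (section, reason, detail) findings."""
    findings = []
    hosts = defaultdict(set)
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HOSTS_RE.match(line)
        if m:
            ip, name = m.groups()
            hosts[ip].add(name)
            continue
        m = AUTORUN_RE.match(line)
        if m:
            hive, key, value_name, command = m.groups()
            cmd = command.lower()
            if key.lower() == "runservices":
                findings.append(("O4", "RunServices is a Windows 9x-era key; a populated one on XP is suspicious", line))
            if "$ntuninstall" in cmd:
                findings.append(("O4", "autostart runs from a $NtUninstall* folder, which holds hotfix rollback data, not programs", line))
            if cmd.startswith(("http://", "https://")):
                findings.append(("O4", "autostart value is a URL rather than a program", line))
            if cmd.startswith("regedit") and (" -s" in cmd or " /s" in cmd):
                findings.append(("O4", "silent registry import at every logon", line))
            continue
        m = APPINIT_RE.match(line)
        if m:
            findings.append(("O20", "AppInit_DLLs injects this DLL into every process that loads user32.dll", line))
            continue
        m = SERVICE_RE.match(line)
        if m:
            display, owner, path = m.groups()
            if owner.strip().lower() == "unknown owner":
                findings.append(("O23", "service binary has no recognised publisher", line))
            continue
    for ip, names in hosts.items():
        if not ip.startswith("127.") and len(names) >= MIN_NAMES_PER_IP:
            findings.append(("O1", f"{len(names)} hostnames redirected to {ip} via the hosts file", ", ".join(sorted(names))))
    return findings


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_LOG
    for section, reason, detail in triage(text):
        print(f"[{section}] {reason}\n      {detail}")
```

Run it with a saved hijackthis.log as the first argument, or with no argument to triage the built-in sample. The benign lines (the NVIDIA service, the nwiz autostart, the localhost hosts entry) produce no finding, while each of the entries the post singled out does; the threshold of three names per address is a starting point, and a hosts file that maps a handful of names to a corporate proxy would need it raised.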

*2005.12.21 addendum for the 2nd edition

Rising reports Tvdpay.exe as Backdoor.Gpigeon.uhu:

Virus category: PE virus on Windows
Virus name: Backdoor.Gpigeon.uhu
Alias:
Virus length:
Dependent system:
Propagation route:
Behaviour type: Trojan program on Windows
Infection:
Outbreak:
Rising version: 18.06.10

I also found two files in c:\windows, system.hta and systems.hta, which are the things that pop up the ad windows; unfortunately neither Rising nor Kaspersky reacted to them.