
Encountering RootKit.Win32.GameHack, Trojan.PSW.Win32.QQPass, Trojan-PSW.Win32.OnLineGames, etc. (1)

2008-03-19 21:07

Original by endurer
2008-03-19, 1st edition

A netizen told me today that his computer had been infected with a QQ password-stealing trojan. Restarting the computer as QQ Doctor suggested did not fix it, so he asked me to help clean it up.

I downloaded pe_xscan, ran a scan, and analyzed the log. The following suspicious items were found (duplicate entries in the per-process module lists have been omitted):

/===
pe_xscan 08-03-03 by Purple Endurer
2008-3-19 12:15:38
Windows XP Service Pack 2(5.1.2600)
管理员用户组
正常模式
[System Process]  0
    2008-3-19 9:5:14
    2008-3-19 9:5:10
    2008-3-19 9:4:26  Microsoft(R) Windows(R) Operating System  5.1.2600.3099 (xpsp_sp2_gdr.070308-0222)  Windows XP MSPLAY API DLL  (C) Microsoft Corporation. All rights resad.  5.1.2600.3099  Microsoft Corporation  Microsoft  msplay32  msplay32
    2008-3-19 9:3:50  Microsoft(R) Windows(R) Operating System  5.1.2600.3099 (xpsp_sp2_gdr.070308-0222)  Windows XP MSPLAY API DLL  (C) Microsoft Corporation. All rights resad.  5.1.2600.3099  Microsoft Corporation  Microsoft  msplay32  msplay32
    2008-3-19 8:58:22
    2008-3-19 9:5:20
    2008-3-19 9:4:50
    2008-3-19 9:4:6
C:/WINDOWS/System32/winlogon.exe 524  2004-8-17 12:0:0  Microsoft(R) Windows(R) Operating System  5.1.2600.2180  Windows NT Logon Application  (C) Microsoft Corporation. All rights reserved.  5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)  Microsoft Corporation ?  winlogon  WINLOGON.EXE
    2008-3-19 9:5:14
    2008-3-19 9:5:10
    2004-8-17 12:0:0  DllProgram Dynamic Link Library  1, 0, 0, 1  DllProgram DLL  版权所有 (C) 2008  1, 0, 0, 1    DllProgram  DllProgram.DLL
C:/WINDOWS/System32/services.exe 576  2004-8-17 12:0:0  Microsoft(R) Windows(R) Operating System  5.1.2600.2180  Services and Controller app  (C) Microsoft Corporation. All rights reserved.  5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)  Microsoft Corporation ?  services.exe  services.exe
    2008-3-19 9:5:14
    2008-3-19 9:5:10
C:/WINDOWS/System32/lsass.exe 588  2004-8-17 12:0:0  Microsoft? Windows? Operating System  5.1.2600.2180  LSA Shell (Export Version)  ? Microsoft Corporation. All rights reserved.  5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)  Microsoft Corporation ?  lsass.exe  lsass.exe
    2008-3-19 9:5:14
    2008-3-19 9:5:10
C:/WINDOWS/System32/svchost.exe 756  2004-8-17 12:0:0  Microsoft? Windows? Operating System  5.1.2600.2180  Generic Host Process for Win32 Services  ? Microsoft Corporation. All rights reserved.  5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)  Microsoft Corporation ?  svchost.exe  svchost.exe
    2008-3-19 9:5:14
    2008-3-19 9:5:10
C:/WINDOWS/System32/alg.exe 220  2004-8-17 12:0:0  Microsoft? Windows? Operating System  5.1.2600.2180  Application Layer Gateway Service  ? Microsoft Corporation. All rights reserved.  5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)  Microsoft Corporation ?  ALG.exe  ALG.exe
    2008-3-19 9:5:14
    2008-3-19 9:5:10
C:/WINDOWS/EXPLORER.EXE 1296  2007-6-13 21:21:56  Microsoft(R) Windows(R) Operating System  6.00.2900.3156  Windows Explorer  (C) Microsoft Corporation. All rights reserved.  6.00.2900.3156 (xpsp_sp2_gdr.070613-1234)  Microsoft Corporation ?  explorer  EXPLORER.EXE
    2008-3-19 9:5:10
    2008-3-19 8:58:22
    2008-3-19 8:48:36
    2008-3-19 9:3:50  Microsoft(R) Windows(R) Operating System  5.1.2600.3099 (xpsp_sp2_gdr.070308-0222)  Windows XP MSPLAY API DLL  (C) Microsoft Corporation. All rights resad.  5.1.2600.3099  Microsoft Corporation  Microsoft  msplay32  msplay32
    2008-3-19 9:4:6
    2008-3-19 9:4:26  Microsoft(R) Windows(R) Operating System  5.1.2600.3099 (xpsp_sp2_gdr.070308-0222)  Windows XP MSPLAY API DLL  (C) Microsoft Corporation. All rights resad.  5.1.2600.3099  Microsoft Corporation  Microsoft  msplay32  msplay32
    2008-3-19 9:4:50
    2008-3-19 9:5:20
    2008-3-19 9:5:14
    2008-3-19 8:48:36
C:/WINDOWS/SOUNDMAN.EXE 2288  2006-3-2 7:22:4  Realtek Sound Manager  5, 1, 0, 52  Realtek Sound Manager  Copyright (c) 2001-2004 Realtek Semiconductor Corp.  5, 1, 0, 52  Realtek Semiconductor Corp.   ALSMTray  ALSMTray.exe
    2008-3-19 9:5:14
    2008-3-19 9:5:10
    2008-3-19 8:58:22
    2008-3-19 9:4:50
    2008-3-19 9:4:26  Microsoft(R) Windows(R) Operating System  5.1.2600.3099 (xpsp_sp2_gdr.070308-0222)  Windows XP MSPLAY API DLL  (C) Microsoft Corporation. All rights resad.  5.1.2600.3099  Microsoft Corporation  Microsoft  msplay32  msplay32
    2008-3-19 9:3:50  Microsoft(R) Windows(R) Operating System  5.1.2600.3099 (xpsp_sp2_gdr.070308-0222)  Windows XP MSPLAY API DLL  (C) Microsoft Corporation. All rights resad.  5.1.2600.3099  Microsoft Corporation  Microsoft  msplay32  msplay32
    2008-3-19 9:5:20
C:/WINDOWS/System32/ctfmon.exe 2968  2004-8-17 12:0:0  Microsoft? Windows? Operating System  5.1.2600.2180  CTF Loader  ? Microsoft Corporation. All rights reserved.  5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)  Microsoft Corporation ?  CTFMON  CTFMON.EXE
    2008-3-19 9:5:14
    2008-3-19 9:5:10
    2008-3-19 9:3:50  Microsoft(R) Windows(R) Operating System  5.1.2600.3099 (xpsp_sp2_gdr.070308-0222)  Windows XP MSPLAY API DLL  (C) Microsoft Corporation. All rights resad.  5.1.2600.3099  Microsoft Corporation  Microsoft  msplay32  msplay32
    2008-3-19 8:58:22
    2008-3-19 9:4:26  Microsoft(R) Windows(R) Operating System  5.1.2600.3099 (xpsp_sp2_gdr.070308-0222)  Windows XP MSPLAY API DLL  (C) Microsoft Corporation. All rights resad.  5.1.2600.3099  Microsoft Corporation  Microsoft  msplay32  msplay32
    2008-3-19 9:4:50
    2008-3-19 9:5:20
C:/QQ/TXPlatform.exe  3904  2007-11-18 9:53:40  TM2008  1, 0, 170, 201  TM2008  Copyright (C) 1998-2007 TENCENT Inc. All Rights Reserved  1, 0, 170, 0  Tencent ?
    2008-3-19 9:5:14
    2008-3-19 9:5:10
    2008-3-19 9:4:26  Microsoft(R) Windows(R) Operating System  5.1.2600.3099 (xpsp_sp2_gdr.070308-0222)  Windows XP MSPLAY API DLL  (C) Microsoft Corporation. All rights resad.  5.1.2600.3099  Microsoft Corporation  Microsoft  msplay32  msplay32
    2008-3-19 9:3:50  Microsoft(R) Windows(R) Operating System  5.1.2600.3099 (xpsp_sp2_gdr.070308-0222)  Windows XP MSPLAY API DLL  (C) Microsoft Corporation. All rights resad.  5.1.2600.3099  Microsoft Corporation  Microsoft  msplay32  msplay32
    2008-3-19 8:58:22
    2008-3-19 9:5:20
    2008-3-19 9:4:50
C:/QQ/QQ.exe  492  2008-2-19 14:15:12  QQ  8,0,714,1791  QQ  Copyright (C) 1998 - 2008 TENCENT Inc. All Rights Reserved  8,0,714,1791  TENCENT   COMQQD  QQ.exe
    2008-3-19 9:5:14
    2008-3-19 9:5:10
    2008-3-19 9:4:26  Microsoft(R) Windows(R) Operating System  5.1.2600.3099 (xpsp_sp2_gdr.070308-0222)  Windows XP MSPLAY API DLL  (C) Microsoft Corporation. All rights resad.  5.1.2600.3099  Microsoft Corporation  Microsoft  msplay32  msplay32
    2008-3-19 9:3:50  Microsoft(R) Windows(R) Operating System  5.1.2600.3099 (xpsp_sp2_gdr.070308-0222)  Windows XP MSPLAY API DLL  (C) Microsoft Corporation. All rights resad.  5.1.2600.3099  Microsoft Corporation  Microsoft  msplay32  msplay32
    2008-3-19 8:58:22
    2008-3-19 9:5:20
    2008-3-19 9:4:50
    2008-3-19 9:4:6
O2 - BHO - {D29DCEE0-457B-45A2-A92D-741B95B7723B} - 
O4 - HKLM/../Run: [igzwzslm] 
O4 - HKLM/../Run: [LotusHlp] 
O4 - HKLM/../Run: [SHAProc] 
O4 - HKLM/../Run: [igzwzslm] 
O4 - HKLM/../Run: [LotusHlp] 
O4 - HKLM/../Run: [SHAProc] 
O4 - HKLM/../Run: [upxdnd] 
O4 - HKLM/../Run: [msccrt] 
O4 - HKLM/../Run: [cmdbcs] 
O4 - HKLM/../Run: [DbgHlp32] 
O4 - HKLM/../Run: [Kvsc3] 
O4 - HKLM/../Run: [WSockDrv32] 
O20 - AppInit_DLLs = ,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
O23 - 服务: B302EC43 (B302EC43) -  -d(自动)
O23 - 服务: drop (drop) - (自动)
O23 - 服务: fpids32 (fpids32) -  2008-3-19 9:5:32(自动)
O23 - 服务: mhfp (mhfp) - (自动)
O23 - 服务: msert (msert) - (自动)
O23 - 服务: RemoteStorage (Windows Accounts Driver) -  2004-8-17 12:0:0(自动)
O24 - ShlExecHook: [] - {D29DCEE0-457B-45A2-A92D-741B95B7723B} = 
O24 - ShlExecHook: [B] - {50632D5C-B71B-4ba0-B012-3DC6F15C011B} = 
O24 - ShlExecHook: [Microsoft] - {5E907A48-400E-4EA8-9792-FFAE052D59E9} = 
===/
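As an added defender-side example (not part of endurer's post and not pe_xscan's own code), the Python below parses the O4/O20/O23/O24 items from an excerpt of the log above and flags the traits that make them suspicious: autorun and hook entries whose file no longer resolves, an AppInit_DLLs value made only of separators, and services with no image path or a random hex-looking name. The regexes are assumed from the line layout shown on this page, not from pe_xscan documentation.

```python
import re

# Excerpt of the O-items from the pe_xscan log above, embedded as a constructed
# sample so the example runs offline.
SAMPLE_LOG = """\
O4 - HKLM/../Run: [igzwzslm]
O4 - HKLM/../Run: [upxdnd]
O4 - HKLM/../Run: [cmdbcs]
O20 - AppInit_DLLs = ,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
O23 - 服务: B302EC43 (B302EC43) -  -d(自动)
O23 - 服务: msert (msert) - (自动)
O23 - 服务: RemoteStorage (Windows Accounts Driver) -  2004-8-17 12:0:0(自动)
O24 - ShlExecHook: [B] - {50632D5C-B71B-4ba0-B012-3DC6F15C011B} =
"""

# Line patterns assumed from the layout seen in the log (not pe_xscan's spec).
O4_RE = re.compile(r"^O4 - [^:]+: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - AppInit_DLLs =\s*(?P<value>.*)$")
O23_RE = re.compile(r"^O23 - [^:]+: (?P<name>\S+) \((?P<display>[^)]*)\) -\s*"
                    r"(?P<path>.*?)\((?P<start>[^()]*)\)\s*$")
O24_RE = re.compile(r"^O24 - ShlExecHook: \[(?P<name>[^\]]*)\] - "
                    r"(?P<clsid>\{[^}]+\})\s*=\s*(?P<path>.*)$")
IMAGE_EXT = (".exe", ".dll", ".sys")
HEX_NAME = re.compile(r"^[0-9A-Fa-f]{8}$")

def audit_pe_xscan(text):
    """Return (item_type, name, reason) findings for the hijack-style items."""
    findings = []
    for line in text.splitlines():
        line = line.rstrip()
        if m := O4_RE.match(line):
            # pe_xscan prints the command after [name]; a blank command means the
            # autorun target could not be resolved (hidden or already deleted).
            if not m["cmd"].strip():
                findings.append(("O4", m["name"], "Run entry with no resolvable command"))
        elif m := O20_RE.match(line):
            raw = m["value"]
            # A clean system has an empty AppInit_DLLs; a value made only of
            # separators pushes the real DLL name past what a fixed-width view shows.
            if raw and not raw.replace(",", "").replace(" ", "").strip():
                findings.append(("O20", "AppInit_DLLs", "value padded with separators only"))
        elif m := O23_RE.match(line):
            path = m["path"].strip()
            if not path.lower().endswith(IMAGE_EXT):
                findings.append(("O23", m["name"], "service lists no image path"))
            if HEX_NAME.match(m["name"]):
                findings.append(("O23", m["name"], "random hex-looking service name"))
        elif m := O24_RE.match(line):
            if not m["path"].strip():
                findings.append(("O24", m["clsid"], "ShellExecuteHook with no resolvable DLL"))
    return findings
```

Run it over a full pe_xscan log and review each finding against the process list that precedes the O-items; the unreadable module `DllProgram.DLL` inside winlogon.exe in the log above is the kind of companion indicator these hooks point at.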

(To be continued)