
How do I get rid of this trojan? I have tried all the usual methods and still cannot remove it

C:\Program Files\Internet Explorer\IEXPLORE.EXE: Trojan.Downloader-25397 FOUND
How do I get rid of this trojan? Would the experts please point me in the right direction. This trojan has been plaguing me for far too long. Thanks.

[ This post was last edited by 暗¢翼 on 2008-5-21 12:56 ]
---------
Must-read for newcomers before posting a question!! http://bbs.duba.net/thread-21915967-1-1.html
---------
2008-05-21,17:02:35
System Repair Engineer 2.5.16.900
Smallfrogs (http://www.KZTechs.com)
Windows XP Professional Service Pack 2 (Build 2600) - 管理权限用户 - 完整功能
以下内容被选中:
    所有的启动项目(包括注册表、启动文件夹、服务等)
    浏览器加载项
    正在运行的进程(包括进程模块信息)
    文件关联
    Autorun.inf
    HOSTS 文件
    进程特权扫描
启动项目
注册表
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    <load><>  [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    <UnlockerAssistant><"C:\Unlocker\UnlockerAssistant.exe">  []
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    <shell><Explorer.exe>  [(Verified)Microsoft Windows Publisher]
    <Userinit><C:\WINDOWS\system32\userinit.exe,>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    <AppInit_DLLs><>
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    <UIHost><logonui.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    <{AEB6717E-7E19-11d0-97EE-00C04FD91972}><shell32.dll>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    <PostBootReminder><%SystemRoot%\system32\SHELL32.dll>  [(Verified)Microsoft Windows Publisher]
    <CDBurn><%SystemRoot%\system32\SHELL32.dll>  [(Verified)Microsoft Windows Publisher]
    <WebCheck><%SystemRoot%\system32\webcheck.dll>  [(Verified)Microsoft Windows Publisher]
    <SysTray><C:\WINDOWS\system32\stobject.dll>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
    <WinlogonNotify: crypt32chain><crypt32.dll>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
    <WinlogonNotify: cryptnet><cryptnet.dll>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
    <WinlogonNotify: cscdll><cscdll.dll>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
    <WinlogonNotify: ScCertProp><wlnotify.dll>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
    <WinlogonNotify: Schedule><wlnotify.dll>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
    <WinlogonNotify: sclgntfy><sclgntfy.dll>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
    <WinlogonNotify: SensLogn><WlNotify.dll>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
    <WinlogonNotify: termsrv><wlnotify.dll>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
    <WinlogonNotify: wlballoon><wlnotify.dll>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    <{438755C2-A8BA-11D1-B96B-00A0C90312E1}><%SystemRoot%\system32\browseui.dll>  [(Verified)Microsoft Windows Publisher]
    <{8C7461EF-2B13-11d2-BE35-3078302C2030}><%SystemRoot%\system32\browseui.dll>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
    <Microsoft Windows Media Player><C:\WINDOWS\inf\unregmp2.exe /ShowWMP>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS]
    <浏览器自定义组件><RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}]
    <Windows 桌面更新><regsvr32.exe /s /n /i:U shell32.dll>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}]
    <Internet Explorer 6><%SystemRoot%\system32\ie4uinit.exe>  [(Verified)Microsoft Windows Publisher]
==================================
启动文件夹
N/A
==================================
服务
[Human Interface Device Access / HidServ][Stopped/Disabled]
  <C:\WINDOWS\System32\svchost.exe -k netsvcs-->%SystemRoot%\System32\hidserv.dll><N/A>
[SoundMAX Agent Service / SoundMAX Agent Service (default)][Stopped/Auto Start]
  <C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe><Analog Devices, Inc.>
==================================
驱动程序
[aeaudio / aeaudio][Stopped/Manual Start]
  <system32\drivers\aeaudio.sys><Andrea Electronics Corporation>
[MINICD / MINICD][Stopped/Auto Start]
  <\??\C:\WINDOWS\system32\minicd.sys><http://www.138soft.com>
[Secdrv / Secdrv][Stopped/Manual Start]
  <system32\DRIVERS\secdrv.sys><N/A>
[smwdm / smwdm][Stopped/Manual Start]
  <system32\drivers\smwdm.sys><Analog Devices, Inc.>
==================================
浏览器加载项
[WUWebControl Class]
  {6414512B-B978-451D-A0D8-FCFDF33E833C} <C:\WINDOWS\system32\wuweb.dll, Microsoft Corporation>
[McFreeScan Class]
  {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} <C:\WINDOWS\McAfee.com\FreeScan\mcfscan.dll, McAfee, Inc.>
[Shell Name Space]
  {55136805-B2DE-11D1-B9F2-00A0C98BC547} <%SystemRoot%\system32\SHDOCVW.dll, N/A>
==================================
正在运行的进程
[PID: 168][\SystemRoot\System32\smss.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 220][\??\C:\WINDOWS\system32\csrss.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 244][\??\C:\WINDOWS\system32\winlogon.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 288][C:\WINDOWS\system32\services.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 300][C:\WINDOWS\system32\lsass.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 448][C:\WINDOWS\system32\svchost.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 496][C:\WINDOWS\system32\svchost.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 564][C:\WINDOWS\system32\svchost.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 752][C:\WINDOWS\Explorer.EXE]  [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
    [C:\Unlocker\UnlockerCOM.dll]  [N/A, ]
    [C:\linshi\ClamWin\bin\ExpShell.dll]  [N/A, ]
    [C:\WINDOWS\system32\msdmo.dll]  [, ]
[PID: 972][C:\sreng2\SREngPS.EXE]  [Smallfrogs Studio, 2.5.16.900]
    [C:\sreng2\Upload\3rdUpd.DLL]  [Smallfrogs Studio, 2, 1, 0, 15]
==================================
文件关联
.TXT  OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.EXE  OK. ["%1" %*]
.COM  OK. ["%1" %*]
.PIF  OK. ["%1" %*]
.REG  OK. [regedit.exe "%1"]
.BAT  OK. ["%1" %*]
.SCR  OK. ["%1" /S]
.CHM  OK. ["C:\WINDOWS\hh.exe" %1]
.HLP  OK. [%SystemRoot%\system32\winhlp32.exe %1]
.INI  OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.INF  OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.VBS  OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.JS   OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.LNK  OK. [{00021401-0000-0000-C000-000000000046}]
==================================
Autorun.inf
N/A
==================================
HOSTS 文件
127.0.0.1 localhost
==================================
进程特权扫描
N/A
==================================
API HOOK
N/A
==================================
隐藏进程
N/A
==================================
That hidserv.dll has been missing ever since the system was first installed, so the corresponding entry under Services cannot start either.
C:\WINDOWS\explorer.exe: Trojan.Inject-601 FOUND
C:\WINDOWS\notepad.exe: Trojan.Dropper-1206 FOUND
Experts, what should I do?

[ This post was last edited by 暗¢翼 on 2008-5-21 22:20 ]
Attachment: vir.JPG (77.99 KB)
2008-5-21 22:20
About explorer.exe
vir2.JPG (76.43 KB)
2008-5-21 22:20
About explorer.exe
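Added example, not part of this thread or of SREng itself: a small Python parser for the entry layout used in the log above (a bracketed registry key or service header, followed by indented <name><value> lines with an optional trailing [signer] field). It lists every non-empty entry that is not marked (Verified), which is the first thing to pick out of a log like this before deciding what to upload. The regexes are an assumption derived from the log's layout, and the sample is constructed from lines in the log.

```python
"""List SREng startup/driver entries with no '(Verified)' signer."""
import re

# Assumption: header lines look like "[key]" or "[name / name][state]";
# entry lines are indented "<name><value>" with an optional "  [signer]".
HEADER = re.compile(r"^\[(?P<key>[^\]]+)\]")
ENTRY = re.compile(
    r"^\s+<(?P<name>[^>]*)><(?P<value>[^>]*)>"
    r"(?:\s+\[(?P<signer>[^\]]*)\])?\s*$"
)

def parse_entries(log_text):
    """Yield (key, name, value, signer) tuples; signer is None when absent."""
    key = None
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if m:
            key = m.group("key")
            continue
        m = ENTRY.match(line)
        if m and key is not None:
            yield key, m.group("name"), m.group("value"), m.group("signer")

def unverified_entries(log_text):
    """Return entries whose value is non-empty and whose signer field is
    not marked '(Verified)'. Empty values (an empty AppInit_DLLs, an empty
    'load') are the healthy state and are not reported."""
    hits = []
    for key, name, value, signer in parse_entries(log_text):
        if not value.strip():
            continue
        if signer is None or not signer.startswith("(Verified)"):
            hits.append((key, name, value, signer or ""))
    return hits

# Constructed sample, copied from entries that appear in the log above.
SAMPLE = r"""[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    <UnlockerAssistant><"C:\Unlocker\UnlockerAssistant.exe">  []
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    <shell><Explorer.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    <AppInit_DLLs><>
[MINICD / MINICD][Stopped/Auto Start]
  <\??\C:\WINDOWS\system32\minicd.sys><http://www.138soft.com>
"""

if __name__ == "__main__":
    for key, name, value, signer in unverified_entries(SAMPLE):
        print(f"{key} :: {name} -> {value} [{signer or 'no signer info'}]")
```

An unverified entry is only a lead, not a verdict: the Unlocker and MINICD items above are third-party software, and the right next step is to check the file's publisher and hash rather than delete it.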
---------
Original poster, please upload the following files:
C:\WINDOWS\explorer.exe
C:\WINDOWS\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
---------
OK, I will upload them right away.

[ This post was last edited by 暗¢翼 on 2008-5-21 19:43 ]
Attachment: Vir.rar (374.23 KB)
2008-5-21 18:55, downloads: 12
Vir.rar (375.72 KB)
2008-5-21 19:43, downloads: 13
---------
Since I deleted IE and Notepad, I have no way to obtain the samples. After testing, on my installation disc:
C:\WINDOWS\explorer.exe: Trojan.Inject-601 FOUND
C:\WINDOWS\notepad.exe: Trojan.Dropper-1206 FOUND
Also, other ISOs downloaded from the net are all detected as containing trojan programs. Frustrating.
---------
C:\WINDOWS\explorer.exe is a false positive; it is a normal file.
---------
Then why does the CPU usage graph in Task Manager swing so wildly? And when scanning with multiple online engines, I found that quite a few files come up with this kind of trojan warning, each with a different trojan name. It is driving me crazy. There is a SHELL32.DLL file I cannot upload; there is a file size limit here so it will not go through. Looking with IceSword (冰刃), I have noticed the SYSTEM process frequently calling the SVCHOST process and so on; this never used to happen before.
Also, SVCHOST.EXE's I/O read bytes climb very quickly; normally they should climb slowly, but lately the I/O read byte rate has been very high.

[ This post was last edited by 暗¢翼 on 2008-5-21 19:50 ]
---------
It is best to upload the files that were flagged; otherwise there is no way to judge.
---------
How about you give me your QQ? I will pack them up, otherwise I cannot post them; the files exceed the posting limit.
---------
You can use split-volume compression.
---------
Quote: originally posted by tanlimo on 2008-5-21 20:21
You can use split-volume compression.
I do not know how. How do I use it?
---------
See the picture: 1.gif (22.38 KB)
2008-5-21 20:35
---------
I cannot see anything. Frustrating.
---------
The main thing is the file name of the trojan downloader mentioned in the picture. I really do not know what to do anymore.