RootKit.Win32.Agent, Trojan.PSW.Win32.GameOnline, Trojan.Win32.Mnless, etc. (3)

Original by endurer
2007-12-09, 1st edition

  The user said that after reaching the desktop he set up Rising (瑞星) as prompted and immediately ran its update, then opened a web page to test whether things were back to normal. Unexpectedly the system stalled for a moment, the PPS error prompt appeared again, and the Rising update that was in progress vanished. Starting Rising by hand produced error messages for ccenter.exe and rav.exe, and the hard-disk light stayed on...
  The user had no choice but to force a reboot into Safe Mode with Networking, run Kaka Security Assistant (卡卡安全助手) and check [Advanced] -> [Plugin management and uninstall]. The earlier O24 item was back, and there was one more. He selected both and clicked [Uninstall], and then something strange happened: the Kaka Security Assistant window and its main program file Ras.exe disappeared...
  The user also said that Thunder (迅雷) started up by itself for no apparent reason...
  I had the user scan again with pe_xscan and send me the log for analysis (process module entries are abbreviated). One look at it: wow!

/===
pe_xscan 07-12-02 by Purple Endurer
2007-12-7 13:9:33
Windows XP Service Pack 2(5.1.2600)
管理员用户组 C:/WINDOWS/Explorer.EXE * 1292 | 2007-6-13 21:21:56 | Microsoft(R) Windows(R) Operating System | 6.00.2900.3156 | Windows Explorer | (C) Microsoft Corporation. All rights reserved. | 6.00.2900.3156 (xpsp_sp2_gdr.070613-1234) | Microsoft Corporation| ? | explorer | EXPLORER.EXE
C:/WINDOWS/system32/MCSIY.dll | 2007-4-16 23:54:26
C:/WINDOWS/system32/BRHXN.dll | 2007-4-16 23:54:26
C:/WINDOWS/system32/rundll32.exe * 1524 | 2004-8-17 12:0:0 | Microsoft(R) Windows(R) Operating System | 5.1.2600.2180 | Run a DLL as an App | (C) Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | rundll | RUNDLL.EXE
C:/WINDOWS/system32/BRHXN.dll |
O1 - Hosts: 219.235.3.16 search.114.vnet.cn
O1 - Hosts: 219.235.3.16 keyword.vnet.cn
O1 - Hosts: 219.235.3.16 auto.search.msn.com
O1 - Hosts: 219.235.3.16 search.msn.com
O1 - Hosts: 219.235.3.16 cnweb.search.live.com
O1 - Hosts: 219.235.3.16 www.hao123.com
O1 - Hosts: 219.235.3.16 hao123.com
O1 - Hosts: 219.235.3.16 www.360safe.com
O1 - Hosts: 219.235.3.16 360safe.com
O1 - Hosts: 222.73.126.115 update.360safe.com
O1 - Hosts: 219.235.3.16 dl.360safe.com
O1 - Hosts: 219.235.3.16 bbs.360safe.com
O1 - Hosts: 219.235.3.16 www.btbaicai.com
O1 - Hosts: 219.235.3.16 btbaicai.com
O1 - Hosts: 219.235.3.16 www.pctutu.com
O1 - Hosts: 219.235.3.16 www.7322.com
O1 - Hosts: 219.235.3.16 www.5566.net
O1 - Hosts: 219.235.3.16 www.9991.com
O1 - Hosts: 219.235.3.16 9991.com
O1 - Hosts: 219.235.3.16 forum.ikaka.com
O1 - Hosts: 219.235.3.16 www.ikaka.com
O1 - Hosts: 222.73.126.115 update.ikaka.com
O1 - Hosts: 219.235.3.16 forum.jiangmin.com
O1 - Hosts: 222.73.126.115 update.jiangmin.com
O1 - Hosts: 219.235.3.16 post.baidu.com
O1 - Hosts: 222.73.126.115 update.rising.com.cn
O1 - Hosts: 219.235.3.16 online.rising.com.cn
O1 - Hosts: 222.73.126.115 center.rising.com.cn
O1 - Hosts: 219.235.3.16 up.duba.net
O1 - Hosts: 219.235.3.16 shadu.baidu.com
O1 - Hosts: 219.235.3.16 du.baidu.com
O1 - Hosts: 219.235.3.16 security.symantec.com
O1 - Hosts: 219.235.3.16 shadu.duba.net
O1 - Hosts: 219.235.3.16 bbs.duba.net
O1 - Hosts: 219.235.3.16 www.duba.net
O1 - Hosts: 219.235.3.16 online.jiangmin.com
O1 - Hosts: 219.235.3.16 cn.mcafee.com
O1 - Hosts: 219.235.3.16 www.ahn.com.cn
O1 - Hosts: 219.235.3.16 www.kaspersky.com.cn
O1 - Hosts: 219.235.3.16 www.pcav.cn
O1 - Hosts: 219.235.3.16 mopery.hits.io
O1 - Hosts: 219.235.3.16 www.luosoft.com
O1 - Hosts: 219.235.3.16 luosoft.com
O1 - Hosts: 219.235.3.16 www.im286.com
O1 - Hosts: 219.235.3.16 bbs.htmlman.net
O1 - Hosts: 219.235.3.16 10000.286er.com
O1 - Hosts: 219.235.3.16 im286.net
O1 - Hosts: 219.235.3.16 cool.47555.com
O1 - Hosts: 219.235.3.16 ju.qihoo.com
O1 - Hosts: 219.235.3.16 bbs.chinaz.com
O1 - Hosts: 219.235.3.16 www.qihoo.com
O1 - Hosts: 222.73.126.115 dnl-cn1.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-cn2.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-cn3.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-cn4.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-cn5.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-cn6.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-cn7.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-cn8.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-cn9.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-cn10.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-cn11.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-cn12.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-cn13.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-cn14.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-cn15.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-eu1.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-eu2.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-eu3.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-eu4.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-eu5.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-eu6.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-eu7.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-eu8.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-eu9.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-eu10.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-eu11.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-eu12.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-eu13.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-eu14.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-eu15.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-us1.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-us2.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-us3.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-us4.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-us5.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-us6.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-us7.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-us8.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-us9.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-us10.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-us11.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-us12.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-us13.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-us14.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-us15.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-ru1.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-ru2.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-ru3.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-ru4.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-ru5.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-ru6.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-ru7.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-ru8.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-ru9.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-ru10.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-ru11.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-ru12.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-ru13.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-ru14.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-ru15.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-jp1.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-jp2.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-jp3.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-jp4.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-jp5.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-jp6.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-jp7.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-jp8.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-jp9.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-jp10.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-jp11.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-jp12.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-jp13.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-jp14.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-jp15.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-kr1.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-kr2.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-kr3.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-kr4.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-kr5.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-kr6.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-kr7.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-kr8.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-kr9.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-kr10.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-kr11.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-kr12.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-kr13.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-kr14.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-kr15.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-cd1.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-cd2.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-cd3.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-cd4.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-cd5.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-cd6.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-cd7.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-cd8.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-cd9.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-cd10.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-cd11.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-cd12.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-cd13.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-cd14.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-cd15.kaspersky-labs.com
O1 - Hosts: 219.235.3.16 ishare.sina.com.cn
O1 - Hosts: 219.235.3.16 search.cn.yahoo.com
O1 - Hosts: 219.235.3.16 www.google.com
O1 - Hosts: 219.235.3.16 google.com
O1 - Hosts: 219.235.3.16 www.google.cn
O1 - Hosts: 219.235.3.16 www.sogou.com
O1 - Hosts: 219.235.3.16 www.yahoo.com.cn
O1 - Hosts: 219.235.3.16 cn.yahoo.com
O1 - Hosts: 222.73.210.148 www.comewz.com
O1 - Hosts: 219.235.3.16 search.tom.com
O1 - Hosts: 219.235.3.16 zhuansha.duba.net
O1 - Hosts: 219.235.3.16 buy.duba.net
O1 - Hosts: 219.235.3.16 page.so.163.com
O1 - Hosts: 219.235.3.16 www.soso.com
O1 - Hosts: 219.235.3.16 sou.china.com
O1 - Hosts: 219.235.3.16 toolsbar.kuaiso.com
O1 - Hosts: 219.235.3.16 www.kuaiso.com
O4 - HKCU/../Run: [wsctf.exe] wsctf.exe
O4 - HKLM/../RunOnce: [xoz8ilkfqy] %systemroot%/system32/Rundll32.exe %systemroot%/system32/xoz8ilkfqy.dll,DllUnregisterServer
O21 - SSODL - ngvkd() - {94fa50b6-94fa-50b6-50b6-94fa50b61c72} = C:/WINDOWS/system32/zohwp.lat
O23 - 服务: AsyncMac (RAS Asynchronous Media Driver) - system32/DRIVERS/comint32.sys(自动)
O23 - 服务: Mysee2_Runtime (Mysee2_Runtime) - C:/WINDOWS/System32/svchost.exe -k mysee2 -> C:/WINDOWS/system32/gy/runtime.dll(禁用)
O23 - 服务: PciHardDisk (PciHardDisk) - C:/WINDOWS/system32/drivers/fat32.sys(手动)
O23 - 服务: rzedsig (rzedsig) - System32/DRIVERS/rzedsig.sys(引导)
O24 - ShlExecHook: [] - {048C048C-8C04-48C0-159D-6AE26AE26AE2} = C:/WINDOWS/system32/MCSIY.dll
O24 - ShlExecHook: [] - {159D159D-9D15-59D1-26AE-7BF37BF37BF3} = C:/WINDOWS/system32/BRHXN.dll
===/

  On asking, I learned that the user found deleting the files too much trouble and had only removed the startup items in Kaka Security Assistant...
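Two things in the log above stand out to anyone triaging it: every security-vendor and update host is mapped in the hosts file to one of two external addresses (so the victim cannot reach Rising, Kaka, Jiangmin, Kaspersky or 360 for updates), and the two O24 ShlExecHook entries point at unnamed DLLs with random five-letter names in system32. The script below is an added example, not code from the original post and not part of pe_xscan; it reads O1 and O24 lines from such a log and flags exactly those two patterns. The vendor-domain list, the line patterns, the threshold and the `127.0.0.1 localhost` line are assumptions constructed for this example; the other sample lines are copied from the log above.

```python
"""Triage helper for the O1 (hosts) and O24 (ShlExecHook) lines of a
pe_xscan-style log. Added example: not pe_xscan's code, not the post's.
The vendor list, regexes and threshold are assumptions made here."""
import re
from collections import Counter

# Assumed list of registrable domains of AV vendors / update servers
# named in the log above. Real triage would use a maintained list.
SECURITY_VENDOR_DOMAINS = {
    "rising.com.cn", "360safe.com", "ikaka.com", "jiangmin.com", "duba.net",
    "kaspersky-labs.com", "kaspersky.com.cn", "symantec.com", "mcafee.com",
    "qihoo.com", "ahn.com.cn", "pcav.cn",
}
# A vendor host mapped to one of these is a normal blocklist, not a hijack.
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}
# Labels under which two-letter country TLDs hand out registrations
# (so rising.com.cn is one domain, not "com.cn"). Heuristic, no PSL.
CC_SECOND_LEVEL = {"com", "net", "org", "gov", "edu", "ac"}

HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)\s*$")
HOOK_RE = re.compile(
    r"^O24 - ShlExecHook:\s*\[(.*?)\]\s*-\s*(\{[0-9A-Fa-f-]+\})\s*=\s*(.+?)\s*$")

# Sample log: lines copied from the log above plus one constructed benign entry.
SAMPLE_LOG = [
    "O1 - Hosts: 127.0.0.1 localhost",                      # constructed, benign
    "O1 - Hosts: 219.235.3.16 www.360safe.com",
    "O1 - Hosts: 222.73.126.115 update.360safe.com",
    "O1 - Hosts: 222.73.126.115 update.rising.com.cn",
    "O1 - Hosts: 219.235.3.16 www.google.com",
    "O1 - Hosts: 222.73.126.115 dnl-cn1.kaspersky-labs.com",
    "O1 - Hosts: 222.73.126.115 dnl-cn2.kaspersky-labs.com",
    "O1 - Hosts: 219.235.3.16 www.hao123.com",
    "O1 - Hosts: 219.235.3.16 security.symantec.com",
    "O1 - Hosts: 219.235.3.16 www.ikaka.com",
    "O1 - Hosts: 222.73.126.115 update.ikaka.com",
    "O4 - HKCU/../Run: [wsctf.exe] wsctf.exe",
    "O24 - ShlExecHook: [] - {048C048C-8C04-48C0-159D-6AE26AE26AE2}"
    " = C:/WINDOWS/system32/MCSIY.dll",
    "O24 - ShlExecHook: [] - {159D159D-9D15-59D1-26AE-7BF37BF37BF3}"
    " = C:/WINDOWS/system32/BRHXN.dll",
]


def registrable_domain(host):
    """Reduce a hostname to the domain its owner registered (heuristic)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and len(labels[-1]) == 2 and labels[-2] in CC_SECOND_LEVEL:
        return ".".join(labels[-3:])   # e.g. update.rising.com.cn -> rising.com.cn
    return ".".join(labels[-2:])       # e.g. dnl-cn1.kaspersky-labs.com -> kaspersky-labs.com


def parse_hosts_entries(lines):
    """Return (ip, hostname) for every O1 line; other lines are ignored."""
    entries = []
    for line in lines:
        m = HOSTS_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def flag_hosts_hijacks(lines, mass_redirect_threshold=5):
    """Flag vendor hosts mapped off loopback, and IPs that swallow many names.

    A single non-loopback address receiving many unrelated hostnames is the
    signature of an update-blocking hijack rather than a user's blocklist."""
    entries = parse_hosts_entries(lines)
    vendor_redirects = [
        (ip, host) for ip, host in entries
        if ip not in LOOPBACK and registrable_domain(host) in SECURITY_VENDOR_DOMAINS
    ]
    per_ip = Counter(ip for ip, _ in entries if ip not in LOOPBACK)
    mass_redirect_ips = {ip: n for ip, n in per_ip.items() if n >= mass_redirect_threshold}
    return {"vendor_redirects": vendor_redirects, "mass_redirect_ips": mass_redirect_ips}


def flag_shell_execute_hooks(lines):
    """List O24 ShlExecHook entries; an empty display name is the signal used here.

    ShellExecuteHooks run inside every process that calls ShellExecute, which
    is how the two DLLs above could kill Ras.exe the moment it was started."""
    hooks = []
    for line in lines:
        m = HOOK_RE.match(line.strip())
        if m:
            name, clsid, path = m.groups()
            hooks.append({"name": name, "clsid": clsid, "path": path,
                          "unnamed": name.strip() == ""})
    return hooks


if __name__ == "__main__":
    report = flag_hosts_hijacks(SAMPLE_LOG)
    for ip, host in report["vendor_redirects"]:
        print(f"vendor host redirected: {host} -> {ip}")
    for ip, n in report["mass_redirect_ips"].items():
        print(f"mass redirect: {ip} receives {n} hostnames")
    for h in flag_shell_execute_hooks(SAMPLE_LOG):
        print(f"ShlExecHook {h['clsid']} -> {h['path']} (unnamed={h['unnamed']})")
```

On the full log above the same logic reports every vendor host and both sink addresses (219.235.3.16 and 222.73.126.115); the hosts-file lines can then be removed and the two hook DLLs dealt with from a clean boot, which is the step the user skipped when he only cleared the startup items.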