RootKit.Win32.Agent, Trojan.PSW.Win32.GameOnline, Trojan.Win32.Mnless and others (1)
Original by endurer
2007-12-07, 1st edition
A netizen said his computer was running very slowly and kept reporting an error in d3d.exe, and asked me to help check it.
I sent him pe_xscan to scan with, and he sent the log back.
Analysis turned up the following suspicious items:
/===
pe_xscan 07-12-02 by Purple Endurer
2007-12-7 12:25:24
Windows XP Service Pack 2(5.1.2600)
管理员用户组
[System Process] * 0
E:/QQ/fyngvk.dll | 2007-4-16 23:54:26
E:/QQ/WSOCK32.dll | 2007-4-16 23:54:26 | Microsoft(R) Windows(R) Operating System | 5.1.2600.2180 | Windows Socket 32-Bit DLL | (C) Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | wsock32.dll | wsock32.dll
C:/WINDOWS/system32/ngvod.dll | 2004-8-17 12:0:0 | Microsoft(R) Windows(R) Operating System | 5.1.2600.2180 | Advanced Windows 32 Base API | (C) Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | advapi32.dll | advapi32.dll
C:/WINDOWS/system32/vkdsl.dll | 2007-4-16 23:54:26 | Microsoft(R) Windows(R) Operating System | 5.1.2600.3119 | Windows NT BASE API Client DLL | (C) Microsoft Corporation. All rights reserved. | 5.1.2600.3119 (xpsp_sp2_gdr.070416-1301) | Microsoft Corporation| ? | kernel32 |
C:/WINDOWS/system32/services.exe * 632 | 2004-8-17 12:0:0 | Microsoft(R) Windows(R) Operating System | 5.1.2600.2180 | Services and Controller app | (C) Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | services.exe | services.exe
C:/WINDOWS/system32/LYMANGR.dll |
C:/WINDOWS/system32/EXPLORER.EXE * 1432 | 2006-10-25 8:32:36 | Microsoft(R) Windows(R) Operating System | 6.2900.2180 | Windows Explorer | (C) Microsoft Corporation. All rights reserved. | 6.2900.2180 | Microsoft Corporation| ? | EXPLORER | EXPLORER.EXE
C:/WINDOWS/system32/SHQMANGR.dll | 2007-12-7 8:29:14
E:/QQ/fyngvk.dll | 2007-4-16 23:54:26
E:/QQ/WSOCK32.dll | 2007-4-16 23:54:26 | Microsoft(R) Windows(R) Operating System | 5.1.2600.2180 | Windows Socket 32-Bit DLL | (C) Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | wsock32.dll |
C:/WINDOWS/Explorer.EXE * 1464 | 2007-6-13 21:21:56 | Microsoft(R) Windows(R) Operating System | 6.00.2900.3156 | Windows Explorer | (C) Microsoft Corporation. All rights reserved. | 6.00.2900.3156 (xpsp_sp2_gdr.070613-1234) | Microsoft Corporation| ? | explorer | EXPLORER.EXE
C:/WINDOWS/system32/SHQMANGR.dll | 2007-12-7 8:29:14
E:/QQ/fyngvk.dll | 2007-4-16 23:54:26
c:/windows/system32/3.dll
C:/WINDOWS/system32/BRHXN.dll |
C:/WINDOWS/SOUNDMAN.EXE * 1644 | 2004-11-15 18:20:20 | Realtek Sound Manager | 5.1.0.29 | Realtek Sound Manager | Copyright (c) 2001-2004 Realtek Semiconductor Corp. | 5.1.0.30 | Realtek Semiconductor Corp. | | ALSMTray | ALSMTray.exe
E:/QQ/fyngvk.dll | 2007-4-16 23:54:26
E:/QQ/WSOCK32.dll | 2007-4-16 23:54:26 | Microsoft(R) Windows(R) Operating System | 5.1.2600.2180 | Windows Socket 32-Bit DLL | (C) Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | wsock32.dll | wsock32.dll
C:/WINDOWS/system32/ngvod.dll | 2004-8-17 12:0:0 | Microsoft(R) Windows(R) Operating System | 5.1.2600.2180 | Advanced Windows 32 Base API | (C) Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | advapi32.dll | advapi32.dll
C:/WINDOWS/system32/vkdsl.dll | 2007-4-16 23:54:26 | Microsoft(R) Windows(R) Operating System | 5.1.2600.3119 | Windows NT BASE API Client DLL | (C) Microsoft Corporation. All rights reserved. | 5.1.2600.3119 (xpsp_sp2_gdr.070416-1301) | Microsoft Corporation| ? | kernel32 |
C:/Program Files/QuickTime/qttask.exe * 1720 | 2007-9-16 9:48:4 | QuickTime | QuickTime 6.5| ? | (C) Apple Computer, Inc. 2001-2004 | 6.5 | Apple Computer, Inc.| ? | QuickTime Task | QTTask.exe
E:/QQ/fyngvk.dll | 2007-4-16 23:54:26
E:/QQ/WSOCK32.dll | 2007-4-16 23:54:26 | Microsoft(R) Windows(R) Operating System | 5.1.2600.2180 | Windows Socket 32-Bit DLL | (C) Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | wsock32.dll | wsock32.dll
C:/WINDOWS/system32/ngvod.dll | 2004-8-17 12:0:0 | Microsoft(R) Windows(R) Operating System | 5.1.2600.2180 | Advanced Windows 32 Base API | (C) Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | advapi32.dll | advapi32.dll
C:/WINDOWS/system32/vkdsl.dll | 2007-4-16 23:54:26 | Microsoft(R) Windows(R) Operating System | 5.1.2600.3119 | Windows NT BASE API Client DLL | (C) Microsoft Corporation. All rights reserved. | 5.1.2600.3119 (xpsp_sp2_gdr.070416-1301) | Microsoft Corporation| ? | kernel32 |
C:/WINDOWS/system32/ctfmon.exe * 1732 | 2004-8-17 12:0:0 | Microsoft(R) Windows(R) Operating System | 5.1.2600.2180 | CTF Loader | (C) Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | CTFMON | CTFMON.EXE
E:/QQ/fyngvk.dll | 2007-4-16 23:54:26
E:/QQ/WSOCK32.dll | 2007-4-16 23:54:26 | Microsoft(R) Windows(R) Operating System | 5.1.2600.2180 | Windows Socket 32-Bit DLL | (C) Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | wsock32.dll | wsock32.dll
C:/WINDOWS/system32/ngvod.dll | 2004-8-17 12:0:0 | Microsoft(R) Windows(R) Operating System | 5.1.2600.2180 | Advanced Windows 32 Base API | (C) Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | advapi32.dll | advapi32.dll
C:/WINDOWS/system32/vkdsl.dll | 2007-4-16 23:54:26 | Microsoft(R) Windows(R) Operating System | 5.1.2600.3119 | Windows NT BASE API Client DLL | (C) Microsoft Corporation. All rights reserved. | 5.1.2600.3119 (xpsp_sp2_gdr.070416-1301) | Microsoft Corporation| ? | kernel32 |
C:/WINDOWS/system32/wscntfy.exe * 3772 | 2004-8-17 12:0:0 | Microsoft(R) Windows(R) Operating System | 5.1.2600.2180 | Windows Security Center Notification App | (C) Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | wscntfy.exe | wscntfy.exe
E:/QQ/fyngvk.dll | 2007-4-16 23:54:26
E:/QQ/WSOCK32.dll | 2007-4-16 23:54:26 | Microsoft(R) Windows(R) Operating System | 5.1.2600.2180 | Windows Socket 32-Bit DLL | (C) Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | wsock32.dll | wsock32.dll
C:/WINDOWS/system32/ngvod.dll | 2004-8-17 12:0:0 | Microsoft(R) Windows(R) Operating System | 5.1.2600.2180 | Advanced Windows 32 Base API | (C) Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | advapi32.dll | advapi32.dll
C:/WINDOWS/system32/vkdsl.dll | 2007-4-16 23:54:26 | Microsoft(R) Windows(R) Operating System | 5.1.2600.3119 | Windows NT BASE API Client DLL | (C) Microsoft Corporation. All rights reserved. | 5.1.2600.3119 (xpsp_sp2_gdr.070416-1301) | Microsoft Corporation| ? | kernel32 |
C:/WINDOWS/QQRun.exe * 1048 |
C:/Program Files/Internet Explorer/iexplore.exe * 880 | 2004-8-17 20:0:0 | Microsoft(R) Windows(R) Operating System | 6.00.2900.2180 | Internet Explorer | (C) Microsoft Corporation. All rights reserved. | 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | iexplore | IEXPLORE.EXE
E:/QQ/fyngvk.dll | 2007-4-16 23:54:26
E:/QQ/WSOCK32.dll | 2007-4-16 23:54:26 | Microsoft(R) Windows(R) Operating System | 5.1.2600.2180 | Windows Socket 32-Bit DLL | (C) Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | wsock32.dll |
C:/WINDOWS/system32/conime.exe * 2772 | 2004-8-17 12:0:0 | Microsoft(R) Windows(R) Operating System | 5.1.2600.2180 | Console IME | (C) Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | Console | CONIME.EXE
E:/QQ/fyngvk.dll | 2007-4-16 23:54:26
E:/QQ/WSOCK32.dll | 2007-4-16 23:54:26 | Microsoft(R) Windows(R) Operating System | 5.1.2600.2180 | Windows Socket 32-Bit DLL | (C) Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | wsock32.dll | wsock32.dll
C:/WINDOWS/system32/ngvod.dll | 2004-8-17 12:0:0 | Microsoft(R) Windows(R) Operating System | 5.1.2600.2180 | Advanced Windows 32 Base API | (C) Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | advapi32.dll | advapi32.dll
C:/WINDOWS/system32/vkdsl.dll | 2007-4-16 23:54:26 | Microsoft(R) Windows(R) Operating System | 5.1.2600.3119 | Windows NT BASE API Client DLL | (C) Microsoft Corporation. All rights reserved. | 5.1.2600.3119 (xpsp_sp2_gdr.070416-1301) | Microsoft Corporation| ? | kernel32 | kernel32
C:/WINDOWS/system32/spoolsv.exe * 5896 | 2005-6-11 7:53:32 | Microsoft(R) Windows(R) Operating System | 5.1.2600.2696 | Spooler SubSystem App | (C) Microsoft Corporation. All rights reserved. | 5.1.2600.2696 (xpsp_sp2_gdr.050610-1519) | Microsoft Corporation| ? | spoolsv.exe | spoolsv.exe
E:/QQ/fyngvk.dll | 2007-4-16 23:54:26
E:/QQ/WSOCK32.dll | 2007-4-16 23:54:26 | Microsoft(R) Windows(R) Operating System | 5.1.2600.2180 | Windows Socket 32-Bit DLL | (C) Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | wsock32.dll | wsock32.dll
C:/WINDOWS/system32/ngvod.dll | 2004-8-17 12:0:0 | Microsoft(R) Windows(R) Operating System | 5.1.2600.2180 | Advanced Windows 32 Base API | (C) Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | advapi32.dll | advapi32.dll
C:/WINDOWS/system32/vkdsl.dll | 2007-4-16 23:54:26 | Microsoft(R) Windows(R) Operating System | 5.1.2600.3119 | Windows NT BASE API Client DLL | (C) Microsoft Corporation. All rights reserved. | 5.1.2600.3119 (xpsp_sp2_gdr.070416-1301) | Microsoft Corporation| ? | kernel32 | kernel32
C:/WINDOWS/system32/rundll32.exe * 5508 | 2004-8-17 12:0:0 | Microsoft(R) Windows(R) Operating System | 5.1.2600.2180 | Run a DLL as an App | (C) Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | rundll | RUNDLL.EXE
C:/WINDOWS/system32/BRHXN.dll | 2007-4-16 23:54:26
E:/QQ/fyngvk.dll |
F2 - REG: system.ini: UserInit = <userinit.exe,EXPLORER.EXE>
O4 - HKCU/../Run: [wsctf.exe] wsctf.exe
O4 - HKCU/../Run: [EXPLORER.EXE] EXPLORER.EXE
O4 - HKLM/../Policies/Explorer/Run: [comrepl32] C:/windows/system32/com/comrecfg.exe
E:/autorun.inf
/-----
[AutoRun]
open=AutoRun.exe
shellexecute=AutoRun.exe
shell/打开(&O)/command=AutoRun.exe
-----/
O21 - SSODL - Userinit() - <userinit.exe,EXPLORER.EXE>
O23 - 服务: 2tsks1wf (2tsks1wf) - C:/WINDOWS/system32/drivers/2tsks1wf.sys
O23 - 服务: AsyncMac (RAS Asynchronous Media Driver) - system32/DRIVERS/comint32.sys(自动)
O23 - 服务: comint32 (comint32) - C:/WINDOWS/system32/DRIVERS/comint32.sys
O23 - 服务: MS (MS) - C:/DOCUME~1/www/LOCALS~1/Temp/tmp6.tmp
O23 - 服务: Mysee2_Runtime (Mysee2_Runtime) - C:/WINDOWS/System32/svchost.exe -k mysee2 -> C:/WINDOWS/system32/gy/runtime.dll
O23 - 服务: PciHardDisk (PciHardDisk) - C:/WINDOWS/system32/drivers/fat32.sys(手动)
O23 - 服务: q2ahpa9iug (q2ahpa9iug) - system32/DRIVERS/q2ahpa9iug.sys(引导)
O23 - 服务: QQRun (QQRun) - C:/WINDOWS/QQRun.exe
O23 - 服务: rzedsig (rzedsig) - system32/DRIVERS/rzedsig.sys(引导)
O24 - ShlExecHook: [] - {159D159D-9D15-59D1-26AE-7BF37BF37BF3} = C:/WINDOWS/system32/BRHXN.dll
===/