Original by endurer
2007-04-03, 1st edition
Yesterday, after a friend plugged a USB flash drive into his computer, Rising's registry monitor reported that a program was trying to modify the registry... Now whenever he uses QQ, it reports an error and has to be reinstalled before it works... so he asked me to help check it.
Downloaded IceSword from http://endurer.ys168.com, found a suspicious process, c:/windows/system32/ime/svchost.exe, and terminated it.
Downloaded pe_xscan and scanned; after analyzing the log on the web page, the following suspicious items were found:
/===
pe_xscan 07-03-17 by Purple Endurer
2007-4-2 20:21:16
Windows XP Service Pack 2(5.1.2600)
管理员用户组
C:/autorun.inf
/-----
[AutoRun]
open=setup.exe
shellexecute=setup.exe
shell/Auto/command=setup.exe
-----/
D:/autorun.inf
/-----
[AutoRun]
open=setup.exe
shellexecute=setup.exe
shell/Auto/command=setup.exe
-----/
E:/autorun.inf
/-----
[AutoRun]
open=setup.exe
shellexecute=setup.exe
shell/Auto/command=setup.exe
-----/
F:/autorun.inf
/-----
[AutoRun]
open=setup.exe
shellexecute=setup.exe
shell/Auto/command=setup.exe
-----/
O23 - 服务: 00 () - C:/WINDOWS/System32/drivers/213617.sys(引导)
O23 - 服务: ADProt (ADProt) - system32/drivers/ADProt.sys(引导)
O23 - 服务: TDDI (TDDI) - C:/WINDOWS/system32/drivers/tddi.sys | 2007-1-16 15:57:22 | SoftDog | 3, 1, 7, 0 | SoftDog driver | Copyright (C) 2004 SafeNet China Ltd. | 3, 1, 7, 0 | SafeNet China Ltd. | | tddi | tddi.sys(自动)
SHOWALL Value isn't 1
===/
Because the virus's attempts to write to the registry were intercepted by Rising, no suspicious startup entries were found in the registry.
/---
文件说明符 : c:/setup.exe
属性 : -SH-
获取文件版本信息大小失败!
创建时间 : 2007-4-3 13:58:42
修改时间 : 2007-3-28 16:40:24
访问时间 : 2007-4-2 0:0:0
大小 : 6041 字节 5.921 KB
MD5 : 019b1d0fe70dbdf7a857d4475c13bd79
---/
Kaspersky reports it as Worm.Win32.Agent.aj.
Used WinRAR to delete the autorun.inf on each drive.
In C:/windows/system32 found internt.exe.rar and progmon.exe, as well as c:/windows/system32/ime/svchost.exe; all have the same file size as setup.exe and Kaspersky reports the same virus name for them, so all were deleted.
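The two checks done by hand above, reading each drive's autorun.inf for the keys that launch setup.exe and then hunting for same-size copies of the worm under system32, can be scripted. The following is an added example and is not part of the original post, nor code from pe_xscan or IceSword. It assumes a constructed autorun.inf modelled on the one in the log (the real key is written shell\Auto\command with backslashes; the parser also accepts the forward-slash form shown in the log) and a constructed 102-byte stand-in payload planted in a temporary directory instead of a real sample.

```python
import hashlib
import os
import re
import tempfile

# [AutoRun] keys that make Explorer run a program when the volume is opened,
# or that plant an "Auto" context-menu verb pointing at it.
LAUNCH_KEYS = ("open", "shellexecute")
SHELL_COMMAND_RE = re.compile(r"^shell[\\/][^\\/]+[\\/]command$", re.IGNORECASE)

# Constructed sample modelled on the autorun.inf in the log above (not a real file).
SAMPLE_AUTORUN = (
    "[AutoRun]\r\n"
    "open=setup.exe\r\n"
    "shellexecute=setup.exe\r\n"
    "shell\\Auto\\command=setup.exe\r\n"
    "icon=setup.exe,0\r\n"
)


def parse_autorun(text):
    """Return (key, command) pairs from the [AutoRun] section that launch a program.

    Keys are matched case-insensitively; both '\\' and '/' are accepted as the
    separator in shell\\<verb>\\command keys. The icon= key is informational and
    is not reported.
    """
    findings = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key_l = key.lower()
        if key_l in LAUNCH_KEYS or SHELL_COMMAND_RE.match(key_l):
            findings.append((key, value))
    return findings


def find_copies(root, size, md5_hex):
    """Walk `root` and return sorted paths of files matching both size and MD5.

    Size is checked first so only candidate files are actually read and hashed.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) != size:
                    continue
                with open(path, "rb") as fh:
                    digest = hashlib.md5(fh.read()).hexdigest()
            except OSError:
                continue  # unreadable or vanished file; skip it
            if digest == md5_hex:
                hits.append(path)
    return sorted(hits)


def demo_find_copies():
    """Plant a constructed payload, two copies, a same-size decoy and an unrelated
    file in a temp dir, then return the relative paths find_copies() reports."""
    payload = b"MZ" + b"\x90" * 99 + b"X"   # constructed stand-in, 102 bytes
    decoy = b"MZ" + b"\x00" * 100           # same size, different content
    target_md5 = hashlib.md5(payload).hexdigest()
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "ime"))
        for rel, data in (
            ("setup.exe", payload),
            ("progmon.exe", payload),
            (os.path.join("ime", "svchost.exe"), payload),
            ("decoy.exe", decoy),
            ("notes.txt", b"not it"),
        ):
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        hits = find_copies(root, len(payload), target_md5)
        return [os.path.relpath(p, root).replace(os.sep, "/") for p in hits]


if __name__ == "__main__":
    for key, cmd in parse_autorun(SAMPLE_AUTORUN):
        print(f"autorun launches: {key} -> {cmd}")
    print("copies found:", demo_find_copies())
```

On a live machine you would call parse_autorun() on the contents of each drive root's autorun.inf and find_copies() with the size and MD5 recorded for setup.exe in the file info above; the same-size decoy in the demo shows why the hash, not just the size the author used, is the deciding check.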
Referring to [System Repair Series] How to show all files and folders,
fixed: SHOWALL Value isn't 1
Uninstalled QQ, rebooted, then downloaded the QQ installer from the Tencent website and reinstalled QQ...
Checked the Rising installation on the friend's computer: the virus database was dated 2007-03-29, ugh! Updated it...
Found that the last-modified time of some EXE files had also changed to 2007-4-2; uploaded one of them, SurfingPlus.exe, for an online scan, with this result:
STATUS: SCANNING
File "SurfingPlus.exe" received on 04.02.2007 at 15:12:50 (CET) is being scanned by VirusTotal in this moment. Results will be shown as they're generated.
Antivirus | Version | Update | Result |
AhnLab-V3 | 2007.4.2.2 | 04.02.2007 | no virus found |
AntiVir | 7.3.1.47 | 04.02.2007 | no virus found |
Authentium | 4.93.8 | 03.31.2007 | no virus found |
Avast | 4.7.936.0 | 04.02.2007 | no virus found |
AVG | 7.5.0.447 | 04.01.2007 | no virus found |
BitDefender | 7.2 | 04.02.2007 | Win32.Vimes.A |
CAT-QuickHeal | 9.00 | 04.02.2007 | (Suspicious) - DNAScan |
ClamAV | devel-20070312 | 04.02.2007 | no virus found |
DrWeb | 4.33 | 04.02.2007 | Trojan.Starter.174 |
eSafe | 7.0.15.0 | 04.02.2007 | no virus found |
eTrust-Vet | 30.6.3527 | 03.31.2007 | no virus found |
Ewido | 4.0 | 04.02.2007 | no virus found |
FileAdvisor | 1 | 04.02.2007 | no virus found |
Fortinet | 2.85.0.0 | 04.02.2007 | suspicious |
F-Prot | 4.3.1.45 | 03.30.2007 | no virus found |
F-Secure | 6.70.13030.0 | 04.02.2007 | Virus.Win32.Downloader.c |
Ikarus | T3.1.1.3 | 04.02.2007 | no virus found |
Kaspersky | 4.0.2.24 | 04.02.2007 | Virus.Win32.Downloader.c |
McAfee | 4997 | 03.31.2007 | New Win32.g2 |
Microsoft | 1.2306 | 04.02.2007 | no virus found |
NOD32v2 | 2162 | 04.02.2007 | Win32/Whld.A |
Norman | 5.80.02 | 04.02.2007 | no virus found |
Panda | 9.0.0.4 | 04.01.2007 | Suspicious file |
Prevx1 | V2 | 04.02.2007 | no virus found |
Sophos | 4.16.0 | 03.30.2007 | no virus found |
Sunbelt | 2.2.907.0 | 03.31.2007 | VIPRE.Suspicious |
Aditional Information
File size: 295936 bytes
MD5: bbdf55d55995011871a8ff0597ce011a
SHA1: 4377108fbf7a1af533609b38e7a5956746678ed0
Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.