Encountering Trojan.DL.Win32.Autorun.yuz, Trojan.Win32.Inject.gh, Trojan.Win32.Agent.zsq and others

Original by endurer
2007-10-23 1st

pe_xscan 07-08-30 by Purple Endurer
2007-10-22 13:13:44
Windows XP Service Pack 2(5.1.2600)
Administrators group

C:/WINDOWS/system32/winlogon.exe * 604 | 2004-8-8 4:0:0 | Microsoft(R) Windows(R) Operating System | 5.1.2600.2180 | Windows NT Logon Application | (C) Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | winlogon | WINLOGON.EXE
    C:/WINDOWS/system32/winlib .dll
    C:/WINDOWS/system32/msplrct.dll

C:/WINDOWS/Explorer.EXE * 224 | 2007-6-13 21:21:56 | Microsoft(R) Windows(R) Operating System | 6.00.2900.3156 | Windows Explorer | (C) Microsoft Corporation. All rights reserved. | 6.00.2900.3156 (xpsp_sp2_gdr.070613-1234) | Microsoft Corporation| ? | explorer | EXPLORER.EXE
    C:/WINDOWS/Downlo~1/zux.dll | 2007-10-18 9:26:58 | Microsoft(R) Windows(R) Operating System | 5, 3, 2600, 2180 | Microsoft DirectMusic Interactive Engine | 版权所有 (C) 2007 | 5, 3, 2600, 2180 | Microsoft Corporation |  | Microsoft DirectMusic Interactive Engine | miniDll.DLL
    C:/WINDOWS/Downlo~1/fap.dll | 2007-10-22 11:19:40 | Microsoft(R) Windows(R) Operating System | 5, 3, 2600, 2180 | Microsoft DirectMusic Interactive Engine | 版权所有 (C) 2007 | 5, 3, 2600, 2180 | Microsoft Corporation |  | Microsoft DirectMusic Interactive Engine | miniDll.DLL
    C:/WINDOWS/Downlo~1/khy.dll | 2007-10-22 11:19:40 | Microsoft(R) Windows(R) Operating System | 5, 3, 2600, 2180 | Microsoft DirectMusic Interactive Engine | 版权所有 (C) 2007 | 5, 3, 2600, 2180 | Microsoft Corporation |  | Microsoft DirectMusic Interactive Engine | miniDll.DLL
    C:/WINDOWS/system32/2b41.dll | 2007-10-22 11:21:46 | IEHpr Module | 1, 0, 0, 2 | IEHpr Module | Copyright 2007 | 1, 0, 0, 2 |  |  | IEHpr | IEHpr.DLL

C:/WINDOWS/system32/rundll32.exe * 1096 | 2004-8-8 4:0:0 | Microsoft(R) Windows(R) Operating System | 5.1.2600.2180 | Run a DLL as an App | (C) Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | rundll | RUNDLL.EXE
    C:/WINDOWS/system32/wincheck071013.dll | 1987-10-13 9:31:38

C:/scktsrvr.exe * 1440 | 2006-2-11 9:40:34 | Borland Socket Server | 7.0 | Borland Socket Server | Copyright © 1997-2001 Borland Software Corporation | 7.0.4.453 | Borland Software Corporation |  | SCKTSRVR | SCKTSRVR.EXE

C:/DOCUME~1/new/LOCALS~1/Temp/rundll.exe * 3280 | 2007-9-1 10:46:2
    C:/Documents and Settings/All Users/Application Data/Microsoft/Office/SYSTEM/loader.dll | 2007-10-22 9:35:58 | loader | 3.0.4 | system event loader | Microsoft.  All rights reserved. | 3.0.4 | Microsoft| ? | loader.dll | loader.dll

C:/Program Files/OCINS/idnsvr.exe * 4072 | 2007-10-22 9:37:22 |  | 2, 6, 0, 0 | 国际化域名支持模块 | Copyright CNNIC 2006 - 2007 | 2, 6, 0, 0 | 中国互联网信息中心(CNNIC) |  | idnsvr | idnsvr.exe
    C:/Program Files/OCINS/idnsvr.exe | 2007-10-22 9:37:22 |  | 2, 6, 0, 0 | 国际化域名支持模块 | Copyright CNNIC 2006 - 2007 | 2, 6, 0, 0 | 中国互联网信息中心(CNNIC) |  | idnsvr | idnsvr.exe

C:/WINDOWS/system32/rundll32.exe * 2300 | 2004-8-8 4:0:0 | Microsoft(R) Windows(R) Operating System | 5.1.2600.2180 | Run a DLL as an App | (C) Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | rundll | RUNDLL.EXE
    C:/WINDOWS/system32/winsys16_071017.dll | 1987-10-22 9:39:30

C:/program files/internet explorer/iexplore.exe * 3852 | 2004-8-8 12:0:0 | Microsoft(R) Windows(R) Operating System | 6.00.2900.2180 | Internet Explorer | (C) Microsoft Corporation. All rights reserved. | 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | iexplore | IEXPLORE.EXE
    C:/WINDOWS/system32/winsys32_071017.dll | 1987-10-22 9:41:22

C:/ah.exe * 14452 | 2007-10-6 19:54:54

C:/WINDOWS/system32/b4591.exe * 15012 | 2007-10-22 10:11:28 | Microsoft(R) Windows(R) Operating System | 5.1.2600.2180 | Windows Progman Group Converter | Copyright Zhongsou(C) 2005 | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | GrpConv| ?

C:/WINDOWS/system32/rundll32.exe * 15192 | 2004-8-8 4:0:0 | Microsoft(R) Windows(R) Operating System | 5.1.2600.2180 | Run a DLL as an App | (C) Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | rundll | RUNDLL.EXE
    C:/WINDOWS/system32/921.dll | 2007-10-22 11:21:46 |  Player 动态链接库 | 1, 0, 0, 3 | Player 动态链接库 |    版权所有 (C) 2006 | 1, 0, 0, 3 |   | ? | Player | Player.dll

O2 - BHO CAdLogic Object - {11F09AFD-75AD-4E51-AB43-E09E9351CE16} - C:/Program Files/Common Files/CPUSH/cpush0.dll
O2 - BHO Info cache - {385AB8C6-FB22-4D17-8834-064E2BA0A6F0} - C:/Documents and Settings/All Users/Application Data/Microsoft/PCTools/pctools.dll
O2 - BHO Invoke Class - {42A3A616-FF3C-4713-A5C2-4F1B566CEF51} - C:/WINDOWS/system32/2b41.dll
O2 - BHO IEAux Class - {7605CC7C-00FD-4A5F-BAFD-828342DE6279} - C:/PROGRA~1/OCINS/ieaux.dll
O2 - BHO ff Class - {B9751A53-4494-4d7c-9732-AE3058D8145F} - C:/WINDOWS/system32/2b41.dll
O2 - BHO Windows Browser - {C86488AF-13D5-4FEF-9DDF-9FB88698CFC1} - C:/Documents and Settings/All Users/Application Data/Microsoft/OFFICE/USERDATA/a5eUwXqfYU.dll

O4 - HKCU/../Policies/Explorer/Run: [mscheck] rundll32.exe C:/WINDOWS/system32/wincheck071013.dll mymain
O4 - HKLM/../Run: [igfxpers] C:/WINDOWS/system32/igfxpers.exe
O4 - HKLM/../Run: [IdnSvr] C:/Program Files/OCINS/idnsvr.exe
O4 - HKLM/../Policies/Explorer/Run: [Userinit] rundll32.exe C:/WINDOWS/system32/winsys16_071017.dll start
O4 - HKLM/../Policies/Explorer/Run: [melove] C:/WINDOWS/system32/dream.exe
O4 - HKLM/../Policies/Explorer/Run: [dream] C:/WINDOWS/system32/dream.exe
O4 - HKLM/../Policies/Explorer/Run: [khy] rundll32 "C:/WINDOWS/Downlo~1/khy.dll",Run

O4 - Global Startup: scktsrvr.lnk -> c:/scktsrvr.exe

CmdProcAuto = d:/myplay.exe

C:/autorun.inf
/-----
[autorun]
OPEN=ah.exe
shellexecute=ah.exe
shell/Auto/command=ah.exe
shell=open
-----/
D:/autorun.inf
/-----
[autorun]
OPEN=ah.exe
shellexecute=ah.exe
shell/Auto/command=ah.exe
shell=open
-----/
E:/autorun.inf
/-----
[autorun]
OPEN=ah.exe
shellexecute=ah.exe
shell/Auto/command=ah.exe
shell=open
-----/
F:/autorun.inf
/-----
[autorun]
OPEN=ah.exe
shellexecute=ah.exe
shell/Auto/command=ah.exe
shell=open
-----/
O8 - IE context menu extra item: &访问通用网址 - C:/Program Files/OCINS/cnrbtn.html
O8 - IE context menu extra item: 易趣购物 - C:/Program Files/AD4All/link1/eachlink.htm

O23 - Service: 1ot8pminre (1ot8pminre) - C:/WINDOWS/system32/drivers/1ot8pminre.sys | 2004-8-8 4:0:0 (Automatic)

O23 - Service: acpidisk (acpidisk) - C:/WINDOWS/system32/drivers/acpidisk.sys | 2007-9-25 14:31:2 (Automatic)

O23 - Service: cnprov (cnprov) - system32/drivers/cnprov.sys | 中文上网官方版 | 2, 6, 0, 0 | 国际化域名辅助模块 | Copyright (c) . All rights reserved. | 2.6.0.0 | 中国互联网络信息中心(CNNIC)| ? | cnprov.sys | cnprov.sys (Boot)

O23 - Service: idnaux (idnaux) - system32/drivers/idnaux.sys | CNNIC idnaux | 2, 6, 0, 0 | 国际化域名支持模块 | Copyright © 2005 | 2, 6, 0, 0 | 中国互联网络信息中心(CNNIC) |  | idnaux | idnaux.sys (Automatic)

O23 - Service: lcyi7wceil (lcyi7wceil) - System32/DRIVERS/lcyi7wceil.sys (Boot)

O23 - Service: ms_2fax (ms_2fax) - C:/WINDOWS/system32/b4591.exe | 2007-10-22 10:11:28 | Microsoft(R) Windows(R) Operating System | 5.1.2600.2180 | Windows Progman Group Converter | Copyright Zhongsou(C) 2005 | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | GrpConv| ? (Automatic)

O23 - Service: mxdispdr (mxdispdr) - C:/WINDOWS/system32/drivers/mxdispdr.sys | 2007-9-30 20:18:14 (Automatic)

O23 - Service: sysloader (System Event loader) - "C:/Documents and Settings/All Users/Application Data/Microsoft/Office/SYSTEM/sysloader.exe" | 2007-10-17 10:18:48 | sysloader | 3.0.4 | system event loader | Microsoft.  All rights reserved. | 3.0.4 | Microsoft| ? | sysloader.exe | sysloader.exe (Automatic)

O23 - Service: Yiqilai (一起来音乐助手) - "C:/Program Files/Yiqilai/wmp/YiqilaiLyrics.exe" | 2007-10-18 10:15:40 | YiqilaiLyrics | 1.0.1 | YiqilaiLyrics | Yiqilai.  All rights reserved. | 1.0.1 | Yiqilai| ? | YiqilaiLyrics.exe | YiqilaiLyrics.exe (Automatic)

File: c:/a.exe
Attributes: A---
Failed to get file version info size!
Created: 2007-10-22 16:56:33
Modified: 2007-10-22 16:57:6
Accessed: 2007-10-22 0:0:0
Size: 102356 bytes (99.980 KB)
MD5 : 7ed8ee6a124e1b69581b0e38435c123c
SHA1: A873CBFFC796E8D211684DE509BB951BBEAD3C64
CRC32: dbf1a17a

Rising reports: Trojan.Clicker.Win32.PopHot.cg
Kaspersky detected: Trojan program Trojan-Spy.Win32.Agent.afl File: D:/test/a.exe.rar/a.exe/PE_Patch/UPack

d:/myplay.exe is identical to c:/a.exe

File: c:/ah.exe
Attributes: -SH-
Failed to get file version info size!
Created: 2007-10-18 16:10:4
Modified: 2007-10-6 19:54:54
Accessed: 2007-10-22 0:0:0
Size: 18432 bytes (18.0 KB)
MD5 : b329e5d20a1636f2a7eb7051a8ed55a1
SHA1: 4AAE08CB65BFBCC0F5F086AEDB3042ED16332F2F
CRC32: 8300cea6

Rising reports: Trojan.DL.Win32.Autorun.yuz

Kaspersky reports: Virus.Win32.AutoRun.og

File: C:/WINDOWS/system32/dream.exe is identical to c:/ah.exe.

File: c:/scktsrvr.exe
Attributes: ----
Language: English (United States)
File version: 7.0.4.453
Description: Borland Socket Server
Copyright: Copyright © 1997-2001 Borland Software Corporation
Comments:
Product version: 7.0
Product name: Borland Socket Server
Company name: Borland Software Corporation
Legal trademarks:
Internal name: SCKTSRVR
Original filename: SCKTSRVR.EXE
Created: 2007-10-11 17:9:32
Modified: 2006-2-11 9:40:34
Accessed: 2007-10-22 0:0:0
Size: 725504 bytes (708.512 KB)
MD5 : c3ef0622b13655bc68cef169e52afb6a
SHA1: 9457F32E964F4040580D8B82B1AC512E96640673
CRC32: 30ec29d7

File: C:/Documents and Settings/All Users/Application Data/Microsoft/OFFICE/USERDATA/a5eUwXqfYU.dll
Attributes: A---
Language: English (United States)
File version: 3, 0, 6, 0
Description: MSN Browser
Copyright: Copyright 2006
Comments:
Product version: 3, 0, 6, 0
Product name: MSN Browser
Company name: Microsoft Corporation
Legal trademarks:
Internal name: webbrowser
Original filename: webbrowser.DLL
Created: 2007-10-22 9:41:59
Modified: 2007-10-22 9:42:0
Accessed: 2007-10-22 0:0:0
Size: 170496 bytes (166.512 KB)
MD5 : df8ff7499023477733bb020473625618
SHA1: F9117D64F0F47450FD49539EAC0CC826D1CC76F9
CRC32: 0e45cf62

Subject:

RE: [?? Probable Spam] a5eUwXqfYU.dll [KLAB-3146835]

  From:

"" <newvirus@kaspersky.com>

Sent: 2007-10-23 12:35:37

Hello,
a5eUwXqfYU.dll - not-a-virus:AdWare.Win32.IEHlpr.ai
This file is an Advertising Tool. Its detection will be included in the next
update of extended databases set. See more info about
extended databases here: http://www.kaspersky.com/extraavupdates
Please quote all when answering.
--
Best regards, Denis Maslennikov
Virus analyst, Kaspersky Lab.

File: C:/WINDOWS/system32/2b41.dll
Attributes: A--R
Language: English (United States)
File version: 1, 0, 0, 2
Description: IEHpr Module
Copyright: Copyright 2007
Comments:
Product version: 1, 0, 0, 2
Product name: IEHpr Module
Company name:
Legal trademarks:
Internal name: IEHpr
Original filename: IEHpr.DLL
Created: 2001-2-3 11:22:36
Modified: 2007-10-22 11:21:46
Accessed: 2007-10-22 0:0:0
Size: 53248 bytes (52.0 KB)
MD5 : 7dd94ef20e40e0de728112675904811a
SHA1: B41E790374214A54C147CBA26736F0BA8E265022
CRC32: 2445c774

Subject:

RE: [?? Probable Spam] 2b41.dll [KLAB-3146836]

  From:

"" <newvirus@kaspersky.com>

Sent: 2007-10-23 12:44:09

Hello,

2b41.dll - not-a-virus:AdWare.Win32.BHO.ih
This file is an Advertising Tool. Its detection will be included in the next
update of extended databases set. See more info about
extended databases here: http://www.kaspersky.com/extraavupdates
Please quote all when answering.
--
Best regards, Denis Maslennikov
Virus analyst, Kaspersky Lab.

File: C:/Documents and Settings/All Users/Application Data/Microsoft/Office/SYSTEM/sysloader.exe
Attributes: A---
Language: English (United States)
File version: 3.0.4
Description: system event loader
Copyright: Microsoft.  All rights reserved.
Comments:
Product version: 3.0.4
Product name: sysloader
Company name: Microsoft
Legal trademarks:
Internal name: sysloader.exe
Original filename: sysloader.exe
Created: 2007-10-17 10:18:48
Modified: 2007-10-17 10:18:48
Accessed: 2007-10-22 0:0:0
Size: 357376 bytes (349.0 KB)
MD5 : c18ceab29fac37d570190a12436d9c8b
SHA1: CB4744B9841B5F9C21CBA1039A46FCE1EAF6E3CD
CRC32: 348f2431

Rising reports: Trojan.Win32.Inject.gh

Subject:

RE: sysloader.exe [KLAB-3146870]

  From:

"" <newvirus@kaspersky.com>

Sent: 2007-10-23 12:48:10

Hello.
New malicious software was found in the attached file. Trojan-Downloader.Win32.Agent.eky
Its detection will be included in the next update. Thank you for your help.
Please quote all when answering. Do not forget to include your registration data.
-----------------
Regards, Maslennikov Denis
Virus Analyst, Kaspersky Lab.

File: C:/WINDOWS/Downlo~1/khy.dll
Attributes: A--R
Language: Chinese (China)
File version: 5, 3, 2600, 2180
Description: Microsoft DirectMusic Interactive Engine
Copyright: 版权所有 (C) 2007
Comments: DirectMusic
Product version: 5, 3, 2600, 2180
Product name: Microsoft(R) Windows(R) Operating System
Company name: Microsoft Corporation
Legal trademarks:
Internal name: Microsoft DirectMusic Interactive Engine
Original filename: miniDll.DLL
Created: 1987-10-22 14:46:33
Modified: 2007-10-22 11:19:40
Accessed: 2007-10-22 0:0:0
Size: 49152 bytes (48.0 KB)
MD5 : 3d6d8766c8436ea20457123a7363095d
SHA1: C93850C662823C02F596F80E129995EC93CF5CF1
CRC32: f5a4e191

Subject:

RE: khy.dll [KLAB-3146872]

  From:

"" <newvirus@kaspersky.com>

Sent: 2007-10-23 12:49:41

Hello,

khy.dll - Trojan-Downloader.Win32.Agent.ekz

New malicious software was found in this file. Its detection will be included in the next update. Thank you for your help.

Please quote all when answering.

--

Best regards, Denis Maslennikov
Virus analyst, Kaspersky Lab.


File: C:/WINDOWS/system32/winsys16_071017.dll
Attributes: -SHR
Failed to get file version info size!
Created: 1987-10-18 9:34:39
Modified: 1987-10-22 9:39:30
Accessed: 2007-10-22 0:0:0
Size: 24576 bytes (24.0 KB)
MD5 : bd5ad170a8b0fec28e972b314c8668e0
SHA1: 408CB216C2A27187C841A0F9ACAF319BBBEC2D0D
CRC32: a9647ec5

Rising reports: Trojan.Win32.Agent.zsq
Kaspersky detected: Trojan program Trojan-Spy.Win32.Agent.aga File: D:/test/winsys16_071017.dll.rar/winsys16_071017.dll

File: C:/WINDOWS/system32/wincheck071013.dll
Attributes: -SHR
Failed to get file version info size!
Created: 1987-10-13 9:31:37
Modified: 1987-10-13 9:31:38
Accessed: 2007-10-22 0:0:0
Size: 27648 bytes (27.0 KB)
MD5 : eb5929a3a390a519729d1e4dea37d34f
SHA1: 31A75B68CC4A03A7BE1A0265AB0DF271AF3F1887
CRC32: 697c1572

Rising reports: Trojan.DL.Win32.MyDown.h

Subject:

RE: wincheck071013.dll [KLAB-3146878]

  From:

"" <newvirus@kaspersky.com>

Sent: 2007.10.23 13:12

Hello.
New malicious software was found in the attached file. Trojan.Win32.Delf.ajt
Its detection will be included in the next update. Thank you for your help.
Please quote all when answering. Do not forget to include your registration data.
-----------------
Regards, Maslennikov Denis
Virus Analyst, Kaspersky Lab.