Encounter with Worm.Win32.Avkiller.i/gavuusg.exe, which uses image hijacking (IFEO)
Original by endurer
2007-07-21, 2nd edition: added Kaspersky's replies
2007-07-21, 1st edition
Around noon a netizen told me that Kingsoft AntiVirus (金山毒霸) and Kingsoft NetShield (网镖) on his computer would not start; he suspected an infection and asked me to help via QQ remote assistance.
Downloaded pe_xscan, scanned, and analysed the log; the following suspicious items turned up:
/===
pe_xscan 07-06-23 by Purple Endurer
2007-7-21 12:52:28
Windows XP Service Pack 2(5.1.2600)
管理员用户组
C:/Program Files/Common Files/Microsoft Shared/gavuusg.exe * 1908 | 2007-7-18 14:44:54
C:/Program Files/Common Files/System/xcjjjpw.exe * 1924 | 2007-7-18 14:44:54
c:/temp/svchost.exe * 1176 | 2007-7-18 14:49:18
F2 - REG: system.ini: UserInit=C:/WINDOWS/system32/Userinit.exe
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 222.189.238.182 www.9605899.com
O1 - Hosts: 222.189.238.182 hyap98.com
O1 - Hosts: 222.189.238.182 www.hyap98.com
O1 - Hosts: 222.189.238.182 82087871.com
O1 - Hosts: 222.189.238.182 www.82087871.com
O1 - Hosts: 222.189.238.182 47555.cn
O1 - Hosts: 222.189.238.182 nc.47555.cn
O1 - Hosts: 222.189.238.182 cn.47555.cn
O1 - Hosts: 222.189.238.182 crsky.47555.cn
O1 - Hosts: 222.189.238.182 www.47555.cn
O2 - BHO Promote Class - {0FA24E3E-422C-4D94-A125-104F32352C90} - C:/WINDOWS/system32/promote.dll
O2 - BHO CAdLogic Object - {11F09AFD-75AD-4E51-AB43-E09E9351CE16} - C:/Program Files/Common Files/CPUSH/cpush.dll
O4 - HKLM/../Run: [hpouysv] C:/Program Files/Common Files/Microsoft Shared/gavuusg.exe
O4 - HKLM/../Run: [bifvgqc] C:/Program Files/Common Files/System/xcjjjpw.exe
D:/autorun.inf
/-----
[AutoRun]
open=hpouysv.exe
shell/open=打开(&O)
shell/open/Command=hpouysv.exe
shell/open/Default=1
shell/explore=资源管理器(&X)
shell/explore/Command=hpouysv.exe
-----/
E:/autorun.inf
/-----
[AutoRun]
open=hpouysv.exe
shell/open=打开(&O)
shell/open/Command=hpouysv.exe
shell/open/Default=1
shell/explore=资源管理器(&X)
shell/explore/Command=hpouysv.exe
-----/
F:/autorun.inf
/-----
[AutoRun]
open=hpouysv.exe
shell/open=打开(&O)
shell/open/Command=hpouysv.exe
shell/open/Default=1
shell/explore=资源管理器(&X)
shell/explore/Command=hpouysv.exe
-----/
O21 - SSODL - SysTime(88Dog.Kalendar) - {724C75F1-B757-408D-A50A-4CF99DA35D73} = C:/PROGRA~1/WinKld/WinKld.dll
O23 - 服务: ADProt (ADProt) - C:/WINDOWS/system32/drivers/ADProt.sys(系统)
O23 - 服务: Application (COM+ Windows Application) - C:/WINDOWS/system32/explorer.exe . ..exe(自动)
O23 - 服务: Messager (Messager) - c:/temp/svchost.exe | 2007-7-18 14:49:18(自动)
O23 - 服务: qgqelbr (qgqelbr) - C:/WINDOWS/System32/drivers/qgqelbr.sys | 2007-4-7 14:13:22 | sys 应用程序 | 1, 0, 1, 3 | sys 应用程序 | 版权所有 (C) 2006 | 1, 0, 1, 3 | 北京三七二一科技有限公司| ? | sys | sys.exe(引导)
O23 - 服务: TesSafe (TesSafe) - C:/WINDOWS/system32/TesSafe.sys | 2007-7-5 13:39:28(手动)
O26 - IFEO: 360rpt.exe -> C:/Program Files/Common Files/Microsoft Shared/gavuusg.exe
O26 - IFEO: 360Safe.exe -> C:/Program Files/Common Files/Microsoft Shared/gavuusg.exe
O26 - IFEO: 360tray.exe -> C:/Program Files/Common Files/Microsoft Shared/gavuusg.exe
O26 - IFEO: adam.exe -> C:/Program Files/Common Files/Microsoft Shared/gavuusg.exe
O26 - IFEO: AgentSvr.exe -> C:/Program Files/Common Files/Microsoft Shared/gavuusg.exe
O26 - IFEO: AppSvc32.exe -> C:/Program Files/Common Files/Microsoft Shared/gavuusg.exe
O26 - IFEO: ArSwp.exe -> C:/Program Files/Common Files/Microsoft Shared/gavuusg.exe
O26 - IFEO: AST.exe -> C:/Program Files/Common Files/Microsoft Shared/gavuusg.exe
O26 - IFEO: autoruns.exe -> C:/Program Files/Common Files/Microsoft Shared/gavuusg.exe
O26 - IFEO: avconsol.exe -> C:/Program Files/Common Files/Microsoft Shared/gavuusg.exe
O26 - IFEO: avgrssvc.exe -> C:/Program Files/Common Files/Micosoft Shared/gavuusg.exe
O26 - IFEO: AvMonitor.exe -> C:/Program Files/Common Files/Microsoft Shared/gavuusg.exe
O26 - IFEO: avp.com -> C:/Program Files/Common Files/Microsoft Shared/gavuusg.exe
O26 - IFEO: avp.exe -> C:/Program Files/Common Files/Microsoft Shared/gavuusg.exe
O26 - IFEO: CCenter.exe -> C:/Program Files/Common Files/Microsoft Shared/gavuusg.exe
O26 - IFEO: ccSvcHst.exe -> C:/Program Files/Common Files/Microsoft Shared/gavuusg.exe
O26 - IFEO: EGHOST.exe -> C:/Program Files/Common Files/Microsoft Shared/gavuusg.exe
O26 - IFEO: FileDsty.exe -> C:/Program Files/Common Files/Microsoft Shared/gavuusg.exe
O26 - IFEO: FTCleanerShell.exe -> C:/Program Files/Common Files/Microsoft Shared/gavuusg.exe
O26 - IFEO: FYFireWall.exe -> C:/Program Files/Common Files/Microsoft Shared/gavuusg.exe
O26 - IFEO: HijackThis.exe -> C:/Program Files/Common Files/Microsoft Shared/gavuusg.exe
O26 - IFEO: IceSword.exe -> C:/Program Files/Common Files/Microsoft Shared/gavuusg.exe
O26 - IFEO: iparmo.exe -> C:/Program Files/Common Files/Microsoft Shared/gavuusg.exe
O26 - IFEO: Iparmor.exe -> C:/Program Files/Common Files/Microsoft Shared/gavuusg.exe
O26 - IFEO: isPwdSvc.exe -> C:/Program Files/Common Files/Microsoft Shared/gavuusg.exe
O26 - IFEO: kabaload.exe -> C:/Program Files/Common Files/Microsoft Shared/gavuusg.exe
O26 - IFEO: KaScrScn.SCR -> C:/Program Files/Common Files/Microsoft Shared/gavuusg.exe
O26 - IFEO: KASMain.exe -> C:/Program Files/Common Files/Microsoft Shared/gavuusg.exe
O26 - IFEO: KASTask.exe -> C:/Program Files/Common Files/Microsoft Shared/gavuusg.exe
O26 - IFEO: KAV32.exe -> C:/Program Files/Common Files/Microsoft Shared/gavuusg.exe
O26 - IFEO: KAVDX.exe -> C:/Program Files/Common Files/Microsoft Shared/gavuusg.exe
O26 - IFEO: KAVPF.exe -> C:/Program Files/Common Files/Microsoft Shared/gavuusg.exe
O26 - IFEO: KAVPFW.exe -> C:/Program Files/Common Files/Microsoft Shared/gavuusg.exe
O26 - IFEO: KAVSetup.exe -> C:/Program Files/Common Files/Microsoft Shared/gavuusg.exe
O26 - IFEO: KAVStart.exe -> C:/Program Files/Common Files/Microsoft Shared/gavuusg.exe
O26 - IFEO: KISLnchr.exe -> C:/Program Files/Common Files/Microsoft Shared/gavuusg.exe
O26 - IFEO: KMailMon.exe -> C:/Program Files/Common Files/Microsoft Shared/gavuusg.exe
O26 - IFEO: KMFilter.exe -> C:/Program Files/Common Files/Microsoft Shared/gavuusg.exe
O26 - IFEO: KPFW32.exe -> C:/Program Files/Common Files/Microsoft Shared/gavuusg.exe
O26 - IFEO: KPFW32X.exe -> C:/Program Files/Common Files/Microsoft Shared/gavuusg.exe
O26 - IFEO: KPfwSvc.exe -> C:/Program Files/Common Files/Microsoft Shared/gavuusg.exe
O26 - IFEO: KRegEx.exe -> C:/Program Files/Common Files/Microsoft Shared/gavuusg.exe
O26 - IFEO: KRepair.com -> C:/Program Files/Common Files/Microsoft Shared/gavuusg.exe
O26 - IFEO: KsLoader.exe -> C:/Program Files/Common Files/Microsoft Shared/gavuusg.exe
O26 - IFEO: KVCenter.kxp -> C:/Program Files/Common Files/Microsoft Shared/gavuusg.exe
O26 - IFEO: KvDetect.exe -> C:/Program Files/Common Files/Microsoft Shared/gavuusg.exe
O26 - IFEO: KvfwMcl.exe -> C:/Program Files/Common Files/Microsoft Shared/gavuusg.exe
O26 - IFEO: KVMonXP.kxp -> C:/Program Files/Common Files/Microsoft Shared/gavuusg.exe
O26 - IFEO: KVMonXP_1.kxp -> C:/Program Files/Common Files/Microsoft Shared/gavuusg.exe
O26 - IFEO: kvol.exe -> C:/Program Files/Common Files/Microsoft Shared/gavuusg.exe
O26 - IFEO: kvolself.exe -> C:/Program Files/Common Files/Microsoft Shared/gavuusg.exe
O26 - IFEO: KvReport.kxp -> C:/Program Files/Common Files/Microsoft Shared/gavuusg.exe
O26 - IFEO: KVScan.kxp -> C:/Program Files/Common Files/Microsoft Shared/gavuusg.exe
O26 - IFEO: KVSrvXP.exe -> C:/Program Files/Common Files/Microsoft Shared/gavuusg.exe
O26 - IFEO: KVStub.kxp -> C:/Program Files/Common Files/Microsoft Shared/gavuusg.exe
O26 - IFEO: kvupload.exe -> C:/Program Files/Common Files/Microsoft Shared/gavuusg.exe
O26 - IFEO: kvwsc.exe -> C:/Program Files/Common Files/Microsoft Shared/gavuusg.exe
O26 - IFEO: KvXP.kxp -> C:/Program Files/Common Files/Microsoft Shared/gavuusg.exe
O26 - IFEO: KvXP_1.kxp -> C:/Program Files/Common Files/Microsoft Shared/gavuusg.exe
O26 - IFEO: KWatch.exe -> C:/Program Files/Common Files/Microsoft Shared/gavuusg.exe
O26 - IFEO: KWatch9x.exe -> C:/Program Files/Common Files/Microsoft Shared/gavuusg.exe
O26 - IFEO: KWatchX.exe -> C:/Program Files/Common Files/Microsoft Shared/gavuusg.exe
O26 - IFEO: loaddll.exe -> C:/Program Files/Common Files/Microsoft Shared/gavuusg.exe
O26 - IFEO: MagicSet.exe -> C:/Program Files/Common Files/Microsoft Shared/gavuusg.exe
O26 - IFEO: mcconsol.exe -> C:/Program Files/Common Files/Microsoft Shared/gavuusg.exe
O26 - IFEO: mmqczj.exe -> C:/Program Files/Common Files/Microsoft Shared/gavuusg.exe
O26 - IFEO: mmsk.exe -> C:/Program Files/Common Files/Microsoft Shared/gavuusg.exe
O26 - IFEO: Navapsvc.exe -> C:/Program Files/Common Files/Microsoft Shared/gavuusg.exe
O26 - IFEO: Navapw32.exe -> C:/Program Files/Common Files/Microsoft Shared/gavuusg.exe
O26 - IFEO: nod32.exe -> C:/Program Files/Common Files/Microsoft Shared/gavuusg.exe
O26 - IFEO: nod32krn.exe -> C:/Program Files/Common Files/Microsoft Shared/gavuusg.exe
O26 - IFEO: nod32kui.exe -> C:/Program Files/Common Files/Microsoft Shared/gavuusg.exe
O26 - IFEO: NPFMntor.exe -> C:/Program Files/Common Files/Microsoft Shared/gavuusg.exe
O26 - IFEO: PFW.exe -> C:/Program Files/Common Files/Microsoft Shared/gavuusg.exe
O26 - IFEO: PFWLiveUpdate.exe -> C:/Program Files/Common Files/Microsoft Shared/gavuusg.exe
O26 - IFEO: QHSET.exe -> C:/Program Files/Common Files/Microsoft Shared/gavuusg.exe
O26 - IFEO: QQDoctor.exe -> C:/Program Files/Common Files/Microsoft Shared/gavuusg.exe
O26 - IFEO: QQKav.exe -> C:/Program Files/Common Files/Microsoft Shared/gavuusg.exe
O26 - IFEO: Ras.exe -> C:/Program Files/Common Files/Microsoft Shared/gavuusg.exe
O26 - IFEO: Rav.exe -> C:/Program Files/Common Files/Microsoft Shared/gavuusg.exe
O26 - IFEO: RavMon.exe -> C:/Program Files/Common Files/Microsoft Shared/gavuusg.exe
O26 - IFEO: RavMonD.exe -> C:/Program Files/Common Files/Microsoft Shared/gavuusg.exe
O26 - IFEO: RavStub.exe -> C:/Program Files/Common Files/Microsoft Shared/gavuusg.exe
O26 - IFEO: RavTask.exe -> C:/Program Files/Common Files/Microsoft Shared/gavuusg.exe
O26 - IFEO: RegClean.exe -> C:/Program Files/Common Files/Microsoft Shared/gavuusg.exe
O26 - IFEO: rfwcfg.exe -> C:/Program Files/Common Files/Microsoft Shared/gavuusg.exe
O26 - IFEO: rfwmain.exe -> C:/Program Files/Common Files/Microsoft Shared/gavuusg.exe
O26 - IFEO: rfwsrv.exe -> C:/Program Files/Common Files/Microsoft Shared/gavuusg.exe
O26 - IFEO: RsAgent.exe -> C:/Program Files/Common Files/Microsoft Shared/gavuusg.exe
O26 - IFEO: Rsaupd.exe -> C:/Program Files/Common Files/Microsoft Shared/gavuusg.exe
O26 - IFEO: rstrui.exe -> C:/Program Files/Common Files/Microsoft Shared/gavuusg.exe
O26 - IFEO: runiep.exe -> C:/Program Files/Common Files/Microsoft Shared/gavuusg.exe
O26 - IFEO: safelive.exe -> C:/Program Files/Common Files/Microsoft Shared/gavuusg.exe
O26 - IFEO: scan32.exe -> C:/Program Files/Common Files/Microsoft Shared/gavuusg.exe
O26 - IFEO: shcfg32.exe -> C:/Program Files/Common Files/Microsoft Shared/gavuusg.exe
O26 - IFEO: SmartUp.exe -> C:/Program Files/Common Files/Microsoft Shared/gavuusg.exe
O26 - IFEO: SREng.EXE -> C:/Program Files/Common Files/Microsoft Shared/gavuusg.exe
O26 - IFEO: symlcsvc.exe -> C:/Program Files/Common Files/Microsoft Shared/gavuusg.exe
O26 - IFEO: SysSafe.exe -> C:/Program Files/Common Files/Microsoft Shared/gavuusg.exe
O26 - IFEO: TrojanDetector.exe -> C:/Program Files/Common Files/Microsoft Shared/gavuusg.exe
O26 - IFEO: Trojanwall.exe -> C:/Program Files/Common Files/Microsoft Shared/gavuusg.exe
O26 - IFEO: TrojDie.kxp -> C:/Program Files/Common Files/Microsoft Shared/gavuusg.exe
O26 - IFEO: UIHost.exe -> C:/Program Files/Common Files/Microsoft Shared/gavuusg.exe
O26 - IFEO: UmxAgent.exe -> C:/Program Files/Common Files/Microsoft Shared/gavuusg.exe
O26 - IFEO: UmxAttachment.exe -> C:/Program Files/Common Files/Microsoft Shared/gavuusg.exe
O26 - IFEO: UmxCfg.exe -> C:/Program Files/Common Files/Microsoft Shared/gavuusg.exe
O26 - IFEO: UmxFwHlp.exe -> C:/Program Files/Common Files/Microsoft Shared/gavuusg.exe
O26 - IFEO: UmxPol.exe -> C:/Program Files/Common Files/Microsoft Shared/gavuusg.exe
O26 - IFEO: upiea.exe -> C:/Program Files/Common Files/Microsoft Shared/gavuusg.exe
O26 - IFEO: UpLive.exe -> C:/Program Files/Common Files/Microsoft Shared/gavuusg.exe
O26 - IFEO: USBCleaner.exe -> C:/Program Files/Common Files/Microsoft Shared/gavuusg.exe
O26 - IFEO: vsstat.exe -> C:/Program Files/Common Files/Microsoft Shared/gavuusg.exe
O26 - IFEO: webscanx.exe -> C:/Program Files/Common Files/Microsoft Shared/gavuusg.exe
O26 - IFEO: WoptiClean.exe -> C:/Program Files/Common Files/Microsoft Shared/gavuusg.exe
HKCU/SHOWALL 未能打开key
HKLM/SHOWALL 值非1
===/
As expected, the machine had been hit by something that uses image hijacking (IFEO).
First I stopped and disabled the Application and Messager services from the O23 - service entries.
Downloaded bat_do, FreeDLL and FileInfo from http://purpleendurer.ys168.com.
Downloaded ProcView and HijackThis from http://endurer.ys168.com.
Ran ProcView and WinRAR; both program windows flashed and vanished, closed by the malicious program.
Renamed HijackThis.exe to h.exe and ran it, then used its built-in process manager to terminate the three malicious processes; only xcjjjpw.exe could not be terminated!
Ran bat_do, added the three malicious process files, backed them up into an archive, then deleted what could be deleted and renamed what could not.
Since regedit.exe had not been image-hijacked, it could be opened directly to delete the O26 (IFEO) entries and the O23 entries from the registry.
Downloaded IceSword from http://endurer.ys168.com and used it to terminate the xcjjjpw.exe process.
After that WinRAR worked normally again.
Used HijackThis to fix the F2 through O22 items.
Downloaded and installed Rising Kaka Security Assistant (瑞星卡卡安全助手) from http://tool.ikaka.com, used it to scan for rogue software and to repair the "HKLM/SHOWALL 值非1" item (the HKLM SHOWALL value not being 1).
Used bat_do to archive and back up the other malicious program files; however, the file for O23 - service: Application could not be found, and only the following was discovered:
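To show how the O4/O26 lines above are read, here is an added triage script (my own example, not part of the original post or of pe_xscan). It assumes pe_xscan's line format as shown in the log; the sample lines are constructed, and the windbg.exe entry is an invented benign one for contrast.

```python
import re
from collections import defaultdict

# Constructed sample in pe_xscan's O4/O26 line format; the windbg line is an
# invented benign entry (developer-set debugger), the rest mirror the post.
SAMPLE_LOG = """\
O4 - HKLM/../Run: [hpouysv] C:/Program Files/Common Files/Microsoft Shared/gavuusg.exe
O4 - HKLM/../Run: [bifvgqc] C:/Program Files/Common Files/System/xcjjjpw.exe
O26 - IFEO: 360Safe.exe -> C:/Program Files/Common Files/Microsoft Shared/gavuusg.exe
O26 - IFEO: avp.exe -> C:/Program Files/Common Files/Microsoft Shared/gavuusg.exe
O26 - IFEO: HijackThis.exe -> C:/Program Files/Common Files/Microsoft Shared/gavuusg.exe
O26 - IFEO: IceSword.exe -> C:/Program Files/Common Files/Microsoft Shared/gavuusg.exe
O26 - IFEO: notepad.exe -> C:/Debuggers/windbg.exe
"""

IFEO_RE = re.compile(r"^O26 - IFEO: (\S+) -> (.+)$")
RUN_RE = re.compile(r"^O4 - HKLM/\.\./Run: \[([^\]]+)\] (.+)$")

def parse_log(text):
    """Return (debugger path -> [hijacked image names], autostart path -> Run value name)."""
    ifeo, run = defaultdict(list), {}
    for line in text.splitlines():
        line = line.strip()
        m = IFEO_RE.match(line)
        if m:
            ifeo[m.group(2).strip().lower()].append(m.group(1))
            continue
        m = RUN_RE.match(line)
        if m:
            run[m.group(2).strip().lower()] = m.group(1)
    return ifeo, run

def hijacked_images(text):
    """Image names Windows redirects to a Debugger; a renamed copy (h.exe) is not among them."""
    ifeo, _ = parse_log(text)
    return {name for names in ifeo.values() for name in names}

def triage(text, threshold=3):
    """Flag a Debugger that covers many images and/or is itself a Run autostart."""
    ifeo, run = parse_log(text)
    findings = []
    for debugger, images in ifeo.items():
        reasons = []
        if len(images) >= threshold:
            reasons.append("Debugger for %d different images" % len(images))
        if debugger in run:
            reasons.append("same file autostarts as Run value [%s]" % run[debugger])
        if reasons:
            findings.append({"debugger": debugger, "images": sorted(images), "reasons": reasons})
    return findings
```

On the real log the gavuusg.exe path is flagged on both counts, while a single developer-set debugger is left alone.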
文件说明符 : C:/WINDOWS/system32/explorer.exe . ..cfg
属性 : -SHR
获取文件版本信息大小失败!
创建时间 : 2007-5-7 9:34:29
修改时间 : 2007-5-7 9:34:30
访问时间 : 2007-7-21 0:0:0
大小 : 5 字节
MD5 : a2c30105fd50d783461280c1570c9be3
File content: huaye
Downloaded Dr.Web CureIt! and scanned; in the IE cache folder it also found some files exploiting the ANI vulnerability and several virus program files.
文件说明符 : c:/temp/svchost.exe
属性 : ----
获取文件版本信息大小失败!
创建时间 : 2007-7-18 14:48:58
修改时间 : 2007-7-18 14:49:18
访问时间 : 2007-7-21 0:0:0
大小 : 237567 字节 231.1023 KB
MD5 : aa625321f589128c5a8229741bb23b80
Subject: RE: c:/temp/svchost.exe [KLAB-2472027]
From: "" | Sent: 2007-07-21 20:20:35
Hello,
svchost.exe_ - Trojan-Downloader.Win32.Delf.asz
New malicious software was found in this file. Its detection will be included in the next update. Thank you for your help.
Please quote all when answering.
--
Best regards, Alexander Romanenko
Virus analyst, Kaspersky Lab.
文件说明符 : C:/Program Files/Common Files/Microsoft Shared/gavuusg.exe
属性 : ----
获取文件版本信息大小失败!
创建时间 : 2007-7-18 14:44:54
修改时间 : 2007-7-18 14:44:54
访问时间 : 2007-7-21 0:0:0
大小 : 26763 字节 26.139 KB
MD5 : e9add3941f09f2ea89ecf35968ba181f
Rising reports it as Worm.Win32.Avkiller.i; Dr.Web reports it as probably infected with DLOADER.Trojan
Subject: RE: Rising___Worm.Win32.Avkiller.i----gavuusg .exe.rar [KLAB-2471896]
From: "" | Sent: 2007-07-21 22:48:14
Hello.
New malicious software was found in the attached file. Virus.Win32.AutoRun.f
Its detection will be included in the next update. Thank you for your help.
Please quote all when answering. Do not forget to include your registration data.
-----------------
Regards, Maslennikov Denis
Virus Analyst, Kaspersky Lab.
The contents of C:/Program Files/Common Files/System/xcjjjpw.exe, c:/Program Files/meex.exe and the hpouysv.exe on each drive are all identical to gavuusg.exe.
文件说明符 : C:/Documents and Settings/LocalService/Local Settings/Temporary Internet Files/Content.IE5/WVQ9YYLV/3[1].exe
属性 : A---
获取文件版本信息大小失败!
创建时间 : 2007-7-17 17:20:2
修改时间 : 2007-7-18 15:41:34
访问时间 : 2007-7-21 0:0:0
大小 : 22774 字节 22.246 KB
MD5 : c626fa31eaeb93be7028977ae461b8ee
Kaspersky reports it as Trojan-PSW.Win32.Delf.qc, Rising as Trojan.PSW.Agent.kat, Dr.Web as Trojan.PWS.Gamania
文件说明符 : C:/Documents and Settings/LocalService/Local Settings/Temporary Internet Files/Content.IE5/KUG2OAW3/go[1].exe
属性 : ----
获取文件版本信息大小失败!
创建时间 : 2007-7-18 17:24:23
修改时间 : 2007-7-19 16:18:40
访问时间 : 2007-7-21 0:0:0
大小 : 36352 字节 35.512 KB
MD5 : 2156e3683cf4724ff4009975f424ff5c
Kaspersky reports it as Trojan-Downloader.Win32.Delf.bko, Rising as Trojan.DL.Win32.Delf.yqo, Dr.Web as BackDoor.WebDor