Trojan.PSW.Win32.GameOL,Trojan.Win32.Undef,Trojan.DL.Win32.Undef等1

原创

PurpleEndurer 2022-12-12 15:17:03 博主文章分类：系统维护 ©著作权

文章标签 microsoft c system windows application 文章分类 运维

©著作权归作者所有：来自51CTO博客作者PurpleEndurer的原创作品，请联系作者获取转载授权，否则将追究法律责任

Trojan.PSW.Win32.GameOL,Trojan.Win32.Undef,Trojan.DL.Win32.Undef等1

endurer 原创
2008-09-11 第1版

今天一位朋友的电脑最近反应很慢，请偶帮忙检修。

打开任务管理器，发现一个名为kcodn32.exe的陌生进程，终止了。

用pe_xscan 扫描 log 分析，发现如下可疑项：

/===
pe_xscan 08-08-01 by Purple Endurer 
2000-9-11 17:36:12 
Windows XP Service Pack 2(5.1.2600) 
MSIE:6.0.2900.2180 
管理员用户组 
正常模式 

[System Process] * 0 
　　 C:/WINDOWS/system32/tisqctyu.dll | 2004-8-8 7:41:14 
　　 C:/WINDOWS/system32/MMWLANGH1006.dll | 2000-7-9 7:44:43 
　　 C:/WINDOWS/system32/imgutilhx2.dll | 2001-7-9 7:42:53 
　　 C:/WINDOWS/system32/ksuserfy.dll | 2001-7-9 7:42:47 
　　 C:/WINDOWS/system32/dispexcb.dll | 2001-7-9 7:42:40 
　　 C:/WINDOWS/system32/tscfgwmijxsj.dll | 2001-7-9 7:42:34 
　　 C:/WINDOWS/system32/bootvidgj.dll | 2001-7-9 7:42:27 
　　 C:/WINDOWS/system32/msobjstl.dll | 2001-7-9 7:42:21 
　　 C:/WINDOWS/system32/cliconfgzx.dll | 2001-7-9 7:42:14 
　　 C:/WINDOWS/system32/adsntzt.dll | 2001-7-9 7:42:8 
　　 C:/WINDOWS/system32/dpvvoxmh.dll | 2001-7-9 7:42:1 
C:/WINDOWS/System32/winlogon.exe* 640 | 1979-12-31 16:0:0 | Microsoft(R) Windows(R) Operating System | 5.1.2600.2180 | Windows NT Logon Application | (C) Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | winlogon | WINLOGON.EXE 
　　 C:/WINDOWS/system32/nhmxejkl.dll | 2004-8-8 7:41:0 
　　 C:/WINDOWS/system32/tisqctyu.dll | 2004-8-8 7:41:14 
　　 C:/WINDOWS/system32/MMWLANGH1006.dll | 2000-7-9 7:44:43 
C:/WINDOWS/System32/services.exe* 684 | 2004-8-17 4:0:0 | Microsoft(R) Windows(R) Operating System | 5.1.2600.2180 | Services and Controller app | (C) Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | services.exe | services.exe 
　　 C:/WINDOWS/system32/nhmxejkl.dll | 2004-8-8 7:41:0 
　　 C:/WINDOWS/system32/tisqctyu.dll | 2004-8-8 7:41:14 
　　 C:/WINDOWS/system32/MMWLANGH1006.dll | 2000-7-9 7:44:43 
C:/WINDOWS/System32/lsass.exe* 696 | 2004-8-17 4:0:0 | Microsoft? Windows? Operating System | 5.1.2600.2180 | LSA Shell (Export Version) | ? Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | lsass.exe | lsass.exe 
　　 C:/WINDOWS/system32/nhmxejkl.dll | 2004-8-8 7:41:0 
　　 C:/WINDOWS/system32/tisqctyu.dll | 2004-8-8 7:41:14 
　　 C:/WINDOWS/system32/MMWLANGH1006.dll | 2000-7-9 7:44:43 
C:/WINDOWS/System32/svchost.exe* 840 | 2004-8-17 4:0:0 | Microsoft? Windows? Operating System | 5.1.2600.2180 | Generic Host Process for Win32 Services | ? Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | svchost.exe | svchost.exe 
　　 C:/WINDOWS/system32/nhmxejkl.dll | 2004-8-8 7:41:0 
　　 C:/WINDOWS/system32/tisqctyu.dll | 2004-8-8 7:41:14 
　　 C:/WINDOWS/system32/MMWLANGH1006.dll | 2000-7-9 7:44:43 
　　 C:/WINDOWS/system32/kcodn32.dll | 2008-7-5 23:58:35 
　　 C:/WINDOWS/system32/imgutilhx2.dll | 2001-7-9 7:42:53 
　　 C:/WINDOWS/system32/ksuserfy.dll | 2001-7-9 7:42:47 
　　 C:/WINDOWS/system32/dispexcb.dll | 2001-7-9 7:42:40 
　　 C:/WINDOWS/system32/tscfgwmijxsj.dll | 2001-7-9 7:42:34 
　　 C:/WINDOWS/system32/bootvidgj.dll | 2001-7-9 7:42:27 
　　 C:/WINDOWS/system32/msobjstl.dll | 2001-7-9 7:42:21 
　　 C:/WINDOWS/system32/cliconfgzx.dll | 2001-7-9 7:42:14 
　　 C:/WINDOWS/system32/adsntzt.dll | 2001-7-9 7:42:8 
　　 C:/WINDOWS/system32/dpvvoxmh.dll | 2001-7-9 7:42:1 
R3 - URLSearchHook: SrchHook Class - {F08555B0-9CC3-11D2-AA8E-000000000000} - C:/Program Files/HotTools/iebho.dll
F2 - Shell = <Explorer.exe,,gprF.exe>


O2 - BHO - {38093456-9012-4568-9076-908765467183} = C:/WINDOWS/system32/tisqctyu.dll | 2004-8-8 7:41:14 
O2 - BHO - {43512378-9874-5641-1025-985420368734} = C:/WINDOWS/system32/oswxdttb.dll | 2004-8-8 7:41:35 
O2 - BHO - {57AC9076-C898-B098-D098-A18319080975} = C:/WINDOWS/system32/nhmxejkl.dll | 2004-8-8 7:41:0 
O2 - BHO SrchHook Class - {F08555B0-9CC3-11D2-AA8E-000000000000} = C:/Program Files/HotTools/iebho.dll | 2008-6-27 13:54:4 
O3 - IE工具栏: 快捷工具条3.21 - {BE830FD4-E393-417F-9F4B-CC70ABB3384C} = c:/program files/hottools/ietool.dll | 2008-6-27 13:54:3 

O4 - HKLM/../Run: [SVCHOST] C:/WINDOWS/MDM.EXE
O4 - HKLM/../Policies/Explorer/Run: [kcodn]  kcodn32.exe
C:/autorun.inf
/-----
[AutoRun]
open=RavMon.exe
shell/open=打开(&O)
shell/open/Command=RavMon.exe
shell/explore=资源管理器(&X)
shell/explore/Command="RavMon.exe -e"
-----/
D:/autorun.inf
/-----
[AutoRun]
open=RavMon.exe
shell/open=打开(&O)
shell/open/Command=RavMon.exe
shell/explore=资源管理器(&X)
shell/explore/Command="RavMon.exe -e"
-----/


O20 - AppInit_DLLs = pocolieov.dll,nhmxejkl.dll,tisqctyu.dll,momusi.dll,hwofw.dll,webliso.dll,wisoko.dll,jerryi.dll,xxpopo.dll,jelens.dll,jozasus.dll,zbioscok.dll,MMWLANGH1006.dll


O21 - SSODL - dpvvoxmh.dll(0) - {00070007-0007-0007-0007-00070007BB15} = C:/WINDOWS/system32/dpvvoxmh.dll | 2001-7-9 7:42:1 
O21 - SSODL - adsntzt.dll(0) - {00010001-0001-0001-0001-00010001BB15} = C:/WINDOWS/system32/adsntzt.dll | 2001-7-9 7:42:8 
O21 - SSODL - cliconfgzx.dll(0) - {00050005-0005-0005-0005-00050005BB15} = C:/WINDOWS/system32/cliconfgzx.dll | 2001-7-9 7:42:14 
O21 - SSODL - msobjstl.dll(1) - {00170017-0017-0017-0017-00170017BB15} = C:/WINDOWS/system32/msobjstl.dll | 2001-7-9 7:42:21 
O21 - SSODL - bootvidgj.dll(0) - {00030003-0003-0003-0003-00030003BB15} = C:/WINDOWS/system32/bootvidgj.dll | 2001-7-9 7:42:27 
O21 - SSODL - tscfgwmijxsj.dll(3) - {00330033-0033-0033-0033-00330033BB15} = C:/WINDOWS/system32/tscfgwmijxsj.dll | 2001-7-9 7:42:34 
O21 - SSODL - dispexcb.dll(0) - {00060006-0006-0006-0006-00060006BB15} = C:/WINDOWS/system32/dispexcb.dll | 2001-7-9 7:42:40 
O21 - SSODL - ksuserfy.dll(1) - {00130013-0013-0013-0013-00130013BB15} = C:/WINDOWS/system32/ksuserfy.dll | 2001-7-9 7:42:47 
O21 - SSODL - imgutilhx2.dll(0) - {00300030-0030-0030-0030-00300030BB15} = C:/WINDOWS/system32/imgutilhx2.dll | 2001-7-9 7:42:53 
O23 - 服务: 682247f847c41458 (682247f847c41458) - C:/682247f847c41458.dat (手动) 
O23 - 服务: 807937ac67f36f77 (807937ac67f36f77) - C:/807937ac67f36f77.dat (手动) 
O23 - 服务: aa12ddf439b88b16 (aa12ddf439b88b16) - C:/aa12ddf439b88b16.dat (手动) 
O23 - 服务: HiddFldy (HiddFldy) - C:/WINDOWS/system32/d32dx9.sys | 2000-7-9 7:43:0(自动) 
O23 - 服务: mscodesrv () - C:/WINDOWS/temp/runassrv.exe runsrv /name:"mscodesrv" /prinum:"32" /inter /cmdline: C:/WINDOWS/autohal.exe -PSSP S-1-5-21-2000478354-842925246-1202660629-500" (自动) 
O24 - ShlExecHook: [5] - {55694105-5108-9405-3695-954187462155} = C:/WINDOWS/system32/mpwdeapi.dll | 2004-8-8 7:40:46 
O24 - ShlExecHook: [6] - {6C648541-1025-9650-9057-6541258720C6} = C:/WINDOWS/system32/mndhfdwd.dll | 2004-8-8 7:40:53 
O24 - ShlExecHook: [5] - {57AC9076-C898-B098-D098-A18319080975} = C:/WINDOWS/system32/nhmxejkl.dll | 2004-8-8 7:41:0 
O24 - ShlExecHook: [4] - {4D698451-2015-6358-9871-2015987452D4} = C:/WINDOWS/system32/apzhdtde.dll | 2004-8-8 7:41:7 
O24 - ShlExecHook: [3] - {38093456-9012-4568-9076-908765467183} = C:/WINDOWS/system32/tisqctyu.dll | 2004-8-8 7:41:14 
O24 - ShlExecHook: [4] - {40618412-C528-C784-C056-C164D1F7C504} = C:/WINDOWS/system32/detxdiua.dll | 2004-8-8 7:41:21 
O24 - ShlExecHook: [2] - {25FD6584-698F-BCD2-602C-698745210352} = C:/WINDOWS/system32/rijxbkin.dll | 2004-8-8 7:41:28 
O24 - ShlExecHook: [4] - {43512378-9874-5641-1025-985420368734} = C:/WINDOWS/system32/oswxdttb.dll | 2004-8-8 7:41:35 
O24 - ShlExecHook: [5] - {528DF602-9541-A985-210A-984A698C6F25} = C:/WINDOWS/system32/ptjhehlp.dll | 2004-8-8 7:41:41 
O24 - ShlExecHook: [4] - {49109876-7619-9101-7012-901938475194} = C:/WINDOWS/system32/ietzdpaq.dll | 2004-8-8 7:41:48 
O24 - ShlExecHook: [4] - {470165F1-9F65-569F-F895-F14F58F41074} = C:/WINDOWS/system32/lofsdjbo.dll | 2004-8-8 7:41:55 
O24 - ShlExecHook: [5] - {00070007-0007-0007-0007-00070007BB15} = C:/WINDOWS/system32/dpvvoxmh.dll | 2001-7-9 7:42:1 
O24 - ShlExecHook: [5] - {00010001-0001-0001-0001-00010001BB15} = C:/WINDOWS/system32/adsntzt.dll | 2001-7-9 7:42:8 
O24 - ShlExecHook: [5] - {00050005-0005-0005-0005-00050005BB15} = C:/WINDOWS/system32/cliconfgzx.dll | 2001-7-9 7:42:14 
O24 - ShlExecHook: [5] - {00170017-0017-0017-0017-00170017BB15} = C:/WINDOWS/system32/msobjstl.dll | 2001-7-9 7:42:21 
O24 - ShlExecHook: [5] - {00030003-0003-0003-0003-00030003BB15} = C:/WINDOWS/system32/bootvidgj.dll | 2001-7-9 7:42:27 
O24 - ShlExecHook: [5] - {00330033-0033-0033-0033-00330033BB15} = C:/WINDOWS/system32/tscfgwmijxsj.dll | 2001-7-9 7:42:34 
O24 - ShlExecHook: [5] - {00060006-0006-0006-0006-00060006BB15} = C:/WINDOWS/system32/dispexcb.dll | 2001-7-9 7:42:40 
O24 - ShlExecHook: [5] - {00130013-0013-0013-0013-00130013BB15} = C:/WINDOWS/system32/ksuserfy.dll | 2001-7-9 7:42:47 
O24 - ShlExecHook: [5] - {00300030-0030-0030-0030-00300030BB15} = C:/WINDOWS/system32/imgutilhx2.dll | 2001-7-9 7:42:53 
O24 - ShlExecHook: [c] - {8942ff57-5cf4-4ef5-9ffa-1b6d48b4d3fc} = C:/WINDOWS/system32/MMWLANGH1006.dll | 2000-7-9 7:44:43 
O24 - ShlExecHook: [5] - {6351a63c-4042-433a-a64f-6974e875f835} = C:/WINDOWS/system32/MMWLVAHB1045.dll | 2000-7-9 7:44:50 
O24 - ShlExecHook: [4] - {9a5eed2d-0604-4b25-afc7-f1fd43093b14} = C:/WINDOWS/system32/MMHADPQG1102.dll | 2000-7-9 7:44:56 
O26 - IFEO: Client.exe -> C:/WINDOWS/system32/windg.exe
HKLM/SHOWALL    类型非dword
===/
 (未完待续)