浏览某色情网站中机器狗的样本

xf2004

朋友的机器!说浏览某色情网站后(具体哪个他也不知道,因为浏览太多了)机器暴慢,kav7不能打开,只要打开任何有"杀毒","病毒"关键字的网页全部会被关闭!

说说附件压缩包中的东西:

  \du!!\temp.rar  这是病毒在用户临时目录生成的文件
  \du!!\003C1E90.rar  这是病毒在C盘系统根目录生成的文件
  \du!!\003C1E90\windows\system32 这是病毒在系统目录生成的文件

中毒后表现为:
1. 系统超卡, Explorer.exe CPU占用100%
2. 系统时间被改成2001-8-8 而且时间无法改回来,改正确后会自动恢复成2001年
3. 在用户注册表\Run 下有bndfxdh 启动项,启动目标为C:\windows\system32\bndfxdh.exe 这个启动项无法删除,删除会自己恢复!     


因为论坛附件限制,请到下面地址提取样本!压缩包解压缩密码:123456
http://tongice.ys168.com/

[ 本帖最后由 xf2004 于 2008-8-2 22:49 编辑 ]

woai_jolin

Scan Log
Version of virus signature database: 3318 (20080801)
Date: 2008-8-2  Time: 13:05:25
Scanned disks, folders and files: G:\v\temp
G:\v\temp\Temp\11.tmp - is OK
G:\v\temp\Temp\11.tmp.bat - is OK
G:\v\temp\Temp\12.tmp - is OK
G:\v\temp\Temp\12.tmp.bat - is OK
G:\v\temp\Temp\13.tmp - is OK
G:\v\temp\Temp\13.tmp.bat - is OK
G:\v\temp\Temp\14.tmp - is OK
G:\v\temp\Temp\14.tmp.bat - is OK
G:\v\temp\Temp\15.tmp - is OK
G:\v\temp\Temp\15.tmp.bat - is OK
G:\v\temp\Temp\16.tmp - is OK
G:\v\temp\Temp\16.tmp.bat - is OK
G:\v\temp\Temp\17.tmp - is OK
G:\v\temp\Temp\17.tmp.bat - is OK
G:\v\temp\Temp\18.tmp - is OK
G:\v\temp\Temp\18.tmp.bat - is OK
G:\v\temp\Temp\1D.tmp - is OK
G:\v\temp\Temp\1D.tmp.bat - is OK
G:\v\temp\Temp\6.tmp - is OK
G:\v\temp\Temp\Install.exe - is OK
G:\v\temp\Temp\qdtF.tmp - is OK
G:\v\temp\Temp\SETUP.EXE - is OK
G:\v\temp\Temp\tem2.tmp - is OK
G:\v\temp\Temp\tmp1C.tmp - a variant of Win32/PSW.OnLineGames.MUG trojan - cleaned by deleting - quarantined [1]
Number of scanned objects: 24
Number of threats found: 1
Number of cleaned objects: 1
Time of completion: 13:05:25  Total scanning time: 0 sec (00:00:00)

Notes:
[1] Object has been deleted as it only contained the virus body.

woai_jolin

Scan Log
Version of virus signature database: 3318 (20080801)
Date: 2008-8-2  Time: 13:05:50
Scanned disks, folders and files: G:\v\003C1E90
G:\v\003C1E90\emsf.bat - is OK
G:\v\003C1E90\PDOSERR.DAT - is OK
G:\v\003C1E90\003C151A\003C1DD4 » FSG v2.0 - is OK
G:\v\003C1E90\003C1E90\4540109 - Win32/PSW.QQPass.NDO trojan - cleaned by deleting - quarantined [1]
G:\v\003C1E90\Windows\system32\adsntzt.dll - a variant of Win32/PSW.Agent.NHQ trojan - cleaned by deleting - quarantined [1]
G:\v\003C1E90\Windows\system32\adsntzt.nls - is OK
G:\v\003C1E90\Windows\system32\aliens.dll - a variant of Win32/PSW.OnLineGames.NXN trojan - cleaned by deleting - quarantined [1]
G:\v\003C1E90\Windows\system32\baccops.dll - a variant of Win32/PSW.OnLineGames.NXN trojan - cleaned by deleting - quarantined [1]
G:\v\003C1E90\Windows\system32\bndfxdh.cfg - is OK
G:\v\003C1E90\Windows\system32\bndfxdh.dll - is OK
G:\v\003C1E90\Windows\system32\bndfxdh.exe - a variant of Win32/PSW.OnLineGames.MUG trojan - cleaned by deleting - quarantined [1]
G:\v\003C1E90\Windows\system32\businesn.dll - a variant of Win32/PSW.OnLineGames.NXL trojan - cleaned by deleting - quarantined [1]
G:\v\003C1E90\Windows\system32\ccohole.dll - Win32/PSW.OnLineGames.NXI trojan - cleaned by deleting - quarantined [1]
G:\v\003C1E90\Windows\system32\certmgrkd.dll - probably a variant of Win32/PSW.Agent.NHQ trojan - cleaned by deleting - quarantined [1]
G:\v\003C1E90\Windows\system32\certmgrkd.nls - is OK
G:\v\003C1E90\Windows\system32\cliconfgzx.dll - probably a variant of Win32/PSW.Agent.NHQ trojan - cleaned by deleting - quarantined [1]
G:\v\003C1E90\Windows\system32\cliconfgzx.nls - is OK
G:\v\003C1E90\Windows\system32\cmopes.dll - Win32/PSW.OnLineGames.NXN trojan - cleaned by deleting - quarantined [1]
G:\v\003C1E90\Windows\system32\ddserh.dll - a variant of Win32/PSW.OnLineGames.NOA trojan - cleaned by deleting - quarantined [1]
G:\v\003C1E90\Windows\system32\dearnts.dll - probably a variant of Win32/PSW.OnLineGames.NXI trojan - cleaned by deleting - quarantined [1]
G:\v\003C1E90\Windows\system32\esceps.dll - probably a variant of Win32/PSW.OnLineGames.NXN trojan - cleaned by deleting - quarantined [1]
G:\v\003C1E90\Windows\system32\ghjsw.dll - is OK
G:\v\003C1E90\Windows\system32\hourpx2.dll - Win32/PSW.OnLineGames.NXI trojan - cleaned by deleting - quarantined [1]
G:\v\003C1E90\Windows\system32\joause.dll - Win32/PSW.OnLineGames.NXL trojan - cleaned by deleting - quarantined [1]
G:\v\003C1E90\Windows\system32\jolinos.dll - a variant of Win32/PSW.OnLineGames.NXI trojan - cleaned by deleting - quarantined [1]
G:\v\003C1E90\Windows\system32\ksuserfy.dll - a variant of Win32/PSW.Agent.NHQ trojan - cleaned by deleting - quarantined [1]
G:\v\003C1E90\Windows\system32\ksuserfy.nls - is OK
G:\v\003C1E90\Windows\system32\lweurqhx.dll - a variant of Win32/PSW.Agent.NHQ trojan - cleaned by deleting - quarantined [1]
G:\v\003C1E90\Windows\system32\lweurqhx.nls - is OK
G:\v\003C1E90\Windows\system32\manleu.dll - is OK
G:\v\003C1E90\Windows\system32\mttwfh.dll - Win32/PSW.OnLineGames.NOA trojan - cleaned by deleting - quarantined [1]
G:\v\003C1E90\Windows\system32\olecli32pt.dll - Win32/PSW.Agent.NHQ trojan - cleaned by deleting - quarantined [1]
G:\v\003C1E90\Windows\system32\olecli32pt.nls - is OK
G:\v\003C1E90\Windows\system32\sgdewg.dll - a variant of Win32/PSW.OnLineGames.NOA trojan - cleaned by deleting - quarantined [1]
G:\v\003C1E90\Windows\system32\slbiopfs2.dll - a variant of Win32/PSW.Agent.NHQ trojan - cleaned by deleting - quarantined [1]
G:\v\003C1E90\Windows\system32\slbiopfs2.nls - is OK
G:\v\003C1E90\Windows\system32\sys07002.sys - is OK
G:\v\003C1E90\Windows\system32\tdggrz.dll - Win32/PSW.OnLineGames.NOA trojan - cleaned by deleting - quarantined [1]
G:\v\003C1E90\Windows\system32\therbrek.dll - a variant of Win32/PSW.OnLineGames.NXR trojan - cleaned by deleting - quarantined [1]
G:\v\003C1E90\Windows\system32\tiplict.dll - probably a variant of Win32/PSW.OnLineGames.NXL trojan - cleaned by deleting - quarantined [1]
G:\v\003C1E90\Windows\system32\tscfgwmijxsj.dll - a variant of Win32/PSW.Agent.NHQ trojan - cleaned by deleting - quarantined [1]
G:\v\003C1E90\Windows\system32\tscfgwmijxsj.nls - is OK
G:\v\003C1E90\Windows\system32\usbmonjx2.dll - probably a variant of Win32/PSW.Agent.NHQ trojan - cleaned by deleting - quarantined [1]
G:\v\003C1E90\Windows\system32\usbmonjx2.nls - is OK
G:\v\003C1E90\Windows\system32\wcnonpe.dll - Win32/PSW.OnLineGames.NXI trojan - cleaned by deleting - quarantined [1]
G:\v\003C1E90\Windows\system32\wdhotem.dll - probably a variant of Win32/PSW.OnLineGames.NXI trojan - cleaned by deleting - quarantined [1]
G:\v\003C1E90\Windows\system32\wdhotemk.exe - a variant of Win32/PSW.OnLineGames.NXI trojan - cleaned by deleting - quarantined [1]
G:\v\003C1E90\Windows\system32\ytfa.dll - is OK
G:\v\003C1E90\Windows\system32\zlcdps.dll - a variant of Win32/PSW.OnLineGames.NXL trojan - cleaned by deleting - quarantined [1]
G:\v\003C1E90\Windows\system32\zxdtye.dll - is OK
G:\v\003C1E90\Windows\system32\zycdex.dll - Win32/PSW.OnLineGames.NOA trojan - cleaned by deleting - quarantined [1]
Number of scanned objects: 51
Number of threats found: 32
Number of cleaned objects: 32
Time of completion: 13:05:51  Total scanning time: 1 sec (00:00:01)

Notes:
[1] Object has been deleted as it only contained the virus body.

woai_jolin

2008-8-2 13:07:11        Kernel        File  'G:\v\003C1E90\003C1E90.rar' was sent to ESET for analysis.

电影结束了

为什么只能一个个包下。。。~

电影结束了

扫描系统区域...
扫描所选择的目录和文件...
对象: 003C1DD4
        路径: F:\du!!!.part2\003C151A
        Status: 已发现病毒
        病毒: Trojan-Downloader.Win32.Small.zie (KAV 引擎), Generic.Malware.dld!!.DC0A37C1 (BD 引擎)
对象: 4540109
        路径: F:\du!!!.part2\003C1E90
        Status: 已发现病毒
        病毒: Trojan-PSW.Win32.QQPass.cwe (KAV 引擎), Generic.PWStealer.F4A2B8F8 (BD 引擎)
对象: tmp1C.tmp
        路径: F:\du!!!.part2\Temp
        Status: 已发现病毒
        病毒: Trojan-GameThief.Win32.OnLineGames.sdaf (KAV 引擎), Trojan.PWS.Onlinegames.6 (BD 引擎)
对象: adsntzt.dll
        路径: F:\du!!!.part2\Windows\system32
        Status: 已发现病毒
        病毒: Trojan-GameThief.Win32.OnLineGames.smdc (KAV 引擎)
对象: aliens.dll
        路径: F:\du!!!.part2\Windows\system32
        Status: 已发现病毒
        病毒: Trojan-GameThief.Win32.OnLineGames.smll (KAV 引擎), Trojan.OnLineGames.SIJX (BD 引擎)
对象: baccops.dll
        路径: F:\du!!!.part2\Windows\system32
        Status: 已发现病毒
        病毒: Trojan.Win32.Agent.wrq (KAV 引擎), Trojan.OnLineGames.SIJX (BD 引擎)
对象: bndfxdh.dll
        路径: F:\du!!!.part2\Windows\system32
        Status: 已发现病毒
        病毒: Trojan-GameThief.Win32.OnLineGames.skqo (KAV 引擎), Trojan.PWS.OnlineGames.YYD (BD 引擎)
对象: bndfxdh.exe
        路径: F:\du!!!.part2\Windows\system32
        Status: 已发现病毒
        病毒: Trojan-GameThief.Win32.OnLineGames.sdaf (KAV 引擎), Trojan.PWS.Onlinegames.6 (BD 引擎)
对象: businesn.dll
        路径: F:\du!!!.part2\Windows\system32
        Status: 已发现病毒
        病毒: Trojan.Win32.Agent.von (KAV 引擎), Trojan.PWS.OnlineGames.ZKH (BD 引擎)
对象: ccohole.dll
        路径: F:\du!!!.part2\Windows\system32
        Status: 已发现病毒
        病毒: Trojan.Generic.368144 (BD 引擎)
对象: certmgrkd.dll
        路径: F:\du!!!.part2\Windows\system32
        Status: 已发现病毒
        病毒: Trojan-Downloader.Win32.Agent.ynl (KAV 引擎)
对象: cliconfgzx.dll
        路径: F:\du!!!.part2\Windows\system32
        Status: 已发现病毒
        病毒: Trojan-GameThief.Win32.OnLineGames.smdd (KAV 引擎)
对象: cmopes.dll
        路径: F:\du!!!.part2\Windows\system32
        Status: 已发现病毒
        病毒: Trojan-GameThief.Win32.OnLineGames.skho (KAV 引擎), Trojan.OnLineGames.SIJX (BD 引擎)
对象: ddserh.dll
        路径: F:\du!!!.part2\Windows\system32
        Status: 已发现病毒
        病毒: Trojan-GameThief.Win32.OnLineGames.smma (KAV 引擎), Trojan.Crypt.Delf.F (BD 引擎)
对象: dearnts.dll
        路径: F:\du!!!.part2\Windows\system32
        Status: 已发现病毒
        病毒: Trojan-GameThief.Win32.OnLineGames.slcp (KAV 引擎), Trojan.PWS.OnlineGames.ZKH (BD 引擎)
对象: esceps.dll
        路径: F:\du!!!.part2\Windows\system32
        Status: 已发现病毒
        病毒: Trojan-Spy.Win32.Agent.dhi (KAV 引擎), Trojan.PWS.OnlineGames.ZKH (BD 引擎)
对象: ghjsw.dll
        路径: F:\du!!!.part2\Windows\system32
        Status: 已发现病毒
        病毒: Trojan-GameThief.Win32.OnLineGames.sdgf (KAV 引擎), Trojan.PWS.OnLineGames.ZFJ (BD 引擎)
对象: hourpx2.dll
        路径: F:\du!!!.part2\Windows\system32
        Status: 已发现病毒
        病毒: Trojan-GameThief.Win32.OnLineGames.sjbb (KAV 引擎), Trojan.PWS.OnlineGames.ZKH (BD 引擎)
对象: joause.dll
        路径: F:\du!!!.part2\Windows\system32
        Status: 已发现病毒
        病毒: Trojan-GameThief.Win32.OnLineGames.sjgf (KAV 引擎), Trojan.PWS.OnlineGames.ZKH (BD 引擎)
对象: jolinos.dll
        路径: F:\du!!!.part2\Windows\system32
        Status: 已发现病毒
        病毒: Trojan-GameThief.Win32.OnLineGames.sncz (KAV 引擎), Trojan.PWS.OnlineGames.ZKH (BD 引擎)
对象: ksuserfy.dll
        路径: F:\du!!!.part2\Windows\system32
        Status: 已发现病毒
        病毒: Trojan-GameThief.Win32.OnLineGames.sedr (KAV 引擎)
对象: lweurqhx.dll
        路径: F:\du!!!.part2\Windows\system32
        Status: 已发现病毒
        病毒: Trojan-GameThief.Win32.OnLineGames.snbj (KAV 引擎)
对象: mttwfh.dll
        路径: F:\du!!!.part2\Windows\system32
        Status: 已发现病毒
        病毒: Trojan-GameThief.Win32.OnLineGames.sjyh (KAV 引擎), Trojan.Crypt.Delf.F (BD 引擎)
对象: olecli32pt.dll
        路径: F:\du!!!.part2\Windows\system32
        Status: 已发现病毒
        病毒: Trojan-GameThief.Win32.OnLineGames.sfpz (KAV 引擎)
对象: sgdewg.dll
        路径: F:\du!!!.part2\Windows\system32
        Status: 已发现病毒
        病毒: Trojan-GameThief.Win32.OnLineGames.sljc (KAV 引擎), Trojan.Crypt.Delf.F (BD 引擎)
对象: slbiopfs2.dll
        路径: F:\du!!!.part2\Windows\system32
        Status: 已发现病毒
        病毒: Trojan-GameThief.Win32.OnLineGames.smdf (KAV 引擎)
对象: tdggrz.dll
        路径: F:\du!!!.part2\Windows\system32
        Status: 已发现病毒
        病毒: Trojan-GameThief.Win32.OnLineGames.sjad (KAV 引擎), Trojan.Crypt.Delf.F (BD 引擎)
对象: therbrek.dll
        路径: F:\du!!!.part2\Windows\system32
        Status: 已发现病毒
        病毒: Trojan-GameThief.Win32.OnLineGames.slmk (KAV 引擎), Trojan.PWS.OnlineGames.ZKH (BD 引擎)
对象: tiplict.dll
        路径: F:\du!!!.part2\Windows\system32
        Status: 已发现病毒
        病毒: Trojan-GameThief.Win32.OnLineGames.slxj (KAV 引擎), Trojan.PWS.OnlineGames.ZKH (BD 引擎)
对象: tscfgwmijxsj.dll
        路径: F:\du!!!.part2\Windows\system32
        Status: 已发现病毒
        病毒: Trojan-GameThief.Win32.OnLineGames.smga (KAV 引擎)
对象: wcnonpe.dll
        路径: F:\du!!!.part2\Windows\system32
        Status: 已发现病毒
        病毒: Trojan.Win32.Agent.vro (KAV 引擎), Trojan.PWS.OnlineGames.ZKH (BD 引擎)
对象: wdhotem.dll
        路径: F:\du!!!.part2\Windows\system32
        Status: 已发现病毒
        病毒: Trojan-GameThief.Win32.OnLineGames.siyy (KAV 引擎), Trojan.PWS.OnlineGames.ZKH (BD 引擎)
对象: wdhotemk.exe
        路径: F:\du!!!.part2\Windows\system32
        Status: 已发现病毒
        病毒: Trojan-GameThief.Win32.OnLineGames.shhw (KAV 引擎), Trojan.PWS.OnlineGames.ZAY (BD 引擎)
对象: ytfa.dll
        路径: F:\du!!!.part2\Windows\system32
        Status: 已发现病毒
        病毒: Generic.Malware.Bdld!.B57AAA40 (BD 引擎)
对象: zlcdps.dll
        路径: F:\du!!!.part2\Windows\system32
        Status: 已发现病毒
        病毒: Trojan-GameThief.Win32.OnLineGames.sjtz (KAV 引擎), Trojan.PWS.OnlineGames.ZKH (BD 引擎)
对象: zxdtye.dll
        路径: F:\du!!!.part2\Windows\system32
        Status: 已发现病毒
        病毒: Trojan-GameThief.Win32.OnLineGames.sdgf (KAV 引擎), Trojan.PWS.OnLineGames.ZFJ (BD 引擎)
对象: zycdex.dll
        路径: F:\du!!!.part2\Windows\system32
        Status: 已发现病毒
        病毒: Trojan-GameThief.Win32.OnLineGames.sjyi (KAV 引擎), Trojan.Crypt.Delf.F (BD 引擎)
扫描完成: 2008-8-2 13:12
    已检查 75 个文件
    已发现 37 个染毒文件

xf2004

因为第一次上传winzheng的U盘附件上传失败,要求上传文件>2M
所以只能弄成1.9M一个!上密码是为了样本不被杀掉

[ 本帖最后由 xf2004 于 2008-8-2 13:19 编辑 ]

专家

---------------------------
Microsoft Internet Explorer
---------------------------
无此提取码文件！
---------------------------
确定   
---------------------------

xf2004

晕,我刚放提取码就过期了,我已更正
新的 575568534

Palkia

信息        2008-08-02  13:36:27        您此次查毒隔离了38个文件                       
信息        2008-08-02  13:36:27        您此次查毒共查出38个病毒以及危险代码                       
信息        2008-08-02  13:36:27        您此次查毒共查了内存模块0个，磁盘引导扇区0个，文件78个                       
信息        2008-08-02  13:36:27        金山毒霸主程序查毒过程结束，查毒方式：命令行查毒

[ 本帖最后由 tvuser2007 于 2008-8-2 13:37 编辑 ]