
[Virus sample] qqhxwg.exe (updated in post #35)

sam.to
Posted on 2009-2-27 00:03:56
857bde13e8e673cd53ef26d3e1bce474  qqhxwg.exe+

to kl

Hello,

qqhxwg.exe_ - Trojan-Dropper.Win32.Agent.ahzq

New malicious software was found in this file. Its detection will be included in the next update. Thank you for your help.

Please quote all when answering.
-----------------
Regards, Davidow Dmitriy
Virus Analyst, Kaspersky Lab.
10/1, 1st Volokolamsky Proezd, Moscow, 123060, Russia
Tel./Fax: + 7 (495) 797 8700
http://www.kaspersky.com http://www.viruslist.com

[ Last edited by sam.to on 2009-3-18 00:25 ]

ledled
Posted on 2009-2-27 00:05:09
VirusBuster found nothing
saga3721
Posted on 2009-2-27 01:22:20
On execution, Avira (红伞) reports 'TR/Rootkit.Gen [trojan]'
leonfg
Posted on 2009-2-27 01:24:28
ESET does not detect it
红心王子
Posted on 2009-2-27 12:18:13
2009-2-27        12:18:35        1235708315        Administrator        2148        Sign of "Win32:Trojan-gen {Other}" has been found in "d:\我的文档\桌面\vv\qqhxwg.exe+\qqhxwg.exe\TaoTie.exe" file.  
2009-2-27        12:18:38        1235708318        Administrator        2148        Sign of "Win32:Agent-ADVJ [Rtk]" has been found in "d:\我的文档\桌面\vv\qqhxwg.exe+\567.exe\[Upack]\[Embedded_I#1584]" file.
328397663
Posted on 2009-2-27 12:22:44
2009-2-27 12:22:10        检测到威胁: Trojan-Dropper.Win32.Agent.ahzq        C:\Documents and Settings\Administrator\桌面\qqhxwg.part1\qqhxwg.exe+               
2009-2-27 12:22:21        已删除: Trojan-Dropper.Win32.Agent.ahzq        C:\Documents and Settings\Administrator\桌面\qqhxwg.part1\qqhxwg.exe+
wrq
Posted on 2009-2-27 13:07:59
2009-2-27 13:07:26        已删除: Trojan-Dropper.Win32.Agent.ahzq        C:\Documents and Settings\Administrator\桌面\qqhxwg\qqhxwg.exe+
mikzh
Posted on 2009-2-27 18:50:58
----------------------------------
Keys added:13
----------------------------------
HKLM\SOFTWARE\Microsoft\InjectData
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_SAFEMON1
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_SAFEMON1\0000
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_SAFEMON1\0000\Control
HKLM\SYSTEM\ControlSet001\Services\SafeMon1
HKLM\SYSTEM\ControlSet001\Services\SafeMon1\Security
HKLM\SYSTEM\ControlSet001\Services\SafeMon1\Enum
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SAFEMON1
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SAFEMON1\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SAFEMON1\0000\Control
HKLM\SYSTEM\CurrentControlSet\Services\SafeMon1
HKLM\SYSTEM\CurrentControlSet\Services\SafeMon1\Security
HKLM\SYSTEM\CurrentControlSet\Services\SafeMon1\Enum

----------------------------------
Values added:43
----------------------------------
HKLM\SOFTWARE\Microsoft\InjectData\0x7CE838DA: ...<omitted, too long for the post>
HKLM\SOFTWARE\Microsoft\InjectData\0x7249ADB0: ...<omitted, too long for the post>
HKLM\SOFTWARE\Microsoft\InjectData\0x5899CC7B: ...<omitted, too long for the post>
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_SAFEMON1\0000\Control\*NewlyCreated*: 0x00000000
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_SAFEMON1\0000\Control\ActiveService: "SafeMon1"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_SAFEMON1\0000\Service: "SafeMon1"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_SAFEMON1\0000\Legacy: 0x00000001
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_SAFEMON1\0000\ConfigFlags: 0x00000000
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_SAFEMON1\0000\Class: "LegacyDriver"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_SAFEMON1\0000\ClassGUID: "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_SAFEMON1\0000\DeviceDesc: "SafeMa0"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_SAFEMON1\NextInstance: 0x00000001
HKLM\SYSTEM\ControlSet001\Services\SafeMon1\Enum\0: "Root\LEGACY_SAFEMON1\0000"
HKLM\SYSTEM\ControlSet001\Services\SafeMon1\Enum\Count: 0x00000001
HKLM\SYSTEM\ControlSet001\Services\SafeMon1\Enum\NextInstance: 0x00000001
HKLM\SYSTEM\ControlSet001\Services\SafeMon1\Security\Security: 01 00 14 80 90 00 00 00 9C 00 00
00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00
01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00
00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02
00 01 01 00 00 00 00 00 05 0B 00 00 00 00 00 18 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00
00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00
HKLM\SYSTEM\ControlSet001\Services\SafeMon1\Type: 0x00000001
HKLM\SYSTEM\ControlSet001\Services\SafeMon1\Start: 0x00000001
HKLM\SYSTEM\ControlSet001\Services\SafeMon1\ErrorControl: 0x00000000
HKLM\SYSTEM\ControlSet001\Services\SafeMon1\ImagePath: "\??\C:\WINDOWS\system32\93D21B43.dat"
HKLM\SYSTEM\ControlSet001\Services\SafeMon1\DisplayName: "SafeMa0"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SAFEMON1\0000\Control\*NewlyCreated*: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SAFEMON1\0000\Control\ActiveService: "SafeMon1"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SAFEMON1\0000\Service: "SafeMon1"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SAFEMON1\0000\Legacy: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SAFEMON1\0000\ConfigFlags: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SAFEMON1\0000\Class: "LegacyDriver"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SAFEMON1\0000\ClassGUID: "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SAFEMON1\0000\DeviceDesc: "SafeMa0"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SAFEMON1\NextInstance: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\SafeMon1\Enum\0: "Root\LEGACY_SAFEMON1\0000"
HKLM\SYSTEM\CurrentControlSet\Services\SafeMon1\Enum\Count: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\SafeMon1\Enum\NextInstance: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\SafeMon1\Security\Security: 01 00 14 80 90 00 00 00 9C 00
00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00
00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00
00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01
02 00 01 01 00 00 00 00 00 05 0B 00 00 00 00 00 18 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00
00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00
HKLM\SYSTEM\CurrentControlSet\Services\SafeMon1\Type: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\SafeMon1\Start: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\SafeMon1\ErrorControl: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Services\SafeMon1\ImagePath: "\??\C:\WINDOWS\system32\93D21B43.dat"
HKLM\SYSTEM\CurrentControlSet\Services\SafeMon1\DisplayName: "SafeMa0"
HKU\S-1-5-21-515967899-1214440339-839522115-500\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\Nqzvavfgengbe\桌面\funer\ddukjt.rkr: 00 00 00 00 06 00 00 00 D0 33 70 EB C8 98 C9 01
HKU\S-1-5-21-515967899-1214440339-839522115-500\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Documents and Settings\Administrator\桌面\share\qqhxwg.exe: "qqhxwg"
HKU\S-1-5-21-515967899-1214440339-839522115-500\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\qqhxwg.exe: "qqhxwg"
HKU\S-1-5-21-515967899-1214440339-839522115-500\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\567.exe: "567"

----------------------------------
Values modified:3
----------------------------------
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed: 69 DF 98 B6 32 EB 32 B3 31 0A EB 78 43 6A EB C1 D0
B5 6A 5D C5 E6 1F 00 CD 7D 9B 6A 62 C5 C9 13 33 5E 51 D0 4E 81 14 DE 26 2C 92 4D B4 92 57 7F 7E
D4 9B 53 AB 84 55 09 0B F5 03 49 FE 85 B0 B7 4F 02 F3 02 73 40 DF 10 63 BD 4B 4E A7 57 3C 19
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed: 95 8C F7 F4 29 70 A2 0C AF AB AD 16 6E 83 1A 1E D1
07 74 3E 63 1A 89 33 37 3E C3 72 B4 4E 9A D8 22 E2 10 C2 A1 A4 07 B1 BE F6 3B 3C 88 91 DD E2 91
64 EB 12 E8 58 C8 F1 01 22 A5 1A D8 74 F8 51 F7 34 15 26 54 C3 93 4F F4 32 CF F4 A5 3E F4 D7
HKU\S-1-5-21-515967899-1214440339-839522115-500\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU: 00 00 00 00 19 00 00 00 00 1E 73 DD C8 98 C9 01
HKU\S-1-5-21-515967899-1214440339-839522115-500\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU: 00 00 00 00 1A 00 00 00 D0 33 70 EB C8 98 C9 01
HKU\S-1-5-21-515967899-1214440339-839522115-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings: 3C 00 00 00 04 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 F0 BB 46 B5 F5 55 C9 01 01 00 00 00 02 02 02 0A 00 00 00 00 00 00 00 00
HKU\S-1-5-21-515967899-1214440339-839522115-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings: 3C 00 00 00 05 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 F0 BB 46 B5 F5 55 C9 01 01 00 00 00 02 02 02 0A 00 00 00 00 00 00 00 00
----------------------------------
Files added:6
----------------------------------
C:\Documents and Settings\Administrator\Local Settings\Temp\adv_api.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\b.bat
C:\WINDOWS\Prefetch\567.EXE-23C497D6.pf
C:\WINDOWS\Prefetch\QQHXWG.EXE-00C3BA9F.pf
C:\WINDOWS\Prefetch\QQHXWG.EXE-22E71AB9.pf
C:\WINDOWS\system32\93D21B43.dat

----------------------------------
Files[attr]modified:9
----------------------------------
C:\Documents and Settings\Administrator\Cookies\index.dat
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
C:\Documents and Settings\Administrator\NTUSER.DAT
C:\Documents and Settings\Administrator\ntuser.dat.LOG
C:\WINDOWS\Prefetch\CMD.EXE-087B4001.pf
C:\WINDOWS\Prefetch\CONIME.EXE-13EEEA1A.pf
C:\WINDOWS\system32\config\software.LOG
C:\WINDOWS\system32\config\system.LOG
----------------------------------
Folders added:1
----------------------------------
C:\Documents and Settings\Administrator\Local Settings\Temp\RarSFX0
----------------------------------
Total changes:75
----------------------------------
mikzh
Posted on 2009-2-27 18:51:44
...<omitted, too long for the post>
This is the hex dump of the exe file.
Palkia
Posted on 2009-2-27 18:53:51
to rs