病毒名称:NhYPcmW.com
发作时会自动在用户temp文件夹下面创建NhYPcmW.com和VTuWsFT.vbs文件,然后自动运行NhYPcmW.com
连接到www.s233.com这个网址去下载木马文件,已经是今天最新的病毒库了,求助解决方法!
SRE报告如下:
- 2007-06-02,12:20:15
- System Repair Engineer 2.4.12.806
- Smallfrogs (http://www.KZTechs.com)
- Windows 2000 Professional Service Pack 4 (Build 2195) - 管理权限用户 - 完整功能
- 以下内容被选中:
- 所有的启动项目(包括注册表、启动文件夹、服务等)
- 浏览器加载项
- 正在运行的进程(包括进程模块信息)
- 文件关联
- Winsock 提供者
- Autorun.inf
- HOSTS 文件
- 启动项目
- 注册表
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
- <Internat.exe><internat.exe> [(Verified)Microsoft Windows 2000 Publisher]
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
- <Synchronization Manager><mobsync.exe /logon> [(Verified)Microsoft Windows 2000 Publisher]
- <NvCplDaemon><RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup> [(Verified)Microsoft Windows Hardware Compatibility Publisher]
- <nwiz><nwiz.exe /install> [NVIDIA Corporation]
- <NvMediaCenter><RUNDLL32.EXE C:\WINNT\System32\NvMcTray.dll,NvTaskbarInit> [(Verified)Microsoft Windows Hardware Compatibility Publisher]
- <SoundMan><SOUNDMAN.EXE> [(Verified)Microsoft Windows Hardware Compatibility Publisher]
- <AVP><"C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"> [Kaspersky Lab]
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
- <shell><Explorer.exe> [(Verified)Microsoft Windows 2000 Publisher]
- <Userinit><C:\WINNT\system32\userinit.exe,> [(Verified)Microsoft Windows 2000 Publisher]
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\klogon]
- <WinlogonNotify: klogon><C:\WINNT\System32\klogon.dll> [Kaspersky Lab]
- [HKEY_CURRENT_USER\Control Panel\Desktop]
- <SCRNSAVE.EXE><(无)> [N/A]
- ==================================
- 启动文件夹
- [Microsoft Office]
- <C:\Documents and Settings\xxzx1\「开始」菜单\程序\启动\Microsoft Office.lnk --> C:\PROGRA~1\MICROS~2\Office\OSA9.EXE [Microsoft Corporation]><N>
- ==================================
- 服务
- [卡巴斯基反病毒6.0 / AVP][Running/Auto Start]
- <C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe -r><Kaspersky Lab>
- [Microsoft Update Service / BARCASE][Stopped/Auto Start]
- <><N/A>
- [Logical Disk Manager Administrative Service / dmadmin][Stopped/Manual Start]
- <C:\WINNT\System32\dmadmin.exe /com><VERITAS Software Corp.>
- [NVIDIA Display Driver Service / NVSvc][Running/Auto Start]
- <C:\WINNT\System32\nvsvc32.exe><NVIDIA Corporation>
- [Portable Media Serial Number Service / WmdmPmSN][Stopped/Manual Start]
- <C:\WINNT\System32\svchost.exe -k netsvcs-->C:\WINNT\System32\mspmsnsv.dll><Microsoft Corporation>
- ==================================
- 驱动程序
- [Service for WDM 3D Audio Driver / ALCXSENS][Running/Manual Start]
- <system32\drivers\ALCXSENS.SYS><Sensaura Ltd>
- [Service for Realtek AC97 Audio (WDM) / ALCXWDM][Running/Manual Start]
- <system32\drivers\ALCXWDM.SYS><Realtek Semiconductor Corp.>
- [dmboot / dmboot][Stopped/Disabled]
- <System32\drivers\dmboot.sys><VERITAS Software Corp.>
- [Logical Disk Manager Driver / dmio][Running/Boot Start]
- <\SystemRoot\System32\drivers\dmio.sys><VERITAS Software Corp.>
- [dmload / dmload][Running/Boot Start]
- <\SystemRoot\System32\drivers\dmload.sys><VERITAS Software Corp.>
- [kl1 / kl1][Running/Boot Start]
- <\SystemRoot\System32\drivers\kl1.sys><Kaspersky Lab>
- [klif / klif][Running/System Start]
- <\??\C:\WINNT\System32\drivers\klif.sys><Kaspersky Lab>
- [npkcrypt / npkcrypt][Running/Auto Start]
- <\??\C:\Program Files\Tencent\qq\npkcrypt.sys><INCA Internet Co., Ltd.>
- [nv / nv][Running/Manual Start]
- <System32\DRIVERS\nv4_mini.sys><NVIDIA Corporation>
- [Direct Parallel Link Driver / Ptilink][Running/Manual Start]
- <System32\DRIVERS\ptilink.sys><Parallel Technologies, Inc.>
- [Realtek RTL8139-based PCI Fast Ethernet Adapter NT Driver / rtl8139][Running/Manual Start]
- <System32\DRIVERS\RTL8139.SYS><Realtek Semiconductor Corporation>
- [sptd / sptd][Running/Boot Start]
- <\SystemRoot\System32\Drivers\sptd.sys><N/A>
- [4954531 / 4954531][Running/Manual Start]
- <2 - 系统找不到指定的文件。
- ><N/A>
- ==================================
- 浏览器加载项
- [ThunderAtOnce Class]
- {01443AEC-0FD1-40fd-9C87-E93D1494C233} <C:\Program Files\Thunder Network\Thunder\ComDlls\TDAtOnce_Now.dll, Thunder Networking Technologies,LTD>
- [Thunder Browser Helper]
- {889D2FEB-5411-4565-8998-1DD2C5261283} <C:\Program Files\Thunder Network\Thunder\ComDlls\xunleiBHO_Now.dll, Thunder Networking Technologies,LTD>
- [启动迅雷5]
- {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} <C:\Program Files\Thunder Network\Thunder\Thunder.exe, Thunder Networking Technologies,LTD>
- [Web反病]
- {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} <C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll, Kaspersky Lab>
- [@shdoclc.dll,-866]
- {c95fe080-8f5d-11d2-a20b-00aa003c157a} <, N/A>
- [@msdxmLC.dll,-1@2052,电台(&R)]
- {8E718888-423F-11D2-876E-00A0C9082467} <C:\WINNT\System32\msdxm.ocx, Microsoft Corporation>
- [Windows Genuine Advantage Validation Tool]
- {17492023-C23A-453E-A040-C7C580BBF700} <C:\WINNT\System32\LegitCheckControl.DLL, Microsoft Corporation>
- [Thunder Agent Class]
- {485463B7-8FB2-4B3B-B29B-8B919B0EACCE} <C:\Program Files\Thunder Network\Thunder\ComDlls\ThunderAgent_Now.dll, Thunder Networking Technologies,LTD>
- [上传到QQ网络硬盘]
- <C:\Program Files\Tencent\qq\AddToNetDisk.htm, N/A>
- [使用迅雷下载]
- <C:\Program Files\Thunder Network\Thunder\Program\GetUrl.htm, N/A>
- [使用迅雷下载全部链接]
- <C:\Program Files\Thunder Network\Thunder\Program\GetAllUrl.htm, N/A>
- [添加到QQ自定义面板]
- <C:\Program Files\Tencent\qq\AddPanel.htm, N/A>
- [添加到QQ表情]
- <C:\Program Files\Tencent\qq\AddEmotion.htm, N/A>
- [用QQ彩信发送该图片]
- <C:\Program Files\Tencent\qq\SendMMS.htm, N/A>
- ==================================
- 正在运行的进程
- [PID: 232][\SystemRoot\System32\smss.exe] [Microsoft Corporation, 5.00.2195.6601]
- [PID: 256][\??\C:\WINNT\system32\csrss.exe] [Microsoft Corporation, 5.00.2195.6601]
- [PID: 252][\??\C:\WINNT\system32\winlogon.exe] [Microsoft Corporation, 5.00.2195.6714]
- [C:\WINNT\system32\wdmaud.drv] [Microsoft Corporation, 5.00.2195.6673]
- [C:\WINNT\System32\klogon.dll] [Kaspersky Lab, 6.0.1.411]
- [C:\WINNT\system32\msacm32.drv] [Microsoft Corporation, 5.00.2134.1]
- [PID: 304][C:\WINNT\system32\services.exe] [Microsoft Corporation, 5.00.2195.6700]
- [C:\WINNT\system32\dmserver.dll] [VERITAS Software Corp., 2195.6605.297.3]
- [PID: 1080][C:\WINNT\Explorer.EXE] [Microsoft Corporation, 5.00.3700.6690]
- [C:\WINNT\AppPatch\AcLayers.DLL] [Microsoft Corporation, 5.00.2195.6717]
- [C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scrchpg.dll] [Kaspersky Lab, 1.0.6.411]
- [C:\WINNT\system32\MSVCP60.dll] [Microsoft Corporation, 6.00.8168.0]
- [C:\WINNT\system32\wdmaud.drv] [Microsoft Corporation, 5.00.2195.6673]
- [C:\WINNT\system32\msacm32.drv] [Microsoft Corporation, 5.00.2134.1]
- [C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\klscav.dll] [Kaspersky Lab, 6.0.1.411]
- [C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\prremote.dll] [Kaspersky Lab, 6.0.1.411]
- [C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\prloader.dll] [Kaspersky Lab, 6.0.1.411]
- [C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\prkernel.ppl] [Kaspersky Lab, 6.0.1.411]
- [c:\program files\kaspersky lab\kaspersky anti-virus 6.0\params.ppl] [Kaspersky Lab, 6.0.1.411]
- [c:\program files\kaspersky lab\kaspersky anti-virus 6.0\pxstub.ppl] [Kaspersky Lab, 6.0.1.411]
- [c:\program files\kaspersky lab\kaspersky anti-virus 6.0\tempfile.ppl] [Kaspersky Lab, 6.0.1.411]
- [C:\WINNT\system32\msadp32.acm] [Microsoft Corporation, 5.00.2134.1]
- [C:\Program Files\Thunder Network\Thunder\ComDlls\xunleiBHO_Now.dll] [Thunder Networking Technologies,LTD, 5, 0, 1, 4]
- [C:\Program Files\Thunder Network\Thunder\Components\ResWorker\DsBho_00.dll] [, 1, 0, 0, 2]
- [C:\Program Files\Thunder Network\Thunder\Components\ResWorker\DataProcessor_00.dll] [Thunder Networking Technologies,LTD, 1, 0, 0, 4]
- [C:\Program Files\WinRAR\rarext.dll] [N/A, ]
- [C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\ShellEx.dll] [Kaspersky Lab, 6.0.1.411]
- [PID: 1236][C:\WINNT\system32\RUNDLL32.EXE] [Microsoft Corporation, 5.00.2134.1]
- [C:\WINNT\System32\NvMcTray.dll] [NVIDIA Corporation, 6.14.10.5664]
- [PID: 1244][C:\WINNT\SOUNDMAN.EXE] [Realtek Semiconductor Corp., 5.1.0.24]
- [PID: 1264][C:\WINNT\system32\internat.exe] [Microsoft Corporation, 5.00.2920.0000]
- [PID: 1440][C:\WINNT\system32\conime.exe] [Microsoft Corporation, 5.00.2195.6655]
- [PID: 1008][C:\WINNT\system32\taskmgr.exe] [Microsoft Corporation, 5.00.2195.6620]
- [PID: 1408][C:\Program Files\Maxthon\Maxthon.exe] [Maxthon International Ltd., 1, 5, 9, 30]
- [C:\Program Files\Maxthon\maxzlib.dll] [ , 1, 0, 0, 2]
- [C:\Program Files\Maxthon\Plugin\FloatBar\FloatBar.dll] [, 1, 8, 0, 0]
- [C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scrchpg.dll] [Kaspersky Lab, 1.0.6.411]
- [C:\WINNT\system32\MSVCP60.dll] [Microsoft Corporation, 6.00.8168.0]
- [C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\klscav.dll] [Kaspersky Lab, 6.0.1.411]
- [C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\prremote.dll] [Kaspersky Lab, 6.0.1.411]
- [C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\prloader.dll] [Kaspersky Lab, 6.0.1.411]
- [C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\prkernel.ppl] [Kaspersky Lab, 6.0.1.411]
- [c:\program files\kaspersky lab\kaspersky anti-virus 6.0\params.ppl] [Kaspersky Lab, 6.0.1.411]
- [c:\program files\kaspersky lab\kaspersky anti-virus 6.0\pxstub.ppl] [Kaspersky Lab, 6.0.1.411]
- [c:\program files\kaspersky lab\kaspersky anti-virus 6.0\tempfile.ppl] [Kaspersky Lab, 6.0.1.411]
- [C:\Program Files\Maxthon\Services\RealTime\real_time.dll] [, 1, 0, 0, 1]
- [C:\WINNT\system32\wdmaud.drv] [Microsoft Corporation, 5.00.2195.6673]
- [c:\program files\kaspersky lab\kaspersky anti-virus 6.0\nfio.ppl] [Kaspersky Lab, 6.0.1.411]
- [C:\WINNT\system32\msacm32.drv] [Microsoft Corporation, 5.00.2134.1]
- [c:\program files\kaspersky lab\kaspersky anti-virus 6.0\fsdrvplgn.ppl] [Kaspersky Lab, 6.0.1.411]
- [C:\WINNT\system32\msadp32.acm] [Microsoft Corporation, 5.00.2134.1]
- [c:\program files\kaspersky lab\kaspersky anti-virus 6.0\basegui.ppl] [Crsky, 6.0.1]
- [c:\program files\kaspersky lab\kaspersky anti-virus 6.0\winreg.ppl] [Kaspersky Lab, 6.0.1.411]
- [C:\WINNT\System32\msxml3.dll] [Microsoft Corporation, 8.30.9926.0]
- [C:\WINNT\system32\PINTLGNT.IME] [Microsoft Corporation, 4.2.32]
- [C:\WINNT\system32\MSDART.DLL] [Microsoft Corporation, 2.71.9030.0 built by: Lab06_N(dagbuild)]
- [C:\WINNT\system32\msratelc.dll] [Microsoft Corporation, 6.00.2800.1106]
- [PID: 980][C:\Program Files\Thunder Network\Thunder\Program\Thunder5.exe] [Thunder Networking Technologies,LTD, 5, 6, 2, 300]
- [C:\WINNT\system32\MSVCP60.dll] [Microsoft Corporation, 6.00.8168.0]
- [C:\Program Files\Thunder Network\Thunder\Program\TaskManager.dll] [Thunder Networking Technologies,LTD, 1, 1, 0, 21]
- [C:\Program Files\Thunder Network\Thunder\Program\download_interface.dll] [Thunder Networking Technologies,LTD, 2, 15, 2, 85]
- [C:\Program Files\Thunder Network\Thunder\Program\stlport_vc646.dll] [STLport Consulting, Inc., 4.6.2003.1031]
- [C:\Program Files\Thunder Network\Thunder\Program\asyn_dns.dll] [Thunder Networking Technologies,LTD, 2, 15, 2, 85]
- [C:\Program Files\Thunder Network\Thunder\Program\BHOStub.dll] [Thunder Networking Technologies,LTD, 1, 1, 0, 8]
- [C:\Program Files\Thunder Network\Thunder\Components\DownAndPlay\DownAndPlay.dll] [, 1, 0, 0, 3]
- [C:\Program Files\Thunder Network\Thunder\Program\iTargetAD.dll] [Thunder Networking Technologies,LTD, 1, 0, 2, 26]
- [C:\WINNT\System32\Macromed\Flash\Flash9c.ocx] [Adobe Systems, Inc., 9,0,45,0]
- [C:\WINNT\system32\wdmaud.drv] [Microsoft Corporation, 5.00.2195.6673]
- [C:\WINNT\system32\msacm32.drv] [Microsoft Corporation, 5.00.2134.1]
- [C:\Program Files\Thunder Network\Thunder\Components\InMedia\iEmbedShell.dll] [ , 1, 0, 0, 17]
- [C:\Program Files\Thunder Network\Thunder\Components\Community\XLCommunity.dll] [Thunder Networking Technologies,LTD, 1, 0, 8, 30]
- [C:\Program Files\Thunder Network\Thunder\Components\Security\ThunderSafe.dll] [深圳市迅雷网络技术有限公司, 1.0.0.10]
- [C:\Program Files\Thunder Network\Thunder\Components\Search\XLSearch.dll] [Thunder Networking Technologies,LTD, 1, 1, 2, 12]
- [C:\Program Files\Thunder Network\Thunder\Components\P4PClient\P4PClient.dll] [Thunder Networking Technologies,LTD, 2, 2, 1, 46]
- [C:\Program Files\Thunder Network\Thunder\Program\LiveUpdate.dll] [Thunder Networking Technologies,LTD, 1, 2, 1, 20]
- [C:\Program Files\Thunder Network\Thunder\Components\ExplorerHelper\ExplorerHelper.dll] [Thunder Networking Technologies,LTD, 1, 0, 4, 15]
- [C:\Program Files\Thunder Network\Thunder\Components\Tips\TipsClient.dll] [Thunder Networking Technologies,LTD, 2, 1, 3, 58]
- [C:\Program Files\Thunder Network\Thunder\Components\VPSHELL\VPSHELL.dll] [XunLei, 1, 2, 0, 10]
- [C:\Program Files\Thunder Network\Thunder\Components\UserExperience\UserExperience.dll] [Thunder Networking Technologies,LTD, 1, 0, 0, 1]
- [C:\Program Files\Thunder Network\Thunder\Components\ResWorker\DsXlCom.dll] [, 1, 0, 0, 9]
- [C:\Program Files\Thunder Network\Thunder\Components\InMedia\iEmbed09.dll] [ , 3, 3, 0, 80]
- [C:\Program Files\Thunder Network\Thunder\Program\RegisterDll.dll] [Thunder Networking Technologies,LTD, 2, 13, 2, 61]
- [C:\Program Files\Thunder Network\Thunder\Program\XLNet.Dll] [Thunder Networking Technologies,LTD, 1, 2, 0, 8]
- [C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scrchpg.dll] [Kaspersky Lab, 1.0.6.411]
- [C:\Program Files\Thunder Network\Thunder\Plugins\BhoAdv\bho_adv.dll] [深圳市迅雷网络技术有限公司, 1.0.1.0]
- [C:\Program Files\Thunder Network\Thunder\Components\VPSHELL\VideoPicture.dll] [XunLei, 1, 2, 0, 11]
- [C:\Program Files\Thunder Network\Thunder\Components\ResWorker\DataProcessor_00.dll] [Thunder Networking Technologies,LTD, 1, 0, 0, 4]
- [C:\Program Files\Thunder Network\Thunder\Components\ResWorker\MediaWorker.dll] [Thunder Networking Technologies,LTD, 1, 2, 0, 8]
- [C:\WINNT\system32\WMVCore.DLL] [Microsoft Corporation, 9.00.00.2980 built by: lab03_dev(bld4act)]
- [C:\WINNT\system32\WMASF.DLL] [Microsoft Corporation, 9.00.00.2980 built by: lab03_dev(bld4act)]
- [C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\klscav.dll] [Kaspersky Lab, 6.0.1.411]
- [C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\prremote.dll] [Kaspersky Lab, 6.0.1.411]
- [C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\prloader.dll] [Kaspersky Lab, 6.0.1.411]
- [C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\prkernel.ppl] [Kaspersky Lab, 6.0.1.411]
- [c:\program files\kaspersky lab\kaspersky anti-virus 6.0\params.ppl] [Kaspersky Lab, 6.0.1.411]
- [c:\program files\kaspersky lab\kaspersky anti-virus 6.0\pxstub.ppl] [Kaspersky Lab, 6.0.1.411]
- [c:\program files\kaspersky lab\kaspersky anti-virus 6.0\tempfile.ppl] [Kaspersky Lab, 6.0.1.411]
- [C:\WINNT\system32\MSDART.DLL] [Microsoft Corporation, 2.71.9030.0 built by: Lab06_N(dagbuild)]
- [C:\WINNT\System32\msxml3.dll] [Microsoft Corporation, 8.30.9926.0]
- [C:\Program Files\Thunder Network\Thunder\Program\FloatBar.dll] [Giganology Inc., 1, 0, 0, 2]
- [C:\WINNT\system32\msadp32.acm] [Microsoft Corporation, 5.00.2134.1]
- [PID: 1656][F:\卡巴斯基\sreng2\SREng.EXE] [Smallfrogs Studio, 2.4.12.806]
- ==================================
- 文件关联
- .TXT Error. [C:\WINNT\notepad.exe %1]
- .EXE OK. ["%1" %*]
- .COM OK. ["%1" %*]
- .PIF OK. ["%1" %*]
- .REG OK. [regedit.exe "%1"]
- .BAT OK. ["%1" %*]
- .SCR OK. ["%1" /S]
- .CHM Error. ["hh.exe" %1]
- .HLP OK. [%SystemRoot%\System32\winhlp32.exe %1]
- .INI Error. [C:\WINNT\System32\NOTEPAD.EXE %1]
- .INF OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
- .VBS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
- .JS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
- .LNK OK. [{00021401-0000-0000-C000-000000000046}]
- ==================================
- Winsock 提供者
- N/A
- ==================================
- Autorun.inf
- N/A
- ==================================
- HOSTS 文件
- N/A
- ==================================
- API HOOK
- RVA 错误: LoadLibraryA (危险等级: 一般, 被下面模块所HOOK: Dest Addr: 0xBE8B7B25)
- RVA 错误: LoadLibraryExA (危险等级: 一般, 被下面模块所HOOK: Dest Addr: 0xBE8B7D67)
- RVA 错误: LoadLibraryExW (危险等级: 一般, 被下面模块所HOOK: Dest Addr: 0xBE8B7F0B)
- RVA 错误: LoadLibraryW (危险等级: 一般, 被下面模块所HOOK: Dest Addr: 0xBE8B7C49)
- RVA 错误: GetProcAddress (危险等级: 高, 被下面模块所HOOK: Dest Addr: 0xBE8B7E8F)
- ==================================
- 隐藏进程
- N/A
- ==================================
复制代码
[ 本帖最后由 fghj720 于 2007-6-2 12:26 编辑 ] |