遭遇scvhost.exe,kcohj1ba.sys,4f4.exe,w509v.sys,8g4.dll,307b.dll等

遭遇scvhost.exe,kcohj1ba.sys,4f4.exe,w509v.sys,8g4.dll,307b.dll等

 

endurer 原创
2008-09-01 第1

 

今天开会时,需要播放课件,为此准备了两台本本,不料作为备用的那台本本,开机后就不定期的弹出消息框,提示加载307b.dll出错。明显是中标了。

 

这消息框势必会影响课件地播放,必须立即处理。

 

该本本装有Kingsoft Internet Security 2008,不过病毒库是8月17日的,暂时无法连网升级。

 

用金山清理专家扫描,没有发现可疑的东东。

 

后来发现该电脑中居然装有瑞星卡卡安全助手,不过是4.x的版本。用它检查开机启动项,马上发现了可疑的东东,用pe_xscan 扫描并分析如下:

/===
pe_xscan 08-08-01 by Purple Endurer
2008-9-1 13:40:48
Windows XP Service Pack 2(5.1.2600)
MSIE:7.0.5730.13
管理员用户组
正常模式

O2 - BHO BHO Class - {1307E689-5CA1-4a15-9583-F2350790290D} = C:/WINDOWS/system32/oqxovy.dll| 2008-8-17 6:41:44
O2 - BHO Invoke Class - {6B76DDAB-898D-4e5b-917C-2B697C2EA7A4} = C:/WINDOWS/system32/8g4.dll| 2008-8-15 23:28:49
O4 - HKLM/../Policies/Explorer/Run: [307b] rundll32  C:/WINDOWS/Downlo~1/307b.dll",Run
307ac.job
307b.job
307dc.job
307sc.job


O9 - IE工具栏扩展按钮HKLM:知识库 - {06926B30-424E-4f1c-8EE3-543CD96573DC} - hxxp://blank.la/?h
O9 - IE工具菜单扩展项HKLM: - {06926B30-424E-4f1c-8EE3-543CD96573DC} - hxxtp://blank.la/?h
O23 - 服务: 9bi9m8 (9bi9m8) -  System32/DRIVERS/9bi9m8.sys(引导)
O23 - 服务: ADProt (ADProt) - C:/WINDOWS/system32/drivers/ADProt.sys(系统)
O23 - 服务: kcohj1ba (kcohj1ba) -  system32/drivers/kcohj1ba.sys(引导)
O23 - 服务: oboqyy (Logical Disk Manager Amdinistrative oboqyy) - c:/root/yxyeaholes/scvhost.exe| 2008-7-11 3:14:2(自动)
O23 - 服务: OSEvent (OSEvent) - C:/WINDOWS/system32/s.exe| 2008-8-8 4:9:38(自动)
O23 - 服务: ThinkpadSer (ThinkpadSer) - C:/WINDOWS/system32/4f4.exe| 2008-8-14 11:39:15(自动)
O23 - 服务: w509v (w509v) -  system32/drivers/w509v.sys(引导)

===/

把这些东东都清理了,重启电脑,果然不再弹出那个消息框了。


文件说明符 : C:/root/yxyeaholes/scvhost.exe
属性 : A---
数字签名:否
PE文件:是
语言 : 中文(中国)
文件版本 : 1.0.0.0
产品版本 : 1.0.0.0
创建时间 : 2008-7-11 11:14:2
修改时间 : 2008-7-11 11:14:2
大小 : 478720 字节 467.512 KB
MD5 : 84e9c475ffe13cb7c8fd60f5b2995f00
SHA1: BAD9CFAE6813748DF9EB9BC0AD6C5728A267D2B2
CRC32: cdee47b1

 

文件 scvhost.exe 接收于 2008.09.01 15:25:39 (CET)
反病毒引擎 版本 最后更新 扫描结果
AhnLab-V3 2008.8.29.0 2008.09.01 Win-Trojan/Xema.variant
AntiVir 7.8.1.23 2008.09.01 TR/Spy.Gen
Authentium 5.1.0.4 2008.09.01 W32/Banload.E.gen!Eldorado
Avast 4.8.1195.0 2008.08.31 Win32:Trojan-gen {Other}
AVG 8.0.0.161 2008.09.01 Downloader.Generic7.AGRS
BitDefender 7.2 2008.09.01 Trojan.Generic.662130
CAT-QuickHeal 9.50 2008.08.29 TrojanDownloader.Delf.mpl
ClamAV 0.93.1 2008.09.01 -
DrWeb 4.44.0.09170 2008.09.01 -
eSafe 7.0.17.0 2008.08.31 -
eTrust-Vet 31.6.6062 2008.09.01 -
Ewido 4.0 2008.09.01 -
F-Prot 4.4.4.56 2008.09.01 W32/Banload.E.gen!Eldorado
F-Secure 7.60.13501.0 2008.09.01 Trojan-Downloader.Win32.Delf.mpl
Fortinet 3.14.0.0 2008.09.01 -
GData 19 2008.09.01 Trojan-Downloader.Win32.Delf.mpl
Ikarus T3.1.1.34.0 2008.09.01 Trojan-Downloader.Win32.Delf.asz
K7AntiVirus 7.10.435 2008.09.01 Trojan.Win32.Malware.1
Kaspersky 7.0.0.125 2008.09.01 Trojan-Downloader.Win32.Delf.mpl
McAfee 5373 2008.08.29 Generic Downloader.x
Microsoft 1.3807 2008.08.25 -
NOD32v2 3404 2008.09.01 probably a variant of Win32/TrojanDownloader.Delf.ATB
Norman 5.80.02 2008.09.01 -
Panda 9.0.0.4 2008.08.31 -
PCTools 4.4.2.0 2008.09.01 Trojan-Downloader.Delf!sd6
Prevx1 V2 2008.09.01 Cloaked Malware
Rising 20.60.01.00 2008.09.01 Trojan.Win32.Undef.dru
Sophos 4.33.0 2008.09.01 -
Sunbelt 3.1.1592.1 2008.08.30 Trojan-Downloader.Delphi.Gen
Symantec 10 2008.09.01 Trojan Horse
TheHacker 6.3.0.6.069 2008.09.01 -
TrendMicro 8.700.0.1004 2008.09.01 -
VBA32 3.12.8.4 2008.08.31 Trojan-Downloader.Win32.Delf.mpl
ViRobot 2008.9.1.1359 2008.09.01 Trojan.Win32.Downloader.478720.B
VirusBuster 4.5.11.0 2008.08.31 -
Webwasher-Gateway 6.6.2 2008.09.01 Trojan.Spy.Gen

 

附加信息
File size: 478720 bytes
MD5...: 84e9c475ffe13cb7c8fd60f5b2995f00
SHA1..: bad9cfae6813748df9eb9bc0ad6c5728a267d2b2
SHA256: 6925307afc3957989c289dcbcba3eeb220e75d503bc91b4bd6c625a2ba48dbf6
SHA512: 219b328dc82b6d208444b825d18a4c71758a65ccfa21f291e0bc26d458bf11e9
75e5282071dfd603ad54550f72df417ec095702300f6a88a742c99d1ad486f2a
PEiD..: -
TrID..: File type identification
Win32 Executable Borland Delphi 7 (69.1%)
Win32 Executable Borland Delphi 6 (27.0%)
Win32 Executable Delphi generic (1.5%)
Win32 Executable Generic (0.8%)
Win32 Dynamic Link Library (generic) (0.7%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x463f40
timedatestamp.....: 0x2a425e19 (Fri Jun 19 22:22:17 1992)
machinetype.......: 0x14c (I386)

( 8 sections )
name viradd virsiz rawdsiz ntrpy md5
CODE 0x1000 0x62fd0 0x63000 6.54 e67f1df4e269a7be7237114c94c9974a
DATA 0x64000 0x13b8 0x1400 4.11 dc6afc04a81f1b4d2e6fe22b921b4345
BSS 0x66000 0x1141 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.idata 0x68000 0x2776 0x2800 5.01 d0b43b14609d2a068b5d2753a50f0afa
.tls 0x6b000 0x10 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.rdata 0x6c000 0x18 0x200 0.20 59ae59073dbfc82e5e0222fb77af1a75
.reloc 0x6d000 0x7204 0x7400 6.66 d8a0e4ffedfa836b07ffcabfcec0d94d
.rsrc 0x75000 0x6800 0x6800 4.31 22b9293e6ea466a14872f8b94f2578e2

( 18 imports )
> kernel32.dll: DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, GetTickCount, QueryPerformanceCounter, GetVersion, GetCurrentThreadId, InterlockedDecrement, InterlockedIncrement, VirtualQuery, WideCharToMultiByte, MultiByteToWideChar, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, ExitThread, CreateThread, WriteFile, UnhandledExceptionFilter, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetFileType, CreateFileA, CloseHandle
> user32.dll: GetKeyboardType, LoadStringA, MessageBoxA, CharNextA
> advapi32.dll: RegQueryValueExA, RegOpenKeyExA, RegCloseKey
> oleaut32.dll: SysFreeString, SysReAllocStringLen, SysAllocStringLen
> kernel32.dll: TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
> advapi32.dll: ReportEventA, RegisterEventSourceA, RegQueryValueExA, RegOpenKeyExA, RegCloseKey, DeregisterEventSource
> kernel32.dll: lstrcpyA, WriteFile, WinExec, WaitForSingleObject, VirtualQuery, VirtualAlloc, SuspendThread, Sleep, SizeofResource, SetThreadLocale, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResumeThread, ResetEvent, ReadFile, MultiByteToWideChar, MulDiv, LockResource, LoadResource, LoadLibraryA, LeaveCriticalSection, InitializeCriticalSection, GlobalUnlock, GlobalSize, GlobalReAlloc, GlobalHandle, GlobalLock, GlobalFree, GlobalFindAtomA, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomA, GetVersionExA, GetVersion, GetUserDefaultLCID, GetTickCount, GetThreadLocale, GetSystemInfo, GetStringTypeExA, GetStdHandle, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLocalTime, GetLastError, GetFullPathNameA, GetExitCodeThread, GetDiskFreeSpaceA, GetDateFormatA, GetCurrentThreadId, GetCurrentProcessId, GetComputerNameA, GetCPInfo, GetACP, FreeResource, InterlockedIncrement, InterlockedExchange, InterlockedDecrement, FreeLibrary, FormatMessageA, FindResourceA, FindFirstFileA, FindClose, FileTimeToLocalFileTime, FileTimeToDosDateTime, EnumCalendarInfoA, EnterCriticalSection, DeleteCriticalSection, CreateThread, CreateFileA, CreateEventA, CompareStringA, CloseHandle
> version.dll: VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA
> gdi32.dll: UnrealizeObject, StretchBlt, SetWindowOrgEx, SetWinMetaFileBits, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetMapMode, SetEnhMetaFileBits, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, SaveDC, RestoreDC, Rectangle, RectVisible, RealizePalette, PlayEnhMetaFile, PatBlt, MoveToEx, MaskBlt, LineTo, LPtoDP, IntersectClipRect, GetWindowOrgEx, GetWinMetaFileBits, GetTextMetricsA, GetTextExtentPointA, GetTextExtentPoint32A, GetSystemPaletteEntries, GetStockObject, GetPixel, GetPaletteEntries, GetObjectA, GetEnhMetaFilePaletteEntries, GetEnhMetaFileHeader, GetEnhMetaFileDescriptionA, GetEnhMetaFileBits, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, ExcludeClipRect, DeleteObject, DeleteEnhMetaFile, DeleteDC, CreateSolidBrush, CreatePenIndirect, CreatePalette, CreateHalftonePalette, CreateFontIndirectA, CreateEnhMetaFileA, CreateDIBitmap, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, CopyEnhMetaFileA, CloseEnhMetaFile, BitBlt
> user32.dll: CreateWindowExA, mouse_event, WindowFromPoint, WinHelpA, WaitMessage, UpdateWindow, UnregisterClassA, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoA, ShowWindow, ShowScrollBar, ShowOwnedPopups, ShowCursor, SetWindowsHookExA, SetWindowPos, SetWindowPlacement, SetWindowLongA, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropA, SetParent, SetMenuItemInfoA, SetMenu, SetForegroundWindow, SetFocus, SetCursorPos, SetCursor, SetClipboardData, SetClassLongA, SetCapture, SetActiveWindow, SendMessageA, ScrollWindow, ScreenToClient, RemovePropA, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageA, RegisterClipboardFormatA, RegisterClassA, RedrawWindow, PtInRect, PostThreadMessageA, PostQuitMessage, PostMessageA, PeekMessageA, OpenClipboard, OffsetRect, OemToCharA, MsgWaitForMultipleObjects, MessageBoxA, MessageBeep, MapWindowPoints, MapVirtualKeyA, LoadStringA, LoadKeyboardLayoutA, LoadIconA, LoadCursorA, LoadBitmapA, KillTimer, IsZoomed, IsWindowVisible, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageA, IsChild, InvalidateRect, IntersectRect, InsertMenuItemA, InsertMenuA, InflateRect, GetWindowThreadProcessId, GetWindowTextA, GetWindowRect, GetWindowPlacement, GetWindowLongA, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropA, GetParent, GetWindow, GetMessageTime, GetMessageExtraInfo, GetMessageA, GetMenuStringA, GetMenuState, GetMenuItemInfoA, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextA, GetIconInfo, GetForegroundWindow, GetFocus, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClipboardData, GetClientRect, GetClassNameA, GetClassInfoA, GetCapture, GetActiveWindow, FrameRect, FindWindowA, FillRect, EqualRect, EnumWindows, EnumThreadWindows, EndPaint, EnableWindow, EnableScrollBar, EnableMenuItem, EmptyClipboard, DrawTextA, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawEdge, DispatchMessageA, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcA, DefMDIChildProcA, DefFrameProcA, CreatePopupMenu, CreateMenu, CreateIcon, CloseClipboard, ClientToScreen, CheckMenuItem, CallWindowProcA, CallNextHookEx, BeginPaint, CharNextA, CharLowerBuffA, CharLowerA, CharUpperBuffA, CharToOemA, AdjustWindowRectEx, ActivateKeyboardLayout
> kernel32.dll: Sleep
> oleaut32.dll: SafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopy, VariantClear, VariantInit
> ole32.dll: CreateStreamOnHGlobal, IsAccelerator, OleDraw, OleSetMenuDescriptor, CoTaskMemFree, ProgIDFromCLSID, StringFromCLSID, CoCreateInstance, CoGetClassObject, CoUninitialize, CoInitialize, IsEqualGUID
> oleaut32.dll: GetErrorInfo, GetActiveObject, SysFreeString
> advapi32.dll: StartServiceCtrlDispatcherA, SetServiceStatus, RegisterServiceCtrlHandlerA, OpenServiceA, OpenSCManagerA, DeleteService, CreateServiceA, CloseServiceHandle
> comctl32.dll: ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_SetDragCursorImage, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Remove, ImageList_DrawEx, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_ReplaceIcon, ImageList_Add, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create
> shell32.dll: ShellExecuteA
> URLMON.DLL: URLDownloadToFileA

( 0 exports )
Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=A1F493E60054DB824ECA07D058F4F400F6E383C7

 

 

你可能感兴趣的:(遭遇scvhost.exe,kcohj1ba.sys,4f4.exe,w509v.sys,8g4.dll,307b.dll等)