遭遇beep.sys/Backdoor.Win32.Agent,DOVA/Backdoor.Win32.Hupigon,myRAT.rmvb/Trojan.Win32.Delf等2
遭遇beep.sys/Backdoor.Win32.Agent,DOVA/Backdoor.Win32.Hupigon,myRAT.rmvb/Trojan.Win32.Delf等2
endurer 原创 2008-06-22 第1版
(继1)
到 http://purpleendurer.ys168.com 下载 FileInfo 和 bat_do。
用FileInfo 提取 pe_xscan 的 log 中红色标记的文件的信息;用 bat_do 打包备份,延时删除,改所选文件名,再延时删除。
下载并安装 瑞星卡卡安全助手,切换到[高级功能]->[系统启动项管理],
在左边点击[登录项],在右边找到 F2、O4 项对应的项目,右击,从弹出的菜单里选择删除。
在左边分别点击[服务项]和[驱动],找到 O23组的对应项, 右击,从弹出的菜单中选择删除。
另外检查发现
文件说明符 : c:/windows/system32/drivers/beep.sys 属性 : A--- 数字签名:否 PE文件:是 获取文件版本信息大小失败! 创建时间 : 2008-6-16 16:30:47 修改时间 : 2008-6-16 16:30:48 大小 : 2278 字节 2.230 KB MD5 : 57feb7a53fc0fc0d72460c79f6fe4a70 SHA1: 426C70291E57437C7F922055D6E9F780582CB6AD CRC32: b4f9768e
(卡巴斯基报为:Backdoor.Win32.Agent.krx[KLAB-5393973])
也用 bat_do处理了。
用WinRAR删除Windows临时文件夹,IE临时文件夹,c:/windows/prefetch 中可以删除的文件。
重启电脑~
这下电脑工作正常了。
附部分病毒文件信息:
文件 beep.sys 接收于 2008.06.17 11:48:14 (CET)
| 反病毒引擎 | 版本 | 最后更新 | 扫描结果 |
| AhnLab-V3 | 2008.6.17.0 | 2008.06.17 | - |
| AntiVir | 7.8.0.55 | 2008.06.17 | - |
| Authentium | 5.1.0.4 | 2008.06.17 | - |
| Avast | 4.8.1195.0 | 2008.06.16 | - |
| AVG | 7.5.0.516 | 2008.06.16 | Worm/Agent.N |
| BitDefender | 7.2 | 2008.06.17 | - |
| CAT-QuickHeal | 9.50 | 2008.06.16 | - |
| ClamAV | 0.93.1 | 2008.06.17 | - |
| DrWeb | 4.44.0.09170 | 2008.06.17 | - |
| eSafe | 7.0.15.0 | 2008.06.16 | - |
| eTrust-Vet | 31.6.5881 | 2008.06.17 | - |
| Ewido | 4.0 | 2008.06.16 | - |
| F-Prot | 4.4.4.56 | 2008.06.12 | - |
| F-Secure | 7.60.13501.0 | 2008.06.17 | - |
| Fortinet | 3.14.0.0 | 2008.06.17 | - |
| GData | 2.0.7306.1023 | 2008.06.17 | - |
| Ikarus | T3.1.1.26.0 | 2008.06.17 | - |
| Kaspersky | 7.0.0.125 | 2008.06.17 | - |
| McAfee | 5318 | 2008.06.16 | - |
| Microsoft | 1.3604 | 2008.06.17 | - |
| NOD32v2 | 3192 | 2008.06.17 | - |
| Norman | 5.80.02 | 2008.06.16 | - |
| Panda | 9.0.0.4 | 2008.06.16 | - |
| Prevx1 | V2 | 2008.06.17 | - |
| Rising | 20.49.11.00 | 2008.06.17 | - |
| Sophos | 4.30.0 | 2008.06.17 | - |
| Sunbelt | 3.0.1153.1 | 2008.06.15 | - |
| Symantec | 10 | 2008.06.17 | - |
| TheHacker | 6.2.92.352 | 2008.06.17 | - |
| TrendMicro | 8.700.0.1004 | 2008.06.17 | - |
| VBA32 | 3.12.6.7 | 2008.06.17 | - |
| VirusBuster | 4.3.26:9 | 2008.06.12 | - |
| Webwasher-Gateway | 6.6.2 | 2008.06.17 | - |
| 附加信息 | |||
| File size: 2278 bytes | |||
| MD5...: 57feb7a53fc0fc0d72460c79f6fe4a70 | |||
| SHA1..: 426c70291e57437c7f922055d6e9f780582cb6ad | |||
| SHA256: 8f374788e5331a514bb7af41349fe2e41d1bf747c3cf6f8c0450f70d7700f62a | |||
| SHA512: 25496d47a6a7385e517575d4c82b3eaa6f477f5344c0db91d87ee55f0ccec035 834f7cfd854405cdbe784847ffcd5c2c66e1fea2bb34d50bc8bbfef99ffa14da |
|||
| PEiD..: - | |||
| PEInfo: PE Structure information ( base data ) entrypointaddress.: 0x102e6 timedatestamp.....: 0x4853ae23 (Sat Jun 14 11:40:19 2008) machinetype.......: 0x14c (I386) ( 5 sections ) name viradd virsiz rawdsiz ntrpy md5 .text 0x2a0 0x23c 0x240 5.84 738686680103bf7136d1d58d91449851 .rdata 0x4e0 0x94 0xa0 2.56 b3ae866fa0e297874aa7207a07840525 .data 0x580 0x18 0x20 0.00 70bc8f4b72a86921468bf8e8441dce51 INIT 0x5a0 0x144 0x160 4.44 5d072eceb6de4a7376bf9d6312676161 .reloc 0x700 0x58 0x60 3.47 d9b273eae760f0b360a5cdc940e91f18 ( 1 imports ) > ntoskrnl.exe: IoCreateSymbolicLink, IoCreateDevice, RtlInitUnicodeString, IofCompleteRequest, DbgPrint, IoDeleteDevice, IoDeleteSymbolicLink, KeServiceDescriptorTable, ProbeForWrite, ProbeForRead, _except_handler3 ( 0 exports ) | |||
文件说明符 : D:/test/myRAT.rmvb 属性 : -SH- 数字签名:否 PE文件:是 语言 : 中文(中国) 文件版本 : 1.0.0.500 说明 : 版权 : 备注 : 产品版本 : 1.0.0.0 产品名称 : 公司名称 : 合法商标 : 内部名称 : 源文件名 : 创建时间 : 2008-6-16 2:44:19 修改时间 : 2008-6-16 10:44:20 大小 : 135680 字节 132.512 KB MD5 : 2d12b069fe76521573f6c7335b5b4b3a SHA1: 4CCF4F2AE88DF6B28544AC5628EE5F87157EBB13 CRC32: 6a109c0d
卡巴斯基报为:Trojan-Downloader.Win32.Delf.jdo,瑞星报为:Trojan.Win32.Delf.fck
| 反病毒引擎 | 版本 | 最后更新 | 扫描结果 |
| AhnLab-V3 | 2008.6.17.0 | 2008.06.17 | - |
| AntiVir | 7.8.0.55 | 2008.06.17 | BDS/Backdoor.Gen |
| Authentium | 5.1.0.4 | 2008.06.17 | W32/OnlineGames.A.gen!Eldorado |
| Avast | 4.8.1195.0 | 2008.06.16 | - |
| AVG | 7.5.0.516 | 2008.06.16 | - |
| BitDefender | 7.2 | 2008.06.17 | - |
| CAT-QuickHeal | 9.50 | 2008.06.16 | - |
| ClamAV | 0.93.1 | 2008.06.17 | - |
| DrWeb | 4.44.0.09170 | 2008.06.17 | BackDoor.Siggen.18 |
| eSafe | 7.0.15.0 | 2008.06.16 | - |
| eTrust-Vet | 31.6.5881 | 2008.06.17 | - |
| Ewido | 4.0 | 2008.06.16 | - |
| F-Prot | 4.4.4.56 | 2008.06.12 | W32/OnlineGames.A.gen!Eldorado |
| F-Secure | 7.60.13501.0 | 2008.06.17 | - |
| Fortinet | 3.14.0.0 | 2008.06.17 | - |
| GData | 2.0.7306.1023 | 2008.06.17 | Trojan-Downloader.Win32.Delf.jdo |
| Ikarus | T3.1.1.26.0 | 2008.06.17 | Backdoor.Win32.Delf.RAN |
| Kaspersky | 7.0.0.125 | 2008.06.17 | Trojan-Downloader.Win32.Delf.jdo |
| McAfee | 5318 | 2008.06.16 | - |
| Microsoft | 1.3604 | 2008.06.17 | Backdoor:Win32/Delf.RAN |
| NOD32v2 | 3193 | 2008.06.17 | - |
| Norman | 5.80.02 | 2008.06.16 | - |
| Panda | 9.0.0.4 | 2008.06.16 | Suspicious file |
| Prevx1 | V2 | 2008.06.17 | - |
| Rising | 20.49.11.00 | 2008.06.17 | Trojan.Win32.Delf.fck |
| Sophos | 4.30.0 | 2008.06.17 | Troj/Delf-FAH |
| Sunbelt | 3.0.1153.1 | 2008.06.15 | - |
| Symantec | 10 | 2008.06.17 | - |
| TheHacker | 6.2.92.352 | 2008.06.17 | - |
| TrendMicro | 8.700.0.1004 | 2008.06.17 | - |
| VBA32 | 3.12.6.7 | 2008.06.17 | - |
| VirusBuster | 4.3.26:9 | 2008.06.12 | - |
| Webwasher-Gateway | 6.6.2 | 2008.06.17 | Trojan.Backdoor.Backdoor.Gen |
| 附加信息 | |||
| File size: 135680 bytes | |||
| MD5...: 2d12b069fe76521573f6c7335b5b4b3a | |||
| SHA1..: 4ccf4f2ae88df6b28544ac5628ee5f87157ebb13 | |||
| SHA256: 48305730acf26f319facfa169e6eb8b07e1cdcb90e0cd34421e0f4d56422ff7b | |||
| SHA512: 44ef829d1fc28f1412ca9d4b675e31bb255f35c45bd7d1bddb91955988e57ef3 9be30e2d2db3488f5fb7f306ea95dda97d67078c39a85edd1f22d6f1af9ee24c |
|||
| PEiD..: - | |||
| PEInfo: PE Structure information ( base data ) entrypointaddress.: 0x41c1b4 timedatestamp.....: 0x2a425e19 (Fri Jun 19 22:22:17 1992) machinetype.......: 0x14c (I386) ( 7 sections ) name viradd virsiz rawdsiz ntrpy md5 ( 4 exports ) Install, InstallEx, ServerMain, ServiceMain |
|||
文件说明符 : D:/test/DOVA 属性 : -SHR 数字签名:否 PE文件:是 获取文件版本信息大小失败! 创建时间 : 2008-6-16 2:44:38 修改时间 : 2008-6-16 16:30:50 大小 : 231729 字节 226.305 KB MD5 : 76d5a93a77a4b266ce590864fe2cdae4 SHA1: E9E2694515A8D0BEF74E5D4094E49DB4DC46E297 CRC32: 3c8f8c39
卡巴斯基报为:Backdoor.Win32.Hupigon.clpz
| 反病毒引擎 | 版本 | 最后更新 | 扫描结果 |
| AhnLab-V3 | 2008.6.17.0 | 2008.06.17 | Win32/NSAnti.suspicious |
| AntiVir | 7.8.0.55 | 2008.06.17 | BDS/Backdoor.Gen |
| Authentium | 5.1.0.4 | 2008.06.17 | W32/Hupigon.A.gen!Eldorado |
| Avast | 4.8.1195.0 | 2008.06.16 | Win32:Hupigon-ZA |
| AVG | 7.5.0.516 | 2008.06.16 | Generic10.ANTC |
| BitDefender | 7.2 | 2008.06.17 | MemScan:Backdoor.Hupigon.ZUW |
| CAT-QuickHeal | 9.50 | 2008.06.16 | Win32.Packed.NSAnti.r |
| ClamAV | 0.93.1 | 2008.06.17 | - |
| DrWeb | 4.44.0.09170 | 2008.06.17 | BackDoor.Pigeon.2254 |
| eSafe | 7.0.15.0 | 2008.06.16 | suspicious Trojan/Worm |
| eTrust-Vet | 31.6.5881 | 2008.06.17 | - |
| Ewido | 4.0 | 2008.06.16 | Backdoor.GrayBird.kx |
| F-Prot | 4.4.4.56 | 2008.06.12 | W32/Hupigon.A.gen!Eldorado |
| Fortinet | 3.14.0.0 | 2008.06.17 | - |
| GData | 2.0.7306.1023 | 2008.06.17 | Backdoor.Win32.Hupigon.clpz |
| Ikarus | T3.1.1.26.0 | 2008.06.17 | Packed.Win32.Klone.af |
| Kaspersky | 7.0.0.125 | 2008.06.17 | Backdoor.Win32.Hupigon.clpz |
| McAfee | 5318 | 2008.06.16 | - |
| Microsoft | 1.3604 | 2008.06.17 | VirTool:Win32/Obfuscator.A |
| NOD32v2 | 3193 | 2008.06.17 | - |
| Norman | 5.80.02 | 2008.06.16 | W32/Suspicious_N.gen |
| Panda | 9.0.0.4 | 2008.06.16 | Suspicious file |
| Prevx1 | V2 | 2008.06.17 | Suspicious |
| Rising | 20.49.11.00 | 2008.06.17 | - |
| Sophos | 4.30.0 | 2008.06.17 | Sus/UnkPacker |
| Sunbelt | 3.0.1153.1 | 2008.06.15 | VIPRE.Suspicious |
| Symantec | 10 | 2008.06.17 | - |
| TheHacker | 6.2.92.352 | 2008.06.17 | - |
| TrendMicro | 8.700.0.1004 | 2008.06.17 | - |
| VBA32 | 3.12.6.7 | 2008.06.17 | suspected of Backdoor.XiaoBird.1 |
| VirusBuster | 4.3.26:9 | 2008.06.12 | Packed/NSPack |
| Webwasher-Gateway | 6.6.2 | 2008.06.17 | Trojan.Backdoor.Backdoor.Gen |
| 附加信息 | |||
| File size: 231729 bytes | |||
| MD5...: 76d5a93a77a4b266ce590864fe2cdae4 | |||
| SHA1..: e9e2694515a8d0bef74e5d4094e49db4dc46e297 | |||
| SHA256: 56002d8d72834e91189ac226b809be2968ddcd199edf74486b8baa527ae64c81 | |||
| SHA512: 8f414f7d1f035e621db966d760dbba76ff18aeb895c62398e1368522094f45f5 7161dfe25018fca5aff40e881adb66169511403d931220017f334e0e1b8ca80f |
|||
| PEiD..: - | |||
| PEInfo: PE Structure information ( base data ) entrypointaddress.: 0x4df028 timedatestamp.....: 0x2a425e19 (Fri Jun 19 22:22:17 1992) machinetype.......: 0x14c (I386) ( 3 sections ) name viradd virsiz rawdsiz ntrpy md5 0x1000 0xde000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e 0xdf000 0x39000 0x38531 8.00 15910b31c9cfb5449b6989cf64121b8e 0x118000 0x88a 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e ( 25 imports ) > KERNEL32.DLL: LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess > USER32.DLL: GetKeyboardType > ADVAPI32.DLL: RegQueryvalueExA > OLEAUT32.DLL: SysFreeString > KERNEL32.DLL: TlsSetvalue > ADVAPI32.DLL: RegSetvalueExA > KERNEL32.DLL: lstrcpyA > MPR.DLL: WNetOpenEnumA > VERSION.DLL: VerQueryvalueA > GDI32.DLL: UnrealizeObject > USER32.DLL: CreateWindowExA > KERNEL32.DLL: Sleep > OLEAUT32.DLL: SafeArrayPtrOfIndex > COMCTL32.DLL: ImageList_SetIconSize > SHELL32.DLL: Shell_NotifyIconA > WININET.DLL: InternetReadFile > ADVAPI32.DLL: StartServiceA > WSOCK32.DLL: WSACleanup > IMAGEHLP.DLL: CheckSumMappedFile > WINMM.DLL: waveOutWrite > AVICAP32.DLL: capCreateCaptureWindowA > MSACM32.DLL: acmFormatChooseA > WS2_32.DLL: WSAIoctl > ADVAPI32.DLL: SetSecurityInfo > AVICAP32.DLL: capGetDriverDescriptionA ( 0 exports ) | |||
| Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=E5A5604431A0EFF889FD0378A1F6E80097A6ED84 | |||
| packers (Avast): NsPack, NsPack | |||
| packers (F-Prot): NSPack | |||
| packers (Authentium): NSPack | |||