Encountering scvhost.exe, kcohj1ba.sys, 4f4.exe, w509v.sys, 8g4.dll, 307b.dll and friends


endurer original
2008-09-01, revision 1

At a meeting today I needed to play a courseware presentation, so I had prepared two laptops. Unexpectedly, the one kept as a backup started popping up a message box at irregular intervals right after boot, reporting an error loading 307b.dll. It had clearly been infected.

This message box was bound to interfere with playing the courseware, so it had to be dealt with immediately.

The laptop had Kingsoft Internet Security 2008 installed, but its virus definitions dated from August 17, and for the moment it could not get online to update.

A scan with Kingsoft Cleaner (金山清理专家) found nothing suspicious.

Later I discovered that the machine also had Rising Kaka Security Assistant (瑞星卡卡安全助手) installed, although only a 4.x version. Checking the startup items with it immediately turned up suspicious entries. Scanning with pe_xscan and analysing gives the following:

/===
pe_xscan 08-08-01 by Purple Endurer
2008-9-1 13:40:48
Windows XP Service Pack 2(5.1.2600)
MSIE:7.0.5730.13
Administrators group
Normal mode

O2 - BHO BHO Class - {1307E689-5CA1-4a15-9583-F2350790290D} = C:/WINDOWS/system32/oqxovy.dll| 2008-8-17 6:41:44
O2 - BHO Invoke Class - {6B76DDAB-898D-4e5b-917C-2B697C2EA7A4} = C:/WINDOWS/system32/8g4.dll| 2008-8-15 23:28:49
O4 - HKLM/../Policies/Explorer/Run: [307b] rundll32  C:/WINDOWS/Downlo~1/307b.dll",Run
307ac.job
307b.job
307dc.job
307sc.job


O9 - IE toolbar extension button HKLM: Knowledge Base - {06926B30-424E-4f1c-8EE3-543CD96573DC} - hxxp://blank.la/?h
O9 - IE Tools menu extension item HKLM: - {06926B30-424E-4f1c-8EE3-543CD96573DC} - hxxtp://blank.la/?h
O23 - Service: 9bi9m8 (9bi9m8) -  System32/DRIVERS/9bi9m8.sys(boot)
O23 - Service: ADProt (ADProt) - C:/WINDOWS/system32/drivers/ADProt.sys(system)
O23 - Service: kcohj1ba (kcohj1ba) -  system32/drivers/kcohj1ba.sys(boot)
O23 - Service: oboqyy (Logical Disk Manager Amdinistrative oboqyy) - c:/root/yxyeaholes/scvhost.exe| 2008-7-11 3:14:2(auto)
O23 - Service: OSEvent (OSEvent) - C:/WINDOWS/system32/s.exe| 2008-8-8 4:9:38(auto)
O23 - Service: ThinkpadSer (ThinkpadSer) - C:/WINDOWS/system32/4f4.exe| 2008-8-14 11:39:15(auto)
O23 - Service: w509v (w509v) -  system32/drivers/w509v.sys(boot)

===/

After cleaning all of these out and rebooting, the message box indeed no longer appeared.
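The by-eye triage applied to the pe_xscan log above can be written down as rules. As an added example, not part of endurer's post and not pe_xscan's own code, the script below pulls the loader path out of each O2/O4/O23 line and checks it against a few cheap heuristics: binary outside the Windows or Program Files tree, letters and digits mixed in the file name, a one- or two-character name, a 'q' not followed by 'u', a name within two edits of a well-known system binary (scvhost.exe against svchost.exe), autorun via the rarely used Policies\Explorer\Run key, and boot-start drivers. The sample log is a constructed copy of the log entries above with the labels in English; the system-binary list and the thresholds are the example's own assumptions.

```python
import re

# Constructed sample: the pe_xscan entries quoted on the page, with the
# Chinese labels translated. Not the tool's own output.
SAMPLE_LOG = """\
O2 - BHO BHO Class - {1307E689-5CA1-4a15-9583-F2350790290D} = C:/WINDOWS/system32/oqxovy.dll| 2008-8-17 6:41:44
O2 - BHO Invoke Class - {6B76DDAB-898D-4e5b-917C-2B697C2EA7A4} = C:/WINDOWS/system32/8g4.dll| 2008-8-15 23:28:49
O4 - HKLM/../Policies/Explorer/Run: [307b] rundll32  C:/WINDOWS/Downlo~1/307b.dll",Run
O23 - Service: 9bi9m8 (9bi9m8) -  System32/DRIVERS/9bi9m8.sys(boot)
O23 - Service: ADProt (ADProt) - C:/WINDOWS/system32/drivers/ADProt.sys(system)
O23 - Service: kcohj1ba (kcohj1ba) -  system32/drivers/kcohj1ba.sys(boot)
O23 - Service: oboqyy (Logical Disk Manager Amdinistrative oboqyy) - c:/root/yxyeaholes/scvhost.exe| 2008-7-11 3:14:2(auto)
O23 - Service: OSEvent (OSEvent) - C:/WINDOWS/system32/s.exe| 2008-8-8 4:9:38(auto)
O23 - Service: ThinkpadSer (ThinkpadSer) - C:/WINDOWS/system32/4f4.exe| 2008-8-14 11:39:15(auto)
O23 - Service: w509v (w509v) -  system32/drivers/w509v.sys(boot)
"""

# Assumed list of system binaries that droppers like to imitate (stems only).
SYSTEM_STEMS = ("svchost", "lsass", "csrss", "smss", "winlogon",
                "services", "explorer", "spoolsv")

# Last path-like token ending in a PE extension; tokens cannot span spaces.
PATH_RE = re.compile(r"[\w~:./\\-]+\.(?:exe|dll|sys)\b", re.I)


def levenshtein(a, b):
    """Plain edit distance, used to catch near-misses such as scvhost/svchost."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(line):
    """Return (path, reasons) for one log line, or None if it names no binary."""
    found = PATH_RE.findall(line)
    if not found:
        return None
    path = found[-1]
    p = path.replace("\\", "/").lower()
    stem = p.rsplit("/", 1)[-1].rsplit(".", 1)[0]
    reasons = []
    in_system = ("/windows/" in p or p.startswith("system32/")
                 or "/program files/" in p)
    if not in_system:
        reasons.append("binary outside Windows/Program Files tree")
    if any(c.isdigit() for c in stem) and any(c.isalpha() for c in stem):
        reasons.append("letters and digits mixed in file name")
    if len(stem) <= 2:
        reasons.append("one- or two-character file name")
    if re.search(r"q(?!u)", stem):
        reasons.append("'q' not followed by 'u': unpronounceable name")
    if len(stem) >= 5:
        for s in SYSTEM_STEMS:
            if stem != s and levenshtein(stem, s) <= 2:
                reasons.append(f"name imitates {s}")
    if "policies/explorer/run" in line.lower():
        reasons.append("autorun via Policies\\Explorer\\Run")
    if line.startswith("O23") and "(boot)" in line.lower():
        reasons.append("boot-start kernel driver")
    return path, reasons


def triage_log(text):
    """Map every flagged path to the list of reasons it tripped."""
    flagged = {}
    for line in text.splitlines():
        hit = triage(line)
        if hit and hit[1]:
            flagged[hit[0]] = hit[1]
    return flagged


if __name__ == "__main__":
    for path, why in triage_log(SAMPLE_LOG).items():
        print(f"{path}\n    " + "\n    ".join(why))
```

Nine of the ten entries trip at least one rule; ADProt.sys comes through clean because nothing in its name or path is odd, which is exactly why the author's visual review of the service list still matters: rules catch what a human can articulate, not everything a human can notice. The rules are tuned to this log and will misfire on clean systems (plenty of legitimate boot-start drivers have terse names), so treat a hit as a reason to look at the file, not as a verdict.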


File: C:/root/yxyeaholes/scvhost.exe
Attributes: A---
Digitally signed: No
PE file: Yes
Language: Chinese (China)
File version: 1.0.0.0
Product version: 1.0.0.0
Created: 2008-7-11 11:14:2
Modified: 2008-7-11 11:14:2
Size: 478720 bytes 467.512 KB
MD5 : 84e9c475ffe13cb7c8fd60f5b2995f00
SHA1: BAD9CFAE6813748DF9EB9BC0AD6C5728A267D2B2
CRC32: cdee47b1

File scvhost.exe received on 2008.09.01 15:25:39 (CET)

Antivirus           Version          Last update   Result
AhnLab-V3           2008.8.29.0      2008.09.01    Win-Trojan/Xema.variant
AntiVir             7.8.1.23         2008.09.01    TR/Spy.Gen
Authentium          5.1.0.4          2008.09.01    W32/Banload.E.gen!Eldorado
Avast               4.8.1195.0       2008.08.31    Win32:Trojan-gen {Other}
AVG                 8.0.0.161        2008.09.01    Downloader.Generic7.AGRS
BitDefender         7.2              2008.09.01    Trojan.Generic.662130
CAT-QuickHeal       9.50             2008.08.29    TrojanDownloader.Delf.mpl
ClamAV              0.93.1           2008.09.01    -
DrWeb               4.44.0.09170     2008.09.01    -
eSafe               7.0.17.0         2008.08.31    -
eTrust-Vet          31.6.6062        2008.09.01    -
Ewido               4.0              2008.09.01    -
F-Prot              4.4.4.56         2008.09.01    W32/Banload.E.gen!Eldorado
F-Secure            7.60.13501.0     2008.09.01    Trojan-Downloader.Win32.Delf.mpl
Fortinet            3.14.0.0         2008.09.01    -
GData               19               2008.09.01    Trojan-Downloader.Win32.Delf.mpl
Ikarus              T3.1.1.34.0      2008.09.01    Trojan-Downloader.Win32.Delf.asz
K7AntiVirus         7.10.435         2008.09.01    Trojan.Win32.Malware.1
Kaspersky           7.0.0.125        2008.09.01    Trojan-Downloader.Win32.Delf.mpl
McAfee              5373             2008.08.29    Generic Downloader.x
Microsoft           1.3807           2008.08.25    -
NOD32v2             3404             2008.09.01    probably a variant of Win32/TrojanDownloader.Delf.ATB
Norman              5.80.02          2008.09.01    -
Panda               9.0.0.4          2008.08.31    -
PCTools             4.4.2.0          2008.09.01    Trojan-Downloader.Delf!sd6
Prevx1              V2               2008.09.01    Cloaked Malware
Rising              20.60.01.00      2008.09.01    Trojan.Win32.Undef.dru
Sophos              4.33.0           2008.09.01    -
Sunbelt             3.1.1592.1       2008.08.30    Trojan-Downloader.Delphi.Gen
Symantec            10               2008.09.01    Trojan Horse
TheHacker           6.3.0.6.069      2008.09.01    -
TrendMicro          8.700.0.1004     2008.09.01    -
VBA32               3.12.8.4         2008.08.31    Trojan-Downloader.Win32.Delf.mpl
ViRobot             2008.9.1.1359    2008.09.01    Trojan.Win32.Downloader.478720.B
VirusBuster         4.5.11.0         2008.08.31    -
Webwasher-Gateway   6.6.2            2008.09.01    Trojan.Spy.Gen

Additional information
File size: 478720 bytes
MD5...: 84e9c475ffe13cb7c8fd60f5b2995f00
SHA1..: bad9cfae6813748df9eb9bc0ad6c5728a267d2b2
SHA256: 6925307afc3957989c289dcbcba3eeb220e75d503bc91b4bd6c625a2ba48dbf6
SHA512: 219b328dc82b6d208444b825d18a4c71758a65ccfa21f291e0bc26d458bf11e9
75e5282071dfd603ad54550f72df417ec095702300f6a88a742c99d1ad486f2a
PEiD..: -
TrID..: File type identification
Win32 Executable Borland Delphi 7 (69.1%)
Win32 Executable Borland Delphi 6 (27.0%)
Win32 Executable Delphi generic (1.5%)
Win32 Executable Generic (0.8%)
Win32 Dynamic Link Library (generic) (0.7%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x463f40
timedatestamp.....: 0x2a425e19 (Fri Jun 19 22:22:17 1992)
machinetype.......: 0x14c (I386)

( 8 sections )
name viradd virsiz rawdsiz ntrpy md5
CODE 0x1000 0x62fd0 0x63000 6.54 e67f1df4e269a7be7237114c94c9974a
DATA 0x64000 0x13b8 0x1400 4.11 dc6afc04a81f1b4d2e6fe22b921b4345
BSS 0x66000 0x1141 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.idata 0x68000 0x2776 0x2800 5.01 d0b43b14609d2a068b5d2753a50f0afa
.tls 0x6b000 0x10 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.rdata 0x6c000 0x18 0x200 0.20 59ae59073dbfc82e5e0222fb77af1a75
.reloc 0x6d000 0x7204 0x7400 6.66 d8a0e4ffedfa836b07ffcabfcec0d94d
.rsrc 0x75000 0x6800 0x6800 4.31 22b9293e6ea466a14872f8b94f2578e2

( 18 imports )
> kernel32.dll: DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, GetTickCount, QueryPerformanceCounter, GetVersion, GetCurrentThreadId, InterlockedDecrement, InterlockedIncrement, VirtualQuery, WideCharToMultiByte, MultiByteToWideChar, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, ExitThread, CreateThread, WriteFile, UnhandledExceptionFilter, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetFileType, CreateFileA, CloseHandle
> user32.dll: GetKeyboardType, LoadStringA, MessageBoxA, CharNextA
> advapi32.dll: RegQueryValueExA, RegOpenKeyExA, RegCloseKey
> oleaut32.dll: SysFreeString, SysReAllocStringLen, SysAllocStringLen
> kernel32.dll: TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
> advapi32.dll: ReportEventA, RegisterEventSourceA, RegQueryValueExA, RegOpenKeyExA, RegCloseKey, DeregisterEventSource
> kernel32.dll: lstrcpyA, WriteFile, WinExec, WaitForSingleObject, VirtualQuery, VirtualAlloc, SuspendThread, Sleep, SizeofResource, SetThreadLocale, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResumeThread, ResetEvent, ReadFile, MultiByteToWideChar, MulDiv, LockResource, LoadResource, LoadLibraryA, LeaveCriticalSection, InitializeCriticalSection, GlobalUnlock, GlobalSize, GlobalReAlloc, GlobalHandle, GlobalLock, GlobalFree, GlobalFindAtomA, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomA, GetVersionExA, GetVersion, GetUserDefaultLCID, GetTickCount, GetThreadLocale, GetSystemInfo, GetStringTypeExA, GetStdHandle, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLocalTime, GetLastError, GetFullPathNameA, GetExitCodeThread, GetDiskFreeSpaceA, GetDateFormatA, GetCurrentThreadId, GetCurrentProcessId, GetComputerNameA, GetCPInfo, GetACP, FreeResource, InterlockedIncrement, InterlockedExchange, InterlockedDecrement, FreeLibrary, FormatMessageA, FindResourceA, FindFirstFileA, FindClose, FileTimeToLocalFileTime, FileTimeToDosDateTime, EnumCalendarInfoA, EnterCriticalSection, DeleteCriticalSection, CreateThread, CreateFileA, CreateEventA, CompareStringA, CloseHandle
> version.dll: VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA
> gdi32.dll: UnrealizeObject, StretchBlt, SetWindowOrgEx, SetWinMetaFileBits, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetMapMode, SetEnhMetaFileBits, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, SaveDC, RestoreDC, Rectangle, RectVisible, RealizePalette, PlayEnhMetaFile, PatBlt, MoveToEx, MaskBlt, LineTo, LPtoDP, IntersectClipRect, GetWindowOrgEx, GetWinMetaFileBits, GetTextMetricsA, GetTextExtentPointA, GetTextExtentPoint32A, GetSystemPaletteEntries, GetStockObject, GetPixel, GetPaletteEntries, GetObjectA, GetEnhMetaFilePaletteEntries, GetEnhMetaFileHeader, GetEnhMetaFileDescriptionA, GetEnhMetaFileBits, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, ExcludeClipRect, DeleteObject, DeleteEnhMetaFile, DeleteDC, CreateSolidBrush, CreatePenIndirect, CreatePalette, CreateHalftonePalette, CreateFontIndirectA, CreateEnhMetaFileA, CreateDIBitmap, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, CopyEnhMetaFileA, CloseEnhMetaFile, BitBlt
> user32.dll: CreateWindowExA, mouse_event, WindowFromPoint, WinHelpA, WaitMessage, UpdateWindow, UnregisterClassA, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoA, ShowWindow, ShowScrollBar, ShowOwnedPopups, ShowCursor, SetWindowsHookExA, SetWindowPos, SetWindowPlacement, SetWindowLongA, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropA, SetParent, SetMenuItemInfoA, SetMenu, SetForegroundWindow, SetFocus, SetCursorPos, SetCursor, SetClipboardData, SetClassLongA, SetCapture, SetActiveWindow, SendMessageA, ScrollWindow, ScreenToClient, RemovePropA, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageA, RegisterClipboardFormatA, RegisterClassA, RedrawWindow, PtInRect, PostThreadMessageA, PostQuitMessage, PostMessageA, PeekMessageA, OpenClipboard, OffsetRect, OemToCharA, MsgWaitForMultipleObjects, MessageBoxA, MessageBeep, MapWindowPoints, MapVirtualKeyA, LoadStringA, LoadKeyboardLayoutA, LoadIconA, LoadCursorA, LoadBitmapA, KillTimer, IsZoomed, IsWindowVisible, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageA, IsChild, InvalidateRect, IntersectRect, InsertMenuItemA, InsertMenuA, InflateRect, GetWindowThreadProcessId, GetWindowTextA, GetWindowRect, GetWindowPlacement, GetWindowLongA, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropA, GetParent, GetWindow, GetMessageTime, GetMessageExtraInfo, GetMessageA, GetMenuStringA, GetMenuState, GetMenuItemInfoA, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextA, GetIconInfo, GetForegroundWindow, GetFocus, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClipboardData, GetClientRect, GetClassNameA, GetClassInfoA, GetCapture, GetActiveWindow, FrameRect, FindWindowA, FillRect, EqualRect, EnumWindows, EnumThreadWindows, EndPaint, EnableWindow, EnableScrollBar, EnableMenuItem, EmptyClipboard, DrawTextA, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawEdge, DispatchMessageA, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcA, DefMDIChildProcA, DefFrameProcA, CreatePopupMenu, CreateMenu, CreateIcon, CloseClipboard, ClientToScreen, CheckMenuItem, CallWindowProcA, CallNextHookEx, BeginPaint, CharNextA, CharLowerBuffA, CharLowerA, CharUpperBuffA, CharToOemA, AdjustWindowRectEx, ActivateKeyboardLayout
> kernel32.dll: Sleep
> oleaut32.dll: SafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopy, VariantClear, VariantInit
> ole32.dll: CreateStreamOnHGlobal, IsAccelerator, OleDraw, OleSetMenuDescriptor, CoTaskMemFree, ProgIDFromCLSID, StringFromCLSID, CoCreateInstance, CoGetClassObject, CoUninitialize, CoInitialize, IsEqualGUID
> oleaut32.dll: GetErrorInfo, GetActiveObject, SysFreeString
> advapi32.dll: StartServiceCtrlDispatcherA, SetServiceStatus, RegisterServiceCtrlHandlerA, OpenServiceA, OpenSCManagerA, DeleteService, CreateServiceA, CloseServiceHandle
> comctl32.dll: ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_SetDragCursorImage, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Remove, ImageList_DrawEx, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_ReplaceIcon, ImageList_Add, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create
> shell32.dll: ShellExecuteA
> URLMON.DLL: URLDownloadToFileA

( 0 exports )
Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=A1F493E60054DB824ECA07D058F4F400F6E383C7
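The PEInfo block above (section table with entropy, link timestamp, import list) is the raw material for a quick static triage, and the script below shows how to read it. It is an added example, not code from the page, from endurer or from VirusTotal. One caveat it encodes is worth stating plainly: the 1992 timestamp is not a build time. Borland's Delphi linker writes the fixed value 0x2A425E19 (Fri Jun 19 22:22:17 1992) into every binary it produces, so the field confirms what TrID already says (a Delphi 6/7 executable) and nothing else. The parser reads the COFF header and section table with struct, computes per-section Shannon entropy, flags the Delphi constant and any section above a packed-data threshold, and maps a list of import names to coarse capabilities. It runs on a constructed two-section image built inside the block (one plain section, one filled with pseudo-random bytes); the import list is a hand-picked subset of the names listed above, and the capability table and the 7.0 entropy threshold are the example's own assumptions.

```python
import math
import random
import struct
from collections import Counter

# Borland's linker writes this constant into every Delphi binary; not a build time.
DELPHI_FIXED_STAMP = 0x2A425E19      # Fri Jun 19 22:22:17 1992

# Assumed capability map over a hand-picked subset of the imports listed above.
CAPABILITIES = {
    "download": {"URLDownloadToFileA", "URLDownloadToFileW", "InternetOpenUrlA"},
    "execute": {"WinExec", "ShellExecuteA", "CreateProcessA"},
    "service persistence": {"CreateServiceA", "StartServiceCtrlDispatcherA"},
    "input hooking": {"SetWindowsHookExA", "mouse_event"},
    "host recon": {"GetComputerNameA", "GetVersionExA", "GetSystemInfo"},
}
SAMPLE_IMPORTS = ["URLDownloadToFileA", "WinExec", "ShellExecuteA", "CreateServiceA",
                  "StartServiceCtrlDispatcherA", "SetWindowsHookExA", "mouse_event",
                  "GetComputerNameA", "RegQueryValueExA"]


def shannon_entropy(data):
    """Bits per byte: 0.0 for empty input, close to 8.0 for random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_pe(image):
    """Read the COFF header and section table; enough for timestamp/section triage."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsec, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, coff)
    table = coff + 20 + opt_size                  # section table follows the optional header
    sections = []
    for i in range(nsec):
        name, vsize, vaddr, rsize, rptr = struct.unpack_from("<8sIIII", image, table + 40 * i)
        raw = image[rptr:rptr + rsize]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vaddr": vaddr, "vsize": vsize, "rawsize": rsize,
                         "entropy": round(shannon_entropy(raw), 2)})
    return {"machine": machine, "timestamp": stamp, "sections": sections}


def assess(pe, imports, packed_threshold=7.0):
    """Capabilities implied by imports plus findings from header/section data."""
    findings = []
    if pe["timestamp"] == DELPHI_FIXED_STAMP:
        findings.append("timestamp is the Delphi linker constant: build time unknown")
    for s in pe["sections"]:
        if s["rawsize"] and s["entropy"] >= packed_threshold:
            findings.append(f"section {s['name']} entropy {s['entropy']}: packed/encrypted data")
    names = set(imports)
    caps = sorted(cap for cap, fns in CAPABILITIES.items() if fns & names)
    if {"download", "execute"} <= set(caps):
        findings.append("download + execute imports: downloader behaviour")
    if "service persistence" in caps:
        findings.append("can register itself as a service")
    return caps, findings


def build_sample_image(stamp):
    """Constructed two-section PE32: a plain CODE section and a random-filled one."""
    code = bytes(range(16)) * 256                           # 16 symbols: entropy exactly 4.0
    rng = random.Random(1)
    blob = bytes(rng.getrandbits(8) for _ in range(4096))   # roughly 7.95 bits/byte
    first_raw = 0x200                                       # headers fit below 512 bytes
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)     # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, stamp, 0, 0, 224, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 222            # PE32 magic, rest zeroed

    def section(name, va, raw_ptr, data):
        return struct.pack("<8sIIII", name, len(data), va, len(data), raw_ptr) + b"\0" * 16

    table = (section(b"CODE", 0x1000, first_raw, code)
             + section(b".pack", 0x3000, first_raw + len(code), blob))
    image = dos + b"PE\0\0" + coff + opt + table
    return image + b"\0" * (first_raw - len(image)) + code + blob


if __name__ == "__main__":
    pe = parse_pe(build_sample_image(DELPHI_FIXED_STAMP))
    caps, findings = assess(pe, SAMPLE_IMPORTS)
    for s in pe["sections"]:
        print(s)
    print("capabilities:", caps)
    print(*findings, sep="\n")
```

Read against the same threshold, the sample's own sections (CODE at 6.54, .reloc at 6.66) look like ordinary compiled code rather than a packed payload, consistent with PEiD reporting no packer. The imports say more than the entropy does: URLDownloadToFileA next to WinExec and ShellExecuteA, plus CreateServiceA and StartServiceCtrlDispatcherA, is the downloader-that-installs-itself-as-a-service shape that most engines in the table above label Trojan-Downloader, and it matches the "Logical Disk Manager Amdinistrative" service the log shows it running under.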