“Cocktail” therapy for dealing with mixed Trojan intrusions - vulnerability warning - Black Bar Safety Net (myhack58)

ID MYHACK58:62200922030
Type myhack58
Reporter Anonymous
Modified 2009-01-21T00:00:00


The term “cocktail” therapy here is borrowed from medicine, where it refers to a physician using several antiviral drugs at once to treat AIDS. Against computer viruses, a single tool, especially a well-known one, is easily targeted by a virus and rendered ineffective, much like drug resistance in medicine. Several tools used in combination are far harder for a virus to resist.

Last weekend I came across an advertising Trojan that locks the home page to www.321so.net, and on Monday I saw a similar case: the same advertisements, antivirus software disabled, Task Manager unable to open, antivirus vendors' websites unreachable, a blue screen in Safe Mode, and System Restore disabled.

When this happens, many users look for a dedicated removal tool. Earlier cases with similar symptoms could be solved with the tool written specifically for AV Terminator, but unfortunately the means of building and spreading viruses keep evolving. The practitioners of the black industry chain certainly do not stand still; they are always finding ways to counter antivirus products and removal tools.

An intrusion by a virus of this kind is disastrous for the system. I would venture that without professional guidance, 99% of users facing such an infection will choose to reinstall.

About my cocktail therapy

I usually keep the following tools ready:

Poison Blaster First Aid Kit: a foolproof generic Trojan removal tool. For many Trojans we can expect a single scan and restart to complete the removal and repair the system.

Cleanup Expert, as small standalone modules, which have to be downloaded from the Poison Blaster community forum.

The important components are:

Process Manager: a process analyzer with a built-in module check against a security whitelist.

File Shredder: a reliable module for force-deleting stubborn files.

System junk cleanup tool: many downloaders hide in the system temporary folder and the IE cache folder; deleting them by hand is tedious, and this tool does the work.

SREng: used to export and analyse logs.

IceSword: used to analyse and kill processes.

XDELBOX: a very handy delete-on-reboot tool; you can import a list of the files you need to delete directly, and all of them are removed at the next reboot.

The approach to cleanup

The following tools can be run in sequence, or each on its own without regard to order.

  1. First try the First Aid Kit. It is a new tool, and the methods viruses commonly use to terminate security software are ineffective against it; the new version also includes some anti-rootkit capability.

For Trojan intrusions that are not too complex, a single scan and restart with the First Aid Kit gives a success ratio of about 7 to 8%.

In today's case the First Aid Kit failed: the scan could never complete, and the program crashed partway through.

  2. The First Aid Kit crash is most likely caused by interference from the running Trojan; to get past it, a process manager is needed.

In this case, running IceSword directly failed, apparently because of image hijacking. After a random rename it could be started, but it was quickly terminated. Similar security tools cannot be executed directly; renaming them is the simplest workaround.

After renaming the Cleanup Expert Process Manager, it ran and showed system.exe running, along with a number of DLL modules identified as viruses. All of these modules were selected and their processes ended.

  3. Run SREng after a random rename, and export the analysis log to a file.

The log showed many abnormalities:


Startup items
Registry
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
<svchest.exe><C:\WINDOWS\system32\svchest.exe> [tomato garden]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<HBService32><System.exe> [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
<Alcmtr><anymie360.exe> []
<gem><C:\DOCUME~1\JXSJ~1.WWW\LOCALS~1\Temp\sv1D.tmp> [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
<{89240220-D63C-4DCD-9E8D-080C4032ABD8}><C:\WINDOWS\system32\opikgiig.dll> []
<{59AECB4D-6A81-4A12-B617-363FC1838D58}><C:\WINDOWS\system32\lpaecbkd.dll> []
<{E89112B1-42FC-46DB-944E-DC4B0A6DBAC5}><C:\WINDOWS\system32\eophhibh.dll> []
<{176C010A-06E8-4EFD-88A4-03A03328F5BB}><C:\WINDOWS\system32\hnmcghga.dll> []
<{E99DD30A-62FF-4A0D-8395-88ABF43D8864}><C:\WINDOWS\system32\eppddjga.dll> []
<{9C21718E-9041-4C25-B5A3-058E29987703}><C:\WINDOWS\system32\pcihnhoe.dll> []
<{60EE1E55-8AB6-4191-A43A-AF71C840742C}><C:\WINDOWS\system32\mgeehell.dll> []
<{C66E9790-1597-4A33-AF9B-91F829A47B32}><C:\WINDOWS\system32\cmmepnpg.dll> []
<{B9DBE372-702A-448F-A440-8D3165184132}><C:\WINDOWS\system32\bpdbejni.dll> []
<{C1CC2E66-8D80-4B62-85FF-C54DBFED1461}><C:\WINDOWS\system32\chcciemm.dll> []
<{832F07E4-5271-4C4A-B76A-800E1B6AFE38}><C:\WINDOWS\system32\ojifgnek.dll> []
<{BB8C0FAF-2104-4FE9-A4B4-18F1F66F612B}><C:\WINDOWS\system32\bbocgfaf.dll> []
<{1BD89A31-0D8A-4681-BEDA-D12FDC93BC58}><C:\WINDOWS\system32\hbdopajh.dll> []
<{4C6C420F-215B-44E2-AC09-B4E13915F16B}><C:\WINDOWS\system32\kcmckigf.dll> []
<{BA07E3C5-7E9C-4B72-9C69-D60E204541E0}><C:\WINDOWS\system32\bagnejcl.dll> []
<{81E57996-AC4A-465D-9632-5BBB45AF9BE6}><C:\WINDOWS\system32\ohelnppm.dll> []
<{1ADCE198-C337-4EB1-99B0-46EA76564607}><C:\WINDOWS\system32\hadcehpo.dll> []
<{5B5257C8-FAC1-42BE-B5E5-F0832AC4BB39}><C:\WINDOWS\system32\lblilnco.dll> []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
<89240220><C:\WINDOWS\system32\opikgiig.dll> []
<59AECB4D><C:\WINDOWS\system32\lpaecbkd.dll> []
<E89112B1><C:\WINDOWS\system32\eophhibh.dll> []
<176C010A><C:\WINDOWS\system32\hnmcghga.dll> []
<E99DD30A><C:\WINDOWS\system32\eppddjga.dll> []
<9C21718E><C:\WINDOWS\system32\pcihnhoe.dll> []
<60EE1E55><C:\WINDOWS\system32\mgeehell.dll> []
<C66E9790><C:\WINDOWS\system32\cmmepnpg.dll> []
<B9DBE372><C:\WINDOWS\system32\bpdbejni.dll> []
<C1CC2E66><C:\WINDOWS\system32\chcciemm.dll> []
<832F07E4><C:\WINDOWS\system32\ojifgnek.dll> []
<BB8C0FAF><C:\WINDOWS\system32\bbocgfaf.dll> []
<1BD89A31><C:\WINDOWS\system32\hbdopajh.dll> []
<4C6C420F><C:\WINDOWS\system32\kcmckigf.dll> []
<BA07E3C5><C:\WINDOWS\system32\bagnejcl.dll> []
<81E57996><C:\WINDOWS\system32\ohelnppm.dll> []
<1ADCE198><C:\WINDOWS\system32\hadcehpo.dll> []
<5B5257C8><C:\WINDOWS\system32\lblilnco.dll> []
Services
[Provisioning Transaction Service / pangu222][Stopped/Auto Start]
<C:\WINDOWS\system32\sv1F.tmp.exe><(File is missing)>
Drivers
[msiffei / msiffei][Stopped/Manual Start]
<System32\Drivers\msiffei.sys><N/A>
[Safe Mon 360 / SafeMon0][Running/System Start]
<\??\C:\WINDOWS\system32\D9F7F2BC.dat><N/A>

Virus modules were found loaded in many processes, for example in Explorer:

[PID: 664 / wucz][C:\WINDOWS\explorer.exe] [Microsoft Corporation, 6.00.2900.3156 (xpsp_sp2_qfe.070613-1311)]
[C:\WINDOWS\system32\opikgiig.dll] [N/A, ]
[C:\WINDOWS\system32\lpaecbkd.dll] [N/A, ]
[C:\WINDOWS\system32\eophhibh.dll] [N/A, ]
[C:\WINDOWS\system32\hnmcghga.dll] [N/A, ]
[C:\WINDOWS\system32\eppddjga.dll] [N/A, ]
[C:\WINDOWS\system32\pcihnhoe.dll] [N/A, ]
[C:\WINDOWS\system32\mgeehell.dll] [N/A, ]
[C:\WINDOWS\system32\cmmepnpg.dll] [N/A, ]
[C:\WINDOWS\system32\bpdbejni.dll] [N/A, ]
[C:\WINDOWS\system32\chcciemm.dll] [N/A, ]
[C:\WINDOWS\system32\ojifgnek.dll] [N/A, ]
[C:\WINDOWS\system32\bbocgfaf.dll] [N/A, ]
[C:\WINDOWS\system32\hbdopajh.dll] [N/A, ]
[C:\WINDOWS\system32\kcmckigf.dll] [N/A, ]
[C:\WINDOWS\system32\bagnejcl.dll] [N/A, ]
[C:\WINDOWS\system32\ohelnppm.dll] [N/A, ]
[C:\WINDOWS\system32\hadcehpo.dll] [N/A, ]
[C:\WINDOWS\system32\lblilnco.dll] [N/A, ]
[C:\WINDOWS\system32\anymie360.dll] [N/A, ]
[C:\WINDOWS\system32\contmenu.dll] [N/A, ]

The HOSTS file redirected the QQ home page to a fake website (entries for www.qq.com and qq.com).

Checking the address they pointed to, 98.126.33.210, shows it is in Europe; presumably a hacker collecting “broilers” (zombie machines).

  4. Use multiple tools to forcibly delete the long string of DLLs listed above and the dangerous EXEs.

I first used the File Shredder to browse the windows\system32 directory. These DLLs were created at the same time as a number of other oddly named DLL and EXE files, and I shredded them all. This calls for judgement based on experience: if you are not sure about a file, do not delete it. The suspicious files found in the log analysis were then imported as a list into XDELBOX and deleted at reboot.

Why two tools? My reasoning is that log analysis finds the malware's load points, but with a downloader not everything it fetched is necessarily registered to load at boot, so checking the windows\system32 directory for anomalous files and deleting them by hand still has value.
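As an added example (not from the article or from any of the tools it names), the following Python script parses records laid out the way the SREng export above is and sorts the load points into stale registry values, a delete-on-reboot file list of the kind XDELBOX imports, and DLLs registered under both ShellExecuteHooks and ShellServiceObjectDelayLoad, which is the pattern this infection shows. The sample log text is constructed by hand, and the "eight random letters" DLL-name heuristic is my own assumption, not something SREng does.

```python
import re
from collections import defaultdict

# Constructed sample in the SREng log layout the article shows (hand-typed, not the real log).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<HBService32><System.exe> [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
<gem><C:\DOCUME~1\USER~1\LOCALS~1\Temp\sv1D.tmp> [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
<{89240220-D63C-4DCD-9E8D-080C4032ABD8}><C:\WINDOWS\system32\opikgiig.dll> []
<{59AECB4D-6A81-4A12-B617-363FC1838D58}><C:\WINDOWS\system32\lpaecbkd.dll> []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
<89240220><C:\WINDOWS\system32\opikgiig.dll> []
<59AECB4D><C:\WINDOWS\system32\lpaecbkd.dll> []
<WebCheck><C:\WINDOWS\system32\webcheck.dll> [Microsoft Corporation]
"""

KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")                      # [HKEY_...\Run]
ENTRY_RE = re.compile(r"^<([^>]*)><([^>]*)>\s*\[([^\]]*)\]$")    # <name><path> [vendor/status]
RANDOM_DLL_RE = re.compile(r"^[a-z]{8}\.dll$", re.IGNORECASE)   # assumed heuristic: 8 random letters

def parse_sreng(text):
    """Return (registry_key, value_name, path, info) tuples from an SREng-style dump."""
    entries, key = [], None
    for line in (l.strip() for l in text.splitlines()):
        if m := KEY_RE.match(line):
            key = m.group(1)
        elif (m := ENTRY_RE.match(line)) and key:
            entries.append((key, m.group(1), m.group(2), m.group(3)))
    return entries

def triage(entries):
    """Split load points into: stale entries (file already gone), files for the
    reboot-delete list, and DLLs registered in both ShellExecuteHooks and SSODL."""
    stale, delete, by_dll = [], set(), defaultdict(set)
    for key, name, path, info in entries:
        leaf, base = key.rsplit("\\", 1)[-1], path.rsplit("\\", 1)[-1]
        if info == "File is missing":
            stale.append((key, name))        # nothing on disk; only the registry value needs removing
        elif info in ("", "N/A") and RANDOM_DLL_RE.match(base):
            delete.add(path)                 # vendor-less random-name DLL (webcheck.dll has a vendor, so it stays)
        if leaf in ("ShellExecuteHooks", "ShellServiceObjectDelayLoad"):
            by_dll[path.lower()].add(leaf)
    double = sorted(p for p, keys in by_dll.items() if len(keys) == 2)
    return stale, sorted(delete), double

if __name__ == "__main__":
    print(triage(parse_sreng(SAMPLE_LOG)))
```

The delete list is still a candidate list: as the article says, a file you are not sure about should be checked before it goes to XDELBOX.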

  5. Restart the computer. Boot was noticeably faster, and a number of message boxes popped up reporting DLL files that failed to load.

Run the First Aid Kit again; it no longer crashed and completed the scan, finding more than 130 suspicious add-ons. At this point I did not choose Restart right away.

  6. Run Cleanup Expert 2.6.5. Manually removing Trojans relies on experience and will always miss something, and nobody can remember the many registry and system-configuration changes malware makes; this mop-up work is best left to Cleanup Expert's malware removal module.

This time it found more than 10 malware items; after clearing them all, repeated scans found no further residue.

Next, reboot the computer again and run Cleanup Expert's process analysis and the First Aid Kit in turn. No new unsafe add-ons were found, so the initial cleanup is judged complete; the remaining work is to send the unknown files that were found to Zhuhai for analysis.

The steps above are not really complicated. The core is process analysis: find the suspicious processes and end the dangerous ones. Ordinary users are advised to rely on the First Aid Kit, which is simpler and still works well.

Ordinary users are also advised to learn the log export function: when you cannot solve a problem yourself, you can post the log in the forum and ask experienced users for help.