Trojan/PSW.Agent.cxh

王朝百科 (Wangchao Encyclopedia) · author anonymous · 2010-02-06

Virus name: Trojan/PSW.Agent.cxh

Virus type: Trojan

Risk level: ★★

Affected platforms: Win 9X/ME/NT/2000/XP/2003

Description: This is a Trojan horse.

Trojan/PSW.Agent.cxh, variant cxh of the "Agent Trojan" family, is a Trojan that steals confidential information from the user's computer. When run, variant cxh copies itself into the Windows directory and modifies the registry so that it starts automatically at boot. It then listens for attacker commands, steals confidential information from the computer and sends it to an e-mail address designated by the attacker.

Symptoms

The virus behaves as follows:

1. After a browser is opened, the home page is changed to http://www.9505.com

2. Three HTML shortcuts named "最酷手机铃声" (coolest ringtones), "最热音乐连播" (hottest music playlist) and "最新手机图片" (latest phone pictures) are created on the desktop, pointing to http://www.520tt.com/ and http://www.ads3721.com/

3. About 10 seconds after these HTML shortcuts are deleted, they are created again

4. Every few minutes a window pops up that goes straight to http://www.ads3721.com/

5. Visiting this site causes a direct redirect to http://www.ads3721.com/

6. If the computer is scanned with 安全卫士 in normal mode, the machine shuts down automatically afterwards

Registry scan results

The listing below is the complete autostart dump from an infected machine, so most of it is legitimate software (Microsoft components, Rising antivirus, RealNetworks, Thunder, the camera driver). The entries that stand out are those under the HKCU Run key with random value names, no publisher and images in the user's Temp directory whose names imitate system binaries (iexpl0re.exe, 1explore.exe, winlog0n.exe, Servere.exe); the unsigned gswitch.exe and the "EXPLORER" value pointing at wab32res.exe are also worth checking.

Registry

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]

<ctfmon.exe><C:\WINDOWS\system32\ctfmon.exe> [(Verified)Microsoft Windows Publisher]

<bgswitch><C:\WINDOWS\system32\gswitch.exe> []

<EXPLORER><C:\Program Files\Common Files\System\wab32res.exe> [N/A]

<izxc9wqq><C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\iexpl0re.exe> []

<df1iw><C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\1explore.exe> []

<l><C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Servere.exe> []

<qw76gqfs7tl><C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winlog0n.exe> []

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]

<load><> [N/A]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]

<PHIME2002ASync><C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC> [(Verified)Microsoft Windows Publisher]

<PHIME2002A><C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName> [(Verified)Microsoft Windows Publisher]

<BigDogPath><C:\WINDOWS\VM_STI.EXE 10moons USB PC Camera (ZC0301PL)> [N/A]

<WebThunder><C:\Program Files\Thunder Network\WebThunder\WebThunder.exe> [(Verified)ShenZhen Thunder Networking Technologies Ltd.]

<TkBellExe><"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot> [(Verified)"RealNetworks, Inc."]

<runeip><C:\Program Files\Rising\AntiSpyware\runiep.exe> [Beijing Rising Technology Co., Ltd.]

<RavTask><"C:\Program Files\Rising\Rav\RavTask.exe" -system> [Beijing Rising Technology Co., Ltd.]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]

<KKDelay><C:\Program Files\Rising\AntiSpyware\RunOnce.exe> [Beijing Rising Technology Co., Ltd.]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]

<shell><Explorer.exe> [(Verified)Microsoft Windows Publisher]

<Userinit><C:\WINDOWS\system32\userinit.exe,> [(Verified)Microsoft Windows Publisher]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]

<AppInit_DLLs><> [N/A]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]

<UIHost><logonui.exe> [(Verified)Microsoft Windows XP Publisher]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]

<><C:\WINDOWS\system32\RavExt.dll> [Beijing Rising Technology Co., Ltd.]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

<WPDShServiceObj><C:\WINDOWS\system32\WPDShServiceObj.dll> [(Verified)Microsoft Windows Component Publisher]

Service entries

Services

[Help and Support / helpsvc][Stopped/Auto Start]

<C:\WINDOWS\System32\svchost.exe -k netsvcs-->%WINDIR%\PCHealth\HelpCtr\Binaries\pchsvc.dll><N/A>

[Human Interface Device Access / HidServ][Stopped/Disabled]

<C:\WINDOWS\System32\svchost.exe -k netsvcs-->%SystemRoot%\System32\hidserv.dll><N/A>

[Rising Process Communication Center / RsCCenter][Running/Auto Start]

<"C:\Program Files\Rising\Rav\CCenter.exe"><Beijing Rising Technology Co., Ltd.>

[Rising RealTime Monitor / RsRavMon][Running/Auto Start]

<"C:\PROGRAM FILES\RISING\RAV\Ravmond.exe"><Beijing Rising Technology Co., Ltd.>

[Windows Driver Foundation - User-mode Driver Framework / WudfSvc][Stopped/Manual Start]

<C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup-->%SystemRoot%\System32\WUDFSvc.dll><Microsoft Corporation>

Related drivers

Drivers

[2310_00 / 2310_00][Stopped/Boot Start]

<\SystemRoot\System32\BIRD\2310_00.sys><HighPoint Technologies, Inc.>

[3WAREDRV / 3WAREDRV][Stopped/Boot Start]

<\SystemRoot\System32\BIRD\3WAREDRV.SYS><N/A>

[3WAREGSM / 3WAREGSM][Stopped/Boot Start]

<\SystemRoot\System32\BIRD\3waregsm.sys><N/A>

[3WDRV100 / 3WDRV100][Stopped/Boot Start]

<\SystemRoot\System32\BIRD\3WDRV100.SYS><N/A>

[A320RAID / A320RAID][Stopped/Boot Start]

<\SystemRoot\System32\BIRD\a320raid.sys><Adaptec, Inc.>

[AAC / AAC][Stopped/Boot Start]

<\SystemRoot\System32\BIRD\aac.sys><Adaptec, Inc.>

[AACSAS / AACSAS][Stopped/Boot Start]

<\SystemRoot\System32\BIRD\aacsas.sys><Adaptec, Inc.>

[AAR81XX / AAR81XX][Stopped/Boot Start]

<\SystemRoot\System32\BIRD\aar81xx.sys><Adaptec, Inc.>

[AARSI3X / AARSI3X][Stopped/Boot Start]

<\SystemRoot\System32\BIRD\aarsi3x.sys><Adaptec, Inc.>

[ADP94XX / ADP94XX][Stopped/Boot Start]

<\SystemRoot\System32\BIRD\adp94xx.sys><Adaptec, Inc.>

[adpu160m / adpu160m][Stopped/Boot Start]

<\SystemRoot\System32\BIRD\adpu160m.sys><Microsoft Corporation>

[ADPU320 / ADPU320][Stopped/Boot Start]

<\SystemRoot\System32\BIRD\adpu320.sys><Adaptec, Inc.>

[AEC6210 / AEC6210][Stopped/Boot Start]

<\SystemRoot\System32\BIRD\aec6210.sys><ACARD Technology Corp.>

[AEC6260 / AEC6260][Stopped/Boot Start]

<\SystemRoot\System32\BIRD\aec6260.sys><ACARD Technology Corp.>

[AEC6280 / AEC6280][Stopped/Boot Start]

<\SystemRoot\System32\BIRD\aec6280.sys><ACARD Technology Corp.>

[AEC67160 / AEC67160][Stopped/Boot Start]

<\SystemRoot\System32\BIRD\aec67160.sys><ACARD Technology Corp.>

[AEC67162 / AEC67162][Stopped/Boot Start]

<\SystemRoot\System32\BIRD\aec67162.sys><ACARD Technology Corp.>

[AEC671X / AEC671X][Stopped/Boot Start]

<\SystemRoot\System32\BIRD\AEC671X.sys><ACARD Technology Corp.>

[AEC6880 / AEC6880][Stopped/Boot Start]

<\SystemRoot\System32\BIRD\AEC6880.sys><ACARD Technology Corp.>

[AEC6897 / AEC6897][Stopped/Boot Start]

<\SystemRoot\System32\BIRD\aec6897.sys><ACARD Technology Corp.>

[AEC68X5 / AEC68X5][Stopped/Boot Start]

<\SystemRoot\System32\BIRD\aec68x5.sys><ACARD Technology Corp.>

[aic78u2 / aic78u2][Stopped/Boot Start]

<\SystemRoot\System32\BIRD\aic78u2.sys><Microsoft Corporation>

[aic78xx / aic78xx][Stopped/Boot Start]

<\SystemRoot\System32\BIRD\aic78xx.sys><Microsoft Corporation>

[Service for Realtek AC97 Audio (WDM) / ALCXWDM][Running/Manual Start]

<system32\drivers\ALCXWDM.SYS><Realtek Semiconductor Corp.>

[ARCM_X86 / ARCM_X86][Stopped/Boot Start]

<\SystemRoot\System32\BIRD\arcm_x86.sys><ARECA Technology Corporation>

[asc / asc][Stopped/Boot Start]

<\SystemRoot\System32\BIRD\asc.sys><Advanced System Products, Inc.>

[BaseTDI / BaseTDI][Running/Auto Start]

<\??\C:\WINDOWS\system32\drivers\basetdi.sys><Beijing Rising Technology Co., Ltd.>

[BCHTSW32 / BCHTSW32][Stopped/Boot Start]

<\SystemRoot\System32\BIRD\bchtsw32.sys><Broadcom Corporation>

[buslogic / buslogic][Running/Boot Start]

<\SystemRoot\System32\BIRD\buslogic.sys><Microsoft Corporation>

[CDA1000 / CDA1000][Stopped/Boot Start]

<\SystemRoot\System32\BIRD\cda1000.sys><Adaptec, Inc.>

[CmdIde / CmdIde][Running/Boot Start]

<\SystemRoot\System32\BIRD\cmdide.sys><CMD Technology, Inc.>

[CPQARRY2 / CPQARRY2][Stopped/Boot Start]

<\SystemRoot\System32\BIRD\cpqarry2.sys><Compaq Computer Corporation>

[CPQCISSM / CPQCISSM][Stopped/Boot Start]

<\SystemRoot\System32\BIRD\cpqcissm.sys><Hewlett-Packard Company>

[CSB6IDE / CSB6IDE][Running/Boot Start]

<\SystemRoot\System32\BIRD\csb6ide.sys><ServerWorks Corporation>

[dac2w2k / dac2w2k][Stopped/Boot Start]

<\SystemRoot\System32\BIRD\dac2w2k.sys><Mylex Corporation>

[DMX3191 / DMX3191][Stopped/Boot Start]

<\SystemRoot\System32\BIRD\DMX3191.sys><Microsoft Corporation>

[DMX3194 / DMX3194][Stopped/Boot Start]

<\SystemRoot\System32\BIRD\dmx3194.sys><Microsoft Corporation>

[dpti2o / dpti2o][Stopped/Boot Start]

<\SystemRoot\System32\BIRD\dpti2o.sys><Microsoft Corporation>

[DPTSCSI / DPTSCSI][Stopped/Boot Start]

<\SystemRoot\System32\BIRD\dptscsi.sys><Distributed Processing Technology Corp.>

[ExpScaner / ExpScaner][Running/Auto Start]

<\??\C:\PROGRAM FILES\RISING\RAV\ExpScan.sys><>

[FASTSX / FASTSX][Running/Boot Start]

<\SystemRoot\System32\BIRD\fastsx.sys><Promise Technology, Inc.>

[FASTTRAK / FASTTRAK][Running/Boot Start]

<\SystemRoot\System32\BIRD\fasttrak.sys><Promise Technology, Inc.>

[FASTTX2K / FASTTX2K][Running/Boot Start]

<\SystemRoot\System32\BIRD\fasttx2k.sys><Promise Technology, Inc.>

[fd16_700 / fd16_700][Stopped/Boot Start]

<\SystemRoot\System32\BIRD\fd16_700.sys><Microsoft Corporation>

[VIA Rhine-Family Fast Ethernet Adapter Driver Service / FETND5BV][Running/Manual Start]

<system32\DRIVERS\fetnd5bv.sys><VIA Technologies, Inc.>

[fireport / fireport][Stopped/Boot Start]

<\SystemRoot\System32\BIRD\fireport.sys><Microsoft Corporation>

[flashpnt / flashpnt][Running/Boot Start]

<\SystemRoot\System32\BIRD\flashpnt.sys><Mylex,Corp.>

[FT8300 / FT8300][Running/Boot Start]

<\SystemRoot\System32\BIRD\ft8300.sys><Promise Technology, Inc.>

[FTSATA2 / FTSATA2][Stopped/Boot Start]

<\SystemRoot\System32\DRIVERS\ftsata2.sys><N/A>

Removal method

Note that the startup value and files named in these steps ("wow", Launcher.exe, mywow.dll) do not appear anywhere in the scan listing above; before deleting anything, confirm the actual autostart value and file names on the affected machine.

1. Delete the trojan's startup entry:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]

"wow"="%System%\Launcher.exe"

2. Restart the computer

3. Delete the trojan files:

%System%\Launcher.exe

%System%\mywow.dll
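Added example (not code from the original page or from Rising): a Python triage script that parses an autostart dump in the <name><command> [publisher] layout of the registry scan listing above, flags the traits that mark the Temp-directory entries (Temp path, no publisher, a file name that imitates a system binary, a random-looking value name), and emits a cleanup plan in the order of the removal steps above (delete the autostart value first, then the file after a reboot). The sample dump is retyped from the HKCU Run and Winlogon blocks on this page; the system-binary name list, the 0/o and 1/l/i folding, the vowel heuristic and its threshold are my own assumptions, not anything the page states.

```python
"""Triage an autostart dump in the <name><command> [publisher] layout used on this page."""
import re
from dataclasses import dataclass, field

# Constructed sample in the page's own layout: the HKCU Run and Winlogon
# values listed above, retyped by hand (not a capture from any other machine).
SAMPLE = r"""
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
<ctfmon.exe><C:\WINDOWS\system32\ctfmon.exe> [(Verified)Microsoft Windows Publisher]
<bgswitch><C:\WINDOWS\system32\gswitch.exe> []
<EXPLORER><C:\Program Files\Common Files\System\wab32res.exe> [N/A]
<izxc9wqq><C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\iexpl0re.exe> []
<df1iw><C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\1explore.exe> []
<l><C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Servere.exe> []
<qw76gqfs7tl><C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winlog0n.exe> []
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<shell><Explorer.exe> [(Verified)Microsoft Windows Publisher]
<Userinit><C:\WINDOWS\system32\userinit.exe,> [(Verified)Microsoft Windows Publisher]
"""

KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
ENTRY_RE = re.compile(r"^<(?P<name>[^>]*)><(?P<cmd>[^>]*)>\s*\[(?P<pub>.*)\]$")
# First quoted or bare token that ends in an executable extension (drops "-osboot" style arguments).
IMAGE_RE = re.compile(r'"?([^"]*?\.(?:exe|dll|sys))"?', re.I)

# Assumed list of Windows binaries whose names malware imitates with 0/o and 1/l/i swaps.
SYSTEM_NAMES = {"iexplore", "explorer", "winlogon", "services", "svchost",
                "lsass", "csrss", "smss", "userinit", "ctfmon"}
CONFUSABLE = str.maketrans({"0": "o", "1": "i", "l": "i"})


@dataclass
class Entry:
    key: str
    name: str
    cmd: str
    publisher: str
    reasons: list = field(default_factory=list)

    @property
    def image(self) -> str:
        m = IMAGE_RE.search(self.cmd)
        return m.group(1) if m else self.cmd

    @property
    def stem(self) -> str:
        return self.image.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()


def parse(text: str) -> list:
    """Walk the dump; each <...><...> [...] line belongs to the last [HKEY_...] header seen."""
    key, entries = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if (m := KEY_RE.match(line)):
            key = m["key"]
        elif key and (m := ENTRY_RE.match(line)):
            entries.append(Entry(key, m["name"], m["cmd"], m["pub"].strip()))
    return entries


def looks_random(name: str) -> bool:
    """Assumed heuristic: one- or two-character names, or digit-laden names with almost no vowels."""
    if len(name) <= 2:
        return True
    letters = [c for c in name.lower() if c.isalpha()]
    vowels = sum(c in "aeiou" for c in letters)
    return any(c.isdigit() for c in name) and vowels < 0.25 * max(len(letters), 1)


def triage(entries: list) -> list:
    """Attach a reason to every entry showing one of the traits seen in the listing; return the flagged ones."""
    for e in entries:
        if "\\temp\\" in e.image.lower():
            e.reasons.append("launched from a Temp directory")
        if e.publisher in ("", "N/A"):
            e.reasons.append("no publisher recorded (unsigned)")
        folded = e.stem.translate(CONFUSABLE)
        twin = next((n for n in SYSTEM_NAMES if n != e.stem and n.translate(CONFUSABLE) == folded), None)
        if twin:
            e.reasons.append(f"file name imitates {twin}.exe")
        if looks_random(e.name):
            e.reasons.append("meaningless value name")
    return [e for e in entries if e.reasons]


def cleanup_plan(flagged: list) -> tuple:
    """Same order as the removal steps on this page: drop the autostart value, reboot, then delete the file."""
    reg_cmds = [f'reg delete "{e.key}" /v "{e.name}" /f' for e in flagged]
    files = sorted({e.image for e in flagged})
    return reg_cmds, files


if __name__ == "__main__":
    hits = triage(parse(SAMPLE))
    for e in hits:
        print(f"{e.name:<14} {e.image}\n    " + "; ".join(e.reasons))
    cmds, files = cleanup_plan(hits)
    print("\n".join(cmds), "\nthen, after reboot, delete:", *files, sep="\n")
```

Run as a script it prints the six flagged values and the matching reg delete lines. The heuristics are deliberately loose: a legitimate value such as PHIME2002ASync passes the name check, but any entry without a publisher is reported, so treat the output as a review list for the steps above, not as something to execute blindly.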

Dedicated removal tool

http://it.rising.com.cn/Channels/Service/index.shtml
