Encountering EBUIITI.SYS, QBNLWVQCIMQBOS.DLL, JSRLDZLVYUNXEO.DLL, JSRLDZLVYUNXEO.DLL, etc.
Original by endurer
2007-11-08, 1st edition
Yesterday a reader told me that AntiVir on his computer kept reporting viruses and the machine had become very slow, and asked me to help troubleshoot it over QQ.
I checked the AntiVir log, shown below (duplicate virus entries removed):
/---
Exported events:
2007-11-7 18:09 [Guard] Malware found
Virus or unwanted program 'HTML/Shellcode.Gen [HTML/Shellcode.Gen]'
detected in file 'C:/WINDOWS/Temp/194070676504.tmp.
Action performed: Deny access
2007-11-7 18:09 [Guard] Malware found
Virus or unwanted program 'JS/Dldr.Agent.ZY [JS/Dldr.Agent.ZY]'
detected in file 'C:/Documents and Settings/LocalService/Local
Settings/Temporary Internet Files/Content.IE5/ZFPRNT8W/6142[1].js.
Action performed: Deny access
2007-11-7 18:08 [Guard] Malware found
Virus or unwanted program 'JS/Dldr.FakeBaidu [JS/Dldr.FakeBaidu]'
detected in file 'C:/Documents and Settings/LocalService/Local
Settings/Temporary Internet Files/Content.IE5/ZFPRNT8W/du8[1].htm.
Action performed: Deny access
2007-11-7 18:08 [Guard] Malware found
Virus or unwanted program 'HEUR/Exploit.HTML [HEUR/Exploit.HTML]'
detected in file 'C:/WINDOWS/Temp/194028139496.tmp.
Action performed: Deny access
2007-11-7 18:08 [Guard] Malware found
Virus or unwanted program 'HTML/ADODB.Exploit.Gen [HTML/ADODB.Exploit.Gen]'
detected in file 'C:/Documents and Settings/LocalService/Local
Settings/Temporary Internet Files/Content.IE5/CV7Z6C59/ifuckhackerdewife[1].js.
Action performed: Move file to quarantine
2007-11-7 18:08 [Guard] Error detected
Error detected in AntiVir Guard.
Error message: Action failed for file: C:/Documents and
Settings/LocalService/Local Settings/Temporary Internet
Files/Content.IE5/CV7Z6C59/ifuckhackerdewife[1].js
Error code: [0x00000005 - 拒绝访问。].
2007-11-7 18:08 [Guard] Malware found
Virus or unwanted program 'HTML/Dldr.Agent.380 [HTML/Dldr.Agent.380]'
detected in file 'C:/Documents and Settings/LocalService/Local
Settings/Temporary Internet Files/Content.IE5/2VRB9SJU/xs[1].htm.
Action performed: Delete file
2007-11-7 18:07 [Guard] Malware found
Virus or unwanted program 'EXP/Ani.Gen [EXP/Ani.Gen]'
detected in file 'C:/Documents and Settings/LocalService/Local
Settings/Temporary Internet Files/Content.IE5/CV7Z6C59/ad[1].jpg.
Action performed: Delete file
2007-11-7 18:07 [Guard] Malware found
Virus or unwanted program 'EXP/Thunder.3 [EXP/Thunder.3]'
detected in file 'C:/Documents and Settings/LocalService/Local
Settings/Temporary Internet Files/Content.IE5/IN5SVHQN/webxl[1].js.
Action performed: Delete file
2007-11-7 17:57 [Guard] Malware found
Virus or unwanted program 'TR/Rootkit.AK [TR/Rootkit.AK]'
detected in file 'C:/WINDOWS/system32/drivers/BDGuard.SYS.
Action performed: Deny access
2007-11-7 17:45 [Guard] Malware found
Virus or unwanted program 'TR/Agent.AKL [TR/Agent.AKL]'
detected in file 'C:/Program Files/Baidu/bar/bdgdins.dll.
Action performed: Delete file
2007-11-7 15:46 [Guard] Malware found
Virus or unwanted program 'HTML/ObjCode.Q [HTML/ObjCode.Q]'
detected in file 'C:/WINDOWS/Temp/194070688776.tmp.
Action performed: Deny access
2007-11-7 15:46 [Guard] Malware found
Virus or unwanted program 'HTML/Click.Vipstat [HTML/Click.Vipstat]'
detected in file 'C:/Documents and Settings/LocalService/Local
Settings/Temporary Internet Files/Content.IE5/NEE4UXL7/log1[2].htm.
Action performed: Deny access
2007-11-7 15:45 [Guard] Malware found
Virus or unwanted program 'JS/Iframe.B [JS/Iframe.B]'
detected in file 'C:/Documents and Settings/LocalService/Local
Settings/Temporary Internet Files/Content.IE5/7ZDZHNBT/1358616[1].js.
Action performed: Deny access
2007-11-7 15:45 [Guard] Malware found
Virus or unwanted program 'TR/Click.HTML.IFrame.DA [TR/Click.HTML.IFrame.DA]'
detected in file 'C:/Documents and Settings/LocalService/Local
Settings/Temporary Internet Files/Content.IE5/2VRB9SJU/bb[1].js.
Action performed: Deny access
2007-11-7 15:44 [Guard] Malware found
Virus or unwanted program 'HTML/Infected.WebPage.Gen
[HTML/Infected.WebPage.Gen]'
detected in file 'C:/Documents and Settings/LocalService/Local
Settings/Temporary Internet Files/Content.IE5/NEE4UXL7/wg1997[1].htm.
Action performed: Deny access
2007-11-7 14:59 [Guard] Malware found
Virus or unwanted program 'HTML/Dldr.Agent.ZI [HTML/Dldr.Agent.ZI]'
detected in file 'C:/WINDOWS/Temp/194028139456.tmp.
Action performed: Deny access
2007-11-7 14:56 [Guard] Malware found
Virus or unwanted program 'HTML/Dldr.Codsig [HTML/Dldr.Codsig]'
detected in file 'C:/Documents and Settings/LocalService/Local
Settings/Temporary Internet Files/Content.IE5/7ZDZHNBT/ee[1].htm.
Action performed: Deny access
---/
Baidu Souba (百度搜霸) was installed, of all things; uninstalled it.
Downloaded pe_xscan, scanned, and analysed the log; the following suspicious items turned up:
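A small parser for the AntiVir "Exported events" format above, added here as an example that is not part of the original post. It re-joins the file paths the export wraps across lines, pairs each "Error detected" entry with the file whose quarantine failed, and lists what was merely denied access to (the file is still on disk and needs manual cleanup). The sample lines are copied from the log above; the location labels ("browser cache", "temp", "driver") are my own grouping, not AntiVir's.

```python
"""Triage an AntiVir Guard "Exported events" log (added example, not the post's code)."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: four entries in the exact export format shown above,
# including a path wrapped over three lines and a failed quarantine.
SAMPLE_LOG = """\
Exported events:
2007-11-7 18:09 [Guard] Malware found
Virus or unwanted program 'HTML/Shellcode.Gen [HTML/Shellcode.Gen]'
detected in file 'C:/WINDOWS/Temp/194070676504.tmp.
Action performed: Deny access
2007-11-7 18:08 [Guard] Malware found
Virus or unwanted program 'HTML/ADODB.Exploit.Gen [HTML/ADODB.Exploit.Gen]'
detected in file 'C:/Documents and Settings/LocalService/Local
Settings/Temporary Internet Files/Content.IE5/CV7Z6C59/ifuckhackerdewife[1].js.
Action performed: Move file to quarantine
2007-11-7 18:08 [Guard] Error detected
Error detected in AntiVir Guard.
Error message: Action failed for file: C:/Documents and
Settings/LocalService/Local Settings/Temporary Internet
Files/Content.IE5/CV7Z6C59/ifuckhackerdewife[1].js
Error code: [0x00000005 - 拒绝访问。].
2007-11-7 17:57 [Guard] Malware found
Virus or unwanted program 'TR/Rootkit.AK [TR/Rootkit.AK]'
detected in file 'C:/WINDOWS/system32/drivers/BDGuard.SYS.
Action performed: Deny access
"""

HEADER = re.compile(r"^(\d{4}-\d{1,2}-\d{1,2} \d{1,2}:\d{2}) \[Guard\] (Malware found|Error detected)$")
NAME = re.compile(r"^Virus or unwanted program '([^'\[]+)")


@dataclass
class Event:
    when: str
    kind: str          # "Malware found" or "Error detected"
    name: str = ""     # detection name, e.g. HTML/Shellcode.Gen
    path: str = ""     # file path with line wraps re-joined
    action: str = ""   # "Deny access", "Delete file", ... or "failed 0x..."


def parse_events(text: str) -> list[Event]:
    events: list[Event] = []
    cur: Event | None = None
    wrapping = None  # "path" or "error" while a wrapped value continues
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            cur = Event(when=m.group(1), kind=m.group(2))
            events.append(cur)
            wrapping = None
            continue
        if cur is None:
            continue  # preamble such as "Exported events:"
        if wrapping == "path":
            if line.startswith("Action performed:"):
                cur.action = line.split(":", 1)[1].strip()
                wrapping = None
            else:
                cur.path += " " + line  # the export wraps paths at spaces
            continue
        if wrapping == "error":
            if line.startswith("Error code:"):
                code = re.search(r"0x[0-9A-Fa-f]+", line)
                cur.action = "failed " + (code.group(0) if code else line)
                wrapping = None
            else:
                cur.path += " " + line
            continue
        m = NAME.match(line)
        if m:
            cur.name = m.group(1).strip()
        elif line.startswith("detected in file '"):
            cur.path = line[len("detected in file '"):]
            wrapping = "path"
        elif line.startswith("Error message: Action failed for file:"):
            cur.path = line.split("file:", 1)[1].strip()
            wrapping = "error"
    for ev in events:
        ev.path = ev.path.rstrip(".'")  # the export leaves a trailing dot / quote
    return events


def location(path: str) -> str:
    """Rough grouping of where a hit lives (my own labels, not AntiVir's)."""
    p = path.lower()
    if "content.ie5" in p:
        return "browser cache"   # drive-by pages and scripts
    if "/windows/temp/" in p:
        return "temp"            # content spooled while pages rendered
    if "/drivers/" in p:
        return "driver"          # persistence, e.g. the BDGuard.SYS hit
    return "other"


def triage(events: list[Event]) -> dict:
    """Per-action counts plus what still needs manual cleanup."""
    hits = [ev for ev in events if ev.kind == "Malware found"]
    counts = Counter(ev.action for ev in hits)
    # "Deny access" blocks the read but leaves the file on disk.
    leftovers = sorted({ev.path for ev in hits if ev.action == "Deny access"})
    # A failed quarantine (0x5 = access denied) points at a locked or rootkit-protected file.
    failed = [ev.path for ev in events if ev.kind == "Error detected"]
    by_location = Counter(location(ev.path) for ev in hits)
    return {"counts": dict(counts), "leftovers": leftovers,
            "failed": failed, "by_location": dict(by_location)}


if __name__ == "__main__":
    for key, value in triage(parse_events(SAMPLE_LOG)).items():
        print(key, value)
```

Running it over the full export shows the pattern this post records: most hits sit in the LocalService IE cache and WINDOWS/Temp, nearly all were only denied rather than removed, and the one quarantine failure is the file AntiVir could not touch.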
/---
pe_xscan 07-08-30 by Purple Endurer
2007-11-7 17:50:28
Windows XP Service Pack 2(5.1.2600)
非管理员用户组
C:/WINDOWS/Explorer.EXE * 1356 | 2007-6-13 21:21:55 | Microsoft(R) Windows(R) Operating System | 6.00.2900.3156 | Windows Explorer | (C) Microsoft Corporation. All rights reserved. | 6.00.2900.3156 (xpsp_sp2_gdr.070613-1234) | Microsoft Corporation| ? | explorer | EXPLORER.EXE
c:/documents and settings/re/application data/ppstream/bin/1.0.0.2/vodrc.dll | 2007-8-8 10:22:0 | vodrc | 1.0.0.2 | vodrc | PPStream Inc. All rights reserved. | 1.0.0.2 | | ? | vodrc.dll | vodrc.dll
C:/PROGRA~1/baidu/bar/baidubar.dll | 2007-7-20 15:52:44 | BaiduBar Module | 2, 0, 2, 145 | BaiduBar Module | Copyright 2005 | 2, 0, 2, 145 | , Inc. | | BaiduBar | BaiduBar.DLL
C:/WINDOWS/system32/svchost.exe * 1940 | 2004-8-17 12:0:0 | Microsoft? Windows? Operating System | 5.1.2600.2180 | Generic Host Process for Win32 Services | ? Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | svchost.exe | svchost.exe
c:/windows/system32/wbem/qbnlwvqcimqbos.dll | 2007-11-7 11:30:23
O2 - BHO PPGouCatcher - {00000000-0000-0000-0000-E58E57C9C848} - C:/PROGRA~1/PPGou/PPGOUI~1.DLL
O23 - 服务: BdGuard (BdGuard) - system32/drivers/BDGuard.SYS(引导)
O23 - 服务: IQGUYNHTH (WKVPWVLQUWRFSEJ) - C:/WINDOWS/system32/svchost.exe -k UKWGTOCDNJITO -> C:/Windows/system32/wbem/QBNLWVQCIMQBOS.DLL | 2007-11-7 11:30:23(自动)
O23 - 服务: npkycryp (npkycryp) - C:/Program Files/Tencent/QQ/npkycryp.sys(手动)
---/
Uninstalled PPGou (屁屁狗) as well.
Stopped and disabled the service IQGUYNHTH (WKVPWVLQUWRFSEJ).
Downloaded FileInfo and bat_do from http:// and used FileInfo to extract the file information:
文件说明符 : C:/WINDOWS/system32/wbem/QBNLWVQCIMQBOS.DLL
属性 : A---
获取文件版本信息大小失败!
创建时间 : 2007-11-7 11:30:23
修改时间 : 2007-11-7 11:30:23
访问时间 : 2007-11-7 18:31:10
大小 : 1028608 字节 1004.512 KB
MD5 : 0e96d0b2ff21e6fd450b382096c350df
SHA1: 23A89AF716AF6B34A7A80B67A028AC02D9FB78E1
CRC32: 32b85f3a
文件说明符 : C:/WINDOWS/system32/wbem/JSRLDZLVYUNXEO.DLL
属性 : A---
获取文件版本信息大小失败!
创建时间 : 2007-11-7 12:24:33
修改时间 : 2007-11-7 12:24:34
访问时间 : 2007-11-7 18:31:12
大小 : 15223 字节 14.887 KB
MD5 : 22e9c2373bdac310298e257488698e81
SHA1: 6D71557AEF0197AD871BD4070033C95C3ED38CD6
CRC32: 21aec210
文件说明符 : C:/WINDOWS/system32/wbem/EHUVRYNXHDNGWG.DLL
属性 : A---
获取文件版本信息大小失败!
创建时间 : 2007-11-7 12:24:35
修改时间 : 2007-11-7 12:24:35
访问时间 : 2007-11-7 18:31:14
大小 : 6132 字节 5.1012 KB
MD5 : 1d4eecb9e52baaabc210c07cd6ef3007
SHA1: 4EB1170461DCBA1BBDDC80A7C306BEBE1B8042BD
CRC32: 8e8616b3
文件说明符 : C:/WINDOWS/system32/wbem/EBUIITI.SYS
属性 : A---
获取文件版本信息大小失败!
创建时间 : 2007-11-7 12:24:33
修改时间 : 2007-11-7 15:1:17
访问时间 : 2007-11-7 18:31:16
大小 : 43 字节
MD5 : bdcf39a82e4a7b905ed678ff50312732
SHA1: 532C3FACFE929421583FD47243B68D9B896E041D
CRC32: 89ec3fec
Used bat_do to pack up and back up the suspicious files, delete them with a delay, rename the selected files, and delete them with a delay. Rebooted the computer...
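To turn the pe_xscan O23 lines and the FileInfo records above into a short triage, here is an added example (not pe_xscan's or FileInfo's own code). It reports a service that svchost.exe hosts under a service group that is not one of the stock XP groups and whose ServiceDll has no version information, together with the hash FileInfo computed for it. The sample lines are copied from the output above; the stock-group list and the reason strings are my own assumptions.

```python
"""Correlate pe_xscan O23 service lines with FileInfo records (added example)."""
from __future__ import annotations

import re

# Constructed sample: lines copied from the pe_xscan and FileInfo output above.
SAMPLE_O23 = """\
O23 - 服务: BdGuard (BdGuard) - system32/drivers/BDGuard.SYS(引导)
O23 - 服务: IQGUYNHTH (WKVPWVLQUWRFSEJ) - C:/WINDOWS/system32/svchost.exe -k UKWGTOCDNJITO -> C:/Windows/system32/wbem/QBNLWVQCIMQBOS.DLL | 2007-11-7 11:30:23(自动)
O23 - 服务: npkycryp (npkycryp) - C:/Program Files/Tencent/QQ/npkycryp.sys(手动)
"""

SAMPLE_FILEINFO = """\
文件说明符 : C:/WINDOWS/system32/wbem/QBNLWVQCIMQBOS.DLL
属性 : A---
获取文件版本信息大小失败!
创建时间 : 2007-11-7 11:30:23
大小 : 1028608 字节 1004.512 KB
MD5 : 0e96d0b2ff21e6fd450b382096c350df
SHA1: 23A89AF716AF6B34A7A80B67A028AC02D9FB78E1
文件说明符 : C:/WINDOWS/system32/wbem/EBUIITI.SYS
属性 : A---
获取文件版本信息大小失败!
大小 : 43 字节
MD5 : bdcf39a82e4a7b905ed678ff50312732
SHA1: 532C3FACFE929421583FD47243B68D9B896E041D
"""

# svchost service groups that ship with Windows XP SP2; a service hosted under
# any other group name deserves a look (assumption: list from my own notes).
STOCK_SVCHOST_GROUPS = {"netsvcs", "localservice", "networkservice", "rpcss",
                        "dcomlaunch", "imgsvc", "termsvcs", "httpfilter"}

O23 = re.compile(r"^O23 - 服务: (?P<display>.+?) \((?P<name>[^)]+)\) - (?P<image>.+)\((?P<start>[^()]+)\)$")


def parse_fileinfo(text: str) -> list[dict]:
    """Split FileInfo output into one dict per 文件说明符 (file) record."""
    recs: list[dict] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("文件说明符"):
            recs.append({"path": line.split(":", 1)[1].strip(), "version_info": True})
        elif not recs:
            continue
        elif line.startswith("获取文件版本信息大小失败"):
            recs[-1]["version_info"] = False   # no VERSIONINFO resource at all
        elif line.startswith("大小"):
            recs[-1]["size"] = int(line.split(":", 1)[1].split()[0])  # bytes
        elif line.startswith("MD5"):
            recs[-1]["md5"] = line.split(":", 1)[1].strip().lower()
        elif line.startswith("SHA1"):
            recs[-1]["sha1"] = line.split(":", 1)[1].strip().lower()
    return recs


def service_module(image: str) -> str:
    """For 'svchost.exe -k GROUP -> DLL | timestamp' return the DLL, else the image itself."""
    if "->" in image:
        return image.split("->", 1)[1].split("|", 1)[0].strip()
    return image.strip()


def flag_services(o23_lines: list[str], recs: list[dict]) -> list[dict]:
    by_path = {r["path"].lower(): r for r in recs}
    findings = []
    for line in o23_lines:
        m = O23.match(line.strip())
        if not m:
            continue
        image = m.group("image").strip()
        module = service_module(image)
        rec = by_path.get(module.lower())   # FileInfo record for the hosted DLL, if any
        reasons = []
        if "svchost.exe" in image.lower():
            grp = re.search(r"-k\s+(\S+)", image)
            if grp and grp.group(1).lower() not in STOCK_SVCHOST_GROUPS:
                reasons.append(f"svchost group {grp.group(1)} is not a stock XP group")
        if rec and not rec["version_info"]:
            reasons.append("module carries no version info")
        if reasons:
            findings.append({"service": m.group("name"), "start": m.group("start"),
                             "module": module, "reasons": reasons,
                             "md5": rec.get("md5") if rec else None})
    return findings


if __name__ == "__main__":
    for f in flag_services(SAMPLE_O23.splitlines(), parse_fileinfo(SAMPLE_FILEINFO)):
        print(f)
```

The correlation is what makes the random-looking service stand out: on its own, an svchost-hosted service is normal, but one under a group name that Windows never ships, pointing at a DLL in wbem with no version resource, is the entry to stop and disable first.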