dwshd.sys, EASYDOWNS.sys, HBKernel32.sys, QQPlatform.exe, RDPWD.sys, easy2.exe, etc.
Original by endurer
2008-11-25, 1st edition
A friend's computer developed a strange problem today: shortly after logging in, the desktop icons and the taskbar disappear, and sometimes a blue screen appears: stop c0000218 unknown hard error. He asked me to help fix it.
At power-on, press F8 and choose to boot with the Last Known Good Configuration.
After reaching the desktop, the hard-disk LED was flashing like mad. In Task Manager, explorer.exe was already running under the SYSTEM account, together with userinit.exe, iexplore.exe, easy2.exe, easy9.exe, QQPlatform.exe and three uusee.exe processes.
I terminated them all and re-ran explorer.exe; the desktop icons and taskbar came back, but disappeared again after a short while.
I ran pe_xscan, analyzed its log, and found the following suspicious items:
pe_xscan 07-07-21 by Purple Endurer
2008-11-25 15:30:49
Windows XP Service Pack 2(5.1.2600)
MSIE:6.0.2900.2180
Administrators user group
C:/WINDOWS/system32/csrss.exe 500 2004-8-17 4:0:0 Microsoft® Windows® Operating System 5.1.2600.2180 Client Server Runtime Process © Microsoft Corporation. All rights reserved. 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft Corporation ? CSRSS.Exe CSRSS.Exe
2008-11-24 7:59:31
2004-8-17 4:0:0
2004-8-17 4:0:0
2004-8-17 4:0:0
C:/WINDOWS/system32/winlogon.exe 524 2004-8-17 4:0:0 Microsoft(R) Windows(R) Operating System 5.1.2600.2180 Windows NT Logon Application (C) Microsoft Corporation. All rights reserved. 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft Corporation ? winlogon WINLOGON.EXE
C:/WINDOWS/system32/SVCHOST.EXE 732 2004-8-17 4:0:0 Microsoft® Windows® Operating System 5.1.2600.2180 Generic Host Process for Win32 Services © Microsoft Corporation. All rights reserved. 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft Corporation ? svchost.exe svchost.exe
2004-8-17 4:0:0
C:/WINDOWS/system32/spcss.dll 2004-8-17 4:0:0 Microsoft® Windows® Operating System 5.1.2600.2726 Distributed COM Services © Microsoft Corporation. All rights reserved. 5.1.2600.2726 (xpsp_sp2_gdr.050725-1528) Microsoft Corporation| ? rpcss.dll rpcss.dll
O1 - Hosts: 222.122.219.220 www.qq.com
O2 - BHO BandIE Class - {77FEF28E-EB96-44FF-B511-3185DEA48697} = 2008-11-25 7:6:10
O2 - BHO - {F6A454AE-156A-415E-9F89-3795677A8A91} = 2008-11-25 0:20:21
O3 - IE toolbar: - {B580CF65-E151-49C3-B73F-70B13FCA8E86} = 2008-11-25 7:6:10
O4 - HKLM/../Policies/Explorer/Run: [qq]
O20 - AppInit_DLLs =
O23 - Service: aliimz () - (Manual)
O23 - Service: b160485 (b160485) - 2008-11-24 8:1:31(Manual)
O23 - Service: BdGuard (BdGuard) - 2008-11-25 7:6:28(Boot)
O23 - Service: d435fd4 (d435fd4) - 2008-11-24 7:59:11(Manual)
O23 - Service: d812a079 (d812a079) - 2008-11-24 7:57:51(Manual)
O23 - Service: dwshd () - (Boot)
O23 - Service: FTP (FTP Protocol Driver) - 2004-8-17 4:0:0(Auto)
O23 - Service: HBKernel32 (HBKernel32 Driver) - 2008-11-24 8:0:11(Boot)
O23 - Service: National (National Instruments Domain Service) - 2008-11-25 7:5:35(Auto)
O23 - Service: qakrcr (qakrcr) - C:/WINDOWS/system32/svchost.exe -k qakrcr 2004-8-17 4:0:0 -> (Auto)
O23 - Service: RDPWD () - 2006-11-6 17:29:13(Manual)
O23 - Service: Register (Register services) - (Auto)
O23 - Service: svcname (Service name) - (Auto)
O23 - Service: wszayy (wszayy) - C:/WINDOWS/system32/svchost.exe -k wszayy 2004-8-17 4:0:0 -> 2004-8-17 4:0:0(Auto)
O24 - ShlExecHook: [F] - {DE02F764-C51A-4788-9597-D78ECC2AC08F} =
O24 - ShlExecHook: [B] - {DA63E650-537C-4042-87BB-9D19D844680B} =
O24 - ShlExecHook: [6] - {4D023DE9-F4B5-4BE0-99C6-7C7AD0CF5426} =
O24 - ShlExecHook: [E] - {08223B03-1B38-4A33-A83A-A4D3CC1D6E4E} =
O24 - ShlExecHook: [0] - {3474A8C2-BEF9-46C8-983A-A26A0030EC30} =
O24 - ShlExecHook: [4] - {F0930A2F-D971-4828-8209-B7DFD266ED44} =
O24 - ShlExecHook: [C] - {122B901E-493F-4AD9-BC69-7DE8C3E52FCC} =
O24 - ShlExecHook: [3] - {9CA963CA-107C-4089-B0AB-31380F90D7E3} =
O24 - ShlExecHook: [8] - {82710040-F86E-42E0-B1F8-04EDF75856F8} =
O24 - ShlExecHook: [B] - {C250CF20-5F89-4310-9854-4BC261FB14FB} =
O24 - ShlExecHook: [F] - {4BF9CBA3-8DEE-41A1-8BDB-FC28D30E949F} =
O24 - ShlExecHook: [2] - {4F34C688-FD49-42FC-97F7-87D2F5791612} =
O24 - ShlExecHook: [0] - {495271CA-D0C6-4052-ABE6-5B01C73CDFB0} =
O24 - ShlExecHook: [6] - {22D75360-199D-4F79-880D-82E766675F06} =
O24 - ShlExecHook: [E] - {58FF3024-8A83-4B1A-88E9-302F47646EEE} =
O24 - ShlExecHook: [A] - {DFB3DAC5-B0B5-4B05-BFCF-FB42737778FA} =
O24 - ShlExecHook: [2] - {AD794E6B-90B7-4F9D-8FD6-0C16E3298FF2} =
O24 - ShlExecHook: [B] - {201476D0-2B18-462E-AB9F-3E2B0CC8732B} =
O24 - ShlExecHook: [C] - {E1D19FCC-4777-4D71-B863-6A0A5B4E59BC} =
O24 - ShlExecHook: [6] - {4FBFD5A4-5FE8-4444-8BD9-FD0FAFA64F96} =
O24 - ShlExecHook: [C] - {56BC86C7-0692-4F94-A2C1-6CF1DBF8096C} =
O24 - ShlExecHook: [F] - {B3721C07-62B3-411A-9DC7-F5F27E3E21FF} =
O24 - ShlExecHook: [1] - {8566F82E-03A4-416E-AEAC-66600D8881F1} =
O24 - ShlExecHook: [3] - {D7C79813-9233-4AE0-832C-99B2E8019673} =
O24 - ShlExecHook: [E] - {34A25F04-008D-403E-8EE6-2307BC02FA2E} =
O24 - ShlExecHook: [8] - {66AFCB56-FAA9-42D2-8C72-2767A46C7FA8} =
O24 - ShlExecHook: [4] - {BA7EDF54-8408-4B21-B351-7B447B344BA4} =
O24 - ShlExecHook: [8] - {E4814792-EFA3-4C20-93D0-8B130A59F9A8} =
O24 - ShlExecHook: [F] - {E0D39066-96D7-4891-8527-488ADAFCD60F} =
O24 - ShlExecHook: [] - {F6A454AE-156A-415E-9F89-3795677A8A91} = 2008-11-25 0:20:21
O26 - IFEO: 360rpt.exe -> C:/WINDOWS/system32/svchost.exe
O26 - IFEO: 360Safe.exe ->
O26 - IFEO: 360tray.exe -> C:/WINDOWS/system32/svchost.exe
O26 - IFEO: avp.exe ->
O26 - IFEO: DrRtp.exe -> C:/WINDOWS/system32/svchost.exe
O26 - IFEO: enc98.EXE -> C:/WINDOWS/system32/svchost.exe
O26 - IFEO: kav32.exe ->
O26 - IFEO: kvmonxp.exe ->
O26 - IFEO: nod32kui.exe ->
O26 - IFEO: QQDoctor.exe -> C:/WINDOWS/system32/svchost.exe
O26 - IFEO: RStray.exe -> C:/WINDOWS/system32/svchost.exe
O26 - IFEO: ua80.EXE -> C:/WINDOWS/system32/svchost.exe
I suspect the malware got in after my friend visited a web page that exploited vulnerabilities in BaiDuBar and UUSee~
"Bai-du" (a hundred poisons)/Baidu: for every day it lives, it never stops harming people!
aliimz.sys and HBKernel32.sys have both been very common malware files recently.
From the log we can see that the malware renamed the Windows system file rpcss.dll to spcss.dll (the spcss.dll loaded by svchost.exe, PID 732, still carries rpcss.dll's version information) and then dropped a fake DLL of its own in rpcss.dll's place.
So if the fake rpcss.dll is simply detected and deleted, the system stops working properly, because the RPCSS service has nothing left to load; the fake must be removed and spcss.dll renamed back to rpcss.dll (after confirming that its version information still reads rpcss.dll). Manual recovery is rather tedious~
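The log above is read by eye in the post. As an added example (not part of the post and not pe_xscan's own code), the script below does the same triage mechanically over HijackThis-style lines: it flags the IFEO "Debugger" hijacks of anti-virus images (O26), services whose names look like random hex or that run `svchost.exe -k` with a group Windows does not ship (O23), ShellExecuteHooks other than the one shell32 registers (O24), the hosts-file redirection (O1), the Policies\Explorer\Run entry (O4), and, for the rpcss.dll/spcss.dll case discussed last, module lines whose on-disk name differs from the OriginalFilename in their version info. The allowlists of svchost groups and of real debuggers, the default ShellExecuteHook CLSID, and the hex-name heuristic are assumptions of this example; the sample log is constructed from a subset of the post's lines with the labels in English.

```python
import re
from collections import Counter

# Allowlists are assumptions for this example, not from the post; tune per machine.
KNOWN_SVCHOST_GROUPS = {"dcomlaunch", "rpcss", "netsvcs", "networkservice",
                        "localservice", "imgsvc", "termsvcs", "httpfilter"}
KNOWN_DEBUGGERS = {"ntsd.exe", "cdb.exe", "windbg.exe", "vsjitdebugger.exe"}
# The only ShellExecuteHook a clean Windows XP registers (shell32 URL Exec Hook).
DEFAULT_SHELLEXECUTEHOOKS = {"{AEB6717E-7E19-11D0-97EE-00C04FD91972}"}

RE_MODULE = re.compile(r"^[A-Za-z]:[/\\]")
RE_HOSTS = re.compile(r"^O1 - Hosts: (\S+) (\S+)")
RE_RUN = re.compile(r"^O4 - (.+)$")
RE_SERVICE = re.compile(r"^O23 - [^:]+: (\S+) \((.*?)\) - (.*)$")
RE_SVCHOST = re.compile(r"svchost\.exe -k (\S+)", re.IGNORECASE)
RE_SHLHOOK = re.compile(r"^O24 - ShlExecHook: \[.*?\] - (\{[0-9A-Fa-f-]+\})")
RE_IFEO = re.compile(r"^O26 - IFEO: (\S+) ->\s*(.*)$")
RE_HEXNAME = re.compile(r"^[0-9a-f]{6,}$")   # b160485, d435fd4, d812a079 ...


def basename(path):
    return re.split(r"[/\\]", path)[-1]


def triage_line(line):
    """Return a list of (category, detail) findings for one pe_xscan log line."""
    findings = []
    line = line.strip()
    if RE_MODULE.match(line):
        # Module lines end with "<InternalName> <OriginalFilename>"; a file whose
        # on-disk name differs from OriginalFilename was renamed (rpcss.dll -> spcss.dll).
        tokens = line.split()
        if basename(tokens[0]).lower() != tokens[-1].lower():
            findings.append(("renamed-system-file",
                             f"{tokens[0]} carries version info of {tokens[-1]}"))
        return findings
    m = RE_HOSTS.match(line)
    if m:
        findings.append(("hosts-hijack", f"{m.group(2)} -> {m.group(1)}"))
        return findings
    m = RE_RUN.match(line)
    if m and "Policies" in m.group(1):
        findings.append(("policies-run", m.group(1)))
        return findings
    m = RE_SERVICE.match(line)
    if m:
        name, display, rest = m.groups()
        if RE_HEXNAME.match(name):
            findings.append(("service-random-name", name))
        if not display:
            findings.append(("service-no-display-name", name))
        g = RE_SVCHOST.search(rest)
        if g and g.group(1).lower() not in KNOWN_SVCHOST_GROUPS:
            findings.append(("svchost-rogue-group",
                             f"{name} runs svchost.exe -k {g.group(1)}"))
        return findings
    m = RE_SHLHOOK.match(line)
    if m and m.group(1).upper() not in DEFAULT_SHELLEXECUTEHOOKS:
        findings.append(("shellexecutehook", m.group(1)))
        return findings
    m = RE_IFEO.match(line)
    if m:
        image, target = m.groups()
        # An IFEO Debugger that is not a real debugger silently replaces the target program
        if basename(target).lower() not in KNOWN_DEBUGGERS:
            findings.append(("ifeo-hijack", f"{image} -> {target or '<empty>'}"))
    return findings


def triage(log_text):
    return [f for line in log_text.splitlines() for f in triage_line(line)]


def summarize(findings):
    return Counter(category for category, _ in findings)


# Constructed sample: a subset of the post's log, labels in English.
SAMPLE_LOG = """\
C:/WINDOWS/system32/csrss.exe 500 2004-8-17 4:0:0 Microsoft Windows Operating System 5.1.2600.2180 Client Server Runtime Process Microsoft Corporation CSRSS.Exe CSRSS.Exe
C:/WINDOWS/system32/SVCHOST.EXE 732 2004-8-17 4:0:0 Microsoft Windows Operating System 5.1.2600.2180 Generic Host Process for Win32 Services Microsoft Corporation svchost.exe svchost.exe
C:/WINDOWS/system32/spcss.dll 2004-8-17 4:0:0 Microsoft Windows Operating System 5.1.2600.2726 Distributed COM Services Microsoft Corporation rpcss.dll rpcss.dll
O1 - Hosts: 222.122.219.220 www.qq.com
O4 - HKLM/../Policies/Explorer/Run: [qq]
O23 - Service: b160485 (b160485) - 2008-11-24 8:1:31(Manual)
O23 - Service: dwshd () - (Boot)
O23 - Service: FTP (FTP Protocol Driver) - 2004-8-17 4:0:0(Auto)
O23 - Service: qakrcr (qakrcr) - C:/WINDOWS/system32/svchost.exe -k qakrcr 2004-8-17 4:0:0 -> (Auto)
O23 - Service: wszayy (wszayy) - C:/WINDOWS/system32/svchost.exe -k wszayy 2004-8-17 4:0:0 -> 2004-8-17 4:0:0(Auto)
O24 - ShlExecHook: [F] - {DE02F764-C51A-4788-9597-D78ECC2AC08F} =
O24 - ShlExecHook: [] - {F6A454AE-156A-415E-9F89-3795677A8A91} = 2008-11-25 0:20:21
O26 - IFEO: 360tray.exe -> C:/WINDOWS/system32/svchost.exe
O26 - IFEO: avp.exe ->
"""

if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for category, detail in results:
        print(f"{category:24} {detail}")
    print(dict(summarize(results)))
```

The OriginalFilename check is the one that matters before any cleanup here: csrss.exe and SVCHOST.EXE pass (the comparison is case-insensitive), while spcss.dll is reported as carrying rpcss.dll's identity, which is exactly the file that must be renamed back rather than deleted.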