Encountering 6to4.dll, pcidump.sys, WmiSvc.sys, updater.exe, etc.

Time: 2022-09-06 13:56:01

Original by endurer

2009-08-29, 1st edition

  A couple of days ago a netizen's computer was infected with a virus: neither Rising nor 360 Safeguard would start, and he asked me to help repair it through QQ remote assistance.

  First I opened Task Manager and found a process named iexplore.exe, even though there was no IE task button on the taskbar, so I terminated it.

  I scanned with pe_xscan, analysed the log, and found the following suspicious items (process modules partly omitted):

 

pe_xscan 09-06-21 by Purple Endurer 
2009-8-27 23:36:58
Windows XP Service Pack 2(5.1.2600)
MSIE:6.0.2900.2180
管理员用户组
正常模式
[System Process] * 0 
   C:/WINDOWS/system32/2EF0D734.dll | 2009-8-27 23:22:26
   C:/WINDOWS/system32/Y4npJWJNr.dll | 2009-8-27 23:22:50
   C:/WINDOWS/system32/704C3595.dll | 2009-8-27 23:21:58
   C:/WINDOWS/fonts/A97CRaCB.fon | 2009-8-27 23:22:4
   C:/WINDOWS/system32/pj83ZgsqjcWUNwjrRp42tFw.dll | 2009-8-27 23:21:50
   C:/WINDOWS/system32/SrNRKs5F7Rkv9hp.inf | 2009-8-27 23:21:46
   C:/WINDOWS/system32/2exJW3dsaTgWrf5uAPadmHN.dll | 2009-8-27 23:21:52
   C:/WINDOWS/system32/WcCtgJ4zcxHF.dll | 2009-8-27 23:21:26
   C:/WINDOWS/system32/BMsg6pdMD4ht.dll | 2009-8-27 23:23:0
   C:/WINDOWS/system32/GU6f5sW42mdc.dll | 2009-8-27 23:22:52
   C:/WINDOWS/system32/BtmBAnd89jc9PsPq5EKNj.inf | 2009-8-27 23:22:46
   C:/WINDOWS/fonts/bQgc5yHMSD4yd.fon | 2009-8-27 23:22:10
   C:/WINDOWS/system32/08223B03.dll | 2009-8-27 23:22:2
   C:/WINDOWS/system32/Q9q2MHJ3uTBErM7wc.dll | 2009-8-27 23:21:56
   C:/WINDOWS/system32/w7uds3zyayg9.dll | 2009-8-27 23:21:36
   C:/WINDOWS/system32/PERrGx5DkqSbQdwauCRQH.dll | 2009-8-27 23:2:30
   C:/WINDOWS/system32/rKPbzUHze58GK2VWcYUCt.inf | 2009-8-27 23:2:18
C:/WINDOWS/System32/winlogon.exe* 712 | 2006-9-24 16:42:24 | Microsoft(R) Windows(R) Operating System | 5.1.2600.2180 | Windows NT Logon Application | (C) Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | winlogon | WINLOGON.EXE
   C:/WINDOWS/system32/COMRes.dll      |       2009-8-27 23:2:0
C:/WINDOWS/System32/svchost.exe* 1128 | 2004-8-17 12:0:0
   C:/WINDOWS/system32/COMRes.dll      |       2009-8-27 23:2:0
   c:/windows/system32/6to4.dll | 2009-8-27 23:1:38
O4 - HKLM/../run: [updater] C:/WINDOWS/system32/updater.exe
O23 - 服务: 6to4 (6to4) - C:/WINDOWS/System32/svchost.exe -k netsvcs | 2004-8-17 12:0:0
  -> C:/WINDOWS/system32/6to4.dll | 2009-8-27 23:1:38(自动)
O23 - 服务: pcidump (pcidump) - C:/WINDOWS/system32/drivers/pcidump.sys | 2009-8-27 23:21:38(禁用)
O23 - 服务: WmiSvc (WmiSvc) - C:/WINDOWS/system32/drivers/WmiSvc.sys | 2009-8-27 23:19:30(自动)
O24 - ShlExecHook: [F] - {E3531A16-FFEA-416F-82DF-32FEDE02EABF} = C:/WINDOWS/system32/emHnPuBAaF7XjuXBbdxSg.dll | 2009-8-27 23:2:0
O24 - ShlExecHook: [5] - {427E02E6-39DB-4424-A49C-7553CD1331F5} = C:/WINDOWS/system32/WcCtgJ4zcxHF.dll | 2009-8-27 23:21:26
O24 - ShlExecHook: [5] - {AB8105BD-1B1B-40F3-8D3D-65FD7FC68CC5} = C:/WINDOWS/Downloaded Program Files/ktEDQzfuNZk2SUAMgyAZz.cur | 2009-8-27 23:21:30
O24 - ShlExecHook: [4] - {CF2C613A-A0D9-4E5C-B1BB-6B03B269B054} = C:/WINDOWS/system32/rKPbzUHze58GK2VWcYUCt.inf | 2009-8-27 23:2:18
O24 - ShlExecHook: [D] - {D6129F8A-6F6E-41D7-BBC9-AC7426759CED} = C:/WINDOWS/system32/w7uds3zyayg9.dll | 2009-8-27 23:21:36
O24 - ShlExecHook: [3] - {51716C09-6B08-4CCF-B526-718E912C0573} = C:/WINDOWS/system32/PERrGx5DkqSbQdwauCRQH.dll | 2009-8-27 23:2:30
O24 - ShlExecHook: [C] - {122B901E-493F-4AD9-BC69-7DE8C3E52FCC} = C:/WINDOWS/system32/122B901E.dll | 2009-8-27 23:2:36
O24 - ShlExecHook: [9] - {5405A7B2-F3F5-446F-8715-2A4EF674E079} = C:/WINDOWS/system32/rfpz9wwyy2np.dll | 2009-8-27 23:2:42
O24 - ShlExecHook: [0] - {610B6886-2A1A-475A-A842-65A613C70460} = C:/WINDOWS/system32/SrNRKs5F7Rkv9hp.inf | 2009-8-27 23:21:46
O24 - ShlExecHook: [C] - {765BA0B5-EBE4-4B1A-AFDA-5683606F626C} = C:/WINDOWS/system32/pj83ZgsqjcWUNwjrRp42tFw.dll | 2009-8-27 23:21:50
O24 - ShlExecHook: [7] - {87DE8A1A-96C5-4420-B222-EF998F697CE7} = C:/WINDOWS/system32/2exJW3dsaTgWrf5uAPadmHN.dll | 2009-8-27 23:21:52
O24 - ShlExecHook: [2] - {108DA6C0-CFBF-41D4-9A09-C4D06AE6FFD2} = C:/WINDOWS/system32/Q9q2MHJ3uTBErM7wc.dll | 2009-8-27 23:21:56
O24 - ShlExecHook: [D] - {704C3595-DB85-40F6-A601-8D6F346907BD} = C:/WINDOWS/system32/704C3595.dll | 2009-8-27 23:21:58
O24 - ShlExecHook: [E] - {08223B03-1B38-4A33-A83A-A4D3CC1D6E4E} = C:/WINDOWS/system32/08223B03.dll | 2009-8-27 23:22:2
O24 - ShlExecHook: [1] - {8708994F-1758-4C2C-9A3F-FA22D6CCCB41} = C:/WINDOWS/fonts/A97CRaCB.fon | 2009-8-27 23:22:4
O24 - ShlExecHook: [A] - {36AC68E6-0C26-4D39-B98E-54B49DAB6BAA} = C:/WINDOWS/system32/dhDhwS7fFW.dll | 2009-8-27 23:3:30
O24 - ShlExecHook: [E] - {1055CA44-51F8-486B-8CBD-DC7AD4213F1E} = C:/WINDOWS/fonts/bQgc5yHMSD4yd.fon | 2009-8-27 23:22:10
O24 - ShlExecHook: [7] - {53915AE3-2660-4870-B092-C9E5A292D327} = C:/WINDOWS/fonts/DGvbbtCNkQVHR6JNYgc.fon | 2009-8-27 23:22:14
O24 - ShlExecHook: [7] - {CD478099-014D-4B3A-A4BB-B518F1019BC7} = C:/WINDOWS/system32/SCEVFJRCmaB7.dll | 2009-8-27 23:22:16
O24 - ShlExecHook: [0] - {23DA65D2-C696-4EE4-BEE8-B4841DEC3E30} = C:/WINDOWS/system32/ndxq9awMc.dll | 2009-8-27 23:22:22
O24 - ShlExecHook: [F] - {2EF0D734-21FD-4225-A1A2-BCD296182AAF} = C:/WINDOWS/system32/2EF0D734.dll | 2009-8-27 23:22:26
O24 - ShlExecHook: [4] - {51AA0D89-E9A9-4284-93E8-40C0FDD59304} = C:/WINDOWS/system32/eNyN5X48HrtXc.dll | 2009-8-27 23:22:28
O24 - ShlExecHook: [7] - {0A2D7F10-1153-4061-AA4B-ACB870212B57} = C:/WINDOWS/system32/z5WRXqHagksJxWt.dll | 2009-8-27 23:22:32
O24 - ShlExecHook: [A] - {A5CA6C70-7185-4466-AB45-B1C34E7A37CA} = C:/WINDOWS/system32/ed78ab9.dll | 2009-8-27 23:22:38
O24 - ShlExecHook: [A] - {BE12C98F-645D-4566-B524-DC32040B7C8A} = C:/WINDOWS/system32/eYNMAnskCCBQCc8Jp.dll | 2009-8-27 23:22:40
O24 - ShlExecHook: [0] - {822775B8-E45B-4E55-9325-0753A0C1DC00} = C:/WINDOWS/system32/wdGSVBqAs3Xk.dll | 2009-8-27 23:22:44
O24 - ShlExecHook: [2] - {1719B301-B494-4185-9379-242461F9CF02} = C:/WINDOWS/system32/BtmBAnd89jc9PsPq5EKNj.inf | 2009-8-27 23:22:46
O24 - ShlExecHook: [5] - {38FEFE05-702C-440D-AD5C-B796209A1CC5} = C:/WINDOWS/system32/Y4npJWJNr.dll | 2009-8-27 23:22:50
O24 - ShlExecHook: [6] - {50EBD6A5-0CF6-4E59-AE08-CCD991AA0596} = C:/WINDOWS/system32/GU6f5sW42mdc.dll | 2009-8-27 23:22:52
O24 - ShlExecHook: [7] - {737858A9-9AEA-4838-9B49-54DA731F7F37} = C:/WINDOWS/system32/BMsg6pdMD4ht.dll | 2009-8-27 23:23:0
O24 - ShlExecHook: [A] - {7F41BC77-7742-4ABF-9277-1316B43D049A} = C:/WINDOWS/system32/kFDDTTA2NjqgtbCWBxS.inf | 2009-8-27 23:17:22
HKLM/SHOWALL    值非1
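As an added example (my own code, not pe_xscan or anything from the author), the script below parses the O4/O23/O24 entries of the log format shown above and flags two patterns visible in it: ShellExecuteHook targets with a non-code extension (.fon, .inf, .cur), and autostart-related files all written within one short time window. The sample lines are copied from the log above; the two heuristics and the 30-minute window are my assumptions.

```python
import os
import re
from datetime import datetime, timedelta

# Constructed sample: a handful of lines copied in the shape of the pe_xscan log above.
SAMPLE_LOG = """\
O4 - HKLM/../run: [updater] C:/WINDOWS/system32/updater.exe
O23 - 服务: 6to4 (6to4) - C:/WINDOWS/System32/svchost.exe -k netsvcs | 2004-8-17 12:0:0
  -> C:/WINDOWS/system32/6to4.dll | 2009-8-27 23:1:38(自动)
O23 - 服务: pcidump (pcidump) - C:/WINDOWS/system32/drivers/pcidump.sys | 2009-8-27 23:21:38(禁用)
O24 - ShlExecHook: [F] - {E3531A16-FFEA-416F-82DF-32FEDE02EABF} = C:/WINDOWS/system32/emHnPuBAaF7XjuXBbdxSg.dll | 2009-8-27 23:2:0
O24 - ShlExecHook: [1] - {8708994F-1758-4C2C-9A3F-FA22D6CCCB41} = C:/WINDOWS/fonts/A97CRaCB.fon | 2009-8-27 23:22:4
O24 - ShlExecHook: [4] - {CF2C613A-A0D9-4E5C-B1BB-6B03B269B054} = C:/WINDOWS/system32/rKPbzUHze58GK2VWcYUCt.inf | 2009-8-27 23:2:18
"""

CODE_EXTS = {".dll", ".exe", ".ocx"}  # what a COM hook / service image normally is
TS_RE = re.compile(r"\|\s*(\d{4}-\d{1,2}-\d{1,2} \d{1,2}:\d{1,2}:\d{1,2})")

def image_ext(path):
    """Extension of the image, ignoring svchost-style arguments such as '-k netsvcs'."""
    return os.path.splitext(re.split(r"\s+-\w", path)[0])[1].lower()

def parse_entries(log):
    """Turn O4/O23/O24 lines (and their '->' continuations) into dicts."""
    entries, kind = [], None
    for line in log.splitlines():
        head = re.match(r"^(O\d+)\b|^\s*->", line)
        path = re.search(r"[A-Za-z]:/[^|]+", line)
        if not head or not path:
            continue
        kind = head.group(1) or kind          # '->' lines belong to the O23 above them
        ts = TS_RE.search(line)
        entries.append({"kind": kind, "path": path.group(0).strip(),
                        "ts": datetime.strptime(ts.group(1), "%Y-%m-%d %H:%M:%S") if ts else None})
    return entries

def find_suspicious(entries, window=timedelta(minutes=30), min_cluster=3):
    # 1) Hooks pointing at a font, INF or cursor file: a shell execute hook is a COM DLL,
    #    so a .fon/.inf/.cur target is a PE hiding behind an innocuous extension.
    hooks = [e["path"] for e in entries if e["kind"] == "O24" and image_ext(e["path"]) not in CODE_EXTS]
    # 2) Many autostart-related files written within one short window: the trace of a
    #    dropper installing all of its components at once (here 2009-8-27 around 23:00).
    stamped = sorted((e for e in entries if e["ts"]), key=lambda e: e["ts"])
    burst = set()
    for i, first in enumerate(stamped):
        group = [e for e in stamped[i:] if e["ts"] - first["ts"] <= window]
        if len(group) >= min_cluster:
            burst.update(e["path"] for e in group)
    return {"non_code_hooks": hooks, "burst_written": sorted(burst)}
```

Run `find_suspicious(parse_entries(SAMPLE_LOG))` (or feed the whole log) to get the two lists; the 2004-dated svchost.exe host stays out of the burst, while the 6to4.dll it loads is in it.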

(To be continued)