This evening a friend told me his computer might be infected: the system had become very slow, the IE home page had been changed to hxxp://www.9348.cn, advertising windows popped up at random, advertising shortcuts kept appearing on the desktop, and double-clicking the hard-disk drives would not open them... He asked me to help check it.
I downloaded pe_xscan, ran a scan, and went through the log. The following suspicious items turned up (parts of the process/module listing are omitted):
/---
pe_xscan 09-04-28 by Purple Endurer
2009-6-13 21:40:33
Windows XP Service Pack 3(5.1.2600) MSIE:6.0.2900.5512
管理员用户组 正常模式

[System Process]* 0
  C:/WINDOWS/System32/SGCQdll.dat| 2009-6-11 11:34:44
  C:/WINDOWS/system32/ZfbJ9AWwU.dll| 2009-6-11 23:44:42
  C:/WINDOWS/system32/JBn2ypqY23vWX.dll| 2009-6-11 11:35:23
  C:/WINDOWS/system32/cRsAQd4hw.dll| 2009-6-11 11:34:58
  C:/WINDOWS/fonts/uXUsF2RrQy.fon| 2009-6-11 11:33:35
  C:/WINDOWS/system32/taNjsFa2tT2Dh.dll| 2009-6-11 11:32:18
  C:/WINDOWS/system32/BMsg6pdMD4ht.dll| 2009-6-11 11:32:5
  C:/WINDOWS/system32/08223B03.dll| 2009-6-11 11:31:54
  C:/WINDOWS/system32/704C3595.dll| 2009-6-11 11:31:33
  C:/WINDOWS/system32/hhnt2pBK.dll| 2009-6-11 11:31:25
  C:/WINDOWS/system32/76B9BA7A.dll| 2009-6-11 11:31:1
  C:/WINDOWS/system32/t44y9a553NQ.dll| 2009-6-11 11:30:46
  C:/WINDOWS/system32/DcXb7abe.dll| 2009-6-11 11:30:26
  C:/WINDOWS/system32/UnsrA8Hec.dll| 2009-6-11 11:29:39
  C:/WINDOWS/system32/CJPtNyJ6HWTgWWJdUe.dll| 2009-6-11 11:29:27
  C:/WINDOWS/system32/efc0c52cc1.dll| 2009-6-11 11:29:11
  C:/WINDOWS/system32/uXrgQ8ZEp.dll| 2009-6-11 11:33:7
C:/WINDOWS/system32/winlogon.exe* 688| 2008-4-13 19:14:18| Microsoft(R) Windows(R) Operating System| 5.1.2600.5512| Windows NT Logon Application| (C) Microsoft Corporation. All rights reserved.| 5.1.2600.5512 (xpsp.080413-2113)| Microsoft Corporation| ?| winlogon| WINLOGON.EXE
  C:/WINDOWS/System32/SGCQdll.dat| 2009-6-11 11:34:44
  C:/WINDOWS/system32/COMRes.dll | 2009-6-11 11:28:50
  C:/WINDOWS/system32/dfc8ac3ed7da.dll| 2008-4-13 19:13:40| COM 服务| 03.00.00.4414| ?| 版权所有 (C) Microsoft Corp. 1995-1999| 2001.12.4414.700| Microsoft Corporation| Microsoft(R) 是 Microsoft Corporation 的注册商标。Windows(TM) 是 Microsoft Corporation 的商标。| COMRES.DLL| ?
C:/WINDOWS/system32/services.exe* 732| 2008-4-13 19:14:12| Microsoft(R) Windows(R) Operating System| 5.1.2600.5512| Services and Controller app| (C) Microsoft Corporation. All rights reserved.| 5.1.2600.5512 (xpsp.080413-2111)| Microsoft Corporation| ?| services.exe| services.exe
  C:/WINDOWS/System32/SGCQdll.dat| 2009-6-11 11:34:44
C:/WINDOWS/system32/lsass.exe* 744| 2008-4-13 19:14:4| Microsoft® Windows® Operating System| 5.1.2600.5512| LSA Shell (Export Version)| © Microsoft Corporation. All rights reserved.| 5.1.2600.5512 (xpsp.080413-2113)| Microsoft Corporation| ?| lsass.exe| lsass.exe
  C:/WINDOWS/System32/SGCQdll.dat| 2009-6-11 11:34:44
C:/WINDOWS/system32/svchost.exe* 904| 2008-4-13 19:14:14| Microsoft® Windows® Operating System| 5.1.2600.5512| Generic Host Process for Win32 Services| © Microsoft Corporation. All rights reserved.| 5.1.2600.5512 (xpsp.080413-2111)| Microsoft Corporation| ?| svchost.exe| svchost.exe
  C:/WINDOWS/System32/SGCQdll.dat| 2009-6-11 11:34:44
  C:/WINDOWS/system32/dfc8ac3ed7da.dll| 2008-4-13 19:13:40| COM 服务| 03.00.00.4414| ?| 版权所有 (C) Microsoft Corp. 1995-1999| 2001.12.4414.700| Microsoft Corporation| Microsoft(R) 是 Microsoft Corporation 的注册商标。Windows(TM) 是 Microsoft Corporation 的商标。| COMRES.DLL| ?
  C:/WINDOWS/java/classes/CLIPORV.DLL| 2009-6-13 14:28:6
C:/WINDOWS/explorer.exe * 1516 | 2008-4-13 19:14:2
C:/WINDOWS/system32/inf/svchoct.exe* 2020| 2009-6-11 12:25:23| Microsoft(R) Windows(R) Operating System| 5.1.2600.5512| Run a DLL as an App| (C) Microsoft Corporation. All rights reserved.| 5.1.2600.5512 (xpsp.080413-2105)| Microsoft Corporation| ?| rundll| RUNDLL.EXE
C:/WINDOWS/system32/drivers/TXP1atform.exe* 192| 2009-6-11 11:24:54

F2 - Shell = <Explorer.exe>| 2008-4-13 19:14:2
O2 - BHO BrowserHelper.CBrowserHelper - {2CDAFF9C-2BE0-4730-ACCC-6DC893A1D0CA} = C:/WINDOWS/system32/MYThunder.dll| 2009-6-11 9:47:7| BrowserHelper| 1.00| ?| ?| 1.00| 安全卫士| ?| BrowserHelper| BrowserHelper.dll
O2 - BHO - {C69D1467-BDE1-4679-CD02-4689CE024579} = C:/WINDOWS/system32/liu.dll| 2009-6-11 12:26:34
O4 - HKCU/../Run: [QQ2009] C:/Program Files/Tencent/QQ/Bin/QQ.exe" /background
O4 - HKCU/../Run: [Explorer] C:/WINDOWS/system32/drivers/TXP1atform.exe
O4 - HKLM/../Run: [updater] C:/WINDOWS/system32/updater.exe
O4 - HKLM/../Policies/Explorer/Run: [ming9bstart] C:/WINDOWS/system/ming9b090423.exe
O4 - HKLM/../Policies/Explorer/Run: [maineyucst]C:/WINDOWS/system32/inf/svchoct.exe
C:/WINDOWS/wftadfi16_090608a.dll d16tan
C:/autorun.inf
/-----
[AutoRun]
open=QQ2009.exe
shellexecute=QQ2009.exe
shell/Auto/command=QQ2009.exe
-----/
D:/autorun.inf
/-----
[AutoRun]
open=QQ2009.exe
shellexecute=QQ2009.exe
shell/Auto/command=QQ2009.exe
-----/
O20 - AppInit_DLLs = C:/WINDOWS/System32/SGCQdll.dat
O23 - 服务: ClipSrv (ClipBook) - C:/WINDOWS/java/classes/CLIPORV.exe| 2009-6-11 11:25:46| Microsoft Windows Operating System| 4.3.3300.2214| Windows NT DDE Server| Microsoft Corporation. All rights reserved.| 9.5.2599.2184| Microsoft Corporation|| CLIPORV.EXE| CLIPORV.EXE(自动)
O23 - 服务: klan (klan) - C:/WINDOWS/system32/drivers/klan.sys| 2009-6-13 14:28:6(自动)
O23 - 服务: porting (Microsoft Device Logical) - C:/WINDOWS/System32/svchost.exe -k "porting"| 2008-4-13 19:14:14| Microsoft® Windows® Operating System| 5.1.2600.5512| Generic Host Process for Win32 Services| © Microsoft Corporation. All rights reserved.| 5.1.2600.5512 (xpsp.080413-2111)| Microsoft Corporation| ?| svchost.exe| svchost.exe
  ->C:/WINDOWS/system32/5b3185.dll| 2009-6-11 11:26:22| Microsoft(R) Windows(R) Operating System| 1, 0, 0, 1| .Net support application| Copyright (C) 2008| 1, 0, 0, 1| Microsoft Corporation| ?| Microsoft(R) Windows(R) Operating System| Server.exe(自动)
O23 - 服务: qq2 (qq2) - C:/Program Files/Internet Explorer/002.tmp(手动)
O23 - 服务: SafeMon2 (SafeMon2) - C:/WINDOWS/d271a2ff.dat| 2009-6-12 15:32:19(系统)
O23 - 服务: Tcphelp (Tcphelp) - C:/WINDOWS/system32/QQ2009.exe| 2009-6-11 12:34:53(自动)
O23 - 服务: uoprlgn (uoprlgn) - system32/drivers/iekdj.sys(引导)
O24 - ShlExecHook: [A] - {FCA4D3BE-C6C7-4F4D-9CBD-CB2666647ACA} = C:/WINDOWS/system32/EN7hzSreCat8.dll| 2009-6-11 11:28:50
O24 - ShlExecHook: [C] - {028A997C-4262-4107-BD46-2ABBC6143E8C} = C:/WINDOWS/system32/efc0c52cc1.dll| 2009-6-11 11:29:11
O24 - ShlExecHook: [9] - {349F9B06-D92F-4AF9-AE96-6730A16821F9} = C:/WINDOWS/system32/CJPtNyJ6HWTgWWJdUe.dll| 2009-6-11 11:29:27
O24 - ShlExecHook: [4] - {02845FCC-2BF4-4191-888D-18030FAA2074} = C:/WINDOWS/system32/UnsrA8Hec.dll| 2009-6-11 11:29:39
O24 - ShlExecHook: [C] - {122B901E-493F-4AD9-BC69-7DE8C3E52FCC} = C:/WINDOWS/system32/122B901E.dll| 2009-6-11 11:29:58
O24 - ShlExecHook: [4] - {A0C86020-5935-4B87-B20E-0B656D450264} = C:/WINDOWS/system32/A0C86020.dll| 2009-6-11 11:30:15
O24 - ShlExecHook: [A] - {6101B532-3E30-49FB-8594-F9B22338FF4A} = C:/WINDOWS/system32/DcXb7abe.dll| 2009-6-11 11:30:26
O24 - ShlExecHook: [B] - {AF235511-A3CA-4AF6-BA10-C2D229B8A01B} = C:/WINDOWS/system32/t44y9a553NQ.dll| 2009-6-11 11:30:46
O24 - ShlExecHook: [6] - {76B9BA7A-81D0-4979-8598-8471F2AB5186} = C:/WINDOWS/system32/76B9BA7A.dll| 2009-6-11 11:31:1
O24 - ShlExecHook: [E] - {54DA5754-2475-4B55-8DFA-D0327C8F4A9E} = C:/WINDOWS/system32/hhnt2pBK.dll| 2009-6-11 11:31:25
O24 - ShlExecHook: [D] - {704C3595-DB85-40F6-A601-8D6F346907BD} = C:/WINDOWS/system32/704C3595.dll| 2009-6-11 11:31:33
O24 - ShlExecHook: [E] - {08223B03-1B38-4A33-A83A-A4D3CC1D6E4E} = C:/WINDOWS/system32/08223B03.dll| 2009-6-11 11:31:54
O24 - ShlExecHook: [7] - {737858A9-9AEA-4838-9B49-54DA731F7F37} = C:/WINDOWS/system32/BMsg6pdMD4ht.dll| 2009-6-11 11:32:5
O24 - ShlExecHook: [A] - {37C5D66A-8B1B-4545-8112-3751194F6A4A} = C:/WINDOWS/system32/taNjsFa2tT2Dh.dll| 2009-6-11 11:32:18
O24 - ShlExecHook: [A] - {36AC68E6-0C26-4D39-B98E-54B49DAB6BAA} = C:/WINDOWS/system32/dhDhwS7fFW.dll| 2009-6-11 11:32:29
O24 - ShlExecHook: [7] - {71C4F360-FF1E-413E-B17A-0CA267A78E97} = C:/WINDOWS/system32/qB5BKZy7vR5m.dll| 2009-6-11 11:32:40
O24 - ShlExecHook: [8] - {E4814792-EFA3-4C20-93D0-8B130A59F9A8} = C:/WINDOWS/system32/E4814792.dll| 2009-6-11 11:32:51
O24 - ShlExecHook: [5] - {93EC6B33-16B4-4110-BBC1-8B4A20E321C5} = C:/WINDOWS/system32/uXrgQ8ZEp.dll| 2009-6-11 11:33:7
O24 - ShlExecHook: [2] - {C722AD57-35DA-4460-8353-328372F32AB2} = C:/WINDOWS/system32/ufQCU5.dll| 2009-6-11 11:33:23
O24 - ShlExecHook: [7] - {11B10F7F-FB23-466D-BDC3-9591CF02EC17} = C:/WINDOWS/fonts/uXUsF2RrQy.fon| 2009-6-11 11:33:35
O24 - ShlExecHook: [8] - {3D490B56-425C-4B8F-889E-0E391AD54DE8} = C:/WINDOWS/system32/wrGwvaDRB6M.dll| 2009-6-11 11:33:52
O24 - ShlExecHook: [0] - {F653395D-C9C7-4026-ADD1-E88DD96BD650} = C:/WINDOWS/fonts/rsR933gQXyUh.fon| 2009-6-11 11:34:7
O24 - ShlExecHook: [2] - {93DA1E7D-7C46-4F90-8674-EC90511FCA72} = C:/WINDOWS/system32/CDuAUVkGy9.dll| 2009-6-11 11:34:16
O24 - ShlExecHook: [3] - {0D267113-499A-4EEF-998D-C45731C1B313} = C:/WINDOWS/system32/VnTU2WAqUcZA6.dll| 2009-6-11 11:34:29
O24 - ShlExecHook: [E] - {93F33500-527E-4E33-AECA-69B15243A90E} = C:/WINDOWS/system32/cRsAQd4hw.dll| 2009-6-11 11:34:58
O24 - ShlExecHook: [4] - {A23CA53C-731F-4033-92E8-C1DFB4E71D34} = C:/WINDOWS/system32/JBn2ypqY23vWX.dll| 2009-6-11 11:35:23
O24 - ShlExecHook: [3] - {EA25F4E7-8B67-452A-B9DD-B38C526250D3} = C:/WINDOWS/fonts/Q9UnbAWWNuSv4.fon| 2009-6-11 11:35:37
O24 - ShlExecHook: [3] - {425C9CFB-7474-44A1-A2C6-EDEC3EDCB7F3} = C:/WINDOWS/system32/DrM4Kxa9cae.dll| 2009-6-11 11:35:48
O24 - ShlExecHook: [D] - {CD1779C2-CFD3-46FD-8139-A454565E447D} = C:/WINDOWS/system32/ZfbJ9AWwU.dll| 2009-6-11 23:44:42
O24 - ShlExecHook: [A] - {EC2B07DD-0051-405D-9C98-C8BBF9F27B9A} = C:/WINDOWS/system32/QsbvDcwq7umu.dll| 2009-6-11 23:46:44
O26 - IFEO: 360down.exe -> ntsd -d
O26 - IFEO: 360hotfix.exe -> ntsd -d
O26 - IFEO: 360rpt.exe -> ntsd -d
O26 - IFEO: 360safe.exe -> ntsd -d
O26 - IFEO: 360safebox.exe -> ntsd -d
O26 - IFEO: 360tray.exe -> ntsd -d
O26 - IFEO: 360upp.exe -> ntsd -d
O26 - IFEO: agentsvr.exe -> ntsd -d
O26 - IFEO: apvxdwin.exe -> ntsd -d
O26 - IFEO: ast.exe -> ntsd -d
O26 - IFEO: avcenter.exe -> ntsd -d
O26 - IFEO: avengine.exe -> ntsd -d
O26 - IFEO: avgnt.exe -> ntsd -d
O26 - IFEO: avguard.exe -> ntsd -d
O26 - IFEO: avltmain.exe -> ntsd -d
O26 - IFEO: avp.exe -> ntsd -d
O26 - IFEO: avp32.exe -> ntsd -d
O26 - IFEO: avtask.exe -> ntsd -d
O26 - IFEO: bdagent.exe -> ntsd -d
O26 - IFEO: bdwizreg.exe -> ntsd -d
O26 - IFEO: boxmod.exe -> ntsd -d
O26 - IFEO: ccapp.exe -> ntsd -d
O26 - IFEO: ccenter.exe -> ntsd -d
O26 - IFEO: ccevtmgr.exe -> ntsd -d
O26 - IFEO: ccregvfy.exe -> ntsd -d
O26 - IFEO: ccsetmgr.exe -> ntsd -d
O26 - IFEO: cqw32.exe -> ntsd -d
O26 - IFEO: DrvAnti.exe -> ntsd -d
O26 - IFEO: egui.exe -> ntsd -d
O26 - IFEO: ekrn.exe -> ntsd -d
O26 - IFEO: enc98.EXE -> ntsd -d
O26 - IFEO: extdb.exe -> ntsd -d
O26 - IFEO: frameworkservice.exe -> ntsd -d
O26 - IFEO: frwstub.exe -> ntsd -d
O26 - IFEO: guardfield.exe -> ntsd -d
O26 - IFEO: iparmor.exe -> ntsd -d
O26 - IFEO: kaccore.exe -> ntsd -d
O26 - IFEO: kasmain.exe -> ntsd -d
O26 - IFEO: kav32.exe -> ntsd -d
O26 - IFEO: kavstart.exe -> ntsd -d
O26 - IFEO: kavsvc.exe -> ntsd -d
O26 - IFEO: kavsvcui.exe -> ntsd -d
O26 - IFEO: kislnchr.exe -> ntsd -d
O26 - IFEO: kissvc.exe -> ntsd -d
O26 - IFEO: kmailmon.exe -> ntsd -d
O26 - IFEO: knownsvr.exe -> ntsd -d
O26 - IFEO: kpfw32.exe -> ntsd -d
O26 - IFEO: kpfwsvc.exe -> ntsd -d
O26 - IFEO: kregex.exe -> ntsd -d
O26 - IFEO: kvfw.exe -> ntsd -d
O26 - IFEO: kvmonxp.exe -> ntsd -d
O26 - IFEO: kvmonxp.kxp -> ntsd -d
O26 - IFEO: kvol.exe -> ntsd -d
O26 - IFEO: kvprescan.exe -> ntsd -d
O26 - IFEO: kvsrvxp.exe -> ntsd -d
O26 - IFEO: kvwsc.exe -> ntsd -d
O26 - IFEO: kvxp.kxp -> ntsd -d
O26 - IFEO: kwatch.exe -> ntsd -d
O26 - IFEO: livesrv.exe -> ntsd -d
O26 - IFEO: makereport.exe -> ntsd -d
O26 - IFEO: mcagent.exe -> ntsd -d
O26 - IFEO: mcdash.exe -> ntsd -d
O26 - IFEO: mcdetect.exe -> ntsd -d
O26 - IFEO: mcshield.exe -> ntsd -d
O26 - IFEO: mctskshd.exe -> ntsd -d
O26 - IFEO: mcvsescn.exe -> ntsd -d
O26 - IFEO: mcvsshld.exe -> ntsd -d
O26 - IFEO: mghtml.exe -> ntsd -d
O26 - IFEO: naprdmgr.exe -> ntsd -d
O26 - IFEO: navapsvc.exe -> ntsd -d
O26 - IFEO: navapw32.exe -> ntsd -d
O26 - IFEO: navw32.exe -> ntsd -d
O26 - IFEO: nmain.exe -> ntsd -d
O26 - IFEO: nod32.exe -> ntsd -d
O26 - IFEO: nod32krn.exe -> ntsd -d
O26 - IFEO: nod32kui.exe -> ntsd -d
O26 - IFEO: npfmntor.exe -> ntsd -d
O26 - IFEO: oasclnt.exe -> ntsd -d
O26 - IFEO: pavsrv51.exe -> ntsd -d
O26 - IFEO: pfw.exe -> ntsd -d
O26 - IFEO: psctrls.exe -> ntsd -d
O26 - IFEO: psimreal.exe -> ntsd -d
O26 - IFEO: psimsvc.exe -> ntsd -d
O26 - IFEO: qqdoctormain.exe -> ntsd -d
O26 - IFEO: ras.exe -> ntsd -d
O26 - IFEO: ravmon.exe -> ntsd -d
O26 - IFEO: ravmond.exe -> ntsd -d
O26 - IFEO: ravstub.exe -> ntsd -d
O26 - IFEO: ravtask.exe -> ntsd -d
O26 - IFEO: rfwcfg.exe -> ntsd -d
O26 - IFEO: rfwmain.exe -> ntsd -d
O26 - IFEO: rfwproxy.exe -> ntsd -d
O26 - IFEO: rfwsrv.exe -> ntsd -d
O26 - IFEO: rsagent.exe -> ntsd -d
O26 - IFEO: rsmain.exe -> ntsd -d
O26 - IFEO: rsnetsvr.exe -> ntsd -d
O26 - IFEO: rssafety.exe -> ntsd -d
O26 - IFEO: rstray.exe -> ntsd -d
O26 - IFEO: safebank.exe -> ntsd -d
O26 - IFEO: safeboxtray.exe -> ntsd -d
O26 - IFEO: scan32.exe -> ntsd -d
O26 - IFEO: scanfrm.exe -> ntsd -d
O26 - IFEO: sched.exe -> ntsd -d
O26 - IFEO: seccenter.exe -> ntsd -d
O26 - IFEO: secnotifier.exe -> ntsd -d
O26 - IFEO: SetupLD.exe -> ntsd -d
O26 - IFEO: shstat.exe -> ntsd -d
O26 - IFEO: smartup.exe -> ntsd -d
O26 - IFEO: sndsrvc.exe -> ntsd -d
O26 - IFEO: spbbcsvc.exe -> ntsd -d
O26 - IFEO: symlcsvc.exe -> ntsd -d
O26 - IFEO: tbmon.exe -> ntsd -d
O26 - IFEO: tmp6.exe -> ntsd -d
O26 - IFEO: uihost.exe -> ntsd -d
O26 - IFEO: ulibcfg.exe -> ntsd -d
O26 - IFEO: updaterui.exe -> ntsd -d
O26 - IFEO: uplive.exe -> ntsd -d
O26 - IFEO: vcr32.exe -> ntsd -d
O26 - IFEO: vcrmon.exe -> ntsd -d
O26 - IFEO: vptray.exe -> ntsd -d
O26 - IFEO: vsserv.exe -> ntsd -d
O26 - IFEO: vstskmgr.exe -> ntsd -d
O26 - IFEO: vstskmgr.exe -> ntsd -d
O26 - IFEO: webproxy.exe -> ntsd -d
O26 - IFEO: xcommsvr.exe -> ntsd -d
O26 - IFEO: xnlscn.exe -> ntsd -d
O26 - IFEO: 修复工具.exe -> ntsd -d
O29 - HKCU-Start Page = hxxp://www.9348.cn/?205460
O29 - HKLM-Start Page = hxxp://www.9348.cn/?205460
.htm - C:/Program Files/佳豆浏览器/jiadou.exe" "%1"
.html - C:/Program Files/佳豆浏览器/jiadou.exe" "%1"
HKLM/SHOWALL 值非1
---/
(to be continued)
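Triage logic for a dump like the one above, added here as an example and not part of the original post or of pe_xscan itself: it splits the `Oxx - ` entries (also when a web paste has run them together on one line) and flags the three patterns that stand out in this log, IFEO entries redirected to `ntsd -d`, a populated AppInit_DLLs, and Run keys pointing into directories such as system32/drivers or system32/inf. The sample entries are copied from the log; the rule names and the `ODD_DIRS` list are my own choices, not anything the scanner defines.

```python
import re

# Constructed sample: a few entries copied from the pe_xscan log above, one per
# line (the blog paste ran them together; the parser accepts that form too).
SAMPLE_LOG = """\
O4 - HKCU/../Run: [QQ2009] C:/Program Files/Tencent/QQ/Bin/QQ.exe" /background
O4 - HKCU/../Run: [Explorer] C:/WINDOWS/system32/drivers/TXP1atform.exe
O4 - HKLM/../Policies/Explorer/Run: [maineyucst]C:/WINDOWS/system32/inf/svchoct.exe
O20 - AppInit_DLLs = C:/WINDOWS/System32/SGCQdll.dat
O26 - IFEO: 360tray.exe -> ntsd -d
O26 - IFEO: avp.exe -> ntsd -d
O26 - IFEO: 修复工具.exe -> ntsd -d
"""

# Zero-width split in front of every "Oxx - " section prefix, so newlines are
# not required between entries.
ENTRY_RE = re.compile(r"(?=\bO\d+ - )")

def parse_entries(text):
    """Split a pe_xscan/HijackThis-style dump into (section, body) pairs."""
    out = []
    for chunk in ENTRY_RE.split(text):
        m = re.match(r"(O\d+) - (.*)", chunk.strip(), re.S)
        if m:
            out.append((m.group(1), m.group(2).strip()))
    return out

# Directories a legitimate autostart program almost never runs from (my list).
ODD_DIRS = ("/system32/drivers/", "/system32/inf/", "/windows/system/", "/fonts/")

def triage(entries):
    """Return (rule, entry body) findings for the autostart-related entries."""
    findings = []
    for sec, body in entries:
        low = body.lower()
        if sec == "O26" and "-> ntsd -d" in low:
            # IFEO Debugger = ntsd -d: the named security tool is started under
            # the ntsd debugger instead of directly, so it never comes up.
            findings.append(("ifeo_debugger_kill", body))
        elif sec == "O20" and low.partition("=")[2].strip():
            # A non-empty AppInit_DLLs is loaded into every process using user32.
            findings.append(("appinit_dlls_set", body))
        elif sec == "O4" and any(d in low for d in ODD_DIRS):
            findings.append(("run_key_odd_path", body))
    return findings

if __name__ == "__main__":
    for rule, body in triage(parse_entries(SAMPLE_LOG)):
        print(f"{rule:20} {body}")
```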