遭遇修改系统时间、使用映像劫持的xibgptd.exe,netdde32.exe等1 -阿里云开发者社区

今天中午，一位网友说他的电脑中的杀毒软件无法启动，打开包含杀毒等字样的网页会自动关闭，不停地提示web.exe程序出错，不定期弹出广告窗口。让偶通过QQ远程协助。
先到 http://endurer.ys168.com 下载 HijackThis，ProcView。运行procView，直接被关闭了。把 HijackThis.exe 改名为 h.exe，再运行，傅HijackThis自带的进程管理器终止了N个Web.exe进程。
接着下载 pe_xscan 扫描 log 并分析，发现如下可疑项：
/===
pe_xscan 07-07-21 by Purple Endurer
2005-10-19 12:46:14
Windows XP Service Pack 2(5.1.2600)
管理员用户组

[System Process] * 0
    C:/WINDOWS/system32/RemoteDbg.dll | 2005-10-19 9:13:46
    C:/WINDOWS/system32/windhcp.ocx | 2005-10-19 9:14:6
    C:/Program Files/QQ2006/q.dll | 2007-4-16 23:54:26
    C:/WINDOWS/system32/lazodyn.laz | 2007-4-16 23:54:26 | Microsoft(R) Windows(R) Operating System | 5.1.2600.3119 | Windows NT BASE API Client DLL | (C) Microsoft Corporation. All rights reserved. | 5.1.2600.3119 (xpsp_sp2_gdr.070416-1301) | Microsoft Corporation| ? | kernel32 | kernel32
    C:/WINDOWS/system32/1.1 | 1601-1-2 7:8:43
    C:/WINDOWS/system32/1mb0pe.l6v | 2004-8-17 12:0:0 | Microsoft(R) Windows(R) Operating System | 5.1.2600.2180 | Advanced Windows 32 Base API | (C) Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | advapi32.dll | advapi32.dll
    C:/WINDOWS/system32/dhcpri.dll | 2004-8-4 9:13:52
    C:/WINDOWS/system32/mydpri.dll | 2004-8-4 9:14:12
    C:/WINDOWS/system32/wgepri.dll | 2004-8-4 9:13:58
    C:/WINDOWS/system32/jzgpri.dll | 2004-8-4 9:14:30

C:/WINDOWS/system32/winlogon.exe * 700 | 2004-8-17 12:0:0 | Microsoft(R) Windows(R) Operating System | 5.1.2600.2180 | Windows NT Logon Application | (C) Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | winlogon | WINLOGON.EXE
    C:/WINDOWS/system32/jzgpri.dll | 2004-8-4 9:14:30
    C:/WINDOWS/system32/45119F1B.DLL | 2005-10-19 10:33:54 | Microsoft(R) Windows(R) Operating System| ?| ? | (C) Microsoft Corporation. All rights reserved.| ? | Microsoft Corporation| ?| ?| ?

C:/WINDOWS/system32/services.exe * 748 | 2004-8-17 12:0:0 | Microsoft(R) Windows(R) Operating System | 5.1.2600.2180 | Services and Controller app | (C) Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | services.exe | services.exe
    C:/WINDOWS/system32/jzgpri.dll | 2004-8-4 9:14:30

C:/WINDOWS/system32/lsass.exe * 760 | 2004-8-17 12:0:0 | Microsoft? Windows? Operating System | 5.1.2600.2180 | LSA Shell (Export Version) | ? Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | lsass.exe | lsass.exe
    C:/WINDOWS/system32/jzgpri.dll | 2004-8-4 9:14:30

C:/WINDOWS/system32/svchost.exe * 928 | 2004-8-17 12:0:0 | Microsoft? Windows? Operating System | 5.1.2600.2180 | Generic Host Process for Win32 Services | ? Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | svchost.exe | svchost.exe
    C:/WINDOWS/system32/jzgpri.dll | 2004-8-4 9:14:30

C:/WINDOWS/Explorer.EXE * 1900 | 2004-8-17 12:0:0 | Microsoft(R) Windows(R) Operating System | 6.00.2900.2180 | Windows Explorer | (C) Microsoft Corporation. All rights reserved. | 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | explorer | EXPLORER.EXE
    C:/WINDOWS/system32/jzgpri.dll | 2004-8-4 9:14:30
    C:/WINDOWS/KB908024.log | 2005-10-19 10:32:52
    C:/WINDOWS/system32/JQXELW.dll | 2007-4-16 23:54:26
    C:/WINDOWS/system32/dhcpri.dll | 2004-8-4 9:13:52
    C:/WINDOWS/system32/wgepri.dll | 2004-8-4 9:13:58
    C:/WINDOWS/system32/mydpri.dll | 2004-8-4 9:14:12
    C:/WINDOWS/system32/1.1 | 1601-1-2 7:8:43
    C:/WINDOWS/system32/45119F1B.DLL | 2005-10-19 10:33:54 | Microsoft(R) Windows(R) Operating System| ?| ? | (C) Microsoft Corporation. All rights reserved.| ? | Microsoft Corporation| ?| ?| ?
    C:/WINDOWS/netdde32.exe | 2005-10-19 9:19:16
    C:/WINDOWS/system32/netdde32.exe | 2005-10-19 9:19:16
    C:/Program Files/QQ2006/q.dll | 2007-4-16 23:54:26
    C:/WINDOWS/system32/MsHttpApp.dll | 2007-3-5 17:9:26 | MsHttpApp | 1.0.0.1 | MsHttpApp | Microsoft Corporation.  All rights reserved. | 1.0.0.1 | Microsoft Corporation| ? | MsHttpApp.dll | MsHttpApp.dll

C:/Program Files/Common Files/Microsoft Shared/xibgptd.exe * 160 | 2005-10-19 8:7:52
    C:/WINDOWS/system32/jzgpri.dll | 2004-8-4 9:14:30
    C:/WINDOWS/system32/dhcpri.dll | 2004-8-4 9:13:52

C:/Program Files/OCINS/idnsvr.exe * 192 | 2007-8-10 8:4:18 |  | 2, 6, 0, 0 | 国际化域名支持模块 | Copyright CNNIC 2006 - 2007 | 2, 6, 0, 0 | 中国互联网信息中心(CNNIC) |  | idnsvr | idnsvr.exe
    C:/Program Files/OCINS/idnsvr.exe | 2007-8-10 8:4:18 |  | 2, 6, 0, 0 | 国际化域名支持模块 | Copyright CNNIC 2006 - 2007 | 2, 6, 0, 0 | 中国互联网信息中心(CNNIC) |  | idnsvr | idnsvr.exe
    C:/Program Files/OCINS/idnsvr.dll | 2007-8-10 8:4:50 |  | 2, 6, 0, 0 | 国际化域名支持模块 | Copyright CNNIC 2006 - 2007 | 2, 6, 0, 2 | 中国互联网信息中心(CNNIC) |  | idnsvr | idnsvr.dll
    C:/WINDOWS/system32/1.1 | 1601-1-2 7:8:43
    C:/WINDOWS/system32/lazodyn.laz | 2007-4-16 23:54:26 | Microsoft(R) Windows(R) Operating System | 5.1.2600.3119 | Windows NT BASE API Client DLL | (C) Microsoft Corporation. All rights reserved. | 5.1.2600.3119 (xpsp_sp2_gdr.070416-1301) | Microsoft Corporation| ? | kernel32 | kernel32
    C:/WINDOWS/system32/dhcpri.dll | 2004-8-4 9:13:52

C:/Program Files/Common Files/System/xmjisnw.exe * 200 | 2005-10-19 8:7:52
    C:/WINDOWS/system32/jzgpri.dll | 2004-8-4 9:14:30
    C:/WINDOWS/system32/dhcpri.dll | 2004-8-4 9:13:52

C:/WINDOWS/system32/ctfmon.exe * 240 | 2004-8-17 12:0:0 | Microsoft? Windows? Operating System | 5.1.2600.2180 | CTF Loader | ? Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | CTFMON | CTFMON.EXE
    C:/WINDOWS/system32/jzgpri.dll | 2004-8-4 9:14:30
    C:/WINDOWS/system32/1.1 | 1601-1-2 7:8:43
    C:/WINDOWS/system32/lazodyn.laz | 2007-4-16 23:54:26 | Microsoft(R) Windows(R) Operating System | 5.1.2600.3119 | Windows NT BASE API Client DLL | (C) Microsoft Corporation. All rights reserved. | 5.1.2600.3119 (xpsp_sp2_gdr.070416-1301) | Microsoft Corporation| ? | kernel32 | kernel32
    C:/WINDOWS/system32/dhcpri.dll | 2004-8-4 9:13:52

C:/WINDOWS/svrsvc.exe * 500 | 2004-8-17 12:0:0
    C:/WINDOWS/svrsvc.exe | 2004-8-17 12:0:0
    C:/WINDOWS/system32/RemoteDbg.dll | 2005-10-19 9:13:46
    C:/WINDOWS/system32/jzgpri.dll | 2004-8-4 9:14:30

C:/WINDOWS/system32/dllcache/1028/svchost.exe * 780 | 2007-8-10 8:4:14 | Microsoft(R) Windows(R) Operating System| ?| ? | (C) Microsoft Corporation. All rights reserved.| ? | Microsoft Corporation| ?| ?| ?
    C:/WINDOWS/system32/jzgpri.dll | 2004-8-4 9:14:30
    C:/WINDOWS/system32/RemoteDbg.dll | 2005-10-19 9:13:46

C:/Program Files/QQ2006/QQ.exe * 2144 | 2007-5-11 19:30:50 | QQ | 7,0,225,1651 | QQ | Copyright (C) 1998 - 2007 TENCENT Inc. All Rights Reserved | 7,0,225,1651 | TENCENT |  | COMQQD | QQ.exe
    C:/WINDOWS/system32/jzgpri.dll | 2004-8-4 9:14:30
    C:/WINDOWS/system32/1.1 | 1601-1-2 7:8:43
    C:/WINDOWS/system32/lazodyn.laz | 2007-4-16 23:54:26 | Microsoft(R) Windows(R) Operating System | 5.1.2600.3119 | Windows NT BASE API Client DLL | (C) Microsoft Corporation. All rights reserved. | 5.1.2600.3119 (xpsp_sp2_gdr.070416-1301) | Microsoft Corporation| ? | kernel32 | kernel32
    C:/WINDOWS/system32/RemoteDbg.dll | 2005-10-19 9:13:46
    C:/WINDOWS/system32/windhcp.ocx | 2005-10-19 9:14:6
    C:/Program Files/QQ2006/q.dll | 2007-4-16 23:54:26
    C:/WINDOWS/system32/dhcpri.dll | 2004-8-4 9:13:52
    C:/WINDOWS/system32/1mb0pe.l6v | 2004-8-17 12:0:0 | Microsoft(R) Windows(R) Operating System | 5.1.2600.2180 | Advanced Windows 32 Base API | (C) Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | advapi32.dll | advapi32.dll
    C:/WINDOWS/system32/mydpri.dll | 2004-8-4 9:14:12
    C:/WINDOWS/system32/wgepri.dll | 2004-8-4 9:13:58
    C:/WINDOWS/system32/JQXELW.dll | 2007-4-16 23:54:26

C:/Program Files/QQ2006/TIMPlatform.exe * 2252 | 2007-5-11 15:17:20 | QQ | 7,0,208,1651 | TIMPlatform | Copyright ? 2005 ━ 2007 TENCENT Inc. All Rights Reserved | 7,0,225,1651 | TENCENT |  | TIMPlatform | TIMPlatform.exe
    C:/WINDOWS/system32/RemoteDbg.dll | 2005-10-19 9:13:46
    C:/WINDOWS/system32/windhcp.ocx | 2005-10-19 9:14:6
    C:/Program Files/QQ2006/q.dll | 2007-4-16 23:54:26
    C:/WINDOWS/system32/lazodyn.laz | 2007-4-16 23:54:26 | Microsoft(R) Windows(R) Operating System | 5.1.2600.3119 | Windows NT BASE API Client DLL | (C) Microsoft Corporation. All rights reserved. | 5.1.2600.3119 (xpsp_sp2_gdr.070416-1301) | Microsoft Corporation| ? | kernel32 | kernel32
    C:/WINDOWS/system32/1.1 | 1601-1-2 7:8:43
    C:/WINDOWS/system32/dhcpri.dll | 2004-8-4 9:13:52

C:/WINDOWS/system32/rundll32.exe * 3972 | 2004-8-17 12:0:0 | Microsoft(R) Windows(R) Operating System | 5.1.2600.2180 | Run a DLL as an App | (C) Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | rundll | RUNDLL.EXE
    C:/WINDOWS/system32/RemoteDbg.dll | 2005-10-19 9:13:46
    C:/WINDOWS/system32/windhcp.ocx | 2005-10-19 9:14:6
    C:/WINDOWS/system32/JQXELW.dll | 2007-4-16 23:54:26
    C:/Program Files/QQ2006/q.dll | 2007-4-16 23:54:26
    C:/WINDOWS/system32/1.1 | 1601-1-2 7:8:43
    C:/WINDOWS/system32/dhcpri.dll | 2004-8-4 9:13:52

F2 - REG: system.ini: UserInit=C:/WINDOWS/system32/Userinit.exe

O1 - Hosts: 61.152.244.167 search.114.vnet.cn
O1 - Hosts: 61.152.244.167 auto.search.msn.com
O1 - Hosts: 61.152.244.167  www.hao123.comO1 - Hosts: 61.152.244.167 hao123.com
O1 - Hosts: 61.152.244.167  www.360safe.comO1 - Hosts: 61.152.244.167 360safe.com
O1 - Hosts: 222.73.126.115 update.360safe.com
O1 - Hosts: 61.152.244.167 dl.360safe.com
O1 - Hosts: 61.152.244.167 bbs.360safe.com
O1 - Hosts: 61.152.244.167  www.btbaicai.comO1 - Hosts: 61.152.244.167 btbaicai.com
O1 - Hosts: 61.152.244.167  www.pctutu.comO1 - Hosts: 61.152.244.167  www.7322.comO1 - Hosts: 61.152.244.167  www.5566.netO1 - Hosts: 61.152.244.167  www.9991.comO1 - Hosts: 61.152.244.167 9991.com
O1 - Hosts: 61.152.244.167 forum.ikaka.com
O1 - Hosts: 61.152.244.167  www.ikaka.comO1 - Hosts: 222.73.126.115 update.ikaka.com
O1 - Hosts: 61.152.244.167 forum.jiangmin.com
O1 - Hosts: 222.73.126.115 update.jiangmin.com
O1 - Hosts: 61.152.244.167 post.baidu.com
O1 - Hosts: 222.73.126.115 update.rising.com.cn
O1 - Hosts: 61.152.244.167 online.rising.com.cn
O1 - Hosts: 222.73.126.115 center.rising.com.cn
O1 - Hosts: 61.152.244.167 up.duba.net
O1 - Hosts: 61.152.244.167 shadu.baidu.com
O1 - Hosts: 61.152.244.167 security.symantec.com
O1 - Hosts: 61.152.244.167 shadu.duba.net
O1 - Hosts: 61.152.244.167 online.jiangmin.com
O1 - Hosts: 61.152.244.167 cn.mcafee.com
O1 - Hosts: 61.152.244.167  www.ahn.com.cnO1 - Hosts: 61.152.244.167  www.kaspersky.com.cnO1 - Hosts: 61.152.244.167  www.pcav.cnO1 - Hosts: 61.152.244.167 mopery.hits.io
O1 - Hosts: 61.152.244.167  www.luosoft.comO1 - Hosts: 61.152.244.167 luosoft.com
O1 - Hosts: 61.152.244.167  www.im286.comO1 - Hosts: 61.152.244.167 bbs.htmlman.net
O1 - Hosts: 61.152.244.167 10000.286er.com
O1 - Hosts: 61.152.244.167 im286.net
O1 - Hosts: 61.152.244.167 cool.47555.com
O1 - Hosts: 61.152.244.167 ju.qihoo.com
O1 - Hosts: 61.152.244.167 bbs.chinaz.com
O1 - Hosts: 222.73.126.115 dnl-cn1.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-cn2.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-cn3.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-cn4.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-cn5.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-cn6.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-cn7.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-cn8.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-cn9.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-cn10.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-cn11.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-cn12.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-cn13.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-cn14.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-cn15.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-eu1.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-eu2.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-eu3.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-eu4.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-eu5.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-eu6.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-eu7.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-eu8.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-eu9.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-eu10.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-eu11.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-eu12.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-eu13.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-eu14.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-eu15.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-us1.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-us2.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-us3.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-us4.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-us5.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-us6.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-us7.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-us8.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-us9.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-us10.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-us11.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-us12.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-us13.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-us14.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-us15.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-ru1.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-ru2.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-ru3.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-ru4.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-ru5.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-ru6.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-ru7.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-ru8.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-ru9.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-ru10.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-ru11.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-ru12.kaspersky-labs.com 

 O2 - BHO CAdLogic Object - {11F09AFD-75AD-4E51-AB43-E09E9351CE16} - C:/Program Files/Common Files/CPUSH/cpush0.dll

O2 - BHO IEAux Class - {7605CC7C-00FD-4A5F-BAFD-828342DE6279} - C:/PROGRA~1/OCINS/ieaux.dll

O4 - HKCU/../Run: [MSetup] C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/install.exe

D:/autorun.inf
/-----
[AutoRun]
open=pnxxupm.exe
shell/open=打开(&O)
shell/open/Command=pnxxupm.exe
shell/open/Default=1
shell/explore=资源管理器(&X)
shell/explore/Command=pnxxupm.exe
-----/
E:/autorun.inf
/-----
[AutoRun]
open=pnxxupm.exe
shell/open=打开(&O)
shell/open/Command=pnxxupm.exe
shell/open/Default=1
shell/explore=资源管理器(&X)
shell/explore/Command=pnxxupm.exe
-----/
F:/autorun.inf
/-----
[AutoRun]
open=pnxxupm.exe
shell/open=打开(&O)
shell/open/Command=pnxxupm.exe
shell/open/Default=1
shell/explore=资源管理器(&X)
shell/explore/Command=pnxxupm.exe
-----/
遭遇修改系统时间、使用映像劫持的xibgptd.exe,netdde32.exe等1

热门文章

最新文章

相关电子书

探索云世界

热门

云计算

大数据

云原生

人工智能

数据库

开发与运维

活动广场

任务中心

训练营

直播

乘风者计划

下载

镜像站

技术资料

遭遇修改系统时间、使用映像劫持的xibgptd.exe,netdde32.exe等1

热门文章

最新文章

相关电子书
