At noon today a netizen told me that the antivirus software on his computer would not start, that any web page containing words like "antivirus" closed by itself, that web.exe kept throwing program errors, and that advertising windows popped up from time to time. He asked me to help through QQ remote assistance.

I first downloaded HijackThis and ProcView from http://endurer.ys168.com. When I ran ProcView it was closed immediately. I renamed HijackThis.exe to h.exe and ran that instead, then used HijackThis's built-in process manager to terminate N Web.exe processes.

Next I downloaded pe_xscan, scanned the machine and analysed the log. The following suspicious items turned up:
/=== pe_xscan 07-07-21 by Purple Endurer
2005-10-19 12:46:14
Windows XP Service Pack 2(5.1.2600)
Administrators group

[System Process] * 0
C:\WINDOWS\system32\RemoteDbg.dll | 2005-10-19 9:13:46
C:\WINDOWS\system32\windhcp.ocx | 2005-10-19 9:14:6
C:\Program Files\QQ2006\q.dll | 2007-4-16 23:54:26
C:\WINDOWS\system32\lazodyn.laz | 2007-4-16 23:54:26 | Microsoft(R) Windows(R) Operating System | 5.1.2600.3119 | Windows NT BASE API Client DLL | (C) Microsoft Corporation. All rights reserved. | 5.1.2600.3119 (xpsp_sp2_gdr.070416-1301) | Microsoft Corporation| ? | kernel32 | kernel32
C:\WINDOWS\system32\1.1 | 1601-1-2 7:8:43
C:\WINDOWS\system32\1mb0pe.l6v | 2004-8-17 12:0:0 | Microsoft(R) Windows(R) Operating System | 5.1.2600.2180 | Advanced Windows 32 Base API | (C) Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | advapi32.dll | advapi32.dll
C:\WINDOWS\system32\dhcpri.dll | 2004-8-4 9:13:52
C:\WINDOWS\system32\mydpri.dll | 2004-8-4 9:14:12
C:\WINDOWS\system32\wgepri.dll | 2004-8-4 9:13:58
C:\WINDOWS\system32\jzgpri.dll | 2004-8-4 9:14:30

C:\WINDOWS\system32\winlogon.exe * 700 | 2004-8-17 12:0:0 | Microsoft(R) Windows(R) Operating System | 5.1.2600.2180 | Windows NT Logon Application | (C) Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | winlogon | WINLOGON.EXE
C:\WINDOWS\system32\jzgpri.dll | 2004-8-4 9:14:30
C:\WINDOWS\system32\45119F1B.DLL | 2005-10-19 10:33:54 | Microsoft(R) Windows(R) Operating System| ?| ? | (C) Microsoft Corporation. All rights reserved.| ? | Microsoft Corporation| ?| ?| ?

C:\WINDOWS\system32\services.exe * 748 | 2004-8-17 12:0:0 | Microsoft(R) Windows(R) Operating System | 5.1.2600.2180 | Services and Controller app | (C) Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | services.exe | services.exe
C:\WINDOWS\system32\jzgpri.dll | 2004-8-4 9:14:30

C:\WINDOWS\system32\lsass.exe * 760 | 2004-8-17 12:0:0 | Microsoft® Windows® Operating System | 5.1.2600.2180 | LSA Shell (Export Version) | © Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | lsass.exe | lsass.exe
C:\WINDOWS\system32\jzgpri.dll | 2004-8-4 9:14:30

C:\WINDOWS\system32\svchost.exe * 928 | 2004-8-17 12:0:0 | Microsoft® Windows® Operating System | 5.1.2600.2180 | Generic Host Process for Win32 Services | © Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | svchost.exe | svchost.exe
C:\WINDOWS\system32\jzgpri.dll | 2004-8-4 9:14:30

C:\WINDOWS\Explorer.EXE * 1900 | 2004-8-17 12:0:0 | Microsoft(R) Windows(R) Operating System | 6.00.2900.2180 | Windows Explorer | (C) Microsoft Corporation. All rights reserved. | 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | explorer | EXPLORER.EXE
C:\WINDOWS\system32\jzgpri.dll | 2004-8-4 9:14:30
C:\WINDOWS\KB908024.log | 2005-10-19 10:32:52
C:\WINDOWS\system32\JQXELW.dll | 2007-4-16 23:54:26
C:\WINDOWS\system32\dhcpri.dll | 2004-8-4 9:13:52
C:\WINDOWS\system32\wgepri.dll | 2004-8-4 9:13:58
C:\WINDOWS\system32\mydpri.dll | 2004-8-4 9:14:12
C:\WINDOWS\system32\1.1 | 1601-1-2 7:8:43
C:\WINDOWS\system32\45119F1B.DLL | 2005-10-19 10:33:54 | Microsoft(R) Windows(R) Operating System| ?| ? | (C) Microsoft Corporation. All rights reserved.| ? | Microsoft Corporation| ?| ?| ?
C:\WINDOWS\netdde32.exe | 2005-10-19 9:19:16
C:\WINDOWS\system32\netdde32.exe | 2005-10-19 9:19:16
C:\Program Files\QQ2006\q.dll | 2007-4-16 23:54:26
C:\WINDOWS\system32\MsHttpApp.dll | 2007-3-5 17:9:26 | MsHttpApp | 1.0.0.1 | MsHttpApp | Microsoft Corporation. All rights reserved. | 1.0.0.1 | Microsoft Corporation| ? | MsHttpApp.dll | MsHttpApp.dll

C:\Program Files\Common Files\Microsoft Shared\xibgptd.exe * 160 | 2005-10-19 8:7:52
C:\WINDOWS\system32\jzgpri.dll | 2004-8-4 9:14:30
C:\WINDOWS\system32\dhcpri.dll | 2004-8-4 9:13:52

C:\Program Files\OCINS\idnsvr.exe * 192 | 2007-8-10 8:4:18 | | 2, 6, 0, 0 | Internationalized Domain Name support module | Copyright CNNIC 2006 - 2007 | 2, 6, 0, 0 | China Internet Network Information Center (CNNIC) | | idnsvr | idnsvr.exe
C:\Program Files\OCINS\idnsvr.exe | 2007-8-10 8:4:18 | | 2, 6, 0, 0 | Internationalized Domain Name support module | Copyright CNNIC 2006 - 2007 | 2, 6, 0, 0 | China Internet Network Information Center (CNNIC) | | idnsvr | idnsvr.exe
C:\Program Files\OCINS\idnsvr.dll | 2007-8-10 8:4:50 | | 2, 6, 0, 0 | Internationalized Domain Name support module | Copyright CNNIC 2006 - 2007 | 2, 6, 0, 2 | China Internet Network Information Center (CNNIC) | | idnsvr | idnsvr.dll
C:\WINDOWS\system32\1.1 | 1601-1-2 7:8:43
C:\WINDOWS\system32\lazodyn.laz | 2007-4-16 23:54:26 | Microsoft(R) Windows(R) Operating System | 5.1.2600.3119 | Windows NT BASE API Client DLL | (C) Microsoft Corporation. All rights reserved. | 5.1.2600.3119 (xpsp_sp2_gdr.070416-1301) | Microsoft Corporation| ? | kernel32 | kernel32
C:\WINDOWS\system32\dhcpri.dll | 2004-8-4 9:13:52

C:\Program Files\Common Files\System\xmjisnw.exe * 200 | 2005-10-19 8:7:52
C:\WINDOWS\system32\jzgpri.dll | 2004-8-4 9:14:30
C:\WINDOWS\system32\dhcpri.dll | 2004-8-4 9:13:52

C:\WINDOWS\system32\ctfmon.exe * 240 | 2004-8-17 12:0:0 | Microsoft® Windows® Operating System | 5.1.2600.2180 | CTF Loader | © Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | CTFMON | CTFMON.EXE
C:\WINDOWS\system32\jzgpri.dll | 2004-8-4 9:14:30
C:\WINDOWS\system32\1.1 | 1601-1-2 7:8:43
C:\WINDOWS\system32\lazodyn.laz | 2007-4-16 23:54:26 | Microsoft(R) Windows(R) Operating System | 5.1.2600.3119 | Windows NT BASE API Client DLL | (C) Microsoft Corporation. All rights reserved. | 5.1.2600.3119 (xpsp_sp2_gdr.070416-1301) | Microsoft Corporation| ? | kernel32 | kernel32
C:\WINDOWS\system32\dhcpri.dll | 2004-8-4 9:13:52

C:\WINDOWS\svrsvc.exe * 500 | 2004-8-17 12:0:0
C:\WINDOWS\svrsvc.exe | 2004-8-17 12:0:0
C:\WINDOWS\system32\RemoteDbg.dll | 2005-10-19 9:13:46
C:\WINDOWS\system32\jzgpri.dll | 2004-8-4 9:14:30

C:\WINDOWS\system32\dllcache\1028\svchost.exe * 780 | 2007-8-10 8:4:14 | Microsoft(R) Windows(R) Operating System| ?| ? | (C) Microsoft Corporation. All rights reserved.| ? | Microsoft Corporation| ?| ?| ?
C:\WINDOWS\system32\jzgpri.dll | 2004-8-4 9:14:30
C:\WINDOWS\system32\RemoteDbg.dll | 2005-10-19 9:13:46

C:\Program Files\QQ2006\QQ.exe * 2144 | 2007-5-11 19:30:50 | QQ | 7,0,225,1651 | QQ | Copyright (C) 1998 - 2007 TENCENT Inc. All Rights Reserved | 7,0,225,1651 | TENCENT | | COMQQD | QQ.exe
C:\WINDOWS\system32\jzgpri.dll | 2004-8-4 9:14:30
C:\WINDOWS\system32\1.1 | 1601-1-2 7:8:43
C:\WINDOWS\system32\lazodyn.laz | 2007-4-16 23:54:26 | Microsoft(R) Windows(R) Operating System | 5.1.2600.3119 | Windows NT BASE API Client DLL | (C) Microsoft Corporation. All rights reserved. | 5.1.2600.3119 (xpsp_sp2_gdr.070416-1301) | Microsoft Corporation| ? | kernel32 | kernel32
C:\WINDOWS\system32\RemoteDbg.dll | 2005-10-19 9:13:46
C:\WINDOWS\system32\windhcp.ocx | 2005-10-19 9:14:6
C:\Program Files\QQ2006\q.dll | 2007-4-16 23:54:26
C:\WINDOWS\system32\dhcpri.dll | 2004-8-4 9:13:52
C:\WINDOWS\system32\1mb0pe.l6v | 2004-8-17 12:0:0 | Microsoft(R) Windows(R) Operating System | 5.1.2600.2180 | Advanced Windows 32 Base API | (C) Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | advapi32.dll | advapi32.dll
C:\WINDOWS\system32\mydpri.dll | 2004-8-4 9:14:12
C:\WINDOWS\system32\wgepri.dll | 2004-8-4 9:13:58
C:\WINDOWS\system32\JQXELW.dll | 2007-4-16 23:54:26

C:\Program Files\QQ2006\TIMPlatform.exe * 2252 | 2007-5-11 15:17:20 | QQ | 7,0,208,1651 | TIMPlatform | Copyright © 2005 - 2007 TENCENT Inc. All Rights Reserved | 7,0,225,1651 | TENCENT | | TIMPlatform | TIMPlatform.exe
C:\WINDOWS\system32\RemoteDbg.dll | 2005-10-19 9:13:46
C:\WINDOWS\system32\windhcp.ocx | 2005-10-19 9:14:6
C:\Program Files\QQ2006\q.dll | 2007-4-16 23:54:26
C:\WINDOWS\system32\lazodyn.laz | 2007-4-16 23:54:26 | Microsoft(R) Windows(R) Operating System | 5.1.2600.3119 | Windows NT BASE API Client DLL | (C) Microsoft Corporation. All rights reserved. | 5.1.2600.3119 (xpsp_sp2_gdr.070416-1301) | Microsoft Corporation| ? | kernel32 | kernel32
C:\WINDOWS\system32\1.1 | 1601-1-2 7:8:43
C:\WINDOWS\system32\dhcpri.dll | 2004-8-4 9:13:52

C:\WINDOWS\system32\rundll32.exe * 3972 | 2004-8-17 12:0:0 | Microsoft(R) Windows(R) Operating System | 5.1.2600.2180 | Run a DLL as an App | (C) Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | rundll | RUNDLL.EXE
C:\WINDOWS\system32\RemoteDbg.dll | 2005-10-19 9:13:46
C:\WINDOWS\system32\windhcp.ocx | 2005-10-19 9:14:6
C:\WINDOWS\system32\JQXELW.dll | 2007-4-16 23:54:26
C:\Program Files\QQ2006\q.dll | 2007-4-16 23:54:26
C:\WINDOWS\system32\1.1 | 1601-1-2 7:8:43
C:\WINDOWS\system32\dhcpri.dll | 2004-8-4 9:13:52

F2 - REG: system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe

O1 - Hosts: 61.152.244.167 search.114.vnet.cn
O1 - Hosts: 61.152.244.167 auto.search.msn.com
O1 - Hosts: 61.152.244.167 www.hao123.com
O1 - Hosts: 61.152.244.167 hao123.com
O1 - Hosts: 61.152.244.167 www.360safe.com
O1 - Hosts: 61.152.244.167 360safe.com
O1 - Hosts: 222.73.126.115 update.360safe.com
O1 - Hosts: 61.152.244.167 dl.360safe.com
O1 - Hosts: 61.152.244.167 bbs.360safe.com
O1 - Hosts: 61.152.244.167 www.btbaicai.com
O1 - Hosts: 61.152.244.167 btbaicai.com
O1 - Hosts: 61.152.244.167 www.pctutu.com
O1 - Hosts: 61.152.244.167 www.7322.com
O1 - Hosts: 61.152.244.167 www.5566.net
O1 - Hosts: 61.152.244.167 www.9991.com
O1 - Hosts: 61.152.244.167 9991.com
O1 - Hosts: 61.152.244.167 forum.ikaka.com
O1 - Hosts: 61.152.244.167 www.ikaka.com
O1 - Hosts: 222.73.126.115 update.ikaka.com
O1 - Hosts: 61.152.244.167 forum.jiangmin.com
O1 - Hosts: 222.73.126.115 update.jiangmin.com
O1 - Hosts: 61.152.244.167 post.baidu.com
O1 - Hosts: 222.73.126.115 update.rising.com.cn
O1 - Hosts: 61.152.244.167 online.rising.com.cn
O1 - Hosts: 222.73.126.115 center.rising.com.cn
O1 - Hosts: 61.152.244.167 up.duba.net
O1 - Hosts: 61.152.244.167 shadu.baidu.com
O1 - Hosts: 61.152.244.167 security.symantec.com
O1 - Hosts: 61.152.244.167 shadu.duba.net
O1 - Hosts: 61.152.244.167 online.jiangmin.com
O1 - Hosts: 61.152.244.167 cn.mcafee.com
O1 - Hosts: 61.152.244.167 www.ahn.com.cn
O1 - Hosts: 61.152.244.167 www.kaspersky.com.cn
O1 - Hosts: 61.152.244.167 www.pcav.cn
O1 - Hosts: 61.152.244.167 mopery.hits.io
O1 - Hosts: 61.152.244.167 www.luosoft.com
O1 - Hosts: 61.152.244.167 luosoft.com
O1 - Hosts: 61.152.244.167 www.im286.com
O1 - Hosts: 61.152.244.167 bbs.htmlman.net
O1 - Hosts: 61.152.244.167 10000.286er.com
O1 - Hosts: 61.152.244.167 im286.net
O1 - Hosts: 61.152.244.167 cool.47555.com
O1 - Hosts: 61.152.244.167 ju.qihoo.com
O1 - Hosts: 61.152.244.167 bbs.chinaz.com
O1 - Hosts: 222.73.126.115 dnl-cn1.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-cn2.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-cn3.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-cn4.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-cn5.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-cn6.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-cn7.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-cn8.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-cn9.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-cn10.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-cn11.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-cn12.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-cn13.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-cn14.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-cn15.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-eu1.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-eu2.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-eu3.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-eu4.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-eu5.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-eu6.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-eu7.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-eu8.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-eu9.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-eu10.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-eu11.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-eu12.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-eu13.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-eu14.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-eu15.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-us1.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-us2.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-us3.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-us4.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-us5.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-us6.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-us7.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-us8.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-us9.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-us10.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-us11.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-us12.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-us13.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-us14.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-us15.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-ru1.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-ru2.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-ru3.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-ru4.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-ru5.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-ru6.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-ru7.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-ru8.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-ru9.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-ru10.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-ru11.kaspersky-labs.com
O1 - Hosts: 222.73.126.115 dnl-ru12.kaspersky-labs.com

O2 - BHO CAdLogic Object - {11F09AFD-75AD-4E51-AB43-E09E9351CE16} - C:\Program Files\Common Files\CPUSH\cpush0.dll
O2 - BHO IEAux Class - {7605CC7C-00FD-4A5F-BAFD-828342DE6279} - C:\PROGRA~1\OCINS\ieaux.dll

O4 - HKCU\..\Run: [MSetup] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\install.exe

D:\autorun.inf
/-----
[AutoRun]
open=pnxxupm.exe
shell\open=Open(&O)
shell\open\Command=pnxxupm.exe
shell\open\Default=1
shell\explore=Explorer(&X)
shell\explore\Command=pnxxupm.exe
-----/

E:\autorun.inf
/-----
[AutoRun]
open=pnxxupm.exe
shell\open=Open(&O)
shell\open\Command=pnxxupm.exe
shell\open\Default=1
shell\explore=Explorer(&X)
shell\explore\Command=pnxxupm.exe
-----/

F:\autorun.inf
/-----
[AutoRun]
open=pnxxupm.exe
shell\open=Open(&O)
shell\open\Command=pnxxupm.exe
shell\open\Default=1
shell\explore=Explorer(&X)
shell\explore\Command=pnxxupm.exe
-----/
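The log above has three patterns worth turning into a repeatable check rather than eyeballing: files with random names whose version resource claims to be kernel32 or advapi32 (lazodyn.laz, 1mb0pe.l6v), a file stamped 1601 (the zero value of a Windows FILETIME, so the timestamp was wiped or forged), a core binary name running from a non-standard directory (svchost.exe under dllcache\1028), and a hosts file that points antivirus update and download hosts at two non-loopback addresses so the AV cannot update. Note also that the scan header reads 2005-10-19 while several files carry 2007 stamps, so no timestamp on this box can be trusted on its own. The script below is an added example for this post; it is not part of pe_xscan, HijackThis or the original article. The order of the version-resource fields after the timestamp is an assumption inferred from the log (the last field is taken as OriginalFilename), the canonical-directory table assumes an XP system drive of C:, and the sample lines are copied from the log with one constructed 127.0.0.1 control line.

```python
"""Triage pe_xscan-style module lines and HijackThis-style O1 hosts entries.
Added example, not pe_xscan's or HijackThis's own code. Field order after the
timestamp is an assumption inferred from the log: the last field is OriginalFilename."""
import re
from datetime import datetime

# Where a few XP core binaries legitimately live (assumption: system drive C:).
CANONICAL_DIR = {
    "svchost.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
}

# Security-vendor domains that appear redirected in the log (suffix match).
VENDOR_SUFFIXES = (
    "360safe.com", "kaspersky-labs.com", "kaspersky.com.cn", "rising.com.cn",
    "jiangmin.com", "duba.net", "symantec.com", "mcafee.com", "ikaka.com",
)

# Sample input copied from the log above (separators normalised to backslashes).
SAMPLE_MODULES = r"""
C:\WINDOWS\system32\winlogon.exe * 700 | 2004-8-17 12:0:0 | Microsoft(R) Windows(R) Operating System | 5.1.2600.2180 | Windows NT Logon Application | (C) Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | winlogon | WINLOGON.EXE
C:\WINDOWS\system32\lazodyn.laz | 2007-4-16 23:54:26 | Microsoft(R) Windows(R) Operating System | 5.1.2600.3119 | Windows NT BASE API Client DLL | (C) Microsoft Corporation. All rights reserved. | 5.1.2600.3119 (xpsp_sp2_gdr.070416-1301) | Microsoft Corporation| ? | kernel32 | kernel32
C:\WINDOWS\system32\1.1 | 1601-1-2 7:8:43
C:\WINDOWS\system32\1mb0pe.l6v | 2004-8-17 12:0:0 | Microsoft(R) Windows(R) Operating System | 5.1.2600.2180 | Advanced Windows 32 Base API | (C) Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | advapi32.dll | advapi32.dll
C:\WINDOWS\system32\dllcache\1028\svchost.exe * 780 | 2007-8-10 8:4:14 | Microsoft(R) Windows(R) Operating System| ?| ? | (C) Microsoft Corporation. All rights reserved.| ? | Microsoft Corporation| ?| ?| ?
"""
# Five O1 lines from the log plus one constructed 127.0.0.1 line as a control case.
SAMPLE_HOSTS = """
O1 - Hosts: 61.152.244.167 www.hao123.com
O1 - Hosts: 61.152.244.167 www.360safe.com
O1 - Hosts: 222.73.126.115 update.360safe.com
O1 - Hosts: 222.73.126.115 dnl-cn1.kaspersky-labs.com
O1 - Hosts: 61.152.244.167 security.symantec.com
O1 - Hosts: 127.0.0.1 ads.example.invalid
"""


def parse_module_line(line):
    """Split 'path [* pid] | mtime | version fields...' into a dict."""
    parts = [p.strip() for p in line.split("|")]
    head, pid = parts[0], None
    m = re.match(r"^(.*?)\s*\*\s*(\d+)$", head)
    if m:
        head, pid = m.group(1).strip(), int(m.group(2))
    mtime = None
    if len(parts) > 1:
        try:  # pe_xscan prints unpadded fields such as '2004-8-17 12:0:0'
            mtime = datetime.strptime(parts[1], "%Y-%m-%d %H:%M:%S")
        except ValueError:
            pass
    version = parts[2:]
    # Assumed layout: OriginalFilename is the last version field; '?' means absent.
    original = version[-1] if version and version[-1] != "?" else None
    return {"path": head, "pid": pid, "mtime": mtime, "original": original}


def triage_modules(text):
    """Return (path, reason) for every module line that trips a rule."""
    findings = []
    for line in text.splitlines():
        if "|" not in line:
            continue
        mod = parse_module_line(line)
        path = mod["path"]
        directory, _, name = path.replace("/", "\\").lower().rpartition("\\")
        stem = name.rsplit(".", 1)[0]
        # Rule 1: a FILETIME at the 1601 epoch means the timestamp was zeroed or forged.
        if mod["mtime"] is not None and mod["mtime"].year <= 1601:
            findings.append((path, "invalid FILETIME (1601 epoch)"))
        # Rule 2: version resource names a core DLL but the file on disk is called something else.
        if mod["original"] and mod["original"].lower().rsplit(".", 1)[0] != stem:
            findings.append((path, f"version resource says {mod['original']}, file is {name}"))
        # Rule 3: a core binary running from outside its canonical directory.
        canon = CANONICAL_DIR.get(name)
        if canon and directory != canon:
            findings.append((path, f"{name} outside {canon}"))
    return findings


def triage_hosts(text):
    """Return ([(host, ip)] for vendor names sent to a non-loopback address,
    {ip: [hosts]} for every non-loopback redirect target)."""
    findings, by_ip = [], {}
    for line in text.splitlines():
        m = re.match(r"^O1 - Hosts:\s+(\S+)\s+(\S+)", line.strip())
        if not m:
            continue
        ip, host = m.groups()
        if ip.startswith(("127.", "0.0.0.0")):
            continue  # plain blocking; the sinkhole-style redirect is what matters here
        by_ip.setdefault(ip, []).append(host)
        if host.lower().endswith(VENDOR_SUFFIXES):
            findings.append((host, ip))
    return findings, by_ip


if __name__ == "__main__":
    for path, reason in triage_modules(SAMPLE_MODULES):
        print(f"[module] {path}: {reason}")
    hits, by_ip = triage_hosts(SAMPLE_HOSTS)
    for host, ip in hits:
        print(f"[hosts]  {host} -> {ip}")
    for ip, hosts in by_ip.items():
        print(f"[hosts]  {ip} receives {len(hosts)} hijacked name(s)")
```

On the sample above the module rules flag exactly lazodyn.laz, 1.1, 1mb0pe.l6v and the dllcache\1028 copy of svchost.exe while the genuine winlogon.exe passes; the hosts rules flag the four vendor names and group all non-loopback redirects by target IP, which is the quickest way to see that two addresses absorb the whole AV ecosystem. Feed it the full log by reading the file instead of the embedded strings; a hosts entry that still points at 127.0.0.1 is deliberately left alone because that is the one legitimate use of the hosts file for blocking.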