Rootkit.Win32.KernelBot, RootKit.Win32.Mnless, Trojan.Win32.Patched, Backdoor.Win32.RWX and others (1)
Original article by endurer
2008-07-14, 1st edition
A friend's computer has recently become very slow, and QQ keeps prompting that it needs to be activated. Suspecting the machine was infected with a password-stealing trojan, he asked me to help check it.
I downloaded pe_xscan and ran it, terminated the explorer.exe process with Task Manager, then scanned and analyzed the log. The following suspicious items were found:
pe_xscan 08-07-01 by Purple Endurer
2008-7-11 17:38:5
Windows XP Service Pack 2(5.1.2600)
MSIE:6.0.2900.2180
管理员用户组
正常模式
C:/WINDOWS/system32/winlogon.exe* 992 | 2004-8-17 12:0:0 | Microsoft(R) Windows(R) Operating System | 5.1.2600.2180 | Windows NT Logon Application | (C) Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | winlogon |
C:/WINDOWS/System32/wbem/wmideprv.dll | 2008-4-15 11:56:11 | Microsoft(R) Windows(R) Operating System | 5.1.2600.2180 | WMI | (C) Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | wmisvc.dll |
C:/WINDOWS/system32/winlib .dll
C:/WINDOWS/system32/svchost.exe* 1236 | 2004-8-17 12:0:0 | Microsoft? Windows? Operating System | 5.1.2600.2180 | Generic Host Process for Win32 Services | ? Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | svchost.exe |
C:/WINDOWS/system32/Proxy.Dll | 2004-8-17 12:0:0 | COM Services | 03.00.00.4414| ? | Copyright (C) Microsoft Corp. 1995-1999 | 2001.12.4414.308 | Microsoft Corporation | Microsoft(R) is a registered trademark of Microsoft Corporation. Windows(TM) is a trademark of Microsoft Corporation | COLBACT.DLL|
C:/WINDOWS/system32/svchost.exe* 1380 | 2004-8-17 12:0:0 | Microsoft? Windows? Operating System | 5.1.2600.2180 | Generic Host Process for Win32 Services | ? Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | svchost.exe |
C:/WINDOWS/system32/Proxy.Dll | 2004-8-17 12:0:0 | COM Services | 03.00.00.4414| ? | Copyright (C) Microsoft Corp. 1995-1999 | 2001.12.4414.308 | Microsoft Corporation | Microsoft(R) is a registered trademark of Microsoft Corporation. Windows(TM) is a trademark of Microsoft Corporation | COLBACT.DLL|
C:/WINDOWS/system32/svchost.exe* 1464 | 2004-8-17 12:0:0 | Microsoft? Windows? Operating System | 5.1.2600.2180 | Generic Host Process for Win32 Services | ? Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | svchost.exe |
C:/WINDOWS/System32/Proxy.Dll | 2004-8-17 12:0:0 | COM Services | 03.00.00.4414| ? | Copyright (C) Microsoft Corp. 1995-1999 | 2001.12.4414.308 | Microsoft Corporation | Microsoft(R) is a registered trademark of Microsoft Corporation. Windows(TM) is a trademark of Microsoft Corporation | COLBACT.DLL|
O2 - BHO 网站排名工具条BHO - {489873CE-F3E1-44A3-8E89-04BE26BE4446} = C:/Program Files/zzToolBar/Toolbar_bho.dll |
O2 - BHO - {54FAE856-AD58-20CB-A025-CD4895FA6E45} = C:/WINDOWS/system32/pjjxedwd.dll |
O2 - BHO - {6E091341-6715-2098-51F0-178367AE53E6} = C:/WINDOWS/system32/fgfsbkuy.dll |
O9 - IE工具栏扩展按钮HKLM:知识库 - {06926B30-424E-4f1c-8EE3-543CD96573DC} - hxxp://blank.la/?h
O9 - IE工具菜单扩展项HKLM: - {06926B30-424E-4f1c-8EE3-543CD96573DC} - hxxp://blank.la/?h
O20 - AppInit_DLLs =zembila.dll,msbod.dll,quaryfy.dll,verpthr.dll,wpuplder.dll,padlod.dll,jordspa.dll,verptw.dll
O20 - Winlogon Notify: WmiApSrv - C:/WINDOWS/System32/wbem/wmideprv.dll |
O23 - 服务: acpidisk (acpidisk) - C:/WINDOWS/system32/drivers/acpidisk.sys |
O23 - 服务: apcdli (apcdli) - C:/Program Files/Microsoft Office/SYSTEM/apcdli.sys (自动)
O23 - 服务: Connection Sharing (ICEKERS) (Winddows system32 services) - C:/Documents and Settings/All Users/s2.exe (自动)
O23 - 服务: ntptdb () - C:/Documents and Settings/All Users/Application Data/Microsoft/Office/SYSTEM/ntptdb.sys (自动)
O23 - 服务: Spcvlsvs (Spcvl Srv) - C:/WINDOWS/system32/Spcvls.exe |
O23 - 服务: SpcvlsvsDrv (SpcvlsvsDrv) - C:/WINDOWS/system32/Spcvls.sys (手动)
O23 - 服务: tyts9 (tyts9) - System32/DRIVERS/tyts9.sys (引导)
O23 - 服务: WmiAcpi (Microsoft Windows Management Interface for ACPI) - system32/DRIVERS/wmiacpi.sys |
O23 - 服务: xbn3u0q (xbn3u0q) - system32/drivers/xbn3u0q.sys |
O24 - ShlExecHook: [MICROSOFT] - {E8A3B193-77E3-4FB3-986D-F4FA4828BAFC} = C:/WINDOWS/system32/wklsdd.dll
O24 - ShlExecHook: [MICROSOFT] - {C0595A7E-2E2F-4B34-A83A-019270A0A464} = C:/WINDOWS/system32/tdffdl.dll
O24 - ShlExecHook: [MICROSOFT] - {8C41B7F7-3168-400D-A702-0E7EFE0BA304} = C:/WINDOWS/system32/sgrefg.dll
O24 - ShlExecHook: [MICROSOFT] - {6E6CA8A1-81BC-4707-A54C-F4903DD70BAD} = C:/WINDOWS/system32/zgxfdx.dll
O24 - ShlExecHook: [MICROSOFT] - {17DFD111-BF3A-4CB4-ADB0-88FCBFE69821} = C:/WINDOWS/system32/hhrdxd.dll
O24 - ShlExecHook: [MICROSOFT] - {EA5D4B0E-B8CE-4761-8C7E-5D26369F0EC6} = C:/WINDOWS/system32/fsrgeb.dll
O24 - ShlExecHook: [MICROSOFT] - {7E54996D-821E-4631-87FA-406383955A10} = C:/WINDOWS/system32/qdsrfn.dll
O24 - ShlExecHook: [MICROSOFT] - {1E51C0FD-EE36-434B-AD2A-FD1FF3731C38} = C:/WINDOWS/system32/wyrsdj.dll
O24 - ShlExecHook: [MICROSOFT] - {45AADFAA-DD36-42AB-83AD-0521BBF58C24} = C:/WINDOWS/system32/zgrjdx.dll
O24 - ShlExecHook: [5] - {54FAE856-AD58-20CB-A025-CD4895FA6E45} = C:/WINDOWS/system32/pjjxedwd.dll |
O24 - ShlExecHook: [MICROSOFT] - {189F087F-4378-405F-85FA-37D955AD7A8C} = C:/WINDOWS/system32/mtewdh.dll
O24 - ShlExecHook: [6] - {6E091341-6715-2098-51F0-178367AE53E6} = C:/WINDOWS/system32/fgfsbkuy.dll |
O24 - ShlExecHook: [MICROSOFT] - {84143967-B645-4BFF-B873-DA1DC886E9A7} = C:/WINDOWS/system32/cedafb.dll
O24 - ShlExecHook: [3] - {3D698451-2015-6358-9871-2015987452D3} = 3
O24 - ShlExecHook: [6] - {6C648541-1025-9650-9057-6541258720C6} = 6
O26 - IFEO: adam.exe -> C:/WINDOWS/system32/svchost.exe
O26 - IFEO: AgentSvr.exe -> C:/WINDOWS/system32/svchost.exe
O26 - IFEO: AppSvc32.exe -> C:/WINDOWS/system32/svchost.exe
O26 - IFEO: ati2evxx.exe -> C:/WINDOWS/system32/svchost.exe
O26 - IFEO: autoruns.exe -> C:/WINDOWS/system32/svchost.exe
O26 - IFEO: avconsol.exe -> C:/WINDOWS/system32/svchost.exe
O26 - IFEO: avgrssvc.exe -> C:/WINDOWS/system32/svchost.exe
O26 - IFEO: AvMonitor.exe -> C:/WINDOWS/system32/svchost.exe
O26 - IFEO: avp.com -> C:/WINDOWS/system32/svchost.exe
O26 - IFEO: avp.exe -> C:/WINDOWS/system32/svchost.exe
O26 - IFEO: CCenter.exe -> C:/WINDOWS/system32/svchost.exe
O26 - IFEO: ccSvcHst.exe -> C:/WINDOWS/system32/svchost.exe
O26 - IFEO: egui.exe -> C:/WINDOWS/system32/svchost.exe
O26 - IFEO: esafe.exe -> C:/WINDOWS/system32/svchost.exe
O26 - IFEO: FileDsty.exe -> C:/WINDOWS/system32/svchost.exe
O26 - IFEO: FTCleanerShell.exe -> C:/WINDOWS/system32/svchost.exe
O26 - IFEO: HijackThis.exe -> C:/WINDOWS/system32/svchost.exe
O26 - IFEO: IceSword.exe -> C:/WINDOWS/system32/svchost.exe
O26 - IFEO: idag.exe -> C:/WINDOWS/system32/svchost.exe
O26 - IFEO: Iparmor.exe -> C:/WINDOWS/system32/svchost.exe
O26 - IFEO: isPwdSvc.exe -> C:/WINDOWS/system32/svchost.exe
O26 - IFEO: kabaload.exe -> C:/WINDOWS/system32/svchost.exe
O26 - IFEO: kaccore.exe -> C:/WINDOWS/system32/svchost.exe
O26 - IFEO: KaScrScn.SCR -> C:/WINDOWS/system32/svchost.exe
O26 - IFEO: KASMain.exe -> C:/WINDOWS/system32/svchost.exe
O26 - IFEO: KASTask.exe -> C:/WINDOWS/system32/svchost.exe
O26 - IFEO: KAV32.exe -> C:/WINDOWS/system32/svchost.exe
O26 - IFEO: KAVDX.exe -> C:/WINDOWS/system32/svchost.exe
O26 - IFEO: KAVPF.exe -> C:/WINDOWS/system32/svchost.exe
O26 - IFEO: KAVPFW.exe -> C:/WINDOWS/system32/svchost.exe
O26 - IFEO: KAVSetup.exe -> C:/WINDOWS/system32/svchost.exe
O26 - IFEO: KAVStart.exe -> C:/WINDOWS/system32/svchost.exe
O26 - IFEO: kavsvc.exe -> C:/WINDOWS/system32/svchost.exe
O26 - IFEO: KAVsvcUI.exe -> C:/WINDOWS/system32/svchost.exe
O26 - IFEO: KISLnchr.exe -> C:/WINDOWS/system32/svchost.exe
O26 - IFEO: kissvc.exe -> C:/WINDOWS/system32/svchost.exe
O26 - IFEO: KMailMon.exe -> C:/WINDOWS/system32/svchost.exe
O26 - IFEO: KMFilter.exe -> C:/WINDOWS/system32/svchost.exe
O26 - IFEO: KPFW32.exe -> C:/WINDOWS/system32/svchost.exe
O26 - IFEO: kpfwsvc.exe -> C:/WINDOWS/system32/svchost.exe
O26 - IFEO: KPPMain.exe -> C:/WINDOWS/system32/svchost.exe
O26 - IFEO: KRegEx.exe -> C:/WINDOWS/system32/svchost.exe
O26 - IFEO: KRepair.com -> C:/WINDOWS/system32/svchost.exe
O26 - IFEO: KsLoader.exe -> C:/WINDOWS/system32/svchost.exe
O26 - IFEO: KVCenter.kxp -> C:/WINDOWS/system32/svchost.exe
O26 - IFEO: KvDetect.exe -> C:/WINDOWS/system32/svchost.exe
O26 - IFEO: KVFW.EXE -> C:/WINDOWS/system32/svchost.exe
O26 - IFEO: KvfwMcl.exe -> C:/WINDOWS/system32/svchost.exe
O26 - IFEO: KVMonXP_1.kxp -> C:/WINDOWS/system32/svchost.exe
O26 - IFEO: kvol.exe -> C:/WINDOWS/system32/svchost.exe
O26 - IFEO: kvolself.exe -> C:/WINDOWS/system32/svchost.exe
O26 - IFEO: KvReport.kxp -> C:/WINDOWS/system32/svchost.exe
O26 - IFEO: KVScan.kxp -> C:/WINDOWS/system32/svchost.exe
O26 - IFEO: KVsrvXP.exe -> C:/WINDOWS/system32/svchost.exe
O26 - IFEO: KVStub.kxp -> C:/WINDOWS/system32/svchost.exe
O26 - IFEO: kvupload.exe -> C:/WINDOWS/system32/svchost.exe
O26 - IFEO: KVwsc.exe -> C:/WINDOWS/system32/svchost.exe
O26 - IFEO: kwatch.exe -> C:/WINDOWS/system32/svchost.exe
O26 - IFEO: KWatch9x.exe -> C:/WINDOWS/system32/svchost.exe
O26 - IFEO: KWatchX.exe -> C:/WINDOWS/system32/svchost.exe
O26 - IFEO: MagicSet.exe -> C:/WINDOWS/system32/svchost.exe
O26 - IFEO: mcconsol.exe -> C:/WINDOWS/system32/svchost.exe
O26 - IFEO: mmqczj.exe -> C:/WINDOWS/system32/svchost.exe
O26 - IFEO: mmsk.exe -> C:/WINDOWS/system32/svchost.exe
O26 - IFEO: navapsvc.exe -> C:/WINDOWS/system32/svchost.exe
O26 - IFEO: Navapw32.exe -> C:/WINDOWS/system32/svchost.exe
O26 - IFEO: nod32krn.exe -> C:/WINDOWS/system32/svchost.exe
O26 - IFEO: NPFMntor.exe -> C:/WINDOWS/system32/svchost.exe
O26 - IFEO: OllyDBG.EXE -> C:/WINDOWS/system32/svchost.exe
O26 - IFEO: OllyICE.EXE -> C:/WINDOWS/system32/svchost.exe
O26 - IFEO: PFW.exe -> C:/WINDOWS/system32/svchost.exe
O26 - IFEO: PFWLiveUpdate.exe -> C:/WINDOWS/system32/svchost.exe
O26 - IFEO: procexp.exe -> C:/WINDOWS/system32/svchost.exe
O26 - IFEO: QHSET.exe -> C:/WINDOWS/system32/svchost.exe
O26 - IFEO: qqkav.exe -> C:/WINDOWS/system32/svchost.exe
O26 - IFEO: qqsc.exe -> C:/WINDOWS/system32/svchost.exe
O26 - IFEO: Ras.exe -> C:/WINDOWS/system32/svchost.exe
O26 - IFEO: rav.exe -> C:/WINDOWS/system32/svchost.exe
O26 - IFEO: RAVmon.exe -> C:/WINDOWS/system32/svchost.exe
O26 - IFEO: RAVmonD.exe -> C:/WINDOWS/system32/svchost.exe
O26 - IFEO: ravstub.exe -> C:/WINDOWS/system32/svchost.exe
O26 - IFEO: ravtask.exe -> C:/WINDOWS/system32/svchost.exe
O26 - IFEO: ravtimer.exe -> C:/WINDOWS/system32/svchost.exe
O26 - IFEO: ravtool.exe -> C:/WINDOWS/system32/svchost.exe
O26 - IFEO: RegClean.exe -> C:/WINDOWS/system32/svchost.exe
O26 - IFEO: regtool.exe -> C:/WINDOWS/system32/svchost.exe
O26 - IFEO: rfwmain.exe -> C:/WINDOWS/system32/svchost.exe
O26 - IFEO: rfwproxy.exeFYFireWall.exe -> C:/WINDOWS/system32/svchost.exe
O26 - IFEO: rfwsrv.exe -> C:/WINDOWS/system32/svchost.exe
O26 - IFEO: rfwstub.exe -> C:/WINDOWS/system32/svchost.exe
O26 - IFEO: rising.exe -> C:/WINDOWS/system32/svchost.exe
O26 - IFEO: Rsaupd.exe -> C:/WINDOWS/system32/svchost.exe
O26 - IFEO: runiep.exe -> C:/WINDOWS/system32/svchost.exe
O26 - IFEO: safelive.exe -> C:/WINDOWS/system32/svchost.exe
O26 - IFEO: scan32.exe -> C:/WINDOWS/system32/svchost.exe
O26 - IFEO: shcfg32.exe -> C:/WINDOWS/system32/svchost.exe
O26 - IFEO: SmartUp.exe -> C:/WINDOWS/system32/svchost.exe
O26 - IFEO: SREng.EXE -> C:/WINDOWS/system32/svchost.exe
O26 - IFEO: symlcsvc.exe -> C:/WINDOWS/system32/svchost.exe
O26 - IFEO: SysSafe.exe -> C:/WINDOWS/system32/svchost.exe
O26 - IFEO: TrojanDetector.exe -> C:/WINDOWS/system32/svchost.exe
O26 - IFEO: Trojanwall.exe -> C:/WINDOWS/system32/svchost.exe
O26 - IFEO: TrojDie.kxp -> C:/WINDOWS/system32/svchost.exe
O26 - IFEO: UIHost.exe -> C:/WINDOWS/system32/svchost.exe
O26 - IFEO: UmxAgent.exe -> C:/WINDOWS/system32/svchost.exe
O26 - IFEO: UmxAttachment.exe -> C:/WINDOWS/system32/svchost.exe
O26 - IFEO: UmxCfg.exe -> C:/WINDOWS/system32/svchost.exe
O26 - IFEO: UmxFwHlp.exe -> C:/WINDOWS/system32/svchost.exe
O26 - IFEO: UmxPol.exe -> C:/WINDOWS/system32/svchost.exe
O26 - IFEO: UpLive.exe -> C:/WINDOWS/system32/svchost.exe
O26 - IFEO: vsstat.exe -> C:/WINDOWS/system32/svchost.exe
O26 - IFEO: webscanx.exe -> C:/WINDOWS/system32/svchost.exe
O26 - IFEO: WinDbg.exe -> C:/WINDOWS/system32/svchost.exe
O26 - IFEO: WoptiClean.exe -> C:/WINDOWS/system32/svchost.exe
O29 - HKCU-Start Page = hxxp://about.blank.la?g
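The O26 entries above redirect dozens of security tools (HijackThis, IceSword, procexp, the Kingsoft/Rising/Jiangmin scanners) to svchost.exe through Image File Execution Options, while the O20 AppInit_DLLs and O24 ShlExecHook entries are additional load points for the same infection. As an added triage example (not part of the original post and not pe_xscan's own code), the script below parses those three line types from a pe_xscan log and flags IFEO "debuggers" that are not real debuggers; the KNOWN_DEBUGGERS allow-list is an assumption, and the sample lines are copied from the log above plus one constructed benign IFEO entry.

```python
import re

# Sample input: lines copied from the pe_xscan log above, plus one constructed
# benign IFEO entry (notepad.exe -> windbg.exe) to show the allow-list path.
SAMPLE_LOG = """\
O20 - AppInit_DLLs =zembila.dll,msbod.dll,quaryfy.dll,verpthr.dll,wpuplder.dll,padlod.dll,jordspa.dll,verptw.dll
O24 - ShlExecHook: [MICROSOFT] - {E8A3B193-77E3-4FB3-986D-F4FA4828BAFC} = C:/WINDOWS/system32/wklsdd.dll
O24 - ShlExecHook: [3] - {3D698451-2015-6358-9871-2015987452D3} = 3
O26 - IFEO: HijackThis.exe -> C:/WINDOWS/system32/svchost.exe
O26 - IFEO: IceSword.exe -> C:/WINDOWS/system32/svchost.exe
O26 - IFEO: notepad.exe -> C:/Tools/windbg.exe
"""

IFEO_RE = re.compile(r"^O26 - IFEO: (?P<image>\S+) -> (?P<debugger>.+)$")
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs\s*=\s*(?P<dlls>.*)$")
SHLEXEC_RE = re.compile(
    r"^O24 - ShlExecHook: \[(?P<name>[^\]]*)\] - (?P<clsid>\{[^}]+\}) = (?P<target>.+?)\s*\|?$")

# Hypothetical allow-list: programs that legitimately appear as IFEO Debugger values.
KNOWN_DEBUGGERS = {"windbg.exe", "ntsd.exe", "cdb.exe", "vsjitdebugger.exe", "drwtsn32.exe"}


def classify(line):
    """Return (severity, reason) for one pe_xscan log line, or None if nothing is notable."""
    m = IFEO_RE.match(line)
    if m:
        # An IFEO Debugger value that is not a debugger means the named program is hijacked:
        # launching e.g. IceSword.exe silently runs svchost.exe instead.
        dbg = m.group("debugger").strip().replace("\\", "/").rsplit("/", 1)[-1].lower()
        if dbg not in KNOWN_DEBUGGERS:
            return ("high", f"IFEO for {m.group('image')} redirects to non-debugger {dbg}")
        return ("info", f"IFEO for {m.group('image')} uses debugger {dbg}")
    m = APPINIT_RE.match(line)
    if m and m.group("dlls").strip():
        # AppInit_DLLs are injected into every process that loads user32.dll.
        dlls = [d.strip() for d in m.group("dlls").split(",") if d.strip()]
        return ("high", f"AppInit_DLLs loads {len(dlls)} DLL(s) into every GUI process")
    m = SHLEXEC_RE.match(line)
    if m:
        # ShellExecuteHooks run inside explorer.exe; a non-DLL value is a malformed/cloaked entry.
        target = m.group("target").strip().rstrip("|").strip()
        if not target.lower().endswith(".dll"):
            return ("medium", f"ShlExecHook {m.group('clsid')} has non-DLL target {target!r}")
        return ("medium", f"ShlExecHook {m.group('clsid')} loads {target}")
    return None


def triage(log_text):
    """Return (severity, reason) for every notable O20/O24/O26 line in a pe_xscan log."""
    return [r for r in (classify(l.strip()) for l in log_text.splitlines()) if r]


if __name__ == "__main__":
    for severity, reason in triage(SAMPLE_LOG):
        print(f"[{severity}] {reason}")
```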
(To be continued)