Encountering unixsys08.sys / Trojan-PSW.Win32.QQPass.cdw, Trojan-PSW.Win32.OnLineGames, etc. (1)

Original by endurer, 2008-07-01, version 1

A netizen said his computer could not be used in normal mode, so he forced a reboot into Safe Mode with Networking, which worked!! He asked me to help check and repair it.

Downloaded pe_xscan, ran a scan and analysed the log; the following suspicious items turned up:
/===


pe_xscan 08-04-26 by Purple Endurer
2008-6-30 18:20:21
Windows XP Service Pack 2(5.1.2600)
MSIE:7.0.5730.13
管理员用户组
带网络连接的安全模式
[System Process] * 0
  C:/Program Files/Internet Explorer/PLUGINS/UnixSys08.Sys | 2008-6-29 0:27:17
  C:/WINDOWS/system32/rasdlgcq.dll | 2001-6-29 0:27:8
  C:/WINDOWS/system32/kbdswjr.dll | 2001-6-29 0:26:35
  C:/WINDOWS/system32/catsrvwl.dll | 2001-6-29 0:26:16
  C:/WINDOWS/system32/wklsdd.dll | 2008-6-29 0:27:10
  C:/WINDOWS/system32/jhfrxz.dll | 2008-6-29 0:26:59
  C:/WINDOWS/system32/sgdewg.dll | 2008-6-29 0:26:40
  C:/WINDOWS/system32/jfdses.dll | 2008-6-29 0:26:52
  C:/WINDOWS/system32/pedadt.dll | 2008-6-29 0:24:30
  C:/WINDOWS/system32/rfdswc.dll | 2008-6-29 0:24:14
  C:/WINDOWS/system32/mtewdh.dll | 2008-6-29 0:26:26
  C:/WINDOWS/system32/tdffdl.dll | 2008-6-29 0:26:7
  C:/WINDOWS/system32/cedafb.dll | 2008-6-29 0:25:44
C:/WINDOWS/Explorer.EXE* 1216 | 2004-8-7 20:0:0 | Microsoft(R) Windows(R) Operating System | 6.00.2900.3156 | Windows Explorer | (C) Microsoft Corporation. All rights reserved. | 6.00.2900.3156 (xpsp_sp2_gdr.070613-1234) | Microsoft Corporation| ? | explorer | EXPLORER.EXE
  C:/WINDOWS/system32/ozfyebyt.dll | 2004-8-8 0:24:12
  C:/WINDOWS/system32/rfdswc.dll | 2008-6-29 0:24:14
  C:/WINDOWS/system32/mpwdeapi.dll | 2004-8-8 0:24:19
  C:/WINDOWS/system32/pedadt.dll | 2008-6-29 0:24:30
  C:/WINDOWS/system32/apzhctde.dll | 2004-8-8 0:24:36
  C:/WINDOWS/system32/zxmsdwin.dll | 2004-8-8 0:25:44
  C:/WINDOWS/system32/cedafb.dll | 2008-6-29 0:25:44
  C:/WINDOWS/system32/hdf453d.dll | 2004-8-8 0:25:52
  C:/WINDOWS/system32/rijxbkin.dll | 2004-8-8 0:25:55
  C:/WINDOWS/system32/MMHADPQG1097.dll | 2008-6-29 0:26:1
  C:/WINDOWS/system32/mndshsrv.dll | 2004-8-8 0:26:4
  C:/WINDOWS/system32/tdffdl.dll | 2008-6-29 0:26:7
  C:/WINDOWS/system32/apsggjba.dll | 2004-8-8 0:26:12
  C:/WINDOWS/system32/pjjxedwd.dll | 2004-8-8 0:26:17
  C:/WINDOWS/system32/catsrvwl.dll | 2001-6-29 0:26:16
  C:/WINDOWS/system32/yxcschlp.dll | 2004-8-8 0:26:19
  C:/WINDOWS/system32/mtewdh.dll | 2008-6-29 0:26:26
  C:/WINDOWS/system32/kbdswjr.dll | 2001-6-29 0:26:35
  C:/WINDOWS/system32/oswxdttb.dll | 2004-8-8 0:26:37
  C:/WINDOWS/system32/sgdewg.dll | 2008-6-29 0:26:40
  C:/WINDOWS/system32/zptlcsys.dll | 2004-8-8 0:26:49
  C:/WINDOWS/system32/jfdses.dll | 2008-6-29 0:26:52
  C:/WINDOWS/system32/jhfrxz.dll | 2008-6-29 0:26:59
  C:/WINDOWS/system32/rasdlgcq.dll | 2001-6-29 0:27:8
  C:/WINDOWS/system32/wklsdd.dll | 2008-6-29 0:27:10
  C:/Program Files/Internet Explorer/PLUGINS/UnixSys08.Sys | 2008-6-29 0:27:17
C:/Program Files/Tencent/QQ/QQ.exe* 1652 | 2008-2-19 6:15:10 | QQ | 8,0,714,1791 | QQ | Copyright (C) 1998 - 2008 TENCENT Inc. All Rights Reserved | 8,0,714,1791 | TENCENT | | COMQQD | QQ.exe
  C:/WINDOWS/system32/rasdlgcq.dll | 2001-6-29 0:27:8
  C:/WINDOWS/system32/kbdswjr.dll | 2001-6-29 0:26:35
  C:/WINDOWS/system32/catsrvwl.dll | 2001-6-29 0:26:16
  C:/WINDOWS/system32/wklsdd.dll | 2008-6-29 0:27:10
  C:/WINDOWS/system32/jhfrxz.dll | 2008-6-29 0:26:59
  C:/WINDOWS/system32/jfdses.dll | 2008-6-29 0:26:52
  C:/WINDOWS/system32/sgdewg.dll | 2008-6-29 0:26:40
  C:/WINDOWS/system32/pedadt.dll | 2008-6-29 0:24:30
  C:/WINDOWS/system32/rfdswc.dll | 2008-6-29 0:24:14
  C:/WINDOWS/system32/mtewdh.dll | 2008-6-29 0:26:26
  C:/WINDOWS/system32/tdffdl.dll | 2008-6-29 0:26:7
  C:/WINDOWS/system32/cedafb.dll | 2008-6-29 0:25:44
  C:/Program Files/Internet Explorer/PLUGINS/UnixSys08.Sys | 2008-6-29 0:27:17
C:/Program Files/Tencent/QQ/TXPlatform.exe* 1680 | 2007-11-18 1:53:39 | TM2008 | 1, 0, 170, 201 | TM2008 | Copyright (C) 1998-2007 TENCENT Inc. All Rights Reserved | 1, 0, 170, 0 | Tencent| ? | |
  C:/WINDOWS/system32/rasdlgcq.dll | 2001-6-29 0:27:8
  C:/WINDOWS/system32/kbdswjr.dll | 2001-6-29 0:26:35
  C:/WINDOWS/system32/catsrvwl.dll | 2001-6-29 0:26:16
  C:/WINDOWS/system32/wklsdd.dll | 2008-6-29 0:27:10
  C:/WINDOWS/system32/jhfrxz.dll | 2008-6-29 0:26:59
  C:/WINDOWS/system32/jfdses.dll | 2008-6-29 0:26:52
  C:/WINDOWS/system32/sgdewg.dll | 2008-6-29 0:26:40
  C:/WINDOWS/system32/pedadt.dll | 2008-6-29 0:24:30
  C:/WINDOWS/system32/rfdswc.dll | 2008-6-29 0:24:14
  C:/WINDOWS/system32/mtewdh.dll | 2008-6-29 0:26:26
  C:/WINDOWS/system32/tdffdl.dll | 2008-6-29 0:26:7
  C:/WINDOWS/system32/cedafb.dll | 2008-6-29 0:25:44
  C:/Program Files/Internet Explorer/PLUGINS/UnixSys08.Sys | 2008-6-29 0:27:17
C:/WINDOWS/System32/ctfmon.exe* 116 | 2004-8-7 20:0:0 | Microsoft® Windows® Operating System | 5.1.2600.2180 | CTF Loader | © Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | CTFMON | CTFMON.EXE
  C:/Program Files/Internet Explorer/PLUGINS/UnixSys08.Sys | 2008-6-29 0:27:17
  C:/WINDOWS/system32/rasdlgcq.dll | 2001-6-29 0:27:8
  C:/WINDOWS/system32/kbdswjr.dll | 2001-6-29 0:26:35
  C:/WINDOWS/system32/catsrvwl.dll | 2001-6-29 0:26:16
  C:/WINDOWS/system32/wklsdd.dll | 2008-6-29 0:27:10
  C:/WINDOWS/system32/jhfrxz.dll | 2008-6-29 0:26:59
  C:/WINDOWS/system32/sgdewg.dll | 2008-6-29 0:26:40
  C:/WINDOWS/system32/jfdses.dll | 2008-6-29 0:26:52
  C:/WINDOWS/system32/pedadt.dll | 2008-6-29 0:24:30
  C:/WINDOWS/system32/rfdswc.dll | 2008-6-29 0:24:14
  C:/WINDOWS/system32/mtewdh.dll | 2008-6-29 0:26:26
  C:/WINDOWS/system32/tdffdl.dll | 2008-6-29 0:26:7
  C:/WINDOWS/system32/cedafb.dll | 2008-6-29 0:25:44
O2 - BHO - {25FD6584-698F-BCD2-602C-698745210352} -C:/WINDOWS/system32/rijxbkin.dll
O2 - BHO - {32023698-6984-8541-9654-698745012523} -C:/WINDOWS/system32/skqncbib.dll
O2 - BHO - {35671234-7890-ABCD-CDEF-567801237653} -C:/WINDOWS/system32/yxcschlp.dll
O2 - BHO - {3D698451-2015-6358-9871-2015987452D3} -C:/WINDOWS/system32/apzhctde.dll
O2 - BHO - {43512378-9874-5641-1025-985420368734} -C:/WINDOWS/system32/oswxdttb.dll
O2 - BHO - {47AC9076-C898-B098-D098-A18319080974} -C:/WINDOWS/system32/nhmxdjkl.dll
O2 - BHO - {50940F85-F015-14F1-A05F-F69858AC6D05} -C:/WINDOWS/system32/zptlcsys.dll
O2 - BHO - {54FAE856-AD58-20CB-A025-CD4895FA6E45} -C:/WINDOWS/system32/pjjxedwd.dll
O2 - BHO - {55694105-5108-9405-3695-954187462155} -C:/WINDOWS/system32/mpwdeapi.dll
O2 - BHO - {5A069845-2036-6084-9054-6087502480A5} -C:/WINDOWS/system32/ozfyebyt.dll
O2 - BHO - {74381DEC-D78B-43E4-BA5D-5244F669EBE4} -C:/Program Files/Internet Explorer/PLUGINS/UnixSys08.Sys
O2 - BHO - {7A041F13-A111-12A3-B0CF-F99818AA68A7} -C:/WINDOWS/system32/zxmsdwin.dll
O2 - BHO - {7C8D1401-A58D-A81C-CD24-A5915C4517C7} - C:/WINDOWS/system32/mnmhgsrv.dll
O2 - BHO - C:/WINDOWS/system32/mnmhgsrv.dll - {7E853D72-626A-48EC-A868-BA8D5E23E045} -
O2 - BHO - {7FD45A54-9875-698F-E56E-65102358FDF7} -C:/WINDOWS/system32/apsggjba.dll
O2 - BHO - {87FD640A-158F-48AC-FD14-1597F14A9778} -C:/WINDOWS/system32/mndshsrv.dll
O2 - BHO - {B490415F-65F8-B5C5-D8BA-9405FB12054B} -C:/WINDOWS/system32/yzztkmsn.dll
O2 - BHO - {B629FF4F-ACDB-5C90-A098-FACB3456A26B} -C:/WINDOWS/system32/hdf453d.dll
O20 - AppInit_DLLs = yzztkmsn.dll,skqncbib.dll,womsoy.dll,nhmxdjkl.dll
O21 - SSODL - midimapgj(0) - {4F4F0064-71E0-4f0d-0003-708476C7815F} =C:/WINDOWS/system32/midimapgj.dll
O21 - SSODL - cliconfgzx.dll(0) - {00050005-0005-0005-0005-00050005BB15} =C:/WINDOWS/system32/cliconfgzx.dll
O21 - SSODL - catsrvwl.dll(-) - {00040004-0004-0004-0004-00040004BB15} =C:/WINDOWS/system32/catsrvwl.dll
O21 - SSODL - kbdswjr.dll(-) - {00120012-0012-0012-0012-00120012BB15} =C:/WINDOWS/system32/kbdswjr.dll
O21 - SSODL - rasdlgcq.dll(-) - {00230023-0023-0023-0023-00230023BB15} =C:/WINDOWS/system32/rasdlgcq.dll
O23 - 服务: e130371c6a3baccb (e130371c6a3baccb) -C:/e130371c6a3baccb.dat (手动)
O23 - 服务: hbdegbbh(hbdegbbh) -C:/WINDOWS/System32/drivers/hbdegbbh.sys (引导)
O23 - 服务: Hdv32 (Hdv32) -C:/WINDOWS/system32/drivers/Hdv32_c.sys (手动)
O23 - 服务: heebajhj(hbdegbbh) -C:/WINDOWS/System32/drivers/heebajhj.sys (引导)
O23 - 服务: pjjgkej (pjjgkej) -C:/WINDOWS/System32/drivers/pjjgkej.sys (引导)
O24 - ShlExecHook: [7] - {7C8D1401-A58D-A81C-CD24-A5915C4517C7} =C:/WINDOWS/system32/mnmhgsrv.dll
O24 - ShlExecHook: [MICROSOFT] - {17DFD111-BF3A-4CB4-ADB0-88FCBFE69821} =C:/WINDOWS/system32/hhrdxd.dll
O24 - ShlExecHook: [MICROSOFT] - {4D165A2A-4BC1-4CA8-8299-08E05AAAB5A4} =C:/WINDOWS/system32/tdggrz.dll
O24 - ShlExecHook: [MICROSOFT] - {A9895933-6636-4281-BC58-EE6DE2AF96E3} =C:/WINDOWS/system32/ddserh.dll
O24 - ShlExecHook: [5] - {5A069845-2036-6084-9054-6087502480A5} =C:/WINDOWS/system32/ozfyebyt.dll
O24 - ShlExecHook: [MICROSOFT] - {461D2AB4-29A5-45C2-9134-D52272D3DE38} =C:/WINDOWS/system32/rfdswc.dll
O24 - ShlExecHook: [5] - {55694105-5108-9405-3695-954187462155} =C:/WINDOWS/system32/mpwdeapi.dll
O24 - ShlExecHook: [B] - {B490415F-65F8-B5C5-D8BA-9405FB12054B} =C:/WINDOWS/system32/yzztkmsn.dll
O24 - ShlExecHook: [MICROSOFT] - {5E907A48-400E-4EA8-9792-FFAE052D59E9} =C:/WINDOWS/system32/pedadt.dll
O24 - ShlExecHook: [3] - {3D698451-2015-6358-9871-2015987452D3} =C:/WINDOWS/system32/apzhctde.dll
O24 - ShlExecHook: [F] - {4F4F0064-71E0-4f0d-0003-708476C7815F} =C:/WINDOWS/system32/midimapgj.dll
O24 - ShlExecHook: [5] - {00050005-0005-0005-0005-00050005BB15} =C:/WINDOWS/system32/cliconfgzx.dll
O24 - ShlExecHook: [7] - {7A041F13-A111-12A3-B0CF-F99818AA68A7} =C:/WINDOWS/system32/zxmsdwin.dll
O24 - ShlExecHook: [MICROSOFT] - {84143967-B645-4BFF-B873-DA1DC886E9A7} =C:/WINDOWS/system32/cedafb.dll
O24 - ShlExecHook: [B] - {B629FF4F-ACDB-5C90-A098-FACB3456A26B} =C:/WINDOWS/system32/hdf453d.dll
O24 - ShlExecHook: [2] - {25FD6584-698F-BCD2-602C-698745210352} =C:/WINDOWS/system32/rijxbkin.dll
O24 - ShlExecHook: [3] - {32023698-6984-8541-9654-698745012523} =C:/WINDOWS/system32/skqncbib.dll
O24 - ShlExecHook: [5] - {eaa21495-29ae-4e50-8ad9-a4f877c1ab85} =C:/WINDOWS/system32/MMHADPQG1097.dll
O24 - ShlExecHook: [8] - {87FD640A-158F-48AC-FD14-1597F14A9778} =C:/WINDOWS/system32/mndshsrv.dll
O24 - ShlExecHook: [MICROSOFT] - {C0595A7E-2E2F-4B34-A83A-019270A0A464} =C:/WINDOWS/system32/tdffdl.dll
O24 - ShlExecHook: [7] - {7FD45A54-9875-698F-E56E-65102358FDF7} =C:/WINDOWS/system32/apsggjba.dll
O24 - ShlExecHook: [5] - {54FAE856-AD58-20CB-A025-CD4895FA6E45} =C:/WINDOWS/system32/pjjxedwd.dll
O24 - ShlExecHook: [5] - {00040004-0004-0004-0004-00040004BB15} =C:/WINDOWS/system32/catsrvwl.dll
O24 - ShlExecHook: [3] - {35671234-7890-ABCD-CDEF-567801237653} =C:/WINDOWS/system32/yxcschlp.dll
O24 - ShlExecHook: [MICROSOFT] - {189F087F-4378-405F-85FA-37D955AD7A8C} =C:/WINDOWS/system32/mtewdh.dll
O24 - ShlExecHook: [5] - {00120012-0012-0012-0012-00120012BB15} =C:/WINDOWS/system32/kbdswjr.dll
O24 - ShlExecHook: [4] - {43512378-9874-5641-1025-985420368734} =C:/WINDOWS/system32/oswxdttb.dll
O24 - ShlExecHook: [MICROSOFT] - {8C41B7F7-3168-400D-A702-0E7EFE0BA304} =C:/WINDOWS/system32/sgdewg.dll
O24 - ShlExecHook: [5] - {50940F85-F015-14F1-A05F-F69858AC6D05} =C:/WINDOWS/system32/zptlcsys.dll
O24 - ShlExecHook: [MICROSOFT] - {81AF1CF6-D1C9-4C6A-AC01-EDE54E71945B} =C:/WINDOWS/system32/jfdses.dll
O24 - ShlExecHook: [MICROSOFT] - {7914E0AA-ECCB-4311-B584-C49538227824} =C:/WINDOWS/system32/jhfrxz.dll
O24 - ShlExecHook: [4] - {47AC9076-C898-B098-D098-A18319080974} =C:/WINDOWS/system32/nhmxdjkl.dll
O24 - ShlExecHook: [5] - {00230023-0023-0023-0023-00230023BB15} =C:/WINDOWS/system32/rasdlgcq.dll
O24 - ShlExecHook: [MICROSOFT] - {E8A3B193-77E3-4FB3-986D-F4FA4828BAFC} =C:/WINDOWS/system32/wklsdd.dll
O24 - ShlExecHook: [] - {74381DEC-D78B-43E4-BA5D-5244F669EBE4} =C:/Program Files/Internet Explorer/PLUGINS/UnixSys08.Sys
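The O-entries in the log are the usual HijackThis-style persistence points: O2 browser helper objects, O20 AppInit_DLLs, O21 ShellServiceObjectDelayLoad, O23 services and drivers, O24 ShellExecuteHooks. As an added example (not part of the original post and not pe_xscan's own code), the Python script below parses a handful of those lines, copied from the log above, and applies some defender-side triage heuristics: a COM object whose image is not a .dll, one CLSID registered both as a BHO or SSODL entry and as a ShellExecuteHook, CLSIDs whose middle groups simply repeat, anything at all in AppInit_DLLs, service images with an unusual extension, and boot-start services. The regexes, the heuristics and the finding names are my own assumptions about this log format, not something pe_xscan emits.

```python
"""Triage helper for HijackThis-style pe_xscan O-entries (added example, not pe_xscan code)."""
import os
import re
from collections import defaultdict

# Constructed sample: a few entries copied from the pe_xscan log above, one per line.
SAMPLE_LOG = """\
O2 - BHO - {74381DEC-D78B-43E4-BA5D-5244F669EBE4} -C:/Program Files/Internet Explorer/PLUGINS/UnixSys08.Sys
O2 - BHO - {25FD6584-698F-BCD2-602C-698745210352} -C:/WINDOWS/system32/rijxbkin.dll
O2 - BHO - {7C8D1401-A58D-A81C-CD24-A5915C4517C7} - C:/WINDOWS/system32/mnmhgsrv.dll
O20 - AppInit_DLLs = yzztkmsn.dll,skqncbib.dll,womsoy.dll,nhmxdjkl.dll
O21 - SSODL - catsrvwl.dll(-) - {00040004-0004-0004-0004-00040004BB15} =C:/WINDOWS/system32/catsrvwl.dll
O23 - 服务: e130371c6a3baccb (e130371c6a3baccb) -C:/e130371c6a3baccb.dat (手动)
O23 - 服务: hbdegbbh(hbdegbbh) -C:/WINDOWS/System32/drivers/hbdegbbh.sys (引导)
O24 - ShlExecHook: [MICROSOFT] - {461D2AB4-29A5-45C2-9134-D52272D3DE38} =C:/WINDOWS/system32/rfdswc.dll
O24 - ShlExecHook: [2] - {25FD6584-698F-BCD2-602C-698745210352} =C:/WINDOWS/system32/rijxbkin.dll
O24 - ShlExecHook: [5] - {00040004-0004-0004-0004-00040004BB15} =C:/WINDOWS/system32/catsrvwl.dll
O24 - ShlExecHook: [] - {74381DEC-D78B-43E4-BA5D-5244F669EBE4} =C:/Program Files/Internet Explorer/PLUGINS/UnixSys08.Sys
"""

CLSID = r"(?P<clsid>\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\})"
# Assumed line shapes, derived from the log above (not an official pe_xscan grammar).
PATTERNS = {
    "O2": re.compile(r"^O2 - BHO - " + CLSID + r" -\s*(?P<path>.+?)\s*$"),
    "O20": re.compile(r"^O20 - AppInit_DLLs = (?P<dlls>.*?)\s*$"),
    "O21": re.compile(r"^O21 - SSODL - .+? - " + CLSID + r" =(?P<path>.+?)\s*$"),
    "O23": re.compile(r"^O23 - 服务: (?P<name>\S+?) ?\((?P<display>[^)]*)\) -(?P<path>.+) \((?P<start>[^)]*)\)$"),
    "O24": re.compile(r"^O24 - ShlExecHook: \[.*?\] - " + CLSID + r" =(?P<path>.+?)\s*$"),
}


def parse_log(text):
    """Return one dict per recognised O-line; lines matching no pattern are skipped."""
    entries = []
    for line in text.splitlines():
        for kind, rx in PATTERNS.items():
            m = rx.match(line.strip())
            if m:
                entry = {"kind": kind, **m.groupdict()}
                if kind == "O20":
                    entry["dlls"] = [d.strip() for d in entry["dlls"].split(",") if d.strip()]
                entries.append(entry)
                break
    return entries


def is_patterned_clsid(clsid):
    """True when the three middle groups repeat (e.g. -0004-0004-0004-), typical of a hand-typed CLSID."""
    groups = clsid.strip("{}").split("-")
    return len(groups) == 5 and groups[1] == groups[2] == groups[3]


def triage(entries):
    """Apply the heuristics and return {finding_name: [items]}; finding names are my own."""
    findings = defaultdict(list)
    kinds_by_clsid = defaultdict(set)
    for e in entries:
        path = e.get("path", "")
        ext = os.path.splitext(path)[1].lower()
        clsid = e.get("clsid")
        if clsid:
            kinds_by_clsid[clsid.upper()].add(e["kind"])
            if ext != ".dll":
                findings["com_object_not_dll"].append(path)
            if is_patterned_clsid(clsid):
                findings["patterned_clsid"].append(clsid)
        if e["kind"] == "O20":
            findings["appinit_dlls"].extend(e["dlls"])
        if e["kind"] == "O23":
            if ext not in (".sys", ".exe"):
                findings["service_image_odd_extension"].append(path)
            if e["start"] == "引导":  # boot-start: loaded before most defences
                findings["boot_start_service"].append(e["name"])
    # The same COM object registered as BHO/SSODL and again as a ShellExecuteHook
    for clsid, kinds in kinds_by_clsid.items():
        if "O24" in kinds and kinds & {"O2", "O21"}:
            findings["hook_reregistered_as_shlexechook"].append(clsid)
    return dict(findings)


if __name__ == "__main__":
    for category, items in triage(parse_log(SAMPLE_LOG)).items():
        print(category)
        for item in items:
            print("   ", item)
```

Run over the full log the same heuristics would also flag the O21 entries with the 0005/0012/0023 repeating CLSIDs and the four boot-start drivers; the point of cross-referencing O2/O21 against O24 is that a module hooked into both IE and every ShellExecute call is re-loaded by whatever the user launches, which is why the same DLLs show up in each process's module list.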


(To be continued)