sichost.exe, winxphelp.exe, 360up.exe, RavNT.exe, Counter.exe, login.jpg.exe, etc. (1)

endurer original, 2008-07-09, 1st revision

A friend said that after booting, his computer was very slow, Kaspersky and Kaka Security Assistant failed to start automatically, the system date had changed to 2001, and advertising pages such as hxxp://s**m.bizm*d.cn/ad/ADShow.aspx?ADID=56 opened automatically at regular intervals; he was probably infected. He asked me to help check and repair it.

I copied pe_xscan, FileInfo, bat_do, HijackThis and other programs to a USB flash drive and went to my friend's home. I unplugged the network cable and then powered on; sure enough, it was extremely slow, and a prompt box popped up:

[Screenshot: sichost.exe,winxphelp.exe,360up.exe,RavNT.exe,Counter.exe,login.jpg.exe等1_system]

After that, a dialog box popped up periodically, saying the system was working offline and asking whether to connect.

I ran pe_xscan from the USB drive to scan and analyze, and found the following suspicious items (parts that are identical across process modules are omitted; there were 6 hidden IE processes, of which only 1 is kept in the log below):


pe_xscan 08-07-02 by Purple Endurer

2008-7-9 11:14:27

Windows XP Service Pack 2(5.1.2600)

MSIE:7.0.5730.13

管理员用户组

正常模式

C:/WINDOWS/System32/csrss.exe* 776 | 2002-10-7 4:0:0 | Microsoft? Windows? Operating System | 5.1.2600.2180 | Client Server Runtime Process | ? Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | CSRSS.Exe |

C:/WINDOWS/system32/31BA777E.DLL | 2000-7-8 6:1:50| ?| ?| ?| ?| ?| ?| ?| ?|

C:/WINDOWS/System32/winlogon.exe* 800 | 2002-10-7 4:0:0 | Microsoft(R) Windows(R) Operating System | 5.1.2600.2180 | Windows NT Logon Application | (C) Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | winlogon |

C:/WINDOWS/system32/NTNSDKWOW.dll | 2000-7-7 3:4:44 | Microsoft(R) Windows(R) Operating System | 5.1.2600.3099 (xpsp_sp2_gdr.070308-0222) | Windows XP MSPLAY API DLL | (C) Microsoft Corporation. All rights resad. | 5.1.2600.3099 | Microsoft Corporation | Microsoft | msplay32 |

C:/WINDOWS/system32/yzztnmsn.dll |

C:/WINDOWS/system32/nhmxejkl.dll |

C:/WINDOWS/system32/31BA777E.DLL | 2000-7-8 6:1:50| ?| ?| ?| ?| ?| ?| ?| ?|

C:/WINDOWS/system32/winlib .dll

C:/WINDOWS/System32/services.exe* 852 | 2002-10-7 4:0:0 | Microsoft(R) Windows(R) Operating System | 5.1.2600.2180 | Services and Controller app | (C) Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | services.exe |

C:/WINDOWS/system32/NTNSDKWOW.dll | 2000-7-7 3:4:44 | Microsoft(R) Windows(R) Operating System | 5.1.2600.3099 (xpsp_sp2_gdr.070308-0222) | Windows XP MSPLAY API DLL | (C) Microsoft Corporation. All rights resad. | 5.1.2600.3099 | Microsoft Corporation | Microsoft | msplay32 |

C:/WINDOWS/system32/yzztnmsn.dll |

C:/WINDOWS/system32/nhmxejkl.dll |

C:/WINDOWS/system32/31BA777E.DLL | 2000-7-8 6:1:50| ?| ?| ?| ?| ?| ?| ?| ?|

C:/WINDOWS/System32/lsass.exe* 864 | 2002-10-7 4:0:0 | Microsoft? Windows? Operating System | 5.1.2600.2180 | LSA Shell (Export Version) | ? Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | lsass.exe |

C:/WINDOWS/system32/NTNSDKWOW.dll | 2000-7-7 3:4:44 | Microsoft(R) Windows(R) Operating System | 5.1.2600.3099 (xpsp_sp2_gdr.070308-0222) | Windows XP MSPLAY API DLL | (C) Microsoft Corporation. All rights resad. | 5.1.2600.3099 | Microsoft Corporation | Microsoft | msplay32 |

C:/WINDOWS/system32/31BA777E.DLL | 2000-7-8 6:1:50| ?| ?| ?| ?| ?| ?| ?| ?|

C:/WINDOWS/System32/svchost.exe*

C:/WINDOWS/System32/NTNSDKWOW.dll | 2000-7-7 3:4:44 | Microsoft(R) Windows(R) Operating System | 5.1.2600.3099 (xpsp_sp2_gdr.070308-0222) | Windows XP MSPLAY API DLL | (C) Microsoft Corporation. All rights resad. | 5.1.2600.3099 | Microsoft Corporation | Microsoft | msplay32 |

C:/WINDOWS/System32/yzztnmsn.dll |

C:/WINDOWS/System32/nhmxejkl.dll |

C:/WINDOWS/system32/31BA777E.DLL | 2000-7-8 6:1:50| ?| ?| ?| ?| ?| ?| ?| ?|

c:/windows/system32/bitsex.dll | 2004-8-17 12:0:0 | svchost | 5.1.2600.2180 | Microsoft SNMP Manager API (uses WinSNMP) | Copyright @ 2004 | 5.1.2600.2180 | @ Microsoft Corporation. All rights reserved. | | svchost |

c:/windows/system32/irmon64.dll | 2008-6-30 3:29:36 | Microsoft(R) Windows(R) Operating System | 1, 0, 0, 1 | Microsoft RIP for Internet Protocol | (C) Microsoft Corporation. All rights reserved. | 1, 0, 0, 1 | Microsoft Corporation | | 6to4.dll |

c:/windows/icpb.dll |

C:/WINDOWS/system32/mmchost.dll |

c:/windows/iasxin.dll | 2008-7-7 7:43:6 | Microsoft(R) Windows(R) Operating System | 1, 0, 0, 2 | Microsoft RIP for Internet Protocol | (C) Microsoft Corporation. All rights reserved. | 1, 0, 0, 2 | Microsoft Corporation | | 6to4.dll |

c:/windows/avtapit.dll | 2008-6-18 3:27:12 | Microsoft(R) Windows(R) Operating System | 1, 0, 0, 1 | Advanced Windows 32 Base API | (C) Microsoft Corporation. All rights reserved. | 1, 0, 0, 1 | Microsoft Corporation | | advapi32.dll |

c:/windows/system32/oobe/tvkoywtebi.dll | 1982-7-8 15:28:43 | Time32 | 3.2 | Windows Times | | 3.1.2.422 | Microsoft LTD. | | 3.0.22 |

C:/WINDOWS/System32/KERNEL32.exe * 1760 |

c:/windows/system32/NTNSDKWOW.dll | 2000-7-7 3:4:44 | Microsoft(R) Windows(R) Operating System | 5.1.2600.3099 (xpsp_sp2_gdr.070308-0222) | Windows XP MSPLAY API DLL | (C) Microsoft Corporation. All rights resad. | 5.1.2600.3099 | Microsoft Corporation | Microsoft | msplay32 |

c:/windows/system32/yzztnmsn.dll |

c:/windows/system32/nhmxejkl.dll |

C:/WINDOWS/Explorer.exe* 1816 | 2002-10-7 4:0:0 | Microsoft(R) Windows(R) Operating System | 6.00.2900.3156 | Windows Explorer | (C) Microsoft Corporation. All rights reserved. | 6.00.2900.3156 (xpsp_sp2_gdr.070613-1234) | Microsoft Corporation| ? | explorer |

C:/WINDOWS/system32/NTNSDKWOW.dll | 2000-7-7 3:4:44 | Microsoft(R) Windows(R) Operating System | 5.1.2600.3099 (xpsp_sp2_gdr.070308-0222) | Windows XP MSPLAY API DLL | (C) Microsoft Corporation. All rights resad. | 5.1.2600.3099 | Microsoft Corporation | Microsoft | msplay32 |

C:/WINDOWS/system32/yzztnmsn.dll |

C:/WINDOWS/system32/nhmxejkl.dll |

C:/WINDOWS/system32/31BA777E.DLL | 2000-7-8 6:1:50| ?| ?| ?| ?| ?| ?| ?| ?|

C:/WINDOWS/system32/syswindrv.dll | 2008-7-8 14:29:11| ? | 3, 3, 3, 0| ?| ? | 3, 3, 3, 0| ?| ?| ?|

C:/WINDOWS/system32/wwinsystem.dll |

C:/WINDOWS/system32/shlhook.dll | 2007-7-11 16:46:47 | 瑞星卡卡上网安全助手4.0 | 4.00 | shlhook Module | Rising Corp. All rights reserved. | 4.0.0.9 | Beijing Rising Technology Co., Ltd. | | Beijing Rising Technology Co., Ltd. |

C:/WINDOWS/system32/rasdlgcq.dll |

C:/WINDOWS/system32/cliconfgzx.dll |

C:/WINDOWS/system32/dpvvoxmh.dll |

C:/WINDOWS/system32/jfrwdh.dll |

C:/WINDOWS/system32/sgdewg.dll |

C:/WINDOWS/system32/ddserh.dll |

C:/WINDOWS/system32/zycdex.dll |

C:/WINDOWS/system32/hhrdxd.dll |

C:/WINDOWS/system32/kbdswjr.dll |

C:/WINDOWS/system32/cedafb.dll |

C:/WINDOWS/system32/bootvidgj.dll |

C:/WINDOWS/system32/catsrvwl.dll |

C:/WINDOWS/system32/adsntzt.dll |

C:/WINDOWS/system32/ksuserfy.dll |

C:/WINDOWS/system32/imgutilhx2.dll |

C:/WINDOWS/system32/jfdses.dll |

C:/WINDOWS/system32/jdsaex.dll |

C:/WINDOWS/system32/ydggsx.dll |

C:/WINDOWS/system32/tdfhex.dll |

C:/WINDOWS/system32/tdffdl.dll |

C:/WINDOWS/system32/mtewdh.dll |

C:/WINDOWS/system32/mfdesy.dll |

C:/WINDOWS/system32/wklsdd.dll |

C:/WINDOWS/system32/rfdswc.dll |

C:/WINDOWS/system32/jhfrxz.dll |

C:/WINDOWS/system32/jggtsr.dll |

C:/WINDOWS/system32/fmcvxy.dll |

C:/WINDOWS/system32/fsrgeb.dll |

C:/WINDOWS/system32/pedadt.dll |

C:/WINDOWS/system32/tdggrz.dll |

C:/WINDOWS/system32/mndshsrv.dll |

C:/WINDOWS/system32/mndhgdwd.dll |

C:/WINDOWS/system32/ypcqghlp.dll |

C:/Program Files/Internet Explorer/PLUGINS/UnixSys08.Sys |

C:/WINDOWS/system32/dndsaf.dll |

C:/WINDOWS/system32/ShowAD.dll |

C:/WINDOWS/system32/GameGuard02.dll |

C:/WINDOWS/system32/91t4q.dll

C:/WINDOWS/Downlo~1/c77b.dll | 2008-7-8 15:37:10 | Microsoft(R) Windows(R) Operating System | 5, 3, 2600, 2180 | Microsoft DirectMusic Interactive Engine | 版权所有 (C) 2007 | 5, 3, 2600, 2180 | Microsoft Corporation | | Microsoft DirectMusic Interactive Engine |

c:/windows/system32/config/sam6.log | 2008-7-8 15:29:39 | Microsoft(R) Windows(R) Operating System | 5.1.2600.0 | Microsoft DCOM Client | (C) Microsoft Corporation. All rights reserved. | 5.1.2601.1 | Microsoft Corporation | | |

C:/WINDOWS/system/zydld32080708jt.dll |

C:/WINDOWS/system32/oobe/tvkoywtebi.dll | 1982-7-8 15:28:43 | Time32 | 3.2 | Windows Times | | 3.1.2.422 | Microsoft LTD. | | 3.0.22 |

C:/WINDOWS/system32/229a.dll | 2008-7-8 16:25:46 | DLL Module | 1, 1, 0, 2 | DLL Module | Copyright 2007 | 1, 1, 0, 2 | | | DLL |

C:/WINDOWS/system32/xml42.dll |

C:/WINDOWS/system32/mmchost.dll |

E:/Program Files/Tencent/QQ/qdshm.dll | 2006-8-31 12:8:52 | QQDiskShellMenu Module | 1, 0, 101, 20 | QQDiskShellMenu Module | Copyright 2004 | 1, 0, 101, 20 | | | QQDiskShellMenu |

C:/WINDOWS/mfc42.exe * 1844 |

C:/WINDOWS/system32/NTNSDKWOW.dll | 2000-7-7 3:4:44 | Microsoft(R) Windows(R) Operating System | 5.1.2600.3099 (xpsp_sp2_gdr.070308-0222) | Windows XP MSPLAY API DLL | (C) Microsoft Corporation. All rights resad. | 5.1.2600.3099 | Microsoft Corporation | Microsoft | msplay32 |

C:/WINDOWS/system32/yzztnmsn.dll |

C:/WINDOWS/system32/nhmxejkl.dll |

C:/WINDOWS/system32/mmchost.dll |

C:/WINDOWS/System32/360up.exe * 1932 | 2008-7-7 8:57:38 | msword | 1, 0, 0, 3 | Windows Updater | 版权所有 (C) 2008 | 1, 0, 0, 3 | Microsoft | | msword |

C:/WINDOWS/System32/NTNSDKWOW.dll | 2000-7-7 3:4:44 | Microsoft(R) Windows(R) Operating System | 5.1.2600.3099 (xpsp_sp2_gdr.070308-0222) | Windows XP MSPLAY API DLL | (C) Microsoft Corporation. All rights resad. | 5.1.2600.3099 | Microsoft Corporation | Microsoft | msplay32 |

C:/WINDOWS/RavNT.exe * 1984 | 2008-7-7 7:40:36 | Rising AntiVirus 2008 | 1, 0, 0, 1 | RavNT Application | 版权所有 (C) 2008 | 1, 0, 0, 1 | 瑞星 | | RavNT |

C:/WINDOWS/system32/NTNSDKWOW.dll | 2000-7-7 3:4:44 | Microsoft(R) Windows(R) Operating System | 5.1.2600.3099 (xpsp_sp2_gdr.070308-0222) | Windows XP MSPLAY API DLL | (C) Microsoft Corporation. All rights resad. | 5.1.2600.3099 | Microsoft Corporation | Microsoft | msplay32 |

C:/WINDOWS/System32/2973a.exe * 260 | 2008-7-8 4:46:37 | Microsoft(R) Windows(R) Operating System | 5.1.2600.2180 | Windows Progman Group Converter | Copyright Zhongsou(C) 2005 | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | GrpConv|

C:/WINDOWS/system32/2973a.exe | 2008-7-8 4:46:37 | Microsoft(R) Windows(R) Operating System | 5.1.2600.2180 | Windows Progman Group Converter | Copyright Zhongsou(C) 2005 | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | GrpConv|

C:/WINDOWS/system32/NTNSDKWOW.dll | 2000-7-7 3:4:44 | Microsoft(R) Windows(R) Operating System | 5.1.2600.3099 (xpsp_sp2_gdr.070308-0222) | Windows XP MSPLAY API DLL | (C) Microsoft Corporation. All rights resad. | 5.1.2600.3099 | Microsoft Corporation | Microsoft | msplay32 |

C:/WINDOWS/system32/yzztnmsn.dll |

C:/WINDOWS/system32/nhmxejkl.dll |

C:/WINDOWS/qqshel.exe * 1224 | 2008-7-7 8:17:4 | msword | 1, 0, 0, 1 | Windows Updater | 版权所有 (C) 2008 | 1, 0, 0, 1 | Microsoft | | msword |

C:/WINDOWS/system32/NTNSDKWOW.dll | 2000-7-7 3:4:44 | Microsoft(R) Windows(R) Operating System | 5.1.2600.3099 (xpsp_sp2_gdr.070308-0222) | Windows XP MSPLAY API DLL | (C) Microsoft Corporation. All rights resad. | 5.1.2600.3099 | Microsoft Corporation | Microsoft | msplay32 |

C:/WINDOWS/System32/Rundll32.exe* 2232 | 2002-10-7 4:0:0 | Microsoft(R) Windows(R) Operating System | 5.1.2600.2180 | Run a DLL as an App | (C) Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | rundll |

C:/WINDOWS/system32/NTNSDKWOW.dll | 2000-7-7 3:4:44 | Microsoft(R) Windows(R) Operating System | 5.1.2600.3099 (xpsp_sp2_gdr.070308-0222) | Windows XP MSPLAY API DLL | (C) Microsoft Corporation. All rights resad. | 5.1.2600.3099 | Microsoft Corporation | Microsoft | msplay32 |

C:/WINDOWS/system32/NMGameX.dll | 2006-7-10 3:20:44 | NMGame.XEngine | 1, 0, 1, 3 | SinaLive | Copyright 2004 | 1, 0, 1, 3 | NMGameX | | NMGameX |

C:/WINDOWS/system32/imgutilhx2.dll |

C:/WINDOWS/system32/ksuserfy.dll |

C:/WINDOWS/system32/adsntzt.dll |

C:/WINDOWS/system32/catsrvwl.dll |

C:/WINDOWS/system32/bootvidgj.dll |

C:/WINDOWS/system32/kbdswjr.dll |

C:/WINDOWS/system32/dpvvoxmh.dll |

C:/WINDOWS/system32/cliconfgzx.dll |

C:/WINDOWS/system32/rasdlgcq.dll |

C:/WINDOWS/system32/jfdses.dll |

C:/WINDOWS/system32/rfdswc.dll |

C:/WINDOWS/system32/jdsaex.dll |

C:/WINDOWS/system32/jfrwdh.dll |

C:/WINDOWS/system32/tdfhex.dll |

C:/WINDOWS/system32/ydggsx.dll |

C:/WINDOWS/system32/tdffdl.dll |

C:/WINDOWS/system32/tdggrz.dll |

C:/WINDOWS/system32/pedadt.dll |

C:/WINDOWS/system32/fsrgeb.dll |

C:/WINDOWS/system32/fmcvxy.dll |

C:/WINDOWS/system32/jggtsr.dll |

C:/WINDOWS/system32/jhfrxz.dll |

C:/WINDOWS/system32/wklsdd.dll |

C:/WINDOWS/system32/mfdesy.dll |

C:/WINDOWS/system32/mtewdh.dll |

C:/WINDOWS/system32/cedafb.dll |

C:/WINDOWS/system32/hhrdxd.dll |

C:/WINDOWS/system32/zycdex.dll |

C:/WINDOWS/system32/ddserh.dll |

C:/WINDOWS/system32/sgdewg.dll |

C:/WINDOWS/System32/login.jpg.exe * 2288 | 2008-7-8 14:24:44 | svchost | 5.01.2180 | Generic Host Process for Win32 Services | Microsoft Corporation | 5.01.2180 | Microsoft Corporation | Microsoft Corporation | svchost |

C:/WINDOWS/system32/NTNSDKWOW.dll | 2000-7-7 3:4:44 | Microsoft(R) Windows(R) Operating System | 5.1.2600.3099 (xpsp_sp2_gdr.070308-0222) | Windows XP MSPLAY API DLL | (C) Microsoft Corporation. All rights resad. | 5.1.2600.3099 | Microsoft Corporation | Microsoft | msplay32 |

C:/WINDOWS/system32/imgutilhx2.dll |

C:/WINDOWS/system32/ksuserfy.dll |

C:/WINDOWS/system32/adsntzt.dll |

C:/WINDOWS/system32/catsrvwl.dll |

C:/WINDOWS/system32/bootvidgj.dll |

C:/WINDOWS/system32/kbdswjr.dll |

C:/WINDOWS/system32/dpvvoxmh.dll |

C:/WINDOWS/system32/cliconfgzx.dll |

C:/WINDOWS/system32/rasdlgcq.dll |

C:/WINDOWS/system32/tdfhex.dll |

C:/WINDOWS/system32/ydggsx.dll |

C:/WINDOWS/system32/jdsaex.dll |

C:/WINDOWS/system32/jfdses.dll |

C:/WINDOWS/system32/cedafb.dll |

C:/WINDOWS/system32/hhrdxd.dll |

C:/WINDOWS/system32/zycdex.dll |

C:/WINDOWS/system32/tdggrz.dll |

C:/WINDOWS/system32/pedadt.dll |

C:/WINDOWS/system32/tdffdl.dll |

C:/WINDOWS/system32/mtewdh.dll |

C:/WINDOWS/system32/mfdesy.dll |

C:/WINDOWS/system32/wklsdd.dll |

C:/WINDOWS/system32/rfdswc.dll |

C:/WINDOWS/system32/jfrwdh.dll |

C:/WINDOWS/system32/jhfrxz.dll |

C:/WINDOWS/system32/sgdewg.dll |

C:/WINDOWS/system32/jggtsr.dll |

C:/WINDOWS/system32/fmcvxy.dll |

C:/WINDOWS/system32/ddserh.dll |

C:/WINDOWS/system32/fsrgeb.dll |

C:/Program Files/Counter/Counter.exe * 2336 |

C:/WINDOWS/system32/NTNSDKWOW.dll | 2000-7-7 3:4:44 | Microsoft(R) Windows(R) Operating System | 5.1.2600.3099 (xpsp_sp2_gdr.070308-0222) | Windows XP MSPLAY API DLL | (C) Microsoft Corporation. All rights resad. | 5.1.2600.3099 | Microsoft Corporation | Microsoft | msplay32 |

C:/WINDOWS/system32/yzztnmsn.dll |

C:/WINDOWS/system32/nhmxejkl.dll |

C:/Program Files/Counter/htmlpeek.dll |

C:/WINDOWS/system32/imgutilhx2.dll |

C:/WINDOWS/system32/ksuserfy.dll |

C:/WINDOWS/system32/adsntzt.dll |

C:/WINDOWS/system32/catsrvwl.dll |

C:/WINDOWS/system32/bootvidgj.dll |

C:/WINDOWS/system32/kbdswjr.dll |

C:/WINDOWS/system32/dpvvoxmh.dll |

C:/WINDOWS/system32/cliconfgzx.dll |

C:/WINDOWS/system32/rasdlgcq.dll |

C:/WINDOWS/system32/tdfhex.dll |

C:/WINDOWS/system32/ydggsx.dll |

C:/WINDOWS/system32/jdsaex.dll |

C:/WINDOWS/system32/jfdses.dll |

C:/WINDOWS/system32/cedafb.dll |

C:/WINDOWS/system32/hhrdxd.dll |

C:/WINDOWS/system32/zycdex.dll |

C:/WINDOWS/system32/tdggrz.dll |

C:/WINDOWS/system32/pedadt.dll |

C:/WINDOWS/system32/tdffdl.dll |

C:/WINDOWS/system32/mtewdh.dll |

C:/WINDOWS/system32/mfdesy.dll |

C:/WINDOWS/system32/fsrgeb.dll |

C:/WINDOWS/system32/fmcvxy.dll |

C:/WINDOWS/system32/jggtsr.dll |

C:/WINDOWS/system32/jhfrxz.dll |

C:/WINDOWS/system32/rfdswc.dll |

C:/WINDOWS/system32/wklsdd.dll |

C:/WINDOWS/system32/ddserh.dll |

C:/WINDOWS/system32/sgdewg.dll |

C:/WINDOWS/system32/jfrwdh.dll |

C:/WINDOWS/system32/Com/1.1.6/WndHook.dll |

C:/WINDOWS/System32/usmsvc.exe * 2476 | 2008-6-30 4:18:50 | usmsvc 应用程序 | 1, 0, 0, 7 | usmsvc Microsoft 基础类应用程序 | 版权所有 (C) 2008 | 1, 0, 0, 7 | | | usmsvc |

C:/WINDOWS/system32/TElem32.dll | 2008-6-30 4:18:8 | TElem32 Dynamic Link Library | 1, 0, 0, 7 | TElem32 DLL | 版权所有 (C) 2008 | 1, 0, 0, 7 | | | TElem32 |

C:/WINDOWS/system32/NTNSDKWOW.dll | 2000-7-7 3:4:44 | Microsoft(R) Windows(R) Operating System | 5.1.2600.3099 (xpsp_sp2_gdr.070308-0222) | Windows XP MSPLAY API DLL | (C) Microsoft Corporation. All rights resad. | 5.1.2600.3099 | Microsoft Corporation | Microsoft | msplay32 |

C:/WINDOWS/system32/yzztnmsn.dll |

C:/WINDOWS/system32/nhmxejkl.dll |

C:/WINDOWS/system32/imgutilhx2.dll |

C:/WINDOWS/system32/ksuserfy.dll |

C:/WINDOWS/system32/adsntzt.dll |

C:/WINDOWS/system32/catsrvwl.dll |

C:/WINDOWS/system32/bootvidgj.dll |

C:/WINDOWS/system32/kbdswjr.dll |

C:/WINDOWS/system32/dpvvoxmh.dll |

C:/WINDOWS/system32/cliconfgzx.dll |

C:/WINDOWS/system32/rasdlgcq.dll |

C:/WINDOWS/system32/jhfrxz.dll |

C:/WINDOWS/system32/mtewdh.dll |

C:/WINDOWS/system32/jggtsr.dll |

C:/WINDOWS/system32/wklsdd.dll |

C:/WINDOWS/system32/sgdewg.dll |

C:/WINDOWS/system32/tdfhex.dll |

C:/WINDOWS/system32/zycdex.dll |

C:/WINDOWS/system32/tdggrz.dll |

C:/WINDOWS/system32/fmcvxy.dll |

C:/WINDOWS/system32/ddserh.dll |

C:/WINDOWS/system32/fsrgeb.dll |

C:/WINDOWS/system32/mfdesy.dll |

C:/WINDOWS/system32/jdsaex.dll |

C:/WINDOWS/system32/jfrwdh.dll |

C:/WINDOWS/system32/jfdses.dll |

C:/WINDOWS/system32/rfdswc.dll |

C:/WINDOWS/system32/ydggsx.dll |

C:/WINDOWS/system32/tdffdl.dll |

C:/WINDOWS/system32/cedafb.dll |

C:/WINDOWS/system32/hhrdxd.dll |

C:/WINDOWS/system32/pedadt.dll |

C:/WINDOWS/System32/ctfmon.exe* 2560 | 2002-10-7 4:0:0 | Microsoft? Windows? Operating System | 5.1.2600.2180 | CTF Loader | ? Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | CTFMON |

C:/WINDOWS/system32/NTNSDKWOW.dll | 2000-7-7 3:4:44 | Microsoft(R) Windows(R) Operating System | 5.1.2600.3099 (xpsp_sp2_gdr.070308-0222) | Windows XP MSPLAY API DLL | (C) Microsoft Corporation. All rights resad. | 5.1.2600.3099 | Microsoft Corporation | Microsoft | msplay32 |

C:/WINDOWS/system32/yzztnmsn.dll |

C:/WINDOWS/system32/nhmxejkl.dll |

C:/WINDOWS/system32/imgutilhx2.dll |

C:/WINDOWS/system32/ksuserfy.dll |

C:/WINDOWS/system32/adsntzt.dll |

C:/WINDOWS/system32/catsrvwl.dll |

C:/WINDOWS/system32/bootvidgj.dll |

C:/WINDOWS/system32/kbdswjr.dll |

C:/WINDOWS/system32/dpvvoxmh.dll |

C:/WINDOWS/system32/cliconfgzx.dll |

C:/WINDOWS/system32/rasdlgcq.dll |

C:/WINDOWS/system32/cedafb.dll |

C:/WINDOWS/system32/pedadt.dll |

C:/WINDOWS/system32/hhrdxd.dll |

C:/WINDOWS/system32/zycdex.dll |

C:/WINDOWS/system32/tdggrz.dll |

C:/WINDOWS/system32/tdffdl.dll |

C:/WINDOWS/system32/mtewdh.dll |

C:/WINDOWS/system32/mfdesy.dll |

C:/WINDOWS/system32/wklsdd.dll |

C:/WINDOWS/system32/rfdswc.dll |

C:/WINDOWS/system32/jfrwdh.dll |

C:/WINDOWS/system32/jhfrxz.dll |

C:/WINDOWS/system32/sgdewg.dll |

C:/WINDOWS/system32/jggtsr.dll |

C:/WINDOWS/system32/fmcvxy.dll |

C:/WINDOWS/system32/ddserh.dll |

C:/WINDOWS/system32/fsrgeb.dll |

C:/WINDOWS/system32/tdfhex.dll |

C:/WINDOWS/system32/ydggsx.dll |

C:/WINDOWS/system32/jdsaex.dll |

C:/WINDOWS/system32/jfdses.dll |

C:/WINDOWS/System32/conime.exe* 2696 | 2002-10-7 4:0:0 | Microsoft? Windows? Operating System | 5.1.2600.2180 | Console IME | ? Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | Console |

C:/WINDOWS/system32/NTNSDKWOW.dll | 2000-7-7 3:4:44 | Microsoft(R) Windows(R) Operating System | 5.1.2600.3099 (xpsp_sp2_gdr.070308-0222) | Windows XP MSPLAY API DLL | (C) Microsoft Corporation. All rights resad. | 5.1.2600.3099 | Microsoft Corporation | Microsoft | msplay32 |

C:/WINDOWS/system32/imgutilhx2.dll |

C:/WINDOWS/system32/ksuserfy.dll |

C:/WINDOWS/system32/adsntzt.dll |

C:/WINDOWS/system32/catsrvwl.dll |

C:/WINDOWS/system32/bootvidgj.dll |

C:/WINDOWS/system32/kbdswjr.dll |

C:/WINDOWS/system32/dpvvoxmh.dll |

C:/WINDOWS/system32/cliconfgzx.dll |

C:/WINDOWS/system32/rasdlgcq.dll |

C:/WINDOWS/system32/tdffdl.dll |

C:/WINDOWS/system32/cedafb.dll |

C:/WINDOWS/system32/pedadt.dll |

C:/WINDOWS/system32/hhrdxd.dll |

C:/WINDOWS/system32/zycdex.dll |

C:/WINDOWS/system32/tdggrz.dll |

C:/WINDOWS/system32/mtewdh.dll |

C:/WINDOWS/system32/mfdesy.dll |

C:/WINDOWS/system32/wklsdd.dll |

C:/WINDOWS/system32/rfdswc.dll |

C:/WINDOWS/system32/jfrwdh.dll |

C:/WINDOWS/system32/jhfrxz.dll |

C:/WINDOWS/system32/sgdewg.dll |

C:/WINDOWS/system32/jggtsr.dll |

C:/WINDOWS/system32/fmcvxy.dll |

C:/WINDOWS/system32/ddserh.dll |

C:/WINDOWS/system32/fsrgeb.dll |

C:/WINDOWS/system32/tdfhex.dll |

C:/WINDOWS/system32/ydggsx.dll |

C:/WINDOWS/system32/jdsaex.dll |

C:/WINDOWS/system32/jfdses.dll |

C:/Program Files/Internet Explorer/iexplore.exe * 2088 | 2004-5-19 7:39:58 | Windows? Internet Explorer | 7.00.6000.16674 | Internet Explorer | ? Microsoft Corporation. All rights reserved. | 7.00.6000.16674 (vista_gdr.080415-1732) | Microsoft Corporation| ? | iexplore |

C:/WINDOWS/system32/NTNSDKWOW.dll | 2000-7-7 3:4:44 | Microsoft(R) Windows(R) Operating System | 5.1.2600.3099 (xpsp_sp2_gdr.070308-0222) | Windows XP MSPLAY API DLL | (C) Microsoft Corporation. All rights resad. | 5.1.2600.3099 | Microsoft Corporation | Microsoft | msplay32 |

C:/WINDOWS/system32/yzztnmsn.dll |

C:/WINDOWS/system32/nhmxejkl.dll |

C:/WINDOWS/system32/imgutilhx2.dll |

C:/WINDOWS/system32/ksuserfy.dll |

C:/WINDOWS/system32/adsntzt.dll |

C:/WINDOWS/system32/catsrvwl.dll |

C:/WINDOWS/system32/bootvidgj.dll |

C:/WINDOWS/system32/kbdswjr.dll |

C:/WINDOWS/system32/dpvvoxmh.dll |

C:/WINDOWS/system32/cliconfgzx.dll |

C:/WINDOWS/system32/rasdlgcq.dll |

C:/WINDOWS/system32/wklsdd.dll |

C:/WINDOWS/system32/sgdewg.dll |

C:/WINDOWS/system32/tdfhex.dll |

C:/WINDOWS/system32/zycdex.dll |

C:/WINDOWS/system32/tdggrz.dll |

C:/WINDOWS/system32/fmcvxy.dll |

C:/WINDOWS/system32/ddserh.dll |

C:/WINDOWS/system32/fsrgeb.dll |

C:/WINDOWS/system32/jhfrxz.dll |

C:/WINDOWS/system32/mfdesy.dll |

C:/WINDOWS/system32/jdsaex.dll |

C:/WINDOWS/system32/jfrwdh.dll |

C:/WINDOWS/system32/jfdses.dll |

C:/WINDOWS/system32/rfdswc.dll |

C:/WINDOWS/system32/ydggsx.dll |

C:/WINDOWS/system32/tdffdl.dll |

C:/WINDOWS/system32/mtewdh.dll |

C:/WINDOWS/system32/cedafb.dll |

C:/WINDOWS/system32/hhrdxd.dll |

C:/WINDOWS/system32/pedadt.dll |

C:/WINDOWS/system32/jggtsr.dll |

C:/WINDOWS/system32/oobe/tvkoywtebi.dll | 1982-7-8 15:28:43 | Time32 | 3.2 | Windows Times | | 3.1.2.422 | Microsoft LTD. | | 3.0.22 |

C:/Program Files/Common Files/CPUSH/cpush0.dll | 2008-7-8 14:25:18| ? | 1.0.9.4| ?| ? | 1.0.9.4| ?| ? | cpush.dll |

C:/WINDOWS/system32/229a.dll | 2008-7-8 16:25:46 | DLL Module | 1, 1, 0, 2 | DLL Module | Copyright 2007 | 1, 1, 0, 2 | | | DLL |

C:/WINDOWS/system/zydld32080708.dll |

C:/Documents and Settings/All Users/Application Data/Microsoft/PCTools/pctools.dll | 2008-6-16 11:29:20 | ati Module | 1, 0, 0, 0 | ati Module | Copyright 2007 | 1, 0, 0, 0 | 明勋科技有限公司 | | ati |

C:/WINDOWS/System32/usmsho.dll | 2008-6-30 4:18:42 | usmsho Module | 1, 0, 0, 7 | usmsho Module | Copyright 2008 | 1, 0, 0, 7 | | | usmsho |

C:/WINDOWS/System32/TElem32.dll | 2008-6-30 4:18:8 | TElem32 Dynamic Link Library | 1, 0, 0, 7 | TElem32 DLL | 版权所有 (C) 2008 | 1, 0, 0, 7 | | | TElem32 |

C:/Program Files/Internet Explorer/PLUGINS/UnixSys08.Sys |

C:/Documents and Settings/All Users/Application Data/Microsoft/OFFICE/USERDATA/webbrowser_2145.dll | 2008-7-8 14:27:21 | | 3, 4, 6, 0 | | Copyright 2008 | 3, 4, 6, 0 | | | |

C:/WINDOWS/system32/xml42.dll |

C:/WINDOWS/ThunderAtone.dll | 2008-7-8 15:30:40 | Thunder Download AtOnce | 1.1.1.5 | 迅雷浏览器高级特性支持模块 | Copyright 2005-2007 | 1.3.7.2 | Thunder Networking Technologies,LTD | | |

C:/WINDOWS/System32/cmd.exe* 3992 | 2002-10-7 4:0:0 | Microsoft(R) Windows(R) Operating System | 5.1.2600.2180 | Windows Command Processor | (C) Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | cmd |

C:/WINDOWS/system32/NTNSDKWOW.dll | 2000-7-7 3:4:44 | Microsoft(R) Windows(R) Operating System | 5.1.2600.3099 (xpsp_sp2_gdr.070308-0222) | Windows XP MSPLAY API DLL | (C) Microsoft Corporation. All rights resad. | 5.1.2600.3099 | Microsoft Corporation | Microsoft | msplay32 |

F2 - REG: system.ini: UserInit = <C:/WINDOWS/system32/userinit.exe,C:/WINDOWS/system32/sichost.exe>

F2 - Shell =  <EXPLORER.EXE winxphelp.exe>

O2 - BHO CAdLogic Object - {11F09AFD-75AD-4E51-AB43-E09E9351CE16} = C:/Program Files/Common Files/CPUSH/cpush0.dll | 2008-7-8 14:25:18| ? | 1.0.9.4| ?| ? | 1.0.9.4| ?| ? | cpush.dll |

O2 - BHO Invoke Class - {16ECEEE2-939F-4619-8419-B3D21C0B094C} = C:/WINDOWS/system32/229a.dll | 2008-7-8 16:25:46 | DLL Module | 1, 1, 0, 2 | DLL Module | Copyright 2007 | 1, 1, 0, 2 | | | DLL |

O2 - BHO Info cache - {385AB8C6-FB22-4D17-8834-064E2BA0A6F0} = C:/Documents and Settings/All Users/Application Data/Microsoft/PCTools/pctools.dll | 2008-6-16 11:29:20 | ati Module | 1, 0, 0, 0 | ati Module | Copyright 2007 | 1, 0, 0, 0 | 明勋科技有限公司 | | ati |

O2 - BHO CMsgCenter Class - {6014EABC-B61A-4F07-A32B-440EAE835DF9} = C:/WINDOWS/System32/usmsho.dll | 2008-6-30 4:18:42 | usmsho Module | 1, 0, 0, 7 | usmsho Module | Copyright 2008 | 1, 0, 0, 7 | | | usmsho |

O2 - BHO - {74381DEC-D78B-43E4-BA5D-5244F669EBE4} = C:/Program Files/Internet Explorer/PLUGINS/UnixSys08.Sys |

O2 - BHO WebHelper Class - {986488AF-13D5-9DDF-4FEF-9FB88698CFC1} = C:/Documents and Settings/All Users/Application Data/Microsoft/OFFICE/USERDATA/webbrowser_2145.dll | 2008-7-8 14:27:21 | | 3, 4, 6, 0 | | Copyright 2008 | 3, 4, 6, 0 | | | |

O2 - BHO Thunder下载辅助 - {EB2ECF2E-81B1-4D2C-9553-3DF0CCB52A09} = C:/WINDOWS/ThunderAtone.dll | 2008-7-8 15:30:40 | Thunder Download AtOnce | 1.1.1.5 | 迅雷浏览器高级特性支持模块 | Copyright 2005-2007 | 1.3.7.2 | Thunder Networking Technologies,LTD | | |

O2 - BHO - {FCADDC14-BD46-408A-9842-CDBE1C6D37EB} = C:/WINDOWS/system32/xml42.dll |

O4 - HKLM/../Run: [NMGameX_AutoRun] C:/WINDOWS/system32/Rundll32.exe NMGameX.dll,LiveProcess /aa

O4 - HKLM/../Run: [login.jpg.exe] C:/WINDOWS/system32/login.jpg.exe

O4 - HKLM/../Run: [Funshion] C:/Program Files/Funshion Online/Funshion/Funshion.exe /tray

O4 - HKLM/../Run: [Counter]  C:/Program Files/Counter/Counter.exe"

O4 - HKLM/../Run: [usmsvc] C:/WINDOWS/system32/usmsvc.exe

O4 - HKLM/../Run: [360] C:/WINDOWS/360safe.exe

O4 - HKLM/../Run: [RavMonS] C:/WINDOWS/soni.exe

O4 - HKLM/../Policies/Explorer/Run: [lljyn_df] C:/WINDOWS/system/lljyn080704.exe

O4 - HKLM/../Policies/Explorer/Run: [zy_df] C:/WINDOWS/system/zydle080708.exe

O4 - HKLM/../Policies/Explorer/Run: [c77b] rundll32  C:/WINDOWS/Downlo~1/c77b.dll" ,Run

CmdProcAuto = C:/WINDOWS/system32/sichost.exe

C:/autorun.inf /----- [AutoRun] open=MSDOS.bat shell/open=打开(&O) shell/open/Command=MSDOS.bat shell/open/Default=1 shell/explore=资源管理器(&X) shell/explore/Command=MSDOS.bat -----/

D:/autorun.inf /----- [AutoRun] open=MSDOS.bat shell/open=打开(&O) shell/open/Command=MSDOS.bat shell/open/Default=1 shell/explore=资源管理器(&X) shell/explore/Command=MSDOS.bat -----/

c77ac.job c77sc.job c77dc.job c77b.job

O9 - IE工具栏扩展按钮HKLM:知识库 - {06926B30-424E-4f1c-8EE3-543CD96573DC} - hxxp://blank.la/?h

O9 - IE工具菜单扩展项HKLM: - {06926B30-424E-4f1c-8EE3-543CD96573DC} - hxxp://blank.la/?h

O10 - LSP: MSAFD IGMP = C:/WINDOWS/system32/mmchost.dll |

O10 - LSP: MSAFD IGMP = C:/WINDOWS/system32/mmchost.dll |

O20 - AppInit_DLLs = ieprot.dll,NTNSDKWOW.dll,toolbo.dll,wolko.dll,he1low.dll,gwofw.dll,momusi.dll,jsedf.dll,pocolieov.dll,wowolse.dll,zmsory.dll,wepome.dll,jcoolde.dll,ziflok.dll,qananp.dll,yzztnmsn.dll,nhmxejkl.dll,znsomy.dll,pcoseve.dll

O21 - SSODL - rasdlgcq.dll(2) - {00230023-0023-0023-0023-00230023BB15} = C:/WINDOWS/system32/rasdlgcq.dll |

O21 - SSODL - cliconfgzx.dll(0) - {00050005-0005-0005-0005-00050005BB15} = C:/WINDOWS/system32/cliconfgzx.dll |

O21 - SSODL - dpvvoxmh.dll(0) - {00070007-0007-0007-0007-00070007BB15} = C:/WINDOWS/system32/dpvvoxmh.dll |

O21 - SSODL - kbdswjr.dll(1) - {00120012-0012-0012-0012-00120012BB15} = C:/WINDOWS/system32/kbdswjr.dll |

O21 - SSODL - bootvidgj.dll(0) - {00030003-0003-0003-0003-00030003BB15} = C:/WINDOWS/system32/bootvidgj.dll |

O21 - SSODL - catsrvwl.dll(0) - {00040004-0004-0004-0004-00040004BB15} = C:/WINDOWS/system32/catsrvwl.dll |

O21 - SSODL - adsntzt.dll(0) - {00010001-0001-0001-0001-00010001BB15} = C:/WINDOWS/system32/adsntzt.dll |

O21 - SSODL - ksuserfy.dll(1) - {00130013-0013-0013-0013-00130013BB15} = C:/WINDOWS/system32/ksuserfy.dll |

O21 - SSODL - imgutilhx2.dll(0) - {00300030-0030-0030-0030-00300030BB15} = C:/WINDOWS/system32/imgutilhx2.dll |

O23 - 服务: A30177B2 (A30177B2) - C:/WINDOWS/system32/7D4BDEF4.EXE -d | 2000-7-8 6:1:23| ?| ?| ?| ?| ?| ?| ?| ?|

O23 - 服务: acpidisk (acpidisk) - C:/WINDOWS/system32/drivers/acpidisk.sys |

O23 - 服务: Apcdli () - C:/Program Files/Microsoft Office/SYSTEM/apcdli.sys (自动)

O23 - 服务: BITS (Background Intelligent Transfer Service) - C:/WINDOWS/System32/svchost.exe -> C:/WINDOWS/system32/BITSEx.dll | 2004-8-17 12:0:0 | svchost | 5.1.2600.2180 | Microsoft SNMP Manager API (uses WinSNMP) | Copyright @ 2004 | 5.1.2600.2180 | @ Microsoft Corporation. All rights reserved. | | svchost |

O23 - 服务: IIS Manager (IIS Manager ) - C:/DOCUME~1/rd/LOCALS~1/Temp/1.tmp (手动)

O23 - 服务: Irmon (Irmon) - C:/WINDOWS/System32/svchost.exe -> C:/WINDOWS/system32/irmon64.dll | 2008-6-30 3:29:36 | Microsoft(R) Windows(R) Operating System | 1, 0, 0, 1 | Microsoft RIP for Internet Protocol | (C) Microsoft Corporation. All rights reserved. | 1, 0, 0, 1 | Microsoft Corporation | | 6to4.dll |

O23 - 服务: IPRIP () - C:/WINDOWS/System32/svchost.exe -k netsvcs -> C:/WINDOWS/icpb.dll |

O23 - 服务: jzzethq (jzzethq) -  system32/drivers/jzzethq.sys |

O23 - 服务: kernel32 (kernel32) - c:/windows/system32/KERNEL32.exe |

O23 - 服务: mfc42 (mfc42) - c:/windows/mfc42.exe |

O23 - 服务: mrs5gz7 (mrs5gz7) -  System32/DRIVERS/mrs5gz7.sys | | 1, 0, 0, 1 | File System Driver | (C) Microsoft Corporation. All rights reserved. | 1, 0, 0, 1 | | | |

O23 - 服务: Nessery (Nessery) - C:/WINDOWS/system32/Nessery.sys |

O23 - Service: Network Services (网络服务) - C:/WINDOWS/MayaBaby/MayaBabyMain.exe |

O23 - Service: ntptdb (ntptdb) - C:/Documents and Settings/All Users/Application Data/Microsoft/Office/SYSTEM/ntptdb.sys |

O23 - Service: Nwsapagent () - C:/WINDOWS/System32/svchost.exe -k netsvcs -> C:/WINDOWS/iasxin.dll | 2008-7-7 7:43:6 | Microsoft(R) Windows(R) Operating System | 1, 0, 0, 2 | Microsoft RIP for Internet Protocol | (C) Microsoft Corporation. All rights reserved. | 1, 0, 0, 2 | Microsoft Corporation | | 6to4.dll |

O23 - Service: ProtectedStorager5 (Protected Storage Manager) - C:/WINDOWS/System32/svchost.exe -k netsvcs -> c:/windows/system32/config/sam6.log | 2008-7-8 15:29:39 | Microsoft(R) Windows(R) Operating System | 5.1.2600.0 | Microsoft DCOM Client | (C) Microsoft Corporation. All rights reserved. | 5.1.2601.1 | Microsoft Corporation | | |

O23 - Service: pvuv (Windows pvuv RunThem) - C:/WINDOWS/System32/svchost.exe -k netsvcs -> C:/PROGRA~1/kqpq/uaza.dll | 2008-7-8 15:31:29 | AdDm | 5, 0, 1, 0 | AdDm | Copyright © 2006 | 5, 0, 1, 0 | | | AdDm |

O23 - Service: RESSDT (RESSDT) - C:/WINDOWS/system32/ssdtti.sys (manual)

O23 - Service: ROCKEYNT (ROCKEYNT) - C:/WINDOWS/system32/drivers/Rockeynt.sys | 2005-1-11 14:18:46 | ROCKEY Device Driver | 4.00 | Rockey Device Driver | (C)Copyright FTCX,All Right Reserved! 1999-2000 | 4.00 | FeiTian Tech Co.,Ltd| ? | Rockeynt.sys |

O23 - Service: Tcpip (TCP/IP Protocol Driver) -  System32/DRIVERS/tcpip.sys | 2002-10-7 4:0:0 | Microsoft® Windows® Operating System | 5.1.2600.3244 | TCP/IP Protocol Driver | © Microsoft Corporation. All rights reserved. | 5.1.2600.3244 (xpsp_sp2_gdr.071030-1259) | Microsoft Corporation| ? | tcpip.sys |

O23 - Service: U3sHlpDr (U3sHlpDr) - C:/WINDOWS/System32/Drivers/U3sHlpDr.sys |

O23 - Service: ULSStorage (ULSStorage) - C:/WINDOWS/system32/2973a.exe | 2008-7-8 4:46:37 | Microsoft(R) Windows(R) Operating System | 5.1.2600.2180 | Windows Progman Group Converter | Copyright Zhongsou(C) 2005 | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | GrpConv|

O23 - Service: W32Time (Windows Time) - C:/WINDOWS/System32/svchost.exe -k netsvcs -> C:/WINDOWS/system32/oobe/tvkoywtebi.dll | 1982-7-8 15:28:43 | Time32 | 3.2 | Windows Times | | 3.1.2.422 | Microsoft LTD. | | 3.0.22 |

O23 - Service: WbWin () - C:/WINDOWS/System32/svchost.exe -k netsvcs -> C:/WINDOWS/avtapit.dll | 2008-6-18 3:27:12 | Microsoft(R) Windows(R) Operating System | 1, 0, 0, 1 | Advanced Windows 32 Base API | (C) Microsoft Corporation. All rights reserved. | 1, 0, 0, 1 | Microsoft Corporation | | advapi32.dll |

O23 - Service: wwinsystem (wwinsystem) - C:/WINDOWS/system32/tcpip.exe |

O24 - ShlExecHook: [5] - {00230023-0023-0023-0023-00230023BB15} = C:/WINDOWS/system32/rasdlgcq.dll |

O24 - ShlExecHook: [5] - {00050005-0005-0005-0005-00050005BB15} = C:/WINDOWS/system32/cliconfgzx.dll |

O24 - ShlExecHook: [5] - {00070007-0007-0007-0007-00070007BB15} = C:/WINDOWS/system32/dpvvoxmh.dll |

O24 - ShlExecHook: [MICROSOFT] - {841529CB-7F77-4B99-A895-B5441E0D302F} = C:/WINDOWS/system32/jfrwdh.dll |

O24 - ShlExecHook: [MICROSOFT] - {8C41B7F7-3168-400D-A702-0E7EFE0BA304} = C:/WINDOWS/system32/sgdewg.dll |

O24 - ShlExecHook: [MICROSOFT] - {A9895933-6636-4281-BC58-EE6DE2AF96E3} = C:/WINDOWS/system32/ddserh.dll |

O24 - ShlExecHook: [MICROSOFT] - {45AADFAA-DD36-42AB-83AD-0521BBF58C24} = C:/WINDOWS/system32/zycdex.dll |

O24 - ShlExecHook: [MICROSOFT] - {17DFD111-BF3A-4CB4-ADB0-88FCBFE69821} = C:/WINDOWS/system32/hhrdxd.dll |

O24 - ShlExecHook: [5] - {00120012-0012-0012-0012-00120012BB15} = C:/WINDOWS/system32/kbdswjr.dll |

O24 - ShlExecHook: [MICROSOFT] - {84143967-B645-4BFF-B873-DA1DC886E9A7} = C:/WINDOWS/system32/cedafb.dll |

O24 - ShlExecHook: [5] - {00030003-0003-0003-0003-00030003BB15} = C:/WINDOWS/system32/bootvidgj.dll |

O24 - ShlExecHook: [5] - {00040004-0004-0004-0004-00040004BB15} = C:/WINDOWS/system32/catsrvwl.dll |

O24 - ShlExecHook: [5] - {00010001-0001-0001-0001-00010001BB15} = C:/WINDOWS/system32/adsntzt.dll |

O24 - ShlExecHook: [5] - {00130013-0013-0013-0013-00130013BB15} = C:/WINDOWS/system32/ksuserfy.dll |

O24 - ShlExecHook: [5] - {00300030-0030-0030-0030-00300030BB15} = C:/WINDOWS/system32/imgutilhx2.dll |

O24 - ShlExecHook: [MICROSOFT] - {81AF1CF6-D1C9-4C6A-AC01-EDE54E71945B} = C:/WINDOWS/system32/jfdses.dll |

O24 - ShlExecHook: [MICROSOFT] - {B29583D8-033A-4B9F-8553-7C5458F3FB8E} = C:/WINDOWS/system32/jdsaex.dll |

O24 - ShlExecHook: [MICROSOFT] - {0086DD39-EB8E-4504-A085-AC8A433E34D0} = C:/WINDOWS/system32/ydggsx.dll |

O24 - ShlExecHook: [MICROSOFT] - {0B846B26-BFE6-4E8E-A948-1DB17B77B483} = C:/WINDOWS/system32/tdfhex.dll |

O24 - ShlExecHook: [MICROSOFT] - {C0595A7E-2E2F-4B34-A83A-019270A0A464} = C:/WINDOWS/system32/tdffdl.dll |

O24 - ShlExecHook: [MICROSOFT] - {189F087F-4378-405F-85FA-37D955AD7A8C} = C:/WINDOWS/system32/mtewdh.dll |

O24 - ShlExecHook: [MICROSOFT] - {DC3D30AE-0380-4151-8934-EE98A34B0370} = C:/WINDOWS/system32/mfdesy.dll |

O24 - ShlExecHook: [MICROSOFT] - {E8A3B193-77E3-4FB3-986D-F4FA4828BAFC} = C:/WINDOWS/system32/wklsdd.dll |

O24 - ShlExecHook: [MICROSOFT] - {461D2AB4-29A5-45C2-9134-D52272D3DE38} = C:/WINDOWS/system32/rfdswc.dll |

O24 - ShlExecHook: [MICROSOFT] - {7914E0AA-ECCB-4311-B584-C49538227824} = C:/WINDOWS/system32/jhfrxz.dll |

O24 - ShlExecHook: [MICROSOFT] - {CAED0F3B-DF8B-4DBF-BB20-8DFBC3199068} = C:/WINDOWS/system32/jggtsr.dll |

O24 - ShlExecHook: [MICROSOFT] - {73AE86E6-7F03-4C3B-8980-FB1DA157D3C7} = C:/WINDOWS/system32/fmcvxy.dll |

O24 - ShlExecHook: [MICROSOFT] - {EA5D4B0E-B8CE-4761-8C7E-5D26369F0EC6} = C:/WINDOWS/system32/fsrgeb.dll |

O24 - ShlExecHook: [MICROSOFT] - {5E907A48-400E-4EA8-9792-FFAE052D59E9} = C:/WINDOWS/system32/pedadt.dll |

O24 - ShlExecHook: [MICROSOFT] - {4D165A2A-4BC1-4CA8-8299-08E05AAAB5A4} = C:/WINDOWS/system32/tdggrz.dll |

O24 - ShlExecHook: [E] - {E490415F-65F8-B5C5-D8BA-9405FB12054E} = C:/WINDOWS/system32/yzztnmsn.dll |

O24 - ShlExecHook: [8] - {87FD640A-158F-48AC-FD14-1597F14A9778} = C:/WINDOWS/system32/mndshsrv.dll |

O24 - ShlExecHook: [5] - {57AC9076-C898-B098-D098-A18319080975} = C:/WINDOWS/system32/nhmxejkl.dll |

O24 - ShlExecHook: [7] - {7C648541-1025-9650-9057-6541258720C7} = C:/WINDOWS/system32/mndhgdwd.dll |

O24 - ShlExecHook: [8] - {80AF1289-F140-A140-D012-C1458759FC08} = C:/WINDOWS/system32/ypcqghlp.dll |

O24 - ShlExecHook: [] - {74381DEC-D78B-43E4-BA5D-5244F669EBE4} = C:/Program Files/Internet Explorer/PLUGINS/UnixSys08.Sys |

O24 - ShlExecHook: [MICROSOFT] - {259BF3CF-194D-4FE6-9ADB-DE6544B098B6} = C:/WINDOWS/system32/dndsaf.dll |

O24 - ShlExecHook: [8] - {ACADABAE-1102-0010-8000-00AA006D2EA8} = C:/WINDOWS/system32/ShowAD.dll |

O24 - ShlExecHook: [8] - {ACADABAE-1101-0010-8000-00AA006D2EA8} = C:/WINDOWS/system32/GameGuard02.dll |

O26 - IFEO: 360rpt.exe -> C:/WINDOWS/system32/svchost.exe

O26 - IFEO: 360safe.exe -> C:/WINDOWS/system32/svchost.exe

O26 - IFEO: 360safebox.exe -> C:/WINDOWS/system32/svchost.exe

O26 - IFEO: 360tray.exe -> C:/WINDOWS/system32/svchost.exe

O26 - IFEO: adam.exe -> C:/WINDOWS/system32/svchost.exe

O26 - IFEO: AgentSvr.exe -> C:/WINDOWS/system32/svchost.exe

O26 - IFEO: AppSvc32.exe -> C:/WINDOWS/system32/svchost.exe

O26 - IFEO: ati2evxx.exe -> C:/WINDOWS/system32/svchost.exe

O26 - IFEO: autoruns.exe -> C:/WINDOWS/system32/svchost.exe

O26 - IFEO: avconsol.exe -> C:/WINDOWS/system32/svchost.exe

O26 - IFEO: avgrssvc.exe -> C:/WINDOWS/system32/svchost.exe

O26 - IFEO: AvMonitor.exe -> C:/WINDOWS/system32/svchost.exe

O26 - IFEO: avp.com -> C:/WINDOWS/system32/svchost.exe

O26 - IFEO: avp.exe -> C:/WINDOWS/system32/svchost.exe

O26 - IFEO: CCenter.exe -> C:/WINDOWS/system32/svchost.exe

O26 - IFEO: ccSvcHst.exe -> C:/WINDOWS/system32/svchost.exe

O26 - IFEO: egui.exe -> C:/WINDOWS/system32/svchost.exe

O26 - IFEO: esafe.exe -> C:/WINDOWS/system32/svchost.exe

O26 - IFEO: FileDsty.exe -> C:/WINDOWS/system32/svchost.exe

O26 - IFEO: FTCleanerShell.exe -> C:/WINDOWS/system32/svchost.exe

O26 - IFEO: HijackThis.exe -> C:/WINDOWS/system32/svchost.exe

O26 - IFEO: IceSword.exe -> C:/WINDOWS/system32/svchost.exe

O26 - IFEO: idag.exe -> C:/WINDOWS/system32/svchost.exe

O26 - IFEO: Iparmor.exe -> C:/WINDOWS/system32/svchost.exe

O26 - IFEO: isPwdSvc.exe -> C:/WINDOWS/system32/svchost.exe

O26 - IFEO: kabaload.exe -> C:/WINDOWS/system32/svchost.exe

O26 - IFEO: kaccore.exe -> C:/WINDOWS/system32/svchost.exe

O26 - IFEO: KaScrScn.SCR -> C:/WINDOWS/system32/svchost.exe

O26 - IFEO: KASMain.exe -> C:/WINDOWS/system32/svchost.exe

O26 - IFEO: KASTask.exe -> C:/WINDOWS/system32/svchost.exe

O26 - IFEO: KAV32.exe -> C:/WINDOWS/system32/svchost.exe

O26 - IFEO: KAVDX.exe -> C:/WINDOWS/system32/svchost.exe

O26 - IFEO: KAVPF.exe -> C:/WINDOWS/system32/svchost.exe

O26 - IFEO: KAVPFW.exe -> C:/WINDOWS/system32/svchost.exe

O26 - IFEO: KAVSetup.exe -> C:/WINDOWS/system32/svchost.exe

O26 - IFEO: KAVStart.exe -> C:/WINDOWS/system32/svchost.exe

O26 - IFEO: kavsvc.exe -> C:/WINDOWS/system32/svchost.exe

O26 - IFEO: KAVsvcUI.exe -> C:/WINDOWS/system32/svchost.exe

O26 - IFEO: KISLnchr.exe -> C:/WINDOWS/system32/svchost.exe

O26 - IFEO: kissvc.exe -> C:/WINDOWS/system32/svchost.exe

O26 - IFEO: KMailMon.exe -> C:/WINDOWS/system32/svchost.exe

O26 - IFEO: KMFilter.exe -> C:/WINDOWS/system32/svchost.exe

O26 - IFEO: KPFW32.exe -> C:/WINDOWS/system32/svchost.exe

O26 - IFEO: kpfwsvc.exe -> C:/WINDOWS/system32/svchost.exe

O26 - IFEO: KPPMain.exe -> C:/WINDOWS/system32/svchost.exe

O26 - IFEO: KRegEx.exe -> C:/WINDOWS/system32/svchost.exe

O26 - IFEO: KRepair.com -> C:/WINDOWS/system32/svchost.exe

O26 - IFEO: KsLoader.exe -> C:/WINDOWS/system32/svchost.exe

O26 - IFEO: KVCenter.kxp -> C:/WINDOWS/system32/svchost.exe

O26 - IFEO: KvDetect.exe -> C:/WINDOWS/system32/svchost.exe

O26 - IFEO: KVFW.EXE -> C:/WINDOWS/system32/svchost.exe

O26 - IFEO: KvfwMcl.exe -> C:/WINDOWS/system32/svchost.exe

O26 - IFEO: KVMonXP_1.kxp -> C:/WINDOWS/system32/svchost.exe

O26 - IFEO: kvol.exe -> C:/WINDOWS/system32/svchost.exe

O26 - IFEO: kvolself.exe -> C:/WINDOWS/system32/svchost.exe

O26 - IFEO: KvReport.kxp -> C:/WINDOWS/system32/svchost.exe

O26 - IFEO: KVScan.kxp -> C:/WINDOWS/system32/svchost.exe

O26 - IFEO: KVsrvXP.exe -> C:/WINDOWS/system32/svchost.exe

O26 - IFEO: KVStub.kxp -> C:/WINDOWS/system32/svchost.exe

O26 - IFEO: kvupload.exe -> C:/WINDOWS/system32/svchost.exe

O26 - IFEO: KVwsc.exe -> C:/WINDOWS/system32/svchost.exe

O26 - IFEO: kwatch.exe -> C:/WINDOWS/system32/svchost.exe

O26 - IFEO: KWatch9x.exe -> C:/WINDOWS/system32/svchost.exe

O26 - IFEO: KWatchX.exe -> C:/WINDOWS/system32/svchost.exe

O26 - IFEO: MagicSet.exe -> C:/WINDOWS/system32/svchost.exe

O26 - IFEO: mcconsol.exe -> C:/WINDOWS/system32/svchost.exe

O26 - IFEO: mmqczj.exe -> C:/WINDOWS/system32/svchost.exe

O26 - IFEO: mmsk.exe -> C:/WINDOWS/system32/svchost.exe

O26 - IFEO: navapsvc.exe -> C:/WINDOWS/system32/svchost.exe

O26 - IFEO: Navapw32.exe -> C:/WINDOWS/system32/svchost.exe

O26 - IFEO: nod32krn.exe -> C:/WINDOWS/system32/svchost.exe

O26 - IFEO: NPFMntor.exe -> C:/WINDOWS/system32/svchost.exe

O26 - IFEO: OllyDBG.EXE -> C:/WINDOWS/system32/svchost.exe

O26 - IFEO: OllyICE.EXE -> C:/WINDOWS/system32/svchost.exe

O26 - IFEO: PFW.exe -> C:/WINDOWS/system32/svchost.exe

O26 - IFEO: PFWLiveUpdate.exe -> C:/WINDOWS/system32/svchost.exe

O26 - IFEO: procexp.exe -> C:/WINDOWS/system32/svchost.exe

O26 - IFEO: QHSET.exe -> C:/WINDOWS/system32/svchost.exe

O26 - IFEO: QQDoctor.exe -> C:/WINDOWS/system32/svchost.exe

O26 - IFEO: QQDoctorMain.exe -> TASKMAN.EXE

O26 - IFEO: qqkav.exe -> C:/WINDOWS/system32/svchost.exe

O26 - IFEO: qqsc.exe -> C:/WINDOWS/system32/svchost.exe

O26 - IFEO: Ras.exe -> C:/WINDOWS/system32/svchost.exe

O26 - IFEO: rav.exe -> C:/WINDOWS/system32/svchost.exe

O26 - IFEO: RAVmon.exe -> C:/WINDOWS/system32/svchost.exe

O26 - IFEO: RAVmonD.exe -> C:/WINDOWS/system32/svchost.exe

O26 - IFEO: ravstub.exe -> C:/WINDOWS/system32/svchost.exe

O26 - IFEO: ravtask.exe -> C:/WINDOWS/system32/svchost.exe

O26 - IFEO: ravtimer.exe -> C:/WINDOWS/system32/svchost.exe

O26 - IFEO: ravtool.exe -> C:/WINDOWS/system32/svchost.exe

O26 - IFEO: RegClean.exe -> C:/WINDOWS/system32/svchost.exe

O26 - IFEO: regtool.exe -> C:/WINDOWS/system32/svchost.exe

O26 - IFEO: rfwmain.exe -> C:/WINDOWS/system32/svchost.exe

O26 - IFEO: rfwproxy.exeFYFireWall.exe -> C:/WINDOWS/system32/svchost.exe

O26 - IFEO: rfwsrv.exe -> C:/WINDOWS/system32/svchost.exe

O26 - IFEO: rfwstub.exe -> C:/WINDOWS/system32/svchost.exe

O26 - IFEO: rising.exe -> C:/WINDOWS/system32/svchost.exe

O26 - IFEO: Rsaupd.exe -> C:/WINDOWS/system32/svchost.exe

O26 - IFEO: runiep.exe -> C:/WINDOWS/system32/svchost.exe

O26 - IFEO: safebank.exe -> C:/WINDOWS/system32/svchost.exe

O26 - IFEO: safeboxtray.exe -> C:/WINDOWS/system32/svchost.exe

O26 - IFEO: safelive.exe -> C:/WINDOWS/system32/svchost.exe

O26 - IFEO: scan32.exe -> C:/WINDOWS/system32/svchost.exe

O26 - IFEO: SelfUpdate.exe -> TASKMAN.EXE

O26 - IFEO: shcfg32.exe -> C:/WINDOWS/system32/svchost.exe

O26 - IFEO: SmartUp.exe -> C:/WINDOWS/system32/svchost.exe

O26 - IFEO: SREng.EXE -> C:/WINDOWS/system32/svchost.exe

O26 - IFEO: symlcsvc.exe -> C:/WINDOWS/system32/svchost.exe

O26 - IFEO: SysSafe.exe -> C:/WINDOWS/system32/svchost.exe

O26 - IFEO: TrojanDetector.exe -> C:/WINDOWS/system32/svchost.exe

O26 - IFEO: Trojanwall.exe -> C:/WINDOWS/system32/svchost.exe

O26 - IFEO: TrojDie.kxp -> C:/WINDOWS/system32/svchost.exe

O26 - IFEO: UIHost.exe -> C:/WINDOWS/system32/svchost.exe

O26 - IFEO: UmxAgent.exe -> C:/WINDOWS/system32/svchost.exe

O26 - IFEO: UmxAttachment.exe -> C:/WINDOWS/system32/svchost.exe

O26 - IFEO: UmxCfg.exe -> C:/WINDOWS/system32/svchost.exe

O26 - IFEO: UmxFwHlp.exe -> C:/WINDOWS/system32/svchost.exe

O26 - IFEO: UmxPol.exe -> C:/WINDOWS/system32/svchost.exe

O26 - IFEO: UpLive.exe -> C:/WINDOWS/system32/svchost.exe

O26 - IFEO: vsstat.exe -> C:/WINDOWS/system32/svchost.exe

O26 - IFEO: webscanx.exe -> C:/WINDOWS/system32/svchost.exe

O26 - IFEO: WinDbg.exe -> C:/WINDOWS/system32/svchost.exe

O26 - IFEO: WoptiClean.exe -> C:/WINDOWS/system32/svchost.exe

O29 - HKCU-Start Page = hxxp://about.blank.la?g

HKLM/SHOWALL    value is not 1


The malicious programs on my friend's computer used IFEO (Image File Execution Options, also called image hijacking; pe_xscan's O26 entries) to stop Kaspersky and Kaka Security Assistant from running. Each O26 entry sets the Debugger value for a security tool's executable to svchost.exe (or TASKMAN.EXE), so when the tool is launched Windows starts that program with the tool's path as its command line instead, and the tool itself never runs.

They also use the now-common ShellExecuteHook (pe_xscan's O24 entries), autorun.inf and SSODL (ShellServiceObjectDelayLoad; pe_xscan's O21 entries), and the once-popular CmdProcAuto = C:/WINDOWS/system32/sichost.exe trick (the Command Processor AutoRun value, which runs the named program every time cmd.exe starts) is back in use.

It is also worth noting that scheduled tasks have lately been used quite often by malicious programs... fortunately pe_xscan already checks for them.
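As an added example (not part of the original post, and not pe_xscan's own code), the following Python script applies the three checks these paragraphs imply to pe_xscan-format O23/O24/O26 lines: an IFEO Debugger that is not a real debugger, a ShellExecuteHooks CLSID that is not on a clean-system allowlist, and an svchost-hosted service whose ServiceDll is not a .dll directly under system32. The sample lines are copied or condensed from the log above, plus three clean entries constructed for contrast (a Dhcp service, shell32's URL Exec Hook, and an IFEO entry that points at windbg.exe); the debugger allowlist is an assumption to be tuned per machine.

```python
"""Triage pe_xscan-style O23 / O24 / O26 log lines for the evasion tricks
discussed above. Added example; not part of the original post or of pe_xscan."""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "item name target reason")

# Programs that legitimately appear as an IFEO "Debugger" value (assumed allowlist).
KNOWN_DEBUGGERS = {"ntsd.exe", "windbg.exe", "cdb.exe", "vsjitdebugger.exe", "drwtsn32.exe"}
# The single ShellExecuteHooks CLSID present on a clean Windows XP SP2 (shell32's URL Exec Hook).
KNOWN_SHELL_EXEC_HOOKS = {"{AEB6717E-7E19-11D0-97EE-00C0A7A4F0A0}"}

IFEO_RE = re.compile(r"^O26 - IFEO: (?P<victim>\S+) -> (?P<debugger>.+?)\s*$")
HOOK_RE = re.compile(r"^O24 - ShlExecHook: \[[^\]]*\] - (?P<clsid>\{[0-9A-Fa-f-]+\}) = (?P<dll>[^|]+?)\s*\|?\s*$")
SVC_RE = re.compile(r"^O23 - (?:Service|服务): (?P<name>.+?) \((?P<display>[^)]*)\) - (?P<image>[^|]+?)\s*(?:\||$)")


def _basename(path):
    return re.split(r"[\\/]", path.strip())[-1].lower()


def _dirname(path):
    return "/".join(re.split(r"[\\/]", path.strip())[:-1]).lower()


def check_ifeo(victim, debugger):
    """An IFEO Debugger value makes Windows run `<debugger> <victim command line>` instead of
    the victim. A non-debugger such as svchost.exe just exits, so the victim never starts."""
    if _basename(debugger) in KNOWN_DEBUGGERS:
        return None
    return Finding("O26", victim, debugger.strip(),
                   "IFEO Debugger is not a debugger; %s is silently never started" % victim)


def check_hook(clsid, dll):
    """Every ShellExecuteHooks CLSID is loaded into each process that calls ShellExecute."""
    if clsid.upper() in KNOWN_SHELL_EXEC_HOOKS:
        return None
    return Finding("O24", clsid, dll.strip(), "ShellExecuteHook not on the clean-system allowlist")


def check_service(name, image):
    """pe_xscan prints svchost-hosted services as 'svchost.exe -k group -> ServiceDll'.
    A genuine ServiceDll is a .dll directly under system32; a .log under config/, or a
    DLL under oobe/ or Program Files, is a hijacked service."""
    if "->" not in image:
        return None
    service_dll = image.split("->", 1)[1].strip()
    if service_dll.lower().endswith(".dll") and _dirname(service_dll).endswith("system32"):
        return None
    return Finding("O23", name, service_dll, "svchost ServiceDll is not a .dll directly under system32")


def triage(log_text):
    """Return a Finding for every suspicious O23/O24/O26 line, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        f = None
        m = IFEO_RE.match(line)
        if m:
            f = check_ifeo(m.group("victim"), m.group("debugger"))
        m = HOOK_RE.match(line)
        if m:
            f = check_hook(m.group("clsid"), m.group("dll"))
        m = SVC_RE.match(line)
        if m:
            f = check_service(m.group("name"), m.group("image"))
        if f:
            findings.append(f)
    return findings


# Sample input: lines copied or condensed from the log above, plus three constructed clean
# entries for contrast (Dhcp service, shell32's URL Exec Hook, a real windbg.exe IFEO entry).
SAMPLE_LOG = """\
O23 - Service: ProtectedStorager5 (Protected Storage Manager) - C:/WINDOWS/System32/svchost.exe -k netsvcs -> c:/windows/system32/config/sam6.log | 2008-7-8 15:29:39 | Microsoft(R) Windows(R) Operating System |
O23 - Service: W32Time (Windows Time) - C:/WINDOWS/System32/svchost.exe -k netsvcs -> C:/WINDOWS/system32/oobe/tvkoywtebi.dll | 1982-7-8 15:28:43 | Time32 |
O23 - Service: Tcpip (TCP/IP Protocol Driver) -  System32/DRIVERS/tcpip.sys | 2002-10-7 4:0:0 |
O23 - Service: Dhcp (DHCP Client) - C:/WINDOWS/System32/svchost.exe -k netsvcs -> C:/WINDOWS/system32/dhcpcsvc.dll |
O24 - ShlExecHook: [5] - {00230023-0023-0023-0023-00230023BB15} = C:/WINDOWS/system32/rasdlgcq.dll |
O24 - ShlExecHook: [URL Exec Hook] - {AEB6717E-7E19-11d0-97EE-00C0A7A4F0A0} = C:/WINDOWS/system32/shell32.dll |
O26 - IFEO: avp.exe -> C:/WINDOWS/system32/svchost.exe
O26 - IFEO: QQDoctorMain.exe -> TASKMAN.EXE
O26 - IFEO: myapp.exe -> C:/Program Files/Debugging Tools for Windows/windbg.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("%s %-42s %s\n    %s" % (f.item, f.name, f.target, f.reason))
```

Run against the sample it reports five findings: the two hijacked service DLLs (sam6.log, tvkoywtebi.dll), the fabricated ShellExecuteHook CLSID, and the two IFEO entries that divert avp.exe and QQDoctorMain.exe; the Dhcp service, the shell32 hook and the windbg.exe entry pass. The O23 rule is deliberately strict and will also flag legitimate third-party services that keep their ServiceDll outside system32, so treat its hits as review items; the decisive check remains verifying the file's Microsoft digital signature, as done for lsass.exe below.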

In addition, I found that C:/WINDOWS/System32/lsass.exe failed Microsoft's digital signature verification... it may have been replaced by a malicious program.

(To be continued)