dwshd.sys, EASYDOWNS.sys, HBKernel32.sys, QQPlatform.exe, RDPWD.sys, easy2.exe, etc.
Original by endurer
2008-11-25, 1st edition
A friend's computer developed a strange problem today: shortly after logging in, the desktop icons and taskbar disappear, and sometimes a blue screen appears with the error "stop c0000218 unknown hard error". He asked me to help fix it.
Pressed F8 at boot and chose to start with the Last Known Good Configuration.
After reaching the desktop, the hard disk LED was flashing like mad. Task Manager showed that the explorer.exe process was running under the system account, together with userinit.exe, iexplore.exe, easy2.exe, easy9.exe, QQPlatform.exe, and three uusee.exe processes.
I terminated all of them and ran explorer.exe again; the desktop icons and taskbar reappeared, but disappeared again after a short while.
Ran pe_xscan, scanned, and analysed the log, which showed the following suspicious items:
pe_xscan 07-07-21 by Purple Endurer
2008-11-25 15:30:49
Windows XP Service Pack 2(5.1.2600)
MSIE:6.0.2900.2180
管理员用户组
C:/WINDOWS/system32/csrss.exe* 500 | 2004-8-17 4:0:0 | Microsoft? Windows? Operating System | 5.1.2600.2180 | Client Server Runtime Process | ? Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | CSRSS.Exe | CSRSS.Exe
C:/WINDOWS/system32/csrss.dll | 2008-11-24 7:59:31
C:/WINDOWS/system32/sh05004.dll | 2004-8-17 4:0:0
C:/WINDOWS/system32/sh18027.dll | 2004-8-17 4:0:0
C:/WINDOWS/system32/sh21017.dll | 2004-8-17 4:0:0
C:/WINDOWS/system32/winlogon.exe* 524 | 2004-8-17 4:0:0 | Microsoft(R) Windows(R) Operating System | 5.1.2600.2180 | Windows NT Logon Application | (C) Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | winlogon | WINLOGON.EXE
C:/WINDOWS/system32/HBQQXX.dll
C:/WINDOWS/system32/SVCHOST.EXE* 732 | 2004-8-17 4:0:0 | Microsoft? Windows? Operating System | 5.1.2600.2180 | Generic Host Process for Win32 Services | ? Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | svchost.exe | svchost.exe
c:/windows/system32/rpcss.dll | 2004-8-17 4:0:0
C:/WINDOWS/system32/spcss.dll | 2004-8-17 4:0:0 | Microsoft? Windows? Operating System | 5.1.2600.2726 | Distributed COM Services | ? Microsoft Corporation. All rights reserved. | 5.1.2600.2726 (xpsp_sp2_gdr.050725-1528) | Microsoft Corporation| ? | rpcss.dll | rpcss.dll
O1 - Hosts: 222.122.219.220
O2 - BHO BandIE Class - {77FEF28E-EB96-44FF-B511-3185DEA48697} = C:/PROGRA~1/baidu/bar/baidubar.dll | 2008-11-25 7:6:10
O2 - BHO - {F6A454AE-156A-415E-9F89-3795677A8A91} = C:/Program Files/Internet Explorer/53u1ttMe.2ys | 2008-11-25 0:20:21
O3 - IE工具栏: - {B580CF65-E151-49C3-B73F-70B13FCA8E86} = C:/PROGRA~1/baidu/bar/baidubar.dll | 2008-11-25 7:6:10
O4 - HKLM/../Policies/Explorer/Run: [qq] C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/DF499
O20 - AppInit_DLLs = d
O23 - 服务: aliimz () - System32/Drivers/aliimz.sys (手动)
O23 - 服务: b160485 (b160485) - C:/WINDOWS/system32/b160485.sys | 2008-11-24 8:1:31(手动)
O23 - 服务: BdGuard (BdGuard) - system32/drivers/BDGuard.SYS | 2008-11-25 7:6:28(引导)
O23 - 服务: d435fd4 (d435fd4) - C:/WINDOWS/system32/d435fd4.sys | 2008-11-24 7:59:11(手动)
O23 - 服务: d812a079 (d812a079) - C:/WINDOWS/system32/d812a079.sys | 2008-11-24 7:57:51(手动)
O23 - 服务: dwshd () - C:/WINDOWS/System32/drivers/dwshd.sys (引导)
O23 - 服务: FTP (FTP Protocol Driver) - C:/WINDOWS/system32/drivers/EASYDOWNS.sys | 2004-8-17 4:0:0(自动)
O23 - 服务: HBKernel32 (HBKernel32 Driver) - system32/drivers/HBKernel32.sys | 2008-11-24 8:0:11(引导)
O23 - 服务: National (National Instruments Domain Service) - C:/WINDOWS/system32/QQPlatform.exe | 2008-11-25 7:5:35(自动)
O23 - 服务: qakrcr (qakrcr) - C:/WINDOWS/system32/svchost.exe -k qakrcr | 2004-8-17 4:0:0 -> C:/WINDOWS/System32/vfbegm.dll(自动)
O23 - 服务: RDPWD () - C:/WINDOWS/system32/drivers/RDPWD.sys | 2006-11-6 17:29:13(手动)
O23 - 服务: Register (Register services) - C:/WINDOWS/system32/easy2.exe (自动)
O23 - 服务: svcname (服务名) - C:/WINDOWS/system32/easy9.exe (自动)
O23 - 服务: wszayy (wszayy) - C:/WINDOWS/system32/svchost.exe -k wszayy | 2004-8-17 4:0:0 -> C:/WINDOWS/System32/xtjcjx.dll| 2004-8-17 4:0:0(自动)
O24 - ShlExecHook: [F] - {DE02F764-C51A-4788-9597-D78ECC2AC08F} = DE02F764.dll
O24 - ShlExecHook: [B] - {DA63E650-537C-4042-87BB-9D19D844680B} = DA63E650.dll
O24 - ShlExecHook: [6] - {4D023DE9-F4B5-4BE0-99C6-7C7AD0CF5426} = 4D023DE9.dll
O24 - ShlExecHook: [E] - {08223B03-1B38-4A33-A83A-A4D3CC1D6E4E} = 08223B03.dll
O24 - ShlExecHook: [0] - {3474A8C2-BEF9-46C8-983A-A26A0030EC30} = 3474A8C2.dll
O24 - ShlExecHook: [4] - {F0930A2F-D971-4828-8209-B7DFD266ED44} = C:/WINDOWS/system32/zjuwqgep.dll
O24 - ShlExecHook: [C] - {122B901E-493F-4AD9-BC69-7DE8C3E52FCC} = 122B901E.dll
O24 - ShlExecHook: [3] - {9CA963CA-107C-4089-B0AB-31380F90D7E3} = 9CA963CA.dll
O24 - ShlExecHook: [8] - {82710040-F86E-42E0-B1F8-04EDF75856F8} = 82710040.dll
O24 - ShlExecHook: [B] - {C250CF20-5F89-4310-9854-4BC261FB14FB} = C250CF20.dll
O24 - ShlExecHook: [F] - {4BF9CBA3-8DEE-41A1-8BDB-FC28D30E949F} = 4BF9CBA3.dll
O24 - ShlExecHook: [2] - {4F34C688-FD49-42FC-97F7-87D2F5791612} = 4F34C688.dll
O24 - ShlExecHook: [0] - {495271CA-D0C6-4052-ABE6-5B01C73CDFB0} = 495271CA.dll
O24 - ShlExecHook: [6] - {22D75360-199D-4F79-880D-82E766675F06} = 22D75360.dll
O24 - ShlExecHook: [E] - {58FF3024-8A83-4B1A-88E9-302F47646EEE} = 58FF3024.dll
O24 - ShlExecHook: [A] - {DFB3DAC5-B0B5-4B05-BFCF-FB42737778FA} = DFB3DAC5.dll
O24 - ShlExecHook: [2] - {AD794E6B-90B7-4F9D-8FD6-0C16E3298FF2} = AD794E6B.dll
O24 - ShlExecHook: [B] - {201476D0-2B18-462E-AB9F-3E2B0CC8732B} = 201476D0.dll
O24 - ShlExecHook: [C] - {E1D19FCC-4777-4D71-B863-6A0A5B4E59BC} = E1D19FCC.dll
O24 - ShlExecHook: [6] - {4FBFD5A4-5FE8-4444-8BD9-FD0FAFA64F96} = 4FBFD5A4.dll
O24 - ShlExecHook: [C] - {56BC86C7-0692-4F94-A2C1-6CF1DBF8096C} = 56BC86C7.dll
O24 - ShlExecHook: [F] - {B3721C07-62B3-411A-9DC7-F5F27E3E21FF} = B3721C07.dll
O24 - ShlExecHook: [1] - {8566F82E-03A4-416E-AEAC-66600D8881F1} = 8566F82E.dll
O24 - ShlExecHook: [3] - {D7C79813-9233-4AE0-832C-99B2E8019673} = D7C79813.dll
O24 - ShlExecHook: [E] - {34A25F04-008D-403E-8EE6-2307BC02FA2E} = 34A25F04.dll
O24 - ShlExecHook: [8] - {66AFCB56-FAA9-42D2-8C72-2767A46C7FA8} = 66AFCB56.dll
O24 - ShlExecHook: [4] - {BA7EDF54-8408-4B21-B351-7B447B344BA4} = BA7EDF54.dll
O24 - ShlExecHook: [8] - {E4814792-EFA3-4C20-93D0-8B130A59F9A8} = E4814792.dll
O24 - ShlExecHook: [F] - {E0D39066-96D7-4891-8527-488ADAFCD60F} = E0D39066.dll
O24 - ShlExecHook: [] - {F6A454AE-156A-415E-9F89-3795677A8A91} = C:/Program Files/Internet Explorer/53u1ttMe.2ys | 2008-11-25 0:20:21
O26 - IFEO: 360rpt.exe -> C:/WINDOWS/system32/svchost.exe
O26 - IFEO: 360Safe.exe -> C:/WINDOWS/System32/easydownload.dll
O26 - IFEO: 360tray.exe -> C:/WINDOWS/system32/svchost.exe
O26 - IFEO: avp.exe -> C:/WINDOWS/System32/easydownload.dll
O26 - IFEO: DrRtp.exe -> C:/WINDOWS/system32/svchost.exe
O26 - IFEO: enc98.EXE -> C:/WINDOWS/system32/svchost.exe
O26 - IFEO: kav32.exe -> C:/WINDOWS/System32/easydownload.dll
O26 - IFEO: kvmonxp.exe -> C:/WINDOWS/System32/easydownload.dll
O26 - IFEO: nod32kui.exe -> C:/WINDOWS/System32/easydownload.dll
O26 - IFEO: QQDoctor.exe -> C:/WINDOWS/system32/svchost.exe
O26 - IFEO: RStray.exe -> C:/WINDOWS/system32/svchost.exe
O26 - IFEO: ua80.EXE -> C:/WINDOWS/system32/svchost.exe
My guess is that the malware got in after my friend browsed a web page exploiting vulnerabilities in BaiDuBar and UUSee~
百毒/Baidu ("hundred poisons" Baidu) really never stops harming people as long as it lives!
aliimz.sys and HBKernel32.sys are both malware files that have been very common recently.
From the log we can see that the malware renamed the Windows system file rpcss.dll to spcss.dll and then created a fake csrss.dll.
So if we simply delete the fake csrss.dll, the system will stop working properly. Restoring it by hand is rather troublesome~
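Two of the findings above (the IFEO entries redirecting security tools to svchost.exe or easydownload.dll, and spcss.dll carrying the version info of rpcss.dll) can be picked out of a pe_xscan log automatically. The following is an added example, not code from the original post or from pe_xscan; the svchost group and debugger allowlists are assumptions, and the sample log is constructed from a few lines of the log above.

```python
import re

# Constructed sample in the pe_xscan layout shown above (version-info fields are pipe-separated).
SAMPLE_LOG = """\
c:/windows/system32/rpcss.dll | 2004-8-17 4:0:0
C:/WINDOWS/system32/spcss.dll | 2004-8-17 4:0:0 | Microsoft Windows Operating System | 5.1.2600.2726 | Distributed COM Services | Microsoft Corporation. All rights reserved. | 5.1.2600.2726 (xpsp_sp2_gdr.050725-1528) | Microsoft Corporation| ? | rpcss.dll | rpcss.dll
O23 - 服务: qakrcr (qakrcr) - C:/WINDOWS/system32/svchost.exe -k qakrcr | 2004-8-17 4:0:0 -> C:/WINDOWS/System32/vfbegm.dll(自动)
O26 - IFEO: 360Safe.exe -> C:/WINDOWS/System32/easydownload.dll
O26 - IFEO: avp.exe -> C:/WINDOWS/System32/easydownload.dll
"""

# Assumed allowlists (not from the page): svchost groups normally present on XP SP2,
# and debuggers that legitimately appear as an Image File Execution Options "Debugger".
KNOWN_SVCHOST_GROUPS = {"netsvcs", "rpcss", "dcomlaunch", "localservice",
                        "networkservice", "termsvcs", "imgsvc", "httpfilter"}
KNOWN_DEBUGGERS = {"ntsd.exe", "windbg.exe", "vsjitdebugger.exe", "drwtsn32.exe"}

IFEO_RE = re.compile(r"^O26 - IFEO: (\S+) -> (.+)$")
SVCHOST_RE = re.compile(r"svchost\.exe -k (\S+).*-> (\S+?\.dll)", re.IGNORECASE)


def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def scan(log_text):
    """Return one finding string per suspicious line, in log order."""
    findings = []
    for line in (l.strip() for l in log_text.splitlines()):
        if not line:
            continue
        m = IFEO_RE.match(line)
        if m:
            # Any IFEO Debugger that is not a real debugger replaces the named program when it starts.
            if basename(m.group(2)) not in KNOWN_DEBUGGERS:
                findings.append(f"IFEO hijack: {m.group(1)} redirected to {m.group(2)}")
            continue
        m = SVCHOST_RE.search(line)
        if m and m.group(1).lower() not in KNOWN_SVCHOST_GROUPS:
            findings.append(f"unknown svchost group {m.group(1)} loading {basename(m.group(2))}")
            continue
        fields = [f.strip() for f in line.split("|")]
        # File entries with full version info end with InternalName and OriginalFilename.
        if fields[0][:1].isalpha() and fields[0][1:3] == ":/" and len(fields) >= 11:
            on_disk = basename(fields[0].split("*")[0].strip())  # drop the "* <pid>" suffix
            if fields[-1].lower() != on_disk:
                findings.append(f"renamed system file: {on_disk} carries OriginalFilename {fields[-1].lower()}")
    return findings
```

Running `scan(SAMPLE_LOG)` reports the spcss.dll/rpcss.dll mismatch, the qakrcr svchost group, and both IFEO redirections; the bare rpcss.dll line carries no version info and is left to a manual check.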