system.dll,Nskhelper2.sys,oapejg.sys,991b0345.dat,NsPass0.sys等1

caobihole

浏览: 949888 次

最近访客更多访客>>

u012363178

jerry_shen

fish119

educationAAAA

博主相关

博客

微博

相册

留言

关于我

文章分类

全部博客 (1423)

社区版块

存档分类

2013-09 ( 92)
2013-08 ( 32)
2013-07 ( 23)
更多存档...

system.dll,Nskhelper2.sys,oapejg.sys,991b0345.dat,NsPass0.sys等1

endurer 原创

2008-12-03 第1版

一位朋友的电脑中的杀毒软件无法启动；QQ医生保护不停地提示有程序要修改系统配置；打开“我的电脑”，总是在搜索，磁盘图标显示不出来。请偶帮忙检修。

使用 pe_xscan 扫描 log 并分析，发现如下可疑项（进程模块部分有省略）：

pe_xscan 08-08-01 by Purple Endurer 
2008-12-3 21:25:22 
Windows XP Service Pack 2(5.1.2600) 
MSIE:6.0.2900.2180 
管理员用户组 
正常模式 

[System Process] * 0 
　　C:/WINDOWS/system32/mcdxhwbu.dll| 2008-12-3 7:16:3 
　　C:/WINDOWS/TEMP/gameset.dat | 2008-12-3 7:18:32 
　　C:/WINDOWS/system32/sysmxd3.dll | 2008-12-3 3:19:3 
C:/WINDOWS/System32/zongximk.exe * 2196 | 2008-12-3 7:14:6 
C:/WINDOWS/Temp/267500 * 3944 | 2008-12-3 7:15:40 
C:/WINDOWS/Temp/444062 * 2720 | 2008-12-3 7:18:36

C:/autorun.inf
/-----
[autorun]
shell/open/command=rundll32 system.dll,explore
shell/explore/command=rundll32 system.dll,explore
-----/
D:/autorun.inf
/-----
[autorun]
shell/open/command=rundll32 system.dll,explore
shell/explore/command=rundll32 system.dll,explore
-----/
E:/autorun.inf
/-----
[autorun]
shell/open/command=rundll32 system.dll,explore
shell/explore/command=rundll32 system.dll,explore
-----/
F:/autorun.inf
/-----
[autorun]
shell/open/command=rundll32 system.dll,explore
shell/explore/command=rundll32 system.dll,explore
-----/
O20 - AppInit_DLLs = qanhllao.dll,zongxim.dll,meyotme.dll,lenyuns.dll,woodken.dll,zesttns.dll,kandoftt.dll,qonenx.dll,xuntxn.dll,cenbezn.dll,telmanz.dll,jolends.dll,xsisco.dll,tobaoup.dll,hsexer.dll,jonzyan.dll,wonlins.dll,delnice.dll,kodens.dll,qzyerd.dll 
O21 - SSODL - oecynwna.dll(0) - {F0930A2F-D971-4828-8209-B7DFD266ED44} =C:/WINDOWS/system32/mcdxhwbu.dll| 2008-12-3 7:16:3 
O21 - SSODL - mcdxhwbu.dll(0) - {F0930A2F-D971-4828-8209-B7DFD266ED44} =C:/WINDOWS/system32/mcdxhwbu.dll| 2008-12-3 7:16:3 
O23 - 服务: NsDlRK250 (NsDlRK250) -C:/WINDOWS/system32/Nskhelper2.sys | 2008-12-3 3:12:48(手动) 
O23 - 服务: NsPsDk00 (NsPsDk00) -C:/WINDOWS/system32/NsPass0.sys | 2008-12-3 3:13:57(手动) 
O23 - 服务: NsPsDk01 (NsPsDk01) -C:/WINDOWS/system32/NsPass1.sys | 2008-12-3 3:14:59(手动) 
O23 - 服务: NsPsDk02 (NsPsDk02) -C:/WINDOWS/system32/NsPass2.sys | 2008-12-3 3:16:1(手动) 
O23 - 服务: NsPsDk03 (NsPsDk03) -C:/WINDOWS/system32/NsPass3.sys | 2008-12-3 3:17:4(手动) 
O23 - 服务: NsPsDk04 (NsPsDk04) -C:/WINDOWS/system32/NsPass4.sys | 2008-12-3 3:18:6(手动) 
O23 - 服务: oapejg (oapejg) -C:/WINDOWS/System32/drivers/oapejg.sys | 2008-11-28 1:2:47(引导) 
O23 - 服务: SafeMon0 (360 safe mon) -C:/WINDOWS/system32/991b0345.dat | 2008-12-3 3:59:4(系统) 
O23 - 服务: stisvc (Windows Image Acquisition (WIA)) -C:/WINDOWS/system32/svchost.exe -k imgsvc | 2004-8-3 16:52:38 -> C:/WINDOWS/system32/wiaservc.dll | 2004-8-3 16:52:28(自动) 
O23 - 服务: W32Time (Windows Time) -C:/WINDOWS/System32/svchost.exe -k netsvcs | 2004-8-3 16:52:38 -> C:/WINDOWS/system32/w32time.dll| 2004-8-3 16:52:26(自动)
O24 - ShlExecHook: [HookExecute Class] - {4BAB150F-DD97-476D-9C1E-41B6CDC0CA7A} = C:/PROGRA~1/Yahoo!/ASSIST~1/yclickon.dll
O24 - ShlExecHook: [PatchCom] - {E568441B-9EF3-49F8-9A67-4141AC41ADD4} = C:/PROGRA~1/Yahoo!/ASSIST~1/assist/ypatch.dll
O24 - ShlExecHook: [4] - {F0930A2F-D971-4828-8209-B7DFD266ED44} = C:/WINDOWS/system32/mcdxhwbu.dll | 2008-12-3 7:16:3
O24 - ShlExecHook: [] - {3FDEB171-8F86-0004-0001-69B8DB553683} = C:/WINDOWS/system32/sysmxd3.dll | 2008-12-3 3:19:3
O26 - IFEO: 360safe.exe -> svchost.exe
O26 - IFEO: 360safebox.exe -> svchost.exe
O26 - IFEO: 360tray.exe -> svchost.exe
O26 - IFEO: ACKWIN32.exe -> svchost.exe
O26 - IFEO: ANTI-TROJAN.exe -> svchost.exe
O26 - IFEO: anti.exe -> svchost.exe
O26 - IFEO: antivir.exe -> svchost.exe
O26 - IFEO: atrack.exe -> svchost.exe
O26 - IFEO: AUTODOWN.exe -> svchost.exe
O26 - IFEO: AVCONSOL.exe -> svchost.exe
O26 - IFEO: AVE32.exe -> svchost.exe
O26 - IFEO: AVGCTRL.exe -> svchost.exe
O26 - IFEO: avk.exe -> svchost.exe
O26 - IFEO: AVKSERV.exe -> svchost.exe
O26 - IFEO: avp.exe -> svchost.exe
O26 - IFEO: AVPUPD.exe -> svchost.exe
O26 - IFEO: AVSCHED32.exe -> svchost.exe
O26 - IFEO: avsynmgr.exe -> svchost.exe
O26 - IFEO: AVWIN95.exe -> svchost.exe
O26 - IFEO: avxonsol.exe -> svchost.exe
O26 - IFEO: BLACKD.exe -> svchost.exe
O26 - IFEO: BLACKICE.exe -> svchost.exe
O26 - IFEO: CCenter.exe -> svchost.exe
O26 - IFEO: CFIADMIN.exe -> svchost.exe
O26 - IFEO: CFIAUDIT.exe -> svchost.exe
O26 - IFEO: CFIND.exe -> svchost.exe
O26 - IFEO: cfinet.exe -> svchost.exe
O26 - IFEO: cfinet32.exe -> svchost.exe
O26 - IFEO: CLAW95.exe -> svchost.exe
O26 - IFEO: CLAW95CT.exe -> svchost.exe
O26 - IFEO: CLEANER.exe -> svchost.exe
O26 - IFEO: CLEANER3.exe -> svchost.exe
O26 - IFEO: DAVPFW.exe -> svchost.exe
O26 - IFEO: dbg.exe -> svchost.exe
O26 - IFEO: debu.exe -> svchost.exe
O26 - IFEO: DV95.exe -> svchost.exe
O26 - IFEO: DV95_O.exe -> svchost.exe
O26 - IFEO: DVP95.exe -> svchost.exe
O26 - IFEO: ECENGINE.exe -> svchost.exe
O26 - IFEO: EFINET32.exe -> svchost.exe
O26 - IFEO: ESAFE.exe -> svchost.exe
O26 - IFEO: ESPWATCH.exe -> svchost.exe
O26 - IFEO: explorewclass.exe -> svchost.exe
O26 - IFEO: F-AGNT95.exe -> svchost.exe
O26 - IFEO: F-PROT.exe -> svchost.exe
O26 - IFEO: f-prot95.exe -> svchost.exe
O26 - IFEO: f-stopw.exe -> svchost.exe
O26 - IFEO: FINDVIRU.exe -> svchost.exe
O26 - IFEO: fir.exe -> svchost.exe
O26 - IFEO: fp-win.exe -> svchost.exe
O26 - IFEO: FRW.exe -> svchost.exe
O26 - IFEO: IAMAPP.exe -> svchost.exe
O26 - IFEO: IAMSERV.exe -> svchost.exe
O26 - IFEO: IBMASN.exe -> svchost.exe
O26 - IFEO: IBMAVSP.exe -> svchost.exe
O26 - IFEO: ice.exe -> svchost.exe
O26 - IFEO: IceSword.exe -> svchost.exe
O26 - IFEO: ICLOAD95.exe -> svchost.exe
O26 - IFEO: ICLOADNT.exe -> svchost.exe
O26 - IFEO: ICMOON.exe -> svchost.exe
O26 - IFEO: ICSSUPPNT.exe -> svchost.exe
O26 - IFEO: iom.exe -> svchost.exe
O26 - IFEO: iomon98.exe -> svchost.exe
O26 - IFEO: JED.exe -> svchost.exe
O26 - IFEO: Kabackreport.exe -> svchost.exe
O26 - IFEO: Kasmain.exe -> svchost.exe
O26 - IFEO: kav32.exe -> svchost.exe
O26 - IFEO: kavstart.exe -> svchost.exe
O26 - IFEO: kissvc.exe -> svchost.exe
O26 - IFEO: KPFW32.exe -> svchost.exe
O26 - IFEO: kpfwsvc.exe -> svchost.exe
O26 - IFEO: KPPMain.exe -> svchost.exe
O26 - IFEO: KRF.exe -> svchost.exe
O26 - IFEO: KVMonXP.exe -> svchost.exe
O26 - IFEO: KVPreScan.exe -> svchost.exe
O26 - IFEO: kwatch.exe -> svchost.exe
O26 - IFEO: lamapp.exe -> svchost.exe
O26 - IFEO: lockdown2000.exe -> svchost.exe
O26 - IFEO: LOOKOUT.exe -> svchost.exe
O26 - IFEO: luall.exe -> svchost.exe
O26 - IFEO: LUCOMSERVER.exe -> svchost.exe
O26 - IFEO: mcafee.exe -> svchost.exe
O26 - IFEO: microsoft.exe -> svchost.exe
O26 - IFEO: mon.exe -> svchost.exe
O26 - IFEO: moniker.exe -> svchost.exe
O26 - IFEO: MOOLIVE.exe -> svchost.exe
O26 - IFEO: MPFTRAY.exe -> svchost.exe
O26 - IFEO: ms.exe -> svchost.exe
O26 - IFEO: N32ACAN.exe -> svchost.exe
O26 - IFEO: navapsvc.exe -> svchost.exe
O26 - IFEO: navapw32.exe -> svchost.exe
O26 - IFEO: NAVLU32.exe -> svchost.exe
O26 - IFEO: NAVNT.exe -> svchost.exe
O26 - IFEO: navrunr.exe -> svchost.exe
O26 - IFEO: NAVSCHED.exe -> svchost.exe
O26 - IFEO: NAVW.exe -> svchost.exe
O26 - IFEO: NAVW32.exe -> svchost.exe
O26 - IFEO: navwnt.exe -> svchost.exe
O26 - IFEO: nisserv.exe -> svchost.exe
O26 - IFEO: nisum.exe -> svchost.exe
O26 - IFEO: NMAIN.exe -> svchost.exe
O26 - IFEO: NORMIST.exe -> svchost.exe
O26 - IFEO: norton.exe -> svchost.exe
O26 - IFEO: NUPGRADE.exe -> svchost.exe
O26 - IFEO: NVC95.exe -> svchost.exe
O26 - IFEO: office.exe -> svchost.exe
O26 - IFEO: OUTPOST.exe -> svchost.exe
O26 - IFEO: PADMIN.exe -> svchost.exe
O26 - IFEO: PAVCL.exe -> svchost.exe
O26 - IFEO: pcc.exe -> svchost.exe
O26 - IFEO: PCCClient.exe -> svchost.exe
O26 - IFEO: pccguide.exe -> svchost.exe
O26 - IFEO: pcciomon.exe -> svchost.exe
O26 - IFEO: pccmain.exe -> svchost.exe
O26 - IFEO: pccwin98.exe -> svchost.exe
O26 - IFEO: PCFWALLICON.exe -> svchost.exe
O26 - IFEO: PERSFW.exe -> svchost.exe
O26 - IFEO: PpPpWallRun.exe -> svchost.exe
O26 - IFEO: program.exe -> svchost.exe
O26 - IFEO: prot.exe -> svchost.exe
O26 - IFEO: pview95.exe -> svchost.exe
O26 - IFEO: ras.exe -> svchost.exe
O26 - IFEO: Rav.exe -> svchost.exe
O26 - IFEO: RAV7.exe -> svchost.exe
O26 - IFEO: rav7win.exe -> svchost.exe
O26 - IFEO: RavMon.exe -> svchost.exe
O26 - IFEO: RavMonD.exe -> svchost.exe
O26 - IFEO: RavStub.exe -> svchost.exe
O26 - IFEO: RavTask.exe -> svchost.exe
O26 - IFEO: regedit.exe -> svchost.exe
O26 - IFEO: rescue32.exe -> svchost.exe
O26 - IFEO: Rfw.exe -> svchost.exe
O26 - IFEO: rn.exe -> svchost.exe
O26 - IFEO: safeboxTray.exe -> svchost.exe
O26 - IFEO: safeweb.exe -> svchost.exe
O26 - IFEO: scam32.exe -> svchost.exe
O26 - IFEO: scan.exe -> svchost.exe
O26 - IFEO: SCAN32.exe -> svchost.exe
O26 - IFEO: SCANPM.exe -> svchost.exe
O26 - IFEO: scon.exe -> svchost.exe
O26 - IFEO: SCRSCAN.exe -> svchost.exe
O26 - IFEO: secu.exe -> svchost.exe
O26 - IFEO: SERV95.exe -> svchost.exe
O26 - IFEO: sirc32.exe -> svchost.exe
O26 - IFEO: SMC.exe -> svchost.exe
O26 - IFEO: smtpsvc.exe -> svchost.exe
O26 - IFEO: SPHINX.exe -> svchost.exe
O26 - IFEO: spy.exe -> svchost.exe
O26 - IFEO: sreng.exe -> svchost.exe
O26 - IFEO: SWEEP95.exe -> svchost.exe
O26 - IFEO: symproxysvc.exe -> svchost.exe
O26 - IFEO: TBSCAN.exe -> svchost.exe
O26 - IFEO: TCA.exe -> svchost.exe
O26 - IFEO: TDS2-98.exe -> svchost.exe
O26 - IFEO: TDS2-NT.exe -> svchost.exe
O26 - IFEO: Thunder5.exe -> svchost.exe
O26 - IFEO: Tmntsrv.exe -> svchost.exe
O26 - IFEO: TMOAgent.exe -> svchost.exe
O26 - IFEO: tmproxy.exe -> svchost.exe
O26 - IFEO: tmupdito.exe -> svchost.exe
O26 - IFEO: TSC.exe -> svchost.exe
O26 - IFEO: UlibCfg.exe -> svchost.exe
O26 - IFEO: vavrunr.exe -> svchost.exe
O26 - IFEO: VET95.exe -> svchost.exe
O26 - IFEO: VETTRAY.exe -> svchost.exe
O26 - IFEO: vir.exe -> svchost.exe
O26 - IFEO: VPC32.exe -> svchost.exe
O26 - IFEO: VSECOMR.exe -> svchost.exe
O26 - IFEO: vshwin32.exe -> svchost.exe
O26 - IFEO: VSSCAN40 -> svchost.exe
O26 - IFEO: vsstat.exe -> svchost.exe
O26 - IFEO: WEBSCAN.exe -> svchost.exe
O26 - IFEO: WEBSCANX.exe -> svchost.exe
O26 - IFEO: webtrap.exe -> svchost.exe
O26 - IFEO: WFINDV32.exe -> svchost.exe
O26 - IFEO: windows优化大师.exe -> svchost.exe
O26 - IFEO: wink.exe -> svchost.exe
O26 - IFEO: XDelbox.exe -> svchost.exe
O26 - IFEO: zonealarm.exe -> svchost.exe