Encountering HBKernel32.sys, aliimz.sys, System.exe, koauolte.exe, cho22.tmp, etc. (Part 1)
Original by endurer
2008-11-03, 1st edition
A friend said his computer logs off by itself right after logon and asked me to help troubleshoot.
I tried Safe Mode first; the fault was the same.
This is the symptom you get when userinit.exe has been maliciously replaced: Winlogon launches userinit.exe to set up the user session, and if that file is a stub that exits immediately, the session is torn down straight away, so the user is logged off as soon as they log on.
So I booted from a Win PE disc and checked userinit.exe with FileInfo:
File: C:/WINDOWS/system32/userinit.exe
Attributes: A---
Digital signature: No
PE file: Yes
Failed to get file version info size!
Created: 2005-12-15 0:0:0
Modified: 2008-10-28 19:6:30
Size: 1024 bytes 1.0 KB
MD5: ab39ab1c7b0b5323dbedb336b0092307
SHA1: 4EF5F6CE1CCFF37BDD8FA767C9B7DAC9AC182421
CRC32: e6f5a115
No Microsoft digital signature, so it had indeed been replaced. I restored userinit.exe from the Windows XP installation CD, overwriting the bogus copy. One caveat for anyone repeating this check: on Windows XP the genuine userinit.exe carries no embedded Authenticode signature either (XP system files are signed through catalog files), so "Digital signature: No" on its own proves nothing. The decisive evidence is the rest of the FileInfo output: 1024 bytes where the genuine XP SP2 file is well over 20 KB, no version resource at all ("failed to get file version info size"), and a modification time of 2008-10-28 on a file created in 2005. It is also worth confirming that the Userinit value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon still points at C:\WINDOWS\system32\userinit.exe, since redirecting that value produces the same logon/logoff loop without touching the file.
After a reboot, logon worked normally this time.
I downloaded pe_xscan, scanned, and analysed the log; it showed the following suspicious items:
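To make the FileInfo check reproducible from raw bytes (the situation when the infected disk is mounted under WinPE), here is an added Python example; it is not code from the original post or from FileInfo. It reads the PE security data directory to answer "embedded signature: yes/no", hashes the file, and flags an implausibly small size or a hash that differs from a known-good copy. The header-only PE image it builds for the demonstration is constructed test data, and the 16 KB size threshold and the known_sha1 parameter are assumptions of this example.

```python
import hashlib
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4       # data-directory slot of the certificate table
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002  # Authenticode PKCS#7 blob


def pe_certificate_table(data: bytes):
    """Find the Authenticode certificate table in a PE image.

    Returns None if the image has no embedded signature, otherwise a dict with
    the table's file offset, its length and the WIN_CERTIFICATE header fields.
    This is the "Digital signature: yes/no" question FileInfo answers, done on
    raw bytes so it also works on a disk mounted under WinPE.
    """
    if data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    opt = e_lfanew + 4 + 20                 # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                      # PE32
        nrva_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:                    # PE32+
        nrva_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    if struct.unpack_from("<I", data, nrva_off)[0] <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return None
    off, length = struct.unpack_from("<II", data, dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    # Unlike the other directories this one holds a file offset, not an RVA.
    # A zero entry, or one pointing outside the file, means nothing to verify.
    if off == 0 or length < 8 or off + length > len(data):
        return None
    dw_length, revision, cert_type = struct.unpack_from("<IHH", data, off)
    return {"offset": off, "length": length, "win_cert_length": dw_length,
            "revision": revision, "type": cert_type}


def triage(data: bytes, min_size: int = 16 * 1024, known_sha1=None) -> dict:
    """Quick indicators as on this page: hashes, size, embedded signature.

    A missing embedded signature is only a hint: XP system binaries are
    normally catalog-signed, so the decisive test is the hash against a copy
    from install media (known_sha1). min_size is this example's assumption.
    """
    cert = pe_certificate_table(data)
    report = {"size": len(data),
              "md5": hashlib.md5(data).hexdigest(),
              "sha1": hashlib.sha1(data).hexdigest().upper(),
              "embedded_signature": cert is not None,
              "flags": []}
    if cert is None:
        report["flags"].append("no embedded Authenticode signature (check catalog or known-good hash)")
    if len(data) < min_size:
        report["flags"].append(f"suspiciously small: {len(data)} bytes < {min_size}")
    if known_sha1 is not None and report["sha1"] != known_sha1.upper():
        report["flags"].append("SHA1 differs from the known-good copy")
    return report


def build_minimal_pe(signed: bool, size: int) -> bytes:
    """Constructed test data: a header-only PE32 image of exactly `size`
    bytes. With signed=True a dummy WIN_CERTIFICATE (not a real PKCS#7
    signature) is appended and referenced from the security directory."""
    cert = b""
    if signed:
        body = b"\x30\x82\x00\x04DEMO"
        cert = struct.pack("<IHH", 8 + len(body), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + body
    header_len = 64 + 4 + 20 + 224          # DOS header, PE sig, COFF header, PE32 optional header
    if size < header_len + len(cert):
        raise ValueError("size too small for the headers")
    dirs = [(0, 0)] * 16
    if signed:
        dirs[IMAGE_DIRECTORY_ENTRY_SECURITY] = (size - len(cert), len(cert))
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)                    # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)       # i386, no sections
    opt = struct.pack("<H", 0x10B) + b"\0" * 90 + struct.pack("<I", 16)  # magic ... NumberOfRvaAndSizes
    opt += b"".join(struct.pack("<II", o, n) for o, n in dirs)
    image = dos + b"PE\0\0" + coff + opt
    return image + b"\0" * (size - len(image) - len(cert)) + cert


if __name__ == "__main__":
    # A 1 KB unsigned stub, like the bogus userinit.exe on this page
    for flag in triage(build_minimal_pe(signed=False, size=1024))["flags"]:
        print("!", flag)
```

Run it against the real file with `triage(open(path, "rb").read(), known_sha1=...)`, where the known-good SHA1 comes from the same file on install media or a clean machine with the same service pack; that comparison, not the signature flag, is what should decide whether to overwrite.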
pe_xscan 08-08-01 by Purple Endurer
2008-10-28 17:18:48
Windows XP Service Pack 2(5.1.2600)
MSIE:6.0.2900.2180
Administrators group
Normal mode
[System Process] 0
  (31 entries; the file paths were lost in extraction and only the timestamps survive: 2008-10-21 3:28:43, 2008-10-27 5:0:20, 2008-10-26 3:10:3, 2008-10-21 3:29:40, 2008-10-26 3:23:48, 2008-10-26 3:23:37, 2008-10-26 3:16:34, 2008-10-25 7:5:44, 2008-10-25 7:5:22, and on 2008-10-21: 4:36:30, 4:36:11, 4:35:52, 4:35:33, 4:35:14, 4:34:55, 4:34:36, 4:33:58, 4:33:39, 4:33:20, 4:33:1, 4:32:23, 4:32:4, 4:31:26, 4:31:7, 4:30:48, 4:30:29, 3:30:37, 3:30:18, 3:29:59, 3:29:21, plus 2008-10-26 3:9:46)
  (several of these timestamps reappear on the O23 service entries below: 2008-10-21 3:30:37 on 4901228, 3:29:59 on 8b52f47, 4:31:7 on aecff9)
C:/WINDOWS/System32/csrss.exe 628 2005-12-14 16:0:0
  (2 entries, paths lost; timestamps 2008-10-21 4:31:45 and 2005-12-14 16:0:0)
C:/WINDOWS/System32/winlogon.exe 652 2005-12-14 16:0:0
  (6 entries, paths lost; timestamps 2008-10-21 3:28:43, 2008-10-26 3:9:46, 2008-10-21 3:29:21, 2008-10-27 5:0:20, 2008-10-26 3:10:3, 2008-10-21 3:29:40)
1322
  (31 entries, paths lost; the same 31 timestamps as under [System Process])
1648
  (31 entries, paths lost; the same 31 timestamps as under [System Process])
C:/Program Files/Internet Explorer/iexplore.exe 1832
  (31 entries, paths lost; the same 31 timestamps as under [System Process])
2052
  (31 entries, paths lost; the same 31 timestamps as under [System Process])
O2 - BHO FavHook Class - {CD8BFE70-5809-4C73-9EEE-E5672C2B79D7} = 2002-1-10 7:48:13
O2 - BHO - {F6A454AE-156A-415E-9F89-3795677A8A91} = 2008-10-26 3:23:48
O4 - HKLM/../Run: [360ary]
O4 - HKLM/../Run: [HBService32]
O4 - HKLM/../Policies/Explorer/Run: [nwiz]
O4 - HKLM/../Policies/Explorer/Run: [svt23]
O4 - HKLM/../Policies/Explorer/Run: [svt233]
O20 - AppInit_DLLs =,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
O23 - Service: 4901228 (4901228) - 2008-10-21 3:30:37(Manual)
O23 - Service: 5102a80 (5102a80) - 2008-10-25 7:4:56(Manual)
O23 - Service: 8882fa1 (8882fa1) - 2008-10-21 4:33:57(Manual)
O23 - Service: 8b52f47 (8b52f47) - 2008-10-21 3:29:59(Manual)
O23 - Service: 9fd8db (9fd8db) - 2008-10-25 7:4:40(Manual)
O23 - Service: aecff9 (aecff9) - 2008-10-21 4:31:7(Manual)
O23 - Service: aliimz () - (Manual)
O23 - Service: Beep () - 2008-10-21 12:28:16(System)
O23 - Service: HBKernel32 (HBKernel32 Driver) - (Boot)
O24 - ShlExecHook: [2] - {3D144530-43DA-47CC-B7C7-A3A9F3B9A6B2} =
O24 - ShlExecHook: [B] - {E3367679-4775-4244-A62E-4CFE58FC850B} =
O24 - ShlExecHook: [8] - {43ACDCC5-9009-4AF4-B80A-93BC656EF298} =
O24 - ShlExecHook: [F] - {DE02F764-C51A-4788-9597-D78ECC2AC08F} =
O24 - ShlExecHook: [3] - {D7C79813-9233-4AE0-832C-99B2E8019673} =
O24 - ShlExecHook: [C] - {122B901E-493F-4AD9-BC69-7DE8C3E52FCC} =
O24 - ShlExecHook: [7] - {A8FC611B-71F6-4B4D-BD3A-BFBCCDE96F57} =
O24 - ShlExecHook: [B] - {C250CF20-5F89-4310-9854-4BC261FB14FB} =
O24 - ShlExecHook: [8] - {E4814792-EFA3-4C20-93D0-8B130A59F9A8} =
O24 - ShlExecHook: [0] - {3474A8C2-BEF9-46C8-983A-A26A0030EC30} =
O24 - ShlExecHook: [C] - {7ADC2AB1-5C6A-4178-82DA-94863354AF7C} =
O24 - ShlExecHook: [6] - {22D75360-199D-4F79-880D-82E766675F06} =
O24 - ShlExecHook: [F] - {4BF9CBA3-8DEE-41A1-8BDB-FC28D30E949F} =
O24 - ShlExecHook: [B] - {DA63E650-537C-4042-87BB-9D19D844680B} =
O24 - ShlExecHook: [F] - {B3721C07-62B3-411A-9DC7-F5F27E3E21FF} =
O24 - ShlExecHook: [E] - {58FF3024-8A83-4B1A-88E9-302F47646EEE} =
O24 - ShlExecHook: [1] - {8566F82E-03A4-416E-AEAC-66600D8881F1} =
O24 - ShlExecHook: [0] - {495271CA-D0C6-4052-ABE6-5B01C73CDFB0} =
O24 - ShlExecHook: [E] - {08223B03-1B38-4A33-A83A-A4D3CC1D6E4E} =
O24 - ShlExecHook: [3] - {9CA963CA-107C-4089-B0AB-31380F90D7E3} =
O24 - ShlExecHook: [1] - {12B02216-AC3F-42A7-8313-449771237061} =
O24 - ShlExecHook: [1] - {9F684DE8-3E87-4174-9033-E02A3DFD8B61} =
O24 - ShlExecHook: [F] - {CABA599D-5089-4865-9420-E41FA3C1F55F} =
O24 - ShlExecHook: [F] - {E0D39066-96D7-4891-8527-488ADAFCD60F} =
O24 - ShlExecHook: [] - {F6A454AE-156A-415E-9F89-3795677A8A91} = 2008-10-26 3:23:48
O24 - ShlExecHook: [] - {5B77087D-AB76-4C22-B0A6-C34D1F438E55} = 2008-10-27 0:32:31
O26 - IFEO: 360Loader.exe -> svchost.exe
O26 - IFEO: 360safebox.exe -> ntsd -d
O26 - IFEO: CCenter.exe -> svchost.exe
O26 - IFEO: IceSword -> svchost.exe
O26 - IFEO: KPPMain.exe -> ntsd -d
O26 - IFEO: RavMon.exe -> svchost.exe
O26 - IFEO: RavMonD.exe -> svchost.exe
O26 - IFEO: RavStub.exe -> svchost.exe
O26 - IFEO: RavTask.exe -> svchost.exe
O26 - IFEO: RSTray.exe -> svchost.exe
O26 - IFEO: Thunder5.exe -> svchost.exe
O26 - IFEO: tqat.exe -> ntsd -d
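As an added example (not part of the original post and not pe_xscan's own code), the Python below applies the checks a responder makes on a log like this one mechanically: O26 IFEO entries whose Debugger value is svchost.exe or ntsd -d, O23 services with random hex names, empty display names, no recorded file timestamp, or a timestamp inside the incident window, and an O20 AppInit_DLLs value that is non-empty yet shows no DLL. The sample lines are copied from the log above (with the field names translated), plus one constructed benign IFEO entry (MyApp.exe -> windbg.exe) that the rules must not flag; the incident-window dates are an assumption of this example taken from the earliest and latest timestamps in the log.

```python
import re

# Constructed sample for this example: lines copied from the pe_xscan log on
# this page, plus one made-up benign IFEO entry (MyApp.exe -> windbg.exe).
SAMPLE_LOG = """\
O4 - HKLM/../Run: [HBService32]
O20 - AppInit_DLLs =,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
O23 - Service: 4901228 (4901228) - 2008-10-21 3:30:37(Manual)
O23 - Service: aliimz () - (Manual)
O23 - Service: Beep () - 2008-10-21 12:28:16(System)
O23 - Service: HBKernel32 (HBKernel32 Driver) - (Boot)
O26 - IFEO: 360Loader.exe -> svchost.exe
O26 - IFEO: 360safebox.exe -> ntsd -d
O26 - IFEO: RavMon.exe -> svchost.exe
O26 - IFEO: MyApp.exe -> C:/Debuggers/windbg.exe
"""

IFEO_RE = re.compile(r"^O26 - IFEO: (?P<image>\S+) -> (?P<debugger>.+)$")
SVC_RE = re.compile(
    r"^O23 - Service: (?P<name>\S+) \((?P<display>[^)]*)\) - "
    r"(?P<ts>[^(]*)\((?P<start>[^)]+)\)$"
)
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs =(?P<value>.*)$")

# Debugger values that never start a real debugger: svchost.exe ignores its
# command line and exits, and "ntsd -d" parks the target under ntsd with its
# console sent to a (normally absent) kernel debugger. Either way the program
# named in the IFEO key never runs, which is how this sample disables AV.
KILLER_DEBUGGERS = ("svchost.exe", "ntsd -d")

# Service names made only of 5-8 hex digits, as the dropper here generated.
HEX_NAME = re.compile(r"^[0-9a-f]{5,8}$")


def analyze(log: str, window=("2008-10-21", "2008-10-28")):
    """Return [(log line, [reasons])] for entries worth a manual look.

    `window` holds inclusive ISO dates bounding the incident (an assumption
    of this example); files stamped inside it are flagged so that a
    legitimately named service such as Beep is not waved through on its name.
    """
    findings = []
    for line in log.splitlines():
        reasons = []
        m = IFEO_RE.match(line)
        if m:
            dbg = m.group("debugger").strip().lower()
            if dbg in KILLER_DEBUGGERS or dbg.startswith("ntsd -d"):
                reasons.append(f"IFEO Debugger hijack: starting {m.group('image')} "
                               f"runs {m.group('debugger')} instead")
        m = SVC_RE.match(line)
        if m:
            name, display, ts = m.group("name"), m.group("display"), m.group("ts").strip()
            if HEX_NAME.match(name):
                reasons.append("service name is a random-looking hex string")
            if display == "":
                reasons.append("service has no display name")
            if ts == "":
                reasons.append("no file timestamp recorded: image missing, hidden or unreadable")
            elif window[0] <= ts[:10] <= window[1]:
                reasons.append(f"service file timestamp {ts} is inside the incident window")
        m = APPINIT_RE.match(line)
        if m:
            raw = m.group("value")
            if raw and not raw.replace(",", "").replace(";", "").strip():
                reasons.append("AppInit_DLLs is non-empty but shows no DLL path: read the "
                               "raw registry value, the scanner may not display all of it")
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for entry, reasons in analyze(SAMPLE_LOG):
        print(entry)
        for r in reasons:
            print("   -", r)
```

The IFEO targets in this log are security tools (360Loader/360safebox belong to 360Safe, the Rav* and RSTray names to Rising antivirus, IceSword is an anti-rootkit tool), so those Debugger values are the malware's way of keeping them from starting; the fix is to delete the Debugger value under each HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<image> key, not the whole key if a legitimate setting shares it.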
(To be continued)