Encountering HBKernel32.sys, aliimz.sys, System.exe, koauolte.exe, cho22.tmp and company (1)
endurer
2008-11-03, 1st edition
A friend told me his PC logs itself off immediately after logon and asked me to take a look.
I tried safe mode first; the fault was the same.
That is exactly the symptom of a maliciously replaced userinit.exe: Winlogon starts userinit.exe to set up the user session and launch the shell, so when the replacement does nothing useful the session ends as soon as it begins, in safe mode as well as normal mode.
So I booted from a Win PE CD and checked userinit.exe with FileInfo:
File : C:/WINDOWS/system32/userinit.exe
Attributes : A---
Digital signature: No
PE file: Yes
Failed to get file version information size! (no version resource)
Created : 2005-12-15 0:0:0
Modified : 2008-10-28 19:6:30
Size : 1024 bytes 1.0 KB
MD5 : ab39ab1c7b0b5323dbedb336b0092307
SHA1: 4EF5F6CE1CCFF37BDD8FA767C9B7DAC9AC182421
CRC32: e6f5a115
No Microsoft digital signature, no version resource, a fresh modification time on a file created in 2005, and a size of only 1 KB: it had indeed been replaced. I restored userinit.exe from the Windows XP installation CD over the top of it.
Rebooted the machine; this time logon worked normally.
Downloaded pe_xscan, ran a scan and analysed the log; the following suspicious entries turned up:
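The offline check above, written out as an added example (editor's code, not the FileInfo tool from the post). Given a userinit.exe copied off the mounted volume, it reports the same facts FileInfo printed (size, MD5/SHA1, PE-ness) and, in addition, parses the PE data directories to see whether the file carries an embedded Authenticode certificate table. The 16 KB size threshold is an assumption, not a value from the post, and build_sample_pe() produces constructed test input rather than a real binary.

```python
"""Offline sanity check of a Windows system binary such as userinit.exe.

Added example (editor's code, not the FileInfo tool from the post). It reads the
file from the mounted offline volume and reports what FileInfo reported: size,
MD5/SHA1, whether it is a PE image, whether it carries an embedded Authenticode
certificate table. EXPECTED_MIN_SIZE is an assumed threshold and
build_sample_pe() is constructed test input; neither comes from the post.
"""
import hashlib
import struct
import sys
from typing import Dict, List, Optional, Tuple

IMAGE_DIRECTORY_ENTRY_SECURITY = 4        # data-directory index of the certificate table
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002   # Authenticode PKCS#7 SignedData
EXPECTED_MIN_SIZE = 16 * 1024             # assumed: a real userinit.exe is far larger than 1 KB


def security_directory(data: bytes) -> Optional[Tuple[int, int]]:
    """(file offset, size) of the Attribute Certificate Table, or None.
    Unlike other data directories this entry is a raw file offset, not an RVA."""
    try:
        if data[:2] != b'MZ':
            return None
        e_lfanew = struct.unpack_from('<I', data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] != b'PE\0\0':
            return None
        opt = e_lfanew + 24                   # past signature and 20-byte IMAGE_FILE_HEADER
        magic = struct.unpack_from('<H', data, opt)[0]
        if magic == 0x10B:                    # PE32
            count_off, dir_off = opt + 92, opt + 96
        elif magic == 0x20B:                  # PE32+
            count_off, dir_off = opt + 108, opt + 112
        else:
            return None
        if struct.unpack_from('<I', data, count_off)[0] <= IMAGE_DIRECTORY_ENTRY_SECURITY:
            return None
        off, size = struct.unpack_from('<II', data, dir_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
        return (off, size) if off and size else None
    except struct.error:                      # truncated header
        return None


def is_pe(data: bytes) -> bool:
    try:
        e_lfanew = struct.unpack_from('<I', data, 0x3C)[0]
    except struct.error:
        return False
    return data[:2] == b'MZ' and data[e_lfanew:e_lfanew + 4] == b'PE\0\0'


def inspect_pe(data: bytes) -> Dict[str, object]:
    sec = security_directory(data)
    cert_type = None
    if sec and sec[0] + 8 <= len(data):
        _, _, cert_type = struct.unpack_from('<IHH', data, sec[0])   # WIN_CERTIFICATE header
    return {
        'size': len(data),
        'md5': hashlib.md5(data).hexdigest(),
        'sha1': hashlib.sha1(data).hexdigest().upper(),
        'is_pe': is_pe(data),
        'embedded_signature': cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA,
    }


def triage(data: bytes, expected_min_size: int = EXPECTED_MIN_SIZE) -> List[Tuple[str, str]]:
    """(severity, reason) pairs that justify restoring the file from install media."""
    info = inspect_pe(data)
    findings: List[Tuple[str, str]] = []
    if not info['is_pe']:
        findings.append(('strong', 'not a PE image'))
    if info['size'] < expected_min_size:
        findings.append(('strong', f"only {info['size']} bytes, expected at least {expected_min_size}"))
    if not info['embedded_signature']:
        # Weak on its own: XP-era OS binaries are mostly catalog-signed, with no embedded
        # certificate, so a genuine file fails this test too. Corroborating evidence only.
        findings.append(('weak', 'no embedded Authenticode signature'))
    return findings


def build_sample_pe(signed: bool, pad_to: int = 1024) -> bytes:
    """Constructed stand-in: a minimal PE32 header with no sections, optionally
    followed by a WIN_CERTIFICATE blob. Test input only, not a real binary."""
    dos = b'MZ' + b'\0' * 0x3A + struct.pack('<I', 0x40)              # e_lfanew = 0x40
    file_hdr = struct.pack('<HHIIIHH', 0x14C, 0, 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into('<H', opt, 0, 0x10B)                              # PE32 magic
    struct.pack_into('<I', opt, 92, 16)                                # NumberOfRvaAndSizes
    head = dos + b'PE\0\0' + file_hdr
    tail = b''
    if signed:
        cert = b'\x30\x82' + b'\0' * 14                                # placeholder DER bytes
        tail = struct.pack('<IHH', 8 + len(cert), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + cert
        struct.pack_into('<II', opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                         len(head) + len(opt), len(tail))
    image = head + bytes(opt) + tail
    return image + b'\0' * max(0, pad_to - len(image))


if __name__ == '__main__':
    blob = open(sys.argv[1], 'rb').read() if len(sys.argv) > 1 else build_sample_pe(signed=False)
    for key, value in inspect_pe(blob).items():
        print(f'{key:>18}: {value}')
    for severity, reason in triage(blob):
        print(f'  [{severity}] {reason}')
```

Run it as `python check_userinit.py X:\Windows\system32\userinit.exe` from an analysis box with the suspect volume mounted. The signature check is deliberately tiered as weak: Windows XP signs most OS binaries through catalog files rather than an embedded certificate, so the decisive evidence in this case is the 1 KB size and the missing version resource, and the definitive test is comparing the hash against the copy on the installation CD (or in ServicePackFiles) before overwriting.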
pe_xscan 08-08-01 by Purple Endurer
2008-10-28 17:18:48
Windows XP Service Pack 2(5.1.2600)
MSIE:6.0.2900.2180
Administrators group
Normal mode
[System Process] * 0
C:/WINDOWS/system32/HBmhly.dll | 2008-10-21 3:28:43
C:/WINDOWS/system32/HBTL.dll | 2008-10-27 5:0:20
C:/WINDOWS/system32/HBQQXX.dll | 2008-10-26 3:10:3
C:/WINDOWS/system32/HBWD.dll | 2008-10-21 3:29:40
C:/Program Files/Internet Explorer/53u1ttMe.2ys | 2008-10-26 3:23:48
C:/WINDOWS/system32/E0D39066.dll | 2008-10-26 3:23:37
C:/WINDOWS/system32/CABA599D.dll | 2008-10-26 3:16:34
C:/WINDOWS/system32/9F684DE8.dll | 2008-10-25 7:5:44
C:/WINDOWS/system32/12B02216.dll | 2008-10-25 7:5:22
C:/WINDOWS/system32/9CA963CA.dll | 2008-10-21 4:36:30
C:/WINDOWS/system32/08223B03.dll | 2008-10-21 4:36:11
C:/WINDOWS/system32/495271CA.dll | 2008-10-21 4:35:52
C:/WINDOWS/system32/8566F82E.dll | 2008-10-21 4:35:33
C:/WINDOWS/system32/58FF3024.dll | 2008-10-21 4:35:14
C:/WINDOWS/system32/B3721C07.dll | 2008-10-21 4:34:55
C:/WINDOWS/system32/DA63E650.dll | 2008-10-21 4:34:36
C:/WINDOWS/system32/4BF9CBA3.dll | 2008-10-21 4:33:58
C:/WINDOWS/system32/22D75360.dll | 2008-10-21 4:33:39
C:/WINDOWS/system32/7ADC2AB1.dll | 2008-10-21 4:33:20
C:/WINDOWS/system32/3474A8C2.dll | 2008-10-21 4:33:1
C:/WINDOWS/system32/E4814792.dll | 2008-10-21 4:32:23
C:/WINDOWS/system32/C250CF20.dll | 2008-10-21 4:32:4
C:/WINDOWS/system32/A8FC611B.dll | 2008-10-21 4:31:26
C:/WINDOWS/system32/122B901E.dll | 2008-10-21 4:31:7
C:/WINDOWS/system32/D7C79813.dll | 2008-10-21 4:30:48
C:/WINDOWS/system32/DE02F764.dll | 2008-10-21 4:30:29
C:/WINDOWS/system32/43ACDCC5.dll | 2008-10-21 3:30:37
C:/WINDOWS/system32/E3367679.dll | 2008-10-21 3:30:18
C:/WINDOWS/system32/3D144530.dll | 2008-10-21 3:29:59
C:/WINDOWS/system32/HBWOW.dll | 2008-10-21 3:29:21
C:/WINDOWS/system32/HBJXSJ.dll | 2008-10-26 3:9:46
C:/WINDOWS/System32/csrss.exe* 628 | 2005-12-14 16:0:0
C:/WINDOWS/system32/gdipro.dll | 2008-10-21 4:31:45
C:/WINDOWS/system32/sys05020.dll | 2005-12-14 16:0:0
C:/WINDOWS/System32/winlogon.exe* 652 | 2005-12-14 16:0:0
C:/WINDOWS/system32/HBmhly.dll | 2008-10-21 3:28:43
C:/WINDOWS/system32/HBJXSJ.dll | 2008-10-26 3:9:46
C:/WINDOWS/system32/HBWOW.dll | 2008-10-21 3:29:21
C:/WINDOWS/system32/HBTL.dll | 2008-10-27 5:0:20
C:/WINDOWS/system32/HBQQXX.dll | 2008-10-26 3:10:3
C:/WINDOWS/system32/HBWD.dll | 2008-10-21 3:29:40
System.exe * 1322
C:/WINDOWS/system32/HBmhly.dll | 2008-10-21 3:28:43
C:/WINDOWS/system32/HBJXSJ.dll | 2008-10-26 3:9:46
C:/WINDOWS/system32/HBWOW.dll | 2008-10-21 3:29:21
C:/WINDOWS/system32/HBTL.dll | 2008-10-27 5:0:20
C:/WINDOWS/system32/HBQQXX.dll | 2008-10-26 3:10:3
C:/WINDOWS/system32/HBWD.dll | 2008-10-21 3:29:40
C:/Program Files/Internet Explorer/53u1ttMe.2ys | 2008-10-26 3:23:48
C:/WINDOWS/system32/E0D39066.dll | 2008-10-26 3:23:37
C:/WINDOWS/system32/CABA599D.dll | 2008-10-26 3:16:34
C:/WINDOWS/system32/9F684DE8.dll | 2008-10-25 7:5:44
C:/WINDOWS/system32/12B02216.dll | 2008-10-25 7:5:22
C:/WINDOWS/system32/9CA963CA.dll | 2008-10-21 4:36:30
C:/WINDOWS/system32/08223B03.dll | 2008-10-21 4:36:11
C:/WINDOWS/system32/495271CA.dll | 2008-10-21 4:35:52
C:/WINDOWS/system32/8566F82E.dll | 2008-10-21 4:35:33
C:/WINDOWS/system32/58FF3024.dll | 2008-10-21 4:35:14
C:/WINDOWS/system32/B3721C07.dll | 2008-10-21 4:34:55
C:/WINDOWS/system32/DA63E650.dll | 2008-10-21 4:34:36
C:/WINDOWS/system32/4BF9CBA3.dll | 2008-10-21 4:33:58
C:/WINDOWS/system32/22D75360.dll | 2008-10-21 4:33:39
C:/WINDOWS/system32/7ADC2AB1.dll | 2008-10-21 4:33:20
C:/WINDOWS/system32/3474A8C2.dll | 2008-10-21 4:33:1
C:/WINDOWS/system32/E4814792.dll | 2008-10-21 4:32:23
C:/WINDOWS/system32/C250CF20.dll | 2008-10-21 4:32:4
C:/WINDOWS/system32/A8FC611B.dll | 2008-10-21 4:31:26
C:/WINDOWS/system32/122B901E.dll | 2008-10-21 4:31:7
C:/WINDOWS/system32/D7C79813.dll | 2008-10-21 4:30:48
C:/WINDOWS/system32/DE02F764.dll | 2008-10-21 4:30:29
C:/WINDOWS/system32/43ACDCC5.dll | 2008-10-21 3:30:37
C:/WINDOWS/system32/E3367679.dll | 2008-10-21 3:30:18
C:/WINDOWS/system32/3D144530.dll | 2008-10-21 3:29:59
C:/WINDOWS/System32/koauolte.exe * 1648
C:/WINDOWS/system32/HBmhly.dll | 2008-10-21 3:28:43
C:/WINDOWS/system32/HBJXSJ.dll | 2008-10-26 3:9:46
C:/WINDOWS/system32/HBWOW.dll | 2008-10-21 3:29:21
C:/WINDOWS/system32/HBTL.dll | 2008-10-27 5:0:20
C:/WINDOWS/system32/HBQQXX.dll | 2008-10-26 3:10:3
C:/WINDOWS/system32/HBWD.dll | 2008-10-21 3:29:40
C:/Program Files/Internet Explorer/53u1ttMe.2ys | 2008-10-26 3:23:48
C:/WINDOWS/system32/E0D39066.dll | 2008-10-26 3:23:37
C:/WINDOWS/system32/CABA599D.dll | 2008-10-26 3:16:34
C:/WINDOWS/system32/9F684DE8.dll | 2008-10-25 7:5:44
C:/WINDOWS/system32/12B02216.dll | 2008-10-25 7:5:22
C:/WINDOWS/system32/9CA963CA.dll | 2008-10-21 4:36:30
C:/WINDOWS/system32/08223B03.dll | 2008-10-21 4:36:11
C:/WINDOWS/system32/495271CA.dll | 2008-10-21 4:35:52
C:/WINDOWS/system32/8566F82E.dll | 2008-10-21 4:35:33
C:/WINDOWS/system32/58FF3024.dll | 2008-10-21 4:35:14
C:/WINDOWS/system32/B3721C07.dll | 2008-10-21 4:34:55
C:/WINDOWS/system32/DA63E650.dll | 2008-10-21 4:34:36
C:/WINDOWS/system32/4BF9CBA3.dll | 2008-10-21 4:33:58
C:/WINDOWS/system32/22D75360.dll | 2008-10-21 4:33:39
C:/WINDOWS/system32/7ADC2AB1.dll | 2008-10-21 4:33:20
C:/WINDOWS/system32/3474A8C2.dll | 2008-10-21 4:33:1
C:/WINDOWS/system32/E4814792.dll | 2008-10-21 4:32:23
C:/WINDOWS/system32/C250CF20.dll | 2008-10-21 4:32:4
C:/WINDOWS/system32/A8FC611B.dll | 2008-10-21 4:31:26
C:/WINDOWS/system32/122B901E.dll | 2008-10-21 4:31:7
C:/WINDOWS/system32/D7C79813.dll | 2008-10-21 4:30:48
C:/WINDOWS/system32/DE02F764.dll | 2008-10-21 4:30:29
C:/WINDOWS/system32/43ACDCC5.dll | 2008-10-21 3:30:37
C:/WINDOWS/system32/E3367679.dll | 2008-10-21 3:30:18
C:/WINDOWS/system32/3D144530.dll | 2008-10-21 3:29:59
C:/Program Files/Internet Explorer/iexplore.exe * 1832
C:/WINDOWS/system32/HBmhly.dll | 2008-10-21 3:28:43
C:/WINDOWS/system32/HBJXSJ.dll | 2008-10-26 3:9:46
C:/WINDOWS/system32/HBWOW.dll | 2008-10-21 3:29:21
C:/WINDOWS/system32/HBTL.dll | 2008-10-27 5:0:20
C:/WINDOWS/system32/HBQQXX.dll | 2008-10-26 3:10:3
C:/WINDOWS/system32/HBWD.dll | 2008-10-21 3:29:40
C:/Program Files/Internet Explorer/53u1ttMe.2ys | 2008-10-26 3:23:48
C:/Program Files/Deepdo/DeepdoBar/Favorite/FavBlock.dll
C:/WINDOWS/system32/E0D39066.dll | 2008-10-26 3:23:37
C:/WINDOWS/system32/CABA599D.dll | 2008-10-26 3:16:34
C:/WINDOWS/system32/9F684DE8.dll | 2008-10-25 7:5:44
C:/WINDOWS/system32/12B02216.dll | 2008-10-25 7:5:22
C:/WINDOWS/system32/9CA963CA.dll | 2008-10-21 4:36:30
C:/WINDOWS/system32/08223B03.dll | 2008-10-21 4:36:11
C:/WINDOWS/system32/495271CA.dll | 2008-10-21 4:35:52
C:/WINDOWS/system32/8566F82E.dll | 2008-10-21 4:35:33
C:/WINDOWS/system32/58FF3024.dll | 2008-10-21 4:35:14
C:/WINDOWS/system32/B3721C07.dll | 2008-10-21 4:34:55
C:/WINDOWS/system32/DA63E650.dll | 2008-10-21 4:34:36
C:/WINDOWS/system32/4BF9CBA3.dll | 2008-10-21 4:33:58
C:/WINDOWS/system32/22D75360.dll | 2008-10-21 4:33:39
C:/WINDOWS/system32/7ADC2AB1.dll | 2008-10-21 4:33:20
C:/WINDOWS/system32/3474A8C2.dll | 2008-10-21 4:33:1
C:/WINDOWS/system32/E4814792.dll | 2008-10-21 4:32:23
C:/WINDOWS/system32/C250CF20.dll | 2008-10-21 4:32:4
C:/WINDOWS/system32/A8FC611B.dll | 2008-10-21 4:31:26
C:/WINDOWS/system32/122B901E.dll | 2008-10-21 4:31:7
C:/WINDOWS/system32/D7C79813.dll | 2008-10-21 4:30:48
C:/WINDOWS/system32/DE02F764.dll | 2008-10-21 4:30:29
C:/WINDOWS/system32/43ACDCC5.dll | 2008-10-21 3:30:37
C:/WINDOWS/system32/E3367679.dll | 2008-10-21 3:30:18
C:/WINDOWS/system32/3D144530.dll | 2008-10-21 3:29:59
C:/Documents and Settings/Administrator/Local Settings/Temp/svDE.tmp * 2052
C:/WINDOWS/system32/HBmhly.dll | 2008-10-21 3:28:43
C:/WINDOWS/system32/HBJXSJ.dll | 2008-10-26 3:9:46
C:/WINDOWS/system32/HBWOW.dll | 2008-10-21 3:29:21
C:/WINDOWS/system32/HBTL.dll | 2008-10-27 5:0:20
C:/WINDOWS/system32/HBQQXX.dll | 2008-10-26 3:10:3
C:/WINDOWS/system32/HBWD.dll | 2008-10-21 3:29:40
C:/Program Files/Internet Explorer/53u1ttMe.2ys | 2008-10-26 3:23:48
C:/WINDOWS/system32/E0D39066.dll | 2008-10-26 3:23:37
C:/WINDOWS/system32/CABA599D.dll | 2008-10-26 3:16:34
C:/WINDOWS/system32/9F684DE8.dll | 2008-10-25 7:5:44
C:/WINDOWS/system32/12B02216.dll | 2008-10-25 7:5:22
C:/WINDOWS/system32/9CA963CA.dll | 2008-10-21 4:36:30
C:/WINDOWS/system32/08223B03.dll | 2008-10-21 4:36:11
C:/WINDOWS/system32/495271CA.dll | 2008-10-21 4:35:52
C:/WINDOWS/system32/8566F82E.dll | 2008-10-21 4:35:33
C:/WINDOWS/system32/58FF3024.dll | 2008-10-21 4:35:14
C:/WINDOWS/system32/B3721C07.dll | 2008-10-21 4:34:55
C:/WINDOWS/system32/DA63E650.dll | 2008-10-21 4:34:36
C:/WINDOWS/system32/4BF9CBA3.dll | 2008-10-21 4:33:58
C:/WINDOWS/system32/22D75360.dll | 2008-10-21 4:33:39
C:/WINDOWS/system32/7ADC2AB1.dll | 2008-10-21 4:33:20
C:/WINDOWS/system32/3474A8C2.dll | 2008-10-21 4:33:1
C:/WINDOWS/system32/E4814792.dll | 2008-10-21 4:32:23
C:/WINDOWS/system32/C250CF20.dll | 2008-10-21 4:32:4
C:/WINDOWS/system32/A8FC611B.dll | 2008-10-21 4:31:26
C:/WINDOWS/system32/122B901E.dll | 2008-10-21 4:31:7
C:/WINDOWS/system32/D7C79813.dll | 2008-10-21 4:30:48
C:/WINDOWS/system32/DE02F764.dll | 2008-10-21 4:30:29
C:/WINDOWS/system32/43ACDCC5.dll | 2008-10-21 3:30:37
C:/WINDOWS/system32/E3367679.dll | 2008-10-21 3:30:18
C:/WINDOWS/system32/3D144530.dll | 2008-10-21 3:29:59
O2 - BHO FavHook Class - {CD8BFE70-5809-4C73-9EEE-E5672C2B79D7} = C:/Program Files/Deepdo/DeepdoBar/Favorite/FavBlock.dll | 2002-1-10 7:48:13
O2 - BHO - {F6A454AE-156A-415E-9F89-3795677A8A91} = C:/Program Files/Internet Explorer/53u1ttMe.2ys | 2008-10-26 3:23:48
O4 - HKLM/../Run: [360ary] C:/WINDOWS/system32/koauolte.exe
O4 - HKLM/../Run: [HBService32] System.exe
O4 - HKLM/../Policies/Explorer/Run: [nwiz] alivin.exe
O4 - HKLM/../Policies/Explorer/Run: [svt23]C:/0001B531/685562
O4 - HKLM/../Policies/Explorer/Run: [svt233]C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/cho22.tmp
O20 - AppInit_DLLs =HBmhly.dll,HBTL.dll,HBQQXX.dll,HBWD.dll,E0D39066.dll,CABA599D.dll,9F684DE8.dll,12B02216.dll,9CA963CA.dll,08223B03.dll,495271CA.dll,8566F82E.dll,58FF3024.dll,B3721C07.dll,DA63E650.dll,4BF9CBA3.dll,22D75360.dll,7ADC2AB1.dll,3474A8C2.dll,E4814792.dll,C250CF20.dll,A8FC611B.dll,122B901E.dll,D7C79813.dll,DE02F764.dll,43ACDCC5.dll,E3367679.dll,3D144530.dll,HBWOW.dll,HBJXSJ.dll
O23 - Service: 4901228 (4901228) - C:/WINDOWS/system32/4901228.sys | 2008-10-21 3:30:37 (manual)
O23 - Service: 5102a80 (5102a80) - C:/WINDOWS/system32/5102a80.sys | 2008-10-25 7:4:56 (manual)
O23 - Service: 8882fa1 (8882fa1) - C:/WINDOWS/system32/8882fa1.sys | 2008-10-21 4:33:57 (manual)
O23 - Service: 8b52f47 (8b52f47) - C:/WINDOWS/system32/8b52f47.sys | 2008-10-21 3:29:59 (manual)
O23 - Service: 9fd8db (9fd8db) - C:/WINDOWS/system32/9fd8db.sys | 2008-10-25 7:4:40 (manual)
O23 - Service: aecff9 (aecff9) - C:/WINDOWS/system32/aecff9.sys | 2008-10-21 4:31:7 (manual)
O23 - Service: aliimz () - System32/Drivers/aliimz.sys (manual)
O23 - Service: Beep () - C:/WINDOWS/system32/drivers/Beep.sys | 2008-10-21 12:28:16 (system)
O23 - Service: HBKernel32 (HBKernel32 Driver) - system32/DRIVERS/HBKernel32.sys (boot)
O24 - ShlExecHook: [2] - {3D144530-43DA-47CC-B7C7-A3A9F3B9A6B2} = 3D144530.dll
O24 - ShlExecHook: [B] - {E3367679-4775-4244-A62E-4CFE58FC850B} = E3367679.dll
O24 - ShlExecHook: [8] - {43ACDCC5-9009-4AF4-B80A-93BC656EF298} = 43ACDCC5.dll
O24 - ShlExecHook: [F] - {DE02F764-C51A-4788-9597-D78ECC2AC08F} = DE02F764.dll
O24 - ShlExecHook: [3] - {D7C79813-9233-4AE0-832C-99B2E8019673} = D7C79813.dll
O24 - ShlExecHook: [C] - {122B901E-493F-4AD9-BC69-7DE8C3E52FCC} = 122B901E.dll
O24 - ShlExecHook: [7] - {A8FC611B-71F6-4B4D-BD3A-BFBCCDE96F57} = A8FC611B.dll
O24 - ShlExecHook: [B] - {C250CF20-5F89-4310-9854-4BC261FB14FB} = C250CF20.dll
O24 - ShlExecHook: [8] - {E4814792-EFA3-4C20-93D0-8B130A59F9A8} = E4814792.dll
O24 - ShlExecHook: [0] - {3474A8C2-BEF9-46C8-983A-A26A0030EC30} = 3474A8C2.dll
O24 - ShlExecHook: [C] - {7ADC2AB1-5C6A-4178-82DA-94863354AF7C} = 7ADC2AB1.dll
O24 - ShlExecHook: [6] - {22D75360-199D-4F79-880D-82E766675F06} = 22D75360.dll
O24 - ShlExecHook: [F] - {4BF9CBA3-8DEE-41A1-8BDB-FC28D30E949F} = 4BF9CBA3.dll
O24 - ShlExecHook: [B] - {DA63E650-537C-4042-87BB-9D19D844680B} = DA63E650.dll
O24 - ShlExecHook: [F] - {B3721C07-62B3-411A-9DC7-F5F27E3E21FF} = B3721C07.dll
O24 - ShlExecHook: [E] - {58FF3024-8A83-4B1A-88E9-302F47646EEE} = 58FF3024.dll
O24 - ShlExecHook: [1] - {8566F82E-03A4-416E-AEAC-66600D8881F1} = 8566F82E.dll
O24 - ShlExecHook: [0] - {495271CA-D0C6-4052-ABE6-5B01C73CDFB0} = 495271CA.dll
O24 - ShlExecHook: [E] - {08223B03-1B38-4A33-A83A-A4D3CC1D6E4E} = 08223B03.dll
O24 - ShlExecHook: [3] - {9CA963CA-107C-4089-B0AB-31380F90D7E3} = 9CA963CA.dll
O24 - ShlExecHook: [1] - {12B02216-AC3F-42A7-8313-449771237061} = 12B02216.dll
O24 - ShlExecHook: [1] - {9F684DE8-3E87-4174-9033-E02A3DFD8B61} = 9F684DE8.dll
O24 - ShlExecHook: [F] - {CABA599D-5089-4865-9420-E41FA3C1F55F} = CABA599D.dll
O24 - ShlExecHook: [F] - {E0D39066-96D7-4891-8527-488ADAFCD60F} = E0D39066.dll
O24 - ShlExecHook: [] - {F6A454AE-156A-415E-9F89-3795677A8A91} = C:/Program Files/Internet Explorer/53u1ttMe.2ys | 2008-10-26 3:23:48
O24 - ShlExecHook: [] - {5B77087D-AB76-4C22-B0A6-C34D1F438E55} = C:/Program Files/Common Files/Microsoft Shared/MSInfo/Come_System.sys | 2008-10-27 0:32:31
O26 - IFEO: 360Loader.exe -> svchost.exe
O26 - IFEO: 360safebox.exe -> ntsd -d
O26 - IFEO: CCenter.exe -> svchost.exe
O26 - IFEO: IceSword -> svchost.exe
O26 - IFEO: KPPMain.exe -> ntsd -d
O26 - IFEO: RavMon.exe -> svchost.exe
O26 - IFEO: RavMonD.exe -> svchost.exe
O26 - IFEO: RavStub.exe -> svchost.exe
O26 - IFEO: RavTask.exe -> svchost.exe
O26 - IFEO: RSTray.exe -> svchost.exe
O26 - IFEO: Thunder5.exe -> svchost.exe
O26 - IFEO: tqat.exe -> ntsd -d
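The persistence and self-defence mechanisms in the log above (AppInit_DLLs injecting the same module list into every process that loads user32.dll, Run entries under the policy key and in %TEMP%, kernel drivers dropped straight into system32, ShellExecuteHooks named after their own CLSID, and Image File Execution Options "Debugger" values that redirect security tools to svchost.exe or park them under ntsd) are the kind of thing a triage script should rank automatically. The following is an added example (editor's code, not pe_xscan and not from the original post): a parser for these O4/O20/O23/O24/O26 lines with tiered heuristics. SAMPLE_LOG is a constructed subset of the entries printed above, the "Service:" label is the English form of the tool's output, and every rule is the editor's own.

```python
"""Triage of O4/O20/O23/O24/O26 entries from a HijackThis-style scan log.

Added example (editor's code, not pe_xscan and not from the original post).
SAMPLE_LOG is a constructed subset of the entries printed in the post; the
"Service:" label is the English form of the tool's output, and every detection
rule below is the editor's own heuristic.
"""
import re
from collections import Counter
from typing import Dict, List, Tuple

Finding = Tuple[str, str, str]   # (tag, subject, detail)

SAMPLE_LOG = """\
O4 - HKLM/../Run: [360ary] C:/WINDOWS/system32/koauolte.exe
O4 - HKLM/../Run: [HBService32] System.exe
O4 - HKLM/../Policies/Explorer/Run: [nwiz] alivin.exe
O4 - HKLM/../Policies/Explorer/Run: [svt233]C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/cho22.tmp
O20 - AppInit_DLLs =HBmhly.dll,HBTL.dll,E0D39066.dll,CABA599D.dll
O23 - Service: 4901228 (4901228) - C:/WINDOWS/system32/4901228.sys | 2008-10-21 3:30:37 (manual)
O23 - Service: aliimz () - System32/Drivers/aliimz.sys (manual)
O23 - Service: HBKernel32 (HBKernel32 Driver) - system32/DRIVERS/HBKernel32.sys (boot)
O24 - ShlExecHook: [2] - {3D144530-43DA-47CC-B7C7-A3A9F3B9A6B2} = 3D144530.dll
O24 - ShlExecHook: [] - {F6A454AE-156A-415E-9F89-3795677A8A91} = C:/Program Files/Internet Explorer/53u1ttMe.2ys | 2008-10-26 3:23:48
O26 - IFEO: 360safebox.exe -> ntsd -d
O26 - IFEO: IceSword -> svchost.exe
O26 - IFEO: RavMon.exe -> svchost.exe
"""

IFEO_RE = re.compile(r'^O26 - IFEO: (?P<image>\S+) -> (?P<debugger>.+)$')
APPINIT_RE = re.compile(r'^O20 - AppInit_DLLs\s*=\s*(?P<dlls>.*)$')
RUN_RE = re.compile(r'^O4 - (?P<key>\S+): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$')
SVC_RE = re.compile(r'^O23 - \S+: (?P<name>\S+) \((?P<disp>[^)]*)\) - (?P<path>[^|(]+)')
HOOK_RE = re.compile(r'^O24 - ShlExecHook: \[[^\]]*\] - \{(?P<clsid>[0-9A-Fa-f-]+)\} = (?P<target>[^|]+)')
HEX_STEM = re.compile(r'^[0-9A-Fa-f]{8}$')     # 8-hex-digit file names, as in the log
SEP = re.compile(r'[\\/]')


def _parts(path: str) -> List[str]:
    return [p for p in SEP.split(path.strip()) if p]


def _stem(path: str) -> str:
    return _parts(path)[-1].rsplit('.', 1)[0]


def triage(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = IFEO_RE.match(line)
        if m:
            # A Debugger value under IFEO makes the loader start that program instead of
            # the image: svchost.exe just exits, "ntsd -d" parks the tool under a debugger.
            # For security-product executables this is a kill switch, never legitimate.
            findings.append(('IFEO-hijack', m['image'], m['debugger'].strip()))
            continue
        m = APPINIT_RE.match(line)
        if m:
            # Every DLL listed here is mapped into every process that loads user32.dll,
            # which is why the same module list repeats under winlogon, iexplore and the rest.
            for dll in (d.strip() for d in m['dlls'].split(',')):
                if dll:
                    tag = 'AppInit-random-name' if HEX_STEM.match(_stem(dll)) else 'AppInit-dll'
                    findings.append((tag, dll, 'injected system-wide'))
            continue
        m = RUN_RE.match(line)
        if m:
            cmd = m['cmd'].strip()
            if re.search(r'Policies[\\/]Explorer[\\/]Run', m['key']):
                tag = 'Run-policy-key'           # the policy Run key is rarely used by real software
            elif re.search(r'(?i)[\\/]temp[\\/]', cmd) or not SEP.search(cmd):
                tag = 'Run-temp-or-bare-name'    # payload in %TEMP%, or a PATH-resolved bare name
            else:
                tag = 'Run-review'
            findings.append((tag, m['name'], cmd))
            continue
        m = SVC_RE.match(line)
        if m:
            parts = _parts(m['path'])
            parent = parts[-2].lower() if len(parts) > 1 else ''
            if parts[-1].lower().endswith('.sys') and parent == 'system32':
                tag = 'Driver-outside-drivers-dir'   # kernel drivers normally live in system32\drivers
            elif not m['disp'].strip():
                tag = 'Service-no-display-name'
            else:
                tag = 'Service-review'
            findings.append((tag, m['name'], m['path'].strip()))
            continue
        m = HOOK_RE.match(line)
        if m:
            target = m['target'].strip()
            if _stem(target).upper() == m['clsid'][:8].upper():
                tag = 'ShlExecHook-clsid-named'      # file named after the first CLSID block
            elif not target.lower().endswith('.dll'):
                tag = 'ShlExecHook-odd-extension'    # a .2ys or .sys "shell hook" is not a normal COM server
            else:
                tag = 'ShlExecHook-review'
            findings.append((tag, m['clsid'], target))
    return findings


def summary(findings: List[Finding]) -> Dict[str, int]:
    return dict(Counter(tag for tag, _, _ in findings))


if __name__ == '__main__':
    for tag, subject, detail in triage(SAMPLE_LOG):
        print(f'{tag:<26} {subject:<40} {detail}')
```

The tiers are the point: IFEO redirections and CLSID-named shell hooks are flagged outright, while an ordinary-looking Run entry such as koauolte.exe only gets Run-review, because no name heuristic substitutes for checking each unfamiliar path and timestamp by hand, as the post does. Feed it the full log and the IFEO, AppInit and hook entries come out first, which is the order in which they need removing: clearing the IFEO keys first lets the security tools start again.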
(To be continued)
From: https://blog.51cto.com/endurer/5921715