A friend was using his computer when 360 reported that it had found a virus, which was cleaned at the time. After rebooting, though, a fault appeared: nothing was displayed on the desktop. He asked me to help repair it.
I pressed Ctrl+Alt+Del to open Task Manager and checked the process list: there was no explorer.exe. Looking further, there was no explorer.exe in the c:\windows folder, and none in the dllcache folder either.
I ran WinRAR to search and found an explorer.exe in c:\windows\temp. After moving it into the c:\windows folder and running it, the taskbar and desktop icons were displayed again. I then scanned with pe_xscan and analysed the log, which showed the following suspicious items (process module lists abbreviated):
pe_xscan 11-02-14 by Purple Endurer
2011-3-11 14:17:16
6.0.2900.5512
MSIE:6.0.2900.5512
Administrators user group
Normal mode
[System Process] * 0
C:\WINDOWS\system32\kernel32.dll | 2009-8-21 22:22:36 | Microsoft(R) Windows(R) Operating System | 5.1.2600.5781 | Windows NT BASE API Client DLL | (C) Microsoft Corporation. All rights reserved. | 5.1.2600.5781 (xpsp_sp3_qfe.090321-1341) | Microsoft Corporation| ? | kernel32 | kernel32
C:\WINDOWS\system32\GDI32.dll | 2009-8-21 22:22:37 | Microsoft® Windows® Operating System | 5.1.2600.5698 | GDI Client DLL | © Microsoft Corporation. All rights reserved. | 5.1.2600.5698 (xpsp_sp3_gdr.081022-1932) | Microsoft Corporation| ? | gdi32 | gdi32
C:\WINDOWS\system32\RPCRT4.dll | 2009-8-21 22:22:31 | Microsoft® Windows® Operating System | 5.1.2600.5795 | Remote Procedure Call Runtime | © Microsoft Corporation. All rights reserved. | 5.1.2600.5795 (xpsp_sp3_qfe.090415-1301) | Microsoft Corporation| ? | rpcrt4.dll | rpcrt4.dll
C:\WINDOWS\system32\netapi32.dll | 2009-8-21 22:22:33 | Microsoft® Windows® Operating System | 5.1.2600.5694 | Net Win32 API DLL | © Microsoft Corporation. All rights reserved. | 5.1.2600.5694 (xpsp_sp3_gdr.081015-1312) | Microsoft Corporation| ? | NetApi32.DLL | NetApi32.DLL
C:\WINDOWS\system32\msctfime.ime | 2009-8-10 23:49:15 | Microsoft® Windows® Operating System | 5.1.2600.5768 | Microsoft Text Frame Work Service IME | © Microsoft Corporation. All rights reserved. | 5.1.2600.5768 (xpsp_sp3_qfe.090226-1518) | Microsoft Corporation| ? | MSCTFIME | MSCTFIME.IME
C:\WINDOWS\system32\shdocvw.dll | 2009-8-21 22:22:31 | Microsoft(R) Windows(R) Operating System | 6.00.2900.5848 | Shell Doc Object and Control Library | (C) Microsoft Corporation. All rights reserved. | 6.00.2900.5848 (xpsp_sp3_qfe.090718-1313) | Microsoft Corporation| ? | SHDOCVW.DLL | SHDOCVW.DLL
C:\WINDOWS\system32\WININET.dll | 2009-8-21 22:22:29 | Microsoft(R) Windows(R) Operating System | 6.00.2900.5835 | Internet Extensions for Win32 | (C) Microsoft Corporation. All rights reserved. | 6.00.2900.5835 (xpsp_sp3_qfe.090626-1600) | Microsoft Corporation| ? | wininet.dll | wininet.dll
C:\WINDOWS\system32\portabledeviceapi.dll | 2009-8-21 22:22:32 | Microsoft® Windows® Operating System | 5.2.5721.5145 | Windows Portable Device API Components | © Microsoft Corporation. All rights reserved. | 5.2.5721.5145 (WMP_11.061018-2006) | Microsoft Corporation| ? | | PortableDeviceApi.dll
C:\WINDOWS\system32\mswsock.dll | 2009-8-21 22:22:33 | Microsoft(R) Windows(R) Operating System | 5.1.2600.5625 | Microsoft Windows Sockets 2.0 Service Provider | (C) Microsoft Corporation. All rights reserved. | 5.1.2600.5625 (xpsp_sp3_gdr.080620-1249) | Microsoft Corporation| ? | mswsock.dll | mswsock.dll
C:\WINDOWS\system32\csrss.exe* 584 | 2009-3-13 10:3:58
C:\WINDOWS\system32\GDI32.dll | 2009-8-21 22:22:37 | Microsoft® Windows® Operating System | 5.1.2600.5698 | GDI Client DLL | © Microsoft Corporation. All rights reserved. | 5.1.2600.5698 (xpsp_sp3_gdr.081022-1932) | Microsoft Corporation| ? | gdi32 | gdi32
C:\WINDOWS\system32\KERNEL32.dll | 2009-8-21 22:22:36 | Microsoft(R) Windows(R) Operating System | 5.1.2600.5781 | Windows NT BASE API Client DLL | (C) Microsoft Corporation. All rights reserved. | 5.1.2600.5781 (xpsp_sp3_qfe.090321-1341) | Microsoft Corporation| ? | kernel32 | kernel32
C:\WINDOWS\system32\RPCRT4.dll | 2009-8-21 22:22:31 | Microsoft® Windows® Operating System | 5.1.2600.5795 | Remote Procedure Call Runtime | © Microsoft Corporation. All rights reserved. | 5.1.2600.5795 (xpsp_sp3_qfe.090415-1301) | Microsoft Corporation| ? | rpcrt4.dll | rpcrt4.dll
C:\WINDOWS\system32\winlogon.exe * 624 | 2009-3-13 10:3:58 | Microsoft(R) Windows(R) Operating System | 5.1.2600.5512 | Windows NT Logon Application | (C) Microsoft Corporation. All rights reserved. | 5.1.2600.5512 (xpsp.080413-2113) | Microsoft Corporation| ? | winlogon | WINLOGON.EXE
C:\WINDOWS\system32\kernel32.dll | 2009-8-21 22:22:36 | Microsoft(R) Windows(R) Operating System | 5.1.2600.5781 | Windows NT BASE API Client DLL | (C) Microsoft Corporation. All rights reserved. | 5.1.2600.5781 (xpsp_sp3_qfe.090321-1341) | Microsoft Corporation| ? | kernel32 | kernel32
C:\WINDOWS\system32\RPCRT4.dll | 2009-8-21 22:22:31 | Microsoft® Windows® Operating System | 5.1.2600.5795 | Remote Procedure Call Runtime | © Microsoft Corporation. All rights reserved. | 5.1.2600.5795 (xpsp_sp3_qfe.090415-1301) | Microsoft Corporation| ? | rpcrt4.dll | rpcrt4.dll
C:\WINDOWS\system32\GDI32.dll | 2009-8-21 22:22:37 | Microsoft® Windows® Operating System | 5.1.2600.5698 | GDI Client DLL | © Microsoft Corporation. All rights reserved. | 5.1.2600.5698 (xpsp_sp3_gdr.081022-1932) | Microsoft Corporation| ? | gdi32 | gdi32
C:\WINDOWS\system32\NETAPI32.dll | 2009-8-21 22:22:33 | Microsoft® Windows® Operating System | 5.1.2600.5694 | Net Win32 API DLL | © Microsoft Corporation. All rights reserved. | 5.1.2600.5694 (xpsp_sp3_gdr.081015-1312) | Microsoft Corporation| ? | NetApi32.DLL | NetApi32.DLL
C:\WINDOWS\system32\msctfime.ime | 2009-8-10 23:49:15 | Microsoft® Windows® Operating System | 5.1.2600.5768 | Microsoft Text Frame Work Service IME | © Microsoft Corporation. All rights reserved. | 5.1.2600.5768 (xpsp_sp3_qfe.090226-1518) | Microsoft Corporation| ? | MSCTFIME | MSCTFIME.IME
C:\WINDOWS\system32\services.exe* 700 | 2009-3-13 10:3:58
C:\WINDOWS\system32\kernel32.dll | 2009-8-21 22:22:36 | Microsoft(R) Windows(R) Operating System | 5.1.2600.5781 | Windows NT BASE API Client DLL | (C) Microsoft Corporation. All rights reserved. | 5.1.2600.5781 (xpsp_sp3_qfe.090321-1341) | Microsoft Corporation| ? | kernel32 | kernel32
C:\WINDOWS\system32\RPCRT4.dll | 2009-8-21 22:22:31 | Microsoft® Windows® Operating System | 5.1.2600.5795 | Remote Procedure Call Runtime | © Microsoft Corporation. All rights reserved. | 5.1.2600.5795 (xpsp_sp3_qfe.090415-1301) | Microsoft Corporation| ? | rpcrt4.dll | rpcrt4.dll
C:\WINDOWS\system32\GDI32.dll | 2009-8-21 22:22:37 | Microsoft® Windows® Operating System | 5.1.2600.5698 | GDI Client DLL | © Microsoft Corporation. All rights reserved. | 5.1.2600.5698 (xpsp_sp3_gdr.081022-1932) | Microsoft Corporation| ? | gdi32 | gdi32
C:\WINDOWS\system32\NETAPI32.dll | 2009-8-21 22:22:33 | Microsoft® Windows® Operating System | 5.1.2600.5694 | Net Win32 API DLL | © Microsoft Corporation. All rights reserved. | 5.1.2600.5694 (xpsp_sp3_gdr.081015-1312) | Microsoft Corporation| ? | NetApi32.DLL | NetApi32.DLL
C:\WINDOWS\system32\lsass.exe* 720 | 2009-3-13 10:3:58
C:\WINDOWS\system32\kernel32.dll | 2009-8-21 22:22:36 | Microsoft(R) Windows(R) Operating System | 5.1.2600.5781 | Windows NT BASE API Client DLL | (C) Microsoft Corporation. All rights reserved. | 5.1.2600.5781 (xpsp_sp3_qfe.090321-1341) | Microsoft Corporation| ? | kernel32 | kernel32
C:\WINDOWS\system32\RPCRT4.dll | 2009-8-21 22:22:31 | Microsoft® Windows® Operating System | 5.1.2600.5795 | Remote Procedure Call Runtime | © Microsoft Corporation. All rights reserved. | 5.1.2600.5795 (xpsp_sp3_qfe.090415-1301) | Microsoft Corporation| ? | rpcrt4.dll | rpcrt4.dll
C:\WINDOWS\system32\GDI32.dll | 2009-8-21 22:22:37 | Microsoft® Windows® Operating System | 5.1.2600.5698 | GDI Client DLL | © Microsoft Corporation. All rights reserved. | 5.1.2600.5698 (xpsp_sp3_gdr.081022-1932) | Microsoft Corporation| ? | gdi32 | gdi32
C:\WINDOWS\system32\NETAPI32.dll | 2009-8-21 22:22:33 | Microsoft® Windows® Operating System | 5.1.2600.5694 | Net Win32 API DLL | © Microsoft Corporation. All rights reserved. | 5.1.2600.5694 (xpsp_sp3_gdr.081015-1312) | Microsoft Corporation| ? | NetApi32.DLL | NetApi32.DLL
C:\WINDOWS\system32\svchost.exe* 1020 | 2009-3-13 10:3:58
C:\WINDOWS\system32\kernel32.dll | 2009-8-21 22:22:36 | Microsoft(R) Windows(R) Operating System | 5.1.2600.5781 | Windows NT BASE API Client DLL | (C) Microsoft Corporation. All rights reserved. | 5.1.2600.5781 (xpsp_sp3_qfe.090321-1341) | Microsoft Corporation| ? | kernel32 | kernel32
C:\WINDOWS\system32\RPCRT4.dll | 2009-8-21 22:22:31 | Microsoft® Windows® Operating System | 5.1.2600.5795 | Remote Procedure Call Runtime | © Microsoft Corporation. All rights reserved. | 5.1.2600.5795 (xpsp_sp3_qfe.090415-1301) | Microsoft Corporation| ? | rpcrt4.dll | rpcrt4.dll
C:\WINDOWS\system32\GDI32.dll | 2009-8-21 22:22:37 | Microsoft® Windows® Operating System | 5.1.2600.5698 | GDI Client DLL | © Microsoft Corporation. All rights reserved. | 5.1.2600.5698 (xpsp_sp3_gdr.081022-1932) | Microsoft Corporation| ? | gdi32 | gdi32
C:\WINDOWS\system32\NETAPI32.dll | 2009-8-21 22:22:33 | Microsoft® Windows® Operating System | 5.1.2600.5694 | Net Win32 API DLL | © Microsoft Corporation. All rights reserved. | 5.1.2600.5694 (xpsp_sp3_gdr.081015-1312) | Microsoft Corporation| ? | NetApi32.DLL | NetApi32.DLL
C:\WINDOWS\system32\WININET.dll | 2009-8-21 22:22:29 | Microsoft(R) Windows(R) Operating System | 6.00.2900.5835 | Internet Extensions for Win32 | (C) Microsoft Corporation. All rights reserved. | 6.00.2900.5835 (xpsp_sp3_qfe.090626-1600) | Microsoft Corporation| ? | wininet.dll | wininet.dll
c:\windows\system32\MSWSOCK.dll | 2009-8-21 22:22:33 | Microsoft(R) Windows(R) Operating System | 5.1.2600.5625 | Microsoft Windows Sockets 2.0 Service Provider | (C) Microsoft Corporation. All rights reserved. | 5.1.2600.5625 (xpsp_sp3_gdr.080620-1249) | Microsoft Corporation| ? | mswsock.dll | mswsock.dll
C:\Program Files\Common Files\System\kb860088.CNT | 2011-3-10 13:4:5
O4 - HKLM\..\run: [360Soft] C:\WINDOWS\system32\scvhost.exe
O4 - HKLM\..\run: [Inst] "C:\Program Files\qcat\qsetup.exe" -safe
O23 - Service: Nla (Network Location Awareness (NLA)) - C:\WINDOWS\system32\svchost.exe -k netsvcs | 2009-3-13 10:3:58
-> C:\WINDOWS\System32\mswsock.dll | 2009-8-21 22:22:33(Manual)
O23 - Service: Srv (Srv) - system32\DRIVERS\srv.sys | 2009-3-13 10:3:58 | Microsoft® Windows® Operating System | 5.1.2600.5725 | Server driver | © Microsoft Corporation. All rights reserved. | 5.1.2600.5725 (xpsp_sp3_gdr.081211-1306) | Microsoft Corporation| ? | SRV.SYS | SRV.SYS(Manual)
O23 - Service: WmdmPmSN (Portable Media Serial Number Service) - C:\WINDOWS\System32\svchost.exe -k netsvcs | 2009-3-13 10:3:58
-> C:\WINDOWS\system32\mspmsnsv.dll | 2009-8-21 22:22:34(Manual)
O23 - Service: WudfPf (Windows Driver Foundation - User-mode Driver Framework Platform Driver) - system32\DRIVERS\WudfPf.sys | 2009-3-13 10:3:58 | Microsoft® Windows® Operating System | 6.0.5716.32 | Windows Driver Foundation - User-mode Driver Framework Platform Driver | © Microsoft Corporation. All rights reserved. | 6.0.5716.32 (winmain(wmbla).060928-1756) | Microsoft Corporation| ? | WUDFPf.sys | WUDFPf.sys(Manual)
O23 - Service: WudfRd (Windows Driver Foundation - User-mode Driver Framework Reflector) - system32\DRIVERS\wudfrd.sys | 2009-3-13 10:3:58 | Microsoft® Windows® Operating System | 6.0.5716.32 | Windows Driver Foundation - User-mode Driver Framework Reflector | © Microsoft Corporation. All rights reserved. | 6.0.5716.32 (winmain(wmbla).060928-1756) | Microsoft Corporation| ? | WUDFRd.sys | WUDFRd.sys(Manual)
O23 - Service: WudfSvc (Windows Driver Foundation - User-mode Driver Framework) - C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup | 2009-3-13 10:3:58
-> C:\WINDOWS\System32\WUDFSvc.dll | 2009-8-21 22:22:27(Manual)
O29 - HKCU-Start Page = hxxp://www.111dh.com/#5 Congratulations, you have logged on to this site successfully; please click "Yes (Y)". Loads of free movie sites, a directory of big-name sites, watch every day!
O29 - HKUS-Start Page = hxxp://www.537.com
Many system files failed digital-signature verification; presumably they were replaced or infected by the virus. Download DrWeb CureIt! to scan and remove it…
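The rules a reader applies while picking the suspicious items out of a log like the one above (a look-alike name such as scvhost.exe next to the real svchost.exe, a system binary running from a temp folder, a non-library file such as a .CNT loaded into a system process, a file written the day before the scan, a start page pointing at an unknown host) can be written down as a small parser so the same triage is repeatable on the next log. The following is an added example, not code from pe_xscan or from the original post. Its log lines are constructed in the same line formats as the log above (the explorer.exe-in-temp process line stands in for the copy the post found in c:\windows\temp), and the list of core system binaries, the trusted start-page hosts and the seven-day recency threshold are assumptions made for the example.

```python
"""Triage a pe_xscan / HijackThis-style log for the indicator types seen in
the post above.  Added example, not part of pe_xscan.  The sample lines, the
core-binary list, the trusted start-page hosts and the recency threshold are
assumptions of this example."""
import re
from datetime import datetime

SCAN_DATE = datetime(2011, 3, 11)           # scan date from the log header
RECENT_DAYS = 7                             # assumed: written this close to the scan = worth a look
SYSTEM_BINARIES = {"svchost.exe", "csrss.exe", "lsass.exe", "winlogon.exe",
                   "services.exe", "explorer.exe", "smss.exe", "spoolsv.exe"}  # assumed list
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32"}
MODULE_EXTS = {".dll", ".exe", ".drv", ".ocx", ".ime", ".sys", ".cpl", ".ax"}
TRUSTED_START_HOSTS = {"about:blank", "www.msn.com"}   # assumed allow-list

# Constructed sample in the same line formats as the log above (not copied verbatim).
SAMPLE_LOG = r"""
C:\WINDOWS\system32\svchost.exe* 1020 | 2009-3-13 10:3:58
C:\WINDOWS\system32\kernel32.dll | 2009-8-21 22:22:36 | Microsoft(R) Windows(R) Operating System
C:\Program Files\Common Files\System\kb860088.CNT | 2011-3-10 13:4:5
C:\WINDOWS\temp\explorer.exe* 1500 | 2011-3-10 13:4:5
O4 - HKLM\..\run: [360Soft] C:\WINDOWS\system32\scvhost.exe
O4 - HKLM\..\run: [Inst] "C:\Program Files\qcat\qsetup.exe" -safe
O23 - Service: Nla (Network Location Awareness (NLA)) - C:\WINDOWS\system32\svchost.exe -k netsvcs | 2009-3-13 10:3:58
O29 - HKCU-Start Page = hxxp://www.111dh.com/#5
"""

TS = r"(?P<ts>\d{4}-\d{1,2}-\d{1,2} \d{1,2}:\d{1,2}:\d{1,2})"
PROC_RE = re.compile(r"^(?P<path>[A-Za-z]:\\[^|*]+?)\s*\*\s*(?P<pid>\d+)\s*\|\s*" + TS)  # "path* PID | date"
MOD_RE = re.compile(r"^(?P<path>[A-Za-z]:\\[^|*]+?)\s*\|\s*" + TS)                        # "path | date | ..."
RUN_RE = re.compile(r'^O4 - .*?\[[^\]]*\]\s*"?(?P<path>[^"]+?\.exe)"?', re.I)              # Run-key target, quoted or not
START_RE = re.compile(r"^O29 - .*?Start Page = (?P<url>\S+)")


def osa_distance(a, b):
    """Optimal-string-alignment edit distance: a swapped pair (scvhost vs svchost)
    counts as one edit, so transposition typosquats land at distance 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def lookalike_of(name):
    """Return the core binary that `name` imitates (within 2 edits), else None."""
    name = name.lower()
    if name in SYSTEM_BINARIES:
        return None
    for real in sorted(SYSTEM_BINARIES):
        if osa_distance(name, real) <= 2:
            return real
    return None


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")   # accepts the log's unpadded fields


def check_file(path, ts, findings, is_module=False):
    """Rules applied to every file path the log mentions."""
    folder, _, name = path.rpartition("\\")
    name, folder = name.lower(), folder.lower()
    twin = lookalike_of(name)
    if twin:
        findings.append(("lookalike-name", f"{path} imitates {twin}"))
    if name in SYSTEM_BINARIES and folder not in SYSTEM_DIRS:
        findings.append(("system-binary-misplaced", path))
    if is_module and ("." + name.rpartition(".")[2]) not in MODULE_EXTS:
        findings.append(("odd-module-extension", path))
    # A negative age (timestamp after the scan) is at least as suspicious, so <= catches it too.
    if ts is not None and (SCAN_DATE - ts).days <= RECENT_DAYS:
        findings.append(("recently-written", f"{path} ({ts:%Y-%m-%d})"))


def triage(log_text):
    """Run every rule over each log line; returns a list of (rule, detail) pairs."""
    findings = []
    for line in (l.strip() for l in log_text.splitlines()):
        if m := PROC_RE.match(line):
            check_file(m["path"], parse_ts(m["ts"]), findings)
        elif m := MOD_RE.match(line):
            check_file(m["path"], parse_ts(m["ts"]), findings, is_module=True)
        elif m := RUN_RE.match(line):
            check_file(m["path"], None, findings)
        elif m := START_RE.match(line):
            host = re.sub(r"^\w+://", "", m["url"]).split("/")[0].lower()
            if host not in TRUSTED_START_HOSTS:
                findings.append(("start-page-hijack", m["url"]))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_LOG):
        print(f"{rule:24} {detail}")
```

On the sample it flags the three items the post lists (scvhost.exe as a look-alike of svchost.exe, kb860088.CNT as a non-library file with a fresh timestamp, and the www.111dh.com start page) plus the constructed explorer.exe process in c:\windows\temp, and leaves the qsetup.exe Run entry and the service lines alone. The output is a shortlist for a human, not a verdict: the misplaced-binary rule is also the reason an explorer.exe recovered from a temp folder deserves a signature check before it is put back into c:\windows.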