Encountering scvhost.exe, qsetup.exe, dsound.dll, hnetcfg.dll, olepro32.dll and others (1)

  A friend was using his computer when 360 reported that it had found a virus, which was cleaned at the time. After a reboot, however, the machine developed a fault: nothing was displayed on the desktop. He asked me to help repair it.

  Pressing Ctrl+Alt+Del to open Task Manager and checking the process list, there was no explorer.exe. A check showed that there was no explorer.exe in the c:/windows folder, and none in the dllcache folder either.

  Running WinRAR to search (with Explorer gone, its built-in file browser serves as a stand-in file manager), I found an explorer.exe in c:/windows/temp. After moving it to the c:/windows folder and running it, the taskbar and desktop icons came back. A copy of explorer.exe turning up in a temp folder is itself suspicious, so its digital signature and hash should be checked before it is trusted. Scanning with pe_xscan and analysing the log turned up the following suspicious items (process modules are elided):

pe_xscan 11-02-14 by Purple Endurer 
2011-3-11 14:17:16
6.0.2900.5512
MSIE:6.0.2900.5512
Administrators group
Normal mode
[System Process] * 0
   C:/WINDOWS/system32/kernel32.dll | 2009-8-21 22:22:36 | Microsoft(R) Windows(R) Operating System | 5.1.2600.5781 | Windows NT BASE API Client DLL | (C) Microsoft Corporation. All rights reserved. | 5.1.2600.5781 (xpsp_sp3_qfe.090321-1341) | Microsoft Corporation| ? | kernel32 | kernel32
   C:/WINDOWS/system32/GDI32.dll | 2009-8-21 22:22:37 | Microsoft® Windows® Operating System | 5.1.2600.5698 | GDI Client DLL | © Microsoft Corporation. All rights reserved. | 5.1.2600.5698 (xpsp_sp3_gdr.081022-1932) | Microsoft Corporation| ? | gdi32 | gdi32
   C:/WINDOWS/system32/RPCRT4.dll | 2009-8-21 22:22:31 | Microsoft® Windows® Operating System | 5.1.2600.5795 | Remote Procedure Call Runtime | © Microsoft Corporation. All rights reserved. | 5.1.2600.5795 (xpsp_sp3_qfe.090415-1301) | Microsoft Corporation| ? | rpcrt4.dll | rpcrt4.dll
   C:/WINDOWS/system32/netapi32.dll | 2009-8-21 22:22:33 | Microsoft® Windows® Operating System | 5.1.2600.5694 | Net Win32 API DLL | © Microsoft Corporation. All rights reserved. | 5.1.2600.5694 (xpsp_sp3_gdr.081015-1312) | Microsoft Corporation| ? | NetApi32.DLL | NetApi32.DLL
   C:/WINDOWS/system32/msctfime.ime | 2009-8-10 23:49:15 | Microsoft® Windows® Operating System | 5.1.2600.5768 | Microsoft Text Frame Work Service IME | © Microsoft Corporation. All rights reserved. | 5.1.2600.5768 (xpsp_sp3_qfe.090226-1518) | Microsoft Corporation| ? | MSCTFIME | MSCTFIME.IME
   C:/WINDOWS/system32/shdocvw.dll | 2009-8-21 22:22:31 | Microsoft(R) Windows(R) Operating System | 6.00.2900.5848 | Shell Doc Object and Control Library | (C) Microsoft Corporation. All rights reserved. | 6.00.2900.5848 (xpsp_sp3_qfe.090718-1313) | Microsoft Corporation| ? | SHDOCVW.DLL | SHDOCVW.DLL
   C:/WINDOWS/system32/WININET.dll | 2009-8-21 22:22:29 | Microsoft(R) Windows(R) Operating System | 6.00.2900.5835 | Internet Extensions for Win32 | (C) Microsoft Corporation. All rights reserved. | 6.00.2900.5835 (xpsp_sp3_qfe.090626-1600) | Microsoft Corporation| ? | wininet.dll | wininet.dll
   C:/WINDOWS/system32/portabledeviceapi.dll | 2009-8-21 22:22:32 | Microsoft® Windows® Operating System | 5.2.5721.5145 | Windows Portable Device API Components | © Microsoft Corporation. All rights reserved. | 5.2.5721.5145 (WMP_11.061018-2006) | Microsoft Corporation| ? | | PortableDeviceApi.dll
   C:/WINDOWS/system32/mswsock.dll | 2009-8-21 22:22:33 | Microsoft(R) Windows(R) Operating System | 5.1.2600.5625 | Microsoft Windows Sockets 2.0 Service Provider | (C) Microsoft Corporation. All rights reserved. | 5.1.2600.5625 (xpsp_sp3_gdr.080620-1249) | Microsoft Corporation| ? | mswsock.dll | mswsock.dll
C:/WINDOWS/system32/csrss.exe* 584 | 2009-3-13 10:3:58
   C:/WINDOWS/system32/GDI32.dll | 2009-8-21 22:22:37 | Microsoft® Windows® Operating System | 5.1.2600.5698 | GDI Client DLL | © Microsoft Corporation. All rights reserved. | 5.1.2600.5698 (xpsp_sp3_gdr.081022-1932) | Microsoft Corporation| ? | gdi32 | gdi32
   C:/WINDOWS/system32/KERNEL32.dll | 2009-8-21 22:22:36 | Microsoft(R) Windows(R) Operating System | 5.1.2600.5781 | Windows NT BASE API Client DLL | (C) Microsoft Corporation. All rights reserved. | 5.1.2600.5781 (xpsp_sp3_qfe.090321-1341) | Microsoft Corporation| ? | kernel32 | kernel32
   C:/WINDOWS/system32/RPCRT4.dll | 2009-8-21 22:22:31 | Microsoft® Windows® Operating System | 5.1.2600.5795 | Remote Procedure Call Runtime | © Microsoft Corporation. All rights reserved. | 5.1.2600.5795 (xpsp_sp3_qfe.090415-1301) | Microsoft Corporation| ? | rpcrt4.dll | rpcrt4.dll
C:/WINDOWS/system32/winlogon.exe * 624 | 2009-3-13 10:3:58 | Microsoft(R) Windows(R) Operating System | 5.1.2600.5512 | Windows NT Logon Application | (C) Microsoft Corporation. All rights reserved. | 5.1.2600.5512 (xpsp.080413-2113) | Microsoft Corporation| ? | winlogon | WINLOGON.EXE
   C:/WINDOWS/system32/kernel32.dll | 2009-8-21 22:22:36 | Microsoft(R) Windows(R) Operating System | 5.1.2600.5781 | Windows NT BASE API Client DLL | (C) Microsoft Corporation. All rights reserved. | 5.1.2600.5781 (xpsp_sp3_qfe.090321-1341) | Microsoft Corporation| ? | kernel32 | kernel32
   C:/WINDOWS/system32/RPCRT4.dll | 2009-8-21 22:22:31 | Microsoft® Windows® Operating System | 5.1.2600.5795 | Remote Procedure Call Runtime | © Microsoft Corporation. All rights reserved. | 5.1.2600.5795 (xpsp_sp3_qfe.090415-1301) | Microsoft Corporation| ? | rpcrt4.dll | rpcrt4.dll
   C:/WINDOWS/system32/GDI32.dll | 2009-8-21 22:22:37 | Microsoft® Windows® Operating System | 5.1.2600.5698 | GDI Client DLL | © Microsoft Corporation. All rights reserved. | 5.1.2600.5698 (xpsp_sp3_gdr.081022-1932) | Microsoft Corporation| ? | gdi32 | gdi32
   C:/WINDOWS/system32/NETAPI32.dll | 2009-8-21 22:22:33 | Microsoft® Windows® Operating System | 5.1.2600.5694 | Net Win32 API DLL | © Microsoft Corporation. All rights reserved. | 5.1.2600.5694 (xpsp_sp3_gdr.081015-1312) | Microsoft Corporation| ? | NetApi32.DLL | NetApi32.DLL
   C:/WINDOWS/system32/msctfime.ime | 2009-8-10 23:49:15 | Microsoft® Windows® Operating System | 5.1.2600.5768 | Microsoft Text Frame Work Service IME | © Microsoft Corporation. All rights reserved. | 5.1.2600.5768 (xpsp_sp3_qfe.090226-1518) | Microsoft Corporation| ? | MSCTFIME | MSCTFIME.IME
C:/WINDOWS/system32/services.exe* 700 | 2009-3-13 10:3:58
   C:/WINDOWS/system32/kernel32.dll | 2009-8-21 22:22:36 | Microsoft(R) Windows(R) Operating System | 5.1.2600.5781 | Windows NT BASE API Client DLL | (C) Microsoft Corporation. All rights reserved. | 5.1.2600.5781 (xpsp_sp3_qfe.090321-1341) | Microsoft Corporation| ? | kernel32 | kernel32
   C:/WINDOWS/system32/RPCRT4.dll | 2009-8-21 22:22:31 | Microsoft® Windows® Operating System | 5.1.2600.5795 | Remote Procedure Call Runtime | © Microsoft Corporation. All rights reserved. | 5.1.2600.5795 (xpsp_sp3_qfe.090415-1301) | Microsoft Corporation| ? | rpcrt4.dll | rpcrt4.dll
   C:/WINDOWS/system32/GDI32.dll | 2009-8-21 22:22:37 | Microsoft® Windows® Operating System | 5.1.2600.5698 | GDI Client DLL | © Microsoft Corporation. All rights reserved. | 5.1.2600.5698 (xpsp_sp3_gdr.081022-1932) | Microsoft Corporation| ? | gdi32 | gdi32
   C:/WINDOWS/system32/NETAPI32.dll | 2009-8-21 22:22:33 | Microsoft® Windows® Operating System | 5.1.2600.5694 | Net Win32 API DLL | © Microsoft Corporation. All rights reserved. | 5.1.2600.5694 (xpsp_sp3_gdr.081015-1312) | Microsoft Corporation| ? | NetApi32.DLL | NetApi32.DLL
C:/WINDOWS/system32/lsass.exe* 720 | 2009-3-13 10:3:58
   C:/WINDOWS/system32/kernel32.dll | 2009-8-21 22:22:36 | Microsoft(R) Windows(R) Operating System | 5.1.2600.5781 | Windows NT BASE API Client DLL | (C) Microsoft Corporation. All rights reserved. | 5.1.2600.5781 (xpsp_sp3_qfe.090321-1341) | Microsoft Corporation| ? | kernel32 | kernel32
   C:/WINDOWS/system32/RPCRT4.dll | 2009-8-21 22:22:31 | Microsoft® Windows® Operating System | 5.1.2600.5795 | Remote Procedure Call Runtime | © Microsoft Corporation. All rights reserved. | 5.1.2600.5795 (xpsp_sp3_qfe.090415-1301) | Microsoft Corporation| ? | rpcrt4.dll | rpcrt4.dll
   C:/WINDOWS/system32/GDI32.dll | 2009-8-21 22:22:37 | Microsoft® Windows® Operating System | 5.1.2600.5698 | GDI Client DLL | © Microsoft Corporation. All rights reserved. | 5.1.2600.5698 (xpsp_sp3_gdr.081022-1932) | Microsoft Corporation| ? | gdi32 | gdi32
   C:/WINDOWS/system32/NETAPI32.dll | 2009-8-21 22:22:33 | Microsoft® Windows® Operating System | 5.1.2600.5694 | Net Win32 API DLL | © Microsoft Corporation. All rights reserved. | 5.1.2600.5694 (xpsp_sp3_gdr.081015-1312) | Microsoft Corporation| ? | NetApi32.DLL | NetApi32.DLL
C:/WINDOWS/system32/svchost.exe* 1020 | 2009-3-13 10:3:58
   C:/WINDOWS/system32/kernel32.dll | 2009-8-21 22:22:36 | Microsoft(R) Windows(R) Operating System | 5.1.2600.5781 | Windows NT BASE API Client DLL | (C) Microsoft Corporation. All rights reserved. | 5.1.2600.5781 (xpsp_sp3_qfe.090321-1341) | Microsoft Corporation| ? | kernel32 | kernel32
   C:/WINDOWS/system32/RPCRT4.dll | 2009-8-21 22:22:31 | Microsoft® Windows® Operating System | 5.1.2600.5795 | Remote Procedure Call Runtime | © Microsoft Corporation. All rights reserved. | 5.1.2600.5795 (xpsp_sp3_qfe.090415-1301) | Microsoft Corporation| ? | rpcrt4.dll | rpcrt4.dll
   C:/WINDOWS/system32/GDI32.dll | 2009-8-21 22:22:37 | Microsoft® Windows® Operating System | 5.1.2600.5698 | GDI Client DLL | © Microsoft Corporation. All rights reserved. | 5.1.2600.5698 (xpsp_sp3_gdr.081022-1932) | Microsoft Corporation| ? | gdi32 | gdi32
   C:/WINDOWS/system32/NETAPI32.dll | 2009-8-21 22:22:33 | Microsoft® Windows® Operating System | 5.1.2600.5694 | Net Win32 API DLL | © Microsoft Corporation. All rights reserved. | 5.1.2600.5694 (xpsp_sp3_gdr.081015-1312) | Microsoft Corporation| ? | NetApi32.DLL | NetApi32.DLL
   C:/WINDOWS/system32/WININET.dll | 2009-8-21 22:22:29 | Microsoft(R) Windows(R) Operating System | 6.00.2900.5835 | Internet Extensions for Win32 | (C) Microsoft Corporation. All rights reserved. | 6.00.2900.5835 (xpsp_sp3_qfe.090626-1600) | Microsoft Corporation| ? | wininet.dll | wininet.dll
   c:/windows/system32/MSWSOCK.dll | 2009-8-21 22:22:33 | Microsoft(R) Windows(R) Operating System | 5.1.2600.5625 | Microsoft Windows Sockets 2.0 Service Provider | (C) Microsoft Corporation. All rights reserved. | 5.1.2600.5625 (xpsp_sp3_gdr.080620-1249) | Microsoft Corporation| ? | mswsock.dll | mswsock.dll
   C:/Program Files/Common Files/System/kb860088.CNT | 2011-3-10 13:4:5
O4 - HKLM/../run: [360Soft] C:/WINDOWS/system32/scvhost.exe
O4 - HKLM/../run: [Inst]  "C:/Program Files/qcat/qsetup.exe" -safe
O23 - Service: Nla (Network Location Awareness (NLA)) - C:/WINDOWS/system32/svchost.exe -k netsvcs | 2009-3-13 10:3:58
  -> C:/WINDOWS/System32/mswsock.dll | 2009-8-21 22:22:33(Manual)
O23 - Service: Srv (Srv) -  system32/DRIVERS/srv.sys | 2009-3-13 10:3:58 | Microsoft® Windows® Operating System | 5.1.2600.5725 | Server driver | © Microsoft Corporation. All rights reserved. | 5.1.2600.5725 (xpsp_sp3_gdr.081211-1306) | Microsoft Corporation| ? | SRV.SYS | SRV.SYS(Manual)
O23 - Service: WmdmPmSN (Portable Media Serial Number Service) - C:/WINDOWS/System32/svchost.exe -k netsvcs | 2009-3-13 10:3:58
    -> C:/WINDOWS/system32/mspmsnsv.dll | 2009-8-21 22:22:34(Manual)
O23 - Service: WudfPf (Windows Driver Foundation - User-mode Driver Framework Platform Driver) -  system32/DRIVERS/WudfPf.sys | 2009-3-13 10:3:58 | Microsoft® Windows® Operating System | 6.0.5716.32 | Windows Driver Foundation - User-mode Driver Framework Platform Driver | © Microsoft Corporation. All rights reserved. | 6.0.5716.32 (winmain(wmbla).060928-1756) | Microsoft Corporation| ? | WUDFPf.sys | WUDFPf.sys(Manual)
O23 - Service: WudfRd (Windows Driver Foundation - User-mode Driver Framework Reflector) -  system32/DRIVERS/wudfrd.sys | 2009-3-13 10:3:58 | Microsoft® Windows® Operating System | 6.0.5716.32 | Windows Driver Foundation - User-mode Driver Framework Reflector | © Microsoft Corporation. All rights reserved. | 6.0.5716.32 (winmain(wmbla).060928-1756) | Microsoft Corporation| ? | WUDFRd.sys | WUDFRd.sys(Manual)
O23 - Service: WudfSvc (Windows Driver Foundation - User-mode Driver Framework) - C:/WINDOWS/system32/svchost.exe -k WudfServiceGroup | 2009-3-13 10:3:58
  -> C:/WINDOWS/System32/WUDFSvc.dll | 2009-8-21 22:22:27(Manual)
O29 - HKCU-Start Page = hxxp://www.111dh.com/#5恭喜您,成功登陆本站,请单击“是(Y)”大量免费电影站,名站导航天天看! (the Chinese text appended after #5 reads: "Congratulations, you have logged in to this site successfully; click Yes (Y) for lots of free movie sites, famous-site navigation every day!")
O29 - HKUS-Start Page = hxxp://www.537.com


  Many system files failed digital signature verification; presumably they were replaced or infected by the virus. Downloaded DrWeb CureIt! to scan and clean...
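As an added example (not part of the original post and not pe_xscan's own code), the following Python script parses lines in the shape of the pe_xscan listing above and flags the indicators this write-up relies on: process, autorun and service image names that imitate core Windows images (scvhost.exe vs svchost.exe), modules loaded into a process that carry no version resource or an unusual extension (the kb860088.CNT inside svchost.exe), modules modified shortly before the scan, and hijacked start pages. The sample log lines are constructed from the listing; the log format is inferred from it, and the allowlist of system images, the 7-day recency window and the extension list are assumptions to be tuned to your own baseline.

```python
"""Triage for pe_xscan-style logs (added example; format inferred from the
listing above, not pe_xscan's own code)."""
import re
from datetime import datetime, timedelta

# Assumption: core XP images that malware imitates; extend for your baseline.
KNOWN_SYSTEM_IMAGES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
    "svchost.exe", "explorer.exe", "spoolsv.exe",
}
# Assumption: extensions normally seen as loaded modules.
MODULE_EXTS = {".dll", ".exe", ".ime", ".ocx", ".drv", ".sys", ".cpl", ".ax"}
RECENT = timedelta(days=7)  # assumption: "modified just before the scan"

DATE_RE = re.compile(r"^\d{4}-\d{1,2}-\d{1,2} \d{1,2}:\d{1,2}:\d{1,2}$")
PROCESS_RE = re.compile(r"^(?P<path>\S.*?)\s*\*\s*(?P<pid>\d+)(?:\s*\||$)")
O4_RE = re.compile(r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - [^:]+: (?P<svc>\S+) \((?P<disp>.*?)\) -\s*(?P<cmd>.*?)(?: \| .*)?$")
O29_RE = re.compile(r"^O29 - (?P<hive>\S+)-Start Page = (?P<url>.*)$")

# Constructed sample in the shape of the log above (not a full capture).
SAMPLE_LOG = """\
pe_xscan 11-02-14 by Purple Endurer
2011-3-11 14:17:16
Administrators group
Normal mode
C:/WINDOWS/system32/svchost.exe* 1020 | 2009-3-13 10:3:58
   C:/WINDOWS/system32/kernel32.dll | 2009-8-21 22:22:36 | Microsoft(R) Windows(R) Operating System | 5.1.2600.5781 | Windows NT BASE API Client DLL | (C) Microsoft Corporation. All rights reserved. | 5.1.2600.5781 (xpsp_sp3_qfe.090321-1341) | Microsoft Corporation| ? | kernel32 | kernel32
   C:/Program Files/Common Files/System/kb860088.CNT | 2011-3-10 13:4:5
O4 - HKLM/../run: [360Soft] C:/WINDOWS/system32/scvhost.exe
O4 - HKLM/../run: [Inst]  "C:/Program Files/qcat/qsetup.exe" -safe
O23 - Service: Nla (Network Location Awareness (NLA)) - C:/WINDOWS/system32/svchost.exe -k netsvcs | 2009-3-13 10:3:58
O29 - HKCU-Start Page = hxxp://www.111dh.com/#5
"""


def edit_distance(a, b):
    """Plain Levenshtein distance (a swap such as scvhost/svchost costs 2)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(filename):
    """Known system image that `filename` imitates (distance 1-2), else None."""
    name = filename.lower()
    if name in KNOWN_SYSTEM_IMAGES:
        return None
    return next((k for k in sorted(KNOWN_SYSTEM_IMAGES) if edit_distance(name, k) <= 2), None)


def image_path(cmd):
    """First token of an autorun/service command line, honouring quotes."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def basename(path):
    return re.split(r"[\\/]", path)[-1]


def parse_time(text):
    try:  # pe_xscan prints unpadded fields such as 2011-3-10 13:4:5
        return datetime.strptime(text.strip(), "%Y-%m-%d %H:%M:%S")
    except ValueError:
        return None


def triage(log_text):
    """Return (kind, line_no, detail) findings for a pe_xscan-style log."""
    findings, scan_time, current = [], None, None
    for no, raw in enumerate(log_text.splitlines(), 1):
        line = raw.rstrip()
        if not line.strip():
            continue
        if scan_time is None and DATE_RE.match(line.strip()):
            scan_time = parse_time(line)  # header line: when the scan ran
        elif m := O4_RE.match(line):
            path = image_path(m["cmd"])
            known = lookalike_of(basename(path))
            kind = "lookalike-autorun" if known else "autorun"
            findings.append((kind, no, f"{m['key']} [{m['name']}] -> {path}" + (f" (imitates {known})" if known else "")))
        elif m := O23_RE.match(line):
            path = image_path(m["cmd"])
            if known := lookalike_of(basename(path)):
                findings.append(("lookalike-service", no, f"{m['svc']} runs {path} (imitates {known})"))
        elif m := O29_RE.match(line):
            findings.append(("startpage-hijack", no, f"{m['hive']} -> {m['url']}"))
        elif m := PROCESS_RE.match(line.strip()):
            current = m["path"].strip()  # later indented lines belong to it
            if known := lookalike_of(basename(current)):
                findings.append(("lookalike-process", no, f"{current} pid {m['pid']} (imitates {known})"))
        elif line[0].isspace():  # module loaded into `current`
            fields = [f.strip() for f in line.split(" | ")]
            path, name = fields[0], basename(fields[0])
            ext = name[name.rfind("."):].lower() if "." in name else ""
            if len(fields) < 3:  # only path + timestamp: no version resource
                findings.append(("module-no-version-info", no, f"{path} in {current}"))
            if ext not in MODULE_EXTS:
                findings.append(("module-odd-extension", no, f"{path} in {current}"))
            ts = parse_time(fields[1]) if len(fields) > 1 else None
            if scan_time and ts and scan_time - ts <= RECENT:
                findings.append(("module-recent", no, f"{path} modified {ts:%Y-%m-%d} in {current}"))
    return findings


if __name__ == "__main__":
    for kind, no, detail in triage(SAMPLE_LOG):
        print(f"line {no:3d} {kind:24s} {detail}")
```

On the sample the script reports the kb860088.CNT module three times (no version resource, non-library extension, modified the day before the scan), the scvhost.exe run entry as a lookalike of svchost.exe, the qsetup.exe run entry as an autorun to review, and the hijacked HKCU start page; the real svchost.exe process and Nla service produce nothing. None of this replaces signature verification of the flagged files, but it gets an analyst to the same handful of lines the write-up singles out without reading every module entry.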
