system.dll, Nskhelper2.sys, oapejg.sys, 991b0345.dat, NsPass0.sys, etc. (1)
Original by endurer
2008-12-03 Version 1
On a friend's computer, the antivirus software could not start; QQ Doctor's protection kept prompting that a program was trying to modify the system configuration; and opening "My Computer" left it searching endlessly, with the disk icons never displayed. The friend asked me to help check and repair it.
Scanning with pe_xscan and analysing the log turned up the following suspicious items (the process/module section is partly omitted):
pe_xscan 08-08-01 by Purple Endurer
2008-12-3 21:25:22
Windows XP Service Pack 2(5.1.2600)
MSIE:6.0.2900.2180
管理员用户组
正常模式
[System Process] 0
2008-12-3 7:16:3
2008-12-3 7:18:32
2008-12-3 3:19:3
2196 2008-12-3 7:14:6
3944 2008-12-3 7:15:40
2720 2008-12-3 7:18:36
/-----
[autorun]
shell/open/command=rundll32 ,explore
shell/explore/command=rundll32 ,explore
-----/
/-----
[autorun]
shell/open/command=rundll32 system.dll,explore
shell/explore/command=rundll32 system.dll,explore
-----/
/-----
[autorun]
shell/open/command=rundll32 ,explore
shell/explore/command=rundll32 ,explore
-----/
/-----
[autorun]
shell/open/command=rundll32 ,explore
shell/explore/command=rundll32 ,explore
-----/
O20 - AppInit_DLLs =
O21 - SSODL - oecynwna.dll(0) - {F0930A2F-D971-4828-8209-B7DFD266ED44} = 2008-12-3 7:16:3
O21 - SSODL - mcdxhwbu.dll(0) - {F0930A2F-D971-4828-8209-B7DFD266ED44} = 2008-12-3 7:16:3
O23 - 服务: NsDlRK250 (NsDlRK250) - 2008-12-3 3:12:48(手动)
O23 - 服务: NsPsDk00 (NsPsDk00) - 2008-12-3 3:13:57(手动)
O23 - 服务: NsPsDk01 (NsPsDk01) - 2008-12-3 3:14:59(手动)
O23 - 服务: NsPsDk02 (NsPsDk02) - 2008-12-3 3:16:1(手动)
O23 - 服务: NsPsDk03 (NsPsDk03) - 2008-12-3 3:17:4(手动)
O23 - 服务: NsPsDk04 (NsPsDk04) - 2008-12-3 3:18:6(手动)
O23 - 服务: oapejg (oapejg) - 2008-11-28 1:2:47(引导)
O23 - 服务: SafeMon0 (360 safe mon) - 2008-12-3 3:59:4(系统)
O23 - 服务: stisvc (Windows Image Acquisition (WIA)) -C:/WINDOWS/system32/svchost.exe -k imgsvc 2004-8-3 16:52:38 2004-8-3 16:52:28(自动)
O23 - 服务: W32Time (Windows Time) -C:/WINDOWS/System32/svchost.exe -k netsvcs 2004-8-3 16:52:38 2004-8-3 16:52:26(自动)
O24 - ShlExecHook: [HookExecute Class] - {4BAB150F-DD97-476D-9C1E-41B6CDC0CA7A} =
O24 - ShlExecHook: [PatchCom] - {E568441B-9EF3-49F8-9A67-4141AC41ADD4} =
O24 - ShlExecHook: [4] - {F0930A2F-D971-4828-8209-B7DFD266ED44} =
O24 - ShlExecHook: [] - {3FDEB171-8F86-0004-0001-69B8DB553683} =
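The three patterns in the log above (autorun.inf entries on every drive that hand control to rundll32, one CLSID registered under several random-named DLLs in SSODL and again as a ShlExecHook, and services whose image path is not recorded) can be picked out mechanically. The following triage script is an added example, not part of the original post and not pe_xscan's own code; it assumes the line layout shown in the excerpt, and the sample log embedded in it is constructed to mirror those lines rather than copied from the friend's machine.

```python
"""Triage helpers for a pe_xscan-style log: flag autorun.inf hijacks, CLSIDs
shared across shell-extension entries, and services with no image path."""
import re
from collections import defaultdict

# Constructed sample modelled on the excerpt above (not the original log).
SAMPLE_LOG = """\
/-----
[autorun]
shell/open/command=rundll32 ,explore
shell/explore/command=rundll32 ,explore
-----/
/-----
[autorun]
shell/open/command=rundll32 system.dll,explore
shell/explore/command=rundll32 system.dll,explore
-----/
O20 - AppInit_DLLs =
O21 - SSODL - oecynwna.dll(0) - {F0930A2F-D971-4828-8209-B7DFD266ED44} = 2008-12-3 7:16:3
O21 - SSODL - mcdxhwbu.dll(0) - {F0930A2F-D971-4828-8209-B7DFD266ED44} = 2008-12-3 7:16:3
O23 - 服务: NsPsDk00 (NsPsDk00) - 2008-12-3 3:13:57(手动)
O23 - 服务: oapejg (oapejg) - 2008-11-28 1:2:47(引导)
O23 - 服务: stisvc (Windows Image Acquisition (WIA)) -C:/WINDOWS/system32/svchost.exe -k imgsvc 2004-8-3 16:52:38 2004-8-3 16:52:28(自动)
O24 - ShlExecHook: [4] - {F0930A2F-D971-4828-8209-B7DFD266ED44} =
"""

# autorun.inf keys that decide what runs when a drive is opened or double-clicked
AUTORUN_KEYS = ("shell/open/command", "shell/explore/command", "open", "shellexecute")
CLSID = r"(\{[0-9A-Fa-f-]{36}\})"
O21_RE = re.compile(r"^O21 - SSODL - (\S+?)\(\d+\) - " + CLSID)
O24_RE = re.compile(r"^O24 - ShlExecHook: \[([^\]]*)\] - " + CLSID)
O23_RE = re.compile(r"^O23 - 服务: (\S+) \((.*)\) -(.*)$")   # assumed pe_xscan layout
DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:[\\/]")


def parse_autorun_blocks(text):
    """Return one dict of key->value per /----- ... -----/ autorun.inf dump."""
    blocks, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if line == "/-----":
            current = {}
        elif line == "-----/":
            if current is not None:
                blocks.append(current)
            current = None
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip().lower()] = value.strip()
    return blocks


def flag_autorun(blocks):
    """Flag shell commands that route through rundll32; an empty module name
    ('rundll32 ,explore') usually means the DLL was already deleted but the
    autorun.inf that references it was left behind, which is what keeps
    'My Computer' searching and hides the drive icons."""
    findings = []
    for i, block in enumerate(blocks):
        for key in AUTORUN_KEYS:
            value = block.get(key)
            if value is None:
                continue
            parts = value.split(None, 1)
            if parts and parts[0].lower().startswith("rundll32"):
                module = parts[1].split(",")[0].strip() if len(parts) > 1 else ""
                detail = f"module {module!r}" if module else "empty module name (file already removed?)"
                findings.append(f"autorun#{i}: {key} runs rundll32 ({detail})")
    return findings


def flag_shared_clsid(text):
    """Map each CLSID to the SSODL DLLs and ShlExecHook names registered under
    it; a CLSID owned by more than one entry is a hallmark of this infection."""
    owners = defaultdict(set)
    for line in text.splitlines():
        m = O21_RE.match(line)
        if m:
            owners[m.group(2).upper()].add(f"SSODL:{m.group(1)}")
            continue
        m = O24_RE.match(line)
        if m:
            owners[m.group(2).upper()].add(f"ShlExecHook:[{m.group(1)}]")
    return {clsid: sorted(names) for clsid, names in owners.items() if len(names) > 1}


def flag_services(text):
    """Return service names whose line carries no drive-letter image path
    (assumption: pe_xscan prints the path when the binary is visible)."""
    return [m.group(1) for m in map(O23_RE.match, text.splitlines())
            if m and not DRIVE_PATH_RE.match(m.group(3).strip())]


def triage(text):
    return {
        "autorun": flag_autorun(parse_autorun_blocks(text)),
        "shared_clsid": flag_shared_clsid(text),
        "services_without_path": flag_services(text),
    }


if __name__ == "__main__":
    for section, items in triage(SAMPLE_LOG).items():
        print(section, items)
```

Run against a real pe_xscan log, the output lists the drives whose autorun.inf needs deleting, the CLSID whose SSODL and ShlExecHook registrations should be removed together, and the services to check in the registry even though their driver files could not be located.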
(To be continued)