Encountering kangyi.exe/Trojan.Win32.Undef.hmf, smss.exe, SERVICES.EXE, etc. (1)

Original by endurer, 2008-06-11, 1st

A friend's computer suddenly became very slow while online: not only was the system sluggish, the network speed also dropped sharply. The problem persisted after a reboot, so they asked me to help check it.

Opening Task Manager, I saw a process named kangyi.exe consuming more than 80% of CPU time. In addition there were two services.exe and two smss.exe processes, all running under the SYSTEM account. At first I thought my eyes were playing tricks on me, so I rubbed them and looked again: no mistake.

I ran pe_xscan from a USB stick, scanned, and analyzed the log. The following suspicious items turned up:


pe_xscan 08-04-26 by Purple Endurer 2008-6-11 12:33:15 Windows XP Service Pack 2(5.1.2600) MSIE:6.0.2900.2180 管理员用户组 正常模式

C:/WINDOWS/System32/kangyi.exe * 1712 | 2008-6-11 1:39:0
C:/WINDOWS/System32/xml/smss.exe * 2348 | 2008-6-11 1:39:47
    C:/WINDOWS/system32/ntsvc.ocx | 2008-6-11 1:39:47 | NT Service Control Module | 1, 0, 0, 1 | NT Service Control Module | Copyright © 1996, Microsoft Corporation | 1, 0, 0, 1 | Microsoft| ? | NTSVC | NTSVC.OCX
C:/WINDOWS/System32/xml/SERVICES.EXE * 2592 |

O4 - HKLM/../Run: [upxdnd] C:/WINDOWS/upxdnd.exe

O20 - AppInit_DLLs = mrjhtjd.dll,qrhhb.dll,xdfntt.dll,hgfhk.dll,hjaiq.dll,kduy.dll,frntrn.dll,dnteh.dll,chmfcmh.dll,jwlah.dll,crugd.dll,lariytrz.dll,thurh.dll,mgmgmm.dll,oqrthc.dll,ydgn.dll,dbfb.dll,fjnbv.dll,wmsat.dll,gmnait.dll,hfjg.dll,xdndn.dll,rgfjj.dll,dscef.dll,xfng.dll,njritc.dll,setrhes.dll,cdxbfxdb.dll,xfgnxfn.dll,gjkhj.dll,fxnfnh.dll,bjrvm.dll,ektvm.dll,fehom.dll,jyjlt.dll,ijatnaw.dll,sehhter.dll,fhjfg.dll,zdbdb.dll,rhs.dll,rdthr.dll,gjjte.dll,xgnfn.dll,xfgnhcgfm.dll,serger.dll,bnxnb.dll,fxgnfx.dll,jzijj.dll,xfgnfx.dll,serghjm.dll,thsddh.dll,xbcvxb.dll,zfdzb.dll,hkfgh.dll,drghszd.dll,fngn.dll,xdhdg.dll,zdbfbd.dll,fjyjy.dll,awef.dll,msepbe.dll

O23 - 服务: DeepFree Update (DeepFree Update) - C:/WINDOWS/system32/drivers/pcihdd2.sys (手动)
O23 - 服务: dohs (dohs) - C:/DOCUME~1/user/LOCALS~1/Temp/tmpD.tmp (自动)
O23 - 服务: kangyi (Windows Media kangyi) - C:/WINDOWS/system32/kangyi.exe | 2008-6-11 1:39:0(自动)
O23 - 服务: mhfp (mhfp) - C:/DOCUME~1/user/LOCALS~1/Temp/tmp1.tmp (自动)
O23 - 服务: PciHardDisk (PciHardDisk) - C:/WINDOWS/system32/drivers/pcidisk.sys (手动)
O23 - 服务: UmRdp (UserMode Port Redirector) - C:/WINDOWS/system32/xml/smss.exe |

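The checks made by eye above (a second smss.exe/services.exe, a core process name running from a directory other than System32, a service binary living in a Temp folder or ending in .tmp, and a populated AppInit_DLLs value) can be applied mechanically to pe_xscan-style log lines. The script below is an added example written for this post, not part of the original or of pe_xscan; its regular expressions are assumptions about the log layout, and the sample lines are constructed in the style of the scan output above.

```python
import re
from pathlib import PureWindowsPath

# Core Windows processes that legitimately run as exactly one instance from
# %SystemRoot%\System32; a second copy, or one from elsewhere, is a red flag.
SINGLETON_SYSTEM_PROCESSES = {"smss.exe", "services.exe", "lsass.exe", "winlogon.exe"}
SYSTEM32 = "c:/windows/system32"

# Assumed pe_xscan line layouts: '<path> * <pid> | <time>', 'O23 - ... - <path> (...)', 'O20 - AppInit_DLLs = ...'
PROCESS_RE = re.compile(r"^(?P<path>[A-Za-z]:[\\/]\S.*?\.\w+)\s+\*\s+(?P<pid>\d+)", re.M)
SERVICE_RE = re.compile(r"^O23 - .*? - (?P<path>[A-Za-z]:[\\/][^|(]+?)\s*(?:\||\(|$)", re.M)
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs\s*=\s*(?P<dlls>\S.*)$", re.M)

# Constructed sample in the style of the scan log (PIDs and timestamps are illustrative).
SAMPLE_LOG = """\
C:/WINDOWS/System32/smss.exe * 540 | 2004-8-4 12:00:00
C:/WINDOWS/System32/services.exe * 680 | 2004-8-4 12:00:00
C:/WINDOWS/System32/xml/smss.exe * 2348 | 2008-6-11 1:39:47
C:/WINDOWS/System32/xml/SERVICES.EXE * 2592 |
O20 - AppInit_DLLs = mrjhtjd.dll,qrhhb.dll,xdfntt.dll
O23 - Service: kangyi (Windows Media kangyi) - C:/WINDOWS/system32/kangyi.exe | 2008-6-11 1:39:0(auto)
O23 - Service: dohs (dohs) - C:/DOCUME~1/user/LOCALS~1/Temp/tmpD.tmp (auto)
"""

def parse_processes(log):
    """Return [(path, pid)] for every running-process line."""
    return [(PureWindowsPath(m["path"]), int(m["pid"])) for m in PROCESS_RE.finditer(log)]

def parse_services(log):
    """Return the binary path of every O23 service entry."""
    return [PureWindowsPath(m["path"].strip()) for m in SERVICE_RE.finditer(log)]

def find_suspicious(log):
    """Return (rule, detail, extra) triples for entries that deserve a closer look."""
    findings, seen = [], {}
    for path, pid in parse_processes(log):
        name = path.name.lower()
        if name not in SINGLETON_SYSTEM_PROCESSES:
            continue
        if path.parent.as_posix().lower() != SYSTEM32:
            findings.append(("system-name-outside-system32", path.as_posix(), pid))
        seen.setdefault(name, []).append(pid)
    for name, pids in seen.items():
        if len(pids) > 1:  # a second smss.exe or services.exe should never exist
            findings.append(("duplicate-singleton-process", name, pids))
    for path in parse_services(log):
        parts = {p.lower() for p in path.parts}
        if parts & {"temp", "locals~1"} or path.suffix.lower() == ".tmp":
            findings.append(("service-from-temp-dir", path.as_posix(), None))
    for m in APPINIT_RE.finditer(log):  # AppInit_DLLs is empty on a clean XP install
        findings.append(("appinit-dlls-populated", len(m["dlls"].split(",")), None))
    return findings
```

Running `find_suspicious(SAMPLE_LOG)` flags both copies in the xml directory, the duplicated singleton processes, the Temp-hosted service and the three AppInit DLLs, while the legitimate smss.exe, services.exe and kangyi's System32 path on their own produce no hit.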


(To be continued)
