
Encountering auto.exe, winforms.dll, zinforms.dll, LYLoader.exe, LYLoadbr.exe and others / 1

2013-08-31 ⁄ General ⁄ 11401 characters

Original by endurer
2007-10-09, 1st

At noon a netizen told me his computer kept reporting explorer.exe errors and that the network was very slow, and asked me to help check it.

I downloaded pe_xscan, scanned, and analysed the log; the following suspicious items turned up (the process/module section is abridged):

/===
pe_xscan 07-08-30 by Purple Endurer
2007-10-9 12:26:11
Windows XP Service Pack 2(5.1.2600)
Administrators group

[System Process] * 0
    C:/PROGRA~1/TENCENT/SSPlus/SPlus.dll | 2007-8-30 10:49:20 | SPlus Module | 5, 0, 1, 22 |  | 腾讯科技(深圳)有限公司 版权所有 (C) 2007 | 5, 0, 1, 22 | TENCENT |  | SPlus.dll | SPlus.dll
    C:/WINDOWS/system32/okwmbf.dll | 2007-10-9 10:12:6
    C:/WINDOWS/system32/vhhmah.dll | 2007-10-9 10:11:54
    C:/WINDOWS/system32/ehqbfb.dll | 2007-10-9 10:11:36
    C:/WINDOWS/system32/ahgqll.dll | 2007-10-9 10:11:30
    C:/WINDOWS/system32/akoynv.dll | 2007-10-9 10:11:24
    C:/WINDOWS/system32/jomxls.dll | 2007-10-9 10:10:38
    C:/WINDOWS/system32/pvdzkg.dll | 2007-10-9 10:10:30
    C:/WINDOWS/system32/uhdlkb.dll | 2007-10-9 10:10:30
    C:/WINDOWS/system32/MsIMMs32.dll | 2007-10-9 10:4:40
    C:/WINDOWS/system32/mppds.dll | 2007-10-9 10:4:38
    C:/WINDOWS/system32/Kvsc3.dll | 2007-10-9 10:4:36
    C:/WINDOWS/system32/DiskMan32.dll | 2007-10-9 10:4:36
    C:/WINDOWS/system32/winforms.dll | 2007-10-8 14:29:10

C:/WINDOWS/system32/csrss.exe * 844 | 2004-8-17 12:0:0 | Microsoft® Windows® Operating System | 5.1.2600.2180 | Client Server Runtime Process | © Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | CSRSS.Exe | CSRSS.Exe
    C:/WINDOWS/system32/B2DFC677.DLL | 2007-10-9 10:4:34 | Microsoft(R) Windows(R) Operating System| ?| ? | (C) Microsoft Corporation. All rights reserved.| ? | Microsoft Corporation| ?| ?| ?

C:/WINDOWS/system32/winlogon.exe * 868 | 2004-8-17 12:0:0 | Microsoft(R) Windows(R) Operating System | 5.1.2600.2180 | Windows NT Logon Application | (C) Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | winlogon | WINLOGON.EXE
    C:/WINDOWS/system32/winforms.dll | 2007-10-8 14:29:10
    C:/WINDOWS/system32/B2DFC677.DLL | 2007-10-9 10:4:34 | Microsoft(R) Windows(R) Operating System| ?| ? | (C) Microsoft Corporation. All rights reserved.| ? | Microsoft Corporation| ?| ?| ?

C:/WINDOWS/system32/svchost.exe * 1084 | 2004-8-17 12:0:0 | Microsoft® Windows® Operating System | 5.1.2600.2180 | Generic Host Process for Win32 Services | © Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | svchost.exe | svchost.exe
    C:/WINDOWS/system32/winforms.dll | 2007-10-8 14:29:10
    C:/WINDOWS/system32/B2DFC677.DLL | 2007-10-9 10:4:34 | Microsoft(R) Windows(R) Operating System| ?| ? | (C) Microsoft Corporation. All rights reserved.| ? | Microsoft Corporation| ?| ?| ?

C:/WINDOWS/Explorer.EXE * 1984 | 2007-6-13 21:21:56 | Microsoft(R) Windows(R) Operating System | 6.00.2900.3156 | Windows Explorer | (C) Microsoft Corporation. All rights reserved. | 6.00.2900.3156 (xpsp_sp2_gdr.070613-1234) | Microsoft Corporation| ? | explorer | EXPLORER.EXE
    C:/WINDOWS/system32/winforms.dll | 2007-10-8 14:29:10
    C:/WINDOWS/system32/SHQMANGR.DLL | 2007-10-9 10:4:32
    C:/PROGRA~1/TENCENT/SSPlus/SPlus.dll | 2007-8-30 10:49:20 | SPlus Module | 5, 0, 1, 22 |  | 腾讯科技(深圳)有限公司 版权所有 (C) 2007 | 5, 0, 1, 22 | TENCENT |  | SPlus.dll | SPlus.dll
    C:/WINDOWS/system32/DiskMan32.dll | 2007-10-9 10:4:36
    C:/WINDOWS/system32/Kvsc3.dll | 2007-10-9 10:4:36
    C:/WINDOWS/system32/mppds.dll | 2007-10-9 10:4:38
    C:/WINDOWS/system32/B2DFC677.DLL | 2007-10-9 10:4:34 | Microsoft(R) Windows(R) Operating System| ?| ? | (C) Microsoft Corporation. All rights reserved.| ? | Microsoft Corporation| ?| ?| ?
    C:/WINDOWS/system32/MsIMMs32.dll | 2007-10-9 10:4:40
    C:/WINDOWS/system32/fxsst.dll | 2004-8-17 20:0:0 | Microsoft(R) Windows(R) Operating System | 5.2.2600.2180 | Fax Service | © Microsoft Corporation. All rights reserved. | 5.2.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | FXSST.DLL | FXSST.DLL
    C:/WINDOWS/system32/FXSAPI.dll | 2004-8-17 20:0:0 | Microsoft® Windows® Operating System | 5.2.2600.2180 | Microsoft  Fax API Support DLL | © Microsoft Corporation. All rights reserved. | 5.2.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | FXSAPI.DLL | FXSAPI.DLL
    C:/WINDOWS/system32/uhdlkb.dll | 2007-10-9 10:10:30
    C:/WINDOWS/system32/pvdzkg.dll | 2007-10-9 10:10:30
    C:/WINDOWS/system32/jomxls.dll | 2007-10-9 10:10:38
    C:/WINDOWS/system32/akoynv.dll | 2007-10-9 10:11:24
    C:/WINDOWS/system32/ahgqll.dll | 2007-10-9 10:11:30
    C:/WINDOWS/system32/ehqbfb.dll | 2007-10-9 10:11:36
    C:/WINDOWS/system32/vhhmah.dll | 2007-10-9 10:11:54
    C:/WINDOWS/system32/okwmbf.dll | 2007-10-9 10:12:6
    C:/Program Files/TENCENT/SSPlus/SAddr.dll | 2007-8-30 10:49:16 | SAddr Module | 5, 0, 1, 18 |  |  | 5, 0, 1, 18 | Tencent |  | SAddr.dll |

C:/WINDOWS/system32/Rundll32.exe * 388 | 2004-8-17 12:0:0 | Microsoft(R) Windows(R) Operating System | 5.1.2600.2180 | Run a DLL as an App | (C) Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | rundll | RUNDLL.EXE
    C:/PROGRA~1/TENCENT/SSPlus/SPlus.dll | 2007-8-30 10:49:20 | SPlus Module | 5, 0, 1, 22 |  | 腾讯科技(深圳)有限公司 版权所有 (C) 2007 | 5, 0, 1, 22 | TENCENT |  | SPlus.dll | SPlus.dll
    C:/WINDOWS/system32/winforms.dll | 2007-10-8 14:29:10
    C:/WINDOWS/system32/DiskMan32.dll | 2007-10-9 10:4:36
    C:/WINDOWS/system32/Kvsc3.dll | 2007-10-9 10:4:36
    C:/WINDOWS/system32/B2DFC677.DLL | 2007-10-9 10:4:34 | Microsoft(R) Windows(R) Operating System| ?| ? | (C) Microsoft Corporation. All rights reserved.| ? | Microsoft Corporation| ?| ?| ?
    C:/WINDOWS/system32/mppds.dll | 2007-10-9 10:4:38
    C:/WINDOWS/system32/MsIMMs32.dll | 2007-10-9 10:4:40
    C:/WINDOWS/system32/uhdlkb.dll | 2007-10-9 10:10:30
    C:/WINDOWS/system32/pvdzkg.dll | 2007-10-9 10:10:30
    C:/WINDOWS/system32/jomxls.dll | 2007-10-9 10:10:38
    C:/WINDOWS/system32/akoynv.dll | 2007-10-9 10:11:24
    C:/WINDOWS/system32/ahgqll.dll | 2007-10-9 10:11:30
    C:/WINDOWS/system32/ehqbfb.dll | 2007-10-9 10:11:36
    C:/WINDOWS/system32/vhhmah.dll | 2007-10-9 10:11:54
    C:/WINDOWS/system32/okwmbf.dll | 2007-10-9 10:12:6

C:/WINDOWS/system32/ctfmon.exe * 816 | 2004-8-17 12:0:0 | Microsoft® Windows® Operating System | 5.1.2600.2180 | CTF Loader | © Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | CTFMON | CTFMON.EXE
    C:/WINDOWS/system32/winforms.dll | 2007-10-8 14:29:10
    C:/PROGRA~1/TENCENT/SSPlus/SPlus.dll | 2007-8-30 10:49:20 | SPlus Module | 5, 0, 1, 22 |  | 腾讯科技(深圳)有限公司 版权所有 (C) 2007 | 5, 0, 1, 22 | TENCENT |  | SPlus.dll | SPlus.dll
    C:/WINDOWS/system32/Kvsc3.dll | 2007-10-9 10:4:36
    C:/WINDOWS/system32/DiskMan32.dll | 2007-10-9 10:4:36
    C:/WINDOWS/system32/mppds.dll | 2007-10-9 10:4:38
    C:/WINDOWS/system32/MsIMMs32.dll | 2007-10-9 10:4:40
    C:/WINDOWS/system32/uhdlkb.dll | 2007-10-9 10:10:30
    C:/WINDOWS/system32/pvdzkg.dll | 2007-10-9 10:10:30
    C:/WINDOWS/system32/jomxls.dll | 2007-10-9 10:10:38
    C:/WINDOWS/system32/akoynv.dll | 2007-10-9 10:11:24
    C:/WINDOWS/system32/ahgqll.dll | 2007-10-9 10:11:30
    C:/WINDOWS/system32/ehqbfb.dll | 2007-10-9 10:11:36
    C:/WINDOWS/system32/vhhmah.dll | 2007-10-9 10:11:54
    C:/WINDOWS/system32/okwmbf.dll | 2007-10-9 10:12:6

C:/WINDOWS/system32/conime.exe * 3576 | 2004-8-17 12:0:0 | Microsoft® Windows® Operating System | 5.1.2600.2180 | Console IME | © Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | Console | CONIME.EXE
    C:/PROGRA~1/TENCENT/SSPlus/SPlus.dll | 2007-8-30 10:49:20 | SPlus Module | 5, 0, 1, 22 |  | 腾讯科技(深圳)有限公司 版权所有 (C) 2007 | 5, 0, 1, 22 | TENCENT |  | SPlus.dll | SPlus.dll
    C:/WINDOWS/system32/MsIMMs32.dll | 2007-10-9 10:4:40
    C:/WINDOWS/system32/mppds.dll | 2007-10-9 10:4:38
    C:/WINDOWS/system32/Kvsc3.dll | 2007-10-9 10:4:36
    C:/WINDOWS/system32/DiskMan32.dll | 2007-10-9 10:4:36
    C:/WINDOWS/system32/winforms.dll | 2007-10-8 14:29:10
    C:/WINDOWS/system32/uhdlkb.dll | 2007-10-9 10:10:30
    C:/WINDOWS/system32/pvdzkg.dll | 2007-10-9 10:10:30
    C:/WINDOWS/system32/jomxls.dll | 2007-10-9 10:10:38
    C:/WINDOWS/system32/akoynv.dll | 2007-10-9 10:11:24
    C:/WINDOWS/system32/ahgqll.dll | 2007-10-9 10:11:30
    C:/WINDOWS/system32/ehqbfb.dll | 2007-10-9 10:11:36
    C:/WINDOWS/system32/vhhmah.dll | 2007-10-9 10:11:54
    C:/WINDOWS/system32/okwmbf.dll | 2007-10-9 10:12:6

C:/WINDOWS/IGM.exe * 3724 | 2007-10-9 10:11:30

C:/Program Files/QQDownload/QQDownload.exe * 3780 | 2007-5-18 17:4:48 | DownTools 应用程序 | 1, 3, 101, 201 | 超级旋风 | Copyright(C) 1998 - 2007 TENCENT Inc. All Rights Reserved. | 1, 3, 101, 101 | Tencent Technology (Shenzhen) Company Limited |  | DownTools | DownTools.EXE
    C:/WINDOWS/system32/winforms.dll | 2007-10-8 14:29:10
    C:/PROGRA~1/TENCENT/SSPlus/SPlus.dll | 2007-8-30 10:49:20 | SPlus Module | 5, 0, 1, 22 |  | 腾讯科技(深圳)有限公司 版权所有 (C) 2007 | 5, 0, 1, 22 | TENCENT |  | SPlus.dll | SPlus.dll
    C:/Program Files/QQDownload/QQDownload.dll | 2007-5-18 17:25:16 | QQDownload Module | 1, 3, 101, 201 | QQDownload Module | Copyright(C) 1998 - 2007 TENCENT Inc. All Rights Reserved. | 1, 3, 101, 101 | Tencent Technology (Shenzhen) Company Limited |  | QQDownload Module | QQDownload.DLL
    C:/Program Files/QQDownload/TNProxy.dll | 2007-4-29 10:40:48 | TNProxy Module | 2, 1, 101, 80 | TNProxy Module | Copyright(c) 1998-2005 Tencent Inc. All Rights Reserved | 2, 1, 101, 80 | Tencent Technology(Shenzhen) Company Limited |  | TNProxy Module | TNProxy.dll
    C:/WINDOWS/system32/okwmbf.dll | 2007-10-9 10:12:6
    C:/WINDOWS/system32/vhhmah.dll | 2007-10-9 10:11:54
    C:/WINDOWS/system32/ehqbfb.dll | 2007-10-9 10:11:36
    C:/WINDOWS/system32/ahgqll.dll | 2007-10-9 10:11:30
    C:/WINDOWS/system32/akoynv.dll | 2007-10-9 10:11:24
    C:/WINDOWS/system32/jomxls.dll | 2007-10-9 10:10:38
    C:/WINDOWS/system32/pvdzkg.dll | 2007-10-9 10:10:30
    C:/WINDOWS/system32/uhdlkb.dll | 2007-10-9 10:10:30
    C:/WINDOWS/system32/MsIMMs32.dll | 2007-10-9 10:4:40
    C:/WINDOWS/system32/mppds.dll | 2007-10-9 10:4:38
    C:/WINDOWS/system32/Kvsc3.dll | 2007-10-9 10:4:36
    C:/WINDOWS/system32/DiskMan32.dll | 2007-10-9 10:4:36

R3 - URLSearchHook: Tencent SearchHook - {DB8B2393-7A6C-4C76-88CE-6B1F6FF6FFE9} - C:/Program Files/TENCENT/SSPlus/SAddr.dll

O2 - BHO Tencent Browser Helper - {0C7C23EF-A848-485B-873C-0ED954731014} - C:/Program Files/TENCENT/SSPlus/SAddr.dll

O4 - HKLM/../Run: [stup.exe] Rundll32.exe C:/PROGRA~1/TENCENT/SSPlus/SPlus.dll,Rundll32 R
O4 - HKLM/../Run: [DiskMan32] C:/WINDOWS/DiskMan32.exe
O4 - HKLM/../Run: [Kvsc3] C:/WINDOWS/Kvsc3.exe
O4 - HKLM/../Run: [AVPSrv] C:/WINDOWS/AVPSrv.exe
O4 - HKLM/../Run: [MsIMMs32] C:/WINDOWS/MsIMMs32.exe
O4 - HKLM/../Run: [mppds] C:/WINDOWS/mppds.exe
O4 - HKLM/../Run: [upxdnd] C:/WINDOWS/upxdnd.exe
O4 - HKLM/../Run: [cmdbcs] C:/WINDOWS/cmdbcs.exe
O4 - HKLM/../Run: [NVDispDrv] C:/WINDOWS/NVDispDrv.exe
O4 - HKLM/../Run: [msccrt] C:/WINDOWS/msccrt.exe
O4 - HKLM/../Run: [WinSysM] C:/WINDOWS/IGM.exe
O4 - HKLM/../Run: [MsPrint32D] C:/WINDOWS/MsPrint32D.exe
O4 - HKLM/../Run: [DbgHlp32] C:/WINDOWS/DbgHlp32.exe
O4 - HKLM/../Run: [GenProtect] C:/WINDOWS/GenProtect.exe
O4 - HKLM/../Policies/Explorer/Run: [MSDEG32] LYLoader.exe
O4 - HKLM/../Policies/Explorer/Run: [MSDWG32] LYLoadbr.exe
O4 - HKLM/../Policies/Explorer/Run: [MSDCG32    ] LYLeador.exe
O4 - HKLM/../Policies/Explorer/Run: [MSDOG32] LYLoador.exe
O4 - HKLM/../Policies/Explorer/Run: [MSDSG32] LYLoadar.exe
O4 - HKLM/../Policies/Explorer/Run: [MSDMG32] LYLoadmr.exe
O4 - HKLM/../Policies/Explorer/Run: [MSDHG32] LYLoadhr.exe
O4 - HKLM/../Policies/Explorer/Run: [MSDQG32] LYLoadqr.exe

C:/autorun.inf
/-----
[AutoRun]
open=auto.exe
shellexecute=auto.exe
shell/Auto/command=auto.exe
-----/
D:/autorun.inf
/-----
[AutoRun]
open=auto.exe
shellexecute=auto.exe
shell/Auto/command=auto.exe
-----/

O20 - AppInit_DLLs = winforms.dll

O23 - Service: 52B851FE (52B851FE) - C:/WINDOWS/system32/34978A02.EXE -k | 2007-9-18 8:40:54 | Microsoft(R) Windows(R) Operating System| ?| ? | (C) Microsoft Corporation. All rights reserved.| ? | Microsoft Corporation| ?| ?| ? (Automatic)
O23 - Service: NPF (Netgroup Packet Filter) - system32/drivers/npf.sys | WinPcap Netgroup Packet Filter Driver | 3, 1, 0, 27 | npf | Copyright © 2005 CACE Technologies. Copyright © 2003-2005 NetGroup, Politecnico di Torino. | 3, 1, 0, 27 | CACE Technologies |  | NPF + TME  | npf.sys (Manual)

O24 - ShlExecHook: [4] - {AEB6717E-7E19-11d0-97EE-00C04FD91974} = winforms.dll
O24 - ShlExecHook: [5] - {AEB6717E-7E19-11d0-97EE-00C04FD91975} = zinforms.dll

O25 - InsCom: {11716107-A10D-11cf-64CD-11115FE1CF41} = C:/WINDOWS/system32/nwizzhuxians.exe

HKLM/SHOWALL    value is not 1
===/ 
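A parser and triage pass over a listing of this kind, as an added example (it is not endurer's code and not part of pe_xscan): it groups the loaded modules by host process and flags the two patterns the log above makes visible, a DLL with no version resource, written the day before and present in nearly every process (winforms.dll, the AppInit_DLLs entry), and a freshly written DLL whose version strings claim Microsoft (B2DFC677.DLL); it also pulls the launch targets out of the dumped autorun.inf. The field layout is inferred from the listing, the 24-hour window and the three-process threshold are assumptions chosen for the demonstration, and the embedded sample is a constructed excerpt of the log above.

```python
# Triage of a pe_xscan-style listing. Added example for this post; it is not
# endurer's code and not part of pe_xscan. Record layout inferred from the log above:
#   <path> * <pid> | <timestamp> | <version fields...>      (process line)
#       <path> | <timestamp> | <version fields...>          (indented module line)
# A module line that ends after its timestamp has no version resource. The 24 h
# window and the three-host threshold are assumptions chosen for this demo.
import re
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%d %H:%M:%S"  # pe_xscan prints unpadded fields, e.g. 2007-10-9 10:4:34
PROC_RE = re.compile(r"^(?P<path>\S.*?) \* (?P<pid>\d+)(?: \| .*)?$")

# Constructed sample: a short excerpt of the listing above (most processes dropped).
SAMPLE_LOG = r"""2007-10-9 12:26:11
[System Process] * 0
    C:/WINDOWS/system32/okwmbf.dll | 2007-10-9 10:12:6
    C:/WINDOWS/system32/winforms.dll | 2007-10-8 14:29:10
C:/WINDOWS/system32/winlogon.exe * 868 | 2004-8-17 12:0:0 | Microsoft(R) Windows(R) Operating System | 5.1.2600.2180
    C:/WINDOWS/system32/winforms.dll | 2007-10-8 14:29:10
    C:/WINDOWS/system32/B2DFC677.DLL | 2007-10-9 10:4:34 | Microsoft(R) Windows(R) Operating System| ?| ? | Microsoft Corporation| ?
C:/WINDOWS/Explorer.EXE * 1984 | 2007-6-13 21:21:56 | Microsoft(R) Windows(R) Operating System | 6.00.2900.3156
    C:/WINDOWS/system32/winforms.dll | 2007-10-8 14:29:10
    C:/PROGRA~1/TENCENT/SSPlus/SPlus.dll | 2007-8-30 10:49:20 | SPlus Module | 5, 0, 1, 22 |  | TENCENT
    C:/WINDOWS/system32/okwmbf.dll | 2007-10-9 10:12:6
C:/autorun.inf
/-----
[AutoRun]
open=auto.exe
shellexecute=auto.exe
shell/Auto/command=auto.exe
-----/
"""

def scan_time_of(log_text):
    """The scan time is the first line that is nothing but a timestamp."""
    for line in log_text.splitlines():
        try:
            return datetime.strptime(line.strip(), TS_FMT)
        except ValueError:
            pass
    raise ValueError("no scan timestamp found")

def parse_processes(log_text):
    """Return {pid: (process_path, [(module_path, written_at, version_fields), ...])}."""
    procs, current = {}, None
    for raw in filter(str.strip, log_text.splitlines()):  # skip blank lines
        if raw[0] in " \t":  # indented line: a module of the current process
            fields = [f.strip() for f in raw.split("|")]
            try:
                written = datetime.strptime(fields[1], TS_FMT)
            except (IndexError, ValueError):
                continue
            if current is not None:
                procs[current][1].append((fields[0], written, fields[2:]))
        elif m := PROC_RE.match(raw):  # a new process record
            current = int(m.group("pid"))
            procs[current] = (m.group("path"), [])
        else:  # header or O-line: the module list is over
            current = None
    return procs

def suspicious_modules(procs, scan_time, fresh=timedelta(hours=24), min_hosts=3):
    """{module_path: [reasons]} for fresh modules that either have no version resource
    and sit in >= min_hosts processes (the AppInit_DLLs/hook spread seen above), or
    carry Microsoft version strings although real XP SP2 system files date from 2004."""
    seen = {}  # lower-cased path -> [display path, written_at, version fields, host pids]
    for pid, (_proc, modules) in procs.items():
        for path, written, fields in modules:
            seen.setdefault(path.lower(), [path, written, fields, set()])[3].add(pid)
    findings = {}
    for path, written, fields, pids in seen.values():
        if not timedelta(0) <= scan_time - written <= fresh:
            continue  # old file: neither heuristic applies
        reasons = []
        if not fields and len(pids) >= min_hosts:
            reasons.append("no version resource, loaded in %d processes" % len(pids))
        if any("microsoft" in f.lower() for f in fields):
            reasons.append("written %s yet claims to be a Microsoft file" % written)
        if reasons:
            findings[path] = reasons
    return findings

def autorun_targets(log_text):
    """{drive: {exe}} from each autorun.inf dumped between /----- and -----/ (backslashes shown as '/')."""
    targets, drive = {}, None
    for line in map(str.strip, log_text.splitlines()):
        if m := re.match(r"^([A-Za-z]:)/autorun\.inf$", line):
            drive = m.group(1).upper()
            targets.setdefault(drive, set())
        elif line == "-----/":
            drive = None
        elif drive and "=" in line and not line.startswith("["):
            key, value = (s.strip() for s in line.split("=", 1))
            if key.lower() in ("open", "shellexecute") or re.fullmatch(r"shell/[^/]+/command", key, re.I):
                targets[drive].add(value)
    return targets

if __name__ == "__main__":
    print(suspicious_modules(parse_processes(SAMPLE_LOG), scan_time_of(SAMPLE_LOG)))
    print(autorun_targets(SAMPLE_LOG))
```

Counting host processes is what separates signal from noise here: AppInit_DLLs loads winforms.dll into every process that links user32.dll, so one hit in one process means little while the same unsigned, day-old DLL inside csrss, winlogon and explorer does not. The "fresh file with Microsoft strings" rule leans on a fact of this particular box (its system files all date from 2004-8-17); on a patched machine it has to be replaced by an Authenticode signature check.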
