Dwshd.sys,easydowns.sys,hbkernel32.sys,qqplatform.exe,rdpwd.sys,easy2.exe, etc.

Source: Internet
Author: User
Tags: ftp protocol


Original by endurer
Version 1

A friend's computer ran into a strange problem today. Shortly after logon, the desktop icons and the taskbar disappeared, and sometimes a blue screen appeared: Stop c0000218 unknown hard error. I was asked to help repair it.

Press F8 during startup and choose Last Known Good Configuration.

In the process manager, after the related processes were terminated and explorer.exe was run, the desktop icons and taskbar reappeared. But later they disappeared again.

Run pe_xscan to scan, then analyze the log. The following suspicious items were found:

Pe_xscan 07-07-21 by Purple endurer
15:30:49
Windows XP Service Pack 2 (5.1.2600)
MSIE: 6.0.2900.2180
Administrator user group

C:/Windows/system32/csrss.exe * 500 | MICROSOFT (r) Windows (r) Operating System | 5.1.2600.2180 | Client Server Runtime process | (c) Microsoft Corporation. All Rights Reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation | ? | CSRSS.exe | CSRSS.exe
C:/Windows/system32/CSRSS.dll | 7:59:31
C:/Windows/system32/sh05004.dll |
C:/Windows/system32/sh18027.dll |
C:/Windows/system32/sh21017.dll |
C:/Windows/system32/winlogon.exe * 524 | MICROSOFT (r) Windows (r) Operating System | 5.1.2600.2180 | Windows NT logon application | (c) Microsoft Corporation. all rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation | ? | Winlogon.exe
C:/Windows/system32/hbqqxx.dll
C:/Windows/system32/SVCHOST.EXE * 732 | MICROSOFT (r) Windows (r) Operating System | 5.1.2600.2180 | generic host process for Win32 services | (c) Microsoft Corporation. All Rights Reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation | ? | Svchost.exe
C:/Windows/system32/RPCSS.dll |
C:/Windows/system32/spcss.dll | MICROSOFT (r) Windows (r) Operating System | 5.1.2600.2726 | Distributed COM services | (c) Microsoft Corporation. All Rights Reserved. | 5.1.2600.2726 (xpsp_sp2_gdr.050725-1528) | Microsoft Corporation | ? | RPCSS.dll | RPCSS.dll
O1-hosts: 222.122.219.220 www.qq.com
O2-BHO: bandie class-{77fef28e-eb96-44ff-b511-3185dea48697} = C:/progra~1/Baidu/BAR/baidubar.dll |
O2-BHO: -{F6A454AE-156A-415E-9F89-3795677A8A91} = C:/program files/Internet Explorer/53u1ttme.2ys | 0:20:21
O3-IE Toolbar: -{B580CF65-E151-49C3-B73F-70B13FCA8E86} = C:/progra~1/Baidu/BAR/baidubar.dll |
O4-HKLM/../policies/Explorer/run: [QQ] C:/docume~1/admini~1/locals~1/temp/df499
O20-appinit_dlls = d
O23-service: aliimz ()-system32/Drivers/aliimz.sys (manual)
O23-service: b160485 (b160485)-C:/Windows/system32/b160485.sys | (manual)
O23-service: bdguard (bdguard)-system32/Drivers/bdguard.sys | (BOOT)
O23-service: d435fd4 (d435fd4)-C:/Windows/system32/d435fd4.sys | 7:59:11 (manual)
O23-service: d812a079 (d812a079)-C:/Windows/system32/d812a079.sys | 7:57:51 (manual)
O23-service: dwshd ()-C:/Windows/system32/Drivers/dwshd.sys (boot)
O23-service: FTP (FTP protocol driver)-C:/Windows/system32/Drivers/easydowns.sys | (automatic)
O23-service: hbkernel32 (hbkernel32 driver)-system32/Drivers/hbkernel32.sys | (BOOT)
O23-service: National (National Instruments domain Service)-C:/Windows/system32/qqplatform.exe | (automatic)
O23-service: qakrcr (qakrcr)-C:/Windows/system32/svchost.exe -k qakrcr |-> C:/Windows/system32/vfbegm.dll (automatic)
O23-service: rdpwd ()-C:/Windows/system32/Drivers/rdpwd.sys | 17:29:13 (manual)
O23-service: Register (Register services)-C:/Windows/system32/easy2.exe (automatic)
O23-service: svcname (Service name)-C:/Windows/system32/easy9.exe (automatic)
O23-service: wszayy (wszayy)-C:/Windows/system32/svchost.exe -k wszayy |-> C:/Windows/system32/xtjcjx.DLL | (automatic)
O24-shlexechook: [f]-{DE02F764-C51A-4788-9597-D78ECC2AC08F} = de02f764.dll
O24-shlexechook: [B]-{DA63E650-537C-4042-87BB-9D19D844680B} = da63e650.dll
O24-shlexechook: [6]-{4d023de9-f4b5-4be0-99c6-7c7ad0cf5426} = 4d023de9.dll
O24-shlexechook: [e]-{08223b03-1b38-4a33-a83a-a4d3cc1d6e4e} = 08223b03.dll
O24-shlexechook: [0]-{4154a8c2-bef9-46c8-983a-a26a0030ec30} = 4154a8c2.dll
O24-shlexechook: [4]-{F0930A2F-D971-4828-8209-B7DFD266ED44} = C:/Windows/system32/zjuwqgep.dll
O24-shlexechook: [c]-{122b901e-493f-4ad9-bc69-7de8c3e52fcc} = 122b901e.dll
O24-shlexechook: [3]-{9ca963ca-417c-4089-b0ab-31380f90d7e3} = 9ca963ca.dll
O24-shlexechook: [8]-{82710040-f86e-42e0-b1f8-04edf75856f8} = 82710040.dll
O24-shlexechook: [B]-{C250CF20-5F89-4310-9854-4BC261FB14FB} = c250cf20.dll
O24-shlexechook: [f]-{4bf9cba3-8dee-41a1-8bdb-fc28d30e949f} = 4bf9cba3.dll
O24-shlexechook: [2]-{4f34c688-fd49-42fc-97f7-87d2f5791612} = 4f34c688.dll
O24-shlexechook: [0]-{495271ca-d0c6-4052-abe6-5b01c73cdfb0} = 495271ca.dll
O24-shlexechook: [6]-{22d75360-199d-4f79-880d-82e766675f06} = 22d75360.dll
O24-shlexechook: [e]-{58ff3024-8a83-4b1a-88e9-302f47646eee} = 58ff3024.dll
O24-shlexechook: [a]-{DFB3DAC5-B0B5-4B05-BFCF-FB42737778FA} = dfb3dac5.dll
O24-shlexechook: [1]-{AD794E6B-90B7-4F9D-8FD6-0C16E3298FF2} = ad794e6b.dll
O24-shlexechook: [B]-{201476d0-2b18-462e-ab9f-3e2b0cc8732b} = 201476d0.dll
O24-shlexechook: [c]-{E1D19FCC-4777-4D71-B863-6A0A5B4E59BC} = e1d19fcc.dll
O24-shlexechook: [6]-{4fbfd5a4-5fe8-4444-8bd9-fd0fa64f96} = 4fbfd5a4.dll
O24-shlexechook: [c]-{56bc86c7-0692-4f94-a2c1-6cf1dbf8096c} = 56bc86c7.dll
O24-shlexechook: [f]-{B3721C07-62B3-411A-9DC7-F5F27E3E21FF} = b3721c07.dll
O24-shlexechook: [1]-{8566f82e-03a4-416e-aeac-66600d8881f1} = 8566f82e.dll
O24-shlexechook: [3]-{D7C79813-9233-4AE0-832C-99B2E8019673} = d7c79813.dll
O24-shlexechook: [e]-{34a25f04-008d-403e-8ee6-2307bc02fa2e} = 34a25f04.dll
O24-shlexechook: [8]-{66afcb56-faa9-42d2-8c72-2767a46c7fa8} = 66afcb56.dll
O24-shlexechook: [4]-{BA7EDF54-8408-4B21-B351-7B447B344BA4} = ba7edf54.dll
O24-shlexechook: [8]-{E4814792-EFA3-4C20-93D0-8B130A59F9A8} = e4814792.dll
O24-shlexechook: [f]-{E0D39066-96D7-4891-8527-488ADAFCD60F} = e0d39066.dll
O24-shlexechook: []-{F6A454AE-156A-415E-9F89-3795677A8A91} = C:/program files/Internet Explorer/53u1ttme.2ys | 0:20:21
O26 - IFEO: 360rpt.exe -> C:/WINDOWS/system32/svchost.exe
O26 - IFEO: 360Safe.exe -> C:/WINDOWS/System32/easydownload.dll
O26 - IFEO: 360tray.exe -> C:/WINDOWS/system32/svchost.exe
O26 - IFEO: avp.exe -> C:/WINDOWS/System32/easydownload.dll
O26 - IFEO: DrRtp.exe -> C:/WINDOWS/system32/svchost.exe
O26 - IFEO: enc98.EXE -> C:/WINDOWS/system32/svchost.exe
O26 - IFEO: kav32.exe -> C:/WINDOWS/System32/easydownload.dll
O26 - IFEO: kvmonxp.exe -> C:/WINDOWS/System32/easydownload.dll
O26 - IFEO: nod32kui.exe -> C:/WINDOWS/System32/easydownload.dll
O26 - IFEO: QQDoctor.exe -> C:/WINDOWS/system32/svchost.exe
O26 - IFEO: RStray.exe -> C:/WINDOWS/system32/svchost.exe
O26 - IFEO: ua80.EXE -> C:/WINDOWS/system32/svchost.exe

My guess is that the malware got in while my friend was browsing web pages that exploited vulnerabilities in baidubar and uusee.


As long as Baidu / Baidu Bar is not dead, the harm does not stop!


aliimz.sys and hbkernel32.sys are malware files that have been common recently.

From the log we can see that the malware renamed the Windows system file RPCSS.DLL to spcss.dll (in the log, spcss.dll carries the version information of the real Distributed COM services DLL, while the RPCSS.dll now on disk has none) and then created a fake CSRSS.dll.

This way, once the fake CSRSS.dll is detected and removed, system functions break. Manual recovery is troublesome.
