Encounter with Svchoct.exe, vonine.exe, hbkernel32.sys, ssdtti.sys, system.exe, ublhbztl.sys, etc. (1)


Endurer, original
2008-10-22, 1st edition

The day before yesterday, a colleague said that the input method (IME) icon on his computer had disappeared and asked me to help.

Opened Control Panel > Regional and Language Options > Languages > Advanced and found the advanced text services option already ticked; removed the tick, clicked Apply, ticked it again, clicked Apply, then OK. The IME icon still did not appear.

Start > Run: ctfmon.exe; still nothing. The icon of the ctfmon.exe file itself looked wrong, so I downloaded FileInfo and extracted the file information:

File: C:/windows/system32/ctfmon.exe
Attributes: A---
Digital signature: No
PE File: No
Creation time: 2004-8-17 12:0:0
Modification time: 2004-8-17 12:0:0
Size: 15360 bytes (15.0 KB)
MD5: 9663bbc80831c55bfb858d472687ef5a
SHA1: 15e09cbae3b845900ad68689f91bf64a865ba922
CRC32: 3c9a86ba

It had obviously been replaced.

Some recent viruses like to replace ctfmon.exe so that they get launched at startup; this machine had been hit as well.
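The FileInfo output above gives two independent signals that the file was swapped: the hashes do not match a clean copy, and, more decisively, the file is not a PE image at all, which a real ctfmon.exe must be. The script below is an added example, not code from the post or from FileInfo; it recomputes the same fields (size, MD5, SHA-1, CRC32, PE check) and ranks the verdicts in that order. The minimal "PE stub" and the known-good hash set are constructed stand-ins (the post gives no clean ctfmon.exe hash, so none is invented); the only real value is the MD5 of the replaced copy quoted above, kept as a known-bad marker.

```python
"""Added example (not the post's or FileInfo's code): reproduce the FileInfo
fields shown above and decide whether a system binary has been swapped out.
Inputs below are constructed; the only real hash is the MD5 of the replaced
ctfmon.exe quoted in the post, used as a known-bad marker."""
import hashlib
import struct
import zlib

# MD5 of the replaced ctfmon.exe as printed by FileInfo in the post above.
KNOWN_BAD_MD5 = {"9663bbc80831c55bfb858d472687ef5a"}


def is_pe(data: bytes) -> bool:
    """A PE image starts with the DOS 'MZ' stub; the 32-bit little-endian value
    at offset 0x3C (e_lfanew) points at the 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def file_info(data: bytes) -> dict:
    """Same fields FileInfo printed: size, MD5, SHA-1, CRC32 and the PE check."""
    return {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "crc32": f"{zlib.crc32(data) & 0xFFFFFFFF:08x}",
        "pe_file": is_pe(data),
    }


def verdict(info: dict, known_good_md5: set) -> str:
    """Order matters: a non-PE file in system32 is replaced whatever its hash;
    a known-bad hash is a confirmed match; an unknown hash is only suspicious."""
    if not info["pe_file"]:
        return "REPLACED: not a PE image"
    if info["md5"] in KNOWN_BAD_MD5:
        return "REPLACED: matches hash of the sample in this post"
    if info["md5"] not in known_good_md5:
        return "SUSPICIOUS: hash not in known-good set"
    return "OK"


def make_pe_stub() -> bytes:
    """Constructed minimal 'executable': MZ header, e_lfanew=0x40, PE signature."""
    stub = bytearray(b"MZ" + b"\x00" * 0x3A)      # 0x3C bytes of DOS header
    stub += struct.pack("<I", 0x40)                 # e_lfanew -> offset 0x40
    stub += b"PE\x00\x00" + b"\x00" * 20            # signature + empty file header
    return bytes(stub)


# Constructed stand-in for a hash list taken from a clean machine of the same
# Windows build; in practice fill this from a known-clean install.
KNOWN_GOOD_MD5 = {hashlib.md5(make_pe_stub()).hexdigest()}


def check_file(path: str, known_good_md5: set = KNOWN_GOOD_MD5) -> str:
    """Run the check on a file on disk, e.g. C:\\WINDOWS\\system32\\ctfmon.exe."""
    with open(path, "rb") as fh:
        return verdict(file_info(fh.read()), known_good_md5)


if __name__ == "__main__":
    samples = (("clean stub", make_pe_stub()), ("text file", b"this is not a program"))
    for label, blob in samples:
        info = file_info(blob)
        print(f"{label}: size={info['size']} md5={info['md5']} "
              f"pe={info['pe_file']} -> {verdict(info, KNOWN_GOOD_MD5)}")
```

On a live machine, run check_file against the path FileInfo showed; a "not a PE image" result means the file cannot even be the program it is named after, no hash database required.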

Ran msconfig.exe to check the startup entries and found the O4 entry that also appears in the Pe_xscan log below:

o4-hklm/. /run: [HBService32] System.exe


I had run into this one only a few days earlier.

Downloaded the Pe_xscan scan log, analyzed it and found the following suspicious items (the process module section is omitted):

Pe_xscan 08-08-01 by
2008-10-20 15:22:2
Windows XP Service Pack 2 (5.1.2600)
msie:6.0.2900.2180
Administrator user group
Normal mode

[System Process] 0
  (22 entries beneath it survived extraction only as timestamps, 2008-10-20 2:11:58 to 2:13:12; their names were lost)
C:/windows/system32/winlogon.exe 524 2004-8-17 4:0:0
C:/windows/system32/services.exe 568 2004-8-17 4:0:0
C:/windows/system32/lsass.exe 580 2004-8-17 4:0:0
C:/windows/system32/svchost.exe 728 2004-8-17 4:0:0
  (under each of the four processes above the same eight timestamps recur: 2008-10-20 2:11:58, 2:11:58, 2:11:59, 2:11:59, 2:12:9, 2:12:26, 2:12:41, 2:12:43; the names of those entries were lost in extraction)
F2-reg:system.ini:userinit = <C:/WINDOWS/system32/userinit.exe,>
O3-ie toolbar: Shortcut Bar 3.21-{be830fd4-e393-417f-9f4b-cc70abb3384c} =
O3-ie toolbar: Shortcut Bar 3.21-{07a5baba-6c77-4863-bd39-71962861753a} = 2008-7-22 11:47:22
o4-hklm/. /run: [HBService32]
o4-hklm/. /policies/explorer/run:[mainyust] tan16d
O4-global Startup: Fail to open File
Cmdprocauto =
O20-appinit_dlls =,,,,,,,
O21-ssodl-zjuwqgep.dll (0)-{f0930a2f-d971-4828-8209-b7dfd266ed44} = 2008-10-20 2:12:12
O23-Service: 4901228 (4901228)-2008-10-20 2:12:56 (manual)
O23-Service: 8b52f47 (8b52f47)-2008-10-20 2:11:59 (manual)
O23-Service: Adprot (Adprot)-2008-10-8 3:14:33 (System)
O23-Service: Beep ()-2008-10-20 10:11:22 (System)
O23-Service: Bzqcaby (Bzqcaby)-2008-10-20 2:11:25 (manual)
O23-Service: HBKernel32 (HBKernel32 Driver)-2008-10-20 2:11:58 (boot)
O23-Service: Qabop (Qabop)-2008-10-20 7:3:12 (manual)
O23-Service: RESSDT (RESSDT)-(manual)
O23-Service: SPPMK (SPPMK)-(manual)
O23-Service: UBLHBZTL (UBLHBZTL)-2008-10-13 0:32:52 (boot)
O23-Service: YASKP (YASKP)-2008-10-9 7:51:54 (boot)
O24-shlexechook: [F]-{de02f764-c51a-4788-9597-d78ecc2ac08f} =
O24-shlexechook: [B]-{da63e650-537c-4042-87bb-9d19d844680b} =
O24-shlexechook: [6]-{4d023de9-f4b5-4be0-99c6-7c7ad0cf5426} =
O24-shlexechook: [E]-{08223b03-1b38-4a33-a83a-a4d3cc1d6e4e} =
O24-shlexechook: [0]-{3474A8C2-BEF9-46C8-983A-A26A0030EC30} =
O24-shlexechook: [4]-{F0930A2F-D971-4828-8209-B7DFD266ED44} = 2008-10-20 2:12:12
O24-shlexechook: [C]-{122B901E-493F-4AD9-BC69-7DE8C3E52FCC} =
O24-shlexechook: [3]-{9CA963CA-107C-4089-B0AB-31380F90D7E3} =
O24-shlexechook: [8]-{82710040-F86E-42E0-B1F8-04EDF75856F8} =
O24-shlexechook: [B]-{C250CF20-5F89-4310-9854-4BC261FB14FB} =
O24-shlexechook: [F]-{4bf9cba3-8dee-41a1-8bdb-fc28d30e949f} =
O24-shlexechook: [2]-{4f34c688-fd49-42fc-97f7-87d2f5791612} =
O24-shlexechook: [0]-{495271ca-d0c6-4052-abe6-5b01c73cdfb0} =
O24-shlexechook: [6]-{22D75360-199D-4F79-880D-82E766675F06} =
O24-shlexechook: [E]-{58FF3024-8A83-4B1A-88E9-302F47646EEE} =
O26-IFEO:360rpt.exe - ntsd -d
O26-IFEO:360safe.exe - ntsd -d
O26-IFEO:360tray.exe - ntsd -d
O26-IFEO:adam.exe - ntsd -d
O26-IFEO:agentsvr.exe - ntsd -d
O26-IFEO:antiarp.exe - ntsd -d
O26-IFEO:appsvc32.exe - ntsd -d
O26-IFEO:autoruns.exe - ntsd -d
O26-IFEO:avconsol.exe - ntsd -d
O26-IFEO:avgrssvc.exe - ntsd -d
O26-IFEO:avmonitor.exe - ntsd -d
O26-IFEO:avp.com - ntsd -d
O26-IFEO:avp.exe - ntsd -d
O26-IFEO:ccenter.exe - ntsd -d
O26-IFEO:ccsvchst.exe - ntsd -d
O26-IFEO:conime.exe - ntsd -d
O26-IFEO:drvanti.exe - ntsd -d
O26-IFEO:drwadins.exe - ntsd -d
O26-IFEO:drwebscd.exe - ntsd -d
O26-IFEO:drwebupw.exe - ntsd -d
O26-IFEO:eghost.exe - ntsd -d
O26-IFEO:filedsty.exe - ntsd -d
O26-IFEO:filemon.exe - ntsd -d
O26-IFEO:ftcleanershell.exe - ntsd -d
O26-IFEO:fyfirewall.exe - ntsd -d
O26-IFEO:gfring3.exe - ntsd -d
O26-IFEO:gfupd.exe - ntsd -d
O26-IFEO:guardfield.exe - ntsd -d
O26-IFEO:hijackthis.exe - ntsd -d
O26-IFEO:icesword.exe - ntsd -d
O26-IFEO:iparmo.exe - ntsd -d
O26-IFEO:iparmor.exe - ntsd -d
O26-IFEO:ispwdsvc.exe - ntsd -d
O26-IFEO:kabaload.exe - ntsd -d
O26-IFEO:KASCRSCN.SCR - ntsd -d
O26-IFEO:kasmain.exe - ntsd -d
O26-IFEO:kastask.exe - ntsd -d
O26-IFEO:kav32.exe - ntsd -d
O26-IFEO:kavdx.exe - ntsd -d
O26-IFEO:kavpf.exe - ntsd -d
O26-IFEO:kavpfw.exe - ntsd -d
O26-IFEO:kavsetup.exe - ntsd -d
O26-IFEO:kavstart.exe - ntsd -d
O26-IFEO:kislnchr.exe - ntsd -d
O26-IFEO:kmailmon.exe - ntsd -d
O26-IFEO:kmfilter.exe - ntsd -d
O26-IFEO:kpfw32.exe - ntsd -d
O26-IFEO:kpfw32x.exe - ntsd -d
O26-IFEO:kpfwsvc.exe - ntsd -d
O26-IFEO:kregex.exe - ntsd -d
O26-IFEO:krepair.com - ntsd -d
O26-IFEO:ksloader.exe - ntsd -d
O26-IFEO:KVCENTER.KXP - ntsd -d
O26-IFEO:kvdetect.exe - ntsd -d
O26-IFEO:kvfwmcl.exe - ntsd -d
O26-IFEO:KVMONXP.KXP - ntsd -d
O26-IFEO:KVMONXP_1.KXP - ntsd -d
O26-IFEO:kvol.exe - ntsd -d
O26-IFEO:kvolself.exe - ntsd -d
O26-IFEO:KVREPORT.KXP - ntsd -d
O26-IFEO:KVSCAN.KXP - ntsd -d
O26-IFEO:kvsrvxp.exe - ntsd -d
O26-IFEO:KVSTUB.KXP - ntsd -d
O26-IFEO:kvupload.exe - ntsd -d
O26-IFEO:kvwsc.exe - ntsd -d
O26-IFEO:KVXP.KXP - ntsd -d
O26-IFEO:KVXP_1.KXP - ntsd -d
O26-IFEO:kwatch.exe - ntsd -d
O26-IFEO:kwatch9x.exe - ntsd -d
O26-IFEO:kwatchx.exe - ntsd -d
O26-IFEO:magicset.exe - ntsd -d
O26-IFEO:mcconsol.exe - ntsd -d
O26-IFEO:mmqczj.exe - ntsd -d
O26-IFEO:mmsk.exe - ntsd -d
O26-IFEO:navapsvc.exe - ntsd -d
O26-IFEO:navapw32.exe - ntsd -d
O26-IFEO:nod32.exe - ntsd -d
O26-IFEO:nod32krn.exe - ntsd -d
O26-IFEO:nod32kui.exe - ntsd -d
O26-IFEO:npfmntor.exe - ntsd -d
O26-IFEO:ollydbg.exe - ntsd -d
O26-IFEO:ollyice.exe - ntsd -d
O26-IFEO:pfw.exe - ntsd -d
O26-IFEO:pfwliveupdate.exe - ntsd -d
O26-IFEO:procexp.exe - ntsd -d
O26-IFEO:qhset.exe - ntsd -d
O26-IFEO:qqdoctor.exe - ntsd -d
O26-IFEO:qqkav.exe - ntsd -d
O26-IFEO:ras.exe - ntsd -d
O26-IFEO:ravcopy.exe - ntsd -d
O26-IFEO:ravmon.exe - ntsd -d
O26-IFEO:ravmond.exe - ntsd -d
O26-IFEO:ravstub.exe - ntsd -d
O26-IFEO:ravtask.exe - ntsd -d
O26-IFEO:ravxp.exe - ntsd -d
O26-IFEO:rawcopy.exe - ntsd -d
O26-IFEO:regclean.exe - ntsd -d
O26-IFEO:regedit.exe - ntsd -d
O26-IFEO:regmon.exe - ntsd -d
O26-IFEO:regtool.exe - ntsd -d
O26-IFEO:rfwcfg.exe - ntsd -d
O26-IFEO:rfwmain.exe - ntsd -d
O26-IFEO:rfwproxy.exe - ntsd -d
O26-IFEO:rfwsrv.exe - ntsd -d
O26-IFEO:rfwstub.exe - ntsd -d
O26-IFEO:rsagent.exe - ntsd -d
O26-IFEO:rsaupd.exe - ntsd -d
O26-IFEO:runiep.exe - ntsd -d
O26-IFEO:safelive.exe - ntsd -d
O26-IFEO:scan32.exe - ntsd -d
O26-IFEO:shcfg32.exe - ntsd -d
O26-IFEO:smartup.exe - ntsd -d
O26-IFEO:spiderml.exe - ntsd -d
O26-IFEO:spidernt.exe - ntsd -d
O26-IFEO:spiderui.exe - ntsd -d
O26-IFEO:spml_set.exe - ntsd -d
O26-IFEO:sreng.exe - ntsd -d
O26-IFEO:symlcsvc.exe - ntsd -d
O26-IFEO:syssafe.exe - ntsd -d
O26-IFEO:taskmgar.exe - ntsd -d
O26-IFEO:trojandetector.exe - ntsd -d
O26-IFEO:trojanwall.exe - ntsd -d
O26-IFEO:TROJDIE.KXP - ntsd -d
O26-IFEO:uihost.exe - ntsd -d
O26-IFEO:umxagent.exe - ntsd -d
O26-IFEO:umxattachment.exe - ntsd -d
O26-IFEO:umxcfg.exe - ntsd -d
O26-IFEO:umxfwhlp.exe - ntsd -d
O26-IFEO:umxpol.exe - ntsd -d
O26-IFEO:uplive.exe - ntsd -d
O26-IFEO:vsstat.exe - ntsd -d
O26-IFEO:webscanx.exe - ntsd -d
O26-IFEO:wopticlean.exe - ntsd -d
O27-deskcom:0 ()---.
O27-deskcom:1 ()---.
O27-deskcom:2 ()---.
O27-deskcom:3 ()---.
O27-deskcom:4 ()---.
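The log above is long, but the items that matter can be picked out mechanically: Run values that name a bare, path-less image (System.exe, tan16d), an AppInit_DLLs value that is only commas, boot- and system-start services created on the infection day, one CLSID ({f0930a2f-...}) registered both as an SSODL entry (O21) and as a ShellExecuteHook (O24), and the long run of IFEO entries whose Debugger value is "ntsd -d", which makes Windows start the debugger instead of the named security tool so that none of them can launch. The script below is an added example, not Pe_xscan's own code; it parses the O-lines exactly as they are printed above (an excerpt is embedded so it runs offline) and reports those patterns. Section prefixes and the "three or more services created on one day" threshold are my own choices.

```python
"""Added example, not Pe_xscan code: triage the O-lines of a Pe_xscan log."""
import re
from collections import Counter, defaultdict

# Excerpt of the log printed above, in the form it appears there, so the
# script runs offline. For a real run: triage(open(path, encoding=...).read()).
SAMPLE_LOG = """\
o4-hklm/. /run: [HBService32] System.exe
o4-hklm/. /policies/explorer/run:[mainyust] tan16d
O20-appinit_dlls =,,,,,,,
O21-ssodl-zjuwqgep.dll (0)-{f0930a2f-d971-4828-8209-b7dfd266ed44} = 2008-10-20 2:12:12
O23-Services: 4901228 (4901228)-2008-10-20 2:12:56 (manual)
O23-Service: 8b52f47 (8b52f47)-2008-10-20 2:11:59 (manual)
O23-Services: Beep ()-2008-10-20 10:11:22 (System)
O23-Service: HBKernel32 (HBKernel32 Driver)-2008-10-20 2:11:58 (boot)
O23-Service: RESSDT (RESSDT)-(manual)
O23-Services: UBLHBZTL (UBLHBZTL)-2008-10-13 0:32:52 (boot)
O24-shlexechook: [F]-{de02f764-c51a-4788-9597-d78ecc2ac08f} =
O24-shlexechook: [4]-{F0930A2F-D971-4828-8209-B7DFD266ED44} = 2008-10-20 2:12:12
O26-ifeo:360safe.exe-ntsd-d
O26-ifeo:procexp.exe-ntsd-d
O26-ifeo:regedit.exe-ntsd-d
"""

GUID_RE = re.compile(r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.I)
# name (display)-YYYY-M-D h:m:s (start); the timestamp may be absent (RESSDT)
SVC_RE = re.compile(
    r"^O23-Services?:\s*(\S+)\s*\((.*?)\)-(?:(\d{4}-\d{1,2}-\d{1,2}) [\d:]+ )?\((\w+)\)$", re.I)
RUN_RE = re.compile(r"\[(.+?)\]\s*(\S+)?$")
# accepts both "x.exe-ntsd-d" (as printed) and "x.exe - ntsd -d"
IFEO_RE = re.compile(r"^O26-IFEO:\s*(.+?)\s*-\s*ntsd\s*-d\s*$", re.I)
MIN_SERVICES_PER_DAY = 3   # my threshold: this many new services on one day is a cluster


def section(line: str):
    """'o4-hklm/...' -> 'O4'; lines without an O-prefix (F2, msie, ...) -> None."""
    m = re.match(r"^(o\d+)", line, re.I)
    return m.group(1).upper() if m else None


def triage(log_text: str) -> list:
    findings = []
    guid_sections = defaultdict(set)   # CLSID -> sections it is registered in
    services_per_day = Counter()       # creation date -> number of services
    blocked = []                       # programs hijacked through IFEO Debugger
    for raw in log_text.splitlines():
        line = raw.strip()
        sec = section(line)
        if sec == "O4":
            m = RUN_RE.search(line)
            # A Run value naming a bare file relies on search order and mimics a system file.
            if m and m.group(2) and not re.search(r"[\\/]", m.group(2)):
                findings.append(f"O4 autorun [{m.group(1)}] launches path-less image {m.group(2)}")
        elif sec == "O20" and re.search(r"=\s*,+\s*$", line):
            findings.append("O20 AppInit_DLLs is a run of commas, not a DLL list; read the value directly from the registry")
        elif sec in ("O21", "O24"):
            for g in GUID_RE.findall(line):
                guid_sections[g.lower()].add(sec)
        elif sec == "O23":
            m = SVC_RE.match(line)
            if m:
                name, date, start = m.group(1), m.group(3), m.group(4).lower()
                if date:
                    services_per_day[date] += 1
                if start in ("boot", "system") and date:
                    findings.append(f"O23 {start}-start service {name} created {date}")
        elif sec == "O26":
            m = IFEO_RE.match(line)
            if m:
                blocked.append(m.group(1))
    for g, secs in guid_sections.items():
        if {"O21", "O24"} <= secs:
            findings.append(f"CLSID {g} registered both as SSODL (O21) and ShellExecuteHook (O24)")
    for date, n in sorted(services_per_day.items()):
        if n >= MIN_SERVICES_PER_DAY:
            findings.append(f"{n} services created on {date}")
    if blocked:
        findings.append(f"O26 IFEO Debugger=ntsd -d blocks {len(blocked)} security tools: " + ", ".join(blocked))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

The same CLSID appearing under both O21 and O24 is worth cross-checking by hand in the full log: zjuwqgep.dll is loaded by the shell through SSODL and also hooks every ShellExecute call, which is how a single DLL both survives and sees every program launch.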

(to be continued)
