Encountering svchoct.exe, vonine.exe, hbkernel32.sys, ssdtti.sys, system.exe, ublhbztl.sys, etc. (1)
endurer (original)
1st edition
The day before yesterday a colleague told me the input method icon had disappeared from his computer and asked me to help.
Opened Control Panel -> Regional and Language Options -> Languages -> Details -> Advanced and found the advanced text services box was checked. Cleared the check box, clicked Apply, then OK. The input method icon still did not appear.
Start -> Run: ctfmon.exe. Still nothing. The icon of the ctfmon.exe file itself looked wrong, so I downloaded fileinfo to extract the file's details:
File Description: C:/Windows/system32/ctfmon.exe
Attribute: ---
Digital Signature: No
PE file: No
Creation Time:
Modification time:
Size: 15360 bytes, 15.0 KB
MD5: 9663bbc80831c55bfb858d472687ef5a
Sha1: 15e09cbae3b845900ad68689f91bf64a865ba922
CRC32: 3c9a86ba
It has obviously been replaced: a 15 KB file that is not even a PE image and carries no digital signature.
Some recent viruses replace ctfmon.exe so that they get started automatically with the system. Has this computer been hit as well?
Ran msconfig.exe to check the startup items; the pe_xscan scan log shows the same thing as an O4 item:
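The fileinfo output above gives the two facts that settle the question: the file is not a PE image, and its hashes can be compared with a known-good copy. The block below is an added example (not code from the post or from fileinfo) that performs those checks in Python: an MZ/PE header test, the same size/MD5/SHA1/CRC32 fields fileinfo printed, and a triage routine. The "clean" executable and the impostor are both constructed samples; the known-good SHA1 set is a placeholder to be filled from a clean install of the same Windows build, since the post does not supply one.

```python
import hashlib
import struct
import zlib

# Added example (not from the post): the checks fileinfo reported for the
# replaced ctfmon.exe, done by hand. The post's figures: 15360 bytes,
# "PE file: No", no digital signature. A genuine Windows executable starts
# with the DOS "MZ" stub, and the 32-bit value at offset 0x3C (e_lfanew)
# points to the "PE\0\0" signature; a dropper that is really a script or a
# renamed data file fails that test regardless of what it is called.

def is_pe(data: bytes) -> bool:
    """True only if the buffer carries a consistent MZ header and PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 > len(data):          # pointer outside the file: corrupt or fake
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def fingerprint(data: bytes) -> dict:
    """The fields fileinfo printed in the post: size, MD5, SHA1, CRC32, PE-or-not."""
    return {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "crc32": f"{zlib.crc32(data) & 0xFFFFFFFF:08x}",
        "pe": is_pe(data),
    }


def triage(data: bytes, known_good_sha1: set) -> list:
    """Reasons to distrust a system file; an empty list means nothing was found.

    known_good_sha1 is assumed to hold SHA1 digests taken from a clean install
    of the same Windows build (placeholder: the post does not give one)."""
    fp = fingerprint(data)
    reasons = []
    if not fp["pe"]:
        reasons.append("not a PE image")
    if fp["sha1"] not in known_good_sha1:
        reasons.append("hash not in known-good set")
    return reasons


def make_fake_pe() -> bytes:
    """Constructed stand-in for a clean executable: MZ stub, e_lfanew = 0x40, PE signature."""
    buf = bytearray(b"MZ" + b"\x00" * 0x3A)      # bytes 0x00..0x3B
    buf += struct.pack("<I", 0x40)               # e_lfanew at 0x3C
    buf += b"PE\x00\x00" + b"\x00" * 60          # signature at 0x40, then padding
    return bytes(buf)


# Constructed impostor: the kind of non-PE payload the post's numbers describe.
IMPOSTOR = b"not a windows executable; a script dropped in place of ctfmon.exe\r\n"

if __name__ == "__main__":
    clean = make_fake_pe()
    good = {fingerprint(clean)["sha1"]}
    for label, blob in (("clean sample", clean), ("impostor", IMPOSTOR)):
        print(label, fingerprint(blob), triage(blob, good))
```

On a real machine, `known_good_sha1` would be populated from the same file on a clean install or from the Windows install media of the same service pack; a hash mismatch alone is not proof of tampering (hotfixes change the file), but "not a PE image" for something named ctfmon.exe is.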
O4-HKLM/../run: [hbservice32] system.exe
I ran into this one a few days ago.
Downloaded the pe_xscan scan log and analysed it. The following suspicious items were found (process-module lists partly omitted):
Pe_xscan 08-08-01 by Purple endurer
Windows XP Service Pack 2 (5.1.2600)
MSIE: 6.0.2900.2180
Administrator user group
Normal Mode
[System process] * 0
C:/Windows/system32/hbmhly.dll |
C:/Windows/system32/hbsoul.dll | 2:11:58
C:/Windows/system32/hbtl.dll | 2:11:58
C:/Windows/system32/zjuwqgep.dll | 2:12:12
C:/Windows/system32/58ff3024.dll | 2:13:12
C:/Windows/system32/495271ca.dll | 2:12:50
C:/Windows/system32/22d75360.dll | 2:12:56
C:/Windows/system32/4bf9cba3.dll | 2:12:37
C:/Windows/system32/4f34c688.dll | 2:12:45
C:/Windows/system32/c250cf20.dll | 2:12:32
C:/Windows/system32/82710040.dll | 2:12:27
C:/Windows/system32/9ca963ca.dll | 2:12:22
C:/Windows/system32/122b901e.dll | 2:12:17
C:/Windows/system32/ipv4a8c2.dll | 2:12:12
C:/Windows/system32/08223b03.dll | 2:12:10
C:/Windows/system32/4d023de9.dll |
C:/Windows/system32/da63e650.dll |
C:/Windows/system32/de02f764.dll | 2:11:59
C:/Windows/system32/hbchibi.dll | 2:12:43
C:/Windows/system32/hbbo.dll | 2:12:41
C:/Windows/system32/hbwow.dll | 2:11:59
C:/Windows/system32/hbzhuxian.dll | 2:12:26
C:/Windows/system32/hbasktao.dll | 2:11:59
C:/Windows/system32/winlogon.exe * 524 |
C:/Windows/system32/hbmhly.dll |
C:/Windows/system32/hbasktao.dll | 2:11:59
C:/Windows/system32/hbwow.dll | 2:11:59
C:/Windows/system32/hbsoul.dll | 2:11:58
C:/Windows/system32/hbtl.dll | 2:11:58
C:/Windows/system32/hbzhuxian.dll | 2:12:26
C:/Windows/system32/hbbo.dll | 2:12:41
C:/Windows/system32/hbchibi.dll | 2:12:43
C:/Windows/system32/services.EXE * 568 |
C:/Windows/system32/hbmhly.dll |
C:/Windows/system32/hbasktao.dll | 2:11:59
C:/Windows/system32/hbwow.dll | 2:11:59
C:/Windows/system32/hbsoul.dll | 2:11:58
C:/Windows/system32/hbtl.dll | 2:11:58
C:/Windows/system32/hbzhuxian.dll | 2:12:26
C:/Windows/system32/hbbo.dll | 2:12:41
C:/Windows/system32/hbchibi.dll | 2:12:43
C:/Windows/system32/LSASS.EXE * 580 |
C:/Windows/system32/hbmhly.dll |
C:/Windows/system32/hbasktao.dll | 2:11:59
C:/Windows/system32/hbwow.dll | 2:11:59
C:/Windows/system32/hbsoul.dll | 2:11:58
C:/Windows/system32/hbtl.dll | 2:11:58
C:/Windows/system32/hbzhuxian.dll | 2:12:26
C:/Windows/system32/hbbo.dll | 2:12:41
C:/Windows/system32/hbchibi.dll | 2:12:43
C:/Windows/system32/SVCHOST.EXE * 728 |
C:/Windows/system32/hbmhly.dll |
C:/Windows/system32/hbasktao.dll | 2:11:59
C:/Windows/system32/hbwow.dll | 2:11:59
C:/Windows/system32/hbsoul.dll | 2:11:58
C:/Windows/system32/hbtl.dll | 2:11:58
C:/Windows/system32/hbzhuxian.dll | 2:12:26
C:/Windows/system32/hbbo.dll | 2:12:41
C:/Windows/system32/hbchibi.dll | 2:12:43
F2-Reg: system.ini: userinit = <C:/Windows/system32/userinit.exe, C:/Windows/system32/vonine.exe>
O3-IE Toolbar: shortcut toolbar 3.21-{BE830FD4-E393-417F-9F4B-CC70ABB3384C} = C:/Windows/system32/ietool.dll
O3-IE Toolbar: shortcut toolbar 3.21-{07a5baba-6c77-4863-bd39-71962861753a} = C:/Windows/system32/lingyu.dll | 11:47:22
O4-HKLM/../run: [hbservice32] system.exe
O4-HKLM/../policies/Explorer/run: [mainyust] C:/Windows/system32/INF/svchoct.exe C:/Windows/wftadfi16_081016a.dll tan16d
O4-Global startup: svchost.exe-> fail to open file
Export procauto = C:/Windows/system32/vonine.exe
O20-appinit_dlls = hbmhly.dll, hbasktao.dll, hbwow.dll, hbsoul.dll, hbtl.dll, hbzhuxian.dll, hbbo.dll, hbchibi.dll
O21-ssodl-zjuwqgep.dll (0)-{F0930A2F-D971-4828-8209-B7DFD266ED44} = C:/Windows/system32/zjuwqgep.dll | 2:12:12
O23-service: 4901228 (4901228)-C:/Windows/system32/4901228.sys | 2:12:56 (manual)
O23-service: 8b52f47 (8b52f47)-C:/Windows/system32/8b52f47.sys | 2:11:59 (manual)
O23-service: adprot (adprot)-C:/Windows/system32/Drivers/adprot.sys | 3:14:33 (system)
O23-service: beep ()-C:/Windows/system32/Drivers/beep.sys | 10:11:22 (system)
O23-service: bzqcaby (bzqcaby)-C:/Windows/system32/Drivers/bzqcaby.sys | 2:11:25 (manual)
O23-service: hbkernel32 (hbkernel32 driver)-system32/Drivers/hbkernel32.sys | 2:11:58 (BOOT)
O23-service: qabop (qabop)-C:/Windows/system32/Drivers/qabop.sys | (manual)
O23-service: ressdt (ressdt)-C:/Windows/system32/ssdtti.sys (manual)
O23-service: sppmk (sppmk)-C:/docume~1/admini~1/locals~1/temp/_TMP.BAT (manual)
O23-service: ublhbztl (ublhbztl)-system32/Drivers/ublhbztl.sys | 0:32:52 (BOOT)
O23-service: yaskp (yaskp)-system32/Drivers/yaskp.sys | 7:51:54 (pilot)
O24-shlexechook: [f]-{DE02F764-C51A-4788-9597-D78ECC2AC08F} = de02f764.dll
O24-shlexechook: [B]-{DA63E650-537C-4042-87BB-9D19D844680B} = da63e650.dll
O24-shlexechook: [6]-{4d023de9-f4b5-4be0-99c6-7c7ad0cf5426} = 4d023de9.dll
O24-shlexechook: [e]-{08223b03-1b38-4a33-a83a-a4d3cc1d6e4e} = 08223b03.dll
O24-shlexechook: [0]-{4154a8c2-bef9-46c8-983a-a26a0030ec30} = 4154a8c2.dll
O24-shlexechook: [4]-{F0930A2F-D971-4828-8209-B7DFD266ED44} = C:/Windows/system32/zjuwqgep.dll | 2:12:12
O24-shlexechook: [c]-{122b901e-493f-4ad9-bc69-7de8c3e52fcc} = 122b901e.dll
O24-shlexechook: [3]-{9ca963ca-417c-4089-b0ab-31380f90d7e3} = 9ca963ca.dll
O24-shlexechook: [8]-{82710040-f86e-42e0-b1f8-04edf75856f8} = 82710040.dll
O24-shlexechook: [B]-{C250CF20-5F89-4310-9854-4BC261FB14FB} = c250cf20.dll
O24-shlexechook: [f]-{4bf9cba3-8dee-41a1-8bdb-fc28d30e949f} = 4bf9cba3.dll
O24-shlexechook: [2]-{4f34c688-fd49-42fc-97f7-87d2f5791612} = 4f34c688.dll
O24-shlexechook: [0]-{495271ca-d0c6-4052-abe6-5b01c73cdfb0} = 495271ca.dll
O24-shlexechook: [6]-{22d75360-199d-4f79-880d-82e766675f06} = 22d75360.dll
O24-shlexechook: [e]-{58ff3024-8a83-4b1a-88e9-302f47646eee} = 58ff3024.dll
O26-ifeo: 360rpt.exe-> ntsd-d
O26-ifeo: 360safe.exe-> ntsd-d
O26-ifeo: 360tray.exe-> ntsd-d
O26-ifeo: adam.exe-> ntsd-d
O26-ifeo: agentsvr.exe-> ntsd-d
O26-ifeo: antiarp.exe-> ntsd-d
O26-ifeo: Prepare vc32.exe-> ntsd-d
O26-ifeo: autoruns.exe-> ntsd-d
O26-ifeo: avconsol.exe-> ntsd-d
O26-ifeo: avgrssvc.exe-> ntsd-d
O26-ifeo: avmonitor.exe-> ntsd-d
O26-ifeo: avp.com-> ntsd-d
O26-ifeo: avp.exe-> ntsd-d
O26-ifeo: ccenter.exe-> ntsd-d
O26-ifeo: ccsvchst.exe-> ntsd-d
O26-ifeo: conime.exe-> ntsd-d
O26-ifeo: drvanti.exe-> ntsd-d
O26-ifeo: drwadins.exe-> ntsd-d
O26-ifeo: drwebstc.exe-> ntsd-d
O26-ifeo: drwebupw.exe-> ntsd-d
O26-ifeo: eghost.exe-> ntsd-d
O26-ifeo: filedsty.exe-> ntsd-d
O26-ifeo: filemon.exe-> ntsd-d
O26-ifeo: ftcleanershell.exe-> ntsd-d
O26-ifeo: fyfirewall.exe-> ntsd-d
O26-ifeo: gfring3.exe-> ntsd-d
O26-ifeo: gfupd.exe-> ntsd-d
O26-ifeo: guardfield.exe-> ntsd-d
O26-ifeo: hijackthis.exe-> ntsd-d
O26-ifeo: icesword.exe-> ntsd-d
O26-ifeo: iparmo.exe-> ntsd-d
O26-ifeo: iparmor.exe-> ntsd-d
O26-ifeo: ispwdsvc.exe-> ntsd-d
O26-ifeo: kabaload.exe-> ntsd-d
O26-ifeo: kascrscn.scr-> ntsd-d
O26-ifeo: kasmain.exe-> ntsd-d
O26-ifeo: kastask.exe-> ntsd-d
O26-ifeo: kav32.exe-> ntsd-d
O26-ifeo: kavdx.exe-> ntsd-d
O26-ifeo: kavpf.exe-> ntsd-d
O26-ifeo: kavpfw.exe-> ntsd-d
O26-ifeo: kavsetup.exe-> ntsd-d
O26-ifeo: kavstart.exe-> ntsd-d
O26-ifeo: kislnchr.exe-> ntsd-d
O26-ifeo: kmailmon.exe-> ntsd-d
O26-ifeo: kmfilter.exe-> ntsd-d
O26-ifeo: kpfw32.exe-> ntsd-d
O26-ifeo: kpfw32x.exe-> ntsd-d
O26-ifeo: kpfwsvc.exe-> ntsd-d
O26-ifeo: kregex.exe-> ntsd-d
O26-ifeo: krepair.com-> ntsd-d
O26-ifeo: ksloader.exe-> ntsd-d
O26-ifeo: kvcenter.KXP-> ntsd-d
O26-ifeo: kvdetect.exe-> ntsd-d
O26-ifeo: kvfwmcl.exe-> ntsd-d
O26-ifeo: kvmonxp.KXP-> ntsd-d
O26-ifeo: kvmonxp_1.kxp-> ntsd-d
O26-ifeo: kvol.exe-> ntsd-d
O26-ifeo: kvolself.exe-> ntsd-d
O26-ifeo: kvreport.KXP-> ntsd-d
O26-ifeo: kvscan.KXP-> ntsd-d
O26-ifeo: kvsrvxp.exe-> ntsd-d
O26-ifeo: kvstub.KXP-> ntsd-d
O26-ifeo: kvupload.exe-> ntsd-d
O26-ifeo: kvwsc.exe-> ntsd-d
O26-ifeo: kvxp.KXP-> ntsd-d
O26-ifeo: kvxp_1.kxp-> ntsd-d
O26-ifeo: kwatch.exe-> ntsd-d
O26-ifeo: kwatch9x.exe-> ntsd-d
O26-ifeo: kwatchx.exe-> ntsd-d
O26-ifeo: magicset.exe-> ntsd-d
O26-ifeo: mcconsol.exe-> ntsd-d
O26-ifeo: mmqczj.exe-> ntsd-d
O26-ifeo: mmsk.exe-> ntsd-d
O26-ifeo: navapsvc.exe-> ntsd-d
O26-ifeo: navapw32.exe-> ntsd-d
O26-ifeo: nod32.exe-> ntsd-d
O26-ifeo: nod32krn.exe-> ntsd-d
O26-ifeo: nod32kui.exe-> ntsd-d
O26-ifeo: npfmntor.exe-> ntsd-d
O26-ifeo: ollydbg.exe-> ntsd-d
O26-ifeo: ollyice.exe-> ntsd-d
O26-ifeo: pfw.exe-> ntsd-d
O26-ifeo: pfwliveupdate.exe-> ntsd-d
O26-ifeo: procexp.exe-> ntsd-d
O26-ifeo: qhset.exe-> ntsd-d
O26-ifeo: qqdoctor.exe-> ntsd-d
O26-ifeo: qqkav.exe-> ntsd-d
O26-ifeo: ras.exe-> ntsd-d
O26-ifeo: ravcopy.exe-> ntsd-d
O26-ifeo: ravmon.exe-> ntsd-d
O26-ifeo: ravmond.exe-> ntsd-d
O26-ifeo: ravstub.exe-> ntsd-d
O26-ifeo: ravtask.exe-> ntsd-d
O26-ifeo: ravxp.exe-> ntsd-d
O26-ifeo: rawcopy.exe-> ntsd-d
O26-ifeo: regclean.exe-> ntsd-d
O26-ifeo: regedit.exe-> ntsd-d
O26-ifeo: regmon.exe-> ntsd-d
O26-ifeo: regtool.exe-> ntsd-d
O26-ifeo: rfw.exe .exe-> ntsd-d
O26-ifeo: rfwmain.exe-> ntsd-d
O26-ifeo: rfwproxy.exe-> ntsd-d
O26-ifeo: rfwsrv.exe-> ntsd-d
O26-ifeo: rfwstub.exe-> ntsd-d
O26-ifeo: rsagent.exe-> ntsd-d
O26-ifeo: rsaupd.exe-> ntsd-d
O26-ifeo: runiep.exe-> ntsd-d
O26-ifeo: safelive.exe-> ntsd-d
O26-ifeo: scan32.exe-> ntsd-d
O26-ifeo: shda-32.exe-> ntsd-d
O26-ifeo: smartup.exe-> ntsd-d
O26-ifeo: spiderml.exe-> ntsd-d
O26-ifeo: spidernt.exe-> ntsd-d
O26-ifeo: spiderui.exe-> ntsd-d
O26-ifeo: spml_set.exe-> ntsd-d
O26-ifeo: Sreng.exe-> ntsd-d
O26-ifeo: symlcsvc.exe-> ntsd-d
O26-ifeo: syssafe.exe-> ntsd-d
O26-ifeo: taskmgar.exe-> ntsd-d
O26-ifeo: trojandetector.exe-> ntsd-d
O26-ifeo: trojanwall.exe-> ntsd-d
O26-ifeo: trojdie.KXP-> ntsd-d
O26-ifeo: uihost.exe-> ntsd-d
O26-ifeo: umxagent.exe-> ntsd-d
O26-ifeo: umxattachment.exe-> ntsd-d
O26-ifeo: umxw..exe-> ntsd-d
O26-ifeo: umxfwhlp.exe-> ntsd-d
O26-ifeo: umxpol.exe-> ntsd-d
O26-ifeo: uplive.exe-> ntsd-d
O26-ifeo: vsstat.exe-> ntsd-d
O26-ifeo: webscanx.exe-> ntsd-d
O26-ifeo: wopticlean.exe-> ntsd-d
O27-example COM: 0 ()-hxxp://www.21yy1_com/shop/uploadphotos/200712/20071208202852447.jpg->.
O27-example COM: 1 ()-hxxp://www.21yy1_com/shop/uploadphotos/200712/20071208204059776.jpg->.
O27-example COM: 2 ()-hxxp://www.fpcn.net/image/4a.gif->.
O27-example COM: 3 ()-hxxp://www.fpcn.net/image/13a.gif->.
O27-Hangzhou COM: 4 ()-hxxp://www.ycwb.com/images/2006-12/11/xin_401203111538546284634.jpg->.
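The log above carries the classic persistence and self-defence set: a second executable appended to Userinit, eight AppInit_DLLs forced into every process, ShellExecuteHooks and random-named driver services, a service whose image is a .BAT in the temp folder, and an IFEO "Debugger" of ntsd -d for every security tool the author could think of, so none of them start. Reading a long scan by eye is error-prone, so the block below is an added example (not code from the post or from pe_xscan) that triages lines in this layout offline. The regular expressions assume the exact line format printed above, the rules are my own rather than pe_xscan's, and the sample lines are copied from the log plus one constructed legitimate IFEO entry as a negative case.

```python
import re
from collections import defaultdict

# Added example (not from the post): offline triage of pe_xscan-style lines.
# The regexes assume the line layout exactly as printed in the post; the rules
# are mine, not pe_xscan's. Sample lines are copied from the post's log, plus
# one constructed legitimate IFEO entry (a real debugger path) as a negative case.
SAMPLE_LOG = """\
F2-Reg: system.ini: userinit = <C:/Windows/system32/userinit.exe, C:/Windows/system32/vonine.exe>
O4-HKLM/../run: [hbservice32] system.exe
O20-appinit_dlls = hbmhly.dll, hbasktao.dll, hbwow.dll, hbsoul.dll, hbtl.dll, hbzhuxian.dll, hbbo.dll, hbchibi.dll
O23-service: beep ()-C:/Windows/system32/Drivers/beep.sys | 10:11:22 (system)
O23-service: sppmk (sppmk)-C:/docume~1/admini~1/locals~1/temp/_TMP.BAT (manual)
O26-ifeo: 360tray.exe-> ntsd-d
O26-ifeo: autoruns.exe-> ntsd-d
O26-ifeo: regedit.exe-> ntsd-d
O26-ifeo: myapp.exe-> C:/Debuggers/windbg.exe
"""

IFEO_RE = re.compile(r"^O26-ifeo:\s*(?P<image>.+?)\s*->\s*(?P<debugger>.+)$")
USERINIT_RE = re.compile(r"^F2-Reg:.*userinit\s*=\s*<(?P<list>[^>]*)>")
APPINIT_RE = re.compile(r"^O20-appinit_dlls\s*=\s*(?P<list>.+)$")
RUN_RE = re.compile(r"^O4-(?P<key>\S+):\s*\[(?P<name>[^\]]*)\]\s*(?P<target>.+)$")
SERVICE_RE = re.compile(
    r"^O23-service:\s*(?P<name>\S+)\s*\([^)]*\)\s*-\s*(?P<image>.+?)(?:\s*\|.*)?\s*\(\w+\)\s*$")


def basename(path: str) -> str:
    return path.replace("\\", "/").rstrip("/").rsplit("/", 1)[-1].lower()


def triage_log(text: str) -> dict:
    """Map finding kind -> list of details for the lines that trip a rule."""
    findings = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := IFEO_RE.match(line):
            # An IFEO Debugger of "ntsd -d" makes Windows start the named
            # program through ntsd instead of directly; in practice the tool
            # never runs. The post's list covers antivirus, HijackThis,
            # IceSword, regedit, autoruns and more. A real debugger path is fine.
            if re.sub(r"\s+", "", m["debugger"]).lower() == "ntsd-d":
                findings["ifeo-hijack"].append(m["image"])
        elif m := USERINIT_RE.match(line):
            # Anything besides userinit.exe here runs at every logon.
            for entry in m["list"].split(","):
                entry = entry.strip()
                if entry and basename(entry) != "userinit.exe":
                    findings["userinit-extra"].append(entry)
        elif m := APPINIT_RE.match(line):
            # AppInit_DLLs are loaded into every process that links user32.dll.
            findings["appinit-dll"].extend(d.strip() for d in m["list"].split(",") if d.strip())
        elif m := RUN_RE.match(line):
            # A bare file name in a Run key is resolved through the search path.
            if "/" not in m["target"] and "\\" not in m["target"]:
                findings["run-bare-name"].append(f'{m["name"]} -> {m["target"]}')
        elif m := SERVICE_RE.match(line):
            # A service whose image is not a .sys or .exe (here a .BAT in temp).
            image = m["image"].strip()
            if not basename(image).endswith((".sys", ".exe")):
                findings["service-nonbinary"].append(f'{m["name"]} -> {image}')
    return dict(findings)


if __name__ == "__main__":
    for kind, items in triage_log(SAMPLE_LOG).items():
        print(f"{kind} ({len(items)}):")
        for item in items:
            print("   ", item)
```

Feed it the whole log and the IFEO list alone comes back with well over a hundred entries; that count, more than any single file name, is what tells you the machine needs to be cleaned from a boot environment where the tools can actually run.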
(To be continued)