While a friend was using his computer, 360 (his security suite) reported that it had found a virus, and it was removed at the time. After the next reboot, however, a fault appeared: the desktop showed nothing at all. He asked me to help troubleshoot it.

I pressed Ctrl+Alt+Del to open Task Manager and checked the process list: explorer.exe was not running. Checking the disk, c:\windows did not contain explorer.exe, and neither did the dllcache folder.

Using WinRAR to search, I found an explorer.exe in c:\windows\temp. After moving it into c:\windows and running it, the taskbar and desktop icons came back. I then scanned with pe_xscan and analysed the log; the following suspicious items turned up (process module entries are elided):

pe_xscan 11-02-14 by Purple Endurer 2011-3-11 14:17:16 6.0.2900.5512 MSIE:6.0.2900.5512 管理员用户组 正常模式 [System Process]  0     2009-8-21 22:22:36  Microsoft(R) Windows(R) Operating System  5.1.2600.5781  Windows NT BASE API Client DLL  (C) Microsoft Corporation. All rights reserved.  5.1.2600.5781 (xpsp_sp3_qfe.090321-1341)  Microsoft Corporation ?  kernel32  kernel32     2009-8-21 22:22:37  Microsoft? Windows? Operating System  5.1.2600.5698  GDI Client DLL  ? Microsoft Corporation. All rights reserved.  5.1.2600.5698 (xpsp_sp3_gdr.081022-1932)  Microsoft Corporation ?  gdi32  gdi32     2009-8-21 22:22:31  Microsoft? Windows? Operating System  5.1.2600.5795  Remote Procedure Call Runtime  ? Microsoft Corporation. All rights reserved.  5.1.2600.5795 (xpsp_sp3_qfe.090415-1301)  Microsoft Corporation ?  rpcrt4.dll  rpcrt4.dll     2009-8-21 22:22:33  Microsoft? Windows? Operating System  5.1.2600.5694  Net Win32 API DLL  ? Microsoft Corporation. All rights reserved.  5.1.2600.5694 (xpsp_sp3_gdr.081015-1312)  Microsoft Corporation ?  NetApi32.DLL  NetApi32.DLL     2009-8-10 23:49:15  Microsoft? Windows? Operating System  5.1.2600.5768  Microsoft Text Frame Work Service IME  ? Microsoft Corporation. All rights reserved.  5.1.2600.5768 (xpsp_sp3_qfe.090226-1518)  Microsoft Corporation ?  MSCTFIME  MSCTFIME.IME     2009-8-21 22:22:31  Microsoft(R) Windows(R) Operating System  6.00.2900.5848  Shell Doc Object and Control Library  (C) Microsoft Corporation. All rights reserved.  6.00.2900.5848 (xpsp_sp3_qfe.090718-1313)  Microsoft Corporation ?  SHDOCVW.DLL  SHDOCVW.DLL     2009-8-21 22:22:29  Microsoft(R) Windows(R) Operating System  6.00.2900.5835  Internet Extensions for Win32  (C) Microsoft Corporation. All rights reserved.  6.00.2900.5835 (xpsp_sp3_qfe.090626-1600)  Microsoft Corporation ?  wininet.dll  wininet.dll     2009-8-21 22:22:32  Microsoft? Windows? Operating System  5.2.5721.5145  Windows Portable Device API Components  ? Microsoft Corporation. 
All rights reserved.  5.2.5721.5145 (WMP_11.061018-2006)  Microsoft Corporation ?   PortableDeviceApi.dll     2009-8-21 22:22:33  Microsoft(R) Windows(R) Operating System  5.1.2600.5625  Microsoft Windows Sockets 2.0 Service Provider  (C) Microsoft Corporation. All rights reserved.  5.1.2600.5625 (xpsp_sp3_gdr.080620-1249)  Microsoft Corporation ?  mswsock.dll  mswsock.dll C:\WINDOWS\system32\csrss.exe 584  2009-3-13 10:3:58     2009-8-21 22:22:37  Microsoft? Windows? Operating System  5.1.2600.5698  GDI Client DLL  ? Microsoft Corporation. All rights reserved.  5.1.2600.5698 (xpsp_sp3_gdr.081022-1932)  Microsoft Corporation ?  gdi32  gdi32     2009-8-21 22:22:36  Microsoft(R) Windows(R) Operating System  5.1.2600.5781  Windows NT BASE API Client DLL  (C) Microsoft Corporation. All rights reserved.  5.1.2600.5781 (xpsp_sp3_qfe.090321-1341)  Microsoft Corporation ?  kernel32  kernel32     2009-8-21 22:22:31  Microsoft? Windows? Operating System  5.1.2600.5795  Remote Procedure Call Runtime  ? Microsoft Corporation. All rights reserved.  5.1.2600.5795 (xpsp_sp3_qfe.090415-1301)  Microsoft Corporation ?  rpcrt4.dll  rpcrt4.dll   624  2009-3-13 10:3:58  Microsoft(R) Windows(R) Operating System  5.1.2600.5512  Windows NT Logon Application  (C) Microsoft Corporation. All rights reserved.  5.1.2600.5512 (xpsp.080413-2113)  Microsoft Corporation ?  winlogon  WINLOGON.EXE     2009-8-21 22:22:36  Microsoft(R) Windows(R) Operating System  5.1.2600.5781  Windows NT BASE API Client DLL  (C) Microsoft Corporation. All rights reserved.  5.1.2600.5781 (xpsp_sp3_qfe.090321-1341)  Microsoft Corporation ?  kernel32  kernel32     2009-8-21 22:22:31  Microsoft? Windows? Operating System  5.1.2600.5795  Remote Procedure Call Runtime  ? Microsoft Corporation. All rights reserved.  5.1.2600.5795 (xpsp_sp3_qfe.090415-1301)  Microsoft Corporation ?  rpcrt4.dll  rpcrt4.dll     2009-8-21 22:22:37  Microsoft? Windows? Operating System  5.1.2600.5698  GDI Client DLL  ? Microsoft Corporation. 
All rights reserved.  5.1.2600.5698 (xpsp_sp3_gdr.081022-1932)  Microsoft Corporation ?  gdi32  gdi32     2009-8-21 22:22:33  Microsoft? Windows? Operating System  5.1.2600.5694  Net Win32 API DLL  ? Microsoft Corporation. All rights reserved.  5.1.2600.5694 (xpsp_sp3_gdr.081015-1312)  Microsoft Corporation ?  NetApi32.DLL  NetApi32.DLL     2009-8-10 23:49:15  Microsoft? Windows? Operating System  5.1.2600.5768  Microsoft Text Frame Work Service IME  ? Microsoft Corporation. All rights reserved.  5.1.2600.5768 (xpsp_sp3_qfe.090226-1518)  Microsoft Corporation ?  MSCTFIME  MSCTFIME.IME C:\WINDOWS\system32\services.exe 700  2009-3-13 10:3:58     2009-8-21 22:22:36  Microsoft(R) Windows(R) Operating System  5.1.2600.5781  Windows NT BASE API Client DLL  (C) Microsoft Corporation. All rights reserved.  5.1.2600.5781 (xpsp_sp3_qfe.090321-1341)  Microsoft Corporation ?  kernel32  kernel32     2009-8-21 22:22:31  Microsoft? Windows? Operating System  5.1.2600.5795  Remote Procedure Call Runtime  ? Microsoft Corporation. All rights reserved.  5.1.2600.5795 (xpsp_sp3_qfe.090415-1301)  Microsoft Corporation ?  rpcrt4.dll  rpcrt4.dll     2009-8-21 22:22:37  Microsoft? Windows? Operating System  5.1.2600.5698  GDI Client DLL  ? Microsoft Corporation. All rights reserved.  5.1.2600.5698 (xpsp_sp3_gdr.081022-1932)  Microsoft Corporation ?  gdi32  gdi32     2009-8-21 22:22:33  Microsoft? Windows? Operating System  5.1.2600.5694  Net Win32 API DLL  ? Microsoft Corporation. All rights reserved.  5.1.2600.5694 (xpsp_sp3_gdr.081015-1312)  Microsoft Corporation ?  NetApi32.DLL  NetApi32.DLL C:\WINDOWS\system32\lsass.exe 720  2009-3-13 10:3:58     2009-8-21 22:22:36  Microsoft(R) Windows(R) Operating System  5.1.2600.5781  Windows NT BASE API Client DLL  (C) Microsoft Corporation. All rights reserved.  5.1.2600.5781 (xpsp_sp3_qfe.090321-1341)  Microsoft Corporation ?  kernel32  kernel32     2009-8-21 22:22:31  Microsoft? Windows? 
Operating System  5.1.2600.5795  Remote Procedure Call Runtime  ? Microsoft Corporation. All rights reserved.  5.1.2600.5795 (xpsp_sp3_qfe.090415-1301)  Microsoft Corporation ?  rpcrt4.dll  rpcrt4.dll     2009-8-21 22:22:37  Microsoft? Windows? Operating System  5.1.2600.5698  GDI Client DLL  ? Microsoft Corporation. All rights reserved.  5.1.2600.5698 (xpsp_sp3_gdr.081022-1932)  Microsoft Corporation ?  gdi32  gdi32     2009-8-21 22:22:33  Microsoft? Windows? Operating System  5.1.2600.5694  Net Win32 API DLL  ? Microsoft Corporation. All rights reserved.  5.1.2600.5694 (xpsp_sp3_gdr.081015-1312)  Microsoft Corporation ?  NetApi32.DLL  NetApi32.DLL C:\WINDOWS\system32\svchost.exe 1020  2009-3-13 10:3:58     2009-8-21 22:22:36  Microsoft(R) Windows(R) Operating System  5.1.2600.5781  Windows NT BASE API Client DLL  (C) Microsoft Corporation. All rights reserved.  5.1.2600.5781 (xpsp_sp3_qfe.090321-1341)  Microsoft Corporation ?  kernel32  kernel32     2009-8-21 22:22:31  Microsoft? Windows? Operating System  5.1.2600.5795  Remote Procedure Call Runtime  ? Microsoft Corporation. All rights reserved.  5.1.2600.5795 (xpsp_sp3_qfe.090415-1301)  Microsoft Corporation ?  rpcrt4.dll  rpcrt4.dll     2009-8-21 22:22:37  Microsoft? Windows? Operating System  5.1.2600.5698  GDI Client DLL  ? Microsoft Corporation. All rights reserved.  5.1.2600.5698 (xpsp_sp3_gdr.081022-1932)  Microsoft Corporation ?  gdi32  gdi32     2009-8-21 22:22:33  Microsoft? Windows? Operating System  5.1.2600.5694  Net Win32 API DLL  ? Microsoft Corporation. All rights reserved.  5.1.2600.5694 (xpsp_sp3_gdr.081015-1312)  Microsoft Corporation ?  NetApi32.DLL  NetApi32.DLL     2009-8-21 22:22:29  Microsoft(R) Windows(R) Operating System  6.00.2900.5835  Internet Extensions for Win32  (C) Microsoft Corporation. All rights reserved.  6.00.2900.5835 (xpsp_sp3_qfe.090626-1600)  Microsoft Corporation ?  
wininet.dll  wininet.dll     2009-8-21 22:22:33  Microsoft(R) Windows(R) Operating System  5.1.2600.5625  Microsoft Windows Sockets 2.0 Service Provider  (C) Microsoft Corporation. All rights reserved.  5.1.2600.5625 (xpsp_sp3_gdr.080620-1249)  Microsoft Corporation ?  mswsock.dll  mswsock.dll     2011-3-10 13:4:5 O4 - HKLM\..\run: [360Soft]  O4 - HKLM\..\run: [Inst]  "" -safe O23 - 服务: Nla (Network Location Awareness (NLA)) - C:\WINDOWS\system32\svchost.exe -k netsvcs  2009-3-13 10:3:58     2009-8-21 22:22:33(手动) O23 - 服务: Srv (Srv) -   2009-3-13 10:3:58  Microsoft? Windows? Operating System  5.1.2600.5725  Server driver  ? Microsoft Corporation. All rights reserved.  5.1.2600.5725 (xpsp_sp3_gdr.081211-1306)  Microsoft Corporation ?  SRV.SYS  SRV.SYS(手动) O23 - 服务: WmdmPmSN (Portable Media Serial Number Service) - C:\WINDOWS\System32\svchost.exe -k netsvcs  2009-3-13 10:3:58        2009-8-21 22:22:34(手动) O23 - 服务: WudfPf (Windows Driver Foundation - User-mode Driver Framework Platform Driver) -   2009-3-13 10:3:58  Microsoft? Windows? Operating System  6.0.5716.32  Windows Driver Foundation - User-mode Driver Framework Platform Driver  ? Microsoft Corporation. All rights reserved.  6.0.5716.32 (winmain(wmbla).060928-1756)  Microsoft Corporation ?  WUDFPf.sys  WUDFPf.sys(手动) O23 - 服务: WudfRd (Windows Driver Foundation - User-mode Driver Framework Reflector) -   2009-3-13 10:3:58  Microsoft? Windows? Operating System  6.0.5716.32  Windows Driver Foundation - User-mode Driver Framework Reflector  ? Microsoft Corporation. All rights reserved.  6.0.5716.32 (winmain(wmbla).060928-1756)  Microsoft Corporation ?  WUDFRd.sys  WUDFRd.sys(手动) O23 - 服务: WudfSvc (Windows Driver Foundation - User-mode Driver Framework) - C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup  2009-3-13 10:3:58     2009-8-21 22:22:27(手动) O29 - HKCU-Start Page  hxxp://www.111dh.com/#5恭喜您,成功登陆本站,请单击“是(Y)”大量免费电影站,名站导航天天看! O29 - HKUS-Start Page  hxxp://www.537.com

Many system files fail digital signature verification, so they were presumably replaced or infected by the virus. Downloading DrWeb CureIt! to scan and clean up...
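As a worked example that is not part of the original post, here is a PowerShell triage script that repeats the three manual checks described above: locate every explorer.exe copy under the Windows directory and read the Winlogon Shell value, review the Run keys that the O4 lines came from, and list system32 binaries whose Authenticode status is not Valid. It assumes PowerShell 4 or later on a Windows host; the registry paths are the standard ones, while the list of "expected" explorer.exe locations and the rules for what counts as suspicious are my assumptions, not pe_xscan's.

```powershell
# Added triage example (not code from the original post or from pe_xscan).
# Requires PowerShell 4+ (Get-FileHash). Run from an elevated prompt.

$systemRoot = $env:SystemRoot            # e.g. C:\WINDOWS

function Get-SignatureSummary {
    # Returns Authenticode status, signer subject and SHA256 for one file.
    param([string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [PSCustomObject]@{
        Path   = $Path
        Status = $sig.Status               # Valid / NotSigned / HashMismatch / ...
        Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        SHA256 = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    }
}

# --- Check 1: which explorer.exe copies exist, and does Winlogon still launch the real one?
# Assumption: on XP the only legitimate copies are %SystemRoot%\explorer.exe and the dllcache copy.
$expectedExplorer = @(
    (Join-Path $systemRoot 'explorer.exe'),
    (Join-Path $systemRoot 'system32\dllcache\explorer.exe')
)
Write-Host "== explorer.exe copies under $systemRoot =="
Get-ChildItem -Path $systemRoot -Filter 'explorer.exe' -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $row = Get-SignatureSummary -Path $_.FullName
        $row | Add-Member -NotePropertyName Location -NotePropertyValue $(
            if ($expectedExplorer -contains $_.FullName) { 'expected' } else { 'UNEXPECTED' }) -PassThru
    } | Format-Table Location, Status, Signer, SHA256, Path -AutoSize

$winlogon = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
Write-Host "Winlogon Shell value: '$($winlogon.Shell)'  (expected: explorer.exe)"

# --- Check 2: autostart entries (the O4 lines in the log). Flag empty commands such as the
#     [Inst] "" -safe entry, commands that run from a Temp directory, and missing targets.
Write-Host "`n== Run-key entries =="
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # skip PSPath, PSProvider, ...
        $cmd = [string]$p.Value
        $note = 'ok'
        if ($cmd.Trim() -eq '' -or $cmd -match '^\s*""') { $note = 'EMPTY command' }
        elseif ($cmd -match '(?i)\\temp\\')               { $note = 'runs from a Temp directory' }
        else {
            # First token is the executable: take the quoted part if present, else the first word.
            $exe = ($cmd -split '"')[1]
            if (-not $exe) { $exe = ($cmd -split ' ')[0] }
            if ($exe -and -not (Test-Path -LiteralPath $exe)) { $note = 'target missing on disk' }
        }
        Write-Host ("{0,-6} {1,-12} {2,-40} {3}" -f $key.Substring(0, 4), $p.Name, $cmd, $note)
    }
}

# --- Check 3: Authenticode status of every PE file in system32 (the signature-verification step).
Write-Host "`n== system32 files whose signature is not Valid =="
Get-ChildItem -Path (Join-Path $systemRoot 'system32') -Include *.exe, *.dll, *.sys -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object { Get-SignatureSummary -Path $_.FullName } |
    Where-Object { $_.Status -ne 'Valid' } |
    Sort-Object Status |
    Format-Table Status, Signer, Path -AutoSize
```

Treat NotSigned as "needs a second look" rather than proof of tampering: on older PowerShell builds, system files that are signed only through a catalog (.cat) file rather than an embedded signature also report NotSigned, so compare the SHA256 column against a known-good copy from install media or another machine at the same patch level before concluding a file was replaced. HashMismatch is the stronger signal, since it means the file's content no longer matches the signature it carries.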