SREng Log Analysis Explained with a Worked Example

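  Analyzing an SREng log is not actually difficult. It takes little technical skill and is easy to pick up. A log contains a lot of material, but a tool such as an analysis assistant can sort the entries into categories so that they are easier to read. Note that the analysis assistant does not analyze the log for you; it only displays the content by category. There are also "intelligent analysis" tools, but at present they do not work well, so we will do the analysis ourselves.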

Below is a complete log; we start from the top (red marks dangerous entries, green marks normal ones, blue marks unknown ones):

  ************ Start ************

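2003-12-31,12:43:27 Note the date here: it shows 2003 not because this is an old scan, but because the virus changed the system time. Next comes version information for the operating system and SREng, so when you upload a log, always upload it complete; otherwise something useful may be left out.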

System Repair Engineer 2.7.0.1210
Smallfrogs (http://www.KZTechs.com)

Windows XP Home Edition Service Pack 2 (Build 2600) - 管理权限用户 - 完整功能

以下内容被选中:
    所有的启动项目(包括注册表、启动文件夹、服务等)
    浏览器加载项
    正在运行的进程(包括进程模块信息)
    文件关联
    Winsock 提供者
    Autorun.inf
    HOSTS 文件
    进程特权扫描
    计划任务
    API HOOK
    隐藏进程


启动项目
注册表
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
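    <ctfmon.exe><C:\WINDOWS\system32\ctfmon.exe>  [(Verified)Microsoft Windows Component Publisher] Look at the trailing [(Verified)Microsoft Windows Component Publisher]: this is the publisher (company) information of the file. (Verified) means the ctfmon.exe startup entry passed file signature verification. An entry without (Verified) is not necessarily a problem, and for an entry with (Verified) you still need to read the content: sometimes only the first part is what passed verification, and the file carried in the second part may be a virus. I have really run into such cases. In general, though, (Verified) can be trusted, which cuts down your workload and helps you keep your confidence and patience. (Update: not every Verified entry is safe; for example, a file modified by 机器狗 (Robot Dog) can show Verified with no company name listed.)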
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
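    <HKSERV.EXE><C:\Program Files\Sony\HotKey Utility\HKserv.exe>  [Sony Corporation] There is no (Verified) here, but judging by the file path \Program Files\Sony\HotKey Utility and the company information [Sony Corporation] that follows, this should be a program preinstalled by Sony (this computer is a Sony notebook).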
    <SonyPowerCfg><C:\Program Files\Sony\VAIO Power Management\SPMgr.exe>  [Sony Corporation]
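    <TkBellExe><"C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot>  [RealNetworks, Inc.] This is RealPlayer's message center program. Anyone who has installed Real should recognize it; check your own computer, and if you have never installed it, search the web with Google or Baidu. This file name is fairly easy to look up.
    <RavTimer><C:\Program Files\Rising\Rav\RavTimer.exe>  [Beijing Rising Technology Co., Ltd.] This is Rising (瑞星); the file path makes that clear. The same goes for the next few entries, so I need not say more.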
    <RavMon><C:\Program Files\Rising\Rav\RavMon.exe -system>  [Beijing Rising Technology Co., Ltd.]
    <RfwMain><C:\Program Files\Rising\Rfw\rfwmain.exe>  [Beijing Rising Technology Corporation Limited]
    <Adobe Photo Downloader><"C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe">  [Adobe Systems Incorporated] Photoshop; again, go by the file path and company information.
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
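    <shell><Explorer.exe>  [] Here it comes. Note that the [] after Explorer.exe is empty. It should contain company information, something like [(Verified)Microsoft Windows Component Publisher]. If you are unsure, scan a log on your own computer and compare, provided your computer is in a normal state. The shell value is also a key location (every key location in the log, such as the various startup entries, deserves a careful look). If it is modified, your desktop may disappear; the "missing desktop" problem that used to be common was caused here, and so is this case: after boot there are no desktop shortcuts, taskbar or Start menu, only an empty desktop background. Because this explorer.exe is faulty, it must be repaired. The fix is not to delete this registry value but to overwrite the file of the same name under c:\windows with a known-good explorer.exe; since only the file is at fault, the registry needs no change. If this entry shows <shell><>, with an empty value or anything else after it, restore it to <shell><Explorer.exe>, either in SREng or directly in the registry editor.
    <Userinit><C:\WINDOWS\system32\UserInit.exe,>  [(Verified)Microsoft Windows Publisher] This is another important location. Remember its default value, and note the trailing comma. The fix is to restore the default. If this value is modified, or the file UserInit.exe is infected or damaged, the system logs off again and again after boot and you cannot get in (SREng can repair this registry value).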
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
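    <AppInit_DLLs><fmsiocps.dll,qvmigb.dll,yawdux.dll,qabjau.dll,zkqpsa.dll,wlicwl.dll,bstaks.dll,rvbwdq.dll,xuypvj.dll>  [N/A] Here is another one. The default for this value is empty; this many randomly composed file names inserted after it are the virus. Files listed without a path are usually under c:\windows\system32, otherwise look under c:\windows, although not all of the listed files necessarily exist. Also note that kmon.dll from 卡卡助手 (Kaka Assistant) and Kaspersky (which shows its own file path) also insert their files here. SREng will still report AppInit_DLLs as modified, but once you have confirmed the files are legitimate there is no need to repair it (be flexible).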
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
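    <UIHost><logonui.exe>  [(Verified)Microsoft Windows Publisher] The next few entries are present on most normal systems and have passed verification. Read more logs, or your own computer's log, and you will learn them; even if you cannot yet tell what is abnormal, you will at least know what is normal.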
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    <{AEB6717E-7E19-11d0-97EE-00C04FD91972}><shell32.dll>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    <PostBootReminder><%SystemRoot%\system32\SHELL32.dll>  [(Verified)Microsoft Windows Component Publisher]
    <CDBurn><%SystemRoot%\system32\SHELL32.dll>  [(Verified)Microsoft Windows Component Publisher]
    <WebCheck><%SystemRoot%\system32\webcheck.dll>  [(Verified)Microsoft Windows Publisher]
    <SysTray><C:\WINDOWS\system32\stobject.dll>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
    <WinlogonNotify: crypt32chain><crypt32.dll>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
    <WinlogonNotify: cryptnet><cryptnet.dll>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
    <WinlogonNotify: cscdll><cscdll.dll>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
    <WinlogonNotify: ScCertProp><wlnotify.dll>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
    <WinlogonNotify: Schedule><wlnotify.dll>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
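    <WinlogonNotify: sclgntfy><>  [(Verified)Microsoft Windows Publisher] It does not matter if you cannot tell whether a file is legitimate. Take sclgntfy.dll in this entry: the name looks randomly composed, but search the web and many process-information and file-information sites have data on it, and some even offer sclgntfy.dll for download, all of which indicates it should be a legitimate file. Of course a virus can impersonate a system file name, which SREng cannot fully detect, although we can judge from the file signature verification, file information and file path that follow.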
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
    <WinlogonNotify: SensLogn><WlNotify.dll>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
    <WinlogonNotify: termsrv><wlnotify.dll>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
    <WinlogonNotify: WgaLogon><WgaLogon.dll>  [(Verified)Microsoft Corporation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
    <WinlogonNotify: wlballoon><wlnotify.dll>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    <{438755C2-A8BA-11D1-B96B-00A0C90312E1}><%SystemRoot%\system32\browseui.dll>  [(Verified)Microsoft Windows Component Publisher] System file, normal.
    <{8C7461EF-2B13-11d2-BE35-3078302C2030}><%SystemRoot%\system32\browseui.dll>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
    <Microsoft Windows Media Player><C:\WINDOWS\inf\unregmp2.exe /ShowWMP>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}]
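    <Internet Explorer><%systemroot%\system32\shmgrate.exe OCInstallUserConfigIE>  [File is missing] [File is missing] means the file is missing. Ignore it; a file that does not exist is all the better, less work. (Update: File is missing does not always mean the file really does not exist, so it is still advisable to go and check.)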
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}]
    <Outlook Express><%systemroot%\system32\shmgrate.exe OCInstallUserConfigOE>  [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}]
    <Themes Setup><%SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll>  [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
    <Microsoft Outlook Express 6><"%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install>  [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}]
    <NetMeeting 3.01><rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5945c046-1e7d-11d1-bc44-00c04fd912be}]
    <Windows Messenger 4.7><rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
    <Microsoft Windows Media Player><rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp10.inf,PerUserStub>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
    <通讯簿 6><"%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install>  [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}]
    <Windows 桌面更新><regsvr32.exe /s /n /i:U shell32.dll>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}]
    <Internet Explorer 6><%SystemRoot%\system32\ie4uinit.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.exe]
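    <IFEO[360rpt.exe]><ntsd -d>  [N/A] Here we go again: IFEO, image hijacking. Many people report that their antivirus software will not open; this is the location that has been hijacked (there are other virus techniques as well, such as the one used by 磁碟机). All the IFEO entries that SREng shows in red must be deleted. (Update: there is also an IFEO that calls itself: when the program hijacked through IFEO and the target program are the same, the process loops endlessly until the command line exceeds the system length limit and the operation fails.)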
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safe.exe]
    <IFEO[360safe.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safebox.exe]
    <IFEO[360safebox.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe]
    <IFEO[360tray.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe]
    <IFEO[CCenter.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPPMain.exe]
    <IFEO[KPPMain.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatch.exe]
    <IFEO[KWatch.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQDoctor.exe]
    <IFEO[QQDoctor.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQKav.exe]
    <IFEO[QQKav.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMon.exe]
    <IFEO[RavMon.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMonD.exe]
    <IFEO[RavMonD.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safeboxTray.exe]
    <IFEO[safeboxTray.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tqat.exe]
    <IFEO[tqat.exe]><ntsd -d>  [N/A] The IFEO entries end here.
[HKEY_CURRENT_USER\Control Panel\Desktop]
    <SCRNSAVE.EXE><C:\WINDOWS\system32\RAVSS.SCR>  [Rising Corp.]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    <Apoint><; C:\Program Files\Apoint\Apoint.exe>  [(Verified)Microsoft Windows Hardware Compatibility Publisher] A leading semicolon means the entry is not enabled.
    <HotKeysCmds><; C:\WINDOWS\system32\hkcmd.exe>  [(Verified)Microsoft Windows Hardware Compatibility Publisher]
    <IgfxTray><; C:\WINDOWS\system32\igfxtray.exe>  [(Verified)Microsoft Windows Hardware Compatibility Publisher]
    <IMEKRMIG6.1><; C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE>  [(Verified)Microsoft Windows Publisher] These are input methods (IMEs).
    <IMJPMIG8.1><; "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32>  [(Verified)Microsoft Windows Publisher]
    <IMSCMig><; C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMSC40A\IMSCMIG.EXE /Preload>  [(Verified)Microsoft Corporation]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    <KavPFW><; >  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    <KavStart><; >  [N/A]
    <Mouse Suite 98 Daemon><; ICO.EXE>  [(Verified)Microsoft Windows Hardware Compatibility Publisher]
    <MSPY2002><; C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC>  [(Verified)Microsoft Windows Publisher]
    <PHIME2002A><; C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName>  [(Verified)Microsoft Windows Publisher]
    <PHIME2002ASync><; C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC>  [(Verified)Microsoft Windows Publisher]
    <snpstd3><; C:\WINDOWS\vsnpstd3.exe>  [] This entry also has no company information, but a search with Google or Baidu shows that it is a webcam program.
==================================
启动文件夹
[QQ游戏启动加速程序]
  <C:\Documents and Settings\vaio\「开始」菜单\程序\启动\QQ游戏启动加速程序.lnk --> C:\PROGRA~1\Tencent\QQGAME\Accel.exe [深圳市腾讯计算机系统有限公司]><N> The <N> means a normal startup item; <H> means it is hidden, which may indicate a problem, but the file name and file path matter more.

==================================
服务 Services, together with the drivers below, are also among the places where viruses most often hide and start.
[Application Management / AppMgmt][Stopped/Manual Start]
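  <C:\WINDOWS\system32\svchost.exe -k netsvcs-->%SystemRoot%\System32\appmgmts.dll><N/A> Note that some system services may not show as verified in SREng; compare against your own computer (after you have seen enough logs you will not need to). Also note that a service may show a different file path. For this AppMgmt entry, the AppMgmt service on my computer shows only <C:\WINDOWS\system32\svchost.exe -k netsvcs>, but that does not make the trailing appmgmts.dll a virus: appmgmts.dll really is a system file located in c:\windows\system32. You still need to check the file information to rule out impersonation by a virus, which again SREng cannot do.
There is another case to watch for: the entry also has the form <C:\WINDOWS\system32\svchost.exe -k netsvcs-->%SystemRoot%\System32\*.dll>, but the trailing *.dll is a virus file with an obviously malicious name (usually a random combination of letters or digits). In that case, restore the normal value and delete the virus file; do not delete the svchost.exe in front. The change can be made via Control Panel > Administrative Tools > Services > right-click the service to repair > Properties > Path to executable.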
[Human Interface Device Access / HidServ][Stopped/Disabled]
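  <C:\WINDOWS\System32\svchost.exe -k netsvcs-->%SystemRoot%\System32\hidserv.dll><N/A> This one is common. Although it ends in [n/a], it is the same on a normal system, so there is nothing to worry about. A lazy shortcut is to look at the service state [Stopped/Disabled]: it is already disabled and will not start, so even a virus would have no effect; the same applies to similar entries below. Manual Start means started manually, Auto Start means started automatically, and there also seems to be a system boot start type.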
[Multi-Function Station Device Monitor / KMDevmonSrv][Running/Auto Start]
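  <C:\WINDOWS\system32\KMDEVMONSRV.exe><N/A> This one is harder to identify. Searching the web for the file name or service name, many places say it is safe, some say it is a modem driver or a multifunction-device driver, and others say it is a virus. One thing that is certain is that it is a file and service of the system, so you can back it up and then delete it, disabling the service first, and watch the result; at worst you reinstall the related software later, and as long as the system is still there no harm is done.
[Rising Personal Firewall Service / RfwService][Running/Auto Start] Rising (瑞星)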
  <c:\program files\rising\rfw\rfwsrv.exe><Beijing Rising Technology Corporation Limited>
[SoundMAX Agent Service / SoundMAX Agent Service (default)][Running/Auto Start]
  <C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe><Analog Devices, Inc.> Sound card; go by the file path and company information.
[VAIO Entertainment Aggregation and Control Service / VAIO Entertainment Aggregation and Control Service][Stopped/Manual Start]
  <"C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzRs\VzRs.exe"><Sony Corporation>
[VAIO Entertainment File Import Service / VAIO Entertainment File Import Service][Running/Auto Start]
  <C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe><Sony Corporation> The name is odd, but it is still recognizable as Sony preinstalled software.
[VAIO Entertainment Task Scheduler / VAIO Entertainment Task Scheduler][Stopped/Manual Start]
  <"C:\Program Files\Sony\VAIO Entertainment\VzTaskScheduler.exe"><Sony Corporation>
[VAIO Entertainment TV Device Arbitration Service / VAIO Entertainment TV Device Arbitration Service][Stopped/Manual Start]
  <"C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe"><Sony Corporation>
[VAIO Entertainment UPnP Client Adapter / VAIO Entertainment UPnP Client Adapter][Stopped/Manual Start]
  <C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VCSW\VCSW.exe -RunBySCM><Sony Corporation>
[VAIO Media Integrated Server / VAIOMediaPlatform-IntegratedServer-AppServer][Stopped/Manual Start]
  <C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe><Sony Corporation>
[VAIO Media Integrated Server (HTTP) / VAIOMediaPlatform-IntegratedServer-HTTP][Stopped/Manual Start]
  <"C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-IntegratedServer-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\IntegratedServer\HTTP"><Sony Corporation>
[VAIO Media Integrated Server (UPnP) / VAIOMediaPlatform-IntegratedServer-UPnP][Stopped/Manual Start]
  <C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe><Sony Corporation>
[VAIO Media Gateway Server / VAIOMediaPlatform-Mobile-Gateway][Stopped/Manual Start]
  <"C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VmGateway.exe" /Service=VAIOMediaPlatform-Mobile-Gateway /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Addons\Packages\Mobile\Gateway" /DisplayName="VAIO Media Gateway Server"><Sony Corporation>

==================================
驱动程序
[aeaudio / aeaudio][Running/Manual Start]
  <system32\drivers\aeaudio.sys><Andrea Electronics Corporation> Sound card; after reading enough logs you will know it is normal.
[Alps Pointing-device Filter Driver / ApfiltrService][Running/Manual Start]
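  <system32\DRIVERS\Apfiltr.sys><Alps Electric Co., Ltd.> An entry with company information is not necessarily a legitimate file (note especially that many viruses show Microsoft as the company), but most are; search the web by keyword often.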
[Rising TDI Base Driver / BaseTDI][Running/Auto Start]
  <System32\DRIVERS\BaseTDI.SYS><Rising>
[Panasonic MFSUSB Driver / DGIUSB][Stopped/Manual Start]
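  <system32\drivers\KMdgiusb.sys><Conexant Systems, Inc.> Conexant is a modem chip vendor found in many notebooks, and its file names are easily confused, but it is indeed legitimate. The file name here starts with KM, which ties in with KMDEVMONSRV.exe above; so KMDEVMONSRV.exe above appears to be Conexant's modem program as well.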
[Sony DMI Call service / DMICall][Running/System Start]
  <system32\DRIVERS\DMICall.sys><Sony Corporation>
[dohs / dohs][Stopped/Auto Start]
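  <\??\C:\DOCUME~1\vaio\LOCALS~1\Temp\tmp6.tmp><N/A> Here is the virus. Look closely: the file path is in the temporary folder (almost no driver or service lives in a temporary folder), and the file is actually a .tmp file.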
[Intel(R) PRO Adapter Driver / E100B][Running/Manual Start]
  <system32\DRIVERS\e100b325.sys><Intel Corporation>
[fmsq / fmsq][Stopped/Auto Start]
  <\??\C:\DOCUME~1\vaio\LOCALS~1\Temp\tmp18.tmp><N/A> Same as above.
[FwDrv / FwDrv][Running/Auto Start]
  <\??\C:\Program Files\Rising\Rfw\FwDrv.sys><Rising>
[HSFHWICH / HSFHWICH][Running/Manual Start]
  <system32\DRIVERS\HSFHWICH.sys><Conexant Systems, Inc.>
[HSF_DP / HSF_DP][Running/Manual Start]
  <system32\DRIVERS\HSF_DP.sys><Conexant Systems, Inc.>Conexant
[ialm / ialm][Running/Manual Start]
  <system32\DRIVERS\ialmnt5.sys><Intel Corporation>
[KMsmfpi / KMsmfpi][Running/Auto Start]
  <\??\C:\WINDOWS\System32\Drivers\KMSMFPI.sys><Conexant Systems, Inc.> Further confirms KMDEVMONSRV.exe above.
[KWatch3 / KWatch3][Running/System Start]
  <\??\C:\WINDOWS\system32\drivers\KWatch3.SYS><Kingsoft Corporation>
[mdmxsdk / mdmxsdk][Running/Auto Start]
  <system32\DRIVERS\mdmxsdk.sys><Conexant>
[mhfp / mhfp][Stopped/Auto Start] Virus
  <\??\C:\DOCUME~1\vaio\LOCALS~1\Temp\tmp1.tmp><N/A>
[mnsf / mnsf][Stopped/Auto Start] Virus
  <\??\C:\DOCUME~1\vaio\LOCALS~1\Temp\tmp14.tmp><N/A>
[msfpfis64 / msfpfis64][Running/Auto Start]
  <\??\C:\WINDOWS\system32\drivers\msosmsfpfis64.sys><N/A> Virus: no company information, a suspicious file name, and a web search quickly turns up related information.
[msp2p32 / msp2p32][Running/Auto Start]
  <\??\C:\WINDOWS\system32\drivers\msosmsp2p32.sys><N/A> Same as above.
[Netgroup Packet Filter / NPF][Stopped/Manual Start]
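  <system32\drivers\npf.sys><CACE Technologies> ARP spoofing makes use of this driver, but it is not itself a virus, and some dial-up Internet programs (such as the one from 网通, China Netcom) also use it; judge case by case.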
[Direct Parallel Link Driver / Ptilink][Running/Manual Start]
  <system32\DRIVERS\ptilink.sys><Parallel Technologies, Inc.>
[PxHelp20 / PxHelp20][Running/Boot Start]
  <\SystemRoot\System32\Drivers\PxHelp20.sys><Sonic Solutions>
[Secdrv / Secdrv][Stopped/Manual Start]
  <system32\DRIVERS\secdrv.sys><Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.> In some logs this entry has no company information, but it appears in many logs; a legitimate file.
[smwdm / smwdm][Running/Manual Start]
  <system32\drivers\smwdm.sys><Analog Devices, Inc.>
[Sony Notebook Control Device / SNC][Running/Manual Start]
  <System32\Drivers\SonyNC.sys><Sony Corporation>
[USB PC Camera (SNPSTD3) / SNPSTD3][Stopped/Manual Start]
  <system32\DRIVERS\snpstd3.sys><> No company information, but it is a USB webcam.
[Sony Programmable I/O Control Device / SPI][Running/Manual Start]
  <system32\DRIVERS\SonyPI.sys><Sony Corporation>
[tifmsony / tifmsony][Running/Manual Start] Safe; reason: web search.
  <system32\drivers\tifmsony.sys><Texas Instruments>
[VECP / VECP][Stopped/Auto Start]
  <\??\C:\WINDOWS\System32\Drivers\VECP.sys><Conexant Systems, Inc.>
[Intel(R) PRO/Wireless 2200 Adapter 驱动程序 / w22n51][Running/Manual Start]
  <system32\DRIVERS\w22n51.sys><Intel? Corporation>
[winachsf / winachsf][Running/Manual Start]
  <system32\DRIVERS\HSF_CNXT.sys><Conexant Systems, Inc.>
[zftp / zftp][Stopped/Auto Start] Virus
  <\??\C:\DOCUME~1\vaio\LOCALS~1\Temp\tmpC.tmp><N/A>

==================================
浏览器加载项 The browser add-ons (plug-ins) section. These are not startup items, but most IE problems are solved here.
[ThunderAtOnce Class]
  {01443AEC-0FD1-40fd-9C87-E93D1494C233} <C:\Program Files\Thunder\ComDlls\TDAtOnce_Now.dll, (Signed) Thunder Networking Technologies,LTD> Xunlei (Thunder). Note the trailing (Signed): it passed signature verification, so it is safe.
[AcroIEHlprObj Class]
  {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} <C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll, (Signed) Adobe Systems Incorporated>
[]
  {398C9B84-4EF7-47B5-9862-DE29543B3C42} <, > Empty. Cleaning it up here is not necessarily useful and may cause trouble; leave it alone unless necessary.
[Thunder Browser Helper]
  {889D2FEB-5411-4565-8998-1DD2C5261283} <C:\Program Files\Thunder\ComDlls\xunleiBHO_Now.dll, (Signed) Thunder Networking Technologies,LTD>
[Web Browser Applet Control]
  {08B0E5C0-4FCB-11CF-AAA5-00401C608501} <C:\WINDOWS\system32\msjava.dll, Microsoft Corporation> Note that there is no (Signed) and yet it shows Microsoft, so it should be checked; but msjava.dll is a legitimate file, as a web search confirms.
[信息检索(&R)]
  {92780B25-18CC-41C8-B9BE-3C9C571A8263} <C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL, (Signed) Microsoft Corporation>
[Messenger]
  {FB5F1910-F110-11d2-BB9E-00C04F795683} <C:\Program Files\Messenger\msmsgs.exe, (Signed) Microsoft Corporation>
[ThunderAtOnce Class]
  {01443AEC-0FD1-40FD-9C87-E93D1494C233} <C:\Program Files\Thunder\ComDlls\TDAtOnce_Now.dll, (Signed) Thunder Networking Technologies,LTD>
[AcroIEHlprObj Class]
  {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} <C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll, (Signed) Adobe Systems Incorporated> PDF reader plug-in.
[Web Browser Applet Control]
  {08B0E5C0-4FCB-11CF-AAA5-00401C608501} <C:\WINDOWS\system32\msjava.dll, Microsoft Corporation>
[PhotoDraw Class]
  {2375BEE5-F175-4F1C-81EC-8E4E2E72E2DD} <C:\Program Files\Tencent\qq\Qzone\QQPhotoDraw.dll, (Signed) TENCENT> QQ, Tencent.
[DHTML Edit Control Safe for Scripting for IE5]
  {2D360201-FFF5-11D1-8D03-00A0C959BC0A} <C:\Program Files\Common Files\Microsoft Shared\Triedit\dhtmled.ocx, (Signed) Microsoft Corporation>
[]
  {398C9B84-4EF7-47B5-9862-DE29543B3C42} <, >
[Thunder Agent Class]
  {485463B7-8FB2-4B3B-B29B-8B919B0EACCE} <C:\Program Files\Thunder\ComDlls\ThunderAgent_Now.dll, Thunder Networking Technologies,LTD>
[]
  {55302805-482E-470E-8A57-6795A1487F90} <, >
[Windows Media Player]
  {6BF52A52-394A-11D3-B153-00C04F79FAA6} <C:\WINDOWS\system32\wmp.dll, (Signed) Microsoft Corporation>
[Microsoft Web 浏览器]
  {8856F961-340A-11D0-A96B-00C04FD705A2} <C:\WINDOWS\system32\shdocvw.dll, (Signed) Microsoft Corporation>
[Thunder Browser Helper]
  {889D2FEB-5411-4565-8998-1DD2C5261283} <C:\Program Files\Thunder\ComDlls\xunleiBHO_Now.dll, (Signed) Thunder Networking Technologies,LTD>
[]
  {92780B25-18CC-41C8-B9BE-3C9C571A8263} <, >
[SearchAssistantOC]
  {B45FF030-4447-11D2-85DE-00C04FA35C89} <%SystemRoot%\system32\shdocvw.dll, (Signed) N/A>
[RDS.DataSpace]
  {BD96C556-65A3-11D0-983A-00C04FC29E36} <C:\Program Files\Common Files\System\msadc\msadco.dll, (Signed) Microsoft Corporation>
[AUDIO__X_MS_WMA Moniker Class]
  {CD3AFA84-B84F-48F0-9393-7EDC34128127} <C:\WINDOWS\system32\wmp.dll, (Signed) Microsoft Corporation>
[Shockwave Flash Object]
  {D27CDB6E-AE6D-11CF-96B8-444553540000} <C:\WINDOWS\system32\Macromed\Flash\Flash9f.ocx, (Signed) Adobe Systems, Inc.> FLASH
[]
  {E787FD25-8D7C-4693-AE67-9406BC6E22DF} <, >
[]
  {FB5F1910-F110-11D2-BB9E-00C04F795683} <, >
[使用迅雷下载]
  <C:\Program Files\Thunder\Program\geturl.htm, N/A>
[使用迅雷下载全部链接]
  <C:\Program Files\Thunder\Program\getallurl.htm, N/A>
[导出到 Microsoft Office Excel(&X)]
  <res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000, N/A>

==================================
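正在运行的进程 Process files (running processes); judge them the same way as above, paying attention to (Verified), the company name, the version number and the file path below.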
[PID: 892 / SYSTEM][\SystemRoot\System32\smss.exe]  [(Verified) Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 940 / SYSTEM][\??\C:\WINDOWS\system32\csrss.exe]  [(Verified) Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 964 / SYSTEM][\??\C:\WINDOWS\system32\winlogon.exe]  [(Verified) Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [C:\WINDOWS\system32\SSMSFltr.dll]  [Sony Corporation, 1.1.00.07261]
[PID: 1012 / SYSTEM][C:\WINDOWS\system32\services.exe]  [(Verified) Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [C:\WINDOWS\system32\SSMSFltr.dll]  [Sony Corporation, 1.1.00.07261]
[PID: 1024 / SYSTEM][C:\WINDOWS\system32\lsass.exe]  [(Verified) Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [C:\WINDOWS\system32\SSMSFltr.dll]  [Sony Corporation, 1.1.00.07261]
[PID: 1176 / SYSTEM][C:\WINDOWS\system32\svchost.exe]  [(Verified) Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)] Note that multiple svchost.exe processes are normal; svchost.exe itself is not a virus.
    [C:\WINDOWS\system32\SSMSFltr.dll]  [Sony Corporation, 1.1.00.07261]
[PID: 1244 / NETWORK SERVICE][C:\WINDOWS\system32\svchost.exe]  [(Verified) Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [C:\WINDOWS\system32\SSMSFltr.dll]  [Sony Corporation, 1.1.00.07261]
[PID: 1288 / SYSTEM][C:\WINDOWS\System32\svchost.exe]  [(Verified) Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [C:\WINDOWS\System32\SSMSFltr.dll]  [Sony Corporation, 1.1.00.07261]
[PID: 1380 / NETWORK SERVICE][C:\WINDOWS\system32\svchost.exe]  [(Verified) Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [C:\WINDOWS\system32\SSMSFltr.dll]  [Sony Corporation, 1.1.00.07261]
[PID: 1564 / LOCAL SERVICE][C:\WINDOWS\system32\svchost.exe]  [(Verified) Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [C:\WINDOWS\system32\SSMSFltr.dll]  [Sony Corporation, 1.1.00.07261]
[PID: 1756 / SYSTEM][c:\program files\rising\rfw\rfwsrv.exe]  [Beijing Rising Technology Corporation Limited, 3, 1, 0, 15]
    [c:\program files\rising\rfw\Rfwdrv.dll]  [Beijing Rising Technology Corporation Limited, 3, 0, 1, 3]
    [c:\program files\rising\rfw\psapi.dll]  [Microsoft Corporation, 4.00]
    [c:\program files\rising\rfw\rfwrule.dll]  [Beijing Rising Technology Corporation Limited, 3, 1, 0, 0]
    [c:\program files\rising\rfw\rfwlog.dll]  [Beijing Rising Technology Corporation Limited, 3, 1, 0, 2]
[PID: 1896 / SYSTEM][C:\WINDOWS\system32\spoolsv.exe]  [(Verified) Microsoft Corporation, 5.1.2600.2696 (xpsp_sp2_gdr.050610-1519)]
    [C:\WINDOWS\system32\SSMSFltr.dll]  [Sony Corporation, 1.1.00.07261]
    [C:\WINDOWS\system32\mdimon.dll]  [Microsoft Corporation, 11.3.1897.0]
    [C:\WINDOWS\system32\KMPMONNT.DLL]  [Conexant Systems, Inc., 0.0.0.1]
    [C:\WINDOWS\system32\KMdgimon.dll]  [Conexant Systems, Inc., 1.0.0.1]
    [C:\WINDOWS\System32\spool\PRTPROCS\W32X86\mdippr.dll]  [Microsoft Corporation, 11.3.1897.0]
[PID: 556 / SYSTEM][C:\WINDOWS\system32\KMDEVMONSRV.exe]  [N/A, ]
    [C:\WINDOWS\system32\KMdgimon.dll]  [Conexant Systems, Inc., 1.0.0.1]
[PID: 576 / SYSTEM][C:\WINDOWS\system32\KMdevmonx.exe]  [Conexant Systems, Inc., 1.0.0.1]
    [C:\WINDOWS\system32\KMdgimon.dll]  [Conexant Systems, Inc., 1.0.0.1]
[PID: 640 / SYSTEM][C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe]  [Analog Devices, Inc., 3, 2, 6, 0]
[PID: 716 / SYSTEM][C:\WINDOWS\system32\svchost.exe]  [(Verified) Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [C:\WINDOWS\system32\SSMSFltr.dll]  [Sony Corporation, 1.1.00.07261]
[PID: 752 / LOCAL SERVICE][C:\WINDOWS\system32\wdfmgr.exe]  [Microsoft Corporation, 5.2.3790.1230 built by: dnsrv(bld4act)]
[PID: 796 / SYSTEM][C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe]  [Sony Corporation, 1.1.00.07070]
    [C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFwImport.dll]  [Sony Corporation, 1.1.00.07070]
    [C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzCdb.dll]  [Sony Corporation, 1.1.00.07070]
    [C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzCs.dll]  [Sony Corporation, 1.1.00.07070]
    [C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\MSVCR71.dll]  [Microsoft Corporation, 7.10.3052.4]
    [C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\MSVCP71.dll]  [Microsoft Corporation, 7.10.3077.0]
    [C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzCdbLocalDB.dll]  [Sony Corporation, 1.1.00.07070]
    [C:\Program Files\Common Files\Sony Shared\AvLib\Metallic.dll]  [Sony Corporation, 2.7.00.14160]
    [C:\WINDOWS\system32\msjetoledb40.dll]  [, ] System file; see http://support.microsoft.com/kb/296931/zh-cn, which does not state this directly but serves as corroboration.
    [C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzCdbSsDb.dll]  [Sony Corporation, 1.1.00.07070]
[PID: 1688 / LOCAL SERVICE][C:\WINDOWS\System32\alg.exe]  [(Verified) Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [C:\WINDOWS\System32\SSMSFltr.dll]  [Sony Corporation, 1.1.00.07261]
[PID: 440 / vaio][c:\program files\rising\rfw\RfwMain.exe]  [Beijing Rising Technology Corporation Limited, 3, 1, 0, 11]
    [c:\program files\rising\rfw\RsGuiLib.dll]  [Beijing Rising Technology Co., Ltd., 17, 0, 0, 34]
    [c:\program files\rising\rfw\RSCOMMON.DLL]  [Beijing Rising Technology Co., Ltd., 17, 0, 0, 17]
    [c:\program files\rising\rfw\PngDll.dll]  [Rising, 17, 0, 0, 2]
    [c:\program files\rising\rfw\PSAPI.DLL]  [Microsoft Corporation, 4.00]
[PID: 604 / SYSTEM][C:\WINDOWS\system32\wuauclt.exe]  [(Verified) Microsoft Corporation, 7.2.6001.784 (winmain_oob/wu_wsuswlc(wmbla).080718-1904)]
    [C:\WINDOWS\system32\SSMSFltr.dll]  [Sony Corporation, 1.1.00.07261]
[PID: 316 / vaio][C:\WINDOWS\system32\taskmgr.exe]  [(Verified) Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [C:\WINDOWS\system32\SSMSFltr.dll]  [Sony Corporation, 1.1.00.07261]
[PID: 388 / vaio][C:\sreng2\SREngLdr.EXE]  [Smallfrogs Studio, 2.7.0.1210]
[PID: 616 / vaio][C:\sreng2\SRE28574cf0.EXE]  [Smallfrogs Studio, 2.7.0.1210]
    [C:\WINDOWS\system32\SSMSFltr.dll]  [Sony Corporation, 1.1.00.07261]
    [C:\sreng2\Upload\3rdUpd.DLL]  [Smallfrogs Studio, 2, 1, 0, 15]
There is nothing more to say here; because there is no explorer.exe process (the desktop did not start), this is all there is.
==================================
文件关联
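.TXT  Error. [C:\WINDOWS\notepad.exe %1] Although it shows Error, the path C:\WINDOWS\notepad.exe is correct, so it does not matter whether you repair it; the same goes for the entries below.
.EXE  OK. ["%1" %*] If exe files will not run properly, check whether this .exe file association is correct.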
.COM  OK. ["%1" %*]
.PIF  OK. ["%1" %*]
.REG  OK. [regedit.exe "%1"] Registry file.
.BAT  OK. ["%1" %*]
.SCR  OK. ["%1" /S]
.CHM  Error. ["hh.exe" %1]
.HLP  OK. [%SystemRoot%\system32\winhlp32.exe %1]
.INI  Error. [C:\WINDOWS\System32\NOTEPAD.EXE %1]
.INF  OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.VBS  OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.JS   OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.LNK  OK. [{00021401-0000-0000-C000-000000000046}]

==================================
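Winsock 提供者 If QQ can connect but web pages will not open, look here. Using NOD32 also modifies Winsock, but you can tell that the change was made by NOD32; some accelerators modify it too. Apart from these, whatever tampers with Winsock is a virus.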
N/A

==================================
Autorun.inf No need for me to elaborate: this is where autoplay viruses live.
N/A

==================================
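HOSTS 文件 The blacklist from 电脑报 (Computer News) and 360's malicious-URL protection both use this file for blocking, but if a legitimate site cannot be reached, check below whether an address has been blocked by mistake or by a virus.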
127.0.0.1       localhost

==================================
进程特权扫描
特殊特权被允许: SeLoadDriverPrivilege [PID = 388, C:\SRENG2\SRENGLDR.EXE]

==================================
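计划任务 The analysis assistant does not cover this item (scheduled tasks), so go back and check the scheduled tasks for viruses; note that 搜狗拼音 (Sogou Pinyin) also installs itself here.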
N/A

==================================
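API HOOK With Kaspersky, Rising (newer versions; this machine has an old version, hence nothing here), Kaka and the like, entry-point errors and RVA errors appear here, but the file path and file name tell you what is normal and what was caused by a virus.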
N/A

==================================
隐藏进程
N/A

==================================

  ************ End ************

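  That is basically it. There is nothing profound here: read more, look things up more, and remember more, and you will be able to analyze logs. It is simple as long as you have patience. The limitations are equally obvious, so when I say your log is clean, I mean only your log, not your computer or your system. Even after cleaning up and repairing according to the log, you should finish with a pass from other tools. Do not be too discouraged, though: in ordinary cases this is enough.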
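
The checks walked through in this log (IFEO debugger values, a non-empty AppInit_DLLs, the Winlogon shell and Userinit defaults, and driver or service images under a Temp folder) can be applied mechanically as a first triage pass. The following Python is an added example, not part of the original post or of SREng; it assumes a raw log without inline annotations, and its rule names, function names and SAMPLE_LOG (built from entries in the log above) are constructed for illustration.

```python
import re

# Line shapes in the SREng 2.7 log shown on this page.
KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]\s*$")
VALUE_RE = re.compile(r"^\s+<(?P<name>.*?)><(?P<data>.*)>\s+\[(?P<pub>.*)\]\s*$")
SVC_RE = re.compile(
    r"^\[(?P<disp>.+?) / (?P<name>.+?)\]\[(?P<state>[^/\]]+)/(?P<start>[^\]]+)\]\s*$")
SVC_PATH_RE = re.compile(r"^\s+<(?P<path>.*)><(?P<pub>[^<>]*)>\s*$")
TEMP_RE = re.compile(r"\\(?:temp|tmp)\\|\.tmp$", re.I)

WINLOGON = r"\windows nt\currentversion\winlogon"
USERINIT_DEFAULT = r"c:\windows\system32\userinit.exe,"  # note the trailing comma

# Constructed sample: entries copied from the log on this page, annotations removed.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    <shell><Explorer.exe>  []
    <Userinit><C:\WINDOWS\system32\UserInit.exe,>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    <AppInit_DLLs><fmsiocps.dll,qvmigb.dll>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMon.exe]
    <IFEO[RavMon.exe]><ntsd -d>  [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    <RavMon><C:\Program Files\Rising\Rav\RavMon.exe -system>  [Beijing Rising Technology Co., Ltd.]
[dohs / dohs][Stopped/Auto Start]
  <\??\C:\DOCUME~1\vaio\LOCALS~1\Temp\tmp6.tmp><N/A>
[Sony DMI Call service / DMICall][Running/System Start]
  <system32\DRIVERS\DMICall.sys><Sony Corporation>
"""


def check_value(key, name, data, pub):
    """Apply the page's registry heuristics to one <name><data> [publisher] line."""
    out = []
    lname = name.lower()
    if lname.startswith("ifeo["):
        # A debugger value under Image File Execution Options redirects the program.
        out.append(("ifeo-debugger", f"{name} -> {data}"))
    elif lname == "appinit_dlls" and data.strip():
        # Default is empty; security products may also appear here, so review by hand.
        out.append(("appinit-dlls-not-empty", data))
    elif key.endswith(WINLOGON) and lname == "shell":
        if data.strip().lower() != "explorer.exe":
            out.append(("shell-value-changed", data))
        elif not pub.strip():
            # Value is right but the file carries no publisher info: check the file.
            out.append(("shell-file-no-publisher", data))
    elif key.endswith(WINLOGON) and lname == "userinit":
        if data.strip().lower() != USERINIT_DEFAULT:
            out.append(("userinit-value-changed", data))
    return out


def check_service(name, start, path):
    """Flag a service or driver whose image sits in a Temp folder or is a .tmp file."""
    image = path.split("-->")[-1].strip().strip('"')  # svchost entries: take the DLL
    if TEMP_RE.search(image):
        return [("image-in-temp", f"{name} [{start}] {image}")]
    return []


def analyze(log_text):
    """Return a list of (rule, detail) findings for an unannotated SREng log."""
    findings = []
    key = None   # current registry key, lower-cased
    svc = None   # current (service name, start type) awaiting its path line
    for line in log_text.splitlines():
        m = KEY_RE.match(line)
        if m:
            key, svc = m.group(1).lower(), None
            continue
        m = SVC_RE.match(line)
        if m:
            key, svc = None, (m.group("name"), m.group("start"))
            continue
        m = VALUE_RE.match(line)
        if m and key:
            findings += check_value(key, m.group("name"), m.group("data"), m.group("pub"))
            continue
        m = SVC_PATH_RE.match(line)
        if m and svc:
            findings += check_service(svc[0], svc[1], m.group("path"))
            svc = None
    return findings


if __name__ == "__main__":
    for rule, detail in analyze(SAMPLE_LOG):
        print(f"{rule:26} {detail}")
```

A hit is only a prompt to inspect the file by hand: as noted above, legitimate security products also write to AppInit_DLLs, and a clean result says nothing about the system beyond the log.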


>> Unless otherwise stated, all content is original; when reposting, please credit the source: http://www.stormcn.cn/post/202.html
