sreng日志分析菜苗级别的小结(二)
发布:cxd44 | 发布时间: 2008年11月14日第二部分,黑白配(部分是自己根据手头的几个日志提取的,^_^ 这部分要严重感谢下百度专家崔衍渠老师的正常的注册表项目的文章 ) 为了让文字不至于太长删除了一些 更多的请下载附件 常见的正常注册表加载项目收集.txt (25.86 KB)
----------------------------------
teYqiu【天下无毒】原创文章,转载请标明。http://hi.baidu.com/teyqiu
百度知道反病毒知识专家崔衍渠 授权。 『转载请保留此申明!』
----------------------------------
本帖原始地址:http://hi.baidu.com/teyqiu/blog/item/cc0f7bf435db43d8f2d38577.html
注意更新!
用途:收集不能一眼识别但却是良民的部分正常注册表、服务、驱动项目
Quote:
一、注册表项目
1.02 NVIDIA显卡相关程序
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<NvCplDaemon><; RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup> [NVIDIA Corporation]
<NvMediaCenter><; RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit> [NVIDIA Corporation]
<nwiz><; nwiz.exe /install> []
1.03 常见的一款摄像头相关程序
<BigDogPath><C:\WINDOWS\VM_STI.EXE PC Camera CAMCAN> [N/A]
1.04 某摄像头
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
<domino><C:\WINDOWS\domino.exe>
1.06 暴风影音早期版本的解码器设置程序 貌似现在不常见了
<StormCodec_Helper><"E:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" /S /opti> []
1.07 安装rayfile的上传控件 RaySource 以后安装的一个东西
<Grid Service><"C:\Program Files\GridService\peer.exe" -n Grid> [Mercury]
1.12 realsched.exe进程是RealPlayer自动升级程序realplayer automacticly update,一般来说没多大用处
[TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
1.13 windows外壳程序 正常只存在explorer.exe一个项目,有病毒喜欢在这里加载比如explorer.exe virus.exe
<shell><Explorer.exe> [(Verified)Microsoft Windows Publisher]
1.14 Userinit.exe是Windows操作系统一个关键进程。用于管理不同的启动顺序,例如在建立网络链接和Windows壳的启动。正常路径%systemroot%\system32 并且只有一个项目描述为Verified,前一段时间机器狗会修改此文件 (注意如果安装了金山毒霸杀毒以后在使用sreng会提示userinit被修改 请不要紧张 ^_^ 只是毒霸每次杀毒都尝试修改这个注册表键值导致后面的那个小点没了 ^_^)
<Userinit><C:\WINDOWS\system32\userinit.exe,> [(Verified)Microsoft Windows Publisher]
1.15 logonui.exe是一个系统进程,用于显示微软Windows XP系统用户切换界面。这个程序对你系统的正常运行是非常重要的一般是logonui.exe 如果你为了系统的美丽安装了系统美化软件(比如xp变脸王)这里也会被修改哦,look ^_^
<UIHost><logonui.exe> [(Verified)Microsoft Windows Publisher]
<UIHost><D:\Program Files\XP变脸王\Logons\Donald Duck Login\Donald duck.exe> [JJ Studio]
1.16 以下项目一般都是空,如果存在程序要严重注意下哦
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<load><> [N/A]
<run><> [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<AppInit_DLLs><> [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<AppInit_DLLs><wbsys.dll> [Stardock.Net, Inc]
注意:木马克星软件,如果出现以下dll文件建议先确认是否有安全木马克星
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<AppInit_DLLs><APIHookDll.dll> [N/A]
1.17 当系统蓝屏以后会出现的启动项目
<KernelFaultCheck><%systemroot%\system32\dumprep 0 -k> [File is missing]
1.18 一般为空很少有程序会修改这个,修改了要多注意下
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
例外:^_^ 有些安全软件貌似在这里新增注册表项目的
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
<{32CD708B-60A7-4C00-9377-D73EAA495F0F}><C:\WINDOWS\system32\RavExt.dll> [(Verified)Beijing Rising Science and Technology Corporation Limited]
1.19 一般为空很少有程序会修改这个,修改了要多注意下
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
1.20 以下都是一些常见的系统或者安全软件加载项目一般没问题
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
<PostBootReminder><%SystemRoot%\system32\SHELL32.dll> [(Verified)Microsoft Windows Publisher]
<CDBurn><%SystemRoot%\system32\SHELL32.dll> [(Verified)Microsoft Windows Publisher]
<WebCheck><%SystemRoot%\system32\webcheck.dll> [(Verified)Microsoft Windows Publisher]
<SysTray><C:\WINDOWS\system32\stobject.dll> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\klogon]
<WinlogonNotify: klogon><C:\windows\system32\klogon.dll> [Kaspersky Lab]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}]
<Internet Explorer><%systemroot%\system32\shmgrate.exe OCInstallUserConfigIE> [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}]
<Outlook Express><%systemroot%\system32\shmgrate.exe OCInstallUserConfigOE> [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}]
<Themes Setup><%SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll> [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
<Microsoft Outlook Express 6><"%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install> [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}]
<NetMeeting 3.01><rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5945c046-1e7d-11d1-bc44-00c04fd912be}]
<Windows Messenger 4.7><rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
<Microsoft Windows Media Player><rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp10.inf,PerUserStub> [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
<通讯簿 6><"%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install> [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
<WinlogonNotify: crypt32chain><crypt32.dll> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
<WinlogonNotify: cryptnet><cryptnet.dll> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
<WinlogonNotify: cscdll><cscdll.dll> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
<WinlogonNotify: ScCertProp><wlnotify.dll> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
<WinlogonNotify: Schedule><wlnotify.dll> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
<WinlogonNotify: sclgntfy><sclgntfy.dll> [(Verified)Microsoft Windows XP Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
<WinlogonNotify: SensLogn><WlNotify.dll> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
<WinlogonNotify: termsrv><wlnotify.dll> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
<WinlogonNotify: wlballoon><wlnotify.dll> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
<{438755C2-A8BA-11D1-B96B-00A0C90312E1}><%SystemRoot%\system32\browseui.dll> [(Verified)Microsoft Windows Component Publisher]
<{8C7461EF-2B13-11d2-BE35-3078302C2030}><%SystemRoot%\system32\browseui.dll> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
<Microsoft Windows Media Player><C:\WINDOWS\inf\unregmp2.exe /ShowWMP> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS]
<浏览器自定义组件><RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}]
<Themes Setup><%SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll> [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
<Microsoft Windows Media Player><rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp10.inf,PerUserStub> [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
<通讯簿 6><"%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install> [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}]
<Windows 桌面更新><regsvr32.exe /s /n /i:U shell32.dll> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}]
<Internet Explorer 6><%SystemRoot%\system32\ie4uinit.exe> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}]
<N/A><C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install> [Microsoft Corporation]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
<WPDShServiceObj><C:\WINDOWS\system32\WPDShServiceObj.dll> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\System Safety Monitor]
<WinlogonNotify: System Safety Monitor><SSMWinlogonEx.dll> [(Verified)System Safety Limited]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\<{12d0ed0d-0ee0-4f90-8827-78cefb8f4988}]
<IE7 Uninstall Stub><C:\WINDOWS\system32\ieudinit.exe> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}]
<Outlook Express><%systemroot%\system32\shmgrate.exe OCInstallUserConfigOE> [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}]
<Themes Setup><%SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll> [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
<Microsoft Outlook Express 6><"%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install> [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}]
<NetMeeting 3.01><rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path]
<IFEO[Your Image File Name Here without a path]><ntsd -d> [N/A]
1.22 如下几项均为IBM笔记本系列的正常组件的启动 当然可以考虑屏蔽不建议删除。
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\tpfnf2]
<WinlogonNotify: tpfnf2><notifyf2.dll>[]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\tphotkey]
<WinlogonNotify: tphotkey><tphklock.dll>[]
1.23 壁纸自动换
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<switch><c:\windows\system32\壁纸自动换.exe> []
<switch><c:\windows\system32\bgswitch.exe>[]
Quote:
第二,服务
2.01 人机接口设备,一般清理专家日志显示为残留
[Human Interface Device Access / HidServ][Stopped/Disabled]
<C:\windows\System32\svchost.exe -k netsvcs-->%SystemRoot%\System32\hidserv.dll><N/A>
2.04 windows帮助中心
[Help and Support / helpsvc][Stopped/Disabled]
<C:\WINDOWS\System32\svchost.exe -k netsvcs-->%WINDIR%\PCHealth\HelpCtr\Binaries\pchsvc.dll><N/A>
2.05 如下为IBM笔记本的正常组件的服务启动 可根据需要屏蔽部分但不建议删除。
[Ac Profile Manager Service / AcPrfMgrSvc][Running/Auto Start]
<C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe><N/A>
[Access Connections Main Service / AcSvc][Running/Auto Start]
<C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe><Lenovo>
[ThinkPad PM Service / IBMPMSVC][Running/Auto Start]
<C:\WINDOWS\system32\ibmpmsvc.exe><>
[IBM KCU Service / TpKmpSVC][Running/Auto Start]
<C:\WINDOWS\system32\TpKmpSVC.exe><N/A>
2.06 ATI显卡
[ATI Smart / ATI Smart][Stopped/Auto Start]
<C:\WINDOWS\system32\ati2sgag.exe><>
2.11 微软的系统恢复服务
[System Restore Service / srservice][Stopped/Auto Start]
<C:\WINDOWS\system32\svchost.exe -k netsvcs-->C:\WINDOWS\system32\srsvc.dll><N/A>
Quote:
第三,驱动程序
3.01 ALi mini IDE Driver provided by Acer Laboratories Inc
[AliIde / AliIde][Stopped/Boot Start]
<\SystemRoot\System32\DRIVERS\aliide.sys><N/A>
[atitray / atitray][Stopped/System Start]
<\??\e:\NGOATI~1.3\ATT\atitray.sys><N/A>
3.03 VIA AC'97 Audio Controller
[VIA AC'97 Audio Controller (WDM) / VIAudio][Stopped/Manual Start]
<system32\drivers\viaudio.sys><N/A>
3.04 天网防火墙
[SKNFW / SKNFW][Running/System Start]
<\??\C:\WINDOWS\system32\Drivers\SKNFW.sys><N/A>
[SkyProcs / SkyProcs][Stopped/Manual Start]
<\??\C:\PROGRA~1\SkyNet\Firewall\SkyProcs.sys><N/A>
3.05 USB摄像头
[USB PC Camera (SNPSTD3) / SNPSTD3][Stopped/Manual Start]
<system32\DRIVERS\snpstd3.sys><>
[USB PC Camera 301P / ZSMC301b][Stopped/Manual Start]
<System32\Drivers\usbVM31b.sys><VM>
[Teclast WE PC Camera / ZSMC301b][Running/Manual Start]
<System32\Drivers\usbVM31b.sys><VM>
[Jollytime PC Camera / ZSMC301b][Stopped/Manual Start]
<System32\Drivers\usbVM31b.sys><VM>
[USB Data Cable / usb2vcom][Stopped/Manual Start]
<system32\DRIVERS\usb2vcom.sys><>
3.06 sptd.sys是daemon tools虚拟光驱的一个文件
[sptd / sptd][Running/Boot Start]
<\SystemRoot\System32\Drivers\sptd.sys><N/A>
[dtscsi / dtscsi][Running/Manual Start]
<\SystemRoot\System32\Drivers\dtscsi.sys><N/A>
[d347bus / d347bus][Running/Boot Start]
<\SystemRoot\system32\DRIVERS\d347bus.sys><>
[d347prt / d347prt][Running/Boot Start]
<\SystemRoot\System32\Drivers\d347prt.sys><>
3.08 The SCSI/RAID Host Controller driver by Microtek Lab
[SMPLSCSI / SMPLSCSI][Stopped/Boot Start]
<\SystemRoot\System32\drivers\SMPLSCSI.SYS><N/A>
3.09 招商银行网上银行大众版登录插件
[CMBProtector / CMBProtector][Running/Auto Start]
<\??\D:\WINDOWS\system32\Drivers\CMBProtector.dat><N/A>
3.10 某主板驱动
[3WAREDRV / 3WAREDRV][Stopped/Boot Start]
<\SystemRoot\System32\DRIVERS\3WAREDRV.SYS><N/A>
[3WAREGSM / 3WAREGSM][Stopped/Boot Start]
<\SystemRoot\System32\DRIVERS\3waregsm.sys><N/A>
[3WDRV100 / 3WDRV100][Stopped/Boot Start]
<\SystemRoot\System32\DRIVERS\3WDRV100.SYS><N/A>
3.11 AntiARP Sniffer的驱动(注意是否有安装arp防火墙 如果不确定建议先禁用之)
[oreans32 / oreans32]
<\??\C:\WINDOWS\system32\drivers\oreans32.sys><N/A>
3.14 Lenovo的驱动
[Lenovo file protect service / fsp]
<C:\WINDOWS\fsp.exe><N/A>
[Lenovo auto login helper / usblogon]
<C:\WINDOWS\usblogon.exe><N/A>
3.15 蓝牙设备驱动
[Bluetooth Audio Service / BlueletAudio][Stopped/Manual Start]
<system32\DRIVERS\blueletaudio.sys><N/A>
[Bluetooth PAN Network Adapter / BT][Stopped/Manual Start]
<system32\DRIVERS\btnetdrv.sys><N/A>
[Bluetooth HID Enumerator / BTHidEnum][Stopped/Manual Start]
<system32\DRIVERS\vbtenum.sys><N/A>
[Bluetooth HID Manager Service / BTHidMgr][Stopped/Boot Start]
<\SystemRoot\System32\Drivers\BTHidMgr.sys><N/A>
[Bluetooth VComm Manager Service / VcommMgr][Stopped/Manual Start]
<System32\Drivers\VcommMgr.sys><N/A>
3.16 Lenovo的IBM笔记本某驱动
[TDSMAPI / TDSMAPI][Stopped/System Start]
<System32\drivers\TDSMAPI.SYS><N/A>
[TPInput / TPInput][Running/Manual Start]
<System32\DRIVERS\TPInput.sys><IBM Corporation>
[TPPWRIF / TPPWRIF][Stopped/System Start]
<System32\drivers\Tppwrif.sys><N/A>
[TSMAPIP / TSMAPIP][Stopped/System Start]
<System32\drivers\TSMAPIP.SYS><N/A>
3.18 完美卸载 软件的驱动
[PnpWmkDrv / PnpWmkDrv][Stopped/System Start]
<\??\C:\WINDOWS\system32\drivers\PnpWmkDrv.sys><N/A>
3.20 Windows XP 核心驱动,常常被人当病毒驱动黑掉
[Secdrv / Secdrv][Stopped/Manual Start]
<system32\DRIVERS\secdrv.sys><N/A>
3.21 The process WDM WST Codec Driver belongs to the software Microsoft(R) Windows(R) Operating System by Microsoft Corporation (www.microsoft.com).
[World Standard Teletext Codec / WSTCODEC][Stopped/Manual Start]
<system32\DRIVERS\WSTCODEC.SYS><Microsoft Corporation>
3.22 Av/机器狗/磁碟机专杀6.4以后出现的自我保护驱动
[KBaseZS / KBaseZS][Running/Disabled]
<\??\C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\WTEF81E3\KBaseZS.sys><N/A>
3.23 金山清理专家啊/毒霸2007,2008恶意软件清理驱动
[ATSpy / ATSpy][Running/Manual Start]
<\??\C:\WINDOWS\system32\ATSpy.sys><N/A>
3.24 WinPcap的一个驱动程序吧
[Netgroup Packet Filter / NPF][Stopped/Manual Start]
<system32\drivers\npf.sys><N/A>
Quote:
第四,文件关联:
4.01 以下文件关联常出现类似提示其实是正常的可以无视之
.TXT Error. [C:\windows\notepad.exe %1]
.CHM Error. ["hh.exe" %1]
.HLP Error. [winhlp32.exe %1]
.SCR Error. [AutoCADScriptFile]
Quote:
第五,Winsock 提供者
5.1 dr.com宽带网客户端的应用程序扩展
MSAFD Tcpip [TCP/IP]
C:\WINDOWS\system32\TcpIpDog0.dll(, N/A)
MSAFD Tcpip [UDP/IP]
C:\WINDOWS\system32\TcpIpDog0.dll(, N/A)
MSAFD Tcpip [RAW/IP]
C:\WINDOWS\system32\TcpIpDog0.dll(, N/A)
RSVP UDP Service Provider
C:\WINDOWS\system32\TcpIpDogR0.dll(, N/A)
RSVP TCP Service Provider
C:\WINDOWS\system32\TcpIpDogR0.dll(, N/A)
5.2 nod32的网页扫描相关的
NOD32 protected [MSAFD Tcpip [TCP/IP]]
imon.dll(Eset , NOD32 IMON - Internet scanning support)
NOD32 protected [MSAFD Tcpip [UDP/IP]]
imon.dll(Eset , NOD32 IMON - Internet scanning support)
NOD32 protected [MSAFD Tcpip [RAW/IP]]
imon.dll(Eset , NOD32 IMON - Internet scanning support)
NOD32 protected [RSVP UDP Service Provider]
imon.dll(Eset , NOD32 IMON - Internet scanning support)
NOD32 protected [RSVP TCP Service Provider]
imon.dll(Eset , NOD32 IMON - Internet scanning support)
NOD32
imon.dll(Eset , NOD32 IMON - Internet scanning support)
Quote:
第六 hosts项目
6.1 正常的只有一项
127.0.0.1 localhost
Quote:
第七,API HOOK
7.1 API HOOK
入口点错误:LoadLibraryExW (危险等级: 高, 被下面模块所HOOK: C:\KAV2007\KASocket.dll)
7.2 卡巴斯基杀毒软件的正常hook
RVA 错误: LoadLibraryA (危险等级: 高, 被下面模块所HOOK: \??\C:\windows\system32\drivers\klif.sys)
RVA 错误: LoadLibraryExA (危险等级: 高, 被下面模块所HOOK: \??\C:\windows\system32\drivers\klif.sys)
RVA 错误: LoadLibraryExW (危险等级: 高, 被下面模块所HOOK: \??\C:\windows\system32\drivers\klif.sys)
RVA 错误: LoadLibraryW (危险等级: 高, 被下面模块所HOOK: \??\C:\windows\system32\drivers\klif.sys)
RVA 错误: GetProcAddress (危险等级: 高, 被下面模块所HOOK: \??\C:\windows\system32\drivers\klif.sys)
原创文章如转载,请注明:转载自雪东博客 [ http://www.xuedong.net/ ]
本文链接地址:http://www.xuedong.net/post/406.html
发布:cxd44 | 分类:网络安全 | 评论:0 | 引用:0 | 浏览:
| TrackBack引用地址
- 相关文章:
sreng日志分析菜苗级别的小结(一) (2008-11-14 10:51:17)
System Repair Engineer (SREng) 2.5 使用教程 (2008-11-14 10:49:54)
System Repair Engineer (SREng) 2.7 Beta 发布 (2008-10-7 0:21:21)
发表评论
◎欢迎参与讨论,请在这里发表您的看法、交流您的观点。
