[日志分析 1 ]讲义 bbs.ikaka.com

xyz002 - 2009-7-7 20:30:00

引用:

原帖由 clnfhd 于 2009-7-7 20:22:00 发表
看了课件有很多疑问，请老师解答，太感谢了~！:kaka18:

启动项课件中写的，“黄框标出来的都是病毒文件”，判断原因是没有公司信息吗？还是别的原因？

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}]

基本我的问题都包含在他这里面了（55楼）

_逸枫_ - 2009-7-7 20:30:00

引用:

原帖由 wy13008218 于 2009-7-7 20:26:00 发表

引用:

原帖由言兮于 2009-7-7 20:22:00 发表
搞不懂。老师那[N/A]和PID是什么含义呀？:kaka2:

一个没有，一个，具体什么用不知道，老师说，具体的病毒表现老师能给一个么？

　　N/A：Not Available 不可用具体讲有没有、不可获得之类的意思根据实际情况自己理解吧
PID我不会解释，太概念化了嘿嘿

se7ensun - 2009-7-7 20:30:00

引用:

原帖由 a123b_lin 于 2009-7-7 20:13:00 发表
正在运行的进程
[C:\WINDOWS\system32\guard32.dll] [N/A, ]

我的进程里多是这个，guard32.dll是什么啊？

这个明显是comodo的~呵呵~~~~~~

se7ensun - 2009-7-7 20:31:00

引用:

原帖由 xyz002 于 2009-7-7 20:30:00 发表
[quote] 原帖由 clnfhd 于 2009-7-7 20:22:00 发表
看了课件有很多疑问，请老师解答，太感谢了~！:kaka18:

启动项课件中写的，“黄框标出来的都是病毒文件”，判断原因是没有公司信息吗？还是别的原因？

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Compo

公司信息还要看签名的吧~

bluesonata - 2009-7-7 20:34:00

host文件被修改了就打不开有些网页了，如果在日志里发现了问题，怎么把它改回来呢？

这个问题差不多可以总结一下，就是在日志里发现可疑文件了怎么去修改？

===================以下内容为lqqk7回复==================
可以找到hosts文件，直接用记事本打开，编辑里面的内容之后保存即可。另外也可以用sreng将hosts重置为初始状态（见图）

sreng修复系统的操作方法可以参考14楼的那两个帖子

言兮 - 2009-7-7 20:37:00

正在运行的进程太多了，各位老大帮忙分析下看有问题没有，另外谁有好的工具清理垃圾进程的，传到群共享里个，我到时候下下来用用。

正在运行的进程
[PID: 828][\SystemRoot\System32\smss.exe] [(Verified) Microsoft Corporation, 5.1.2600.5512 (xpsp.080413-2111)]
[PID: 900][\??\C:\WINDOWS\system32\csrss.exe] [(Verified) Microsoft Corporation, 5.1.2600.5512 (xpsp.080413-2111)]
[PID: 924][\??\C:\WINDOWS\system32\winlogon.exe] [Microsoft Corporation, 5.1.2600.5512 (xpsp.080413-2113)]
[C:\WINDOWS\system32\uxtheme.dll] [Microsoft Corporation, 6.00.2900.5512 (xpsp.080413-2105)]
[PID: 968][C:\WINDOWS\system32\services.exe] [(Verified) Microsoft Corporation, 5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)]
[PID: 980][C:\WINDOWS\system32\lsass.exe] [(Verified) Microsoft Corporation, 5.1.2600.5512 (xpsp.080413-2113)]
[C:\WINDOWS\system32\UxTheme.dll] [Microsoft Corporation, 6.00.2900.5512 (xpsp.080413-2105)]
[PID: 1168][C:\WINDOWS\system32\svchost.exe] [(Verified) Microsoft Corporation, 5.1.2600.5512 (xpsp.080413-2111)]
[C:\WINDOWS\system32\UxTheme.dll] [Microsoft Corporation, 6.00.2900.5512 (xpsp.080413-2105)]
[PID: 1264][C:\WINDOWS\system32\svchost.exe] [(Verified) Microsoft Corporation, 5.1.2600.5512 (xpsp.080413-2111)]
[C:\WINDOWS\system32\UxTheme.dll] [Microsoft Corporation, 6.00.2900.5512 (xpsp.080413-2105)]
[PID: 1416][C:\Program Files\Rising\Ris\CCENTER.EXE] [Beijing Rising Information Technology Co., Ltd., 21, 0, 0, 2]
[C:\Program Files\Rising\Ris\combase.dll] [Beijing Rising Information Technology Co., Ltd., 21, 0, 0, 11]
[C:\Program Files\Rising\Ris\cnt09.dll] [Beijing Rising Information Technology Co., Ltd., 21, 0, 0, 37]
[C:\Program Files\Rising\Ris\cnt08.dll] [Beijing Rising Information Technology Co., Ltd., 21, 0, 0, 7]
[C:\WINDOWS\system32\uxtheme.dll] [Microsoft Corporation, 6.00.2900.5512 (xpsp.080413-2105)]
[PID: 1424][C:\WINDOWS\System32\svchost.exe] [(Verified) Microsoft Corporation, 5.1.2600.5512 (xpsp.080413-2111)]
[C:\WINDOWS\System32\UxTheme.dll] [Microsoft Corporation, 6.00.2900.5512 (xpsp.080413-2105)]
[PID: 1468][C:\Program Files\Rising\Ris\RavTask.exe] [Beijing Rising Information Technology Co., Ltd., 21, 0, 0, 24]
[C:\Program Files\Rising\Ris\proccomm.dll] [Beijing Rising Information Technology Co., Ltd., 21, 0, 0, 46]
[C:\WINDOWS\system32\MSVCR71.dll] [Microsoft Corporation, 7.10.3052.4]
[C:\WINDOWS\system32\MSVCP71.dll] [Microsoft Corporation, 7.10.3077.0]
[C:\Program Files\Rising\Ris\rsconf.dll] [Beijing Rising Information Technology Co., Ltd., 21, 0, 0, 4]
[C:\Program Files\Rising\Ris\RSAPPMGR.dll] [Beijing Rising Information Technology Co., Ltd., 21.0.0.1]
[C:\Program Files\Rising\Ris\CfgDll.dll] [Beijing Rising Information Technology Co., Ltd., 21.0.0.20]
[C:\Program Files\Rising\Ris\rstask.dll] [Beijing Rising Information Technology Co., Ltd., 21, 0, 0, 40]
[C:\Program Files\Rising\Ris\rsstub.dll] [Beijing Rising Information Technology Co., Ltd., 21, 0, 0, 12]
[C:\WINDOWS\system32\uxtheme.dll] [Microsoft Corporation, 6.00.2900.5512 (xpsp.080413-2105)]
[PID: 1504][C:\WINDOWS\system32\svchost.exe] [(Verified) Microsoft Corporation, 5.1.2600.5512 (xpsp.080413-2111)]
[C:\WINDOWS\system32\UxTheme.dll] [Microsoft Corporation, 6.00.2900.5512 (xpsp.080413-2105)]
[PID: 1632][C:\WINDOWS\system32\svchost.exe] [(Verified) Microsoft Corporation, 5.1.2600.5512 (xpsp.080413-2111)]
[C:\WINDOWS\system32\UxTheme.dll] [Microsoft Corporation, 6.00.2900.5512 (xpsp.080413-2105)]
[PID: 1952][C:\WINDOWS\Explorer.EXE] [(Verified) Microsoft Corporation, 6.00.2900.5512 (xpsp.080413-2105)]
[C:\WINDOWS\system32\UxTheme.dll] [Microsoft Corporation, 6.00.2900.5512 (xpsp.080413-2105)]
[C:\WINDOWS\system32\browselc.dll] [Microsoft Corporation, 6.00.2900.5512 (xpsp.080413-2105)]
[C:\Program Files\Thunder\ComDlls\TDAtOnce_Now.dll] [Thunder Networking Technologies,LTD, 1.0.5.29]
[C:\Program Files\Thunder\ComDlls\xunleiBHO_Now.dll] [Thunder Networking Technologies,LTD, 5, 0, 8, 96]
[C:\Program Files\WinRAR\rarext.dll] [N/A, ]
[C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.5581_x-ww_dfbc4fc4\gdiplus.dll] [Microsoft Corporation, 5.1.3102.5581 (xpsp_sp3_qfe.080415-1416)]
[C:\WINDOWS\system32\shdoclc.dll] [Microsoft Corporation, 6.00.2900.5512 (xpsp.080413-2105)]
[C:\WINDOWS\system32\UNISPIM6.IME] [北京紫光华宇软件股份有限公司, 6.2.0.7]
[PID: 1988][C:\WINDOWS\system32\ctfmon.exe] [(Verified) Microsoft Corporation, 5.1.2600.5512 (xpsp.080413-2105)]
[C:\WINDOWS\system32\UxTheme.dll] [Microsoft Corporation, 6.00.2900.5512 (xpsp.080413-2105)]
[PID: 160][C:\Program Files\Rising\Ris\RsTray.exe] [Beijing Rising Information Technology Co., Ltd., 21.0.0.22]
[C:\WINDOWS\system32\uxtheme.dll] [Microsoft Corporation, 6.00.2900.5512 (xpsp.080413-2105)]
[C:\Program Files\Rising\Ris\ComServ.dll] [Beijing Rising Information Technology Co., Ltd., 21.0.0.49]
[C:\WINDOWS\system32\MSVCP71.dll] [Microsoft Corporation, 7.10.3077.0]
[C:\WINDOWS\system32\MSVCR71.dll] [Microsoft Corporation, 7.10.3052.4]
[C:\Program Files\Rising\Ris\rslang.dll] [Beijing Rising Information Technology Co., Ltd., 21, 0, 0, 28]
[C:\Program Files\Rising\Ris\comx3.dll] [Beijing Rising Information Technology Co., Ltd., 21.0.0.37]
[C:\Program Files\Rising\Ris\Syslay.dll] [Beijing Rising Information Technology Co., Ltd., 21.0.0.6]
[C:\Program Files\Rising\Ris\rsxml.dll] [Beijing Rising Information Technology Co., Ltd., 21, 0, 0, 2]
[C:\Program Files\Rising\Ris\ProcComm.dll] [Beijing Rising Information Technology Co., Ltd., 21, 0, 0, 46]
[C:\Program Files\Rising\Ris\MonState.dll] [Beijing Rising Information Technology Co., Ltd., 21, 0, 0, 7]
[C:\Program Files\Rising\Ris\ScanEvnt.dll] [Beijing Rising Information Technology Co., Ltd., 21.0.0.14]
[C:\Program Files\Rising\Ris\rsguilib.dll] [Beijing Rising Information Technology Co., Ltd., 21, 0, 0, 75]
[C:\WINDOWS\system32\MFC71.DLL] [Microsoft Corporation, 7.10.3077.0]
[C:\Program Files\Rising\Ris\rsconf.dll] [Beijing Rising Information Technology Co., Ltd., 21, 0, 0, 4]
[C:\Program Files\Rising\Ris\RSAPPMGR.dll] [Beijing Rising Information Technology Co., Ltd., 21.0.0.1]
[C:\Program Files\Rising\Ris\CfgDll.dll] [Beijing Rising Information Technology Co., Ltd., 21.0.0.20]
[C:\Program Files\Rising\Ris\rfwrule.dll] [Beijing Rising Information Technology Co., Ltd., 21.0.0.25]
[C:\Program Files\Rising\Ris\rspalvd.dll] [Beijing Rising Information Technology Co., Ltd., 21.0.0.26]
[C:\Program Files\Rising\Ris\rsnetsvr.dll] [Beijing Rising Information Technology Co., Ltd., 21, 0, 0, 14]
[C:\Program Files\Rising\Ris\ravbintl.dll] [Beijing Rising Information Technology Co., Ltd., 21, 0, 0, 29]
[C:\Program Files\Rising\Ris\mruleui.dll] [Beijing Rising Information Technology Co., Ltd., 21, 0, 0, 10]
[C:\Program Files\Rising\Ris\MonTray.dll] [Beijing Rising Information Technology Co., Ltd., 21.0.1.4]
[C:\Program Files\Rising\Ris\PngDll.dll] [Beijing Rising Information Technology Co., Ltd., 21, 0, 0, 4]
[C:\Program Files\Rising\Ris\RavITray.dll] [Beijing Rising Information Technology Co., Ltd., 21, 0, 0, 23]
[C:\Program Files\Rising\Ris\ScanPrxy.dll] [Beijing Rising Information Technology Co., Ltd., 21.0.0.17]
[C:\Program Files\Rising\Ris\rfwtray.dll] [Beijing Rising Information Technology Co., Ltd., 21, 0, 1, 12]
[C:\Program Files\Rising\Ris\rsmginfo.dll] [Beijing Rising Information Technology Co., Ltd., 21, 0, 0, 11]
[C:\Program Files\Rising\Ris\rfwlog.dll] [Beijing Rising Information Technology Co., Ltd., 21, 0, 0, 13]
[PID: 204][C:\WINDOWS\ZSSnp211.exe] [ZSMCSNAP, 3, 6, 818, 7]
[C:\WINDOWS\system32\uxtheme.dll] [Microsoft Corporation, 6.00.2900.5512 (xpsp.080413-2105)]
[C:\WINDOWS\system32\msdmo.dll] [, ]
[C:\WINDOWS\system32\ZS211Prp.Ax] [ZSMC, 3, 6, 703, 15]
[PID: 424][C:\Program Files\Rising\Ris\rsnetsvr.exe] [Beijing Rising Information Technology Co., Ltd., 21, 0, 0, 15]
[C:\Program Files\Rising\Ris\NComm.dll] [Beijing Rising Information Technology Co., Ltd., 6.0.0.12]
[C:\Program Files\Rising\Ris\Syslay.dll] [Beijing Rising Information Technology Co., Ltd., 21.0.0.6]
[C:\Program Files\Rising\Ris\comx3.dll] [Beijing Rising Information Technology Co., Ltd., 21.0.0.37]
[C:\Program Files\Rising\Ris\ProcComm.dll] [Beijing Rising Information Technology Co., Ltd., 21, 0, 0, 46]
[C:\WINDOWS\system32\MSVCR71.dll] [Microsoft Corporation, 7.10.3052.4]
[C:\WINDOWS\system32\MSVCP71.dll] [Microsoft Corporation, 7.10.3077.0]
[C:\WINDOWS\system32\uxtheme.dll] [Microsoft Corporation, 6.00.2900.5512 (xpsp.080413-2105)]
[PID: 448][C:\WINDOWS\system32\svchost.exe] [(Verified) Microsoft Corporation, 5.1.2600.5512 (xpsp.080413-2111)]
[C:\WINDOWS\system32\UxTheme.dll] [Microsoft Corporation, 6.00.2900.5512 (xpsp.080413-2105)]
[PID: 604][C:\WINDOWS\system32\svchost.exe] [(Verified) Microsoft Corporation, 5.1.2600.5512 (xpsp.080413-2111)]
[C:\WINDOWS\system32\UxTheme.dll] [Microsoft Corporation, 6.00.2900.5512 (xpsp.080413-2105)]
[C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.5581_x-ww_dfbc4fc4\gdiplus.dll] [Microsoft Corporation, 5.1.3102.5581 (xpsp_sp3_qfe.080415-1416)]
[PID: 620][C:\Program Files\Rising\Ris\ScanFrm.exe] [Beijing Rising Information Technology Co., Ltd., 21.0.0.12]
[C:\WINDOWS\system32\MSVCP71.dll] [Microsoft Corporation, 7.10.3077.0]
[C:\WINDOWS\system32\MSVCR71.dll] [Microsoft Corporation, 7.10.3052.4]
[C:\Program Files\Rising\Ris\combase.dll] [Beijing Rising Information Technology Co., Ltd., 21, 0, 0, 11]
[C:\Program Files\Rising\Ris\moncomm.dll] [Beijing Rising Information Technology Co., Ltd., 21, 0, 0, 13]
[C:\Program Files\Rising\Ris\scansrvp.dll] [Beijing Rising Information Technology Co., Ltd., 21.0.0.13]
[C:\Program Files\Rising\Ris\proccomm.dll] [Beijing Rising Information Technology Co., Ltd., 21, 0, 0, 46]
[C:\Program Files\Rising\Ris\ScanSrv.dll] [Beijing Rising Information Technology Co., Ltd., 21.0.0.10]
[C:\Program Files\Rising\Ris\comx3.dll] [Beijing Rising Information Technology Co., Ltd., 21.0.0.37]
[C:\Program Files\Rising\Ris\Syslay.dll] [Beijing Rising Information Technology Co., Ltd., 21.0.0.6]
[C:\WINDOWS\system32\uxtheme.dll] [Microsoft Corporation, 6.00.2900.5512 (xpsp.080413-2105)]
[C:\Program Files\Rising\Ris\ScanSimT.dll] [Beijing Rising Information Technology Co., Ltd., 21.0.0.24]
[C:\Program Files\Rising\Ris\ScanBT.dll] [Beijing Rising Information Technology Co., Ltd., 21.0.0.49]
[C:\Program Files\Rising\Ris\ScanStub.dll] [Beijing Rising Information Technology Co., Ltd., 21.0.0.9]
[C:\Program Files\Rising\Ris\ScanAdd.dll] [Beijing Rising Information Technology Co., Ltd., 21.0.0.19]
[C:\Program Files\Rising\Ris\ScanRavT.dll] [Beijing Rising Information Technology Co., Ltd., 21.0.0.27]
[C:\Program Files\Rising\Ris\RsLog.dll] [Beijing Rising Information Technology Co., Ltd., 21.0.0.37]
[C:\Program Files\Rising\Ris\RSAPPMGR.dll] [Beijing Rising Information Technology Co., Ltd., 21.0.0.1]
[C:\Program Files\Rising\Ris\CfgDll.dll] [Beijing Rising Information Technology Co., Ltd., 21.0.0.20]
[C:\Program Files\Rising\Ris\Scanner.dll] [Beijing Rising Information Technology Co., Ltd., 21.0.0.39]
[C:\Program Files\Rising\Ris\recomp.dll] [Beijing Rising Information Technology Co., Ltd., 21, 0, 0, 4]
[C:\Program Files\Rising\Ris\refs.dll] [Beijing Rising Information Technology Co., Ltd., 21, 0, 0, 5]
[C:\Program Files\Rising\Ris\viruslib.dll] [Beijing Rising Information Technology Co., Ltd., 21, 0, 0, 5]
[C:\Program Files\Rising\Ris\relibldr.dll] [Beijing Rising Information Technology Co., Ltd., 21, 0, 0, 6]
[C:\Program Files\Rising\Ris\ffr.dll] [Beijing Rising Information Technology Co., Ltd., 21, 0, 0, 3]
[C:\Program Files\Rising\Ris\nvfile.dll] [Beijing Rising Information Technology Co., Ltd., 21, 0, 0, 3]
[C:\Program Files\Rising\Ris\scanexec.dll] [Beijing Rising Information Technology Co., Ltd., 21, 0, 0, 6]
[C:\Program Files\Rising\Ris\unexe.dll] [Beijing Rising Information Technology Co., Ltd., 21, 0, 0, 2]
[C:\Program Files\Rising\Ris\scanex.dll] [Beijing Rising Information Technology Co., Ltd., 21, 0, 0, 47]
[C:\Program Files\Rising\Ris\extfile.dll] [Beijing Rising Information Technology Co., Ltd., 21, 0, 0, 15]
[C:\Program Files\Rising\Ris\scansct.dll] [Beijing Rising Information Technology Co., Ltd., 21, 0, 0, 3]
[C:\Program Files\Rising\Ris\pearc.dll] [Beijing Rising Information Technology Co., Ltd., 21, 0, 0, 4]
[C:\Program Files\Rising\Ris\scanpe.dll] [Beijing Rising Information Technology Co., Ltd., 21, 0, 0, 14]
[C:\Program Files\Rising\Ris\ur000.dat] [Beijing Rising Information Technology Co., Ltd., 21, 0, 0, 13]
[C:\Program Files\Rising\Ris\urutils.dll] [Beijing Rising Information Technology Co., Ltd., 21, 0, 0, 4]
[C:\Program Files\Rising\Ris\methodex.dll] [Beijing Rising Information Technology Co., Ltd., 21, 0, 0, 2]
[C:\Program Files\Rising\Ris\revm.dll] [Beijing Rising Information Technology Co., Ltd., 21, 0, 0, 8]
[C:\Program Files\Rising\Ris\heurex.dll] [Beijing Rising Information Technology Co., Ltd., 21, 0, 0, 9]
[C:\Program Files\Rising\Ris\pecompd.dll] [Beijing Rising Information Technology Co., Ltd., 21, 0, 0, 1]
[PID: 628][C:\WINDOWS\system32\wdfmgr.exe] [Microsoft Corporation, 5.2.3790.1230 built by: dnsrv(bld4act)]
[PID: 1884][C:\WINDOWS\System32\alg.exe] [(Verified) Microsoft Corporation, 5.1.2600.5512 (xpsp.080413-0852)]
[C:\WINDOWS\System32\UxTheme.dll] [Microsoft Corporation, 6.00.2900.5512 (xpsp.080413-2105)]
[PID: 1576][D:\Program Files\QQ2009\Bin\QQ.exe] [Tencent, 1, 30, 860, 0]
[D:\Program Files\QQ2009\Bin\Common.dll] [Tencent, 1, 30, 860, 0]
[C:\WINDOWS\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_cbb27474\ATL80.DLL] [Microsoft Corporation, 8.00.50727.762]
[C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\MSVCP80.dll] [Microsoft Corporation, 8.00.50727.762]
[C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\MSVCR80.dll] [Microsoft Corporation, 8.00.50727.762]
[D:\Program Files\QQ2009\Bin\KernelUtil.dll] [Tencent, 1, 30, 860, 0]
[D:\Program Files\QQ2009\Bin\HookQQ.dll] [N/A, ]
[D:\Program Files\QQ2009\Bin\GF.dll] [Tencent, 1, 30, 860, 0]
[C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.5581_x-ww_dfbc4fc4\gdiplus.dll] [Microsoft Corporation, 5.1.3102.5581 (xpsp_sp3_qfe.080415-1416)]
[D:\Program Files\QQ2009\Bin\AppUtil.dll] [Tencent, 1, 30, 860, 0]
[C:\WINDOWS\system32\uxtheme.dll] [Microsoft Corporation, 6.00.2900.5512 (xpsp.080413-2105)]
[D:\Program Files\QQ2009\Bin\LoadPatch.dll] [N/A, ]
[D:\Program Files\QQ2009\Bin\TheTools.dll] [N/A, ]
[d:\Program Files\QQ2009\bin\HKDlls\KillQQAd.dll] [N/A, ]
[D:\Program Files\QQ2009\Bin\MainFrame.dll] [Tencent, 1, 30, 860, 0]
[D:\Program Files\QQ2009\Bin\TaskTray.dll] [Tencent, 1, 30, 860, 0]
[d:\Program Files\QQ2009\bin\txpfproxy.dll] [Tencent, 1, 30, 860, 0]
[D:\Program Files\QQ2009\Plugin\Com.Tencent.QQShow\Bin\FlashAvatarDll.dll] [Tencent, 1.26.1.26]
[D:\Program Files\QQ2009\Bin\IM.dll] [Tencent, 1, 30, 860, 0]
[C:\Program Files\Common Files\Tencent\TXSSO\Bin\SSOPlatform.dll] [Tencent, 1.1.1.9]
[C:\Program Files\Common Files\Tencent\TXSSO\Bin\SSOCommon.DLL] [Tencent, 1.1.1.3]
[D:\Program Files\QQ2009\Bin\BasicCtrlDll.dll] [TENCENT, 8,0,773,1801]
[D:\Program Files\QQ2009\Bin\SkinMgr.dll] [Tencent, 1, 30, 860, 0]
[D:\Program Files\QQ2009\Bin\AppCtrl.dll] [Tencent, 1, 30, 860, 0]
[D:\Program Files\QQ2009\Bin\KernelMisc.dll] [Tencent, 1, 30, 860, 0]
[C:\WINDOWS\system32\msdmo.dll] [, ]
[D:\Program Files\QQ2009\Bin\AppMisc.dll] [Tencent, 1, 30, 860, 0]
[D:\Program Files\QQ2009\Bin\QInterLive.dll] [Tencent, 1, 30, 860, 0]
[D:\Program Files\QQ2009\Bin\SystemMsg.dll] [Tencent, 1, 30, 860, 0]
[D:\Program Files\QQ2009\Bin\ChatFrame.dll] [Tencent, 1, 30, 860, 0]
[D:\Program Files\QQ2009\Bin\GroupApp.dll] [Tencent, 1, 30, 860, 0]
[D:\Program Files\QQ2009\Plugin\com.tencent.snsapp\Bin\SNSApp.dll] [Tencent, 1, 30, 860, 0]
[D:\Program Files\QQ2009\Plugin\com.tencent.soso\Bin\Soso.dll] [Tencent, 1, 30, 860, 0]
[D:\Program Files\QQ2009\Plugin\com.tencent.paycenter\Bin\PayCenter.dll] [Tencent, 1, 30, 860, 0]
[D:\Program Files\QQ2009\Plugin\com.tencent.qbar\Bin\QBar.dll] [Tencent, 1, 30, 860, 0]
[D:\Program Files\QQ2009\Plugin\com.tencent.qqvipmisc\Bin\QQVipMisc.dll] [Tencent, 1, 30, 860, 0]
[D:\Program Files\QQ2009\Plugin\com.tencent.wenwen\Bin\WenWen.dll] [Tencent, 1, 30, 860, 0]
[D:\Program Files\QQ2009\Plugin\com.tencent.NetBar\Bin\NetBar.dll] [Tencent, 1, 30, 860, 0]
[D:\Program Files\QQ2009\Plugin\com.tencent.paipai\Bin\PaiPai.dll] [Tencent, 1, 30, 860, 0]
[D:\Program Files\QQ2009\Plugin\com.tencent.wireless\Bin\Wireless.dll] [Tencent, 1, 30, 860, 0]
[D:\Program Files\QQ2009\Plugin\com.tencent.paipaigift\Bin\PaiPaiGift.dll] [Tencent, 1, 30, 860, 0]
[D:\Program Files\QQ2009\Plugin\com.tencent.qqshow\Bin\QQShow.dll] [Tencent, 1, 30, 860, 0]
[D:\Program Files\QQ2009\Plugin\com.tencent.qzone\Bin\Qzone.dll] [Tencent, 1, 30, 860, 0]
[D:\Program Files\QQ2009\Plugin\com.tencent.audiovideo\Bin\AudioVideo.dll] [Tencent, 1, 30, 860, 0]
[D:\Program Files\QQ2009\Plugin\com.tencent.weather\Bin\Weather.dll] [Tencent, 1, 30, 860, 0]
[D:\Program Files\QQ2009\Plugin\com.tencent.crm\Bin\CRM.dll] [Tencent, 1, 30, 860, 0]
[D:\Program Files\QQ2009\Plugin\com.tencent.mmog\Bin\MMOG.dll] [Tencent, 1, 30, 860, 0]
[D:\Program Files\QQ2009\Plugin\com.tencent.qqgame\Bin\QQGame.dll] [Tencent, 1, 30, 860, 0]
[D:\Program Files\QQ2009\Plugin\com.tencent.qqlive\Bin\QQLive.dll] [Tencent, 1, 30, 860, 0]
[D:\Program Files\QQ2009\Plugin\com.tencent.qqmusic\Bin\QQMusic.dll] [Tencent, 1, 30, 860, 0]
[D:\Program Files\QQ2009\Plugin\com.tencent.qqpet\Bin\QQPet.dll] [Tencent, 1, 30, 860, 0]
[D:\Program Files\QQ2009\Plugin\com.tencent.taotao\Bin\taotao.dll] [Tencent, 1, 30, 860, 0]
[D:\Program Files\QQ2009\Plugin\com.tencent.mail\Bin\Mail.dll] [Tencent, 1, 30, 860, 0]
[D:\Program Files\QQ2009\Plugin\com.tencent.memo\Bin\Memo.dll] [Tencent, 1, 30, 860, 0]
[D:\Program Files\QQ2009\Plugin\com.tencent.advertisement\Bin\Advertisement.dll] [Tencent, 1, 30, 860, 0]

言兮 - 2009-7-7 20:37:00

[D:\Program Files\QQ2009\Plugin\com.tencent.qqvip\Bin\QQVip.dll] [Tencent, 1, 30, 860, 0]
[D:\Program Files\QQ2009\Plugin\com.tencent.today\Bin\Today.dll] [Tencent, 1, 30, 860, 0]
[D:\Program Files\QQ2009\Plugin\com.tencent.qqring\Bin\QQRing.dll] [Tencent, 1, 30, 860, 0]
[D:\Program Files\QQ2009\Bin\vqqsdl.dll] [Tencent, 5, 0, 3, 24]
[D:\Program Files\QQ2009\Bin\InformationBox.dll] [Tencent, 1, 30, 860, 0]
[D:\Program Files\QQ2009\Bin\ContactInfoFrame.dll] [Tencent, 1, 30, 860, 0]
[D:\Program Files\QQ2009\Plugin\com.tencent.filetransfer\Bin\FileTransfer.dll] [Tencent, 1, 30, 860, 0]
[D:\Program Files\QQ2009\Plugin\com.tencent.qqwebsite\Bin\QQWebsite.dll] [Tencent, 1, 30, 860, 0]
[D:\Program Files\QQ2009\Bin\MsgMgr.dll] [Tencent, 1, 30, 860, 0]
[C:\Program Files\Rising\Ris\RavScrCh.dll] [Beijing Rising Information Technology Co., Ltd., 21.0.0.75]
[C:\WINDOWS\system32\MSVCP71.dll] [Microsoft Corporation, 7.10.3077.0]
[C:\WINDOWS\system32\MSVCR71.dll] [Microsoft Corporation, 7.10.3052.4]
[D:\Program Files\QQ2009\Bin\ConfigCenter.dll] [Tencent, 1, 30, 860, 0]
[D:\Program Files\QQ2009\Bin\LongCnn.dll] [Tencent, 1, 30, 860, 0]
[D:\Program Files\QQ2009\Bin\AddrSearch.dll] [Tencent, 2, 3, 12, 11]
[PID: 708][D:\Program Files\QQ2009\Bin\HKDlls\KQAdTray.exe] [N/A, ]
[C:\WINDOWS\system32\uxtheme.dll] [Microsoft Corporation, 6.00.2900.5512 (xpsp.080413-2105)]
[D:\Program Files\QQ2009\Bin\HKDlls\IPSearcher.dll] [N/A, ]
[PID: 3244][d:\Program Files\QQ2009\bin\TXPlatform.exe] [Tencent, 1, 30, 860, 0]
[C:\WINDOWS\system32\uxtheme.dll] [Microsoft Corporation, 6.00.2900.5512 (xpsp.080413-2105)]
[d:\Program Files\QQ2009\bin\txpfproxy.dll] [Tencent, 1, 30, 860, 0]
[PID: 484][C:\Documents and Settings\Administrator\Application Data\Tencent\QQ\Misc\QQExp.exe] [Tencent, 1, 26, 748, 0]
[C:\WINDOWS\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_cbb27474\ATL80.DLL] [Microsoft Corporation, 8.00.50727.762]
[C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\MSVCP80.dll] [Microsoft Corporation, 8.00.50727.762]
[C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\MSVCR80.dll] [Microsoft Corporation, 8.00.50727.762]
[C:\WINDOWS\system32\uxtheme.dll] [Microsoft Corporation, 6.00.2900.5512 (xpsp.080413-2105)]
[d:\Program Files\QQ2009\bin\txpfproxy.dll] [Tencent, 1, 30, 860, 0]
[PID: 3720][D:\Temp\zgtxqq2009\Bin\QQ.exe] [Tencent, 1, 5, 225, 0]
[D:\Temp\zgtxqq2009\Bin\Common.dll] [Tencent, 1, 5, 225, 0]
[C:\WINDOWS\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_cbb27474\ATL80.DLL] [Microsoft Corporation, 8.00.50727.762]
[C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\MSVCP80.dll] [Microsoft Corporation, 8.00.50727.762]
[C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\MSVCR80.dll] [Microsoft Corporation, 8.00.50727.762]
[D:\Temp\zgtxqq2009\Bin\KernelUtil.dll] [Tencent, 1, 5, 225, 0]
[C:\WINDOWS\system32\uxtheme.dll] [Microsoft Corporation, 6.00.2900.5512 (xpsp.080413-2105)]
[D:\Temp\zgtxqq2009\Bin\GF.dll] [Tencent, 1, 5, 225, 0]
[D:\Temp\zgtxqq2009\Bin\MainFrame.dll] [Tencent, 1, 5, 225, 0]
[D:\Temp\zgtxqq2009\Bin\AppUtil.dll] [Tencent, 1, 5, 225, 0]
[D:\Temp\zgtxqq2009\Bin\TaskTray.dll] [Tencent, 1, 5, 225, 0]
[d:\Program Files\QQ2009\bin\txpfproxy.dll] [Tencent, 1, 30, 860, 0]
[D:\Temp\zgtxqq2009\Bin\AppMisc.dll] [Tencent, 1, 5, 225, 0]
[D:\Temp\zgtxqq2009\Bin\ChatFrame.dll] [Tencent, 1, 5, 225, 0]
[D:\Temp\zgtxqq2009\Bin\IM.dll] [Tencent, 1, 5, 225, 0]
[D:\Temp\zgtxqq2009\Bin\KernelMisc.dll] [Tencent, 1, 5, 225, 0]
[D:\Temp\zgtxqq2009\Bin\LongCnn.dll] [Tencent, 1, 5, 225, 0]
[D:\Temp\zgtxqq2009\Bin\MsgMgr.dll] [Tencent, 1, 5, 225, 0]
[D:\Temp\zgtxqq2009\Bin\SystemMsg.dll] [Tencent, 1, 5, 225, 0]
[PID: 2512][C:\WINDOWS\system32\conime.exe] [(Verified) Microsoft Corporation, 5.1.2600.5512 (xpsp.080413-2105)]
[C:\WINDOWS\system32\UxTheme.dll] [Microsoft Corporation, 6.00.2900.5512 (xpsp.080413-2105)]
[PID: 2488][C:\Program Files\Rising\Ris\RavMonD.exe] [Beijing Rising Information Technology Co., Ltd., 21, 0, 0, 2]
[C:\Program Files\Rising\Ris\combase.dll] [Beijing Rising Information Technology Co., Ltd., 21, 0, 0, 11]
[C:\WINDOWS\system32\MSVCP71.dll] [Microsoft Corporation, 7.10.3077.0]
[C:\WINDOWS\system32\MSVCR71.dll] [Microsoft Corporation, 7.10.3052.4]
[C:\Program Files\Rising\Ris\moncomm.dll] [Beijing Rising Information Technology Co., Ltd., 21, 0, 0, 13]
[C:\Program Files\Rising\Ris\MonBase.dll] [Beijing Rising Information Technology Co., Ltd., 21, 0, 0, 6]
[C:\Program Files\Rising\Ris\Rslog.dll] [Beijing Rising Information Technology Co., Ltd., 21.0.0.37]
[C:\Program Files\Rising\Ris\mondrv.dll] [Beijing Rising Information Technology Co., Ltd., 21, 0, 0, 9]
[C:\Program Files\Rising\Ris\defmon.dll] [Beijing Rising Information Technology Co., Ltd., 21, 0, 0, 31]
[C:\Program Files\Rising\Ris\moncom08.dll] [Beijing Rising Information Technology Co., Ltd., 21, 0, 0, 1]
[C:\Program Files\Rising\Ris\MonRule.dll] [Beijing Rising Information Technology Co., Ltd., 21, 0, 0, 9]
[C:\Program Files\Rising\Ris\FileMon.dll] [Beijing Rising Information Technology Co., Ltd., 21, 0, 0, 28]
[C:\Program Files\Rising\Ris\MailMon.dll] [Beijing Rising Information Technology Co., Ltd., 21, 0, 0, 24]
[C:\Program Files\Rising\Ris\HookWeb.dll] [Beijing Rising Information Technology Co., Ltd., 21, 0, 0, 11]
[C:\Program Files\Rising\Ris\rfwlog.dll] [Beijing Rising Information Technology Co., Ltd., 21, 0, 0, 13]
[C:\Program Files\Rising\Ris\rfwrule.dll] [Beijing Rising Information Technology Co., Ltd., 21.0.0.25]
[C:\Program Files\Rising\Ris\rfwsrv.dll] [Beijing Rising Information Technology Co., Ltd., 21.0.0.89]
[C:\Program Files\Rising\Ris\Syslay.dll] [Beijing Rising Information Technology Co., Ltd., 21.0.0.6]
[C:\Program Files\Rising\Ris\mPorts.dll] [Beijing Rising Information Technology Co., Ltd., 21.0.0.0]
[C:\Program Files\Rising\Ris\rfwdrvc.dll] [Beijing Rising Information Technology Co., Ltd., 21.0.0.3]
[C:\Program Files\Rising\Ris\Rfwdrv.dll] [Beijing Rising Information Technology Co., Ltd., 21.0.0.5]
[C:\Program Files\Rising\Ris\rsnetsvr.dll] [Beijing Rising Information Technology Co., Ltd., 21, 0, 0, 14]
[C:\Program Files\Rising\Ris\urlrule.dll] [Beijing Rising Information Technology Co., Ltd., 1.0.0.18]
[C:\Program Files\Rising\Ris\comx3.dll] [Beijing Rising Information Technology Co., Ltd., 21.0.0.37]
[C:\Program Files\Rising\Ris\recomp.dll] [Beijing Rising Information Technology Co., Ltd., 21, 0, 0, 4]
[C:\Program Files\Rising\Ris\refs.dll] [Beijing Rising Information Technology Co., Ltd., 21, 0, 0, 5]
[C:\Program Files\Rising\Ris\viruslib.dll] [Beijing Rising Information Technology Co., Ltd., 21, 0, 0, 5]
[C:\Program Files\Rising\Ris\relibldr.dll] [Beijing Rising Information Technology Co., Ltd., 21, 0, 0, 6]
[C:\Program Files\Rising\Ris\rfwproxy.dll] [Beijing Rising Information Technology Co., Ltd., 21.0.0.25]
[C:\Program Files\Rising\Ris\proccomm.dll] [Beijing Rising Information Technology Co., Ltd., 21, 0, 0, 46]
[C:\Program Files\Rising\Ris\RSAPPMGR.dll] [Beijing Rising Information Technology Co., Ltd., 21.0.0.1]
[C:\Program Files\Rising\Ris\CfgDll.dll] [Beijing Rising Information Technology Co., Ltd., 21.0.0.20]
[C:\Program Files\Rising\Ris\Hooksys.dll] [Beijing Rising Information Technology Co., Ltd., 23, 0, 0, 18]
[C:\Program Files\Rising\Ris\ProcCom.dll] [Beijing Rising Information Technology Co., Ltd., 20, 0, 0, 20]
[C:\Program Files\Rising\Ris\RsCommX2.dll] [Beijing Rising Information Technology Co., Ltd., 20, 0, 0, 20]
[C:\Program Files\Rising\Ris\HookCont.dll] [Beijing Rising Information Technology Co., Ltd., 23, 0, 0, 12]
[C:\Program Files\Rising\Ris\BACore.dll] [Beijing Rising Information Technology Co., Ltd., 21, 0, 0, 22]
[C:\Program Files\Rising\Ris\RSStore.dll] [Beijing Rising Information Technology Co., Ltd., 21, 0, 0, 12]
[C:\Program Files\Rising\Ris\ScanAdd.dll] [Beijing Rising Information Technology Co., Ltd., 21.0.0.19]
[C:\Program Files\Rising\Ris\Scanner.dll] [Beijing Rising Information Technology Co., Ltd., 21.0.0.39]
[C:\WINDOWS\system32\uxtheme.dll] [Microsoft Corporation, 6.00.2900.5512 (xpsp.080413-2105)]
[C:\Program Files\Rising\Ris\ffr.dll] [Beijing Rising Information Technology Co., Ltd., 21, 0, 0, 3]
[C:\Program Files\Rising\Ris\nvfile.dll] [Beijing Rising Information Technology Co., Ltd., 21, 0, 0, 3]
[C:\Program Files\Rising\Ris\scanexec.dll] [Beijing Rising Information Technology Co., Ltd., 21, 0, 0, 6]
[C:\Program Files\Rising\Ris\unexe.dll] [Beijing Rising Information Technology Co., Ltd., 21, 0, 0, 2]
[C:\Program Files\Rising\Ris\scanex.dll] [Beijing Rising Information Technology Co., Ltd., 21, 0, 0, 47]
[C:\Program Files\Rising\Ris\urllib.dll] [Beijing Rising Information Technology Co., Ltd., 21, 0, 0, 1]
[C:\Program Files\Rising\Ris\pearc.dll] [Beijing Rising Information Technology Co., Ltd., 21, 0, 0, 4]
[C:\Program Files\Rising\Ris\scanpe.dll] [Beijing Rising Information Technology Co., Ltd., 21, 0, 0, 14]
[C:\Program Files\Rising\Ris\ur000.dat] [Beijing Rising Information Technology Co., Ltd., 21, 0, 0, 13]
[C:\Program Files\Rising\Ris\urutils.dll] [Beijing Rising Information Technology Co., Ltd., 21, 0, 0, 4]
[C:\Program Files\Rising\Ris\methodex.dll] [Beijing Rising Information Technology Co., Ltd., 21, 0, 0, 2]
[C:\Program Files\Rising\Ris\pecompd.dll] [Beijing Rising Information Technology Co., Ltd., 21, 0, 0, 1]
[C:\Program Files\Rising\Ris\heurex.dll] [Beijing Rising Information Technology Co., Ltd., 21, 0, 0, 9]
[C:\Program Files\Rising\Ris\scansct.dll] [Beijing Rising Information Technology Co., Ltd., 21, 0, 0, 3]
[C:\Program Files\Rising\Ris\extfile.dll] [Beijing Rising Information Technology Co., Ltd., 21, 0, 0, 15]
[C:\Program Files\Rising\Ris\revm.dll] [Beijing Rising Information Technology Co., Ltd., 21, 0, 0, 8]
[C:\Program Files\Rising\Ris\extmail.dll] [Beijing Rising Information Technology Co., Ltd., 21, 0, 0, 5]
[C:\Program Files\Rising\Ris\ur023.dat] [Beijing Rising Information Technology Co., Ltd., 21, 0, 0, 6]
[PID: 3220][E:\日志\sr-engldr.EXE] [Smallfrogs Studio, 2.7.1.1261]
[PID: 3584][E:\日志\SRE5adef2a7.EXE] [Smallfrogs Studio, 2.7.1.1261]
[C:\WINDOWS\system32\uxtheme.dll] [Microsoft Corporation, 6.00.2900.5512 (xpsp.080413-2105)]
[E:\日志\Upload\3rdUpd.DLL] [Smallfrogs Studio, 2, 1, 0, 15]

===================以下内容为lqqk7回复==================
进程部分没有发现明显异常

zapline - 2009-7-7 20:38:00

引用:

原帖由言兮于 2009-7-7 20:37:00 发表
正在运行的进程太多了，各位老大帮忙分析下看有问题没有，另外谁有好的工具清理垃圾进程的，传到群共享里个，我到时候下下来用用。

正在运行的进程
[PID: 828][\SystemRoot\System32\smss.exe] [(Verified) Microsoft Corporation, 5.1.2600.5512 (xpsp.080413-2111)]
[PID: 900][\?

没问题

坤前独后 - 2009-7-7 20:39:00

知道了，十分感谢

言兮 - 2009-7-7 20:40:00

如果日志里发现可疑文件怎样解决处理呢？:kaka2:

===================以下内容为lqqk7回复==================
具体问题具体分析了，比如发现一个可疑文件，通常需要将文件删除，之后要将与其相关的注册表项清除掉
如果发现某个正常的系统文件被篡改（即无法通过签名验证），需要将正常的文件替换回来

HeeNu - 2009-7-7 20:40:00

引用:

原帖由言兮于 2009-7-7 20:37:00 发表
[D:\Program Files\QQ2009\Plugin\com.tencent.qqvip\Bin\QQVip.dll] [Tencent, 1, 30, 860, 0]
[D:\Program Files\QQ2009\Plugin\com.tencent.today\Bin\Today.dll] [Tencent, 1, 30, 860, 0]
[D:\......

进入系统后什么都不要开，扫一遍日志的可分析性比较强！

6709的空 - 2009-7-7 20:41:00

老师我用我的机子。。。。。。这几句什么意思啊
<PHIME2002ASync><C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32> [File is missing]
<PHIME2002A><C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName> [File is missing]
<KernelFaultCheck><%systemroot%\system32\dumprep 0 -k> [File is missing]
<IMJPMIG8.1><C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32> [File is missing]

===================以下内容为lqqk7回复==================
[File is missing] —— 目标文件不存在

<PHIME2002ASync><C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32>
<IMJPMIG8.1><C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32>
<PHIME2002A><C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName>
这两个是微软输入法相关程序

<KernelFaultCheck><%systemroot%\system32\dumprep 0 -k>
这个是用来在系统发生宕机时产生内存转储日志的程序

言兮 - 2009-7-7 20:44:00

明白了，万分感谢。zapline
wy13008218
逸枫
三位老大。:kaka12:

_逸枫_ - 2009-7-7 20:44:00

疑问一： <nwiz><nwiz.exe /install> [ ]
这个正常吗？ nwiz是什么意思？经常见。
疑问二： <BigDogPath><C:\WINDOWS\VM_STI.EXE USB PC Camera 301P> [File is missing]
File is missing 是指？下面还有几处也是这样。
疑问三：服务启动类型 Boot Start 具体是指？
疑问四：浏览器加载项有几项有些疑问，麻烦给分析一下是否正常：
1. [CCtInf Class]
{6DBB2904-082D-4DB0-944A-21C22BA121F4} <C:\WINDOWS\system32\BANKCE~1.DLL, >
这个CCtlnf是什么？
2.[]
{09BA8F6D-CB54-424B-839C-C2A6C8E6B436} <, >
[]
{0A155D3C-68E2-4215-A47A-E800A446447A} <, >
[]
{92780B25-18CC-41C8-B9BE-3C9C571A8263} <, >
[]
{FB5F1910-F110-11D2-BB9E-00C04F795683} <, >
一共有4处连加载项名都没有，只有CLASSID的加载项，请指教

疑问五：Winsock 提供者 N/A
这个是因为我没有采用正版XP安装程序的缘故吗？

PS：发现大家疑问都很多 lqqk7老师受累了我感觉类似的问题您答复的时候可以让提问者参考XX楼的答案这样可以减少一些工作量嘿嘿

===================以下内容为lqqk7回复==================
1、这个是nv显卡驱动相关程序，<nwiz>是这个启动项在注册表中的键值名称；
2、[File is missing]指的是目标文件不存在；
3、Boot Start是服务（驱动）的启动类型，可以理解为在系统引导过程中就已经被加载，系统内核获得控制权之前这类驱动就已经加载到内存中了；
4、CCtInf Class是这个插件在注册表中的名称，这几个加载项没有异常，那些空白的加载项在41楼已经讲解过了；
5、Winsock 提供者显示为N/A是正常的，这里的N/A并非表示没有，而是值是系统默认状态；

_逸枫_ - 2009-7-7 20:45:00

我也是新手
N/A是搜索的百度
像这种看起来感觉很基础性的单词或者名词你可以百度一下嘿嘿

===================以下内容为lqqk7回复==================
百度和google都是最优秀的老师

幽灵楠 - 2009-7-7 20:48:00

搜狗有个自动更新的这个计划任务保留.

dipahole - 2009-7-7 20:51:00

:kaka6:
首先露个脸:kaka12:
然后对楼上某些灌水的同学给以BS:kaka11: ,如果有报告的,不要把全部都贴出来,占用资源.
最后诚恳地向lqqk7 老师提出以下问题:
1.老师很辛苦的准备资料,但是有点错别字.:kaka5:
2.APPINIT_DLLS里面的dll是在哪个时候加载,在安全模式下会加载吗?
3.Winsock里边的内容如何修改,会产生打开不了网页的情况,老师能举例子给我们看看吗?
4.关于autorun.inf里面的:
shell\open\Command=Important.FILES.EXE
shell\open\Default=1
shell\explore=资源管理器(&X)
shell\explore\Command=Important.FILES.EXE

的每一段话的意思,老师能解释一下吗?

暂时是这么多的问题,谢谢老师的解答.:kaka15:

===================以下内容为lqqk7回复==================
1、酷卡mm用她一贯的暴力方式掐着我的脖子让我写的讲义，比较仓促.......:kaka4:
2、引用轩辕小聪的话“每一个进程启动加载user32.dll的时候，会自动加载APPINIT_DLLS键值中保存的所有dll”，“所有加载user32.dll的进程都可以使用这些项目”；
3、比如一个流氓软件修改了winsock，如篡改为c:\windows\system32\virus.dll，当你删除这个文件后，没有修复winsock，就会出现网页无法显示的问题，winsock不需要手动修改，通过sreng将其重置为系统默认值即可（如图）

4、
shell\open\Command=Important.FILES.EXE
在磁盘盘符单击右键，右键菜单中选择“打开”命令，此时会自动运行Important.FILES.EXE文件；

shell\open\Default=1
在磁盘盘符单击右键，右键菜单中的“打开”命令为默认选项，即“打开”这个选项的字体显示为加粗状态；

shell\explore=资源管理器(&X)
在磁盘盘符单击右键，右键菜单中增加一个显示为“资源管理器(&X)”的选项；

shell\explore\Command=Important.FILES.EXE
在磁盘盘符单击右键，右键菜单中选择“资源管理器(&X)”命令，此时会自动运行Important.FILES.EXE文件；

幽灵楠 - 2009-7-7 20:52:00

C:\WINDOWS\system32\drivers\etc\hosts hosts文件是位于这个目录下面的.
你可以打开来修改.,
选择打开方式--记事本

dipahole - 2009-7-7 20:53:00

引用:

原帖由 6709的空 于 2009-7-7 20:41:00 发表
老师我用我的机子。。。。。。这几句什么意思啊
<PHIME2002ASync><C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32> [File is missing]
<PHIME2002A><C:\WINDOWS\system32\IME\TINTLGNT\T

File is missing 貌似会是文件丢失...但是在注册表某个地方的键值没有删除或修改,应该是卸载不完全吧...:kaka18:

迷失の坏坏 - 2009-7-7 20:53:00

引用:

空空丢东西了？还是你把什么东西删了吖

凌霜寒 - 2009-7-7 21:05:00

提问：
1.浏览器加载项部分，如果只显示出注册表项，或者没有文件路径，如：
[]
{09BA8F6D-CB54-424B-839C-C2A6C8E6B436} <, >
[IFlashGetNetscapeEx Class]
{116BA71C-8187-4F15-9A1F-C9D6289155D1} <, >
[EWA Control]
{18226BF8-DC0B-4D81-80E9-A41AE37BB73A} <, >
[]
{19EFFC12-25FB-479A-A0F2-1569AE1B3365} <, >

是有问题吗？

2.正在运行的进程如果是这样： [C:\WINDOWS\system32\msdmo.dll] [, ]
有问题吗

===================以下内容为lqqk7回复==================
1、参考41楼的回复；
2、C:\WINDOWS\system32\msdmo.dll是正常的文件

幽灵楠 - 2009-7-7 21:07:00

你点那个修改他会打开一个文件夹。你删除相应的就行了。。搜狗的是他输入法升级的相关的程序。。

澜若是 - 2009-7-7 21:10:00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
<Microsoft Windows Mail 7><"%ProgramFiles%\Windows Mail\WinMail.exe" OCInstallUserConfigOE> [File is missing]
请问如上的[File is missing]代表什么含义

===================以下内容为lqqk7回复==================
[File is missing]表示目标文件不存在

CPU_ring0 - 2009-7-7 21:22:00

该用户帖子内容已被屏蔽

MickeyWangQY - 2009-7-7 21:22:00

老师，我有几个问题请教一下：
1、为什么下面两个都包含[N/A,]上面一个没毒，下面一个却是可疑的？
[PID:4888/new] [C:\Program Files\WinRAR\WinRAR.exe] [N/A, ]
[C:\Windows\System32\ypcqchlp.dll] [N/A, ]
2、“文件关联”部分，如果有error出现，怎么判断是由于正常程序修改造成的还是由病毒破坏的呢？
3、“hosts文件“部分如果出现了老师发上来的日志中的情况是不是说明很可疑了？
4、我扫描的自己电脑的日志中有
[已禁用] PMTask.job
C:\PROGRA~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE”的字样，是不是哪里有问题啊？
麻烦老师啦~~~非常感谢！

===================以下内容为lqqk7回复==================
1、熟悉系统和常见的软件是判断可以程序的基础，C:\Program Files\WinRAR\WinRAR.exe是winrar压缩解压程序，而ypcqchlp.dll不是我们所熟知的系统文件，但是他存在于C:\Windows\System32目录下，而且插入多个进程，明显不正常的行为；
2、下节课会讲；
3、目前大部分情况下还是免疫恶意网站的更多，具体判断方法可以通过网址作为依据，如果是将各大反病毒厂商、知名正规的网站指向其他IP，一般都是不正常的；
4、没有问题，是ThinkPad电脑自带的程序；

澜若是 - 2009-7-7 21:27:00

启动文件夹
[OneNote 2007 屏幕剪辑程序和启动程序]
<C:\Users\lenovo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 屏幕剪辑程序和启动程序.lnk --> D:\PROGRA~1\MICROS~1\Office12\ONENOTEM.EXE [Microsoft Corporation]><N>
[OneNote 2007 屏幕剪辑程序和启动程序]
<C:\Users\lenovo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 屏幕剪辑程序和启动程序.lnk --> D:\PROGRA~1\MICROS~1\Office12\ONENOTEM.EXE [Microsoft Corporation]><N>
有请问如上的<N>是否与老师列举过的[N/A]，[]等具有相类似的含义啊

最硬的石头 - 2009-7-7 21:28:00

引用:

原帖由 CPU_ring0 于 2009-7-7 21:22:00 发表
刚写了个r3下的隐藏进程的代码，用sreng查了下，，根本发现不了隐藏的进程，之前没有用过这个工具，不知道是基于什么原理查进程的。

那你说说都有几种方法隐藏哈枚举进程:kaka15:

6709的空 - 2009-7-7 21:31:00

坏坏。。。我也不知道啊。。。是不是没扫描出来啊。。再我的启动项目里

朋♂友 - 2009-7-7 21:40:00

先学习学习:kaka1:

小漠663 - 2009-7-7 21:48:00

老师，这两行显示
.HLP Error. [winhlp32.exe %1]
.INI Error. [C:\WINDOWS\System32\NOTEPAD.EXE %1]
是否正常？哪些显示error是不正常的呢？

瑞星卡卡安全论坛