lqqk7 - 2009-7-8 16:12:00
Starting today I will post some SREng logs from infected machines every day. Some of the interns are using SREng for the first time and are not yet familiar with log analysis; if you rush off to reply in the anti-virus section and misjudge something, it could harm the person asking for help, so we are doing this as an "internal" exchange instead. I hope everyone practices a lot: the real method of log analysis is something you only work out through your own hands-on experience! Note: how you do in these log-analysis exercises has no bearing on your overall internship grade, so don't worry about it, just practice boldly!
Attachment: [attachment not available]
======== Reference analysis results below ========
The abnormal items are in the attachment (only the entries in the log with a high degree of suspicion have been kept).
Note:
1. Do not delete the AppInit_DLLs value; clear its contents instead.
2. There are a lot of hijack entries and Hosts entries; you can use a tool to deal with them quickly.
3. The virus created quite a few service entries, for example <C:\WINDOWS\System32\svchost.exe -k netsvcs-->C:\WINDOWS\System32\qhly.dll><>. Take care to work out which is the system file and which is the virus file, and do not delete the system file.
4. The cnnic rogue software is visible in the log. You can suggest that the user remove it, but if the user happens to be fond of it, it can also be left in place; the decision is the user's.

Attachment: [attachment not available]
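A worked triage of the item types the notes above single out (Run entries launched from Temp, AppInit_DLLs, IFEO hijacks, and svchost-hosted service DLLs), as an added example that is not part of the original post and not a feature of SREng. It parses a constructed listing in SREng's layout, applies one rule per item type and prints the action the notes recommend. The netsvcs DLL allowlist and the debugger list are partial assumptions of mine, and the winmgmt service in the sample is included only so that the svchost rule has a legitimate entry to pass.

```python
import re
from dataclasses import dataclass

# Constructed sample in the SREng layout used in this thread. Entries are copied
# from or modelled on the ones quoted above; the winmgmt service is a genuine
# svchost-hosted system service, included so the rule has something to pass.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
<u1rjs10ri1uew03><C:\DOCUME~1\cui\LOCALS~1\Temp\Servera.exe> [N/A]
<UnlockerAssistant><"C:\Program Files\Unlocker\UnlockerAssistant.exe"> [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<AppInit_DLLs><C:\WINDOWS\System32\NTDLL32.dll> [Microsoft Corporation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe]
<IFEO[avp.exe]><svchost.exe> [(Verified)Microsoft Windows Publisher]
[CoolWare / CoolWare][Running/Manual Start]
<C:\WINDOWS\System32\svchost.exe -k netsvcs-->C:\WINDOWS\System32\qhly.dll><>
[Windows Management Instrumentation / winmgmt][Running/Auto Start]
<C:\WINDOWS\System32\svchost.exe -k netsvcs-->C:\WINDOWS\System32\wbem\WMIsvc.dll><Microsoft Corporation>
"""

# Assumption: a deliberately partial allowlist of Windows XP netsvcs ServiceDll
# paths. Anything not on it is raised for a human to check, not declared malware.
KNOWN_NETSVCS_DLLS = {"system32\\wbem\\wmisvc.dll", "system32\\browser.dll",
                      "system32\\cryptsvc.dll", "system32\\dhcpcsvc.dll",
                      "system32\\schedsvc.dll", "system32\\wuauserv.dll"}
# Programs that legitimately show up as an IFEO "Debugger" value (assumption).
KNOWN_DEBUGGERS = {"ntsd.exe", "windbg.exe", "drwtsn32.exe", "vsjitdebugger.exe"}

SECTION_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
ENTRY_RE = re.compile(r"^<(?P<name>[^>]*)><(?P<value>.*)> \[(?P<vendor>.*)\]$")
SERVICE_RE = re.compile(r"^\[(?P<display>.+?) / (?P<name>.+?)\]\[(?P<state>\w+)/(?P<start>[^\]]+)\]$")
SERVICE_PATH_RE = re.compile(r"^<(?P<path>.*)><(?P<vendor>.*)>$")

@dataclass
class Finding:
    severity: str  # "high": act on it; "review": verify the file first
    item: str
    reason: str
    action: str

def _no_vendor(vendor):
    return vendor.strip() in ("", "N/A")

def _check_entry(section, name, value, vendor):
    if name == "AppInit_DLLs":
        if not value.strip():
            return []
        return [Finding("high", f"AppInit_DLLs = {value}",
                        "user32.dll loads this DLL into every GUI process",
                        "clear the value to empty; do not delete AppInit_DLLs itself")]
    if "Image File Execution Options" in section:
        target = name[5:-1] if name.startswith("IFEO[") else name
        if value.strip('"').rsplit("\\", 1)[-1].lower() in KNOWN_DEBUGGERS:
            return []
        return [Finding("high", f"IFEO Debugger for {target} -> {value}",
                        "Debugger runs this program instead of the target; the '(Verified)' "
                        "vendor belongs to the substitute binary, not to the entry",
                        f"delete the Image File Execution Options\\{target} key")]
    if "\\temp\\" in value.lower():
        return [Finding("high", f"{name} -> {value}",
                        "autostart entry pointing into a temporary directory",
                        "end the process, delete the file and the Run value")]
    if _no_vendor(vendor):
        return [Finding("review", f"{name} -> {value}",
                        "no vendor information; legitimate third-party tools lack it too",
                        "verify the file's origin before removing anything")]
    return []

def _check_service(svc, path, vendor):
    if "svchost.exe -k" in path.lower() and "-->" in path:
        host, dll = (s.strip() for s in path.split("-->", 1))
        if any(dll.lower().endswith(k) for k in KNOWN_NETSVCS_DLLS):
            return []
        return [Finding("high" if _no_vendor(vendor) else "review",
                        f"service {svc['name']} ({svc['display']}) -> {dll}",
                        "svchost-hosted service whose ServiceDll is not a known system DLL",
                        f"delete the service and {dll}; {host} is the system host, leave it")]
    if _no_vendor(vendor):
        return [Finding("review", f"service {svc['name']} -> {path}",
                        "no vendor information", "verify the file before removing it")]
    return []

def triage(log_text):
    """Walk an SREng-style listing and return findings in log order."""
    findings, section, pending = [], "", None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if pending is not None:  # the line after a service header is its image path
            if m := SERVICE_PATH_RE.match(line):
                findings.extend(_check_service(pending, m["path"], m["vendor"]))
            pending = None
        elif m := SECTION_RE.match(line):
            section = m["key"]
        elif m := SERVICE_RE.match(line):
            pending = m.groupdict()
        elif m := ENTRY_RE.match(line):
            findings.extend(_check_entry(section, m["name"], m["value"], m["vendor"]))
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.item}\n    why: {f.reason}\n    do:  {f.action}")
```

Two design points worth noting. The IFEO rule deliberately ignores the "(Verified)" vendor column: SREng reports the signature of whatever the Debugger value points at, so a redirect to svchost.exe always looks Microsoft-signed. And an [N/A] vendor alone only produces "review", because the same sample contains a legitimate tool (UnlockerAssistant) with no vendor string; the Temp location, not the missing vendor, is what makes the first entry "high".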
merrk_chuan - 2009-7-8 20:38:00
精神病院看门的 - 2009-7-8 20:56:00
This user's post has been hidden.
qu48 - 2009-7-8 21:09:00
<u1rjs10ri1uew03><C:\DOCUME~1\cui\LOCALS~1\Temp\Servera.exe> [N/A]
<ym6t5yvzdk2rm><C:\DOCUME~1\cui\LOCALS~1\Temp\winlog0n.exe> [N/A]
<rg60qte9qw61w><C:\DOCUME~1\cui\LOCALS~1\Temp\crasos.exe> [N/A]
<dtb46vxxrkiub><C:\DOCUME~1\cui\LOCALS~1\Temp\iexp10re.exe> [N/A]
<qhm2><C:\DOCUME~1\cui\LOCALS~1\Temp\iexpl0re.exe> [N/A]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
<sun><C:\WINDOWS\SysSun1\svchost.exe> [N/A]
These are all viruses, right? .... Could some expert step in and comment?
daemonz - 2009-7-8 22:19:00
Suspicious items:
1. In the startup items:
<u1rjs10ri1uew03><C:\DOCUME~1\cui\LOCALS~1\Temp\Servera.exe> [N/A]
<ym6t5yvzdk2rm><C:\DOCUME~1\cui\LOCALS~1\Temp\winlog0n.exe> [N/A]
<rg60qte9qw61w><C:\DOCUME~1\cui\LOCALS~1\Temp\crasos.exe> [N/A]
<dtb46vxxrkiub><C:\DOCUME~1\cui\LOCALS~1\Temp\iexp10re.exe> [N/A]
<qhm2><C:\DOCUME~1\cui\LOCALS~1\Temp\iexpl0re.exe> [N/A]
<sun><C:\WINDOWS\SysSun1\svchost.exe> [N/A]
<UnlockerAssistant><"C:\Program Files\Unlocker\UnlockerAssistant.exe"> [N/A]
<KernelFaultCheck><%systemroot%\system32\dumprep 0 -k> [N/A]
<upxdnd><C:\DOCUME~1\cui\LOCALS~1\Temp\upxdnd.exe> [N/A]
<winform><C:\WINDOWS\winform.exe> [N/A]
<IEBarUp><RunDll32 "C:\WINDOWS\System32\msUPT.dll",Run> []
<mppds><C:\WINDOWS\mppds.exe> [N/A]
<Desktop><"C:\WINDOWS\System32\internet.exe"> [Microsoft Corporation]
<Internet><"C:\WINDOWS\system32\internet.exe"> [Microsoft Corporation]
<CdnCtr><C:\Program Files\CNNIC\Cdn\cdnup.exe> [CNNIC]
<tcjfcji><C:\Program Files\Intel\tcjfcji.exe> [N/A]
<pxdnd><C:\DOCUME~1\cui\LOCALS~1\Temp\pxdnd.exe> [N/A]
<nwiztlbb><C:\WINDOWS\System32\nwiztlbb.exe> [N/A]
<nwizqqfo><C:\WINDOWS\System32\nwizqqfo.exe> [N/A]
<cmdbcs><C:\WINDOWS\cmdbcs.exe> [N/A]
<msccrt><C:\WINDOWS\msccrt.exe> [N/A]
<{754FB7D8-B8FE-4810-B363-A788CD060F1F}><C:\Program Files\Internet Explorer\PLUGINS\SystemKb.sys> [N/A]
<{D14FA1E2-123F-6358-1E32-D2455234FDE2}><C:\WINDOWS\System32\nospri.dll> [N/A]
[CAJViewer Preload]
<C:\Documents and Settings\All Users\「开始」菜单\程序\启动\CAJViewer Preload.lnk --> C:\PROGRA~1\TTKN\CAJVIE~1.0\CAJVIE~1.EXE [Tsinghua Tongfang Knowledge Network Technology(Beijing) Co., Ltd.]><N>
[yfhlgc]
<C:\Documents and Settings\All Users\「开始」菜单\程序\启动\yfhlgc.lnk --> C:\PROGRA~1\MICROS~4\yfhlgcj.exe [N/A]><N>
There are also image hijacks (IFEO) that need to be repaired.
2. Services:
[CoolWare / CoolWare][Running/Manual Start]
<C:\WINDOWS\System32\svchost.exe -k netsvcs-->C:\WINDOWS\System32\qhly.dll><>
[Fast Client / fast][Running/Manual Start]
<C:\WINDOWS\System32\0feb.exe><N/A>
[GrayPigeonServer / GrayPigeonServer][Running/Auto Start]
<C:\WINDOWS\G_Server2006.exe><>
[Internet Connection Manager / Internet Connection Manager][Running/Manual Start]
<"C:\WINDOWS\System32\internet.exe"><Microsoft Corporation>
[Win32 Debug Service / MSDebugsvc][Running/Manual Start]
<C:\WINDOWS\System32\\rundll32.exe msdebug.dll,input><Microsoft Corporation>
[Windows pgkx RunThem / pgkx][Running/Manual Start]
<C:\WINDOWS\System32\svchost.exe -k netsvcs-->C:\PROGRA~1\kbfs\ulpc.dll>< >
3. Suspicious DLLs loaded into many processes:
[C:\WINDOWS\System32\NTDLL32.dll] [Microsoft Corporation, 5.1.2600.2180]
[C:\WINDOWS\System32\webpageparser.dll] [N/A, ]
[C:\WINDOWS\System32\Charset.dll] [N/A, ]
[C:\WINDOWS\System32\CreateDomTree.dll] [N/A, ]
[C:\WINDOWS\System32\winlib .dll] [N/A, ]
[C:\WINDOWS\System32\febd.dll] [N/A, ]
[C:\WINDOWS\System32\330f.dll] [ , 1, 0, 0, 3]
[c:\progra~1\kbfs\xosf.dll] [, 1, 0, 0, 6]
[c:\progra~1\kbfs\ctxk.dll] [ , 1, 0, 0, 6]
4. Autorun.inf: everything here should be virus.
[C:\]
[AutoRun]
Open=sxs.exe
Shell\Open=打开(&O)
Shell\Open\Command=sxs.exe
Shell\Open\Default=1
Shell\Explore=资源管理器(&X)
Shell\Explore\Command=sxs.exe
[D:\]
[AutoRun]
Open=sxs.exe
Shell\Open=打开(&O)
Shell\Open\Command=sxs.exe
Shell\Open\Default=1
Shell\Explore=资源管理器(&X)
Shell\Explore\Command=sxs.exe
[E:\]
[AutoRun]
Open=sxs.exe
Shell\Open=打开(&O)
Shell\Open\Command=sxs.exe
Shell\Open\Default=1
Shell\Explore=资源管理器(&X)
Shell\Explore\Command=sxs.exe
[F:\]
[AutoRun]
Open=sxs.exe
Shell\Open=打开(&O)
Shell\Open\Command=sxs.exe
Shell\Open\Default=1
Shell\Explore=资源管理器(&X)
Shell\Explore\Command=sxs.exe
5. hosts has been modified heavily and should be repaired as well.
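The autorun.inf blocks above point three different handlers (Open, Shell\Open\Command, Shell\Explore\Command) at the same sxs.exe in every drive root. The following added example, which is not from the post and not an SREng feature, parses an SREng autorun.inf listing, enumerates every key that makes Explorer launch a program, lists the files to remove, and reports whether a plain double-click on the drive icon already runs the payload. The C: block of the sample is copied from the listing above; the D: block is an invented second layout (shellexecute= with a program hidden under RECYCLER) so the parser covers more than the one case on the page.

```python
import re

# Constructed sample. The C: block is copied from the autorun.inf listing quoted
# above; the D: block is an invented variant using shellexecute= with a program
# hidden under RECYCLER, to show the parser is not tied to one layout.
SAMPLE_LISTING = r"""
[C:\]
[AutoRun]
Open=sxs.exe
Shell\Open=打开(&O)
Shell\Open\Command=sxs.exe
Shell\Open\Default=1
Shell\Explore=资源管理器(&X)
Shell\Explore\Command=sxs.exe
[D:\]
[AutoRun]
shellexecute=RECYCLER\info.exe
"""

DRIVE_RE = re.compile(r"^\[([A-Za-z]:\\)\]$")  # SREng prints one [X:\] header per drive root

def parse_listing(text):
    r"""Return {drive_root: {key.lower(): value}} for every drive block in the listing."""
    drives, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := DRIVE_RE.match(line):
            current = m.group(1).upper()
            drives[current] = {}
        elif current is not None and not line.startswith("["):  # skip the [AutoRun] header
            key, sep, value = line.partition("=")
            if sep:
                drives[current][key.strip().lower()] = value.strip()
    return drives

def launched_programs(entries):
    r"""Every key that makes Explorer start a program: open=, shellexecute=, shell\<verb>\command=."""
    programs = {}
    for key, value in entries.items():
        if key in ("open", "shellexecute") or (key.startswith("shell\\") and key.endswith("\\command")):
            programs[key] = value.split()[0].strip('"') if value.strip() else ""
    return programs

def assess(text):
    r"""Per drive: what the autorun.inf launches, which files to remove, and whether
    a plain double-click on the drive icon already runs the payload."""
    report = {}
    for drive, entries in parse_listing(text).items():
        programs = launched_programs(entries)
        payloads = sorted({drive + p.lstrip("\\") for p in programs.values() if p})
        # Shell\<verb>\Default=1 makes that verb the double-click action, and a
        # replaced Shell\Open\Command covers the normal default, so having AutoPlay
        # switched off does not protect the user: opening the drive runs the worm.
        default_hijacked = any(k.startswith("shell\\") and k.endswith("\\default") and v == "1"
                               for k, v in entries.items())
        report[drive] = {
            "programs": programs,
            "remove": payloads + [drive + "autorun.inf"],
            "double_click_runs_payload": default_hijacked or "shell\\open\\command" in programs,
        }
    return report

if __name__ == "__main__":
    for drive, r in assess(SAMPLE_LISTING).items():
        print(drive, r)
```

The practical consequence of the "double_click_runs_payload" flag is the cleanup order: remove the autorun.inf and the payload first, and until then reach the drive by typing the path in the address bar rather than double-clicking its icon.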
零度的穷浪漫 - 2009-7-29 3:53:00
1.<u1rjs10ri1uew03><C:\DOCUME~1\cui\LOCALS~1\Temp\Servera.exe> [N/A]
<ym6t5yvzdk2rm><C:\DOCUME~1\cui\LOCALS~1\Temp\winlog0n.exe> [N/A]
<rg60qte9qw61w><C:\DOCUME~1\cui\LOCALS~1\Temp\crasos.exe> [N/A]
<dtb46vxxrkiub><C:\DOCUME~1\cui\LOCALS~1\Temp\iexp10re.exe> [N/A]
<qhm2><C:\DOCUME~1\cui\LOCALS~1\Temp\iexpl0re.exe> [N/A]
Temporary files?
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
<sun><C:\WINDOWS\SysSun1\svchost.exe> [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<AppInit_DLLs><C:\WINDOWS\System32\NTDLL32.dll> [Microsoft Corporation]
This one again.
And the hijacks too.
So many, I won't list them one by one.
2. [yfhlgc]
<C:\Documents and Settings\All Users\「开始」菜单\程序\启动\yfhlgc.lnk --> C:\PROGRA~1\MICROS~4\yfhlgcj.exe [N/A]><N>
What is this?
3.[Internet Connection Manager / Internet Connection Manager][Running/Manual Start]
<"C:\WINDOWS\System32\internet.exe"><Microsoft Corporation>
[Win32 Debug Service / MSDebugsvc][Running/Manual Start]
<C:\WINDOWS\System32\\rundll32.exe msdebug.dll,input><Microsoft Corporation>
[Windows pgkx RunThem / pgkx][Running/Manual Start]
<C:\WINDOWS\System32\svchost.exe -k netsvcs-->C:\PROGRA~1\kbfs\ulpc.dll>< >
[WebPrint / WebPrint][Running/Manual Start]
<c:\windows\system32\webprint.exe><Microsoft Corporation>
[Windows DHCP Service / WinDHCPsvc][Running/Manual Start]
<C:\WINDOWS\System32\\rundll32.exe windhcp.ocx,input><Microsoft Corporation>
What is wrong with these?
4. There are a lot of unfamiliar drivers, but:
[Secdrv / Secdrv][Stopped/Manual Start]
<System32\DRIVERS\secdrv.sys><N/A>
Is this one legitimate?
[mspcidrv / mspcidrv][Running/Boot Start]
<system32\DRIVERS\mspcidrv.sys><Windows (R) 2000 DDK provider>
Is this one bad?
[nv / nv][Running/Boot Start]
<System32\DRIVERS\nv4_mini.sys><NVIDIA Corporation>
And what is this one?
5. Why do none of the browser add-on entries related to Xunlei (迅雷) have signatures?
6.[Cbho Object]
{352E3B3A-CAB5-4DBC-B940-C7F84D0447D8} <C:\PROGRA~1\CNNIC\Cdn\cdndrag.dll, CNNIC>
[Info cache]
{385AB8C6-FB22-4D17-8834-064E2BA0A6F0} <C:\Documents and Settings\All Users\Application
Data\Microsoft\PCTools\pctools.dll, 金泰丰(广州)科技有限公司>
[Jpeg Class]
{4970DA77-DB06-4EB9-AAB5-77AF0CC77310} <C:\WINDOWS\System32\30fe.dll, TODO: <公司名>>
[CdnForIE Class]
{5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} <C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll, CNNIC>
[Advance Helper]
{8E25AC4A-B129-451B-BEE2-3B510BB751DA} <C:\WINDOWS\System32\NTDLL32.dll, Microsoft Corporation>
[IE Browser Helper]
{D0903A3B-F0EA-434a-9742-98C5335C7946} <C:\WINDOWS\System32\IEHelper.dll, Mass Effect Network>
[WMHlprObj Class]
{F5824EFB-728A-4726-A5A5-85A68B20EDC3} <C:\PROGRA~1\CNNIC\Cdn\wmhlpr.dll, CNNIC>
[CdnForIE Class]
{5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} <C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll, CNNIC>
Why are these problematic?
7. Many of the running processes have version numbers but no signatures, and the autorun on drives C, D, E and F is infected.
8. Many web addresses in the hosts file are resolved to the wrong IPs.
9. Special privilege enabled: SeLoadDriverPrivilege [PID = 536, C:\WINDOWS\SYSTEM32\CTFMON.EXE]. This CTFMON is the input method; can it be listed here?
still刀刀 - 2009-7-30 1:25:00
Startup items
Registry
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
<u1rjs10ri1uew03><C:\DOCUME~1\cui\LOCALS~1\Temp\Servera.exe> [N/A]
<ym6t5yvzdk2rm><C:\DOCUME~1\cui\LOCALS~1\Temp\winlog0n.exe> [N/A]
<rg60qte9qw61w><C:\DOCUME~1\cui\LOCALS~1\Temp\crasos.exe> [N/A]
<dtb46vxxrkiub><C:\DOCUME~1\cui\LOCALS~1\Temp\iexp10re.exe> [N/A]
<qhm2><C:\DOCUME~1\cui\LOCALS~1\Temp\iexpl0re.exe> [N/A]
The above are problematic.
Missing company signature and version information.
==================================
Services
[Internet Connection Manager / Internet Connection Manager][Running/Manual Start]
<"C:\WINDOWS\System32\internet.exe"><Microsoft Corporation>
[Win32 Debug Service / MSDebugsvc][Running/Manual Start]
<C:\WINDOWS\System32\\rundll32.exe msdebug.dll,input><Microsoft Corporation>
[WebPrint / WebPrint][Running/Manual Start]
<c:\windows\system32\webprint.exe><Microsoft Corporation>
[Windows DHCP Service / WinDHCPsvc][Running/Manual Start]
<C:\WINDOWS\System32\\rundll32.exe windhcp.ocx,input><Microsoft Corporation>
I don't know what is wrong with this!!! Are the company signatures all forged?
==================================
Drivers
[mspcidrv / mspcidrv][Running/Boot Start]
<system32\DRIVERS\mspcidrv.sys><Windows (R) 2000 DDK provider>
Not sure why.
==================================
Browser add-ons
[Info cache]
{385AB8C6-FB22-4D17-8834-064E2BA0A6F0} <C:\Documents and Settings\All Users\Application Data\Microsoft\PCTools\pctools.dll, 金泰丰(广州)科技有限公司>
[Jpeg Class]
{4970DA77-DB06-4EB9-AAB5-77AF0CC77310} <C:\WINDOWS\System32\30fe.dll, TODO: <公司名>>
[Advance Helper]
{8E25AC4A-B129-451B-BEE2-3B510BB751DA} <C:\WINDOWS\System32\NTDLL32.dll, Microsoft Corporation>
[IE Browser Helper]
{D0903A3B-F0EA-434a-9742-98C5335C7946} <C:\WINDOWS\System32\IEHelper.dll, Mass Effect Network>
Not sure why.
Processes:
[PID: 1248][C:\WINDOWS\System32\svchost.exe] [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[C:\WINDOWS\System32\NTDLL32.dll] [Microsoft Corporation, 5.1.2600.2180]
The version information here is suspicious.
乐陶猪 - 2009-8-4 22:15:00
Registry
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
<u1rjs10ri1uew03><C:\DOCUME~1\cui\LOCALS~1\Temp\Servera.exe> [N/A]
<ym6t5yvzdk2rm><C:\DOCUME~1\cui\LOCALS~1\Temp\winlog0n.exe> [N/A]
<rg60qte9qw61w><C:\DOCUME~1\cui\LOCALS~1\Temp\crasos.exe> [N/A]
<dtb46vxxrkiub><C:\DOCUME~1\cui\LOCALS~1\Temp\iexp10re.exe> [N/A]
<qhm2><C:\DOCUME~1\cui\LOCALS~1\Temp\iexpl0re.exe> [N/A]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
<sun><C:\WINDOWS\SysSun1\svchost.exe> [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<upxdnd><C:\DOCUME~1\cui\LOCALS~1\Temp\upxdnd.exe> [N/A]
<winform><C:\WINDOWS\winform.exe> [N/A]
<IEBarUp><RunDll32 "C:\WINDOWS\System32\msUPT.dll",Run> []
<mppds><C:\WINDOWS\mppds.exe> [N/A]
<Desktop><"C:\WINDOWS\System32\internet.exe"> [Microsoft Corporation]
<Internet><"C:\WINDOWS\system32\internet.exe"> [Microsoft Corporation]
<CdnCtr><C:\Program Files\CNNIC\Cdn\cdnup.exe> [CNNIC]
<tcjfcji><C:\Program Files\Intel\tcjfcji.exe> [N/A]
<pxdnd><C:\DOCUME~1\cui\LOCALS~1\Temp\pxdnd.exe> [N/A]
<nwiztlbb><C:\WINDOWS\System32\nwiztlbb.exe> [N/A]
<nwizqqfo><C:\WINDOWS\System32\nwizqqfo.exe> [N/A]
<cmdbcs><C:\WINDOWS\cmdbcs.exe> [N/A]
<msccrt><C:\WINDOWS\msccrt.exe> [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<AppInit_DLLs><C:\WINDOWS\System32\NTDLL32.dll> [Microsoft Corporation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe]
<IFEO[avp.exe]><svchost.exe> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe]
<IFEO[CCenter.exe]><svchost.exe> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccEvtMgr.exe]
<IFEO[ccEvtMgr.exe]><svchost.exe> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccSetApp.exe]
<IFEO[ccSetApp.exe]><svchost.exe> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccSetMgr.exe]
<IFEO[ccSetMgr.exe]><svchost.exe> [(Verified)Microsoft Windows XP Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DefWatch.exe]
<IFEO[DefWatch.exe]><svchost.exe> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVStart.exe]
<IFEO[KAVStart.exe]><svchost.exe> [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KMaiMon.exe]
<IFEO[KMaiMon.exe]><svchost.exe> [(Verified)Tencent Technology(Shenzhen) Company Limited]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPfwSvc.exe]
<IFEO[KPfwSvc.exe]><svchost.exe> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvsrvxp.exe]
<IFEO[kvsrvxp.exe]><svchost.exe> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVWSC.exe]
<IFEO[KVWSC.exe]><svchost.exe> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatch.exe]
<IFEO[KWatch.exe]><svchost.exe> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\McAgent.exe]
<IFEO[McAgent.exe]><svchost.exe> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mctskshd.exe]
<IFEO[mctskshd.exe]><svchost.exe> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcupdmgr.exe]
<IFEO[mcupdmgr.exe]><svchost.exe> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32krn.exe]
<IFEO[nod32krn.exe]><svchost.exe> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32kui.exe]
<IFEO[nod32kui.exe]><svchost.exe> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFW.exe]
<IFEO[PFW.exe]><svchost.exe> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ras.exe]
<IFEO[ras.exe]><svchost.exe> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rav.exe]
<IFEO[Rav.exe]><svchost.exe> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMON.exe]
<IFEO[RavMON.exe]><svchost.exe> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ravmond.exe]
<IFEO[Ravmond.exe]><svchost.exe> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavStub.exe]
<IFEO[RavStub.exe]><svchost.exe> [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavTask.exe]
<IFEO[RavTask.exe]><svchost.exe> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RfwMain.exe]
<IFEO[RfwMain.exe]><svchost.exe> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwsrv.exe]
<IFEO[rfwsrv.exe]><svchost.exe> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rtvscan.exe]
<IFEO[rtvscan.exe]><svchost.exe> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\runiep.exe]
<IFEO[runiep.exe]><svchost.exe> [(Verified)Microsoft Windows Publisher]
Startup folder
[yfhlgc]
<C:\Documents and Settings\All Users\「开始」菜单\程序\启动\yfhlgc.lnk --> C:\PROGRA~1\MICROS~4\yfhlgcj.exe [N/A]><N>
==================================
Drivers
[cjebihhf / cjebihhf][Running/System Start]
<\??\C:\WINDOWS\system32\drivers\cjebihhf.sys><N/A>
[dibaabae / dibaabae][Running/Manual Start]
<\??\C:\WINDOWS\system32\drivers\dibaabae.sys><N/A>
[jcaehcga / jcaehcga][Running/Manual Start]
<\??\C:\WINDOWS\system32\drivers\jcaehcga.sys><N/A>
[kmsinput / kmsinput][Running/Manual Start]
<\??\C:\WINDOWS\System32\drivers\kmsinput.sys><N/A>
==================================
Running processes
[PID: 556][\SystemRoot\System32\smss.exe] [Microsoft Corporation, 5.1.2600.1106 (xpsp1.020828-1920)]
[PID: 628][\??\C:\WINDOWS\system32\csrss.exe] [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[C:\WINDOWS\System32\febd.dll] [N/A, ]
[C:\WINDOWS\System32\330f.dll] [ , 1, 0, 0, 3]
[PID: 652][\??\C:\WINDOWS\system32\winlogon.exe] [Microsoft Corporation, 5.1.2600.1106 (xpsp1.020828-1920)]
[C:\WINDOWS\System32\webpageparser.dll] [N/A, ]
[C:\WINDOWS\System32\Charset.dll] [N/A, ]
[C:\WINDOWS\System32\CreateDomTree.dll] [N/A, ]
[C:\WINDOWS\System32\winlib .dll] [N/A, ]
[C:\WINDOWS\System32\febd.dll] [N/A, ]
[C:\WINDOWS\System32\330f.dll] [ , 1, 0, 0, 3]
[c:\progra~1\kbfs\xosf.dll] [, 1, 0, 0, 6]
[c:\progra~1\kbfs\ctxk.dll] [ , 1, 0, 0, 6]
The more I look, the more it seems everything running is a virus. I've only pulled out the earlier ones as a token; the rest look like it too... so many...
==================================
Autorun.inf
[C:\]
[AutoRun]
Open=sxs.exe
Shell\Open=打开(&O)
Shell\Open\Command=sxs.exe
Shell\Open\Default=1
Shell\Explore=资源管理器(&X)
Shell\Explore\Command=sxs.exe
[D:\]
[AutoRun]
Open=sxs.exe
Shell\Open=打开(&O)
Shell\Open\Command=sxs.exe
Shell\Open\Default=1
Shell\Explore=资源管理器(&X)
Shell\Explore\Command=sxs.exe
[E:\]
[AutoRun]
Open=sxs.exe
Shell\Open=打开(&O)
Shell\Open\Command=sxs.exe
Shell\Open\Default=1
Shell\Explore=资源管理器(&X)
Shell\Explore\Command=sxs.exe
[F:\]
[AutoRun]
Open=sxs.exe
Shell\Open=打开(&O)
Shell\Open\Command=sxs.exe
Shell\Open\Default=1
Shell\Explore=资源管理器(&X)
Shell\Explore\Command=sxs.exe
One more question: the entries in the hosts file, are they a virus? Or did someone block those addresses?
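On the hosts question raised in the post above, here is an added example (not from the post, and not SREng's own logic) that separates the kinds of entry a practitioner meets in a hijacked hosts file: sinkholed anti-virus and Windows Update names, which only malware writes; public names sent to a foreign address, which only malware writes; and other loopback entries, which may be the user's own ad-blocking list and should be asked about before removal. The hosts file, the vendor domain list and the 203.0.113.9 address are my constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample hosts file. The hostile entries (loopback for AV and
# Windows Update hosts, public names sent to a foreign address) are invented for
# illustration; 203.0.113.0/24 is a documentation range, not a real server.
SAMPLE_HOSTS = """
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       update.rising.com.cn
127.0.0.1       dnl-us1.kaspersky-labs.com
0.0.0.0         www.windowsupdate.com
127.0.0.1       ad.doubleclick.net      # looks like an ad-block list entry
203.0.113.9     www.example.com
203.0.113.9     mail.example.net
"""

# Assumption: domains of anti-virus vendors and Windows Update that malware of
# this era sinkholes so the product can no longer update. Partial, for illustration.
SECURITY_DOMAINS = (
    "rising.com.cn", "kaspersky-labs.com", "kaspersky.com", "symantec.com", "mcafee.com",
    "eset.com", "jiangmin.com", "duba.net", "360safe.com", "windowsupdate.com",
    "update.microsoft.com",
)
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

def parse_hosts(text):
    """Yield (ip, hostname) pairs; comments and malformed lines are skipped."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            yield str(ip), name.lower()

def classify(ip, name):
    addr = ipaddress.ip_address(ip)
    sinkholed = addr.is_loopback or addr.is_unspecified
    if name in LOCAL_NAMES and sinkholed:
        return "default"
    if any(name == d or name.endswith("." + d) for d in SECURITY_DOMAINS):
        return "blocks-security-updates"  # any mapping of these is hostile: restore
    if sinkholed:
        return "sinkholed-other"          # may be the user's ad-block list: ask first
    return "redirected"                   # public name sent to another host: restore

def triage_hosts(text):
    """Group every entry of a hosts file by the category classify() assigns."""
    groups = defaultdict(list)
    for ip, name in parse_hosts(text):
        groups[classify(ip, name)].append((ip, name))
    return dict(groups)

def needs_repair(text):
    """True when the file contains entries nobody but malware would write."""
    groups = triage_hosts(text)
    return bool(groups.get("blocks-security-updates") or groups.get("redirected"))

if __name__ == "__main__":
    for category, entries in triage_hosts(SAMPLE_HOSTS).items():
        print(category)
        for ip, name in entries:
            print(f"    {ip:15} {name}")
    print("repair needed:", needs_repair(SAMPLE_HOSTS))
```

The "sinkholed-other" bucket is the one that answers the question: a loopback entry for an advertising or tracking host is exactly what a user-installed blocking list writes, so it is not evidence of infection by itself, whereas the other two buckets never arise from legitimate use and are safe to restore to the default file.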
© 2000 - 2026 Rising Corp. Ltd.