StartupList report, 2008-6-10, 11:45:43
StartupList version: 1.52.2
Started from: E:\工具\安全辅助工具\HijackThis\HiJackThis2.0.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\Explorer.EXE
D:\Program Files\360safe\safemon\360tray.exe
C:\Program Files\360Safebox\safeboxTray.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\windows\system32\ctfmon.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\windows\system32\nvsvc32.exe
d:\Program Files\Tencent\QQ\TXPlatform.exe
D:\Program Files\Maxthon2\Maxthon.exe
D:\Program Files\Tencent\QQ\QQMusic.exe
E:\工具\安全辅助工具\HijackThis\HiJackThis2.0.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Administrator\「开始」菜单\程序\启动]
*No files*

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users\「开始」菜单\程序\启动]
*No files*

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

360Safetray = d:\Program Files\360safe\safemon\360tray.exe /start
360Safebox = "C:\Program Files\360Safebox\safeboxTray.exe" /r
AVP = "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
NvCplDaemon = ; RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
NvMediaCenter = ; RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ctfmon.exe = C:\windows\system32\ctfmon.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[AutorunsDisabled]
Alcmtr = ; ALCMTR.EXE
runeip = ; "C:\Program Files\Rising\AntiSpyware\runiep.exe" /startup

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\system32\mshta.exe "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = C:\windows\notepad.exe %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe

[{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
StubPath = C:\windows\system32\Rundll32.exe C:\windows\system32\mscories.dll,Install

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\windows\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=
HKLM\..\Windows NT\CurrentVersion\Windows: run=
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=*Registry value not found*

--------------------------------------------------

Shell & screensaver key from C:\windows\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\windows\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\windows\Explorer\Explorer.exe: not present
C:\windows\System\Explorer.exe: not present
C:\windows\System32\Explorer.exe: not present
C:\windows\Command\Explorer.exe: not present
C:\windows\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: NO!)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\windows
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - (no file) - RsAutorunsDisabled
Thunder AtOnce - d:\Program Files\Thunder Network\Thunder\ComDlls\TDAtOnce_Now.dll - {01443AEC-0FD1-40fd-9C87-E93D1494C233}
flashget2 urlcatch - d:\Program Files\FlashGet Network\FlashGet\ComDlls\bhoCATCH.dll - {1F364306-AA45-47B5-9F9D-39A8B94E7EF1}
ThunderBHO - d:\Program Files\Thunder Network\Thunder\ComDlls\xunleiBHO_Now.dll - {889D2FEB-5411-4565-8998-1DD2C5261283}
(no name) - D:\Program Files\360safe\safemon\safemon.dll - {B69F34DD-F0F9-42DC-9EDD-957187DA688D}

--------------------------------------------------

Enumerating Task Scheduler jobs:

*No jobs found*

--------------------------------------------------

Enumerating Download Program Files:

[KUpdateObj2 Class]
InProcServer32 = C:\WINDOWS\system32\KingSoft\KOS\UpdateOcx2.dll
CODEBASE = http://shadu.duba.net/kosclean_v2/KOSInit.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\windows\System32\mswsock.dll
NameSpace #2: C:\windows\System32\winrnr.dll
Protocol #1: C:\windows\system32\mswsock.dll
Protocol #2: C:\windows\system32\mswsock.dll
Protocol #3: C:\windows\system32\mswsock.dll
Protocol #4: C:\windows\system32\rsvpsp.dll
Protocol #5: C:\windows\system32\rsvpsp.dll
Protocol #6: C:\windows\system32\mswsock.dll
Protocol #7: C:\windows\system32\mswsock.dll
Protocol #8: C:\windows\system32\mswsock.dll
Protocol #9: C:\windows\system32\mswsock.dll
Protocol #10: C:\windows\system32\mswsock.dll
Protocol #11: C:\windows\system32\mswsock.dll
Protocol #12: C:\windows\system32\mswsock.dll
Protocol #13: C:\windows\system32\mswsock.dll
Protocol #14: C:\windows\system32\mswsock.dll
Protocol #15: C:\windows\system32\mswsock.dll

--------------------------------------------------

Enumerating Windows NT/2000/XP services

Microsoft ACPI Driver: system32\DRIVERS\ACPI.sys (system)
Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
AFD: \SystemRoot\System32\drivers\afd.sys (system)
Alerter: %SystemRoot%\system32\svchost.exe -k LocalService (disabled)
Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (disabled)
AMD Processor Driver: system32\DRIVERS\AmdK8.sys (system)
Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
ASP.NET State Service: %SystemRoot%\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (manual start)
RAS Asynchronous Media Driver: system32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: system32\DRIVERS\atapi.sys (system)
ATM ARP Client Protocol: system32\DRIVERS\atmarpc.sys (manual start)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Audio Stub Driver: system32\DRIVERS\audstub.sys (manual start)
Kaspersky Anti-Virus 7.0: "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" -r (autostart)
Background Intelligent Transfer Service: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
Computer Browser: %SystemRoot%\system32\svchost.exe -k netsvcs (disabled)
Contrl Center of Storm Media: C:\Program Files\StormII\stormliv.exe /asservice (autostart)
CD-ROM Driver: system32\DRIVERS\cdrom.sys (system)
Indexing Service: %SystemRoot%\system32\cisvc.exe (disabled)
ClipBook: %SystemRoot%\system32\clipsrv.exe (disabled)
.NET Runtime Optimization Service v2.0.50727_X86: C:\windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (manual start)
COM+ System Application: C:\WINDOWS\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
DCOM Server Process Launcher: %SystemRoot%\system32\svchost -k DcomLaunch (autostart)
DHCP Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Disk Driver: system32\DRIVERS\disk.sys (system)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
Logical Disk Manager Driver: System32\drivers\dmio.sys (system)
dmload: System32\drivers\dmload.sys (system)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
DNS Client: %SystemRoot%\system32\svchost.exe -k NetworkService (autostart)
Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINDOWS\system32\svchost.exe -k netsvcs (autostart)
Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Floppy Disk Controller Driver: system32\DRIVERS\fdc.sys (manual start)
FltMgr: system32\DRIVERS\fltMgr.sys (system)
FsVga: system32\DRIVERS\fsvga.sys (system)
Volume Manager Driver: system32\DRIVERS\ftdisk.sys (system)
Game Port Enumerator: system32\DRIVERS\gameenum.sys (manual start)
Generic Packet Classifier: system32\DRIVERS\msgpc.sys (manual start)
Microsoft UAA Bus Driver for High Definition Audio: system32\DRIVERS\HDAudBus.sys (manual start)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Human Interface Device Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
HTTP: System32\Drivers\HTTP.sys (manual start)
HTTP SSL: %SystemRoot%\System32\svchost.exe -k HTTPFilter (manual start)
i8042 Keyboard and PS/2 Mouse Port Driver: system32\DRIVERS\i8042prt.sys (system)
CD-Burning Filter Driver: system32\DRIVERS\imapi.sys (system)
IMAPI CD-Burning COM Service: C:\WINDOWS\system32\imapi.exe (disabled)
Service for Realtek HD Audio (WDM): system32\drivers\RtkHDAud.sys (manual start)
IPv6 Windows Firewall Driver: system32\DRIVERS\Ip6Fw.sys (manual start)
IP Traffic Filter Driver: system32\DRIVERS\ipfltdrv.sys (manual start)
IP in IP Tunnel Driver: system32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: system32\DRIVERS\ipnat.sys (manual start)
IPSEC driver: system32\DRIVERS\ipsec.sys (system)
IR Enumerator Service: system32\DRIVERS\irenum.sys (manual start)
PnP ISA/EISA Bus Driver: system32\DRIVERS\isapnp.sys (system)
KAVBootC: system32\Drivers\KAVBootC.sys (system)
Keyboard Class Driver: system32\DRIVERS\kbdclass.sys (system)
Kl1: system32\drivers\kl1.sys (system)
Klif: \??\C:\windows\system32\drivers\klif.sys (system)
Kaspersky Anti-Virus NDIS Filter: system32\DRIVERS\klim5.sys (manual start)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
Server: %SystemRoot%\system32\svchost.exe -k netsvcs (disabled)
Workstation: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\system32\svchost.exe -k LocalService (manual start)
Messenger: %SystemRoot%\system32\svchost.exe -k netsvcs (disabled)
Mouse Class Driver: system32\DRIVERS\mouclass.sys (system)
WebDav Client Redirector: system32\DRIVERS\mrxdav.sys (manual start)
MRXSMB: system32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator: C:\WINDOWS\system32\msdtc.exe (manual start)
Windows Installer: C:\WINDOWS\system32\msiexec.exe /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
Microsoft System Management BIOS Driver: system32\DRIVERS\mssmbios.sys (manual start)
Microsoft MPU-401 MIDI UART Driver: system32\drivers\msmpu401.sys (manual start)
Remote Access NDIS TAPI Driver: system32\DRIVERS\ndistapi.sys (manual start)
NDIS User mode I/O Protocol: system32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: system32\DRIVERS\ndiswan.sys (manual start)
NetBIOS Interface: system32\DRIVERS\netbios.sys (system)
NetBios over Tcpip: system32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (disabled)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (disabled)
Net Logon: %SystemRoot%\system32\lsass.exe (manual start)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Network Location Awareness (NLA): %SystemRoot%\system32\svchost.exe -k netsvcs (disabled)
NT LM Security Support Provider: %SystemRoot%\system32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (disabled)
nv: system32\DRIVERS\nv4_mini.sys (manual start)
nvata: system32\DRIVERS\nvata.sys (system)
NVIDIA Display Driver Service: %SystemRoot%\system32\nvsvc32.exe (autostart)
IPX Traffic Filter Driver: system32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: system32\DRIVERS\nwlnkfwd.sys (manual start)
Parallel port driver: system32\DRIVERS\parport.sys (manual start)
PCI Bus Driver: system32\DRIVERS\pci.sys (system)
PCIIde: system32\DRIVERS\pciide.sys (system)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Services: %SystemRoot%\system32\lsass.exe (autostart)
WAN Miniport (PPTP): system32\DRIVERS\raspptp.sys (manual start)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
QoS Packet Scheduler: system32\DRIVERS\psched.sys (manual start)
Direct Parallel Link Driver: system32\DRIVERS\ptilink.sys (manual start)
Remote Access Auto Connection Driver: system32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
WAN Miniport (L2TP): system32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
Remote Access PPPOE Driver: system32\DRIVERS\raspppoe.sys (manual start)
Direct Parallel: system32\DRIVERS\raspti.sys (manual start)
Rdbss: system32\DRIVERS\rdbss.sys (system)
RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
Terminal Server Device Redirector Driver: system32\DRIVERS\rdpdr.sys (manual start)
Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start)
Digital CD Audio Playback Filter Driver: system32\DRIVERS\redbook.sys (system)
Routing and Remote Access: %SystemRoot%\system32\svchost.exe -k netsvcs (disabled)
Remote Registry: %SystemRoot%\system32\svchost.exe -k LocalService (disabled)
Remote Procedure Call (RPC) Locator: %SystemRoot%\system32\locator.exe (manual start)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
RsAntiSpyware: system32\drivers\RsBoot.sys (system)
Link-Layer Topology Discovery Responder: system32\DRIVERS\rspndr.sys (autostart)
QoS RSVP: %SystemRoot%\system32\rsvp.exe (manual start)
Realtek 10/100/1000 PCI NIC Family NDIS XP Driver: system32\DRIVERS\Rtnicxp.sys (manual start)
SafeBoxKrnl: \??\C:\Program Files\360Safebox\SafeBoxKrnl.sys (system)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Secdrv: system32\DRIVERS\secdrv.sys (manual start)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Serenum Filter Driver: system32\DRIVERS\serenum.sys (manual start)
Serial port driver: system32\DRIVERS\serial.sys (system)
Windows Firewall/Internet Connection Sharing (ICS): %SystemRoot%\system32\svchost.exe -k netsvcs (disabled)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (disabled)
System Restore Filter Driver: \SystemRoot\system32\DRIVERS\sr.sys (disabled)
System Restore Service: %SystemRoot%\system32\svchost.exe -k netsvcs (disabled)
Srv: system32\DRIVERS\srv.sys (manual start)
SSDP Discovery Service: %SystemRoot%\system32\svchost.exe -k LocalService (disabled)
Windows Image Acquisition (WIA): %SystemRoot%\system32\svchost.exe -k imgsvc (disabled)
Software Bus Driver: system32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
MS Software Shadow Copy Provider: C:\WINDOWS\system32\dllhost.exe /Processid:{A1BD9A53-DBF7-48D8-B5D8-38097E5C1106} (disabled)
Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
TCP/IP Protocol Driver: system32\DRIVERS\tcpip.sys (system)
Terminal Device Driver: system32\DRIVERS\termdd.sys (system)
Terminal Services: %SystemRoot%\System32\svchost -k DComLaunch (disabled)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Telnet: C:\WINDOWS\system32\tlntsvr.exe (disabled)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
Windows User Mode Driver Framework: C:\WINDOWS\system32\wdfmgr.exe (manual start)
Microcode Update Driver: system32\DRIVERS\update.sys (manual start)
Universal Plug and Play Device Host: %SystemRoot%\system32\svchost.exe -k LocalService (disabled)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (disabled)
Microsoft USB 2.0 Enhanced Host Controller Miniport Driver: system32\DRIVERS\usbehci.sys (manual start)
USB2 Enabled Hub: system32\DRIVERS\usbhub.sys (manual start)
Microsoft USB Open Host Controller Miniport Driver: system32\DRIVERS\usbohci.sys (manual start)
VgaSave: \SystemRoot\System32\drivers\vga.sys (system)
Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (disabled)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Remote Access IP ARP Driver: system32\DRIVERS\wanarp.sys (manual start)
Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
WebClient: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Windows Management Instrumentation Driver Extensions: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WMI Performance Adapter: C:\WINDOWS\system32\wbem\wmiapsrv.exe (manual start)
Security Center: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Automatic Updates: %systemroot%\system32\svchost.exe -k netsvcs (disabled)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Network Provisioning Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)

--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = *Registry value not found*

Windows NT 'Wininit.ini':
PendingFileRenameOperations: *Registry value not found*

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\windows\system32\SHELL32.dll
CDBurn: C:\windows\system32\SHELL32.dll
WebCheck: C:\windows\system32\webcheck.dll
SysTray: C:\WINDOWS\system32\stobject.dll

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

End of report, 26,096 bytes
Report generated in 0.218 seconds

Command line options:
   /verbose  - to add additional info on each section
   /complete - to include empty sections and unsuspicious data
   /full     - to include several rarely-important sections
   /force9x  - to include Win9x-only startups even if running on WinNT
   /forceNT  - to include WinNT-only startups even if running on Win9x
   /forceall - to include all Win9x and WinNT startups, regardless of platform
   /history  - to list version history only