【原创】如何用Procexp和Autoruns工具识别与删除木马程序 - 瑞星卡卡安全论坛bbs.ikaka.com

瑞星卡卡安全论坛技术交流区 反病毒/反流氓软件论坛【原创】如何用Procexp和Autoruns工具识别与删除木马程序

	瑞星ESM助力北京石龙医院筑牢安全防线		瑞星恶意代码管理系统助金华电力提升防御能力		俄乌冲突加剧网络攻击风险白俄罗斯政府遭APT攻击		助力国家网络安全瑞星获病毒应急处理中心感谢信
	实力拉满瑞星第四十四次通过VB100测评		瑞星发布2024年六大网络安全趋势		瑞星携手中国农业大学共筑网络安全防线		人工智能在网络安全领域的风险和机遇

«16 17 18 19 202122 23

21 / 23 页

跳转页

【原创】如何用Procexp和Autoruns工具识别与删除木马程序

言无忌163 初生襁褓狮帖子:34 注册: 2006-04-10 来自:	发表于： 2006-04-21 14:38 \| 短消息资料字号：小中大 201楼文件名：IEXPLORE.EXE 文件路径：IEXPLORE.EXE>>C:\Program Files\Internet Explorer\IEXPLORE.EXE 病毒名：Backdoor.Gpigeon.uvc 状态：清除成功
言无忌163 初生襁褓狮帖子:34 注册: 2006-04-10 来自:

轩辕小聪卡卡技术团队帖子:8368 注册: 2006-01-09 来自:	发表于： 2006-04-21 14:52 \| 短消息资料字号：小中大 202楼【回复“言无忌163”的帖子】晕，灰鸽子的干嘛发这个帖子里。回自己原来的帖子或另发一主题帖，用HijackThis或Autoruns扫个日志发上来。本来应该是个不复杂的问题，怎么搞了一个星期，还连日志都没发上来呀？！
轩辕小聪卡卡技术团队帖子:8368 注册: 2006-01-09 来自:

BlackStone 叱咤花甲狮帖子:2616 注册: 2005-09-27 来自:	发表于： 2006-05-12 10:27 \| 只看楼主短消息资料字号：小中大 203楼 Process Explorer 升级到10.11 升级内容： 1) 在Vista系统上进程属性页中增加进程循环计数列 2) 增加查看和编辑服务权限功能 3) 修改在.NET运行时的句柄泄漏 4) 增加进程属性中I/O列内容 5) 增加系统和每个进程的I/O字节历史图表 6) 增加I/O历史记录图表 7) 增加内存提交历史记录图表 8) 增加可选择I/O历史托盘图标 9) 支持基于Itanium的64位Windows 下载地址：http://www.sysinternals.com/Files/ProcessExplorerNt.zip
BlackStone 叱咤花甲狮帖子:2616 注册: 2005-09-27 来自:

友好人士锋芒艾服狮帖子:1287 注册: 2005-12-21 来自:	发表于： 2006-05-15 23:11 \| 短消息资料字号：小中大 204楼看到Baohe大叔在推荐，我把这贴子顶出。。
友好人士锋芒艾服狮帖子:1287 注册: 2005-12-21 来自:

清风之雷初生襁褓狮帖子:1 注册: 2006-05-19 来自:	发表于： 2006-05-19 01:35 \| 短消息资料字号：小中大 205楼哎!看晚了!好帖啊!现在再学习也不晚!
清风之雷初生襁褓狮帖子:1 注册: 2006-05-19 来自:

kaka新手初生襁褓狮帖子:29 注册: 2005-10-19 来自:	发表于： 2006-06-08 23:38 \| 短消息资料字号：小中大 206楼在这个帖子里，楼主一共发了32张图，真够耐心细致的。多谢楼主，全都收藏了。
kaka新手初生襁褓狮帖子:29 注册: 2005-10-19 来自:

asdf437 初生襁褓狮帖子:3 注册: 2006-06-09 来自:	发表于： 2006-06-09 20:30 \| 短消息资料字号：小中大 207楼不知道怎么分辩那个是病毒。。。。？？？可以说具体点吗，？谢了
asdf437 初生襁褓狮帖子:3 注册: 2006-06-09 来自:

BlackStone 叱咤花甲狮帖子:2616 注册: 2005-09-27 来自:	发表于： 2006-06-27 15:37 \| 只看楼主短消息资料字号：小中大 208楼 Autoruns 升级到v8.52 升级内容：增加一个被恶意软件利用劫持桌面背景的自启动项。 http://www.sysinternals.com/Files/Autoruns.zip
BlackStone 叱咤花甲狮帖子:2616 注册: 2005-09-27 来自:

BlackStone 叱咤花甲狮帖子:2616 注册: 2005-09-27 来自:	发表于： 2006-07-12 10:14 \| 只看楼主短消息资料字号：小中大 209楼 Procexp升级到 10.20。更新内容：针对Vista增加了“integrity level”和“Virutalized”列对于x64处理器上的64位Vista上驱动做了签名下载地址：http://www.sysinternals.com/Files/ProcessExplorerNt.zip
BlackStone 叱咤花甲狮帖子:2616 注册: 2005-09-27 来自:

羽翼の涅磐初生襁褓狮帖子:1 注册: 2006-08-17 来自:	发表于： 2006-08-17 03:01 \| 短消息资料字号：小中大 210楼 HKCU\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Startup HKLM\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Startup HKCU\Software\Policies\Microsoft\Windows\System\Scripts\Logon HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Logon HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\Shell HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Shell HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run + DAEMON Tools-1033 Virtual DAEMON Manager (Not verified) DAEMON'S HOME c:\program files\d-tools\daemon.exe + kav Kaspersky Anti-Virus (Not verified) Kaspersky Lab c:\program files\kaspersky lab\kaspersky anti-virus 6.0\avp.exe + LetsCool File not found: C:\Program Files\LetsCool\LetsCool.exe + nwiz NVIDIA nView Wizard, Version 105.18 (Not verified) NVIDIA Corporation c:\windows\system32\nwiz.exe + WinampAgent File not found: ; + YOKAssiant File not found: C:\PROGRA~1\YOK.com\SUPERS~1\YOK_SuperSearch.dll HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce C:\Documents and Settings\All Users\「开始」菜单\程序\启动 C:\Documents and Settings\Administrator\「开始」菜单\程序\启动 HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKCU\Software\Microsoft\Windows\CurrentVersion\Run HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components HKCU\SOFTWARE\Microsoft\Active Setup\Installed Components HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks + ewido anti-spyware 4.0 ewido anti-spyware guard (Not verified) Anti-Malware Development a.s. d:\program files\ewido anti-spyware 4.0\shellexecutehook.dll HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved + Desktop Explorer NVIDIA Desktop Explorer, Version 105.18 (Not verified) NVIDIA Corporation c:\windows\system32\nvshell.dll + Desktop Explorer Menu NVIDIA Desktop Explorer, Version 105.18 (Not verified) NVIDIA Corporation c:\windows\system32\nvshell.dll + Display Panning CPL Extension File not found: deskpan.dll + Fusion Cache Microsoft .NET Runtime Execution Engine (Not verified) Microsoft Corporation c:\windows\system32\mscoree.dll + nView Desktop Context Menu NVIDIA Desktop Explorer, Version 105.18 (Not verified) NVIDIA Corporation c:\windows\system32\nvshell.dll + Web Anti-Virus Script Monitor Internet Explorer plugin (Not verified) Kaspersky Lab c:\program files\kaspersky lab\kaspersky anti-virus 6.0\scieplugin.dll + Web Folders Microsoft Web Folders (Not verified) Microsoft Corporation c:\program files\common files\microsoft shared\web folders\msonsext.dll + WinRAR shell extension c:\program files\winrar\rarext.dll HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved HKLM\Software\Classes\Folder\Shellex\ColumnHandlers HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects + Ad Class File not found: C:\WINDOWS\SeAd\SeAd44d5bfdd.dll + Letscool System Helper Letscool Network IE Helper (Not verified) LETSCOOL Network Technology c:\windows\system32\coolbho.dll + QQBrowserHelperObject Class QQIEHelper Module (Not verified) 深圳市腾讯计算机系统有限公司 d:\program files\tencent\qq\qqiehelper.dll + Thunder Browser Helper XunLeiBHO (Not verified) Thunder Networking Technologies,LTD c:\program files\thunder network\thunder\comdlls\xunleibho_002.dll HKCU\Software\Microsoft\Internet Explorer\UrlSearchHooks HKLM\Software\Microsoft\Internet Explorer\Toolbar HKLM\Software\Microsoft\Internet Explorer\Extensions + YOK超级搜索 File not found: http://www.yok.com + 番茄花园 File not found: http://www.tomatolei.com + 启动迅雷 (Not verified) Thunder Networking Technologies,LTD c:\program files\thunder network\thunder\thunder.exe + 腾讯QQ QQ (Not verified) TENCENT d:\program files\tencent\qq\qq.exe Task Scheduler HKLM\System\CurrentControlSet\Services + AVP Provides protection against computer viruses and spyware. (Not verified) Kaspersky Lab c:\program files\kaspersky lab\kaspersky anti-virus 6.0\avp.exe + ewido anti-spyware 4.0 guard ewido anti-spyware guard (Not verified) Anti-Malware Development a.s. d:\program files\ewido anti-spyware 4.0\guard.exe + UpdateService c:\windows\system32\updateservice.exe HKLM\System\CurrentControlSet\Services + atapi c:\windows\system32\drivers\atapi.sys + d346bus PnP BIOS Extension (Not verified) c:\windows\system32\drivers\d346bus.sys + d346prt SCSI miniport (Not verified) c:\windows\system32\drivers\d346prt.sys + ewido anti-spyware 4.0 driver d:\program files\ewido anti-spyware 4.0\guard.sys + kl1 Kaspersky Unified Driver (Not verified) Kaspersky Lab c:\windows\system32\drivers\kl1.sys + klif spuper-ptor (Not verified) Kaspersky Lab c:\windows\system32\drivers\klif.sys + npkcrypt nProtect KeyCrypt Driver (Not verified) INCA Internet Co., Ltd. d:\program files\tencent\qq\npkcrypt.sys + npkycryp File not found: D:\Program Files\Tencent\QQ\npkycryp.sys HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options HKLM\SOFTWARE\Microsoft\Command Processor\Autorun HKCU\SOFTWARE\Microsoft\Command Processor\Autorun HKLM\SOFTWARE\Classes\Exefile\Shell\Open\Command\(Default) HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\System HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify + klogon Logon Visualizer (Not verified) Kaspersky Lab c:\windows\system32\klogon.dll HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GinaDLL HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman HKCU\Control Panel\Desktop\Scrnsave.exe HKLM\System\CurrentControlSet\Control\BootVerificationProgram\ImageName HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9 HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors 大侠帮我看看吧。。。我的IE被我卸载了，用的TT 我访问不了QQ空间，提示我浏览器不支持Q-zone的某些特性。。
羽翼の涅磐初生襁褓狮帖子:1 注册: 2006-08-17 来自:

<<上一主题|下一主题>>

«16 17 18 19 202122 23

21 / 23 页

跳转页

页面顶部

Powered by Discuz!NT