Re: July 8 Log Analysis Exercise 6

1. So many, many image hijacks!!!

2.[Task Scheduler / Schedule][Stopped/Auto Start]
  <C:\WINDOWS\System32\svchost.exe -k netsvcs-->%SystemRoot%\system32\schedsvc.dll><N/A>

3. [NsRk1 / NsRk1][Stopped/Manual Start]
  <\??\C:\WINDOWS\system32\Nskhelper2.sys><N/A>
[NsPsDk00 / NsPsDk00][Stopped/Manual Start]
  <\??\C:\WINDOWS\system32\NsPass0.sys><N/A>
[NsPsDk01 / NsPsDk01][Stopped/Manual Start]
  <\??\C:\WINDOWS\system32\NsPass1.sys><N/A>
[NsPsDk03 / NsPsDk03][Stopped/Manual Start]
  <\??\C:\WINDOWS\system32\NsPass3.sys><N/A>
[NsPsDk04 / NsPsDk04][Stopped/Manual Start]
  <\??\C:\WINDOWS\system32\NsPass4.sys><N/A>

4.  []
  {09EB15FA-17D8-4D60-8598-3F549A848DF2} <C:\PROGRA~1\INTERN~1\PLUGINS\b54321.bho, N/A>
  []
  {16FF142F-BEBD-47CE-A3A6-D52A1A2ECB54} <C:\Program Files\Internet Explorer\Vv54321t.321, N/A>
  []
  {E59C8BDA-489C-47EC-8967-A33C6A730B10} <C:\Program Files\Internet Explorer\Explo2eMt.456, N/A>
  []
  {E59C8BDA-489C-47EC-8967-A33C6A730B10} <C:\Program Files\Internet Explorer\Explo2eMt.456,
  []
  {09EB15FA-17D8-4D60-8598-3F549A848DF2} <C:\PROGRA~1\INTERN~1\PLUGINS\b54321.bho, N/A>
  []
  {16FF142F-BEBD-47CE-A3A6-D52A1A2ECB54} <C:\Program Files\Internet Explorer\Vv54321t.321, N/A>
 
5. Autorun.inf
[C:\]
[autorun]
shell\open\command=rundll32 system.dll,explore
shell\explore\command=rundll32 system.dll,explore
[D:\]
[autorun]
shell\open\command=rundll32 system.dll,explore
shell\explore\command=rundll32 system.dll,explore
[E:\]
[autorun]
shell\open\command=rundll32 system.dll,explore
shell\explore\command=rundll32 system.dll,explore
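Added example, not part of this reply or of the log tool it quotes: a small Python checker that parses an autorun.inf dump in the layout shown above (one `[X:\]` block per drive, followed by the file's `[autorun]` keys) and flags the entries that redefine Explorer's `open`/`explore` verbs, which is the pattern on C:, D: and E: here. The sample input is constructed (it repeats the C: and D: blocks from the post and adds a clean F: drive so the negative case is visible); the `open`/`shellexecute` check is a generalization beyond what the post shows, since those keys auto-launch a file on media insertion and are equally out of place on a fixed disk.

```python
"""Parse an autorun.inf section of a system log and flag Explorer verb hijacks.

Hypothetical helper written for this thread; it is not part of any tool
mentioned in the exercise.  Input layout (as in the log):

    [C:\\]
    [autorun]
    shell\\open\\command=...
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: C: and D: mirror the post, F: is a clean drive for contrast.
SAMPLE_LOG = """\
[C:\\]
[autorun]
shell\\open\\command=rundll32 system.dll,explore
shell\\explore\\command=rundll32 system.dll,explore
[D:\\]
[autorun]
shell\\open\\command=rundll32 system.dll,explore
shell\\explore\\command=rundll32 system.dll,explore
[F:\\]
[autorun]
icon=drive.ico
label=Backup
"""

DRIVE_RE = re.compile(r"^\[([A-Za-z]:\\)\]$")

# Keys that replace what a double-click / right-click "Explore" does on the drive.
VERB_HIJACK_KEYS = {"shell\\open\\command", "shell\\explore\\command"}
# Keys that request automatic execution on insertion (generalization, see lead-in).
AUTOLAUNCH_KEYS = {"open", "shellexecute"}


def parse_autorun_dump(text: str) -> Dict[str, Dict[str, str]]:
    """Return {drive: {key: value}} for every [X:\\] block in the dump.

    Keys are lower-cased; the [autorun] section header itself is skipped.
    Lines before the first drive header are ignored.
    """
    drives: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DRIVE_RE.match(line)
        if m:
            current = m.group(1)
            drives[current] = {}
            continue
        if current is None or line.lower() == "[autorun]":
            continue
        if "=" in line:
            key, value = line.split("=", 1)
            drives[current][key.strip().lower()] = value.strip()
    return drives


def flag_hijacks(drives: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str, str]]:
    """Return (drive, key, value, reason) for every suspicious autorun key."""
    findings = []
    for drive, entries in drives.items():
        for key, value in entries.items():
            if key in VERB_HIJACK_KEYS:
                findings.append((drive, key, value, "redefines Explorer open/explore verb"))
            elif key in AUTOLAUNCH_KEYS:
                findings.append((drive, key, value, "auto-launches a file on insertion"))
    return findings


if __name__ == "__main__":
    for drive, key, value, reason in flag_hijacks(parse_autorun_dump(SAMPLE_LOG)):
        print(f"{drive}  {key} = {value}   [{reason}]")
```

Running it lists the four hijacked verbs on C: and D: and nothing for F:; an empty result for a drive means its autorun.inf only carries cosmetic keys such as `icon` or `label`.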