启动项目
注册表
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    <AppInit_DLLs><ablkfkkd.dll>  []
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    <UIHost><C:\windows\system32\XPtoVista\Logonui.exe>  [Microsoft Corporation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    <{AB54F44D-652A-447F-B2D8-44FD96937ECE}><C:\windows\system32\ablkfkkd.dll>  []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    <AB54F44D><C:\windows\system32\ablkfkkd.dll>  []
==================================
正在运行的进程
[PID: 1380][C:\windows\explorer.exe]  [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
    [C:\windows\system32\ablkfkkd.dll]  [N/A, ]
[PID: 896][C:\windows\system32\conime.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [C:\windows\system32\ablkfkkd.dll]  [N/A, ]
[PID: 2572][C:\Temp\Rar$EX00.922\SREae94e837.EXE]  [Smallfrogs Studio, 2.7.0.1210]
    [C:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\COMCTL32.dll]  [Microsoft Corporation, 6.0 (xpsp.060825-0040)]
    [C:\windows\system32\ablkfkkd.dll]  [N/A, ]
==================================

可疑的地方：
autoguarder guarded.
C:\windows\system32\ablkfkkd.dll>
把[AppInit_DLLs]项的值清空
镜像劫持：
[IFEO[auto.exe]]    <AUTOGUARDER GUARDED.>
[IFEO[MSDOS.bat]]    <AUTOGUARDER GUARDED.>
[IFEO[ntldr.exe]]    <AUTOGUARDER GUARDED.>
[IFEO[pagefile.pif]]    <AUTOGUARDER GUARDED.>
[IFEO[sos.exe]]    <AUTOGUARDER GUARDED.>
[IFEO[sxs.exe]]    <AUTOGUARDER GUARDED.>
[IFEO[test.exe]]    <AUTOGUARDER GUARDED.>

C:\windows\system32\ablkfkkd.dll
C:\windows\system32\ablkfkkd.dll
还有修复映像挟持

1.[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    <AppInit_DLLs><ablkfkkd.dll>  []清空
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    <UIHost><C:\windows\system32\XPtoVista\Logonui.exe>  [Microsoft Corporation]
XP  to  Vista？
<{AB54F44D-652A-447F-B2D8-44FD96937ECE}><C:\windows\system32\ablkfkkd.dll>  []
<AB54F44D><C:\windows\system32\ablkfkkd.dll>  []
2.[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\auto.exe]
    <IFEO[auto.exe]><AUTOGUARDER GUARDED.>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSDOS.bat]
    <IFEO[MSDOS.bat]><AUTOGUARDER GUARDED.>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntldr.exe]
    <IFEO[ntldr.exe]><AUTOGUARDER GUARDED.>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pagefile.pif]
    <IFEO[pagefile.pif]><AUTOGUARDER GUARDED.>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sos.exe]
    <IFEO[sos.exe]><AUTOGUARDER GUARDED.>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sxs.exe]
    <IFEO[sxs.exe]><AUTOGUARDER GUARDED.>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\test.exe]
    <IFEO[test.exe]><AUTOGUARDER GUARDED.>  [N/A]
劫持又是

==================================
[PID: 2572][C:\Temp\Rar$EX00.922\SREae94e837.EXE]  [Smallfrogs Studio, 2.7.0.1210]
    [C:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-

ww_ac3f9c03\COMCTL32.dll]  [Microsoft Corporation, 6.0 (xpsp.060825-0040)]有问题为什么。。




进程特权扫描
特殊特权被允许： SeLoadDriverPrivilege [PID = 1152, C:\WINDOWS\SYSTEM32\SPOOLSV.EXE]
特殊特权被允许： SeLoadDriverPrivilege [PID = 2556, C:\TEMP\RAR$EX00.922\SRENGLDR.EXE]
为什么 没有问题。

为了练习日志分析，今天分析这个日志。
现有以下疑问：

1、关于ablkfkkd.dll此文件觉得很可疑，首先文件名很奇怪有，凡带有此文件的项公司版本信息均无，而且<AppInit_DLLs><ablkfkkd.dll>  []项默认情况为<AppInit_DLLs><>  ，这里也不正常
<AppInit_DLLs><ablkfkkd.dll>  []
<{AB54F44D-652A-447F-B2D8-44FD96937ECE}><C:\windows\system32\ablkfkkd.dll>  []
<AB54F44D><C:\windows\system32\ablkfkkd.dll>  []
  [C:\windows\system32\ablkfkkd.dll]  [N/A]

所以觉得这些项可疑，觉得应该删除这些项，并删除该文件。

2、有些项后面标明[File is missing]，觉得有问题，不知该如何修复。

<Bdangel><F:\安装软件包\系统工具\上网提速王\bdan>  [File is missing]
<Outlook Express><%systemroot%\system32\shmgrate.exe OCInstallUserConfigOE>  [File is missing]
<Themes Setup><%SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll>  [File is missing]
<Microsoft Outlook Express 6><"%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install>  [File is missing]


3、如何判断劫持项，如何判断劫持项是用来免疫病毒的。
记得7月8日 日志分析 练习1中也有IFEO项，那些是病毒搞的鬼。本贴却说明，该日志中通过文件名判断，这些劫持项是用来免疫病毒的，不需要处理。
<IFEO[auto.exe]><AUTOGUARDER GUARDED.>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSDOS.bat]
    <IFEO[MSDOS.bat]><AUTOGUARDER GUARDED.>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntldr.exe]
    <IFEO[ntldr.exe]><AUTOGUARDER GUARDED.>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pagefile.pif]
    <IFEO[pagefile.pif]><AUTOGUARDER GUARDED.>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sos.exe]
    <IFEO[sos.exe]><AUTOGUARDER GUARDED.>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sxs.exe]
    <IFEO[sxs.exe]><AUTOGUARDER GUARDED.>  [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\test.exe]
    <IFEO[test.exe]><AUTOGUARDER GUARDED.>  [N/A]