
[Exercise] July 8 Log Analysis Exercise 8


Starting today, we will post SREng logs from infected machines every day. Some interns are using SREng for the first time and are not yet familiar with log analysis; if you rush off to reply in the antivirus section and misjudge a log, the person asking for help may be harmed. That is why we are using this "internal" exchange format. Please practice as much as you can: the real skill of log analysis comes from your own hands-on exploration!

Note: the log analysis exercises have no bearing on your overall internship grade, so do not worry and practice boldly!





========Reference analysis follows========
The abnormal items are in the attachment (only the items of highest suspicion in the log are kept)

Notes:
1. Do not delete the AppInit_DLLs entry; clear its value instead;
2. There are many hijack entries and Hosts entries; a tool can help process them quickly;
3. The virus created many service entries, such as  <C:\WINDOWS\System32\svchost.exe -k netsvcs-->C:\WINDOWS\System32\qhly.dll><>; take care to determine which is the system file and which is the virus file, and do not delete the system file;
4. The CNNIC rogue software is visible in the log; you can advise the user to remove it, but if the user is fond of it, it can be left alone; the decision is the user's.

Last edited by 酷卡 on 2009-07-28 17:13:57
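A small triage script, added here as an example and not part of the exercise attachment or of SREng itself, that applies the reference notes above to SREng-style log lines: autostarts launched from Temp, a populated AppInit_DLLs value, IFEO debuggers pointing at svchost.exe, and svchost -k netsvcs services whose hosted DLL carries no company info. The log excerpt is constructed from entries discussed in this thread, and the rules are this example's own heuristics.

```python
import re

# Constructed SREng-style excerpt (not the exercise attachment); entries mirror the ones
# discussed in this thread. The rules below are this example's heuristics, not SREng's.
SAMPLE = r"""
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    <u1rjs10ri1uew03><C:\DOCUME~1\cui\LOCALS~1\Temp\Servera.exe>  [N/A]
    <UnlockerAssistant><"C:\Program Files\Unlocker\UnlockerAssistant.exe">  [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    <AppInit_DLLs><C:\WINDOWS\System32\NTDLL32.dll>  [Microsoft Corporation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe]
    <IFEO[avp.exe]><svchost.exe> [(Verified)Microsoft Windows Publisher]
[CoolWare / CoolWare][Running/Manual Start]
  <C:\WINDOWS\System32\svchost.exe -k netsvcs-->C:\WINDOWS\System32\qhly.dll><>
[Internet Connection Manager / Internet Connection Manager][Running/Manual Start]
  <"C:\WINDOWS\System32\internet.exe"><Microsoft Corporation>
"""

REG_ENTRY = re.compile(r'^\s*<([^<>]+)><([^<>]*)>\s*\[([^\]]*)\]')  # <name><command>  [signer]
SVC_ENTRY = re.compile(r'^\s*<(.*)><([^<>]*)>\s*$')               # <command><company>
IFEO_NAME = re.compile(r'^IFEO\[(.+)\]$')

def triage(log_text):
    """Return (section, item, reason) for each entry a rule fires on, in log order."""
    findings, section = [], ''
    for line in log_text.splitlines():
        if line.startswith('['):          # registry key or "[service / name][state]" header
            section = line.strip()
            continue
        m = REG_ENTRY.match(line)
        if m and section.startswith('[HKEY_'):
            name, command, signer = m.group(1), m.group(2), m.group(3).strip()
            ifeo = IFEO_NAME.match(name)
            if ifeo and 'svchost.exe' in command.lower():
                # Debugger for a security product's EXE set to svchost.exe: image hijack
                findings.append((section, name, 'IFEO hijack of ' + ifeo.group(1)))
            elif name == 'AppInit_DLLs' and command.strip():
                # Per the reference notes: clear the value, do not delete the entry
                findings.append((section, name, 'AppInit_DLLs set; clear value, keep entry'))
            elif '\\temp\\' in command.lower():
                findings.append((section, name, 'autostart from Temp directory'))
            elif signer in ('', 'N/A'):
                # Unsigned alone is weak evidence (Unlocker is legitimate): verify the file
                findings.append((section, name, 'no company info; verify file by hand'))
            continue
        m = SVC_ENTRY.match(line)
        if m and '-->' in m.group(1) and not m.group(2).strip():
            # svchost -k netsvcs hosting a DLL with no company info: establish which file
            # is the system's and which was dropped before removing anything
            dll = m.group(1).split('-->', 1)[1]
            findings.append((section, dll, 'svchost-hosted DLL without company info'))
    return findings

if __name__ == '__main__':
    for section, item, reason in triage(SAMPLE):
        print(f'{reason:45} {item}')
```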
 

 

Reply: July 8 Log Analysis Exercise 8

This user's post content has been blocked
Last edited by 精神病院看门的 on 2009-07-08 20:58:04
 

Reply: July 8 Log Analysis Exercise 8

<u1rjs10ri1uew03><C:\DOCUME~1\cui\LOCALS~1\Temp\Servera.exe>  [N/A]
    <ym6t5yvzdk2rm><C:\DOCUME~1\cui\LOCALS~1\Temp\winlog0n.exe>  [N/A]
    <rg60qte9qw61w><C:\DOCUME~1\cui\LOCALS~1\Temp\crasos.exe>  [N/A]
    <dtb46vxxrkiub><C:\DOCUME~1\cui\LOCALS~1\Temp\iexp10re.exe>  [N/A]
    <qhm2><C:\DOCUME~1\cui\LOCALS~1\Temp\iexpl0re.exe>  [N/A]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
    <sun><C:\WINDOWS\SysSun1\svchost.exe>  [N/A]
These are all viruses, right... could some expert come and comment?
 

Reply: July 8 Log Analysis Exercise 8

Suspicious items:


1. In the startup items

<u1rjs10ri1uew03><C:\DOCUME~1\cui\LOCALS~1\Temp\Servera.exe>  [N/A]
<ym6t5yvzdk2rm><C:\DOCUME~1\cui\LOCALS~1\Temp\winlog0n.exe>  [N/A]
<rg60qte9qw61w><C:\DOCUME~1\cui\LOCALS~1\Temp\crasos.exe>  [N/A]
<dtb46vxxrkiub><C:\DOCUME~1\cui\LOCALS~1\Temp\iexp10re.exe>  [N/A]
<qhm2><C:\DOCUME~1\cui\LOCALS~1\Temp\iexpl0re.exe>  [N/A]
<sun><C:\WINDOWS\SysSun1\svchost.exe>  [N/A]
  <UnlockerAssistant><"C:\Program Files\Unlocker\UnlockerAssistant.exe">  [N/A]
<KernelFaultCheck><%systemroot%\system32\dumprep 0 -k>  [N/A]
  <upxdnd><C:\DOCUME~1\cui\LOCALS~1\Temp\upxdnd.exe>  [N/A]
    <winform><C:\WINDOWS\winform.exe>  [N/A]
    <IEBarUp><RunDll32 "C:\WINDOWS\System32\msUPT.dll",Run>  []
    <mppds><C:\WINDOWS\mppds.exe>  [N/A]
    <Desktop><"C:\WINDOWS\System32\internet.exe">  [Microsoft Corporation]
    <Internet><"C:\WINDOWS\system32\internet.exe">  [Microsoft Corporation]
    <CdnCtr><C:\Program Files\CNNIC\Cdn\cdnup.exe>  [CNNIC]
    <tcjfcji><C:\Program Files\Intel\tcjfcji.exe>  [N/A]
    <pxdnd><C:\DOCUME~1\cui\LOCALS~1\Temp\pxdnd.exe>  [N/A]
    <nwiztlbb><C:\WINDOWS\System32\nwiztlbb.exe>  [N/A]
    <nwizqqfo><C:\WINDOWS\System32\nwizqqfo.exe>  [N/A]
    <cmdbcs><C:\WINDOWS\cmdbcs.exe>  [N/A]
    <msccrt><C:\WINDOWS\msccrt.exe>  [N/A]
    <{754FB7D8-B8FE-4810-B363-A788CD060F1F}><C:\Program Files\Internet Explorer\PLUGINS\SystemKb.sys>  [N/A]
    <{D14FA1E2-123F-6358-1E32-D2455234FDE2}><C:\WINDOWS\System32\nospri.dll>  [N/A]


[CAJViewer Preload]
  <C:\Documents and Settings\All Users\「开始」菜单\程序\启动\CAJViewer Preload.lnk --> C:\PROGRA~1\TTKN\CAJVIE~1.0\CAJVIE~1.EXE [Tsinghua Tongfang Knowledge Network Technology(Beijing) Co., Ltd.]><N>
[yfhlgc]
  <C:\Documents and Settings\All Users\「开始」菜单\程序\启动\yfhlgc.lnk --> C:\PROGRA~1\MICROS~4\yfhlgcj.exe [N/A]><N>


The image hijacks also need to be repaired

2. Services:
[CoolWare / CoolWare][Running/Manual Start]
  <C:\WINDOWS\System32\svchost.exe -k netsvcs-->C:\WINDOWS\System32\qhly.dll><>
[Fast Client / fast][Running/Manual Start]
  <C:\WINDOWS\System32\0feb.exe><N/A>
[GrayPigeonServer / GrayPigeonServer][Running/Auto Start]
  <C:\WINDOWS\G_Server2006.exe><>
[Internet Connection Manager / Internet Connection Manager][Running/Manual Start]
  <"C:\WINDOWS\System32\internet.exe"><Microsoft Corporation>
[Win32 Debug Service / MSDebugsvc][Running/Manual Start]
  <C:\WINDOWS\System32\\rundll32.exe msdebug.dll,input><Microsoft Corporation>
[Windows pgkx RunThem / pgkx][Running/Manual Start]
  <C:\WINDOWS\System32\svchost.exe -k netsvcs-->C:\PROGRA~1\kbfs\ulpc.dll>< >


3. Suspicious DLLs loaded in large numbers into processes:
    [C:\WINDOWS\System32\NTDLL32.dll]  [Microsoft Corporation, 5.1.2600.2180]
    [C:\WINDOWS\System32\webpageparser.dll]  [N/A, ]
    [C:\WINDOWS\System32\Charset.dll]  [N/A, ]
    [C:\WINDOWS\System32\CreateDomTree.dll]  [N/A, ]
    [C:\WINDOWS\System32\winlib .dll]  [N/A, ]
    [C:\WINDOWS\System32\febd.dll]  [N/A, ]
    [C:\WINDOWS\System32\330f.dll]  [  , 1, 0, 0, 3]
    [c:\progra~1\kbfs\xosf.dll]  [, 1, 0, 0, 6]
    [c:\progra~1\kbfs\ctxk.dll]  [ , 1, 0, 0, 6]

4. Autorun.inf: everything here should be virus
[C:\]
[AutoRun]
Open=sxs.exe
Shell\Open=打开(&O)
Shell\Open\Command=sxs.exe
Shell\Open\Default=1
Shell\Explore=资源管理器(&X)
Shell\Explore\Command=sxs.exe
[D:\]
[AutoRun]
Open=sxs.exe
Shell\Open=打开(&O)
Shell\Open\Command=sxs.exe
Shell\Open\Default=1
Shell\Explore=资源管理器(&X)
Shell\Explore\Command=sxs.exe
[E:\]
[AutoRun]
Open=sxs.exe
Shell\Open=打开(&O)
Shell\Open\Command=sxs.exe
Shell\Open\Default=1
Shell\Explore=资源管理器(&X)
Shell\Explore\Command=sxs.exe
[F:\]
[AutoRun]
Open=sxs.exe
Shell\Open=打开(&O)
Shell\Open\Command=sxs.exe
Shell\Open\Default=1
Shell\Explore=资源管理器(&X)
Shell\Explore\Command=sxs.exe

5. The hosts file has been modified a lot and should also be repaired
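The Autorun.inf sections in the post above follow one pattern on every partition. The parser below is an added example, not part of this thread or of SREng: it reads a dump in the layout SREng prints (a drive header followed by the file's sections), keeps only the keys that launch a program, and reports which executable recurs across drives. The dump is constructed; drives C: and D: repeat this exercise's pattern and E: is a counter-case.

```python
import re

# Constructed Autorun.inf dump in the layout SREng prints (drive header, then the file's
# sections). Drives C: and D: repeat the pattern from this exercise; E: is a counter-case.
AUTORUN_DUMP = r"""
[C:\]
[AutoRun]
Open=sxs.exe
Shell\Open=打开(&O)
Shell\Open\Command=sxs.exe
Shell\Open\Default=1
Shell\Explore=资源管理器(&X)
Shell\Explore\Command=sxs.exe
[D:\]
[AutoRun]
Open=sxs.exe
Shell\Open\Command=sxs.exe
Shell\Explore\Command=sxs.exe
[E:\]
[AutoRun]
Open=setup.exe
Icon=setup.exe,0
"""

DRIVE_RE = re.compile(r'^\[([A-Z]:\\)\]$')
# Keys whose value is a program to launch; label and icon keys such as Shell\Open= are not
LAUNCH_RE = re.compile(r'^(Open|ShellExecute|Shell\\\w+\\Command)=(.+)$', re.I)

def parse_autorun_dump(dump):
    """Map each drive root to its (key, executable) launch pairs."""
    drives, current = {}, None
    for raw in dump.splitlines():
        line = raw.strip()
        m = DRIVE_RE.match(line)
        if m:
            current = m.group(1)
            drives[current] = []
            continue
        m = LAUNCH_RE.match(line)
        if m and current is not None:
            exe = m.group(2).strip().split()[0].strip('"').lower()
            drives[current].append((m.group(1), exe))
    return drives

def autorun_findings(dump):
    """Return (per-drive launch list, executables that recur on more than one drive).

    A bare file name means the payload sits in the drive root next to Autorun.inf;
    the same name on every partition is the replication pattern seen in this log."""
    drives = parse_autorun_dump(dump)
    by_exe = {}
    for drive, pairs in drives.items():
        for _, exe in pairs:
            by_exe.setdefault(exe, set()).add(drive)
    repeated = {exe: sorted(d) for exe, d in by_exe.items() if len(d) > 1}
    return drives, repeated
```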




 

 

Reply: July 8 Log Analysis Exercise 8

1.<u1rjs10ri1uew03><C:\DOCUME~1\cui\LOCALS~1\Temp\Servera.exe>  [N/A]
    <ym6t5yvzdk2rm><C:\DOCUME~1\cui\LOCALS~1\Temp\winlog0n.exe>  [N/A]
    <rg60qte9qw61w><C:\DOCUME~1\cui\LOCALS~1\Temp\crasos.exe>  [N/A]
    <dtb46vxxrkiub><C:\DOCUME~1\cui\LOCALS~1\Temp\iexp10re.exe>  [N/A]
    <qhm2><C:\DOCUME~1\cui\LOCALS~1\Temp\iexpl0re.exe>  [N/A]
Temporary files?
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
    <sun><C:\WINDOWS\SysSun1\svchost.exe>  [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    <AppInit_DLLs><C:\WINDOWS\System32\NTDLL32.dll>  [Microsoft Corporation] this one again
There are also hijacks
So many that I won't list them one by one
2. [yfhlgc]
  <C:\Documents and Settings\All Users\「开始」菜单\程序\启动\yfhlgc.lnk --> C:\PROGRA~1\MICROS~4\yfhlgcj.exe [N/A]><N> what is this?
3.[Internet Connection Manager / Internet Connection Manager][Running/Manual Start]
  <"C:\WINDOWS\System32\internet.exe"><Microsoft Corporation>
[Win32 Debug Service / MSDebugsvc][Running/Manual Start]
  <C:\WINDOWS\System32\\rundll32.exe msdebug.dll,input><Microsoft Corporation>
[Windows pgkx RunThem / pgkx][Running/Manual Start]
  <C:\WINDOWS\System32\svchost.exe -k netsvcs-->C:\PROGRA~1\kbfs\ulpc.dll>< >
[WebPrint / WebPrint][Running/Manual Start]
  <c:\windows\system32\webprint.exe><Microsoft Corporation>
[Windows DHCP Service / WinDHCPsvc][Running/Manual Start]
  <C:\WINDOWS\System32\\rundll32.exe windhcp.ocx,input><Microsoft Corporation>
What is wrong with these?
4. There are many unfamiliar drivers, but
[Secdrv / Secdrv][Stopped/Manual Start]
  <System32\DRIVERS\secdrv.sys><N/A> is this one correct?
[mspcidrv / mspcidrv][Running/Boot Start]
  <system32\DRIVERS\mspcidrv.sys><Windows (R) 2000 DDK provider> is this one wrong?
[nv / nv][Running/Boot Start]
  <System32\DRIVERS\nv4_mini.sys><NVIDIA Corporation> and what is this?
5. Why do none of the Thunder (迅雷) links in the browser add-ons have signatures?
6.[Cbho Object]
  {352E3B3A-CAB5-4DBC-B940-C7F84D0447D8} <C:\PROGRA~1\CNNIC\Cdn\cdndrag.dll, CNNIC>
[Info cache]
  {385AB8C6-FB22-4D17-8834-064E2BA0A6F0} <C:\Documents and Settings\All Users\Application Data\Microsoft\PCTools\pctools.dll, 金泰丰(广州)科技有限公司>
[Jpeg Class]
  {4970DA77-DB06-4EB9-AAB5-77AF0CC77310} <C:\WINDOWS\System32\30fe.dll, TODO: <公司名>>
[CdnForIE Class]
  {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} <C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll, CNNIC>
[Advance Helper]
  {8E25AC4A-B129-451B-BEE2-3B510BB751DA} <C:\WINDOWS\System32\NTDLL32.dll, Microsoft Corporation>
[IE Browser Helper]
  {D0903A3B-F0EA-434a-9742-98C5335C7946} <C:\WINDOWS\System32\IEHelper.dll, Mass Effect Network>
[WMHlprObj Class]
  {F5824EFB-728A-4726-A5A5-85A68B20EDC3} <C:\PROGRA~1\CNNIC\Cdn\wmhlpr.dll, CNNIC>
[CdnForIE Class]
  {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} <C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll, CNNIC> why are these a problem?
7. Many of the running processes have a version number but no signature, and the autorun on drives C, D, E and F is infected
8. Many web addresses in the hosts file are resolved to incorrect IPs
9. 特殊特权被允许: SeLoadDriverPrivilege [PID = 536, C:\WINDOWS\SYSTEM32\CTFMON.EXE] This CTFMON is the input method program; can it be listed here?
 

Reply: July 8 Log Analysis Exercise 8

Startup items
Registry
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    <u1rjs10ri1uew03><C:\DOCUME~1\cui\LOCALS~1\Temp\Servera.exe>  [N/A]
    <ym6t5yvzdk2rm><C:\DOCUME~1\cui\LOCALS~1\Temp\winlog0n.exe>  [N/A]
    <rg60qte9qw61w><C:\DOCUME~1\cui\LOCALS~1\Temp\crasos.exe>  [N/A]
    <dtb46vxxrkiub><C:\DOCUME~1\cui\LOCALS~1\Temp\iexp10re.exe>  [N/A]
    <qhm2><C:\DOCUME~1\cui\LOCALS~1\Temp\iexpl0re.exe>  [N/A]  the above are problematic
Missing company signature / version info
==================================
Services
[Internet Connection Manager / Internet Connection Manager][Running/Manual Start]
  <"C:\WINDOWS\System32\internet.exe"><Microsoft Corporation>
[Win32 Debug Service / MSDebugsvc][Running/Manual Start]
  <C:\WINDOWS\System32\\rundll32.exe msdebug.dll,input><Microsoft Corporation>
[WebPrint / WebPrint][Running/Manual Start]
  <c:\windows\system32\webprint.exe><Microsoft Corporation>
[Windows DHCP Service / WinDHCPsvc][Running/Manual Start]
  <C:\WINDOWS\System32\\rundll32.exe windhcp.ocx,input><Microsoft Corporation> I don't know what is wrong with this!!! Are the company signatures all forged?
==================================
Drivers
[mspcidrv / mspcidrv][Running/Boot Start]
  <system32\DRIVERS\mspcidrv.sys><Windows (R) 2000 DDK provider>
Don't know why
==================================
Browser add-ons
[Info cache]
  {385AB8C6-FB22-4D17-8834-064E2BA0A6F0} <C:\Documents and Settings\All Users\Application Data\Microsoft\PCTools\pctools.dll, 金泰丰(广州)科技有限公司>
[Jpeg Class]
  {4970DA77-DB06-4EB9-AAB5-77AF0CC77310} <C:\WINDOWS\System32\30fe.dll, TODO: <公司名>>

[Advance Helper]
  {8E25AC4A-B129-451B-BEE2-3B510BB751DA} <C:\WINDOWS\System32\NTDLL32.dll, Microsoft Corporation>
[IE Browser Helper]
  {D0903A3B-F0EA-434a-9742-98C5335C7946} <C:\WINDOWS\System32\IEHelper.dll, Mass Effect Network>
Don't know why
Processes:
[PID: 1248][C:\WINDOWS\System32\svchost.exe]  [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
    [C:\WINDOWS\System32\NTDLL32.dll]  [Microsoft Corporation, 5.1.2600.2180]
The version info here is suspicious
 

Reply: July 8 Log Analysis Exercise 8

Registry
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]       
    <u1rjs10ri1uew03><C:\DOCUME~1\cui\LOCALS~1\Temp\Servera.exe>  [N/A]
    <ym6t5yvzdk2rm><C:\DOCUME~1\cui\LOCALS~1\Temp\winlog0n.exe>  [N/A]
    <rg60qte9qw61w><C:\DOCUME~1\cui\LOCALS~1\Temp\crasos.exe>  [N/A]
    <dtb46vxxrkiub><C:\DOCUME~1\cui\LOCALS~1\Temp\iexp10re.exe>  [N/A]
    <qhm2><C:\DOCUME~1\cui\LOCALS~1\Temp\iexpl0re.exe>  [N/A]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
    <sun><C:\WINDOWS\SysSun1\svchost.exe>  [N/A]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    <upxdnd><C:\DOCUME~1\cui\LOCALS~1\Temp\upxdnd.exe>  [N/A]
    <winform><C:\WINDOWS\winform.exe>  [N/A]
    <IEBarUp><RunDll32 "C:\WINDOWS\System32\msUPT.dll",Run>  []
    <mppds><C:\WINDOWS\mppds.exe>  [N/A]
    <Desktop><"C:\WINDOWS\System32\internet.exe">  [Microsoft Corporation]
    <Internet><"C:\WINDOWS\system32\internet.exe">  [Microsoft Corporation]
    <CdnCtr><C:\Program Files\CNNIC\Cdn\cdnup.exe>  [CNNIC]
    <tcjfcji><C:\Program Files\Intel\tcjfcji.exe>  [N/A]
    <pxdnd><C:\DOCUME~1\cui\LOCALS~1\Temp\pxdnd.exe>  [N/A]
    <nwiztlbb><C:\WINDOWS\System32\nwiztlbb.exe>  [N/A]
    <nwizqqfo><C:\WINDOWS\System32\nwizqqfo.exe>  [N/A]
    <cmdbcs><C:\WINDOWS\cmdbcs.exe>  [N/A]
    <msccrt><C:\WINDOWS\msccrt.exe>  [N/A]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    <AppInit_DLLs><C:\WINDOWS\System32\NTDLL32.dll>  [Microsoft Corporation]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe]
    <IFEO[avp.exe]><svchost.exe> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe]
    <IFEO[CCenter.exe]><svchost.exe> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccEvtMgr.exe]
    <IFEO[ccEvtMgr.exe]><svchost.exe> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccSetApp.exe]
    <IFEO[ccSetApp.exe]><svchost.exe> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccSetMgr.exe]
    <IFEO[ccSetMgr.exe]><svchost.exe> [(Verified)Microsoft Windows XP Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DefWatch.exe]
    <IFEO[DefWatch.exe]><svchost.exe> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVStart.exe]
    <IFEO[KAVStart.exe]><svchost.exe> [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KMaiMon.exe]
    <IFEO[KMaiMon.exe]><svchost.exe> [(Verified)Tencent Technology(Shenzhen) Company Limited]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPfwSvc.exe]
    <IFEO[KPfwSvc.exe]><svchost.exe> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvsrvxp.exe]
    <IFEO[kvsrvxp.exe]><svchost.exe> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVWSC.exe]
    <IFEO[KVWSC.exe]><svchost.exe> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatch.exe]
    <IFEO[KWatch.exe]><svchost.exe> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\McAgent.exe]
    <IFEO[McAgent.exe]><svchost.exe> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mctskshd.exe]
    <IFEO[mctskshd.exe]><svchost.exe> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcupdmgr.exe]
    <IFEO[mcupdmgr.exe]><svchost.exe> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32krn.exe]
    <IFEO[nod32krn.exe]><svchost.exe> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32kui.exe]
    <IFEO[nod32kui.exe]><svchost.exe> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFW.exe]
    <IFEO[PFW.exe]><svchost.exe> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ras.exe]
    <IFEO[ras.exe]><svchost.exe> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rav.exe]
    <IFEO[Rav.exe]><svchost.exe> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMON.exe]
    <IFEO[RavMON.exe]><svchost.exe> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ravmond.exe]
    <IFEO[Ravmond.exe]><svchost.exe> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavStub.exe]
    <IFEO[RavStub.exe]><svchost.exe> [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavTask.exe]
    <IFEO[RavTask.exe]><svchost.exe> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RfwMain.exe]
    <IFEO[RfwMain.exe]><svchost.exe> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwsrv.exe]
    <IFEO[rfwsrv.exe]><svchost.exe> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rtvscan.exe]
    <IFEO[rtvscan.exe]><svchost.exe> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\runiep.exe]
    <IFEO[runiep.exe]><svchost.exe> [(Verified)Microsoft Windows Publisher]

Startup folder
[yfhlgc]
  <C:\Documents and Settings\All Users\「开始」菜单\程序\启动\yfhlgc.lnk --> C:\PROGRA~1\MICROS~4\yfhlgcj.exe [N/A]><N>
==================================


==================================
Drivers
[cjebihhf / cjebihhf][Running/System Start]
  <\??\C:\WINDOWS\system32\drivers\cjebihhf.sys><N/A>
[dibaabae / dibaabae][Running/Manual Start]
  <\??\C:\WINDOWS\system32\drivers\dibaabae.sys><N/A>

[jcaehcga / jcaehcga][Running/Manual Start]
  <\??\C:\WINDOWS\system32\drivers\jcaehcga.sys><N/A>
[kmsinput / kmsinput][Running/Manual Start]
  <\??\C:\WINDOWS\System32\drivers\kmsinput.sys><N/A>

==================================
Running processes
[PID: 556][\SystemRoot\System32\smss.exe]  [Microsoft Corporation, 5.1.2600.1106 (xpsp1.020828-1920)]
[PID: 628][\??\C:\WINDOWS\system32\csrss.exe]  [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
    [C:\WINDOWS\System32\febd.dll]  [N/A, ]
    [C:\WINDOWS\System32\330f.dll]  [  , 1, 0, 0, 3]
[PID: 652][\??\C:\WINDOWS\system32\winlogon.exe]  [Microsoft Corporation, 5.1.2600.1106 (xpsp1.020828-1920)]   
    [C:\WINDOWS\System32\webpageparser.dll]  [N/A, ]
    [C:\WINDOWS\System32\Charset.dll]  [N/A, ]
    [C:\WINDOWS\System32\CreateDomTree.dll]  [N/A, ]
    [C:\WINDOWS\System32\winlib .dll]  [N/A, ]
    [C:\WINDOWS\System32\febd.dll]  [N/A, ]
    [C:\WINDOWS\System32\330f.dll]  [  , 1, 0, 0, 3]
    [c:\progra~1\kbfs\xosf.dll]  [, 1, 0, 0, 6]
    [c:\progra~1\kbfs\ctxk.dll]  [ , 1, 0, 0, 6]

The more I look, the more it seems everything running is a virus; I have only pulled out the earlier ones as a token, the rest look like it too... so many...

==================================
Autorun.inf
[C:\]
[AutoRun]
Open=sxs.exe
Shell\Open=打开(&O)
Shell\Open\Command=sxs.exe
Shell\Open\Default=1
Shell\Explore=资源管理器(&X)
Shell\Explore\Command=sxs.exe
[D:\]
[AutoRun]
Open=sxs.exe
Shell\Open=打开(&O)
Shell\Open\Command=sxs.exe
Shell\Open\Default=1
Shell\Explore=资源管理器(&X)
Shell\Explore\Command=sxs.exe
[E:\]
[AutoRun]
Open=sxs.exe
Shell\Open=打开(&O)
Shell\Open\Command=sxs.exe
Shell\Open\Default=1
Shell\Explore=资源管理器(&X)
Shell\Explore\Command=sxs.exe
[F:\]
[AutoRun]
Open=sxs.exe
Shell\Open=打开(&O)
Shell\Open\Command=sxs.exe
Shell\Open\Default=1
Shell\Explore=资源管理器(&X)
Shell\Explore\Command=sxs.exe

One more question: are the entries in the hosts file viruses, or did someone deliberately block those addresses?
Last edited by 乐陶猪 on 2009-08-04 22:18:27