Addendum to reply #2:
1.
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
<ctfmon.exe><C:\windows\system32\ctfmon.exe> [(Infected) Microsoft Corporation
The system input-method process has been infected by the virus.
2.
Services
[Application Management / AppMgmt][Stopped/Manual Start]
<C:\windows\system32\svchost.exe -k netsvcs-->%SystemRoot%\System32\appmgmts.dll><N/A>
[DCOM Server Process Launcher / DcomLaunch][Running/Auto Start]
<C:\windows\system32\svchost -k DcomLaunch-->%SystemRoot%\system32\rpcss.dll><N/A>
[Remote Procedure Call (RPC) / RpcSs][Running/Auto Start]
<C:\windows\system32\svchost -k rpcss-->%SystemRoot%\system32\rpcss.dll><N/A>
[Task Scheduler / Schedule][Stopped/Disabled]
<C:\windows\System32\svchost.exe -k netsvcs-->%SystemRoot%\system32\schedsvc.dll><N/A>
[System Restore Service / srservice][Running/Auto Start]
<C:\windows\system32\svchost.exe -k netsvcs-->C:\WINDOWS\system32\srsvc.dll><N/A>
[Windows Image Acquisition (WIA) / stisvc][Stopped/Disabled]
<C:\windows\system32\svchost.exe -k imgsvc-->%SystemRoot%\system32\wiaservc.dll><N/A>
[Windows Time / W32Time][Running/Auto Start]
<C:\windows\System32\svchost.exe -k netsvcs-->C:\WINDOWS\system32\w32time.dll><N/A>
The image files (DLLs) and service registry entries corresponding to the system services above may all have been replaced by the virus.
3.
Drivers
[NsDlRK250 / NsDlRK250][Running/Manual Start]
<\??\C:\windows\system32\Nskhelper2.sys><N/A>
[NsPsDk00 / NsPsDk00][Running/Manual Start]
<\??\C:\windows\system32\NsPass0.sys><N/A>
[NsPsDk01 / NsPsDk01][Running/Manual Start]
<\??\C:\windows\system32\NsPass1.sys><N/A>
[NsPsDk02 / NsPsDk02][Running/Manual Start]
<\??\C:\windows\system32\NsPass2.sys><N/A>
[NsPsDk04 / NsPsDk04][Running/Manual Start]
<\??\C:\windows\system32\NsPass4.sys><N/A>
[Safe Mon 360 / SafeMon0][Running/System Start]
<\??\C:\windows\system32\724A1196.dat><N/A>
[msiffei / msiffei][Stopped/Manual Start]
<System32\Drivers\msiffei.sys><N/A>
[npkwy / npkwy][Running/Boot Start]
<\SystemRoot\system32\drivers\aumlu.sys><N/A>
[acpidisk / acpidisk][Running/Auto Start]
<\??\C:\windows\system32\drivers\acpidisk.sys><N/A>
[io / io][Running/]
<2 - 系统找不到指定的文件。
><N/A>
Multiple drivers added by an infecting downloader virus, plus the NB virus driver that restores the SSDT to disable antivirus monitoring, as well as some other virus drivers.
4.
Browser add-ons
[Info cache]
{296AB8C6-FB22-4D17-8834-064E2BA0A6F0} <C:\windows\Intel\baiduc.dll, Syons.Fae>
[]
{478932A2-862F-4A34-A264-54A6EB998FDE} <C:\Program Files\Internet Explorer\PowerNt.Onz, N/A>
[]
{5A041F13-A111-12A4-B0CF-F99818AA68A5} <C:\windows\system32\ar12A401dll.dll, N/A>
[]
{D94B22C9-7CA6-4FC7-BE64-52B968F1B84F} <C:\Program Files\Internet Explorer\JoooNt8.Jzx, N/A>
BHOs added by the virus...
5.
Running processes
[PID: 556 / SYSTEM][\??\C:\windows\system32\winlogon.exe] [(Verified) Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\windows\system32\winlib .dll] [N/A, ]
[PID: 784 / SYSTEM][C:\windows\system32\svchost.exe] [(Verified) Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[c:\windows\system32\rpcss.dll] [N/A, ]
[C:\windows\system32\anymie360.dll] [N/A, ]
[C:\Program Files\Internet Explorer\PowerNt.Onz] [N/A, ]
[C:\Program Files\Internet Explorer\JoooNt8.Jzx] [N/A, ]
[C:\DOCUME~1\www\LOCALS~1\Temp\WowInitcode.dat] [N/A, ]
[PID: 860 / NETWORK SERVICE][C:\windows\system32\svchost.exe] [(Verified) Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[c:\windows\system32\rpcss.dll] [N/A, ]
[PID: 904 / SYSTEM][C:\windows\System32\svchost.exe] [(Verified) Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[c:\windows\system32\w32time.dll] [N/A, ]
[c:\windows\system32\srsvc.dll] [N/A, ]
[PID: 1744 / www][C:\windows\system32\Ati2evxx.exe] [, ]
[C:\Program Files\Internet Explorer\JoooNt8.Jzx] [N/A, ]
[C:\Program Files\Internet Explorer\PowerNt.Onz] [N/A, ]
[PID: 436 / www][C:\windows\system32\Shadow\ShadowTip.exe] [PowerShadow, 1, 0, 0, 1]
[C:\Program Files\Internet Explorer\JoooNt8.Jzx] [N/A, ]
[C:\Program Files\Internet Explorer\PowerNt.Onz] [N/A, ]
[C:\DOCUME~1\www\LOCALS~1\Temp\WowInitcode.dat] [N/A, ]
[PID: 444 / www][C:\windows\system32\conime.exe] [(Verified) Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\Program Files\Internet Explorer\JoooNt8.Jzx] [N/A, ]
[C:\Program Files\Internet Explorer\PowerNt.Onz] [N/A, ]
[PID: 476 / www][C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe] [ATI Technologies, Inc., 6.14.10.5113]
[C:\Program Files\Internet Explorer\JoooNt8.Jzx] [N/A, ]
[C:\Program Files\Internet Explorer\PowerNt.Onz] [N/A, ]
[C:\DOCUME~1\www\LOCALS~1\Temp\WowInitcode.dat] [N/A, ]
[PID: 508 / www][C:\Program Files\D-Tools\daemon.exe] [DAEMON'S HOME, 3.47.0.0]
[C:\Program Files\Internet Explorer\JoooNt8.Jzx] [N/A, ]
[C:\Program Files\Internet Explorer\PowerNt.Onz] [N/A, ]
[PID: 512 / www][C:\windows\system32\ctfmon.exe] [(Infected) Microsoft Corporation, 5.1.2600.5512 (xpsp.080413-2105)]
[PID: 2460 / www][C:\Program Files\Internet Explorer\iexplore.exe] [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\windows\system32\cbhclajf.dll] [N/A, ]
[C:\windows\system32\jophlmna.dll] [N/A, ]
[C:\windows\system32\bnifahhi.dll] [N/A, ]
[C:\windows\system32\hlmmbahh.dll] [N/A, ]
[C:\windows\Intel\baiduc.dll] [Syons.Fae, 2. 3, 0, 2]
[C:\Program Files\Internet Explorer\JoooNt8.Jzx] [N/A, ]
[C:\Program Files\Internet Explorer\PowerNt.Onz] [N/A, ]
[C:\windows\system32\cekclidm.dll] [N/A, ]
[C:\windows\system32\feldablj.dll] [N/A, ]
[C:\windows\system32\elibcepb.dll] [N/A, ]
[C:\windows\system32\lohogaae.dll] [N/A, ]
[C:\windows\system32\hobecimm.dll] [N/A, ]
[C:\windows\system32\fhofeodb.dll] [N/A, ]
[C:\windows\system32\dncaeejo.dll] [N/A, ]
[C:\windows\system32\mljocdof.dll] [N/A, ]
[C:\windows\system32\dgpacomp.dll] [N/A, ]
[C:\windows\system32\hmeijjgg.dll] [N/A, ]
[C:\windows\system32\imbnnghi.dll] [N/A, ]
[C:\windows\system32\amlkfjcb.dll] [N/A, ]
[C:\windows\system32\pnkiocgg.dll] [N/A, ]
[C:\DOCUME~1\www\LOCALS~1\Temp\WowInitcode.dat] [N/A, ]
[PID: 672 / www][C:\windows\explorer.exe] [(Verified) Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\Program Files\Internet Explorer\PowerNt.Onz] [N/A, ]
[C:\windows\system32\ar12A401dll.dll] [N/A, ]
[C:\Program Files\Internet Explorer\JoooNt8.Jzx] [N/A, ]
[C:\windows\system32\jophlmna.dll] [N/A, ]
[C:\windows\system32\hlmmbahh.dll] [N/A, ]
[C:\windows\system32\pnkiocgg.dll] [N/A, ]
[C:\windows\system32\amlkfjcb.dll] [N/A, ]
[C:\windows\system32\imbnnghi.dll] [N/A, ]
[C:\windows\system32\hmeijjgg.dll] [N/A, ]
[C:\windows\system32\nnjahgko.dll] [N/A, ]
[C:\windows\system32\dgpacomp.dll] [N/A, ]
[C:\windows\system32\mljocdof.dll] [N/A, ]
[C:\windows\system32\dncaeejo.dll] [N/A, ]
[C:\windows\system32\fhofeodb.dll] [N/A, ]
[C:\windows\system32\hobecimm.dll] [N/A, ]
[C:\windows\system32\lohogaae.dll] [N/A, ]
[C:\windows\system32\elibcepb.dll] [N/A, ]
[C:\windows\system32\feldablj.dll] [N/A, ]
[C:\windows\system32\cekclidm.dll] [N/A, ]
[PID: 1880 / www][D:\Process Explorer\procexp.exe] [汉化: 余飞雨, 10.2 汉化: 余飞雨]
[D:\Process Explorer\USP10.dll] [Microsoft Corporation, 1.0420.2600.5512 (xpsp.080413-2105)]
[C:\windows\system32\fhofeodb.dll] [N/A, ]
[PID: 2572 / www][C:\Program Files\Tencent\QQ\TXPlatform.exe] [Tencent, 1, 0, 170, 0]
[C:\Program Files\Tencent\QQ\PSAPI.DLL] [N/A, ]
[C:\windows\system32\fhofeodb.dll] [N/A, ]
[C:\Program Files\Internet Explorer\JoooNt8.Jzx] [N/A, ]
[C:\Program Files\Internet Explorer\PowerNt.Onz] [N/A, ]
[PID: 3204 / www][C:\Program Files\Internet Explorer\IEXPLORE.EXE] [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\windows\system32\hlmmbahh.dll] [N/A, ]
[C:\Program Files\Internet Explorer\JoooNt8.Jzx] [N/A, ]
[C:\Program Files\Internet Explorer\PowerNt.Onz] [N/A, ]
[C:\windows\Intel\baiduc.dll] [Syons.Fae, 2. 3, 0, 2]
[C:\windows\system32\cekclidm.dll] [N/A, ]
[C:\windows\system32\feldablj.dll] [N/A, ]
[C:\windows\system32\elibcepb.dll] [N/A, ]
[C:\windows\system32\lohogaae.dll] [N/A, ]
[C:\windows\system32\hobecimm.dll] [N/A, ]
[C:\windows\system32\fhofeodb.dll] [N/A, ]
[C:\windows\system32\dncaeejo.dll] [N/A, ]
[C:\windows\system32\mljocdof.dll] [N/A, ]
[C:\windows\system32\dgpacomp.dll] [N/A, ]
[C:\windows\system32\hmeijjgg.dll] [N/A, ]
[C:\windows\system32\imbnnghi.dll] [N/A, ]
[C:\windows\system32\amlkfjcb.dll] [N/A, ]
[C:\windows\system32\pnkiocgg.dll] [N/A, ]
[C:\windows\system32\jophlmna.dll] [N/A, ]
[C:\DOCUME~1\www\LOCALS~1\Temp\WowInitcode.dat] [N/A, ]
[PID: 720 / www][F:\sreng2\SREngLdr.EXE] [Smallfrogs Studio, 2.7.0.1210]
[F:\sreng2\USP10.dll] [Microsoft Corporation, 1.0420.2600.5512 (xpsp.080413-2105)]
[PID: 2476 / www][C:\DOCUME~1\www\LOCALS~1\Temp\742192] [, 1, 0, 0, 1]
[C:\windows\system32\hmeijjgg.dll] [N/A, ]
[C:\Program Files\Internet Explorer\JoooNt8.Jzx] [N/A, ]
[C:\Program Files\Internet Explorer\PowerNt.Onz] [N/A, ]
[C:\DOCUME~1\www\LOCALS~1\Temp\WowInitcode.dat] [N/A, ]
[PID: 3836 / www][F:\sreng2\SRE903a8a6a.EXE] [Smallfrogs Studio, 2.7.0.1210]
[F:\sreng2\USP10.dll] [Microsoft Corporation, 1.0420.2600.5512 (xpsp.080413-2105)]
[C:\windows\system32\hmeijjgg.dll] [N/A, ]
[C:\Program Files\Internet Explorer\JoooNt8.Jzx] [N/A, ]
[C:\Program Files\Internet Explorer\PowerNt.Onz] [N/A, ]
[C:\windows\system32\cekclidm.dll] [N/A, ]
[C:\windows\system32\feldablj.dll] [N/A, ]
[C:\windows\system32\elibcepb.dll] [N/A, ]
[C:\windows\system32\lohogaae.dll] [N/A, ]
[C:\windows\system32\hobecimm.dll] [N/A, ]
[C:\windows\system32\fhofeodb.dll] [N/A, ]
[C:\windows\system32\dncaeejo.dll] [N/A, ]
[C:\windows\system32\mljocdof.dll] [N/A, ]
[C:\windows\system32\dgpacomp.dll] [N/A, ]
[C:\windows\system32\imbnnghi.dll] [N/A, ]
[C:\windows\system32\amlkfjcb.dll] [N/A, ]
[C:\windows\system32\pnkiocgg.dll] [N/A, ]
[C:\windows\system32\hlmmbahh.dll] [N/A, ]
[C:\windows\system32\jophlmna.dll] [N/A, ]
[C:\DOCUME~1\www\LOCALS~1\Temp\WowInitcode.dat] [N/A, ]
A whole group of viruses (marked in red)...
6.
Process privilege scan
特殊特权被允许: SeDebugPrivilege [PID = 2476, C:\DOCUME~1\WWW\LOCALS~1\TEMP\742192]
特殊特权被允许: SeLoadDriverPrivilege [PID = 2476, C:\DOCUME~1\WWW\LOCALS~1\TEMP\742192]
The two virus processes above...