Rising Kaka Security Forum, Anti-virus / Anti-rogue-software board: Please help me analyze the log from my Rising Stethoscope (瑞星听诊器) scan

I'm infected with backdoor.gpigeon.skw. The scan produced the following; could everyone please help me analyze it?
自启动项
HKEY_LOCAL_MACHINE Software\Microsoft\Windows\Currentversion\Run
IMJPMIG8.1 = "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
PHIME2002ASync = C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
PHIME2002A = C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
SchedulingAgent = mstinit.exe /firstlogon
UserFaultCheck = %systemroot%\system32\dumprep 0 -u
internat.exe = internat.exe
helper.dll = C:\WINDOWS\system32\rundll32.exe C:\PROGRA~1\3721\helper.dll,Rundll32
RavTimer = C:\PROGRA~1\RISING\RAV\RAVTIMER.EXE
RavMon = C:\PROGRA~1\RISING\RAV\RAVMON.EXE -SYSTEM

HKEY_CURRENT_USER Software\Microsoft\Windows\Currentversion\Run
ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe

HKEY_LOCAL_MACHINE Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
shell32.dll = C:\WINDOWS\system32\ctfmon.exe

HKEY_LOCAL_MACHINE Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
PostBootReminder = %SystemRoot%\system32\SHELL32.dll
WebCheck = %SystemRoot%\system32\webcheck.dll
SysTray = C:\WINDOWS\system32\stobject.dll
CDBurn = %SystemRoot%\system32\SHELL32.dll

HKEY_LOCAL_MACHINE Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
%SystemRoot%\system32\browseui.dll= Browseui 预加载程序
%SystemRoot%\system32\browseui.dll= 组件类别缓存程序


SYSTEM.INI BOOT SHELL Explorer.exe


其他相关项
HKEY_LOCAL_MACHINE Software\Microsoft\Windows NT\CurrentVersion\Winlogon DefaultUserName ----> administrator
HKEY_LOCAL_MACHINE Software\Microsoft\Windows NT\CurrentVersion\Winlogon AltDefaultUserName ----> administrator
HKEY_LOCAL_MACHINE Software\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit ----> C:\WINDOWS\system32\userinit.exe,


AUTOEXEC.BAT
MZP

Hosts
127.0.0.1 localhost



进程列表

[System Process]
System

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\program files\rising\rfw\rfwsrv.exe
C:\WINDOWS\Explorer.EXE
c:\program files\rising\rfw\RfwMain.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\msdtc.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\RISING\RAV\RAVTIMER.EXE
C:\PROGRA~1\RISING\RAV\RAVMON.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRAM FILES\RISING\RAV\CCENTER.EXE
C:\PROGRAM FILES\RISING\RAV\Ravmond.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRAM FILES\RISING\RAV\RavStub.exe
C:\WINDOWS\system32\Dfssvc.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
F:\rx\加速\DuDuAcc.exe
F:\rx\加速\dudupros.exe
C:\Program Files\Internet Explorer\iexplore.exe
F:\xz\RavDetect.exe

进程详细信息


C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\xunleibho_v8.dll

8A|F9~
tkVWSS
addallurl
sendurl
--------------------------------------------------
--------------------------
---------------------------
Cookie
---------------------------
------------------------------
CCatchRightClick Create
thunder://
Software\Sandai Technologies Inc.\Thunder\Paramete
Software\Thunder Network\ThunderOem\thunder_backwn
Software\Sandai Technologies Inc.\ThunderOem
ThunderOemArray
Software\Thunder Network\ThunderOem
IsMiniVer
[yufeng]-------------------
----------------
-----------------
----------------
IsInvalid
UseDlaccel
Software\Sandai Technologies Inc.\ThunderOem\
Software\Thunder Network\ThunderOem\
Software\3721
yahoo_mini
mmst://
mms://
https://
http://
ftp://
Config_Monitor
IESuffixs
thunder.ini
Monitor
ExtendNames
.asf;.avi;.exe;.iso;.mp3;.mpeg;.mpga;.ra;.rar;.rm;
UserConfig.ini
MonitoringIE
MonitorIE
thunder_backwnd
thunder_backwnd
thunder_backwnd
TfrmCmdCenter
#32770
thunder_backwnd
CallThunder
#*05#*
#*04#*
#*03#*
#*02#*
#*01#*
bho exit
ThunderCatchRight Class
ThunderIEHelper Class
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Xunleibho.CatchRightClick.1
CLSID\%s
Xunleibho.CatchRightClick.1\CLSID
\ProgID
CLSID\
Apartment
ThreadingModel
CLSID\%s\InprocServer32
.?AV_com_error@@
.?AVtype_info@@


F:\rx\加速\dddiemon.dll

Wj2Qf=
u78^pt)
QPh 4s
VPQRRR
VWh 4s
VPh 4s
QSSj#S
Yt6F;5
jdPSh\
jeh 4s
jfh 4s
PSVSSSW
PPPPPPPQPPP
SPSSSSSS
t%8^lt 9^x
90u29p
90u29p
tlIItMIt=
PSSSSSS
uRFGHt
_9=,5s
t.;t$$t(
VC20XC00U
SS@SSPVSS
t#SSUP
t$$VSS
_^][YY
"WWSh(
PPPPPPPP
PPPPPPPP
/play.aspx?
mail.mop.com
freemail.eyou.com
mail.yahoo.com
func=mail&
mail.tom.com
mail.google.com
sinamail.sina.com
mail.sohu.com
mail.163.com
/cgi-bin/getmsg/
\dluban.dat
ATL:0272F148
ATL:%8.8X
BUTTON
WTL_BitmapButton
autoupdatetime
SOFTWARE\Dudu\DddClient
vaporcd
\All Users\Application Data
SHGetFolderPathA
shell32.dll
r[0-9][0-9]
a[0-9][0-9]
a[0-9]
DEFAULT
Software\Dudu\DddClient
strFileType
bScoutType
bScout
SCOUTFILE
\DuDu\DDD\conf2.dat
SCOUTFLASH
lastdownloadtime
lasturl
TYPELIB
Delete
NoRemove
ForceRemove
explorer.exe
HKEY_CURRENT_CONFIG
HKEY_DYN_DATA
HKEY_PERFORMANCE_DATA
HKEY_USERS
HKEY_LOCAL_MACHINE
HKEY_CURRENT_USER
HKEY_CLASSES_ROOT
UnRegisterTypeLib
oleaut32.dll
FVersion
SOFTWARE\Microsoft\Internet Explorer
DUDU_DDDPROXY2
nIEFrame
:77963b7a931377ad4ab5ad6a9cd718aa@
http://
ftp://
tooltips_class32
DuDuAcc.exe"
"%s" /m2 "/c%s" "/e%s" "/i%s"
"%s" /m3 "/c%s" "/e%s" "/i%s"
Floating point (%%e, %%f, %%g, and %%G) is not sup
user32.dll
shlwapi.dll
C:\Program Files\Internet Explorer\iexplore.exe
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
((((((((((((((((((((((((((
REGISTRY
Module
HTML Document
((((( H


C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\spool\PRTPROCS\W32X86\vprproc.dll (made by Windows (R) 2000 DDK provider)

Alloc failed in OpenPrintProcessor, while printing
t ;t$$t
VC20XC00U
wcscpy
wcslen
_vsnprintf
ntdll.dll
RtlUnwind
GlobalFree
SetLastError
CreateEventW
CloseHandle
UnmapViewOfFile
MapViewOfFile
OpenFileMappingW
ResetEvent
SetEvent
OutputDebugStringA
GlobalAlloc
KERNEL32.dll
ClosePrinter
SPOOLSS.DLL
DeleteDC
CancelDC
GDI32.dll
genprint.dll
ClosePrintProcessor
ControlPrintProcessor
EnumPrintProcessorDatatypesW
GetPrintProcessorCapabilities
OpenPrintProcessor
PrintDocumentOnPrintProcessor
NT EMF 1.008
Tecent Virtual Printer Finish!
Winprint_TextNoTranslation
Winprint_TextNoCRTranslation
UUUUUU
UUUUUU
?UUUUUU
?UUUUUU
?UUUUUU
?UUUUUU
?UUUUUU
?UUUUUU
?UUUUUU
?UUUUUU
?UUUUUU
UUUUUU
?UUUUUU
?UUUUUU
?UUUUUU
UUUUUU
UUUUUU
?UUUUUU
?UUUUUU
?UUUUUU
UUUUUU
?UUUUUU
?UUUUUU
?UUUUUU
UUUUUU
UUUUUU
?UUUUUU
?UUUUUU
?UUUUUU
?UUUUUU
?UUUUUU
?UUUUUU
UUUUUU
UUUUUU
UUUUUU
?UUUUUU
?UUUUUU
UUUUUU
?UUUUUU
?UUUUUU
?UUUUUU
UUUUUU
?UUUUUU
?UUUUUU
?UUUUUU
?UUUUUU
?UUUUUU
?UUUUUU
?UUUUUU
?UUUUUU
UUUUUU
?UUUUUU
?UUUUUU
?UUUUUU
?UUUUUU
?UUUUUU


C:\WINDOWS\Explorer.EXE

e:\Program Files\WinRAR\rarext.dll
Last edited 2005-09-20 23:45:18

Scan with HijackThis 1.99.1 and post the log here.