Rising Kaka Security Forum, Technical Exchange, Anti-virus / Anti-rogue-software board: Could everyone please help check whether the processes on my machine are infected? Thanks

These are the processes on my machine; could everyone please take a look for me? I don't know how to analyse processes and logs, so I'd be very grateful if someone could teach me. Thanks!

Attachment (uploaded 2007-4-17 7:57:46)



Last edited 2007-04-17 12:07:54

Please teach me how to analyse this!

Attachment (uploaded 2007-4-17 7:59:36)




My machine keeps getting infected, which is really frustrating. There are so many hackers! Could someone please teach me?

Attachment (uploaded 2007-4-17 8:00:59)




Please teach me how to analyse this!

Attachment (uploaded 2007-4-17 8:01:38)




Thanks to everyone here!

Attachment (uploaded 2007-4-17 8:02:22)




Looking at these is no use; post an sreng2 log.

启动项目
注册表
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    <ctfmon.exe><; C:\WINDOWS\system32\ctfmon.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    <load><>  [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    <RavTask><"C:\Program Files\Rising\Rav\RavTask.exe" -system>  [Beijing Rising Technology Co., Ltd.]
    <MSConfig><C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto>  [(Verified)Microsoft Windows XP Publisher]
    <CdnCtr><C:\Program Files\CNNIC\Cdn\cdnup.exe>  [CNNIC]
    <runeip><C:\Program Files\Rising\AntiSpyware\runiep.exe>  [Beijing Rising Technology Co., Ltd.]
    <ATIModeChange><; Ati2mdxx.exe>  [ATI Technologies, Inc.]
    <ATIPTA><; C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe>  [ATI Technologies, Inc.]
    <BigDog303><; C:\WINDOWS\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)>  [N/A]
    <Cmaudio><; RunDll32 cmicnfg.cpl,CMICtrlWnd>  [N/A]
    <cmdbcs><; C:\WINDOWS\cmdbcs.exe>  []
    <DataLayer><; C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE>  [Nokia Mobile Phones Ltd.]
    <HomeShare><; C:\Program Files\HomeShare\HomeShare.exe>  []
    <IMJPMIG8.1><; "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32>  [(Verified)Microsoft Windows Publisher]
    <mppds><; C:\WINDOWS\mppds.exe>  []
    <NVRaidService><; C:\WINDOWS\system32\nvraidservice.exe>  [NVIDIA Corporation]
    <PCSuiteTrayApplication><; C:\Program Files\Nokia\Nokia PC Suite 6\Launch Application 2.exe -onlytray>  [Nokia]
    <PHIME2002A><; C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName>  [(Verified)Microsoft Windows Publisher]
    <PHIME2002ASync><; C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC>  [(Verified)Microsoft Windows Publisher]
    <RealOneAssist><; D:\音乐\mtv\RealPlayer广告拦截超级助手\RealOneAssist.exe>  [N/A]
    <RfwMain><; "C:\Program Files\Rising\Rfw\rfwmain.exe" -Startup>  [Beijing Rising Technology Co., Ltd.]
    <shualai><; C:\WINDOWS\shualai.exe /i>  []
    <StormCodec_Helper><; "C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" /S /opti>  []
    <System><; C:\Program Files\Common Files\System\Updaterun.exe>  []
    <upxmdnd><; C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\upxmdnd.exe>  []
    <Vistadrv><; C:\Program Files\Vista\systool\Vistadrive\vsdrv.exe>  []
    <VisualTaskTips><; C:\Program Files\VisualTaskTips\VisualTaskTips.exe>  [VisualTaskTips.com]
    <winform><; C:\WINDOWS\winform.exe>  []
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    <KKDelay><C:\Program Files\Rising\AntiSpyware\RunOnce.exe>  [Beijing Rising Technology Co., Ltd.]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    <shell><EXPLORER.EXE>  [Microsoft Corporation]
    <Userinit><C:\WINDOWS\system32\userinit.exe,>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    <AppInit_DLLs><>  [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    <UIHost><logonui.exe>  [Microsoft Corporation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    <{AEB6717E-7E19-11d0-97EE-00C04FD91972}><shell32.dll>  [Microsoft Corporation]
    <{32CD708B-60A7-4C00-9377-D73EAA495F0F}><C:\WINDOWS\system32\RavExt.dll>  [Beijing Rising Technology Co., Ltd.]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    <PostBootReminder><%SystemRoot%\system32\SHELL32.dll>  [Microsoft Corporation]
    <CDBurn><%SystemRoot%\system32\SHELL32.dll>  [Microsoft Corporation]
    <WebCheck><%SystemRoot%\system32\webcheck.dll>  [Microsoft Corporation]
    <SysTray><C:\WINDOWS\system32\stobject.dll>  [Microsoft Corporation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
    <WinlogonNotify: crypt32chain><crypt32.dll>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
    <WinlogonNotify: cryptnet><cryptnet.dll>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
    <WinlogonNotify: cscdll><cscdll.dll>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
    <WinlogonNotify: ScCertProp><wlnotify.dll>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
    <WinlogonNotify: Schedule><wlnotify.dll>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
    <WinlogonNotify: sclgntfy><sclgntfy.dll>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
    <WinlogonNotify: SensLogn><WlNotify.dll>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
    <WinlogonNotify: termsrv><wlnotify.dll>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
    <WinlogonNotify: wlballoon><wlnotify.dll>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    <{438755C2-A8BA-11D1-B96B-00A0C90312E1}><%SystemRoot%\system32\browseui.dll>  [(Verified)Microsoft Windows Component Publisher]
    <{8C7461EF-2B13-11d2-BE35-3078302C2030}><%SystemRoot%\system32\browseui.dll>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
    <Microsoft Windows Media Player><C:\WINDOWS\inf\unregmp2.exe /ShowWMP>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS]
    <浏览器自定义组件><RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}]
    <Windows 桌面更新><regsvr32.exe /s /n /i:U shell32.dll>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}]
    <Internet Explorer 6><%SystemRoot%\system32\ie4uinit.exe>  [(Verified)Microsoft Windows Publisher]

Duplicate. In post #4, the 4th, 5th and 6th entries are viruses.

The 7th is rogue software.

启动文件夹
N/A

==================================
服务
[A409D9F0 / A409D9F0][Stopped/Auto Start]
  <C:\WINDOWS\system32\A409D9F0.EXE -d><Microsoft Corporation>
[Ati HotKey Poller / Ati HotKey Poller][Running/Auto Start]
  <C:\WINDOWS\system32\Ati2evxx.exe><>
[ATI Smart / ATI Smart][Stopped/Auto Start]
  <C:\WINDOWS\system32\ati2sgag.exe><>
[Human Interface Device Access / HidServ][Stopped/Disabled]
  <C:\WINDOWS\System32\svchost.exe -k netsvcs-->%SystemRoot%\System32\hidserv.dll><N/A>
[Rising Proxy  Service / RfwProxySrv][Stopped/Manual Start]
  <c:\program files\rising\rfw\rfwproxy.exe><Beijing Rising Technology Co., Ltd.>
[Rising Personal Firewall Service / RfwService][Running/Auto Start]
  <c:\program files\rising\rfw\rfwsrv.exe><Beijing Rising Technology Co., Ltd.>
[Rising Process Communication Center / RsCCenter][Running/Auto Start]
  <"C:\Program Files\Rising\Rav\CCenter.exe"><Beijing Rising Technology Co., Ltd.>
[Rising RealTime Monitor / RsRavMon][Running/Auto Start]
  <"C:\PROGRAM FILES\RISING\RAV\Ravmond.exe"><Beijing Rising Technology Co., Ltd.>
[Print Spooler / Spooler][Running/Auto Start]
  <C:\WINDOWS\system32\spoolsv.exe><Microsoft Corporation>
[Distributed Application Client / SOCEESe][Running/Auto Start]
  <C:\WINDOWS\SYSTEM32\RUNDLL2KXP.EXE C:\WINDOWS\SYSTEM32\WBEM\FHLAA.DLL,Export 1087><Microsoft Corporation>
[Office Backup Engine / Investor][Stopped/Auto Start]
  <C:\WINDOWS\System32\svchost.exe -k netsvcs-->C:\WINDOWS\system32\xhieo.dll><Microsoft Corporation>

==================================
驱动程序
[ati2mtag / ati2mtag][Running/Manual Start]
  <system32\DRIVERS\ati2mtag.sys><ATI Technologies Inc.>
[Rising TDI Base Driver / BaseTDI][Running/Auto Start]
  <System32\DRIVERS\BaseTDI.SYS><Beijing Rising Technology Co., Ltd.>
[C-Media WDM Audio Interface / cmuda][Running/Manual Start]
  <system32\drivers\cmuda.sys><C-Media Inc>
[ExpScaner / ExpScaner][Running/Auto Start]
  <\??\C:\PROGRAM FILES\RISING\RAV\ExpScan.sys><>
[HookCont / HookCont][Running/Auto Start]
  <\??\C:\PROGRAM FILES\RISING\RAV\HOOKCONT.sys><Rising>
[HookReg / HookReg][Running/Auto Start]
  <\??\C:\PROGRAM FILES\RISING\RAV\HookReg.sys><>
[HookSys / HookSys][Running/Auto Start]
  <\??\C:\PROGRAM FILES\RISING\RAV\HookSys.sys><Rising>
[HookUrl / HookUrl][Running/Auto Start]
  <\??\C:\Program Files\Rising\Rfw\HookUrl.sys><Beijing Rising Technology Co., Ltd.>
[IR Enumerator Service / IRENUM][Stopped/Manual Start]
  <system32\DRIVERS\irenum.sys><N/A>
[MEMSCAN / MEMSCAN][Running/Auto Start]
  <\??\C:\PROGRAM FILES\RISING\RAV\MEMSCAN.sys><瑞星软件有限公司>
[mProcRs / mProcRs][Running/Auto Start]
  <\??\c:\program files\rising\rfw\mProcRs.sys><Beijing Rising Technology Co., Ltd.>
[Nokia USB Generic / Nokia USB Generic][Stopped/Manual Start]
  <system32\drivers\nmwcdc.sys><Nokia>
[Nokia USB Modem / Nokia USB Modem][Stopped/Manual Start]
  <system32\drivers\nmwcdcm.sys><Nokia>
[Nokia USB Phone Parent / Nokia USB Phone Parent][Stopped/Manual Start]
  <system32\drivers\nmwcd.sys><Nokia>
[npkcrypt / npkcrypt][Running/Auto Start]
  <\??\C:\Program Files\Tencent\QQ\npkcrypt.sys><INCA Internet Co., Ltd.>
[nvatabus / nvatabus][Running/Boot Start]
  <\SystemRoot\system32\DRIVERS\nvatabus.sys><NVIDIA Corporation>
[NVIDIA nForce Networking Controller Driver / NVENETFD][Running/Manual Start]
  <system32\DRIVERS\NVENETFD.sys><NVIDIA Corporation>
[NVIDIA Network Bus Enumerator / nvnetbus][Running/Manual Start]
  <system32\DRIVERS\nvnetbus.sys><NVIDIA Corporation>
[NVIDIA NForce(tm) ATA RAID Class Driver / nvraid][Running/Boot Start]
  <\SystemRoot\system32\DRIVERS\nvraid.sys><NVIDIA Corporation>
[NVIDIA nForce AGP Bus Filter / nv_agp][Running/Boot Start]
  <\SystemRoot\system32\DRIVERS\nv_agp.sys><NVIDIA Corporation>
[iNetShare / Passthru][Running/Manual Start]
  <system32\DRIVERS\inetdrv.sys><>
[Direct Parallel Link Driver / Ptilink][Running/Manual Start]
  <system32\DRIVERS\ptilink.sys><Parallel Technologies, Inc.>
[RsFwDrv / RsFwDrv][Running/Auto Start]
  <\??\C:\Program Files\Rising\Rfw\RsFwDrv.sys><Beijing Rising Technology Co., Ltd.>
[RsNTGDI / RsNTGDI][Running/Boot Start]
  <\SystemRoot\system32\Drivers\RsNTGdi.sys><Beijing Rising Technology Co., Ltd.>
[RSPPSYS / RSPPSYS][Running/Auto Start]
  <\??\C:\PROGRAM FILES\RISING\RAV\RSPPSYS.sys><Rising>
[Secdrv / Secdrv][Stopped/Manual Start]
  <system32\DRIVERS\secdrv.sys><N/A>
[TCP/IP Protocol Driver / Tcpip][Running/System Start]
  <system32\DRIVERS\tcpip.sys><Microsoft Corporation>
[World Standard Teletext Codec / WSTCODEC][Stopped/Manual Start]
  <system32\DRIVERS\WSTCODEC.SYS><Microsoft Corporation>
[VIMICRO USB PC Camera (ZC0301PLH) / ZSMC303][Running/Manual Start]
  <System32\Drivers\usbVM303.sys><Vimicro Corporation>
[cdnprot / cdnprot][Running/Boot Start]
  <\SystemRoot\system32\drivers\cdnprot.sys><中国互联网络信息中心(CNNIC)>
[dcachdef / dcachdef][Stopped/Boot Start]
  <\SystemRoot\system32\drivers\dcachdef.sys><中国互联网络信息中心(CNNIC)>
[cdntran / cdntran][Running/Auto Start]
  <system32\drivers\cdntran.sys><CNNIC>
[RsAntiSpyware / RsAntiSpyware][Stopped/Boot Start]
  <\SystemRoot\system32\drivers\RsBoot.sys><Beijing Rising>

<CdnCtr><C:\Program Files\CNNIC\Cdn\cdnup.exe> [CNNIC]

Rogue software

<cmdbcs><; C:\WINDOWS\cmdbcs.exe> []

<mppds><; C:\WINDOWS\mppds.exe> []

<shualai><; C:\WINDOWS\shualai.exe /i> []

<System><; C:\Program Files\Common Files\System\Updaterun.exe> []

<upxmdnd><; C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\upxmdnd.exe> []

服务
[A409D9F0 / A409D9F0][Stopped/Auto Start]
<C:\WINDOWS\system32\A409D9F0.EXE -d><Microsoft Corporation>

[Print Spooler / Spooler][Running/Auto Start]
<C:\WINDOWS\system32\spoolsv.exe><Microsoft Corporation>
This one: if you don't use a printer, disable it.

[Distributed Application Client / SOCEESe][Running/Auto Start]
<C:\WINDOWS\SYSTEM32\RUNDLL2KXP.EXE C:\WINDOWS\SYSTEM32\WBEM\FHLAA.DLL,Export 1087><Microsoft Corporation>
[Office Backup Engine / Investor][Stopped/Auto Start]
<C:\WINDOWS\System32\svchost.exe -k netsvcs-->C:\WINDOWS\system32\xhieo.dll><Microsoft Corporation>

[cdnprot / cdnprot][Running/Boot Start]
<\SystemRoot\system32\drivers\cdnprot.sys><中国互联网络信息中心(CNNIC)>
[dcachdef / dcachdef][Stopped/Boot Start]
<\SystemRoot\system32\drivers\dcachdef.sys><中国互联网络信息中心(CNNIC)>
[cdntran / cdntran][Running/Auto Start]
<system32\drivers\cdntran.sys><CNNIC>

Disable.
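To show how the verdicts given in the replies above can be reproduced mechanically, here is an added Python example (not code from the thread, from Rising, or from SREng) that parses startup-entry lines in the SREng log format shown above and flags entries that carry no publisher information and also sit in a suspicious location or hide behind a generic name. The heuristics are my own assumptions; the sample lines are copied from the log posted in the thread.

```python
import re
from collections import namedtuple

# Constructed sample in SREng's startup-entry format; the lines are copied from the thread's log
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    <ctfmon.exe><; C:\WINDOWS\system32\ctfmon.exe>  [(Verified)Microsoft Windows Publisher]
    <BigDog303><; C:\WINDOWS\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)>  [N/A]
    <cmdbcs><; C:\WINDOWS\cmdbcs.exe>  []
    <mppds><; C:\WINDOWS\mppds.exe>  []
    <HomeShare><; C:\Program Files\HomeShare\HomeShare.exe>  []
    <System><; C:\Program Files\Common Files\System\Updaterun.exe>  []
    <upxmdnd><; C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\upxmdnd.exe>  []
"""

# One entry line looks like:  <name><; command>  [publisher]   (registry key headers are skipped)
ENTRY_RE = re.compile(r'^\s*<([^>]*)><;?\s*([^>]*)>\s*\[([^\]]*)\]\s*$')
Entry = namedtuple('Entry', 'name command publisher')

def parse_entries(log):
    return [Entry(*m.groups()) for m in map(ENTRY_RE.match, log.splitlines()) if m]

def image_path(command):
    # Executable path: the quoted token, else everything up to the first .exe/.dll/.sys
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    m = re.match(r'(.*?\.(?:exe|dll|sys))(?=\s|$)', command, re.I)
    return m.group(1) if m else command.split(' ')[0]

def reasons(e):
    # Heuristics (my assumptions) mirroring what the repliers in the thread keyed on
    path = image_path(e.command).lower()
    parts = path.split('\\')
    r = []
    if not e.publisher.strip():
        r.append('no publisher / version info')
    if len(parts) == 3 and parts[1] == 'windows':
        r.append('dropped directly in %WINDIR% instead of a subfolder')
    if '\\temp\\' in path:
        r.append('runs from a Temp directory')
    if e.name.lower() in ('system', 'windows', 'microsoft'):
        r.append('generic system-sounding entry name')
    return r

def flagged(log):
    # Unsigned AND at least one location/name indicator: isolate the file and scan it
    return {e.name: r for e in parse_entries(log)
            if (r := reasons(e)) and not e.publisher.strip() and len(r) > 1}
```

`flagged(SAMPLE_LOG)` returns the four entries the repliers singled out (cmdbcs, mppds, upxmdnd, System) with the reason for each, while HomeShare, unsigned but living in its own Program Files folder, is left for manual review rather than flagged.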

