The abnormal items visible in the log are listed below; of course, there will be many more that are not visible (my personal estimate is that the vast majority of executable files have already been infected by the virus, sadly...)
==================================
启动文件夹
[YJHUBSXFK8S]
<C:\Documents and Settings\All Users\「开始」菜单\程序\启动\YJHUBSXFK8S.lnk --> C:\WINDOWS\GUQFEI~1.EXE [Kav. Corporation]><H>
[RYQM7KL]
<C:\Documents and Settings\All Users\「开始」菜单\程序\启动\RYQM7KL.lnk --> C:\WINDOWS\LJZP5.exe [Kav. Corporation]><H>
[RYQM7KL]
<C:\Documents and Settings\All Users\「开始」菜单\程序\启动\RYQM7KL.BAT --> [File is missing]><N>
[LL1YT7]
<C:\Documents and Settings\All Users\「开始」菜单\程序\启动\LL1YT7.lnk --> C:\WINDOWS\UBVCX4Q.exe [Kav. Corporation]><H>
[LL1YT7]
<C:\Documents and Settings\All Users\「开始」菜单\程序\启动\LL1YT7.BAT --> [File is missing]><N>
[AQVX4FHETK6R]
<C:\Documents and Settings\All Users\「开始」菜单\程序\启动\AQVX4FHETK6R.lnk --> C:\WINDOWS\DOLQTRY.exe [Kav. Corporation]><H>
[AQVX4FHETK6R]
<C:\Documents and Settings\All Users\「开始」菜单\程序\启动\AQVX4FHETK6R.BAT --> [File is missing]><N>
[Y9007FGE]
<C:\Documents and Settings\All Users\「开始」菜单\程序\启动\Y9007FGE.lnk --> C:\WINDOWS\NBMXJT~1.EXE [Kav. Corporation]><H>
[Y9007FGE]
<C:\Documents and Settings\All Users\「开始」菜单\程序\启动\Y9007FGE.BAT --> [File is missing]><N>
[ABKH1U11]
<C:\Documents and Settings\All Users\「开始」菜单\程序\启动\ABKH1U11.lnk --> C:\WINDOWS\BRXFEI~1.EXE [Kav. Corporation]><H>
==================================
服务
[AME368P2VZ9L / 24I7KBY4][Running/Auto Start]
<C:\WINDOWS\system32\W1DI1LH.exe 0WON44OQ2W><Kav. Corporation>
[administrator / administrator][Stopped/Disabled]
<C:\WINDOWS\Hacker.com.cn.exe><(File is missing)>
[Gray_Pigeon_Server1.23 / GrayPigeonServer1.23][Stopped/Auto Start]
<C:\WINDOWS\G_Server1.23.exe><Microsoft Corporation>
[7WBDW23HNF6Z / GUQFEIYO12Z][Running/Auto Start]
<C:\WINDOWS\GUQFEIYO12Z.exe 3LIKNNUGF><Kav. Corporation>
[NVIOOsDIA Dissplay Drilverv / NVIOOsDIA Dissplay Drilverv][Stopped/Disabled]
<C:\WINDOWS\SONYpp\TEPLEwI.exe><(File is missing)>
[Remote Rtctkoe / Remote Rtctkoe][Stopped/Auto Start]
<C:\WINDOWS\Rtctkoe><(File is missing)>
[Remote Rtekoe / Remote Rtekoe][Stopped/Auto Start]
<C:\WINDOWS\Retkoe><(File is missing)>
[System trke / System trke][Stopped/Disabled]
<C:\WINDOWS\System trke><(File is missing)>
[Windows Mensty / Windows Mensty][Stopped/Auto Start]
<C:\WINDOWS\system\Systmm><N/A>
[Windows Ruenk / Windows Ruenk][Stopped/Disabled]
<C:\WINDOWS\WINDOWS\Ruenk><(File is missing)>
[YRBB9MT976RA / UBVCX4Q][Stopped/Auto Start]
<C:\WINDOWS\UBVCX4Q.exe WDQVR0><Kav. Corporation>
[04E5ODND8BT / DOLQTRY][Stopped/Auto Start]
<C:\WINDOWS\DOLQTRY.exe FX2F0H8OV><Kav. Corporation>
[JKZ6M59M / LJZP5][Stopped/Auto Start]
<C:\WINDOWS\LJZP5.exe QK6ADOLAKFD><Kav. Corporation>
[OQKWDB / NBMXJT93TL6K][Stopped/Auto Start]
<C:\WINDOWS\NBMXJT93TL6K.exe 6OA4PB><Kav. Corporation>
[L204675DH48 / BRXFEI2GJM6][Stopped/Auto Start]
<C:\WINDOWS\BRXFEI2GJM6.exe ESRFFDVC03O><Kav. Corporation>
[CHJS6Q / 84LIZ7PJ2I1][Stopped/Auto Start]
<C:\WINDOWS\system32\6DIRSL5SDXK.exe TDP2GB70D><Kav. Corporation>
==================================
驱动程序
[3YZXTSIYMR / 6OIXE][Stopped/Manual Start]
<\??\C:\WINDOWS\BHIAHQW.txt><N/A>
[JT99G3 / LB7OKTTGA53][Stopped/Manual Start]
<\??\C:\WINDOWS\JNHGRX.txt><N/A>
[44HS5DIWD2A / M4M2EV][Stopped/Manual Start]
<\??\C:\WINDOWS\5K99NRP.txt><N/A>
[YDCCNGBFFFA / O8O3WPC5Z][Stopped/Manual Start]
<\??\C:\WINDOWS\FNY5G.txt><N/A>
[82MHXKL4BK / XQXJH][Stopped/Manual Start]
<\??\C:\WINDOWS\K6XTZ3.txt><N/A>
[J1FGRRFK / C0QJ9NEYXAT1][Running/Manual Start]
<\??\C:\WINDOWS\F3CP3QV.txt><N/A>
==================================
正在运行的进程
[PID: 856 / SYSTEM][C:\WINDOWS\system32\W1DI1LH.exe] [Kav. Corporation, 1.2.0.1]
[PID: 980 / SYSTEM][C:\WINDOWS\GUQFEIYO12Z.exe] [Kav. Corporation, 1.2.0.1]
[PID: 792 / SYSTEM][C:\WINDOWS\system32\W1DI1LH.exe] [Kav. Corporation, 1.2.0.1]
[PID: 2468 / SYSTEM][C:\WINDOWS\system32\W1DI1LH.exe] [Kav. Corporation, 1.2.0.1]
[PID: 3876 / SYSTEM][C:\WINDOWS\system32\W1DI1LH.exe] [Kav. Corporation, 1.2.0.1]
==================================
进程特权扫描
特殊特权被允许: SeLoadDriverPrivilege [PID = 792, C:\WINDOWS\SYSTEM32\W1DI1LH.EXE]
特殊特权被允许: SeLoadDriverPrivilege [PID = 3876, C:\WINDOWS\SYSTEM32\W1DI1LH.EXE]
==================================