The anomalous items in the log are as follows:
==================================
Registry
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<MSConfig><C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto> [(Verified)Microsoft Windows Component Publisher]
<CNRNRNHelper.dll><; C:\PROGRA~1\CNRN\RNMain.exe C:\PROGRA~1\CNRN\RNHelper.dll,Rundll32> [File is missing]
<stup.exe><; Rundll32.exe C:\PROGRA~1\TENCENT\SSPlus\SPlus.dll,Rundll32 R> [File is missing]
<yassistse><; > [N/A]
<YLive.exe><; > [N/A]
<zmzy><; E:\down\zmzy\zmzy\zmzy.exe> [File is missing]
==================================
Services
[dasdf33s2d2 / dd3asdf33sdd2][Stopped/Auto Start]
<C:\WINDOWS\Fonts\dd1fsd2.exe -r><N/A>
[kaekxwc / kaekxwc][Stopped/Auto Start]
<C:\WINDOWS\system32\rundll32.exe C:\PROGRA~1\xaekxwc\xaekxwc.dll,Service><Microsoft Corporation>
[Windows Time / W32Time][Running/Auto Start]
<C:\WINDOWS\System32\svchost.exe -k netsvcs-->c:\windows\system32\wins\ohdfjrrey.dll><Microsoft LTD.>
==================================
Drivers
[sfafix / sfafix][Stopped/Boot Start]
<\SystemRoot\system32\drivers\sfafix.sys><N/A>
[viv2c3cau / viv2c3caux][Stopped/Boot Start]
<\SystemRoot\System32\DRIVERS\viv2c3caux.sys><N/A>
==================================
Running processes
C:\WINDOWS\system32\wins\3720\svchost.exe
==================================
Process privilege scan
Special privilege allowed: SeLoadDriverPrivilege [PID = 5856, C:\WINDOWS\SYSTEM32\WINS\3720\SVCHOST.EXE]
==================================
PS: The input-method process c:\windows\system32\ctfmon.exe is being invoked by multiple processes; my personal feeling is that the suspicious file C:\WINDOWS\system32\wins\3720\svchost.exe may be behind it.
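As an added example that is not part of the post above nor code from the scanning tool that produced the log, the Python script below parses the log in the post's own layout (Run entries, service/driver blocks, running processes, privilege scan) and runs a few triage checks over it. The checks are this example's own assumptions about what a reviewer looks for in such a log, not rules from the tool: autorun entries whose file is missing or whose command is empty; svchost.exe, or a svchost-hosted service DLL, located outside System32; a service binary in a directory that never legitimately holds executables (the Fonts folder); a service implemented as a rundll32-hosted DLL; a "Microsoft"-like vendor string that is not exactly "Microsoft Corporation"; a driver with no publisher information; and SeLoadDriverPrivilege held by a process outside System32. The log lines embedded in the script are copied from the post and serve as constructed input; the verified MSConfig entry is left in as a benign control.

```python
"""Heuristic triage of the scan log in the post above (added example, not the
post's or the scanning tool's own code). It parses the log in the post's own
layout and applies path- and vendor-based checks that are this example's own
assumptions about what a reviewer looks for, not rules from the tool."""
import re

SYSTEM32 = r"c:\windows\system32"
NEVER_EXECUTABLE_DIRS = {r"c:\windows\fonts", r"c:\windows\temp"}  # assumption
SECTIONS = ("Registry", "Services", "Drivers", "Running processes", "Process privilege scan")
PATH_RE = re.compile(r"(?:[A-Za-z]:\\|\\SystemRoot\\)[^\s,;<>]+")
RUN_RE = re.compile(r"^<([^>]*)><([^>]*)> \[([^\]]*)\]$")          # <name><command> [status]
SVC_HEAD_RE = re.compile(r"^\[([^/\]]+) / ([^\]]+)\]\[([^/\]]+)/([^\]]+)\]$")  # [display / name][state/start]
SVC_BODY_RE = re.compile(r"^<(.+)><([^>]*)>$")                     # <command><vendor>
PRIV_RE = re.compile(r"SeLoadDriverPrivilege \[PID = (\d+), (.+)\]$")
# Constructed input: the log lines copied from the post.
SCAN_LOG = r"""
Registry
<MSConfig><C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto> [(Verified)Microsoft Windows Component Publisher]
<CNRNRNHelper.dll><; C:\PROGRA~1\CNRN\RNMain.exe C:\PROGRA~1\CNRN\RNHelper.dll,Rundll32> [File is missing]
<stup.exe><; Rundll32.exe C:\PROGRA~1\TENCENT\SSPlus\SPlus.dll,Rundll32 R> [File is missing]
<yassistse><; > [N/A]
<YLive.exe><; > [N/A]
<zmzy><; E:\down\zmzy\zmzy\zmzy.exe> [File is missing]
==================================
Services
[dasdf33s2d2 / dd3asdf33sdd2][Stopped/Auto Start]
<C:\WINDOWS\Fonts\dd1fsd2.exe -r><N/A>
[kaekxwc / kaekxwc][Stopped/Auto Start]
<C:\WINDOWS\system32\rundll32.exe C:\PROGRA~1\xaekxwc\xaekxwc.dll,Service><Microsoft Corporation>
[Windows Time / W32Time][Running/Auto Start]
<C:\WINDOWS\System32\svchost.exe -k netsvcs-->c:\windows\system32\wins\ohdfjrrey.dll><Microsoft LTD.>
==================================
Drivers
[sfafix / sfafix][Stopped/Boot Start]
<\SystemRoot\system32\drivers\sfafix.sys><N/A>
[viv2c3cau / viv2c3caux][Stopped/Boot Start]
<\SystemRoot\System32\DRIVERS\viv2c3caux.sys><N/A>
==================================
Running processes
C:\WINDOWS\system32\wins\3720\svchost.exe
==================================
Process privilege scan
Special privilege allowed: SeLoadDriverPrivilege [PID = 5856, C:\WINDOWS\SYSTEM32\WINS\3720\SVCHOST.EXE]
"""

def _dir(path):
    """Directory of a path, lower-cased, with \\SystemRoot expanded so it compares against SYSTEM32."""
    return path.lower().replace("\\systemroot\\", "c:\\windows\\").rsplit("\\", 1)[0]

def check_command(label, command):
    """Path checks shared by services, drivers and running processes."""
    out = []
    for raw in PATH_RE.findall(command):
        if raw.lower().endswith("\\svchost.exe") and _dir(raw) != SYSTEM32:
            out.append(f"{label}: svchost.exe outside System32 ({raw})")
        if _dir(raw) in NEVER_EXECUTABLE_DIRS:
            out.append(f"{label}: executable in a non-executable directory ({raw})")
    if "-->" in command:  # the log's "host-->hosted DLL" notation for svchost service groups
        dll = command.split("-->", 1)[1].strip()
        if _dir(dll) != SYSTEM32:
            out.append(f"{label}: svchost-hosted service DLL outside System32 ({dll})")
    return out

def triage(log_text):
    """Return human-readable findings for one scan log in the post's format."""
    findings, section, pending = [], None, None
    for line in (ln.strip() for ln in log_text.splitlines()):
        if line in SECTIONS:
            section = line
        elif not line or line.startswith("="):
            continue
        elif section == "Registry" and (m := RUN_RE.match(line)):
            name, command, status = m.groups()
            if status == "File is missing":
                findings.append(f"Run/{name}: autorun points to a missing file")
            elif not command.lstrip("; ").strip():
                findings.append(f"Run/{name}: empty autorun entry")
        elif section in ("Services", "Drivers"):
            if m := SVC_HEAD_RE.match(line):
                pending = m.group(2)  # short service/driver name from the header line
            elif pending and (m := SVC_BODY_RE.match(line)):
                command, vendor = m.group(1), m.group(2).strip()
                label = f"{section[:-1]}/{pending}"
                findings += check_command(label, command)
                if "rundll32.exe" in command.lower():
                    findings.append(f"{label}: service implemented as a rundll32-hosted DLL")
                if "microsoft" in vendor.lower() and vendor != "Microsoft Corporation":
                    findings.append(f"{label}: vendor string imitates Microsoft ({vendor!r})")
                if section == "Drivers" and vendor == "N/A":
                    findings.append(f"{label}: driver with no publisher information")
                pending = None
        elif section == "Running processes":
            findings += check_command("Process", line)
        elif section == "Process privilege scan" and (m := PRIV_RE.search(line)):
            pid, path = m.groups()
            if _dir(path) != SYSTEM32:
                findings.append(f"PID {pid}: SeLoadDriverPrivilege held outside System32 ({path})")
    return findings
```

Running `triage(SCAN_LOG)` yields one finding per orphaned Run entry, flags the Fonts-resident service binary, the rundll32-hosted kaekxwc service, the W32Time service both for its DLL under system32\wins and for the "Microsoft LTD." vendor string, the two drivers without publisher information, the svchost.exe process under wins\3720, and the SeLoadDriverPrivilege it holds, while the verified MSConfig entry and the genuine System32 svchost.exe pass untouched. The path-based rules are deliberately narrow; they single out what is unambiguous in this log rather than attempt to judge every entry.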