[Help wanted] A question about a hidden process, thanks!

I have a strange problem here. Yesterday I installed Kaspersky; with the latest virus database it found no viruses. But one thing keeps nagging at me: when I open IceSword shortly after booting and check the system, sometimes its System Check shows one hidden process, with an address of 0x...., path and name both ???, pid: -1, and sometimes it shows nothing. Or, after it finds one, if I refresh or restart IceSword it reports zero hidden processes. This is really bizarre. I don't know whether it's a false positive or what's going on. Checking with other hidden-process viewers such as GMER, ECQ-ps, Process Master and so on finds no process with pid -1 either. The startup items and IE add-ons show nothing abnormal either. No matter which tool I use, no -1 process turns up, which leaves me uneasy. Maybe I'm worrying too much. Because it's only a memory address, I have no way of knowing what process it actually is... (sweat) my skill level is low. But if there really is a backdoor, I can't just let it go. So I ran an SREng report and am posting it for you experts to look at. The question I asked last time got no result; nobody answered me. This time please do help me solve it. Personally I don't see any problem, and I don't know whether driver-level backdoors have become so powerful that even a tool like IceSword can't detect them. So please give me an answer this time. Thank you very much!



[CODE]

2007-04-12,18:47:49

System Repair Engineer 2.4.12.806
Smallfrogs (http://www.KZTechs.com)

Windows XP Professional Service Pack 2 (Build 2600) - 管理权限用户 - 完整功能

以下内容被选中:
    所有的启动项目(包括注册表、启动文件夹、服务等)
    浏览器加载项
    正在运行的进程(包括进程模块信息)
    文件关联
    Winsock 提供者
    Autorun.inf
    HOSTS 文件


启动项目
注册表
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    <ctfmon.exe><C:\windows\system32\ctfmon.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    <RunShadowTip><C:\WINDOWS\system32\shadow\ShadowTip.exe>  [PowerShadow]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    <shell><Explorer.exe>  [(Verified)Microsoft Windows Publisher]
    <Userinit><C:\WINDOWS\system32\userinit.exe,>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    <AppInit_DLLs><>  [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    <UIHost><logonui.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    <WPDShServiceObj><C:\WINDOWS\system32\WPDShServiceObj.dll>  [(Verified)Microsoft Windows Component Publisher]

==================================
启动文件夹
N/A

==================================
服务
[ASP.NET State Service / aspnet_state][Stopped/Manual Start]
  <C:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe><Microsoft Corporation>
[Ati HotKey Poller / Ati HotKey Poller][Stopped/Disabled]
  <C:\windows\system32\Ati2evxx.exe><ATI Technologies Inc.>
[ATI Smart / ATI Smart][Stopped/Disabled]
  <C:\WINDOWS\system32\ati2sgag.exe><>
[Autodesk Licensing Service / Autodesk Licensing Service][Stopped/Manual Start]
  <"C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe"><Autodesk>
[Human Interface Device Access / HidServ][Stopped/Disabled]
  <C:\windows\System32\svchost.exe -k netsvcs-->%SystemRoot%\System32\hidserv.dll><N/A>
[InstallDriver Table Manager / IDriverT][Stopped/Manual Start]
  <"C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe"><Macrovision Corporation>
[Shadow System Service / ShadowSystemService][Running/Auto Start]
  <C:\WINDOWS\system32\shadow\ShadowService.exe><N/A>
[Windows Media Connect Service / WMConnectCDS][Stopped/Manual Start]
  <C:\Program Files\Windows Media Connect 2\wmccds.exe><Microsoft Corporation>
[WMDM PMSP Service / WMDM PMSP Service][Stopped/Disabled]
  <C:\WINDOWS\system32\MsPMSPSv.exe><Microsoft Corporation>
[Windows Driver Foundation - User-mode Driver Framework / WudfSvc][Stopped/Manual Start]
  <C:\windows\system32\svchost.exe -k WudfServiceGroup-->%SystemRoot%\System32\WUDFSvc.dll><Microsoft Corporation>

Last edited 2007-04-12 19:58:38

==================================
驱动程序
[aic78xx / aic78xx][Running/Boot Start]
  <\SystemRoot\system32\DRIVERS\aic78xx.sys><Microsoft Corporation>
[Service for Realtek AC97 Audio (WDM) / ALCXWDM][Stopped/Manual Start]
  <system32\drivers\ALCXWDM.SYS><N/A>
[AMD Processor Driver / AmdK8][Running/System Start]
  <system32\DRIVERS\AmdK8.sys><Advanced Micro Devices>
[ati2mtag / ati2mtag][Running/Manual Start]
  <system32\DRIVERS\ati2mtag.sys><ATI Technologies Inc.>
[ATITool Overclocking Utility / ATITool][Running/System Start]
  <system32\DRIVERS\ATITool.sys><>
[ICatch (VI) PC Camera / CA561][Running/Manual Start]
  <System32\Drivers\SPCA561.SYS><SP>
[cdrblock / cdrblock][Running/System Start]
  <system32\DRIVERS\cdrblock.sys><Canopus Co,. Ltd.>
[cdrport / cdrport][Running/System Start]
  <system32\DRIVERS\cdrport.sys><Canopus Co,. Ltd.>
[Creative AC3 Software Decoder / ctac32k][Running/Manual Start]
  <system32\drivers\ctac32k.sys><Creative Technology Ltd>
[Creative Audio Driver (WDM) / ctaud2k][Running/Manual Start]
  <system32\drivers\ctaud2k.sys><Creative Technology Ltd>
[Creative DVD-Audio Device Driver / ctdvda2k][Stopped/Manual Start]
  <system32\drivers\ctdvda2k.sys><Creative Technology Ltd>
[Creative Proxy Driver / ctprxy2k][Running/Manual Start]
  <system32\drivers\ctprxy2k.sys><Creative Technology Ltd>
[Creative SoundFont Management Device Driver / ctsfm2k][Running/Manual Start]
  <system32\drivers\ctsfm2k.sys><Creative Technology Ltd>
[d347bus / d347bus][Running/Boot Start]
  <\SystemRoot\system32\DRIVERS\d347bus.sys><>
[d347prt / d347prt][Running/Boot Start]
  <\SystemRoot\System32\Drivers\d347prt.sys><>
[e2eCap - WDM Video Capture / E2ECAP][Stopped/Auto Start]
  <system32\DRIVERS\e2ecap.sys><e2eSoft>
[EagleNT / EagleNT][Stopped/Manual Start]
  <\??\C:\WINDOWS\system32\drivers\EagleNT.sys><N/A>
[E-mu Plug-in Architecture Driver / emupia][Running/Manual Start]
  <system32\drivers\emupia2k.sys><Creative Technology Ltd>
[Gmer / Gmer][Stopped/Manual Start]
  <System32\DRIVERS\gmer.sys><GMER>
[GMSIPCI / GMSIPCI][Stopped/Manual Start]
  <\??\D:\INSTALL\GMSIPCI.SYS><N/A>
[Creative Hardware Abstract Layer Driver / ha10kx2k][Running/Manual Start]
  <system32\drivers\ha10kx2k.sys><Creative Technology Ltd>
[Hamachi Network Interface / hamachi][Stopped/Manual Start]
  <system32\DRIVERS\hamachi.sys><LogMeIn, Inc.>
[Creative P16V HAL Driver / hap16v2k][Running/Manual Start]
  <system32\drivers\hap16v2k.sys><Creative Technology Ltd>
[Creative P17V HAL Driver / hap17v2k][Stopped/Manual Start]
  <system32\drivers\hap17v2k.sys><Creative Technology Ltd>
[IPvE Adapter Driver / IPvE][Stopped/Manual Start]
  <system32\DRIVERS\IPvE.sys><Hongtien>
[MAGIX_ASIO_BoostDriver / MagixASIODrv][Stopped/Manual Start]
  <\??\D:\安装软件\Samplitude_V8_professional\mxasio.sys><MAGIX AG>
[npkcrypt / npkcrypt][Running/Auto Start]
  <\??\D:\安装软件\QQ2006py_3.72\QQ\npkcrypt.sys><INCA Internet Co., Ltd.>
[nvata / nvata][Running/Boot Start]
  <\SystemRoot\system32\DRIVERS\nvata.sys><NVIDIA Corporation>
[NVIDIA nForce Networking Controller Driver / NVENETFD][Running/Manual Start]
  <system32\DRIVERS\NVENETFD.sys><NVIDIA Corporation>
[NVIDIA Network Bus Enumerator / nvnetbus][Running/Manual Start]
  <system32\DRIVERS\nvnetbus.sys><NVIDIA Corporation>
[Creative OS Services Driver / ossrv][Running/Manual Start]
  <system32\drivers\ctoss2k.sys><Creative Technology Ltd.>
[PfDetNT / PfDetNT][Running/Auto Start]
  <\??\C:\WINDOWS\system32\drivers\PfModNT.sys><Creative Technology Ltd.>
[Direct Parallel Link Driver / Ptilink][Running/Manual Start]
  <system32\DRIVERS\ptilink.sys><Parallel Technologies, Inc.>
[Secdrv / Secdrv][Running/Auto Start]
  <system32\DRIVERS\secdrv.sys><Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.>
[StarForce Protection Environment Driver (version 1.x) / sfdrv01][Running/Boot Start]
  <\SystemRoot\System32\drivers\sfdrv01.sys><Protection Technology>
[StarForce Protection Helper Driver (version 2.x) / sfhlp02][Running/Boot Start]
  <\SystemRoot\System32\drivers\sfhlp02.sys><Protection Technology>
[StarForce Protection Synchronization Driver (version 3.x) / sfsync03][Running/Boot Start]
  <\SystemRoot\System32\drivers\sfsync03.sys><Protection Technology>
[sptd / sptd][Running/Boot Start]
  <\SystemRoot\System32\Drivers\sptd.sys><N/A>
[TSP / TSP][Stopped/Manual Start]
  <\??\C:\windows\system32\drivers\klif.sys><N/A>
[VNN VNC Virtual Network Adapter / vnndev][Stopped/Manual Start]
  <system32\DRIVERS\vnnvnic.sys><VNN B.J.>
[World Standard Teletext Codec / WSTCODEC][Stopped/Manual Start]
  <system32\DRIVERS\WSTCODEC.SYS><Microsoft Corporation>
[Windows Driver Foundation - User-mode Driver Framework Platform Driver / WudfPf][Stopped/Manual Start]
  <system32\DRIVERS\WudfPf.sys><Microsoft Corporation>
[Windows Driver Foundation - User-mode Driver Framework Reflector / WudfRd][Stopped/Manual Start]
  <system32\DRIVERS\wudfrd.sys><Microsoft Corporation>

==================================
浏览器加载项
[WUWebControl Class]
  {6414512B-B978-451D-A0D8-FCFDF33E833C} <C:\WINDOWS\system32\wuweb.dll, Microsoft Corporation>
[&使用迅雷下载]
  <D:\安装软件\Thunder553264_diy\Thunder\Program\geturl.htm, N/A>
[&使用迅雷下载全部链接]
  <D:\安装软件\Thunder553264_diy\Thunder\Program\getallurl.htm, N/A>
[使用 IDM 下载]
  <D:\安装软件\Internet Download Manager\Internet Download Manager\IEExt.htm, N/A>
[使用 IDM 下载所有链接]
  <D:\安装软件\Internet Download Manager\Internet Download Manager\IEGetAll.htm, N/A>
[使用KuGoo3下载(&K)]
  <D:\安装软件\KuGoo_3.233_wj\KuGoo\KuGoo3DownX.htm, N/A>

==================================
正在运行的进程
[PID: 672][\SystemRoot\System32\smss.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 724][\??\C:\windows\system32\csrss.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1948][C:\windows\Explorer.EXE]  [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
    [C:\WINDOWS\system32\AcSignIcon.dll]  [Autodesk, 16.2.54.0]
    [C:\Program Files\Common Files\Autodesk Shared\AcSignCore16.dll]  [Autodesk, 16.2.54.0]
    [C:\windows\system32\asfsipc.dll]  [Microsoft Corporation, 1.1.00.3917]
[PID: 232][C:\windows\system32\ctfmon.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 420][D:\安装软件\GreenBrowser_0906_DIY\GreenBrowser\GreenBrowser.exe]  [MoreQuick, 1, 0, 0, 0]
    [C:\WINDOWS\system32\AcSignIcon.dll]  [Autodesk, 16.2.54.0]
    [C:\windows\system32\SOGOUPY.IME]  [Sohu.com Inc., 1, 5, 0, 0]
    [D:\安装软件\SogouInput\SogouInput\Plugin\SgImeWord.dll]  [, 1, 0, 0, 31]
[PID: 632][D:\安装软件\sreng2.4.12.806\sreng2\SREng.EXE]  [Smallfrogs Studio, 2.4.12.806]

==================================
文件关联
.TXT  OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.EXE  OK. ["%1" %*]
.COM  OK. ["%1" %*]
.PIF  OK. ["%1" %*]
.REG  OK. [regedit.exe "%1"]
.BAT  OK. ["%1" %*]
.SCR  OK. ["%1" /S]
.CHM  OK. ["C:\windows\hh.exe" %1]
.HLP  OK. [%SystemRoot%\system32\winhlp32.exe %1]
.INI  OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.INF  OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.VBS  OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.JS  OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.LNK  OK. [{00021401-0000-0000-C000-000000000046}]

==================================
Winsock 提供者
N/A

==================================
Autorun.inf
N/A

==================================
HOSTS 文件
127.0.0.1      localhost
127.0.0.1    registeridm.com
127.0.0.1    207.44.199.159
127.0.0.1    207.44.199.16
127.0.0.1 www.hao123.com
127.0.0.1 www.qq3344.com
127.0.0.1 www.dj3344.com
127.0.0.1 www.yysky.net
127.0.0.1 www.qq168.net
127.0.0.1 www.777888.com
127.0.0.1 www.5dsoft.com
127.0.0.1 www.wokoo.net
127.0.0.1 www.coolcdrom.com
127.0.0.1 www.mtv51.com
127.0.0.1 www.yibinren.com
127.0.0.1 yeapple.com
127.0.0.1 movie.sx.zj.cn
127.0.0.1 www.cctv8.net
127.0.0.1 www.kuliao.com
127.0.0.1 www.yyqy.com
127.0.0.1 www.sunvod.com
127.0.0.1 www.t168.com
127.0.0.1 www.boliwo.com
127.0.0.1 www.zhengdian.com
127.0.0.1 girlchinese.com
127.0.0.1 www.37021.com
127.0.0.1 www.cnqb.net
127.0.0.1 www.58589.com
127.0.0.1 www.pixpox.com
127.0.0.1 www.k163.com
127.0.0.1 www.pk.com
127.0.0.1 www.xxx.com
127.0.0.1 www.ehomeday.com
127.0.0.1 www.jinpin.net
127.0.0.1 www.es158.com
127.0.0.1 www.aisa-girl.net
127.0.0.1 www.boliwu.com
127.0.0.1 www.cctv1.net
127.0.0.1 www.play.cn.gs
127.0.0.1 www.nnptt.com
127.0.0.1 vod.hengshui.com
127.0.0.1 tv.megajoy.com
127.0.0.1 www.my288.com
127.0.0.1 www.youmiss.com
127.0.0.1 www.laws-online.net
127.0.0.1 www.435000.com
127.0.0.1 www.eastedu.com.cn
127.0.0.1 www.ezhgc.com
127.0.0.1 www.mmgirls.com
127.0.0.1 www.qq520.com
127.0.0.1 www.love520.net
127.0.0.1 www.hj168.net
127.0.0.1 www.9911.com
127.0.0.1 36920.com

==================================
API HOOK
N/A

==================================
隐藏进程
N/A

==================================


[/CODE]
Thanks. I didn't add the hosts list myself; I don't know how it ended up like that. I also think the URLs in it are a bit suspicious. And I'm the careful type; I never visit pages I suspect are infected. Shadow System (PowerShadow) isn't running; it's just that its ShadowService runs in memory from boot. I know disabling it is harmless and won't affect Shadow System, but since I'm in normal mode I haven't bothered to disable it. Besides, Shadow System isn't the process with pid -1 either. I still feel something is suspicious, because I've been rather unlucky: in the past someone targeted me and planted backdoors, packed n times, on my system. My skill is limited: I can't strike back, only defend. My patches should be complete now, and the dangerous services are turned off. What I don't understand is that last time it suddenly reported the API hook library had been modified, but after a reboot it no longer reported anything differing from the preset values. That's really eerie. Normally I don't see any abnormal connections in the port list either. But I still suspect there is an advanced driver-level backdoor, though I can't rule out a false positive. So, moderator, do you have any good suggestions, apart from reinstalling? I have too many drivers and can't bring myself to delete them; I use a lot of stuff, heh. Please give me some more advice, moderator. I'd be very grateful.
I have used the block-bad-websites feature of Windows优化大师 (Windows Optimization Master); the hosts list was probably added by that software.
Moderator, please say more! I really hate these troublesome backdoors. And I dislike how bloated and incompetent antivirus software is; usually I only install it when there's a problem, scan, and then uninstall it. As for proactive-defense software that monitors the registry and prompts me to allow every running process, I find it far too annoying. When there's a problem I check it myself. So this is really frustrating. I hope the moderator can give some more advice!
Below are the suspicious file names found by the SREng scan; moderator, please analyze them!
1shadowtip.exe.v
2ACSIGNICON.DLL.V
3ASFSIPC.DLL.V
4ACSIGNCORE16.DLL.V
ADSKSCSRV.EXE.V
ATI2EVXX.EXE.V
IDRIVERT.EXE.V
SHADOWSERVICE.EXE.V
WUDFSVC.DLL.V
ASPNET_STATE.EXE.V
ATI2SGAG.EXE.V
MSPMSPSV.EXE.V
WMCCDS.EXE.V