I. Registry entries
1.01 Transparent gateway authentication program
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<renzheng><C:\renzheng\webaClient.exe> []
1.02 The following three entries relate to the NVIDIA graphics card
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
<NvCplDaemon><RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup> [N/A]
<NvMediaCenter><RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit> [N/A]
<nwiz><nwiz.exe /install> [N/A]
1.03 The following entries are all normal startup components of the IBM notebook series; you may consider disabling them, but deleting them is not recommended.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\tpfnf2]
<WinlogonNotify: tpfnf2><notifyf2.dll> []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\tphotkey]
<WinlogonNotify: tphotkey><tphklock.dll> []
1.04 Automatic wallpaper switcher
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<switch><c:\windows\system32\壁纸自动换.exe> []
<switch><c:\windows\system32\bgswitch.exe> []
1.05 Webcam
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
<BigDogPath><C:\WINDOWS\VM_STI.EXE VIMICRO USB PC Camera> [N/A]
1.06 Windows fatal error repair
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
<KernelFaultCheck><%systemroot%\system32\dumprep 0 -k> [N/A]
1.07 木马克星 (Trojan Killer) software
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<AppInit_DLLs><APIHookDll.dll> [N/A]
1.08 Some webcam
<domino><C:\WINDOWS\domino.exe>
1.09 "htpatch.exe" is a component of the SiS AGP patch
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<HTpatch><C:\WINDOWS\htpatch.exe> [N/A]
===========================================================================
II. Services
2.01 XP Human Interface Devices
[Human Interface Device Access / HidServ][Stopped/Manual Start]
<C:\windows\System32\svchost.exe -k netsvcs-->%SystemRoot%\System32\hidserv.dll><N/A>
2.02 Windows Help and Support Center
[Help and Support / helpsvc][Stopped/Disabled]
<C:\windows\System32\svchost.exe -k netsvcs-->%WINDIR%\PCHealth\HelpCtr\Binaries\pchsvc.dll><N/A>
2.03 The following are services of normal IBM notebook components; some can be disabled as needed, but deleting them is not recommended.
[Ac Profile Manager Service / AcPrfMgrSvc][Running/Auto Start]
<C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe><N/A>
[Access Connections Main Service / AcSvc][Running/Auto Start]
<C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe><Lenovo>
[ThinkPad PM Service / IBMPMSVC][Running/Auto Start]
<C:\WINDOWS\system32\ibmpmsvc.exe><>
[IBM KCU Service / TpKmpSVC][Running/Auto Start]
<C:\WINDOWS\system32\TpKmpSVC.exe><N/A>
2.04 ATI graphics card
[ATI Smart / ATI Smart][Stopped/Auto Start]
<C:\WINDOWS\system32\ati2sgag.exe><>
2.05 用友 (UFIDA) financial software
[UfAutoLoadService / UfAutoLoadService][Stopped/Auto Start]
<C:\WINDOWS\system32\UfAutoLoadService.exe><>
[UfMsgGhost / UfMsgGhost][Running/Auto Start]
<C:\WINDOWS\system32\MsgGhost.exe><>
[U8AuthServer / UFNet][Running/Auto Start]
<C:\WINDOWS\system32\ServerNT.exe><N/A>
2.06 Service of some webcam
[STI Simulator / STI Simulator][Running/Auto Start]
<C:\WINDOWS\System32\PAStiSvc.exe><N/A>
2.07 时创网络 (Cyberip) dynamic domain name system
[Cyberip / Cyberip][Stopped/Manual Start]
<G:\itsys\CyberIP.exe><>
[Cyberlink Riccccccccc Service(CRVS) / Riccccccccc][Stopped/Manual Start]
<"D:\Program Files\Cyberlink\Shared Files\Riccccccccc.exe"><>
2.08 PowerShadow shadow system
[Shadow System Service / ShadowSystemService][Stopped/Manual Start]
<D:\WINDOWS\system32\shadow\ShadowService.exe><N/A>
2.09 Some card reader
[O2Micro Flash Memory / O2Flash][Running/Auto Start]
<C:\WINDOWS\system32\o2flash.exe><N/A>
===========================================================================
III. Drivers
3.01 ALi mini IDE Driver provided by Acer Laboratories Inc
[AliIde / AliIde][Stopped/Boot Start]
<\SystemRoot\System32\DRIVERS\aliide.sys><N/A>
[atitray / atitray][Stopped/System Start]
<\??\e:\NGOATI~1.3\ATT\atitray.sys><N/A>
3.02 Macrovision SECURITY Driver
[Secdrv / Secdrv][Stopped/Manual Start]
<system32\DRIVERS\secdrv.sys><N/A>
3.03 VIA AC'97 Audio Controller
[VIA AC'97 Audio Controller (WDM) / VIAudio][Stopped/Manual Start]
<system32\drivers\viaudio.sys><N/A>
3.04 Skynet (天网) Firewall
[SKNFW / SKNFW][Running/System Start]
<\??\C:\WINDOWS\system32\Drivers\SKNFW.sys><N/A>
[SkyProcs / SkyProcs][Stopped/Manual Start]
<\??\C:\PROGRA~1\SkyNet\Firewall\SkyProcs.sys><N/A>
3.05 USB webcam
[USB PC Camera (SNPSTD3) / SNPSTD3][Stopped/Manual Start]
<system32\DRIVERS\snpstd3.sys><>
[USB PC Camera 301P / ZSMC301b][Stopped/Manual Start]
<System32\Drivers\usbVM31b.sys><VM>
[Teclast WE PC Camera / ZSMC301b][Running/Manual Start]
<System32\Drivers\usbVM31b.sys><VM>
[Jollytime PC Camera / ZSMC301b][Stopped/Manual Start]
<System32\Drivers\usbVM31b.sys><VM>
[USB Data Cable / usb2vcom][Stopped/Manual Start]
<system32\DRIVERS\usb2vcom.sys><>
3.06 sptd.sys is a file belonging to the DAEMON Tools virtual optical drive
[sptd / sptd][Running/Boot Start]
<\SystemRoot\System32\Drivers\sptd.sys><N/A>
[dtscsi / dtscsi][Running/Manual Start]
<\SystemRoot\System32\Drivers\dtscsi.sys><N/A>
[d347bus / d347bus][Running/Boot Start]
<\SystemRoot\system32\DRIVERS\d347bus.sys><>
[d347prt / d347prt][Running/Boot Start]
<\SystemRoot\System32\Drivers\d347prt.sys><>
3.07 Several drivers for QQ's encrypted keyboard
[npkcrypt / npkcrypt][Stopped/Auto Start]
<\??\C:\Program files\Tencent\QQ\npkcrypt.sys><N/A>
[npkcusb / npkcusb][Stopped/Auto Start]
<\??\C:\Program files\Tencent\QQ\npkcusb.sys><N/A>
[npkcrypt / npkcrypt][Running/Auto Start]
<\??\C:\Program Files\Tencent\QQ\npkcrypt.sys><INCA Internet Co., Ltd.>
3.08 The SCSI/RAID Host Controller driver by Microtek Lab
[SMPLSCSI / SMPLSCSI][Stopped/Boot Start]
<\SystemRoot\System32\drivers\SMPLSCSI.SYS><N/A>
3.09 China Merchants Bank online banking (public edition) login plug-in
[CMBProtector / CMBProtector][Running/Auto Start]
<\??\D:\WINDOWS\system32\Drivers\CMBProtector.dat><N/A>
3.10 Some motherboard driver
[3WAREDRV / 3WAREDRV][Stopped/Boot Start]
<\SystemRoot\System32\DRIVERS\3WAREDRV.SYS><N/A>
[3WAREGSM / 3WAREGSM][Stopped/Boot Start]
<\SystemRoot\System32\DRIVERS\3waregsm.sys><N/A>
[3WDRV100 / 3WDRV100][Stopped/Boot Start]
<\SystemRoot\System32\DRIVERS\3WDRV100.SYS><N/A>
3.11 AntiARP Sniffer driver
[oreans32 / oreans32]
<\??\C:\WINDOWS\system32\drivers\oreans32.sys><N/A>
3.12 NTPort.Library: The NTPort Library lets your Win32 programs access the PC's I/O ports directly and in real time without using the Windows Driver Development Kit (DDK) or other tools. The NTPort Library is very easy to use: under Windows NT/2000/XP the NTPort Library driver can be loaded and unloaded dynamically, so no setup is required. The NTPort Library is also a replacement for BASIC's INP and OUT commands, and it can obtain the base address of the LPT port.
[NTPort Library Driver / zntport][Stopped/Auto Start]
<\??\C:\WINDOWS\system32\zntport.sys><N/A>
3.13 Some card reader
[O2MDRDR / O2MDRDR][Running/Boot Start]
<\SystemRoot\system32\DRIVERS\o2media.sys><O2Micro>
[O2SDRDR / O2SDRDR][Running/Boot Start]
<\SystemRoot\system32\DRIVERS\o2sd.sys><O2Micro>
3.14 Lenovo drivers
[Lenovo file protect service / fsp]
<C:\WINDOWS\fsp.exe><N/A>
[Lenovo auto login helper / usblogon]
<C:\WINDOWS\usblogon.exe><N/A>
3.15 Bluetooth device drivers
[Bluetooth Audio Service / BlueletAudio][Stopped/Manual Start]
<system32\DRIVERS\blueletaudio.sys><N/A>
[Bluetooth PAN Network Adapter / BT][Stopped/Manual Start]
<system32\DRIVERS\btnetdrv.sys><N/A>
[Bluetooth HID Enumerator / BTHidEnum][Stopped/Manual Start]
<system32\DRIVERS\vbtenum.sys><N/A>
[Bluetooth HID Manager Service / BTHidMgr][Stopped/Boot Start]
<\SystemRoot\System32\Drivers\BTHidMgr.sys><N/A>
[Bluetooth VComm Manager Service / VcommMgr][Stopped/Manual Start]
<System32\Drivers\VcommMgr.sys><N/A>
===========================================================================
IV. Other (BHOs, startup folder, etc.)
4.01 The following are HP printer drivers
They can be seen injected into a running process:
[PID: 472][C:\WINNT\system32\spoolsv.exe] [Microsoft Corporation, 5.00.2195.7059]
[C:\WINNT\system32\HPBMMON.DLL] [Hewlett-Packard, 10.00.16]
[C:\WINNT\system32\hpdomon.dll] [Hewlett-Packard, 03.42.00]
[C:\WINNT\system32\HPBHealr.dll] [N/A, N/A]
[C:\WINNT\system32\spool\PRTPROCS\W32X86\hpzpp041.dll] [Hewlett-Packard Corporation, 60.041.41.00]
I hope everyone will gradually add to this list.