1. Registry items

1.01 Transparent gateway authentication client
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] <renzheng><C:\renzheng\webaClient.exe> []

1.02 The following three items are related to NVIDIA graphics cards
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] <NvCplDaemon><RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup> [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] <NvMediaCenter><RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit> [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] <nwiz><nwiz.exe /install> [N/A]

1.03 The following items are all startup entries of normal components of the IBM notebook series. You may consider disabling them, but deleting them is not recommended.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\tpfnf2] <WinlogonNotify: tpfnf2><notifyf2.dll> []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\tphotkey] <WinlogonNotify: tphotkey><tphklock.dll> []

1.04 Automatic wallpaper switcher
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] <switch><c:\windows\system32\壁纸自动换.exe> []
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] <switch><c:\windows\system32\bgswitch.exe> []

1.05 Webcam
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] <BigDogPath><C:\WINDOWS\VM_STI.EXE VIMICRO USB PC Camera> [N/A]

1.06 Windows fatal error repair
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] <KernelFaultCheck><%systemroot%\system32\dumprep 0 -k> [N/A]

1.07 木马克星 (Trojan Killer) anti-trojan software
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows] <AppInit_DLLs><APIHookDll.dll> [N/A]

1.08 A webcam
<domino><C:\WINDOWS\domino.exe>

1.09 "htpatch.exe" is a component of the SiS AGP patch
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] <HTpatch><C:\WINDOWS\htpatch.exe> [N/A]

1.10 The following items, which show up in logs produced by SREng 2.5 and later, are none of them problem items.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\<{12d0ed0d-0ee0-4f90-8827-78cefb8f4988}] <IE7 Uninstall Stub><C:\WINDOWS\system32\ieudinit.exe> [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] <Outlook Express><%systemroot%\system32\shmgrate.exe OCInstallUserConfigOE> [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] <Themes Setup><%SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll> [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] <Microsoft Outlook Express 6><"%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install> [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] <NetMeeting 3.01><rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Remove.PerUser.NT> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}] <Microsoft Windows Media Player><rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub> [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}] <通讯簿 6><"%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install> [N/A]

2. Services
2.01 XP Human Interface Device Access
[Human Interface Device Access / HidServ][Stopped/Manual Start] <C:\windows\System32\svchost.exe -k netsvcs-->%SystemRoot%\System32\hidserv.dll><N/A>

2.02 Windows Help and Support Center
[Help and Support / helpsvc][Stopped/Disabled] <C:\windows\System32\svchost.exe -k netsvcs-->%WINDIR%\PCHealth\HelpCtr\Binaries\pchsvc.dll><N/A>

2.03 The following are service startup entries of normal IBM notebook components. Some of them may be disabled as needed, but deleting them is not recommended.
[Ac Profile Manager Service / AcPrfMgrSvc][Running/Auto Start] <C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe><N/A>
[Access Connections Main Service / AcSvc][Running/Auto Start] <C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe><Lenovo>
[ThinkPad PM Service / IBMPMSVC][Running/Auto Start] <C:\WINDOWS\system32\ibmpmsvc.exe><>
[IBM KCU Service / TpKmpSVC][Running/Auto Start] <C:\WINDOWS\system32\TpKmpSVC.exe><N/A>

2.04 ATI graphics card
[ATI Smart / ATI Smart][Stopped/Auto Start] <C:\WINDOWS\system32\ati2sgag.exe><>

2.05 UFIDA (用友) financial software
[UfAutoLoadService / UfAutoLoadService][Stopped/Auto Start] <C:\WINDOWS\system32\UfAutoLoadService.exe><>
[UfMsgGhost / UfMsgGhost][Running/Auto Start] <C:\WINDOWS\system32\MsgGhost.exe><>
[U8AuthServer / UFNet][Running/Auto Start] <C:\WINDOWS\system32\ServerNT.exe><N/A>

2.06 Service of a webcam
[STI Simulator / STI Simulator][Running/Auto Start] <C:\WINDOWS\System32\PAStiSvc.exe><N/A>

2.07 时创网络 (Cyberip) dynamic domain name system
[Cyberip / Cyberip][Stopped/Manual Start] <G:\itsys\CyberIP.exe><>
[Cyberlink RichVideo Service(CRVS) / RichVideo][Stopped/Manual Start] <"D:\Program Files\Cyberlink\Shared Files\RichVideo.exe"><>

2.08 PowerShadow (影子系统) shadow system
[Shadow System Service / ShadowSystemService][Stopped/Manual Start] <D:\WINDOWS\system32\shadow\ShadowService.exe><N/A>

2.09 A card reader
[O2Micro Flash Memory / O2Flash][Running/Auto Start] <C:\WINDOWS\system32\o2flash.exe><N/A>
3. Drivers

3.01 ALi mini IDE Driver provided by Acer Laboratories Inc
[AliIde / AliIde][Stopped/Boot Start] <\SystemRoot\System32\DRIVERS\aliide.sys><N/A>
[atitray / atitray][Stopped/System Start] <\??\e:\NGOATI~1.3\ATT\atitray.sys><N/A>

3.02 Macrovision SECURITY Driver
[Secdrv / Secdrv][Stopped/Manual Start] <system32\DRIVERS\secdrv.sys><N/A>

3.03 VIA AC'97 Audio Controller
[VIA AC'97 Audio Controller (WDM) / VIAudio][Stopped/Manual Start] <system32\drivers\viaudio.sys><N/A>

3.04 Skynet (天网) Firewall
[SKNFW / SKNFW][Running/System Start] <\??\C:\WINDOWS\system32\Drivers\SKNFW.sys><N/A>
[SkyProcs / SkyProcs][Stopped/Manual Start] <\??\C:\PROGRA~1\SkyNet\Firewall\SkyProcs.sys><N/A>

3.05 USB webcams
[USB PC Camera (SNPSTD3) / SNPSTD3][Stopped/Manual Start] <system32\DRIVERS\snpstd3.sys><>
[USB PC Camera 301P / ZSMC301b][Stopped/Manual Start] <System32\Drivers\usbVM31b.sys><VM>
[Teclast WE PC Camera / ZSMC301b][Running/Manual Start] <System32\Drivers\usbVM31b.sys><VM>
[Jollytime PC Camera / ZSMC301b][Stopped/Manual Start] <System32\Drivers\usbVM31b.sys><VM>
[USB Data Cable / usb2vcom][Stopped/Manual Start] <system32\DRIVERS\usb2vcom.sys><>

3.06 sptd.sys is a file belonging to the Daemon Tools virtual CD-ROM drive
[sptd / sptd][Running/Boot Start] <\SystemRoot\System32\Drivers\sptd.sys><N/A>
[dtscsi / dtscsi][Running/Manual Start] <\SystemRoot\System32\Drivers\dtscsi.sys><N/A>
[d347bus / d347bus][Running/Boot Start] <\SystemRoot\system32\DRIVERS\d347bus.sys><>
[d347prt / d347prt][Running/Boot Start] <\SystemRoot\System32\Drivers\d347prt.sys><>

3.07 Several drivers of the QQ encrypted keyboard
[npkcrypt / npkcrypt][Stopped/Auto Start] <\??\C:\Program files\Tencent\QQ\npkcrypt.sys><N/A>
[npkcusb / npkcusb][Stopped/Auto Start] <\??\C:\Program files\Tencent\QQ\npkcusb.sys><N/A>
[npkcrypt / npkcrypt][Running/Auto Start] <\??\C:\Program Files\Tencent\QQ\npkcrypt.sys><INCA Internet Co., Ltd.>

3.08 The SCSI/RAID Host Controller driver by Microtek Lab
[SMPLSCSI / SMPLSCSI][Stopped/Boot Start] <\SystemRoot\System32\drivers\SMPLSCSI.SYS><N/A>

3.09 China Merchants Bank online banking (public edition) login plug-in
[CMBProtector / CMBProtector][Running/Auto Start] <\??\D:\WINDOWS\system32\Drivers\CMBProtector.dat><N/A>

3.10 A motherboard driver
[3WAREDRV / 3WAREDRV][Stopped/Boot Start] <\SystemRoot\System32\DRIVERS\3WAREDRV.SYS><N/A>
[3WAREGSM / 3WAREGSM][Stopped/Boot Start] <\SystemRoot\System32\DRIVERS\3waregsm.sys><N/A>
[3WDRV100 / 3WDRV100][Stopped/Boot Start] <\SystemRoot\System32\DRIVERS\3WDRV100.SYS><N/A>

3.11 AntiARP Sniffer driver
[oreans32 / oreans32] <\??\C:\WINDOWS\system32\drivers\oreans32.sys><N/A>

3.12 NTPort Library
NTPort Library lets your Win32 programs access the PC's I/O ports directly and in real time, without using the Windows Driver Development Kit (DDK) or other tools. NTPort Library is very easy to use: under Windows NT/2000/XP the NTPort Library driver is loaded and unloaded dynamically, and no configuration on your part is needed. NTPort Library is also a replacement for BASIC's INP and OUT commands, and it can obtain the base address of an LPT port.
[NTPort Library Driver / zntport][Stopped/Auto Start] <\??\C:\WINDOWS\system32\zntport.sys><N/A>

3.13 A card reader
[O2MDRDR / O2MDRDR][Running/Boot Start] <\SystemRoot\system32\DRIVERS\o2media.sys><O2Micro>
[O2SDRDR / O2SDRDR][Running/Boot Start] <\SystemRoot\system32\DRIVERS\o2sd.sys><O2Micro>

3.14 Lenovo drivers
[Lenovo file protect service / fsp] <C:\WINDOWS\fsp.exe><N/A>
[Lenovo auto login helper / usblogon] <C:\WINDOWS\usblogon.exe><N/A>

3.15 Bluetooth device drivers
[Bluetooth Audio Service / BlueletAudio][Stopped/Manual Start] <system32\DRIVERS\blueletaudio.sys><N/A>
[Bluetooth PAN Network Adapter / BT][Stopped/Manual Start] <system32\DRIVERS\btnetdrv.sys><N/A>
[Bluetooth HID Enumerator / BTHidEnum][Stopped/Manual Start] <system32\DRIVERS\vbtenum.sys><N/A>
[Bluetooth HID Manager Service / BTHidMgr][Stopped/Boot Start] <\SystemRoot\System32\Drivers\BTHidMgr.sys><N/A>
[Bluetooth VComm Manager Service / VcommMgr][Stopped/Manual Start] <System32\Drivers\VcommMgr.sys><N/A>

3.16 An ADSL modem driver
[PPPoEWin Miniport / PPPoEWin][Stopped/Manual Start] <system32\DRIVERS\PPPoEWin.SYS><N/A>

3.17 A driver of Lenovo's IBM notebooks
[TDSMAPI / TDSMAPI][Stopped/System Start] <System32\drivers\TDSMAPI.SYS><N/A>
[TPInput / TPInput][Running/Manual Start] <System32\DRIVERS\TPInput.sys><IBM Corporation>
[TPPWRIF / TPPWRIF][Stopped/System Start] <System32\drivers\Tppwrif.sys><N/A>
[TSMAPIP / TSMAPIP][Stopped/System Start] <System32\drivers\TSMAPIP.SYS><N/A>

3.18 ASIO.SYS is a system service. Manufacturer: ASUS http://support.asus.com.tw/.
[AsIO / AsIO][Running/System Start] <system32\drivers\AsIO.sys><N/A>

sptd.sys is a file belonging to the Daemon Tools virtual CD-ROM drive
c:\windows\system32\sptd.sys <N/A>
4. Others (BHOs, startup folder, etc.)

4.01 The following are HP printer drivers; they can be seen injected into a running process:
[PID: 472][C:\WINNT\system32\spoolsv.exe] [Microsoft Corporation, 5.00.2195.7059]
[C:\WINNT\system32\HPBMMON.DLL] [Hewlett-Packard, 10.00.16]
[C:\WINNT\system32\hpdomon.dll] [Hewlett-Packard, 03.42.00]
[C:\WINNT\system32\HPBHealr.dll] [N/A, N/A]
[C:\WINNT\system32\spool\PRTPROCS\W32X86\hpzpp041.dll] [Hewlett-Packard Corporation, 60.041.41.