[求助]这里哪些不是系统的!?
未知家族病毒分析扫描结果:
C:\Program Files\Internet Explorer\IEXPLORE.EXE --> 与 Backdoor.Gpigeon 100%相似.
系统活动进程
C:\WINDOWS\SYSTEM32\SMSS.EXE C:\WINDOWS\SYSTEM32\CSRSS.EXE C:\WINDOWS\SYSTEM32\WINLOGON.EXE C:\WINDOWS\SYSTEM32\MSACM32.DRV
C:\WINDOWS\SYSTEM32\SERVICES.EXE C:\WINDOWS\SYSTEM32\LSASS.EXE C:\WINDOWS\SYSTEM32\SVCHOST.EXE C:\WINDOWS\SYSTEM32\SVCHOST.EXE C:\WINDOWS\SYSTEM32\WUAUCLT.EXE C:\WINDOWS\EXPLORER.EXE C:\WINDOWS\SYSTEM32\IGFXPPH.DLL
C:\WINDOWS\SYSTEM32\HCCUTILS.DLL
C:\WINDOWS\SYSTEM32\IGFXRES.DLL
C:\WINDOWS\SYSTEM32\IGFXSRVC.DLL
C:\WINDOWS\SYSTEM32\IGFXDEV.DLL
C:\WINDOWS\SYSTEM32\MSACM32.DRV
C:\WINDOWS\SYSTEM32\RAVEXT.DLL
C:\PROGRAM FILES\RISING\RFW\RFWSRV.EXE C:\PROGRAM FILES\RISING\RFW\RFWRULE.DLL
C:\PROGRAM FILES\RISING\RFW\RFWLOG.DLL
C:\PROGRAM FILES\RISING\RFW\RFWDRV.DLL
C:\PROGRAM FILES\RISING\RFW\PSAPI.DLL
C:\PROGRAM FILES\RISING\RFW\MONDRV.DLL
C:\PROGRAM FILES\RISING\RFW\PROCLIB.DLL
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\桌面\RSDETECT.EXE C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE C:\PROGRAM FILES\RISING\RFW\RFWMAIN.EXE C:\PROGRAM FILES\RISING\RFW\RSGUILIB.DLL
C:\PROGRAM FILES\RISING\RFW\RSCOMMON.DLL
C:\PROGRAM FILES\RISING\RFW\PNGDLL.DLL
C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\JUSCHED.EXE C:\WINDOWS\SYSTEM32\CTFMON.EXE C:\WINDOWS\SYSTEM32\MSIEXEC.EXE C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
普通自启动项
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
TkBellExe = "C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE" -OSBOOTHKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
IMSCMig = C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMSC40A\IMSCMIG.EXE /PRELOAD
RavTask = "C:\PROGRAM FILES\RISING\RAV\RAVTASK.EXE" -SYSTEM
RfwMain = "C:\PROGRAM FILES\RISING\RFW\RFWMAIN.EXE" -STARTUP
SunJavaUpdateSched = C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\JUSCHED.EXE
ctfmon.exe = C:\WINDOWS\SYSTEM32\CTFMON.EXE
AppInit_DLLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs =
系统文件关联
.exe ==> exefile = "%1" %*
.com ==> comfile = "%1" %*
.cmd ==> cmdfile = "%1" %*
.bat ==> batfile = "%1" %*
.txt ==> txtfile = %SystemRoot%\system32\NOTEPAD.EXE %1
.scr ==> scrfile = "%1" /S
.reg ==> regfile = regedit.exe "%1"
.doc ==> Word.Document.8 = "C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE" /n /dde
其它启动项
WIN.INI
无信息SYSTEM.INI
SHELL = Explorer.exe
SCRNSAVE.EXE = C:\WINDOWS\doaxbv.scr
Winlogon 启动项
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
crypt32chain = CRYPT32.DLLHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
cryptnet = CRYPTNET.DLL
cscdll = CSCDLL.DLL
igfxcui = IGFXSRVC.DLL
ScCertProp = WLNOTIFY.DLL
Schedule = WLNOTIFY.DLL
sclgntfy = SCLGNTFY.DLL
SensLogn = WLNOTIFY.DLL
termsrv = WLNOTIFY.DLL
wlballoon = WLNOTIFY.DLL
Userinit = USERINIT.EXE,
shell = EXPLORER.EXE
IE - BHO
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} = C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
{A9930D97-9CF0-42A0-A10D-4F28836579D5} = G:\PROGRA~1\KuGoo3\KUGOO3~1.OCX
{AA58ED58-01DD-4d91-8333-CF10577473F7} = c:\program files\google\googletoolbar2.dll
{F1FABE79-25FC-46de-8C5A-2C6DB9D64333} = NULL
Winsock SPI
MSAFD Tcpip [TCP/IP] = C:\WINDOWS\SYSTEM32\MSWSOCK.DLL
MSAFD Tcpip [UDP/IP] = C:\WINDOWS\SYSTEM32\MSWSOCK.DLL
MSAFD Tcpip [RAW/IP] = C:\WINDOWS\SYSTEM32\MSWSOCK.DLL
RSVP UDP Service Provider = C:\WINDOWS\SYSTEM32\RSVPSP.DLL
RSVP TCP Service Provider = C:\WINDOWS\SYSTEM32\RSVPSP.DLL
MSAFD nwlnkipx [IPX] = C:\WINDOWS\SYSTEM32\MSWSOCK.DLL
MSAFD nwlnkspx [SPX] = C:\WINDOWS\SYSTEM32\MSWSOCK.DLL
MSAFD nwlnkspx [SPX] [Pseudo Stream] = C:\WINDOWS\SYSTEM32\MSWSOCK.DLL
MSAFD nwlnkspx [SPX II] = C:\WINDOWS\SYSTEM32\MSWSOCK.DLL
MSAFD nwlnkspx [SPX II] [Pseudo Stream] = C:\WINDOWS\SYSTEM32\MSWSOCK.DLL
MSAFD NetBIOS [\Device\NwlnkNb] SEQPACKET 4 = C:\WINDOWS\SYSTEM32\MSWSOCK.DLL
MSAFD NetBIOS [\Device\NwlnkNb] DATAGRAM 4 = C:\WINDOWS\SYSTEM32\MSWSOCK.DLL
MSAFD NetBIOS [\Device\NetBT_Tcpip_{87CFEA01-C9E9-4D9F-BC4E-C0231C82451C}] SEQPACKET 3 = C:\WINDOWS\SYSTEM32\MSWSOCK.DLL
MSAFD NetBIOS [\Device\NetBT_Tcpip_{87CFEA01-C9E9-4D9F-BC4E-C0231C82451C}] DATAGRAM 3 = C:\WINDOWS\SYSTEM32\MSWSOCK.DLL
MSAFD NetBIOS [\Device\NetBT_Tcpip_{4EB1C3F4-B95B-4409-8BDB-E5CE1210BF01}] SEQPACKET 0 = C:\WINDOWS\SYSTEM32\MSWSOCK.DLL
MSAFD NetBIOS [\Device\NetBT_Tcpip_{4EB1C3F4-B95B-4409-8BDB-E5CE1210BF01}] DATAGRAM 0 = C:\WINDOWS\SYSTEM32\MSWSOCK.DLL
MSAFD NetBIOS [\Device\NetBT_Tcpip_{CC5B9E39-29EC-4DA7-88AE-2BE96F3447B9}] SEQPACKET 7 = C:\WINDOWS\SYSTEM32\MSWSOCK.DLL
MSAFD NetBIOS [\Device\NetBT_Tcpip_{CC5B9E39-29EC-4DA7-88AE-2BE96F3447B9}] DATAGRAM 7 = C:\WINDOWS\SYSTEM32\MSWSOCK.DLL
MSAFD NetBIOS [\Device\NetBT_Tcpip_{A6C1E5C7-7698-4E92-B30F-6A597F79F850}] SEQPACKET 8 = C:\WINDOWS\SYSTEM32\MSWSOCK.DLL
MSAFD NetBIOS [\Device\NetBT_Tcpip_{A6C1E5C7-7698-4E92-B30F-6A597F79F850}] DATAGRAM 8 = C:\WINDOWS\SYSTEM32\MSWSOCK.DLL
MSAFD NetBIOS [\Device\NetBT_Tcpip_{7F1ACD02-9062-421D-B216-77557A628BB0}] SEQPACKET 9 = C:\WINDOWS\SYSTEM32\MSWSOCK.DLL
MSAFD NetBIOS [\Device\NetBT_Tcpip_{7F1ACD02-9062-421D-B216-77557A628BB0}] DATAGRAM 9 = C:\WINDOWS\SYSTEM32\MSWSOCK.DLL
系统服务项
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
Adobe LM Service = "C:\PROGRAM FILES\COMMON FILES\ADOBE SYSTEMS SHARED\SERVICE\ADOBELMSVC.EXE"
Alerter = C:\WINDOWS\SYSTEM32\SVCHOST.EXE -K LOCALSERVICE
ALG = C:\WINDOWS\SYSTEM32\ALG.EXE
AppMgmt = C:\WINDOWS\SYSTEM32\SVCHOST.EXE -K NETSVCS
aspnet_state = C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\ASPNET_STATE.EXE
AudioSrv = C:\WINDOWS\SYSTEM32\SVCHOST.EXE -K NETSVCS
BITS = C:\WINDOWS\SYSTEM32\SVCHOST.EXE -K NETSVCS
Browser = C:\WINDOWS\SYSTEM32\SVCHOST.EXE -K NETSVCS
CiSvc = C:\WINDOWS\SYSTEM32\CISVC.EXE
ClipSrv = C:\WINDOWS\SYSTEM32\CLIPSRV.EXE
clr_optimization_v2.0.50727_32 = C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V2.0.50727\MSCORSVW.EXE
COMSysApp = C:\WINDOWS\SYSTEM32\DLLHOST.EXE /PROCESSID:{02D4B3F1-FD88-11D1-960D-00805FC79235}
CryptSvc = C:\WINDOWS\SYSTEM32\SVCHOST.EXE -K NETSVCS
DcomLaunch = C:\WINDOWS\SYSTEM32\SVCHOST -K DCOMLAUNCH
Dhcp = C:\WINDOWS\SYSTEM32\SVCHOST.EXE -K NETSVCS
dmadmin = C:\WINDOWS\SYSTEM32\DMADMIN.EXE /COM
dmserver = C:\WINDOWS\SYSTEM32\SVCHOST.EXE -K NETSVCS
Dnscache = C:\WINDOWS\SYSTEM32\SVCHOST.EXE -K NETWORKSERVICE
ERSvc = C:\WINDOWS\SYSTEM32\SVCHOST.EXE -K NETSVCS
Eventlog = C:\WINDOWS\SYSTEM32\SERVICES.EXE
EventSystem = C:\WINDOWS\SYSTEM32\SVCHOST.EXE -K NETSVCS
FastUserSwitchingCompatibility = C:\WINDOWS\SYSTEM32\SVCHOST.EXE -K NETSVCS
helpsvc = C:\WINDOWS\SYSTEM32\SVCHOST.EXE -K NETSVCS
HidServ = C:\WINDOWS\SYSTEM32\SVCHOST.EXE -K NETSVCS
HTTPFilter = C:\WINDOWS\SYSTEM32\SVCHOST.EXE -K HTTPFILTER
ImapiService = C:\WINDOWS\SYSTEM32\IMAPI.EXE
lanmanserver = C:\WINDOWS\SYSTEM32\SVCHOST.EXE -K NETSVCS
lanmanworkstation = C:\WINDOWS\SYSTEM32\SVCHOST.EXE -K NETSVCS
LmHosts = C:\WINDOWS\SYSTEM32\SVCHOST.EXE -K LOCALSERVICE
Macromedia Licensing Service = "C:\PROGRAM FILES\COMMON FILES\MACROMEDIA SHARED\SERVICE\MACROMEDIA LICENSING.EXE"
Messenger = C:\WINDOWS\SYSTEM32\SVCHOST.EXE -K NETSVCS
mnmsrvc = C:\WINDOWS\SYSTEM32\MNMSRVC.EXE
MSDTC = C:\WINDOWS\SYSTEM32\MSDTC.EXE
MSIServer = C:\WINDOWS\SYSTEM32\MSIEXEC.EXE /V
NetDDE = C:\WINDOWS\SYSTEM32\NETDDE.EXE
NetDDEdsdm = C:\WINDOWS\SYSTEM32\NETDDE.EXE
Netlogon = C:\WINDOWS\SYSTEM32\LSASS.EXE
Netman = C:\WINDOWS\SYSTEM32\SVCHOST.EXE -K NETSVCS
Nla = C:\WINDOWS\SYSTEM32\SVCHOST.EXE -K NETSVCS
NtLmSsp = C:\WINDOWS\SYSTEM32\LSASS.EXE
NtmsSvc = C:\WINDOWS\SYSTEM32\SVCHOST.EXE -K NETSVCS
NWCWorkstation = C:\WINDOWS\SYSTEM32\SVCHOST.EXE -K NETSVCS
ose = "C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\SOURCE ENGINE\OSE.EXE"
PlugPlay = C:\WINDOWS\SYSTEM32\SERVICES.EXE
PolicyAgent = C:\WINDOWS\SYSTEM32\LSASS.EXE
ProtectedStorage = C:\WINDOWS\SYSTEM32\LSASS.EXE
RasAuto = C:\WINDOWS\SYSTEM32\SVCHOST.EXE -K NETSVCS
RasMan = C:\WINDOWS\SYSTEM32\SVCHOST.EXE -K NETSVCS
RDSessMgr = C:\WINDOWS\SYSTEM32\SESSMGR.EXE
RemoteAccess = C:\WINDOWS\SYSTEM32\SVCHOST.EXE -K NETSVCS
RemoteRegistry = C:\WINDOWS\SYSTEM32\SVCHOST.EXE -K LOCALSERVICE
RfwProxySrv = C:\PROGRAM FILES\RISING\RFW\RFWPROXY.EXE
RfwService = C:\PROGRAM FILES\RISING\RFW\RFWSRV.EXE
RpcLocator = C:\WINDOWS\SYSTEM32\LOCATOR.EXE
RpcSs = C:\WINDOWS\SYSTEM32\SVCHOST -K RPCSS
RsCCenter = "C:\PROGRAM FILES\RISING\RAV\CCENTER.EXE"
RsRavMon = "C:\PROGRAM FILES\RISING\RAV\RAVMOND.EXE"
RSVP = C:\WINDOWS\SYSTEM32\RSVP.EXE
SamSs = C:\WINDOWS\SYSTEM32\LSASS.EXE
SCardSvr = C:\WINDOWS\SYSTEM32\SCARDSVR.EXE
Schedule = C:\WINDOWS\SYSTEM32\SVCHOST.EXE -K NETSVCS
seclogon = C:\WINDOWS\SYSTEM32\SVCHOST.EXE -K NETSVCS
SENS = C:\WINDOWS\SYSTEM32\SVCHOST.EXE -K NETSVCS
SharedAccess = C:\WINDOWS\SYSTEM32\SVCHOST.EXE -K NETSVCS
ShellHWDetection = C:\WINDOWS\SYSTEM32\SVCHOST.EXE -K NETSVCS
Spooler = C:\WINDOWS\SYSTEM32\SPOOLSV.EXE
srservice = C:\WINDOWS\SYSTEM32\SVCHOST.EXE -K NETSVCS
SSDPSRV = C:\WINDOWS\SYSTEM32\SVCHOST.EXE -K LOCALSERVICE
stisvc = C:\WINDOWS\SYSTEM32\SVCHOST.EXE -K IMGSVC
SwPrv = C:\WINDOWS\SYSTEM32\DLLHOST.EXE /PROCESSID:{A89D6F98-9890-4C17-81BD-0912FBE5F097}
SysmonLog = C:\WINDOWS\SYSTEM32\SMLOGSVC.EXE
TapiSrv = C:\WINDOWS\SYSTEM32\SVCHOST.EXE -K NETSVCS
TermService = C:\WINDOWS\SYSTEM32\SVCHOST -K DCOMLAUNCH
Themes = C:\WINDOWS\SYSTEM32\SVCHOST.EXE -K NETSVCS
TlntSvr = C:\WINDOWS\SYSTEM32\TLNTSVR.EXE
TrkWks = C:\WINDOWS\SYSTEM32\SVCHOST.EXE -K NETSVCS
UMWdf = C:\WINDOWS\SYSTEM32\WDFMGR.EXE
upnphost = C:\WINDOWS\SYSTEM32\SVCHOST.EXE -K LOCALSERVICE
UPS = C:\WINDOWS\SYSTEM32\UPS.EXE
VSS = C:\WINDOWS\SYSTEM32\VSSVC.EXE
W32Time = C:\WINDOWS\SYSTEM32\SVCHOST.EXE -K NETSVCS
WebClient = C:\WINDOWS\SYSTEM32\SVCHOST.EXE -K LOCALSERVICE
windows_xp2 sjurygirpwhg = C:\WINDOWS.EXE
winmgmt = C:\WINDOWS\SYSTEM32\SVCHOST.EXE -K NETSVCS
WmdmPmSN = C:\WINDOWS\SYSTEM32\SVCHOST.EXE -K NETSVCS
Wmi = C:\WINDOWS\SYSTEM32\SVCHOST.EXE -K NETSVCS
WmiApSrv = C:\WINDOWS\SYSTEM32\WBEM\WMIAPSRV.EXE
wscsvc = C:\WINDOWS\SYSTEM32\SVCHOST.EXE -K NETSVCS
wuauserv = C:\WINDOWS\SYSTEM32\SVCHOST.EXE -K NETSVCS
WZCSVC = C:\WINDOWS\SYSTEM32\SVCHOST.EXE -K NETSVCS
xmlprov = C:\WINDOWS\SYSTEM32\SVCHOST.EXE -K NETSVCS
