瑞星卡卡安全论坛

注册表

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
(ctfmon.exe)(C:\WINDOWS\system32\ctfmon.exe) [(Verified)Microsoft Windows Publisher]
(bgswitch)(C:\WINDOWS\system32\bgswitch.exe) []
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
(load)() [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
(SoundMan)(SOUNDMAN.EXE) [(Verified)Microsoft Windows Hardware Compatibility Publisher]
(PHIME2002ASync)(C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC) [(Verified)Microsoft Windows Publisher]
(PHIME2002A)(C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName) [(Verified)Microsoft Windows Publisher]
(IMJPMIG8.1)("C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32) [(Verified)Microsoft Windows Publisher]
(BigDogPath)(C:\WINDOWS\VM_STI.EXE 新泰超级摄像头) [N/A]
(RavTask)("C:\Program Files\Rising\Rav\RavTask.exe" -system) [Beijing Rising Technology Co., Ltd.]
(runeip)(C:\Program Files\Rising\AntiSpyware\runiep.exe) [Beijing Rising Technology Co., Ltd.]
(RfwMain)("C:\Program Files\Rising\Rfw\rfwmain.exe" -Startup) [Beijing Rising Technology Co., Ltd.]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
(RavStub)("C:\PROGRAM FILES\RISING\RAV\ravstub.exe" /RUNONCE) [Beijing Rising Technology Co., Ltd.]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
(shell)(Explorer.exe) [(Verified)Microsoft Windows Publisher]
(Userinit)(C:\WINDOWS\system32\userinit.exe,) [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
(AppInit_DLLs)() [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
(UIHost)(logonui.exe) [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
({32CD708B-60A7-4C00-9377-D73EAA495F0F})(C:\WINDOWS\system32\RavExt.dll) [Beijing Rising Technology Co., Ltd.]



启动文件夹

[河南网通宽带用户客户端]
(C:\Documents and Settings\All Users\「开始」菜单\程序\启动\河南网通宽带用户客户端.lnk --) C:\PROGRA~1\RACER-~1\racer.exe [Putian Runway])(N)



服务

[Help and Support / helpsvc][Stopped/Auto Start]
(C:\WINDOWS\System32\svchost.exe -k netsvcs--)%WINDIR%\PCHealth\HelpCtr\Binaries\pchsvc.dll)(N/A)
[Human Interface Device Access / HidServ][Stopped/Disabled]
(C:\WINDOWS\System32\svchost.exe -k netsvcs--)%SystemRoot%\System32\hidserv.dll)(N/A)
[Rising Proxy Service / RfwProxySrv][Stopped/Manual Start]
(c:\program files\rising\rfw\rfwproxy.exe)(Beijing Rising Technology Co., Ltd.)
[Rising Personal Firewall Service / RfwService][Running/Auto Start]
(c:\program files\rising\rfw\rfwsrv.exe)(Beijing Rising Technology Co., Ltd.)
[Remote Procedure Call System(RPCSEXE) / RpcSEXE][Running/Auto Start]
(C:\WINDOWS\system32\Rpcsexe.exe)(Microsoft Corporation)
[Remote Procedure Call System(RPCSm) / RpcSm][Running/Auto Start]
(C:\WINDOWS\system32\Rpcsm.exe)(Microsoft Corporation)
[Remote Procedure Call System(RPCSRsd) / RpcSR][Running/Auto Start]
(C:\WINDOWS\system32\RpcSr.exe)(Microsoft Corporation)
[Rising Process Communication Center / RsCCenter][Running/Auto Start]
("C:\Program Files\Rising\Rav\CCenter.exe")(Beijing Rising Technology Co., Ltd.)
[Rising RealTime Monitor / RsRavMon][Running/Auto Start]
("C:\PROGRAM FILES\RISING\RAV\Ravmond.exe")(Beijing Rising Technology Co., Ltd.)
[Windows Management Instrumentation Driver System / wmids][Running/Auto Start]
(C:\Program Files\Common Files\System\wmids.exe)(Microsoft Corporation)

隐藏进程

[384] C:\Program Files\Common Files\System\wmids.exe

[Windows Management Instrumentation Driver System / wmids][Running/Auto Start]
(C:\Program Files\Common Files\System\wmids.exe)(Microsoft Corporation)
把这个服务停了或删了，把文件删了

没见过  既然是隐藏的  估计不是啥好东西

这个进程我终止不了
啊

在任务管理器里能看到么

任务管理器里面没有这个进程

那个服务停止了么？

而且我的瑞星一开机就检测到一个病毒backdoor.Jusi.aa

你可以试试 在运行里输入CMD
然后输 ntsd -c q -p 384
然后删文件

不行！参数错误啊

那你现在再扫一下，看看那个隐藏进程里前面的数字是不是384了，如果不是了就换成新的数字。
我这也是现学现卖。
那个服务一定要停