Rising Kaka Security Forum, Technical Discussion, Anti-virus / Anti-rogue-software board

[Help] IceSword reports a hidden process, mstsc.exe

I suspect a Gray Pigeon (灰鸽子) infection; could one of the experts advise?
Scanning processes with IceSword shows mstsc.exe as a hidden process. It seems to be some remote desktop program, but if it is XP's own Remote Desktop, why would it be hidden?
2007-06-12, 08:53:41

System Repair Engineer 2.4.12.806
Smallfrogs (http://www.KZTechs.com)

Windows XP Professional Service Pack 2 (Build 2600) - 管理权限用户 - 完整功能

以下内容被选中:
所有的启动项目(包括注册表、启动文件夹、服务等)
浏览器加载项
正在运行的进程(包括进程模块信息)
文件关联
Winsock 提供者
Autorun.inf
HOSTS 文件


启动项目


注册表

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
(ctfmon.exe)(C:\WINDOWS\system32\ctfmon.exe) [(Verified)Microsoft Windows Publisher]
(MsnMsgr)("C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background) [(Verified)Microsoft Corporation]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
(RavTask)("C:\Program Files\Rising\Rav\RavTask.exe" -system) [Beijing Rising Technology Co., Ltd.]
(WangWang)(D:\Program Files\Alisoft\WangWang\WangWang.EXE) [阿里巴巴软件(上海)有限公司]
(RfwMain)("C:\Program Files\Rising\Rfw\rfwmain.exe" -Startup) [Beijing Rising Technology Co., Ltd.]
(WebThunder)(d:\Program Files\Thunder Network\WebThunder\WebThunder.exe) [(Verified)ShenZhen Thunder Networking Technologies Ltd.]
(runeip)(D:\Program Files\Rising\AntiSpyware\runiep.exe) [Beijing Rising Technology Co., Ltd.]
(360Safetray)(D:\Program Files\360safe\safemon\360Tray.exe /start) [奇虎网]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
(RavStub)("C:\PROGRAM FILES\RISING\RAV\ravstub.exe" /RUNONCE) [Beijing Rising Technology Co., Ltd.]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
(shell)(Explorer.exe) [(Verified)Microsoft Windows Publisher]
(Userinit)(C:\WINDOWS\system32\userinit.exe,) [(Verified)Microsoft Windows Component Publisher]
(UIHost)(logonui.exe) [(Verified)Microsoft Windows Publisher]
-------------------------------------------------------------------------------
启动文件夹

N/A
--------------------------------------------------------------------------------
服务

[Human Interface Device Access / HidServ][Stopped/Disabled]
(C:\WINDOWS\System32\svchost.exe -k netsvcs--)%SystemRoot%\System32\hidserv.dll)(N/A)
[NVIDIA Display Driver Service / NVSvc][Running/Auto Start]
(C:\WINDOWS\system32\nvsvc32.exe)(NVIDIA Corporation)
[Rising Proxy Service / RfwProxySrv][Stopped/Manual Start]
(c:\program files\rising\rfw\rfwproxy.exe)(Beijing Rising Technology Co., Ltd.)
[Rising Personal Firewall Service / RfwService][Running/Auto Start]
(C:\Program Files\Rising\Rfw\rfwsrv.exe)(Beijing Rising Technology Co., Ltd.)
[Rising Process Communication Center / RsCCenter][Running/Auto Start]
("C:\Program Files\Rising\Rav\CCenter.exe")(Beijing Rising Technology Co., Ltd.)
[Rising RealTime Monitor / RsRavMon][Running/Auto Start]
("C:\PROGRAM FILES\RISING\RAV\Ravmond.exe")(Beijing Rising Technology Co., Ltd.)
[SmartLinkService / SLService][Running/Auto Start]
(slserv.exe)(Smart Link)
[system / system][Stopped/Auto Start]
(C:\WINDOWS\system32\setup.exe)(N/A)
--------------------------------------------------------------------------------


Last edited 2007-06-12 12:04:15


MSTSC.EXE is the remote control software that ships with XP and 2003.
Start, Run, type mstsc and it opens.


This user's post has been blocked.


驱动程序

[Service for WDM 3D Audio Driver / ALCXSENS][Running/Manual Start]
(system32\drivers\ALCXSENS.SYS)(Sensaura Ltd)
[Service for Realtek AC97 Audio (WDM) / ALCXWDM][Running/Manual Start]
(system32\drivers\ALCXWDM.SYS)(Realtek Semiconductor Corp.)
[Rising TDI Base Driver / BaseTDI][Running/Auto Start]
(System32\DRIVERS\BaseTDI.SYS)(Beijing Rising Technology Co., Ltd.)
[ExpScaner / ExpScaner][Running/Auto Start]
(\??\C:\PROGRAM FILES\RISING\RAV\ExpScan.sys)()
[usb Card Device / ft2kEnum][Running/Manual Start]
(system32\DRIVERS\ic2kenum.sys)(OEM Corporation)
[USB Chip Holder Service / GDBaseSmc][Running/Manual Start]
(system32\DRIVERS\Chip_smc.sys)(OEM)
[USB Chip Service / GD_USB][Stopped/Manual Start]
(system32\DRIVERS\Chip_usb.sys)()
[Hardlock / Hardlock][Running/Auto Start]
(\??\C:\WINDOWS\system32\drivers\hardlock.sys)(Aladdin Knowledge Systems)
[Haspnt / Haspnt][Running/Auto Start]
(\??\C:\WINDOWS\system32\drivers\Haspnt.sys)(Aladdin Knowledge Systems)
[HDSYS32 / HDSYS32][Stopped/Manual Start]
(\??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\hdsys.sys)(N/A)
[HookCont / HookCont][Running/Auto Start]
(\??\C:\PROGRAM FILES\RISING\RAV\HOOKCONT.sys)(Rising)
[HookReg / HookReg][Running/Auto Start]
(\??\C:\PROGRAM FILES\RISING\RAV\HookReg.sys)()
[HookSys / HookSys][Running/Auto Start]
(\??\C:\PROGRAM FILES\RISING\RAV\HookSys.sys)(Rising)
[HookUrl / HookUrl][Running/Auto Start]
(\??\C:\Program Files\Rising\Rfw\HookUrl.sys)(Beijing Rising Technology Co., Ltd.)
[HPMobileDisk / HPMobileDisk][Running/Auto Start]
(\??\C:\WINDOWS\system32\Drivers\hpmobiledisk.sys)(HP)
[MEMSCAN / MEMSCAN][Running/Auto Start]
(\??\C:\PROGRAM FILES\RISING\RAV\MEMSCAN.sys)(瑞星软件有限公司)
[mProcRs / mProcRs][Running/Auto Start]
(\??\c:\program files\rising\rfw\mProcRs.sys)(Beijing Rising Technology Co., Ltd.)
[Mtlmnt5 / Mtlmnt5][Running/Manual Start]
(system32\DRIVERS\Mtlmnt5.sys)(Smart Link)
[Mtlstrm / Mtlstrm][Stopped/Manual Start]
(system32\DRIVERS\Mtlstrm.sys)(Smart Link)
[NtMtlFax / NtMtlFax][Stopped/Manual Start]
(system32\DRIVERS\NtMtlFax.sys)(Smart Link)
[nv / nv][Running/Manual Start]
(system32\DRIVERS\nv4_mini.sys)(NVIDIA Corporation)
[Direct Parallel Link Driver / Ptilink][Running/Manual Start]
(system32\DRIVERS\ptilink.sys)(Parallel Technologies, Inc.)
[SmartCard Reader Device / Reader_Device][Running/Manual Start]
(system32\DRIVERS\usbic2k.sys)(OEM)
[RecAgent / RecAgent][Running/Boot Start]
(\SystemRoot\system32\DRIVERS\RecAgent.sys)(Smart Link)
[RsAntiSpyware / RsAntiSpyware][Running/Boot Start]
(\SystemRoot\system32\drivers\RsBoot.sys)(Beijing Rising)
[RsFwDrv / RsFwDrv][Running/Auto Start]
(\??\C:\Program Files\Rising\Rfw\RsFwDrv.sys)(Beijing Rising Technology Co., Ltd.)
[RsNTGDI / RsNTGDI][Running/Boot Start]
(\SystemRoot\system32\Drivers\RsNTGdi.sys)(Beijing Rising Technology Co., Ltd.)
[RSPPSYS / RSPPSYS][Running/Auto Start]
(\??\C:\PROGRAM FILES\RISING\RAV\RSPPSYS.sys)(Rising)
[Secdrv / Secdrv][Stopped/Manual Start]
(system32\DRIVERS\secdrv.sys)(N/A)
[SiS AGP Filter / SISAGP][Running/Boot Start]
(\SystemRoot\system32\DRIVERS\SISAGPX.sys)(Silicon Integrated Systems Corporation)
[SiS PCI Fast Ethernet Adapter Driver / SISNIC][Running/Manual Start]
(system32\DRIVERS\sisnic.sys)(SiS Corporation)
[Smart Link 56K Modem Driver / Slntamr][Running/Manual Start]
(system32\DRIVERS\slntamr.sys)(Smart Link)
[SlNtHal / SlNtHal][Stopped/Manual Start]
(system32\DRIVERS\Slnthal.sys)(Smart Link)
[SlWdmSup / SlWdmSup][Running/Manual Start]
(system32\DRIVERS\SlWdmSup.sys)(Smart Link)
[Sony USB Filter Driver (SONYPVU1) / SONYPVU1][Stopped/Manual Start]
(system32\DRIVERS\SONYPVU1.SYS)(Sony Corporation)
--------------------------------------------------------------------------------

浏览器加载项

[NavigatMon Class]
{B69F34DD-F0F9-42DC-9EDD-957187DA688D} (D:\Program Files\360safe\safemon\safemon.dll, )
[启动Web迅雷]
{962EFB8E-2683-42d4-AC74-AAA4C759B9C6} (http://my.xunlei.com, N/A)
[EditCtrl Class]
{488A4255-3236-44B3-8F27-FA1AECAA8844} (C:\WINDOWS\system32\aliedit\aliedit.dll, )
[Shockwave Flash Object]
{D27CDB6E-AE6D-11CF-96B8-444553540000} (C:\WINDOWS\system32\Macromed\Flash\Flash9c.ocx, Adobe Systems, Inc.)
[WebThunder Browser Helper]
{00000AAA-A363-466E-BEF5-9BB68697AA7F} (D:\Program Files\Thunder Network\WebThunder\WebThunderBHO_Now.dll, Thunder Networking Technologies,LTD)
[WebThunder Class]
{03507A1A-E0C5-4404-AA26-205385C0892D} (, N/A)
[Web Browser Applet Control]
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} (C:\WINDOWS\system32\msjava.dll, Microsoft Corporation)
[InfosecCertInstall Class]
{0EB487C8-E9AC-43A6-8C4C-083999B0622F} (C:\WINDOWS\system32\certInStall.dll, )
[CEnroll Class]
{127698E4-E730-4E5C-A2B1-21490A70C8A1} (C:\WINDOWS\system32\xenroll.dll, Microsoft Corporation)
[iTrusPTA Class]
{1E0DFFCF-27FF-4574-849B-55007349FEDA} (C:\WINDOWS\system32\aliedit\pta.dll, )
[Windows Media Player]
{22D6F312-B0F6-11D0-94AB-0080C74C7E95} (C:\WINDOWS\system32\wmpdxm.dll, Microsoft Corporation)
[HTML Document]
{25336920-03F9-11CF-8FD0-00AA00686F13} (%SystemRoot%\system32\mshtml.dll, N/A)
[DHTML Edit Control Safe for Scripting for IE5]
{2D360201-FFF5-11D1-8D03-00A0C959BC0A} (C:\Program Files\Common Files\Microsoft Shared\Triedit\dhtmled.ocx, Microsoft Corporation)
[Tabular Data Control]
{333C7BC4-460F-11D0-BC04-0080C7055A83} (C:\WINDOWS\system32\tdc.ocx, Microsoft Corporation)
[EditCtrl Class]
{488A4255-3236-44B3-8F27-FA1AECAA8844} (C:\WINDOWS\system32\aliedit\aliedit.dll, )
[HHCtrl Object]
{52A2AAAE-085D-4187-97EA-8C30DB990436} (C:\WINDOWS\system32\hhctrl.ocx, Microsoft Corporation)
[InfoSecNetSign Class]
{62B938C4-4190-4F37-8CF0-A92B0A91CC77} (C:\WINDOWS\system32\NetSign.dll, Infosec Technologies Co., Ltd.)
[WUWebControl Class]
{6414512B-B978-451D-A0D8-FCFDF33E833C} (C:\WINDOWS\system32\wuweb.dll, Microsoft Corporation)
[Windows Media Player]
{6BF52A52-394A-11D3-B153-00C04F79FAA6} (C:\WINDOWS\system32\wmp.dll, Microsoft Corporation)
[WangWangObj Class]
{6E213FC7-DD5A-4115-B7E6-D4C7838C361E} (D:\Program Files\Alisoft\WangWang\WangWangX4.dll, 阿里软件(中国)有限公司)
[AxInputControl Class]
{73E4740C-08EB-4133-896B-8D0A7C9EE3CD} (C:\WINDOWS\system32\INPUTC~1.DLL, )
[Microsoft Web 浏览器]
{8856F961-340A-11D0-A96B-00C04FD705A2} (C:\WINDOWS\system32\shdocvw.dll, Microsoft Corporation)
[AxSubmitControl Class]
{8D9E0B29-563C-4226-86C1-5FF2AE77E1D2} (C:\WINDOWS\system32\SUBMIT~1.DLL, )
[Microsoft Scriptlet Component]
{AE24FDAE-03C6-11D1-8B76-0080C744F389} (C:\WINDOWS\system32\mshtml.dll, Microsoft Corporation)
[SearchAssistantOC]
{B45FF030-4447-11D2-85DE-00C04FA35C89} (%SystemRoot%\system32\shdocvw.dll, N/A)
[NavigatMon Class]
{B69F34DD-F0F9-42DC-9EDD-957187DA688D} (D:\Program Files\360safe\safemon\safemon.dll, )
[RDS.DataSpace]
{BD96C556-65A3-11D0-983A-00C04FC29E36} (C:\Program Files\Common Files\System\msadc\msadco.dll, Microsoft Corporation)
[CSetLET Class]
{C35D7AE1-0865-4A30-BF07-29FA29324155} (C:\WINDOWS\system32\GDSetLET.dll, )
[VIDEO__X_MS_WMV Moniker Class]
{CD3AFA94-B84F-48F0-9393-7EDC34128127} (C:\WINDOWS\system32\wmp.dll, Microsoft Corporation)
[Shockwave Flash Object]
{D27CDB6E-AE6D-11CF-96B8-444553540000} (C:\WINDOWS\system32\Macromed\Flash\Flash9c.ocx, Adobe Systems, Inc.)
[AxUSBKey Class]
{DA215190-98B2-47DE-AE24-DA95481DFFBA} (C:\WINDOWS\system32\USBKey.dll, )
[PasswordEditCtrl Class]
{E787FD25-8D7C-4693-AE67-9406BC6E22DF} (C:\WINDOWS\system32\qqedit\qqedit.dll, 腾讯科技(深圳)有限公司)
[使用Web迅雷下载]
(D:\Program Files\Thunder Network\WebThunder\GetUrl.htm, N/A)
[使用Web迅雷下载全部链接]
(D:\Program Files\Thunder Network\WebThunder\GetAllUrl.htm, N/A)
[导出到 Microsoft Office Excel(&X)]
(res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000, N/A)
[添加到QQ表情]
(d:\Program Files\Tencent\QQ\AddEmotion.htm, N/A)
--------------------------------------------------------------------------------

正在运行的进程

[PID: 460][\SystemRoot\System32\smss.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 540][\??\C:\WINDOWS\system32\csrss.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1252][C:\WINDOWS\Explorer.EXE] [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
[D:\Program Files\Rising\AntiSpyware\ieprot.dll] [Beijing Rising Technology Co., Ltd., 1, 0, 0, 10]
[D:\Program Files\360safe\safemon\safemon.dll] [, 3, 4, 0, 1001]
[PID: 1824][D:\Program Files\Alisoft\WangWang\WangWang.EXE] [阿里巴巴软件(上海)有限公司, 5, 1, 0, 9]
[D:\Program Files\Alisoft\WangWang\MFC80.DLL] [Microsoft Corporation, 8.00.50727.42]
[D:\Program Files\Alisoft\WangWang\MFC80CHS.DLL] [Microsoft Corporation, 8.00.50727.42]
[D:\Program Files\Alisoft\WangWang\AliSkin.dll] [阿里巴巴软件(上海)有限公司, 1.0.0.1]
[D:\Program Files\Alisoft\WangWang\zlib.dll] [, 1.2.3]
[D:\Program Files\Alisoft\WangWang\Ali_Res.DLL] [N/A, ]
[D:\Program Files\360safe\safemon\safemon.dll] [, 3, 4, 0, 1001]
[D:\Program Files\Alisoft\WangWang\WangWangX4.dll] [阿里软件(中国)有限公司, 1, 0, 0, 1]
[D:\Program Files\Alisoft\WangWang\RichOne.dll] [阿里巴巴软件(上海)有限公司, 1.0.0.1]
[D:\Program Files\Alisoft\WangWang\TBProgress.dll] [阿里巴巴软件(上海)有限公司, 1.0.0.1]
[D:\Program Files\Alisoft\WangWang\MessageNotify.dll] [, 1, 0, 0, 1]
[D:\Program Files\Alisoft\WangWang\ww_network.dll] [, 1, 0, 1, 23]
[D:\Program Files\Rising\AntiSpyware\ieprot.dll] [Beijing Rising Technology Co., Ltd., 1, 0, 0, 10]
[C:\Program Files\Rising\Rav\RavScrCh.dll] [Beijing Rising Technology Co., Ltd., 18, 0, 0, 4]
[D:\Program Files\Alisoft\WangWang\AliViewMedia.dll] [阿里巴巴软件(上海)有限公司, 1, 0, 0, 2]
[D:\Program Files\Alisoft\WangWang\VLNetwork.dll] [阿里巴巴软件(上海)有限公司, 1, 0, 0, 6]
[D:\Program Files\Alisoft\WangWang\VideoCap.dll] [, 1, 0, 0, 4]
[D:\Program Files\Alisoft\WangWang\VLAudio.dll] [阿里巴巴软件(上海)有限公司, 1, 0, 0, 5]
[D:\Program Files\Alisoft\WangWang\JsmShow.dll] [阿里巴巴软件(上海)有限公司, 1, 0, 0, 4]
[C:\WINDOWS\system32\msdmo.dll] [, ]
[PID: 1840][C:\Program Files\Rising\Rfw\RfwMain.exe] [Beijing Rising Technology Co., Ltd., 5, 0, 0, 72]
[C:\Program Files\Rising\Rfw\RsGuiLib.dll] [Beijing Rising Technology Co., Ltd., 19, 0, 0, 33]
[C:\Program Files\Rising\Rfw\RSCOMMON.DLL] [Beijing Rising Technology Co., Ltd., 19, 0, 0, 5]
[C:\Program Files\Rising\Rfw\RfwCtrl.dll] [Beijing Rising Technology Co., Ltd., 5, 0, 0, 11]
[C:\Program Files\Rising\Rfw\RsXML.dll] [Beijing Rising Technology Co., Ltd., 19, 0, 0, 2]
[C:\Program Files\Rising\Rfw\PngDll.dll] [Beijing Rising Technology Co., Ltd., 18, 0, 0, 5]
[D:\Program Files\360safe\safemon\safemon.dll] [, 3, 4, 0, 1001]
[D:\Program Files\Rising\AntiSpyware\ieprot.dll] [Beijing Rising Technology Co., Ltd., 1, 0, 0, 10]
[PID: 1920][D:\Program Files\Thunder Network\WebThunder\WebThunder.exe] [深圳市迅雷网络技术有限公司, 1, 8, 4, 130]
[D:\Program Files\Thunder Network\WebThunder\RegisterDll.dll] [Thunder Networking Technologies,LTD, 2, 13, 4, 58]
[D:\Program Files\Thunder Network\WebThunder\MSVCR71.dll] [Microsoft Corporation, 7.10.3052.4]
[D:\Program Files\Thunder Network\WebThunder\TaskManager.dll] [Thunder Networking Technologies,LTD, 1, 1, 1, 24]
[D:\Program Files\Thunder Network\WebThunder\download_interface.dll] [Thunder Networking Technologies,LTD, 2, 15, 2, 98]
[D:\Program Files\Thunder Network\WebThunder\stlport_vc646.dll] [STLport Consulting, Inc., 4.6.2003.1031]
[D:\Program Files\Thunder Network\WebThunder\asyn_dns.dll] [Thunder Networking Technologies,LTD, 2, 15, 2, 98]
[D:\Program Files\Thunder Network\WebThunder\Inmedia\iEmbedShell.dll] [ , 1, 0, 0, 19]
[d:\Program Files\Thunder Network\WebThunder\InMedia\iEmbed10.dll] [ , 3, 3, 1, 82]
[D:\Program Files\360safe\safemon\safemon.dll] [, 3, 4, 0, 1001]
[D:\Program Files\Thunder Network\WebThunder\CacheServer.dll] [, 1, 0, 0, 1]
[D:\Program Files\Rising\AntiSpyware\ieprot.dll] [Beijing Rising Technology Co., Ltd., 1, 0, 0, 10]
[PID: 1960][D:\Program Files\Rising\AntiSpyware\runiep.exe] [Beijing Rising Technology Co., Ltd., 1, 0, 1, 6]
[D:\Program Files\Rising\AntiSpyware\iep_ctrl.dll] [Beijing Rising Technology Co., Ltd., 1, 0, 0, 4]
[D:\Program Files\Rising\AntiSpyware\ieprot.dll] [Beijing Rising Technology Co., Ltd., 1, 0, 0, 10]
[PID: 1992][D:\Program Files\360safe\safemon\360Tray.exe] [奇虎网, 3, 4, 0, 1001]
[D:\Program Files\360safe\safemon\safemon.dll] [, 3, 4, 0, 1001]
[D:\Program Files\360safe\safemon\SafeKrnl.dll] [奇虎网, 3, 4, 0, 1001]
[D:\Program Files\360safe\AntiAdwa.dll] [360Safe.com, 3, 4, 0, 1001]
[D:\Program Files\Rising\AntiSpyware\ieprot.dll] [Beijing Rising Technology Co., Ltd., 1, 0, 0, 10]
[PID: 2004][C:\WINDOWS\system32\ctfmon.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[D:\Program Files\360safe\safemon\safemon.dll] [, 3, 4, 0, 1001]
[D:\Program Files\Rising\AntiSpyware\ieprot.dll] [Beijing Rising Technology Co., Ltd., 1, 0, 0, 10]
[PID: 2020][C:\Program Files\MSN Messenger\MsnMsgr.Exe] [Microsoft Corporation, 8.1.0178.00]
[D:\Program Files\360safe\safemon\safemon.dll] [, 3, 4, 0, 1001]
[D:\Program Files\Rising\AntiSpyware\ieprot.dll] [Beijing Rising Technology Co., Ltd., 1, 0, 0, 10]
[C:\WINDOWS\system32\msdmo.dll] [, ]
[PID: 2988][D:\Program Files\sreng2\SREng.EXE] [Smallfrogs Studio, 2.4.12.806]
[D:\Program Files\360safe\safemon\safemon.dll] [, 3, 4, 0, 1001]
[D:\Program Files\Rising\AntiSpyware\ieprot.dll] [Beijing Rising Technology Co., Ltd., 1, 0, 0, 10]
[PID: 3168][C:\Documents and Settings\Administrator\桌面\QQ截图小工具.exe] [N/A, ]
[C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\E_4\krnln.fnr] [, 1, 0, 0, 1]
[D:\Program Files\360safe\safemon\safemon.dll] [, 3, 4, 0, 1001]
[C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\E_4\xplib.fne] [N/A, ]
[C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\E_4\shellEx.fne] [N/A, ]
[D:\Program Files\Rising\AntiSpyware\ieprot.dll] [Beijing Rising Technology Co., Ltd., 1, 0, 0, 10]
[C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\E_4\BmpOperate.fne] [N/A, ]
[C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\E_4\Taolibv1.fne] [N/A, ]
--------------------------------------------------------------------------------

文件关联

.TXT OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.EXE OK. ["%1" %*]
.COM OK. ["%1" %*]
.PIF OK. ["%1" %*]
.REG OK. [regedit.exe "%1"]
.BAT OK. ["%1" %*]
.SCR OK. ["%1" /S]
.CHM OK. ["C:\WINDOWS\hh.exe" %1]
.HLP OK. [%SystemRoot%\system32\winhlp32.exe %1]
.INI OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.INF OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.VBS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.JS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.LNK OK. [{00021401-0000-0000-C000-000000000046}]
--------------------------------------------------------------------------------
Winsock 提供者

N/A
--------------------------------------------------------------------------------
Autorun.inf

N/A
--------------------------------------------------------------------------------
HOSTS 文件

127.0.0.1 localhost
--------------------------------------------------------------------------------
API HOOK

入口点错误:CreateProcessA (危险等级: 一般, 被下面模块所HOOK: D:\Program Files\360safe\safemon\safemon.dll)
入口点错误:CreateProcessW (危险等级: 一般, 被下面模块所HOOK: D:\Program Files\360safe\safemon\safemon.dll)
--------------------------------------------------------------------------------
隐藏进程

[268] C:\WINDOWS\system32\mstsc.exe

I am a licensed Rising user and update once a day. In Safe Mode I deleted mstsc.exe from the C:\WINDOWS\system32\ directory, but after rebooting it is back. Ugh.


This user's post has been blocked.


[system / system][Stopped/Auto Start]
(C:\WINDOWS\system32\setup.exe)(N/A)
Set this service to disabled. For the items below, delete the files in Safe Mode, then reboot, run the scan log again and post it so others can help check it:
[HDSYS32 / HDSYS32][Stopped/Manual Start]
(\??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\hdsys.sys)(N/A)

[C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\E_4\BmpOperate.fne] [N/A, ]
[C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\E_4\Taolibv1.fne] [N/A, ]
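The triage the reply above does by eye (an auto-started service with no publisher pointing at a generically named binary, a driver loaded from the user's Temp directory, a process that only appears under 隐藏进程) can be run mechanically over an SREng log. This is an added example, not code from the thread or from SREng: the sample log is constructed from records posted above, and the flagging heuristics are the example's own.

```python
import re

# Constructed sample modelled on the SREng 2.4 log posted in this thread (paths copied from it);
# section titles and the [name][state] / (path)(vendor) record pairs are kept as SREng prints them.
SAMPLE_LOG = r"""
服务
[NVIDIA Display Driver Service / NVSvc][Running/Auto Start]
(C:\WINDOWS\system32\nvsvc32.exe)(NVIDIA Corporation)
[system / system][Stopped/Auto Start]
(C:\WINDOWS\system32\setup.exe)(N/A)
驱动程序
[HDSYS32 / HDSYS32][Stopped/Manual Start]
(\??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\hdsys.sys)(N/A)
[Hardlock / Hardlock][Running/Auto Start]
(\??\C:\WINDOWS\system32\drivers\hardlock.sys)(Aladdin Knowledge Systems)
隐藏进程
[268] C:\WINDOWS\system32\mstsc.exe
"""

SECTIONS = {"服务": "service", "驱动程序": "driver", "隐藏进程": "hidden"}
HEADER = re.compile(r"^\[(.*?) / (.*?)\]\[(.*?)/(.*?)\]$")  # [Display / Name][State/StartType]
RECORD = re.compile(r"^\((.*)\)\((.*?)\)$")                 # (image path)(vendor)
HIDDEN = re.compile(r"^\[(\d+)\] (.+)$")                     # [PID] image path

def triage(log_text):
    """Return (kind, name, path, reasons) for entries worth a second look: images in a
    temp directory, auto-started images with no publisher, and every hidden process."""
    findings, kind, pending = [], None, None
    for line in (raw.strip() for raw in log_text.splitlines()):
        if line in SECTIONS:
            kind = SECTIONS[line]
        elif kind == "hidden" and (m := HIDDEN.match(line)):
            # Reported regardless of name: a system binary's name in system32 proves nothing.
            path = m.group(2)
            findings.append((kind, path.rsplit("\\", 1)[-1], path, ("hidden from process list",)))
        elif kind in ("service", "driver") and (m := HEADER.match(line)):
            pending = (m.group(2), m.group(4))                # service name, start type
        elif pending and (m := RECORD.match(line)):
            name, start = pending
            pending = None
            path = re.sub(r"^\\\?\?\\", "", m.group(1))       # drop the \??\ object-namespace prefix
            vendor = m.group(2).strip()
            reasons = []
            if "\\temp\\" in path.lower():
                reasons.append("image in a temp directory")
            if vendor in ("", "N/A") and start in ("Auto Start", "Boot Start"):
                reasons.append("auto-started with no publisher")
            if reasons:
                findings.append((kind, name, path, tuple(reasons)))
    return findings

if __name__ == "__main__":
    for kind, name, path, reasons in triage(SAMPLE_LOG):
        print(f"{kind:8} {name:10} {path}  <- {', '.join(reasons)}")
```

Run against the constructed log it reports exactly the three entries the reply singles out (the `system` service, `hdsys.sys`, and the hidden `mstsc.exe`) and passes the signed NVIDIA and Aladdin entries.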
 