
Can any expert take a look and tell me whether this is a virus?


Autostart entries
HKEY_LOCAL_MACHINE Software\Microsoft\Windows\Currentversion\Run
NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
CnxDslTaskBar = C:\Program Files\OEM\AccessRunner ADSL\CnxDslTb.exe
KernelFaultCheck = %systemroot%\system32\dumprep 0 -k
TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
YLive.exe = C:\PROGRA~1\Yahoo!\ASSIST~1\YLive.exe
yassistse = "C:\Program Files\Yahoo!\Assistant\yAssistSe.exe"
EagleEye = G:\Program Files\lenovo\tuEagles\EagleSvr.exe
RavTask = "d:\Program Files\Rising\Rav\RavTask.exe" -system

HKEY_CURRENT_USER Software\Microsoft\Windows\Currentversion\Run
ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe

HKEY_LOCAL_MACHINE Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
C:\WINDOWS\system32\RavExt.dll= Rising Execute File Exts hook

HKEY_LOCAL_MACHINE Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
PostBootReminder = %SystemRoot%\system32\SHELL32.dll
CDBurn = %SystemRoot%\system32\SHELL32.dll
WebCheck = %SystemRoot%\system32\webcheck.dll
SysTray = C:\WINDOWS\system32\stobject.dll
WPDShServiceObj = C:\WINDOWS\system32\WPDShServiceObj.dll

HKEY_LOCAL_MACHINE Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
%SystemRoot%\system32\browseui.dll= Browseui 预加载程序
%SystemRoot%\system32\browseui.dll= 组件类别缓存程序


SYSTEM.INI BOOT SHELL Explorer.exe
SYSTEM.INI BOOT SCRNSAVE.EXE C:\WINDOWS\system32\logon.scr


Other related entries
HKEY_LOCAL_MACHINE Software\Microsoft\Windows NT\CurrentVersion\Winlogon DefaultUserName ----> my
HKEY_LOCAL_MACHINE Software\Microsoft\Windows NT\CurrentVersion\Winlogon AltDefaultUserName ----> my
HKEY_LOCAL_MACHINE Software\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit ----> C:\WINDOWS\system32\userinit.exe,


WININIT.INI
[Rename]
NUL=C:\PROGRA~1\Tencent\QQ\QQUpdate\QQ\15_33_0\QQ2006~1.EXE

Hosts
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
127.0.0.1 localhost
Last edited 2006-06-18 08:21:23

Diagnostic information


1 EagleH.dll 65% Trojan G:\Program Files\lenovo\tuEagles\EagleH.dll

Process list

[System Process]
System
C:\PROGRA~1\Yahoo!\ASSIST~1\YLive.exe (Made by )
C:\Program Files\Yahoo!\Assistant\yAssistSe.exe (Made by Yahoo!)

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\OEM\AccessRunner ADSL\CnxDslTb.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\NOTEPAD.EXE
d:\Program Files\Rising\Rav\CCenter.exe
d:\Program Files\Rising\Rav\RAVTASK.EXE
d:\Program Files\Rising\Rav\RAV.EXE
d:\Program Files\Rising\Rav\RsAgent.exe
d:\Program Files\Rising\Rav\Ravmond.exe
C:\WINDOWS\msagent\AgentSvr.exe
d:\Program Files\Rising\Rav\RAVMON.EXE
d:\Program Files\Rising\Rav\RavStub.exe
D:\Program Files\Rising\Tools\RsDetect.exe
C:\Program Files\Internet Explorer\iexplore.exe



Process details


C:\Program Files\Internet Explorer\iexplore.exe

C:\PROGRA~1\Yahoo!\ASSIST~1\Yhelper.dll



C:\PROGRA~1\Yahoo!\ASSIST~1\yscrblock.dll (made by Yahoo)



G:\Program Files\lenovo\tuEagles\EagleH.dll



C:\PROGRA~1\Yahoo!\ASSIST~1\YAlive.dll



C:\WINDOWS\system32\xunleibho_v14.dll (made by Thunder Networking Technologies,LTD)



C:\Program Files\Acrobatchs\ActiveX\AcroIEHelper.dll (made by Adobe Systems Incorporated)


