Rising Kaka Security Forum, Technical Exchange, Anti-virus / Anti-rogue-software board: Please help!!!!!!!!!!!!!!!! Help, help, brothers and sisters!!!!!


Autostart entries
HKEY_LOCAL_MACHINE Software\Microsoft\Windows\Currentversion\Run
NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
KernelFaultCheck = %systemroot%\system32\dumprep 0 -k
TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
AddrPlus3 = C:\PROGRA~1\TENCENT\AdPlus\Runner.exe C:\PROGRA~1\TENCENT\AdPlus\QAHook.dll Rundll32
BigDogPath = C:\WINDOWS\VM_STI.EXE USB PC Camera 301P
RavTask = "C:\Program Files\Rising\Rav\RavTask.exe" -system

HKEY_CURRENT_USER Software\Microsoft\Windows\Currentversion\Run
ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe

HKEY_LOCAL_MACHINE Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
shell32.dll =
C:\WINDOWS\system32\RavExt.dll= Rising Execute File Exts hook

HKEY_LOCAL_MACHINE Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
PostBootReminder = %SystemRoot%\system32\SHELL32.dll
CDBurn = %SystemRoot%\system32\SHELL32.dll
WebCheck = %SystemRoot%\system32\webcheck.dll
SysTray = C:\WINDOWS\system32\stobject.dll

HKEY_LOCAL_MACHINE Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
%SystemRoot%\system32\browseui.dll= Browseui 预加载程序
%SystemRoot%\system32\browseui.dll= 组件类别缓存程序


SYSTEM.INI BOOT SHELL Explorer.exe

Last edited 2006-02-16 19:51:45

Other related items
HKEY_LOCAL_MACHINE Software\Microsoft\Windows NT\CurrentVersion\Winlogon DefaultUserName ----> user
HKEY_LOCAL_MACHINE Software\Microsoft\Windows NT\CurrentVersion\Winlogon AltDefaultUserName ----> user
HKEY_LOCAL_MACHINE Software\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit ----> C:\WINDOWS\system32\userinit.exe,


Hosts
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost

Hi bro, my machine is lagging to death, the CPU is always at 100%.

Process details


C:\WINDOWS\system32\ctfmon.exe

C:\PROGRA~1\TENCENT\AdPlus\QAHook.dll (made by Tencent)



C:\WINDOWS\VM_STI.EXE

C:\WINDOWS\VM_STI.EXE (made by VM.)



C:\WINDOWS\system32\VM31bPrp.Ax (made by VM)



C:\WINDOWS\Explorer.EXE

C:\Program Files\TENCENT\AdPlus\IEHelp.dll (made by Tencent)



C:\WINDOWS\system32\xunleibho_v8.dll (made by Thunder Networking Technologies,LTD)