我们首先来看日志的开头部分（以kuing的日志为例，本人应该不会介意吧……）：

Quote:

[CODE]
2007-07-07,22:56:31
System Repair Engineer 2.5.16.900
Smallfrogs (http://www.KZTechs.com)
Windows XP Professional Service Pack 2 (Build 2600) - 管理权限用户 - 完整功能
以下内容被选中：
    所有的启动项目（包括注册表、启动文件夹、服务等）
    浏览器加载项
    正在运行的进程（包括进程模块信息）
    文件关联
    Winsock 提供者
    Autorun.inf
    HOSTS 文件
    进程特权扫描

　　这些信息说明了SREng的版本、操作系统版本、扫描用户权限、扫描时间和扫描项目。不用去管它。
　　
　　现在我们来看这部分：

Quote:

启动项目
注册表
[HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun]
    <ctfmon.exe><C:WINDOWSsystem32ctfmon.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_CURRENT_USERSoftwareMicrosoftWindows NTCurrentVersionWindows]
    <load> <>  [N/A]
[HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRun]
    <igfxtray><C:WINDOWSsystem32igfxtray.exe>  [(Verified)Microsoft Windows Publisher]
  <igfxhkcmd><C:WINDOWSsystem32hkcmd.exe>  [(Verified)Microsoft Windows Hardware Compatibility Publisher]
    <igfxpers><C:WINDOWSsystem32igfxpers.exe>  [(Verified)Microsoft Windows Hardware Compatibility Publisher]
    <RavTask><"C:Program FilesRisingRavRavTask.exe" -system>  [Beijing Rising Technology Co., Ltd.]
    <RfwMain><"C:Program FilesRisingRfw fwmain.exe" -Startup>  [Beijing Rising Technology Co., Ltd.]
  <runeip><"C:Program FilesRisingAntiSpyware uniep.exe" /startup>  [Beijing Rising Technology Co., Ltd.]
[HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRunOnce]
    <KKDelay><C:Program FilesRisingAntiSpywareRunOnce.exe> [Beijing Rising Technology Co., Ltd.]
[HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogon]
    <shell><Explorer.exe>  [(Verified)Microsoft Windows Publisher]
    <Userinit><C:WINDOWSsystem32userinit.exe,>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWindows]
    <AppInit_DLLs><>  [N/A]
[HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogon]
    <UIHost><logonui.exe>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionExplorerShellExecuteHooks]
    <{32CD708B-60A7-4C00-9377-D73EAA495F0F}><C:WINDOWSsystem32RavExt.dll>  [Beijing Rising Technology Co., Ltd.]
    <{AC2DC2EF-5165-40A3-8CDF-41DCA1B0901A}><C:WINDOWSsystem32shlhook.dll>  [Beijing Rising Technology Co., Ltd.]
[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionShellServiceObjectDelayLoad]
    <WPDShServiceObj><C:WINDOWSsystem32WPDShServiceObj.dll>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWinlogonNotifyigfxcui]
    <WinlogonNotify: igfxcui><igfxdev.dll>  [(Verified)Microsoft Windows Hardware Compatibility Publisher]
[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWinlogonNotifyWgaLogon]
    <WinlogonNotify: WgaLogon><WgaLogon.dll>  [(Verified)Microsoft Corporation]
[HKEY_LOCAL_MACHINESOFTWAREMicrosoftActive SetupInstalled Components>{26923b43-4d38-484f-9b9e-de460746276c}]
    <Internet Explorer><%systemroot%system32shmgrate.exe OCInstallUserConfigIE>  [N/A]
[HKEY_LOCAL_MACHINESOFTWAREMicrosoftActive SetupInstalled Components>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}]
    <Outlook Express><%systemroot%system32shmgrate.exe OCInstallUserConfigOE>  [N/A]
[HKEY_LOCAL_MACHINESOFTWAREMicrosoftActive SetupInstalled Components{2C7339CF-2B09-4501-B3F3-F3508C9228ED}]
    <Themes Setup><%SystemRoot%system32 egsvr32.exe /s /n /i:/UserInstall %SystemRoot%system32 hemeui.dll>  [N/A]
[HKEY_LOCAL_MACHINESOFTWAREMicrosoftActive SetupInstalled Components{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
    <Microsoft Outlook Express 6><"%ProgramFiles%Outlook Expresssetup50.exe" /APP:OE /CALLER:WINNT /user /install>  [N/A]
[HKEY_LOCAL_MACHINESOFTWAREMicrosoftActive SetupInstalled Components{44BBA842-CC51-11CF-AAFA-00AA00B6015B}]
    <NetMeeting 3.01><rundll32.exe advpack.dll,LaunchINFSection C:WINDOWSINFmsnetmtg.inf,NetMtg.Install.PerUser.NT>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINESOFTWAREMicrosoftActive SetupInstalled Components{5945c046-1e7d-11d1-bc44-00c04fd912be}]
    <Windows Messenger 4.7><rundll32.exe advpack.dll,LaunchINFSection C:WINDOWSINFmsmsgs.inf,BLC.QuietInstall.PerUser>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINESOFTWAREMicrosoftActive SetupInstalled Components{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
    <Microsoft Windows Media Player><rundll32.exe advpack.dll,LaunchINFSection C:WINDOWSINFwmp11.inf,PerUserStub>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINESOFTWAREMicrosoftActive SetupInstalled Components{7790769C-0471-11d2-AF11-00C04FA35D02}]
    <通讯簿 6><"%ProgramFiles%Outlook Expresssetup50.exe" /APP:WAB /CALLER:WINNT /user /install>  [N/A]

==================================
启动文件夹
N/A

　　这段日志里可以看出，你电脑开机的时候都会运行哪些程序。
　　粉色字样的是是注册表项。也就是这个程序在注册表中的位置。如果是病毒，可以通过开始——运行输入regedit，查找该键值来取消病毒的自动启动。
　　注册表项下一行，“< >”里面的，前面的是这个注册表项的键，后面的是这个键的键值。再后面，是程序的公司版本信息。如果通过了数字签名验证，在Microsoft的前面会有(Verified) 的字样。
　　PS：颜色是我自己加上的。颜色只弄了一部分，其他的类推，不用我全弄上了吧……


　　分析方法：对于新手来说，最重要的就是熟悉进程和进程模块。当大家遇到自己不熟悉的进程和进程模块，（*.exe、*.dll），可以上www.google.cn去搜索一下，时间长了，积累些经验，下次再看到这些进程的时候，心里就有点底啦！注册表里面的启动项一般都有输入法、杀毒软件、声卡显卡的优化软件（如 ATi催化剂、音效管理员）等。不过还要注意后面的公司版本信息。如果一个你比较熟悉的进程，后面的公司信息是[N/A]，这个很有可能就是病毒！！

%systemroot%是系统安装目录，如果是Win98或者XP之类的，对应目录一般为C:WINDOWS；如果为WinNT或者2000，对应目录一般为C:WINNT
============================================================　　
一般的启动程序都是在下面这些项里面了，要好好分析哦~~对于不确定的进程，到www.google.cn里面查。
[HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun]
[HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRun]
[HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRunOnce]
[HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRunOnce]
[HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRunServices]
[HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRunServices]
[HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRunServicesOnce]
[HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRunServicesOnce]
[HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRunOnceEx]
============================================================
下面这四项要注意，如果日志里面的和这四个不一样，那么很可能就有问题
[HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogon]
    <shell><Explorer.exe>  [(Verified)Microsoft Windows Publisher]
    <Userinit><C:WINDOWSsystem32userinit.exe,>  [(Verified)Microsoft Windows Publisher]（注意那个逗号！这个逗号不可省略）
[HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWindows]
          <AppInit_DLLs><>        [N/A]
[HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogon]
          <UIHost><logonui.exe>        [Microsoft Corporation]
============================================================
如果有下面的这两项，“<>”里面有进程，很可能有问题
[HKEY_CURRENT_USERSoftwareMicrosoftWindows NTCurrentVersionWindows]
          <load><>        [N/A]
          <run><>        [N/A]
============================================================
下面这两项下面如果有键，也可能有问题
[HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionPoliciesExplorerRun]
[HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionPoliciesExplorerRun]
============================================================
下面的三项如果有除了杀毒软件之外的键，很可能有问题
[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionShellServiceObjectDelayLoad]
[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionExplorerShellExecuteHooks]
[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionExplorerSharedTaskScheduler]
============================================================
可信项目（即有N/A，但可以确定没问题的项目）：
[HKEY_CURRENT_USERSoftwareMicrosoftWindows NTCurrentVersionWindows]
    <load> <>  [N/A]
    <run> <>  [N/A]
[HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWindows]
    <AppInit_DLLs><>  [N/A]

如果“<>”里面没有东西，以上几项可以排除

%systemroot%system32shmgrate.exe
这个进程，虽然有些网站上说是病毒，但是貌似只有新版的SREng才能扫出来这个，本人目前可以确定这个进程没问题
%ProgramFiles%Outlook Expresssetup50.exe
这个进程也可以确定没问题
要注意路径！！
<KernelFaultCheck><; %systemroot%system32dumprep 0 -k>  [N/A]
这一项也可以排除
============================================================
还有的病毒，公司名称会假冒微软的数字签名，不过在启动项目——注册表里面，如果通过数字签名，在公司名称的前面会有个(Verified)

启动文件夹，就是你点“开始”——“程序”——“启动”那里面的文件，一般不会有什么问题（因为大部分病毒没那么弱智……放在这里，一般的菜鸟都能看出来……），但也不能掉以轻心！！

举几个病毒的例子：

<MsServer><msfir80.exe>  [N/A]
很明显的，有 [N/A]，一下就注意到这个了。

<x0w3srs6w><C:DOCUME~1李牧原\LOCALS~1Temp undl132.exe> [N/A]
这个有点难度，注意[N/A]、奇怪的键名<x0w3srs6w>和那个红色的1，正常的应该是两个字母l（rundll32.exe）。

<4sqlllc7mh3><C:DOCUME~1李牧原\LOCALS~1Tempservicer.exe> []
这个和上面的那个是一个类型的，这个程序的名称一般人都能看出来有问题……还没有公司信息，键名也很奇怪。

上面的三个都是在[HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun]下面的

这两个有点特殊：
<{E25C29AB-12B9-4523-A53C-324B5FBA648C}><e:program files ising fwzpkjuwgv.dll> []
<{754FB7D8-B8FE-4810-B363-A788CD060F1F}><> [N/A]

这两个是在[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionExplorerShellExecuteHooks]下面的，所以是病毒，删掉。

还有个特殊的：SYSEXPLR.EXE这个程序，如果在超级解霸的目录下（比如HeroV8），那么就可以排除……如果在别的地方，可能就是冰河木马

这一项就介绍到这里啦~~

这一项可以说是整个日志的主体部分，一般来说也是最长的一部分！（有时驱动可能会更长）虽然分析这一项时需要注意的事项并不多，但是一定要细心，还要有耐心！不要错过任何一个可能是病毒的项目！

这次用谁的日志好呢……这次就用我自己的好了……o(∩_∩)o...哈哈

Quote:

正在运行的进程
[PID: 712][SystemRootSystem32smss.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 776][??C:WINDOWSsystem32csrss.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 292][C:WINDOWSsystem32ctfmon.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:Program FilesRisingAntiSpywareieprot.dll] [Beijing Rising Technology Co., Ltd., 1, 0, 0, 10]
[C:Syswm1jGhook.dll] [N/A, ]
[PID: 320][e:program files ising fwRfwMain.exe] [Beijing Rising Technology Co., Ltd., 5, 0, 0, 70]
[e:program files ising fwRsGuiLib.dll] [Beijing Rising Technology Co., Ltd., 19, 0, 0, 33]
[e:program files ising fwRSCOMMON.DLL] [Beijing Rising Technology Co., Ltd., 19, 0, 0, 5]
[e:program files ising fwRfwCtrl.dll] [Beijing Rising Technology Co., Ltd., 5, 0, 0, 11]
[e:program files ising fwRsXML.dll] [Beijing Rising Technology Co., Ltd., 19, 0, 0, 2]
[e:program files ising fwPngDll.dll] [Beijing Rising Technology Co., Ltd., 18, 0, 0, 5]
[C:Program FilesRisingAntiSpywareieprot.dll] [Beijing Rising Technology Co., Ltd., 1, 0, 0, 10]
[C:Syswm1jGhook.dll] [N/A, ]
[C:DOCUME~1李牧原\LOCALS~1TempQqzo0.dll] [N/A, ]
[PID: 1164][C:Program FilesATI TechnologiesATI.ACEcli.exe] [ATI Technologies Inc., 1.11.0.0]
[C:WINDOWSsystem32mscoree.dll] [Microsoft Corporation, 1.1.4322.573]
[C:WINDOWSMicrosoft.NETFrameworkv1.1.4322mscorwks.dll] [Microsoft Corporation, 1.1.4322.573]
[C:WINDOWSMicrosoft.NETFrameworkv1.1.4322MSVCR71.dll] [Microsoft Corporation, 7.10.3052.4]
[C:WINDOWSMicrosoft.NETFrameworkv1.1.4322fusion.dll] [Microsoft Corporation, 1.1.4322.573]
[c:windowsmicrosoft.netframeworkv1.1.4322mscorlib.dll] [Microsoft Corporation, 1.1.4322.573]
[c:windowsassembly ativeimages1_v1.1.4322mscorlib1.0.5000.0__b77a5c561934e089_422c3599mscorlib.dll] [N/A, ]
[C:WINDOWSMicrosoft.NETFrameworkv1.1.4322mscorsn.dll] [Microsoft Corporation, 1.1.4322.573]
[C:WINDOWSMicrosoft.NETFrameworkv1.1.4322MSCORJIT.DLL] [Microsoft Corporation, 1.1.4322.573]
[c:windowsassemblygacsystem.windows.forms1.0.5000.0__b77a5c561934e089system.windows.forms.dll] [Microsoft Corporation, 1.1.4322.573]
[c:windowsassembly ativeimages1_v1.1.4322system.windows.forms1.0.5000.0__b77a5c561934e089_14cb2b7bsystem.windows.forms.dll] [N/A, ]
[c:program filesati technologiesati.acecli.implementation.dll] [ATI Technologies Inc., 1.2.2114.465]
[c:program filesati technologiesati.acelog.foundation.dll] [ATI Technologies Inc., 1.2.2026.29944]
[c:program filesati technologiesati.acecli.foundation.dll] [ATI Technologies Inc., 1.2.2026.29944]
[c:program filesati technologiesati.acelog.foundation.service.dll] [ATI Technologies Inc., 1.2.2114.464]
[c:program filesati technologiesati.acelog.foundation.shared.dll] [ATI Technologies Inc., 1.2.2026.29970]
[c:windowsassemblygacsystem1.0.5000.0__b77a5c561934e089system.dll] [Microsoft Corporation, 1.1.4322.573]
[c:windowsassembly ativeimages1_v1.1.4322system1.0.5000.0__b77a5c561934e089_96df10ffsystem.dll] [N/A, ]
[c:program filesati technologiesati.acecli.foundation.xmanifestation.dll] [ATI Technologies Inc., 1.2.2114.464]
[c:windowsassemblygacsystem.xml1.0.5000.0__b77a5c561934e089system.xml.dll] [Microsoft Corporation, 1.1.4322.573]
[c:windowsassembly ativeimages1_v1.1.4322system.xml1.0.5000.0__b77a5c561934e089_b39e651esystem.xml.dll] [N/A, ]
[c:windowsassemblygacsystem.runtime.remoting1.0.5000.0__b77a5c561934e089system.runtime.remoting.dll] [Microsoft Corporation, 1.1.4322.573]
[C:WINDOWSsystem32ldmedia4.dll] [N/A, ]
[c:program filesati technologiesati.acecli.component.runtime.dll] [ATI Technologies Inc., 1.2.2114.465]
[c:program filesati technologiesati.aceaem.foundation.dll] [ATI Technologies Inc., 1.2.2026.29944]
[c:windowsassemblygacsystem.drawing1.0.5000.0__b03f5f7f11d50a3asystem.drawing.dll] [Microsoft Corporation, 1.1.4322.573]
[c:windowsassembly ativeimages1_v1.1.4322system.drawing1.0.5000.0__b03f5f7f11d50a3a_d3d144b1system.drawing.dll] [N/A, ]
[C:PROGRA~1Yahoo!ASSIST~1Yhelper.dll] [N/A, ]
[c:program filesati technologiesati.acecli.caste.graphics.runtime.dll] [ATI Technologies Inc., 1.2.2114.456]
[c:program filesati technologiesati.acecli.component.runtime.shared.dll] [ATI Technologies Inc., 1.2.2026.29946]
[c:program filesati technologiesati.acecli.caste.graphics.shared.dll] [ATI Technologies Inc., 1.2.2028.21076]
[c:program filesati technologiesati.acedem.foundation.dll] [ATI Technologies Inc., 1.2.2026.29944]
[c:program filesati technologiesati.acedem.graphics.displaysmanager.shared.dll] [ATI Technologies Inc., 1.2.2026.29945]
[c:program filesati technologiesati.acedem.graphics.demosinfo.dll] [ATI Technologies Inc., 1.2.2026.29947]
[C:WINDOWSMicrosoft.NETFrameworkv1.1.4322perfcounter.dll] [Microsoft Corporation, 1.1.4322.573]
[c:program filesati technologiesati.acedem.graphics.demosadapterinfo.dll] [ATI Technologies Inc., 1.2.2026.29960]
[c:program filesati technologiesati.acedem.graphics.dematiadapterinfo.dll] [ATI Technologies Inc., 1.2.2095.19505]
[c:program filesati technologiesati.acedem.graphics.demdriversettings.dll] [ATI Technologies Inc., 1.2.2026.29947]
[C:WINDOWSMicrosoft.NETFrameworkv1.1.4322aspnet_isapi.dll] [Microsoft Corporation, 1.1.4322.573]
[c:windowsassemblygacsystem.web1.0.5000.0__b03f5f7f11d50a3asystem.web.dll] [Microsoft Corporation, 1.1.4322.573]
[PID: 1152][D:Program FilesCyberLinkPowerDVDPDVDServ.exe] [Cyberlink Corp., 6.00.1027]
[D:Program FilesCyberLinkPowerDVDCLRCEngine2.dll] [CyberLink Corp., 3.2.2021 ]
[C:Program FilesRisingAntiSpywareieprot.dll] [Beijing Rising Technology Co., Ltd., 1, 0, 0, 10]
[C:Syswm1jGhook.dll] [N/A, ]
[PID: 1532][C:Program FilesRisingAntiSpyware uniep.exe] [Beijing Rising Technology Co., Ltd., 1, 0, 1, 6]
[C:Program FilesRisingAntiSpywareiep_ctrl.dll] [Beijing Rising Technology Co., Ltd., 1, 0, 0, 4]
[C:Program FilesRisingAntiSpywareieprot.dll] [Beijing Rising Technology Co., Ltd., 1, 0, 0, 10]
[C:Syswm1jGhook.dll] [N/A, ]
[PID: 1844][C:Program FilesMSILive Update 3LMonitor.exe] [, 1, 0, 0, 3]
[C:Program FilesMSILive Update 3Lang es804.dll] [N/A, ]
[C:Program FilesMSILive Update 3 vgpio.dll] [NVIDIA Corporation, 1.0.1.5]
[C:WINDOWSsystem32msdmo.dll] [, ]
[C:PROGRA~1Yahoo!ASSIST~1Yhelper.dll] [N/A, ]
[C:Program FilesRisingAntiSpywareieprot.dll] [Beijing Rising Technology Co., Ltd., 1, 0, 0, 10]
[C:Syswm1jGhook.dll] [N/A, ]
[PID: 1972][C:WINDOWSSOUNDMAN.EXE] [Realtek Semiconductor Corp., 5, 1, 0, 58]
[C:PROGRA~1Yahoo!ASSIST~1Yhelper.dll] [N/A, ]
[C:Program FilesRisingAntiSpywareieprot.dll] [Beijing Rising Technology Co., Ltd., 1, 0, 0, 10]
[C:Syswm1jGhook.dll] [N/A, ]
[PID: 1960][C:Syswm1jsvchost.exe] [N/A, ]
[C:Syswm1jGhook.dll] [N/A, ]
[PID: 556][C:Program FilesATI TechnologiesATI.ACECLI.exe] [ATI Technologies Inc., 1.11.0.0]
[C:WINDOWSsystem32mscoree.dll] [Microsoft Corporation, 1.1.4322.573]
[C:WINDOWSMicrosoft.NETFrameworkv1.1.4322mscorwks.dll] [Microsoft Corporation, 1.1.4322.573]
[C:WINDOWSMicrosoft.NETFrameworkv1.1.4322MSVCR71.dll] [Microsoft Corporation, 7.10.3052.4]
[C:WINDOWSMicrosoft.NETFrameworkv1.1.4322fusion.dll] [Microsoft Corporation, 1.1.4322.573]
[c:windowsmicrosoft.netframeworkv1.1.4322mscorlib.dll] [Microsoft Corporation, 1.1.4322.573]
[c:windowsassembly ativeimages1_v1.1.4322mscorlib1.0.5000.0__b77a5c561934e089_422c3599mscorlib.dll] [N/A, ]
[C:WINDOWSMicrosoft.NETFrameworkv1.1.4322mscorsn.dll] [Microsoft Corporation, 1.1.4322.573]
[C:PROGRA~1Yahoo!ASSIST~1Yhelper.dll] [N/A, ]
[C:WINDOWSMicrosoft.NETFrameworkv1.1.4322MSCORJIT.DLL] [Microsoft Corporation, 1.1.4322.573]
[c:windowsassemblygacsystem.windows.forms1.0.5000.0__b77a5c561934e089system.windows.forms.dll] [Microsoft Corporation, 1.1.4322.573]
[c:windowsassembly ativeimages1_v1.1.4322system.windows.forms1.0.5000.0__b77a5c561934e089_14cb2b7bsystem.windows.forms.dll] [N/A, ]
[c:program filesati technologiesati.acecli.implementation.dll] [ATI Technologies Inc., 1.2.2114.465]
[c:program filesati technologiesati.acelog.foundation.dll] [ATI Technologies Inc., 1.2.2026.29944]
[c:program filesati technologiesati.acecli.foundation.dll] [ATI Technologies Inc., 1.2.2026.29944]
[c:program filesati technologiesati.acelog.foundation.service.dll] [ATI Technologies Inc., 1.2.2114.464]
[c:program filesati technologiesati.acelog.foundation.shared.dll] [ATI Technologies Inc., 1.2.2026.29970]
[c:windowsassemblygacsystem1.0.5000.0__b77a5c561934e089system.dll] [Microsoft Corporation, 1.1.4322.573]
[c:windowsassembly ativeimages1_v1.1.4322system1.0.5000.0__b77a5c561934e089_96df10ffsystem.dll] [N/A, ]
[c:program filesati technologiesati.acecli.foundation.xmanifestation.dll] [ATI Technologies Inc., 1.2.2114.464]
[c:windowsassemblygacsystem.xml1.0.5000.0__b77a5c561934e089system.xml.dll] [Microsoft Corporation, 1.1.4322.573]
[c:windowsassembly ativeimages1_v1.1.4322system.xml1.0.5000.0__b77a5c561934e089_b39e651esystem.xml.dll] [N/A, ]
[c:windowsassemblygacsystem.runtime.remoting1.0.5000.0__b77a5c561934e089system.runtime.remoting.dll] [Microsoft Corporation, 1.1.4322.573]
[C:WINDOWSsystem32ldmedia4.dll] [N/A, ]
[c:program filesati technologiesati.acecli.component.systemtray.dll] [ATI Technologies Inc., 1.2.2114.432]
[c:program filesati technologiesati.acecli.caste.graphics.shared.dll] [ATI Technologies Inc., 1.2.2028.21076]
[c:program filesati technologiesati.acedem.graphics.displaysmanager.shared.dll] [ATI Technologies Inc., 1.2.2026.29945]
[c:windowsassemblygacsystem.web1.0.5000.0__b03f5f7f11d50a3asystem.web.dll] [Microsoft Corporation, 1.1.4322.573]
[C:WINDOWSMicrosoft.NETFrameworkv1.1.4322perfcounter.dll] [Microsoft Corporation, 1.1.4322.573]
[C:WINDOWSMicrosoft.NETFrameworkv1.1.4322aspnet_isapi.dll] [Microsoft Corporation, 1.1.4322.573]
[PID: 1400][E:Program FilesYahoo!Messengerymsgr_tray.exe] [Yahoo! Inc., 8,1,0,0]
[E:Program FilesYahoo!MessengerMSVCP71.dll] [Microsoft Corporation, 7.10.3077.0]
[E:Program FilesYahoo!MessengerMSVCR71.dll] [Microsoft Corporation, 7.10.3052.4]
[C:PROGRA~1Yahoo!ASSIST~1Yhelper.dll] [N/A, ]
[C:Program FilesYahoo!SharedYbSkin2.dll] [Yahoo! Inc., 2006, 10, 11, 1]
[E:Program FilesYahoo!Messenger es_msgr.dll] [Yahoo! Inc., 8,5,0,1]
[C:Program FilesRisingAntiSpywareieprot.dll] [Beijing Rising Technology Co., Ltd., 1, 0, 0, 10]
[C:Syswm1jGhook.dll] [N/A, ]
[PID: 2032][C:WINDOWSsystem32wuauclt.exe] [Microsoft Corporation, 5.8.0.2469 built by: lab01_n(wmbla)]
[C:PROGRA~1Yahoo!ASSIST~1Yhelper.dll] [N/A, ]
[C:Program FilesRisingAntiSpywareieprot.dll] [Beijing Rising Technology Co., Ltd., 1, 0, 0, 10]
[C:Syswm1jGhook.dll] [N/A, ]
[PID: 2468][E:Program FilesMaxthonMaxthon.exe] [Maxthon International Ltd., 1, 5, 9, 80]
[E:Program FilesMaxthonmaxzlib.dll] [ , 1, 0, 0, 2]
[C:PROGRA~1Yahoo!ASSIST~1Yhelper.dll] [N/A, ]
[C:WINDOWSsystem32mscoree.dll] [Microsoft Corporation, 1.1.4322.573]
[C:WINDOWSMicrosoft.NETFrameworkv1.1.4322CorperfmonExt.dll] [Microsoft Corporation, 1.1.4322.573]
[C:WINDOWSMicrosoft.NETFrameworkv1.1.4322MSVCR71.dll] [Microsoft Corporation, 7.10.3052.4]
[C:Program FilesRisingAntiSpywareieprot.dll] [Beijing Rising Technology Co., Ltd., 1, 0, 0, 10]
[C:Syswm1jGhook.dll] [N/A, ]
[E:Program FilesMaxthonServicesRealTime eal_time.dll] [, 1, 0, 0, 1]
[C:WINDOWSsystem32ldmedia4.dll] [N/A, ]
[C:WINDOWSMicrosoft.NETFrameworkv1.1.4322mscorie.dll] [Microsoft Corporation, 1.1.4322.573]
[C:WINDOWSMicrosoft.NETFrameworkv1.1.4322mscorld.dll] [Microsoft Corporation, 1.1.4322.573]
[C:WINDOWSsystem32MacromedFlashFlash9b.ocx] [Adobe Systems, Inc., 9,0,28,0]
[C:DOCUME~1李牧原\LOCALS~1TempQqzo0.dll] [N/A, ]
[PID: 3956][E:Program FilesRisingRavRsAgent.exe] [Beijing Rising Technology Co., Ltd., 19, 0, 0, 12]
[C:PROGRA~1Yahoo!ASSIST~1Yhelper.dll] [N/A, ]
[E:Program FilesRisingRavRsCommX.dll] [rising, 18, 0, 0, 1]
[C:Program FilesRisingAntiSpywareieprot.dll] [Beijing Rising Technology Co., Ltd., 1, 0, 0, 10]
[C:Syswm1jGhook.dll] [N/A, ]
[PID: 4020][C:WINDOWSmsagentAgentSvr.exe] [Microsoft Corporation, 2.00.0.3424]
[C:PROGRA~1Yahoo!ASSIST~1Yhelper.dll] [N/A, ]
[C:Program FilesRisingAntiSpywareieprot.dll] [Beijing Rising Technology Co., Ltd., 1, 0, 0, 10]
[C:Syswm1jGhook.dll] [N/A, ]
[PID: 2208][C:WINDOWSexplorer.exe] [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
[C:Program FilesRisingAntiSpywareieprot.dll] [Beijing Rising Technology Co., Ltd., 1, 0, 0, 10]
[C:Syswm1jGhook.dll] [N/A, ]
[C:Program FilesCommon FilesMicrosoft SharedMSINFONewInfo.dll] [N/A, ]
[e:program files ising fwjifvpyyl.dll] [N/A, ]
[D:Program FilesAdobeAcrobat 7.0ActiveXPDFShell.dll] [Adobe Systems, Inc., 7.0.0.0]
[C:WINDOWSsystem32ldmedia4.dll] [N/A, ]
[C:WINDOWSsystem32mppds.dll] [N/A, ]
[e:program files ising fwzpkjuwgv.dll] [N/A, ]
[C:DOCUME~1李牧原\LOCALS~1TempQqzo0.dll] [N/A, ]
[PID: 3780][C:WINDOWSsystem32conime.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:Program FilesRisingAntiSpywareieprot.dll] [Beijing Rising Technology Co., Ltd., 1, 0, 0, 10]
[C:Syswm1jGhook.dll] [N/A, ]
[PID: 3624][C:DOCUME~1李牧原\LOCALS~1TempRar$EX02.359SREng.EXE] [Smallfrogs Studio, 2.4.12.806]
[C:Program FilesRisingAntiSpywareieprot.dll] [Beijing Rising Technology Co., Ltd., 1, 0, 0, 10]
[C:Syswm1jGhook.dll] [N/A, ]
[C:DOCUME~1李牧原\LOCALS~1TempQqzo0.dll] [N/A, ]
[C:WINDOWSsystem32ldmedia4.dll] [N/A, ]

==================================

http://bbs.pep.com.cn/viewthread.php?tid=90515
秋风树林的这个精华帖对于进程的名称已经讲得很明白了，对于进程名我就不想多说什么了。

下面讲一下分析方法：
PID:XXX：对于这一项，有兴趣的朋友可以参考一下10楼：什么是PID（进程标识符）
一般来说，进程前面没有[PID:XXXX]的进程是安全的，不用去分析。
我这个日志是用旧版的SREng扫描的，新版的SREng在进程前面的方括号[ ]里除了PID参数外，还有用户名。我的新版日志的方括号里面就是这样的：
[PID: 932 / SYSTEM][SystemRootSystem32smss.exe]  [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 296 / 李牧原][C:WINDOWSExplorer.EXE]  [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]

“PID:XXX/　”后面的SYSTEM和李牧原就是运行这项进程的用户名。SYSTEM说明这项进程为系统进程。

PID参数后面的，就是进程路径了。SystemRoot，如果是NT和2000系统，就是X:WINNT，如果是XP之类的，就是C:WINDOWS。再后面，就是公司信息。和前几项一样，如果是[N/A]或者假冒Microsoft Corporation，那么就是有问题的。

进程名称的下几行（如果有的话）是进程加载的dll。一般来说，有[N/A]的就是有问题的。这时候应该用Google搜索一下这个dll，如果发现有问题或者根本搜索不到，就应该删除。有的dll名称是随机的n位字母数字，一般来说都是有问题的。如：
[C:WINDOWSsystem32ldmedia4.dll] [N/A, ]
[C:WINDOWSsystem32mppds.dll] [N/A, ]
[e:program files ising fwzpkjuwgv.dll] [N/A, ]

对于Explorer.EXE加载的dll要格外注意！

Hijackthis的作用在这里就显示出来啦！对应hijackhtis的02、03、08、09、016项，可以用 Hijackthis辅助分析，注意假冒假冒microsoft和macromedia的项

Hijackthis的使用及分析方法可以看人教论坛Full-Moon版主的置顶帖。

不过要讲的是SREng日志的分析方法，这一项也不能略过……

这次引用下竹风铃的日志……

Quote:

浏览器加载项
[Thunder Browser Helper]
  {06849E9E-C8D7-4D59-B87D-784B7D6BE0B3} <D:迅雷\ComDllsXunLeiBHO_007.dll, Thunder Networking Technologies,LTD>
[AcroIEHlprObj Class]
  {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} <C:Program FilesAdobeAcrobat 6.0ReaderActiveXAcroIEHelper.dll, Adobe Systems Incorporated>
[启动迅雷5]
  {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} <D:迅雷\Thunder.exe, Thunder Networking Technologies,LTD>
[豪杰超级解霸V8]
  {367E0A21-8601-4986-9C9A-153BF5ACA118} <D:豪杰超级解霸V8STHSDVD.EXE, N/A>
[信息检索(&R)]
  {92780B25-18CC-41C8-B9BE-3C9C571A8263} <C:PROGRA~1MICROS~2OFFICE11REFIEBAR.DLL, Microsoft Corporation>
[Windows Genuine Advantage Validation Tool]
  {17492023-C23A-453E-A040-C7C580BBF700} <C:WINDOWSsystem32LegitCheckControl.DLL, Microsoft Corporation>
[Tencent Safety Online Base Module]
  {C09B522F-8AED-4E21-A65C-DC1AB652BAEE} <C:WINDOWSDOWNLO~1TSOBase.ocx, Tencent Corporation>
[ScienceWord Control 5.0]
  {C29E7AB7-8C79-421A-AB75-0AE00E848C2D} <C:WINDOWSsystem32SCIENC~1.OCX, Novoasoft Corporation>
[Shockwave Flash Object]
  {D27CDB6E-AE6D-11CF-96B8-444553540000} <C:WINDOWSsystem32MacromedFlashFlash9b.ocx, Adobe Systems, Inc.>
[CPasswordEditCtrl Object]
  {E787FD25-8D7C-4693-AE67-9406BC6E22DF} <C:WINDOWSsystem32qqeditqqedit.dll, 腾讯科技（深圳）有限公司>
[Thunder Browser Helper]
  {06849E9E-C8D7-4D59-B87D-784B7D6BE0B3} <D:迅雷\ComDllsXunLeiBHO_007.dll, Thunder Networking Technologies,LTD>
[AcroIEHlprObj Class]
  {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} <C:Program FilesAdobeAcrobat 6.0ReaderActiveXAcroIEHelper.dll, Adobe Systems Incorporated>
[HTML Document]
  {25336920-03F9-11CF-8FD0-00AA00686F13} <%SystemRoot%system32mshtml.dll, N/A>
[Windows Media Player]
  {6BF52A52-394A-11D3-B153-00C04F79FAA6} <C:WINDOWSsystem32wmp.dll, Microsoft Corporation>
[Thunder Browser Helper]
  {889D2FEB-5411-4565-8998-1DD2C5261283} <D:迅雷\ComDllsXunLeiBHO_007.dll, Thunder Networking Technologies,LTD>
[SearchAssistantOC]
  {B45FF030-4447-11D2-85DE-00C04FA35C89} <%SystemRoot%system32shdocvw.dll, N/A>
[AUDIO__MP3 Moniker Class]
  {CD3AFA76-B84F-48F0-9393-7EDC34128127} <C:WINDOWSsystem32wmp.dll, Microsoft Corporation>
[VIDEO__X_MS_ASF Moniker Class]
  {CD3AFA8F-B84F-48F0-9393-7EDC34128127} <C:WINDOWSsystem32wmp.dll, Microsoft Corporation>
[Shockwave Flash Object]
  {D27CDB6E-AE6D-11CF-96B8-444553540000} <C:WINDOWSsystem32MacromedFlashFlash9b.ocx, Adobe Systems, Inc.>
[&使用迅雷下载]
  <D:迅雷\Programgeturl.htm, N/A>
[&使用迅雷下载全部链接]
  <D:迅雷\Programgetallurl.htm, N/A>
[上传到QQ网络硬盘]
  <E:QAddToNetDisk.htm, N/A>
[导出到 Microsoft Office Excel(&X)]
  <res://C:PROGRA~1MICROS~2OFFICE11EXCEL.EXE/3000, N/A>
[添加到QQ自定义面板]
  <E:QAddPanel.htm, N/A>
[添加到QQ表情]
  <E:QAddEmotion.htm, N/A>
[用QQ彩信发送该图片]
  <E:QSendMMS.htm, N/A>
[豪杰超级解霸V8实时播放]
  <D:豪杰超级解霸V8MPURLGET.HTM, N/A>

==================================

粉色的是浏览器加载项名（也就是常说的BHO），蓝色部分是CLSID（有的BHO没有CLSID），一般每一种BHO都有唯一的CLSID，否则可能会有冲突，不用去分析。橙色部分是文件路径，紫色部分为公司名称。

分析的时候还是要注意公司名称，对公司名为N/A的，Google搜索一下。
下列几个为排除项目：
[HTML Document]
  {25336920-03F9-11CF-8FD0-00AA00686F13} <%SystemRoot%system32mshtml.dll, N/A>
[SearchAssistantOC]
  {B45FF030-4447-11D2-85DE-00C04FA35C89} <%SystemRoot%system32shdocvw.dll, N/A>
还有最下面那几项QQ和迅雷的，如果文件路径没有问题，也可以排除。

感谢ho121在我写这一项时对我的帮助！^_^

这里的服务和驱动，显示的是非Windows自带的第三方服务驱动。
粉红色的是服务或驱动的名称，红色的是状态，蓝色的是启动方式，橙色的为文件的路径，紫色的为公司名称信息。

[Human Interface Device Access / HidServ][Stopped/Disabled]
  <C:WINDOWSSystem32svchost.exe -k netsvcs-->%SystemRoot%System32hidserv.dll><N/A>
这个服务，如果在进程里面没有特殊项的时候，是可信的，不用管它。
如果发现有其他的公司名称为N/A的或者假冒微软的服务和驱动，还有的服务驱动名称很奇怪，这样用Google和百度都搜索一下，搜索不到就有问题了。
再引用下kuing的日志……

Quote:

服务
[Human Interface Device Access / HidServ][Stopped/Disabled]
  <C:WINDOWSSystem32svchost.exe -k netsvcs-->%SystemRoot%System32hidserv.dll><N/A>
[Rising Proxy  Service / RfwProxySrv][Stopped/Manual Start]
  <c:program files ising fw fwproxy.exe><Beijing Rising Technology Co., Ltd.>
[Rising Personal Firewall Service / RfwService][Running/Auto Start]
  <c:program files ising fw fwsrv.exe><Beijing Rising Technology Co., Ltd.>
[Rising Process Communication Center / RsCCenter][Running/Auto Start]
  <"C:Program FilesRisingRavCCenter.exe"><Beijing Rising Technology Co., Ltd.>
[Rising RealTime Monitor / RsRavMon][Running/Auto Start]
  <"C:PROGRAM FILESRISINGRAVRavmond.exe"><Beijing Rising Technology Co., Ltd.>
==================================
驱动程序
[2310_00 / 2310_00][Stopped/Boot Start]
  <SystemRootSystem32BIRD2310_00.sys><HighPoint Technologies, Inc.>
[3WAREDRV / 3WAREDRV][Stopped/Boot Start]
  <SystemRootSystem32BIRD3WAREDRV.SYS><N/A>
[A320RAID / A320RAID][Stopped/Boot Start]
  <SystemRootSystem32BIRDa320raid.sys><Adaptec, Inc.>
[AAC / AAC][Stopped/Boot Start]
  <SystemRootSystem32BIRDaac.sys><Adaptec, Inc.>
[AACSAS / AACSAS][Stopped/Boot Start]
  <SystemRootSystem32BIRDaacsas.sys><Adaptec, Inc.>
[Service for Realtek AC97 Audio (WDM) / ALCXWDM][Running/Manual Start]
  <system32driversALCXWDM.SYS><Realtek Semiconductor Corp.>
[AmdK8 Compatible Device / AmdK8][Stopped/System Start]
  <System32BIRDamdk8.sys><Advanced Micro Devices>
[ARCM_X86 / ARCM_X86][Stopped/Boot Start]
  <SystemRootSystem32BIRDarcm_x86.sys><ARECA  Technology Corporation>
[Rising TDI Base Driver / BaseTDI][Running/Auto Start]
  <System32DRIVERSBaseTDI.SYS><Beijing Rising Technology Co., Ltd.>
[BCHTSW32 / BCHTSW32][Stopped/Boot Start]
  <SystemRootSystem32BIRDchtsw32.sys><Broadcom Corporation>
[dpti2o / dpti2o][Running/Boot Start]
  <SystemRootSystem32BIRDdpti2o.sys><Microsoft Corporation>
[ExpScaner / ExpScaner][Running/Auto Start]
  <??C:PROGRAM FILESRISINGRAVExpScan.sys><>
[FASTSX / FASTSX][Running/Boot Start]
  <SystemRootSystem32BIRDfastsx.sys><Promise Technology, Inc.>
[FASTTRAK / FASTTRAK][Running/Boot Start]
  <??C:WINDOWSsystem32drivershjg47ql8p.sys><N/A>
[HookCont / HookCont][Running/Auto Start]
  <??C:PROGRAM FILESRISINGRAVHOOKCONT.sys><Rising>
[HookReg / HookReg][Running/Auto Start]
  <??C:PROGRAM FILESRISINGRAVHookReg.sys><>
[HookSys / HookSys][Running/Auto Start]
  <??C:PROGRAM FILESRISINGRAVHookSys.sys><Rising>
[HookUrl / HookUrl][Running/Auto Start]
  <??C:Program FilesRisingRfwHookUrl.sys><Beijing Rising Technology Co., Ltd.>
[HPT3XX / HPT3XX][Stopped/Boot Start]
  <SystemRootSystem32BIRDhpt3xx.sys><HighPoint Technologies, Inc.>
[ialm / ialm][Running/Manual Start]
  <system32DRIVERSialmnt5.sys><Intel Corporation>
[IASTOR / IASTOR][Running/Boot Start]
  <SystemRootSystem32BIRDiaStor.sys><Intel Corporation>
  <SystemRootSystem32BIRDm5289.sys><ULi Electronics Inc.>
[MEGAIDE / MEGAIDE][Running/Boot Start]
  <SystemRootSystem32BIRDMegaIDE.sys><LSI Logic Corporation.>
[MEMSCAN / MEMSCAN][Running/Auto Start]
  <??C:PROGRAM FILESRISINGRAVMEMSCAN.sys><瑞星软件有限公司>
[mProcRs / mProcRs][Running/Auto Start]
  <??c:program files ising fwmProcRs.sys><Beijing Rising Technology Co., Ltd.>
[mraid35x / mraid35x][Running/Boot Start]
  <SystemRootSystem32BIRDmraid35x.sys><LSI Logic Corporation>
[NFRD960 / NFRD960][Stopped/Boot Start]
  <SystemRootSystem32BIRD frd960.sys><IBM Corporation>
[Netgroup Packet Filter / NPF][Stopped/Manual Start]
  <system32drivers pf.sys><Politecnico di Torino>
[npkcrypt / npkcrypt][Running/Auto Start]
  <??C:Program FilesTencentQQ pkcrypt.sys><INCA Internet Co., Ltd.>
[nv / nv][Stopped/Manual Start]
  <system32DRIVERS v4_mini.sys><NVIDIA Corporation>
[NVATABUS / NVATABUS][Running/Boot Start]
  <SystemRootSystem32BIRDNVATABUS.SYS><NVIDIA Corporation>
[PNP680R / PNP680R][Stopped/Boot Start]
  <SystemRootSystem32BIRDpnp680r.sys><Silicon Image, Inc>
[Direct Parallel Link Driver / Ptilink][Running/Manual Start]
  <system32DRIVERSptilink.sys><Parallel Technologies, Inc.>
[ql1080 / ql1080][Running/Boot Start]
  <SystemRootSystem32BIRDql1080.sys><QLogic Corporation>
[ql12160 / ql12160][Running/Boot Start]
  <SystemRootSystem32BIRDql12160.sys><QLogic Corporation>
[ql1280 / ql1280][Running/Boot Start]
  <SystemRootSystem32BIRDql1280.sys><QLogic Corporation>
[RAIDSRC / RAIDSRC][Stopped/Boot Start]
  <SystemRootSystem32BIRD aidsrc.sys><Intel/ICP>
[RR232X / RR232X][Stopped/Boot Start]
  <SystemRootSystem32BIRD r232x.sys><HighPoint Technologies, Inc.>
[RsAntiSpyware / RsAntiSpyware][Running/Boot Start]
  <SystemRootsystem32driversRsBoot.sys><Beijing Rising Technology Co., Ltd.>
[RsFwDrv / RsFwDrv][Running/Auto Start]
  <??C:Program FilesRisingRfwRsFwDrv.sys><Beijing Rising Technology Co., Ltd.>
[RsNTGDI / RsNTGDI][Running/Boot Start]
  <SystemRootsystem32DriversRsNTGdi.sys><Beijing Rising Technology Co., Ltd.>
[RSPPSYS / RSPPSYS][Running/Auto Start]
  <??C:PROGRAM FILESRISINGRAVRSPPSYS.sys><Rising>
[Realtek RTL8139/810x/8169/8110 all in one NDIS XP Driver / RTL8023xp][Running/Manual Start]
  <system32DRIVERSRtlnicxp.sys><Realtek Semiconductor Corporation>
[Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver / rtl8139][Stopped/Manual Start]
  <system32DRIVERSRTL8139.SYS><Realtek Semiconductor Corporation>
[S150SX8 / S150SX8][Running/Boot Start]
  <SystemRootSystem32BIRDS150sx8.sys><Promise Technology, Inc.>
[Secdrv / Secdrv][Stopped/Manual Start]
  <system32DRIVERSsecdrv.sys><N/A>
[SI3112 / SI3112][Stopped/Boot Start]
  <SystemRootSystem32BIRDSI3112.sys><Silicon Image, Inc.>
[sym_u3 / sym_u3][Running/Boot Start]
  <SystemRootSystem32BIRDsym_u3.sys><LSI Logic>
[TwoTrack Compatible Device / TwoTrack][Stopped/Manual Start]
  <System32DRIVERSTwoTrack.sys><IBM Corporation>
==================================

我把BIRD的驱动省略掉了好多，否则篇幅会是现在的n倍……
如果驱动程序的路径是SystemRootSystem32BIRD，完全可以无视掉……

[Secdrv / Secdrv][Stopped/Manual Start]
  <system32DRIVERSsecdrv.sys><N/A>

[klif / klif][Running/System Start]
  <??C:WINDOWSsystem32driversklif.sys><Kaspersky Lab>
这两个驱动程序都是可信的，虽然第二个有时候可能显示为有<N/A>，但大家也不用去管它，注意路径就可以了。
有时候会出现双驱动的情况，要格外注意！双驱动就是在一个路径下，同时出现两个文件名，文件名之间用空格隔开。这样的一定要看准啦！！

文件关联:一般来说，有Error的都是要修复的，除非关联的程序是自己安装的。例：txt的关联为UltraEdit-32。

Winsock 提供者：默认为N/A，如果不是N/A，先搜索一下，如果有问题，用LSPFix修复。修复后如果不能上网就用WinsockxpFix修复。
不过现在兔子，360，卡卡都有强力修复Winsock

Quote:

Winsock 提供者
MSAFD Tcpip [TCP/IP]
C:WINDOWSsystem32ldmedia4.dll(, N/A)
MSAFD Tcpip [RAW/IP]
C:WINDOWSsystem32ldmedia4.dll(, N/A)

==================================

这个ldmedia4.dll就是有问题的，修复之后再删除这个文件就行了

Autorun.inf：默认也是空值，如果有程序，先搜索一下，如果有问题，删除该程序。例：

Quote:

Autorun.inf
[C:]
[AutoRun]
open=auto.exe
shellexecute=auto.exe
shellAutocommand=auto.exe
[D:]
[AutoRun]
open=auto.exe
shellexecute=auto.exe
shellAutocommand=auto.exe
[E:]
[AutoRun]
open=auto.exe
shellexecute=auto.exe
shellAutocommand=auto.exe
[F:]
[AutoRun]
open=auto.exe
shellexecute=auto.exe
shellAutocommand=auto.exe
==================================

删除各磁盘根目录下的autorun.inf和auto.exe。

HOSTS 文件：默认值为：

Quote:

HOSTS 文件
127.0.0.1 localhost
==================================

如果和默认值不符，一般需要用SREng修复HOSTS文件。

进程特权扫描：搜索进程，如果是病毒，删除之。

API HOOK：先搜索那几个文件，如果有问题，启动SREng时，右下角会出来提示，先点击“查看详情”，再点“修复入口点错误”就可以了。

隐藏进程：搜索进程，如果是病毒，删除之。