woauolt.exe, System.exe, Update.dll, MPKrnl.dll, 360mon.dll, upnpsrv.dll, etc. (1)

endurer (original post)
2008-11-14, part 1
A friend said his computer had become very slow lately and would hang when dialing up to the Internet, and asked me to help check it.
I scanned with pe_xscan and analyzed the log, and found the following suspicious items (the process module listing is partially elided):
pe_xscan 07-07-21 by Purple Endurer 
2000-1-1 8:26:35
Windows XP Service Pack 2(5.1.2600)
管理员用户组
[System Process] 0
C:/windows/system32/csrss.exe 508 2004-8-23 16:0:0 Microsoft? Windows? Operating System 5.1.2600.2180 Client Server Runtime Process ? Microsoft Corporation. All rights reserved. 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft Corporation ? CSRSS.Exe CSRSS.Exe
C:/windows/system32/winlogon.exe 532 2004-8-23 16:0:0 Microsoft(R) Windows(R) Operating System 5.1.2600.2180 Windows NT Logon Application (C) Microsoft Corporation. All rights reserved. 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft Corporation ? winlogon WINLOGON.EXE
C:/windows/system32/services.exe 576 2004-8-23 16:0:0 Microsoft(R) Windows(R) Operating System 5.1.2600.2180 Services and Controller app (C) Microsoft Corporation. All rights reserved. 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft Corporation ? services.exe services.exe
C:/windows/system32/lsass.exe 588 2004-8-23 16:0:0 Microsoft? Windows? Operating System 5.1.2600.2180 LSA Shell (Export Version) ? Microsoft Corporation. All rights reserved. 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft Corporation ? lsass.exe lsass.exe
C:/windows/system32/svchost.exe 744 2004-8-23 16:0:0 Microsoft? Windows? Operating System 5.1.2600.2180 Generic Host Process for Win32 Services ? Microsoft Corporation. All rights reserved. 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft Corporation ? svchost.exe svchost.exe
   2005-7-26 12:39:50 Microsoft? Windows? Operating System 5.1.2600.2726 Distributed COM Services ? Microsoft Corporation. All rights reserved. 5.1.2600.2726 (xpsp_sp2_gdr.050725-1528) Microsoft Corporation ? rpcss.dll rpcss.dll
C:/windows/system32/svchost.exe 1056 2004-8-23 16:0:0 Microsoft? Windows? Operating System 5.1.2600.2180 Generic Host Process for Win32 Services ? Microsoft Corporation. All rights reserved. 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft Corporation ? svchost.exe svchost.exe
   2004-8-23 16:0:0 Microsoft(R) Windows(R) Operating System 7.00.5730.13 UPnP Device Host Service ? Microsoft Corporation. All rights reserved. 7.00.5730.13 (longhorn(wmbla).070711-1130) Microsoft Corporation ? UPNPSRV.DLL UPNPSRV.DLL
C:/windows/System32/svchost.exe 1316 2004-8-23 16:0:0 Microsoft? Windows? Operating System 5.1.2600.2180 Generic Host Process for Win32 Services ? Microsoft Corporation. All rights reserved. 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft Corporation ? svchost.exe svchost.exe
   2004-8-17 20:0:0 STMP 5.1.2600.2180 Microsoft STMP Manager API (uses WinSNMP) Copyright @ 2004 5.1.2600.2180 @ Microsoft Corporation. All rights reserved. STMP STMP.dll
C:/WINDOWS/system32/Userinit.exe 1604 2004-8-23 16:0:0 Microsoft(R) Windows(R) Operating System 5, 1, 2600, 2180 Userinit Logon Application (C) Microsoft Corporation. All rights reserved. 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft Corporation USERINIT.EXE userinit.exe
C:/windows/explorer.exe 1664 2004-8-23 16:0:0 Microsoft(R) Windows(R) Operating System 6.00.2900.2180 Windows Explorer (C) Microsoft Corporation. All rights reserved. 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) Microsoft Corporation ? explorer EXPLORER.EXE
   2004-8-23 16:0:0 Microsoft(R) Windows(R) Operating System 7.00.5730.13 UPnP Device Host Service ? Microsoft Corporation. All rights reserved. 7.00.5730.13 (longhorn(wmbla).070711-1130) Microsoft Corporation ? UPNPSRV.DLL UPNPSRV.DLL
   2000-1-1 0:28:6 ThunderAdvise Module 5, 0, 8, 74 ThunderAdvise Module Copyright 2004-2008 5, 0, 8, 74 Thunder Networking Technologies,LTD ? ThunderAdvise ?
C:/windows/system32/ctfmon.exe 1864 2004-8-23 16:0:0 Microsoft? Windows? Operating System 5.1.2600.2180 CTF Loader ? Microsoft Corporation. All rights reserved. 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft Corporation ? CTFMON CTFMON.EXE
C:/windows/system32/rundll32.exe 2768 2004-8-23 16:0:0 Microsoft(R) Windows(R) Operating System 5.1.2600.2180 Run a DLL as an App (C) Microsoft Corporation. All rights reserved. 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft Corporation ? rundll RUNDLL.EXE
3056 2008-10-16 10:21:40 HB Inject Application 1, 2, 1, 1007 HB Inject Application Version 1.2.1.1007 Copyright ? 2008, HB Software 1, 2, 1, 1007 HB Software ? HBInject HBInject.exe
C:/windows/system32/rundll32.exe 3144 2004-8-23 16:0:0 Microsoft(R) Windows(R) Operating System 5.1.2600.2180 Run a DLL as an App (C) Microsoft Corporation. All rights reserved. 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft Corporation ? rundll RUNDLL.EXE
C:/windows/system32/rundll32.exe 3236 2004-8-23 16:0:0 Microsoft(R) Windows(R) Operating System 5.1.2600.2180 Run a DLL as an App (C) Microsoft Corporation. All rights reserved. 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft Corporation ? rundll RUNDLL.EXE
3576 2008-10-16 10:13:10
   2008-10-16 10:13:10
F2 - REG: system.ini: UserInit=,

O2 - BHO Info cache - {285AB8C6-FB22-4D17-8834-064E2BA0A6F0} -
O2 - BHO ThunderHlpObj Class - {97421D0D-E07F-40DF-8F07-99597B9585AD} -
O2 - BHO - {F6A454AE-156A-415E-9F89-3795677A8A91} -
O4 - HKLM/../Run: [361kary]
O4 - HKLM/../Run: [HBService32]
O4 - HKLM/../Run: [3PMmUpdate] rundll32 ,Main
O4 - HKLM/../Run: [MPKrnl] rundll32 ,KrnlMsgProc
O4 - HKLM/../Policies/Explorer/Run: [visin]
O4 - HKLM/../Policies/Explorer/Run: [kcodn]
O4 - HKLM/../Policies/Explorer/Run: [nwiz]
O4 - HKLM/../Policies/Explorer/Run: [MPMKrnl] rundll32 ,KMainProc
O20 - AppInit_DLLs =,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
O20 - Winlogon Notify: xy3safe -
O21 - SSODL - Upnp(A) - {DE01DA19-A6A8-EB80-4D47-248DEB2A9399} =
O21 - SSODL - ThunderAdvise(ThunderHlpObj Class) - {97421D0D-E07F-40DF-8F07-99597B9585AD} =
O23 - 服务: 19b5406 (19b5406) - 2000-1-1 0:12:8(手动)
O23 - 服务: 4901228 (4901228) - 2008-10-16 10:23:14(手动)
O23 - 服务: 4c70249 (4c70249) - 2008-10-16 10:25:38(手动)
O23 - 服务: 5102a80 (5102a80) - 2000-1-2 0:54:28(手动)
O23 - 服务: 8882fa1 (8882fa1) - 2008-10-16 10:26:20(手动)
O23 - 服务: 9fd8db (9fd8db) - 2000-1-2 0:47:46(手动)
O23 - 服务: acpidisk (acpidisk) - 2008-11-12 10:27:44(自动)
O23 - 服务: aecff9 (aecff9) - 2008-10-16 10:24:12(手动)
O23 - 服务: AlerMang (Alerter Manager) - C:/windows/System32/svchost.exe -k krnlsrvc -> 2004-8-17 20:0:0 STMP 5.1.2600.2180 Microsoft STMP Manager API (uses WinSNMP) Copyright @ 2004 5.1.2600.2180 @ Microsoft Corporation. All rights reserved. STMP STMP.dll(自动)
O23 - 服务: aliimz () - (手动)
O23 - 服务: c39e8db (c39e8db) - 2000-1-1 0:25:52(手动)
O23 - 服务: c551839 (c551839) - 2008-10-16 10:26:44(手动)
O23 - 服务: ca99d57 (ca99d57) - 2000-1-1 0:39:30(手动)
O23 - 服务: cceus (cceus) - (引导)
O23 - 服务: d4f876 (d4f876) - 2008-10-16 10:23:52(手动)
O23 - 服务: d7b49fa (d7b49fa) - 2000-1-1 0:22:16(手动)
O23 - 服务: elsuo (elsuo) -(手动)
O23 - 服务: HBKernel32 (HBKernel32 Driver) - (引导)
O23 - 服务: msiffei () - (手动)
O23 - 服务: pppccc (pppccc) - 2000-1-1 0:14:6(手动)
O23 - 服务: SafeMon0 (360 safe mon) - 2000-1-1 0:16:40(系统)
O24 - ShlExecHook: [MICROSOFT] - {021F087F-4378-545F-74FA-37D345AD7A8C} =
O24 - ShlExecHook: [MICROSOFT] - {E8A3B193-77E3-4FB3-986D-F4FA4828BAFC} =
O24 - ShlExecHook: [MICROSOFT] - {C0595A7E-2E2F-4B34-A83A-019270A0A464} =
O24 - ShlExecHook: [MICROSOFT] - {A9895933-6636-4281-BC58-EE6DE2AF96E3} =
O24 - ShlExecHook: [MICROSOFT] - {0B846B26-BFE6-4E8E-A948-1DB17B77B483} =
O24 - ShlExecHook: [MICROSOFT] - {8C41B7F7-3168-400D-A702-0E7EFE0BA304} =
O24 - ShlExecHook: [MICROSOFT] - {17DFD111-BF3A-4CB4-ADB0-88FCBFE69821} =
O24 - ShlExecHook: [MICROSOFT] - {006CA8A1-61BC-4774-A54C-F49034270BAD} =
O24 - ShlExecHook: [MICROSOFT] - {EA5D4B0E-B8CE-4761-8C7E-5D26369F0EC6} =
O24 - ShlExecHook: [MICROSOFT] - {45AADFAA-DD36-42AB-83AD-0521BBF58C24} =
O24 - ShlExecHook: [MICROSOFT] - {4D165A2A-4BC1-4CA8-8299-08E05AAAB5A4} =
O24 - ShlExecHook: [MICROSOFT] - {B29583D8-033A-4B9F-8553-7C5458F3FB8E} =
O24 - ShlExecHook: [MICROSOFT] - {73AE86E6-7F03-4C3B-8980-FB1DA157D3C7} =
O24 - ShlExecHook: [MICROSOFT] - {1E51C0FD-EE36-434B-AD2A-FD1FF3731C38} =
O24 - ShlExecHook: [MICROSOFT] - {259BF3CF-194D-4FE6-9ADB-DE6544B098B6} =
O24 - ShlExecHook: [MICROSOFT] - {53D44DB6-E22B-4B17-97D3-572C96CCA6E1} =
O24 - ShlExecHook: [MICROSOFT] - {7914E0AA-ECCB-4311-B584-C49538227824} =
O24 - ShlExecHook: [MICROSOFT] - {50A8A8C4-EDC9-4ABD-A0A2-2E2418982189} =
O24 - ShlExecHook: [8] - {43ACDCC5-9009-4AF4-B80A-93BC656EF298} =
O24 - ShlExecHook: [F] - {DE02F764-C51A-4788-9597-D78ECC2AC08F} =
O24 - ShlExecHook: [0] - {C56BCC10-503E-43AB-B208-3CD37FCFCE40} =
O24 - ShlExecHook: [C] - {122B901E-493F-4AD9-BC69-7DE8C3E52FCC} =
O24 - ShlExecHook: [8] - {82710040-F86E-42E0-B1F8-04EDF75856F8} =
O24 - ShlExecHook: [B] - {C250CF20-5F89-4310-9854-4BC261FB14FB} =
O24 - ShlExecHook: [8] - {E4814792-EFA3-4C20-93D0-8B130A59F9A8} =
O24 - ShlExecHook: [6] - {22D75360-199D-4F79-880D-82E766675F06} =
O24 - ShlExecHook: [0] - {3474A8C2-BEF9-46C8-983A-A26A0030EC30} =
O24 - ShlExecHook: [C] - {7ADC2AB1-5C6A-4178-82DA-94863354AF7C} =
O24 - ShlExecHook: [F] - {4BF9CBA3-8DEE-41A1-8BDB-FC28D30E949F} =
O24 - ShlExecHook: [B] - {DA63E650-537C-4042-87BB-9D19D844680B} =
O24 - ShlExecHook: [F] - {B3721C07-62B3-411A-9DC7-F5F27E3E21FF} =
O24 - ShlExecHook: [1] - {4EFDDEBE-303C-4D1A-8C9E-E4F215C43651} =
O24 - ShlExecHook: [1] - {8566F82E-03A4-416E-AEAC-66600D8881F1} =
O24 - ShlExecHook: [0] - {495271CA-D0C6-4052-ABE6-5B01C73CDFB0} =
O24 - ShlExecHook: [E] - {08223B03-1B38-4A33-A83A-A4D3CC1D6E4E} =
O24 - ShlExecHook: [3] - {9CA963CA-107C-4089-B0AB-31380F90D7E3} =
O24 - ShlExecHook: [E] - {58FF3024-8A83-4B1A-88E9-302F47646EEE} =
O24 - ShlExecHook: [3] - {D7C79813-9233-4AE0-832C-99B2E8019673} =
O24 - ShlExecHook: [F] - {CABA599D-5089-4865-9420-E41FA3C1F55F} =
O24 - ShlExecHook: [2] - {3D144530-43DA-47CC-B7C7-A3A9F3B9A6B2} =
O24 - ShlExecHook: [B] - {E3367679-4775-4244-A62E-4CFE58FC850B} =
O24 - ShlExecHook: [1] - {12B02216-AC3F-42A7-8313-449771237061} =
O24 - ShlExecHook: [1] - {9F684DE8-3E87-4174-9033-E02A3DFD8B61} =
O24 - ShlExecHook: [F] - {E0D39066-96D7-4891-8527-488ADAFCD60F} =
O24 - ShlExecHook: [A] - {DFEC5CB7-E2AA-4B0A-BEB3-D140E59ED53A} =
O24 - ShlExecHook: [F] - {2EF0D734-21FD-4225-A1A2-BCD296182AAF} =
O24 - ShlExecHook: [] - {F6A454AE-156A-415E-9F89-3795677A8A91} =
O24 - ShlExecHook: [4] - {BA7EDF54-8408-4B21-B351-7B447B344BA4} =
O24 - ShlExecHook: [C] - {F65BDEC7-4BF3-4512-840F-68B166B6D7AC} =
O24 - ShlExecHook: [8] - {66AFCB56-FAA9-42D2-8C72-2767A46C7FA8} =
O24 - ShlExecHook: [1] - {3F21AA0C-2A9E-4BE9-9083-9E58AB41BA01} =
O24 - ShlExecHook: [8] - {59964D2B-044A-40AE-8837-0ED9EE8BDA08} =
O24 - ShlExecHook: [C] - {F2CBFAC4-6FF9-4DE9-BCB1-0F2FA2AA0B4C} =
O24 - ShlExecHook: [4] - {F8E07BB2-7A19-4057-80F1-E14646E630B4} =
O24 - ShlExecHook: [4] - {E5D39975-A103-4A21-9EE9-A638E9DD9EB4} =
O24 - ShlExecHook: [6] - {4D023DE9-F4B5-4BE0-99C6-7C7AD0CF5426} =
O24 - ShlExecHook: [F] - {93DEE065-EC9B-4505-ADD3-19880AD3C38F} =
O24 - ShlExecHook: [9] - {C8FFD223-C0FB-40C5-94A0-FD7891AC18E9} =
O24 - ShlExecHook: [B] - {5243F5FA-75D6-4469-90A8-A181E2AAAA5B} =
O24 - ShlExecHook: [8] - {01AFE3DC-2242-436E-9B44-6DD1C664E828} =
O24 - ShlExecHook: [4] - {70B0129E-726E-4789-A7C0-5DDC33241E94} =
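As an added example (not part of the original post and not pe_xscan's own code), a small Python triage script that applies the same heuristics an analyst uses on a log like the one above: rundll32 autoruns with an empty DLL path, services with random hex-style names or no file path on disk, an AppInit_DLLs value that is only commas, and ShlExecHook entries with empty or one-character names. The sample lines are constructed from the formats shown in the log; the regexes and thresholds are my assumptions, and entries such as the svchost -k group loading STMP.dll are deliberately left to manual review because no path rule catches them.

```python
import re

# Constructed sample in the pe_xscan (HijackThis-style) line format seen in the log.
SAMPLE_LOG = """\
O4 - HKLM/../Run: [361kary]
O4 - HKLM/../Run: [3PMmUpdate] rundll32 ,Main
O4 - HKLM/../Run: [MPKrnl] rundll32 ,KrnlMsgProc
O4 - HKLM/../Run: [ctfmon] C:/windows/system32/ctfmon.exe
O4 - HKLM/../Policies/Explorer/Run: [MPMKrnl] rundll32 ,KMainProc
O20 - AppInit_DLLs =,,,,,,,,,,,,
O23 - 服务: 19b5406 (19b5406) - 2000-1-1 0:12:8(手动)
O23 - 服务: 4901228 (4901228) - 2008-10-16 10:23:14(手动)
O23 - 服务: aliimz () - (手动)
O23 - 服务: AlerMang (Alerter Manager) - C:/windows/System32/svchost.exe -k krnlsrvc -> STMP.dll(自动)
O23 - 服务: Spooler (Print Spooler) - C:/windows/system32/spoolsv.exe(自动)
O24 - ShlExecHook: [MICROSOFT] - {021F087F-4378-545F-74FA-37D345AD7A8C} =
O24 - ShlExecHook: [8] - {43ACDCC5-9009-4AF4-B80A-93BC656EF298} =
O24 - ShlExecHook: [] - {F6A454AE-156A-415E-9F89-3795677A8A91} =
"""

# Assumed line shapes; pe_xscan's real grammar may differ in details.
O4_RE = re.compile(r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - [^:]+: (?P<name>\S+) \((?P<disp>[^)]*)\) -\s*(?P<detail>.*)$")
O24_RE = re.compile(r"^O24 - ShlExecHook: \[(?P<name>[^\]]*)\] - \{(?P<clsid>[0-9A-Fa-f-]+)\}")
HEX_NAME_RE = re.compile(r"^[0-9a-f]{5,8}$")  # names like 19b5406, aecff9, d4f876


def check_line(line):
    """Return a reason string if the line looks suspicious, else None."""
    line = line.rstrip()
    m = O4_RE.match(line)
    if m:
        cmd = m.group("cmd").strip()
        if not cmd:
            return "O4 autorun with no command recorded"
        if cmd.lower().startswith("rundll32"):
            # "rundll32 ,Main": the DLL argument before the comma is missing.
            dll = cmd[len("rundll32"):].split(",", 1)[0].strip()
            if not dll:
                return "O4 rundll32 autorun with empty DLL path"
        return None
    m = O23_RE.match(line)
    if m:
        name = m.group("name")
        # Drop the trailing start-type marker such as (手动) / (自动).
        detail = re.sub(r"\([^)]*\)\s*$", "", m.group("detail")).strip()
        if HEX_NAME_RE.match(name):
            return "O23 service with random hex-style name"
        if ":/" not in detail and ":\\" not in detail:
            return "O23 service with no file path recorded"
        return None
    m = O24_RE.match(line)
    if m and len(m.group("name")) <= 1:
        return "O24 ShlExecHook with empty or single-character name"
    if line.startswith("O20 - AppInit_DLLs") and re.search(r"=,{2,}", line):
        return "O20 AppInit_DLLs value is only a run of commas"
    return None


def triage(log_text):
    """Return a list of (line, reason) pairs for every suspicious line."""
    hits = []
    for raw in log_text.splitlines():
        reason = check_line(raw)
        if reason:
            hits.append((raw, reason))
    return hits


if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG):
        print(f"{why}: {entry}")
```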

(To be continued)