Continued from the previous post: a fairly thorough method for removing the "Proxy Trojan Downloader"
Only today did I discover that the "Proxy Trojan Downloader" virus I removed by hand the day before yesterday had not been cleaned out completely. It kept coming back; even after I reinstalled the system N times, the IE home page, hijacked to www.4419.com, was still smiling proudly at me. In the end I found it: the virus was hiding in QQ on drive D. I spent this evening studying what it does. Below are my research notes and what I believe is a fairly thorough removal method.
I. Information gathered by monitoring the malicious web page, the file system and the registry
Tools used: Filemon NT by Mark Russinovich and Bryce Cogswell http://www.sysinternals.com
Regmon by Mark Russinovich and Bryce Cogswell http://www.sysinternals.com
regshot 1.7 by TiANWEi http://regshot.yeah.net/
Information gathered by monitoring the web page http://www.4199.com:
Creates the file
C:\WINDOWS\system32\rsrc.dll
IE opens port 3570.
Information gathered by running and monitoring the suspicious file TIMPlatform.exe found on the hard disk:
Creates c:\windows\system32\drivers\modol.sys
Creates c:\windows\system32\ravdm.dll
Creates c:\windows\system32\rsrc.dll
Modifies C:\WINDOWS\system32\drivers\etc\hosts so that localhost resolves to 125.91.1.20
Adds registry startup entries:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"9"="C:\\WINDOWS\\system32\\Ravdm.exe"
"KernelCheck"="C:\\WINDOWS\\system32\\winasse.exe"
Drawing on similar problems seen on other computers, the following may also be present:
Creates c:\windows\vbarun.dll
Creates C:\WINDOWS\DNSAPI.dll
Creates C:\WINDOWS\hnetcfg.dll
Creates C:\WINDOWS\rasadhlp.dll
Creates c:\windows\system32\user.dll // the culprit that pops up http://www.4199.com
Creates c:\windows\system32\ravdm.exe
Creates C:\WINDOWS\system32\rundll32.com
Creates c:\windows\system32\realplayer.exe // the culprit that pops up http://www.7939.com
An autorun.inf file is placed in the root directory of each partition
Creates the following registry entries:
"000"="user.dll"
"001"="rsrc.dll"
[HKEY_USERS\S-1-5-21-2000478354-1715567821-1417001333-500\Software\Microsoft\Search Assistant\ACMru\5603]
"000"="user.dll"
"001"="rsrc.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"run"="rundll32 rsrc.dll s"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KASDisabled]
"rundll"="rundll32 user.dll s"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager]
"PendingFileRenameOperations"=hex(7):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,\
57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,00,73,00,79,00,73,00,74,00,65,\
00,6d,00,33,00,32,00,5c,00,64,00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,\
6d,00,6f,00,64,00,6f,00,6c,00,2e,00,73,00,79,00,73,00,00,00,00,00,00,00
// Note: the hex(7) value is the UTF-16 hexadecimal representation of the string \??\C:\WINDOWS\system32\drivers\modol.sys. PendingFileRenameOperations holds source/destination pairs, and an empty destination (the extra 00,00 after the path) tells Session Manager to delete the source file at the next boot.
Windows NT\CurrentVersion\Windows\load
(msconfig shows something suspicious here as well; I don't know what it is.)
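As an added example that is not part of the original post: the Python below decodes a regedit "hex(7):" export (joining the backslash continuation lines), splits the REG_MULTI_SZ buffer into its NUL-terminated strings while keeping empty elements, and pairs them up the way PendingFileRenameOperations is interpreted, so an empty destination is reported as a delete-on-reboot. The sample value is the one exported above; the function names are my own.

```python
import re

# Sample input: the PendingFileRenameOperations value exported above,
# copied verbatim including regedit's backslash line continuations.
SAMPLE_REG_VALUE = r'''"PendingFileRenameOperations"=hex(7):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,\
57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,00,73,00,79,00,73,00,74,00,65,\
00,6d,00,33,00,32,00,5c,00,64,00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,\
6d,00,6f,00,64,00,6f,00,6c,00,2e,00,73,00,79,00,73,00,00,00,00,00,00,00'''


def reg_hex7_bytes(value_text):
    """Return the raw bytes of a regedit 'hex(7):' (REG_MULTI_SZ) value."""
    _, sep, payload = value_text.partition("hex(7):")
    if not sep:
        raise ValueError("not a hex(7) value")
    # Join continuation lines (backslash at end of line), then keep only the tokens.
    payload = payload.replace("\\\r\n", "").replace("\\\n", "")
    payload = re.sub(r"\s+", "", payload)
    return bytes(int(tok, 16) for tok in payload.split(",") if tok)


def parse_multi_sz(raw):
    """Split a REG_MULTI_SZ buffer (UTF-16LE, NUL-terminated strings, double-NUL end)
    into a list of strings. Unlike str.split, empty elements are kept, because
    PendingFileRenameOperations uses an empty destination string to mean 'delete'."""
    text = raw.decode("utf-16-le")
    items = []
    while text:
        item, _, text = text.partition("\x00")
        items.append(item)
    if items and items[-1] == "":   # the final list terminator, not an entry
        items.pop()
    return items


def pending_file_operations(strings):
    """Pair the strings as (source, destination); empty destination = delete at boot.
    The \\??\\ prefix is the NT object-manager form of a Win32 path and is stripped."""
    if len(strings) % 2:            # odd count: last source has no destination
        strings = strings + [""]
    ops = []
    for src, dst in zip(strings[0::2], strings[1::2]):
        src_win32 = src[4:] if src.startswith("\\??\\") else src
        dst_win32 = dst[4:] if dst.startswith("\\??\\") else dst
        action = "delete" if dst_win32 == "" else "rename"
        ops.append((action, src_win32, dst_win32))
    return ops


if __name__ == "__main__":
    strings = parse_multi_sz(reg_hex7_bytes(SAMPLE_REG_VALUE))
    for action, src, dst in pending_file_operations(strings):
        print(action, src, "->", dst or "(none: file is removed at next boot)")
```

Run it on any exported PendingFileRenameOperations value to see which files are scheduled to disappear or move at the next reboot; it is one of the first things worth checking when a machine keeps "cleaning itself up" after each restart.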
II. Removal method. Items to remove: the virus files and the related registry entries
This virus has several variants, so some of the files listed below may not be present on your computer. Note that the genuine DNSAPI.dll, hnetcfg.dll, rasadhlp.dll and winlogon.exe live in C:\WINDOWS\system32; the copies of those names in C:\WINDOWS itself are the virus's, and the list below deliberately leaves the system32 originals alone.
Note: some files are hidden very deeply. "realplayer.exe", for example, cannot be found even after selecting "Show hidden files and folders" in Folder Options (files carrying both the system and hidden attributes are also covered by the separate "Hide protected operating system files" option). To check whether the file exists, run "attrib realplayer.exe" at the command prompt in its directory; clear the attributes with "attrib -s -h -r realplayer.exe" before deleting, since del skips hidden files unless told otherwise.
List of files to delete:
del C:\WINDOWS\DNSAPI.dll
del C:\WINDOWS\hnetcfg.dll
del C:\WINDOWS\rasadhlp.dll
del C:\WINDOWS\vbarun.dll
del c:\windows\winlogon.exe
del C:\WINDOWS\system32\realplayer.exe
del C:\WINDOWS\system32\Ravdm.exe
del C:\WINDOWS\system32\rsrc.dll
del C:\WINDOWS\system32\rundll32.com
del C:\WINDOWS\system32\winasse.exe
del C:\WINDOWS\system32\user.dll
del c:\windows\system32\drivers\modol.sys
Delete anything you do not recognise from the hosts file (path: C:\WINDOWS\system32\drivers\etc\), or simply delete the file altogether.
Delete autorun.inf from the root of d:\, e:\ and the other partitions.
Completely delete the QQ installation directory.
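One way to do the hosts check mechanically, as an added example rather than anything from the post: this Python reads a hosts file, strips comments, and reports every entry that either points localhost away from the loopback range (the modification described above) or is simply not part of the stock Windows hosts file. The sample file is constructed to contain the 125.91.1.20 mapping; the function names are mine.

```python
import ipaddress

# Constructed sample modelled on the modification described in the post:
# a stock XP hosts file with one extra localhost line and one unrelated entry.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
125.91.1.20     localhost
127.0.0.1       update.example.invalid   # constructed: not in the stock file
"""


def parse_hosts(text):
    """Return (line_number, address, [names]) for each active line; comments dropped."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        body = line.split("#", 1)[0].strip()   # drop trailing comments
        if not body:
            continue
        parts = body.split()
        entries.append((lineno, parts[0], parts[1:]))
    return entries


def audit_hosts(text):
    """Return (line_number, address, name, reason) for every entry worth a look."""
    findings = []
    for lineno, addr, names in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append((lineno, addr, " ".join(names), "address does not parse"))
            continue
        if not names:
            findings.append((lineno, addr, "", "no hostname on line"))
            continue
        for name in names:
            if name.lower() == "localhost":
                # The stock file maps localhost to 127.0.0.1 (and ::1); anything else
                # sends loopback traffic to a remote host.
                if not ip.is_loopback:
                    findings.append((lineno, addr, name, "localhost mapped off loopback"))
            else:
                # Stock XP hosts files contain only localhost; every other name
                # was added by something and deserves a look.
                findings.append((lineno, addr, name, "not a stock hosts entry"))
    return findings


if __name__ == "__main__":
    for lineno, addr, name, reason in audit_hosts(SAMPLE_HOSTS):
        print(f"line {lineno}: {addr} {name}  <- {reason}")
```

Point it at the real file with open(r"C:\WINDOWS\system32\drivers\etc\hosts").read() instead of the sample; any line it reports is a candidate for the author's "delete what you don't recognise" step.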
Then save the text below as a .reg file and double-click it to import it into the registry. A minus sign inside the square brackets means the whole key is deleted; a minus sign to the right of a value name means that value is deleted. Note that the newline at the end of the file must not be omitted. The first line, "Windows Registry Editor Version 5.00", is the header regedit requires; without it the file is rejected as "not a registry script".
If you can read the registry, it is best to check the items listed below yourself and delete the suspicious ones. Remember to back up the registry before making changes!
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"9"=-
"KernelCheck"=-
[-HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\5602]
[-HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\5603]
[-HKEY_USERS\S-1-5-21-2000478354-1715567821-1417001333-500\Software\Microsoft\Search Assistant\ACMru\5602]
[-HKEY_USERS\S-1-5-21-2000478354-1715567821-1417001333-500\Software\Microsoft\Search Assistant\ACMru\5603]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"run"=-
"rundll"=-
"realplayer"=-
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KASDisabled]
"rundll"=-
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager]
"PendingFileRenameOperations"=-
Appendix: system monitoring records
Below is the result of using regshot to compare the registry before and after running TIMPlatform.exe
日期时间:2006/10/3 18:57:26 , 2006/10/3 18:59:01
计算机名:CRACK , CRACK
使用者名:624 , 624
增加键:2
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
增加值:3
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\9: 43 3A 5C 57 49 4E 44 4F 57 53 5C 73 79 73 74 65 6D 33 32 5C 52 61 76 64 6D 2E 65 78 65 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
HKU\S-1-5-21-2000478354-1715567821-1417001333-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*\d: "D:\1499\before run tpf.hiv"
HKU\S-1-5-21-2000478354-1715567821-1417001333-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\hiv\c: "D:\1499\before run tpf.hiv"
修改值:5
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesProcessed: 0x00000019
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesProcessed: 0x0000001D
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesSuccessful: 0x00000013
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesSuccessful: 0x00000016
HKU\S-1-5-21-2000478354-1715567821-1417001333-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*\MRUList: "cba"
HKU\S-1-5-21-2000478354-1715567821-1417001333-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*\MRUList: "dcba"
HKU\S-1-5-21-2000478354-1715567821-1417001333-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\hiv\MRUList: "ba"
HKU\S-1-5-21-2000478354-1715567821-1417001333-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\hiv\MRUList: "cba"
HKU\S-1-5-21-2000478354-1715567821-1417001333-1003\Software\Microsoft\Windows NT\CurrentVersion\Windows\load: ""
HKU\S-1-5-21-2000478354-1715567821-1417001333-1003\Software\Microsoft\Windows NT\CurrentVersion\Windows\load: ""
文件增加:2
C:\WINDOWS\system32\drivers\modol.sys
C:\WINDOWS\system32\Ravdm.exe
文件修改:2
C:\WINDOWS\system32\config\software.LOG
C:\WINDOWS\system32\config\system.LOG
总计:14
Below are the file read/write records captured with Filemon
1274 2:58:06 TIMPlatform.exe:1456 WRITE D:\Program Files\tencent\QQ2006\TIMPlatfrom.exe SUCCESS Offset: 0 Length: 65536
1275 2:58:06 TIMPlatform.exe:1456 WRITE D:\Program Files\tencent\QQ2006\TIMPlatfrom.exe SUCCESS Offset: 65536 Length: 4096
1276 2:58:06 TIMPlatform.exe:1456 SET INFORMATION D:\Program Files\tencent\QQ2006\TIMPlatfrom.exe SUCCESS FileBasicInformation
1278 2:58:06 TIMPlatform.exe:1456 SET INFORMATION D:\Program Files\tencent\QQ2006\TIMPlatform.exe SUCCESS Length: 18740
1279 2:58:06 TIMPlatform.exe:1456 WRITE D:\Program Files\tencent\QQ2006\TIMPlatform.exe SUCCESS Offset: 0 Length: 18740
1280 2:58:06 TIMPlatform.exe:1456 SET INFORMATION D:\Program Files\tencent\QQ2006\TIMPlatform.exe SUCCESS FileBasicInformation
1282 2:58:06 TIMPlatform.exe:1456 SET INFORMATION C:\Documents and Settings\624\ntuser.dat.LOG SUCCESS Length: 49152
1283 2:58:07 svchost.exe:720 DELETE D:\1499\TIMPlatform.exe SUCCESS
Below is the Filemon capture from running the TIMPlatform.exe in the QQ installation directory after it had been replaced with the virus file. The capture is abridged, keeping the entries where file access failed; it shows which files the virus file looks for.
2 3:12:30 QQ.exe:400 OPEN D:\Program Files\tencent\QQ2006\TIMPlatform.exe.Manifest NOT FOUND Options: Open Access: All
3 3:12:30 TIMPlatform.exe:2044 OPEN C:\WINDOWS\Prefetch\TIMPLATFORM.EXE-0DEDB957.pf NOT FOUND Options: Open Access: All
13 3:12:30 TIMPlatform.exe:2044 OPEN D:\autorun.inf NOT FOUND Options: Open Access: All
14 3:12:30 TIMPlatform.exe:2044 OPEN D:\autorun.inf NOT FOUND Options: Open Access: All
15 3:12:30 TIMPlatform.exe:2044 OPEN C:\WINDOWS\Winlogon.exe NOT FOUND Options: Open Access: All
16 3:12:30 TIMPlatform.exe:2044 OPEN C:\WINDOWS\Winlogon.exe NOT FOUND Options: Open Access: All
17 3:12:30 TIMPlatform.exe:2044 CREATE C:\WINDOWS\system32\Drivers\modol.sys SHARING VIOLATION Options: OverwriteIf Access: All
25 3:12:30 TIMPlatform.exe:2044 OPEN C:\WINDOWS\AppPatch\sysmain.sdb SUCCESS Options: Open Access: All
26 3:12:30 TIMPlatform.exe:2044 OPEN C:\WINDOWS\AppPatch\systest.sdb NOT FOUND Options: Open Access: All
27 3:12:30 TIMPlatform.exe:2044 OPEN D:\Program Files\tencent\QQ2006\ SUCCESS Options: Open Directory Access: All
34 3:12:30 TIMPlatform.exe:2044 OPEN D:\Program Files\tencent\QQ2006\TIMPlatfrom.exe.Manifest NOT FOUND Options: Open Access: All
35 3:12:30 svchost.exe:888 OPEN C:\WINDOWS\Prefetch\TIMPLATFORM.EXE-0DEDB957.pf NOT FOUND Options: Open Access: All
36 3:12:30 svchost.exe:720 OPEN D:\Program Files\tencent\QQ2006\TIMPlatform.exe SUCCESS Options: Open Sequential Access: All
37 3:12:30 svchost.exe:720 OPEN D:\Program Files\tencent\QQ2006\TIMPlatform.exe SUCCESS Options: Open Access: All
38 3:12:30 svchost.exe:720 DELETE D:\Program Files\tencent\QQ2006\TIMPlatform.exe CANNOT DELETE
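As an added example (not from the post), a small Python triage script that parses Filemon lines of the form shown above into fields and then answers the question the author asks of this capture: which paths did a given process try to open that did not exist, and which operations failed at all. The log embedded in it is the abridged capture above; the field names and functions are my own, and the parser assumes the single-space-separated layout seen here rather than Filemon's tab-separated export.

```python
import re

# The abridged Filemon capture from the post (space-separated as shown there).
LOG = r"""2 3:12:30 QQ.exe:400 OPEN D:\Program Files\tencent\QQ2006\TIMPlatform.exe.Manifest NOT FOUND Options: Open Access: All
3 3:12:30 TIMPlatform.exe:2044 OPEN C:\WINDOWS\Prefetch\TIMPLATFORM.EXE-0DEDB957.pf NOT FOUND Options: Open Access: All
13 3:12:30 TIMPlatform.exe:2044 OPEN D:\autorun.inf NOT FOUND Options: Open Access: All
14 3:12:30 TIMPlatform.exe:2044 OPEN D:\autorun.inf NOT FOUND Options: Open Access: All
15 3:12:30 TIMPlatform.exe:2044 OPEN C:\WINDOWS\Winlogon.exe NOT FOUND Options: Open Access: All
16 3:12:30 TIMPlatform.exe:2044 OPEN C:\WINDOWS\Winlogon.exe NOT FOUND Options: Open Access: All
17 3:12:30 TIMPlatform.exe:2044 CREATE C:\WINDOWS\system32\Drivers\modol.sys SHARING VIOLATION Options: OverwriteIf Access: All
25 3:12:30 TIMPlatform.exe:2044 OPEN C:\WINDOWS\AppPatch\sysmain.sdb SUCCESS Options: Open Access: All
26 3:12:30 TIMPlatform.exe:2044 OPEN C:\WINDOWS\AppPatch\systest.sdb NOT FOUND Options: Open Access: All
27 3:12:30 TIMPlatform.exe:2044 OPEN D:\Program Files\tencent\QQ2006\ SUCCESS Options: Open Directory Access: All
34 3:12:30 TIMPlatform.exe:2044 OPEN D:\Program Files\tencent\QQ2006\TIMPlatfrom.exe.Manifest NOT FOUND Options: Open Access: All
35 3:12:30 svchost.exe:888 OPEN C:\WINDOWS\Prefetch\TIMPLATFORM.EXE-0DEDB957.pf NOT FOUND Options: Open Access: All
36 3:12:30 svchost.exe:720 OPEN D:\Program Files\tencent\QQ2006\TIMPlatform.exe SUCCESS Options: Open Sequential Access: All
37 3:12:30 svchost.exe:720 OPEN D:\Program Files\tencent\QQ2006\TIMPlatform.exe SUCCESS Options: Open Access: All
38 3:12:30 svchost.exe:720 DELETE D:\Program Files\tencent\QQ2006\TIMPlatform.exe CANNOT DELETE"""

# Operation and result keywords as Filemon prints them; the path in between may
# contain spaces, so it is matched non-greedily up to a known result word.
OPS = "SET INFORMATION|QUERY INFORMATION|OPEN|CREATE|READ|WRITE|DELETE|CLOSE|DIRECTORY"
RESULTS = "SUCCESS|NOT FOUND|PATH NOT FOUND|SHARING VIOLATION|CANNOT DELETE|ACCESS DENIED"
LINE_RE = re.compile(
    rf"^(?P<seq>\d+)\s+(?P<time>[\d:.]+)\s+(?P<proc>[^\s:]+):(?P<pid>\d+)\s+"
    rf"(?P<op>{OPS})\s+(?P<path>.+?)\s+(?P<result>{RESULTS})(?:\s+(?P<detail>.*))?$"
)


def parse_filemon(text):
    """Parse each log line into a dict of named fields; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def probed_missing(events, process):
    """Paths a process tried to reach that did not exist: what it was looking for."""
    return sorted({e["path"] for e in events
                   if e["proc"].lower() == process.lower() and e["result"] == "NOT FOUND"})


def failures(events):
    """Every operation that did not succeed, for review."""
    return [e for e in events if e["result"] != "SUCCESS"]


if __name__ == "__main__":
    events = parse_filemon(LOG)
    print("TIMPlatform.exe looked for:")
    for path in probed_missing(events, "TIMPlatform.exe"):
        print("   ", path)
    print("non-success operations:", len(failures(events)))
```

On the capture above this lists the five locations the replaced TIMPlatform.exe probes (the prefetch file, D:\autorun.inf, C:\WINDOWS\Winlogon.exe, systest.sdb and the misspelled TIMPlatfrom.exe manifest), which is exactly the set of drop locations the removal list in section II covers.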
范晨鹏
------------------
Software is an attitude
Success is a habit