[sysshield]系统安全盾

emca

今天自己主动以身试毒，成功地植入上百个病毒文件，系统几乎无法使用，辛辛苦苦折腾一晚上，总算取证成功！
在使用 Syscheck 过程中，发现以下不足：
1. 处理进程和服务时，由于大量病毒进程在反复扫描进程的存在与否，它们相互修复，导致Syscheck停止响应！结果改用 Icesword 并选择“禁止线程创建”，才成功结束所有病毒进程！因此，最好能够也添加一个 “禁止线程创建” 的功能，以方便恶劣情况下的杀毒！

2. 内核 Hook 检测中，最好添加一个“全选”的选项，否则得手工一个个选择，比较麻烦；就算不全选，不选择就不冲突的。

3. FileSearch 可整合到 Syscheck 中。

4. 将来可能的话，建议添加类似 Hijackthis 的生成报告的功能；如果能够根据报告支持生成自动查杀脚本则更好——菜鸟把报告发给高手，高手加载报告后设置关闭进程、删除文件等标志，再发回给菜鸟，菜鸟即可轻松加载并自动杀毒！这个设想可作为远景考虑？

sunkist

谢谢。非常不错啊！
运行起来不吃内存，文件小。DIY就是强。。

namejm

原帖由 wang6071 于 2006-8-7 11:39 PM 发表
关于文字的滚动修改了一下．

恩，修改了两处，但是其他选项下的问题依旧，还是晃眼得很，应该是滚动的时间间隔设置得过短引起的。

emca

与大家共享一下安全盾过滤设置附件，内容包含目前大多数流氓文件名、目录名。
但在我的机器上即使将那些目录设置为全是 × （自定义目录过滤状态），但似乎也仍然能够创建文件并保存下来。请 Wangsea 看看问题出在哪儿。

Filter.dat 内容如下（另见附件）：

[SysSheild_KillFile]
_abbca_.dll
_abbca_.exe
_huytam_.exe
{21ec2020-3aea-1069-
~glh0000.tmp
~glh0001.tmp
1.com
1116
14c08f7f
32f77ac0.094
3721.exe
936
a2dd-08002b30309d}
abhcop.sys
ac2d8be0.dll
ac2i8be.exe
ac2o8be0.dll
ac2o8be1.dll
aclayer.dll
aclayer.exe
activebandobject.dll
ad.exe
ad2.exe
addeliverer.dll
addeliverer.ini
adfilter.dll
ahook.sys
ak.dat
akl.dat
alliveex.dll
alrex.dll
amstream.dll
amstreamxb.dll
apihookdll.dll
asbar.dll
asiesec.dll
asmenu.dll
assecblk.dll
assist.dll
assistant
assistse.exe
aswipe.dll
aupdate.exe
autolive.dll
autolive1.dll
autorun.inf
baidu.exe
baidubar.dll
baigoo
bala
bandobjs.dll
bcup.exe
bd.exe
bdc.dll
bdc.exe
bdc_dll.dll
bdcjins.exe
bdgdins.dll
bdguard.sys
benben.exe
bg_bandle11.exe
bg_ppgoumini.exe
bgoobar
bgoobho.dll
bgoocos
bgoohk.dll
bgook.dll
bgoolink
bgoomain.exe
bind.exe
bind_8433.exe
bo.exe
bocaitoolbar.dll
brasil.exe
bse.dll
buup.exe
c0nime.exe
caishow
caishow.exe
cast.config
castp.dat
castvxml.dat
castxml.dat
cdn.dll
cdn.exe
cdnaux.dll
cdnctr.exe
cdndet.dll
cdnglo.dll
cdnhook.sys
cdniehlp.dll
cdnns.dll
cdnprh.dll
cdnprot.dat
cdnprot.sys
cdnspie.dll
cdntdns.dll
cdntran.sys
cdnunins.exe
cdnup.exe
cfs7zd.dll
cfsbho.dll
cfsupd.dll
cfsys.dll
cid_store.dat
cj.xl
client.dll
clnt_321.exe
cnminpk.sys
cnnic
cns.dll
cns.exe
cnshook.dll
cnsmin.dll
cnsminkp.sys
comime.exe
command.com
conf.dll
conime.exe
contmenu.dll
controlpanel.
cooldown.exe
coolupdate.exe
copyso.exe
ctfm0n.exe
ctfmon.exe
dbint.dll
dddiemon.dll
dddmext.dll
dddspocx.dll
dddupdate.exe
dhelp.dll
diskud.sys
dit
diybar2.dll
diynetsetupuni.exe
dm_install_program.job
dmbar.dll
dmdaemon.dll
dmipn.dll
dmsched
dn.flg
dodoorrssfinder
downews.ini
download.dll
downloadpig.exe
dtap.dll
dtctr.dll
dudu.exe
duduacc.exe
dudupros.exe
duduprosvc.exe
dvl~1
dvldr32.exe
dwnsetup
ebaytb.dll
ebaytbdaemon.ex
ebaytbdaemon.exe
ebaytoolbarcomm.dll
edodo_install.exe
embedded
estalive.dll
exeroute.exe
exert.exe
exiorer.exe
exp1orer.exe
expl0rer.exe
explore.dll
explore.exe
explorekey.dll
explorer.com
explorer.exe
fileupdate.exe
finder.com
firewall_anti.dll
firewall_anti.exe
flbar.exe
frundlll.exe
g_server.dll
g_server.exe
g_server_hook.dll
g_serverkey.dll
game.dll
game.exe
game_hook.dll
gamekey.dll
geturl.htm
gimmy.txt
gimmysmileys
gpedit.exe
guid.vxd
hacker.com.cn.ini
hap.dll
hbhap.dll
hbhelper.dll
hbsetup.log
hcalway.sys
hda.ini
hdp.dll
hdp.ini
hello.exe
helper.dll
helperservice.dll
henbagkiller.exe
henbang.exe
henbang.ini
hfind.exe
hhelp.dll
hmapi.dll
hmtoolbar.dll
hookdll.dll
hotlist
hwd~had09.dat
idnconv.dll
idnmail.exe
ieangel.dll
ie-bar
iebar.exe
iebaradv.ini
iebarmain.ini
iebarmenu.ini
iehelper.dll
ieserv32.dll
ieserva32.dll
ieurldive.exe
iexpl0re.exe
iexplor.exe
iexplore.exe
iexplorer.exe
imaconv.dll
imaoe.dll
imaol.dll
imuiepls.dll
imuliver.dll
incomplete
index.reg
inetapi32.dll
infofobar.dll
internet explorer
iservc.dll
iservc.exe
ispubdrv.sys
kb910436.log
kernel32.exe
khdap.sys
knqtwz]`.dll
kvshell_1.dll
letscool
letscool.exe
linbak.dll
lladrufg.dll
lowlvl.dll
lssas.exe
m2syadll.dll
madbp.sys
mcqd
menuinfo.dll
meobjsdt.dll
microapmddt.dll
microsoft.exe
minib.dll
minidata
miniddd.exe
minippg2iedown.dll
minippgou
minippgou.dll
minippgou.exe
minippgou2core.dll
mmsassist.dll
mop
mousel.dll
mouser.exe
mouser.xl
movesearch.exe
mrup.exe
mscache
msetup.exe
msibm.dll
msicn
msinfo.dll
msinthk.dll
msplus.dll
msplus1.dll
msshapi.dll
msupdate.exe
mtsrv.exe
mwqu_32.dll
myshares.exe
n0tepad.exe
nbar.exe
netcount.exe
netcounter
netlib.exe
netmanager.exe
netpig_setup.exe
newweb.exe
nmview.dll
nmwizarda14.exe
notepad.exe
notifier.dll
notpad.exe
ntd11.dll
ntd1l.dll
ntdl1.dll
ntdll.dll
ntjcn.emm
ntjdo
onlydown.com toolbar
optimum.dll
p2psvr.exe
pagefile.pif
patch03.dll
patch05.dll
patch06.dll
patch10.dll
pcsporl
pguserinfo.ini
pig.exe
pig3setup.exe
pig4setup.exe
pluginenlog.dll
pnorton2.dll
pnpsvc.inf
popservice.exe
powerlist.ocx
powerplayer.dll
prostrdll.dll
pupw.sys
qqbiaoqing.exe
quartz32.dll
qyule.exe
ranx.dll
rar.exe
rar.hta
raspapi.dll
rasvss.dll
rdriv.sys
realsched.exe
reg.exe
regsvr.exe
rep.exe
repair.dll
rss.dll
run.exe
run32.dll
rund1132.exe
rund1l32.exe
rundl132.exe
rundll.exe
rundll32.exe
rv.ini
s.dll
s.exe
s_bdextinsu217.exe
saga.sys
schemas
scrblock.dll
scrss.exe
scszppg2.dll
sctongjiv.dll
scvchost.exe
scvh0st.exe
scvhost.exe
search.exe
secur.dll
sendshell.exe
serinit32.exe
server.exe
service.exe
setup1.exe
setup2.exe
setup99.exe
skin.dll
skymmstp017.exe
skymmstprar.exe
skype.exe
smss.exe
sobarnetinstaller.exe
sodaie.dll
sodaie.dll
soft1202.exe
softreg20.exe
softreg38.exe
sogou.exe
spoolsv
spoolsv.exe
sporl.exe
ssl.dll
std.ini
stdup.dll
svch0st.exe
svchost.dll
svchost.exe
svohost.exe
sys.exe
sys1.exe
sys2.exe
sysmini.exe
sysmonde64.dll
syspphash.dll
sysppmultthd.dll
sysskip.srg
system.dll
system.exe
system.ini
system_dll.dll
system_hook.dll
systemtoolbar.dll
tasklist.dll
tcgg.exe
temp0.dll
temp1.dll
temp1.dll =
temp2.inf
tftewal.exe
tgbrfv_.exe
tgbrfv_5.dll
thdstat.exe
thirda
tj.flg
toolbar.dll
toolbar.exe
toolbaru88.dll
tpflag.rg
tqppmtw
tqppmtw.fyf
ttsky.exe
tutuag32.exe
tvclient.bin
u88.exe
u88setup.exe
uninstall.exe
unpig.exe
unregister.ini
updstdup.ini
usign.dll
ustqilnr.sys
version.ini
vfp104.exe
visionnet.dll
vkclient.exe
vkreader.exe
vpip.exe
wabimp.dll
wbauninstall.exe
webad.dll
webband.dll
win.ini
windcheck2.exe
windows.exe
winhelp.exe
winhtp.dll
winl0gon.exe
winlog0n.exe
winsc.dll
winsc32.dll
winsc64.dll
winup.exe
wiwshost.exe
wlzsetup30.exe
wmimgr.exe
ws2_32.dll
ws2-64.dll
wshcon32.dll
wsock32.exe
wsocket.dll
wuauc1t.exe
xpstyle.dll
xpwindow.dll
yadfilter.dll
yadwreg.dll
yahoo.exe
yalive.dll
yaliveex.dll
yalliveex.dll
yangling.dll
yasbar.dll
yascenter.exe
yasctrlh.dll
yasfsks.dll
yasierres.dll
yasiesec.dll
yasnoad.dll
yassecblk.dll
yassisres.dll
yassist.dll
yassist4.exe
yassistex.dll
yassistse.exe
yaswiper.dll
ydragsearch.dll
ydtmain.exe
yeheocx.dll
yhelper.dll
yieacore.dll
yieangel.dll
yieares.dll
yieaui.dll
yisou.dll
yisou_znmq.exe
yisoub.dll
yisous.dll
yisouu.dll
ykeepmain.dll
ylive.exe
ymenuinfo.dll
ynotifier.dll
yok_supersearch.dll
yoptimum.dll
yprockg.dll
yrepair.dll
yscrblock.dll
ysettings.dll
yule.exe
yulesetup.exe
yuninst.dll
ywiper.dll
yzsnetproto.dll
zazhi.exe
zcommanage.exe
zcomupdate.exe
zplatform.exe
zsearch.exe
zsmod.dll
zunins.exe
炫彩图铃.exe
忆多多

[SysSheild_PassFile]

[SysSheild_UserDir]
Computer=HFUT-SECU
c:\|a
c:\documents and settings\administrator\local settings\|eb
c:\program files\|e
c:\program files\360so|a
c:\program files\3721\|a
c:\program files\ad4all|a
c:\program files\baidu|a
c:\program files\baigoo|a
c:\program files\caishow tech|a
c:\program files\cnet|a
c:\program files\cnnic|a
c:\program files\coolwebsite|a
c:\program files\deskadtop|a
c:\program files\desktop media|a
c:\program files\dodoorrssfinder|a
c:\program files\dudu|a
c:\program files\ebay|a
c:\program files\fzdown|a
c:\program files\gimmysmileys|a
c:\program files\google|a
c:\program files\hbclient|a
c:\program files\hbhdp|a
c:\program files\henbang|a
c:\program files\huaci|a
c:\program files\ibar|a
c:\program files\ie-bar|a
c:\program files\infofo bar|a
c:\program files\letscool|a
c:\program files\minippgou|a
c:\program files\mmsassist|a
c:\program files\mop|a
c:\program files\mysec|a
c:\program files\netcounter|a
c:\program files\netease|a
c:\program files\p4p|a
c:\program files\pcast|a
c:\program files\qqhelper|a
c:\program files\qyule|a
c:\program files\sandai|a
c:\program files\searchnet|a
c:\program files\system|a
c:\program files\vika|a
c:\program files\visionnet|a
c:\program files\vvsn|a
c:\program files\wint|a
c:\program files\wsearch|a
c:\program files\yahoo!|a
c:\program files\yayad|a
c:\program files\yisou|a
c:\program files\yulexk|a
c:\program files\zcom|a
c:\program files\网络猪|a
c:\program files\忆多多|a
c:\windows\|ebd

[SysSheild_Filter]
onlymon=*.exe;*.inf;*.vbs;*.sys;*.bat;*.cmd;*.dll;*.txt;*.ini;*.dat;*.bin;*.tmp;*.ocx;
blurring=0-9.exe;0-9.dll;baidu.exe;yisou.dll;yass.dll;bar.dll;bar.exe;ppgou;assist;cdn.dll;cdn.exe;dudu;

[ 本帖最后由 emca 于 2006-8-9 07:49 AM 编辑 ]

sunkist

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Control Panel\Desktop]
"AutoEndTasks"="1"
"HungAppTimeout"="200"
"WaitToKillAppTimeout"="200"
"WaitTOKillService"="200"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control]
"WaitToKillServiceTimeout"="200"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters]
"EnablePrefetcher"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"SFCDisable"=dword:ffffff9d
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AlwaysUnloadDLL]
@="0"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
"AutoShareServer"=dword:00000000
"AutoSharewks"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Windows]
"NoPopUpsOnBoot"=dword:00000001
[HKEY_CLASSES_ROOT\lnkfile]
@="快捷方式"
"EditFlags"=dword:00000001
"NeverShowExt"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RemoteComputer\NameSpace]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RemoteComputer\NameSpace\{2227A280-3AEA-1069-A2DE-08002B30309D}]
@="Printers"
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer]
"Link"=hex:00,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters]
"EnablePrefetcher"=dword:00000003
[HKEY_USERS\.DEFAULT\Control Panel\Desktop]
"FontSmoothing"="2"
"FontSmoothingType"=dword:00000002
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MaxConnectionsPer1_0Server"=dword:00000008
"MaxConnectionsPerServer"=dword:00000008
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control]
"WaitToKillServiceTimeout"="1000"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Shareaza.exe]
"Debugger"="c:\\中国超级BT.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\4047.exe]
"Debugger"="c:\\中国超级BT捆绑的病毒.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TuoTu.exe]
"Debugger"="c:\\P2P类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qqfo1.0_dl.exe]
"Debugger"="c:\\P2P类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SuperLANadmin.exe]
"Debugger"="c:\\破坏类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WinPcap30.exe]
"Debugger"="c:\\破坏类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WinPcap.exe]
"Debugger"="c:\\破坏类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Robocop.exe]
"Debugger"="c:\\破坏类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\diaoxian.exe]
"Debugger"="c:\\破坏类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\network.exe]
"Debugger"="c:\\破坏类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\冰点还原终结者.exe]
"Debugger"="c:\\破坏类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\3389.exe]
"Debugger"="c:\\破坏类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\3389.rar]
"Debugger"="c:\\破坏类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sc.exe]
"Debugger"="c:\\破坏类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mstsc.exe]
"Debugger"="c:\\破坏类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\3389dl.exe]
"Debugger"="c:\\破坏类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\3389dl.rar]
"Debugger"="c:\\破坏类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\黑社会.exe]
"Debugger"="c:\\破坏类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Poco2004.exe]
"Debugger"="c:\\下载类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Vagaa.exe]
"Debugger"="c:\\下载类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Kamun.exe]
"Debugger"="c:\\下载类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\黑社会.exe]
"Debugger"="c:\\下载类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\还原精灵密码察看器.exe]
"Debugger"="bcvb"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\yuyuyu.exe]
"Debugger"="c:\\下载类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KuGoo.exe]
"Debugger"="c:\\下载类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmcc.exe]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bczp.exe]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\3721.exe]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PodcastBarMiniStarter.exe]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cdnns.dll]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cdnns.exe]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setupcnnic.exe]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ieup.exe]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SurfingPlus.exe]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ok.exe]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\123.exe]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ieup.exe]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IESearch.exe]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WinSC32.dll]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ZComService.exe]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\skin.dll]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zPlatform.exe]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zcomUpdate.exe]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hbhelper.dll]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Weather_24.exe]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Weather.exe]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\inkv3.dll]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SDE.EXE]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boba_super_setup-1.1.0.15.exe]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PodcastBarMini.exe]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PodcastBarMiniStarter.exe]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sogou_yahoo.exe]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup_aHR0cDovL3d3dy5xeXVsZS5jb20v.exe]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Qyule.exe]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lianmeng_sitesowang.EXE]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iShare.Ver0.40.exe]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ishare_user.exe]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\assist4.exe]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bbseesetup.exe]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Crack.exe]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bind_8286.exe]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RedVIP.exe]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VIP.exe]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iShare.Ver0.40.exe]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ishare_user.exe]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\assist4.exe]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bbseesetup.exe]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\p2psvr.exe]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQSSV20.exe]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQSSV1.8.exe]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SixthSense.exe]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netrobocop_setup.exe]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NetRobocop.exe]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\is-8CIEP.tmp]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WinPca.exe]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WinPca_3.1.exe]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\P2P网络管理员.exe]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ARPOver.exe]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cnnetcut.exe]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\INSEC.tmp]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netcut.exe]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec.exe]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DrvIst.exe]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSIF1.tmp]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NetMon.exe]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LanecatTrial.exe]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LEC_Client.exe]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BTBaby.exe]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WebThunder1.0.4.28deluxbeta.exe]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WebThunder.exe]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\is-TEQG7.tmp]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TingTing1.1.0.8Beta.exe]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\is-C6R99.tmp]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\is-00KC0.tmp]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\100baoSetup120.exe]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GLBD.tmp]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DDD4_DXT168.exe]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ppstreamsetup.exe]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PPStream.exe]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TV100.exe]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\is-S5LOA.tmp]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\is-S5L0A.tmp]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\teng.exe]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TENG.exe]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\is-RP216.tmp]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rongtv.exe]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hjsetup.exe]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HJSETUP.EXE]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec.exe]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rep.exe]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dudupros.exe]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DuDuAcc.exe]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Dmad-install.exe]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\D-mad.exe]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\004-PPGou-Dmad.EXE]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PPGou.exe]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kugoo.exe]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KuGoo.exe]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TDUpdate.exe]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PodcastBarMini.exe]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MyShares.exe]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vfp02.exe]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\is-5SKT1.tmp]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bgoomain.exe]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup_L0029.exe]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ns40.tmp]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\1032.exe]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\yAssistSe.exe]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ddos.exe]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BitTorrent.exe]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\drwtsn32.exe]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Win98局域网攻击工具.exe]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NetThief.exe]
"Debugger"="c:\\网络神偷.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RemoteComputer.exe]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQTailer.exe]
"Debugger"="c:\\制造出来的QQ病毒.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\傀儡僵尸DDOS攻击集合.exe]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Alchem.exe]
"Debugger"="c:\\以下是存在风险病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\actalert.exe]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\adaware.exe]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\alevir.exe]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aqadcup.exe]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\archive.exe]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\arr.exe]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ARUpdate.exe]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\asm.exe]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\av.exe]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avserve.exe]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avserve2.exe]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\backWeb.exe]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bargains.exe]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\basfipm.exe]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\belt.exe]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Biprep.exe]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\blss.exe]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bokja.exe]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bootconf.exe]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bpc.exe]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\brasil.exe]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BRIDGE.DLL]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Buddy.exe]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BUGSFIX.EXE]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bundle.exe]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bvt.exe]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cashback.exe]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cdaEngine.exe]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd32.exe]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmesys.exe]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\conime.exe]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\conscorr.exe]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\crss.exe]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cxtpls.exe]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\datemanager.exe]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dcomx.exe]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Desktop.exe]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\directs.exe]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\divx.exe]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dllreg.exe]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dmserver.exe]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dpi.exe]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dssagent.exe]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dvdkeyauth.exe]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\emsw.exe]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\exdl.exe]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\exec.exe]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EXP.EXE]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explore.exe]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explored.exe]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Fash.exe]
"Debugger"="c:\\病毒类.exe"

能否把这个注册表加入软件中，在注册表里不要运行病毒。
以上是我在bbs.txwm.com.copy过来的。

wang6071

最近在亲身处理"落雪"木马过程中发现

安全盾的规则确要需要增加一些对文件关联的保护,
文件过滤的默认设置类型也不够多,需要增强

只是目前正在修改syscheck,所以没时间更新安全盾,近期会做一个更新的．

关于界面滚动提示的问题没找到到好的方案，试用了一个控件效果还不如目前的代码，所以就不修改它了．

sycheck目前修正了几个文件检测不全的问题，修正了部份服务路径检测失败的问题．
正在加入＂禁止线程创建＂功能，拟考虑用Win32的ApiHook解决，目前的问题是生成的dll大约有300余K,正想方法减小它的大小．所以这些修订本次就不上传了，等修正基本完成再上传．


最后再次感谢  emca  ,sunkist的资料，将分析并加入新版的安全盾．

freesoft00

最后的软件稍大些也无所谓，关键是功能强大，稳定，易用。

freesoft00

反馈：
文件搜索挺好用，就是配置不能保存。
希望加进syscheck中
我刚用它删除落雪木马。

emca

原帖由 sunkist 于 2006-8-9 08:56 AM 发表
Windows Registry Editor Version 5.00

引用：
"AutoEndTasks"="1"
"HungAppTimeout"="200"
"WaitToKillAppTimeout"="200"
"WaitTOKillServi ...

…………………………
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explored.exe]
"Debugger"="c:\\病毒类.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Fash.exe]
"Debugger"="c:\\病毒类.exe"

能否把这个注册表加入软件中，在注册表里不要运行病毒。
以上是我在bbs.txwm.com.copy过来的。
-----------------------------------------------------------------------------------------------

将上述注册表内容添加到注册表免疫恶意程序的执行是可行的，其实就是深山红叶 PE 中早就包含的“流氓程序限制工具”。但我发现使用这些后，会导致运行 CMD 时速度极度缓慢，其他应用程序的使用倒是没有受到明显影响。因此这些条目太多时可能要慎用，以免影响命令行的使用。深山红叶PE光盘的 X:\PROGRAMS\WinTools\安全设置\RogueList\rogulist.txt 有一个非常多内容的流氓文件清单。

注意！！！！！！！！！！！！
不管怎么说，上述做法是一个对付流氓的思路：
当一个存在进程的可执行文件无法被当场杀掉时，就可以添加到上述内容中（即软件限制策略），重新启动系统后，这个被加入的可执行文件就无法得到执行（软件限制策略优先级非常高）！因此这个机制实现不难，就是向注册表添加一个带有指定恶意可执行文件文件名的注册表项目而已。因此，Syscheck 的资源管理器中，是否可在目前延迟删除的基础上，再添加一项“免疫此可执行文件的执行”的选项？
可惜的是对非 exe 文件无效！

    深山红叶

sunkist

可惜的是对非 exe 文件无效！
是啊。。要不然就好办拉，现在的软件真的太那个了。有时下载安装就怕。

wang6071

下午有一点时间，先将两个软件作一个基本更新．

安全盾20060809更新说明:
   1:加入更多的文件关联的禁用.
   2:注册表工具点应用后延时5秒禁用安全盾的注册表保护以使其可以写入.
   3:注册表启动项修改时提示框弹出10秒后自动选择<终止进程>,确保无人时的保护.
   4:黑名单更新为红叶兄搜集的黑名单,在此感谢红叶兄为网络安全所做的贡献.
这里提供的仅是更新文件（适用于已安装了安全盾的兄弟覆盖更新），完整版请到http://wangsea.ys168.com下载．

syscheck1.0.0.12:
加入检测.exe等的关联,以前只检测了exefile等的关联。
加入内核hook选择的全选项。
加入限制线程的创建功能。
加入内核HOOK页的全选。
再次修证服务页的文件路径判断。
文件搜索的功能下次加入．下一版加入“免疫此可执行文件的执行”,欢迎各位提供各类安全检测键值与安全设置方面的相关资料．

这里提供的syscheck是去皮肤版，要美观的可去http://wangsea.ys168.com下载有皮肤版

wang6071

syscheck 1.0.0.12

emca

平生第一次沙发！

emca

希望以后能够同时得到没有 Skin 的版本，本人就是酷爱素雅的、苗条的：）

小木头

今天我安装了新版安全盾20060809出现了以下问题：在注册表工具中执行红叶提供的防黑注册表键值时出现了蓝屏。重启后又试了一次还是出现蓝屏，我使用以前的版本安全盾20060628 时都正常 。不知他与什么软件冲突 。对了我安装者微点。可是 安装以前 版本安全盾时也安装着微点。

小木头

退出微点又试了一次，执行红叶提供的防黑注册表键值时还是会蓝屏死机！忧郁中.......

wang6071

先关闭安全盾,再试试地安全盾目录下双击tmp.reg,此文件即是您最后执行的导入注册表文件.如果不出现兰屏那就是安全盾的问题了.

sunkist

是否能加进对一些进程的限制。比如我只要一些exe文件运行，其他的一个也不给运行 。。

liangliang

强杀进程功能真是太好了～～～

emca

SysShield bug报告：
今天Windows自动更新报告找到9个更新，让它安装，结果6个不能安装成功！
排查了一上午的原因，最终用Syscheck检查，发现HOOK列表中存在两个项目，都是安全盾的 SafeReg.sys。还原Hook，然后更新，一切恢复正常！但此时我并没有自动启动 安全盾。因此只好自己临时写一个内存卸载脚本，以方便遇到此种情况下的问题解决：
@echo off
rem 本程序用于从内存卸载安全盾，并且卸载其驱动。以解决Windows升级失败等故障。
taskkill /F /IM SysShield.exe
reg delete HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SafeReg /f
reg delete HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SafeReg /f
exit
另外，如果再运行一次安全盾，然后正常退出，则HOOK会自动消失。看来问题出在安全盾主程序没有自动运行，但内核驱动已经加载，从而导致文件读写被监视。这个问题请大家再验证并看看用什么办法解决。

sunkist

今天郁闷用1.0.0.11版本删了点活动文件，就是IE的右键，然后就上不了IE了。然后修复IE。也出错。。郁闷！！
我升级了安全盾，正常没事，但没有装其他东西。
现在问题是病毒太历害了。二台机子坏了。。受不了。

wang6071

关于红叶兄报告的:没有自动启动 安全盾,但安全盾的驱动在工作中有点奇怪,因为:
1:安全盾的驱动是运行后再加载的.
2:该驱动的启动方式是手动启动,也就是说即使是安全盾不正常中止,下次开机而又未运行安全盾该驱动也不会启动.
3:是否是之前用杀进程工具终止的安全盾(或者是安全盾已启动但没有托盘图标使其无法退出?),安全盾必须使用自身的退了才会停止驱动,如果是被杀进程工具所杀则驱动仍然有效.

关于sunkist 反应的用1.0.0.11版本删了点活动文件，就是IE的右键,出现了IE无法启动的问题应该与syscheck无关,可以用其它工具查一下是否是恶意程序装多了!

sunkist

收到，谢谢，我正在找点什么东西可以防止垃圾的，不知道楼主有什么可介绍的，二年没动系统了，哎。以前还学习得快，现在不行了。对电脑失去兴趣，可又在公司搞维护累啊！
用的都是windows2000/xp 郁闷着。自己的系统可不会出现过这样，就安全盾一直开着，其他什么杀毒软件一个也不装

xubo1971

才2天没来，就变化这么快！

小木头

原帖由 wang6071 于 2006-8-9 11:11 PM 发表
先关闭安全盾,再试试地安全盾目录下双击tmp.reg,此文件即是您最后执行的导入注册表文件.如果不出现兰屏那就是安全盾的问题了.

试了一下:在安全盾目录下双击红叶提供的防黑注册表项的tmp.reg没有出现蓝屏!

wang6071

原帖由 小木头 于 2006-8-10 08:03 PM 发表
试了一下:在安全盾目录下双击红叶提供的防黑注册表项的tmp.reg没有出现蓝屏!

这个问题有点奇怪,我的测试中未出现这样的现象.估计与微点有关系,可以这样测试一下,不要启动安全盾,只启动微点,用syschek检查一下它HOOK的内核函数是否有与安全盾相同的项目;然后退出微点,再用syscheck检查一下退出后微点它Hook的内核函数项是否是没有消失?(即程序退出后驱动仍在活动中)
这个现象可能与加载的顺序有关系，可以试着退出安全盾，再重启动安全盾,再执行注册表工具中的项目测试．

to sunkist :
     由于公司的机器一般都有重要数据，不宜轻易重做系统，所以我建议每机安装杀软，再安装EruNt备份注册表，杀软的目的是避免经常性的杀软可识别的病毒的处理．而EruNT备份的注册表(默认是在windows\erunt\以时间命名的目录下)可以在安全模式或红叶光盘启动后恢复．这样即使中了木马，恢复注册表后它也不可能生效，文件就当它是垃圾，杀软升级到某个版本后会清除它的．当然，如落雪类的生成与系统文件名相同的.com的木马，最好用光盘系统启动清除一下，否则.com的优先执行会让系统再次感染．
   另外，公司机器的系统版本最好统一成几个，这样可以做几张Ghost还原的光碟，出问题后用光盘启动，执行GhostExp.exe提取windows目录下的系统文件恢复还原过去，注意恢复时要排除system32\config文件夹下的文件,原因我就不多说了．

小木头

与微点是有关系.我在任务管理器中结束了微点的全部进程并在syscheck中恢复了HOOK.再次运行红叶防黑注册表项没有蓝屏!谢谢王兄...

sunkist

to sunkist :
     由于公司的机器一般都有重要数据，不宜轻易重做系统，所以我建议每机安装杀软，再安装EruNt备份注册表，杀软的目的是避免经常性的杀软可识别的病毒的处理．而EruNT备份的注册表(默认是在windows\erunt\以时间命名的目录下)可以在安全模式或红叶光盘启动后恢复．这样即使中了木马，恢复注册表后它也不可能生效，文件就当它是垃圾，杀软升级到某个版本后会清除它的．当然，如落雪类的生成与系统文件名相同的.com的木马，最好用光盘系统启动清除一下，否则.com的优先执行会让系统再次感染．
   另外，公司机器的系统版本最好统一成几个，这样可以做几张Ghost还原的光碟，出问题后用光盘启动，执行GhostExp.exe提取windows目录下的系统文件恢复还原过去，注意恢复时要排除system32\config文件夹下的文件,原因我就不多说了．


好的，谢谢wang6071  。ghost版我倒有一二张在手上。

wang6071

安全盾1.23版升级说明:(完整安装版请到http://wangsea.ys168.com下载)
   1:加入.html关联的保护
   2:对符合条件的删除文件在删除不了时增加结束进程再尝试删除.

syscheck 1.0.0.13 (去皮肤版，美化版同样请到http://wangsea.ys168.com下载)
加入HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows键下值名AppInit_DLLs的检测
在进程模块显示的右键方式下增加<永久禁止此文件的执行>
增加文件搜索页面.（文件搜索页的默认日期为当前日期-7天,默认目录为%windows%）

本贴附件安全盾升级程序上传错误,已删除,请下载楼下的升级程序.

[ 本帖最后由 wang6071 于 2006-8-12 12:36 AM 编辑 ]

wang6071

syscheck　１．０．０．１３