一个 xpaj 的驱动似乎做到了（是否真的如此，还需要楼主测试）。XP 时代的玩意，创建文件和驱动自删除这两步火绒剑都看不见了。
18:17:55:552, System, 4:52, 0, REG_mkkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\kcaqevyin, access:0x000F003F , 0x00000000 [操作成功完成。 ],
18:17:55:552, System, 4:52, 0, REG_setval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\kcaqevyin\awzhk, type:0x00000004 datalen:4 data:'6D 25 09 A1 ' , 0x00000000 [操作成功完成。 ],
18:17:55:552, System, 4:52, 0, REG_setval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\kcaqevyin\Type, type:0x00000004 datalen:4 data:'01 00 00 00 ' , 0x00000000 [操作成功完成。 ],
18:17:55:552, System, 4:52, 0, REG_setval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\kcaqevyin\Start, type:0x00000004 datalen:4 data:'00 00 00 00 ' , 0x00000000 [操作成功完成。 ],
18:17:55:568, System, 4:52, 0, REG_setval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\kcaqevyin\ErrorControl, type:0x00000004 datalen:4 data:'00 00 00 00 ' , 0x00000000 [操作成功完成。 ],
18:17:55:568, System, 4:52, 0, REG_setval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\kcaqevyin\Group, type:0x00000001 datalen:36 data:'42 6F 6F 74 20 42 75 73 20 45 78 74 65 6E 64 65 ' , 0x00000000 [操作成功完成。 ],
18:17:55:615, System, 4:52, 0, REG_mkkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\kcaqevyin\Enum, access:0x000F003F , 0x00000000 [操作成功完成。 ],
18:17:55:615, System, 4:52, 0, REG_mkkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_KCAQEVYIN, access:0x000F003F , 0x00000000 [操作成功完成。 ],
18:17:55:615, System, 4:52, 0, REG_setval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_KCAQEVYIN\NextInstance, type:0x00000004 datalen:4 data:'01 00 00 00 ' , 0x00000000 [操作成功完成。 ],
18:17:55:615, System, 4:52, 0, REG_mkkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_KCAQEVYIN\0000, access:0x000F003F , 0x00000000 [操作成功完成。 ],
18:17:55:615, System, 4:52, 0, REG_mkkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_KCAQEVYIN\0000\Control, access:0x000F003F , 0x00000000 [操作成功完成。 ],
18:17:55:615, System, 4:52, 0, REG_setval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_KCAQEVYIN\0000\Control\*NewlyCreated*, type:0x00000004 datalen:4 data:'00 00 00 00 ' , 0x00000000 [操作成功完成。 ],
18:17:55:615, System, 4:52, 0, REG_setval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_KCAQEVYIN\0000\Service, type:0x00000001 datalen:20 data:'6B 63 61 71 65 76 79 69 6E 00 ' , 0x00000000 [操作成功完成。 ],
18:17:55:615, System, 4:52, 0, REG_setval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_KCAQEVYIN\0000\Legacy, type:0x00000004 datalen:4 data:'01 00 00 00 ' , 0x00000000 [操作成功完成。 ],
18:17:55:630, System, 4:52, 0, REG_setval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_KCAQEVYIN\0000\ConfigFlags, type:0x00000004 datalen:4 data:'00 00 00 00 ' , 0x00000000 [操作成功完成。 ],
18:17:55:630, System, 4:52, 0, REG_setval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_KCAQEVYIN\0000\Class, type:0x00000001 datalen:26 data:'4C 65 67 61 63 79 44 72 69 76 65 72 00 ' , 0x00000000 [操作成功完成。 ],
18:17:55:630, System, 4:52, 0, REG_setval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_KCAQEVYIN\0000\ClassGUID, type:0x00000001 datalen:78 data:'7B 38 45 43 43 30 35 35 44 2D 30 34 37 46 2D 31 ' , 0x00000000 [操作成功完成。 ],
18:17:55:630, System, 4:52, 0, REG_setval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_KCAQEVYIN\0000\DeviceDesc, type:0x00000001 datalen:20 data:'6B 63 61 71 65 76 79 69 6E 00 ' , 0x00000000 [操作成功完成。 ],
18:17:55:630, System, 4:52, 0, REG_setval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\kcaqevyin\Enum\0, type:0x00000001 datalen:54 data:'52 6F 6F 74 5C 4C 45 47 41 43 59 5F 4B 43 41 51 ' , 0x00000000 [操作成功完成。 ],
18:17:55:630, System, 4:52, 0, REG_setval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\kcaqevyin\Enum\Count, type:0x00000004 datalen:4 data:'01 00 00 00 ' , 0x00000000 [操作成功完成。 ],
18:17:55:630, System, 4:52, 0, REG_setval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\kcaqevyin\Enum\NextInstance, type:0x00000004 datalen:4 data:'01 00 00 00 ' , 0x00000000 [操作成功完成。 ],
18:17:55:630, System, 4:52, 0, REG_setval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_KCAQEVYIN\0000\Control\ActiveService, type:0x00000001 datalen:20 data:'6B 63 61 71 65 76 79 69 6E 00 ' , 0x00000000 [操作成功完成。 ],
18:17:55:630, System, 4:52, 0, REG_setval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\kcaqevyin\Enum\Count, type:0x00000004 datalen:4 data:'01 00 00 00 ' , 0x00000000 [操作成功完成。 ],
18:17:55:630, System, 4:52, 0, REG_setval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\kcaqevyin\Enum\NextInstance, type:0x00000004 datalen:4 data:'01 00 00 00 ' , 0x00000000 [操作成功完成。 ],
18:17:55:833, System, 4:52, 0, SYS_load_kmod, C:\WINDOWS\System32\Drivers\kcaqevyin.sys, , 0x00000000 [操作成功完成。 ],
18:17:55:849, System, 4:52, 0, REG_rmkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\xpaj_Service\Security, , 0x00000000 [操作成功完成。 ],
18:17:55:849, System, 4:52, 0, REG_rmkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\xpaj_Service\Enum, , 0x00000000 [操作成功完成。 ],
18:17:55:849, System, 4:52, 0, REG_rmkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\xpaj_Service, , 0x00000000 [操作成功完成。 ],
18:17:55:849, 加驱用.exe, 3028:3036, 3028, SYS_load_kmod, C:\Documents and Settings\bubuquoyq.sys\桌面\xpaj.sys, , 0xC0000001 [连到系统上的设备没有发挥作用。 ],
18:17:55:849, services.exe, 776:3252, 0, FILE_open, C:\WINDOWS\system32\dnsapi.dll, access:0x00100020 alloc_size:0 attrib:0x00000000 share_access:0x00000005 disposition:0x00000001 options:0x00000060 , 0x00000000 [操作成功完成。 ],
18:17:55:912, services.exe, 776:3256, 0, REG_openkey, HKEY_CURRENT_USER, access:0x00020019 , 0x00000000 [操作成功完成。 ],
18:17:55:912, services.exe, 776:3256, 0, REG_openkey, HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Cryptography\Providers\Type 001, access:0x00020019 , 0xC0000034 [系统找不到指定的文件。 ],
18:17:55:912, services.exe, 776:3256, 0, REG_openkey, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider Types\Type 001, access:0x00020019 , 0x00000000 [操作成功完成。 ],
18:17:55:912, services.exe, 776:3256, 0, REG_getval, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider Types\Type 001\Name, type:0x00000001 datalen:80 data:'4D 00 69 00 63 00 72 00 6F 00 73 00 6F 00 66 00 ' , 0x00000000 [操作成功完成。 ],
18:17:55:912, services.exe, 776:3256, 0, REG_getval, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider Types\Type 001\Name, type:0x00000001 datalen:80 data:'4D 00 69 00 63 00 72 00 6F 00 73 00 6F 00 66 00 ' , 0x00000000 [操作成功完成。 ],
18:17:55:912, services.exe, 776:3256, 0, REG_getval, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider Types\Type 001\Name, type:0x00000001 datalen:80 data:'4D 00 69 00 63 00 72 00 6F 00 73 00 6F 00 66 00 ' , 0x00000000 [操作成功完成。 ],
18:17:55:912, services.exe, 776:3256, 0, REG_getval, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider Types\Type 001\Name, type:0x00000001 datalen:80 data:'4D 00 69 00 63 00 72 00 6F 00 73 00 6F 00 66 00 ' , 0x00000000 [操作成功完成。 ],
18:17:55:927, services.exe, 776:3256, 0, REG_openkey, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Strong Cryptographic Provider, access:0x00020019 , 0x00000000 [操作成功完成。 ],
18:17:55:927, services.exe, 776:3256, 0, REG_getval, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Strong Cryptographic Provider\Type, type:0x00000004 datalen:4 data:'01 00 00 00 ' , 0x00000000 [操作成功完成。 ],
18:17:55:927, services.exe, 776:3256, 0, REG_getval, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Strong Cryptographic Provider\Image Path, type:0x00000001 datalen:22 data:'72 00 73 00 61 00 65 00 6E 00 68 00 2E 00 64 00 ' , 0x00000000 [操作成功完成。 ],
18:17:55:927, services.exe, 776:3256, 0, REG_getval, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Strong Cryptographic Provider\Image Path, type:0x00000001 datalen:22 data:'72 00 73 00 61 00 65 00 6E 00 68 00 2E 00 64 00 ' , 0x00000000 [操作成功完成。 ],
18:17:55:927, services.exe, 776:3256, 0, REG_getval, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Strong Cryptographic Provider\Image Path, type:0x00000001 datalen:22 data:'72 00 73 00 61 00 65 00 6E 00 68 00 2E 00 64 00 ' , 0x00000000 [操作成功完成。 ],
18:17:55:927, services.exe, 776:3256, 0, REG_getval, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Strong Cryptographic Provider\Image Path, type:0x00000001 datalen:22 data:'72 00 73 00 61 00 65 00 6E 00 68 00 2E 00 64 00 ' , 0x00000000 [操作成功完成。 ],
18:17:56:037, services.exe, 776:3256, 0, REG_openkey, HKEY_CURRENT_USER, access:0x00020019 , 0x00000000 [操作成功完成。 ],
18:17:56:037, services.exe, 776:3256, 0, REG_openkey, HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Cryptography\Providers\Type 001, access:0x00020019 , 0xC0000034 [系统找不到指定的文件。 ],
18:17:56:037, services.exe, 776:3256, 0, REG_openkey, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider Types\Type 001, access:0x00020019 , 0x00000000 [操作成功完成。 ],
18:17:56:037, services.exe, 776:3256, 0, REG_getval, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider Types\Type 001\Name, type:0x00000001 datalen:80 data:'4D 00 69 00 63 00 72 00 6F 00 73 00 6F 00 66 00 ' , 0x00000000 [操作成功完成。 ],
18:17:56:037, services.exe, 776:3256, 0, REG_getval, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider Types\Type 001\Name, type:0x00000001 datalen:80 data:'4D 00 69 00 63 00 72 00 6F 00 73 00 6F 00 66 00 ' , 0x00000000 [操作成功完成。 ],
18:17:56:037, services.exe, 776:3256, 0, REG_getval, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider Types\Type 001\Name, type:0x00000001 datalen:80 data:'4D 00 69 00 63 00 72 00 6F 00 73 00 6F 00 66 00 ' , 0x00000000 [操作成功完成。 ],
18:17:56:037, services.exe, 776:3256, 0, REG_getval, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider Types\Type 001\Name, type:0x00000001 datalen:80 data:'4D 00 69 00 63 00 72 00 6F 00 73 00 6F 00 66 00 ' , 0x00000000 [操作成功完成。 ],
18:17:56:037, services.exe, 776:3256, 0, REG_openkey, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Strong Cryptographic Provider, access:0x00020019 , 0x00000000 [操作成功完成。 ],
18:17:56:037, services.exe, 776:3256, 0, REG_getval, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Strong Cryptographic Provider\Type, type:0x00000004 datalen:4 data:'01 00 00 00 ' , 0x00000000 [操作成功完成。 ],
18:17:56:037, services.exe, 776:3256, 0, REG_getval, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Strong Cryptographic Provider\Image Path, type:0x00000001 datalen:22 data:'72 00 73 00 61 00 65 00 6E 00 68 00 2E 00 64 00 ' , 0x00000000 [操作成功完成。 ],
18:17:56:037, services.exe, 776:3256, 0, REG_getval, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Strong Cryptographic Provider\Image Path, type:0x00000001 datalen:22 data:'72 00 73 00 61 00 65 00 6E 00 68 00 2E 00 64 00 ' , 0x00000000 [操作成功完成。 ],
18:17:56:037, services.exe, 776:3256, 0, REG_getval, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Strong Cryptographic Provider\Image Path, type:0x00000001 datalen:22 data:'72 00 73 00 61 00 65 00 6E 00 68 00 2E 00 64 00 ' , 0x00000000 [操作成功完成。 ],
18:17:56:037, services.exe, 776:3256, 0, REG_getval, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Strong Cryptographic Provider\Image Path, type:0x00000001 datalen:22 data:'72 00 73 00 61 00 65 00 6E 00 68 00 2E 00 64 00 ' , 0x00000000 [操作成功完成。 ],
18:17:56:068, services.exe, 776:3256, 0, FILE_touch, C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\S-1-5-18\6d14e4b1d8ca773bab785d1be032546e_f73da4ee-833b-43a6-80b3-31946bdcaf51, access:0x00120196 alloc_size:0 attrib:0x00000004 share_access:0x00000000 disposition:0x00000003 options:0x00000064 , 0x00000000 [操作成功完成。 ],
18:17:56:068, services.exe, 776:3256, 0, FILE_write, C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\S-1-5-18\6d14e4b1d8ca773bab785d1be032546e_f73da4ee-833b-43a6-80b3-31946bdcaf51, offset:0x00000000 datalen:0x0000002F , 0x00000000 [操作成功完成。 ],
18:17:56:068, services.exe, 776:3256, 0, FILE_modified, C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\S-1-5-18\6d14e4b1d8ca773bab785d1be032546e_f73da4ee-833b-43a6-80b3-31946bdcaf51, , 0x00000000 [操作成功完成。 ],
18:17:56:068, services.exe, 776:3256, 0, REG_openkey, HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters, access:0x02000000 , 0x00000000 [操作成功完成。 ],
18:17:56:068, services.exe, 776:3256, 0, REG_setval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\MaxUserPort, type:0x00000004 datalen:4 data:'FE FF 00 00 ' , 0x00000000 [操作成功完成。 ],
18:17:56:083, services.exe, 776:3256, 0, REG_setval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\TcpTimedWaitDelay, type:0x00000004 datalen:4 data:'10 00 00 00 ' , 0x00000000 [操作成功完成。 ],
18:17:56:083, services.exe, 776:3256, 0, REG_setval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\TCPFinWait2Delay, type:0x00000004 datalen:4 data:'10 00 00 00 ' , 0x00000000 [操作成功完成。 ],
18:17:56:083, services.exe, 776:3256, 0, REG_setval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\MaxHashTableSize, type:0x00000004 datalen:4 data:'00 00 01 00 ' , 0x00000000 [操作成功完成。 ],
18:17:56:115, services.exe, 776:3256, 0, FILE_open, C:\WINDOWS\system32\drivers\tcpip.sys, access:0x00120089 alloc_size:0 attrib:0x00000000 share_access:0x00000003 disposition:0x00000001 options:0x00000060 , 0x00000000 [操作成功完成。 ],
18:17:56:130, services.exe, 776:3256, 0, SYS_opendev, \Device\{00B7EE7D-2FF5-EDCA-35-CF872F11ECD5}, devtype:23 access:0x00100080 share:0x00000000 , 0x00000000 [操作成功完成。 ],
18:17:56:146, services.exe, 776:3256, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\kcaqevyin, access:0x02000000 , 0x00000000 [操作成功完成。 ],
18:17:56:146, services.exe, 776:3256, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\kcaqevyin, access:0x02000000 , 0x00000000 [操作成功完成。 ],
18:17:56:162, services.exe, 776:3256, 0, REG_setval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\kcaqevyin\uYf7bKh2, type:0x00000003 datalen:8 data:'6C B0 62 9A 28 E6 B2 CB ' , 0x00000000 [操作成功完成。 ],
18:17:56:193, services.exe, 776:3256, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\kcaqevyin, access:0x02000000 , 0x00000000 [操作成功完成。 ],
18:17:56:318, services.exe, 776:3256, 0, NET_connect, 13.82.28.61:80, protocol:(TCP)0 , 0x00000000 [操作成功完成。 ],
18:17:56:927, services.exe, 776:3256, 0, FILE_write, C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\S-1-5-18\6d14e4b1d8ca773bab785d1be032546e_f73da4ee-833b-43a6-80b3-31946bdcaf51, offset:0x00000000 datalen:0x00001000 , 0x00000000 [操作成功完成。 ],
18:18:02:740, services.exe, 776:3256, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\kcaqevyin, access:0x02000000 , 0x00000000 [操作成功完成。 ],
18:18:02:787, services.exe, 776:1388, 0, FILE_chmod, C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat, attrib:0x00000000 , 0x00000000 [操作成功完成。 ],
18:18:02:802, services.exe, 776:1388, 0, FILE_chmod, C:\Documents and Settings\LocalService\Cookies\index.dat, attrib:0x00000000 , 0x00000000 [操作成功完成。 ],
18:18:02:818, services.exe, 776:1388, 0, FILE_chmod, C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat, attrib:0x00000000 , 0x00000000 [操作成功完成。 ],
18:18:02:974, services.exe, 776:1388, 0, NET_connect, 64.13.192.76:80, protocol:(TCP)0 , 0x00000000 [操作成功完成。 ],
18:18:02:990, services.exe, 776:1388, 0, NET_http, en.wikipedia.org/wiki/Special:Random, protocol:(TCP)0 cmd:'GET' datalen:275 , 0x00000000 [操作成功完成。 ],
18:18:03:865, services.exe, 776:3256, 0, NET_http, hollyjesus.com/viewforum.php?f=108, protocol:(TCP)0 cmd:'POST' datalen:586 , 0x00000000 [操作成功完成。 ],
18:18:39:396, services.exe, 776:3256, 0, NET_http, hollyjesus.com/blog.php?85dd25d8a069da288b6bcec5e546504a, protocol:(TCP)0 cmd:'POST' datalen:598 , 0x00000000 [操作成功完成。 ],
18:21:03:677, services.exe, 776:3256, 0, NET_http, hollyjesus.com/index.php?topic=115.13, protocol:(TCP)0 cmd:'POST' datalen:597 , 0x00000000 [操作成功完成。 ],