A question about a small virus analysis!!!
I used Process Monitor to look at a virus. The virus turns off the built-in Windows firewall, but I did not find any registry operation related to disabling the firewall. Experts, please take a look. I have written down all the registry write operations below. Please advise! Thanks!!
18:17:29.3651907 111.exe 1584 RegSetValue HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed SUCCESS Type: REG_BINARY, Length: 80, Data: C2 74 80 13 5A C9 35 88 B9 1F 98 A8 BE A2 DA 1B
18:17:29.7338962 111.exe 1600 RegSetValue HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed SUCCESS Type: REG_BINARY, Length: 80, Data: 19 BA F3 DF D4 71 F2 99 44 93 B6 4D 94 9B 2C 71
18:17:30.0260392 111.exe 1600 RegSetValue HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache SUCCESS Type: REG_SZ, Length: 140, Data: C:\Documents and Settings\tao\Local Settings\Temporary Internet Files
18:17:30.0309094 111.exe 1600 RegSetValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Directory SUCCESS Type: REG_SZ, Length: 164, Data: C:\Documents and Settings\tao\Local Settings\Temporary Internet Files\Content.IE5
18:17:30.0309393 111.exe 1600 RegSetValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Paths SUCCESS Type: REG_DWORD, Length: 4, Data: 4
18:17:30.0309982 111.exe 1600 RegSetValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1\CachePath SUCCESS Type: REG_SZ, Length: 178, Data: C:\Documents and Settings\tao\Local Settings\Temporary Internet Files\Content.IE5\Cache1
18:17:30.0310331 111.exe 1600 RegSetValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2\CachePath SUCCESS Type: REG_SZ, Length: 178, Data: C:\Documents and Settings\tao\Local Settings\Temporary Internet Files\Content.IE5\Cache2
18:17:30.0310583 111.exe 1600 RegSetValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3\CachePath SUCCESS Type: REG_SZ, Length: 178, Data: C:\Documents and Settings\tao\Local Settings\Temporary Internet Files\Content.IE5\Cache3
18:17:30.0310834 111.exe 1600 RegSetValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4\CachePath SUCCESS Type: REG_SZ, Length: 178, Data: C:\Documents and Settings\tao\Local Settings\Temporary Internet Files\Content.IE5\Cache4
18:17:30.0311077 111.exe 1600 RegSetValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1\CacheLimit SUCCESS Type: REG_DWORD, Length: 4, Data: 32694
18:17:30.0311315 111.exe 1600 RegSetValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2\CacheLimit SUCCESS Type: REG_DWORD, Length: 4, Data: 32694
18:17:30.0311547 111.exe 1600 RegSetValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3\CacheLimit SUCCESS Type: REG_DWORD, Length: 4, Data: 32694
18:17:30.0311778 111.exe 1600 RegSetValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4\CacheLimit SUCCESS Type: REG_DWORD, Length: 4, Data: 32694
18:17:30.0341933 111.exe 1600 RegSetValue HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cookies SUCCESS Type: REG_SZ, Length: 76, Data: C:\Documents and Settings\tao\Cookies
18:17:30.0352999 111.exe 1600 RegSetValue HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\History SUCCESS Type: REG_SZ, Length: 106, Data: C:\Documents and Settings\tao\Local Settings\History
18:17:30.1033027 111.exe 1600 RegSetValue HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass SUCCESS Type: REG_DWORD, Length: 4, Data: 1
18:17:30.1033367 111.exe 1600 RegSetValue HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName SUCCESS Type: REG_DWORD, Length: 4, Data: 1
18:17:30.1033655 111.exe 1600 RegSetValue HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet SUCCESS Type: REG_DWORD, Length: 4, Data: 1
18:17:30.1067464 111.exe 1600 RegSetValue HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass SUCCESS Type: REG_DWORD, Length: 4, Data: 1
18:17:30.1067785 111.exe 1600 RegSetValue HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName SUCCESS Type: REG_DWORD, Length: 4, Data: 1
18:17:30.1068073 111.exe 1600 RegSetValue HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet SUCCESS Type: REG_DWORD, Length: 4, Data: 1
18:17:30.2133158 111.exe 1600 RegSetValue HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed SUCCESS Type: REG_BINARY, Length: 80, Data: AE B1 D8 7B 93 2C A3 15 D4 80 2F 95 8C 6A 03 F0
18:17:30.2135479 111.exe 1600 RegSetValue HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed SUCCESS Type: REG_BINARY, Length: 80, Data: D6 90 F1 3D C1 61 1B 95 CF FB 93 EC 0E 4C 2C 73
18:17:30.2139628 111.exe 1600 RegSetValue HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed SUCCESS Type: REG_BINARY, Length: 80, Data: 03 26 F0 A9 29 01 17 6F CB DE 76 E0 01 E7 86 71
18:17:30.2142195 111.exe 1600 RegSetValue HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed SUCCESS Type: REG_BINARY, Length: 80, Data: 91 A3 8B ED EF A3 E2 46 6F 87 20 17 00 10 1C 7E
18:17:30.2144802 111.exe 1600 RegSetValue HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed SUCCESS Type: REG_BINARY, Length: 80, Data: 79 81 B7 1C 2D 0E FA C4 7B 03 60 0E 8A 93 54 1B
18:17:30.2147082 111.exe 1600 RegSetValue HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed SUCCESS Type: REG_BINARY, Length: 80, Data: B3 9E 60 6A 40 19 E4 A4 4D C5 6D C3 5E 4E B8 16
18:17:30.2149059 111.exe 1600 RegSetValue HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed SUCCESS Type: REG_BINARY, Length: 80, Data: 76 5C 58 21 29 D7 B7 93 C0 0F 82 34 08 E0 AC 3F
18:17:30.3703327 111.exe 1600 RegSetValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common AppData SUCCESS Type: REG_SZ, Length: 106, Data: C:\Documents and Settings\All Users\Application Data
18:17:30.3825988 111.exe 1600 RegSetValue HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData SUCCESS Type: REG_SZ, Length: 94, Data: C:\Documents and Settings\tao\Application Data
18:17:30.3828823 111.exe 1600 RegSetValue HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\MigrateProxy SUCCESS Type: REG_DWORD, Length: 4, Data: 1
18:17:30.3835140 111.exe 1600 RegSetValue HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable SUCCESS Type: REG_DWORD, Length: 4, Data: 0
18:17:30.3854871 111.exe 1600 RegSetValue HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable SUCCESS Type: REG_DWORD, Length: 4, Data: 0
18:17:30.3858380 111.exe 1600 RegSetValue HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings SUCCESS Type: REG_BINARY, Length: 56, Data: 3C 00 00 00 44 00 00 00 01 00 00 00 00 00 00 00
net stop sharedaccess /y
[Solution]
Why do so many people assume that everything is stored in the registry?
[Solution]
If it is a matter of stopping the firewall-related service, no registry modification is needed.
Simply put, inside Windows, stopping a service is done by the SCM (Service Control Manager, whose executable is SERVICES.EXE) sending a stop notification to the service.
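An added example, not from this thread: a small Python triage of Process Monitor lines in the column layout pasted above, showing why a filter on registry writes alone misses a service stop and which events a defender should look at instead. The "Process Create" line and the firewall key path hints are constructed/assumed for illustration; the three RegSetValue lines are copied from the log above.

```python
import re

# Process Monitor text export, one event per line, in the column order pasted
# in the question: time, process, PID, operation, path, result, detail.
EVENT_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d\.\d+) (?P<proc>\S+) (?P<pid>\d+) "
    r"(?P<op>Reg\w+|Process Create|Process Start|\S+) (?P<path>.+?) "
    r"(?P<result>SUCCESS|NAME NOT FOUND|ACCESS DENIED|BUFFER OVERFLOW) ?(?P<detail>.*)$"
)

REG_WRITE_OPS = {"RegSetValue", "RegDeleteValue", "RegCreateKey", "RegDeleteKey"}
# Assumed hints for the XP SP2 firewall's own configuration keys: a sample that
# turned the firewall off by editing the registry would write under these.
FIREWALL_KEY_HINTS = ("services\\sharedaccess", "firewallpolicy")
# Command-line tools that ask the SCM to stop a service (no registry write).
SERVICE_TOOLS = ("net.exe", "net1.exe", "sc.exe")

def parse_event(line):
    m = EVENT_RE.match(line.strip())
    return m.groupdict() if m else None

def triage(lines):
    """Sort events into the three buckets that matter for this question."""
    out = {"registry_writes": 0, "firewall_registry_writes": [], "service_stops": []}
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        if ev["op"] in REG_WRITE_OPS:
            out["registry_writes"] += 1
            if any(h in ev["path"].lower() for h in FIREWALL_KEY_HINTS):
                out["firewall_registry_writes"].append(ev["path"])
        elif ev["op"] == "Process Create":
            image = ev["path"].lower().rsplit("\\", 1)[-1]
            cmd = ev["detail"].lower()
            if image in SERVICE_TOOLS and "stop" in cmd and "sharedaccess" in cmd:
                out["service_stops"].append(ev["detail"])
    return out

# Constructed sample: three RegSetValue lines from the thread plus one assumed
# "Process Create" line showing how the service stop would surface in ProcMon.
SAMPLE = [
    "18:17:29.3651907 111.exe 1584 RegSetValue HKLM\\SOFTWARE\\Microsoft\\Cryptography\\RNG\\Seed SUCCESS Type: REG_BINARY, Length: 80, Data: C2 74 80 13 5A C9 35 88 B9 1F 98 A8 BE A2 DA 1B",
    "18:17:30.3835140 111.exe 1600 RegSetValue HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ProxyEnable SUCCESS Type: REG_DWORD, Length: 4, Data: 0",
    "18:17:30.3858380 111.exe 1600 RegSetValue HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections\\SavedLegacySettings SUCCESS Type: REG_BINARY, Length: 56, Data: 3C 00 00 00 44 00 00 00 01 00 00 00 00 00 00 00",
    "18:17:31.0000000 111.exe 1600 Process Create C:\\WINDOWS\\system32\\net.exe SUCCESS PID: 1644, Command line: net stop sharedaccess /y",
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Filtering the capture to RegSetValue only (as the question did) yields zero firewall hits; the process-creation event, or the corresponding service-stop entry in the System event log, is where the disabling shows up.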