瑞星卡卡安全论坛

系统提示：DANGER:SPYWARE
要求去下载razespyware，目前系统运行时不停向外发送邮件。使用microsoft antispyware关闭了所有spyware仍然无法解除，求高手指点。

用Autoruns保存一个日志发上来
日志保存方法:选择File->Save菜单项
保存日志时注意选择Options->Hide Microsoft Entries菜单项(设置了这项后点工具栏的刷新按钮)

工具的下载、使用参考http://forum.ikaka.com/topic.asp?board=28&artid=7318038

本人比较菜，请详细说明怎样提取日志，我打开控制面板里的管理工具中查看计算机管理里的性能日志和警报里的更总日志为空，请进一步提示。谢谢！

我把hijackthis的扫描记录发上来请帮我看看

这是autorun的日志，求backstone给看看

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

+ 00THotkeyTHotkey东芝公司c:\windows\system32\00thotkey.exe

+ Acrobat Assistant 7.0AcroTrayAdobe Systems Inc.c:\program files\adobe\acrobat 7.0\distillr\acrotray.exe

+ assistseFile not found: ;

+ ccAppCommon Client User SessionSymantec Corporationc:\program files\common files\symantec shared\ccapp.exe

+ cPadAlarmFile not found: ;

+ DU MeterFile not found: ;

+ iTunesHelperFile not found: ;

+ mmtaskFile not found: ;

+ NeroCheckFile not found: ;

+ nwizFile not found: ;

+ QtRunFile not found: ;

+ QuickTime TaskFile not found: ;

+ SynTPEnhSynaptics TouchPad EnhancementsSynaptics, Inc.c:\program files\synaptics\syntp\syntpenh.exe

+ SynTPLprTouchPad Driver Helper ApplicationSynaptics, Inc.c:\program files\synaptics\syntp\syntplpr.exe

+ TcmTrayFile not found: ;

+ TFncKyTFncKyTOSHIBA CorporationC:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe

+ TFNF5TFnF5Toshiba Corp.c:\windows\system32\tfnf5.exe

+ TkBellExeFile not found: ;

+ TouchED触摸板 开/关 实用程序东芝公司c:\program files\toshiba\touched\touched.exe

+ Tpwrtray东芝省电东芝公司c:\windows\system32\tpwrtray.exe

+ vptraySymantec AntiVirusSymantec Corporationc:\program files\symantec antivirus\vptray.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

+ d3dupdate.exeFile not found: ;

+ IDManFile not found: ;

+ msnmsgrFile not found: ;

+ ShareazaFile not found: ;

HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components

+ NVMLCFile not found: C:\WINDOWS\System32\ronvidiat.dll

+ WinMediaRoNVidiaRoNVidiac:\windows\system32\nvbworks.dll

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad

+ SysTray.ExysFile not found: C:\WINDOWS\system32\bnhkdkig.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

+ Adobe.Acrobat.ContextMenuAdobe Acrobat Context MenuAdobe Systems Inc.c:\program files\adobe\acrobat 7.0\acrobat elements\contextmenu.dll

+ AutoCAD 数字签名图标覆盖处理程序AcSignIcon ModuleAutodeskc:\windows\system32\acsignicon.dll

+ Autodesk Drawing PreviewAcThumbnail ModuleAutodeskc:\program files\common files\autodesk shared\thumbnail\acthumbnail16.dll

+ Autodesk DWF PreviewAcThumbnail ModuleAutodeskc:\program files\common files\autodesk shared\thumbnail\acdwfthmbprxy16.dll

+ CuteFTP Shell ExtensionGlobalSCAPE, Inc.c:\program files\globalscape\cuteftp zh\cuteshell.dll

+ Desktop ExplorerNVIDIA Desktop Explorer, Version 36.39 NVIDIA Corporationc:\windows\system32\nvshell.dll

+ Desktop Explorer MenuNVIDIA Desktop Explorer, Version 36.39 NVIDIA Corporationc:\windows\system32\nvshell.dll

+ Display Panning CPL ExtensionFile not found: deskpan.dll

+ GT IndicatorIndicatorCUGtranc:\program files\gtran\zte dialer\gtindicator.dll

+ HyperTerminal Icon ExtHyperTerminal Applet LibraryHilgraeve, Inc.c:\windows\system32\hticons.dll

+ LDVP Shell ExtensionsSymantec AntiVirusSymantec Corporationc:\program files\common files\symantec shared\ssc\vpshell2.dll

+ pkcsetup.dllc:\windows\system32\pkcsetup.dll

+ robdyctl.dllc:\windows\system32\robdyctl.dll

+ Samsung YP-55Shell HookSamsung YP-55 Shell ExtensionSamsung, Inc.c:\windows\system32\yp55h.dll

+ Shell Extensions for RealOne PlayerRealPlayer Shell ExtensionsRealNetworks, Inc.c:\program files\real\realone player\rpshell.dll

+ TouchED触摸板 开/关 实用程序东芝公司c:\program files\toshiba\touched\touched.dll

+ WinRAR shell extensionc:\program files\winrar\rarext.dll

+ WinZipWinZip Shell Extension DLLWinZip Computing, Inc.c:\program files\winzip\wzshlstb.dll

+ WinZipWinZip Shell Extension DLLWinZip Computing, Inc.c:\program files\winzip\wzshlstb.dll

+ WinZipWinZip Shell Extension DLLWinZip Computing, Inc.c:\program files\winzip\wzshlstb.dll

+ WinZipWinZip Shell Extension DLLWinZip Computing, Inc.c:\program files\winzip\wzshlstb.dll

+ Yahoo! MailYMMAPI ModuleYahoo! Inc.c:\program files\yahoo!\common\ymmapi.dll

+ {506F4668-F13E-4AA1-BB04-B43203AB3CC0}c:\program files\microsoft office\visio11\visshe.dll

+ {D66DC78C-4F61-447F-942B-3FB6980118CF}c:\program files\microsoft office\visio11\visshe.dll

+ 粉碎文件Wiper 动态链接库c:\program files\yahoo!\assistant\assist\ywiper.dll

HKLM\Software\Classes\Folder\Shellex\ColumnHandlers

+ PDF Shell ExtensionPDF Shell ExtensionAdobe Systems, Inc.c:\program files\adobe\acrobat 7.0\activex\pdfshell.dll

HKLM\Software\Microsoft\Internet Explorer\Extensions

+ &FlashGetFlashGetAmaze Softc:\program files\flashget\flashget.exe

Task Scheduler

+ Symantec NetDetect.jobSymantec NetDetectSymantec Corporationc:\program files\symantec\liveupdate\ndetect.exe

HKLM\System\CurrentControlSet\Services

+ C-DillaSrvC-Dilla RTS ServiceC-Dilla Ltdc:\windows\system32\drivers\cdantsrv.exe

+ ccEvtMgrSymantec 事件管理器Symantec Corporationc:\program files\common files\symantec shared\ccevtmgr.exe

+ ccSetMgrSymantec 设置管理器Symantec Corporationc:\program files\common files\symantec shared\ccsetmgr.exe

+ CVPNDCisco Systems VPN ClientCisco Systems, Inc.c:\program files\cisco systems\vpn client\cvpnd.exe

+ DefWatch监控和维护病毒定义。Symantec Corporationc:\program files\symantec antivirus\defwatch.exe

+ NVSvcNVIDIA Driver Helper Service, Version 36.39NVIDIA Corporationc:\windows\system32\nvsvc32.exe

+ Symantec AntiVirus提供 Symantec AntiVirus 的实时病毒扫描、报告和管理功能。Symantec Corporationc:\program files\symantec antivirus\rtvscan.exe

HKLM\System\CurrentControlSet\Services

+ ac97intcIntel(r) Integrated Controller Hub Audio DriverIntel Corporationc:\windows\system32\drivers\ac97intc.sys

+ atapic:\windows\system32\drivers\atapi.sys

+ C-DillaC-Dilla Windows NT RTSMacrovisionc:\windows\system32\drivers\cdant.sys

+ CA561Universal Serial Bus Camera DriverSPc:\windows\system32\drivers\spca561.sys

+ CVirtACisco Systems VPN AdapterCisco Systems, Inc.c:\windows\system32\drivers\cvirta.sys

+ CVPNDRVACisco Systems VPN Client IPSec DriverCisco Systems, Inc.c:\windows\system32\drivers\cvpndrva.sys

+ d346busPnP BIOS Extension c:\windows\system32\drivers\d346bus.sys

+ d346prtSCSI miniport c:\windows\system32\drivers\d346prt.sys

+ E100BNDIS 5 driverIntel Corporationc:\windows\system32\drivers\e100b325.sys

+ GEARAspiWDMCDRom Class Filter DriverGEAR Software Inc.c:\windows\system32\drivers\gearaspiwdm.sys

+ gwbxpcFile not found: System32\DRIVERS\gwbxpc.sys

+ hwi4857USB Flash Memory Controller DriverCowon Systems, Inc.c:\windows\system32\drivers\hwi4857.sys

+ kmsinputc:\windows\system32\drivers\kmsinput.sys

+ LHidFlt2Logitech HID Filter DriverLogitechc:\windows\system32\drivers\lhidflt2.sys

+ LHidUsbLogitech USB ReceiverLogitechc:\windows\system32\drivers\lhidusb.sys

+ LKbdFlt2Logitech Keyboard Filter DriverLogitechc:\windows\system32\drivers\lkbdflt2.sys

+ LMouFlt2Logitech Mouse Filter DriverLogitechc:\windows\system32\drivers\lmouflt2.sys

+ NAVAPELFile not found: C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\NAVAPEL.SYS

+ NAVENGAV EngineSymantec Corporationc:\program files\common files\symantec shared\virusdefs\20051130.006\naveng.sys

+ NAVEX15AV EngineSymantec Corporationc:\program files\common files\symantec shared\virusdefs\20051130.006\navex15.sys

+ NETMDUSBNet MD USB DriverSony Corporationc:\windows\system32\drivers\netmdusb.sys

+ NPFNPF Driver - TME extensionsPolitecnico di Torinoc:\windows\system32\drivers\npf.sys

+ nvNVIDIA Compatible Windows 2000 Miniport Driver, Version 56.73 NVIDIA Corporationc:\windows\system32\drivers\nv4_mini.sys

+ pciSdTOSSDPCI.SYSTOSHIBAc:\windows\system32\drivers\tossdpci.sys

+ pfcPadus(R) ASPI ShellPadus, Inc.c:\windows\system32\drivers\pfc.sys

+ PortRSTBaromTec HMS30C6001 Reset DriverBarom Technologies Co., Ltd.c:\windows\system32\drivers\portrst.sys

+ PtilinkDirect Parallel Link DriverParallel Technologies, Inc.c:\windows\system32\drivers\ptilink.sys

+ PxHelp20Px Engine Device Driver for Windows 2000/XPSonic Solutionsc:\windows\system32\drivers\pxhelp20.sys

+ rfsafeFile not found: system32\drivers\rfsafe.sys

+ SAVRTAutoProtectSymantec Corporationc:\program files\symantec antivirus\savrt.sys

+ SAVRTPELSAVRTPELSymantec Corporationc:\program files\symantec antivirus\savrtpel.sys

+ SecdrvSafeDisc driverc:\windows\system32\drivers\secdrv.sys

+ SERIALOXDotSurfer Serial Device Driver for Win2K (JULY 18, 2001) GTRAN Korea INC.c:\windows\system32\drivers\serialox.sys

+ SMCIRDASMC IrCC NDIS 5.0 IrDA FIR Device DriverSMCc:\windows\system32\drivers\smcirda.sys

+ sonypvs1Sony Digital ImagingSony Corporationc:\windows\system32\drivers\sonypvs1.sys

+ SparrowAdaptec AIC-6x60 series SCSI miniportAdaptec, Inc.c:\windows\system32\drivers\sparrow.sys

+ SymEventSymantec Event LibrarySymantec Corporationc:\program files\symantec\symevent.sys

+ SYMREDRVRedirector Filter DriverSymantec Corporationc:\windows\system32\drivers\symredrv.sys

+ SYMTDINetwork Dispatch DriverSymantec Corporationc:\windows\system32\drivers\symtdi.sys

+ SynTPSynaptics Touchpad DriverSynaptics, Inc.c:\windows\system32\drivers\syntp.sys

+ TOSHIBASoftModemSoftModem Device DriverLTc:\windows\system32\drivers\ltsm.sys

+ tsdhdSD Card Host Controller DriverTOSHIBA Corporationc:\windows\system32\drivers\tsdhd.sys

+ TVALDToshiba ACPI-Based Value Added Logical Device DriverToshiba Corporationc:\windows\system32\drivers\tvald.sys

+ TVALDXToshiba ACPI-Based Value Added Logical Device Extension DriverToshiba Corporationc:\windows\system32\drivers\tvaldx.sys

+ TVALGTOSHIBA Value Added Logical and General Purpose Device DriverTOSHIBA Corporationc:\windows\system32\drivers\tvalg.sys

+ vsdatantTrueVector Device DriverZone Labs Inc.c:\windows\system32\vsdatant.sys

+ WDM_YAMAHAAC97YAMAHA AC-XG WDMYAMAHA CORPORATIONc:\windows\system32\drivers\yacxgc.sys

+ ZSMC301bVideo streaming and Capture Device DriverVMc:\windows\system32\drivers\usbvm31b.sys

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls

+ APIHookDll.dllFile not found: APIHookDll.dll

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

+ NavLogonSymantec AntiVirus Logon NotificationSymantec Corporationc:\windows\system32\navlogon.dll

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors

+ Adobe PDF PortAcrobat ? PDF PortAdobe Systems Incorporated.c:\windows\system32\adobepdf.dll

+ HP LaserJet 5 Language MonitorWin32 Language Monitor for direct connect HP printersHewlett-Packardc:\windows\system32\hpdcmon.dll

请帮帮我啊

使用procexp查发现其中一个svchost的cpu占用率较高，却不知是哪个进程调用的

blackstone大侠帮我看看阿

日志未看出异常，可以把那些File not found的垃圾项删掉

去下载一个
http://www.sysinternals.com/Files/TcpView.zip
看看是那个进程不停的访问网络

File not found的垃圾项已删掉，仍然不停的向外发送邮件，谢谢blackstone，我再按照你的方法查查tcp,谢谢！！

使用tcpview察看发现在对外发邮件时ccapp.exe及winlogon.exe对外建立连接，连接多个ip地址，下一步该怎么办啊！！

引用:

【yingke的贴子】使用tcpview察看发现在对外发邮件时ccapp.exe及winlogon.exe对外建立连接，连接多个ip地址，下一步该怎么办啊！！ ...........................

ccapp.exe是诺顿的吧，

发一个procexp的日志上来看看。

这是procexp的日志，麻烦你了，谢谢
ProcessPIDCPUDescriptionCompany Name
System Idle Process0
Interruptsn/aHardware Interrupts
DPCsn/a1.94Deferred Procedure Calls
System4
  smss.exe664Windows NT Session ManagerMicrosoft Corporation
  csrss.exe7160.97
  winlogon.exe752Windows NT Logon ApplicationMicrosoft Corporation
    services.exe7961.94Services and Controller appMicrosoft Corporation
    svchost.exe972Generic Host Process for Win32 ServicesMicrosoft Corporation
      gcasDtServ.exe3272Microsoft AntiSpyware Data ServiceMicrosoft Corporation
    svchost.exe1020
    svchost.exe1084Generic Host Process for Win32 ServicesMicrosoft Corporation
      wuauclt.exe3212Automatic UpdatesMicrosoft Corporation
    svchost.exe1172
    svchost.exe1280
    ccSetMgr.exe1452Common Client Settings Manager ServiceSymantec Corporation
    ccEvtMgr.exe1480Common Client Event Manager ServiceSymantec Corporation
    spoolsv.exe1604Spooler SubSystem AppMicrosoft Corporation
    CDANTSRV.EXE1728C-Dilla RTS ServiceC-Dilla Ltd
    cvpnd.exe1748Cisco Systems VPN ClientCisco Systems, Inc.
    DefWatch.exe1768Virus Definition DaemonSymantec Corporation
    mdm.exe1800Machine Debug ManagerMicrosoft Corporation
    sqlservr.exe1856SQL Server Windows NTMicrosoft Corporation
    nvsvc32.exe236NVIDIA Driver Helper Service, Version 36.39NVIDIA Corporation
    svchost.exe33290.29Generic Host Process for Win32 ServicesMicrosoft Corporation
    svchost.exe404Generic Host Process for Win32 ServicesMicrosoft Corporation
    Rtvscan.exe420Symantec AntiVirusSymantec Corporation
    tmesbs32.exe452tmesbs32东芝
    wdfmgr.exe548
    alg.exe2652
    lsass.exe808LSA Shell (Export Version)Microsoft Corporation
explorer.exe13160.97Windows ExplorerMicrosoft Corporation
00THotkey.exe2060THotkey东芝公司
TPWRTRAY.EXE2068东芝省电东芝公司
TFncKy.exe2076TFncKyTOSHIBA Corporation
tmesbs32.exe2084tmesbs32东芝
TouchED.exe2092触摸板 开/关 实用程序东芝公司
SynTPEnh.exe2100Synaptics TouchPad EnhancementsSynaptics, Inc.
SynTPLpr.exe2124TouchPad Driver Helper ApplicationSynaptics, Inc.
acrotray.exe2132AcroTrayAdobe Systems Inc.
ccApp.exe2144Common Client User SessionSymantec Corporation
VPTray.exe2164Symantec AntiVirusSymantec Corporation
gcasServ.exe2172Microsoft AntiSpyware ServiceMicrosoft Corporation
TFNF5.exe2192TFnF5Toshiba Corp.
WCESCOMM.EXE2200Connection ManagerMicrosoft Corporation
ctfmon.exe2216CTF LoaderMicrosoft Corporation
procexp.exe31923.88Sysinternals Process ExplorerSysinternals

Process: Procexp Pid: -2

TypeName

看不出来，再发个Autorun的日志上来。

4楼就是autorun的日志

我的意思是你重新扫描一个发上来

哈哈
现在，安全助手就可以提起日记了

这是新的autorun扫描日志


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

+ 00THotkeyTHotkey东芝公司c:\windows\system32\00thotkey.exe

+ Acrobat Assistant 7.0AcroTrayAdobe Systems Inc.c:\program files\adobe\acrobat 7.0\distillr\acrotray.exe

+ ccAppCommon Client User SessionSymantec Corporationc:\program files\common files\symantec shared\ccapp.exe

+ SynTPEnhSynaptics TouchPad EnhancementsSynaptics, Inc.c:\program files\synaptics\syntp\syntpenh.exe

+ SynTPLprTouchPad Driver Helper ApplicationSynaptics, Inc.c:\program files\synaptics\syntp\syntplpr.exe

+ TFncKyTFncKyTOSHIBA CorporationC:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe

+ TFNF5TFnF5Toshiba Corp.c:\windows\system32\tfnf5.exe

+ TouchED触摸板 开/关 实用程序东芝公司c:\program files\toshiba\touched\touched.exe

+ Tpwrtray东芝省电东芝公司c:\windows\system32\tpwrtray.exe

+ vptraySymantec AntiVirusSymantec Corporationc:\program files\symantec antivirus\vptray.exe

HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components

+ NVMLCFile not found: C:\WINDOWS\System32\ronvidiat.dll

+ WinMediaRoNVidiaRoNVidiac:\windows\system32\nvbworks.dll

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad

+ SysTray.ExysFile not found: C:\WINDOWS\system32\bnhkdkig.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

+ Adobe.Acrobat.ContextMenuAdobe Acrobat Context MenuAdobe Systems Inc.c:\program files\adobe\acrobat 7.0\acrobat elements\contextmenu.dll

+ AutoCAD 数字签名图标覆盖处理程序AcSignIcon ModuleAutodeskc:\windows\system32\acsignicon.dll

+ Autodesk Drawing PreviewAcThumbnail ModuleAutodeskc:\program files\common files\autodesk shared\thumbnail\acthumbnail16.dll

+ Autodesk DWF PreviewAcThumbnail ModuleAutodeskc:\program files\common files\autodesk shared\thumbnail\acdwfthmbprxy16.dll

+ CuteFTP Shell ExtensionGlobalSCAPE, Inc.c:\program files\globalscape\cuteftp zh\cuteshell.dll

+ Desktop ExplorerNVIDIA Desktop Explorer, Version 36.39 NVIDIA Corporationc:\windows\system32\nvshell.dll

+ Desktop Explorer MenuNVIDIA Desktop Explorer, Version 36.39 NVIDIA Corporationc:\windows\system32\nvshell.dll

+ Display Panning CPL ExtensionFile not found: deskpan.dll

+ GT IndicatorIndicatorCUGtranc:\program files\gtran\zte dialer\gtindicator.dll

+ HyperTerminal Icon ExtHyperTerminal Applet LibraryHilgraeve, Inc.c:\windows\system32\hticons.dll

+ LDVP Shell ExtensionsSymantec AntiVirusSymantec Corporationc:\program files\common files\symantec shared\ssc\vpshell2.dll

+ pkcsetup.dllc:\windows\system32\pkcsetup.dll

+ robdyctl.dllc:\windows\system32\robdyctl.dll

+ Samsung YP-55Shell HookSamsung YP-55 Shell ExtensionSamsung, Inc.c:\windows\system32\yp55h.dll

+ Shell Extensions for RealOne PlayerRealPlayer Shell ExtensionsRealNetworks, Inc.c:\program files\real\realone player\rpshell.dll

+ TouchED触摸板 开/关 实用程序东芝公司c:\program files\toshiba\touched\touched.dll

+ WinRAR shell extensionc:\program files\winrar\rarext.dll

+ WinZipWinZip Shell Extension DLLWinZip Computing, Inc.c:\program files\winzip\wzshlstb.dll

+ WinZipWinZip Shell Extension DLLWinZip Computing, Inc.c:\program files\winzip\wzshlstb.dll

+ WinZipWinZip Shell Extension DLLWinZip Computing, Inc.c:\program files\winzip\wzshlstb.dll

+ WinZipWinZip Shell Extension DLLWinZip Computing, Inc.c:\program files\winzip\wzshlstb.dll

+ Yahoo! MailYMMAPI ModuleYahoo! Inc.c:\program files\yahoo!\common\ymmapi.dll

+ {506F4668-F13E-4AA1-BB04-B43203AB3CC0}c:\program files\microsoft office\visio11\visshe.dll

+ {D66DC78C-4F61-447F-942B-3FB6980118CF}c:\program files\microsoft office\visio11\visshe.dll

+ 粉碎文件Wiper 动态链接库c:\program files\yahoo!\assistant\assist\ywiper.dll

HKLM\Software\Classes\Folder\Shellex\ColumnHandlers

+ PDF Shell ExtensionPDF Shell ExtensionAdobe Systems, Inc.c:\program files\adobe\acrobat 7.0\activex\pdfshell.dll

HKLM\Software\Microsoft\Internet Explorer\Extensions

+ &FlashGetFlashGetAmaze Softc:\program files\flashget\flashget.exe

Task Scheduler

+ Symantec NetDetect.jobSymantec NetDetectSymantec Corporationc:\program files\symantec\liveupdate\ndetect.exe

HKLM\System\CurrentControlSet\Services

+ C-DillaSrvC-Dilla RTS ServiceC-Dilla Ltdc:\windows\system32\drivers\cdantsrv.exe

+ ccEvtMgrSymantec 事件管理器Symantec Corporationc:\program files\common files\symantec shared\ccevtmgr.exe

+ ccSetMgrSymantec 设置管理器Symantec Corporationc:\program files\common files\symantec shared\ccsetmgr.exe

+ CVPNDCisco Systems VPN ClientCisco Systems, Inc.c:\program files\cisco systems\vpn client\cvpnd.exe

+ DefWatch监控和维护病毒定义。Symantec Corporationc:\program files\symantec antivirus\defwatch.exe

+ NVSvcNVIDIA Driver Helper Service, Version 36.39NVIDIA Corporationc:\windows\system32\nvsvc32.exe

+ Symantec AntiVirus提供 Symantec AntiVirus 的实时病毒扫描、报告和管理功能。Symantec Corporationc:\program files\symantec antivirus\rtvscan.exe

HKLM\System\CurrentControlSet\Services

+ ac97intcIntel(r) Integrated Controller Hub Audio DriverIntel Corporationc:\windows\system32\drivers\ac97intc.sys

+ atapic:\windows\system32\drivers\atapi.sys

+ C-DillaC-Dilla Windows NT RTSMacrovisionc:\windows\system32\drivers\cdant.sys

+ CA561Universal Serial Bus Camera DriverSPc:\windows\system32\drivers\spca561.sys

+ CVirtACisco Systems VPN AdapterCisco Systems, Inc.c:\windows\system32\drivers\cvirta.sys

+ CVPNDRVACisco Systems VPN Client IPSec DriverCisco Systems, Inc.c:\windows\system32\drivers\cvpndrva.sys

+ d346busPnP BIOS Extension c:\windows\system32\drivers\d346bus.sys

+ d346prtSCSI miniport c:\windows\system32\drivers\d346prt.sys

+ E100BNDIS 5 driverIntel Corporationc:\windows\system32\drivers\e100b325.sys

+ GEARAspiWDMCDRom Class Filter DriverGEAR Software Inc.c:\windows\system32\drivers\gearaspiwdm.sys

+ hwi4857USB Flash Memory Controller DriverCowon Systems, Inc.c:\windows\system32\drivers\hwi4857.sys

+ i386pc:\windows\system32\drivers\i386p.sys

+ kmsinputc:\windows\system32\drivers\kmsinput.sys

+ LHidFlt2Logitech HID Filter DriverLogitechc:\windows\system32\drivers\lhidflt2.sys

+ LHidUsbLogitech USB ReceiverLogitechc:\windows\system32\drivers\lhidusb.sys

+ LKbdFlt2Logitech Keyboard Filter DriverLogitechc:\windows\system32\drivers\lkbdflt2.sys

+ LMouFlt2Logitech Mouse Filter DriverLogitechc:\windows\system32\drivers\lmouflt2.sys

+ NAVENGAV EngineSymantec Corporationc:\program files\common files\symantec shared\virusdefs\20051130.006\naveng.sys

+ NAVEX15AV EngineSymantec Corporationc:\program files\common files\symantec shared\virusdefs\20051130.006\navex15.sys

+ NETMDUSBNet MD USB DriverSony Corporationc:\windows\system32\drivers\netmdusb.sys

+ NPFNPF Driver - TME extensionsPolitecnico di Torinoc:\windows\system32\drivers\npf.sys

+ nvNVIDIA Compatible Windows 2000 Miniport Driver, Version 56.73 NVIDIA Corporationc:\windows\system32\drivers\nv4_mini.sys

+ pciSdTOSSDPCI.SYSTOSHIBAc:\windows\system32\drivers\tossdpci.sys

+ pfcPadus(R) ASPI ShellPadus, Inc.c:\windows\system32\drivers\pfc.sys

+ PortRSTBaromTec HMS30C6001 Reset DriverBarom Technologies Co., Ltd.c:\windows\system32\drivers\portrst.sys

+ PtilinkDirect Parallel Link DriverParallel Technologies, Inc.c:\windows\system32\drivers\ptilink.sys

+ PxHelp20Px Engine Device Driver for Windows 2000/XPSonic Solutionsc:\windows\system32\drivers\pxhelp20.sys

+ SAVRTAutoProtectSymantec Corporationc:\program files\symantec antivirus\savrt.sys

+ SAVRTPELSAVRTPELSymantec Corporationc:\program files\symantec antivirus\savrtpel.sys

+ SecdrvSafeDisc driverc:\windows\system32\drivers\secdrv.sys

+ SERIALOXDotSurfer Serial Device Driver for Win2K (JULY 18, 2001) GTRAN Korea INC.c:\windows\system32\drivers\serialox.sys

+ SMCIRDASMC IrCC NDIS 5.0 IrDA FIR Device DriverSMCc:\windows\system32\drivers\smcirda.sys

+ sonypvs1Sony Digital ImagingSony Corporationc:\windows\system32\drivers\sonypvs1.sys

+ SparrowAdaptec AIC-6x60 series SCSI miniportAdaptec, Inc.c:\windows\system32\drivers\sparrow.sys

+ SymEventSymantec Event LibrarySymantec Corporationc:\program files\symantec\symevent.sys

+ SYMREDRVRedirector Filter DriverSymantec Corporationc:\windows\system32\drivers\symredrv.sys

+ SYMTDINetwork Dispatch DriverSymantec Corporationc:\windows\system32\drivers\symtdi.sys

+ SynTPSynaptics Touchpad DriverSynaptics, Inc.c:\windows\system32\drivers\syntp.sys

+ TOSHIBASoftModemSoftModem Device DriverLTc:\windows\system32\drivers\ltsm.sys

+ tsdhdSD Card Host Controller DriverTOSHIBA Corporationc:\windows\system32\drivers\tsdhd.sys

+ TVALDToshiba ACPI-Based Value Added Logical Device DriverToshiba Corporationc:\windows\system32\drivers\tvald.sys

+ TVALDXToshiba ACPI-Based Value Added Logical Device Extension DriverToshiba Corporationc:\windows\system32\drivers\tvaldx.sys

+ TVALGTOSHIBA Value Added Logical and General Purpose Device DriverTOSHIBA Corporationc:\windows\system32\drivers\tvalg.sys

+ vsdatantTrueVector Device DriverZone Labs Inc.c:\windows\system32\vsdatant.sys

+ WDM_YAMAHAAC97YAMAHA AC-XG WDMYAMAHA CORPORATIONc:\windows\system32\drivers\yacxgc.sys

+ ZSMC301bVideo streaming and Capture Device DriverVMc:\windows\system32\drivers\usbvm31b.sys

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls

+ APIHookDll.dllFile not found: APIHookDll.dll

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

+ msctl32.dllc:\windows\system32\msctl32.dll

+ NavLogonSymantec AntiVirus Logon NotificationSymantec Corporationc:\windows\system32\navlogon.dll

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors

+ Adobe PDF PortAcrobat ? PDF PortAdobe Systems Incorporated.c:\windows\system32\adobepdf.dll

+ HP LaserJet 5 Language MonitorWin32 Language Monitor for direct connect HP printersHewlett-Packardc:\windows\system32\hpdcmon.dll

别沉底了，自己顶一下吧！求助啊

请blackstone大侠帮忙啊！

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
+ msctl32.dllc:\windows\system32\msctl32.dll

删除启动项
重启
删除c:\windows\system32\msctl32.dll试试

若删除不掉
用Unlocker工具删除试试
工具下载、使用参考http://forum.ikaka.com/topic.asp?board=28&artid=7471002

谢谢blackstone,按照你的做法我已经清除了启动项及msctl32.dll文件，现在已停止向外发送邮件，但是目前cpu的占用率一直为100%，占用进程为svchost.exe，不知道是什么原因，在中毒之前没有发生过这种情况，能否帮助解决一下！非常感谢你的帮助

svchost.exe的cpu的占用率为100%原因很多

你先用procexp把那个占100%的svchost.exe关闭看看机器有啥反映

procexp无法停止该进程

提示什么？

系统提示：
error opening process:拒绝访问

引用:

【yingke的贴子】系统提示： error opening process:拒绝访问 ...........................

查看一下那个svhost.exe的信息

附件: 5887812005127123556.JPG

该进程的扫描属性图像为：
图像传不上来，具体描述如下：
(not verify)microsoft coporation

command line:
c:\windows\system32\svchost.exe -k netsvcs

其他内容与blackstone提供的图片一致
不知道能否明白

顺便问一下，此论坛上传图片需要自己写代码吗？

回复时选择“标志模式按钮”，再选择浏览按钮就可以了。