kanzo - 2006-1-20 10:12:00
My computer restarts by itself right after it boots. Using Rising 18.10.32 in Safe Mode I already found the Trojan.RootKit.Vanti.bm virus and killed it, but the machine still restarts on boot. Could someone please tell me what to do? Thanks!
QQ小乞民 - 2006-1-20 10:15:00
Just reinstall the system~
BlackStone - 2006-1-20 10:16:00
Save a log with Autoruns and post it here.
How to save the log: choose the File->Save menu item.
When saving the log, make sure the Options->Hide Microsoft Entries menu item is selected (after setting it, click the Refresh button on the toolbar). For downloading and using the tool, see
http://forum.ikaka.com/topic.asp?board=28&artid=7318038
kanzo - 2006-1-20 10:31:00
May I ask where I can find the log so I can upload it?
kanzo - 2006-1-20 10:38:00
Process PID CPU Description Company Name
System Idle Process 0 91.51
Interrupts n/a 0.94 Hardware Interrupts
DPCs n/a 0.94 Deferred Procedure Calls
System 4
smss.exe 684 Windows NT Session Manager Microsoft Corporation
csrss.exe 732 Client Server Runtime Process Microsoft Corporation
winlogon.exe 760 Windows NT Logon Application Microsoft Corporation
services.exe 804 2.83 Services and Controller app Microsoft Corporation
ibmpmsvc.exe 976
svchost.exe 1032 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1116 Generic Host Process for Win32 Services Microsoft Corporation
CCenter.exe 1212 CCenter Beijing Rising Technology Co., Ltd.
svchost.exe 1228 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1440 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1664 Generic Host Process for Win32 Services Microsoft Corporation
RavMonD.exe 1720 RavMond Beijing Rising Technology Co., Ltd.
RavStub.exe 240 Rising RavStub Beijing Rising Technology Co., Ltd.
rfwsrv.exe 1760 Rising Personal FireWall Service Beijing Rising Technology Co., Ltd.
rfwmain.exe 540 Rising Personal FireWall Main Program Beijing Rising Technology Co., Ltd.
spoolsv.exe 196 Spooler SubSystem App Microsoft Corporation
ati2evxx.exe 676
QCONSVC.EXE 860
svchost.exe 1336 Generic Host Process for Win32 Services Microsoft Corporation
wdfmgr.exe 1800 Windows User Mode Driver Manager Microsoft Corporation
MsPMSPSv.exe 396 WMDM PMSP Service Microsoft Corporation
alg.exe 1484 Application Layer Gateway Service Microsoft Corporation
lsass.exe 824 LSA Shell (Export Version) Microsoft Corporation
explorer.exe 1632 Windows Explorer Microsoft Corporation
tp4serv.exe 3072 IBM PS/2 TrackPoint Daemon IBM Corporation
TPHKMGR.exe 3104
realsched.exe 3252 RealNetworks Scheduler RealNetworks, Inc.
cdnup.exe 3448 LiveUpdate Module
RavTask.exe 3504 RavTimer Beijing Rising Technology Co., Ltd.
RavMon.exe 3580 RavMon Beijing Rising Technology Co., Ltd.
iexplore.exe 4024 Internet Explorer Microsoft Corporation
procexp.exe 924 3.77 Sysinternals Process Explorer Sysinternals
ctfmon.exe 3880 CTF Loader Microsoft Corporation
kanzo - 2006-1-20 10:39:00
Boss, please help me take a look.
BlackStone - 2006-1-20 10:44:00
Read the post carefully: it is the Autoruns log that is needed, not the procexp one.
Save a log with Autoruns and post it here.
How to save the log: choose the File->Save menu item.
When saving the log, make sure the Options->Hide Microsoft Entries menu item is selected (after setting it, click the Refresh button on the toolbar). For downloading and using the tool, see
http://forum.ikaka.com/topic.asp?board=28&artid=7318038
kanzo - 2006-1-20 11:10:00
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
+ ATIModeChange | ATI 2D Mode component | ATI Technologies, Inc. | c:\windows\system32\ati2mdxx.exe
+ ccenter | CCenter | Beijing Rising Technology Co., Ltd. | c:\program files\rising\rav\ccenter.exe
+ CdnCtr | LiveUpdate Module | c:\program files\cnnic\cdn\cdnup.exe
+ MSPY2002 | c:\windows\system32\ime\pintlgnt\imscinst.exe
+ RavTask | RavTimer | Beijing Rising Technology Co., Ltd. | c:\program files\rising\rav\ravtask.exe
+ TkBellExe | RealNetworks Scheduler | RealNetworks, Inc. | c:\program files\common files\real\update_ob\realsched.exe
+ TP4EX | IBM TrackPoint Accessibility Features | IBM Corporation | c:\windows\system32\tp4ex.exe
+ TPHOTKEY | c:\program files\thinkpad\pkgmgr\hotkey\tphkmgr.exe
+ TrackPointSrv | IBM PS/2 TrackPoint Daemon | IBM Corporation | c:\windows\system32\tp4serv.exe
C:\Documents and Settings\use\「开始」菜单\程序\启动
+ 腾讯QQ.lnk | QQ | TENCENT | c:\program files\tencent\qq\qq.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
+ cnshook.dll | 3721 CNS Module | 北京三七二一科技有限公司 | c:\windows\downloaded program files\cnshook.dll
+ CnsMin.dll | File not found: C:\WINDOWS\DOWNLO~1\CnsMin.dll
+ Rising Execute File Exts hook | Rising Shell Ext Module | Beijing Rising Technology Co., Ltd. | c:\windows\system32\ravext.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
+ RISING | Rising Shell Ext Module | Beijing Rising Technology Co., Ltd. | c:\windows\system32\ravext.dll
+ Shell Extensions for RealOne Player | RealPlayer Shell Extensions | RealNetworks, Inc. | c:\program files\real\realone player\rpshell.dll
+ Yahoo!Photo | File not found: C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\yphtb.dll
+ 粉碎文件 | File not found: C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\ywiper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
+ CNNIC_IDN | CndnIEHelper Module | c:\program files\cnnic\cdn\cdniehlp.dll
HKCU\Software\Microsoft\Internet Explorer\UrlSearchHooks
+ cnshook.dll | 3721 CNS Module | 北京三七二一科技有限公司 | c:\windows\downloaded program files\cnshook.dll
HKLM\Software\Microsoft\Internet Explorer\Extensions
+ 浩方对战平台 | 浩方对战平台 | 上海浩方在线信息技术有限公司 | c:\program files\浩方对战平台\gameclient.exe
+ 清理上网记录 | File not found: http://assistant.3721.com/clean1.htm?fb=Cns
+ 情景聊天 | File not found: http://cn.rd.yahoo.com/home/messenger/bjk/clientbtn/?http://cn.messenger.yahoo.com/
+ 上网助手 | File not found: http://assistant.3721.com/index.htm?fb=Cns
+ 手机短信 | File not found: http://sms.3721.com/ie/index.htm?pid=209
+ 腾讯QQ | QQ | TENCENT | c:\program files\tencent\qq\qq.exe
+ 修复浏览器 | File not found: http://assistant.3721.com/security1.htm?fb=Cns
+ 寻宝乐趣多 | File not found: http://hot.3721.com/rd/shop_btn.htm
Task Scheduler
+ BMMTask.job | c:\program files\thinkpad\utilities\bmmtask.exe
HKLM\System\CurrentControlSet\Services
+ Ati HotKey Poller | c:\windows\system32\ati2evxx.exe
+ IBMPMSVC | c:\windows\system32\ibmpmsvc.exe
+ QCONSVC | c:\windows\system32\qconsvc.exe
+ RfwService | Rising Personal Firewall Service | Beijing Rising Technology Co., Ltd. | c:\program files\rising\rfw\rfwsrv.exe
+ RsCCenter | CCenter | Beijing Rising Technology Co., Ltd. | c:\program files\rising\rav\ccenter.exe
+ RsRavMon | RavMond | Beijing Rising Technology Co., Ltd. | c:\program files\rising\rav\ravmond.exe
+ W32Times | 为计算机网络提供同步的时间计划服务(NMCT),此服务被终止或禁用,多数基于 Windows 的软件将无法正常运行. | c:\windows\system32\timeman32.exe
+ Wintime | File not found: C:\WINDOWS\System32\SVCH0ST.EXE
HKLM\System\CurrentControlSet\Services
+ AgereSoftModem | SoftModem Device Driver | Agere Systems | c:\windows\system32\drivers\agrsm.sys
+ ati2mtag | ATI RAGE 6 Miniport Driver | ATI Technologies Inc. | c:\windows\system32\drivers\ati2mtag.sys
+ BaseTDI | basetdi | Beijing Rising Technology Co., Ltd. | c:\windows\system32\drivers\basetdi.sys
+ cdnprot | cdnprot | CNNIC | c:\windows\system32\drivers\cdnprot.sys
+ cdntran | cdnhook | CNNIC | c:\windows\system32\drivers\cdntran.sys
+ DSMBATT | Driver for battery information | c:\windows\system32\drivers\dsmbatt.sys
+ E100B | NDIS 5 driver | Intel Corporation | c:\windows\system32\drivers\e100b325.sys
+ EGATHDRV | c:\windows\system32\egathdrv.sys
+ ExpScaner | ExpScan.sys | c:\program files\rising\rav\expscan.sys
+ GT680x | File not found: System32\DRIVERS\GT680x.SYS
+ HookCont | TDI HOOK Driver | Rising tech Co. ltd | c:\program files\rising\rav\hookcont.sys
+ HookReg | c:\program files\rising\rav\hookreg.sys
+ HookSys | Hooksys | Rising | c:\program files\rising\rav\hooksys.sys
+ IBMPMDRV | IBM ThinkPad Power Management Driver | IBM Corp. | c:\windows\system32\drivers\ibmpmdrv.sys
+ IBMTPCHK | c:\windows\system32\drivers\ibmbldid.sys
+ k750bus | Sony Ericsson 750 Driver | MCCI | c:\windows\system32\drivers\k750bus.sys
+ k750mdfl | Sony Ericsson 750 USB WMC Modem Filter | MCCI | c:\windows\system32\drivers\k750mdfl.sys
+ k750mdm | Sony Ericsson 750 USB WMC Modem Drivers | MCCI | c:\windows\system32\drivers\k750mdm.sys
+ k750mgmt | Sony Ericsson 750 USB WMC Device Management Drivers | MCCI | c:\windows\system32\drivers\k750mgmt.sys
+ k750obex | Sony Ericsson 750 USB WMC OBEX Interface Drivers | MCCI | c:\windows\system32\drivers\k750obex.sys
+ kmsinput | c:\windows\system32\drivers\kmsinput.sys
+ MEMSCAN | MemScan Driver | 瑞星软件有限公司 | c:\program files\rising\rav\memscan.sys
+ mProcRs | Rising Personal FireWall mprocrs.sys | Beijing Rising Technology Co., Ltd. | c:\program files\rising\rfw\mprocrs.sys
+ NETMDUSB | Net MD USB Driver | Sony Corporation | c:\windows\system32\drivers\netmdusb.sys
+ New0 | c:\windows\system32\new.sys
+ npkcrypt | nProtect KeyCrypt Driver | INCA Internet Co., Ltd. | c:\program files\tencent\qq\npkcrypt.sys
+ NPPTNT | nProtect NPSC Kernel Mode Driver for NT | INCA Internet Co., Ltd. | c:\windows\system32\npptnt.sys
+ NSCIRDA | NSC Fast Infrared Driver. | National Semiconductor Corporation | c:\windows\system32\drivers\nscirda.sys
+ PCDRDRV | File not found: system32\drivers\PCDRDRV.sys
+ PcdrNt | PC-Doctor NT Support Driver | PC-Doctor Inc. | c:\windows\system32\drivers\pcdrnt.sys
+ Ptilink | Direct Parallel Link Driver | Parallel Technologies, Inc. | c:\windows\system32\drivers\ptilink.sys
+ RsFwDrv | nt_fwdrv | Beijing Rising Technology Co., Ltd. | c:\program files\rising\rfw\rsfwdrv.sys
+ Secdrv | SafeDisc driver | c:\windows\system32\drivers\secdrv.sys
+ Ser2pl | USB-to-Serial Cable Driver | Prolific Technology Inc. | c:\windows\system32\drivers\ser2pl.sys
+ smwdm | SoundMAX Integrated Digital Audio | Analog Devices, Inc. | c:\windows\system32\drivers\smwdm.sys
+ SNPHV71 | PC Camera driver | c:\windows\system32\drivers\snphv71.sys
+ SONYPVU1 | Sony USB Lower Filter driver | Sony Corporation | c:\windows\system32\drivers\sonypvu1.sys
+ TDSMAPI | c:\windows\system32\drivers\tdsmapi.sys
+ Tp4Track | IBM PS/2 TrackPoint Mouse Filter Driver | IBM Corporation | c:\windows\system32\drivers\tp4track.sys
+ TPPWR | IBM ThinkPad Power Management Device Driver | IBM Corp. | c:\windows\system32\drivers\tppwr.sys
+ TSMAPIP | c:\windows\system32\drivers\tsmapip.sys
BlackStone - 2006-1-20 11:14:00
+ W32Times | 为计算机网络提供同步的时间计划服务(NMCT),此服务被终止或禁用,多数基于 Windows 的软件将无法正常运行. | c:\windows\system32\timeman32.exe
Delete this startup entry.
Reboot.
Then try deleting c:\windows\system32\timeman32.exe.
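As an added example (not code from this thread, from Rising or from Autoruns), a small Python check for the masquerading pattern BlackStone singles out: the service W32Times sitting next to the real Windows Time service name W32Time, and the Wintime service whose image is SVCH0ST.EXE with a zero where svchost.exe has an "o". The allowlists and the sample service entries below are assumed/constructed from the log in this thread.

```python
import os

# Constructed sample: three (service name, image path) pairs taken from the
# Autoruns service section posted above, one benign entry for contrast.
SAMPLE_SERVICES = [
    ("RsRavMon", r"c:\program files\rising\rav\ravmond.exe"),
    ("W32Times", r"c:\windows\system32\timeman32.exe"),
    ("Wintime", r"C:\WINDOWS\System32\SVCH0ST.EXE"),
]

# Assumed small allowlists of legitimate Windows names this check knows about.
KNOWN_SERVICES = {"w32time", "wuauserv", "eventlog", "spooler"}
KNOWN_IMAGES = {"svchost.exe", "lsass.exe", "services.exe", "winlogon.exe"}


def normalize(name):
    # Fold common homoglyph swaps so "svch0st" compares as "svchost".
    return name.lower().replace("0", "o").replace("1", "l")


def edit_distance(a, b):
    # Plain Levenshtein distance; inputs are short, so O(len(a)*len(b)) is fine.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(candidate, known):
    # Returns the legitimate name the candidate imitates, or None.
    # An exact (case-insensitive) match is legitimate and is not flagged.
    n = normalize(candidate)
    for k in known:
        if n != candidate.lower() and n == k:
            return k  # differs only by a 0/o or 1/l substitution
        if n != k and edit_distance(n, k) == 1:
            return k  # one character added, removed or changed
    return None


def flag_service(name, image_path):
    findings = []
    hit = lookalike(name, KNOWN_SERVICES)
    if hit:
        findings.append(f"service name '{name}' resembles '{hit}'")
    base = os.path.basename(image_path.replace("\\", "/"))
    hit = lookalike(base, KNOWN_IMAGES)
    if hit:
        findings.append(f"image '{base}' resembles '{hit}'")
    return findings


def scan(services):
    # Map each suspicious service name to the reasons it was flagged.
    result = {}
    for name, path in services:
        findings = flag_service(name, path)
        if findings:
            result[name] = findings
    return result
```

Run `scan(SAMPLE_SERVICES)` and the two entries BlackStone points at are the ones returned; the Rising service is not.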
© 2000 - 2026 Rising Corp. Ltd.