Rising Kaka Security Forum, Technical Exchange, Anti-virus / Anti-rogue-software board

Help!!! Urgent~! Would someone please come in and help!!

I don't know what virus my machine has caught. It keeps popping up web pages like "http://www.realcoupon-s.com/normal/yyy65.html", and many other URLs too. The startup items contain "winsysupd.exe" and "winsysban.exe", and a "windows" folder was automatically created in the root of drive C. I deleted the files inside it, but the startup entries are still there. I blocked the startup entries, but the pages still pop up on their own?
    Would someone who knows please tell me what to do?
Last edited 2006-01-23 16:16:49

Save a log with Autoruns and post it here.
To save the log: choose the File->Save menu item.
When saving the log, make sure to select the Options->Hide Microsoft Entries menu item (after setting it, click the Refresh button on the toolbar).

For downloading and using the tool see http://forum.ikaka.com/topic.asp?board=28&artid=7318038

Is it this one? I don't really understand the details. Thanks.
Process | PID | CPU | Description | Company Name
System Idle Process | 0 | 82.09
Interrupts | n/a | 1.49 | Hardware Interrupts
DPCs | n/a | 1.49 | Deferred Procedure Calls
System | 8
  smss.exe | 148 | | Windows NT Session Manager | Microsoft Corporation
  csrss.exe | 176 | 1.49
  winlogon.exe | 172 | | Windows NT Logon Application | Microsoft Corporation
    services.exe | 224 | 2.99 | Services and Controller app | Microsoft Corporation
    svchost.exe | 424 | | Generic Host Process for Win32 Services | Microsoft Corporation
      TIMPlatform.exe | 956 | | TIMPlatform | tencent
      IEXPLORE.EXE | 1392 | 1.49 | Internet Explorer | Microsoft Corporation
    spoolsv.exe | 452 | | Spooler SubSystem App | Microsoft Corporation
    command.exe | 512
    svchost.exe | 560 | | Generic Host Process for Win32 Services | Microsoft Corporation
    hidserv.exe | 580 | | HID Audio Service | Microsoft Corporation
    mdm.exe | 616 | | Machine Debug Manager | Microsoft Corporation
    netmon.exe | 680
    svbhost.exe | 724 | 1.49
    nvsvc32.exe | 784 | | NVIDIA Driver Helper Service, Version 71.84 | NVIDIA Corporation
    pppoeservice.ex | 796
      EnterNet.exe | 1048
    WinMgmt.exe | 852 | | Windows Management Instrumentation | Microsoft Corporation
    svchost.exe | 864 | | Generic Host Process for Win32 Services | Microsoft Corporation
    lsass.exe | 236 | | LSA Executable and Server DLL (Export Version) | Microsoft Corporation
Explorer.EXE | 1004 | | Windows Explorer | Microsoft Corporation
rundll32.exe | 1084 | | Run a DLL as an App | Microsoft Corporation
rundll32.exe | 552
)?2.0.exe | 1168 | | xhsd
QQ.exe | 1524 | 1.49 | QQ | TENCENT
regsvr32.exe | 1800 | | Microsoft(C) Register Server | Microsoft Corporation
procexp.exe | 1868 | 5.97 | Sysinternals Process Explorer | Sysinternals

Process: )?2.0.exe Pid: 1168

Type | Name
Desktop | \Default
Directory | \KnownDlls
Directory | \Windows
Directory | \BaseNamedObjects
Event | \BaseNamedObjects\userenv:  User Profile setup event
Event | \BaseNamedObjects\crypt32LogoffEvent
Event | \BaseNamedObjects\GuardEventmmGlobalPnpInfoGuard
Event | \BaseNamedObjects\mixercallback
Event | \BaseNamedObjects\hardwaremixercallback
File | C:\Program Files
File | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\O1ODMBOT\search[2].htm
File | \Device\Udp
File | \Device\NamedPipe\ROUTER
File | \Device\Tcp
File | \Device\Tcp
File | \Device\Ip
File | \Device\Ip
File | \Device\Ip
File | C:\Documents and Settings\Administrator\Local Settings\Temp\~DF2BE0.tmp
File | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
File | C:\Documents and Settings\Administrator\Cookies\index.dat
File | C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
File | C:\WINNT\system32\SHDOCVW.DLL
File | \Device\Afd
File | C:\WINNT\system32\stdole2.tlb
File | \Device\Tcp
File | \Device\Afd
File | \Device\KsecDD
File | \Device\NamedPipe\ntsvcs
File | \Device\NamedPipe\WMIEP_490
File | \Device\NamedPipe\WMIEP_490
File | C:\WINNT\system32\mshtml.tlb
File | \Device\KsecDD
File | \Device\KSENUM#00000001
File | \Device\NamedPipe\ntsvcs
File | C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012006012320060124\index.dat
Key | HKU
Key | HKLM\SOFTWARE\MICROSOFT\COM3
Key | HKCR\CLSID
Key | HKCR
Key | HKLM\SOFTWARE\MICROSOFT\COM3
Key | HKU
Key | HKLM\SOFTWARE\MICROSOFT\COM3
Key | HKLM\SOFTWARE\MICROSOFT\COM3
Key | HKCR\CLSID
Key | HKCU\Software\Classes
Key | HKCU\Software\Classes
Key | HKCU\Software\Classes
Key | HKCU\Software\Classes
Key | HKCU\Software\Classes
Key | HKLM\SOFTWARE\MICROSOFT\COM3
Key | HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\DRIVERS32
Key | HKCU\SOFTWARE\MICROSOFT\Windows\CURRENTVERSION\Internet Settings\ZoneMap
Key | HKCU\Software\Classes
Key | HKCU\Software\Classes
Key | HKLM\SOFTWARE\MICROSOFT\Tracing\RASADHLP
Key | HKLM\SYSTEM\ControlSet001\Services\Tcpip\Linkage
Key | HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters
Key | HKLM\SYSTEM\ControlSet001\Services\NetBT\Parameters\Interfaces
Key | HKLM\SYSTEM\ControlSet001\Services\NetBT\Parameters
Key | HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9
Key | HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5
Key | HKLM\SOFTWARE\MICROSOFT\MSSQLServer\Client\SuperSocketNetLib\LastConnect
Key | HKCU\Software\Classes
Key | HKCU\Software\Classes
Key | HKCU\Software\Classes
Key | HKCU\SOFTWARE\MICROSOFT\Internet Explorer\Security\P3Sites
Key | HKCU\Software\Classes
Key | HKCU\SOFTWARE\MICROSOFT\Internet Explorer\Security\P3Global
Key | HKCU\SOFTWARE\MICROSOFT\Windows\CURRENTVERSION\Internet Settings
Key | HKCU\Software\Classes
Key | HKLM\SOFTWARE\MICROSOFT\Internet Explorer\Extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Key | HKCU\SOFTWARE\MICROSOFT\Windows\ShellNoRoam
Key | HKCU\SOFTWARE\MICROSOFT\Windows\ShellNoRoam\MUICache
Key | HKU
Key | HKCU\SOFTWARE\MICROSOFT\Windows\CURRENTVERSION\Internet Settings\ZoneMap
Key | HKLM\SOFTWARE\MICROSOFT\Tracing\RASAPI32
Key | HKLM\SYSTEM\ControlSet001\Hardware Profiles\0001
Key | HKCU\SOFTWARE\MICROSOFT\Windows\CURRENTVERSION\Internet Settings\P3P\History
Key | HKCU\SOFTWARE\MICROSOFT\Windows\CURRENTVERSION\Internet Settings\ZoneMap
Key | HKCU\Software\Classes
Key | HKCU\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\Windows
Key | HKCU\SOFTWARE\MICROSOFT\Windows\CURRENTVERSION\Internet Settings\ZoneMap
Key | HKCU\Software\Classes
Key | HKCU\Software\Classes
Key | HKLM\SYSTEM\ControlSet001\Control\Nls\CodePage
Key | HKLM
Key | HKCU\Software\Classes
Key | HKCU\Software\Classes
Key | HKCU\Software\Classes
Key | HKLM\SOFTWARE\MICROSOFT\Windows\CURRENTVERSION\Explorer
Key | HKCU\Software\Classes
Key | HKCU
Key | HKCU\Software\Classes
Key | HKCU\Software\Classes
Key | HKCU\Software\Classes
Key | HKCU\Software\Classes
Key | HKCU\Software\Classes
Key | HKCU\Software\Classes
Key | HKCU\Software\Classes
Key | HKCU\Software\Classes
Key | HKLM\SYSTEM\ControlSet001\Control\Nls\Locale\Alternate Sorts
Key | HKLM\SYSTEM\ControlSet001\Control\Nls\Locale
Key | HKLM\SYSTEM\ControlSet001\Control\Nls\Language Groups
Key | HKCU
Key | HKCU\Software\Classes
Key | HKCU\Software\Classes
Key | HKCR
Key | HKLM\SOFTWARE\MICROSOFT\COM3
Key | HKU
Key | HKCR
Key | HKLM\SOFTWARE\MICROSOFT\COM3
Mutant | \BaseNamedObjects\RasPbFile
Mutant | \BaseNamedObjects\_!MSFTHISTORY!_
Mutant | \BaseNamedObjects\c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Mutant | \BaseNamedObjects\c:!documents and settings!administrator!cookies!
Mutant | \BaseNamedObjects\c:!documents and settings!administrator!local settings!history!history.ie5!
Mutant | \BaseNamedObjects\WininetStartupMutex
Mutant | \BaseNamedObjects\WininetConnectionMutex
Mutant | \BaseNamedObjects\WininetProxyRegistryMutex
Mutant | \BaseNamedObjects\ZonesCounterMutex
Mutant | \BaseNamedObjects\ZonesCacheCounterMutex
Mutant | \BaseNamedObjects\_!SHMSFTHISTORY!_
Mutant | \BaseNamedObjects\GuardMutexmmGlobalPnpInfoGuard
Mutant | \BaseNamedObjects\mxrapi
Mutant | \BaseNamedObjects\c:!documents and settings!administrator!local settings!history!history.ie5!mshist012006012320060124!
Port | \RPC Control\OLEADEA962B5A544D589392D1D801C0
Section | \BaseNamedObjects\UrlZonesSM_Administrator
Section | \BaseNamedObjects\DfSharedHeap42BDD
Section | \BaseNamedObjects\DFMap0-273379
Section | \BaseNamedObjects\DfRoot00042BDD
Section | \BaseNamedObjects\C:_Documents and Settings_Administrator_Local Settings_Temporary Internet Files_Content.IE5_index.dat_6389760
Section | \BaseNamedObjects\C:_Documents and Settings_Administrator_Local Settings_History_History.IE5_index.dat_163840
Section | \BaseNamedObjects\C:_Documents and Settings_Administrator_Cookies_index.dat_81920
Section | \BaseNamedObjects\SENS Information Cache
Section | \BaseNamedObjects\MSIMGSIZECacheMap
Section | \BaseNamedObjects\mmGlobalPnpInfo
Section | \BaseNamedObjects\WDMAUD_Callbacks
Section | \BaseNamedObjects\C:_Documents and Settings_Administrator_Local Settings_History_History.IE5_MSHist012006012320060124_index.dat_98304
Section | \BaseNamedObjects\AutoUnhookMap$00000490$011a0000
Section | \BaseNamedObjects\NamedBuffer, mAH, Process $00000490, API $77e86a51
Section | \BaseNamedObjects\NamedBuffer, mAH, Process $00000490, API $77e80549
Section | \BaseNamedObjects\NamedBuffer, mAH, Process $00000490, API $77f883c8
Section | \BaseNamedObjects\NamedBuffer, mAH, Process $00000490, API $77f883e8
Section | \BaseNamedObjects\NamedBuffer, mAH, Process $00000490, API $77f88ddc
Semaphore | \BaseNamedObjects\OleDfRoot00042BDD
Semaphore | \BaseNamedObjects\shell._ie_sessioncount
Semaphore | \BaseNamedObjects\shell.{210A4BA0-3AEA-1069-A2D9-08002B30309D}
Semaphore | \BaseNamedObjects\shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1}
Semaphore | \BaseNamedObjects\shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1}
Semaphore | \BaseNamedObjects\shell.{090851A5-EB96-11D2-8BE4-00C04FA31A66}
Semaphore | \BaseNamedObjects\GuardSemmmGlobalPnpInfoGuard
Semaphore | \BaseNamedObjects\C:?PROGRAM FILES?温氏分店2.0.EXE
Thread | )?2.0.exe(1168): 2852
Thread | )?2.0.exe(1168): 1464
Thread | )?2.0.exe(1168): 1288
Thread | )?2.0.exe(1168): 1288
Thread | )?2.0.exe(1168): 300
Thread | )?2.0.exe(1168): 2852
Thread | )?2.0.exe(1168): 1812
Thread | )?2.0.exe(1168): 1412
Thread | )?2.0.exe(1168): 1032
Thread | )?2.0.exe(1168): 1464
Token | NT AUTHORITY\SYSTEM
WindowStation | \Windows\WindowStations\WinSta0
WindowStation | \Windows\WindowStations\WinSta0

Not procexp, the one from autoruns.

When saving the log, make sure to select the Options->Hide Microsoft Entries menu item (after setting it, click the Refresh button on the toolbar).

This one?

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
+ CnsMin | 3721 | 北京三七二一科技有限公司 | c:\winnt\downloaded program files\cnsmin.dll
+ NvCplDaemon | NVIDIA Display Properties Extension | NVIDIA Corporation | c:\winnt\system32\nvcpl.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
+ cnshook.dll | 3721 CNS Module | 北京三七二一科技有限公司 | c:\winnt\downloaded program files\cnshook.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
+ fintsub.dll | File not found: C:\WINNT\system32\fintsub.dll
+ mdvcrt20.dll | c:\winnt\system32\mdvcrt20.dll
+ Shell Extensions for RealOne Player | RealPlayer Shell Extensions | RealNetworks, Inc. | c:\program files\real\realplayer\rpshell.dll
+ Yahoo Trojan Cleanner | c:\program files\3721\ske\contmenu.dll

HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
+ Web 文件夹 | c:\program files\common files\microsoft shared\web folders\msonsext.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
+ CnsHook Class | 3721 CNS Module | 北京三七二一科技有限公司 | c:\winnt\downloaded program files\cnshook.dll

HKCU\Software\Microsoft\Internet Explorer\UrlSearchHooks
+ coolbar | CoolBar | 3721 | c:\program files\3721\assist\asbar.dll

HKLM\Software\Microsoft\Internet Explorer\Extensions
+ @shdoclc.dll,-864 | c:\winnt\web\related.htm

HKLM\System\CurrentControlSet\Services
+ awhost32 | "允许主控端 pcAnywhere 用户连接到此机器。" | Symantec Corporation | c:\program files\symantec\pcanywhere\awhost32.exe
+ cmdService | c:\winnt\q2xlyxi\command.exe
+ Network Monitor | c:\program files\network monitor\netmon.exe
+ network services | c:\winnt\svbhost.exe
+ NVSvc | Provides system and desktop level support to the NVIDIA display driver | NVIDIA Corporation | c:\winnt\system32\nvsvc32.exe
+ PPPoEService | c:\program files\efficient networks\enternet 500\app\pppoeservice.exe
+ TimerLock | File not found: C:\WINDOWS\Slave.exe

HKLM\System\CurrentControlSet\Services
+ aeaudio | Andrea Audio Noise Cancellation Driver | Andrea Electronics Corporation | c:\winnt\system32\drivers\aeaudio.sys
+ AW_HOST | pcAnywhere Host Driver for Windows 2000 | Symantec Corporation | c:\winnt\system32\drivers\aw_host5.sys
+ awlegacy | pcAnywhere Legacy Driver | Symantec Corporation | c:\winnt\system32\drivers\awlegacy.sys
+ dmio | NT Disk Manager I/O Driver | VERITAS Software Corp. | c:\winnt\system32\drivers\dmio.sys
+ dmload | NT Disk Manager Startup Driver | VERITAS Software Corp. | c:\winnt\system32\drivers\dmload.sys
+ kmsinput | c:\winnt\system32\drivers\kmsinput.sys
+ KRegEx | c:\winnt\system32\drivers\kregex.sys
+ npkcrypt | nProtect KeyCrypt Driver | INCA Internet Co., Ltd. | c:\program files\tencent\qq\npkcrypt.sys
+ NTSTAP1 | NTS TAP Kernel Driver for NT | Network TeleSystems, Inc. | c:\program files\efficient networks\enternet 500\app\ntstap1.sys
+ NTSTAP2 | NTS TAP Kernel Driver for NT | Network TeleSystems, Inc. | c:\program files\efficient networks\enternet 500\app\ntstap2.sys
+ nv | NVIDIA Compatible Windows 2000 Miniport Driver, Version 71.84 | NVIDIA Corporation | c:\winnt\system32\drivers\nv4_mini.sys
+ PProtect | File not found: C:\WINNT\system32\drivers\PProtect.sys
+ Ptilink | Direct Parallel Link Driver | Parallel Technologies, Inc. | c:\winnt\system32\drivers\ptilink.sys
+ RTL8023 | Realtek 10/100/1000 NDIS 5.0 Driver | Realtek Semiconductor Corporation | c:\winnt\system32\drivers\rtlnic.sys
+ Sentinel | c:\winnt\system32\drivers\sentinel.sys
+ smwdm | SoundMAX Integrated Digital Audio | Analog Devices, Inc. | c:\winnt\system32\drivers\smwdm.sys
+ SymEvent | Symantec Event Library | Symantec Corporation | c:\program files\symantec\symevent.sys
+ TAPBIND | NTS TAPBIND Kernel Driver for NT | Network TeleSystems, Inc. | c:\program files\efficient networks\enternet 500\app\tapbind1.sys
+ XPROTECTOR | c:\winnt\system32\drivers\xprotector.sys

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
+ ModuleUsage | File not found: C:\WINNT\system32\f42mlef11h2.dll
+ RunOnce | c:\winnt\system32\mdvcrt20.dll

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GinaDLL
+ C:\WINNT\system32\awgina.dll | pcAnywhere Authentication Interface | Symantec Corporation | c:\winnt\system32\awgina.dll

HKCU\Control Panel\Desktop\Scrnsave.exe
+ C:\PROGRA~1\KV2005\KVSCRK~1.SCR | File not found: C:\PROGRA~1\KV2005\KVSCRK~1.SCR

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors
+ Lenovo Network Port | File not found: LEXLMPM.DLL
+ pcAnywhere Remote Printing | pcAnywhere Monitor DLL | Symantec Corporation | c:\winnt\system32\awmon.dll

Thank you very much. Please help me.

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
+ fintsub.dll | File not found: C:\WINNT\system32\fintsub.dll
+ mdvcrt20.dll | c:\winnt\system32\mdvcrt20.dll

HKLM\System\CurrentControlSet\Services
+ cmdService | c:\winnt\q2xlyxi\command.exe
+ network services | c:\winnt\svbhost.exe
+ TimerLock | File not found: C:\WINDOWS\Slave.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
+ ModuleUsage | File not found: C:\WINNT\system32\f42mlef11h2.dll
+ RunOnce | c:\winnt\system32\mdvcrt20.dll

Delete these startup entries.
Reboot.
Then try deleting c:\winnt\system32\mdvcrt20.dll; c:\winnt\q2xlyxi\command.exe; c:\winnt\svbhost.exe.
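As an added illustration of the triage the reply above does by hand (example code written for this page, not a tool from the forum or from Sysinternals), the Python below reads Autoruns-style log lines in the flattened form pasted in this thread and flags the entries a reviewer would look at first: image file missing ("File not found"), image located outside the usual install directories, and entries with no description or publisher under the highest-value persistence keys. The trusted-directory list, the set of high-value keys and the sample log (a constructed subset of the entries above) are assumptions made for this example; the script yields candidates for manual review, not verdicts.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: a subset of the Autoruns entries pasted in this thread,
# in the flattened form the forum kept (the tab separators were lost).
SAMPLE_LOG = r"""
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
+ NvCplDaemonNVIDIA Display Properties ExtensionNVIDIA Corporationc:\winnt\system32\nvcpl.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
+ fintsub.dllFile not found: C:\WINNT\system32\fintsub.dll
+ mdvcrt20.dllc:\winnt\system32\mdvcrt20.dll

HKLM\System\CurrentControlSet\Services
+ awhost32"允许主控端 pcAnywhere 用户连接到此机器。"Symantec Corporationc:\program files\symantec\pcanywhere\awhost32.exe
+ cmdServicec:\winnt\q2xlyxi\command.exe
+ network servicesc:\winnt\svbhost.exe
+ NVSvcProvides system and desktop level support to the NVIDIA display driverNVIDIA Corporationc:\winnt\system32\nvsvc32.exe
+ TimerLockFile not found: C:\WINDOWS\Slave.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
+ ModuleUsageFile not found: C:\WINNT\system32\f42mlef11h2.dll
+ RunOncec:\winnt\system32\mdvcrt20.dll
"""

# Assumptions behind the heuristics: where legitimate autostart images normally
# live on a Windows 2000 box, and which keys matter most for persistence.
TRUSTED_DIRS = (r"c:\winnt\system32", r"c:\program files")
HIGH_VALUE_KEYS = {
    r"hklm\software\microsoft\windows\currentversion\run",
    r"hklm\system\currentcontrolset\services",
    r"hklm\software\microsoft\windows nt\currentversion\winlogon\notify",
}
MISSING = "File not found: "
DRIVE_RE = re.compile(r"[A-Za-z]:\\")


@dataclass
class Finding:
    key: str          # registry location the entry was found under
    meta: str         # entry name plus whatever description/publisher text survived
    path: str         # image path as recorded by Autoruns
    reasons: list = field(default_factory=list)


def split_entry(line):
    """Split one '+ ' line into (meta, image path, missing flag).

    Tab or ' | ' separators, when present, are stripped first so the same
    drive-letter heuristic works on the raw paste and on a cleaned-up copy.
    """
    body = re.sub(r"\t|\s*\|\s*", "", line[2:].strip())
    idx = body.find(MISSING)
    if idx >= 0:
        return body[:idx], body[idx + len(MISSING):].strip(), True
    matches = list(DRIVE_RE.finditer(body))
    if not matches:
        return body, "", False
    start = matches[-1].start()   # the image path is the last drive-letter run
    return body[:start], body[start:].strip(), False


def is_trusted_dir(path):
    parent = path.rsplit("\\", 1)[0].lower() if "\\" in path else ""
    return any(parent == d or parent.startswith(d + "\\") for d in TRUSTED_DIRS)


def triage(log_text):
    """Return the entries a reviewer should look at first, with reasons."""
    findings, key = [], ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not line.startswith("+ "):
            key = line            # a non-entry line is the registry location header
            continue
        meta, path, missing = split_entry(line)
        basename = path.rsplit("\\", 1)[-1].lower()
        reasons = []
        if missing:
            reasons.append("image file missing: dangling autostart entry")
        elif not is_trusted_dir(path):
            reasons.append("image outside the expected install directories")
        if meta.lower() == basename:
            reasons.append("no description or publisher recorded")
        elif " " not in meta and key.lower() in HIGH_VALUE_KEYS:
            reasons.append("bare entry name under a high-value persistence key")
        if reasons:
            findings.append(Finding(key, meta, path, reasons))
    return findings


def flagged_images(findings):
    """Distinct image file names among the findings, for a quick read-out."""
    return {f.path.rsplit("\\", 1)[-1].lower() for f in findings}


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.path}\n  under {f.key}\n  " + "; ".join(f.reasons))
```

On the sample, the six images it flags are exactly the ones singled out in the reply above, while the NVIDIA and pcAnywhere entries pass. Fed the full log from the earlier post it would also list the undescribed drivers under Services and the components under Downloaded Program Files as candidates, which is the kind of noise that Hide Microsoft Entries plus a publisher check is meant to cut down before a human reads the rest.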

I'll try that first. Thank you.

mdvcrt20.dll cannot be deleted; it says the file is in use. command.exe and svbhost.exe: these two files can't be found, and searching didn't find them either.

Quote:
[zhang维's post] mdvcrt20.dll cannot be deleted; it says the file is in use. command.exe and svbhost.exe: these two files can't be found, and searching didn't find them either.
...........................

Did you reboot after deleting the startup entries?

Try deleting them with the Unlocker tool.
For downloading and using the tool see http://forum.ikaka.com/topic.asp?board=28&artid=7471002

Change your folder options a bit.

Attachment: image (image/pjpeg), uploaded 2006-1-23 15:35:36, 310 downloads