很郁闷的中了一项t很神奇的病毒表面症状是在网络开启时，会打开一个网页，似乎是一种adware

用netstat可以看到它有连到一个外部host
TCP ... 220.78.121.35:10009 ESTABLISHED

telnet到那个host上，看到似乎是个IRC server:
:irc.suck6.com NOTICE AUTH :*** Looking up your hostname...
:irc.suck6.com NOTICE AUTH :*** Found your hostname

在注册表里，找到
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
NAVSCANNER32=“NAVSCANNER32.EXE"

马上要讲到神奇的地方了，那个“NAVSCANNER32.EXE"可以用command prompt运行起来，可是偶搜索了整个硬盘，竟怎么也找不到这个文件，google上也查不到任何关于这个神奇的文件的信息。。。

所以这个病毒仍然留在偶的电脑里除不去。另外，偶的norton antivirus一直开着，它也没讲过什么。。。

真的被它打败了

[快快跑 (6-16 2:42, Long long ago)] [ 传统版 | sForum ][登录后回复]1楼

Maybe some forensic analysis will help you for this case. For example,1) Since you can see it in netstat, check the port which it is using .. then you can use TCP view to check which process is using the port.
http://www.sysinternals.com/ntw2k/utilities.shtml

2) you can also use pstools to check process, trace dlls info on your system.
http://www.sysinternals.com/ntw2k/freeware/pstools.shtml[Rick (6-16 7:52, Long long ago)] [ 传统版 | sForum ][登录后回复]2楼

which navscanner32[Flying (6-16 9:38, Long long ago)] [ 传统版 | sForum ][登录后回复]3楼

(引用 Flying:which navscanner32)BTW, 'which' is assuming cygwin.In any case, you may try a package called Rootkit Detector, which bypasses some system API to expose the truth in your system.[Flying (6-16 9:52, Long long ago)] [ 传统版 | sForum ][登录后回复]4楼

(引用 Rick:Maybe some forensic analysis will help you for this case. For example,1) Since you can see it in netstat, check the port which i ...)3x, will try[快快跑 (6-16 15:46, Long long ago)] [ 传统版 | sForum ][登录后回复]5楼