Rising Kaka Security Forum, Technical Exchange Area, Anti-virus / Anti-rogue-software Forum

[Help] Experts, please help me analyze my logs (there are 2); thanks in advance

My IE pops up a web page, http://web.9983.com/, about once an hour, even when the connection is down. I scanned with HijackThis and got the following log:
Logfile of HijackThis v1.99.1
Scan saved at 10:17:18, on 2005-10-9
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
G:\WINNT\System32\smss.exe
G:\WINNT\system32\csrss.exe
G:\WINNT\system32\winlogon.exe
G:\WINNT\system32\services.exe
G:\WINNT\system32\lsass.exe
G:\KAV2005\KWatch.EXE
G:\WINNT\system32\svchost.exe
G:\WINNT\system32\spoolsv.exe
G:\WINNT\System32\svchost.exe
G:\KAV2005\KPfwSvc.EXE
G:\WINNT\System32\nvsvc32.exe
G:\WINNT\system32\regsvc.exe
G:\WINNT\system32\MSTask.exe
G:\WINNT\system32\stisvc.exe
G:\WINNT\System32\WBEM\WinMgmt.exe
G:\WINNT\system32\svchost.exe
G:\WINNT\Explorer.EXE
G:\WINNT\system32\rundll32.exe
G:\KAV2005\KAVStart.exe
G:\Program Files\SkyNet\FireWall\PFW.exe
G:\WINNT\System32\internat.exe
G:\KAV2005\KAVPFW.EXE
G:\KAV2005\KMailMon.EXE
G:\WINNT\System32\wuauclt.exe
G:\Program Files\HelloNet\HNMainUI.exe
G:\Program Files\Windows Media Player\wmplayer.exe
G:\Program Files\Tencent\QQ\QQ.exe
G:\Program Files\Tencent\QQ\TIMPlatform.exe
G:\Program Files\Tencent\QQ\QQ.exe
E:\MYIE2豪华版\MyIE.exe
D:\扫描\HijackThis.exe

R3 - Default URLSearchHook is missing
O2 - BHO: KAVIEHelper Class - {1B2F92A1-CDAF-4511-9382-91E3F5CE0880} - G:\Program Files\KOS\KOSIEBar.dll
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)
O3 - Toolbar: 金山毒霸安全助手 - {EF72500A-C234-46C4-BF0A-9AA6913DDF34} - G:\Program Files\KOS\KOSIEBar.dll
O4 - HKLM\..\Run: [helper.dll] G:\WINNT\system32\rundll32.exe G:\PROGRA~1\3721\helper.dll,Rundll32
O4 - HKLM\..\Run: [KavStart] "G:\KAV2005\KAVStart.exe" -startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE G:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SKYNET Personal FireWall] G:\Program Files\SkyNet\FireWall\PFW.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [Internat.exe] internat.exe
O4 - HKCU\..\Run: [KavPFW] "G:\KAV2005\KAVPFW.EXE"
O4 - Global Startup: microsoft office.lnk = G:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item:  >> 彩信发送 << - res://G:\PROGRA~1\MMSASS~1\MMSASS~1.DLL/mms.htm
O8 - Extra context menu item: 使用网际快车下载 - E:\FlashGet1.60\jc_link.htm
O8 - Extra context menu item: 使用网际快车下载全部链接 - E:\FlashGet1.60\jc_all.htm
O14 - IERESET.INF: SEARCH_PAGE_URL=
O14 - IERESET.INF: START_PAGE_URL=
O17 - HKLM\System\CCS\Services\Tcpip\..\{F3A226A9-E059-489F-B867-14AE8A232E7A}: NameServer = 221.7.128.68 221.7.136.68
O18 - Protocol: koboo - {7DEE9D05-FA0A-4416-A6F3-6537D0EAB6A6} - G:\WINNT\System32\mbprot.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - G:\WINNT\System32\dmadmin.exe
O23 - Service: Kingsoft Personal Firewall Service (KPfwSvc) - Kingsoft Corporation - G:\KAV2005\KPfwSvc.EXE
O23 - Service: Kingsoft Antivirus KWatch Service (KWatchSvc) - Kingsoft Corporation - G:\KAV2005\KWatch.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - G:\WINNT\System32\nvsvc32.exe
O23 - Service: Windows Audio Services (winAudSer) - Unknown owner - G:\WINNT\System32\Winms.exe

Afterwards I fixed all three items in the O6 group and scanned again, which gave the following log:
Logfile of HijackThis v1.99.1
Scan saved at 11:13:40, on 2005-10-9
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
G:\WINNT\System32\smss.exe
G:\WINNT\system32\csrss.exe
G:\WINNT\system32\winlogon.exe
G:\WINNT\system32\services.exe
G:\WINNT\system32\lsass.exe
G:\KAV2005\KWatch.EXE
G:\WINNT\system32\svchost.exe
G:\WINNT\system32\spoolsv.exe
G:\WINNT\System32\svchost.exe
G:\KAV2005\KPfwSvc.EXE
G:\WINNT\System32\nvsvc32.exe
G:\WINNT\system32\regsvc.exe
G:\WINNT\system32\MSTask.exe
G:\WINNT\system32\stisvc.exe
G:\WINNT\System32\WBEM\WinMgmt.exe
G:\WINNT\system32\svchost.exe
G:\WINNT\Explorer.EXE
G:\WINNT\system32\rundll32.exe
G:\KAV2005\KAVStart.exe
G:\Program Files\SkyNet\FireWall\PFW.exe
G:\WINNT\System32\internat.exe
G:\KAV2005\KAVPFW.EXE
G:\KAV2005\KMailMon.EXE
G:\WINNT\System32\wuauclt.exe
G:\Program Files\HelloNet\HNMainUI.exe
G:\Program Files\Windows Media Player\wmplayer.exe
G:\Program Files\Tencent\QQ\QQ.exe
G:\Program Files\Tencent\QQ\TIMPlatform.exe
G:\Program Files\Tencent\QQ\QQ.exe
E:\MYIE2豪华版\MyIE.exe
D:\扫描\HijackThis.exe
G:\WINNT\NOTEPAD.EXE
E:\MYIE2豪华版\MyIE.exe
G:\WINNT\NOTEPAD.EXE

R3 - Default URLSearchHook is missing
O2 - BHO: KAVIEHelper Class - {1B2F92A1-CDAF-4511-9382-91E3F5CE0880} - G:\Program Files\KOS\KOSIEBar.dll
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)
O3 - Toolbar: 金山毒霸安全助手 - {EF72500A-C234-46C4-BF0A-9AA6913DDF34} - G:\Program Files\KOS\KOSIEBar.dll
O4 - HKLM\..\Run: [helper.dll] G:\WINNT\system32\rundll32.exe G:\PROGRA~1\3721\helper.dll,Rundll32
O4 - HKLM\..\Run: [KavStart] "G:\KAV2005\KAVStart.exe" -startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE G:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SKYNET Personal FireWall] G:\Program Files\SkyNet\FireWall\PFW.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [Internat.exe] internat.exe
O4 - HKCU\..\Run: [KavPFW] "G:\KAV2005\KAVPFW.EXE"
O4 - Global Startup: microsoft office.lnk = G:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item:  >> 彩信发送 << - res://G:\PROGRA~1\MMSASS~1\MMSASS~1.DLL/mms.htm
O8 - Extra context menu item: 使用网际快车下载 - E:\FlashGet1.60\jc_link.htm
O8 - Extra context menu item: 使用网际快车下载全部链接 - E:\FlashGet1.60\jc_all.htm
O14 - IERESET.INF: SEARCH_PAGE_URL=
O14 - IERESET.INF: START_PAGE_URL=
O17 - HKLM\System\CCS\Services\Tcpip\..\{F3A226A9-E059-489F-B867-14AE8A232E7A}: NameServer = 221.7.128.68 221.7.136.68
O18 - Protocol: about - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - G:\WINNT\System32\mshtml.dll
O18 - Protocol: cdl - {3DD53D40-7B8B-11D0-B013-00AA0059CE02} - G:\WINNT\system32\urlmon.dll
O18 - Protocol: file - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - G:\WINNT\system32\urlmon.dll
O18 - Protocol: ftp - {79EAC9E3-BAF9-11CE-8C82-00AA004BA90B} - G:\WINNT\system32\urlmon.dll
O18 - Protocol: gopher - {79EAC9E4-BAF9-11CE-8C82-00AA004BA90B} - G:\WINNT\system32\urlmon.dll
O18 - Protocol: http - {79EAC9E2-BAF9-11CE-8C82-00AA004BA90B} - G:\WINNT\system32\urlmon.dll
O18 - Protocol: https - {79EAC9E5-BAF9-11CE-8C82-00AA004BA90B} - G:\WINNT\system32\urlmon.dll
O18 - Protocol: ic32pp - {BBCA9F81-8F4F-11D2-90FF-0080C83D3571} - G:\WINNT\wc98pp.dll
O18 - Protocol: ipp - (no CLSID) - (no file)
O18 - Protocol: its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - G:\WINNT\System32\itss.dll
O18 - Protocol: javascript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - G:\WINNT\System32\mshtml.dll
O18 - Protocol: koboo - {7DEE9D05-FA0A-4416-A6F3-6537D0EAB6A6} - G:\WINNT\System32\mbprot.dll
O18 - Protocol: local - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - G:\WINNT\system32\urlmon.dll
O18 - Protocol: mailto - {3050F3DA-98B5-11CF-BB82-00AA00BDCE0B} - G:\WINNT\System32\mshtml.dll
O18 - Protocol: mhtml - {05300401-BCBC-11D0-85E3-00C04FD85AB4} - G:\WINNT\System32\inetcomm.dll
O18 - Protocol: mk - {79EAC9E6-BAF9-11CE-8C82-00AA004BA90B} - G:\WINNT\system32\urlmon.dll
O18 - Protocol: ms-its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - G:\WINNT\System32\itss.dll
O18 - Protocol: msdaipp - (no CLSID) - (no file)
O18 - Protocol: res - {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - G:\WINNT\System32\mshtml.dll
O18 - Protocol: sysimage - {76E67A63-06E9-11D2-A840-006008059382} - G:\WINNT\System32\mshtml.dll
O18 - Protocol: vbscript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - G:\WINNT\System32\mshtml.dll
O18 - Protocol: vnd.ms.radio - {3DA2AA3B-3D96-11D2-9BD2-204C4F4F5020} - G:\WINNT\System32\msdxm.ocx
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - G:\WINNT\System32\dmadmin.exe
O23 - Service: Kingsoft Personal Firewall Service (KPfwSvc) - Kingsoft Corporation - G:\KAV2005\KPfwSvc.EXE
O23 - Service: Kingsoft Antivirus KWatch Service (KWatchSvc) - Kingsoft Corporation - G:\KAV2005\KWatch.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - G:\WINNT\System32\nvsvc32.exe
O23 - Service: Windows Audio Services (winAudSer) - Unknown owner - G:\WINNT\System32\Winms.exe

Now I have no idea what is going on; I'm in a muddle... Please help, everyone! Thanks.
Last edited 2005-10-09 13:05:31

Already deleted, thanks. But there is still a 3721 folder under the system drive's \Program File\ that cannot be deleted; it says the source file is in use.
I looked at the hosts file on my system drive at \WINNT\system32\driver\etc\hosts; opened in Notepad, it contains the following:
127.0.0.1    aifind.info
127.0.0.1    allsearcher.info
127.0.0.1    cadabra.biz
127.0.0.1    ehttp.cc
127.0.0.1    freednshost.info
127.0.0.1    i-lookup.com
127.0.0.1    searchpage.cc
127.0.0.1    web.9983.com
127.0.0.1    www.joyiex.com
127.0.0.1    www.mj2005.com
127.0.0.1    www.mydj2005.com
127.0.0.1    www.nkvd.us
127.0.0.1    www.smart-finder.biz
127.0.0.1    www.xfreehosting.com
127.0.0.1    www.xxx166.com
It may help with the analysis; sorry to trouble everyone.
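The two artefacts posted in this thread, a HijackThis log and a hosts file, can be triaged mechanically. The Python below is an added example written for this page; it is not code from the forum, from HijackThis or from the moderator's reply. It works on a constructed sample made of a few lines copied from the logs and the hosts file above, flags the entry types a first-pass reviewer looks at (an R3 hook reported missing, an O4 entry where rundll32 loads a DLL from outside the Windows directory, O6 policy restrictions, O23 services listed with "Unknown owner"), and looks up the popup domain in the hosts file to show whether it is already mapped to 127.0.0.1. The `system_root` default of `G:\WINNT` is taken from the log; the flagging rules are this example's own heuristics, not anything HijackThis itself applies.

```python
import re

# Constructed sample input: lines copied from the HijackThis log and the hosts
# file posted in this thread, trimmed to the entries the triage below inspects.
HJT_LOG = r"""
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [helper.dll] G:\WINNT\system32\rundll32.exe G:\PROGRA~1\3721\helper.dll,Rundll32
O4 - HKLM\..\Run: [KavStart] "G:\KAV2005\KAVStart.exe" -startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE G:\WINNT\System32\NvCpl.dll,NvStartup
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - G:\WINNT\System32\nvsvc32.exe
O23 - Service: Windows Audio Services (winAudSer) - Unknown owner - G:\WINNT\System32\Winms.exe
"""

HOSTS_FILE = """
127.0.0.1    aifind.info
127.0.0.1    web.9983.com
127.0.0.1    www.xxx166.com
"""

# Every HijackThis finding line starts with a section code such as R3, O4 or O23.
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")


def parse_hjt(text):
    """Split a HijackThis log into (section, body) pairs.

    Header lines and the running-process list do not match ENTRY_RE and are skipped.
    """
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def triage(entries, system_root=r"G:\WINNT"):
    """Return human-readable findings for the entry types a first-pass review checks.

    The rules are this example's heuristics (assumption), chosen to match what the
    log in this thread shows; they are not HijackThis's own verdicts.
    """
    findings = []
    root = system_root.lower()
    for section, body in entries:
        if section == "R3" and "missing" in body:
            findings.append("R3: URLSearchHook missing (worth restoring, harmless on its own)")
        elif section == "O4" and "rundll32" in body.lower():
            # rundll32 is a legitimate host process; what matters is which DLL it
            # loads and whether that DLL lives under the Windows directory.
            m = re.search(r"rundll32(?:\.exe)?\s+(?P<dll>.+?\.dll)", body, re.IGNORECASE)
            if m and not m.group("dll").lower().startswith(root):
                findings.append(f"O4: rundll32 loads a DLL outside {system_root}: {m.group('dll')}")
        elif section == "O6":
            findings.append("O6: IE policy restriction present: " + body)
        elif section == "O23" and "Unknown owner" in body:
            name = re.search(r"\((?P<svc>[^)]+)\)", body)
            svc = name.group("svc") if name else body
            findings.append(f"O23: service with no vendor information: {svc}")
    return findings


def hosts_lookup(hosts_text, domain):
    """Return the address a hosts file maps `domain` to, or None if it is not listed."""
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if domain.lower() in (p.lower() for p in parts[1:]):
            return parts[0]
    return None


if __name__ == "__main__":
    for finding in triage(parse_hjt(HJT_LOG)):
        print(finding)
    print("web.9983.com ->", hosts_lookup(HOSTS_FILE, "web.9983.com"))
```

On the sample above the triage reports four items: the missing R3 hook, the O4 entry loading helper.dll from G:\PROGRA~1\3721, the O6 restriction, and the winAudSer service with no vendor information; the NVIDIA entries pass because their DLL and service binary sit under G:\WINNT with a named vendor. The hosts lookup shows web.9983.com already resolving to 127.0.0.1, which tells the reviewer the popup is being launched by something on the machine rather than reached through normal browsing.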
Got it, thanks moderator, I'll go and try it right away.
Problem solved, thanks moderator, much appreciated~~