瑞星卡卡安全论坛

[Help] Web pages still pop up automatically even when offline
txz2 - 2005-10-3 6:36:00
After the browser connects to the Internet, a file named 2.txt is created in the IE temporary files folder. Opened in another window, its contents are:
800,600,http://18ol.21vod.cn/quanpin5.htm?id18=1831
800,600,http://www.smsday.com/adjs/reg.asp?unionid=3031
800,600,http://tl.bestlm.net/adnewslm/sms.php?partner_id=sw88_angly
800,600,http://code.dudusms.com/39.htm?userid=959
800,600,http://mlink.counter.dudu.com:8080/audit?a=5&b=2076&c=1240&d=1477&e=18&g=&f=
800,600,http://mlink.counter.dudu.com:8080/audit?a=5&b=2076&c=1240&d=1477&e=60&g=&f=
The address bar shows: http://v2.okunion.com/2.txt
For some time afterwards, the sites listed above pop up automatically in IE windows at irregular intervals, even when offline.
Adding them to the Restricted Sites zone has no effect, and neither does editing the registry.

命运里の金色 - 2005-10-3 8:13:00
Scan with HijackThis and post the log here.
txz2 - 2005-10-3 14:29:00
当前运行的进程:         
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\KAV2005\KWatch.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\KAV2005\KPfwSvc.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S3hotkey.exe
C:\WINDOWS\VM_STI.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\BitComet\BitComet.exe
C:\Program Files\Tencent\TT\TTraveler.exe
C:\Program Files\Tencent\QQ\QQ.exe
C:\Program Files\Tencent\QQ\TIMPlatform.exe
C:\hj\HijackThis1991汉化版\HijackThis1991zww.exe

O2 - BHO: ThunderIEHelper Class - {0005A87D-D626-4B3A-84F9-1D9571695F55} - C:\WINDOWS\System32\xunleibho_v5.dll
O2 - BHO: QQIEHelper - {54EBD53A-9BC1-480B-966A-843A333CA162} - C:\Program Files\Tencent\QQ\QQIEHelper.dll
O3 - IE工具栏增项: BitCometBar - {3F1ABCDB-A875-46c1-8345-B72A4567E486} - C:\Program Files\BitComet\BitCometBar\BitCometBar0.2.dll
O4 - 启动项HKLM\\Run: [S3hotkey] S3hotkey.exe
O4 - 启动项HKLM\\Run: [VTTimer] VTTimer.exe
O4 - 启动项HKLM\\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE VIMICRO USB PC Camera 301x
O4 - 启动项HKLM\\Run: [internat.exe] internat.exe
O4 - 启动项HKLM\\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O8 - IE右键菜单中的新增项目: 上传到QQ网络硬盘 - C:\Program Files\Tencent\QQ\AddToNetDisk.htm
O8 - IE右键菜单中的新增项目: 添加到QQ自定义面板 - C:\Program Files\Tencent\QQ\AddPanel.htm
O8 - IE右键菜单中的新增项目: 添加到QQ表情 - C:\Program Files\Tencent\QQ\AddEmotion.htm
O8 - IE右键菜单中的新增项目: 用QQ彩信发送该图片 - C:\Program Files\Tencent\QQ\SendMMS.htm
O17 - HKLM\System\CCS\Services\Tcpip\..\{7FBA1218-81B5-416B-9318-39F86F78D234}: NameServer = 192.168.1.1
O23 - NT 服务: Kingsoft Personal Firewall Service (KPfwSvc) - Kingsoft Corporation - C:\KAV2005\KPfwSvc.EXE
O23 - NT 服务: Kingsoft Antivirus KWatch Service (KWatchSvc) - Kingsoft Corporation - C:\KAV2005\KWatch.EXE

命运里の金色 - 2005-10-3 14:36:00
What is this entry? O4 - 启动项HKLM\\Run: [S3hotkey] S3hotkey.exe
txz2 - 2005-10-3 14:38:00
I'm using a VIA C3; that one is unrelated.
命运里の金色 - 2005-10-3 14:40:00
I can't see a problem in the log; I'll ask a moderator to help you.
花落花又开 - 2005-10-3 14:44:00
[Reply to txz2's post] Try clearing the IE cache.

Start -- Control Panel -- Internet Options -- Delete Files -- Delete all offline content
txz2 - 2005-10-3 14:56:00
Process name    PID  Process path         Description  Company
s3hotkey.exe    488  c:\windows\system32  s3hotkey     S3 Graphics, Inc.

Modules loaded by the process  Module path
ntdll.dll      c:\windows\system32
kernel.dll              (same path for all below)
user32.dll
gdi32.dll
advapi32.dll
rpcrt4.dll
imm32.dll
lpk.dll
usp10.dll
uxtheme.dll
msvcrt.dll
msctfime.ime
ole32.dll
msctf.dll
txz2 - 2005-10-3 15:01:00
Quote:
[花落花又开's post] [Reply to txz2's post] Try clearing the IE cache.

Start -- Control Panel -- Internet Options -- Delete Files -- Delete all offline content
...........................

Heh, after deleting it and connecting to the Internet again, 2.txt is generated again just the same.
And I've noticed the file is not created in the temporary folder right away; it seems to be generated automatically after browsing for a while.
baohe - 2005-10-3 15:02:00
[Reply to txz2's post]
Nothing abnormal in the log.
txz2 - 2005-10-3 15:18:00
Frustrating; I can always find this file in the temporary folder.
It's generated automatically after browsing for a while.
What should I do?
命运里の金色 - 2005-10-3 15:30:00
There is a hosts file in C:\WINDOWS\system32\drivers\etc; you can open it in Notepad and add those sites there, which should stop them popping up.
命运里の金色 - 2005-10-3 15:35:00
Add entries like this:
127.0.0.1 http://v2.okunion.com/2.txt
and so on for the rest; it's a last-resort workaround.
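As an added example (not code from the thread), here is how a defender would turn a "width,height,URL" pop-up list like the 2.txt quoted above into hosts-file entries. It assumes the hosts file takes bare hostnames (one "IP hostname" pair per line), so it strips scheme, port, path and query from each URL, and it skips malformed lines. The six sample lines are the ones quoted in the first post.

```python
"""Turn a "width,height,URL" pop-up list (the format of the 2.txt seen in
the thread) into hosts-file block entries.  Added example, not from the
thread; assumes hosts-file entries take bare hostnames, never full URLs."""
from urllib.parse import urlsplit

# Sample input: the six lines quoted from the thread's 2.txt.
SAMPLE_LIST = """\
800,600,http://18ol.21vod.cn/quanpin5.htm?id18=1831
800,600,http://www.smsday.com/adjs/reg.asp?unionid=3031
800,600,http://tl.bestlm.net/adnewslm/sms.php?partner_id=sw88_angly
800,600,http://code.dudusms.com/39.htm?userid=959
800,600,http://mlink.counter.dudu.com:8080/audit?a=5&b=2076&c=1240&d=1477&e=18&g=&f=
800,600,http://mlink.counter.dudu.com:8080/audit?a=5&b=2076&c=1240&d=1477&e=60&g=&f=
"""


def parse_popup_list(text):
    """Return [(width, height, url)] for each well-formed line; skip junk."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split(",", 2)  # the URL itself may contain commas
        if len(parts) != 3:
            continue
        width, height, url = parts
        if not (width.isdigit() and height.isdigit()):
            continue
        if not url.lower().startswith(("http://", "https://")):
            continue
        entries.append((int(width), int(height), url))
    return entries


def hostnames(entries):
    """Distinct hostnames (port and path stripped), in first-seen order."""
    seen = []
    for _, _, url in entries:
        host = urlsplit(url).hostname
        if host and host not in seen:
            seen.append(host)
    return seen


def hosts_entries(entries, sink="127.0.0.1"):
    """hosts-file lines.  Each must be 'IP hostname'; a URL such as
    'http://v2.okunion.com/2.txt' on a hosts line is not a valid entry."""
    return [f"{sink} {host}" for host in hostnames(entries)]


if __name__ == "__main__":
    for line in hosts_entries(parse_popup_list(SAMPLE_LIST)):
        print(line)
```

Note that a hosts entry only stops the browser from resolving those names; it does nothing about whatever component keeps writing 2.txt, which is why the later posts in the thread move on to looking for the file that generates it.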
txz2 - 2005-10-3 15:51:00
Do you mean the lmhosts.sam file? Its contents are below; how do I add entries?
What I mainly want to know is how to stop 2.txt from being generated automatically.
Why are the pages that pop up automatically all URLs from 2.txt?
命运, connect and take a look at http://v2.okunion.com/2.txt.
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample LMHOSTS file used by the Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to computernames
# (NetBIOS) names.  Each entry should be kept on an individual line.
# The IP address should be placed in the first column followed by the
# corresponding computername. The address and the computername
# should be separated by at least one space or tab. The "#" character
# is generally used to denote the start of a comment (see the exceptions
# below).
#
# This file is compatible with Microsoft LAN Manager 2.x TCP/IP lmhosts
# files and offers the following extensions:
#
#      #PRE
#      #DOM:<domain>
#      #INCLUDE <filename>
#      #BEGIN_ALTERNATE
#      #END_ALTERNATE
#      \0xnn (non-printing character support)
#
# Following any entry in the file with the characters "#PRE" will cause
# the entry to be preloaded into the name cache. By default, entries are
# not preloaded, but are parsed only after dynamic name resolution fails.
#
# Following an entry with the "#DOM:<domain>" tag will associate the
# entry with the domain specified by <domain>. This affects how the
# browser and logon services behave in TCP/IP environments. To preload
# the host name associated with #DOM entry, it is necessary to also add a
# #PRE to the line. The <domain> is always preloaded although it will not
# be shown when the name cache is viewed.
#
# Specifying "#INCLUDE <filename>" will force the RFC NetBIOS (NBT)
# software to seek the specified <filename> and parse it as if it were
# local. <filename> is generally a UNC-based name, allowing a
# centralized lmhosts file to be maintained on a server.
# It is ALWAYS necessary to provide a mapping for the IP address of the
# server prior to the #INCLUDE. This mapping must use the #PRE directive.
# In addtion the share "public" in the example below must be in the
# LanManServer list of "NullSessionShares" in order for client machines to
# be able to read the lmhosts file successfully. This key is under
# \machine\system\currentcontrolset\services\lanmanserver\parameters\nullsessionshares
# in the registry. Simply add "public" to the list found there.
#
# The #BEGIN_ and #END_ALTERNATE keywords allow multiple #INCLUDE
# statements to be grouped together. Any single successful include
# will cause the group to succeed.
#
# Finally, non-printing characters can be embedded in mappings by
# first surrounding the NetBIOS name in quotations, then using the
# \0xnn notation to specify a hex value for a non-printing character.
#
# The following example illustrates all of these extensions:
#
# 102.54.94.97    rhino        #PRE #DOM:networking  #net group's DC
# 102.54.94.102    "appname  \0x14"                    #special app server
# 102.54.94.123    popular            #PRE            #source server
# 102.54.94.117    localsrv          #PRE            #needed for the include
#
# #BEGIN_ALTERNATE
# #INCLUDE \\localsrv\public\lmhosts
# #INCLUDE \\rhino\public\lmhosts
# #END_ALTERNATE
#
# In the above example, the "appname" server contains a special
# character in its name, the "popular" and "localsrv" server names are
# preloaded, and the "rhino" server name is specified so it can be used
# to later #INCLUDE a centrally maintained lmhosts file if the "localsrv"
# system is unavailable.
#
# Note that the whole file is parsed including comments on each lookup,
# so keeping the number of comments to a minimum will improve performance.
# Therefore it is not advisable to simply add lmhosts file entries onto the
# end of this file.

命运里の金色 - 2005-10-3 15:56:00
No, the hosts file. What OS are you on?
txz2 - 2005-10-3 15:59:00
XP SP1
命运里の金色 - 2005-10-3 16:08:00
Then you should have that file.
传说中的宝贝 - 2005-10-3 16:13:00
It may be a virus variant. Please search windows\system32\ for .dat files (for example host.dat); there should be a dozen or so of them. After the search, open each one in Notepad and see whether it contains the malicious sites you mentioned. If it does, you can follow the trail to the related DLL file and delete those files. This approach is a bit of a hassle, but give it a try.
txz2 - 2005-10-3 20:07:00
Ugh, after deleting the .dat a 1.txt appeared, and this time the pop-up is http://okww.net
What tool can fix this?
命运里の金色 - 2005-10-3 20:27:00
Try deleting the .dat once more.
txz2 - 2005-10-5 20:38:00
Still no good!!!
Is there a dedicated removal tool?
命运里の金色 - 2005-10-5 21:13:00
[Reply to txz2's post] There's no dedicated removal tool; send a private message to baohe and ask.
chinagood - 2005-10-5 21:32:00
Find an expert to look at the source code of those sites.
Also try the browser hijacking forum.
コナン忆竹 - 2005-10-5 21:47:00
Try clearing the IE cache.

Start -- Control Panel -- Internet Options -- Delete Files -- Delete all offline content

-----------------------------------------------------------

Then, there is a hosts file in C:\WINDOWS\system32\drivers\etc; open it in Notepad and add those sites there, which should stop them popping up.
传说中的宝贝 - 2005-10-5 21:50:00
Quote:
[txz2's post] Ugh, after deleting the .dat a 1.txt appeared, and this time the pop-up is http://okww.net
What tool can fix this?
...........................

Deleting just the .dat file won't do; you have to find the related .dll file and delete it. The .dat is only a record of URLs; the real culprit is the related .dll file. Otherwise, the next time IE starts, the .dll goes to work again and regenerates the .dat.

Sorry, I don't know much about dynamic-link libraries since I'm still a student. Better to ask the moderators.
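The ".dat search" step suggested earlier (look through windows\system32 for .dat files that mention the pop-up sites) and the point made just above (the .dat is only a URL record, so a hit is the start of the trail, not the end) can be done with a small triage script. This is an added example, not a tool from the thread; the directory it scans and the file contents are constructed here so it runs offline, and the hostnames are the ones quoted in the thread.

```python
"""Triage helper for the thread's ".dat search" step: walk a directory, open
every .dat file as bytes and report which ones mention known pop-up
hostnames.  Added example, not the thread's own tool; the directory and
file contents are constructed here so it runs offline."""
import os
import tempfile

# Hostnames taken from the URLs quoted in the thread.
BAD_HOSTS = ["v2.okunion.com", "18ol.21vod.cn", "www.smsday.com", "okww.net"]


def scan_dat_files(root, bad_hosts=BAD_HOSTS, suffix=".dat"):
    """Return {relative_path: [matched hostnames]} for files under root whose
    name ends with suffix and whose raw bytes contain any bad hostname.
    Files are read as bytes so a GBK or binary payload never fails to decode;
    the hostnames are ASCII, so a plain byte search finds them in any
    8-bit encoding."""
    needles = [host.encode("ascii") for host in bad_hosts]
    hits = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(suffix):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # locked or unreadable: skip rather than abort
            found = [host for host, needle in zip(bad_hosts, needles)
                     if needle in data]
            if found:
                hits[os.path.relpath(path, root)] = found
    return hits


def build_sample_tree():
    """Constructed stand-in for windows\\system32: one adware-style .dat
    holding a URL list, one benign binary .dat, and a .txt that must be
    ignored because only .dat files are in scope."""
    root = tempfile.mkdtemp(prefix="dat_scan_")
    with open(os.path.join(root, "host.dat"), "wb") as fh:
        fh.write(b"800,600,http://18ol.21vod.cn/quanpin5.htm?id18=1831\r\n"
                 b"800,600,http://www.smsday.com/adjs/reg.asp?unionid=3031\r\n")
    with open(os.path.join(root, "benign.dat"), "wb") as fh:
        fh.write(bytes(range(256)))  # arbitrary binary, no hostnames
    with open(os.path.join(root, "2.txt"), "wb") as fh:
        fh.write(b"http://okww.net\r\n")  # wrong suffix, so not scanned
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for path, hosts in sorted(scan_dat_files(sample_root).items()):
        print(f"{path}: {', '.join(hosts)}")
```

A hit tells you which file holds the URL list, which is exactly the record the post above says gets regenerated; the next question is what writes it, so the natural follow-up is to check which loaded module (for example the O2 BHO entries in the HijackThis log) references that file, rather than deleting the .dat on its own.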
