瑞星卡卡安全论坛

最近公司一台电脑无缘无故的自己安装一些软件和自动弹出一些网站，还有右下角购物小网站的窗口，附上SRENG报告，请大虾帮忙看下

附件: SREngLOG.log

下面这些都是些什么软件呢？

我就懒得去搜索了，你自己翻找看看吧

启动项目
注册表
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    <\\服装1\EPSON ME Office 70><C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIEEC.EXE /FU "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\E_S9.tmp" /EF "HKCU">  [File is missing]
    <EPSON ME Office 70><C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIEEC.EXE /FU "C:\WINDOWS\TEMP\E_SB3.tmp" /EF "HKCU">  [File is missing]
    <\\包袋1\EPSON ME Office 70><C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIEEC.EXE /FU "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\E_SF8.tmp" /EF "HKCU">  [File is missing]
    <\\财务1\EPSON ME Office 70><C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIEEC.EXE /FU "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\E_S667.tmp" /EF "HKCU">  [File is missing]

==================================
服务
[EPSON V5 Service4(01) / EPSON_EB_RPCV4_01][Running/Auto Start]
  <C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40ST7.EXE><SEIKO EPSON CORPORATION>

[EPSON V3 Service4(01) / EPSON_PM_RPCV4_01][Running/Auto Start]
  <C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE><SEIKO EPSON CORPORATION>

[jyueservice / jyueservice][Stopped/Auto Start]
  <C:\Documents and Settings\Administrator\Local Settings\Application Data\jyrili\jyriliapp\jyueservice.exe><(File is missing)>

[MANC / MANC][Running/Auto Start]
  <C:\WINDOWS\system32\MANC.exe><N/A>
==================================
正在运行的进程
[PID: 1320 / SYSTEM][c:\windows\system32\msres\svchost.exe]  [, 5, 0, 0, 1]

[PID: 1392 / SYSTEM][C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40ST7.EXE]  [SEIKO EPSON CORPORATION, 4.00]

[PID: 1460 / SYSTEM][C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE]  [SEIKO EPSON CORPORATION, 4.02]

[PID: 1488 / SYSTEM][C:\WINDOWS\system32\MANC.exe]  [N/A, ]

[PID: 196 / SYSTEM][C:\WINDOWS\system32\msres\sysaid.exe]  [, 5, 0, 0, 1]
    [C:\WINDOWS\system32\uxtheme.dll]  [Microsoft Corporation, 6.00.2900.5512 (xpsp.080413-2105)]
    [C:\WINDOWS\system32\msctfime.ime]  [Microsoft Corporation, 5.1.2600.5768 (xpsp_sp3_gdr.090226-1442)]
    [C:\WINDOWS\system32\MsgTrack.dll]  [, 1, 0, 2, 104]
    [C:\WINDOWS\system32\msres\YTFunDll32.dll]  [TODO: <公司名>, 1.0.0.1]

==================================
计划任务
[已启用] jyueUpate.job
        C:\WINDOWS\system32\net.exe
[已禁用] WpsUpdateTask_Administrator.job
        C:\Documents and Settings\Administrator\Local Settings\Application Data\Kingsoft\WPS Office\9.1.0.5133\wtoolex\wpsupdate.exe
[已禁用] WpsNotifyTask_Administrator.job
        C:\Documents and Settings\Administrator\Local Settings\Application Data\Kingsoft\WPS Office\9.1.0.5108\wtoolex\wpsnotify.exe

启动项目
注册表
那些是爱普生打印机的文件
服务前两个是爱普生打印机的
[jyueservice / jyueservice][Stopped/Auto Start]
  <C:\Documents and Settings\Administrator\Local Settings\Application Data\jyrili\jyriliapp\jyueservice.exe><(File is missing)> 这个有问题
<C:\WINDOWS\system32\MANC.exe><N/A> 这个是监控类的文件
进程这个应该有很多问题PID: 1320 / SYSTEM][c:\windows\system32\msres\svchost.exe]  [, 5, 0, 0, 1]
后面两个是爱普生打印机的
[PID: 1488 / SYSTEM][C:\WINDOWS\system32\MANC.exe]  [N/A, ]
[PID: 196 / SYSTEM][C:\WINDOWS\system32\msres\sysaid.exe]  [, 5, 0, 0, 1]
这两个应该是监控类的文件

金山的防御：
系统防御日志 如下:
[2015-08-14 10:47:22]
说明:写注册表
操作:已拒绝并结束程序
进程:C:\WINDOWS\explorer.exe
注册表位置:HKEY_USERS\S-1-5-21-789336058-1500820517-1801674531-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
注册表项名:B3D70C08B4B5935CFB41873D3BCA44E1
注册表内容:"C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\Tmp\QiJi_D33_1.exe"
操作文件 MD5:9eb867933136ad37eaf7f2ecb97e3a4d
[2015-08-14 10:47:19]
说明:写注册表
操作:已拒绝并结束程序
进程:C:\WINDOWS\explorer.exe
注册表位置:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

注册表项名:B3D70C08B4B5935CFB41873D3BCA44E1
注册表内容:"C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\Tmp\QiJi_D33_1.exe"
操作文件 MD5:9eb867933136ad37eaf7f2ecb97e3a4d
[2015-08-14 10:46:07]
说明:写注册表
操作:已拒绝并结束程序
进程:C:\WINDOWS\explorer.exe
注册表位置:HKEY_USERS\S-1-5-21-789336058-1500820517-1801674531-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
注册表项名:5A463970162687B22011A345B8A56310
注册表内容:"C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\Tmp\2345pcsafe_800781_3174_v1.5_silence.exe"
操作文件 MD5:9eb867933136ad37eaf7f2ecb97e3a4d
[2015-08-14 10:46:04]
说明:写注册表
操作:已拒绝并结束程序
进程:C:\WINDOWS\explorer.exe
注册表位置:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
注册表项名:5A463970162687B22011A345B8A56310
注册表内容:"C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\Tmp\2345pcsafe_800781_3174_v1.5_silence.exe"
操作文件 MD5:9eb867933136ad37eaf7f2ecb97e3a4d

临时文件夹在自动下载病毒，天月在帮忙看下，还有那个地方遗落了

新的扫描日志在帮忙看下

附件: SREngLOG 123.log

这些是什么呢？你怎一直不去结束这些进程呢？

==================================
服务
[MANC / MANC][Running/Auto Start]
  <C:\WINDOWS\system32\MANC.exe><N/A>

==================================
正在运行的进程
[PID: 1216 / Administrator][C:\WINDOWS\Explorer.EXE]  [(Verified) Microsoft Corporation, 6.00.2900.5512 (xpsp.080413-2105)]
    [C:\WINDOWS\system32\MsgTrack.dll]  [, 1, 0, 2, 104]
    [C:\WINDOWS\system32\msres\YTFunDll32.dll]  [TODO: <公司名>, 1.0.0.1]
    [C:\WINDOWS\system32\xfnet.dll]  [yt Corporation, 2, 0, 0, 67]


[PID: 1972 / SYSTEM][c:\windows\system32\msres\svchost.exe]  [, 5, 0, 0, 1]
[PID: 444 / SYSTEM][C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40ST7.EXE]  [SEIKO EPSON CORPORATION, 4.00]
[PID: 728 / SYSTEM][C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE]  [SEIKO EPSON CORPORATION, 4.02]
[PID: 908 / SYSTEM][C:\WINDOWS\system32\MANC.exe]  [N/A, ]
[PID: 1364 / SYSTEM][C:\WINDOWS\system32\msres\sysaid.exe]  [, 5, 0, 0, 1]