Rising Kaka Security Forum, Technical Exchange, Anti-virus / Anti-rogue-software board: Help: something modified my HOSTS file and Rising can't clean it!!!


There is an IE virus that keeps modifying my HOSTS file, svchost.exe,
but Rising can't remove the virus from svchost.exe.

It modified my HOSTS file as follows:

222.73.4.9    zsrj.168tk.net
222.73.4.9    zs2.98tk.net
222.73.4.9    zs1.98tk.net
222.191.251.149    wwww.w53.net
222.191.251.149    .w53.net
222.191.251.149    wwww.tu44.com
222.191.251.149    .tu44.com
222.191.251.149    wwww.ok898.net
222.191.251.149    .ok898.net
222.191.251.149    wwww.hktuku.com
222.191.251.149    .hktuku.com
222.191.251.149    wwww.hk878.net
222.191.251.149    .hk878.net
222.191.251.149    wwww.ggtk.com
222.191.251.149    .ggtk.com
222.191.251.149    wwww.851212.net
222.191.251.149    .851212.net
222.191.251.149    wwww.50899.com
222.191.251.149    .50899.com
222.191.251.149    wwww.4523.com
222.191.251.149    .4523.com
222.191.251.149    wwww.36488.com
222.191.251.149    .36488.com
222.191.251.149    wwww.256888.net
222.191.251.149    .256888.net
222.191.251.149    wwww.2004tk.com
222.191.251.149    .2004tk.com
222.191.251.149    wwww.1986836.com
222.191.251.149    .1986836.com

.... ....

I don't know who is behind this; it's really vicious. If they're caught they should get the death penalty......


I hope someone can tell me what virus this actually is....
Last edited 2005-12-30 22:26:16
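One way to triage a hosts file like the one pasted above, as an added example that is not part of the original thread or of Rising's tooling: it parses the file, diffs it against the stock Windows baseline to isolate the injected lines, and flags the patterns visible in the poster's entries (many hostnames pinned to one non-loopback address, hostnames beginning with a dot, and the "wwww." prefix). The sample text is a constructed fragment of the poster's file and the heuristics and threshold are assumptions.

```python
"""Triage a Windows HOSTS file for malware-style entries.

Added example for this thread, not the poster's or Rising's code. The sample
text and the heuristics below are constructed/assumed to match what the
poster pasted.
"""
import ipaddress
from collections import defaultdict

# Constructed sample: the stock comment header and localhost line plus a few
# of the entries the poster quoted.
SAMPLE_HOSTS = """\
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1      localhost
222.73.4.9    zsrj.168tk.net
222.73.4.9    zs2.98tk.net
222.191.251.149    wwww.w53.net
222.191.251.149    .w53.net
222.191.251.149    wwww.tu44.com   # a trailing comment is legal
222.191.251.149    .tu44.com
"""

# Known-good baseline: a stock Windows hosts file maps only localhost.
DEFAULT_HOSTS = "127.0.0.1      localhost\n"

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


def parse_hosts(text):
    """Return (ip, hostname) pairs, ignoring comments and blank lines.

    One line may carry several hostnames; each becomes its own pair.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            entries.append((ip, name))
    return entries


def injected_entries(text, baseline=DEFAULT_HOSTS):
    """Entries present in `text` but absent from the known-good baseline."""
    base = set(parse_hosts(baseline))
    return [e for e in parse_hosts(text) if e not in base]


def find_suspicious(text, fanout_threshold=3):
    """Return (reason, ip, hostname) findings using three assumed heuristics:
    a hostname starting with '.', a 'wwww.' prefix (typo-squat on 'www.'),
    and >= fanout_threshold names pinned to one non-loopback address."""
    findings = []
    by_ip = defaultdict(list)
    for ip, name in parse_hosts(text):
        by_ip[ip].append(name)
        if name.startswith("."):
            findings.append(("leading-dot-hostname", ip, name))
        if name.startswith("wwww."):
            findings.append(("wwww-prefix", ip, name))
    for ip, names in by_ip.items():
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append(("unparseable-ip", ip, ",".join(names)))
            continue
        if addr not in LOOPBACK and len(names) >= fanout_threshold:
            findings.append(("non-loopback-fanout", ip, ",".join(names)))
    return findings


if __name__ == "__main__":
    for entry in injected_entries(SAMPLE_HOSTS):
        print("injected:", *entry)
    for finding in find_suspicious(SAMPLE_HOSTS):
        print("suspicious:", *finding)
```

Run it against `C:\WINDOWS\system32\drivers\etc\hosts` read from disk to get the list of injected lines; the diff against the baseline is the part worth keeping, since the heuristics only describe this particular family's style and a different infection could pin a single legitimate-looking name.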

[Reply to fublogs' post]
Post your antivirus report, then scan with HijackThis and post the log in the thread.

HijackThis download: http://forum.ikaka.com/download.asp?id=5188960
HijackThis usage: http://it.rising.com.cn/newSite/Channels/anti_virus/Antivirus_Faq/TopicExplorerPagePackage/hijackthis.htm

First change the HOSTS file content to the following:
# Copyright (c) 1993-2001 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97    rhino.acme.com          # source server
#      38.25.63.10    x.acme.com              # x client host

127.0.0.1      localhost

Download this tool, SREng, and post the log:
http://www.kztechs.com/sreng/download.html
Smart Scan, then Scan, then Save

Thanks everyone. Using FileMon I found that explorer.exe is modifying the hosts file on its own, so it looks like
explorer.exe is infected:

    4:00:36    explorer.exe:1368    WRITE    C:\WINDOWS\system32\drivers\etc\hosts    SUCCESS    Offset: 793 Length: 2   
1900    4:00:36    explorer.exe:1368    READ    C:\WINDOWS\system32\mshell.dll    SUCCESS    Offset: 13736 Length: 96   
1901    4:00:36    explorer.exe:1368    WRITE    C:\WINDOWS\system32\drivers\etc\hosts    SUCCESS    Offset: 795 Length: 15   
1902    4:00:36    explorer.exe:1368    WRITE    C:\WINDOWS\system32\drivers\etc\hosts    SUCCESS    Offset: 810 Length: 1   
1903    4:00:36    explorer.exe:1368    WRITE    C:\WINDOWS\system32\drivers\etc\hosts    SUCCESS    Offset: 811 Length: 16   
1904    4:00:36    explorer.exe:1368    WRITE    C:\WINDOWS\system32\drivers\etc\hosts    SUCCESS    Offset: 827 Length: 2   
1905    4:00:36    explorer.exe:1368    WRITE    C:\WINDOWS\system32\drivers\etc\hosts    SUCCESS    Offset: 829 Length: 15   
1906    4:00:36    explorer.exe:1368    WRITE    C:\WINDOWS\system32\drivers\etc\hosts    SUCCESS    Offset: 844 Length: 1   
1907    4:00:36    explorer.exe:1368    WRITE    C:\WINDOWS\system32\drivers\etc\hosts    SUCCESS    Offset: 845 Length: 12   
1908    4:00:36    explorer.exe:1368    WRITE    C:\WINDOWS\system32\drivers\etc\hosts    SUCCESS    Offset: 857 Length: 2   
1909    4:00:36    explorer.exe:1368    READ    C:\WINDOWS\system32\mshell.dll    SUCCESS    Offset: 13832 Length: 96   
... ....


Because the system is Windows 2003 I can't install Duba; Jiangmin can detect the trojan but can't remove it; Rising can't detect it at all, even though I've updated to the latest version.
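As an added example (not the poster's output or FileMon's own code), the following correlates FileMon logs like the one quoted above: it finds each process that successfully WRITEs the hosts file and lists the DLLs that same process READ in the same second, which is how the mshell.dll reads next to the hosts writes stand out. The log lines are constructed in the column layout the poster pasted (sequence, time, process:pid, operation, path, result, detail); that column order and the same-second window are assumptions.

```python
"""Correlate FileMon WRITE events on the hosts file with the writing process
and the DLLs it read in the same second.

Added example for this thread, not the poster's output or FileMon's own code.
The log lines are constructed in the column layout the poster quoted
(sequence, time, process:pid, operation, path, result, detail); that column
order and the same-second window are assumptions.
"""
import re
from collections import defaultdict, namedtuple

HOSTS_PATH = r"c:\windows\system32\drivers\etc\hosts"

# Constructed sample. FileMon exports tab-separated columns; pasting into a
# forum often turns the tabs into runs of spaces, so one line uses spaces.
SAMPLE_LOG = "\n".join([
    "1900\t4:00:36\texplorer.exe:1368\tWRITE\tC:\\WINDOWS\\system32\\drivers\\etc\\hosts\tSUCCESS\tOffset: 793 Length: 2",
    "1901\t4:00:36\texplorer.exe:1368\tREAD\tC:\\WINDOWS\\system32\\mshell.dll\tSUCCESS\tOffset: 13736 Length: 96",
    "1902\t4:00:36\texplorer.exe:1368\tWRITE\tC:\\WINDOWS\\system32\\drivers\\etc\\hosts\tSUCCESS\tOffset: 795 Length: 15",
    "1903\t4:00:36\texplorer.exe:1368\tWRITE\tC:\\WINDOWS\\system32\\drivers\\etc\\hosts\tSUCCESS\tOffset: 810 Length: 1",
    "1904\t4:00:36\texplorer.exe:1368\tREAD\tC:\\WINDOWS\\system32\\mshell.dll\tSUCCESS\tOffset: 13832 Length: 96",
    "1905    4:00:37    svchost.exe:1044    READ    C:\\WINDOWS\\system32\\drivers\\etc\\hosts    SUCCESS    Offset: 0 Length: 4096",
    "1906\t4:00:37\tsvchost.exe:1044\tREAD\tC:\\WINDOWS\\system32\\dnsapi.dll\tSUCCESS\tOffset: 0 Length: 64",
    "1907\t4:00:40\texplorer.exe:1368\tREAD\tC:\\WINDOWS\\system32\\shell32.dll\tSUCCESS\tOffset: 0 Length: 64",
])

Event = namedtuple("Event", "seq time proc pid op path result detail")
COLUMN_SPLIT = re.compile(r"\t+| {2,}")


def parse_filemon(text):
    """Parse FileMon lines into Event records; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        cols = COLUMN_SPLIT.split(line.strip())
        if len(cols) < 6:
            continue
        seq, time, procpid, op, path, result = cols[:6]
        detail = cols[6] if len(cols) > 6 else ""
        proc, _, pid = procpid.rpartition(":")
        events.append(Event(int(seq), time, proc, int(pid), op, path, result, detail))
    return events


def hosts_writers(events):
    """Map (process, pid) to its successful WRITE events on the hosts file."""
    writers = defaultdict(list)
    for e in events:
        if e.op == "WRITE" and e.result == "SUCCESS" and e.path.lower() == HOSTS_PATH:
            writers[(e.proc, e.pid)].append(e)
    return writers


def dlls_read_by(events, proc, pid, times):
    """DLLs the given process READ at any timestamp in `times`, in order, deduplicated."""
    seen = []
    for e in events:
        if (e.proc, e.pid) == (proc, pid) and e.op == "READ" \
                and e.time in times and e.path.lower().endswith(".dll") \
                and e.path not in seen:
            seen.append(e.path)
    return seen


def written_bytes(event):
    """Byte count from a FileMon detail column such as 'Offset: 793 Length: 2'."""
    m = re.search(r"Length: (\d+)", event.detail)
    return int(m.group(1)) if m else 0


def report(text):
    """Per hosts-writing process: write count, bytes written, DLLs read alongside."""
    events = parse_filemon(text)
    out = {}
    for (proc, pid), writes in hosts_writers(events).items():
        times = {w.time for w in writes}
        out[f"{proc}:{pid}"] = {
            "writes": len(writes),
            "bytes": sum(written_bytes(w) for w in writes),
            "dlls": dlls_read_by(events, proc, pid, times),
        }
    return out


if __name__ == "__main__":
    for who, info in report(SAMPLE_LOG).items():
        print(who, info)
```

A hosts write attributed to explorer.exe is not by itself proof of injection, since the shell executes whatever is loaded into it; the DLL list is the part to carry over to the HijackThis or SREng log the replies ask for, where the same module should show up among explorer.exe's loaded modules or in a shell extension or AppInit-style load point.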

explorer.exe has probably been injected by a trojan.

I'd still suggest first scanning with HijackThis and posting the log in the thread.