hhkeen - 2006-1-8 11:43:00
Yesterday someone else used my machine, and I don't know what software they installed, but a service was added; the file is named SVCHOSI.EXE.
This is the list of DLL files loaded by the service:
Name Description Company Version
advapi32.dll Advanced Windows 32 Base API Microsoft Corporation 5.01.2600.2180
avicap32.dll AVI Capture window class Microsoft Corporation 5.01.2600.0000
c_1252.nls
comctl32.dll Common Controls Library Microsoft Corporation 5.82.2900.2180
comctl32.dll User Experience Controls Library Microsoft Corporation 6.00.2900.2180
crypt32.dll Crypto API32 Microsoft Corporation 5.131.2600.218
ctype.nls
dnsapi.dll DNS Client API DLL Microsoft Corporation 5.01.2600.2180
gdi32.dll GDI Client DLL Microsoft Corporation 5.01.2600.2818
imm32.dll Windows XP IMM32 API Client DLL Microsoft Corporation 5.01.2600.2180
index.dat
index.dat
index.dat
iphlpapi.dll IP Helper API Microsoft Corporation 5.01.2600.2180
kernel32.dll Windows NT BASE API Client DLL Microsoft Corporation 5.01.2600.2180
locale.nls
lpk.dll Language Pack Microsoft Corporation 5.01.2600.2180
mpr.dll Multiple Provider Router DLL Microsoft Corporation 5.01.2600.2180
msasn1.dll ASN.1 Runtime APIs Microsoft Corporation 5.01.2600.2180
MSCTFIME.IME Microsoft Text Frame Work Service IME Microsoft Corporation 5.01.2600.2180
msv1_0.dll Microsoft Authentication Package v1.0 Microsoft Corporation 5.01.2600.2180
msvcrt.dll Windows NT CRT DLL Microsoft Corporation 7.00.2600.2180
msvfw32.dll Microsoft Video for Windows DLL Microsoft Corporation 5.01.2600.2180
mswsock.dll Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation 5.01.2600.2180
netapi32.dll Net Win32 API DLL Microsoft Corporation 5.01.2600.2180
ntdll.dll NT Layer DLL Microsoft Corporation 5.01.2600.2180
ole32.dll Microsoft OLE for Windows Microsoft Corporation 5.01.2600.2726
oleaut32.dll Microsoft Corporation 5.01.2600.2180
rasadhlp.dll Remote Access AutoDial Helper Microsoft Corporation 5.01.2600.2180
rasapi32.dll Remote Access API Microsoft Corporation 5.01.2600.2180
rasman.dll Remote Access Connection Manager Microsoft Corporation 5.01.2600.2180
rpcrt4.dll Remote Procedure Call Runtime Microsoft Corporation 5.01.2600.2180
rtutils.dll Routing Utilities Microsoft Corporation 5.01.2600.2180
secur32.dll Security Support Provider Interface Microsoft Corporation 5.01.2600.2180
sensapi.dll SENS Connectivity API DLL Microsoft Corporation 5.01.2600.2180
shell32.dll Windows Shell Common Dll Microsoft Corporation 6.00.2900.2763
shlwapi.dll Shell Light-weight Utility Library Microsoft Corporation 6.00.2900.2781
sortkey.nls
sorttbls.nls
SVCHOSI.EXE
tapi32.dll Microsoft(R) Windows(TM) Telephony API Client DLL Microsoft Corporation 5.01.2600.2180
unicode.nls
urlmon.dll OLE32 Extensions for Win32 Microsoft Corporation 6.00.2900.2790
user32.dll Windows XP USER API Client DLL Microsoft Corporation 5.01.2600.2622
usp10.dll Uniscribe Unicode script processor Microsoft Corporation 1.420.2600.218
uxtheme.dll Microsoft UxTheme Library Microsoft Corporation 6.00.2900.2180
version.dll Version Checking and File Installation Libraries Microsoft Corporation 5.01.2600.2180
wininet.dll Internet Extensions for Win32 Microsoft Corporation 6.00.2900.2781
winmm.dll MCI API DLL Microsoft Corporation 5.01.2600.2180
winrnr.dll LDAP RnR Provider DLL Microsoft Corporation 5.01.2600.2180
wldap32.dll Win32 LDAP API DLL Microsoft Corporation 5.01.2600.2180
ws2_32.dll Windows Socket 2.0 32-Bit DLL Microsoft Corporation 5.01.2600.2180
ws2help.dll Windows Socket 2.0 Helper for Windows NT Microsoft Corporation 5.01.2600.2180
wsock32.dll Windows Socket 32-Bit DLL Microsoft Corporation 5.01.2600.2180
These are the handles:
Type Name
Desktop \Default
Directory \Windows
Directory \BaseNamedObjects
Directory \KnownDlls
Event \BaseNamedObjects\crypt32LogoffEvent
Event \BaseNamedObjects\DINPUTWINMM
File \Device\Tcp
File \Device\Tcp
File \Device\Ip
File \Device\Ip
File \Device\Ip
File \Device\Tcp
File \Device\HarddiskVolume4\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat
File \Device\NetBT_Tcpip_{EE16A716-FD7C-4C92-B19C-D428E1A96252}
File \Device\HarddiskVolume4\Documents and Settings\LocalService\Cookies\index.dat
File \Device\HarddiskVolume4\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat
File \Device\HarddiskVolume4\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a...
File \Device\NamedPipe\ROUTER
File \Device\NamedPipe\ROUTER
File \Device\KsecDD
File \Device\HarddiskVolume4\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a...
File \Device\HarddiskVolume4\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a...
File \Device\HarddiskVolume4\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a...
File \Device\HarddiskVolume4\WINDOWS\system32
File \Device\NamedPipe\net\NtControlPipe16
Key HKLM\SYSTEM\ControlSet001\Services\Tcpip\Linkage
Key HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters
Key HKLM\SYSTEM\ControlSet001\Services\NetBT\Parameters\Interfaces
Key HKLM\SYSTEM\ControlSet001\Services\NetBT\Parameters
Key HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Key HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Key HKLM\SOFTWARE\Microsoft\Tracing\RASAPI32
Key HKU
Key HKU\.DEFAULT
Key HKLM\SYSTEM\ControlSet001\Hardware Profiles\0001
Key HKLM
Key HKLM\SYSTEM\ControlSet001\Control\NetworkProvider\HwOrder
Key HKU\.DEFAULT
Key HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
hhkeen - 2006-1-8 11:44:00
HijackThis_815 Chinese-localized version scan log
O2 - BH (no name) - {53707962-6F74-2D53-2644-206D7942484F} - e:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BH Browster BrwIEConnector - {908A31E8-2A6E-4736-8E8A-AAF00C4AE38F} - e:\Program Files\Browster\Browster.dll
O4 - 启动项HKLM\\Run: [IMJPMIG8.1] "F:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - 启动项HKLM\\Run: [PHIME2002ASync] F:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - 启动项HKLM\\Run: [PHIME2002A] F:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - 启动项HKLM\\Run: [KAVPersonal50] "F:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kav.exe" /minimize
O4 - 启动项HKLM\\Run: [IMSCMig] F:\PROGRA~1\COMMON~1\MICROS~1\IME\IMSC40A\IMSCMIG.EXE /Preload
O4 - 启动项HKLM\\Run: [SoundMan] SOUNDMAN.EXE
O4 - 启动项HKLM\\Run: [NEC e-Border Credential] e:\Program Files\NEC\s5credmgr.exe
O4 - 启动项HKLM\\Run: [gcasServ] "E:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office OneNote 2003 快速启动.lnk = D:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: 卡巴斯基反黑客.lnk = F:\Program Files\Kaspersky Lab\Kaspersky Anti-Hacker\KAVPF.exe
O8 - IE右键菜单中的新增项目: Browster Prefetch On/Off - res://e:\Program Files\Browster\Browster.dll/CustomPrefetchMenu.htm
O8 - IE右键菜单中的新增项目: 导出到 Microsoft Office Excel(&X) - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - 浏览器额外的按钮: 浩方对战平台 - {0A155D3C-68E2-4215-A47A-E800A446447A} - D:\Program Files\浩方对战平台\GameClient.exe
O9 - 浏览器额外的按钮: 信息检索 - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - 浏览器额外的按钮: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - 浏览器额外的“工具”菜单项: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O10 - 未知的文件在 Winsock LSP: e:\program files\nec\s5spi.dll
O10 - 未知的文件在 Winsock LSP: e:\program files\nec\s5spi.dll
O10 - 未知的文件在 Winsock LSP: e:\program files\nec\s5spi.dll
O10 - 未知的文件在 Winsock LSP: e:\program files\nec\s5spi.dll
O10 - 未知的文件在 Winsock LSP: e:\program files\nec\s5spi.dll
O10 - 未知的文件在 Winsock LSP: e:\program files\nec\s5spi.dll
O10 - 未知的文件在 Winsock LSP: e:\program files\nec\s5spi.dll
O23 - NT 服务: ATI Smart - Unknown owner - F:\WINDOWS\system32\ati2sgag.exe
O23 - NT 服务: ewido security suite guard - ewido networks - E:\BT\木马查杀工具\security suite\ewidoguard.exe
O23 - NT 服务: Windows Fing (Fingrwx) - Unknown owner - F:\Program Files\Internet Explorer\SVCHOSI.EXE
O23 - NT 服务: kavsvc - Kaspersky Lab - F:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kavsvc.exe
O23 - NT 服务: PDEngine - Raxco Software, Inc. - E:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - NT 服务: PDScheduler (PDSched) - Raxco Software, Inc. - E:\Program Files\Raxco\PerfectDisk\PDSched.exe
---------------------------------------------------------------------------------------------
This is how SVCHOSI.EXE appears in the process list:
http://photo.163.com/openpic.php?user=hhkeen&pid=688597356&_dir=%2F27049180
This is the service startup information:
http://photo.163.com/openpic.php?user=hhkeen&pid=688587703&_dir=%2F27049180
And this error appears every time XP starts:
http://photo.163.com/openpic.php?user=hhkeen&pid=688587731&_dir=%2F27049180
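An added example (Python, not from this thread or from HijackThis) of the triage a defender would run over the O23 service lines above: it flags a service whose image name is a near miss of a core Windows binary, one whose system-like name lives outside system32, and one with no company name. SYSTEM_NAMES is an illustrative list, not an exhaustive one, and the sample lines are copied from the log in this thread.

```python
import re
from difflib import SequenceMatcher

# Constructed sample: four of the O23 (NT service) lines from the HijackThis log in this thread.
HJT_LOG = r"""
O23 - NT 服务: ATI Smart - Unknown owner - F:\WINDOWS\system32\ati2sgag.exe
O23 - NT 服务: Windows Fing (Fingrwx) - Unknown owner - F:\Program Files\Internet Explorer\SVCHOSI.EXE
O23 - NT 服务: kavsvc - Kaspersky Lab - F:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kavsvc.exe
O23 - NT 服务: PDEngine - Raxco Software, Inc. - E:\Program Files\Raxco\PerfectDisk\PDEngine.exe
"""
# Illustrative list (an assumption, not exhaustive) of core Windows binaries that malware imitates by name.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "services.exe", "winlogon.exe", "explorer.exe"}

# HijackThis prints a service as: O23 - <label>: <display name> - <owner> - <image path>
O23_RE = re.compile(r"^O23 - [^:]+: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")

def parse_o23(line):
    m = O23_RE.match(line.strip())
    return m.groupdict() if m else None

def lookalike(filename):
    """Return the system binary this file name imitates, or None for exact or unrelated names."""
    f = filename.lower()
    if f in SYSTEM_NAMES:
        return None
    for real in SYSTEM_NAMES:
        if SequenceMatcher(None, f, real).ratio() >= 0.85:  # near miss such as svchosi vs svchost
            return real
    return None

def triage(log_text):
    """Return (display name, image path, reasons) for each O23 entry that deserves a closer look."""
    findings = []
    for line in log_text.splitlines():
        e = parse_o23(line)
        if not e:
            continue
        path = e["path"]
        reasons = []
        real = lookalike(path.rsplit("\\", 1)[-1])
        if real:
            reasons.append(f"name resembles {real}")
            if "\\system32\\" not in path.lower():
                reasons.append("system-like name but not in system32")
        if e["owner"].lower() == "unknown owner":  # HijackThis: no company name in the file's version info
            reasons.append("no company name in version info")
        if reasons:
            findings.append((e["name"], path, reasons))
    return findings
```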
hhkeen - 2006-1-8 11:58:00
Thanks to the friend above. I already deleted it once, removing everything from the registry, but after restarting XP I could not log in as a user; it was not frozen, it just kept trying to log in, so I had to restore the system.
TCPView connection information:
[System Process]:0 TCP 221.221.159.27:1309 66.102.7.18:80 TIME_WAIT
[System Process]:0 TCP 221.221.159.27:1315 205.188.251.88:80 TIME_WAIT
[System Process]:0 TCP 221.221.159.27:1316 66.102.7.18:80 TIME_WAIT
[System Process]:0 TCP 221.221.159.27:1318 66.94.230.40:80 TIME_WAIT
alg.exe:1532 TCP 127.0.0.1:1028 0.0.0.0:0 LISTENING
CCProxy.exe:1504 TCP 0.0.0.0:808 0.0.0.0:0 LISTENING
CCProxy.exe:1504 TCP 0.0.0.0:1080 0.0.0.0:0 LISTENING
CCProxy.exe:1504 UDP 0.0.0.0:53 *:*
kavsvc.exe:1772 TCP 0.0.0.0:1032 0.0.0.0:0 LISTENING
lsass.exe:688 UDP 0.0.0.0:500 *:*
lsass.exe:688 UDP 0.0.0.0:4500 *:*
svchost.exe:1036 UDP 0.0.0.0:4763 *:*
svchost.exe:1036 UDP 0.0.0.0:4764 *:*
svchost.exe:1036 UDP 0.0.0.0:4786 *:*
svchost.exe:1036 UDP 0.0.0.0:4844 *:*
svchost.exe:1036 UDP 0.0.0.0:4848 *:*
svchost.exe:1092 UDP 127.0.0.1:1900 *:*
svchost.exe:1092 UDP 192.168.1.8:1900 *:*
svchost.exe:1092 UDP 221.221.154.175:1900 *:*
svchost.exe:916 TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
System:4 TCP 192.168.1.8:139 0.0.0.0:0 LISTENING
System:4 UDP 192.168.1.8:137 *:*
System:4 UDP 192.168.1.8:138 *:*
It feels like the ports svchost.exe has open are a bit abnormal.
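An added example (Python, not from this thread or from TCPView) that reads lines in the layout above and summarises, per process, which sockets other hosts can reach, so that each process's listening ports can be checked one at a time instead of by eye. The sample lines are copied from the TCPView listing in this thread.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the TCPView lines posted in this thread.
TCPVIEW = """\
[System Process]:0 TCP 221.221.159.27:1309 66.102.7.18:80 TIME_WAIT
alg.exe:1532 TCP 127.0.0.1:1028 0.0.0.0:0 LISTENING
CCProxy.exe:1504 TCP 0.0.0.0:808 0.0.0.0:0 LISTENING
CCProxy.exe:1504 TCP 0.0.0.0:1080 0.0.0.0:0 LISTENING
CCProxy.exe:1504 UDP 0.0.0.0:53 *:*
svchost.exe:1036 UDP 0.0.0.0:4763 *:*
svchost.exe:1092 UDP 127.0.0.1:1900 *:*
svchost.exe:1092 UDP 192.168.1.8:1900 *:*
svchost.exe:916 TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
"""

# Layout as posted: <process>:<pid> <proto> <local addr>:<port> <remote addr>:<port> [<state>]
LINE_RE = re.compile(r"^(?P<proc>.+):(?P<pid>\d+)\s+(?P<proto>TCP|UDP)\s+"
                     r"(?P<laddr>[^:\s]+):(?P<lport>\d+)\s+(?P<raddr>\S+)(?:\s+(?P<state>\S+))?$")

def parse(text):
    """Parse each line into a dict; lines that do not match the layout are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows

def exposed_listeners(text):
    """Map 'process:pid' -> sorted 'PROTO/port' sockets that other hosts can reach.
    Exposed = a TCP socket in LISTENING state or any UDP socket, bound to 0.0.0.0 or a
    non-loopback address. Outbound flows (TIME_WAIT etc.) and 127.x bindings are ignored."""
    out = defaultdict(set)
    for r in parse(text):
        is_listener = r["proto"] == "UDP" or r["state"] == "LISTENING"
        if not is_listener or r["laddr"].startswith("127."):
            continue
        out[f'{r["proc"]}:{r["pid"]}'].add(f'{r["proto"]}/{r["lport"]}')
    return {k: sorted(v) for k, v in out.items()}
```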
hhkeen - 2006-1-8 12:07:00
The firewall I use is Kaspersky; I have blocked the port, so it should not be a big problem.
What virus is this, and is there a good removal tool or method?
Thanks again.
hhkeen - 2006-1-8 19:16:00
Also, these past few days Explorer has been extremely slow to open, while IE has no problems at all.
Right after booting, the machine can shut down normally, although shutdown takes noticeably longer, and often the shutdown screen appears but the machine does not shut down. If I shut down after running programs for a while, the system stops responding, the shutdown screen does not appear, and it hangs.
© 2000 - 2026 Rising Corp. Ltd.