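Quote:
[Post by littlefanfan] My win2000 server has been infected with some kind of virus that drives CPU utilization to 100%! Under winnt/system32 it keeps randomly generating files such as 1.tmp, 4.tmp and 8.tmp, and it writes to the registry. I deleted all of these, but the next day they had all been copied back again. I really cannot find the actual root cause. What is this virus called? How do I remove it? Please help. Many thanks. ...........................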
Logfile of HijackThis v1.99.0
Scan saved at 14:57:48, on 2005-8-22
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINNT\system32\svchost.exe
C:\IMail\IMAP4D32.exe
C:\IMail\iwebmsg.exe
C:\WINNT\System32\llssrv.exe
C:\PROGRA~1\MICROS~3\MSSQL\binn\sqlservr.exe
C:\mysql\bin\mysqld-nt.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\IMail\POP3D32.exe
C:\IMail\queuemgr.exe
C:\WINNT\system32\MSTask.exe
C:\PROGRA~1\Serv-U\ServUDaemon.exe
C:\IMail\smtpd32.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\spoolsv32.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\WINNT\system32\msdtc.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\logon.scr
C:\WINNT\system32\2.tmp
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\rdpclip.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\internat.exe
C:\Program Files\Serv-U\ServUTray.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\mysql\bin\winmysqladmin.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\rdpclip.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\internat.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
D:\ftp\ftp2\HijackThis.exe
O3 - Toolbar: @msdxmLC.dll,-1@2052,电台(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKCU\..\Run: [Internat.exe] internat.exe
O4 - Global Startup: 服务管理器.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1124507475296
O17 - HKLM\System\CCS\Services\Tcpip\..\{87F880D3-3BEA-4169-B132-779118426567}: NameServer = 210.51.176.71,210.51.16.52
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: IMail FINGER Server - Ipswitch, Inc. - C:\IMail\FINGRD32.exe
O23 - Service: IMail LDAP Server - Ipswitch, Inc. - C:\IMail\ILDAP.exe
O23 - Service: IMail IMAP4 Server - Ipswitch, Inc. - C:\IMail\IMAP4D32.exe
O23 - Service: IMail Monitor Service - Ipswitch, Inc. - C:\IMail\IMonitor.exe
O23 - Service: IMail Web Calendar Service - Ipswitch, Inc. - C:\IMail\IWebCal.exe
O23 - Service: IMail Web Service - Ipswitch, Inc. - C:\IMail\iwebmsg.exe
O23 - Service: MySql - Unknown - C:/mysql/bin/mysqld-nt.exe
O23 - Service: Symantec AntiVirus Client - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: IMail POP3 Server - Ipswitch, Inc. - C:\IMail\POP3D32.exe
O23 - Service: IMail PWD Server - Ipswitch, Inc. - C:\IMail\PSERVE.exe
O23 - Service: IMail Queue Manager Service - Ipswitch, Inc. - C:\IMail\queuemgr.exe
O23 - Service: Serv-U FTP Server - Unknown - C:\PROGRA~1\Serv-U\ServUDaemon.exe
O23 - Service: IMail SMTP Server - Ipswitch, Inc. - C:\IMail\smtpd32.exe
O23 - Service: Microsoft SSL - Unknown - C:\WINNT\system32\ssl.exe
O23 - Service: IMail Sys Logger Service - Ipswitch, Inc. - C:\IMail\SYSLOGD.exe
O23 - Service: IMail WHOIS Server - Ipswitch, Inc. - C:\IMail\WHOISD32.exe
O23 - Service: Win32 AutoDrivers - Unknown - C:\WINNT\spoolsv32.exe
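It is the process C:\WINNT\system32\2.tmp in the log that is eating my CPU. After I delete it, it shows up again after a while, but possibly under a different name, such as 1.tmp, 3.tmp and so on.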