Rising Kaka Security Forum, Technical Exchange area, Anti-virus / anti-rogue-software board


Help: the PID 0 process (Idle) on my machine seems to be infected with a trojan, can someone take a look?


Here is the log:
HijackThis_zww Chinese-localized edition scan log V1.99.1
Saved at 11:13:13, on 2006-1-4
Operating system: Windows XP SP2 (WinNT 5.01.2600)
Browser: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSNShell\BIN\MSNShell.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Kingsoft\Powerword 2003\XDICT.EXE
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\Program Files\MYIE2\MyIE.exe
C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
C:\WINDOWS\system32\conime.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\rainbow\LOCALS~1\Temp\Rar$EX00.860\HijackThis1991zww.exe

R3 - URLSearchHook: BDSrchHook Class - {2C5AA40E-8814-4EB6-876E-7EFB8B3F9662} - C:\WINDOWS\DOWNLO~1\BDSrHook.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FLASHGET\jccatch.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\zh-cn\msntb.dll
O2 - BHO: BDHlprObj Class - {CA92B524-BC8A-4610-BD2C-6BD3E28155D0} - C:\WINDOWS\DOWNLO~1\BDHelper.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\fgiebar.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\zh-cn\msntb.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [IMSCMig] C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMSC40A\IMSCMIG.EXE /Preload
O4 - HKLM\..\Run: [BIE] Rundll32 C:\WINDOWS\DOWNLO~1\BDPlugin.dll,Rundll32
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [StormCodec_Helper] "C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" /S /opti
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [StatusClient 2.6] C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [FinePrint Dispatcher v5] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" /source=HKLM
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [MSNShell] C:\Program Files\MSNShell\BIN\MSNShell.exe autorun
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: 金山词霸 2003.lnk = C:\Program Files\Kingsoft\Powerword 2003\XDICT.EXE
O8 - Extra context menu item: Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Download all links with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Export to Microsoft Office Excel(&X) - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Powerword - {9A687CA6-D585-4947-9ED9-BE96071F5CD9} - C:\PROGRA~1\Kingsoft\POWERW~1\XDictExB.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra button: EachNet Shopping - {DE60714F-AC17-427e-861A-FD60CBDF119A} - http://click2.ad4all.net/url2/urlmanage/url.asp?id=1 (file missing)
O9 - Extra 'Tools' menuitem: EachNet Shopping - {DE60714F-AC17-427e-861A-FD60CBDF119A} - http://click2.ad4all.net/url2/urlmanage/url.asp?id=1 (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O16 - DPF: {098A3F72-3110-4004-B954-2F9DC44934B4} (AddSHCARoot Control) - http://www.sheca.com/AddSHCARootCert.cab
O16 - DPF: {2161B600-8A0F-11D0-B320-00A0C90825E1} (Microsoft SNA Server 5250 Web Client Download) - http://10.101.100.119/sna/5250full.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {548E8FF0-8A14-11D0-B320-00A0C90825E1} (OLE Automation Control for SNA Server) - http://10.101.100.119/sna/snactrl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7BD6009C-812F-4990-BFD9-8259F19C35CA}: Domain = xxxxxx
O17 - HKLM\System\CCS\Services\Tcpip\..\{7BD6009C-812F-4990-BFD9-8259F19C35CA}: NameServer = xxxxxxxxx
O18 - Protocol: dic - {C21F5C32-F57A-4A0D-8E0A-B672691C52D0} - C:\PROGRA~1\Kingsoft\POWERW~1\XDictExB.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

Last edited 2006-01-04 12:39:03

And here is the TCPView output:
Process:PID           Proto  Local Address          Remote Address         State
[System Process]:0    TCP    10.101.100.49:3650     10.101.101.186:135     TIME_WAIT
[System Process]:0    TCP    10.101.100.49:3659     10.101.100.214:135     TIME_WAIT
[System Process]:0    TCP    10.101.100.49:3668     10.101.100.54:135      TIME_WAIT
[System Process]:0    TCP    10.101.100.49:3672     10.101.100.78:135      TIME_WAIT
[System Process]:0    TCP    10.101.100.49:3674     10.101.100.54:139      TIME_WAIT
[System Process]:0    TCP    10.101.100.49:3675     10.101.100.54:139      TIME_WAIT
[System Process]:0    TCP    10.101.100.49:3676     10.101.100.78:445      TIME_WAIT
[System Process]:0    TCP    10.101.100.49:3679     10.101.100.54:139      TIME_WAIT
[System Process]:0    TCP    10.101.100.49:3680     10.101.100.54:139      TIME_WAIT
[System Process]:0    TCP    10.101.100.49:3681     10.101.101.186:135     TIME_WAIT
[System Process]:0    TCP    10.101.100.49:3682     10.101.101.186:135     TIME_WAIT
[System Process]:0    TCP    10.101.100.49:3684     10.101.100.54:139      TIME_WAIT
[System Process]:0    TCP    10.101.100.49:3685     10.101.100.54:139      TIME_WAIT
[System Process]:0    TCP    10.101.100.49:3687     10.101.100.54:139      TIME_WAIT
[System Process]:0    TCP    10.101.100.49:3688     10.101.100.54:139      TIME_WAIT
[System Process]:0    TCP    10.101.100.49:3689     10.101.100.214:135     TIME_WAIT
[System Process]:0    TCP    10.101.100.49:3690     10.101.100.214:135     TIME_WAIT
[System Process]:0    TCP    10.101.100.49:3692     10.101.100.54:139      TIME_WAIT
[System Process]:0    TCP    10.101.100.49:3693     10.101.100.54:139      TIME_WAIT
[System Process]:0    TCP    10.101.100.49:3695     10.101.100.54:135      TIME_WAIT
[System Process]:0    TCP    10.101.100.49:3698     10.101.100.54:135      TIME_WAIT
[System Process]:0    TCP    10.101.100.49:3699     10.101.100.54:135      TIME_WAIT
[System Process]:0    TCP    10.101.100.49:3701     10.101.100.54:139      TIME_WAIT
[System Process]:0    TCP    10.101.100.49:3702     10.101.100.54:139      TIME_WAIT
[System Process]:0    TCP    10.101.100.49:3703     10.101.100.78:135      TIME_WAIT
[System Process]:0    TCP    10.101.100.49:3705     10.101.100.54:139      TIME_WAIT
[System Process]:0    TCP    10.101.100.49:3706     10.101.100.54:139      TIME_WAIT
[System Process]:0    TCP    10.101.100.49:3707     10.101.100.78:445      TIME_WAIT
[System Process]:0    TCP    10.101.100.49:3710     10.101.100.54:139      TIME_WAIT
[System Process]:0    TCP    10.101.100.49:3711     10.101.100.54:139      TIME_WAIT
[System Process]:0    TCP    10.101.100.49:3712     10.101.101.186:135     TIME_WAIT
[System Process]:0    TCP    10.101.100.49:3713     10.101.101.186:135     TIME_WAIT
[System Process]:0    TCP    10.101.100.49:3715     10.101.100.54:139      TIME_WAIT
[System Process]:0    TCP    10.101.100.49:3716     10.101.100.54:139      TIME_WAIT
[System Process]:0    TCP    10.101.100.49:3718     10.101.100.54:139      TIME_WAIT
[System Process]:0    TCP    10.101.100.49:3719     10.101.100.54:139      TIME_WAIT
[System Process]:0    TCP    10.101.100.49:3720     10.101.100.214:135     TIME_WAIT
[System Process]:0    TCP    10.101.100.49:3721     10.101.100.214:135     TIME_WAIT
[System Process]:0    TCP    10.101.100.49:3723     10.101.100.54:139      TIME_WAIT
[System Process]:0    TCP    10.101.100.49:3724     10.101.100.54:139      TIME_WAIT
[System Process]:0    TCP    10.101.100.49:3725     10.101.100.54:135      TIME_WAIT
[System Process]:0    TCP    10.101.100.49:3726     10.101.100.54:135      TIME_WAIT
[System Process]:0    TCP    10.101.100.49:3729     10.101.100.54:135      TIME_WAIT
[System Process]:0    TCP    10.101.100.49:3730     10.101.100.54:135      TIME_WAIT
[System Process]:0    TCP    10.101.100.49:3732     10.101.100.54:139      TIME_WAIT
[System Process]:0    TCP    10.101.100.49:3733     10.101.100.54:139      TIME_WAIT
[System Process]:0    TCP    10.101.100.49:3734     10.101.100.78:135      TIME_WAIT
[System Process]:0    TCP    10.101.100.49:3736     10.101.100.54:139      TIME_WAIT
[System Process]:0    TCP    10.101.100.49:3737     10.101.100.54:139      TIME_WAIT
[System Process]:0    TCP    10.101.100.49:3739     10.101.100.78:139      TIME_WAIT
[System Process]:0    TCP    10.101.100.49:3742     10.101.100.54:139      TIME_WAIT
[System Process]:0    TCP    10.101.100.49:3743     10.101.100.54:139      TIME_WAIT
[System Process]:0    TCP    10.101.100.49:3744     10.101.101.186:135     TIME_WAIT
[System Process]:0    TCP    10.101.100.49:3747     10.101.100.54:139      TIME_WAIT
[System Process]:0    TCP    10.101.100.49:3748     10.101.100.54:139      TIME_WAIT
[System Process]:0    TCP    10.101.100.49:3750     10.101.100.54:139      TIME_WAIT
[System Process]:0    TCP    10.101.100.49:3751     10.101.100.54:139      TIME_WAIT
[System Process]:0    TCP    10.101.100.49:3752     10.101.100.214:135     TIME_WAIT
[System Process]:0    TCP    10.101.100.49:3755     10.101.100.54:139      TIME_WAIT
[System Process]:0    TCP    10.101.100.49:3758     10.101.100.54:135      TIME_WAIT
[System Process]:0    TCP    10.101.100.49:3761     10.101.100.54:135      TIME_WAIT
[System Process]:0    TCP    10.101.100.49:3756     10.101.100.54:139      TIME_WAIT
[System Process]:0    TCP    10.101.100.49:3764     10.101.100.54:139      TIME_WAIT
[System Process]:0    TCP    10.101.100.49:3740     10.101.100.78:139      TIME_WAIT
[System Process]:0    TCP    10.101.100.49:3765     10.101.100.54:139      TIME_WAIT
alg.exe:216           TCP    127.0.0.1:1026         0.0.0.0:0              LISTENING
EXPLORER.EXE:220      UDP    127.0.0.1:3575         *:*
javaw.exe:1572        TCP    0.0.0.0:5225           0.0.0.0:0              LISTENING
javaw.exe:1572        TCP    0.0.0.0:5226           0.0.0.0:0              LISTENING
javaw.exe:1572        TCP    0.0.0.0:8008           0.0.0.0:0              LISTENING
javaw.exe:1572        TCP    127.0.0.1:8005         0.0.0.0:0              LISTENING
javaw.exe:1572        TCP    127.0.0.1:5226         127.0.0.1:1104         ESTABLISHED
javaw.exe:1572        TCP    127.0.0.1:1105         127.0.0.1:5225         CLOSE_WAIT
kavsvc.exe:1512       TCP    0.0.0.0:1099           0.0.0.0:0              LISTENING
LSASS.EXE:732         UDP    0.0.0.0:500            *:*
LSASS.EXE:732         UDP    0.0.0.0:4500           *:*
msnmsgr.exe:1560      TCP    10.101.100.49:2818     207.46.0.100:1863      ESTABLISHED
msnmsgr.exe:1560      UDP    0.0.0.0:4988           *:*
msnmsgr.exe:1560      UDP    10.101.100.49:45284    *:*
msnmsgr.exe:1560      UDP    10.101.100.49:9        *:*
msnmsgr.exe:1560      UDP    127.0.0.1:2952         *:*
MyIE.exe:2996         TCP    10.101.100.49:3573     61.132.72.41:80        ESTABLISHED
MyIE.exe:2996         TCP    10.101.100.49:3524     61.155.107.20:80       CLOSE_WAIT
MyIE.exe:2996         TCP    10.101.100.49:3542     61.155.107.20:80       CLOSE_WAIT
MyIE.exe:2996         UDP    127.0.0.1:1280         *:*
MyIE.exe:2996         UDP    127.0.0.1:2132         *:*
OUTLOOK.EXE:2264      TCP    10.101.100.49:1032     172.16.18.33:1025      ESTABLISHED
OUTLOOK.EXE:2264      TCP    10.101.100.49:1035     172.16.18.36:10073     ESTABLISHED
OUTLOOK.EXE:2264      UDP    0.0.0.0:1033           *:*
StatusClient.exe:1024 TCP    127.0.0.1:1104         127.0.0.1:5226         ESTABLISHED
SVCHOST.EXE:1056      UDP    10.101.100.49:123      *:*
SVCHOST.EXE:1056      UDP    127.0.0.1:123          *:*
SVCHOST.EXE:1144      UDP    0.0.0.0:3446           *:*
SVCHOST.EXE:1144      UDP    0.0.0.0:2044           *:*
SVCHOST.EXE:1144      UDP    0.0.0.0:1025           *:*
SVCHOST.EXE:952       TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
SVCHOST.EXE:952       TCP    10.101.100.49:3745     10.101.101.186:135     ESTABLISHED
SVCHOST.EXE:952       TCP    10.101.100.49:3753     10.101.100.214:135     ESTABLISHED
SVCHOST.EXE:952       TCP    10.101.100.49:3762     10.101.100.54:135      ESTABLISHED
SVCHOST.EXE:952       TCP    10.101.100.49:3766     10.101.100.78:135      ESTABLISHED
System:4              TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
System:4              TCP    10.101.100.49:139      0.0.0.0:0              LISTENING
System:4              UDP    0.0.0.0:445            *:*
System:4              UDP    10.101.100.49:137      *:*
System:4              UDP    10.101.100.49:138      *:*

And here is a screenshot of the Idle process's TCP connections.
Because it is process 0, it looks idle in Task Manager.

Attachment: screenshot (image/pjpeg), uploaded 2006-1-4 11:43:43, 423 downloads



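A worked check for the PID 0 question in the posts above, added here as an example; it is not code from the original thread or from TCPView. TCPView lists a TCP endpoint under [System Process] (PID 0) when no process holds a handle to it any more, and a socket in TIME_WAIT is exactly that: the owning process has already closed it and the TCP stack keeps the endpoint on its own until the 2*MSL timer expires. So the PID 0 rows cannot be attributed by themselves; the live ESTABLISHED rows to the same peers (in the listing above, SVCHOST.EXE:952 to port 135 on the same four hosts) are what to chase. The script parses TCPView's text export (assumed to be one row per line with Process:PID, Proto, Local, Remote, State separated by tabs or spaces), groups outbound connections to 135/139/445 by process and distinct peer, and maps each orphaned PID 0 entry to whichever live process still has a socket to the same remote host:port. That mapping is a heuristic, not proof of ownership. The sample rows are constructed from values in the thread's own listing.

```python
"""Attribute TCPView rows to their real owners and spot 135/139/445 fan-out.

Added example for the thread above; not code from the original post or from
TCPView. Assumes TCPView's text export is one row per line with the columns
Process:PID, Proto, Local, Remote, State separated by tabs or spaces.
"""
import re
import sys
from collections import defaultdict
from typing import NamedTuple, Optional

# Constructed sample built from values in the thread's listing (assumption:
# tab-separated export; the real tool's save format may differ slightly).
SAMPLE = """\
[System Process]:0\tTCP\t10.101.100.49:3650\t10.101.101.186:135\tTIME_WAIT
[System Process]:0\tTCP\t10.101.100.49:3674\t10.101.100.54:139\tTIME_WAIT
[System Process]:0\tTCP\t10.101.100.49:3676\t10.101.100.78:445\tTIME_WAIT
[System Process]:0\tTCP\t10.101.100.49:3689\t10.101.100.214:135\tTIME_WAIT
[System Process]:0\tTCP\t10.101.100.49:3695\t10.101.100.54:135\tTIME_WAIT
SVCHOST.EXE:952\tTCP\t0.0.0.0:135\t0.0.0.0:0\tLISTENING
SVCHOST.EXE:952\tTCP\t10.101.100.49:3745\t10.101.101.186:135\tESTABLISHED
SVCHOST.EXE:952\tTCP\t10.101.100.49:3762\t10.101.100.54:135\tESTABLISHED
System:4\tTCP\t0.0.0.0:445\t0.0.0.0:0\tLISTENING
msnmsgr.exe:1560\tTCP\t10.101.100.49:2818\t207.46.0.100:1863\tESTABLISHED
msnmsgr.exe:1560\tUDP\t10.101.100.49:45284\t*:*
MyIE.exe:2996\tTCP\t10.101.100.49:3573\t61.132.72.41:80\tESTABLISHED
"""

# Process names may contain spaces ("[System Process]"), so the name is
# matched lazily up to the ":<pid>" that precedes the protocol column.
LINE_RE = re.compile(
    r"^(?P<proc>.+?):(?P<pid>\d+)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<laddr>\S+):(?P<lport>\d+)\s+"
    r"(?P<raddr>\S+):(?P<rport>\d+|\*)"
    r"(?:\s+(?P<state>[A-Z_]+))?\s*$"
)

# RPC endpoint mapper, NetBIOS session service and SMB: the ports that XP-era
# worms and lateral-movement tooling touch on every LAN neighbour.
LATERAL_PORTS = {135, 139, 445}


class Conn(NamedTuple):
    proc: str
    pid: int
    proto: str
    laddr: str
    lport: int
    raddr: str
    rport: Optional[int]   # None for UDP's "*:*"
    state: str             # "" for UDP rows, which carry no state


def parse_tcpview(text: str) -> list[Conn]:
    """Parse exported rows; fail loudly on a row that does not fit rather than
    silently dropping it, so a garbled export is noticed."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.lower().startswith("process"):  # blank or header
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised TCPView row: {line!r}")
        rport = None if m["rport"] == "*" else int(m["rport"])
        rows.append(Conn(m["proc"], int(m["pid"]), m["proto"], m["laddr"],
                         int(m["lport"]), m["raddr"], rport, m["state"] or ""))
    return rows


def lateral_fanout(conns: list[Conn], min_hosts: int = 2) -> dict:
    """Outbound TCP sockets to 135/139/445 grouped by the process TCPView shows
    as owner, with the distinct peers each reached. PID 0 appears here only
    because TIME_WAIT endpoints have no owner any more; rows under a real PID
    in ESTABLISHED/SYN_SENT are the ones worth chasing."""
    peers = defaultdict(set)
    for c in conns:
        if (c.proto == "TCP" and c.rport in LATERAL_PORTS
                and c.state in ("SYN_SENT", "ESTABLISHED", "TIME_WAIT")):
            peers[(c.proc, c.pid)].add(c.raddr)
    return {k: sorted(v) for k, v in peers.items() if len(v) >= min_hosts}


def attribute_orphans(conns: list[Conn]) -> dict:
    """Map each PID 0 TIME_WAIT endpoint (keyed by local addr:port) to the live
    processes holding an ESTABLISHED socket to the same remote host:port.
    Heuristic only: a process still talking to that peer on that port is the
    likely creator of the closed connections; an empty list means no live
    socket gives a hint and the peer host needs a look from its side."""
    live = defaultdict(set)
    for c in conns:
        if c.pid != 0 and c.proto == "TCP" and c.state == "ESTABLISHED":
            live[(c.raddr, c.rport)].add(f"{c.proc}:{c.pid}")
    return {(c.laddr, c.lport): sorted(live.get((c.raddr, c.rport), ()))
            for c in conns if c.pid == 0 and c.state == "TIME_WAIT"}


def main(argv: list[str]) -> None:
    text = SAMPLE
    if len(argv) > 1:  # a saved TCPView export; falls back to the sample
        with open(argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    conns = parse_tcpview(text)
    print("Processes reaching 135/139/445 on two or more peers:")
    for (proc, pid), hosts in sorted(lateral_fanout(conns).items()):
        print(f"  {proc}:{pid} -> {', '.join(hosts)}")
    print("PID 0 TIME_WAIT endpoints and the live owner of a socket to the same peer:")
    for (laddr, lport), owners in sorted(attribute_orphans(conns).items()):
        print(f"  {laddr}:{lport} -> {', '.join(owners) or '(no live socket to this peer)'}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it against a saved TCPView listing with `python tcpview_check.py tcpview.txt`, or with no argument to see it on the constructed sample. The fan-out grouping is the part that matters when a whole LAN starts complaining: one process touching several neighbours on 135/139/445 in quick succession is the pattern to explain, whichever PID TCPView happens to print for the closed sockets.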

This machine has Kaspersky installed, and Kaspersky did not react at all. Another machine running Rising Network Edition (updated every day) raised no alarm either. We only learned there was a virus because other machines were being attacked.

There is nothing wrong in the log.

So what do I do next? Judging from TCPView and the process list, there is definitely a trojan.