最近我的互联网速度急剧下降。我下载了一个工具来查看 Vista 计算机上的 TCP/IP 连接。我发现很多 TCP/IP 连接通过 SVCHost 连接到 212.192.255.240。它似乎正在尝试连接到不同的端口。
我认为我的电脑感染了某种恶意软件,但我不知道如何摆脱它。我对这个 IP 做了一些研究,但没有发现任何线索。
非常感谢您的任何建议。
更新:
这是 HiJackThis 日志文件 - 我没有发现任何奇怪的东西。我发现该程序还试图与位于俄罗斯的 91.205.127.63 建立连接。
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 18:20:54 PM, on 4/29/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18882)
Boot mode: Normal
Running processes:
C:\Windows\SYSTEM32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\SYSTEM32\Taskmgr.exe
C:\Windows\explorer.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Software602\Print2PDF\Print2PDF.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\VertrigoServ\Vertrigo.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\X-NetStat Professional\xns5.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HP\Digital Imaging\smart web printing\hpswp_clipbook.exe
C:\Windows\system32\cmd.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.0.0.30:8118
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
F2 - REG:system.ini: Shell=explorer.exe rundll32.exe
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RoboForm BHO - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.36.0\gears.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe -s
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Print2PDF Print Monitor] "C:\Program Files\Software602\Print2PDF\Print2PDF.exe" /server
O4 - HKLM\..\Run: [VertrigoServ] "C:\Program Files\VertrigoServ\Vertrigo.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [Google Quick Search Box] "C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe" /autorun
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [CCProxy] C:\CCProxy\CCProxy.exe
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [FileHippo.com] "C:\Program Files\filehippo.com\UpdateChecker.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: AutorunsDisabled
O4 - Startup: Locate32 Autorun.lnk = C:\Program Files\Locate\Locate32.exe
O4 - Startup: OneNote Table Of Contents.onetoc2
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office14\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: S&end to OneNote - res://C:\PROGRA~1\MICROS~3\Office14\ONBttnIE.dll/105
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.36.0\gears.dll
O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.36.0\gears.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Print2PDF - {5B7027AD-AA6D-40df-8F56-9560F277D2A5} - C:\Program Files\Software602\Print2PDF\Print602.dll
O9 - Extra 'Tools' menuitem: Print2PDF - {5B7027AD-AA6D-40df-8F56-9560F277D2A5} - C:\Program Files\Software602\Print2PDF\Print602.dll
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: Show or hide HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{A80AB385-7767-4B5C-AF97-DBD65B29D8D1}: NameServer = 218.248.255.146 218.248.255.212
O17 - HKLM\System\CCS\Services\Tcpip\..\{D10402C1-9CDE-4582-A6B7-6C0D33B0E7BC}: NameServer = 218.248.255.146,218.248.255.212
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CCProxy - Youngzsoft - C:\CCProxy\CCProxy.exe
O23 - Service: Google Update Service (gupdate1c9c328490dac0) (gupdate1c9c328490dac0) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Distributed Transaction Coordinator MSDTCwercplsupport (MSDTCwercplsupport) - Unknown owner - C:\Windows\system32\acluiz.exe
O23 - Service: Realtek Audio Service (RtkAudioService) - Realtek Semiconductor - C:\Windows\RtkAudioService.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: SuperProServer - Unknown owner - C:\Windows\spnsrvnt.exe (file missing)
O23 - Service: Vertrigo_Apache - Apache Software Foundation - C:\Program Files\VertrigoServ\apache\bin\v_apache.exe
O23 - Service: Vertrigo_MySQL - Unknown owner - C:\Program Files\VertrigoServ\mysql\bin\v_mysqld.exe
--
End of file - 10965 bytes
答案1
当我发现无法识别的连接时,我做的第一件事就是追踪它们。
PS C:\Users\self> tracert 212.192.255.240
Tracing route to 212.192.255.240 over a maximum of 30 hops
1 10 ms 10 ms 12 ms ... (omitted)
2 8 ms 8 ms 8 ms 110.ge-0-0-0.cr1.wdc1.speakeasy.net [69.17.83.57]
3 8 ms 8 ms 7 ms if-6-0-3-143.core4.AEQ-Ashburn.as6453.net [216.6.42.17]
4 106 ms 106 ms 106 ms if-5-0-0-908.core1.FR1-Frankfurt.as6453.net [216.6.42.74]
5 105 ms 105 ms 106 ms if-9-0-0.core1.FV0-Frankfurt.as6453.net [195.219.69.53]
6 135 ms 135 ms 135 ms if-7-0-0.core1.STK-Stockholm.as6453.net [195.219.131.45]
7 135 ms 138 ms 135 ms ix-4-0-1.core1.STK-Stockholm.as6453.net [195.219.131.22]
8 150 ms 151 ms 150 ms tug-1-gw.sth.runnet.ru [194.85.40.173]
9 153 ms 152 ms 153 ms bm18-1-gw.spb.runnet.ru [194.85.40.141]
10 152 ms 152 ms 152 ms tv11-1-gw.msk.runnet.ru [194.85.40.137]
11 151 ms 152 ms 151 ms m9-2-gw.msk.runnet.ru [194.85.40.53]
12 151 ms 151 ms 151 ms msu.msk.runnet.ru [194.190.255.234]
13 150 ms 150 ms 151 ms 193.232.127.12
14 152 ms 152 ms 152 ms 193.232.127.253
15 153 ms 153 ms 151 ms 212.192.255.240
Trace complete.
如您所见,该主机位于俄罗斯,因此,除非您在俄罗斯有合法业务,否则它很可能就是恶意软件,正如您所怀疑的那样。
此外劫持,这是 Jon Cage 推荐的,我也建议进程探索器。特别是当被劫持的进程由 svchost.exe 托管时,Process Explorer 将帮助您确定哪些服务特定地托管了恶意软件。
如果您发现反恶意软件程序无法识别或删除恶意软件,则您可能拥有一个复杂的 root 工具包,需要更高级的分析。考虑使用Rootkit 揭露工具找到代码,并(小心地)尝试将其删除。
如果以上方法都无法解决问题,我会自己购买一块新硬盘,在新硬盘上重新安装操作系统,安装反恶意软件,然后将数据文件(有选择地)从原始硬盘移动到新系统,确保事先对其进行扫描。我知道这很复杂而且繁琐,但这可能是删除复杂恶意软件的唯一可靠有效的方法。
答案2
假设防病毒/反恶意软件无法解决您的问题(这应该是您的第一道防线)
!! SVCHOST(至少在我的计算机上)以 SYSTEM、NETWORK SERVICE 或 LOCAL SERVICE 用户身份运行 - 如果它以普通用户身份运行,我认为可以安全地终止它 - 但请记住,您所做的一切都是您自己的责任 :) 以防万一,请准备好 Vista CD :P !!
- 尝试终止正在尝试连接该 IP 的进程。
- 删除计算机上的所有自动启动项 - 最好的工具是Sysinternals 的自动运行
如果程序在终止后立即重新启动 - 你在某处有另一个进程在监视它 - 找到它进程探索器在这里提供帮助。
此时您有 2 个选项(因为您不能同时终止 2 个进程):1. 尝试在安全模式下删除两个进程文件 2. 使用这文章作为指南。
答案3
我发现基于 Linux 的Avira 救援 CD有助于消除大多数感染(尽管它无法消除我见过的一种 Conficker 感染)。
答案4
您的 HijackThis 日志中有一些我不熟悉的内容 - 您安装了 CCProxy 和 SuperProServer 吗?如果您没有管理 CCProxy,那么对手很容易利用它从您的主机反弹流量。
另外,F2 行对我来说很可疑。我不确定它的来源,所以我无法提供任何可靠的建议,但它调用 rundll 的事实表明它可能正在运行任何东西。
另外,您的 DNS 服务器似乎位于印度。这些是您的 ISP 分配的吗?我也会调查这一点。