那些遇到过的问题

到 212.192.255.240 的连接太多

Cas*_*tor 0 connection malware tcpip

最近我的互联网急剧变慢。我下载了一个工具来查看我的 Vista 计算机上的 TCP/IP 连接。我发现很多 TCP/IP 连接是通过 SVCHost 建立到 212.192.255.240 的。似乎它正在尝试连接到不同的端口。

我认为我的计算机感染了某种恶意软件,但我不确定如何摆脱它。我对这个 IP 做了一些研究,但一无所获。

任何建议都非常感谢。

更新:
这是 HiJackThis 日志文件 - 我找不到任何奇怪的东西。我发现该程序还试图与俄罗斯的 91.205.127.63 建立连接。

    Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 18:20:54 PM, on 4/29/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18882)
Boot mode: Normal

Running processes:
C:\Windows\SYSTEM32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\SYSTEM32\Taskmgr.exe
C:\Windows\explorer.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Software602\Print2PDF\Print2PDF.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\VertrigoServ\Vertrigo.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\X-NetStat Professional\xns5.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HP\Digital Imaging\smart web printing\hpswp_clipbook.exe
C:\Windows\system32\cmd.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.0.0.30:8118
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
F2 - REG:system.ini: Shell=explorer.exe rundll32.exe
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RoboForm BHO - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.36.0\gears.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe -s
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Print2PDF Print Monitor] "C:\Program Files\Software602\Print2PDF\Print2PDF.exe" /server
O4 - HKLM\..\Run: [VertrigoServ] "C:\Program Files\VertrigoServ\Vertrigo.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [Google Quick Search Box] "C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe"  /autorun
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [CCProxy] C:\CCProxy\CCProxy.exe
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [FileHippo.com] "C:\Program Files\filehippo.com\UpdateChecker.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: AutorunsDisabled
O4 - Startup: Locate32 Autorun.lnk = C:\Program Files\Locate\Locate32.exe
O4 - Startup: OneNote Table Of Contents.onetoc2
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office14\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: S&end to OneNote - res://C:\PROGRA~1\MICROS~3\Office14\ONBttnIE.dll/105
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.36.0\gears.dll
O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.36.0\gears.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Print2PDF - {5B7027AD-AA6D-40df-8F56-9560F277D2A5} - C:\Program Files\Software602\Print2PDF\Print602.dll
O9 - Extra 'Tools' menuitem: Print2PDF - {5B7027AD-AA6D-40df-8F56-9560F277D2A5} - C:\Program Files\Software602\Print2PDF\Print602.dll
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: Show or hide HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{A80AB385-7767-4B5C-AF97-DBD65B29D8D1}: NameServer = 218.248.255.146 218.248.255.212
O17 - HKLM\System\CCS\Services\Tcpip\..\{D10402C1-9CDE-4582-A6B7-6C0D33B0E7BC}: NameServer = 218.248.255.146,218.248.255.212
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CCProxy - Youngzsoft - C:\CCProxy\CCProxy.exe
O23 - Service: Google Update Service (gupdate1c9c328490dac0) (gupdate1c9c328490dac0) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Distributed Transaction Coordinator MSDTCwercplsupport (MSDTCwercplsupport) - Unknown owner - C:\Windows\system32\acluiz.exe
O23 - Service: Realtek Audio Service (RtkAudioService) - Realtek Semiconductor - C:\Windows\RtkAudioService.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: SuperProServer - Unknown owner - C:\Windows\spnsrvnt.exe (file missing)
O23 - Service: Vertrigo_Apache - Apache Software Foundation - C:\Program Files\VertrigoServ\apache\bin\v_apache.exe
O23 - Service: Vertrigo_MySQL - Unknown owner - C:\Program Files\VertrigoServ\mysql\bin\v_mysqld.exe

--
End of file - 10965 bytes
Run Code Online (Sandbox Code Playgroud)

Jas*_*mbs 5

当我发现我不认识的联系时,我做的第一件事就是追踪它们。

PS C:\Users\self> tracert 212.192.255.240

Tracing route to 212.192.255.240 over a maximum of 30 hops

  1    10 ms    10 ms    12 ms  ... (omitted)
  2     8 ms     8 ms     8 ms  110.ge-0-0-0.cr1.wdc1.speakeasy.net [69.17.83.57]
  3     8 ms     8 ms     7 ms  if-6-0-3-143.core4.AEQ-Ashburn.as6453.net [216.6.42.17]
  4   106 ms   106 ms   106 ms  if-5-0-0-908.core1.FR1-Frankfurt.as6453.net [216.6.42.74]
  5   105 ms   105 ms   106 ms  if-9-0-0.core1.FV0-Frankfurt.as6453.net [195.219.69.53]
  6   135 ms   135 ms   135 ms  if-7-0-0.core1.STK-Stockholm.as6453.net [195.219.131.45]
  7   135 ms   138 ms   135 ms  ix-4-0-1.core1.STK-Stockholm.as6453.net [195.219.131.22]
  8   150 ms   151 ms   150 ms  tug-1-gw.sth.runnet.ru [194.85.40.173]
  9   153 ms   152 ms   153 ms  bm18-1-gw.spb.runnet.ru [194.85.40.141]
 10   152 ms   152 ms   152 ms  tv11-1-gw.msk.runnet.ru [194.85.40.137]
 11   151 ms   152 ms   151 ms  m9-2-gw.msk.runnet.ru [194.85.40.53]
 12   151 ms   151 ms   151 ms  msu.msk.runnet.ru [194.190.255.234]
 13   150 ms   150 ms   151 ms  193.232.127.12
 14   152 ms   152 ms   152 ms  193.232.127.253
 15   153 ms   153 ms   151 ms  212.192.255.240

Trace complete.
Run Code Online (Sandbox Code Playgroud)

如您所见,该主机在俄罗斯,因此除非您在俄罗斯有合法业务,否则正如您所怀疑的那样,它可能是恶意软件。

除了Jon Cage 推荐的Hijack this之外,我还推荐Process Explorer。特别是当被劫持的进程由 svchost.exe 托管时,进程资源管理器将帮助您确定哪些服务特别托管了恶意软件。

如果您发现反恶意软件程序无法识别或删除恶意软件,则您可能拥有需要更高级分析的复杂根工具包。考虑使用Rootkit Revealer查找代码,并(谨慎)尝试删除它。

如果这些都不能解决问题,我自己的做法就是买一块新硬盘,在新硬盘上从头重新安装操作系统,安装反恶意软件,然后移动数据文件(有选择地) ) 从原始硬盘驱动器到新系统,确保事先对其进行扫描。我意识到这既复杂又乏味,但可能是删除复杂恶意软件的唯一可靠有效的方法。

归档时间:

查看次数:

911 次

最近记录:

13 年,9 月 前
相关归档
如何更改 Chrome 中的默认网站连接超时? 72
如何阻止程序访问 Internet? 68
如何生成UDP数据包 25
如何在 Mac OS X 中查看哪些进程打开了 TCP/IP 端口? 24
恶意软件或奇怪的 Windows 服务行为? 10
什么可以防止未经请求的互联网数据包耗尽我的每月数据限制? 9
如何在不设置 SO_REUSEPORT 的情况下使 nc 监听端口 6
如何开始使用 TCP/IP v6? 4
如何在没有互联网的情况下测试 LAN 电缆/连接 2
为什么 rootkit 只攻击 32 位系统? -1
难疑归档
Windows A: 和 B: 驱动器的用途是什么? 989
为什么 ping 192.168.072(只有 2 个点)会返回来自 192.168.0.58 的响应? 381
我怎样才能让 chown 递归工作? 357
如何在 Tmux 中交换两个窗格? 297
阻止 MS Word 选择比我想要的更多 235
.vimrc 文件在 Windows 7 上应该放在什么位置? 192
删除 Google Chrome 中的自动完成字段条目 175
在 Windows 中合并/合并 PDF 文件? 154
“mkdir -p”中的 -p 标志有什么作用? 121
Windows 7 64 位上 Notepad++ 的 ShellExecute 失败 (2) 错误 100