zhousam - 2006-5-15 13:16:00
今天用雅虎助手扫描进程，发现有两个木马，位置在 X:\windows\system32\rundill32.exe。再用卡卡扫描到的进程列表如下，希望高手给予分析，谢谢！
Logfile of Kaka v2.0.0.8 Scan Module v2.0.0.1
Scan saved at 12:52:15, on 2006-05-15
Platform: Microsoft Windows XP Professional (Build 2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000 (xpclient.010817-1148))
Running processes:
[SMSS.EXE]
CommandLine =
[CSRSS.EXE]
CommandLine = D:\WINDOWS\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16
[WINLOGON.EXE]
CommandLine = winlogon.exe
[SERVICES.EXE]
CommandLine = D:\WINDOWS\system32\services.exe
[LSASS.EXE]
CommandLine = D:\WINDOWS\system32\lsass.exe
[SVCHOST.EXE]
CommandLine = D:\WINDOWS\system32\svchost -k rpcss
[CCenter.exe]
CommandLine = "D:\Program Files\Rising\Rav\CCenter.exe"
[SVCHOST.EXE]
CommandLine = D:\WINDOWS\System32\svchost.exe -k netsvcs
[SVCHOST.EXE]
CommandLine = D:\WINDOWS\System32\svchost.exe -k NetworkService
[SVCHOST.EXE]
CommandLine = D:\WINDOWS\System32\svchost.exe -k LocalService
[RavMonD.exe]
CommandLine = "D:\Program Files\Rising\Rav\Ravmond.exe"
[RFWSRV.EXE]
CommandLine = "d:\program files\rising\rfw\rfwsrv.exe"
[EXPLORER.EXE]
CommandLine = D:\WINDOWS\Explorer.EXE
[RUNDLL32.EXE]
CommandLine = Rundll32.exe D:\WINDOWS\DOWNLO~1\CnsMin.dll,Rundll32
[SPOOLSV.EXE]
CommandLine = D:\WINDOWS\system32\spoolsv.exe
[RavStub.exe]
CommandLine = "D:\Program Files\Rising\Rav\RavStub.exe" /RAVMOND
[RFWMAIN.EXE]
CommandLine = -StartUp
[LMGRD.EXE]
CommandLine = "D:\Program Files\flexnet\i486_nt\obj\lmgrd.exe"
[LMGRD.EXE]
CommandLine = "D:\Program Files\flexnet\i486_nt\obj\lmgrd.exe" -c "D:\Program Files\flexnet\licensing\license.dat" -l "D:\Program Files\flexnet\licensing\ptclmgrd.log" -z
[NVSVC32.EXE]
CommandLine = D:\WINDOWS\System32\nvsvc32.exe
[SCARDSVR.EXE]
CommandLine = D:\WINDOWS\System32\SCardSvr.exe
[SMAgent.exe]
CommandLine = "D:\Program Files\Analog Devices\SoundMAX\SMAgent.exe"
[SVCHOST.EXE]
CommandLine = D:\WINDOWS\System32\svchost.exe -k imgsvc
[WDFMGR.EXE]
CommandLine = D:\WINDOWS\System32\wdfmgr.exe
[PTC_D.EXE]
CommandLine = "D:\Program Files\flexnet\i486_nt\obj\ptc_d.exe" -T billgates 10.8 -1 -c "D:\Program Files\flexnet\licensing\license.dat" --lmgrd_start 4467bbe4 -l "D:\Program Files\flexnet\licensing\ptclmgrd.log"
[IEXPLORE.EXE]
CommandLine = "D:\Program Files\Internet Explorer\IEXPLORE.EXE"
[SMTray.exe]
CommandLine = "D:\Program Files\Analog Devices\SoundMAX\SMTray.exe"
[VM_STI.EXE]
CommandLine = "D:\WINDOWS\VM_STI.EXE" BigDogPath
[RavTask.exe]
CommandLine = "D:\PROGRAM FILES\RISING\RAV\RAVTASK.EXE" -SYSTEM
[WangWang.exe]
CommandLine = "D:\Program Files\淘宝网\淘宝旺旺\WangWang.EXE"
[RavMon.exe]
CommandLine = "D:\Program Files\Rising\Rav\Ravmon.exe" -SYSTEM
[yassistse.exe]
CommandLine = "D:\PROGRA~1\Yahoo!\Assistant\yassistse.exe"
[RUNDLL32.EXE]
CommandLine = "D:\WINDOWS\system32\rundll32.exe" D:\PROGRA~1\3721\helper.dll,Rundll32
[CTFMON.EXE]
CommandLine = "D:\WINDOWS\System32\ctfmon.exe"
[酷石英钟4.0.exe]
CommandLine = "C:\pf\酷石英钟4.0\酷石英钟4.0.exe"
[MSNMSGR.EXE]
CommandLine = "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
[IEXPLORE.EXE]
CommandLine = "D:\Program Files\Internet Explorer\iexplore.exe" -nohome
[YLIVE.EXE]
CommandLine = "D:\PROGRA~1\Yahoo!\ASSIST~1\ylive.exe"
[IEXPLORE.EXE]
CommandLine = "D:\Program Files\Internet Explorer\IEXPLORE.EXE"
[IEXPLORE.EXE]
CommandLine = "D:\Program Files\Internet Explorer\IEXPLORE.EXE"
[conime.exe]
CommandLine = D:\WINDOWS\System32\conime.exe
[IEXPLORE.EXE]
CommandLine = "D:\Program Files\Internet Explorer\iexplore.exe" -nohome "http://127.0.0.1:3451/04BCB79F6933DF47B69F862A38AA145F/"
[QQ.EXE]
CommandLine = "D:\Tencent\QQ\QQ.exe"
[TIMPlatform.exe]
CommandLine = D:\Tencent\QQ\TIMPlatform.exe -Embedding
[TM.EXE]
CommandLine = "D:\Tencent\TM\TMDlls\TM.exe" Launch_Tencent_Messenger
[IEXPLORE.EXE]
CommandLine = "D:\Program Files\Internet Explorer\IEXPLORE.EXE"
[TTraveler.exe]
CommandLine = "D:\Tencent\TT\TTraveler.exe"
[IEXPLORE.EXE]
CommandLine = "D:\Program Files\Internet Explorer\IEXPLORE.EXE"
[KkScan.exe]
CommandLine = "D:\Program Files\Rising\KakaToolBar\KkScan.exe"