【求助】急！服务器中病毒，感染了所有ASP和htm文件！高手来看看！ bbs.ikaka.com

dcyuan - 2007-6-12 11:59:00

这两天公司服务器中病毒了，估计是木马，自动向服务器里面的ASP，htm文件里写入一个<iframe>代码，连接到一个有病毒的地址，用杀毒也差不出来，请问谁知道这是什么木马?

下面是sreng2检测系统的日志文件，大家帮忙看看

Windows 2000 Server Service Pack 4 (Build 2195)
- 管理权限用户 - 完整功能

以下内容被选中：
所有的启动项目（包括注册表、启动文件夹、服务等）
浏览器加载项
正在运行的进程（包括进程模块信息）
文件关联
Winsock 提供者
Autorun.inf
HOSTS 文件

启动项目
注册表
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
<Internat.exe><internat.exe> [(Verified)Microsoft Corporation]
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<load><> [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<kis><"C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"> [Kaspersky Lab]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<shell><Explorer.exe> [(Verified)Microsoft Corporation]
<Userinit><C:\WINNT\system32\userinit.exe,> [(Verified)Microsoft Corporation]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<AppInit_DLLs><> [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\klogon]
<WinlogonNotify: klogon><C:\WINNT\system32\klogon.dll> [Kaspersky Lab]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\PCANotify]
<WinlogonNotify: PCANotify><PCANotify.dll> [Symantec Corporation]
[HKEY_CURRENT_USER\Control Panel\Desktop]
<SCRNSAVE.EXE><(无)> [N/A]

==================================
启动文件夹
[服务管理器]
<C:\Documents and Settings\All Users\「开始」菜单\程序\启动\服务管理器.lnk --> C:\PROGRA~1\MICROS~4\80\Tools\Binn\sqlmangr.exe [Microsoft Corporation]><N>

==================================
服务
[卡巴斯基互联网安全套装 6.0 / AVP][Running/Auto Start]
<C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe -r><Kaspersky Lab>
[pcAnywhere Host Service / awhost32][Running/Auto Start]
<C:\Program Files\Symantec\pcAnywhere\awhost32.exe><Symantec Corporation>
[Logical Disk Manager Administrative Service / dmadmin][Stopped/Manual Start]
<C:\WINNT\System32\dmadmin.exe /com><VERITAS Software Corp.>
[MSSQL$MSFW / MSSQL$MSFW][Running/Auto Start]
<C:\Program Files\Microsoft SQL Server\MSSQL$MSFW\Binn\sqlservr.exe -sMSFW><Microsoft Corporation>
[MSSQLServerADHelper / MSSQLServerADHelper][Stopped/Manual Start]
<C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe><Microsoft Corporation>
[SQLAgent$MSFW / SQLAgent$MSFW][Stopped/Manual Start]
<C:\Program Files\Microsoft SQL Server\MSSQL$MSFW\Binn\sqlagent.EXE -i MSFW><Microsoft Corporation>

==================================
驱动程序
[atirage3 / atirage3][Running/Manual Start]
<System32\DRIVERS\atimpab.sys><ATI Technologies Inc.>
[awlegacy / awlegacy][Running/System Start]
<\SystemRoot\System32\Drivers\awlegacy.sys><Symantec Corporation>
[AW_HOST / AW_HOST][Running/System Start]
<system32\drivers\aw_host5.sys><Symantec Corporation>
[dmboot / dmboot][Stopped/Disabled]
<System32\drivers\dmboot.sys><VERITAS Software Corp.>
[Logical Disk Manager Driver / dmio][Running/Boot Start]
<\SystemRoot\System32\drivers\dmio.sys><VERITAS Software Corp.>
[dmload / dmload][Running/Boot Start]
<\SystemRoot\System32\drivers\dmload.sys><VERITAS Software Corp.>
[Intel PRO Adapter Driver / E100B][Running/Manual Start]
<System32\DRIVERS\e100bnt5.sys><Intel Corporation>
[IP Network Address Translator / IpNat][Stopped/Disabled]
</Path overridden by ISA Server - do not edit/><N/A>
[kl1 / kl1][Running/Boot Start]
<\SystemRoot\system32\drivers\kl1.sys><Kaspersky Lab>
[klif / klif][Running/System Start]
<\??\C:\WINNT\system32\drivers\klif.sys><Kaspersky Lab>
[Direct Parallel Link Driver / Ptilink][Running/Manual Start]
<System32\DRIVERS\ptilink.sys><Parallel Technologies, Inc.>
[SymEvent / SymEvent][Stopped/Manual Start]
<\??\C:\Program Files\Symantec\SYMEVENT.SYS><Symantec Corporation>
[sym_u3 / sym_u3][Running/Boot Start]
<\SystemRoot\system32\drivers\sym_u3.sys><LSI Logic>

==================================
浏览器加载项
[Web反病毒保护]
{1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} <C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll, Kaspersky Lab>
[@shdoclc.dll,-866]
{c95fe080-8f5d-11d2-a20b-00aa003c157a} <, N/A>
[电台(&R)]
{8E718888-423F-11D2-876E-00A0C9082467} <C:\WINNT\system32\msdxm.ocx, Microsoft Corporation>

dcyuan - 2007-6-12 12:01:00

==================================
正在运行的进程
[PID: 196][\SystemRoot\System32\smss.exe] [Microsoft Corporation, 5.00.2195.6601]
[PID: 220][\??\C:\WINNT\system32\csrss.exe] [Microsoft Corporation, 5.00.2195.6601]
[PID: 240][\??\C:\WINNT\system32\winlogon.exe] [Microsoft Corporation, 5.00.2195.6997]
[C:\WINNT\system32\klogon.dll] [Kaspersky Lab, 6.0.0.299]
[C:\WINNT\system32\PCANotify.dll] [Symantec Corporation, 10.5.1.505]
[PID: 268][C:\WINNT\system32\services.exe] [Microsoft Corporation, 5.00.2195.7035]
[C:\WINNT\system32\dmserver.dll] [VERITAS Software Corp., 2195.6605.297.3]
[PID: 280][C:\WINNT\system32\lsass.exe] [Microsoft Corporation, 5.00.2195.7011]
[PID: 456][C:\WINNT\system32\svchost.exe] [Microsoft Corporation, 5.00.2134.1]
[PID: 492][C:\WINNT\system32\spoolsv.exe] [Microsoft Corporation, 5.00.2195.7059]
[C:\WINNT\system32\awmon.dll] [Symantec Corporation, 9.2.1]
[PID: 536][C:\Program Files\Symantec\pcAnywhere\awhost32.exe] [Symantec Corporation, 10.5.1.505]
[C:\Program Files\Symantec\pcAnywhere\Util.dll] [Symantec Corporation, 10.5.1.505]
[C:\Program Files\Symantec\pcAnywhere\InstData.dll] [Symantec Corporation, 10.5.1.505]
[C:\Program Files\Symantec\pcAnywhere\awcfgmgr.dll] [Symantec Corporation, 10.5.1.505]
[C:\Program Files\Symantec\pcAnywhere\S32PCAG.DLL] [Symantec Corporation, 15.0.0.14]
[C:\Program Files\Symantec\pcAnywhere\AWSES32.dll] [Symantec Corporation, 10.5.1.505]
[C:\Program Files\Symantec\pcAnywhere\awofrwrk.dll] [Symantec Corporation, 10.5.1.505]
[C:\Program Files\Symantec\pcAnywhere\awio.dll] [Symantec Corporation, 10.5.1.505]
[C:\Program Files\Symantec\pcAnywhere\dundata.dll] [Symantec Corporation, 10.5.1.505]
[C:\Program Files\Symantec\pcAnywhere\PowerMgr.dll] [Symantec Corporation, 10.5.1.505]
[C:\Program Files\Symantec\pcAnywhere\PCACMNDG.dll] [Symantec Corporation, 10.5.1.505]
[C:\Program Files\Symantec\pcAnywhere\awgui32.dll] [Symantec Corporation, 10.5.1.505]
[C:\Program Files\Symantec\pcAnywhere\AWDS32.dll] [Symantec Corporation, 10.5.1.505]
[C:\Program Files\Symantec\pcAnywhere\awcm32.dll] [Symantec Corporation, 10.5.1.505]
[C:\Program Files\Symantec\pcAnywhere\crypto.dll] [Symantec Corporation, 10.5.1.505]
[C:\Program Files\Symantec\pcAnywhere\awtime32.dll] [Symantec Corporation, 10.5.1.505]
[C:\Program Files\Symantec\pcAnywhere\pcaime.dll] [Symantec Corporation, 10.5.1.505]
[C:\Program Files\Symantec\pcAnywhere\AWHXPRB.dll] [Symantec Corporation, 10.5.1.505]
[C:\Program Files\Symantec\pcAnywhere\AWHPROBEDLL.dll] [Symantec Corporation, 10.5.1.505]
[C:\Program Files\Symantec\pcAnywhere\TrayIcon.dll] [Symantec Corporation, 10.5.1.505]
[C:\Program Files\Symantec\pcAnywhere\AWDSP32.dll] [Symantec Corporation, 10.5.1.505]
[C:\Program Files\Symantec\pcAnywhere\awcp.dll] [Symantec Corporation, 10.5.1.505]
[C:\Program Files\Symantec\pcAnywhere\IMPLODE.DLL] [PKWare, 1, 0, 0, 1]
[C:\Program Files\Symantec\pcAnywhere\AWHK32.dll] [Symantec Corporation, 10.5.1.505]
[C:\Program Files\Symantec\pcAnywhere\awRes-all.dll] [Symantec Corporation, 10.5.1.505]
[C:\Program Files\Common Files\Symantec Shared\ehandres.dll] [Symantec Corporation, 10.5.1.505]
[C:\Program Files\Symantec\pcAnywhere\awres-host.dll] [Symantec Corporation, 10.5.1.505]
[C:\Program Files\Symantec\pcAnywhere\AwioResources.dll] [Symantec Corporation, 10.5.1.505]
[C:\Program Files\Symantec\pcAnywhere\AWHPILOT.DLL] [Symantec Corporation, 10.5.1.505]
[C:\Program Files\Symantec\pcAnywhere\awlog32.dll] [Symantec Corporation, 10.5.1.505]
[C:\Program Files\Symantec\pcAnywhere\snmputil.dll] [Symantec Corporation, 10.5.1.505]
[C:\Program Files\Symantec\pcAnywhere\libsnmp.dll] [Symantec Corporation, 10.5.1.505]
[C:\Program Files\Symantec\pcAnywhere\AWCONN32.DLL] [Symantec Corporation, 10.5.1.505]
[C:\Program Files\Symantec\pcAnywhere\AWHLOGON.DLL] [Symantec Corporation, 10.5.1.505]
[C:\Program Files\Symantec\pcAnywhere\awhutil.dll] [Symantec Corporation, 10.5.1.505]
[C:\Program Files\Symantec\pcAnywhere\AWHSEQ.DLL] [Symantec Corporation, 10.5.1.505]
[C:\Program Files\Symantec\pcAnywhere\AW32TCP.DLL] [Symantec Corporation, 10.5.1.505]
[C:\Program Files\Symantec\pcAnywhere\awxfer.dll] [Symantec Corporation, 10.5.1.505]
[C:\Program Files\Symantec\pcAnywhere\ftstatus.dll] [Symantec Corporation, 10.5.1.505]
[C:\Program Files\Symantec\pcAnywhere\FTStatusResources.dll] [Symantec Corporation, 10.5.1.505]
[PID: 656][C:\WINNT\System32\svchost.exe] [Microsoft Corporation, 5.00.2134.1]
[PID: 704][C:\WINNT\System32\llssrv.exe] [Microsoft Corporation, 5.00.2195.7021]
[PID: 736][C:\Program Files\Microsoft SQL Server\MSSQL$MSFW\Binn\sqlservr.exe] [Microsoft Corporation, 2000.080.0818.00]
[PID: 824][C:\WINNT\system32\MSTask.exe] [Microsoft Corporation, 4.71.2195.6972]
[PID: 864][C:\WINNT\System32\svchost.exe] [Microsoft Corporation, 5.00.2134.1]
[PID: 904][C:\WINNT\System32\WBEM\WinMgmt.exe] [Microsoft Corporation, 1.50.1085.0100]
[PID: 948][C:\WINNT\system32\svchost.exe] [Microsoft Corporation, 5.00.2134.1]
[PID: 964][C:\WINNT\system32\Dfssvc.exe] [Microsoft Corporation, 5.00.2195.6664]
[PID: 992][C:\WINNT\system32\inetsrv\inetinfo.exe] [Microsoft Corporation, 5.00.0984]
[PID: 1024][C:\Program Files\Microsoft ISA Server\isastg.exe] [Microsoft (R) Corporation, 4.0]
[PID: 1104][C:\WINNT\System32\msdtc.exe] [Microsoft Corporation, 1999.9.3421.3]
[PID: 1356][C:\Program Files\Microsoft ISA Server\mspadmin.exe] [Microsoft (R) Corporation, 4.0]
[PID: 1356][C:\Program Files\Microsoft ISA Server\WSPSRV.EXE] [Microsoft (R) Corporation, 4.0]
[PID: 1460][C:\Program Files\Microsoft ISA Server\wspsrv.exe] [Microsoft (R) Corporation, 4.0]
[C:\Program Files\Microsoft ISA Server\ACECLNT.dll] [RSA Security, Inc, 5.3 [1128]]
[C:\Program Files\Microsoft ISA Server\sdmsg.dll] [RSA Security, Inc, 5.3 [1128]]
[PID: 1476][C:\Program Files\Microsoft ISA Server\W3Prefch.exe] [Microsoft (R) Corporation, 4.0]
[PID: 1476][C:\Program Files\Microsoft ISA Server\WSPSRV.EXE] [Microsoft (R) Corporation, 4.0]
[PID: 1760][C:\WINNT\system32\dllhost.exe] [Microsoft Corporation, 5.00.2195.6692]
[C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scr_ch_pg.dll] [Kaspersky Lab, 1.0.6.299]
[C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\klscav.dll] [Kaspersky Lab, 6.0.0.299]
[PID: 1984][C:\WINNT\system32\dllhost.exe] [Microsoft Corporation, 5.00.2195.6692]
[PID: 2224][C:\WINNT\Explorer.EXE] [Microsoft Corporation, 5.00.3700.6690]
[C:\Program Files\Symantec\pcAnywhere\AWHK32.dll] [Symantec Corporation, 10.5.1.505]
[PID: 2332][C:\WINNT\system32\internat.exe] [Microsoft Corporation, 5.00.2920.0000]
[PID: 2364][C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe] [Microsoft Corporation, 2000.080.0760.00]
[PID: 1868][C:\WINNT\system32\mmc.exe] [Microsoft Corporation, 5.00.2195.6601]
[PID: 2056][D:\soft\sreng2\sreng2\SREng.EXE] [Smallfrogs Studio, 2.3.13.690]
[C:\Program Files\Symantec\pcAnywhere\AWHK32.dll] [Symantec Corporation, 10.5.1.505]

==================================
文件关联
.TXT OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.EXE OK. ["%1" %*]
.COM OK. ["%1" %*]
.PIF OK. ["%1" %*]
.REG OK. [regedit.exe "%1"]
.BAT OK. ["%1" %*]
.SCR OK. ["%1" /S]
.CHM OK. ["C:\WINNT\hh.exe" %1]
.HLP OK. [%SystemRoot%\System32\winhlp32.exe %1]
.INI OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.INF OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.VBS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.JS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.LNK OK. [{00021401-0000-0000-C000-000000000046}]

==================================
Winsock 提供者
N/A

==================================
Autorun.inf
N/A

==================================
HOSTS 文件
127.0.0.1 localhost

==================================
API HOOK
警告！System Repair Engineer 提醒
你下面的函数内容与预期值不符，他
们可能被一些恶意的软件所修改：
RVA 错误： LoadLibraryA
RVA 错误： LoadLibraryExA
RVA 错误： LoadLibraryExW
RVA 错误： LoadLibraryW

瑞星卡卡安全论坛