Вирус на Сервере.Windows 2008 Standart Edition R2

[DenisB]

Логи AVZ прикрепил, Вирус создает очень большой исходящий трафик на разные IP.

Забивает весь полезный HTTP трафик. Бьюсь с ним уже недели две.virusinfo_syscure.zipvirusinfo_syscheck.ziphijackthis.log

[Info_bot]

Уважаемый(ая) DenisB, спасибо за обращение на наш форум!

Помощь при заражении комьютера на VirusInfo.Info оказывается абсолютно бесплатно. Хелперы, в самое ближайшее время, ответят на Ваш запрос. Для оказания помощи необходимо предоставить логи сканирования утилитами АВЗ и HiJackThis, подробнее можно прочитать в правилах оформления запроса о помощи.

Если наш сайт окажется полезен Вам и у Вас будет такая возможность - пожалуйста поддержите проект.

[Vvvyg]

С помощью KWF, Tcpview отследили, какие именно процессы потребляют много трафика с/на каие узлы, ip он уходит? Если через KWF в интернет выходят другие компьютеры, проблема может быть на них.

[DenisB]

Добрый день Vvvyg! Смотрю логи KWF. Все компы выключены. С Сервера идут соединения по портам с номерами от 50000 или 6000. лог прикрепил погляди.
23/Dec/2013 01:35:14] [ID] 4662 [Rule] Firewall traffic [Service] HTTP [Connection] TCP SERVER.dalx.local (82.162.62.40):61267 -> favicon.yandex.net (213.180.204.36):80 [Duration] 124 sec [Bytes] 646/731/1377 [Packets] 6/6/12
[23/Dec/2013 01:35:23] [ID] 4660 [Rule] Firewall traffic [Service] HTTP [Connection] TCP SERVER.dalx.local (82.162.62.40):61265 -> bs.yandex.ru (213.180.204.90):80 [Duration] 134 sec [Bytes] 224/132/356 [Packets] 5/3/8
[23/Dec/2013 01:35:23] [ID] 4656 [Rule] Firewall traffic [Service] HTTP [Connection] TCP SERVER.dalx.local (82.162.62.40):61257 -> bs.yandex.ru (213.180.204.90):80 [Duration] 134 sec [Bytes] 5578/26537/32115 [Packets] 18/28/46
[23/Dec/2013 01:35:27] [ID] 4676 [Rule] Firewall traffic [Service] HTTP [Connection] TCP SERVER.dalx.local (82.162.62.40):61292 -> virusinfo.info (88.198.66.84):80 [Duration] 121 sec [Bytes] 1046/895/1941 [Packets] 5/6/11
[23/Dec/2013 01:35:27] [ID] 4670 [Rule] Firewall traffic [Service] HTTP [Connection] TCP SERVER.dalx.local (82.162.62.40):61290 -> virusinfo.info (88.198.66.84):80 [Duration] 122 sec [Bytes] 1451/24459/25910 [Packets] 14/24/38
[23/Dec/2013 01:35:28] [ID] 4689 [Rule] Firewall traffic [Service] HTTP [Connection] TCP SERVER.dalx.local (82.162.62.40):61312 -> host05.rax.ru (88.212.196.105):80 [Duration] 121 sec [Bytes] 754/565/1319 [Packets] 5/5/10
[23/Dec/2013 01:35:38] [ID] 4687 [Rule] Firewall traffic [Service] HTTP [Connection] TCP SERVER.dalx.local (82.162.62.40):61307 -> bs.yandex.ru (213.180.204.90):80 [Duration] 132 sec [Bytes] 1759/10669/12428 [Packets] 9/12/21
[23/Dec/2013 01:35:43] [ID] 4699 [Rule] Firewall traffic [Service] HTTP [Connection] TCP SERVER.dalx.local (82.162.62.40):61324 -> a23-215-63-19.deploy.static.akamaitechnologies.com (23.215.63.19):80 [Duration] 136 sec [Bytes] 252/132/384 [Packets] 6/3/9
[23/Dec/2013 01:35:43] [ID] 4698 [Rule] Firewall traffic [Service] HTTP [Connection] TCP SERVER.dalx.local (82.162.62.40):61322 -> a23-215-63-19.deploy.static.akamaitechnologies.com (23.215.63.19):80 [Duration] 136 sec [Bytes] 252/132/384 [Packets] 6/3/9
[23/Dec/2013 01:35:43] [ID] 4697 [Rule] Firewall traffic [Service] HTTP [Connection] TCP SERVER.dalx.local (82.162.62.40):61319 -> a23-66-97-224.deploy.static.akamaitechnologies.com (23.66.97.224):80 [Duration] 136 sec [Bytes] 172/132/304 [Packets] 4/3/7
[23/Dec/2013 01:35:43] [ID] 4696 [Rule] Firewall traffic [Service] HTTP [Connection] TCP SERVER.dalx.local (82.162.62.40):61318 -> a23-66-97-224.deploy.static.akamaitechnologies.com (23.66.97.224):80 [Duration] 136 sec [Bytes] 172/132/304 [Packets] 4/3/7
[23/Dec/2013 01:35:43] [ID] 4695 [Rule] Firewall traffic [Service] HTTP [Connection] TCP SERVER.dalx.local (82.162.62.40):61316 -> a23-66-97-224.deploy.static.akamaitechnologies.com (23.66.97.224):80 [Duration] 136 sec [Bytes] 172/132/304 [Packets] 4/3/7
[23/Dec/2013 01:35:43] [ID] 4688 [Rule] Firewall traffic [Service] HTTP [Connection] TCP SERVER.dalx.local (82.162.62.40):61309 -> a23-215-63-51.deploy.static.akamaitechnologies.com (23.215.63.51):80 [Duration] 137 sec [Bytes] 212/132/344 [Packets] 5/3/8
[23/Dec/2013 01:35:43] [ID] 4683 [Rule] Firewall traffic [Service] HTTP [Connection] TCP SERVER.dalx.local (82.162.62.40):61303 -> srv119-131.vkontakte.ru (87.240.131.119):80 [Duration] 137 sec [Bytes] 172/132/304 [Packets] 4/3/7
[23/Dec/2013 01:35:43] [ID] 4682 [Rule] Firewall traffic [Service] HTTP [Connection] TCP SERVER.dalx.local (82.162.62.40):61302 -> srv117-131.vkontakte.ru (87.240.131.117):80 [Duration] 137 sec [Bytes] 172/132/304 [Packets] 4/3/7
[23/Dec/2013 01:35:43] [ID] 4681 [Rule] Firewall traffic [Service] HTTP [Connection] TCP SERVER.dalx.local (82.162.62.40):61300 -> srv242-131.vkontakte.ru (87.240.143.242):80 [Duration] 137 sec [Bytes] 172/132/304 [Packets] 4/3/7
[23/Dec/2013 01:35:43] [ID] 4680 [Rule] Firewall traffic [Service] HTTP [Connection] TCP SERVER.dalx.local (82.162.62.40):61298 -> srv242-131.vkontakte.ru (87.240.143.242):80 [Duration] 137 sec [Bytes] 172/132/304 [Packets] 4/3/7

[Vvvyg]

Сделайте полный образ автозапуска uVS, только программу скачайте отсюда.

[DenisB]

Добрый день! Сделал Лог.

[Vvvyg]

Невидно ничего подозрительного. Анализируйте тщательно сетевой трафик, больше ничего не могу предложить.