Comments: Today, when I checked the server logs, I found that McAfee successfully intercepted the trojan again. Let's share it with you.
Important:
The defense alone still cannot solve the problem. below is how we find out the real culprit.
We will introduce you to a tool that can be used to display sessions that log on to your computer over the network, just like the sessions folder in the MMC Computer Management Unit,
The remote service management unit displays Remote Desktop login sessions, but no tool can display all login sessions-regardless of any login type-and the list of programs used by these users.
This tool is Sysinternals (now Microsoft)'s LogoSessions tool!
Http://www.microsoft.com/technet/sysinternals/security/logonsessions.mspx
You can download Free from this address.
You can associate the display code in LogoSessions with the information displayed by other tools.
The Code is as follows:
Logs
==========
Logonsesions v1.1
Copyright (C) 2004 maid and Mark Russinovich
Sysinternals-wwww.sysinternals.com
[0] Logon session 00000000: 000003e7:
User name: WORKGROUP \ SDAHFPWE
Auth package: NTLM
Logon type: (none)
Session: 0
Sid: S-1-5-18
Logon time: 15:33:05
Logon server:
DNS Domain:
UPN:
356: \ SystemRoot \ System32 \ smss.exe
404 :\?? \ C: \ WINDOWS \ system32 \ csrss.exe
428 :\?? \ C: \ WINDOWS \ system32 \ winlogon.exe
472: C: \ WINDOWS \ system32 \ services.exe
484: C: \ WINDOWS \ system32 \ lsass.exe
692: C: \ WINDOWS \ system32 \ svchost.exe
836: C: \ WINDOWS \ System32 \ svchost.exe
960: C: \ WINDOWS \ system32 \ spoolsv.exe
1128: C: \ Program Files \ Symantec \ pcAnywhere \ awhost32.exe
1164: C: \ WINDOWS \ System32 \ svchost.exe
1300: C: \ Program Files \ McAfee \ Common Framework \ FrameworkService.exe
1376: C: \ Program Files \ McAfee \ VirusScan Enterprise \ vstskmgr.exe
1452: C: \ Program Files \ McAfee \ Common Framework \ naPrdMgr.exe
1532: C: \ Program Files \ RhinoSoft.com \ Serv-U \ ServUDaemon.exe
1696: C: \ WINDOWS \ System32 \ svchost.exe
1912: C: \ WINDOWS \ System32 \ svchost.exe
3844: C: \ WINDOWS \ system32 \ wbem \ wmiprvse.exe
4000: C: \ WINDOWS \ system32 \ dllhost.exe
3172: C: \ Program Files \ McAfee \ VirusScan Enterprise \ mcshield.exe
3960 :\?? \ C: \ WINDOWS \ system32 \ csrss.exe
396 :\?? \ C: \ WINDOWS \ system32 \ winlogon.exe
372: C: \ WINDOWS \ system32 \ inetsrv \ inetinfo.exe
2920: C: \ WINDOWS \ System32 \ svchost.exe
2780 :\?? \ C: \ WINDOWS \ system32 \ csrss.exe
1576 :\?? \ C: \ WINDOWS \ system32 \ winlogon.exe
[1] Logon session 00000000: 81e5:
User name:
Auth package: NTLM
Logon type: (none)
Session: 0
Sid: (none)
Logon time: 15:33:05
Logon server:
DNS Domain:
UPN:
[2] Logon session 00000000: 109c0f7:
User name: nt authority \ ANONYMOUS LOGON
Auth package: NTLM
Logon type: Network
Session: 0
Sid: S-1-5-7
Logon time: 15:33:08
Logon server:
DNS Domain:
UPN:
[3] Logon session 00000000: 000003e5:
User name: nt authority \ LOCAL SERVICE
Auth package: Negotiate
Logon type: Service
Session: 0
Sid: S-1-5-19
Logon time: 15:33:09
Logon server:
DNS Domain:
UPN:
[4] Logon session 00000000: 5cbf7d87:
User name: SDAHFPWE-WUYMBI \ maggie
Auth package: NTLM
Logon type: RemoteInteractive
Session: 2
Sid: S-1-5-21-1476199771-2381760486-1211474579-1009
Logon time: 9:44:18
Logon server: SDAHFPWE-WUYMBI
DNS Domain:
UPN:
3164: C: \ WINDOWS \ system32 \ rdpclip.exe
740: C: \ WINDOWS \ Explorer. EXE
3528: C: \ Program Files \ McAfee \ VirusScan Enterprise \ SHSTAT. EXE
392: C: \ WINDOWS \ system32 \ ctfmon.exe
3952: C: \ WINDOWS \ system32 \ mmc.exe
336: C: \ Program Files \ RhinoSoft.com \ Serv-U \ ServUAdmin.exe
[5] Logon session 00000000: 60d81435:
User name: SDAHFPWE-WUYMBI \ IUSR_SDAHFPWE-WUYMBI
Auth package: NTLM
Logon type: NetworkCleartext
Session: 0
Sid: S-1-5-21-1476199771-2381760486-1211474579-1015
Logon time: 10:55:33
Logon server: SDAHFPWE-WUYMBI
DNS Domain:
UPN:
[6] Logon session 00000000: 000003e4:
User name: nt authority \ NETWORK SERVICE
Auth package: Negotiate
Logon type: Service
Session: 0
Sid: S-1-5-20
Logon time: 15:33:06
Logon server:
DNS Domain:
UPN:
2496: c: \ windows \ system32 \ inetsrv \ w3wp.exe
[7] Logon session 00000000: 000309aa:
User name: SDAHFPWE-WUYMBI \ jooline2008sh
Auth package: NTLM
Logon type: RemoteInteractive
Session: 1
Sid: S-1-5-21-1476199771-2381760486-1211474579-500
Logon time: 15:35:34
Logon server: SDAHFPWE-WUYMBI
DNS Domain:
UPN:
[8] Logon session 00000000: 60f64f82:
User name: SDAHFPWE-WUYMBI \ jooline2008sh
Auth package: NTLM
Logon type: RemoteInteractive
Session: 3
Sid: S-1-5-21-1476199771-2381760486-1211474579-500
Logon time: 11:06:47
Logon server: SDAHFPWE-WUYMBI
DNS Domain:
UPN:
1840: C: \ WINDOWS \ system32 \ rdpclip.exe
3580: C: \ WINDOWS \ Explorer. EXE
2876: C: \ Program Files \ McAfee \ VirusScan Enterprise \ SHSTAT. EXE
888: C: \ Program Files \ RhinoSoft.com \ Serv-U \ ServUTray.exe
3280: C: \ WINDOWS \ system32 \ cmd.exe
376: C: \ WINDOWS \ system32 \ conime.exe
1820: C: \ Program Files \ McAfee \ VirusScan Enterprise \ mcconsol.exe
720: C: \ WINDOWS \ system32 \ NOTEPAD. EXE
2320: E: \ logonsessions.exe
====================================
In security log events, you can associate the output login session ID with the security log event description to find logon events and session-related events.
This makes it easy to find out what is going on ....