Removing the new rundl132.exe virus: a walkthrough

A machine suddenly stopped accepting a removable hard disk: a window flashed briefly and the drive letter never appeared. On asking, I learned that a lot of movies and related software had been downloaded the day before. So I scanned with HijackThis; the log follows:
Logfile of HijackThis v1.99.1
Scan saved at 9:41:36, on 2006-9-28
Platform: Windows XP SP2, v.2149 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2149)

Running processes:
C:/WINDOWS/System32/smss.exe
C:/WINDOWS/system32/winlogon.exe
C:/WINDOWS/system32/services.exe
C:/WINDOWS/system32/lsass.exe
C:/WINDOWS/system32/svchost.exe
C:/WINDOWS/System32/svchost.exe
C:/Program Files/Ahead/InCD/InCDsrv.exe
C:/WINDOWS/Explorer.EXE
C:/WINDOWS/system32/spoolsv.exe
C:/Program Files/KV2005/KVMonXP.kxp
C:/WINDOWS/system32/conime.exe
C:/Program Files/Common Files/Real/Update_OB/realsched.exe
C:/Program Files/QuickTime/qttask.exe
C:/WINDOWS/system32/ctfmon.exe
C:/PROGRA~1/KV2005/KVSrvXP.exe
C:/Program Files/KV2005/kvwsc.exe
C:/Program Files/Microsoft SQL Server/MSSQL/Binn/sqlservr.exe
C:/WINDOWS/system32/nvsvc32.exe
C:/Program Files/Analog Devices/SoundMAX/SMAgent.exe
C:/Program Files/KV2005/TrojDie.kxp
C:/Program Files/KV2005/KRegEx.exe
C:/WINDOWS/system32/DllHost.exe
C:/Program Files/Real/RealPlayer/RealPlay.exe
F:/HijackThis.exe

F3 - REG:win.ini: load=C:/WINDOWS/rundl132.exe
O1 - Hosts: 60.191.60.114 www.1ting.com
O1 - Hosts: 60.191.60.114 www.6621.com
O1 - Hosts: 60.191.60.114 www.qq163.com
O1 - Hosts: 60.191.60.114 www.13139.com
O1 - Hosts: 60.191.60.114 www.haoting.com
O1 - Hosts: 60.191.60.114 ok.wo99.com
O1 - Hosts: 60.191.60.114 www.666ccc.com
O1 - Hosts: 60.191.60.114 www.5fad.com
O1 - Hosts: 60.191.60.114 www.520music.com
O1 - Hosts: 60.191.60.114 www.7t7t.com
O1 - Hosts: 60.191.60.114 www.cococ.com
O1 - Hosts: 60.191.60.114 www.7322.com
O1 - Hosts: 60.191.60.114 www.4199.com
O1 - Hosts: 218.5.76.175 www.huoche.com.cn
O1 - Hosts: 218.5.76.175 www.lieche.cn
O1 - Hosts: 218.5.76.175 www.123cha.com
O1 - Hosts: 218.5.76.175 train.hepost.com

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:/Program Files/Adobe/Acrobat 5.0/Reader/ActiveX/AcroIEHelper.ocx
O2 - BHO: QQIEHelper - {54EBD53A-9BC1-480B-966A-843A333CA162} - C:/Program Files/Tencent/QQ/QQIEHelper.dll
O2 - BHO: BrowseHelper Class - {80BF4637-D65B-43F3-BB60-C5DD3D5FB7B9} - C:/Program Files/KV2005/KvShell_2.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:/PROGRA~1/FLASHGET/jccatch.dll
O2 - BHO: 百度搜霸 - {B580CF65-E151-49C3-B73F-70B13FCA8E86} - C:/WINDOWS/DOWNLO~1/BaiDuBar.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:/PROGRA~1/FLASHGET/fgiebar.dll
O3 - Toolbar: 江民杀毒工具栏 - {B5A34A93-D538-43A7-8371-864CB6148D12} - C:/Program Files/KV2005/KvShell_2.dll
O4 - HKLM/../Run: [nwiz] nwiz.exe /install
O4 - HKLM/../Run: [NvMediaCenter] RUNDLL32.EXE C:/WINDOWS/system32/NvMcTray.dll,NvTaskbarInit
O4 - HKLM/../Run: [KvMonXP] "C:/Program Files/KV2005/KVMonXP.kxp" /auto
O4 - HKLM/../Run: [NvCplDaemon] ; RUNDLL32.EXE C:/WINDOWS/system32/NvCpl.dll,NvStartup
O4 - HKLM/../Run: [IMJPMIG8.1] ; "C:/WINDOWS/IME/imjp8_1/IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM/../Run: [InCD] ; C:/Program Files/Ahead/InCD/InCD.exe
O4 - HKLM/../Run: [iTunesHelper] ; "C:/Program Files/iTunes/iTunesHelper.exe"
O4 - HKLM/../Run: [MSPY2002] ; C:/WINDOWS/system32/IME/PINTLGNT/ImScInst.exe /SYNC
O4 - HKLM/../Run: [NeroFilterCheck] ; C:/WINDOWS/system32/NeroCheck.exe
O4 - HKLM/../Run: [PHIME2002A] ; C:/WINDOWS/system32/IME/TINTLGNT/TINTSETP.EXE /IMEName
O4 - HKLM/../Run: [PHIME2002ASync] ; C:/WINDOWS/system32/IME/TINTLGNT/TINTSETP.EXE /SYNC
O4 - HKLM/../Run: [RemoteControl] ; "C:/Program Files/CyberLink DVD Solution/PowerDVD/PDVDServ.exe"
O4 - HKLM/../Run: [SysExplr] ; C:/Herosoft/HeroV8/SysExplr.EXE
O4 - HKLM/../Run: [TkBellExe] "C:/Program Files/Common Files/Real/Update_OB/realsched.exe"  -osboot
O4 - HKLM/../Run: [QuickTime Task] "C:/Program Files/QuickTime/qttask.exe" -atboottime
O4 - HKLM/../Run: [Messenger.exe] C:/Program Files/Tencent/QQ/Messenger.exe
O4 - HKLM/../Run: [Realplayer.exe] C:/Program Files/Tencent/QQ/Messenger.exe
O4 - HKLM/../Run: [Messager.exe] C:/Program Files/Tencent/QQ/Messenger.exe

O4 - HKCU/../Run: [ctfmon.exe] C:/WINDOWS/system32/ctfmon.exe
O4 - HKCU/../Run: [PowerBar] ; "C:/Program Files/CyberLink DVD Solution/Multimedia Launcher/PowerBar.exe" /AtBootTime
O4 - HKCU/../Run: [Messenger.exe] C:/Program Files/Tencent/QQ/Messenger.exe
O4 - HKCU/../Run: [Realplayer.exe] C:/Program Files/Tencent/QQ/Messenger.exe
O4 - HKCU/../Run: [Messager.exe] C:/Program Files/Tencent/QQ/Messenger.exe

O4 - Startup: 腾讯QQ.lnk = C:/Program Files/Tencent/QQ/QQ.exe
O4 - Global Startup: 百度下吧.lnk = C:/Program Files/Baidu/BaiduX/BaiduX.exe
O8 - Extra context menu item: 上传到QQ网络硬盘 - C:/Program Files/Tencent/QQ/AddToNetDisk.htm
O8 - Extra context menu item: 使用网际快车下载 - C:/Program Files/FlashGet/jc_link.htm
O8 - Extra context menu item: 使用网际快车下载全部链接 - C:/Program Files/FlashGet/jc_all.htm
O8 - Extra context menu item: 添加到QQ自定义面板 - C:/Program Files/Tencent/QQ/AddPanel.htm
O8 - Extra context menu item: 添加到QQ表情 - C:/Program Files/Tencent/QQ/AddEmotion.htm
O8 - Extra context menu item: 用QQ彩信发送该图片 - C:/Program Files/Tencent/QQ/SendMMS.htm
O8 - Extra context menu item: 百度Flash搜索 - res://C:/WINDOWS/DOWNLO~1/BaiDuBar.dll/FLASHSEARCH.HTM
O8 - Extra context menu item: 百度mp3搜索 - res://C:/WINDOWS/DOWNLO~1/BaiDuBar.dll/BAIDUMP3.HTM
O8 - Extra context menu item: 百度信息快递搜索 - res://C:/WINDOWS/DOWNLO~1/BaiDuBar.dll/BAIDUIE.HTM
O8 - Extra context menu item: 百度图片搜索 - res://C:/WINDOWS/DOWNLO~1/BaiDuBar.dll/BAIDUIMG.HTM
O8 - Extra context menu item: 百度搜索 - res://C:/WINDOWS/DOWNLO~1/BaiDuBar.dll/BAIDUSEARCH.HTM
O8 - Extra context menu item: 百度新闻搜索 - res://C:/WINDOWS/DOWNLO~1/BaiDuBar.dll/BAIDUNEWS.HTM
O8 - Extra context menu item: 豪杰超级解霸V8实时播放 - C:/Herosoft/HeroV8/MPURLGET.HTM
O9 - Extra button: 豪杰超级解霸V8 - {367E0A21-8601-4986-9C9A-153BF5ACA118} - C:/Herosoft/HeroV8/STHSDVD.EXE
O9 - Extra 'Tools' menuitem: 豪杰超级解霸V8 - {367E0A21-8601-4986-9C9A-153BF5ACA118} - C:/Herosoft/HeroV8/STHSDVD.EXE
O9 - Extra button: QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:/Program Files/Tencent/QQ/QQ.EXE
O9 - Extra 'Tools' menuitem: 腾讯QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:/Program Files/Tencent/QQ/QQ.EXE
O9 - Extra button: (no name) - {DEDEB80D-FA35-45d9-9460-4983E5A8AFE6} - C:/Program Files/Tencent/QQ/QQIEHelper.dll
O9 - Extra 'Tools' menuitem: QQ炫彩工具条设置 - {DEDEB80D-FA35-45d9-9460-4983E5A8AFE6} - C:/Program Files/Tencent/QQ/QQIEHelper.dll
O10 - Unknown file in Winsock LSP: c:/windows/system32/kvwspxp_1.dll
O10 - Unknown file in Winsock LSP: c:/windows/system32/kvwspxp_1.dll
O10 - Unknown file in Winsock LSP: c:/windows/system32/kvwspxp_1.dll
O18 - Filter: text/html - {0EB00690-8FA1-11D3-96C7-829E3EA50C29} - C:/WINDOWS/system32/Maxthonz.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:/Program Files/Common Files/InstallShield/Driver/11/Intel 32/IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:/Program Files/Ahead/InCD/InCDsrv.exe
O23 - Service: iPodService - Apple Computer, Inc. - D:/Program Files/iPod/bin/iPodService.exe
O23 - Service: KVSrvXP - JiangMin New Tech Ltd. - C:/PROGRA~1/KV2005/KVSrvXP.exe
O23 - Service: KVWSC - Jiangmin Co.Ltd - C:/Program Files/KV2005/kvwsc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:/WINDOWS/system32/nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:/Program Files/Analog Devices/SoundMAX/SMAgent.exe

From the log it was clear the machine was infected. KV2005 with the September 27 virus database had not detected anything, so this was a new virus. I also checked the IE home page: it had been changed to http:// 7b. c o m .cn (yet another "navigation" portal site).
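The checks I did by eye on this log (the win.ini load= line, the clusters of hosts entries pinned to one address, the text/html filter, and the three Run entries under different names that all launch the same Messenger.exe) can be written down as rules. The script below is an added example, not code from this post or from HijackThis: it parses lines in the HijackThis 1.99 text format and runs over a constructed excerpt of the log above. The helper names (`triage`, `exe_path`) and the finding labels are my own.

```python
import re
from collections import defaultdict

# Constructed excerpt of the post's HijackThis log, embedded so the script runs offline.
# A real run would read the saved hijackthis.log instead.
SAMPLE_LOG = """\
F3 - REG:win.ini: load=C:/WINDOWS/rundl132.exe
O1 - Hosts: 60.191.60.114 www.1ting.com
O1 - Hosts: 60.191.60.114 www.6621.com
O1 - Hosts: 60.191.60.114 www.qq163.com
O1 - Hosts: 218.5.76.175 www.huoche.com.cn
O1 - Hosts: 218.5.76.175 train.hepost.com
O4 - HKLM/../Run: [KvMonXP] "C:/Program Files/KV2005/KVMonXP.kxp" /auto
O4 - HKLM/../Run: [TkBellExe] "C:/Program Files/Common Files/Real/Update_OB/realsched.exe"  -osboot
O4 - HKLM/../Run: [Messenger.exe] C:/Program Files/Tencent/QQ/Messenger.exe
O4 - HKLM/../Run: [Realplayer.exe] C:/Program Files/Tencent/QQ/Messenger.exe
O4 - HKLM/../Run: [Messager.exe] C:/Program Files/Tencent/QQ/Messenger.exe
O4 - HKCU/../Run: [ctfmon.exe] C:/WINDOWS/system32/ctfmon.exe
O18 - Filter: text/html - {0EB00690-8FA1-11D3-96C7-829E3EA50C29} - C:/WINDOWS/system32/Maxthonz.dll
"""

F3_RE = re.compile(r'^F3 - REG:win\.ini: (load|run)=(.+)$')
O1_RE = re.compile(r'^O1 - Hosts: (\S+)\s+(\S+)$')
O4_RE = re.compile(r'^O4 - (HKLM|HKCU)/\.\./Run: \[([^\]]+)\]\s*;?\s*(.+)$')
O18_RE = re.compile(r'^O18 - Filter: (\S+) - (\{[^}]+\}) - (.+)$')


def exe_path(command):
    """Return the executable part of a Run-key command line (my heuristic):
    a quoted path is taken verbatim, an unquoted one is cut at the first ' -' or ' /' switch."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return re.split(r'\s+[-/]', command, maxsplit=1)[0]


def triage(log_text):
    """Apply the post's manual checks to a HijackThis log and return a list of findings."""
    findings = []
    hosts_by_ip = defaultdict(list)
    run_names_by_target = defaultdict(list)
    run_entries = []
    for line in log_text.splitlines():
        line = line.strip()
        m = F3_RE.match(line)
        if m:
            # win.ini load=/run= is a legacy autostart that current software does not use.
            findings.append(("win.ini-autostart", m.group(2)))
            continue
        m = O1_RE.match(line)
        if m:
            hosts_by_ip[m.group(1)].append(m.group(2))
            continue
        m = O4_RE.match(line)
        if m:
            hive, name, command = m.groups()
            target = exe_path(command)
            run_entries.append((hive, name, target))
            run_names_by_target[target.lower()].append(name)
            continue
        m = O18_RE.match(line)
        if m:
            # A MIME filter on text/html sees every page the browser renders; worth a look.
            findings.append(("html-filter", m.group(3)))
    for ip, names in hosts_by_ip.items():
        # Several popular hostnames pinned to one address is the shape of a hosts-file redirect.
        if len(names) >= 2:
            findings.append(("hosts-redirect", ip, sorted(names)))
    for target, names in run_names_by_target.items():
        uniq = sorted(set(names))
        if len(uniq) > 1:
            # One binary registered under several names survives the removal of any single entry.
            findings.append(("run-alias", target, uniq))
    for hive, name, target in run_entries:
        # Entry named like one program but launching another, e.g. [Realplayer.exe] -> Messenger.exe
        basename = target.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if name.lower().endswith(".exe") and name.lower() != basename:
            findings.append(("run-name-mismatch", hive, name, target))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Run against the full log the same rules would also surface every O1 line, since HijackThis only prints hosts entries that deviate from the default file; the "run-alias" rule is what catches the Messenger.exe entries even when each of them looks plausible on its own.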

I disconnected the machine from the network and ran the unknown-virus detector. C:/WINDOWS/rundl132.exe, C:/Program Files/Tencent/QQ/Messenger.exe and C:/WINDOWS/system32/Maxthonz.dll were listed among the suspicious files, so I terminated them.

After removing the hidden attribute from files and folders, I found rundl132.exe in c:/windows, along with a logo1_.exe carrying the same date; both had WinRAR icons. In Temp I also found scvhost.exe and V20060925.rar, and there was a _desktop.ini in every folder and at every drive root.

I added these files to the sample library and found that rundl132.exe and logo1_.exe are the same file. I then scanned with the sample library and removed all of the files above, set the IE home page to blank, and in HijackThis ticked the entries marked red in the log and fixed them.

Finally I updated KV2005 to the September 28 virus database and scanned again: no virus found.
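Two of the file-system observations above (a _desktop.ini marker in every folder, and two differently named executables that turned out to be the same file) are worth turning into a repeatable sweep rather than a by-hand inspection. The script below is an added example, not the author's tooling: it walks a directory tree, lists every directory that carries the marker, and groups executables by SHA-256 so identical bodies under different names stand out. The tree it builds under a temporary directory is constructed to mirror the layout described in the post (file names only; the contents are arbitrary bytes, not malware), and the function names are my own.

```python
import hashlib
import os
import shutil
import tempfile
from collections import defaultdict

MARKER = "_desktop.ini"          # per-folder marker the post found in every directory and drive root
EXE_SUFFIXES = (".exe", ".dll")


def sha256_file(path):
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(root):
    """Walk root and return (directories carrying MARKER, executables grouped by content hash).
    Paths are returned relative to root with forward slashes so results compare across platforms."""
    marked_dirs = []
    by_hash = defaultdict(list)
    for dirpath, _dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root).replace(os.sep, "/")
        if MARKER in filenames:
            marked_dirs.append(rel_dir)
        for name in filenames:
            if name.lower().endswith(EXE_SUFFIXES):
                full = os.path.join(dirpath, name)
                by_hash[sha256_file(full)].append(os.path.relpath(full, root).replace(os.sep, "/"))
    # Only hashes shared by more than one path are interesting: same body, different names.
    duplicates = {h: sorted(paths) for h, paths in by_hash.items() if len(paths) > 1}
    return sorted(marked_dirs), duplicates


def build_constructed_tree():
    """Create a throwaway tree imitating the infected layout the post describes.
    Constructed for the demo: the bytes below are placeholders, not real program code."""
    root = tempfile.mkdtemp(prefix="sweep-demo-")
    same_body = b"CONSTRUCTED-SAMPLE-BYTES"
    layout = {
        "WINDOWS/rundl132.exe": same_body,
        "WINDOWS/logo1_.exe": same_body,           # same bytes -> same hash, as the post found
        "WINDOWS/system32/ctfmon.exe": b"legit-ctfmon-placeholder",
        "Temp/scvhost.exe": b"other-dropped-file-placeholder",
    }
    for rel, data in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    # Drop the marker into every directory, mirroring the post's observation.
    for dirpath in [d for d, _, _ in os.walk(root)]:
        with open(os.path.join(dirpath, MARKER), "w") as f:
            f.write("constructed marker content\n")
    return root


if __name__ == "__main__":
    demo_root = build_constructed_tree()
    try:
        marked, dups = sweep(demo_root)
        print("directories carrying", MARKER + ":", marked)
        for digest, paths in dups.items():
            print("identical executables", digest[:16], paths)
    finally:
        shutil.rmtree(demo_root)
```

On a real machine you would point `sweep` at each drive root (with the hidden attribute cleared first, as the post does) and treat any directory list that covers the whole volume, or any hash group that pairs a system-looking name with an unfamiliar one, as the starting point for sample collection rather than as proof by itself.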