The process of detecting and removing the new rundl132.exe virus
A machine suddenly could not use a removable hard disk: a window flashed briefly and the drive letter never appeared. On asking, it turned out that quite a few movies and related software had been downloaded the day before. So I ran a HijackThis scan; the log is as follows:
Logfile of HijackThis v1.99.1
Scan saved at 9:41:36, on 2006-9-28
Platform: Windows XP SP2, v.2149 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2149)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\KV2005\KVMonXP.kxp
C:\WINDOWS\system32\conime.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\KV2005\KVSrvXP.exe
C:\Program Files\KV2005\kvwsc.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\KV2005\TrojDie.kxp
C:\Program Files\KV2005\KRegEx.exe
C:\WINDOWS\system32\DllHost.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
F:\HijackThis.exe
F3 - REG:win.ini: load=C:\WINDOWS\rundl132.exe
O1 - Hosts: 60.191.60.114 w ww.1ting.com
O1 - Hosts: 60.191.60.114 w ww.6621.com
O1 - Hosts: 60.191.60.114 w ww.qq163.com
O1 - Hosts: 60.191.60.114 w ww.13139.com
O1 - Hosts: 60.191.60.114 w ww.haoting.com
O1 - Hosts: 60.191.60.114 ok.wo99.com
O1 - Hosts: 60.191.60.114 w ww.666ccc.com
O1 - Hosts: 60.191.60.114 w ww.5fad.com
O1 - Hosts: 60.191.60.114 w ww.520music.com
O1 - Hosts: 60.191.60.114 w ww.7t7t.com
O1 - Hosts: 60.191.60.114 w ww.cococ.com
O1 - Hosts: 60.191.60.114 w ww.7322.com
O1 - Hosts: 60.191.60.114 w ww.4199.com
O1 - Hosts: 218.5.76.175 w ww.huoche.com.cn
O1 - Hosts: 218.5.76.175 w ww.lieche.cn
O1 - Hosts: 218.5.76.175 w ww.123cha.com
O1 - Hosts: 218.5.76.175 train.hepost.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: QQIEHelper - {54EBD53A-9BC1-480B-966A-843A333CA162} - C:\Program Files\Tencent\QQ\QQIEHelper.dll
O2 - BHO: BrowseHelper Class - {80BF4637-D65B-43F3-BB60-C5DD3D5FB7B9} - C:\Program Files\KV2005\KvShell_2.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FLASHGET\jccatch.dll
O2 - BHO: 百度搜霸 - {B580CF65-E151-49C3-B73F-70B13FCA8E86} - C:\WINDOWS\DOWNLO~1\BaiDuBar.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\fgiebar.dll
O3 - Toolbar: 江民殺毒工具 欄 - {B5A34A93-D538-43A7-8371-864CB6148D12} - C:\Program Files\KV2005\KvShell_2.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [KvMonXP] "C:\Program Files\KV2005\KVMonXP.kxp" /auto
O4 - HKLM\..\Run: [NvCplDaemon] ; RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IMJPMIG8.1] ; "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [InCD] ; C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [iTunesHelper] ; "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MSPY2002] ; C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [NeroFilterCheck] ; C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PHIME2002A] ; C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [PHIME2002ASync] ; C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [RemoteControl] ; "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SysExplr] ; C:\Herosoft\HeroV8\SysExplr.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"-osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Messenger.exe] C:\Program Files\Tencent\QQ\Messenger.exe
O4 - HKLM\..\Run: [Realplayer.exe] C:\Program Files\Tencent\QQ\Messenger.exe
O4 - HKLM\..\Run: [Messager.exe] C:\Program Files\Tencent\QQ\Messenger.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PowerBar] ; "C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe" /AtBootTime
O4 - HKCU\..\Run: [Messenger.exe] C:\Program Files\Tencent\QQ\Messenger.exe
O4 - HKCU\..\Run: [Realplayer.exe] C:\Program Files\Tencent\QQ\Messenger.exe
O4 - HKCU\..\Run: [Messager.exe] C:\Program Files\Tencent\QQ\Messenger.exe
O4 - Startup: 騰訊QQ.lnk = C:\Program Files\Tencent\QQ\QQ.exe
O4 - Global Startup: 百度下吧.lnk = C:\Program Files\Baidu\BaiduX\BaiduX.exe
O8 - Extra context menu item: 上傳到QQ網(wǎng)絡(luò) 硬盤 - C:\Program Files\Tencent\QQ\AddToNetDisk.htm
O8 - Extra context menu item: 使用網(wǎng)際快車下載 - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: 使用網(wǎng)際快車下載全部鏈接 - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: 添加到QQ自定義面板 - C:\Program Files\Tencent\QQ\AddPanel.htm
O8 - Extra context menu item: 添加到QQ表情 - C:\Program Files\Tencent\QQ\AddEmotion.htm
O8 - Extra context menu item: 用QQ彩信發(fā)送該圖片 - C:\Program Files\Tencent\QQ\SendMMS.htm
O8 - Extra context menu item: 百度Flash搜索 - res://C:\WINDOWS\DOWNLO~1\BaiDuBar.dll/FLASHSEARCH.HTM
O8 - Extra context menu item: 百度mp3搜索 - res://C:\WINDOWS\DOWNLO~1\BaiDuBar.dll/BAIDUMP3.HTM
O8 - Extra context menu item: 百度信息快遞搜索 - res://C:\WINDOWS\DOWNLO~1\BaiDuBar.dll/BAIDUIE.HTM
O8 - Extra context menu item: 百度圖片搜索 - res://C:\WINDOWS\DOWNLO~1\BaiDuBar.dll/BAIDUIMG.HTM
O8 - Extra context menu item: 百度搜索 - res://C:\WINDOWS\DOWNLO~1\BaiDuBar.dll/BAIDUSEARCH.HTM
O8 - Extra context menu item: 百度新聞搜索 - res://C:\WINDOWS\DOWNLO~1\BaiDuBar.dll/BAIDUNEWS .HTM
O8 - Extra context menu item: 豪杰超級解霸V8實(shí)時播放 - C:\Herosoft\HeroV8\MPURLGET.HTM
O9 - Extra button: 豪杰超級解霸V8 - {367E0A21-8601-4986-9C9A-153BF5ACA118} - C:\Herosoft\HeroV8\STHSDVD.EXE
O9 - Extra 'Tools' menuitem: 豪杰超級解霸V8 - {367E0A21-8601-4986-9C9A-153BF5ACA118} - C:\Herosoft\HeroV8\STHSDVD.EXE
O9 - Extra button: QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\Tencent\QQ\QQ.EXE
O9 - Extra 'Tools' menuitem: 騰訊QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\Tencent\QQ\QQ.EXE
O9 - Extra button: (no name) - {DEDEB80D-FA35-45d9-9460-4983E5A8AFE6} - C:\Program Files\Tencent\QQ\QQIEHelper.dll
O9 - Extra 'Tools' menuitem: QQ炫彩工具條設(shè)置 - {DEDEB80D-FA35-45d9-9460-4983E5A8AFE6} - C:\Program Files\Tencent\QQ\QQIEHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\kvwspxp_1.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\kvwspxp_1.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\kvwspxp_1.dll
O18 - Filter: text/html - {0EB00690-8FA1-11D3-96C7-829E3EA50C29} - C:\WINDOWS\system32\Maxthonz.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPodService - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KVSrvXP - JiangMin New Tech Ltd. - C:\PROGRA~1\KV2005\KVSrvXP.exe
O23 - Service: KVWSC - Jiangmin Co.Ltd - C:\Program Files\KV2005\kvwsc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
The log shows the machine is infected. The KV2005 virus database of 27 September did not detect it, so this is a new virus. Checking IE, the home page had been changed to http:// 7b. c o m .cn (yet another navigation-type site).
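Four patterns in the log above are worth flagging automatically rather than by eye: the F3 win.ini load= entry (a legacy autostart that never shows up as a Run key), the O1 hosts entries that point many unrelated domains at the same two IPs, the three O4 Run values with different names that all launch the same Messenger.exe, and the O18 text/html filter. The script below is an added example written for this post, not HijackThis code and not the author's; it parses HijackThis-format lines and reports those four indicators. SAMPLE_LOG is a constructed subset of the entries quoted above (without the blog's "w ww" spacing), and MIN_HOSTS_PER_IP is an assumed threshold.

```python
"""Triage of a HijackThis v1.99-style log for the indicators seen in the rundl132 case.

Added example, not part of the original post and not HijackThis code. SAMPLE_LOG
is a constructed subset of the entries quoted in the post; MIN_HOSTS_PER_IP is an
assumed threshold, not something HijackThis defines.
"""
import re
from collections import defaultdict

# Constructed sample: a subset of the post's log, without the "w ww" defanging.
SAMPLE_LOG = r"""
F3 - REG:win.ini: load=C:\WINDOWS\rundl132.exe
O1 - Hosts: 60.191.60.114 www.1ting.com
O1 - Hosts: 60.191.60.114 www.6621.com
O1 - Hosts: 60.191.60.114 ok.wo99.com
O1 - Hosts: 218.5.76.175 www.huoche.com.cn
O1 - Hosts: 218.5.76.175 train.hepost.com
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [KvMonXP] "C:\Program Files\KV2005\KVMonXP.kxp" /auto
O4 - HKLM\..\Run: [Messenger.exe] C:\Program Files\Tencent\QQ\Messenger.exe
O4 - HKLM\..\Run: [Realplayer.exe] C:\Program Files\Tencent\QQ\Messenger.exe
O4 - HKLM\..\Run: [Messager.exe] C:\Program Files\Tencent\QQ\Messenger.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O18 - Filter: text/html - {0EB00690-8FA1-11D3-96C7-829E3EA50C29} - C:\WINDOWS\system32\Maxthonz.dll
"""

MIN_HOSTS_PER_IP = 2   # assumed: this many hostnames on one IP looks like a redirect

HOSTS_RE = re.compile(r"^O1 - Hosts: (\S+) (\S+)$")
RUN_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[([^\]]+)\] (.+)$")


def run_target(command: str) -> str:
    """Executable path of a Run-key command, lower-cased for comparison."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)].lower()
    # Unquoted form: drop trailing switches such as " /auto" or " -osboot".
    return re.sub(r"(\s+[/-]\S+)+$", "", command).lower()


def triage(log_text: str) -> dict:
    """Return the four indicator classes found in a HijackThis log."""
    hosts_by_ip = defaultdict(list)
    names_by_target = defaultdict(list)
    win_ini_load, html_filters = [], []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("F3 - REG:win.ini: load="):
            # win.ini [windows] load= is a legacy autostart outside the Run keys.
            win_ini_load.append(line.split("load=", 1)[1])
        elif (m := HOSTS_RE.match(line)):
            hosts_by_ip[m.group(1)].append(m.group(2))
        elif (m := RUN_RE.match(line)):
            names_by_target[run_target(m.group(3))].append(f"{m.group(1)}:{m.group(2)}")
        elif line.startswith("O18 - Filter: text/html"):
            # A MIME filter on text/html sees every page IE renders.
            html_filters.append(line.rsplit(" - ", 1)[1])
    return {
        "win_ini_load": win_ini_load,
        "hosts_sinkholes": {ip: names for ip, names in hosts_by_ip.items()
                            if len(names) >= MIN_HOSTS_PER_IP},
        "shared_run_targets": {target: names for target, names in names_by_target.items()
                               if len(names) >= 2},
        "html_filters": html_filters,
    }


if __name__ == "__main__":
    for kind, hits in triage(SAMPLE_LOG).items():
        print(f"{kind}: {hits}")
```

On the sample, triage() reports rundl132.exe as the win.ini load target, both redirect IPs, the single Messenger.exe path behind the Messenger.exe/Realplayer.exe/Messager.exe Run names, and Maxthonz.dll as the text/html filter; the KV2005, nwiz and ctfmon entries produce no hits because each name maps to its own executable.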
I disconnected the network and ran the unknown-virus detection: C:\WINDOWS\rundl132.exe, C:\Program Files\Tencent\QQ\Messenger.exe and C:\WINDOWS\system32\Maxthonz.dll were listed among the suspicious files, and I terminated them.
I cleared the hidden attribute on files and folders. In c:\windows I found rundl132.exe and, alongside it, a logo1_.exe with the same date; both carried the WinRAR icon. In Temp I also found scvhost.exe and V20060925.rar, and every folder and every drive root contained a _desktop.ini.
I added these files to the sample library, which showed that rundl132.exe and logo1_.exe are the same file. I scanned the sample library and removed all of the files above, reset the IE home page to blank, and in HijackThis checked the red entries in the log and fixed them.
I updated KV2005 to the 28 September database and scanned again; no virus was found.
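The two on-disk findings in the steps above, a pair of files that are byte-for-byte identical under different names (rundl132.exe and logo1_.exe) and a _desktop.ini marker dropped into every folder and drive root, can be confirmed without a sample library. The script below is an added example, not part of the original post: it hashes a set of candidate files to find identical copies and walks a tree for the marker file regardless of its hidden attribute. The directory tree it scans is a constructed fixture built in a temporary directory with dummy bytes, and the file names in it are taken from the post.

```python
"""Filesystem sweep for the two on-disk signs from the post: identical files under
different names (rundl132.exe == logo1_.exe) and a _desktop.ini marker in every folder.

Added example, not from the original post. The tree it scans is a constructed fixture
in a temporary directory; the file contents are dummy bytes, not real samples.
"""
import hashlib
import tempfile
from collections import defaultdict
from pathlib import Path

MARKER_NAME = "_desktop.ini"


def sha256_of(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def identical_groups(root: Path, candidates) -> list[list[str]]:
    """Group candidate files by SHA-256 and return the groups with more than one
    member, as sorted root-relative POSIX paths (stable across platforms)."""
    by_hash = defaultdict(list)
    for path in candidates:
        by_hash[sha256_of(path)].append(path.relative_to(root).as_posix())
    return sorted(sorted(paths) for paths in by_hash.values() if len(paths) > 1)


def marker_files(root: Path, name: str = MARKER_NAME) -> list[str]:
    """Every file called `name` anywhere under root. rglob ignores the Windows
    hidden attribute, so markers hidden from Explorer are still listed."""
    return sorted(p.relative_to(root).as_posix() for p in root.rglob(name) if p.is_file())


def build_fixture(root: Path) -> list[Path]:
    """Constructed tree mirroring the post's findings; returns the suspect files."""
    fake_pe = b"MZ" + b"\x00" * 62 + b"dummy payload bytes"   # not a real executable
    layout = {
        "windows/rundl132.exe": fake_pe,
        "windows/logo1_.exe": fake_pe,                 # same bytes, different name
        "windows/Temp/scvhost.exe": b"MZ" + b"\x01" * 40,
        "windows/Temp/V20060925.rar": b"Rar!\x1a\x07\x00",
        "_desktop.ini": b"[.ShellClassInfo]\r\n",      # drive-root marker
        "windows/_desktop.ini": b"[.ShellClassInfo]\r\n",
        "Documents/_desktop.ini": b"[.ShellClassInfo]\r\n",
        "Documents/notes.txt": b"clean file",
    }
    for rel, data in layout.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    return [root / rel for rel in layout if rel.endswith((".exe", ".rar"))]


def sweep(root: Path, candidates) -> dict:
    """Both checks over one tree."""
    return {"identical_groups": identical_groups(root, candidates),
            "markers": marker_files(root)}


def demo() -> dict:
    """Build the fixture in a temp dir, sweep it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        return sweep(root, build_fixture(root))


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Against a real machine you would pass the drive roots to marker_files() and the files from the unknown-virus detection to identical_groups(); hashing is what confirms the "same file" conclusion the sample library reached, and the same hashes are what you would submit to the vendor for a signature.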