查杀新rundl132.exe病毒的过程

查杀新rundl132.exe病毒 的过程 一台机子突然不能接移动硬盘，症状是闪一下窗口，看不到移动硬盘盘符。经询问,昨天下载 了不少电影 和相关软件 。于是用 Hijackthis 扫描，日志如下：
Logfile of HijackThis v1.99.1
Scan saved at 9:41:36, on 2006-9-28
Platform: Windows XP SP2, v.2149 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2149)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\KV2005\KVMonXP.kxp
C:\WINDOWS\system32\conime.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\KV2005\KVSrvXP.exe
C:\Program Files\KV2005\kvwsc.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\KV2005\TrojDie.kxp
C:\Program Files\KV2005\KRegEx.exe
C:\WINDOWS\system32\DllHost.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
F:\HijackThis.exe

F3 - REG:win.ini: load=C:\WINDOWS\rundl132.exe
O1 - Hosts: 60.191.60.114 w ww.1ting.com
O1 - Hosts: 60.191.60.114 w ww.6621.com
O1 - Hosts: 60.191.60.114 w ww.qq163.com
O1 - Hosts: 60.191.60.114 w ww.13139.com
O1 - Hosts: 60.191.60.114 w ww.haoting.com
O1 - Hosts: 60.191.60.114 ok.wo99.com
O1 - Hosts: 60.191.60.114 w ww.666ccc.com
O1 - Hosts: 60.191.60.114 w ww.5fad.com
O1 - Hosts: 60.191.60.114 w ww.520music.com
O1 - Hosts: 60.191.60.114 w ww.7t7t.com
O1 - Hosts: 60.191.60.114 w ww.cococ.com
O1 - Hosts: 60.191.60.114 w ww.7322.com
O1 - Hosts: 60.191.60.114 w ww.4199.com
O1 - Hosts: 218.5.76.175 w ww.huoche.com.cn
O1 - Hosts: 218.5.76.175 w ww.lieche.cn
O1 - Hosts: 218.5.76.175 w ww.123cha.com
O1 - Hosts: 218.5.76.175 train.hepost.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: QQIEHelper - {54EBD53A-9BC1-480B-966A-843A333CA162} - C:\Program Files\Tencent\QQ\QQIEHelper.dll
O2 - BHO: BrowseHelper Class - {80BF4637-D65B-43F3-BB60-C5DD3D5FB7B9} - C:\Program Files\KV2005\KvShell_2.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FLASHGET\jccatch.dll
O2 - BHO: 百度搜霸 - {B580CF65-E151-49C3-B73F-70B13FCA8E86} - C:\WINDOWS\DOWNLO~1\BaiDuBar.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\fgiebar.dll
O3 - Toolbar: 江民杀毒工具 栏 - {B5A34A93-D538-43A7-8371-864CB6148D12} - C:\Program Files\KV2005\KvShell_2.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [KvMonXP] "C:\Program Files\KV2005\KVMonXP.kxp" /auto
O4 - HKLM\..\Run: [NvCplDaemon] ; RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IMJPMIG8.1] ; "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [InCD] ; C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [iTunesHelper] ; "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MSPY2002] ; C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [NeroFilterCheck] ; C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PHIME2002A] ; C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [PHIME2002ASync] ; C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [RemoteControl] ; "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SysExplr] ; C:\Herosoft\HeroV8\SysExplr.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"-osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Messenger.exe] C:\Program Files\Tencent\QQ\Messenger.exe
O4 - HKLM\..\Run: [Realplayer.exe] C:\Program Files\Tencent\QQ\Messenger.exe
O4 - HKLM\..\Run: [Messager.exe] C:\Program Files\Tencent\QQ\Messenger.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PowerBar] ; "C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe" /AtBootTime
O4 - HKCU\..\Run: [Messenger.exe] C:\Program Files\Tencent\QQ\Messenger.exe
O4 - HKCU\..\Run: [Realplayer.exe] C:\Program Files\Tencent\QQ\Messenger.exe
O4 - HKCU\..\Run: [Messager.exe] C:\Program Files\Tencent\QQ\Messenger.exe
O4 - Startup: 腾讯QQ.lnk = C:\Program Files\Tencent\QQ\QQ.exe
O4 - Global Startup: 百度下吧.lnk = C:\Program Files\Baidu\BaiduX\BaiduX.exe
O8 - Extra context menu item: 上传到QQ网络 硬盘 - C:\Program Files\Tencent\QQ\AddToNetDisk.htm
O8 - Extra context menu item: 使用网际快车下载 - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: 使用网际快车下载全部链接 - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: 添加到QQ自定义面板 - C:\Program Files\Tencent\QQ\AddPanel.htm
O8 - Extra context menu item: 添加到QQ表情 - C:\Program Files\Tencent\QQ\AddEmotion.htm
O8 - Extra context menu item: 用QQ彩信发送该图片 - C:\Program Files\Tencent\QQ\SendMMS.htm
O8 - Extra context menu item: 百度Flash搜索 - res://C:\WINDOWS\DOWNLO~1\BaiDuBar.dll/FLASHSEARCH.HTM
O8 - Extra context menu item: 百度mp3搜索 - res://C:\WINDOWS\DOWNLO~1\BaiDuBar.dll/BAIDUMP3.HTM
O8 - Extra context menu item: 百度信息快递搜索 - res://C:\WINDOWS\DOWNLO~1\BaiDuBar.dll/BAIDUIE.HTM
O8 - Extra context menu item: 百度图片搜索 - res://C:\WINDOWS\DOWNLO~1\BaiDuBar.dll/BAIDUIMG.HTM
O8 - Extra context menu item: 百度搜索 - res://C:\WINDOWS\DOWNLO~1\BaiDuBar.dll/BAIDUSEARCH.HTM
O8 - Extra context menu item: 百度新闻搜索 - res://C:\WINDOWS\DOWNLO~1\BaiDuBar.dll/BAIDUNEWS .HTM
O8 - Extra context menu item: 豪杰超级解霸V8实时播放 - C:\Herosoft\HeroV8\MPURLGET.HTM
O9 - Extra button: 豪杰超级解霸V8 - {367E0A21-8601-4986-9C9A-153BF5ACA118} - C:\Herosoft\HeroV8\STHSDVD.EXE
O9 - Extra 'Tools' menuitem: 豪杰超级解霸V8 - {367E0A21-8601-4986-9C9A-153BF5ACA118} - C:\Herosoft\HeroV8\STHSDVD.EXE
O9 - Extra button: QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\Tencent\QQ\QQ.EXE
O9 - Extra 'Tools' menuitem: 腾讯QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\Tencent\QQ\QQ.EXE
O9 - Extra button: (no name) - {DEDEB80D-FA35-45d9-9460-4983E5A8AFE6} - C:\Program Files\Tencent\QQ\QQIEHelper.dll
O9 - Extra 'Tools' menuitem: QQ炫彩工具条设置 - {DEDEB80D-FA35-45d9-9460-4983E5A8AFE6} - C:\Program Files\Tencent\QQ\QQIEHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\kvwspxp_1.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\kvwspxp_1.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\kvwspxp_1.dll
O18 - Filter: text/html - {0EB00690-8FA1-11D3-96C7-829E3EA50C29} - C:\WINDOWS\system32\Maxthonz.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPodService - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KVSrvXP - JiangMin New Tech Ltd. - C:\PROGRA~1\KV2005\KVSrvXP.exe
O23 - Service: KVWSC - Jiangmin Co.Ltd - C:\Program Files\KV2005\kvwsc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe看日志中了病毒，KV2005 9月27日病毒库没有检测出病毒，是个新病毒。检查 IE 首页修改成 http:// 7b. c o m .cn（又一个导航类的网站）。

断网，运行未知病毒检测，C:\WINDOWS\rundl132.exe、C:\Program Files\Tencent\QQ\Messenger.exe、C:\WINDOWS\system32\Maxthonz.dll在可疑文件中，结束其运行。

去了文件和文件夹隐藏属性，在 c:\windows中，发现了rundl132.exe，同时还发现一个 logo1_.exe,日期相同的文件，图标都是 Winrar 的图标。到Temp中还发现了 scvhost.exe、V20060925.rar,同时发现所有文件夹中和盘符下都有 _desktop.ini。

将这些文件编入样本库 ，结果发现rundl132.exe和logo1_.exe是相同文件，扫描样本库，将上述文件全部杀除。将 IE 首页改为空白。在 Hijackthis中，勾选日志中红色的键值修复。

将KV2005升级到9月28日病毒再杀，没有发现病毒。