The following is the virus-removal process I went through, with the related records, for reference.
***************************************************************************************
1. After the infection: applied the SP4 patch to the system,
installed 360安全衛士 (360 Safeguard); its diagnostic report:
------------------------------------------------------------------------------
診斷時間: 2010-02-08 23:06:33
診斷平臺: Microsoft Windows 2000 Service Pack 4
IE版本: Internet Explorer V5.00.3700.1000 Build:53700.1000
計算機物理內存:247.48MB - 當前可用內存:128.13MB
O4 - 未知 - HKLM\..\Run: [autoupdatevod] [] C:\ldjlb\upvod.exe
O23 - 未知 - Service: dpjbpdm [Shell Center] - - (starting)
O23 - 未知 - Service: DWMRCS [DameWare Mini Remote Control] - C:\WINNT\SYSTEM32\DWRCS.EXE -service - (running)
O23 - 未知 - Service: OracleOraHome81ClientCache [OracleOraHome81ClientCache] - C:\oracle\ora81\BIN\ONRSD.EXE - (not running)
=======================================
100 - 安全 - Process: SMSS.EXE [該進程為會話管理子系統用以初始化系統變量,ms-dos驅動名稱類似lpt1以及com,調用win32殼子系統和運行在windows登陸過程。] - C:\WINNT\System32\smss.exe
100 - 安全 - Process: CSRSS.EXE [客戶端服務子系統,用以控制windows圖形相關子系統。] - C:\WINNT\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512,512 Windows=On SubSystemType=Windows ServerDll=ba
100 - 安全 - Process: WINLOGON.EXE [windows nt用戶登陸程序。] - C:\WINNT\system32\winlogon.exe
100 - 安全 - Process: SERVICES.EXE [用於管理windows服務系統進程。] - C:\WINNT\system32\services.exe
100 - 安全 - Process: LSASS.EXE [本地安全權限服務控制windows安全機制。] - C:\WINNT\system32\lsass.exe
100 - 安全 - Process: svchost.exe [service host process是壹個標準的動態連接庫主機處理服務。] - C:\WINNT\system32\svchost.exe -k netsvcs
100 - 安全 - Process: DWRCS.EXE [dameware公司出品的迷妳控制程序軟件,用於控制客戶機的相關程序。] - C:\WINNT\SYSTEM32\DWRCS.EXE -service
100 - 安全 - Process: svchost.exe [service host process是壹個標準的動態連接庫主機處理服務。] - C:\WINNT\system32\svchost -k rpcss
100 - 安全 - Process: svchost.exe [service host process是壹個標準的動態連接庫主機處理服務。] - C:\WINNT\system32\svchost.exe -k wugroup
100 - 安全 - Process: WinMgmt.exe [windows management service透過windows management instrumentation data (wmi)技術處理來自應用客戶端的請求。] - C:\WINNT\System32\WBEM\WinMgmt.exe
100 - 安全 - Process: explorer.exe [windows program manager或者windows explorer用於控制windows圖形shell,包括開始菜單、任務欄,桌面和文件管理。] - C:\WINNT\Explorer.EXE
100 - 安全 - Process: msiexec.exe [windows installer的壹部分。用來幫助windows installer package files (msi)格式的安裝文件。] - C:\WINNT\System32\MsiExec.exe /V
100 - 安全 - Process: hkcmd.exe [intel顯卡驅動相關軟件。] - C:\WINNT\System32\hkcmd.exe
100 - 安全 - Process: SOUNDMAN.EXE [壹個軟聲卡控制臺軟件。] - C:\WINNT\SOUNDMAN.EXE
100 - 安全 - Process: internat.exe [輸入控制圖標用於更改類似國家設置、鍵盤類型和日期格式。] - C:\WINNT\system32\internat.exe
100 - 安全 - Process: DLLHOST.EXE [dcom dll host進程支持基於com對象支持dll以運行windows程序。] - C:\WINNT\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
100 - 安全 - Process: zhudongfangyu.exe [360主動防禦服務模塊] - C:\Program Files\360\360safe\deepscan\zhudongfangyu.exe
100 - 安全 - Process: 360Safe.exe [360安全衛士] - C:\Program Files\360\360safe\360Safe.exe
100 - 安全 - Process: 360tray.exe [360安全衛士實時保護模塊] - C:\Program Files\360\360safe\safemon\360tray.exe
100 - 安全 - Process: 360hotfix.exe [360安全衛士漏洞修復模塊] - C:\Program Files\360\360safe\360hotfix.exe
R1 - 安全 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINNT\system32\blank.htm
R1 - 安全 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINNT\system32\blank.htm
O1 - 安全 - Host: 127.0.0.1 localhost
O3 - 安全 - Toolbar: (@msdxmLC.dll,-1@2052,電臺(&R)) - [是Windows Media Player播放器ActiveX控制相關文件。] - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - 安全 - HKLM\..\Run: [Synchronization Manager] [資料同步管理器] mobsync.exe /logon
O4 - 安全 - HKLM\..\Run: [IgfxTray] [是Intel顯卡配置和診斷程序,會同Intel 810芯片組的集成顯卡安裝。] C:\WINNT\System32\igfxtray.exe
O4 - 安全 - HKLM\..\Run: [HotKeysCmds] [是Intel顯示卡相關程序,用於配置和診斷相關設備。] C:\WINNT\System32\hkcmd.exe
O4 - 安全 - HKLM\..\Run: [SoundMAXPnP] [analog device公司聲卡驅動程序。] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - 安全 - HKLM\..\Run: [SoundMAX] [analog device公司聲卡驅動程序。] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - 安全 - HKLM\..\Run: [SoundMan] [Realtek聲卡相關程序。] SOUNDMAN.EXE
O4 - 安全 - HKLM\..\Run: [360Safetray] [360safe實時保護功能模塊。] "C:\Program Files\360\360safe\safemon\360tray.exe" /start
O4 - 安全 - HKCU\..\Run: [Internat.exe] [輸入法在任務欄裏的圖標] internat.exe
O9 - 安全 - Extra button: 電臺(HKLM) - C:\WINNT\web\related.htm
O23 - 安全 - Service: EventSystem [] - C:\WINNT\System32\es.dll - (running)
O23 - 安全 - Service: Fax [微軟Microsoft傳真服務相關程序,該服務允許用戶創建和發送傳真到微軟Office組件中。] - C:\WINNT\system32\faxsvc.exe - (not running)
O23 - 安全 - Service: SoundMAX Agent Service (default) [是Analog SoundMAX聲卡產品相關程序。] - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe - (not running)
O23 - 安全 - Service: SysmonLog [Performance Logs and Alerts Service] - C:\WINNT\system32\smlogsvc.exe - (not running)
O23 - 安全 - Service: ZhuDongFangYu [360主動防禦的服務項,提供實時保護、文件變化監控、智能掃描加速等功能。關閉此服務可能導致木馬防不住、查不出,嚴重降低木馬掃描速度。] - "C:\Program Files\360\360safe\deepscan\zhudongfangyu.exe" - (running)
=======================================
O31 - 未知 - Notify: igfxcui - C:\WINNT\system32\igfxsrvc.dll - Intel Corporation - igfxsrvc Module - 3.0.0.1915 - 315392 - f31fbe239d110ff14f2f361166b26b47
O31 - 未知 - SEApproved: {42071714-76d4-11d1-8b24-00a0c9068ff3} - deskpan.dll - - - - 0 -
O31 - 未知 - SEApproved: 無效的CLSID:Shell extensions for file compression - - - - - 0 -
O31 - 未知 - SEApproved: 無效的CLSID:加密上下文菜單 - - - - - 0 -
O31 - 未知 - SEApproved: 無效的CLSID:Shell Extensions for RealOne Player - - - - - 0 -
O31 - 未知 - LSA: Security Packages - sv1_0.dll - - - - 0 -
O31 - 未知 - LSA: Security Packages - channel.dll - - - - 0 -
=======================================
O40 - Explorer.EXE - Intel Corporation - C:\WINNT\system32\igfxres.dll - xxxxres Module - a4a6f119c30ce3db56c8a1e88b7c4119
O40 - Explorer.EXE - Intel Corporation - C:\WINNT\System32\igfxdev.dll - igfxdev Module - 4d97374cd40035e3be7609129cdcd94b
=======================================
O41 - rm847x - MPEG Decoder Minidriver - C:\WINNT\system32\drivers\rm847x.sys - (running) - MPEG Decoder Minidriver - Sigma Designs Inc. - d046e5f400ea925c3597354fcc309c5d
O41 - rmstream - Stream Class Driver - C:\WINNT\system32\drivers\rmstream.sys - (running) - Stream Class Driver - Sigma Designs Inc. - e76d0fc8b4958572c143a6cb3fb48e39
O41 - {6080A529-897E-4629-A488-ABA0C29B635E} - Intel Graphics Platform (SoftBIOS) Driver for Windows 2000(R) & Windows XP(TM) - C:\WINNT\system32\drivers\ialmsbw.sys - (running) - Intel Graphics Platform (SoftBIOS) Driver for Windows 2000(R) & Windows XP(TM) - Intel Corporation - 9b808527870ebae0b1dfb90ef3f861b9
O41 - {D31A0762-0CEB-444e-ACFF-B049A1F6FE91} - Intel Graphics Chipset (KCH) Driver for Windows 2000(R) & Windows XP(TM) - C:\WINNT\system32\drivers\ialmkchw.sys - (running) - Intel Graphics Chipset (KCH) Driver for Windows 2000(R) & Windows XP(TM) - Intel Corporation - dba29fe70d66f5a82c860894c91b42c7
O41 - GMSIPCI - GMSIPCI - E:\INSTALL\GMSIPCI.SYS - (not running) - - -
O41 - senfilt - Sensaura WDM 3D Audio Driver - C:\WINNT\system32\drivers\senfilt.sys - (not running) - Sensaura WDM 3D Audio Driver - Sensaura - 118092cd20e1ef60fc846a5e190b6844
O41 - smwdm - SoundMAX Integrated Digital Audio - C:\WINNT\system32\drivers\smwdm.sys - (not running) - SoundMAX Integrated Digital Audio - Analog Devices, Inc. - 58cde3ec67aeab13507b74aad2f82df7
=======================================
360Safe.exe=6.1.0.1016
AntiAdwa.dll=5.1.1.1003
AntiEng.dll=5.0.0.1009
AntiActi.dll=2.0.0.3000
CleanHis.dll=4.2.0.1003
live.dll=1.0.2.1007
2. Applied all patches
------------------------------------------------------------------------------
One of them, patch KB923191 (vulnerability in Windows Explorer could allow remote execution), could never be applied successfully.
The KB958644 patch for the MS08-067 vulnerability has already been applied.
------------------------------------------------------------------------------
3. Scanned for the virus with the Symantec removal tool.
------------------------------------------------------------------------------
Symantec W32.Downadup Removal Tool 1.1.0.7
process: svchost.exe, thread: 00000228 (terminated)
process: svchost.exe, thread: 000003F0 (terminated)
process: svchost.exe, thread: 0000027C (terminated)
process: svchost.exe, thread: 00000278 (terminated)
process: svchost.exe, thread: 000003F8 (terminated)
process: svchost.exe, thread: 0000033C (terminated)
process: svchost.exe (terminated)
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\6J2R4Z6J\zfbuks[1].jpg: W32.Downadup.B (unrepairable) (deleted)
C:\WINNT\system32\iinulkmk.dll: W32.Downadup.B (unrepairable) (deleted)
C:\WINNT\system32\iinulkmk.jdq: W32.Downadup.B (unrepairable) (deleted)
scheduled job: Unable to enumerate scheduled jobs. Returned status 2184
scheduled job: Unable to enumerate scheduled jobs. Returned status 2184
W32.Downadup has been successfully removed from your computer!
Here is the report:
The total number of the scanned files: 12555
The number of deleted threat files: 3
The number of threat processes terminated: 1
The number of threat threads terminated: 6
The number of registry entries fixed: 0
The system requires a reboot but was not rebooted.
To clean up all remnants of the threat from the system it must be rebooted.
------------------------------------------------------------------------------
The next day I scanned again with the Symantec removal tool: infected again; it found and removed one virus file.
10 later (no unit given) I scanned again with the Symantec removal tool: infected again; it found and removed several virus files.
***************************************************************************************
Right in the middle of the New Year holiday, hit by a virus, no peace at all. Sigh........ Could some expert point me in the right direction? Many thanks in advance!