【求助】清除了cq0dll.dll病毒，还是没解决杀毒软件被自动关闭的问题！ bbs.ikaka.com

飞鸿踏雪3344 - 2005-10-12 14:54:00

Windows98se操作系统，中了病毒，瑞星被自动关闭，
换了Symantec AntiVirus，进入系统，Symantec AntiVirus文件实时防护被关闭，手动也启用不了！！
msconfig中没有可疑启动项，到安全模式下查杀，发现cq0dll.dll、RUNDLL32.EXE等病毒，清除失败，隔离失败！
***********************************************************
在网上搜到的：
“病毒的EXE程序没有建立启动项，而是使用了替换原来系统文件的方法来达到病毒程序可被运行的目的，病毒感染系统后将原系统文件C:\WINDOWS\RUNDLL32.EXE（调用运行DLL的系统程序）和C:\WINDOWS\SYSTEM\INTERNAT.EXE（输入法）复制备份到C盘根目录变成C:\INTERNAT.EXE和C:\RUNDLL32.EXE，然后用病毒自身覆盖掉C:\WINDOWS\RUNDLL32.EXE和C:\WINDOWS\SYSTEM\INTERNAT.EXE，以后在系统启动时（输入法INTERNAT.EXE在启动项中）或一些操作（如查看文件属性、打开控制面板等操作时会调用到RUNDLL32.EXE）时病毒就会被激活，因此也较难清除/删除此病毒。
清除方法：
Windows 9X的用户可以到DOS下将C盘根目录的那两个程序覆盖掉系统里的病毒文件。重新启动计算机，按“F8”键，在出现“Start Menu”启动菜单后选择“Command Prompt Only”进入DOS，然后依此执行以下命令完成覆盖操作：

attrib -s -h -r C:\WINDOWS\RUNDLL32.EXE
attrib -s -h -r C:\WINDOWS\SYSTEM\INTERNAT.EXE
copy C:\RUNDLL32.EXE C:\WINDOWS\RUNDLL32.EXE
copy C:\INTERNAT.EXE C:\WINDOWS\SYSTEM\INTERNAT.EXE

************************************************************
在C盘根目录下的确发现了INTERNAT.EXE和RUNDLL32.EXE！
按照上面方法：
attrib -s -h -r C:\WINDOWS\RUNDLL32.EXE
attrib -s -h -r C:\WINDOWS\SYSTEM\INTERNAT.EXE
copy C:\RUNDLL32.EXE C:\WINDOWS\RUNDLL32.EXE
copy C:\INTERNAT.EXE C:\WINDOWS\SYSTEM\INTERNAT.EXE
重启以后Symantec AntiVirus文件实时防护依然被自动关闭，手动也启用不了！问题没有解决：（
************************************************************
附hijackthis日志：
HijackThis_zww汉化版扫描日志 V1.99.1
保存于 14:14:29, 日期 05-10-12
操作系统： Windows 98 SE (Win9x 4.10.2222A)
浏览器： Internet Explorer v5.00 (5.00.2614.3500)

当前运行的进程：
[pid] [full path to filename] [file version] [company name]
-15766479 C:\WINDOWS\SYSTEM\KERNEL32.DLL 4.10.0.2222 Microsoft Corporation
-21019 C:\WINDOWS\SYSTEM\MSGSRV32.EXE 4.10.0.2222 Microsoft Corporation
-9163 C:\WINDOWS\SYSTEM\MPREXE.EXE 4.10.0.1998 Microsoft Corporation
-1279 C:\WINDOWS\EXPLORER.EXE 4.72.3110.1 Microsoft Corporation
-77863 C:\WINDOWS\RUNDLL32.EXE 4.10.0.1998 Microsoft Corporation
-156283 C:\WINDOWS\SYSTEM\DDHELP.EXE 4.6.3.518 Microsoft Corporation

O4 - 启动项HKLM\\Run: [SystemTray] SysTray.Exe
O4 - 启动项HKLM\\Run: [internat.exe] internat.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.microsoft.com/
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 219.150.32.132,219.146.0.130
O18 - 列举现有的协议: http - {79EAC9E2-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\SYSTEM\urlmon.dll
O18 - 列举现有的协议: ftp - {79EAC9E3-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\SYSTEM\urlmon.dll
O18 - 列举现有的协议: gopher - {79EAC9E4-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\SYSTEM\urlmon.dll
O18 - 列举现有的协议: https - {79EAC9E5-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\SYSTEM\urlmon.dll
O18 - 列举现有的协议: mk - {79EAC9E6-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\SYSTEM\urlmon.dll
O18 - 列举现有的协议: file - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\SYSTEM\urlmon.dll
O18 - 列举现有的协议: local - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\SYSTEM\urlmon.dll
O18 - 列举现有的协议: cdl - {3DD53D40-7B8B-11D0-B013-00AA0059CE02} - C:\WINDOWS\SYSTEM\urlmon.dll
O18 - 列举现有的协议: javascript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\SYSTEM\MSHTML.DLL
O18 - 列举现有的协议: vbscript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\SYSTEM\MSHTML.DLL
O18 - 列举现有的协议: about - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\SYSTEM\MSHTML.DLL
O18 - 列举现有的协议: res - {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\SYSTEM\MSHTML.DLL
O18 - 列举现有的协议: mailto - {3050F3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\SYSTEM\MSHTML.DLL
O18 - 列举现有的协议: sysimage - {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\SYSTEM\MSHTML.DLL
O18 - 列举现有的协议: its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\SYSTEM\ITSS.DLL
O18 - 列举现有的协议: ms-its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\SYSTEM\ITSS.DLL
O18 - 列举现有的协议: mhtml - {05300401-BCBC-11D0-85E3-00C04FD85AB4} - C:\WINDOWS\SYSTEM\INETCOMM.DLL
O18 - 列举现有的协议: msdaipp - (no CLSID) - (no file)
O18 - 列举现有的协议: vnd.ms.radio - {3DA2AA3B-3D96-11D2-9BD2-204C4F4F5020} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O18 - 列举现有的协议: ipp - (no CLSID) - (no file)

************************************************************
哪位大侠帮忙分析一下吧！！万分感谢！！！

飞鸿踏雪3344 - 2005-10-18 10:55:00

启动项报告： 05-10-18, 10:33:24
启动项扫描器版本： 1.52.2
开始于： D:\BACKUP\HIJACKTHIS1991.EXE
系统检测： Windows 98 SE (Win9x 4.10.2222A)
系统检测： Internet Explorer v5.00 (5.00.2614.3500)
* 使用默认选项
* 选择“列出全部(全面)”方式
==================================================

当前运行的进程：

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
D:\BACKUP\HIJACKTHIS1991.EXE

--------------------------------------------------

文件夹中的启动项

Shell folders Startup:
[C:\WINDOWS\Start Menu\Programs\启动]
*No files*

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\WINDOWS\All Users\Start Menu\Programs\启动]
*No files*

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

注册表中的启动项:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

SystemTray = SysTray.Exe
internat.exe = internat.exe

--------------------------------------------------

注册表中的启动项:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

* 未找到值 *

--------------------------------------------------

注册表中的启动项:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

* 未找到值 *

--------------------------------------------------

注册表中的启动项:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

* 未找到值 *

--------------------------------------------------

注册表中的启动项:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

* 未找到值 *

--------------------------------------------------

注册表中的启动项:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

* 未找到值 *

--------------------------------------------------

注册表中的启动项:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

* 未找到值 *

--------------------------------------------------

注册表中的启动项:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

* 未找到相关注册表键值 *

--------------------------------------------------

注册表中的启动项:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

* 未找到相关注册表键值 *

--------------------------------------------------

注册表中的启动项:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

* 未找到相关注册表键值 *

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
* 未找到值 *

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
* 未找到相关注册表键值 *

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
* 未找到相关注册表键值 *

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
* 未找到相关注册表键值 *

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
* 未找到相关注册表键值 *

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
* 未找到相关注册表键值 *

--------------------------------------------------

文件打开方式关联 for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(黙认) = "%1" %*

--------------------------------------------------

文件打开方式关联 for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(黙认) = "%1" %*

--------------------------------------------------

文件打开方式关联 for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(黙认) = "%1" %*

--------------------------------------------------

文件打开方式关联 for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(黙认) = "%1" %*

--------------------------------------------------

文件打开方式关联 for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(黙认) = "%1" /S

--------------------------------------------------

文件打开方式关联 for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(黙认) = C:\WINDOWS\SYSTEM\MSHTA.EXE "%1" %*

--------------------------------------------------

文件打开方式关联 for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(黙认) = C:\WINDOWS\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

* 未找到相关注册表键值 *

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=
run=

--------------------------------------------------

外壳扩展和屏幕保护程序的键值从 C:\WINDOWS\SYSTEM.INI:

Shell=Explorer.exe
SCRNSAVE.EXE=
drivers=mmsystem.dll power.drv

--------------------------------------------------

C:\WINDOWS\WININIT.INI listing:
(Created 18/10/2005, 10:14:42)

[rename]
NUL=C:\WINDOWS\DOWNLO~1\CNSHOOK.DLL
NUL=C:\WINDOWS\DOWNLO~1\CNSHOOK.DLL
NUL=C:\WINDOWS\DOWNLO~1\CNSMIN.DLL
NUL=C:\WINDOWS\DOWNLO~1\CNSMINIO.DLL
NUL=C:\WINDOWS\DOWNLO~1\CNSIO.DLL

--------------------------------------------------

C:\WINDOWS\WININIT.BAK listing:
(Created 10/10/2005, 13:54:36)

[Rename]
C:\WINDOWS\SYSTEM\MSVCRT.DLL=C:\WINDOWS\SYSTEM\TBM5063.TMP
C:\WINDOWS\SYSTEM\shfolder.dll=C:\WINDOWS\SYSTEM\shfolder.001
C:\WINDOWS\SYSTEM\shfolder.dll=C:\WINDOWS\SYSTEM\shfolder.002

--------------------------------------------------

C:\AUTOEXEC.BAT listing:

*File is empty*

--------------------------------------------------

C:\WINDOWS\WINSTART.BAT listing:

*File not found*

--------------------------------------------------

列举IE浏览器辅助对象(BHO模块):

* 没有发现 BHO 模块 *

--------------------------------------------------

列举“计划任务”服务:

启用 Application Start.job
维护磁盘碎片整理程序.job
维护磁盘扫描程序.job
维护磁盘清理程序.job

--------------------------------------------------

列举下载的程序文件：

[Microsoft XML Parser for Java]
CODEBASE = file://C:\WINDOWS\Java\classes\xmldso4.cab
OSD = C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

[DirectAnimation Java Classes]
CODEBASE = file://C:\WINDOWS\SYSTEM\dajava.cab
OSD = C:\WINDOWS\Downloaded Program Files\DirectAnimation Java Classes.osd

[Internet Explorer Classes for Java]
CODEBASE = file://C:\WINDOWS\SYSTEM\iejava.cab
OSD = C:\WINDOWS\Downloaded Program Files\Internet Explorer Classes for Java.osd

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[{00000161-0000-0010-8000-00AA00389B71}]
CODEBASE = http://codecs.microsoft.com/codecs/i386/msaudio.cab

--------------------------------------------------

列举 Winsock LSP 文件：

NameSpace #1: C:\WINDOWS\SYSTEM\rnr20.dll
Protocol #1: C:\WINDOWS\SYSTEM\mswsosp.dll
Protocol #2: C:\WINDOWS\SYSTEM\msafd.dll
Protocol #3: C:\WINDOWS\SYSTEM\msafd.dll
Protocol #4: C:\WINDOWS\SYSTEM\msafd.dll
Protocol #5: C:\WINDOWS\SYSTEM\rsvpsp.dll
Protocol #6: C:\WINDOWS\SYSTEM\rsvpsp.dll

--------------------------------------------------

列举 ShellServiceObjectDelayLoad 项目：

WebCheck: C:\WINDOWS\SYSTEM\WEBCHECK.DLL

--------------------------------------------------
注册表中的启动项:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

* 未找到相关注册表键值 *

--------------------------------------------------

注册表中的启动项:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

* 未找到相关注册表键值 *

--------------------------------------------------

报告完毕，共 10,541 字节
报告生成用时：0.105秒

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

瑞星卡卡安全论坛