瑞星查到病毒名为Trojan.dockiller.p，但是仍有问题…… bbs.ikaka.com

jszgk123 - 2005-10-29 19:52:00

请高手帮忙！实验室好几台电脑中病毒了，用瑞星和诺盾都可以杀到，瑞星提示病毒名为Trojan.dockiller.p，其中被感染的文件都变成了可
执行性文件，文件夹下无法查看全部文件，进程中怀疑木马的doc.exe文件，在DOS下手动删除，同时取消启动项中该程序，但是现在的
问题是：
不管是用什么杀毒软件，杀完之后文件夹选项的查看全部文件仍然无法打开，重新调整之后，马上又复原到隐藏文件夹下，是不是还有未完全清除的木马或病毒呢？
好像这个病毒不太像WORD文件杀手病毒，因为他在C：\WINDOWS\下建立的是一个DOC.EXE文件，而不是SYS.EXE文件，难道是一个变种病毒？？
系统名称: WINDOWSXPSP1
[正在运行任务]

名称路径处理 ID 优先顺序最小工作设置最大工作设置开始时间版本大小文件日期
system idle process 不可用 0 0 不可用不可用不可用不可用不可用不可用
system 不可用 4 8 0 1413120 不可用不可用不可用不可用
smss.exe c:\windows\system32\smss.exe 576 11 204800 1413120 2005-10-24 23:52 5.1.2600.1106 (xpsp1.020828-1920) 44.50 KB (45,568 字节) 2002-10-7 12:00
csrss.exe 不可用 640 13 不可用不可用 2005-10-24 23:52 不可用不可用不可用
winlogon.exe c:\windows\system32\winlogon.exe 668 13 204800 1413120 2005-10-24 23:52 5.1.2600.1106 (xpsp1.020828-1920) 490.00 KB (501,760 字节) 2002-10-7 12:00
services.exe c:\windows\system32\services.exe 716 9 204800 1413120 2005-10-24 23:52 5.1.2600.0 (xpclient.010817-1148) 99.00 KB (101,376 字节) 2002-10-7 12:00
lsass.exe c:\windows\system32\lsass.exe 728 9 204800 1413120 2005-10-24 23:52 5.1.2600.1106 (xpsp1.020828-1920) 11.50 KB (11,776 字节) 2002-10-7 12:00
svchost.exe c:\windows\system32\svchost.exe 888 8 204800 1413120 2005-10-24 23:52 5.1.2600.0 (xpclient.010817-1148) 12.50 KB (12,800 字节) 2002-10-7 12:00
svchost.exe c:\windows\system32\svchost.exe 932 8 204800 1413120 2005-10-24 23:52 5.1.2600.0 (xpclient.010817-1148) 12.50 KB (12,800 字节) 2002-10-7 12:00
svchost.exe 不可用 1028 8 不可用不可用 2005-10-24 23:52 不可用不可用不可用
svchost.exe 不可用 1040 8 不可用不可用 2005-10-24 23:52 不可用不可用不可用
explorer.exe c:\windows\explorer.exe 1332 8 204800 1413120 2005-10-24 23:52 6.00.2800.1106 (xpsp1.020828-1920) 926.50 KB (948,736 字节) 2002-10-7 12:00
spoolsv.exe c:\windows\system32\spoolsv.exe 1400 8 204800 1413120 2005-10-24 23:52 5.1.2600.0 (XPClient.010817-1148) 50.00 KB (51,200 字节) 2002-10-7 12:00
alg.exe 不可用 1500 8 不可用不可用 2005-10-24 23:52 不可用不可用不可用
cdantsrv.exe c:\windows\system32\drivers\cdantsrv.exe 1516 8 204800 1413120 2005-10-24 23:52 3.24.010 31.50 KB (32,256 字节) 2005-9-22 22:09
defwatch.exe d:\symant~1\symant~1\defwatch.exe 1552 8 204800 1413120 2005-10-24 23:52 8.1.0.821 32.00 KB (32,768 字节) 2003-5-16 14:08
igfxtray.exe c:\windows\system32\igfxtray.exe 1688 8 204800 1413120 2005-10-24 23:52 3.0.0.2209 152.00 KB (155,648 字节) 2003-7-9 20:25
hkcmd.exe c:\windows\system32\hkcmd.exe 1704 8 204800 1413120 2005-10-24 23:52 3.0.0.2209 112.00 KB (114,688 字节) 2003-7-9 20:13
realsched.exe c:\program files\common files\real\update_ob\realsched.exe 1728 8 204800 1413120 2005-10-24 23:52 0.1.0.1622 148.04 KB (151,597 字节) 2005-3-20 23:00
vptray.exe d:\symant~1\symant~1\vptray.exe 1744 8 204800 1413120 2005-10-24 23:52 8.1.0.821 88.00 KB (90,112 字节) 2003-5-19 15:28
explore.exe c:\windows\system\explore.exe 1756 8 204800 1413120 2005-10-24 23:52 不可用 368.00 KB (376,832 字节) 2002-3-11 11:17
rtvscan.exe d:\symant~1\symant~1\rtvscan.exe 1768 8 204800 1413120 2005-10-24 23:52 8.1.0.821 596.00 KB (610,304 字节) 2003-5-30 10:37
taskmgr.exe c:\windows\system32\taskmgr.exe 1008 13 204800 1413120 2005-10-24 23:53 5.1.2600.1106 (xpsp1.020828-1920) 113.00 KB (115,712 字节) 2002-10-7 12:00
helpctr.exe c:\windows\pchealth\helpctr\binaries\helpctr.exe 1232 8 204800 1413120 2005-10-24 23:54 5.1.2600.1106 (xpsp1.020828-1920) 725.00 KB (742,400 字节) 2005-3-7 23:07
helpsvc.exe c:\windows\pchealth\helpctr\binaries\helpsvc.exe 1320 8 204800 1413120 2005-10-24 23:54 5.1.2600.1106 (xpsp1.020828-1920) 687.00 KB (703,488 字节) 2005-3-7 23:07
rnathchk.exe c:\program files\common files\real\update_ob\rnathchk.exe 1972 8 204800 1413120 2005-10-25 0:00 7.0.0.1176 56.04 KB (57,389 字节) 2005-3-20 23:00
wmiprvse.exe 不可用 228 8 不可用不可用 2005-10-25 0:00 不可用不可用不可用

jszgk123 - 2005-10-30 20:26:00

大侠们，帮帮忙啊！

七彩黄花菜萱草 - 2005-10-30 22:27:00

explore.exe c:\windows\system\explore.exe 值得怀疑.
下个Hijackthis 1.99.1吧
HijackThis1.99.1可以到【公告】反病毒论坛暂行条例（2005.9.12更新）及本版常用小工具1楼中下载
或.（反浏览器劫持版）置顶贴[必读]本版说明及常用小软件下载
用HijackThis扫描，然后把日志贴上来看看.

jszgk123 - 2005-11-1 21:36:00

谢谢了，先试试看！

jszgk123 - 2005-11-5 18:44:00

StartupList report, 2005-11-1, 下午 11:19:39
StartupList version: 1.52
Started from : D:\HijackThis.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
* Including empty and uninteresting sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
D:\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\SYSTEM\explore.exe
D:\SYMANT~1\SYMANT~1\DefWatch.exe
D:\SYMANT~1\SYMANT~1\Rtvscan.exe
D:\HijackThis.exe
C:\WINDOWS\notepad.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
D:\Microsoft Office\Office10\WINWORD.EXE
C:\WINDOWS\diskman.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\jszgk\「开始」菜单\程序\启动]
*No files*

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users\「开始」菜单\程序\启动]
*No files*

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

PHIME2002ASync = C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
IgfxTray = C:\WINDOWS\System32\igfxtray.exe
HotKeysCmds = C:\WINDOWS\System32\hkcmd.exe
TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
vptray = D:\SYMANT~1\SYMANT~1\vptray.exe
diskscan = C:\WINDOWS\SYSTEM\explore.exe
MSConfig = C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

jszgk123 - 2005-11-5 18:46:00

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
*No values found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\AutoCADScriptFile\shell\open\command

(Default) = C:\WINDOWS\NOTEPAD.EXE "%1"

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\System32\mshta.exe "%1" %*

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\INFERN~1.SCR
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\WINDOWS\System32\xunleibho_v5.dll - {0005A87D-D626-4B3A-84F9-1D9571695F55}
(no name) - C:\WINDOWS\System32\NaviHelper.dll - {3E422F49-1566-40D3-B43D-077EF739AC32}
(no name) - d:\Program Files\Tencent\QQ\QQIEHelper.dll - {54EBD53A-9BC1-480B-966A-843A333CA162}
(no name) - C:\Program Files\justDo\FlashSaver\Jd2002.dll - {A44CBB0B-C77D-4BF5-87CC-B4EE79AD1B7E}
(no name) - C:\WINDOWS\System32\qylhelper.dll - {CE7C3CF0-4B15-11D1-ABED-709549C10000}

--------------------------------------------------

Enumerating Task Scheduler jobs:

*No jobs found*

--------------------------------------------------

Enumerating Download Program Files:

[DirectAnimation Java Classes]
CODEBASE = file://C:\WINDOWS\Java\classes\dajava.cab
OSD = C:\WINDOWS\Downloaded Program Files\DirectAnimation Java Classes.osd

[Microsoft XML Parser for Java]
CODEBASE = file://C:\WINDOWS\Java\classes\xmldso.cab
OSD = C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

[InstaFred]
InProcServer32 = C:\WINDOWS\DOWNLO~1\InstFred.ocx
CODEBASE = file://D:\AUTOCAD\InstFred.ocx

[{24311111-1111-1121-1111-111191113457}]
CODEBASE = file://c:\eied_s7.cab

[{33331111-1111-1111-1111-611111193457}]
CODEBASE = file://c:\ex.cab

[{33331111-1111-1111-1111-611111193458}]
CODEBASE = file://c:\ex.cab

[{43331111-1111-1111-1111-611111195622}]
CODEBASE = file://c:\ex.cab

[AcDcToday 控件]
InProcServer32 = C:\WINDOWS\DOWNLO~1\ACDCTO~1.OCX
CODEBASE = file://D:\AUTOCAD\AcDcToday.ocx

[NOXLATE-BANR]
InProcServer32 = C:\WINDOWS\DOWNLO~1\InstBanr.ocx
CODEBASE = file://D:\AUTOCAD\InstBanr.ocx

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\Macromed\Flash\Flash8.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[AcPreview 控件]
InProcServer32 = C:\WINDOWS\DOWNLO~1\ACPREV~1.OCX
CODEBASE = file://D:\AUTOCAD\AcPreview.ocx

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINDOWS\System32\mswsock.dll
NameSpace #2: C:\WINDOWS\System32\winrnr.dll
NameSpace #3: C:\WINDOWS\System32\mswsock.dll
Protocol #1: C:\WINDOWS\system32\mswsock.dll
Protocol #2: C:\WINDOWS\system32\mswsock.dll
Protocol #3: C:\WINDOWS\system32\mswsock.dll
Protocol #4: C:\WINDOWS\system32\rsvpsp.dll
Protocol #5: C:\WINDOWS\system32\rsvpsp.dll
Protocol #6: C:\WINDOWS\system32\mswsock.dll
Protocol #7: C:\WINDOWS\system32\mswsock.dll
Protocol #8: C:\WINDOWS\system32\mswsock.dll
Protocol #9: C:\WINDOWS\system32\mswsock.dll
Protocol #10: C:\WINDOWS\system32\mswsock.dll
Protocol #11: C:\WINDOWS\system32\mswsock.dll
Protocol #12: C:\WINDOWS\system32\mswsock.dll
Protocol #13: C:\WINDOWS\system32\mswsock.dll
Protocol #14: C:\WINDOWS\system32\mswsock.dll
Protocol #15: C:\WINDOWS\system32\mswsock.dll

瑞星卡卡安全论坛