A friend's machine: QQ Doctor reported a password-stealing Trojan, so he downloaded Kaspersky 8 from a website to scan for viruses, but after the installation finished the computer became extremely slow and could not be operated... I had him reboot into Safe Mode with Networking, download DrWeb CureIt! and scan; it found and removed some viruses, but after a normal boot the problem was still there... so he asked me to take a look.
Pressing Ctrl+Alt+Del got no response at all, so I had to reset the machine and boot into Safe Mode with Networking. I then downloaded pe_xscan, ran a scan and analysed the log, and found the following suspicious items (in the process-module section, repeated entries are omitted):
pe_xscan 08-03-27 by Purple Endurer
2008-4-12 11:46:2
Windows XP Service Pack 2(5.1.2600)
管理员用户组
带网络连接的安全模式

[System Process] * 0
C:/WINDOWS/system32/fhdoor1.dll | 2004-8-17 4:0:0
C:/WINDOWS/Fonts/mndoor0.dll | 2004-8-17 4:0:0
C:/WINDOWS/system32/qhdoor1.dll | 2004-8-17 4:0:0
C:/WINDOWS/system32/qsdoor0.dll | 2004-8-17 4:0:0
C:/WINDOWS/system32/qzdoor0.dll | 2004-8-17 4:0:0
C:/WINDOWS/system32/qqdoor0.dll | 2004-8-17 4:0:0

C:/WINDOWS/Explorer.EXE* 276 | 2004-8-17 4:0:0 | Microsoft(R) Windows(R) Operating System | 6.00.2900.3156 | Windows Explorer | (C) Microsoft Corporation. All rights reserved. | 6.00.2900.3156 (xpsp_sp2_gdr.070613-1234) | Microsoft Corporation| ? | explorer | EXPLORER.EXE
C:/WINDOWS/system32/qhdoor1.dll | 2004-8-17 4:0:0
C:/Program Files/Internet Explorer/OnlO0r.dll | 2008-3-22 0:36:54 | Microsoft Windows Operating System | 6.00.2900.3028 | Microsoft Corporation Windows DLL | Copyright (C) 2001.01 | 1. 0. 0. 1 | Microsoft Corporation| ? | Windows.dll | Windows.dll
C:/WINDOWS/Fonts/mndoor0.dll | 2004-8-17 4:0:0
C:/WINDOWS/system32/qqdoor0.dll | 2004-8-17 4:0:0
C:/WINDOWS/system32/qzdoor0.dll | 2004-8-17 4:0:0
C:/WINDOWS/system32/qsdoor0.dll | 2004-8-17 4:0:0
C:/WINDOWS/system32/fhdoor1.dll | 2004-8-17 4:0:0

O2 - BHO - {C2626E66-D21B-E628-C1DF-1DACCFA36ED2} - C:/Program Files/Common Files/fjOs0r.dll
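A small triage pass over module lines in this log format, added here as an example (it is not part of the original post and not pe_xscan's own code): it parses the `path | timestamp | version fields...` lines and flags the three things that stand out in the log above, namely modules with no version resource at all, DLLs loaded from the Fonts directory, and files whose reported original file name disagrees with the name on disk. The sample lines are copied from the log above; the column layout is assumed from that log.

```python
import re
from dataclasses import dataclass

# Module lines taken from the pe_xscan log above (constructed sample input).
LOG = """\
C:/WINDOWS/system32/fhdoor1.dll | 2004-8-17 4:0:0
C:/WINDOWS/Fonts/mndoor0.dll | 2004-8-17 4:0:0
C:/WINDOWS/Explorer.EXE* 276 | 2004-8-17 4:0:0 | Microsoft(R) Windows(R) Operating System | 6.00.2900.3156 | Windows Explorer | (C) Microsoft Corporation. All rights reserved. | 6.00.2900.3156 (xpsp_sp2_gdr.070613-1234) | Microsoft Corporation| ? | explorer | EXPLORER.EXE
C:/Program Files/Internet Explorer/OnlO0r.dll | 2008-3-22 0:36:54 | Microsoft Windows Operating System | 6.00.2900.3028 | Microsoft Corporation Windows DLL | Copyright (C) 2001.01 | 1. 0. 0. 1 | Microsoft Corporation| ? | Windows.dll | Windows.dll
"""

@dataclass
class Module:
    path: str
    timestamp: str
    version_fields: list  # remaining '|' separated fields; empty when no version resource

def parse_log(text):
    """Parse 'path | timestamp | version fields...' lines (assumed pe_xscan layout)."""
    mods = []
    for line in text.splitlines():
        if "|" not in line:
            continue
        parts = [p.strip() for p in line.split("|")]
        # Process images carry a '* <pid>' suffix after the path; strip it.
        path = re.sub(r"\*\s*\d+$", "", parts[0]).strip()
        mods.append(Module(path, parts[1], parts[2:]))
    return mods

def triage(mods):
    """Return {path: [reasons]} for modules that deserve a closer look."""
    findings = {}
    for m in mods:
        reasons = []
        name = m.path.rsplit("/", 1)[-1].lower()
        if not m.version_fields:
            reasons.append("no version resource")
        if "/fonts/" in m.path.lower() and name.endswith(".dll"):
            reasons.append("DLL loaded from Fonts directory")
        if m.version_fields:
            # Last column is the OriginalFilename from the version resource.
            original = m.version_fields[-1].lower()
            if original and original != name:
                reasons.append(f"OriginalFilename '{original}' != on-disk name '{name}'")
        if reasons:
            findings[m.path] = reasons
    return findings

if __name__ == "__main__":
    for path, reasons in triage(parse_log(LOG)).items():
        print(path, "->", "; ".join(reasons))
```

The legitimate Explorer.EXE entry passes all three checks, while the door DLLs and OnlO0r.dll are each flagged for a different reason.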