悲魔剑 - 2005-11-29 12:06:00
Turned on my computer today, ran a scan, and found this:
Logfile of HijackThis v1.99.1
Scan saved at 12:02:35, on 2005-11-29
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\conime.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\陆子乾\桌面\反病毒\HijackThis.exe
O2 - BHO: ThunderIEHelper Class - {0005A87D-D626-4B3A-84F9-1D9571695F55} - C:\WINDOWS\System32\xunleibho_v8.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: 电台(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [hgqhp.exe] C:\WINDOWS\System32\hgqhp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: &使用迅雷下载 - C:\Program Files\Thunder Network\Thunder\geturl.htm
O8 - Extra context menu item: &使用迅雷下载全部链接 - C:\Program Files\Thunder Network\Thunder\getallurl.htm
O8 - Extra context menu item: Google 搜索(&G) - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: 反向链接 - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: 添加到QQ自定义面板 - C:\Program Files\Tencent\qq\AddPanel.htm
O8 - Extra context menu item: 添加到QQ表情 - C:\Program Files\Tencent\qq\AddEmotion.htm
O8 - Extra context menu item: 用QQ彩信发送该图片 - C:\Program Files\Tencent\qq\SendMMS.htm
O8 - Extra context menu item: 类似网页 - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: 缓存的网页快照 - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: 翻译英文字词(&T) - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O9 - Extra button: 浩方对战平台 - {0A155D3C-68E2-4215-A47A-E800A446447A} - C:\Program Files\浩方对战平台\GameClient.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{2E5379E9-D231-4DFA-B931-13DA0C97C602}: NameServer = 85.255.113.107,85.255.112.75
O17 - HKLM\System\CS1\Services\Tcpip\..\{2E5379E9-D231-4DFA-B931-13DA0C97C602}: NameServer = 85.255.113.107,85.255.112.75
O17 - HKLM\System\CS2\Services\Tcpip\..\{2E5379E9-D231-4DFA-B931-13DA0C97C602}: NameServer = 85.255.113.107,85.255.112.75
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
Of these, the following entries are new:
O4 - HKLM\..\Run: [hgqhp.exe] C:\WINDOWS\System32\hgqhp.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{2E5379E9-D231-4DFA-B931-13DA0C97C602}: NameServer = 85.255.113.107,85.255.112.75
O17 - HKLM\System\CS1\Services\Tcpip\..\{2E5379E9-D231-4DFA-B931-13DA0C97C602}: NameServer = 85.255.113.107,85.255.112.75
O17 - HKLM\System\CS2\Services\Tcpip\..\{2E5379E9-D231-4DFA-B931-13DA0C97C602}: NameServer = 85.255.113.107,85.255.112.75
I don't know what they are. Could everyone please help take a look?
悲魔剑 - 2005-11-29 12:09:00
Also, after clicking Search on IE's standard toolbar, a page saying "brought to you by 3721 网络实名" popped up... disgusting. How do I remove it? Hope someone can tell me.
天使之剑 - 2005-11-29 12:11:00
[Reply to the post by "悲魔剑"]

Please scan the following file with the two multi-engine scanners below:
C:\WINDOWS\System32\hgqhp.exe
Multi-engine scan, VirusTotal:
http://www.virustotal.com/
Multi-engine scan, Jotti:
http://virusscan.jotti.org/
Please be sure to paste the complete report.
The O17 entries are changes related to DNS resolution.
飞跃迷离 - 2005-11-29 12:24:00
Restart into Safe Mode (how to enter Safe Mode: restart the computer, and once the power-on self-test has finished press [F8] (you can keep pressing it until the boot menu appears), then choose Safe Mode to enter Windows.)
Close all IE windows, scan again with HijackThis, tick the items suggested for fixing below, and let HijackThis fix them; before fixing, allow HijackThis to keep a backup. (If you know an item is safe, you need not tick it.)
O4 - HKLM\..\Run: [hgqhp.exe] C:\WINDOWS\System32\hgqhp.exe
Then open My Computer → Tools → Folder Options → View → untick "Hide protected operating system files (Recommended)" and "Hide extensions for known file types" → select "Show hidden files and folders" → locate the following file and delete it (if present):
C:\WINDOWS\System32\hgqhp.exe
悲魔剑 - 2005-11-29 12:24:00
This is a report processed by VirusTotal on 11/29/2005 at 05:25:20 (CET) after scanning the file "__38470" file.
Antivirus Version Update Result
AntiVir 6.32.0.6 11.28.2005 Heuristic/Trojan.Downloader
Avast 4.6.695.0 11.26.2005 no virus found
AVG 718 11.28.2005 no virus found
Avira 6.32.0.6 11.28.2005 Heuristic/Trojan.Downloader
BitDefender 7.2 11.29.2005 Trojan.DNSChanger.R
CAT-QuickHeal 8.00 11.28.2005 (Suspicious) - DNAScan
ClamAV devel-20051108 11.28.2005 no virus found
DrWeb 4.33 11.28.2005 no virus found
eTrust-Iris 7.1.194.0 11.29.2005 no virus found
eTrust-Vet 11.9.1.0 11.28.2005 no virus found
Fortinet 2.48.0.0 11.29.2005 suspicious
F-Prot 3.16c 11.28.2005 no virus found
Ikarus 0.2.59.0 11.28.2005 no virus found
Kaspersky 4.0.2.24 11.29.2005 no virus found
McAfee 4638 11.28.2005 no virus found
NOD32v2 1.1307 11.28.2005 a variant of Win32/DNSChanger
Norman 5.70.10 11.28.2005 no virus found
Panda 8.02.00 11.28.2005 Trj/DNSChanger.BD
Sophos 4.00.0 11.28.2005 no virus found
Symantec 8.0 11.29.2005 no virus found
TheHacker 5.9.1.045 11.28.2005 no virus found
VBA32 3.10.5 11.28.2005 suspected of Trojan-Downloader.Agent.31
悲魔剑 - 2005-11-29 12:24:00
Jotti's malware scan 2.99-TRANSITION_TO_3.00
File: hgqhp.exe
Status: INFECTED/MALWARE
MD5 2aa00930a7d48237bab13de162b38f53
Packers detected: -
Scanner results
AntiVir Found Heuristic/Trojan.Downloader (probable variant)
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found Trojan.DNSChanger.R
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found a variant of Win32/DNSChanger
Norman Virus Control Found nothing
UNA Found nothing
VBA32 Found Trojan-Downloader.Agent.31 (probable variant)
天使之剑 - 2005-11-29 12:31:00
[Reply to the post by "悲魔剑"]

Thank you for your cooperation.
Please first follow moderator 飞跃's advice to carry out the fix.
In addition, this trojan changes the DNS settings, so please also fix all of the O17 entries:
O17 - HKLM\System\CCS\Services\Tcpip\..\{2E5379E9-D231-4DFA-B931-13DA0C97C602}: NameServer = 85.255.113.107,85.255.112.75
O17 - HKLM\System\CS1\Services\Tcpip\..\{2E5379E9-D231-4DFA-B931-13DA0C97C602}: NameServer = 85.255.113.107,85.255.112.75
O17 - HKLM\System\CS2\Services\Tcpip\..\{2E5379E9-D231-4DFA-B931-13DA0C97C602}: NameServer = 85.255.113.107,85.255.112.75
Once the fix is complete, if the problem persists, please follow up in this thread and describe the situation.
The above suggestions are for reference only; if you recognize some of these settings, or they are settings you made by hand yourself, there is no need to carry them out.
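The O17 entries this reply asks to fix are the footprint a DNS changer leaves: the same pair of resolvers written into every control set (CCS, CS1, CS2), so that the setting survives a "Last Known Good" boot. The script below is an added example for this thread, not a tool from the forum, from HijackThis or from any scanner: it parses HijackThis O17 lines and flags any NameServer that is neither on an allowlist of expected resolvers nor on the local network. The three O17 lines in SAMPLE_LOG are copied from the log posted above; the fourth line (192.168.1.1, all-zero GUID) and the EXPECTED_RESOLVERS allowlist are constructed assumptions standing in for what the owner's router or ISP would normally hand out.

```python
"""Flag HijackThis O17 NameServer entries that point at unexpected resolvers.

Added example for this thread, not code from the forum or from HijackThis.
"""
import ipaddress
import re

# Constructed sample: the O17 lines with 85.255.x.x come from the log posted
# in this thread; the 192.168.1.1 line with an all-zero GUID is a constructed
# benign entry so the example shows a resolver that is NOT flagged.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [hgqhp.exe] C:\WINDOWS\System32\hgqhp.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{2E5379E9-D231-4DFA-B931-13DA0C97C602}: NameServer = 85.255.113.107,85.255.112.75
O17 - HKLM\System\CS1\Services\Tcpip\..\{2E5379E9-D231-4DFA-B931-13DA0C97C602}: NameServer = 85.255.113.107,85.255.112.75
O17 - HKLM\System\CS2\Services\Tcpip\..\{2E5379E9-D231-4DFA-B931-13DA0C97C602}: NameServer = 85.255.113.107,85.255.112.75
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 192.168.1.1
"""

# Constructed allowlist (assumption): the resolvers this machine should be using.
EXPECTED_RESOLVERS = {ipaddress.ip_address("192.168.1.1")}

# "O17 - <registry key>: NameServer = <ip>[,<ip>...]"
O17_RE = re.compile(
    r"^O17 - (?P<key>HKLM\\System\\\S+?): NameServer = (?P<servers>[0-9.,]+)\s*$"
)


def parse_o17(log_text):
    """Return a list of (registry key, [ip, ...]) for every O17 NameServer line."""
    entries = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue
        servers = []
        for raw in m.group("servers").split(","):
            raw = raw.strip()
            if raw:
                servers.append(ipaddress.ip_address(raw))
        entries.append((m.group("key"), servers))
    return entries


def is_expected(ip, expected=EXPECTED_RESOLVERS):
    """A resolver is expected if it is allowlisted or lives on the local network."""
    return ip in expected or ip.is_private


def unexpected_nameservers(log_text, expected=EXPECTED_RESOLVERS):
    """List (registry key, resolver) pairs that a cleanup should inspect.

    Every control set is checked, not only CurrentControlSet, because the
    changer in this thread wrote the same resolvers into CCS, CS1 and CS2.
    """
    return [
        (key, str(ip))
        for key, servers in parse_o17(log_text)
        for ip in servers
        if not is_expected(ip, expected)
    ]


def control_sets_affected(log_text, expected=EXPECTED_RESOLVERS):
    """Sorted names of the control sets (CCS, CS1, CS2, ...) that carry a bad resolver."""
    sets = set()
    for key, _ in unexpected_nameservers(log_text, expected):
        sets.add(key.split("\\")[2])  # HKLM\System\<control set>\Services\...
    return sorted(sets)


if __name__ == "__main__":
    for key, ip in unexpected_nameservers(SAMPLE_LOG):
        print(f"unexpected resolver {ip} in {key}")
    print("control sets to fix:", control_sets_affected(SAMPLE_LOG))
```

If only CurrentControlSet were cleaned, the stale copies in CS1/CS2 would report nothing wrong after a reboot into a different control set yet still hand out the attacker's resolvers, which is why the check reports every control set rather than only CCS.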
天使之剑 - 2005-11-29 12:34:00
[Reply to the post by "悲魔剑"]

It seems you aren't running antivirus software or a firewall... that is very dangerous.
© 2000 - 2026 Rising Corp. Ltd.