瑞星卡卡安全论坛

最近我的电脑在关机的时候发现点了关闭后没有反映，只在等一会以后才出现一个结束任务的窗口，上面就是正在结束qqjddExe，请问这是什么？是病毒吗？

没见过这个东西，贴个Hijackthis日志上来看看

HijackThis@Qoo的扫描日志  V1.97.7
Scan saved at 10:03:38, on 2006-12-15
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Rising\Rav\CCenter.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Rising\Rav\Ravmond.exe
c:\program files\rising\rfw\rfwsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Rising\Rav\RavStub.exe
c:\program files\rising\rfw\RfwMain.exe
C:\Program Files\Rising\Rav\RavTask.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\Rising\Rav\Ravmon.exe
C:\Program Files\Rising\AntiSpyware\runiep.exe
C:\Program Files\Tencent\qq\QQ.exe
C:\Program Files\Tencent\QQ\TIMPlatform.exe
C:\Program Files\Tencent\qq\QQexternal.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
D:\Program Files\Tencent\TT\TTraveler.exe
D:\Program Files\Tencent\TT\TCPlus.exe
C:\Documents and Settings\Administrator\桌面\hijackthis1.97_qoo\HijackThis.exe

O2 - BHO: WebThunderBHO - {00000AAA-A363-466E-BEF5-9BB68697AA7F} - D:\Program Files\Thunder Network\WebThunder\WebThunderBHO_015.dll
O2 - BHO: ThunderBHO - {0005A87C-D626-4B3A-84F9-1D9571695F55} - D:\Program Files\Thunder Network\Thunder\ComDlls\XunLeiBHO_006.dll
O2 - BHO: (no name) - {0005A87D-D626-4B3A-84F9-1D9571695F55} - C:\WINDOWS\system32\xunleibho_v5.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SafeMe Internet Explorer Helper - {3AE06CEE-58A6-4F5F-AF89-6C5350842F16} - C:\WINDOWS\system32\SafeHelper12.dll
O3 - Toolbar: ????? - {DB9ECD4F-FB8F-4311-B3CE-90B976C2707C} - C:\WINDOWS\system32\kakatool.dll
O4 - HKLM\..\Run: [RavTask] "C:\Program Files\Rising\Rav\RavTask.exe" -system
O4 - HKLM\..\Run: [RfwMain] "c:\program files\rising\rfw\rfwmain.exe" -startup
O4 - HKLM\..\Run: [IMSCMig] C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMSC40A\IMSCMIG.EXE /Preload
O4 - HKLM\..\Run: [runeip] C:\Program Files\Rising\AntiSpyware\runiep.exe
O4 - Startup: NTUSER.DAT
O4 - Startup: NTUSER.DAT.LOG
O4 - Startup: ntuser.ini
O4 - Startup: dir
O4 - Startup: ntuser.pol
O4 - Startup: Motorola_Driver_Log.txt
O4 - Startup: USBMOT2000.INF
O4 - Startup: usbsermpt.sys
O4 - Startup: USB_CMCS_2000.INF
O4 - Startup: usbsermptxp.sys
O4 - Startup: USBMOT2000XP.INF
O4 - Startup: 1164786270-oem2.inf
O4 - Startup: 1164786270-oem2.PNF
O4 - Startup: 1164786271-oem3.inf
O4 - Startup: 1164786271-oem3.PNF
O4 - Startup: 1164786271-oem4.inf
O4 - Startup: 1164786271-oem4.PNF
O4 - Startup: USB_MOT_A1000.INF
O4 - Startup: USB_MOT_BRIT.INF
O4 - Startup: 1164787244-oem2.inf
O4 - Startup: 1164787244-oem2.PNF
O4 - Startup: 1164787244-oem3.inf
O4 - Startup: 1164787244-oem3.PNF
O4 - Startup: 1164787244-oem4.inf
O4 - Startup: 1164787244-oem4.PNF
O4 - Startup: 1164787244-oem9.inf
O4 - Startup: 1164787244-oem9.PNF
O4 - Startup: 1164787244-oem10.inf
O4 - Startup: 1164787244-oem10.PNF
O4 - Global Startup: ntuser.pol
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &使用迅雷下载 - D:\Program Files\Thunder Network\Thunder\Program\geturl.htm
O8 - Extra context menu item: &使用迅雷下载全部链接 - D:\Program Files\Thunder Network\Thunder\Program\getallurl.htm
O8 - Extra context menu item: 上传到QQ网络硬盘 - C:\Program Files\Tencent\qq\AddToNetDisk.htm
O8 - Extra context menu item: 使用Web迅雷下载 - D:\Program Files\Thunder Network\WebThunder\GetUrl.htm
O8 - Extra context menu item: 使用Web迅雷下载全部链接 - D:\Program Files\Thunder Network\WebThunder\GetAllUrl.htm
O8 - Extra context menu item: 导出到 Microsoft Office Excel(&X) - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: 添加到QQ自定义面板 - C:\Program Files\Tencent\qq\AddPanel.htm
O8 - Extra context menu item: 添加到QQ表情 - C:\Program Files\Tencent\qq\AddEmotion.htm
O8 - Extra context menu item: 用QQ彩信发送该图片 - C:\Program Files\Tencent\qq\SendMMS.htm
O8 - Extra context menu item: 用比特精灵下载(&B) - D:\Program Files\BitSpirit\bsurl.htm
O9 - Extra button: QQ (HKLM)
O13 - WWW Prefix:
O14 - IERESET.INF: SEARCH_PAGE_URL=
O14 - IERESET.INF: START_PAGE_URL=
O17 - HKLM\System\CCS\Services\Tcpip\..\{1338784B-CAB4-4E87-8ABF-0DEF3623BDF4}: NameServer = 219.150.150.150,219.150.23.123

请帮忙看看分析一下，到底是什么原因

大家帮帮忙，谢谢了

老大们  拜托看看分析下
非常感谢

我也有同样的情况
高手帮忙指点~

同样遇到!!!

我也遇到了，怎么没人解答呢？

是个大问题啊。偶高了几天了，也没有结果！请教高手啊！！！

【回复“水井中地鱼”的帖子】
可能是30%病毒,70%是木马.先卸载QQ,下载重新安装

rojan.PSW.QQPass.qxp( isignup.sys isignup.dll) 木马手工清除方法

关机的时候会告诉你QQJDDEXE没有响应


一、病毒行为分析
这是一个盗Q木马，运行后复制自身到：
%ProgramFiles%\Internet Explorer\Connection Wizard\isignup.dll
释放动态链接库文件注入进程：
%ProgramFiles%\Internet Explorer\Connection Wizard\isignup.sys
在当前目录生成_xiaran.bat删除主程序原文件：
:try
del "exe"
if exist "exe" goto try
del %0
创建ShellExecuteHooks启动项：
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{B8A170A8-7AD3-4678-B2FE-F2D7381CC1B5}"=""

[HKEY_CLASSES_ROOT\CLSID\{B8A170A8-7AD3-4678-B2FE-F2D7381CC1B5}\InProcServer32]
@="%ProgramFiles%\Internet Explorer\Connection Wizard\isignup.sys"

创建注册表信息：
[HKEY_CURRENT_USER\Software\Microsoft\qqjdd]
"DL"="2"

二、手工清除步骤

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{B8A170A8-7AD3-4678-B2FE-F2D7381CC1B5}"

[HKEY_CLASSES_ROOT\CLSID\{B8A170A8-7AD3-4678-B2FE-F2D7381CC1B5}]

2. 重新启动计算机

3.删除病毒文件：
%ProgramFiles%\Internet Explorer\Connection Wizard\isignup.sys
%ProgramFiles%\Internet Explorer\Connection Wizard\isignup.dll
4. 删除病毒创建的注册表信息：
[HKEY_CURRENT_USER\Software\Microsoft\qqjdd]

去这里下载杀毒软件http://safe.qq.com/product/