
[Help] Can everyone take a look at what this is

I turned on the computer today, and after scanning found this:
Logfile of HijackThis v1.99.1
Scan saved at 12:02:35, on 2005-11-29
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\conime.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\陆子乾\桌面\反病毒\HijackThis.exe

O2 - BHO: ThunderIEHelper Class - {0005A87D-D626-4B3A-84F9-1D9571695F55} - C:\WINDOWS\System32\xunleibho_v8.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: 电台(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [hgqhp.exe] C:\WINDOWS\System32\hgqhp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: &使用迅雷下载 - C:\Program Files\Thunder Network\Thunder\geturl.htm
O8 - Extra context menu item: &使用迅雷下载全部链接 - C:\Program Files\Thunder Network\Thunder\getallurl.htm
O8 - Extra context menu item: Google 搜索(&G) - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: 反向链接 - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: 添加到QQ自定义面板 - C:\Program Files\Tencent\qq\AddPanel.htm
O8 - Extra context menu item: 添加到QQ表情 - C:\Program Files\Tencent\qq\AddEmotion.htm
O8 - Extra context menu item: 用QQ彩信发送该图片 - C:\Program Files\Tencent\qq\SendMMS.htm
O8 - Extra context menu item: 类似网页 - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: 缓存的网页快照 - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: 翻译英文字词(&T) - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O9 - Extra button: 浩方对战平台 - {0A155D3C-68E2-4215-A47A-E800A446447A} - C:\Program Files\浩方对战平台\GameClient.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{2E5379E9-D231-4DFA-B931-13DA0C97C602}: NameServer = 85.255.113.107,85.255.112.75
O17 - HKLM\System\CS1\Services\Tcpip\..\{2E5379E9-D231-4DFA-B931-13DA0C97C602}: NameServer = 85.255.113.107,85.255.112.75
O17 - HKLM\System\CS2\Services\Tcpip\..\{2E5379E9-D231-4DFA-B931-13DA0C97C602}: NameServer = 85.255.113.107,85.255.112.75
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

Among these, the following entries are new:
O4 - HKLM\..\Run: [hgqhp.exe] C:\WINDOWS\System32\hgqhp.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{2E5379E9-D231-4DFA-B931-13DA0C97C602}: NameServer = 85.255.113.107,85.255.112.75
O17 - HKLM\System\CS1\Services\Tcpip\..\{2E5379E9-D231-4DFA-B931-13DA0C97C602}: NameServer = 85.255.113.107,85.255.112.75
O17 - HKLM\System\CS2\Services\Tcpip\..\{2E5379E9-D231-4DFA-B931-13DA0C97C602}: NameServer = 85.255.113.107,85.255.112.75
I don't know what they are; please help me take a look.
Last edited 2005-11-29 12:34:32

One more thing: after I clicked Search on the IE standard toolbar, it actually showed "3721 网络实名 brought to you by..." Disgusting. How do I get rid of it? I hope someone can tell me.

[Reply to 悲魔剑's post]

Please have the OP scan the following file with the two multi-engine scanners below:
C:\WINDOWS\System32\hgqhp.exe
Multi-engine scan, VirusTotal:
http://www.virustotal.com/
Multi-engine scan, Jotti:
http://virusscan.jotti.org/

Please be sure to paste the full report.
The O17 entries are changes related to DNS resolution.
Restart into Safe Mode (how to enter Safe Mode: restart the computer, and once the power-on self-test has finished, press [F8] (you can keep pressing it until the boot menu appears), then select Safe Mode to enter Windows).

Close all IE windows, scan again with HijackThis, tick the entries recommended for fixing below, and let HijackThis fix them; before fixing, allow HijackThis to keep a backup. (If the OP knows an entry is safe, it need not be ticked.)
O4 - HKLM\..\Run: [hgqhp.exe] C:\WINDOWS\System32\hgqhp.exe

Then open My Computer → Tools → Folder Options → View → untick "Hide protected operating system files (Recommended)" and "Hide extensions for known file types" → select "Show hidden files and folders" → find and delete the following file (if present):
C:\WINDOWS\System32\hgqhp.exe

This is a report processed by VirusTotal on 11/29/2005 at 05:25:20 (CET) after scanning the file "__38470" file.
Antivirus Version Update Result
AntiVir 6.32.0.6 11.28.2005 Heuristic/Trojan.Downloader
Avast 4.6.695.0 11.26.2005 no virus found
AVG 718 11.28.2005 no virus found
Avira 6.32.0.6 11.28.2005 Heuristic/Trojan.Downloader
BitDefender 7.2 11.29.2005 Trojan.DNSChanger.R
CAT-QuickHeal 8.00 11.28.2005 (Suspicious) - DNAScan
ClamAV devel-20051108 11.28.2005 no virus found
DrWeb 4.33 11.28.2005 no virus found
eTrust-Iris 7.1.194.0 11.29.2005 no virus found
eTrust-Vet 11.9.1.0 11.28.2005 no virus found
Fortinet 2.48.0.0 11.29.2005 suspicious
F-Prot 3.16c 11.28.2005 no virus found
Ikarus 0.2.59.0 11.28.2005 no virus found
Kaspersky 4.0.2.24 11.29.2005 no virus found
McAfee 4638 11.28.2005 no virus found
NOD32v2 1.1307 11.28.2005 a variant of Win32/DNSChanger
Norman 5.70.10 11.28.2005 no virus found
Panda 8.02.00 11.28.2005 Trj/DNSChanger.BD
Sophos 4.00.0 11.28.2005 no virus found
Symantec 8.0 11.29.2005 no virus found
TheHacker 5.9.1.045 11.28.2005 no virus found
VBA32 3.10.5 11.28.2005 suspected of Trojan-Downloader.Agent.31


Jotti's malware scan 2.99-TRANSITION_TO_3.00

File:  hgqhp.exe 
Status:  INFECTED/MALWARE 
MD5  2aa00930a7d48237bab13de162b38f53 
Packers detected:  -
Scanner results 
AntiVir  Found Heuristic/Trojan.Downloader (probable variant) 
ArcaVir  Found nothing
Avast  Found nothing
AVG Antivirus  Found nothing
BitDefender  Found Trojan.DNSChanger.R 
ClamAV  Found nothing
Dr.Web  Found nothing
F-Prot Antivirus  Found nothing
Fortinet  Found nothing
Kaspersky Anti-Virus  Found nothing
NOD32  Found a variant of Win32/DNSChanger 
Norman Virus Control  Found nothing
UNA  Found nothing
VBA32  Found Trojan-Downloader.Agent.31 (probable variant) 
[Reply to 悲魔剑's post]

Thanks to the OP for cooperating.
Please first follow moderator 飞跃's advice to carry out the fix.
Also, this trojan changes the DNS settings, so please fix all of the O17 entries as well:
O17 - HKLM\System\CCS\Services\Tcpip\..\{2E5379E9-D231-4DFA-B931-13DA0C97C602}: NameServer = 85.255.113.107,85.255.112.75
O17 - HKLM\System\CS1\Services\Tcpip\..\{2E5379E9-D231-4DFA-B931-13DA0C97C602}: NameServer = 85.255.113.107,85.255.112.75
O17 - HKLM\System\CS2\Services\Tcpip\..\{2E5379E9-D231-4DFA-B931-13DA0C97C602}: NameServer = 85.255.113.107,85.255.112.75
Once the fix is done, if the problem persists, please post a follow-up describing the situation.
The above suggestions are for reference only; if you recognise some of these settings, or they are settings you made by hand, there is no need to carry them out.
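As an added illustration, not code from this thread or from HijackThis: a small Python triage script that parses the O4 and O17 lines quoted above and flags by rule what the replies flagged by eye, an autostart under System32 that is not a recognised Windows binary, and NameServer values outside a trusted resolver set, grouped per interface so that every control set (CCS, CS1, CS2) still carrying the rogue servers is listed together. The trusted resolver ranges and the known-binary set are assumed placeholders an analyst would fill in for their own network.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample: the O4 and O17 lines from the HijackThis log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [hgqhp.exe] C:\WINDOWS\System32\hgqhp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{2E5379E9-D231-4DFA-B931-13DA0C97C602}: NameServer = 85.255.113.107,85.255.112.75
O17 - HKLM\System\CS1\Services\Tcpip\..\{2E5379E9-D231-4DFA-B931-13DA0C97C602}: NameServer = 85.255.113.107,85.255.112.75
"""
# Assumption: resolvers this machine is expected to use (constructed private ranges).
TRUSTED_DNS = [ip_network("192.168.0.0/16"), ip_network("10.0.0.0/8")]
# Assumption: System32 autostarts an analyst already recognises as Windows' own.
KNOWN_SYSTEM32 = {"ctfmon.exe"}

O4_RE = re.compile(r'^O4 - (?P<hive>\S+): \[(?P<name>[^\]]+)\] (?:"(?P<qpath>[^"]+)"|(?P<path>\S+))')
O17_RE = re.compile(r'^O17 - HKLM\\System\\(?P<cset>\w+)\\Services\\Tcpip\\\.\.\\(?P<guid>\{[^}]+\}): NameServer = (?P<servers>[\d.,]+)')


def untrusted_servers(servers: str):
    """Return the comma-separated resolver IPs that fall outside TRUSTED_DNS."""
    bad = []
    for s in servers.split(","):
        addr = ip_address(s.strip())
        if not any(addr in net for net in TRUSTED_DNS):
            bad.append(str(addr))
    return bad


def triage(log_text: str):
    """Return (section, detail) findings: unknown System32 autostarts, rogue DNS per interface."""
    findings = []
    dns_hits = {}  # interface GUID -> [(control set, untrusted servers)]
    for line in log_text.splitlines():
        m = O4_RE.match(line)
        if m:
            path = m.group("qpath") or m.group("path")
            exe = path.rsplit("\\", 1)[-1].lower()
            if "\\system32\\" in path.lower() and exe not in KNOWN_SYSTEM32:
                findings.append(("O4", f"unrecognised autostart {exe} from {path}"))
            continue
        m = O17_RE.match(line)
        if m and (bad := untrusted_servers(m.group("servers"))):
            dns_hits.setdefault(m.group("guid"), []).append((m.group("cset"), bad))
    # One finding per interface, naming every control set (CCS, CS1, CS2) that still
    # carries the rogue resolvers, since all of them have to be corrected together.
    for guid, hits in dns_hits.items():
        csets = ",".join(cset for cset, _ in hits)
        findings.append(("O17", f"interface {guid} resolves via {hits[0][1]} in control sets {csets}"))
    return findings
```

Run `triage(SAMPLE_LOG)` to get the two findings for the sample; the same function works on a full HijackThis log read from a file.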
[Reply to 悲魔剑's post]

The OP isn't running antivirus software or a firewall, right? That's very dangerous.
Powered by Discuz!NT