Endurer Original
Version 1
Today, a colleague said that his computer was not working properly and asked me to help.
The machine is a TCL brand machine, and the operating system is Windows XP SP2 (5.1.2600). After the IE browser is opened, IE stops responding; I had opened several IE instances. If you disable Internet Explorer, assumer.exe is automatically terminated. After the system automatically re-runs assumer.exe, the system responds slowly.
A HijackThis scan found the following files and entries belonging to Adware.Hbang.E:
O2 - BHO: hbobject class - {AE22AFE5-1EF4-4D25-9E23-D2825FB17DA1} - C:/progra~1/hbclient/tbhelper.dll
O4 - HKLM/../run: [richmedia] C:/Windows/system32/rundll32.exe "C:/progra~1/hbclient/tbhelper.dll",waitwindows
O10 - unknown file in Winsock LSP: C:/Windows/system32/hbmter.dll
O10 - unknown file in Winsock LSP: C:/Windows/system32/hbmter.dll
In addition, because programs had previously been forcibly shut down, multiple C:/Windows/system32/dumprep.exe and C:/Windows/system32/dwwin.exe processes were running.
See also:
Scan more than 100 viruses and 3 stealth processes
Solve the pop-up window and Adware.Hbang
First, uninstall richmedia under "Add or Remove Programs" in the Control Panel. Then restart into Safe Mode with Networking and run Rising's free online scan, which found dozens of Adware.Hbang.E files:
16:14:36 Rising Antivirus Assistant
Windows XP Service Pack 2 (5.1.2600)
File name    Virus name
C:/Windows/system32/temp/temp1.plt    adware.hbang.e
C:/Windows/hhelp.dll    adware.hbang.e
C:/program files/hbclient/tbhelper.dll    adware.hbang.c
C:/system volume information/_restore{1f034afa-4c43-49f7-ac54-375a02ef3410}/rp41/a0019971.dll    adware.hbang.e
... (All in C:/system volume information, omitted).
These were cleaned with Rising Antivirus Assistant (which you can download at http://endurer.blogchina.com). After restarting the computer and opening the IE browser, IE no longer stopped responding, and a further free online scan found no Adware.Hbang.E.
Analysis of temp1.plt
C:/Windows/system32/temp/temp1.plt is actually a file in PE format. Change its extension to .dll or .exe and you can see the file description, version, and other information in the file properties. The original file name is hbmter.dll.
This file checks whether the virus file exists.
hxxp://59.36.96.8/download/updatelist (this has expired)
and
hxxp://download.henbang.net/download/updatelist
(The IP address of download.henbang.net is 59.36.98.155)
Downloads and installs hbhelper.dll.
Starts the advertising service.
It has corresponding handling for Worker and other processes.
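
The temp1.plt finding above, a PE file stored under a non-executable extension, can be checked for across a directory tree. This is an added example, not part of the original post: Python that reads each file's header and flags PE images whose extension hides what they are. The extension list, the function names and the sample header bytes are assumptions constructed for illustration.

```python
import struct
from pathlib import Path

# Assumed list of extensions under which a PE image is expected.
EXECUTABLE_EXTS = {".exe", ".dll", ".sys", ".ocx", ".scr", ".cpl"}
IMAGE_FILE_DLL = 0x2000  # COFF Characteristics bit set for DLL images


def pe_kind(data: bytes):
    """Return 'dll' or 'exe' if data begins with a PE image header, else None."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of the PE header
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # The 20-byte COFF header follows the signature; Characteristics is its last field.
    (characteristics,) = struct.unpack_from("<H", data, e_lfanew + 22)
    return "dll" if characteristics & IMAGE_FILE_DLL else "exe"


def is_disguised(name: str, data: bytes) -> bool:
    """True when the content is a PE image but the extension is not an executable one."""
    return pe_kind(data) is not None and Path(name).suffix.lower() not in EXECUTABLE_EXTS


def scan(root: str):
    """Yield (path, kind) for disguised PE files under root; reads only the first 4 KiB."""
    for path in Path(root).rglob("*"):
        try:
            if path.is_file():
                with path.open("rb") as fh:
                    head = fh.read(4096)
                if is_disguised(path.name, head):
                    yield str(path), pe_kind(head)
        except OSError:
            continue  # locked or unreadable file: skip it


def make_sample_pe(dll: bool) -> bytes:
    """Constructed minimal DOS + COFF header bytes (not a loadable image)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0, 0x2102 if dll else 0x0102)
    return dos + b"PE\0\0" + coff


if __name__ == "__main__":
    print(is_disguised("temp1.plt", make_sample_pe(dll=True)))
```

A hit only says the content and the extension disagree; the version resource and a scanner verdict, as in the analysis above, are still needed to identify the file.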