Endurer (original)
Version 3: added another instance
Version 2: added Kaspersky's response
Version 1
A reader ran into a browser hijack by 71791.com that differs from the case I analysed and resolved earlier (see the earlier post on the www.71791.com problem), and sent in a HijackThis scan log.
The following suspicious items appear in the log:
Operating System: Windows XP SP1 (WinNT 5.01.2600)
Browser: Internet Explorer v6.00 SP1 (6.00.2800.1106)
O3 - Toolbar: practical search - {15adf205-4c54-4cfe-ac88-1ea0ba6d06a0} - C:\Program Files\scantoolbar\scanbar.dll
O4 - HKLM\..\Run: [msservice] winnt.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O23 - Service: gray_pigeon_server (graypigeonserver) - Unknown owner - C:\Windows\g_server1.2.exe (file missing)
O23 - Service: remote Internet Service (msisvr) - Unknown owner - C:\Windows\system32\intasks.exe (file missing)
O23 - Service: System managements instrumenta (msym_ser) - Unknown owner - C:\Windows\system32\lsas.exe
O23 - Service: Windows (Windows server program) - Unknown owner - C:\Windows\crsm.exe (file missing)
Suggestions:
You can refer to the following repair guide:
[System repair series] Basic operations index
http://endurer.blogchina.com/2591241.html
Start -- Settings -- Control Panel -- Add or Remove Programs -- uninstall: Yahoo Assistant and scantoolbar
Restart into Safe Mode
Start -- Settings -- Control Panel -- Administrative Tools -- Services
Stop and disable the following services:
gray_pigeon_server (graypigeonserver)
remote Internet Service (msisvr)
System managements instrumenta (msym_ser)
Windows (Windows server program)
Set Folder Options to show all files and folders and not to hide extensions for known file types.
Find the following files:
C:\Windows\crsm.exe
C:\Windows\crsm.dll
C:\Windows\crsm_key.dll
C:\Windows\crsm_hook.dll
C:\Windows\g_server1.2.exe
C:\Windows\g_server1.2.dll
C:\Windows\g_server1.2_key.dll
C:\Windows\g_server1.2_hook.dll
C:\Windows\system32\intasks.exe
C:\Windows\system32\lsas.exe
C:\Windows\lsas.dll
C:\Windows\lsas_key.dll
C:\Windows\lsas_hook.dll
winnt.exe (locate it with Start -- Search)
Pack the files you find into an archive with compression software (such as WinRAR or WinZip) as a backup; once all repair work is complete, send the archive as an e-mail attachment to endurer@163.com.
Close all browser and folder windows, run HijackThis again, tick the suspicious items listed above and click [Fix] (if you know an item is safe, leave it alone).
Patch the system to SP2.
Two files sent by the reader, winnt.exe and lsas.exe, are reported by Kaspersky as Trojan-Downloader.Win32.Delf.amh.
Another reader sent in a log, in which the following suspicious items were found:
C:\guest.exe
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [msservice] winnt.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O23 - Service: System managements instrumenta (msym_ser) - Unknown owner - C:\winnt\system32\lsas.exe
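Both logs above are judged by the same handful of indicators: O23 services with an unknown owner or a binary that is already gone, an O4 autorun that names a bare file instead of a full path, O6 Internet Explorer policy restrictions, an O3 toolbar, and a missing R3 URLSearchHook. The script below is an added example that turns those indicators into a small triage pass over HijackThis log lines; it is not the author's tool. The sample lines are copied from the two logs, plus one constructed benign O4 line (ctfmon.exe) to show that ordinary entries are not flagged.

```python
# Added example: triage of HijackThis log lines against the indicators used in the
# two cases above. Not the author's tool; sample lines copied from the logs, with
# one constructed benign O4 line appended.
import re
from dataclasses import dataclass

SAMPLE_LOG = r"""
O3 - Toolbar: practical search - {15adf205-4c54-4cfe-ac88-1ea0ba6d06a0} - C:\Program Files\scantoolbar\scanbar.dll
O4 - HKLM\..\Run: [msservice] winnt.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O23 - Service: gray_pigeon_server (graypigeonserver) - Unknown owner - C:\Windows\g_server1.2.exe (file missing)
O23 - Service: System managements instrumenta (msym_ser) - Unknown owner - C:\Windows\system32\lsas.exe
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [ctfmon] C:\Windows\system32\ctfmon.exe
"""


@dataclass
class Finding:
    section: str   # HijackThis section tag, e.g. O23
    reason: str    # why the line was flagged
    line: str      # the log line body after the tag


LINE_RE = re.compile(r"^(R\d|O\d{1,2})\s*-\s*(.+)$")
# Windows path ending in an executable-type extension; the lazy match keeps
# trailing annotations such as "(file missing)" out of the captured path.
PATH_RE = re.compile(r"[A-Za-z]:\\.+?\.(?:exe|dll|sys|cpl)\b", re.IGNORECASE)


def triage_line(raw: str):
    """Return a Finding for a suspicious HijackThis line, else None."""
    m = LINE_RE.match(raw.strip())
    if not m:
        return None
    section, body = m.group(1), m.group(2)
    low = body.lower()
    if section == "O23":
        reasons = []
        if "unknown owner" in low:
            reasons.append("service has no vendor information")
        if "(file missing)" in low:
            reasons.append("service binary no longer exists")
        if reasons:
            return Finding(section, "; ".join(reasons), body)
    elif section == "O4":
        # Autorun command is everything after the "[name]" label.
        command = body.split("]", 1)[-1].strip()
        if "\\" not in command:
            return Finding(section, "autorun uses a bare file name, not a full path", body)
    elif section == "O6":
        return Finding(section, "Internet Explorer policy restriction present", body)
    elif section == "O3":
        return Finding(section, "IE toolbar loaded; confirm it was installed on purpose", body)
    elif section == "R3" and "missing" in low:
        return Finding(section, "default URLSearchHook has been removed", body)
    return None


def triage_log(text: str):
    """All findings in a log, in log order."""
    return [f for f in (triage_line(line) for line in text.splitlines()) if f]


def collect_paths(findings):
    """File paths referenced by flagged lines: the list to back up before fixing."""
    paths = {p for f in findings for p in PATH_RE.findall(f.line)}
    return sorted(paths)


if __name__ == "__main__":
    found = triage_log(SAMPLE_LOG)
    for f in found:
        print(f"{f.section:<4} {f.reason}\n     {f.line}")
    print("\nFiles to back up before fixing:")
    for p in collect_paths(found):
        print("  " + p)
```

The O4 rule is a heuristic: a bare file name such as winnt.exe is resolved through the search path at logon, which is why the repair steps have to locate the file with Start -- Search rather than at a known location. The msym_ser binary name, lsas.exe, is one letter short of the legitimate lsass.exe; a look-alike name check would be a natural extension but is not part of this script.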
My proposed repair steps:
Start -- Settings -- Control Panel -- Add or Remove Programs -- uninstall: Baidu Super Souba
You can refer to the following repair guide:
[System repair series] Basic operations index
http://endurer.blogchina.com/2591241.html
Restart into Safe Mode
Stop and disable the service: System managements instrumenta (msym_ser)
Set Folder Options to show all files and folders and not to hide extensions for known file types.
Find the following files:
C:\guest.exe
C:\winnt\system32\lsas.exe
C:\winnt\system32\lsas.dll
C:\winnt\system32\lsas_dll.dll
C:\winnt\system32\lsas_key.dll
C:\winnt\system32\lsas_hook.dll
Pack the files you find into an archive with compression software (such as WinRAR or WinZip) as a backup; once all repair work is complete, send the archive as an e-mail attachment to endurer@163.com, and note the web address in the e-mail.
Close all browser and folder windows, run HijackThis again, and fix the suspicious items listed above.
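Both sets of repair steps ask the reader to back up the suspicious files before HijackThis removes their entries and to send the archive in afterwards. The script below is an added example of that collection step, not the author's tool: it zips every listed file that still exists, records a SHA-256 and size for each in a manifest inside the archive, and records absent files instead of failing (the "(file missing)" services in the first log leave exactly such entries). The path list is copied from the second case; the archive name and the placeholder content written by demo() are constructed for this example.

```python
# Added example, not the author's tool: gather the files named in the repair
# steps into a backup archive with a SHA-256 manifest before they are removed.
# CASE_TWO_FILES is copied from the second case above; demo() uses constructed
# placeholder files in a temporary directory so the script runs anywhere.
import hashlib
import os
import tempfile
import zipfile

CASE_TWO_FILES = [
    r"C:\guest.exe",
    r"C:\winnt\system32\lsas.exe",
    r"C:\winnt\system32\lsas.dll",
    r"C:\winnt\system32\lsas_dll.dll",
    r"C:\winnt\system32\lsas_key.dll",
    r"C:\winnt\system32\lsas_hook.dll",
]


def sha256_of(path):
    """Streamed SHA-256 so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def format_manifest(manifest):
    """One line per path: hash and size, or MISSING for files that were not found."""
    lines = []
    for path, info in manifest.items():
        if info is None:
            lines.append(f"MISSING  {path}")
        else:
            lines.append(f"{info['sha256']}  {info['size']:>8}  {path}")
    return "\n".join(lines) + "\n"


def collect_samples(paths, archive_path):
    """Zip every listed file that exists. Returns {path: {"sha256", "size"} or None}.
    A missing file is recorded as None rather than raising, so one absent
    entry does not abort the whole backup."""
    manifest = {}
    used_names = set()
    with zipfile.ZipFile(archive_path, "w", zipfile.ZIP_DEFLATED) as zf:
        for path in paths:
            if not os.path.isfile(path):
                manifest[path] = None
                continue
            manifest[path] = {"sha256": sha256_of(path), "size": os.path.getsize(path)}
            # Flatten to the base name so the archive does not recreate the
            # system tree; disambiguate if two directories hold the same name.
            name = os.path.basename(path)
            if name in used_names:
                name = f"{len(used_names)}_{name}"
            used_names.add(name)
            zf.write(path, arcname=name)
        zf.writestr("MANIFEST.txt", format_manifest(manifest))
    return manifest


def demo():
    """Run the collection against a temporary directory holding one constructed
    placeholder sample (content b"abc") and one file that is deliberately absent,
    standing in for the real system32 paths listed above."""
    root = tempfile.mkdtemp(prefix="samples_")
    sample = os.path.join(root, "lsas.exe")
    with open(sample, "wb") as fh:
        fh.write(b"abc")  # placeholder bytes, not real file content
    missing = os.path.join(root, "guest.exe")  # never created on purpose
    archive = os.path.join(root, "samples.zip")
    manifest = collect_samples([sample, missing], archive)
    with zipfile.ZipFile(archive) as zf:
        names = zf.namelist()
    return {"manifest": manifest, "sample": sample, "missing": missing, "names": names}


if __name__ == "__main__":
    result = demo()
    print(format_manifest(result["manifest"]))
    print("archive members:", result["names"])
```

On the affected machine the call would be collect_samples(CASE_TWO_FILES, r"C:\samples.zip") (the archive location is an assumption), run from Safe Mode after the service has been stopped and before HijackThis fixes the entries; the manifest lets whoever receives the archive confirm that the bytes they analyse are the ones that were on the disk.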