Another question about browser hijacking at www.71791.com (version 3rd)

EndurerOriginal

3Add an instance
2Added Kaspersky's response
No.1Version

Some netizens encountered the hijacking of the 71791.com browser, which was different from the analysis and solution I wrote earlier (see the question about www.71791.com) and sent the log scanned by hijackthis.

The following suspicious items are found in the log:

 

 

Operating System: Windows XP SP1 (winnt 5.01.2600)
Browser: Internet Explorer v6.00 SP1 (6.00.2800.1106)

O3-IE Toolbar addition: practical search-{15adf205-4c54-4cfe-ac88-1ea0ba6d06a0}-C:/program files/scantoolbar/scanbar. dll

O4-startup Item HKLM // run: [msservice] winnt.exe

O6-hkcu/software/policies/Microsoft/Internet Explorer/Control Panel present

O23-NT Service: gray_pigeon_server (graypigeonserver)-unknown owner-C:/Windows/g_server1.2.exe (file missing)

O23-NT Service: remote Internet Service (msisvr)-unknown owner-C:/Windows/system32/intasks.exe (file missing)

O23-NT Service: System managements instrumenta (msym_ser)-unknown owner-C:/Windows/system32/lsas.exe

O23-NT Service: Windows (Windows server program)-unknown owner-C:/Windows/crsm.exe (file missing)

 

Suggestion:

 

You can refer to the following repair methods:
[System repair series] basic operation index
Http://endurer.blogchina.com/2591241.html

Start -- set -- control panel -- add and delete programs -- unmount: Yahoo assistant and scantoolbar)

Restart to safe Mode

Start -- set -- control panel -- Management Tools -- service
Stop and disable the service:
Gray_pigeon_server (graypigeonserver)
Remote Internet Service (msisvr)
System managements instrumenta (msym_ser)
Windows (Windows server program)

Set the system to display all files and folders without hiding the known file type extension.

Find the following files:

C:/Windows/crsm.exe
C:/Windows/crsm. dll
C:/Windows/crsm_key.dll
C:/Windows/crsm_hook.dll

C:/Windows/g_server1.2.exe
C:/Windows/g_server1.2.dll
C:/Windows/g_server1.2_key.dll
C:/Windows/g_server1.2_hook.dll

C:/Windows/system32/intasks.exe

C:/Windows/system32/lsas.exe
C:/Windows/LSAs. dll
C:/Windows/lsas_key.dll
C:/Windows/lsas_hook.dll

Winnt.exe (search by the Start menu)

The files found with compression software (such as WinRAR, WinZip) Packaging backup, after all the repair work is completed, the compressed package as an e-mail attachment to the endurer@163.com

Close all browser windows and folder windows, use hijackthis scan again, check the suspicious items listed above, and click [Fix] (fix) (If you know that something is safe, you can leave it alone ).

Patch the system with SP2

Two files sent from the user:Winnt.exeAndLsas.exe, Kspersky reports:Trojan-Downloader.Win32.Delf.amh

Another user sent a log and found the following suspicious items:

 

 

C:/guest.exe

R3-default urlsearchhook is missing

O4-HKLM/../run: [msservice] winnt.exe

O6-hkcu/software/policies/Microsoft/Internet Explorer/restrictions present

O6-HKLM/software/policies/Microsoft/Internet Explorer/restrictions present

O23-service: System managements instrumenta (msym_ser)-unknown owner-C:/winnt/system32/lsas.exe

 

 

My proposed repair suggestions:

Start -- set -- control panel -- add and delete programs -- uninstall: Baidu super souba

You can refer to the following repair methods:
[System repair series] basic operation index
Http://endurer.blogchina.com/2591241.html

Restart to safe Mode

Stop and disable the service: System managements instrumenta (msym_ser)

Set the system to display all files and folders without hiding the known file type extension.

Find the following files:

C:/guest.exe
C:/winnt/system32/lsas.exe
C:/winnt/system32/LSAs. dll
C:/winnt/system32/lsas_dll.dll
C:/winnt/system32/lsas_key.dll
C:/winnt/system32/lsas_hook.dll

The files found with compression software (such as WinRAR, WinZip) Packaging backup, after all the repair work is completed, the compressed package as an e-mail attachment to the endurer@163.com, please indicate in the email the web site

Close all browser windows and folder windows and use hijackthis scan again to fix the suspicious items listed above.