Endurer, original
2006-10-17, 1st version
Yesterday a netizen downloaded a "green version" (portable build) of a program from a website. Double-clicking it a few times showed nothing, the system became slow and stopped responding, and after a restart the situation was the same, so he asked for help.
Opened Task Manager and found several suspicious processes. First ended assumer.exe, then used New Task to run HijackThis and scan; the log showed the following suspicious items:
/------------
Logfile of HijackThis v1.99.1
Scan saved at 20:15:37, on
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running Processes:
C:\Program Files\Common Files\update2\update.exe
C:\DOCUME~1\y168\LOCALS~1\Temp\~nsu.tmp\au_.exe
O4 - HKLM\..\Run: [str3] hongqt
O4 - HKLM\..\Run: [longdata] bytes
O4 - HKLM\..\Run: [binarydata] "3D ladder
O4 - HKLM\..\Run: [update] C:\Program Files\Common Files\update2\update.exe
O16 - DPF: {5932517a-3326-4439-a708-1c98edb5c549} (downloader class) - file://C:\Documents and Settings\All Users\Application Data\share helper\cast\GGS\d8f6fba154\JS\imopdl.cab
O21 - SSODL: delayrun - {5a6f2f95-3191-433b-8533-eb0b596a7bac} - C:\Windows\464d7300.dll (file missing)
------------/
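The items above are the kind a helpdesk can triage mechanically: a process running out of a Temp directory, Run values whose data is not a program path, a DPF (downloaded program file) entry that points at a local file:// CAB instead of a vendor URL, and an SSODL shell-load entry whose DLL is already missing. The following script is an added example, not part of the original post or of HijackThis; it reads HijackThis-style log text (the sample embedded below is constructed from the lines quoted above, with paths written the way HijackThis prints them) and lists the entries that deserve a second look. The "shared directory" rule for Run entries is a heuristic of mine: legitimate components also live under Common Files, so it only marks those for review.

```python
import re

# Constructed sample: the HijackThis lines quoted in the post above.
HJT_SAMPLE = r"""
Running Processes:
C:\Program Files\Common Files\update2\update.exe
C:\DOCUME~1\y168\LOCALS~1\Temp\~nsu.tmp\au_.exe

O4 - HKLM\..\Run: [str3] hongqt
O4 - HKLM\..\Run: [longdata] bytes
O4 - HKLM\..\Run: [binarydata] "3D ladder
O4 - HKLM\..\Run: [update] C:\Program Files\Common Files\update2\update.exe
O16 - DPF: {5932517a-3326-4439-a708-1c98edb5c549} (downloader class) - file://C:\Documents and Settings\All Users\Application Data\share helper\cast\GGS\d8f6fba154\JS\imopdl.cab
O21 - SSODL: delayrun - {5a6f2f95-3191-433b-8533-eb0b596a7bac} - C:\Windows\464d7300.dll (file missing)
"""

ITEM = re.compile(r"^(O\d+) - (.*)$")                 # "O4 - HKLM\..\Run: ..." style lines
RUN_VALUE = re.compile(r"\[([^\]]*)\]\s*(.*)")        # "[valuename] data" inside an O4 item
# Temp locations: nothing installed on purpose should run or autostart from here.
TEMP_DIR = re.compile(r"\\(temp|locals~1)\\|\\~[^\\]*\.tmp\\", re.I)
# Directories shared by all vendors; an autostart here is not wrong by itself (heuristic).
SHARED_DIR = re.compile(r"\\(common files|application data)\\", re.I)
HEX_DLL = re.compile(r"\\[0-9a-f]{8}\.dll\b", re.I)   # random hex names like 464d7300.dll


def triage(log_text):
    """Return (item, severity, reason, line) tuples for log lines worth a second look."""
    findings = []
    section = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ITEM.match(line)
        if not m:
            if line.endswith(":"):                     # section header, e.g. "Running Processes:"
                section = line[:-1].lower()
            elif section == "running processes" and TEMP_DIR.search(line):
                findings.append(("Process", "high", "executable running from a Temp directory", line))
            continue
        code, body = m.groups()
        if code == "O4":
            rv = RUN_VALUE.search(body)
            if not rv:
                continue
            name, data = rv.groups()
            if "\\" not in data:
                findings.append((code, "high", f"Run value [{name}] holds data that is not a program path", line))
            elif TEMP_DIR.search(data):
                findings.append((code, "high", f"Run value [{name}] autostarts from a Temp directory", line))
            elif SHARED_DIR.search(data):
                findings.append((code, "review", f"Run value [{name}] autostarts from a shared directory", line))
        elif code == "O16" and re.search(r"\bfile:", body, re.I):
            findings.append((code, "high", "DPF entry is sourced from a local file:// CAB", line))
        elif code == "O21" and ("(file missing)" in body or HEX_DLL.search(body)):
            findings.append((code, "high", "SSODL shell-load entry with a missing or hex-named DLL", line))
    return findings


if __name__ == "__main__":
    for item, severity, reason, line in triage(HJT_SAMPLE):
        print(f"{severity:6} {item:8} {reason}\n       {line}")
```

Run against the sample it reports seven entries: the au_.exe process, all four Run values (the three non-path values as high, the Common Files one for review), the file:// DPF entry and the missing SSODL DLL, which matches the list the post goes on to clean up.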
Terminated the processes:
C:\Program Files\Common Files\update2\update.exe
C:\DOCUME~1\y168\LOCALS~1\Temp\~nsu.tmp\au_.exe
Found with WinRAR:
C:\Documents and Settings\user\Local Settings\~nsu.tmp\au_.exe
Viewed its properties: it's Dongdong. Sweat!
Also found:
C:\Documents and Settings\user\Local Settings\Temp\rarsfx0\benben.exe
It is a self-extracting (SFX) archive, and its script is:
/-------------------
TempMode
Silent=1
Overwrite=1
Setup1_bind_40234.exe
Overwrite=1
Setup000031.exe
Overwrite=1
Setup1_mp56.exe
-------------------/
It drops the following three files:
/-------------------
28,672 31.exe (developed by www.mmwan.com)
2006-09-04 37,648 mp56.exe (Macro Network Super Souba online installer)
20,480 bind_40234.exe
-------------------/
C:\Windows\system32\temp.EXE is the Sogou Express installer.
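The SFX script above is what makes the package invisible to the victim: TempMode unpacks to a temporary folder and removes it afterwards, Silent=1 suppresses the extraction dialog, and each Setup= line runs another dropped program. The parser below is an added example, not part of the original post or of WinRAR; it reads a WinRAR SFX script as text (the sample is constructed from the script quoted above, written with WinRAR's documented Setup= directive and the three file names the post lists as dropped) and summarises what the archive will do when opened. The "suspicious" verdict is my own heuristic: silent extraction plus a chain of Setup programs, which a legitimate portable build has no reason to use.

```python
# Constructed sample: the post's SFX script rewritten in WinRAR's documented syntax,
# naming the three files the post says the archive drops.
SFX_SCRIPT = """\
TempMode
Silent=1
Overwrite=1
Setup=bind_40234.exe
Overwrite=1
Setup=31.exe
Overwrite=1
Setup=mp56.exe
"""


def parse_sfx_script(text):
    """Split an SFX script into (directives, setup_programs).

    Bare directives such as TempMode are stored as True; Key=Value lines keep their
    value; every Setup= line is collected in order because each one is run.
    """
    directives = {}
    setups = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):       # WinRAR treats ';' lines as comments
            continue
        key, sep, value = line.partition("=")
        key = key.strip().lower()
        value = value.strip()
        if key == "setup":
            setups.append(value)
        else:
            directives[key] = value if sep else True
    return directives, setups


def assess(text):
    """Explain, in plain words, what the script does and whether it looks like a dropper."""
    directives, setups = parse_sfx_script(text)
    reasons = []
    if directives.get("silent") == "1":
        reasons.append("Silent=1: the user sees no extraction dialog")
    if "tempmode" in directives:
        reasons.append("TempMode: files are unpacked to a temp folder and deleted afterwards")
    if len(setups) > 1:
        reasons.append(f"{len(setups)} Setup= programs are run one after another")
    return {
        "directives": directives,
        "setup": setups,
        "reasons": reasons,
        "suspicious": len(reasons) >= 2,   # heuristic threshold, not a WinRAR rule
    }


if __name__ == "__main__":
    verdict = assess(SFX_SCRIPT)
    print("runs:", ", ".join(verdict["setup"]))
    for r in verdict["reasons"]:
        print(" -", r)
    print("suspicious:", verdict["suspicious"])
```

The same function applied to an ordinary installer script (a Title, a Path and a single Setup line) returns no reasons, which is the point of reading the script before running the stub rather than after.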
The downloaded "green version" was a file named jiekshijf.exe, only a little over 100 KB long; the genuine software should be nearly 5 MB. Clearly it was not the real thing, and anyone paying attention would have noticed.
This jiekshijf.exe contains:
/----------
Sys.exe (Kaspersky reports Trojan.Win32.VB.amy)
Bo.exe (Kaspersky reports Trojan-Clicker.Win32.VB.ms)
Ad.exe (Kaspersky reports Trojan-Clicker.Win32.VB.lc)
Ad2.exe (Kaspersky reports Trojan.Win32.VB.ms)
----------/
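The size mismatch was the first thing anyone could have checked, and a PE stub with a RAR archive glued behind it is what a WinRAR self-extracting package looks like on disk. The check below is an added example, not part of the original post; it compares a downloaded file's size and SHA-256 with what the download page claims, and looks for the RAR marker block behind an MZ header. The sample bytes are constructed (a fake stub with an archive body appended), not the real jiekshijf.exe, and the 10% size tolerance is an assumption of mine.

```python
import hashlib

RAR_MARKER = b"Rar!\x1a\x07\x00"   # marker block that opens every RAR 1.5-4.x archive


def inspect_download(data, expected_size=None, expected_sha256=None, tolerance=0.10):
    """Pre-execution sanity check on the bytes of a downloaded installer.

    Returns a report dict whose 'problems' list is empty when nothing contradicts
    what the download claims to be. tolerance is a fraction of expected_size.
    """
    report = {
        "size": len(data),
        "sha256": hashlib.sha256(data).hexdigest(),
        "is_pe": data[:2] == b"MZ",
        "sfx_rar": False,
        "rar_offset": None,
        "problems": [],
    }
    if expected_size is not None and abs(len(data) - expected_size) > expected_size * tolerance:
        report["problems"].append(f"size is {len(data)} bytes, expected about {expected_size}")
    if expected_sha256 is not None and report["sha256"] != expected_sha256.lower():
        report["problems"].append("SHA-256 does not match the published hash")
    offset = data.find(RAR_MARKER)
    if report["is_pe"] and offset > 0:
        # A PE stub followed by a RAR archive is the layout of a WinRAR self-extracting
        # package: the stub unpacks and runs whatever the embedded SFX script names.
        report["sfx_rar"] = True
        report["rar_offset"] = offset
        report["problems"].append(
            f"PE carries an embedded RAR archive at offset {offset} (self-extracting stub)")
    return report


# Constructed sample, not the real jiekshijf.exe: a fake 512-byte stub with an archive appended.
SAMPLE = b"MZ" + b"\x00" * 510 + RAR_MARKER + b"constructed archive body\n" * 100


if __name__ == "__main__":
    # The download page promised a program of nearly 5 MB (figure taken from the post).
    report = inspect_download(SAMPLE, expected_size=5 * 1024 * 1024)
    print(f"{report['size']} bytes, sha256 {report['sha256'][:16]}...")
    for p in report["problems"]:
        print(" -", p)
```

Finding an SFX stub is not proof of malice on its own, since plenty of legitimate installers are WinRAR SFX packages; it is the combination with a wildly wrong size, no published hash to compare against, and a "portable" label that should mean no installer at all that justifies scanning the file before anyone double-clicks it.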
Had the file been scanned with antivirus software before being run, it would not have got off so easily.
Deleted all of them.
Used HijackThis to fix the items listed above.
Cleared the IE temporary folder and the system temporary folder.