Author: endurer
Today a colleague's computer crashed with a blue screen:
Filename: vwin32 (05) + 00000bf $ error OE: 0028: C) za3e54
This computer runs Windows ME.
1. Restart the computer in safe mode.
2. Use msconfig.exe to check the startup items. The suspicious startup items named "net" (as shown in the figure) point to the file C:/Windows/system/svch0st.exe (note that the character between h and s in the file name is the digit 0).
Uncheck the three suspicious "net" startup items.
3. Set the system to display all files and not hide file extensions.
The method is:
   1. Open My Computer or Windows Explorer.
   2. Click the View menu (Windows 95/98/NT) or the Tools menu (Windows ME/2000/XP), and then click "Options" or "Folder Options".
   3. Click the View tab.
   4. Deselect "Hide extensions of known file types".
   5. Perform one of the following operations:
      Windows 95/NT: click "Show all files".
      Windows 98: in the "Advanced settings" box, under the "Hidden files" folder, click "Show all files".
      Windows ME/2000/XP: clear the check mark in front of "Hide protected operating system files", and under the "Hidden files and folders" folder, click "Show all files and folders".
   6. Click "Apply", and then click "OK".
4. Use Windows Explorer to open C:/Windows/system, and use the menu: View -- "Arrange Icons" -- "by Date".
The suspicious files svch0st.exe and sfc2.dll are found, as shown in the figure:
(Note: svch0st.exe uses a folder as its icon, which is misleading)
Figure: attributes of the suspicious file svch0st.exe
Figure: attributes of the suspicious file sfc2.dll
5. Next, do the same in C:/example, as shown in the figure:
Figure: attributes of the suspicious file web.exe
(downsys.exe's file name is the same as web.exe, so it will not be uploaded)
There may be files in other folders as well. We decided to first use Rising's free online virus scan.
6. Start Windows normally and go to
http://online.rising.com.cn/ravonline/RavSoft/Rav.asp
Using Rising's free online virus scan, we found two Trojan.DL.gpigeon and one Exploit.html.MHT, as shown in the figure. The files svch0st.exe, sfc2.dll, web.exe and downsys.exe found earlier are not reported.
7. Use McAfee's free online virus scan. It reports one more item than Rising, as shown in the figure.
The files svch0st.exe, sfc2.dll, web.exe and downsys.exe found earlier are still not reported.
8. Remove the virus files:
Close all browser windows.
Use the "Rising Antivirus Assistant" to delete all infected files.
Click here to download Rising anti-virus assistant for Win 2000/XP
Click here to download Rising anti-virus assistant for Win 95/98/me
Because all the virus files are in the IE temporary files folder, you can also clear that folder instead:
Close all browser windows.
Start -- Settings -- Control Panel -- Internet Options -- Delete Files,
where you can select "Delete all offline content".
9. Install AntiVir v6.31 Personal Edition and update it to the latest version. No virus is found.
10. Copy the suspicious files svch0st.exe, sfc2.dll, web.exe and downsys.exe to a floppy disk and scan them with the latest version of Kaspersky.
The suspicious files svch0st.exe, sfc2.dll, web.exe and downsys.exe are probably unknown viruses.
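The file name found in step 2 differs from svchost.exe, the name of a legitimate Windows service host binary, only by a digit 0 in place of the letter o. The following Python code is an added example, not part of the original post: it flags such look-alike names in a directory listing and goes one step further by also catching names that are one character off. The list of known names and the sample listing are constructed assumptions.

```python
"""Flag file names that imitate well-known Windows binaries (added example)."""

# Assumption: a short illustrative list of legitimate names, not a full inventory.
KNOWN_NAMES = ("svchost.exe", "explorer.exe", "rundll32.exe",
               "services.exe", "lsass.exe", "winlogon.exe")
# Look-alike characters folded together: digit 0 for o, 1 or i for l, 5 for s.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "i": "l", "5": "s"})


def skeleton(name):
    """Lower-case the name and fold look-alike characters together."""
    return name.lower().translate(CONFUSABLES)


def edit_distance(a, b):
    """Levenshtein distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def find_lookalikes(file_names, known=KNOWN_NAMES):
    """Return (file_name, imitated_name, reason) for names close to, but not
    identical with, a known binary name."""
    hits = []
    for name in file_names:
        lower = name.lower()
        if lower in known:
            continue  # exact name; its directory still has to be checked separately
        for good in known:
            if skeleton(lower) == skeleton(good):
                hits.append((name, good, "look-alike characters"))
                break
            if edit_distance(lower, good) == 1:
                hits.append((name, good, "one character off"))
                break
    return hits


# Constructed listing; svch0st.exe, sfc2.dll, web.exe, downsys.exe come from the post.
SAMPLE_LISTING = ["SVCHOST.EXE", "svch0st.exe", "sfc2.dll", "web.exe",
                  "downsys.exe", "Isass.exe", "svhost.exe", "explorer.exe"]
if __name__ == "__main__":
    for hit in find_lookalikes(SAMPLE_LISTING):
        print("%-12s imitates %-12s (%s)" % hit)
```

Names such as sfc2.dll, web.exe and downsys.exe are not close to any listed binary, so a name check alone does not surface them; the date-sorted review from step 4 is still needed.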