Repairing a computer with viruses and N+ pieces of rogue software (3rd edition)


Endurer original

Versions 2 and 3: anti-virus software reports added.

Version 1:

A netizen reported that many toolbars had somehow appeared in the IE window on his computer, and that Jiangmin KV kept scanning for viruses automatically. He asked me to help clean it up.

This user's computer runs Windows 2000 Pro SP4. First, Jiangmin KV's automatic scan log:

Virus TrojanDownloader.Agent.AEG (http://virusinfo.jiangmin.com/infomation/200672495427.html), file: C:/winnt/system32/viptray.exe.

Rising reports C:/winnt/system32/viptray.exe: Trojan.DL.adload.Mismatch.

When I opened the C:/winnt/system32 folder, Jiangmin KV's file monitor reported: C:/winnt/system32/cns.exe is infected with the virus Trojan/Agent.VF (http://virusinfo.jiangmin.com/infomation/200672111928.html).

Dizzy! Why didn't Jiangmin KV's automatic scan at startup report this one?

Disable all of Jiangmin KV's monitoring functions; otherwise it interferes with packing the virus files.

Pack C:/winnt/system32/cns.exe and C:/winnt/system32/viptray.exe into a backup archive, then delete them.

Start --> Control Panel --> Add/Remove Programs

N+ pieces of rogue software are listed here: Yahoo Assistant, Global Search, Desktop, Baidu Souba, Baidu Search, Chinese Internet Access, Yihu, ......

Uninstall them all.

Re-enable Jiangmin KV monitoring.

Scan with HijackThis; the log shows the following suspicious items:

-----------
F2 - REG:system.ini: UserInit=C:/winnt/system32/userinit.exe,C:/Documents and Settings/All Users/Application Data/Microsoft/Crypto/lbjadcn.exe
O2 - BHO: MonitorUrl Class - {08a312bb-5409-49fc-9347-54bb7d069ac6} - C:/progra~1/AD~1/javasipn.dll (file missing)
O2 - BHO: BrowserHelper Class - {2d99e8f4-56b7-457b-9a92-61b5d247d263} - C:/winnt/system32/windefendor.dll
O2 - BHO: Network Acceleration - {5673a7c0-95cc-4646-bb07-3bd71234cef9} - C:/winnt/system32/wuwebex.dll
O2 - BHO: BG - {7bdaf75a-0d6f-4f50-afe9-333d08df4005} - (no file)
O2 - BHO: DownloadBHO T2BHO - {B1D147E7-873E-4909-8127-695D9BB78728} - C:/winnt/Downloaded Program Files/conflict.1/barhelp24.0.dll
O4 - HKCU\..\Run: [syss] C:/docume~1/admini~1.HCN/locals~1/temp/ehuupdate.exe
O4 - HKCU\..\Run: [myshares] C:/program files/yihu/myshares.exe /Tray
O4 - HKCU\..\Run: [msnnt] C:/winnt/mcupdate.exe
O4 - Global Startup: IE-BAR.lnk = C:/winnt/system32/rundll32.exe
O9 - Extra button: test3 - {1fba04ee-3024-11d2-8f1f-440f87abd38} - D:/Windows-KB886590-ENU-V1.1.exe (file missing)
O16 - DPF: {56a7dc70-e102-4408-a34a-ae06fef01586} (World Search) - http://iebar.t2t2.com/iebar.cab
-----------

The following files do not exist on disk:
-----------
C:/Documents and Settings/All Users/Application Data/Microsoft/Crypto/lbjadcn.exe
C:/winnt/mcupdate.exe
D:/Windows-KB886590-ENU-V1.1.exe
-----------
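The triage the author does by eye over that log can be automated. The following Python script is an added example, written for this page; it is not part of the original post and not HijackThis's own code. It re-reads the entries above (a constructed sample, re-typed in HijackThis's native backslash format) and flags the properties a defender looks for: a UserInit value that chains extra programs, BHO or startup entries whose file is already gone, executables living under Temp, Application Data or Downloaded Program Files, a startup shortcut that runs rundll32.exe, an ActiveX package served from a host outside an allowlist, and the on-disk existence check the author performed by hand. The allowlists `KNOWN_BHO_CLSIDS` and `TRUSTED_DPF_SUFFIXES` and the `exists` hook are assumptions of this example, to be filled from an organisation's own inventory.

```python
import os
import re
from dataclasses import dataclass

# Constructed sample: the entries from this cleanup, re-typed in HijackThis's
# native format (backslash paths). Real log output from the tool works the same way.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\lbjadcn.exe
O2 - BHO: MonitorUrl Class - {08A312BB-5409-49FC-9347-54BB7D069AC6} - C:\PROGRA~1\AD~1\javasipn.dll (file missing)
O2 - BHO: BrowserHelper Class - {2D99E8F4-56B7-457B-9A92-61B5D247D263} - C:\WINNT\system32\windefendor.dll
O2 - BHO: Network Acceleration - {5673A7C0-95CC-4646-BB07-3BD71234CEF9} - C:\WINNT\system32\wuwebex.dll
O2 - BHO: BG - {7BDAF75A-0D6F-4F50-AFE9-333D08DF4005} - (no file)
O2 - BHO: DownloadBHO T2BHO - {B1D147E7-873E-4909-8127-695D9BB78728} - C:\WINNT\Downloaded Program Files\CONFLICT.1\barhelp24.0.dll
O4 - HKCU\..\Run: [syss] C:\DOCUME~1\ADMINI~1.HCN\LOCALS~1\Temp\ehuupdate.exe
O4 - HKCU\..\Run: [myshares] C:\Program Files\yihu\myshares.exe /Tray
O4 - HKCU\..\Run: [msnnt] C:\WINNT\mcupdate.exe
O4 - Global Startup: IE-BAR.lnk = C:\WINNT\system32\rundll32.exe
O9 - Extra button: test3 - {1FBA04EE-3024-11D2-8F1F-440F87ABD38} - D:\Windows-KB886590-ENU-V1.1.exe (file missing)
O16 - DPF: {56A7DC70-E102-4408-A34A-AE06FEF01586} (World Search) - http://iebar.t2t2.com/iebar.cab
"""

ENTRY_RE = re.compile(r"^([FOR]\d+)\s*-\s*(.*)$")
PATH_RE = re.compile(r"[A-Za-z]:\\[^(),]*?\.(?:exe|dll|cab|scr)", re.IGNORECASE)
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]+\}")

# Assumptions for this example: an organisation fills these from its own inventory.
KNOWN_BHO_CLSIDS = frozenset()               # CLSIDs of approved browser add-ons (none here)
TRUSTED_DPF_SUFFIXES = ("microsoft.com",)    # hosts allowed to push ActiveX packages
# Autostart entries pointing into these folders are unusual for legitimate software.
SUSPICIOUS_PATH_MARKERS = ("\\temp\\", "\\application data\\", "\\downloaded program files\\")


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O2"
    line: str      # the log line as written
    reasons: list  # why it was flagged


def triage(log_text, exists=os.path.exists):
    """Return a Finding for every entry that shows at least one suspicious property."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        section, body = m.groups()
        low = body.lower()
        reasons = []
        if section == "F2" and "userinit=" in low:
            programs = [p for p in body.split("=", 1)[1].split(",") if p.strip()]
            if len(programs) > 1:
                reasons.append("UserInit chains %d programs; only userinit.exe is expected" % len(programs))
        tool_says_missing = "(file missing)" in low or "(no file)" in low
        if tool_says_missing:
            reasons.append("orphaned entry: the registered file is gone")
        for marker in SUSPICIOUS_PATH_MARKERS:
            if marker in low:
                reasons.append("executable lives under %s" % marker.strip("\\"))
                break
        if section == "O2":
            clsid = CLSID_RE.search(body)
            if clsid and clsid.group(0).upper() not in KNOWN_BHO_CLSIDS:
                reasons.append("BHO %s is not on the approved list" % clsid.group(0))
        if section == "O4" and ".lnk" in low and "rundll32.exe" in low:
            reasons.append("startup shortcut launches rundll32.exe (a host process, not a program)")
        if section == "O16":
            host = re.search(r"https?://([^/\s]+)", body)
            if host and not host.group(1).lower().endswith(TRUSTED_DPF_SUFFIXES):
                reasons.append("ActiveX package served from untrusted host %s" % host.group(1))
        if not tool_says_missing:
            # The check the author did by hand: is the referenced file actually on disk?
            for path in PATH_RE.findall(body):
                if not exists(path):
                    reasons.append("not on disk: %s" % path)
        if reasons:
            findings.append(Finding(section, line, reasons))
    return findings


def report(findings):
    """Human-readable summary: each flagged line followed by its reasons."""
    out = []
    for f in findings:
        out.append(f.line)
        out.extend("    - " + r for r in f.reasons)
    return "\n".join(out)


if __name__ == "__main__":
    print(report(triage(SAMPLE_LOG)))
```

The `exists` hook is there so the same logic can be run against a log copied off another machine (pass a lookup over a file inventory instead of `os.path.exists`); on the infected machine itself the default does the author's existence check directly.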

But in the C:/winnt/system32/Drivers/MCQ folder we found:
-----------
0        adout.dat
20,480   adout.exe
40,960   mcupdate.exe
46       up.dat
169      verx.dat   (dated 2006-04-18)
5 files, 61,655 bytes in total
-----------

Kaspersky reports mcupdate.exe: Trojan-Downloader.Win32.Agent.apu

Rising reports mcupdate.exe: Trojan.DL.Agent.kbp

Jiangmin KV reports mcupdate.exe: TrojanDownloader.Agent.AEC (http://virusinfo.jiangmin.com/infomation/2006721101151.html).

Note: in McAfee's network security suite, the program that connects to the server to update the virus database is also named mcupdate.exe. Do not confuse the two.

Locate the files with WinRAR:
-----------
C:/winnt/system32/windefendor.dll
C:/winnt/system32/wuwebex.dll
C:/docume~1/admini~1.HCN/locals~1/temp/ehuupdate.exe
-----------
Only C:/docume~1/admini~1.HCN/locals~1/temp/ehuupdate.exe could be packed into the backup archive and deleted.

Kaspersky reports C:/winnt/system32/windefendor.dll: not-a-virus:AdWare.Win32.DM.m
Kaspersky reports C:/winnt/system32/wuwebex.dll: not-a-virus:AdWare.Win32.Accelerator.e

Meanwhile,
-----------
C:/winnt/system32/windefendor.dll
C:/winnt/system32/wuwebex.dll
-----------
could be neither deleted nor renamed.

Fortunately, IceSword 1.12 still works.

Running IceSword 1.12 shows that both DLLs are loaded into the explorer.exe process. I unloaded wuwebex.dll and moved it to the C:/Temp folder for analysis.

However, when unloading windefendor.dll, the system reported an error in the explorer.exe process, and IceSword 1.12 could no longer view that process's module information. After restarting IceSword 1.12, the DLL was still injected into explorer.exe, and the wuwebex.dll that had been moved to C:/Temp was injected into explorer.exe as well. Dizzy!

Unloading windefendor.dll failed with an error several more times.

Download auto_del.rar, a program that deletes files automatically on the next boot, from http://endurer.ys168.com, unpack it and run auto_del.exe. Drag C:/winnt/system32/windefendor.dll from the WinRAR window onto the auto_del.exe window, then click the "delete on next boot" button.

Then open the BAT file generated by auto_del.exe in Notepad and change the delete command (del) to the rename command (ren), so the file is kept for analysis instead of destroyed.
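The post does not say how auto_del.exe works beyond generating a BAT file, so the following Python is an added example, not taken from the post or from auto_del, showing the Windows-native way to do the same job: MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT records a source/target pair in the REG_MULTI_SZ value PendingFileRenameOperations (under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager), and Session Manager carries the operations out during the next boot, before explorer.exe exists to load the DLL again. An empty target means delete and a target prefixed with "!" means replace an existing file, so the author's del-to-ren edit corresponds to supplying a quarantine path as the target instead of an empty string. The file paths and the quarantine folder C:\Temp\quarantine are assumptions; `schedule_for_reboot` only runs on Windows with administrator rights, while the encoder, decoder and parser run anywhere and double as a tool for auditing what a machine has scheduled for its next boot.

```python
import ctypes
import ntpath
import sys

NT_PREFIX = "\\??\\"            # pending operations store paths in NT object-manager form
MOVEFILE_REPLACE_EXISTING = 0x1
MOVEFILE_DELAY_UNTIL_REBOOT = 0x4


def encode_multi_sz(strings):
    """Serialise a REG_MULTI_SZ: each string NUL-terminated, then one extra NUL, UTF-16LE."""
    return ("".join(s + "\0" for s in strings) + "\0").encode("utf-16-le")


def decode_multi_sz(raw):
    """Inverse of encode_multi_sz; empty strings inside the list are preserved."""
    parts = raw.decode("utf-16-le").split("\0")
    return parts[:-2]           # the last two pieces come from the two terminating NULs


def build_pending_ops(ops):
    """ops: list of (source, target); target None means delete at boot.
    Returns the REG_MULTI_SZ bytes Windows keeps in PendingFileRenameOperations."""
    strings = []
    for src, dst in ops:
        strings.append(NT_PREFIX + src)
        # empty target = delete; a leading "!" = MOVEFILE_REPLACE_EXISTING
        strings.append("" if dst is None else "!" + NT_PREFIX + dst)
    return encode_multi_sz(strings)


def parse_pending_ops(raw):
    """Read the value back into (source, target) pairs. Defenders audit this value:
    anything scheduled to move or vanish at boot deserves a look."""
    strings = decode_multi_sz(raw)
    if len(strings) % 2:
        raise ValueError("PendingFileRenameOperations must hold source/target pairs")
    ops = []
    for src, dst in zip(strings[0::2], strings[1::2]):
        src = src[len(NT_PREFIX):] if src.startswith(NT_PREFIX) else src
        if dst == "":
            ops.append((src, None))
            continue
        dst = dst[1:] if dst.startswith("!") else dst
        dst = dst[len(NT_PREFIX):] if dst.startswith(NT_PREFIX) else dst
        ops.append((src, dst))
    return ops


def quarantine_instead_of_delete(ops, quarantine_dir):
    """The author's del -> ren edit: turn every delete into a move into a quarantine folder
    so the sample survives for analysis. Assumed folder: C:\\Temp\\quarantine."""
    return [(src, ntpath.join(quarantine_dir, ntpath.basename(src)) if dst is None else dst)
            for src, dst in ops]


def schedule_for_reboot(ops):
    """Register the operations through kernel32 (Windows only, administrator rights needed).
    Session Manager performs them during boot, before explorer.exe or any other user-mode
    process can load the DLL and pin it again."""
    if sys.platform != "win32":
        raise RuntimeError("MoveFileExW is only available on Windows")
    kernel32 = ctypes.windll.kernel32
    for src, dst in ops:
        flags = MOVEFILE_DELAY_UNTIL_REBOOT | (0 if dst is None else MOVEFILE_REPLACE_EXISTING)
        if not kernel32.MoveFileExW(src, dst, flags):
            raise ctypes.WinError()


if __name__ == "__main__":
    # Assumed paths: the stuck DLL from this cleanup, quarantined rather than deleted.
    ops = quarantine_instead_of_delete([("C:\\WINNT\\system32\\windefendor.dll", None)],
                                       "C:\\Temp\\quarantine")
    print(parse_pending_ops(build_pending_ops(ops)))
```

On the infected machine the same value can be read with `winreg` and passed to `parse_pending_ops` to confirm that only the intended DLL is queued, since rogue software can use the very same mechanism to reinstall or rename its own files at boot.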

Close all browser and folder windows, then use HijackThis to fix the suspicious items listed above.

Folders such as huaci, searchnet and IE-bar in C:/Program Files were also uninstalled and deleted.

I wanted to report several suspicious files to Rising, but could not open the web page! Yet pinging www.163.com and other sites worked, so the network connection was fine. Dizzy!

After restarting the computer, web pages opened normally. I suspect the earlier failure was caused by Jiangmin KV's web page monitoring.
