Endurer (original)
Version 2005.11.08 (3rd): supplemented with Kaspersky's response on the suspicious service files such as distfsv.exe.
Version 2005.11.07 (2nd): added Rising's reply on the file distfsv.exe, which belonged to the suspicious services.
Version 2005.11.04 (1st): created.
* Note: for safety, "http://" in the malicious URLs in this text is replaced by "hxxp://".
Last night I helped a colleague fix a computer whose browser was hijacked to web.9983.com and which occasionally popped up advertisement windows. Here I record the symptoms, the analysis and repair process, and some suggestions.
My colleague's computer runs Windows XP with Kingsoft Duba 2005 (Kingsoft AntiVirus) installed.
I. Symptoms
The IE home page is changed to web.9983.com and cannot be reset.
The Registry Editor is disabled.
Several advertisement pages, such as www.uu500.com, occasionally pop up at startup.
Malicious web pages appear on the desktop.
II. Analysis and repair
1. Download and run Rising's registry repair tool. It checks whether the EXE or TXT file associations have been modified and, if so, repairs them.
2. Open "Add or Remove Programs" in the Control Panel and uninstall plug-ins such as Yisearch and Yahoo Assistant.
3. Scan with HijackThis (it can be downloaded from the Tools/System analysis and repair section of http://endurer.ys168.com); it finds the following items, which are fixed:
O4 - HKCU\..\Run: [iexplore.exe] iexplore.exe hxxp://www.uu500.com
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
Two suspicious services are also found:
Distributed File System services: C:\Windows\system32\distfsv.exe (service)
Windows Audio services: C:\Windows\system32\winms.exe (service)
Stop and disable both of them.
4. Run the Rising online scan, which finds the following viruses (the scan record was saved by "Rising Antivirus Assistant", which can be downloaded from the Tools/Antivirus tools section of http://endurer.ys168.com):
20:53:49 Rising Antivirus Assistant
Windows XP (5.1.2600)
File name                                  Virus name
C:\$ntuninstallq1494$\3721.bat             Trojan.WinReg.StartPage.d
C:\found000055\file0010.chk                Exploit.HTML.MHT
C:\Windows\system32\nt_g_dll.dll           Trojan.DL.Agent.DQA
C:\Windows\system32\winms.exe              Trojan.DL.Agent.dpy
C:\Windows\system32\nt_plus_dll.dll        Trojan.DL.Agent.dpz
C:\Windows\system.hta                      Script.Adware.Yobous.d
(For an analysis of C:\Windows\system.hta, see "Some analysis and suggestions on the virus Script.Adware.Yobous.d".)
(Apart from C:\Windows\system.hta, Kaspersky can also detect and remove the other virus files.)
5. Use "Rising Antivirus Assistant" to delete the files:
C:\$ntuninstallq1494$\3721.bat
C:\found000055\file0010.chk
C:\Windows\system32\winms.exe
C:\Windows\system.hta
However,
C:\Windows\system32\nt_g_dll.dll
C:\Windows\system32\nt_plus_dll.dll
cannot be deleted.
Use the "change all file names" and "delete at next startup" functions of "Rising Antivirus Assistant" to get rid of them.
6. The suspicious service files are located:
C:\Windows\system32\distfsv.exe
C:\Windows\system32\distfsv1.dll
C:\Windows\system32\distfsv2.dll
However, they can be neither packaged for backup nor deleted.
In addition, the file C:\Windows\system32\autoup.t is found; its content is:
[Update]
Ver=51016
Update=2005.9.20 08:37:24
Filecount=1
File1=hxxp://web.9983.com/autodown/20051016.exe
Filename1=sdt_auto_v51016.exe
Fileexc1=1
Meexit=1
[Hosts]
File=hxxp://web.9983.com/autodown/host.htm
Hosts=1
Downloading hxxp://web.9983.com/autodown/20051016.exe shows that this file is identical to winms.exe.
7. Disable the System Restore function. For details, see [System Repair series] How to disable or enable Windows XP System Restore.
8. Clear the temporary IE folder. For details, see [System Repair series] How to clear the temporary IE folder.
9. To get hold of the suspicious files
C:\Windows\system32\distfsv.exe
C:\Windows\system32\distfsv1.dll
C:\Windows\system32\distfsv2.dll
restart the computer in safe mode (for details, see [System Repair series] How to start in safe mode), package and back up the three files, and then delete them.
10. Restart the computer in normal mode; the system now works normally.
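The autoup.t file found in step 6 is the downloader's update manifest. The following Python is an added example, not code from the original post, that parses such a manifest and reports what it would fetch and run and which hostnames to block; the meanings assigned to Fileexc, Meexit and Hosts are assumptions inferred from the key names, and the sample text is the file content quoted above.

```python
import configparser
from urllib.parse import urlsplit

# autoup.t content as quoted above (defanged hxxp:// kept as found on the page).
AUTOUP_T = """[Update]
Ver=51016
Update=2005.9.20 08:37:24
Filecount=1
File1=hxxp://web.9983.com/autodown/20051016.exe
Filename1=sdt_auto_v51016.exe
Fileexc1=1
Meexit=1
[Hosts]
File=hxxp://web.9983.com/autodown/host.htm
Hosts=1
"""

def _host(defanged_url):
    # Re-arm the scheme only so urlsplit parses it; nothing is fetched here.
    return urlsplit(defanged_url.replace("hxxp", "http", 1)).hostname

def parse_autoup(text):
    """Describe what the manifest would download and run (key meanings assumed)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    upd = cp["Update"]
    downloads = []
    for i in range(1, int(upd.get("Filecount", "0")) + 1):
        url = upd.get(f"File{i}")
        if not url:  # tolerate a count that overstates the entries
            continue
        downloads.append({
            "url": url,
            "save_as": upd.get(f"Filename{i}", ""),
            "execute": upd.get(f"Fileexc{i}", "0") == "1",  # assumed: exec flag
            "host": _host(url),
        })
    return {
        "version": upd.get("Ver"),
        "exit_after_update": upd.get("Meexit", "0") == "1",  # assumed
        "downloads": downloads,
        "hosts_url": cp.get("Hosts", "File", fallback=None),
        "hosts_overwrite": cp.get("Hosts", "Hosts", fallback="0") == "1",  # assumed
    }

def block_list(text):
    """Distinct hostnames the manifest contacts, for a hosts-file deny list."""
    info = parse_autoup(text)
    hosts = {d["host"] for d in info["downloads"]}
    if info["hosts_url"]:
        hosts.add(_host(info["hosts_url"]))
    return sorted(hosts)
```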
III. Suggestions
1. Deny access to the malicious websites.
Either add the following lines
127.0.0.1 web.9983.com
127.0.0.1 www.uu500.com
to the hosts file (for details, see [System Repair series] How to repair and use the hosts file),
or add
web.9983.com
www.uu500.com
to the denied-sites list (for details, see [System Repair series] How to use the Content Advisor function in IE).
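An added Python example (not from the original post) of applying suggestion 1: it adds the two blocking entries to hosts-file content without duplicating ones already present, checks that a name is blocked, and lists entries that point a name at a non-loopback address, the shape a rewritten hosts file (the kind the [Hosts] section of autoup.t points at) would take. The sample hosts content is constructed.

```python
# Constructed hosts-file content (not from the page); one block entry already exists.
SAMPLE_HOSTS = """# Hosts file
127.0.0.1       localhost
127.0.0.1 web.9983.com
"""
BLOCKED = ["web.9983.com", "www.uu500.com"]  # the two hosts named in suggestion 1

def parse_hosts(text):
    """Return (ip, hostname) pairs, ignoring comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        entries.extend((parts[0], name.lower()) for name in parts[1:])
    return entries

def add_block_entries(text, hostnames, sink="127.0.0.1"):
    """Append 'sink hostname' for each name not yet mapped to sink; idempotent."""
    present = {name for ip, name in parse_hosts(text) if ip == sink}
    missing = [h for h in hostnames if h.lower() not in present]
    if missing and text and not text.endswith("\n"):
        text += "\n"
    text += "".join(f"{sink} {h}\n" for h in missing)
    return text, missing

def is_blocked(text, hostname, sink="127.0.0.1"):
    """True when hostname resolves to the sink address via this hosts content."""
    return (sink, hostname.lower()) in parse_hosts(text)

def suspicious_entries(text):
    """Entries mapping a name to a non-loopback address; a hijacked hosts file
    that redirects sites elsewhere shows up here, while block entries do not."""
    return [(ip, n) for ip, n in parse_hosts(text)
            if not ip.startswith("127.") and ip != "::1"]
```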
2. Choose and install anti-virus software and enable real-time monitoring. Some anti-virus software is really useless.
3. Enable automatic system updates and patch the system promptly (if you are using Windows XP, consider this carefully). For details, see [System Repair series] How to update and patch the system.
4. Browse the web with Maxthon or GreenBrowser.
* Supplement: 2005.11.07
Rising's reply on the suspicious service files such as distfsv.exe:
Subject: Rising customer service center_reply to virus questions
Sender: Send@rising.net.cn
Sent at: 13:12:51
Dear customer,
Your email has been received. Thank you for your support of Rising.
We have analyzed your problem and files in detail. The following are the analysis results for the files you uploaded:
1. File name: autoup.t
Not a virus
2. File name: distfsv.exe
:) Virus name: Trojan.DL.Small.BDI
3. File name: distfsv1.dll
:) Virus name: Trojan.DL.Small.BDI
4. File name: distfsv2.dll
:) Virus name: Trojan.DL.Small.BDI
We will solve the problem in the newer version 17.52.0. Please upgrade your Rising software to 17.52.0 and enable the monitoring center to completely remove the virus. If a problem is found during testing, we will postpone the upgrade from version 1 to version 2.
* Supplement: 2005.11.08
Kaspersky reports distfsv.exe, distfsv1.dll and distfsv2.dll as Trojan-Downloader.Win32.Agent.yo.