Endurer Original
2006-10-15, 1st version
Last night, a colleague said that his computer was slow and that he could play online games but not browse web pages, and asked me to help check it.
The computer runs Windows XP SP2 with Jiangmin KV2006 anti-virus software and the Outpost firewall.
Worker processes, terminate them, and the system returns normally.
Pinging www.163.com worked, so the network connection was normal.
I wanted to download tools from the Internet to analyze the system, but web pages could not be browsed.
Because Jiangmin KV2006 is unstable and has a "tradition" of often causing web browsing failures, I disabled Jiangmin KV real-time monitoring.
In Control Panel, "Add or Remove Programs" listed Desktop Media, mmsassist (MMS), webwork, Yahoo assistant and other rogue software.
Desktop Media installs itself into the Winsock LSP chain (HijackThis reports this as O10 items in its log). If anti-virus software deletes the installed file but does not repair the Winsock LSP chain, web pages can no longer be opened (see: solve the pop-up window and adware.hbang (5th version), http://endurer.bokee.com/4466883.html).
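The failure mode described above, as an added example that is not part of the original post: a check for Winsock catalog entries whose provider DLL is no longer on disk. The registry location and value layout are stated as assumptions in the code, the function names are hypothetical, and the sample entries (including the ExampleAdware path) are constructed.

```python
import os
import re

# Assumption: each provider is a subkey here whose REG_BINARY value
# PackedCatalogItem starts with the provider DLL path (ANSI, NUL-terminated).
CATALOG_KEY = (r"SYSTEM\CurrentControlSet\Services\WinSock2\Parameters"
               r"\Protocol_Catalog9\Catalog_Entries")

def provider_path(packed):
    """Return the DLL path stored at the start of a PackedCatalogItem blob."""
    return packed.split(b"\x00", 1)[0].decode("latin-1")

def expand(path, env):
    """Expand %VAR% references case-insensitively, as Windows does."""
    upper = {k.upper(): v for k, v in env.items()}
    return re.sub(r"%([^%]+)%",
                  lambda m: upper.get(m.group(1).upper(), m.group(0)), path)

def broken_providers(entries, env, exists=os.path.exists):
    """Return (entry, dll) for every catalog entry whose DLL is not on disk."""
    found = ((name, expand(provider_path(blob), env)) for name, blob in entries)
    return [(name, dll) for name, dll in found if not exists(dll)]

def read_catalog():
    """Windows only: read every PackedCatalogItem from the live registry."""
    import winreg
    entries = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, CATALOG_KEY) as root:
        for i in range(winreg.QueryInfoKey(root)[0]):
            name = winreg.EnumKey(root, i)
            with winreg.OpenKey(root, name) as sub:
                entries.append((name, winreg.QueryValueEx(sub, "PackedCatalogItem")[0]))
    return entries

# Constructed sample: the stock provider plus an LSP whose DLL a scanner deleted.
SAMPLE = [
    ("000000000001", b"%SystemRoot%\\system32\\mswsock.dll\x00" + b"\x00" * 16),
    ("000000000002", b"C:\\Program Files\\ExampleAdware\\lsp.dll\x00" + b"\x00" * 16),
]
SAMPLE_FILES = {"c:\\windows\\system32\\mswsock.dll"}  # files that "exist"

def demo():
    return broken_providers(SAMPLE, {"SystemRoot": "C:\\Windows"},
                            lambda p: p.lower() in SAMPLE_FILES)

if __name__ == "__main__":
    live = os.name == "nt"
    result = broken_providers(read_catalog(), os.environ) if live else demo()
    for name, dll in result:
        print(f"catalog entry {name}: provider DLL missing: {dll}")
```

An entry reported here is the state that lspfix.exe or `netsh winsock reset` (Windows XP SP2 and later) repairs; deleting the DLL alone leaves the entry in the chain.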
I tried to uninstall Desktop Media, but it did not succeed ...
I wanted to log on to QQ and ask an online friend to send the required software, but the QQ login did not succeed either ...
I restarted the computer into Safe Mode with Networking,
opened the command prompt, and ran the command: ipconfig.exe /all > C:\net.txt, which saves the current network configuration information to the file C:\net.txt.
I opened the Registry Editor and went to
[HKEY_LOCAL_MACHINE\system\CurrentControlSet\control\network]
I first backed the key up as network.reg, and then deleted the two keys related to TCP/IP and the current network connection.
I removed the NIC in the hardware manager.
I restarted the computer. The system reported that a NIC had been found but that its driver could not be found. The taskbar and desktop icons were not displayed. I pressed CTRL + ALT + DEL to open the Task Manager, used the menu File -> New Task to find the network.reg file I had just backed up, imported it into the registry, and restarted the computer.
This time the desktop appeared normally, but the NIC still did not work because the driver had not been found. I opened the file C:\net.txt that held the previously saved network configuration information and manually selected the driver to install according to the NIC type ... OK!
Finally, web pages could be browsed!
From http://endurer.ys168.com I downloaded fix_ie.bat, lspfix.exe, HijackThis, IceSword, the Rising Antivirus assistant for Win 2000 or above, and auto_del, a program that deletes files at the next startup.
From http://purpleendurer.ys168.com I downloaded the file batch processor bat_do.
From the Rising website I downloaded the Rising registry repair tool.
I ran the Rising registry repair tool; it found no abnormal items.
I ran lspfix.exe; it found no items attached to the LSP chain by Desktop Media.
I ran a HijackThis scan and found the following suspicious items in the log:
/------------------
Logfile of hijackthis v1.99.1
Platform: Windows XP SP2 (winnt 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running Processes:
C:\Windows\system32\rundll.exe
C:\program files\common files\update2\update.exe
O2 - BHO: myiehelper class - {16b770a0-0e87-4278-b748-2460d64a8386} - C:\Documents and Settings\all users\Application Data\Microsoft\userdata\iehelper_5001.dll
O2 - BHO: raobject class - {46f194eb-b7db-4b7a-bd42-5ff39fd17664} - C:\progra~1\pcast\hbcast.dll
O2 - BHO: Vision - {6671a431-5c3d-463d-a7cf-5587f9b7e191} - C:\progra~1\mmsass~1\mmsass~1.dll
O2 - BHO: (No Name) - {D83D38CF-77AE-4611-9EDE-72D910610236} - C:\Windows\system32\sys32version.dll
O4 - HKLM\..\run: [newrmtservice] C:\program files\newremotecontrol\newrmtservice.exe
O4 - HKLM\..\run: [update] C:\program files\common files\update2\update.exe
O4 - HKLM\..\run: [richmedia] C:\Windows\system32\rundll32.exe "C:\progra~1\pcast\hbcast.dll",waitwindows
O4 - hkcu\..\run: [bgswitch] C:\Windows\system32\bgswitch.exe
O8 - extra context menu item: > MMS sending < - res://C:\progra~1\mmsass~1\mmsass~1.dll/mms.htm
O20 - Winlogon notify: skwinlogon - C:\Windows\system32\DLL.dll
O21 - ssodl: webwork - {4c611512-2c1d-44b2-a044-872ad2ad5a61} - C:\Windows\webwork.dll
-----------/
I uninstalled mmsassist (MMS), webwork, Yahoo assistant, and other rogue software.
I checked C:\Windows and C:\Windows\system32 with WinRAR and found the following suspicious files:
/-----------------
DLL.dll
Ie.exe (Kaspersky reports Trojan-Spy.Win32.Agent.ct, http://www.viruslist.com/en/find?words=Trojan-Spy.Win32.Agent.ct)
Rundll.exe
Rundll32.exe (the icon is blank)
Sys32version.dll (Kaspersky reports Trojan-Clicker.Win32.BHO.f, http://www.viruslist.com/en/find?words=Trojan-Clicker.Win32.BHO.f; Rising reports Trojan.DL.Agent.xec)
Cnt.exe (Kaspersky reports Trojan-Clicker.Win32.BHO.f)
Update21.exe
Update31.exe
Update41.exe
... (all update?1.exe files, omitted)
Update111.exe
Usercrd.dll (Kaspersky reports not-a-virus:adware.win32.ncast.d, http://www.viruslist.com/en/find?words=not-a-virus:adware.win32.ncast.d)
------------------/
I dragged them into the bat_do program window and ticked them in the file list.
I ticked "use RAR compression", entered the decompression password, and set the location of the compressed file to D:\virus.
I ticked "set attributes".
I ticked "rename".
I clicked the [generate command] button and then the [Execute Command] button.
I ran the Rising Antivirus assistant and used the Rising free online scan on C:\Windows. It reported C:\Windows\system32\sys32version.dll as Trojan.DL.Agent.xec.
I used the Rising free online scan on C:\Documents and Settings and found that install.exe in the IE folder is Dropper.Agent.DxR (Kaspersky reports not-a-virus:adware.win32.softomate.u, http://www.viruslist.com/en/find?words=not-a-virus:adware.win32.softomate.u).
All of them were handled by the Rising Antivirus assistant.
I used HijackThis to scan and fix the items listed above.
I cleared the temporary IE folders.