Recently my computer has been acting up, and I don't know when it started. In Maxthon, every time I open a new window and type a URL or select a favorite, 1 or 2 pop-up IE windows open as well. They are baby.aoe88.com and www.139love.com. I checked the hosts file under the WinNT\System32\Drivers\etc subdirectory and found nothing abnormal. I also went through the startup group looking for a way to deal with it. In the end I could only turn to Google, where I found that many people on the Internet have been hit by the same malicious websites as I have. After searching, I found a solution, which is presented as follows:
Run regedit.exe and navigate to:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
I found three BHOs there (note: Browser Helper Objects; each entry is the ID number of a browser helper module):
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - This is a module of Adobe Acrobat Reader (for processing PDF files).
{3e422f49-1566-40d3-b43d-077ef739ac32} - unknown
{A5366673-E8CA-11D3-9CD9-0090271D075B} - This is a module of the Internet Express (Flashget).
Copy the ID number of the unknown module, switch to HKEY_CLASSES_ROOT, click Edit -> Find, and enter {3E422F49-1566-40D3-B43D-077EF739AC32} (search keys only). Expand the CLSID key that is found: with InprocServer32 selected on the left, the default value on the right shows the location and name of the file corresponding to the CLSID. The search turned up only one DLL file: navihelper.dll. So I went to WinNT\System32, found the file, looked at the name and copyright in its properties, and tentatively concluded that this DLL was the culprit. Opening the DLL with UltraEdit, I discovered the string /host.dat, and under WinNT\System32 there was indeed a host.dat. The most suspicious thing is that this file had been modified just today!
Opening host.dat with UltraEdit, http://baby.aoe88.com/ad.html is right there in the list! There are also http://www.qu123.com/aoyu1.html and other URLs. At this point, it is clear enough that NaviHelper.dll is the culprit!
Analysis of how it works: NaviHelper.dll registers itself with IE as a BHO. When IE is opened, it automatically downloads the advertisements to be displayed from the website and saves them in host.dat (database: "This file contains an SQLite 2.1 database"), then displays them according to the settings in the database.
The next job is very simple. First, find all the NaviHelper key values in the registry and delete them.
Then go to Start -> Run and enter: regsvr32 navihelper.dll -u. Finally, restart your computer, then remove the NaviHelper.dll and Host.dat files under System32.
Using this method, I did find Host.dat and NaviHelper.dll. After the above operation, when opening a new web page, there is still a pop-up window from the Baby.aoe88.com website! Helpless... I have no other means left to try. I hate the people who run these malicious websites!
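
The manual lookup described above (Browser Helper Objects key, then CLSID, then InprocServer32, then the DLL's properties) can be done for every registered BHO in one read-only pass. The following PowerShell is an added example, not part of the original post; the WOW6432Node paths and the signature check go beyond what the post describes and are assumptions about what else is worth inspecting on a 64-bit system.

```powershell
# Added example: list every registered BHO and the DLL behind it (read-only).
$bhoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    # 32-bit registry view on 64-bit Windows (assumption: not mentioned in the post)
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
$clsidRoots = @(
    'Registry::HKEY_CLASSES_ROOT\CLSID',
    'Registry::HKEY_CLASSES_ROOT\WOW6432Node\CLSID'
)

$report = foreach ($root in $bhoRoots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    foreach ($bho in Get-ChildItem -LiteralPath $root) {
        $clsid = $bho.PSChildName

        # CLSID -> InprocServer32; its default value holds the DLL path
        $dll = $null
        foreach ($c in $clsidRoots) {
            $k = Get-Item -LiteralPath "$c\$clsid\InprocServer32" -ErrorAction SilentlyContinue
            if ($k) { $dll = $k.GetValue(''); break }
        }

        # Expand %SystemRoot% etc. and strip quotes before touching the file
        $path = if ($dll) { [Environment]::ExpandEnvironmentVariables($dll).Trim('"') }
        $file = if ($path -and (Test-Path -LiteralPath $path)) { Get-Item -LiteralPath $path }

        [pscustomobject]@{
            CLSID     = $clsid
            Dll       = $path
            Company   = $file.VersionInfo.CompanyName   # what the post read from Properties
            Modified  = $file.LastWriteTime             # recent change was the post's red flag
            Signature = if ($file) { (Get-AuthenticodeSignature -FilePath $file.FullName).Status }
        }
    }
}

# Newest DLLs first; rows with no Dll, no Company or a non-Valid signature deserve a closer look
$report | Sort-Object Modified -Descending | Format-Table -AutoSize
```

A row whose Dll column is empty means the BHO entry points at a CLSID with no InprocServer32 registration, which is itself worth noting when cleaning up leftover keys.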