Author: WANGYUGANG Date: 25-OCT-2004 Source: http://blog.9cbs.net/wangyugang Version: 0.01
I opened SharpReader this morning to see whether there were any new articles. Suddenly a "Search For" page popped up, then another page opened telling me there was spyware on my machine; closing it sent me off to a search website. At that moment I realized: I've been had!
Symptoms:
When IE starts, a "Search For" page appears and the IE address bar shows about:blank. A pop-up page claims the machine has N spyware items, or that the machine is running inefficiently. Closing it jumps automatically to http://searchx.cc/search.php.
It pops up whenever you open a web page or close certain programs. In a word: annoying! Let's kill it!
Killing method:
Method 1: [Win98/2000/XP, untested] Download CWSINSTALL.EXE, boot straight into Safe Mode and run it to remove the infection, then remove the Internet temporary files; if nothing turns up, run it again.
Method 2: [Win98/2000/XP, untested] Restore the registry to a backup taken before the problem appeared (other changes made to the registry in the meantime are lost), or use System Restore to roll back to before the problem.
Method 3: [Win9x/ME, untested] Boot into Safe Mode and use HijackThis to find the .dll file that is started from the O4 ... RunServices entry; fix that item (with msconfig.exe, or by editing the registry directly), then find and delete the .dll file itself (you may first need to remove its read-only, system and hidden attributes, and enable "show hidden files" in Folder Options so that you can see it). Reboot into normal mode.
Method 4: [Win9x/ME, untested]
1. Download Reglite, a free registry editor that is more capable than the one built into Windows. Also download the latest version of CWShredder.exe and keep it ready. (Download Reglite.exe; download CWShredder.exe.)
2. Install and run Reglite, enter the following line in the Address box at the top (you can copy it from here) and click Go: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
3. Double-click AppInit_DLLs in the lower-right window; a window titled "Data Editor" pops up. In the Value box at the bottom you will see the path and file name of a .dll file. This is the "hidden" file. Note its path name and the size value on the line above. The file is usually in the system folder; for ease of description I assume it is C:\Windows\system32\dllname.dll.
4. At this point the item selected in the left window should be "Windows". Click it with the mouse so that it is highlighted (the highlight is purple; confirm that it really is HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows and not something else), click Edit on the top toolbar, then click Rename on the pop-up menu. Rename Windows to NotWindows. (NotWindows is only for ease of narration; any other name will do. What matters is that renaming the Windows key removes some of the protection around the .dll file.)
5. Back in the right window, double-click AppInit_DLLs again and delete the entire entry for that .dll file from Value. In my example, I delete C:\Windows\system32\dllname.dll from Value. Click the third button, "Apply", then the first button, "OK".
6. Repeat step 4, but this time rename NotWindows back to its original name, Windows.
7. Run CWShredder.exe; first click "Check for update" to upgrade it to the latest version (requires a network connection), then click Fix so that it repairs the problem automatically. This step clears the other .dll file.
8. Now let's dig the "hidden" .dll file out.
As said above, I assume here that it is C:\Windows\system32\dllname.dll; note that the .dll you encounter will have its own name and path, and may not be on C:. First we have to remove the file's attributes: Start - Run - type command - click OK - in the DOS window that appears type cd C:\Windows\System32 and press Enter - type attrib -r -s -h dllname.dll and press Enter - type exit and press Enter to close the DOS window. Then there are several ways to proceed, and one of them should work.
(1) If you are using the FAT/FAT32 file system, try renaming the .dll file (including its extension), then try to delete it after a reboot. If that fails, rename it a few more times.
(2) If the above does not work and you have a dual- or multi-boot system that includes 9x or ME, you can also boot into 9x or ME Safe Mode and delete the .dll file there. (It is best to enable showing system and hidden files in Folder Options, otherwise it may not be found.)
(3) If you are not using NTFS, you can also boot into DOS from a startup CD or boot floppy and delete the file there. I hope you have some DOS experience. Example (press Enter after each entry): cd C:\Windows\System32, attrib -r -s -h dllname.dll (this step is added for safety), del /f dllname.dll. Restart, set the BIOS back to booting from the hard disk, and enter Windows.
(4) If you are using NTFS, the trojan has set permissions on the file (NTFS allows this), which makes the problem troublesome. You can try renaming the .dll file (with a third-party tool such as Copylock) to a different name, in particular changing the extension to something Windows does not recognise, such as DGEWSC.DAFHF or 342234.5346; rename it several times and you may then be able to delete it.
If that fails, set the BIOS to boot from CD, insert the 2000/XP CD, enter the Recovery Console (press R when asked), and then follow the DOS removal steps under (3).
Method 5: [Win98/2000/XP, tested] Delete the Internet temporary files, download cwsinstall.exe and run it to remove the infection, then sort SYSTEM32 by date, find the most recently created DLL file, and delete it. The virus is gone.
Virus introduction:
This problem is caused by a new variant of the well-known CoolWebSearch trojan family. This variant has two .dll files. One of them can be removed by the latest version of CWShredder or Ad-Aware and can be found by HijackThis; the other uses special encryption and anti-tracking techniques so that it escapes most monitoring software. It is this second file that repeatedly regenerates the removable .dll file, which is why the infection keeps coming back.
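As an added check (not from the original post or from any of the tools it mentions), the Python script below parses a constructed `.reg` export of the registry key named in method 4 and reports every DLL listed in AppInit_DLLs, a value that is empty on a clean Windows 2000/XP installation; the sample export, the placeholder name `dllname.dll` and the `audit` function are assumptions.

```python
import re
from pathlib import PureWindowsPath

# Registry key the post names; DLLs listed in its AppInit_DLLs value are
# loaded into every process that uses user32.dll, which is why the trojan
# hides its second DLL there.
KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"

# Constructed sample: what "reg export" of that key might look like on the
# infected machine (dllname.dll is the placeholder the post itself uses).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"AppInit_DLLs"="C:\\Windows\\system32\\dllname.dll"
'''


def reg_unescape(value):
    # Undo .reg string escaping: doubled backslashes and escaped quotes.
    return value.replace('\\\\', '\\').replace('\\"', '"')


def appinit_dlls(reg_text):
    """Return the DLL paths listed in AppInit_DLLs under KEY ([] if none)."""
    in_key = False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_key = line[1:-1].lower() == KEY.lower()  # entered a new key
            continue
        if not in_key:
            continue
        m = re.match(r'"AppInit_DLLs"="(.*)"$', line, re.IGNORECASE)
        if m:
            # Windows treats the value as a space- or comma-separated list.
            return [p for p in re.split(r"[ ,]+", reg_unescape(m.group(1))) if p]
    return []


def audit(reg_text, system_dir=r"C:\Windows\system32"):
    """Flag every AppInit_DLLs entry with a reason; a clean install has none."""
    findings = []
    for entry in appinit_dlls(reg_text):
        path = PureWindowsPath(entry)
        if not path.is_absolute():
            reason = "bare file name, resolved through the DLL search path"
        elif str(path.parent).lower() != system_dir.lower():
            reason = "lives outside the system directory"
        else:
            reason = "AppInit_DLLs should be empty; review this file"
        findings.append((str(path), reason))
    return findings


if __name__ == "__main__":
    for path, reason in audit(SAMPLE_REG):
        print(f"{path}: {reason}")
```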
http://www.spywareinfo.com/~merijn/cwschronicles.html
http://www.spywareinfo.com/forums/index.php?showtopic=43492
http://www.computercops.biz/postp164255.html&highlight=#164255
Reference Information
Methods 1 to 4 are reposted from http://community.rising.com.cn/forum/msg_read.asp?fmid=28&subjectid=3932477&page=1. Method 5 is the one I used after understanding the principle behind the methods above; it takes comparatively little effort.
About the author
WANGYUGANG is an engineer at a large domestic software company who works year-round on database development; he admits his own security awareness is lacking and is keen to learn. Personal technical site: http://blog.9cbs.net/wangyugang/. You can contact him by email at yugang.wang@gmail.com.