SoFunction
Updated on 2025-04-08

How to clear Hidden object

1. Ask a question

C:\WINDOWS\system32\: * horse program detected *-PSW.
C:\WINDOWS\system32\: * horse program detected *-PSW.
I followed the method of some posts in your space. Although Kaba did not show the above prompt, there was new trouble. Every time I turned on the computer, Kaba would first prompt me:
C:\WINDOWS\system32\: New variant detected Risk software Hidden object
Then it is:
C:\WINDOWS\system32\: New variant detected Risk software Hidden object
Then it reported this risk software Hidden object in various *.EXE files..... Kaba could not clean it, and every so often a prompt about this Hidden object popped up. Is it because I did not handle the last virus completely, or did I catch something new? I have no choice but to ask Teacher Cui for a solution.
Added: For a long time the network connection has often dropped inexplicably. It still showed as connected, but neither web pages nor network programs could reach the network, and I could only disconnect. I am on Tietong, so at first I thought the network quality was poor, but next door has never had this problem.
SREng scan log (excerpt)

2. Analysis

1. Turn off System Restore before removing the virus (Windows 2000 users can skip this): right-click My Computer, choose Properties, open the System Restore tab, and check "Turn off System Restore on all drives".
Clear IE's temporary files: open IE, click Tools --> Internet Options; under Temporary Internet files click the "Delete Files" button, check "Delete all offline content", and click OK.

Close applications such as QQ. Do not double-click to open any drive before performing the operations below. Place all downloaded tools directly on the desktop.

2. Use the forced deletion tool XDelBox (File Deletion Terminator) to delete the files listed below.

[When deleting, copy all the paths of the files to be deleted, right-click in XDelBox's list of files to be deleted and choose Import from clipboard. After importing, right-click the file to be deleted and choose Restart and delete immediately. The computer restarts into a DOS interface to perform the deletion, then restarts automatically into the operating system you installed. Save any documents that are open on the computer before starting. For detailed instructions on XDelBox, see the xdelbox1.2 directory.]

Code:
D:\ 
D:\ 
e:\ 
e:\ 
C:\DOCUME~1\GLG\LOCALS~1\Temp\ 
C:\DOCUME~1\GLG\LOCALS~1\Temp\ 
C:\DOCUME~1\GLG\LOCALS~1\Temp\ 
C:\WINDOWS\ 
C:\WINDOWS\system32\ 
C:\WINDOWS\system32\ 
C:\WINDOWS\system32\ 
C:\DOCUME~1\GLG\LOCALS~1\Temp\ 


~~~Note that GLG in this article is the user name of the person asking for help; it may also be Wang Ya, Administrator, etc., depending on the actual user name on the infected machine.

3. Use tool SREng to delete the following items

[After opening SREng, ignore the error that reads "The content of the function does not match the expected value and they may be modified by some malicious software" and continue with the steps below.]
================================== 

Code:
Startup items --> delete the following keys under the registry [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
<wu1jz><C:\DOCUME~1\GLG\LOCALS~1\Temp\> [N/A] 
<dlf67keir><C:\DOCUME~1\GLG\LOCALS~1\Temp\> [N/A] 
<64qq0fg020gw7><C:\DOCUME~1\GLG\LOCALS~1\Temp\> [N/A] 
<uewhqm4x8><C:\WINDOWS\> [N/A] 

================================== 
Startup items --> Services --> Win32 service applications --> delete the following items
[sadsaads / afdsfsgg][Stopped/Auto Start] 
<C:\WINDOWS\system32\><Microsoft Corporation> 
[Remote Procedure Call System(RPCSDDOS) / RpcSDDOS][Stopped/Auto Start] 
<C:\WINDOWS\system32\><N/A> 
[Windows RPCS / WINRPCS][Stopped/Auto Start] 
<C:\WINDOWS\system32\><N/A> 

================================== 
Startup items --> Services --> Drivers --> delete the following items (if an item cannot be deleted, set its start type to Disabled!)
[king001 / king001][Stopped/Manual Start] 
<\??\C:\DOCUME~1\GLG\LOCALS~1\Temp\><N/A>
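As an added example that is not part of the original post and not SREng's own code, here is a small Python triage script for log lines in the shapes shown above (Run key values, and service/driver header plus path lines). It flags the two traits the removal steps rely on: an image started from a user Temp directory, and an entry with no vendor information. The sample log and the sampleN.* file names are constructed, not the names from the original report.

```python
import re
# Constructed SREng-style excerpt in the shapes this page shows; the sampleN.* file
# names are placeholders, not the names from the original log.
SAMPLE_LOG = r"""
<wu1jz><C:\DOCUME~1\GLG\LOCALS~1\Temp\sample1.exe> [N/A]
<ctfmon><C:\WINDOWS\system32\ctfmon.exe> [Microsoft Corporation]
[Remote Procedure Call System(RPCSDDOS) / RpcSDDOS][Stopped/Auto Start]
<C:\WINDOWS\system32\sample2.exe><N/A>
[king001 / king001][Stopped/Manual Start]
<\??\C:\DOCUME~1\GLG\LOCALS~1\Temp\sample3.sys><N/A>
"""

RUN_RE = re.compile(r"^<([^>]*)><([^>]*)>\s*\[([^\]]*)\]$")               # Run key value
SVC_HDR_RE = re.compile(r"^\[(.*?) / ([^\]]*)\]\[([^/\]]*)/([^\]]*)\]$")  # service/driver header
SVC_PATH_RE = re.compile(r"^<([^>]*)><([^>]*)>$")                         # image path + vendor
TEMP_RE = re.compile(r"\\(LOCALS~1|Local Settings|AppData\\Local)\\Temp\\", re.I)
NT_PREFIX = "\\??\\"   # drivers are listed with the NT object-manager prefix

def suspicious_reasons(path, vendor):
    # Heuristics drawn from what this page deletes. A vendor string alone proves
    # nothing either way: one service above carries a Microsoft Corporation label.
    reasons = []
    if path.startswith(NT_PREFIX):
        path = path[len(NT_PREFIX):]
    if TEMP_RE.search(path):
        reasons.append("image lives in a user Temp directory")
    if vendor.strip().upper() == "N/A":
        reasons.append("no vendor information")
    return reasons

def triage(log_text):
    # Parse Run entries and service/driver header+path pairs; return flagged ones.
    findings, pending = [], None
    for line in map(str.strip, log_text.splitlines()):
        if m := SVC_HDR_RE.match(line):
            pending = m.group(2)        # service name; its path/vendor line follows
            continue
        if m := RUN_RE.match(line):
            name, path, vendor = m.groups()
            kind = "run"
        elif (m := SVC_PATH_RE.match(line)) and pending:
            path, vendor = m.groups()
            name, pending = pending, None
            kind = "driver" if path.startswith(NT_PREFIX) or path.endswith(".sys") else "service"
        else:
            continue
        reasons = suspicious_reasons(path, vendor)
        if reasons:
            findings.append({"kind": kind, "name": name, "path": path, "reasons": reasons})
    return findings
```

Running triage(SAMPLE_LOG) flags the Run value, the RpcSDDOS service and the king001 driver, and leaves the ctfmon entry alone; the same pass over a full SREng log gives a candidate list to compare against the items listed above before deleting anything.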