Subject: How to fix a hijacked browser home page (second edition) [reposted from the Rising community]
Author: gumper (rank: 八面玲珑; role: observer; points: 4298; posts: 4244)
The English original of this article comes from http://www.bleepingcomputer.com/forums/topict3104.html. Senior moderator 风之咏者 asked me to produce the first draft of the translation; it was reviewed and polished by senior moderator 风之咏者 and moderator Qoo酷儿 before being posted. Because time was short and my skill is limited, the post uses the English original plus a reference translation. Please point out any mistakes in the translation.

Update history:
2004-11-09 second edition
2004-11-04 first edition

How to remove a-search.biz and Ssearch.biz Hijack, Self-Help Guide

This self-help guide will walk you through the steps to remove the Ssearch.biz and a-search.biz hijacker. This only applies to XP/NT/2000 Operating Systems.

There are currently two ways for your browser to be hijacked to A-search.biz. I have given a removal process for each method of infection.

Tools Needed for this fix:
HijackThis: http://www.bleepingcomputer.com/files/hijackthis.php
Registrar Lite: http://www.resplendence.com/download/reglite.exe (if the download of reglite.exe is slow, you can try this mirror: http://free.efile.com.cn/endurer/tools/reglite.exe)
Killbox download page: http://www.bleepingcomputer.com/files/killbox.php
Killbox direct download: http://www.bleepingcomputer.com/files/spyware/KillBox.zip

Related Tutorials:
A concise HijackThis tutorial: http://community.rising.com.cn/forum/msg_read.asp?FmID=28&SubjectID=2525930&page=1
An illustrated guide to using HijackThis: http://community.rising.com.cn/Forum/msg_read.asp?FmID=28&SubjectID=3095567&page=1
HijackThis logs explained in detail (with general anti-hijacking advice): http://community.rising.com.cn/Forum/msg_read.asp?FmID=67&SubjectID=3926957&page=1

Symptoms in a HijackThis Log for method 1 of infection (Use Method 1 Removal Process):

O4 - HKLM\..\Run: [Cache] C:\Documents and Settings\Edited Name\qcache.exe
O18 - Protocol: start - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\KNQTWZ]`.dll

Other symptoms are that your browser gets redirected to ssearch.biz or to the http://a-search.biz/?wmid=1010 homepage.

Symptoms in a HijackThis Log for method 2 of infection (Use Method 2 Removal Process):

F2 - REG:system.ini: UserInit=Userinit.exe,_huytam_

Other symptoms are that your browser gets redirected to ssearch.biz or to the http://a-search.biz/?wmid=1010 homepage.

If you have one of the two types of symptoms showing in your HijackThis log, then use the appropriate removal process outlined below. If you do not have any of these symptoms other than the redirection to a-search.biz, then follow method 2.

Method 1 Removal Process

#########################################
Step 1:
#########################################

The first thing you need to do is determine if you actually are infected with this variant. To do this click on Start, then Run, type services.msc and press the OK button.

You will now see the Services window with a listing of all your services. Scroll through the services and see if you have a service with the following name:

Plug and Play svc service

If this service exists, proceed to the next step.

#########################################
Step 2:
#########################################

Download and install the program Registrar Lite from here:
http://www.resplendence.com/download/reglite.exe

Once it is installed, please double-click on the icon that should now be on your desktop. If an icon is not there, then check under the Programs portion of the Start Menu.

Once it is opened, copy and paste the line below into the address field of Registrar Lite:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pnpsvc\Parameters\\ServiceDll

and press Enter. You will now be presented with new information in the right and left sections of the program. In the right section you should see the ServiceDll value highlighted. Double-click on it and write down the name of the DLL found there (note: you can open Notepad and record it there). This is the infection we need to remove.

#########################################
Step 3:
#########################################

Start HijackThis and when it opens, click on Config, then click on Misc Tools. Once at the new screen, click on the "Delete a file on reboot" button. You will be presented with a dialog asking you to pick a file. Copy and paste the full path and name of the DLL found in the previous step into the file name field and press the Open button.

When HijackThis prompts you to reboot, please do so.

When the computer is back to your desktop, confirm that the file from the previous step no longer exists.

If it is no longer there, then do the following:

Delete the file c:\windows\system32\pnpsvc.inf (note: if your system is installed on another partition or in a directory with a different name, use the corresponding path; this applies to every file path in this guide).

Then launch Notepad, and copy and paste the contents of the quote box below into a new text file:

REGEDIT4
; A leading "-" inside the brackets tells regedit to delete the whole key.
; These remove the pnpsvc service, its SafeBoot entries and its EventLog
; registration from the current control set and the two stored control sets.
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\pnpsvc]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\pnpsvc]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PNPSVC]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PNPSVC]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PNPSVC]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\pnpsvc]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\pnpsvc]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application\PNPSVC]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\PNPSVC]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\pnpsvc]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Network\pnpsvc]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\EventLog\Application\PNPSVC]

Save it as file name: "fixme.reg" (not including the quotes). Save as file type: All files (*.*) and save it on your Desktop. (In Notepad use File --> Save As; in the dialog first set the file type to All files (*.*), set the location to the Desktop, enter the file name fixme.reg and click Save. endurer's note: if you type the file name as "fixme.reg" including the half-width double quotes, you do not need to change the file type, only the save location.)

Now double-click on the fixme.reg file you just saved and click on the Yes button when it asks if you would like to merge the information.

Next start Registrar Lite again and enter each of these addresses into the address field:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PNPSVC
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_PNPSVC
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_PNPSVC

At each location delete the highlighted LEGACY_PNPSVC. If you have trouble deleting one of these, right-click on it and click on Properties. Then click on the Permissions button and make sure Everyone or Users has Full Control set (endurer's note: Everyone and Users are probably user groups). Then try to delete it again.

Do not delete any other entries at all.

When that is completed, run HijackThis again and click on the Scan button. If you see any entries that start with O4 and contain qcache.exe, or that look like this:

O18 - Protocol: start - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\KNQTWZ]`.dll

then place a checkmark next to that entry and click on the Fix button.

Then reboot your computer into Safe Mode. To enter Safe Mode: restart the computer and, once the power-on self-test has finished, press [F8] (you can keep pressing it until the boot menu appears), then choose Safe Mode to enter Windows.

Then delete the qcache.exe file named in the entry you just fixed. If you can't find it, search for it and delete it once it is found. (If it is not visible, first open Folder Options, enable showing hidden files and folders and untick "Hide protected operating system files", then use the Start menu Search to find qcache.exe and delete it.)

You should now be clean.

Method 2 Removal Process

#########################################
Step 1:
#########################################

Start HijackThis and look for an entry like the following:

F2 - REG:system.ini: UserInit=Userinit.exe,_huytam_

The file we want to look for in this entry is the one surrounded by the _ character. In the example above, it is the _huytam_ file. We will then take that name and add .exe and .dll onto it. For example, _huytam_ corresponds to two files:

File 1: c:\windows\system32\_huytam_.dll
File 2: c:\windows\system32\_huytam_.exe

If the file identified in this step was _abbca_, then the files would be:

File 1: c:\windows\system32\_abbca_.dll
File 2: c:\windows\system32\_abbca_.exe

(Note: if your system is installed on another partition or in a directory with a different name, use the corresponding paths.)

We will delete these files in the next step.

If you do not have an F2 entry, or there is no file listed, and you are still getting redirected after changing your homepage to something else, then you should use these files in the next step:

File 1: C:\Windows\system32\tgbrfv_.exe
File 2: C:\Windows\system32\TGBRFV_5.dll

#########################################
Step 2:
#########################################

Download Killbox here: http://www.bleepingcomputer.com/files/killbox.php

Unzip the folder to your desktop.

Double-click on the Killbox.exe icon.

Select the "Delete on reboot" option.

In the field labeled "Full path of file to delete" enter File 1 found in Step 1.

Then press the button that looks like a red circle with a white X in it.

When it asks if you would like to reboot now, press the NO button.

Next, in the field labeled "Full path of file to delete" enter File 2 found in Step 1.

Then press the button that looks like a red circle with a white X in it.

When it asks if you would like to reboot now, press the YES button.

Your computer will now reboot. Once you are back at the desktop, check that both files are gone.

#########################################
Step 3:
#########################################

Now run HijackThis again and press the Scan button. Then place a checkmark in the F2 line identified in Step 1 and press the Fix button.

Then exit HijackThis.

#########################################
Step 4:
#########################################

Enter the Control Panel and double-click on the Internet Options icon.

In the Home Page section, in the Address field, enter the website you would like Internet Explorer to open automatically. For example, if you want Google to open automatically, enter www.google.com.

Close the Internet Options screen.

Your computer should now be clean.

This post was edited by endurer on 2004-11-9 13:23:43.
This post was edited by endurer on 2004-11-17 14:19:13.
This post was edited by endurer on 2004-11-21 20:26:54.
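As an added example, not part of the original post or of the BleepingComputer guide, the following Python script applies the guide's triage rules to HijackThis log lines: it flags the O4 qcache.exe and O18 "start" protocol symptoms of method 1, derives the _name_.dll/_name_.exe pair from the extra token in the F2 UserInit entry for method 2, and falls back to the tgbrfv_ pair when the redirect persists without an F2 file. The system32 path is an assumption, the sample log lines are constructed from the ones quoted above, and the UserInit check also accepts a full path to Userinit.exe, which the post's example does not show.

```python
import re

# Assumed system directory, as in the post; change it if Windows is installed elsewhere.
SYSTEM32 = r"c:\windows\system32"
# Fallback pair the post names when no F2 file is listed but the redirect persists.
FALLBACK_FILES = [SYSTEM32 + r"\tgbrfv_.exe", SYSTEM32 + r"\TGBRFV_5.dll"]
# CLSID the post shows on the hijacked "start" protocol handler (O18 line).
START_CLSID = "{3050F406-98B5-11CF-BB82-00AA00BDCE0B}"

F2_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(?P<value>.*)$", re.I)
O18_RE = re.compile(r"^O18 - Protocol: start - (?P<clsid>\{[0-9A-F-]+\}) - (?P<dll>.+)$", re.I)

# Constructed sample logs modelled on the lines quoted in the post (not real captures).
SAMPLE_METHOD1 = """\
O4 - HKLM\\..\\Run: [Cache] C:\\Documents and Settings\\Edited Name\\qcache.exe
O18 - Protocol: start - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\\WINDOWS\\System32\\KNQTWZ]`.dll
"""
SAMPLE_METHOD2 = "F2 - REG:system.ini: UserInit=Userinit.exe,_huytam_\n"

def triage(log_text, still_redirected=False):
    """Map HijackThis log lines onto the post's two removal methods.

    Returns the method (1, 2 or None), the lines to tick and Fix in
    HijackThis, and the files the chosen method says to delete.
    """
    entries, qcache_paths, f2_names, method1 = [], [], [], False
    for line in (l.strip() for l in log_text.splitlines()):
        m18, m2 = O18_RE.match(line), F2_RE.match(line)
        if line.startswith("O4 - ") and "qcache.exe" in line.lower():
            method1 = True
            entries.append(line)
            qcache_paths.append(line.rsplit("] ", 1)[-1])  # path after the [Name] tag
        elif m18 and m18.group("clsid").upper() == START_CLSID:
            method1 = True  # method 1 symptom: the entry itself is fixed in HijackThis
            entries.append(line)
        elif m2:
            tokens = [t.strip() for t in m2.group("value").split(",") if t.strip()]
            extra = [t for t in tokens if not t.lower().endswith("userinit.exe")]
            if extra:  # anything after Userinit.exe is the hijacker's base name
                entries.append(line)
                f2_names += extra
    if method1:
        return {"method": 1, "fix_entries": entries, "delete_files": qcache_paths}
    if f2_names:
        files = [SYSTEM32 + "\\" + n + ext for n in f2_names for ext in (".dll", ".exe")]
        return {"method": 2, "fix_entries": entries, "delete_files": files}
    if still_redirected:  # post's rule: redirect persists with no F2 file -> fallback pair
        return {"method": 2, "fix_entries": [], "delete_files": list(FALLBACK_FILES)}
    return {"method": None, "fix_entries": [], "delete_files": []}
```

The method 1 result lists only qcache.exe for deletion, because the post removes the service DLL through Registrar Lite and HijackThis rather than from the log line.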
Copyright © 2006 Patching.net All rights reserved.