娛樂滿紛 26FUN » Computer Zone » Help from spyware infection
The pop-ups have come back again.
But when I look at the pictures, there's nothing there.

Did you install any software or toolbars before this? Has this happened before, and when did it start?

Scan once more with HijackThis
OR
Find these two files: HOST / LMHOST, and open them with Notepad.
Does the content of host look like this (the part in red)?
# Copyright (c) 1998 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP stack for Windows98
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost
Is the last line of the lmhost file this: # end of this file.

[ Last edited by gergermen on 2006-1-15 at 05:12 PM ]
Originally posted by 147ak477 at 2006-1-15 17:15:



hosts file starts similar to ...
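That's the one. Change it to match what I posted; only this line, “127.0.0.1       localhost”, needs to be there.
Job done, no more pop-ups from now on.

Those addresses connect to some advertising sites.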

[ Last edited by gergermen on 2006-1-15 at 05:20 PM ]
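Added example, not part of any post in this thread: a small Python check for the hosts-file cleanup described above. It reports every entry other than the single expected `127.0.0.1 localhost` line; the sample file content, its addresses and host names are constructed for illustration.

```python
import ipaddress

# Constructed sample: part of the stock header, the one expected entry, and
# hijack-style lines (documentation IPs and made-up names, not from the thread).
SAMPLE_HOSTS = """\
# Copyright (c) 1998 Microsoft Corp.
#      102.54.94.97     rhino.acme.com          # source server

127.0.0.1       localhost
192.0.2.15      www.search.example   # constructed hijack entry
127.0.0.1       update.av.example    # constructed: blocks an update server
not-an-ip       broken.example
"""

def audit_hosts(text):
    """Return (line_no, ip, hostname, reason) for every entry other than
    the single expected mapping '127.0.0.1 localhost'."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].strip()      # drop comments
        if not entry:
            continue
        fields = entry.split()
        ip_text, names = fields[0], fields[1:]
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            findings.append((line_no, ip_text, " ".join(names), "malformed address"))
            continue
        for name in names:
            if name.lower() == "localhost" and ip.is_loopback:
                continue                          # the one line that should be there
            reason = ("name sinkholed to loopback" if ip.is_loopback
                      else "name redirected to another address")
            findings.append((line_no, ip_text, name, reason))
    return findings

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print("line %d: %s -> %s (%s)" % finding)
```

An empty result means the file contains nothing beyond comments and the localhost line.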
yes

Next time something like this happens, you can look at the contents of this file, and then you'll know how to deal with it.

[ Last edited by gergermen on 2006-1-15 at 05:24 PM ]
Originally posted by 147ak477 at 2006-1-15 17:37:
edited the hosts file
hope the pop...
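Don't download crack files carelessly; some of them may not be genuine.
If you want crack files, I'll give you a site to download them from.

Some problems can't be fixed by software and have to be fixed by hand.

Once the HOST file is changed back, it should be fine.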
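Scan once more with HijackThis.

Post the log here.

There is probably something that hasn't been cleaned yet, or you installed some software without knowing it, and that is the root cause.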
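Start > Programs > Startup: are there any programs in there that launch at boot?

Also clear out the contents of TEMP (including the hidden ones).

Start > Run, MSCONFIG, the Startup tab (capture a screenshot)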
Originally posted by 147ak477 at 2006-1-15 23:40:
(1)
by TEMP, you mean c:\ TEMP
or C:\Documents and Settings\Administrator\Local Settings\Temp?

scan log please change to .log

[ Last edited by 147ak477 on 2006-1-15 at 11:42 PM ]
All of them~~~ Remember to delete the hidden ones as well.

where is log?
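I've looked through all of it. The problem is these two. After fixing them with HijackThis, go to these two locations by hand (note the path and the numbers) and check once more, then delete lv0u09d9e.dll (not the kind of delete that goes to Recycled, but an unrecoverable one), and change HOST back while you're at it.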
O17 - HKLM\System\CCS\Services\Tcpip\..\{9B69C40C-4719-4BCA-85F7-49A8AFC67880}: NameServer = 205.252.144.28 218.102.23.77
O20 - Winlogon Notify: MCD - C:\WINDOWS\system32\lv0u09d9e.dll

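Run a complete scan of the whole machine again with antivirus software (update the virus definitions first). Norton may not catch it, so you can try others. I suspect the code causing this problem is embedded in some programs.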
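Then go into Safe Mode and do it all once more:
Scan once with HijackThis, check once by hand
Scan once with Norton
Start > Run, REGSVR32 /U lv0u09d9e.dll, then the same command once more: REGSVR32 /U <the DLL that Norton flags as a problem but cannot delete>
Then delete by hand once more.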

[ Last edited by gergermen on 2006-1-16 at 10:29 AM ]
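Best to stay off the Internet for now, temporarily turn off System Restore (if it is on), press “F5” at boot, and show all hidden files first; once the cleanup is done, hide them again.
1. First try whether antivirus software can remove it
Scan the whole machine once with antivirus software

2. If the method above doesn't work, remove it by hand
As kingwong said, use HijackThis to fix the entry below together with the two I mentioned above (I somehow didn't notice this one =.=)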
O4 - HKLM\..\Run: [MS Messenger] C:\WINDOWS\msm. exe

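Then delete the following by hand (remember to check whether HOST needs changing)
DEL (these have to be deleted completely; if they can't be deleted, try regsvr32 /u <file name> first as described above, then delete)
C:\windows\system32\SSock32.dll
C:\WINDOWS\msm. exe
Regsock32. exe & ssocks5.dll: either in C:\windows\system32\ or in C:\windows\
Start > Search (or press “F3” when only the desktop is showing and no window is open), enter ssock32.*, msn.*, ssocks5.*, regsock32.*, and set the location to C: or all partitions (all drives) / My Computer
del (in the registry)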
[quote]HKEY_CLASSES_ROOT\CLSID\{1E1B2879-88FF-11D2-8D96-000000000004}
  HKEY_CLASSES_ROOT\HTMLEdit.SSocks32
  HKEY_CLASSES_ROOT\HTMLEdit.SSocks32.1
  HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{1E1B2879-88FF-11D2-8D96-D7ACAC95951A}
  HKEY_LOCAL_MACHINE\Software\CLASSES\HTMLEdit.SSocks32
  HKEY_LOCAL_MACHINE\Software\CLASSES\HTMLEdit.SSocks32.1
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{000000000004}

HKEY_CLASSES_ROOT\CLSID\{1E1B2879-88FF-11D2-8D96-D7ACAC95951A}
HKEY_CLASSES_ROOT\HTMLEdit.SSocks5
HKEY_CLASSES_ROOT\HTMLEdit.SSocks5.1
HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{1E1B2879-88FF-11D2-8D96-D7ACAC95951A}
HKEY_LOCAL_MACHINE\Software\CLASSES\HTMLEdit.SSocks5
HKEY_LOCAL_MACHINE\Software\CLASSES\HTMLEdit.SSocks5.1
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{1E1B2879-88FF-11D2-8D96-D7ACAC95951A}[/quote]
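Added example, not part of any post in this thread: a Python sketch that pulls the O4, O17 and O20 entry types discussed above out of a HijackThis log and lists the items to check by hand. The sample uses the three entries quoted in the thread plus one constructed benign line; the `known_dns` parameter and the "binary directly in the Windows directory" heuristic are assumptions of this example.

```python
import re

# The three entries quoted in the thread, plus one constructed benign line.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ExampleApp] C:\Program Files\ExampleApp\app.exe
O4 - HKLM\..\Run: [MS Messenger] C:\WINDOWS\msm. exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{9B69C40C-4719-4BCA-85F7-49A8AFC67880}: NameServer = 205.252.144.28 218.102.23.77
O20 - Winlogon Notify: MCD - C:\WINDOWS\system32\lv0u09d9e.dll
"""

ENTRY = re.compile(r"^(O\d+) - (.*)$")

def triage(log_text, known_dns=()):
    """Return (section, item, why) tuples for entries that need a manual look.
    known_dns: resolvers the owner recognises (ISP or router); an assumption."""
    review = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        section, body = m.groups()
        if section == "O17" and "NameServer" in body:
            # DNS servers set in the Tcpip registry key
            for ip in body.split("=", 1)[1].split():
                ip = ip.strip(",")
                if ip not in known_dns:
                    review.append((section, ip, "DNS server not recognised"))
        elif section == "O20" and body.startswith("Winlogon Notify:"):
            dll = body.rsplit(" - ", 1)[1]
            review.append((section, dll, "DLL loaded by Winlogon at logon"))
        elif section == "O4":
            path = body.split("] ", 1)[1] if "] " in body else body
            # Heuristic (assumption): autostart binaries sitting directly in
            # the Windows directory deserve a check of name and file origin.
            if re.match(r"(?i)^c:\\windows\\[^\\]+$", path):
                review.append((section, path, "autostart binary in Windows root"))
    return review

if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(row)
```

Passing the resolvers you actually expect as `known_dns` leaves only unfamiliar name servers in the output.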