API HOOK 新病毒？-软件逆向-看雪-安全社区|安全招聘|kanxue.com

API HOOK 新病毒？

发表于: 2005-9-20 09:28 9892

API HOOK 新病毒？

skyXnet

2005-9-20 09:28

9892

搜索一些国外软件时,当时杀毒软件就发出警告,提示有网页病毒. 只是似乎杀毒软件并未来得及处理就已经大面积感染了..(后来一扫描时发现的结果)

系统自动安装SPYWARE软件,和一些不良信息网内容!

现象:
电脑中的显示属性被修改! 注册表被禁! 背景面被修改成SPYWARE的广告页! 注册表被监视!...

清除一些杀毒软件能识别的病毒倒是没有问题. 问题在于注册表被监视,修复的值随即被更改.而该病毒采用远程线程注入到多个系统进程中,如svchost.exe \ lsass.exe \ explorer.exe等多个进程中,可疑的DLL为: %system32%\flsmngr.dll)

检测并修复:

由于当时并不清楚是那个进程向注册表循环监视并写入键值,所以,这里采用 RegMon v4.32 监视注册表操作情况,以特征NoDispBackgroundPage(等于1时表示背景属性页被禁止,防止用户修改背景页面)(注:这里直接修改是没有效果的.随即亦会被撰改成原样!这里不再做无功之作,发现源,清除源才是根本!)

我们来看看 RegMon v4.32 监视注册表操作的一特征:

序号时间       进程:ID       操作类型(设置值)
11307 42.76107913 svchost.exe:656 SetValue

                        具体注册表位置                                  键值                结果    写入值
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage SUCCESS 0x1

重点在于进程及其ID,OK, 我们知道是那个进程写入了. svchost.exe 进程属于服务级进程,其权限为SYSTEM,!

接下来,我们拿出 IceSword v1.12

在 IceSword 主界面中选择"进程"查看系统中的运行进程, 我们可以看到"可疑"进程的详细信息:

进程映像名称    进程ID       程序名称
svchost.exe 656 C:\WINDOWS\system32\svchost.exe    (其他的信息略过....)

再来看看这个属于那个服务... 点击左边工具栏"服务",打开服务列表...

我们可以看到这是个多个服务共享单个进程的服务程序.(相关SVCHOST.EXE进程的相关信息,可以通过搜索网络找到更详细的说明)

这些都是系统所需要的服务,我们不能通过停止服务来终止病毒对注册表的监视,只能通过其他的方式解除...

PS: 其实 IceSword 作者早就为广大的反病毒及系统安全爱好者考虑周到了. 开发了 IsHelp.exe 辅助工具!

在"进程模块"框中,亦有详细的进程列表信息,更为详细的是其中包含了每个进程的模块信息.这对于监测采用"远程线程注入DLL"是很有帮助的!

不过. 初学者也许会问,这么多的DLL,如何判断那个是病毒DLL呢? 这确实也是,不过,对于系统的安全检测,相关的一些进程模块就需要有个大概的了解.排除可靠的DLL(可靠的路径),剩余的就需要着重分析了...

有了 IsHelp.exe ,检测的工作就简单多了..因为,都有作者为您考虑好了...

选中进程列表中"进程ID"为:656 的进程,右键弹出功能菜单,选择"线程分析",嗯... 结果出来啦...

线程ID 线程状态       入口                         分析
716    StateWait 0x1000A450    C:\WINDOWS\system32\flsmngr.dll --可疑***

点击关闭后,返回主界面中.其入口基址为0x1000A450,简单的从此点判断,可以认为该DLL是可疑(作者的判断因素也许会考虑到更多,更详细..这点我就不清楚了.)

那我们再次来判断该DLL是否为可疑!

点击主界面的"查找模块",输入 flsmngr.dll 然后搜索...

   模块路径名                      所在进程    (再通过核对当时的进程列表,我们可知以下的进程ID所对应的进程名称)
C:\WINDOWS\system32\flsmngr.dll       448          lsass.exe
C:\WINDOWS\system32\flsmngr.dll       612          svchost.exe
C:\WINDOWS\system32\flsmngr.dll       656          svchost.exe
C:\WINDOWS\system32\flsmngr.dll       724          svchost.exe
C:\WINDOWS\system32\flsmngr.dll       1132          explorer.exe

这里也只是确实了其他进程中亦含有此DLL,但现在还不能完全确认这就是病毒DLL...

这时,我们运行"PEiD v0.93"查询壳类型,搜索C:\WINDOWS\system32\flsmngr.dll的壳特征: UPX 0.80 - 1.24 DLL

（注：　大部分正常的应用程序都不会采用加壳处理．）

在 IceSword 主界面中找到相应的进程ID, 如 448 ,点击右键选择菜单功能"模块信息",然后找到flsmngr.dll,按"卸除"　　（结果出错．系统被关机了．．．）

最后，　通过系统的＂故障恢复控制台＂将该可疑ＤＬＬ删除！
重新进入，却发现注册表仍然被监视．　而现在还不能上网了．．．
（经电信部门核实，网络状态正常，在恢复系统后也证明了确实非网络问题而无法上网）

那么．　这是不是表示ＷＯＣＫＳ被ＨＯＯＫ了呢？？？

在网上找不到相关的解决方法．．．　

[课程]Linux pwn 探索篇！

收藏・0

免费・0

支持

最新回复 (14)
busy 雪币： 39 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 4 回帖 78 粉丝 0 关注私信	busy 2 楼呵呵把那个网站贴出来大家去看看 2005-9-20 09:56 0
auser 雪币： 234 活跃值： (104) 能力值： ( LV2，RANK：10 ) 在线值：发帖 35 回帖 568 粉丝 1 关注私信	auser 3 楼啥网站，这么厉害！快贴出网址来！ 2005-9-20 10:05 0
skyXnet 雪币： 226 活跃值： (115) 能力值： ( LV8，RANK：130 ) 在线值：发帖 12 回帖 84 粉丝 0 关注私信	skyXnet 3 4 楼有提取的样本．．　没问题的话，请直接运行．．． 2005-9-20 11:00 0
skyXnet 雪币： 226 活跃值： (115) 能力值： ( LV8，RANK：130 ) 在线值：发帖 12 回帖 84 粉丝 0 关注私信	skyXnet 3 5 楼这里的问题是，处理了flsmngr.dll之后，即无法上网．．这个问题说明，病毒并未清除完全．．．另外，　随便点击的网站．　我没有留下来．． 2005-9-20 11:05 0
busy 雪币： 39 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 4 回帖 78 粉丝 0 关注私信	busy 6 楼呵呵你把 flsmngr.dll作为关键字 Google 一下会有发现 2005-9-20 11:26 0
skyXnet 雪币： 226 活跃值： (115) 能力值： ( LV8，RANK：130 ) 在线值：发帖 12 回帖 84 粉丝 0 关注私信	skyXnet 3 7 楼谢谢　busy 早前就搜索过了．．．有什么更好的方法吗？？ 2005-9-20 11:29 0
henryouly 雪币： 270 活跃值： (312) 能力值： ( LV9，RANK：330 ) 在线值：发帖 17 回帖 103 粉丝 0 关注私信	henryouly 8 8 楼 http://forums.spywareinfo.com/lofiversion/index.php/t47872.html 看看这里是否有帮助～ 2005-9-20 13:09 0
skyXnet 雪币： 226 活跃值： (115) 能力值： ( LV8，RANK：130 ) 在线值：发帖 12 回帖 84 粉丝 0 关注私信	skyXnet 3 9 楼问题清楚了： O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll 是这个flsmngr.dll文件替换了原有的网络驱动．删除它的话，将导致无法驱动上网！ 2005-9-20 13:19 0
nOpnOp 雪币： 236 活跃值： (155) 能力值： ( LV6，RANK：90 ) 在线值：发帖 6 回帖 69 粉丝 0 关注私信	nOpnOp 2 10 楼你可以使用instlsp.exe这个工具,用-p参数查看flsmngr.dll安装的层序号,然后用-r 参数加上序号卸载掉,然后重新启动机器就可以了. Winsock SPI方式的木马很有隐蔽性,首先没有进程,因为作为SPI组件系统在加载任何需要Winsock的程序时自动加载这个动态库,而且可以依付在其他进程上进行网络传输从而躲开防火墙. 2005-9-20 14:13 0
skyXnet 雪币： 226 活跃值： (115) 能力值： ( LV8，RANK：130 ) 在线值：发帖 12 回帖 84 粉丝 0 关注私信	skyXnet 3 11 楼哦．　Winsock LSP 木马？？？　是不是可能会隐藏在注册表以下位置： HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries 由于当时没有备份感染病毒时的注册表文件．现在无法验证：（谢谢　nOpnOp 提供新思路及方法．　 2005-9-20 16:29 0
仙剑太郎雪币： 214 活跃值： (70) 能力值： ( LV6，RANK：90 ) 在线值：发帖 9 回帖 242 粉丝 0 关注私信	仙剑太郎 2 12 楼汗..天下又要大乱了.. 2005-9-21 08:32 0
skyXnet 雪币： 226 活跃值： (115) 能力值： ( LV8，RANK：130 ) 在线值：发帖 12 回帖 84 粉丝 0 关注私信	skyXnet 3 13 楼以下帖是一些相关的信息帖．　希望对大家以后分析此类病毒带来帮助．．． Winsock LSP(Layered Service Provider)“浏览器劫持”。某些间谍软件会修改Winsock 2的设置，进行LSP“浏览器劫持”，所有与网络交换的信息都要通过这些间谍软件，从而使得它们可以监控使用者的信息。关于spi滤包技术的研究 http://dev.csdn.net/develop/article/69/69004.shtm T-Sporder.exe T-Sporder.exe是一个辅助工具，用来查看当前系统中所有已经安装的传输服务提供者的属性。 totalprotocols=WSCEnumProtocols(NULL,protoinfo,&protoinfosize,&errorcode)； //获得系统中的所有传输服务提供者，然后根据参数输出它们的各项属性。基于SPI的数据报过滤原理与实现 http://www.nsfocus.net/index.php?act=magazine&do=view&mid=1863 与间谍软件作斗争 http://www.zdnet.com.cn/techupdate/security_protect/skill/story/0,3800081011,39315908,00.htm 2005-9-21 10:28 0
skyXnet 雪币： 226 活跃值： (115) 能力值： ( LV8，RANK：130 ) 在线值：发帖 12 回帖 84 粉丝 0 关注私信	skyXnet 3 14 楼 Winsock Fix 工具的帮助说明中提到： To Repair Winsock/Tcp in Win9x - Me manually do this: open Network settings 1.) Remove all protocols or everything EXCEPT leave the NIC Adapter 2.) Click Apply Close the Properties box, but on reboot notice, hit Cancel...do not reboot! 3.) Open Regedit and delete these keys: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VXD\Dhcp HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VXD\Dhcpoptions HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VXD\MSTCP HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VXD\Winsock2 also ..scroll down delete HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winsock2 close regedit 4.) Open Network Properties again, and Click ADD - PROTOCOL - MicroSoft/TCPIP should Add Client for MS Networks Automatically Have your Windows CD ready or the CAB files, Reboot and Should be good. NOTE: Simply removing the Protocols in Network settings will not work because those registry entries stay, even if you have no network at all. Once deleted, putting the TCP/IP protocol back in , basically rebuilds the TCP from scratch, it is the same as when Windows was first installed clean. Also any speed patches to TcpRWin values MTU will be reset back to Windows defaults. Windows 95 may not have all these keys available, just delete whichever ones are matching this desciption. Additional Windows 95 info for Trouble Repairing Tcp: __________________________________________________________________________ With the Winsock2 update installed, you may need to have the Update uninstalled first, if the above process does not work, and you get errors such as "Tcp not installed" or running "Winipcfg.exe" brings up "Fatal Error" look for the folder "C:\Windows\ws2bakup". if it exists, From Run Box type "C:\Windows\ws2bakup\delw2reg.exe addafvxd" Next Reboot to Dos mode, at C:\> prompt type "cd Windows\ws2bakup" once at that Directory type "ws2bakup.bat". When the process is finished, reboot normally and you should be restored to original winsock/Tcp files. Check for IP and internet Connection, If need be try the manual fix from this stage. You would then reinstall the Winsock2 upgrade, once everything is back up and running. Windows 2000/XP __________________________________________________________________________ With Windows 2000 and XP, this was not possible, due to the fact that TCP could not be removed or uninstalled, and even if the Winsock keys in the registry were deleted, they will recreate themselves, but with no relevant data, therefore making them useless. Some research in this matter, it was found, that these Winsock Registry keys were not unique to any particular machine.... meaning they could be transplanted from a working computer, to a broken one. Other factors can play a part in successfully restoring these winsock values, such as disabling the network adapter before the import of the new Registry keys. Also with Windows XP came the very handy "netsh.exe" with the commandline to Reset TCP. Although this will reset TCP settings, also removing any tweaks and other modifications done, it does not touch the registry Winsock keys. The most common symptom would be a Valid IP address, but no ability to view any Web pages, as well as the "0.0.0.0" IP address symptom and Various Socket Errors. Manually Fix: 1.) From the commandline enter the following: Netsh ip int reset resetlog.txt 2.) These 2 Registry keys will need to be replaced with known good ones. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winsock HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winsock2 The "Hosts" file. This file (having no extension) and residing in "C:\Windows\Hosts" for Windows 95 - Me versions and "WINDOWS\system32\drivers\etc\Hosts" for Windows XP. Often this file (blank by default) can become littered with entries, and again, after the removal of Third Party Advertising Clients, that were installed as bundled software with many P2P file Sharing programs, this "Hosts" file retains entries that may be no longer valid. Generally resulting in some web pages and Domains coming up "Blank". ____________________________________________________________________________ The Winsockfix Utility will: 1.) Detect your current Operating System 2.) Release the IP address, taking you "Offline" 3.) Reset the TCP stack using Netsh.exe (Windows XP only) 4.) Delete the current Registry TCP and Winsock Values 5.) Import new "Working" Registry Values 6.) Backup any Current "Hosts" file 7.) Replace the "Hosts" file with a default one 8.) Reboot the Computer ____________________________________________________________________________ No one should rely on "Quick Fixes" to resolve their connection issues, only by taking responsibilty for the software you allow to be installed, can you protect yourself from re-occurring problems. A Google search for information relating to "SpyWare" can usually point you in the right direction to get information on the Program you wish to install or Try. Chances are there will be many reviews of it, and you get a feel for the type of program it is,and what some of the issues with it will be from other peoples opinions. An understanding of why some programs are "Free" in cost,but you end up paying with damage to your system settings, Background running Programs, whose only purpose is to plaque the User with non-stop Pop-up advertising, and an overall drain on system resources. ____________________________________________________________________________ WinsockFix was written and designed by: Option^Explicit Software Solutions cc Theron Skryba Winnipeg, Manitoba Canada Comments email techcd@shaw.ca ____________________________________________________________________________ Additional ERD backup Utilities not written or supported by myself are 1.)ERUNT - The Emergency Recovery Utility NT FreeWare Written by Lars Hederer http://home.t-online.de/home/lars.hederer/erunt 2.)ERU - Emergency Recovery Utility by Microsoft Microsoft Corporation 2005-9-21 10:29 0
skyXnet 雪币： 226 活跃值： (115) 能力值： ( LV8，RANK：130 ) 在线值：发帖 12 回帖 84 粉丝 0 关注私信	skyXnet 3 15 楼 HijackThis日志细解正文（十四）：组别――O10 http://it.rising.com.cn/newSite/Channels/Safety/SafetyResourse/Safe_Foundation/200408/05-170016274.htm 1. 项目说明 O10项提示Winsock LSP(Layered Service Provider)“浏览器劫持”。某些间谍软件会修改Winsock 2的设置，进行LSP“浏览器劫持”，所有与网络交换的信息都要通过这些间谍软件，从而使得它们可以监控使用者的信息。著名的如New.Net插件或WebHancer组件，它们是安装一些软件时带来的你不想要的东西。相关的中文信息可参考―― http://tech.sina.com.cn/c/2001-11-19/7274.html 2. 举例 O10 - Hijacked Internet access by New.Net 这是被广告程序New.Net劫持的症状（可以通过“控制面板――添加删除”来卸载）。 O10 - Broken Internet access because of LSP provider `c:\progra~1\common~2\toolbar\cnmib.dll` missing 这一般出现在已清除间谍软件但没有恢复LSP正常状态的情况下。此时，网络连接可能丢失。 O10 - Unknown file in Winsock LSP: c:\program files\newton knows\vmain.dll 这是被广告程序newtonknows劫持的症状，相关信息可参考http://www.pestpatrol.com/PestInfo/n/newtonknows.asp 3. 一般建议一定要注意，由于LSP的特殊性，单单清除间谍软件而不恢复LSP的正常状态很可能会导致无法连通网络！如果您使用杀毒软件清除间谍程序，可能遇到如上面第二个例子的情况，此时可能无法上网。有时HijackThis在O10项报告网络连接破坏，但其实仍旧可以连通，不过无论如何，修复O10项时一定要小心。遇到O10项需要修复时，建议使用专门工具修复。（1）LSPFix http://www.cexx.org/lspfix.htm （2）Spybot-Search&Destroy（上面提到过，但一定要使用最新版）这两个工具都可以修复此问题，请进一步参考相关教程。 4. 疑难解析某些正常合法程序（特别是一些杀毒软件）也会在Winsock水平工作。比如 O10 - Unknown file in Winsock LSP: c:\windows\system32\kvwsp.dll 这一项就属于国产杀毒软件KV。所以，在O10项遇到“Unknown file in Winsock LSP”一定要先查询一下，不要一概修复。 2005-9-21 10:33 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

skyXnet

发帖

回帖

130

RANK

关注

私信

他的文章

关于我们

联系我们

企业服务

看雪公众号

最新回复 (14)
busy 雪币： 39 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 4 回帖 78 粉丝 0 关注私信	busy 2 楼呵呵把那个网站贴出来大家去看看 2005-9-20 09:56 0
auser 雪币： 234 活跃值： (104) 能力值： ( LV2，RANK：10 ) 在线值：发帖 35 回帖 568 粉丝 1 关注私信	auser 3 楼啥网站，这么厉害！快贴出网址来！ 2005-9-20 10:05 0
skyXnet 雪币： 226 活跃值： (115) 能力值： ( LV8，RANK：130 ) 在线值：发帖 12 回帖 84 粉丝 0 关注私信	skyXnet 3 4 楼有提取的样本．．　没问题的话，请直接运行．．． 2005-9-20 11:00 0
skyXnet 雪币： 226 活跃值： (115) 能力值： ( LV8，RANK：130 ) 在线值：发帖 12 回帖 84 粉丝 0 关注私信	skyXnet 3 5 楼这里的问题是，处理了flsmngr.dll之后，即无法上网．．这个问题说明，病毒并未清除完全．．．另外，　随便点击的网站．　我没有留下来．． 2005-9-20 11:05 0
busy 雪币： 39 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 4 回帖 78 粉丝 0 关注私信	busy 6 楼呵呵你把 flsmngr.dll作为关键字 Google 一下会有发现 2005-9-20 11:26 0
skyXnet 雪币： 226 活跃值： (115) 能力值： ( LV8，RANK：130 ) 在线值：发帖 12 回帖 84 粉丝 0 关注私信	skyXnet 3 7 楼谢谢　busy 早前就搜索过了．．．有什么更好的方法吗？？ 2005-9-20 11:29 0
henryouly 雪币： 270 活跃值： (312) 能力值： ( LV9，RANK：330 ) 在线值：发帖 17 回帖 103 粉丝 0 关注私信	henryouly 8 8 楼 http://forums.spywareinfo.com/lofiversion/index.php/t47872.html 看看这里是否有帮助～ 2005-9-20 13:09 0
skyXnet 雪币： 226 活跃值： (115) 能力值： ( LV8，RANK：130 ) 在线值：发帖 12 回帖 84 粉丝 0 关注私信	skyXnet 3 9 楼问题清楚了： O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll 是这个flsmngr.dll文件替换了原有的网络驱动．删除它的话，将导致无法驱动上网！ 2005-9-20 13:19 0
nOpnOp 雪币： 236 活跃值： (155) 能力值： ( LV6，RANK：90 ) 在线值：发帖 6 回帖 69 粉丝 0 关注私信	nOpnOp 2 10 楼你可以使用instlsp.exe这个工具,用-p参数查看flsmngr.dll安装的层序号,然后用-r 参数加上序号卸载掉,然后重新启动机器就可以了. Winsock SPI方式的木马很有隐蔽性,首先没有进程,因为作为SPI组件系统在加载任何需要Winsock的程序时自动加载这个动态库,而且可以依付在其他进程上进行网络传输从而躲开防火墙. 2005-9-20 14:13 0
skyXnet 雪币： 226 活跃值： (115) 能力值： ( LV8，RANK：130 ) 在线值：发帖 12 回帖 84 粉丝 0 关注私信	skyXnet 3 11 楼哦．　Winsock LSP 木马？？？　是不是可能会隐藏在注册表以下位置： HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries 由于当时没有备份感染病毒时的注册表文件．现在无法验证：（谢谢　nOpnOp 提供新思路及方法．　 2005-9-20 16:29 0
仙剑太郎雪币： 214 活跃值： (70) 能力值： ( LV6，RANK：90 ) 在线值：发帖 9 回帖 242 粉丝 0 关注私信	仙剑太郎 2 12 楼汗..天下又要大乱了.. 2005-9-21 08:32 0
skyXnet 雪币： 226 活跃值： (115) 能力值： ( LV8，RANK：130 ) 在线值：发帖 12 回帖 84 粉丝 0 关注私信	skyXnet 3 13 楼以下帖是一些相关的信息帖．　希望对大家以后分析此类病毒带来帮助．．． Winsock LSP(Layered Service Provider)“浏览器劫持”。某些间谍软件会修改Winsock 2的设置，进行LSP“浏览器劫持”，所有与网络交换的信息都要通过这些间谍软件，从而使得它们可以监控使用者的信息。关于spi滤包技术的研究 http://dev.csdn.net/develop/article/69/69004.shtm T-Sporder.exe T-Sporder.exe是一个辅助工具，用来查看当前系统中所有已经安装的传输服务提供者的属性。 totalprotocols=WSCEnumProtocols(NULL,protoinfo,&protoinfosize,&errorcode)； //获得系统中的所有传输服务提供者，然后根据参数输出它们的各项属性。基于SPI的数据报过滤原理与实现 http://www.nsfocus.net/index.php?act=magazine&do=view&mid=1863 与间谍软件作斗争 http://www.zdnet.com.cn/techupdate/security_protect/skill/story/0,3800081011,39315908,00.htm 2005-9-21 10:28 0
skyXnet 雪币： 226 活跃值： (115) 能力值： ( LV8，RANK：130 ) 在线值：发帖 12 回帖 84 粉丝 0 关注私信	skyXnet 3 14 楼 Winsock Fix 工具的帮助说明中提到： To Repair Winsock/Tcp in Win9x - Me manually do this: open Network settings 1.) Remove all protocols or everything EXCEPT leave the NIC Adapter 2.) Click Apply Close the Properties box, but on reboot notice, hit Cancel...do not reboot! 3.) Open Regedit and delete these keys: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VXD\Dhcp HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VXD\Dhcpoptions HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VXD\MSTCP HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VXD\Winsock2 also ..scroll down delete HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winsock2 close regedit 4.) Open Network Properties again, and Click ADD - PROTOCOL - MicroSoft/TCPIP should Add Client for MS Networks Automatically Have your Windows CD ready or the CAB files, Reboot and Should be good. NOTE: Simply removing the Protocols in Network settings will not work because those registry entries stay, even if you have no network at all. Once deleted, putting the TCP/IP protocol back in , basically rebuilds the TCP from scratch, it is the same as when Windows was first installed clean. Also any speed patches to TcpRWin values MTU will be reset back to Windows defaults. Windows 95 may not have all these keys available, just delete whichever ones are matching this desciption. Additional Windows 95 info for Trouble Repairing Tcp: __________________________________________________________________________ With the Winsock2 update installed, you may need to have the Update uninstalled first, if the above process does not work, and you get errors such as "Tcp not installed" or running "Winipcfg.exe" brings up "Fatal Error" look for the folder "C:\Windows\ws2bakup". if it exists, From Run Box type "C:\Windows\ws2bakup\delw2reg.exe addafvxd" Next Reboot to Dos mode, at C:\> prompt type "cd Windows\ws2bakup" once at that Directory type "ws2bakup.bat". When the process is finished, reboot normally and you should be restored to original winsock/Tcp files. Check for IP and internet Connection, If need be try the manual fix from this stage. You would then reinstall the Winsock2 upgrade, once everything is back up and running. Windows 2000/XP __________________________________________________________________________ With Windows 2000 and XP, this was not possible, due to the fact that TCP could not be removed or uninstalled, and even if the Winsock keys in the registry were deleted, they will recreate themselves, but with no relevant data, therefore making them useless. Some research in this matter, it was found, that these Winsock Registry keys were not unique to any particular machine.... meaning they could be transplanted from a working computer, to a broken one. Other factors can play a part in successfully restoring these winsock values, such as disabling the network adapter before the import of the new Registry keys. Also with Windows XP came the very handy "netsh.exe" with the commandline to Reset TCP. Although this will reset TCP settings, also removing any tweaks and other modifications done, it does not touch the registry Winsock keys. The most common symptom would be a Valid IP address, but no ability to view any Web pages, as well as the "0.0.0.0" IP address symptom and Various Socket Errors. Manually Fix: 1.) From the commandline enter the following: Netsh ip int reset resetlog.txt 2.) These 2 Registry keys will need to be replaced with known good ones. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winsock HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winsock2 The "Hosts" file. This file (having no extension) and residing in "C:\Windows\Hosts" for Windows 95 - Me versions and "WINDOWS\system32\drivers\etc\Hosts" for Windows XP. Often this file (blank by default) can become littered with entries, and again, after the removal of Third Party Advertising Clients, that were installed as bundled software with many P2P file Sharing programs, this "Hosts" file retains entries that may be no longer valid. Generally resulting in some web pages and Domains coming up "Blank". ____________________________________________________________________________ The Winsockfix Utility will: 1.) Detect your current Operating System 2.) Release the IP address, taking you "Offline" 3.) Reset the TCP stack using Netsh.exe (Windows XP only) 4.) Delete the current Registry TCP and Winsock Values 5.) Import new "Working" Registry Values 6.) Backup any Current "Hosts" file 7.) Replace the "Hosts" file with a default one 8.) Reboot the Computer ____________________________________________________________________________ No one should rely on "Quick Fixes" to resolve their connection issues, only by taking responsibilty for the software you allow to be installed, can you protect yourself from re-occurring problems. A Google search for information relating to "SpyWare" can usually point you in the right direction to get information on the Program you wish to install or Try. Chances are there will be many reviews of it, and you get a feel for the type of program it is,and what some of the issues with it will be from other peoples opinions. An understanding of why some programs are "Free" in cost,but you end up paying with damage to your system settings, Background running Programs, whose only purpose is to plaque the User with non-stop Pop-up advertising, and an overall drain on system resources. ____________________________________________________________________________ WinsockFix was written and designed by: Option^Explicit Software Solutions cc Theron Skryba Winnipeg, Manitoba Canada Comments email techcd@shaw.ca ____________________________________________________________________________ Additional ERD backup Utilities not written or supported by myself are 1.)ERUNT - The Emergency Recovery Utility NT FreeWare Written by Lars Hederer http://home.t-online.de/home/lars.hederer/erunt 2.)ERU - Emergency Recovery Utility by Microsoft Microsoft Corporation 2005-9-21 10:29 0
skyXnet 雪币： 226 活跃值： (115) 能力值： ( LV8，RANK：130 ) 在线值：发帖 12 回帖 84 粉丝 0 关注私信	skyXnet 3 15 楼 HijackThis日志细解正文（十四）：组别――O10 http://it.rising.com.cn/newSite/Channels/Safety/SafetyResourse/Safe_Foundation/200408/05-170016274.htm 1. 项目说明 O10项提示Winsock LSP(Layered Service Provider)“浏览器劫持”。某些间谍软件会修改Winsock 2的设置，进行LSP“浏览器劫持”，所有与网络交换的信息都要通过这些间谍软件，从而使得它们可以监控使用者的信息。著名的如New.Net插件或WebHancer组件，它们是安装一些软件时带来的你不想要的东西。相关的中文信息可参考―― http://tech.sina.com.cn/c/2001-11-19/7274.html 2. 举例 O10 - Hijacked Internet access by New.Net 这是被广告程序New.Net劫持的症状（可以通过“控制面板――添加删除”来卸载）。 O10 - Broken Internet access because of LSP provider `c:\progra~1\common~2\toolbar\cnmib.dll` missing 这一般出现在已清除间谍软件但没有恢复LSP正常状态的情况下。此时，网络连接可能丢失。 O10 - Unknown file in Winsock LSP: c:\program files\newton knows\vmain.dll 这是被广告程序newtonknows劫持的症状，相关信息可参考http://www.pestpatrol.com/PestInfo/n/newtonknows.asp 3. 一般建议一定要注意，由于LSP的特殊性，单单清除间谍软件而不恢复LSP的正常状态很可能会导致无法连通网络！如果您使用杀毒软件清除间谍程序，可能遇到如上面第二个例子的情况，此时可能无法上网。有时HijackThis在O10项报告网络连接破坏，但其实仍旧可以连通，不过无论如何，修复O10项时一定要小心。遇到O10项需要修复时，建议使用专门工具修复。（1）LSPFix http://www.cexx.org/lspfix.htm （2）Spybot-Search&Destroy（上面提到过，但一定要使用最新版）这两个工具都可以修复此问题，请进一步参考相关教程。 4. 疑难解析某些正常合法程序（特别是一些杀毒软件）也会在Winsock水平工作。比如 O10 - Unknown file in Winsock LSP: c:\windows\system32\kvwsp.dll 这一项就属于国产杀毒软件KV。所以，在O10项遇到“Unknown file in Winsock LSP”一定要先查询一下，不要一概修复。 2005-9-21 10:33 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复