Author: Gu Jian
Copyright 2004 alonesword
This morning I had some work prepared, but as soon as I opened IE, http://7mao.com came up. I have never set a homepage on this machine, so IE normally opens to a clean, blank page. How could this happen? Something was immediately wrong: IE had been hijacked!
Every IE start page was being redirected to that website. It was no great obstacle, but I like the clean IE interface and I don't like someone else arranging it for me (that may be a matter of personality), so I scanned IE with HijackThis and found an unknown process:
C:\Windows\hws.exe
What is this! I have never seen it!
A Google search showed that it is a zombie program.
(Kingsoft Duba's advisory on this virus: http://db.kingsoft.com/c/2004/04/05/110530.shtml)
Nice! I had been worried that today's work would be boring, and now I have something to do: taking hws.exe apart on the spot.
Symptoms:
1. The Skynet firewall is killed by hws.exe (you can see this later);
2. The IE homepage is modified and cannot be changed back the normal way;
3. When you try to edit the homepage field, the system prompts: "The Registry has been locked by the Administrator".
There may be other symptoms I have not found. Since I have work at hand I did not study it carefully; anyone interested can look into it further.
Removal steps:
1. Use procexp (recommended tool) to find the process. Its home directory is %SystemRoot%\system32\, nothing special there. Kill the hws.exe process and delete %SystemRoot%\system32\hws.exe.
2. Unlock the registry. There are many ways to do this: you can write a registry file and import it to unlock the registry, or you can find a tool. Given today's situation I used the duba_regsolve tool to unlock the registry (with this tool, the IE properties dialog can also be restored to normal);
(PS: You can also edit a registry file and import it into the registry. The content is as follows; note the blank line after the header, which the .reg format requires:
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000000
)
3. Start > Run > regedit
Search the registry for hws.exe and for the bundled IE homepage content (http://7mao.com), and delete what you find. No more trouble!
4. Scan IE with HijackThis 1.98 again. Hey! Everything is back to normal!
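The removal steps above, as an added PowerShell script that is not part of the original post: it checks for the three symptoms (a running hws.exe, the DisableRegistryTools lock, the redirected start page) and undoes them when run with -Fix. It assumes a current Windows with PowerShell rather than the 2004 system described here, and it checks the common Run keys for the autostart entry as an assumption, since the post does not say where hws.exe registered itself.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell;
# without -Fix it only reports, with -Fix it cleans up.
param([switch]$Fix, [string]$HomePage = 'about:blank')

$policy  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$ieMain  = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'   # assumed autostart location

# Step 1: the process the post found with procexp.
$proc = Get-Process -Name 'hws' -ErrorAction SilentlyContinue
if ($proc) {
    "hws.exe is running (PID $($proc.Id -join ','))"
    if ($Fix) { $proc | Stop-Process -Force }
}

# Step 2: the "locked by the Administrator" message comes from this policy value.
$lock = (Get-ItemProperty -Path $policy -ErrorAction SilentlyContinue).DisableRegistryTools
if ($lock) {
    "DisableRegistryTools = $lock (registry editor locked)"
    if ($Fix) { Set-ItemProperty -Path $policy -Name 'DisableRegistryTools' -Value 0 }
}

# Step 3a: the hijacked start page.
$start = (Get-ItemProperty -Path $ieMain -ErrorAction SilentlyContinue).'Start Page'
if ($start -match '7mao\.com') {
    "Start Page = $start (hijacked)"
    if ($Fix) { Set-ItemProperty -Path $ieMain -Name 'Start Page' -Value $HomePage }
}

# Step 3b: autostart values that reference hws.exe (Run keys are an assumption).
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Value -is [string] -and $p.Value -match 'hws\.exe') {
            "$key\$($p.Name) = $($p.Value)"
            if ($Fix) { Remove-ItemProperty -Path $key -Name $p.Name }
        }
    }
}
```

Run it once without -Fix to see what it would change, then rescan with HijackThis afterwards as the post does.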
Hey! It seems I have gained some confidence today!
Summary:
1. You cannot completely trust anti-virus software. During this episode I scanned hws.exe on the system with Norton AntiVirus 2004 and it found no virus! Dizzying! It had obviously modified my IE without any notification.
So you cannot completely trust anti-virus software. Still, when you are online, anti-virus software and a firewall are two security measures you cannot do without. Treat anti-virus software the way you treat books: you cannot go without them, but you cannot believe everything they tell you either.
2. When something odd happens on the system, check it right away to catch the black hand in time;
3. For those who want to learn more: I looked at hws.exe.zip with uedit32.exe and found that it kills the processes of several common anti-virus products. Take a look at it!
4. The registry is still the core of Windows, and there is a lot to find in it. hws.exe also got something done in there. Read the registry and learn from it.
5. Some commonly used software I recommend:
Software name    | Program name   | Function
HijackThis 1.98  | Hijackthis.exe | IE checking tool (highly recommended)
Process Explorer | Procexp.exe    | View processes and related information (GUI)
Duba_regsolve    | Resolve.exe    | Repair IE and view startup items