Manual virus removal techniques for a homepage-locking virus

Source: Internet
Author: User
Tags: gpupdate

Some websites do not hesitate to bundle small game or system utility software for promotion, driving traffic to the website by modifying the homepage of the system browser. This article describes a virus sample from abroad that locks the system home page.

This appears to be a foreign virus sample, but it works the same way as the domestic ones: it promotes a website by modifying the home page on the user's computer. Today we take a look at how this foreign homepage-locking virus changes the home page and what measures it uses to keep it locked.

Virus symptoms

The virus program is disguised with an Internet Explorer icon. Double-clicking the virus program 1.exe displays a dialog box, as shown in Figure 2. Click "OK" to see whether the virus has any subsequent actions.

Figure 1: virus samples disguised as IE icons

Figure 2: Dialog box shown when the virus runs, mixing Chinese and a foreign language

Clicking OK brings up a countdown window announcing that the system will restart. It seems the virus uses the shutdown -r command to restart the system after the countdown, as shown in Figure 3.

Figure 3: System countdown restart window

When the system restarts, a foreign-language dialog box is displayed at logon, as shown in Figure 4. Click OK to enter the system.

Figure 4: Foreign Language dialog box displayed during system restart

After entering the system, the desktop is not displayed; only the Start menu and the taskbar are shown, as shown in Figure 5. The IE browser opens automatically and visits the address http://www.webfmdr.com/ B /, as shown in Figure 6.

The virus has apparently disabled the system's explorer.exe so that the desktop cannot be displayed at startup. Second, the virus has also changed the IE home page to http://www.webfmdr.com/ B /.

Figure 5: The system desktop cannot be displayed

Figure 6: Home Page changed to http://www.webfmdr.com/ B/

Trying to close this IE window fails with the prompt "This operation has been cancelled due to restrictions in effect on this computer. Please contact your system administrator.", as shown in Figure 7. This is clearly another virus behavior: it restricts closing the IE window whose home page it modified.

Figure 7: The IE homepage is modified and the window cannot be closed

Trying to modify the home page in Internet Options also fails: the home page field is grayed out and cannot be edited, and the address points to http://www.webfmdr.com/ B /. As shown in Figure 8, the buttons for using the current page and using a blank page are grayed out as well.

Figure 8: Internet Options home page grayed out

The desktop can normally be restored by running explorer.exe from Task Manager. Right-clicking the taskbar shows that the virus has blocked this too: the Task Manager entry is grayed out and cannot be clicked, as shown in Figure 9. Next, trying Start > Run to open the registry reveals that both Run and Search have been removed from the Start menu, as shown in Figure 10. The virus blocks every method that could be used against it.

Figure 9: Task Manager is grayed out

Figure 10: No Run or Search entry in the Start menu

Since Start > Run is blocked, go to c:\windows\ and try to run regedit directly, with the idea of using the Registry Editor to repair the exceptions above. The Registry Editor has also been disabled and cannot be run, as shown in Figure 11.

Figure 11: The Registry Editor has been disabled

Summary of virus behavior:

A) A foreign-language dialog box appears when the system starts. Click OK to enter the system normally.

B) The virus changes the IE home page and disables editing it.

C) The system desktop is blocked so that it cannot be displayed properly.

D) Task Manager is disabled, so you cannot check the system for suspicious processes.

E) Run, Search and the Registry Editor are blocked, so you cannot open the Registry Editor, which could otherwise be used to fix the preceding three exceptions.

F) The right-click menu is disabled.

Manual virus removal method

First, think about how to restore the Registry Editor (regedit); once we are in the Registry Editor, handling this virus is easy. Open a cmd command-line window from the Start menu and enter gpedit.msc to open the Group Policy Editor, as shown in Figures 12 and 13. Group Policy opens normally, so it seems this virus has not blocked it.

Figure 12: Launching the Group Policy Editor from the command line

Figure 13: The Group Policy Editor opens normally

Under Local Computer Policy / User Configuration / Administrative Templates / System, find the policy that blocks access to the Registry Editor in the right-hand pane, as shown in Figure 14. Right-click it, choose Properties and set it to Disabled, as shown in Figure 15. After this setting, run regedit directly from the c:\windows\ directory; the Registry Editor now opens normally, as shown in Figure 16.

Figure 14: The policy that blocks access to the Registry Editor

Figure 15: Disabling the policy that blocks the Registry Editor

Figure 16: The Registry Editor opens normally

In the Registry Editor, open HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer. In the right-hand pane we can see that NoRun has a DWORD value of 1, which means true, that is, the Run command is hidden. Changing the value to 0 (false) makes the Run command appear again, as shown in Figure 17.

Figure 17: The NoRun value added by the virus hides the Run command

Figure 18: Change the DWORD Value of NoRun to 0

Note: after changing the policy, you must run the gpupdate /force command in a command-line window to refresh the policy before the Run command reappears, as shown in Figures 19 and 20.

Figure 19: gpupdate /force refreshes the policy

Figure 20: The Run command is displayed after the policy is refreshed

Let's look more closely at HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer. On a normal system the right-hand pane should contain only one DWORD (NoDriveTypeAutoRun); everything else was added by the virus. Multiple DWORD values have been added here, as shown in Figure 21. The values used to block the system, such as NoRun (Run) and NoFind (Search), make the virus harder to clear. In fact, we can simply delete the exception policy values added by the virus and then refresh the policy.

Figure 21: Multiple DWORD values added by the virus

Figure 22: After deleting the abnormal registry values added by the virus, Search is displayed normally

Next to Explorer there is also a System key, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System, which does not exist on a normal system. The virus wrote DisableTaskMgr (disable Task Manager) and NoDispBackGroundPage (hide the desktop background page) under it, as shown in Figure 23. After deleting the System key and refreshing the policy, Task Manager can be used normally.

Figure 23: Task Manager works normally after the System key is deleted and the policy refreshed

Open Task Manager and end the two virus processes, as shown in Figure 24. Run msconfig from Start > Run and, in the Startup tab, find the two virus startup items c:\windows\system32\winsock.exe and c:\windows\system32\winkernal32.exe, as shown in Figure 25. Locate winsock.exe and winkernal32.exe in that directory and delete them, as shown in Figure 26.

Figure 24: The winsock.exe virus process in Task Manager

Figure 25: Removing the virus startup items

Figure 26: The two hidden virus programs

Figure 27: The two virus programs, deleted, in the Recycle Bin

To restore the home page setting in Internet Options, go back to the Group Policy Editor. Under Local Computer Policy / User Configuration / Administrative Templates / Windows Components / Internet Explorer, find the policy that disables changing the home page settings in the right-hand pane and set it to Disabled, as shown in Figure 28. Internet Options returns to normal, as shown in Figure 29, and the home page can be modified again; Figure 30 shows the home page changed to a blank page.

Figure 28: Disabling the "Disable changing home page settings" policy

Figure 29: After the policy is disabled, the Internet Options home page is back to normal

Figure 30: Changing the home page to a blank page

For the IE window that cannot be closed, open the key HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Restrictions in the Registry Editor. The virus wrote NoBrowserClose (prevent closing the browser) and NoFavorites (hide Favorites) there. Delete the Restrictions key and run gpupdate /force to refresh the policy; the browser window can then be closed normally, as shown in Figure 31.

Figure 31: The registry values written by the virus to prevent closing Internet Explorer and to hide Favorites

The foreign-language dialog box displayed at the logon screen after a restart can be found by searching the registry for the dialog text (see Figure 4), "Vous utilisez Super Winmerde". The search lands in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon. Clear the string data of the LegalNoticeText and LegalNoticeCaption values in the right-hand pane, as shown in Figures 32 and 33. The foreign-language dialog box no longer appears at startup, as shown in Figure 34.

Figure 32: Searching the registry for the dialog text

Figure 33: The LegalNoticeText and LegalNoticeCaption values found by the search

Figure 34: System startup without the dialog box

In addition, this virus also modifies the title of the IE browser window. To fix this, delete the Window Title string in the right-hand pane of the registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main, as shown in Figures 35 and 36:

Figure 35: The IE browser window title has been modified

Figure 36: Deleting the Window Title string
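As an added example (not part of the original article), the PowerShell script below audits the registry policy values the article attributes to this sample and, with -Fix, removes them and refreshes Group Policy the way the manual steps do. It assumes an elevated PowerShell session on the affected account; the dropped-file paths are the ones the article names in System32.

```powershell
# Audit/cleanup script for the policy values described in the article.
# Run as: .\Audit-HomepageLocker.ps1 [-Fix]   (elevated PowerShell, affected user)
param([switch]$Fix)

# Value names the article lists, grouped by the key the virus wrote them under.
# NoDriveTypeAutoRun is legitimate under Policies\Explorer and is deliberately not listed.
$Checks = @(
  @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
     Values = 'NoRun','NoFind' }
  @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
     Values = 'DisableTaskMgr','NoDispBackGroundPage' }
  @{ Key = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Restrictions'
     Values = 'NoBrowserClose','NoFavorites' }
  @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
     Values = 'LegalNoticeText','LegalNoticeCaption' }
  @{ Key = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
     Values = 'Window Title' }
)

$Findings = @()
foreach ($c in $Checks) {
  if (-not (Test-Path $c.Key)) { continue }
  $item = Get-ItemProperty -Path $c.Key
  foreach ($v in $c.Values) {
    $prop = $item.PSObject.Properties[$v]
    # LegalNotice* exist on clean systems as empty strings; only non-empty, non-zero data is suspicious.
    if ($null -ne $prop -and "$($prop.Value)" -ne '' -and "$($prop.Value)" -ne '0') {
      $Findings += [pscustomobject]@{ Key = $c.Key; Name = $v; Data = $prop.Value }
    }
  }
}

# The two startup files the article found via msconfig (paths taken from the article).
foreach ($p in 'C:\Windows\System32\winsock.exe', 'C:\Windows\System32\winkernal32.exe') {
  if (Test-Path $p) { Write-Warning "Startup file from this sample is present: $p" }
}

if ($Findings.Count -eq 0) { Write-Host 'No policy values from this sample were found.'; exit 0 }
$Findings | Format-Table -AutoSize

if ($Fix) {
  foreach ($f in $Findings) {
    # The Winlogon legal-notice values are built in: blank them instead of deleting them.
    if ($f.Name -like 'LegalNotice*') { Set-ItemProperty -Path $f.Key -Name $f.Name -Value '' }
    else { Remove-ItemProperty -Path $f.Key -Name $f.Name }
  }
  # As the article notes, the change only takes effect after the policy is refreshed.
  gpupdate /force
}
```

Deleting the startup entries and the files themselves is left to the manual steps above, since the article does not say which Run key msconfig listed them under.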

At this point we have handled the virus entirely by hand, restoring the system to normal without any auxiliary tools. This virus mainly works by writing abnormal Group Policy registry values into the system registry to block important system programs such as Task Manager and the Registry Editor, and we can use the system's own Group Policy to restore them one by one. Making good use of the tools Windows already provides helps greatly when dealing with viruses.
