SoFunction
Updated on 2025-04-08

winsys16_070307.dll removal method

1. Problem:
IE was hijacked and modified (log omitted)

2. Analysis

1. Turn off System Restore before disinfecting (Windows 2000 users can skip this): right-click My Computer, choose Properties, then System Restore, and tick "Turn off System Restore on all drives".
Clear IE's temporary files: open IE and click Tools --> Internet Options. Under Temporary Internet files, click the "Delete Files" button, choose to delete all offline content as well, and click OK.

Close applications such as QQ. Do not open any drive by double-clicking it before performing the following operations. Place all downloaded tools directly on the desktop.

2. Use the forced deletion tool XDelBox (File Deletion Terminator) to delete the files listed below.

[To delete: copy all of the file paths below, right-click in XDelBox's list of files to be deleted and select Import from the clipboard. After importing, right-click the file to be deleted and select Restart and delete immediately. The computer restarts into a DOS interface to perform the deletion; when the deletion is complete it restarts automatically into your installed operating system. Save any documents you have open before you begin. For detailed instructions on XDelBox, see the xdelbox1.2 directory.]

[If the tool reports that a file cannot be found, enter each file's path individually under "File Path", and ignore any file that does not exist.]
C:\WINDOWS\system32\winsys16_070307.dll
g:\program files\tencent\qq\
c:\program files\internet explorer\
C:\WINDOWS\


3. After restarting the computer, use the tool SRENG to perform the following operations

[When SRENG opens it may warn: "The content of the function does not match the expected value, they may be modified by some malicious software." Ignore this error; the modification is made when antivirus software is installed.]
Also, pay special attention: some of the items mentioned above are to be edited and must not be deleted.
==================================
(1) Startup items --> Registry: edit the following value under [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
       <Userinit><C:\WINDOWS\System32\, C:\WINDOWS\system32\winsys16_070307.dll start>     [N/A]
For reference, the default value is <Userinit><C:\WINDOWS\System32\,>. Note that the comma must not be omitted.
(2) Startup items --> Registry: delete the following entries

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
       <{4DEC9B29-F08F-4cbc-B179-592B9283FAB1}><g:\program files\tencent\qq\>     [N/A]
       <{05397E9D-30D1-4216-AACB-F9EA1F1E4E85}><c:\program files\internet explorer\>     [N/A]

==================================
Startup items --> Services --> Win32 service applications: delete the following item
[WindowsUpdate / WindowsUpdate][Stopped/Auto Start]
     <C:\WINDOWS\><N/A>

It is best to uninstall QQ and reinstall it. Remember to change your QQ password, etc.
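
To confirm the Userinit edit in step 3 (1) took effect, the value can be audited as shown in this added example (not part of the original post). It assumes Windows is installed in C:\WINDOWS and that the stock value is userinit.exe in System32 followed by a comma; the function names and sample strings are constructed for illustration.

```python
import ntpath

# Assumption: stock Winlogon Userinit target on a C:\WINDOWS install.
EXPECTED = r"c:\windows\system32\userinit.exe"
WINLOGON = r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon"

def audit_userinit(value, expected=EXPECTED):
    """Split a Userinit value on commas and flag every entry that is not userinit.exe."""
    trailing_comma = value.rstrip().endswith(",")
    entries = [e.strip().strip('"') for e in value.split(",")]
    entries = [e for e in entries if e]
    unexpected = [e for e in entries
                  if ntpath.normcase(ntpath.normpath(e)) != expected]
    return {
        "entries": entries,
        "unexpected": unexpected,          # anything listed here runs at every logon
        "trailing_comma": trailing_comma,  # the post says the comma must be kept
        "clean": len(entries) == 1 and not unexpected and trailing_comma,
    }

def read_userinit():
    """Read the live value from HKLM (Windows only); returns None on other systems."""
    try:
        import winreg
    except ImportError:
        return None
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON) as key:
        return winreg.QueryValueEx(key, "Userinit")[0]

# Constructed samples: the hijacked shape from the log above, and a restored value.
SAMPLE_HIJACKED = (r"C:\WINDOWS\System32\userinit.exe, "
                   r"C:\WINDOWS\system32\winsys16_070307.dll start")
SAMPLE_RESTORED = "C:\\WINDOWS\\System32\\userinit.exe,"

if __name__ == "__main__":
    live = read_userinit()
    for label, value in (("hijacked sample", SAMPLE_HIJACKED),
                         ("restored sample", SAMPLE_RESTORED),
                         ("live registry", live)):
        if value is not None:
            print(label, audit_userinit(value))
```
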