Analysis and Handling of frequent kidnapping of the Internet Explorer Homepage

The web page of IE browser was inexplicably modified. After opening the page you want to see, it automatically jumps to other pages after a while. How did this happen? The security expert Li tiejun will explain the secrets of frequent kidnapping on the IE browser homepage.
Strange: the home page is forcibly modified.

User A: I changed my homepage to 930930.com;

User B: Double-click IE to go to a navigation page. After modifying it to a custom homepage, restart IE and find that the modification is completely invalid;

User C: after the home page is changed, I search for this address in the registry. After the address is deleted, I restart my computer. Then I turn on IE and navigate to the malicious website.

Editor: you are not alone. The Kingsoft system first aid kit's feedback system collects more than 23 thousand cases of modifying the IE homepage. The following table lists the top 10 malicious websites.

Top 10 malicious URLs

Why is the IE homepage forcibly modified?

The IE homepage is a window for browsing the Internet. Not all users will set their own homepages. The success of hao123 proves that there are huge business opportunities for navigation websites. on this page, each link and search window can be a product, as long as the home page has a high access volume. These visits will benefit the author of the home page. Only hao123 cannot be copied. More and more people attempt to use malware to make themselves hao123.

The vast majority of pirated systems will change the IE homepage to their own navigation websites, such as the depth and rain forest and wood wind. The default homepage of the rain forest and wood version is www.114la.com, with a daily independent access volume of up to 5 million-6 million; the default homepage of the deep version is www.1616.net, and the number of independent daily users reaches millions.

In addition, there are a lot of shared software, because there is almost no license to issue Shared Software in China, and the registration fee is quite limited, so software developers can only make profits from third parties. This practice is also known as rogue. Shared Software obtained using this method will naturally be put on the hat of rogue software.

What do I do to kidnap IE?

1. General method-the DIY homepage provided by IE browser

You can directly add the home page in the options of IE to open the website that is frequently accessed by IE.

(1) manual setting

Method 1: Right-click the desktop Internet Explorer icon -- properties -- Home Page

Method 2: Open IE browser-tools-Internet Options-Home Page

(2) how a malicious program modifies the Home Page

Generally, malicious programs modify the IE homepage Settings Project in the Registry to change the homepage to their own website.

Corresponding registry project (you can modify it through Registry Editor: Start-run-enter regedit.exe and press enter to open it in sequence)

Primary key:

HKEY_CURRENT_USERSoftwareMicrosoftInternet assumermain
HKEY_LOCAL_MACHINESoftwareMicrosoftInternet assumermain
Hkey_users.defasoftsoftwaremicrosoftinternet assumermain
 

Key name: "Start Page" REG_SZ

2. the IE browser shortcut is maliciously modified

Modify the shortcut of IE browser on the desktop and Quick Start bar.

Step 1: Hide or delete the default IE shortcut on the desktop.

Malware usually hides or deletes IE shortcuts by modifying the registry.

Primary Key: hkcusoftwaremicrosoftwindowscurrentversionpolicerhidemo-topicons

Subkey NewStartPanel

Key Value: {871c5316-42a0-1069-a2ea-08002b30309d} is set to 0 or deleted directly.

Step 2: Create an IE shortcut, modify the target attributes, and add malicious websites after the normal IE shortcut.

3. Deep Mining skills-modifying IE associated projects

Regular modifications are easily repaired by some software, and the malware author finds another method to modify the Registry to lock the IE homepage.

Primary Key: HKEY_CLASSES_ROOTCLSID {871c5316-42a0-1069-a2ea-08002b30309d}

Sub-key: shellOpenHomePageCommand

Key Value: "% Programfiles % Internet your eriexplore.exe"

Add a malicious website address after iexplore.exe.

Case of modifying the IE homepage

The IE homepage is modified and locked based on the methods described above. Now let's take a look at how malware writers spread malware and how to kidnap the IE homepage.

1. Software bundling, usually for games, cracking patches, plug-ins, etc.

When downloading Warcraft, a netizen found that the modification of the IE homepage to www.2345.com had no effect. it was best to find that the MB Warcraft was a curse. The following descriptions are found on the dout download page:

Reminder: This software can be installed only after the home page is www.2345.com. Do not download this software if you are not willing to support dout.
 

2. Use the rootkit Driver technology to protect the registry key value. Normal methods cannot be modified.

Just like anti-virus software protecting itself from being damaged by viruses, virus writers also use rootkit to build a solid wall between computers and users to prevent users from modifying IE homepage settings. Recently, the popular homepage is changed to 9348.cn. this is the case with ku530.com. At present, the Kingsoft first aid kit can be cleared by secondary cleanup.

Solution after the IE homepage is modified

Step 1: Use the Kingsoft system first aid kit to scan for malware from the kidnapping IE homepage.

Before you try to manually edit the IE homepage, check whether the system has malware. If you do not clear the malware that has kidnapped the IE homepage, all other repair operations will be ineffective.

 

Scan to clear malware from the kidnapping IE homepage
Step 2: After the first aid kit is repaired, check the IE shortcut and find it has been modified. You can directly Delete the IE shortcut on the desktop and recreate it.

Operation Method:

Double-click my computer, browse to c: Program FilesInternet ‑eriexplore. EXE, right-click IEXPLORE. EXE, and send it to the desktop shortcut.

You can also edit the Registry to fix the IE shortcut displayed on the desktop. (It is not recommended that you edit the Registry. Creating a New shortcut is easier and safer ).

Check the primary key: hkcusoftwaremicrosoftwindowscurrentversionpolicerhidemo-topicons

Subkey NewStartPanel

Check the value of the sub-key {871c5316-42a0-1069-a2ea-08002b30309d} and change 0 to 1. If the sub-key does not exist, create a new one.

Step 3: The repair module of the Kingsoft system first aid kit only supports Windows XP. If you are using another Windows operating system, check and modify the following registry key.

Click Start and enter regedit to start the Registry Editor.

Check the primary key:

HKEY_CURRENT_USERSoftwareMicrosoftInternet assumermain
HKEY_LOCAL_MACHINESoftwareMicrosoftInternet assumermain
Hkey_users.defasoftsoftwaremicrosoftinternet assumermain
 

Key name: "Start Page" REG_SZ

Change the value of Start Page to blank or custom URL.

Check the primary key: HKEY_CLASSES_ROOTCLSID {871c5316-42a0-1069-a2ea-08002b30309d}

Sub-key: shellOpenHomePageCommand

Key Value: "% Programfiles % Internet your eriexplore.exe"

Check whether a malicious website is added to iexplore.exe. If yes, delete the malicious website.