A public computer in the organization was connected to the Internet and was soon infected by a malicious web page. The symptoms were these: as soon as IE was opened, it automatically navigated to a site named "www.51ili.com"; in "Internet Options" the home page had been set to "http://www.**ok9.net"; and when the "Search" function was used, the search page turned out to have been redirected to "http://www.**ok9.net" as well. Very annoying.
So I ran the Registry Editor and used its "Find" function with the keyword "www.**ok9.net" to locate every value the malicious web page had modified, and changed each one back to its original setting. After restarting the system, I opened IE and found that the malicious website was opened automatically again and the values had been changed back. Things were clearly not as simple as I had thought: this malicious site must be doing something at system startup.
I typed "msconfig" in "Run" to open the System Configuration Utility and went through System.ini, Win.ini and every entry on the "Startup" tab one by one. On the "Startup" tab I finally found two extremely suspicious entries: one was the (Default) value and the other was named "win", but the data of both was "regedit -s c:\windows\win.dll". According to the regedit command-line help, this command imports a registry script file, and the "-s" switch makes the import run silently in the background, with no confirmation dialog. But "win.dll" should be a dynamic link library, not a registry script. Was the name just a front? I opened "win.dll" in Notepad and found that it was a plain text file whose extension had simply been changed.
I analyzed the contents of "win.dll": this script was the reason the system kept getting re-modified, because it was silently re-imported at every startup. Having found the crux of the problem, the obvious fix is to delete the two Run entries and the "win.dll" file. But it occurred to me that if a malicious website can use this file to add registry values, why couldn't I use the very same file to restore the values it had tampered with? So I modified the file as follows:
REGEDIT4

; Remove the (Default) autostart entry by setting it back to an empty string
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
@=""

; "name"=- deletes the value named "win" outright
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"win"=-

; Reset the hijacked home page for the current user ...
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"=""
"First Home Page"=""

; ... and the machine-wide defaults that IE falls back to
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]
"Start Page"=""
"First Home Page"=""
Save the modified "win.dll", run "regedit -s c:\windows\win.dll", and restart the system: all the malicious modifications are undone at once. Keep the file; if you run into this malicious web page again, you only need to import it once more, which is very convenient. A few caveats: import it from an account that can write HKEY_LOCAL_MACHINE, otherwise the HKLM lines fail and the "-s" switch suppresses the error message too; the search hijack mentioned at the beginning lives in the "Search Page" value of the same Internet Explorer\Main keys, so add a line for it if searches are still redirected; and once the machine is clean, rename the script with a .reg extension and keep it outside c:\windows, so that a "win.dll" turning up there again is immediately recognizable as an intrusion rather than your own tool.
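The same hunt and repair, scripted so it can be repeated on every public machine, as an added example that is not code from the original article. It assumes the two Run keys and the Internet Explorer\Main keys named above, treats any autostart entry that silently imports a registry script ("regedit -s" or "/s") as suspicious, peeks at the referenced file to confirm it is really a .reg script regardless of its extension, and lists home/search page values that are not on an allow-list you set yourself (the $AllowedPages entries are assumptions). Run it in an elevated PowerShell, since HKLM needs administrator rights; with -Fix it removes the flagged Run entries and resets the flagged IE values, which is what the author's edited win.dll does.

```powershell
# Added example (not from the original article): audit and optionally repair
# the registry locations the web-page hijacker on this page modified.
[CmdletBinding()]
param([switch]$Fix)

# Assumption: pages you consider legitimate as a home/search page.
$AllowedPages = @('about:blank', 'http://www.msn.com/')

$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
$IeMainKeys = @(
    'HKCU:\Software\Microsoft\Internet Explorer\Main',
    'HKLM:\Software\Microsoft\Internet Explorer\Main'
)
$IeValues = @('Start Page', 'First Home Page', 'Search Page')

function Test-SilentRegImport {
    param([string]$Command)
    # regedit.exe -s (or /s) imports a .reg file with no prompt at all; an
    # autostart entry doing this is exactly the persistence trick on this page.
    return $Command -match '(?i)\bregedit(\.exe)?\b.*\s[-/]s\b'
}

function Get-ImportedFile {
    param([string]$Command)
    # The last token of the command line is the file being imported.
    # Assumes a path without spaces, like c:\windows\win.dll above.
    $tokens = $Command -split '\s+' | Where-Object { $_ }
    return $tokens[-1].Trim('"')
}

foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item $key
    foreach ($name in $item.GetValueNames()) {      # '' is the (Default) value
        $cmd = [string]$item.GetValue($name)
        if (-not (Test-SilentRegImport $cmd)) { continue }
        $label = if ($name -eq '') { '(Default)' } else { $name }
        Write-Warning "Silent registry import at startup: $key\$label = $cmd"

        # Look inside the imported file: a .reg script starts with a header
        # line no matter what extension it has been given.
        $file = Get-ImportedFile $cmd
        if (Test-Path $file) {
            $head = Get-Content -Path $file -TotalCount 1
            if ($head -match '^(REGEDIT4|Windows Registry Editor Version)') {
                Write-Warning "  $file is a registry script despite its extension:"
                Get-Content -Path $file | ForEach-Object { "    $_" }
            }
        }
        if ($Fix) {
            # Same effect as the author's .reg file: blank the default value,
            # delete the named one.
            if ($name -eq '') { Set-ItemProperty -Path $key -Name '(default)' -Value '' }
            else { Remove-ItemProperty -Path $key -Name $name }
        }
    }
}

foreach ($key in $IeMainKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($value in $IeValues) {
        $url = $props.$value
        if (-not $url -or $AllowedPages -contains $url) { continue }
        Write-Warning "Hijacked browser setting: $key\$value = $url"
        if ($Fix) { Set-ItemProperty -Path $key -Name $value -Value 'about:blank' }
    }
}
```

Run it once without -Fix to see what it would change, then with -Fix. The file check is the part that matters most: the Run entries on this page pointed at a ".dll", and only reading the first line reveals the REGEDIT4 header that gives the disguise away.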