Analysis of the tactics rogue software uses to tamper with the IE homepage

Source: Internet
Author: User

Comments: Some friends often find their IE homepage tampered with after installing a small piece of software. After they change it back in Internet Options, the homepage turns into another website again. This shows that the rogue software has other hiding places in the registry. What are the possible locations? Based on my limited experience, I will first list the most important ones and look forward to fellow netizens adding more discoveries. Click Start, then Run, type regedit and press Enter, then find the following positions in sequence. We recommend using the Registry Workshop software instead: you can paste each address below directly, press Enter, and add it to favorites, so you do not need to look up the old ones again in the future. Newly added ones are also visible in favorites.

  1. Registry value corresponding to Internet Options:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page

This value is synchronized with the homepage set in Internet Options. Try it first.

  2. Binding to the IE main program's launch parameters:

HKEY_CLASSES_ROOT\Applications\iexplore.exe\shell\open\command

[Figure: launch parameters of the IE main program]

The normal value of this item is "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1. When rogue software appends its website to the end of this value as a launch parameter, IE jumps to that website automatically whenever the main program is opened.

  3. Binding to the homepage command of the IE form control ieframe.dll:

HKEY_CLASSES_ROOT\CLSID\{871c5316-42a0-1069-a2ea-08002b30309d}\shell\OpenHomePage\Command

[Figure: homepage command of the IE form control]

The default value is "C:\Program Files\Internet Explorer\iexplore.exe". Similarly, a rogue website may be appended to the end of this value to lock the homepage.

  4. Binding to the target of the IE shortcut:

There is one more method, which you may hunt for in the registry even though it is right in front of you: modifying the target in the properties of the IE shortcut. Note that the shortcut is not the IE icon displayed by default on the desktop. There are four normal IE shortcuts:

[Figure: IE shortcuts]

Suffix). The fourth is the "Start Internet Explorer" icon in the Quick Launch bar to the right of the Start button. Right-click each one to view the shortcut properties:


[Figure: IE shortcut created from the desktop IE icon]

[Figure: IE shortcut created from the IE icon in the Start Menu]

For these two, the Target and Start in fields are empty by default. The other two are different:

[Figure: shortcut created from the IE main program]

[Figure: shortcut created from the IE icon in the Quick Launch bar]

I deleted the IE startup icon from the Quick Launch bar and tried to find it again, so the window above looks somewhat unusual. The default target of these two shortcuts is "C:\Program Files\Internet Explorer\iexplore.exe". This leaves an opening for the virus: it only needs to append its website to the end of the target, and when you open IE through this icon it jumps to that URL immediately.

Therefore, the author suggests that if the homepage has been tampered with and cannot be changed back, you first right-click the shortcut you use to start IE and check whether there is an additional URL after the executable path in the "Target" field. If there is, delete it; if not, go to the registry and check the possible locations:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
HKEY_CLASSES_ROOT\Applications\iexplore.exe\shell\open\command
HKEY_CLASSES_ROOT\CLSID\{871c5316-42a0-1069-a2ea-08002b30309d}\shell\OpenHomePage\Command

Check whether there is a "tail" after the value. These URLs are sometimes garbled; cut all of it off and restore the default value, and the homepage will change back. This is only a temporary fix. If you want to eliminate the problem completely, uninstall the newly installed rogue software first, and in the future do not wander around websites or accept recommendations to download and install software that seems new to you but may already be notorious. Of course, if you are familiar with more homepage tampering tricks, you do not have to worry about this. I once again recommend Registry Workshop, a registry management tool. I usually accumulate my findings in it to maintain a "virus sharing" collection and eliminate the tricks of viruses and rogue software.
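The "tail" check described above, written as a read-only PowerShell audit. This is an added example, not part of the original article; the helper name `Get-CommandTail` and the list of shortcut folders (current user's desktop, Start Menu and Quick Launch) are assumptions of the example.

```powershell
# Added example: read-only audit of the locations listed in the article.
# Flags any launch command or shortcut that carries a "tail" after iexplore.exe.

function Get-CommandTail {
    param([string]$Command)
    # Everything after the executable path; "%1" alone is the normal open parameter.
    if ($Command -match '^\s*"?(.+?\.exe)"?\s*(.*)$') { return $Matches[2].Trim() }
    return $Command
}

$findings = @()

# 1. Homepage value shown in Internet Options (reported for review, not judged).
$main = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$startPage = (Get-ItemProperty -LiteralPath $main -ErrorAction SilentlyContinue).'Start Page'
Write-Output "Start Page = $startPage"

# 2 and 3. Default values of the two command keys.
$commandKeys = @(
    'Registry::HKEY_CLASSES_ROOT\Applications\iexplore.exe\shell\open\command',
    'Registry::HKEY_CLASSES_ROOT\CLSID\{871c5316-42a0-1069-a2ea-08002b30309d}\shell\OpenHomePage\Command'
)
foreach ($key in $commandKeys) {
    $value = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).'(default)'
    if (-not $value) { continue }
    $tail = Get-CommandTail $value
    if ($tail -and $tail -ne '%1') {
        $findings += [pscustomobject]@{ Location = $key; Value = $value; Tail = $tail }
    }
}

# 4. Shortcuts whose target is iexplore.exe and whose arguments are not empty.
# Folder list is an assumption: desktop, Start Menu and Quick Launch of the current user.
$shell = New-Object -ComObject WScript.Shell
$folders = @(
    [Environment]::GetFolderPath('Desktop'),
    [Environment]::GetFolderPath('StartMenu'),
    (Join-Path $env:APPDATA 'Microsoft\Internet Explorer\Quick Launch')
)
Get-ChildItem -Path $folders -Filter *.lnk -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
    $lnk = $shell.CreateShortcut($_.FullName)
    if ($lnk.TargetPath -like '*\iexplore.exe' -and $lnk.Arguments) {
        $findings += [pscustomobject]@{ Location = $_.FullName; Value = $lnk.TargetPath; Tail = $lnk.Arguments }
    }
}

$findings | Format-List
```

An empty result means none of the audited command values or shortcuts has anything appended; the Start Page value is printed separately so it can be compared with what Internet Options shows.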
