As defenses improve, so do the attacks: the underhanded tricks used by malicious web pages keep being "renewed". A few simple registry fixes do not fully solve the problem. If your registry goes back to its tampered state after you have repaired it, look for the following causes.
1. The registry is modified to block the commands used to change it, so that users cannot repair things by editing the registry back.
The most common modifications are locking the registry and breaking file associations, for example those for .reg, .vbs and .inf.
Unlocking the registry was covered earlier. As for modified associations, any one of the registry-repair methods mentioned earlier can be used. But what if .reg, .vbs and .inf have all been modified? Don't be afraid: change the .exe suffix to .com and you can edit the registry. What if .com has been changed as well? Surely they are not that ruthless, but if so, change the suffix to .scr. The registry can be edited just the same.
The simplest and best method is to reboot immediately, press F8 to enter DOS, type scanreg /restore, and select a registry backup from a time when things were normal. Note: you must choose a backup from before the registry was modified! If you find that even scanreg has been deleted (some sites are that ruthless), copy a Scanreg.exe from a disk into the Command directory.
It is worth going over the default values of the common file associations.
The normal EXE association is at [HKEY_CLASSES_ROOT\exefile\shell\open\command]
The default value is: "%1" %* Change this association back and EXE files can be used again.
2. The registry is modified to leave a back door, so that your repair appears to succeed, but after a reboot the registry reverts to the modified state.
The back door is mainly left in the startup entries. Open the registry at the following keys (you can also use tools such as Optimization Master to view them):
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
HKCU\Software\Microsoft\Windows\CurrentVersion\Run-
Check whether there are any suspicious startup items. Most people overlook this point. Which startup items are suspicious?
Here are a few that need attention. Values in the startup keys with .html or .htm suffixes are best removed, and startup entries with a .vbs suffix should be removed as well. Another important one: check whether there is a startup item with a value like this:
The System value is regedit -s c:\windows\... Note that this regedit -s is a back-door parameter of the registry editor that is used to import registry files, so this entry must be removed.
Another type of modification creates a file with a .vbs suffix in c:\windows, or a .dll file that is actually a .reg file (a malicious web-page virus posing as a DLL file).
In this case, look at the c:\windows\win.ini file and check load= and run=. These two options should be empty. If other programs have modified load= or run=, delete the program after the = sign. Before deleting, note the path and file name, and after deleting, remove the corresponding file under system.
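An added example, not part of the original article: a Python sketch that audits a registry export and win.ini for the signs described above (startup values ending in .htm, .html or .vbs, a regedit -s startup command, a changed exefile default, non-empty load=/run=). The sample export, its value names and the placeholder file names are constructed for illustration.

```python
import re
# Patterns for the startup keys named above and for REGEDIT4 value lines.
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once|Services)?-?$", re.I)
EXE_CMD = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"
EXE_DEFAULT = '"%1" %*'
VALUE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')
BAD_SUFFIX = re.compile(r"\.(html?|vbs)\b", re.I)
SILENT_IMPORT = re.compile(r"\bregedit(\.exe)?\s*[-/]s\b", re.I)
INI_AUTORUN = re.compile(r"^[ \t]*(load|run)[ \t]*=[ \t]*(\S.*)$", re.I | re.M)

def unescape(s):  # .reg exports escape backslashes and quotes in strings
    return re.sub(r"\\(.)", r"\1", s)

def audit_reg(text):
    """Return (key, value name, reason) for each suspicious entry."""
    findings, key = [], None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        m = VALUE.match(line)  # never matches a [key] header line
        if not m or key is None:
            continue
        name = "(Default)" if m.group(1) == "@" else unescape(m.group(1)[1:-1])
        data = unescape(m.group(2))
        if RUN_KEY.search(key):
            if SILENT_IMPORT.search(data):
                findings.append((key, name, "silent regedit import"))
            elif BAD_SUFFIX.search(data):
                findings.append((key, name, "script or web page at startup"))
        elif key.lower() == EXE_CMD.lower() and name == "(Default)" and data != EXE_DEFAULT:
            findings.append((key, name, "exefile association changed"))
    return findings

def audit_win_ini(text):  # non-empty load=/run= entries (normally empty)
    return [(k.lower(), v.strip()) for k, v in INI_AUTORUN.findall(text)]

# Constructed sample data (placeholder file names, not from a real infection).
SAMPLE_REG = r'''REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"System"="regedit -s c:\\windows\\placeholder.dll"
"Home"="c:\\windows\\start.htm"
"Tray"="c:\\windows\\systray.exe"
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="c:\\windows\\placeholder.exe \"%1\" %*"
'''
SAMPLE_INI = "[windows]\nload=\nrun=c:\\windows\\system\\placeholder.exe\n"

if __name__ == "__main__":
    print(*audit_reg(SAMPLE_REG), *audit_win_ini(SAMPLE_INI), sep="\n")
```

The script only reports entries; review each finding before removing anything, since a legitimate program can also register a startup value.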
There is one more approach. If your fixes keep reverting after a restart, search for all .vbs files on the C drive (some may be hidden) and open them with Notepad. If a file contains anything about modifying the registry, delete it or, to be safe, change its suffix. You can also search for files by the time at which you clicked on the malicious page.
The following loophole is well worth noting. Many people say: "I have tried the methods you described, there is absolutely nothing suspicious in the startup items, and there are no VBS files either." Well, there is also a trap in starting IE itself: the advertisements in the Tools menu of the IE main window. They must be removed, because they start whenever you start IE. So after fixing everything else, do not rush to open an IE window, otherwise the effort is wasted. Method: open the registry at HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions and delete the advertisements you see there. Don't be lenient!
One very important point: after falling into a malicious site's trap, you must first clear all of IE's temporary files. Remember this!
Having said all that, how do you defend against this kind of malicious web page?
A once-and-for-all method is to remove the ID F935DC22-1CF0-11D0-ADB9-00C04FD58A0B from the registry. Its path is HKEY_CLASSES_ROOT\CLSID\{F935DC22-1CF0-11D0-ADB9-00C04FD58A0B}
Remember to look carefully before deleting, so that you do not delete something else by mistake. Deleting F935DC22-1CF0-11D0-ADB9-00C04FD58A0B will not affect the system.
Select "Tools" → "Internet Options" in the IE menu bar. In the dialog box that appears, switch to the "Security" tab, select "Internet" and click the "Custom Level" button. In the "Security Settings" dialog box, set all the options under "ActiveX controls and plug-ins" and "Scripting" to Disable or Prompt. However, if Disable is selected, some web sites that use ActiveX and scripts legitimately may not display fully. Recommended selection: Prompt. When you get a warning, look at the source code of the site. If you find code such as shl.regwrite, do not go there. If the source code is encrypted and you are not familiar with the site, do not go there either. If the right mouse button has been disabled, it is also better to be careful (why would a site mind you viewing its source, unless it holds some good Java or malicious code?).
For Windows 98 users: open c:\windows\java\packages\cvlv1nbb.zip and delete "activexcomponent.class" from it. For Windows ME users: open c:\windows\java\packages.nzvfpf1.zip and delete "activexcomponent.class". Deleting these does not affect normal web browsing.
In Windows 2000/XP, you can block some malicious scripts by disabling the Remote Registry service. Go to Control Panel → Administrative Tools → Services, right-click the Remote Registry service, select Properties in the pop-up menu, and in the Properties dialog box set "Startup type" on the "General" tab to "Disabled".
Or simply don't use IE. You can also use other browsers... After falling into a malicious site's trap, do not restart the computer immediately. First check whether there are any dangerous startup items, such as deltree.