You Can Easily Build a Super IE Too (Part 2): The Registry


Author: 付谦

Did the previous article give you more confidence in your browser? With that kind of hardening, everyday browsing should no longer threaten it. But those of you who routinely expose your browser to risky sites will sooner or later be hit by malicious code. Don't panic: handled correctly, everything can be put right again.

Part I:

First, the potential threats. When you browse a site that carries malicious script, you usually meet not one script but several, and they have a clear division of labour: some modify the registry, others add themselves to the running processes and to the programs started at boot. This may all happen within a minute, or only after you restart the computer. We cannot prevent all of it, but good habits can weaken or even break the attack chain even when we are hit.

Eliminating these potential threats comes down to regularly clearing the Temporary Internet Files folder, the history, the AutoComplete entries and the cookies. Two points deserve special attention. The first concerns anyone who logs in through a web page to an administrator account or to an important mailbox, for example a forum moderator or a mail service: if an attacker wants to hijack your privileges to do damage or to steal personal data, the cookies stored on the machine are a ready accomplice. Where necessary, set the cookie policy so that pages on which you enter a user name and password do not keep a persistent cookie.

If a site such as a forum must be supported by cookies, it is best not to choose "save the cookie" at each login; the cookie is then a session cookie and is deleted when you close the browser.

The second point is the Temporary Internet Files folder, though it only concerns people who habitually browse offline or go looking for things in that folder. In the normal case we can simply select "Empty Temporary Internet Files folder when browser is closed" in the Advanced options.

If you need to keep the contents of this folder, that option must stay off.

Be aware, though, that with the IFRAME feature enabled, unwanted programs sitting in the cache can be executed directly, which amounts to increasing our risk.

Part II:

The simple precautions above were only the warm-up; what follows is the real recovery. During recovery, combining several methods lets us clean up and completely restore the browser and the system. Below I walk through the recovery with a very concrete operation.

Do you remember the Web site described in the previous picture as "Wudu and tasty"? I deliberately let it infect me completely.

Let's see what it did:

1. The browser was altered beyond recognition

The appearance of the browser was completely changed, and picture frames were added where there should be no content at all; this is the work of an ActiveX control.

2. Registry Editor was locked

3. The browser opened Web pages on its own and unknown processes appeared

4. Unknown executable files appeared on the disk

5. The startup items were changed: Rundll32.exe entries and a shell wrapped around IE were added

The malicious programs made many more changes to the registry and to the browser, but since that part is miscellaneous and can ultimately be repaired, I will not list it all; in any case the browser was in a sorry state.

Next come the repair steps:

1. Disconnect from the network and clear all Internet records.

The main purpose of this is to cut off both routes of reinfection. Clear the Internet records: Temporary Internet Files, history, cookies, remembered passwords and AutoComplete form data. That alone is not enough; we also need to look in %windir%\Downloaded Program Files at the ActiveX controls that have been installed.

If these harmful controls are not cleared, then no matter what fixes you have made, the system will treat them as trusted by default when you reconnect to the network and they will pollute the browser again. So the last part of the cleanup is to look at the properties of these controls and decide which are useful, which are uncertain and which are definitely harmful; the uncertain ones can be deleted as well, since they will simply be downloaded again if they are needed. The Ietoolbarcab plug-in in the diagram is the toolbar that appeared at the bottom of IE in the earlier image, and the toolbar disappeared as soon as I deleted it. For the top three plug-ins in the diagram, look at the CodeBase in their properties and the mystery of the code is revealed: it is used to read the harmful files and tamper with the browser at every start, and the culprit is the last line of the CodeBase. It does not matter if you cannot read it; just delete it and it can no longer affect us.

2. Check suspicious system processes, services and startup items

This is the key step in our fight against malicious programs, and every operation here serves one purpose: to eliminate anything that would cause a malicious program to be loaded again when the system restarts. Once that is done, even if some malicious program's files remain on the hard disk, hidden in a very deep place, they have no way to be started and will find it hard to infect us. Here I recommend a tool you know but hardly ever use: System Information (msinfo32).

What the red boxes in the diagram mark are the current processes, the services, the startup programs, and the Internet Explorer file listing. We all have these four views but hardly ever use them. As you can see from the diagram, the process view in System Information is not just a bare list of processes like the one in Task Manager: it also shows the path of each process, which helps us enormously, because we can easily determine which processes are malware and where they live. System Information has one small drawback: it can only view, not modify. That is certainly no obstacle to us; we all know where else to open them.

How to use the IE file listing is covered at the end. Let's start with the concrete operations and see how to cleanly and completely cut off the malicious program.

First, let's look for what is suspicious among the processes.

The ones marked with red boxes are obviously suspicious, so I noted their paths and file names to delete later. Did you spot svch0st.exe? This is one of the most common and easiest ways for malware to fool our eyes: a fake file name. Besides substitutions like this one, there are tricks such as changing the case and using a shell (which can be judged from the path), so we must be careful when examining suspicious programs. Some will ask: Windows has so many processes, how do I know which are genuine? It is actually very simple; you can find many detailed process descriptions on Google.
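To make the name tricks above concrete, here is an added example (my own code, not from the article) that triages a process listing the way you would read the path column in msinfo32's Running Tasks view: it folds lookalike characters so that svch0st.exe matches svchost.exe, flags well-known system names that run from a directory other than the one they belong in, and points out unknown programs started from temporary or profile folders. The listing, the table of known processes and their directories, the C:\WINDOWS install path and the edit-distance tolerance are all constructed assumptions.

```python
"""Triage a process listing for fake and misplaced process names.

Added example, not code from the article. The listing below is constructed;
%windir% is assumed to be C:\\WINDOWS, and the table of known processes is
a small illustrative subset, not a complete list.
"""

# Known Windows XP processes and the directory each normally lives in
# (lower-cased; assumed default install paths).
KNOWN_SYSTEM_PROCESSES = {
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "rundll32.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
    "iexplore.exe": r"c:\program files\internet explorer",
}

# Characters commonly swapped to build a fake name that looks right.
HOMOGLYPHS = {"0": "o", "1": "l", "i": "l", "|": "l", "5": "s"}

# Directories from which an unknown program deserves a hard look (my heuristic).
SUSPICIOUS_DIR_MARKERS = ("\\temp", "\\temporary internet files", "\\documents and settings")


def normalize_name(name):
    """Lower-case the name and fold homoglyphs so svch0st.exe reads as svchost.exe."""
    return "".join(HOMOGLYPHS.get(c, c) for c in name.lower())


def edit_distance(a, b):
    """Plain Levenshtein distance; small enough for file names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage_process(full_path):
    """Return a list of findings for one listing entry; empty means nothing odd."""
    directory, _, name = full_path.rpartition("\\")
    lname, ldir = name.lower(), directory.lower()
    findings = []

    # Case 1: a genuine system name, so the only question is where it runs from.
    if lname in KNOWN_SYSTEM_PROCESSES:
        expected = KNOWN_SYSTEM_PROCESSES[lname]
        if ldir != expected:
            findings.append(f"{name}: known system name running from {directory}, expected {expected}")
        return findings

    # Case 2: an unknown name that is one or two edits away from a system name.
    norm = normalize_name(name)
    for known in KNOWN_SYSTEM_PROCESSES:
        stem = known.rsplit(".", 1)[0]
        tolerance = 1 if len(stem) < 6 else 2   # short names get a tighter threshold
        if edit_distance(norm, normalize_name(known)) <= tolerance:
            findings.append(f"{name}: lookalike of {known}, running from {directory}")
            break

    # Case 3: whatever it is called, it started from a scratch or profile folder.
    if any(marker in ldir for marker in SUSPICIOUS_DIR_MARKERS):
        findings.append(f"{name}: unknown program started from a temporary or profile folder ({directory})")
    return findings


def triage_listing(paths):
    """Map each suspicious path to its findings; clean entries are omitted."""
    result = {}
    for p in paths:
        findings = triage_process(p)
        if findings:
            result[p] = findings
    return result


# Constructed listing in the layout of msinfo32's Running Tasks path column.
SAMPLE_LISTING = [
    r"C:\WINDOWS\system32\svchost.exe",
    r"C:\WINDOWS\system32\SVCHOST.EXE",
    r"C:\WINDOWS\system32\svch0st.exe",
    r"C:\WINDOWS\explorer.exe",
    r"C:\Documents and Settings\User\Local Settings\Temp\explorer.exe",
    r"C:\WINDOWS\Temp\winupd.exe",
]

if __name__ == "__main__":
    for findings in triage_listing(SAMPLE_LISTING).values():
        for finding in findings:
            print(finding)
```

Treat the output as a shortlist, not a verdict: a legitimate installer can leave a system-named file in a Temp folder, and a malware author can drop a file into system32 under a name that is not in the table at all, which is why the path and the file's properties still have to be checked by hand.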

Then the services.

This was a deliberate infection. One regret is that I was not attacked by the approach of installing a service, but there are malicious programs that create a service on your computer, and a malicious program that does so is usually very powerful, so services cannot be spared either. There are really a lot of service entries, and you can still look up what each service is in Google.

Startup items

No more secrets here; it is the first place everyone thinks of. Combining what we see here with what we saw in the processes, the malicious program is dug out.

Combining these three observations, we can use the relevant tools to act: kill the process, delete the source file, and then clean up the junk in the startup items. With that we have done half the work.

3. Restore the damaged registry

There are various means of registry recovery, from simple to thorough; choose one according to your actual situation.

(1) Last Known Good Configuration

If the damage is not very serious and you noticed it and acted in time, you can reboot, press F8 before the system starts, and choose "Last Known Good Configuration", which recovers very easily. Note what it actually does: it restores the control set (the HKLM\SYSTEM driver and service configuration) from the last successful logon. It does not touch the user hives or the rest of the registry, and if you have already logged on since the infection, the "good" configuration is the infected one.

(2) Group Policy recovery

Suitable for systems with a large number of changes and for users who are familiar with Group Policy. Typing gpedit.msc in the Run box opens the Group Policy Editor (it is not shipped with XP Home Edition); go to User Configuration > Administrative Templates > System, where the policy "Prevent access to registry editing tools" can be set to Disabled to unlock the registry. There are also many Group Policy settings for IE and for the desktop; explore them if you are interested. The Group Policy Editor is in fact just an editor of registry values, and everything done here is the same as the edits described in many articles on the web (this particular policy writes the DisableRegistryTools value under HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System), but my main use of it is unlocking.

  (3) Third-party software recovery

Probably the method most people use, and there is plenty of online content about it; a commonly used one is 3721. Their working principle is also to modify the relevant registry values, but one thing must be clear: these programs work from fixed lists and cannot be exhaustive, so when we use them to repair, we still need to check what was actually repaired and deal with the rest ourselves in time. And any tool you allow to rewrite the registry must itself come from a source you trust.

4. Restart the computer and check for shells that have not been killed

Some people may find this prompt familiar; in fact, when we see it, the first thing to think of is a shell. Finding it is very simple: search the registry for the file name shown in the prompt. After searching I found that the prompt was hooked onto Explorer.exe, so I changed the key value by removing the extra part, and the prompt was gone at the next boot. I want you to remember this key (the path was garbled in the original and is reconstructed here):

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Its Shell value should contain nothing but Explorer.exe; anything appended after it is started alongside the desktop at every logon. There are many more shells hidden here.
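As an added example (my own code, not part of the article), the following audits the places named in steps 3 and 4 from a .reg export: the Winlogon Shell and Userinit values, the Run and RunOnce keys, and the DisableRegistryTools policy value that the Group Policy setting above writes. It then emits a .reg file that puts Shell back to Explorer.exe, unlocks Registry Editor and deletes the Run entries it considers suspicious. The export it reads is constructed, the expected Userinit path assumes Windows XP in C:\WINDOWS, and the "suspicious directory" list is my own heuristic.

```python
"""Audit a .reg export for autostart hooks and build a .reg file that undoes them.

Added example, not the article's own method. Parses the text written by
regedit's Export command (or `reg export`). The export below is constructed;
the expected Userinit path assumes Windows XP installed in C:\\WINDOWS.
"""
import re

WINLOGON = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
POLICY_SYSTEM = r"software\microsoft\windows\currentversion\policies\system"
RUN_KEYS = (r"software\microsoft\windows\currentversion\run",
            r"software\microsoft\windows\currentversion\runonce")
EXPECTED_SHELL = "explorer.exe"                            # the only token Shell should hold
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe,"   # XP default, trailing comma included
# Heuristic (my own): autostart commands living here deserve a close look.
SUSPICIOUS_DIRS = ("\\temp\\", "\\temporary internet files\\", "\\documents and settings\\")

_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')   # "name"=data


def _unescape(s):
    # Undo .reg escaping: a backslash quotes the next character.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Return {key_path: {value_name: data}} for REG_SZ and REG_DWORD values."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if not m or current is None:
            continue                      # header, comment, blank, or default (@) value
        name, data = _unescape(m.group(1)), m.group(2)
        if data.startswith('"') and data.endswith('"'):
            keys[current][name] = _unescape(data[1:-1])
        elif data.lower().startswith("dword:"):
            keys[current][name] = int(data[6:], 16)
        # hex:/hex(n): binary values are not needed for this audit
    return keys


def audit(keys):
    """Check the autostart points named in the article; returns a report dict."""
    winlogon = next((v for k, v in keys.items() if k.lower() == WINLOGON), {})
    shell_tokens = winlogon.get("Shell", "").split()
    report = {
        "shell_extra": [t for t in shell_tokens if t.lower() != EXPECTED_SHELL],
        "userinit_bad": winlogon.get("Userinit", "").lower() not in ("", EXPECTED_USERINIT),
        "registry_locked": [k for k, v in keys.items()
                            if k.lower().endswith(POLICY_SYSTEM) and v.get("DisableRegistryTools")],
        "run_entries": [],
    }
    for key, values in keys.items():
        if key.lower().endswith(RUN_KEYS):
            for name, cmd in values.items():
                suspicious = any(d in str(cmd).lower() for d in SUSPICIOUS_DIRS)
                report["run_entries"].append((key, name, cmd, suspicious))
    return report


def remediation_reg(report):
    """Build a .reg file that resets Shell, unlocks regedit and drops suspicious Run values."""
    out = ["Windows Registry Editor Version 5.00", ""]
    if report["shell_extra"]:
        out += ["[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon]",
                '"Shell"="Explorer.exe"', ""]
    for key in report["registry_locked"]:
        out += [f"[{key}]", '"DisableRegistryTools"=dword:00000000', ""]
    for key, name, _cmd, suspicious in report["run_entries"]:
        if suspicious:
            out += [f"[{key}]", f'"{name}"=-', ""]   # "name"=- deletes the value on merge
    return "\n".join(out)


# Constructed export; the value names and paths are illustrative, not real samples.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe C:\\WINDOWS\\system32\\svch0st.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IEToolbar"="rundll32.exe C:\\WINDOWS\\Temp\\ietoolbar.dll,Start"
"DisplayDriver"="C:\\Program Files\\Display\\tray.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
'''

if __name__ == "__main__":
    print(remediation_reg(audit(parse_reg(SAMPLE_EXPORT))))
```

Read the generated file before merging it with regedit: the Shell reset replaces the whole value, so anything a legitimate program had appended there is removed as well, and a Run entry flagged only because of its directory still needs a look at the file itself.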

5. Repair the damaged files

The article is finally nearing its end. After the operations above, the malicious program has basically been driven out of the computer; what remains is to clean up the damaged files. Remember the Internet Explorer file listing in System Information? If you find that a file is missing, you can copy one to your local computer (from a machine running the same version). If the browser will not start at all because of the modifications, there is a more thorough method: uninstall the browser. Uninstalling is not the same as installing over the top; to completely clear the junk from the registry it must be uninstalled. But IE cannot be removed from Add/Remove Programs, so what do we do? Don't worry, we can use the following method:

First insert the Windows XP CD into the drive, then click Start > Run and enter the command rundll32 setupapi,InstallHinfSection DefaultInstall 132 C:\Windows\inf\ie.inf in the Run box. The system opens the Setup progress dialog and starts reinstalling IE 6.0 from the CD.

Tip: if your Windows XP is not installed on drive C, change "C:\Windows\inf\ie.inf" to "%systemroot%\inf\ie.inf". (Quoted from ZDNet, Jackma)

This restores the browser completely.

If we then find that system files are corrupted, shown by abnormal display or broken functions, enter sfc /scannow in Run; System File Checker checks for damaged system files and repairs them (it will ask for the Windows XP CD when it needs an original copy it does not have cached). With this last step we have completely finished killing the malicious programs and recovering the system.

Conclusion: in the end I have seen plenty of bad news about IE, but whether we use IE, Netscape or Opera, online attacks will never cease. From this point of view, on one hand we wait for Microsoft to release a better browser, and on the other hand we should also pay attention to day-to-day protection while online, so that we can really enjoy surfing the Internet.
