A public computer at my workplace that has Internet access was infected not long ago by a malicious web page. The symptoms were as follows: opening the IE browser automatically loaded a URL directory site called "Long good URL home"; in "Internet Options" the home page had been set to "www.ok9.net" (Figure 1); and the "Search" function had also been modified to point to "www.ok9.net", which is really annoying.
Figure 1 A malicious webpage modifies the home page address
So I ran the Registry Editor, used the "Find" function with "www.ok9.net" as the keyword to locate everything the malicious web page had modified, and changed every entry back to its original value. But after restarting the system and opening the IE browser, the malicious site opened automatically again, and the other settings had been modified once more. Things were not as simple as I had imagined: this malicious site must be tampering with something at system startup!
Figure 2 The key values that were modified
Next I entered "msconfig" in "Run" to open the System Configuration Utility and checked every auto-start item in System.ini, Win.ini and the "Startup" tab. In the "Startup" tab I finally found two extremely suspicious values. One was the default value and the other was named "Win", but both had the data "Regedit -s C:\windows\win.dll" (Figure 2). Looking up Regedit's command-line options shows that this command imports a registry script file, and the "-s" parameter makes it import automatically. But the file being imported is "Win.dll"; how could that be a dynamic link library? Suspecting the name was only a disguise, I opened "Win.dll" in Notepad and found that it is a plain-text file (Figure 3) whose extension has simply been changed.
Figure 3 The mysterious file
Analysing "Win.dll" showed why the system kept being modified again automatically: this file was what put the malicious changes back into effect. Having found the crux of the problem, the solution is of course to delete the two values and delete the "Win.dll" file. But then it occurred to me: since the malicious website can use this file to add its values, why not reuse the same file, an eye for an eye, and have it automatically restore the maliciously modified values instead? So I modified the file as follows:
REGEDIT4

; Clear the default value of the HKCU Run key
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
@=""

; Delete the "Win" value from the HKLM Run key
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Win"=-

; Blank the hijacked IE home page settings
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"=""
"First Home Page"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
"Start Page"=""
"First Home Page"=""
Save the modified "Win.dll" file, run the command "Regedit -s c:\windows\win.dll", and restart the system; you will find that all of the malicious changes are restored in one go. You can also keep this file: if you run into this malicious web page again, just import the file once more to restore the settings, which is very convenient.
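The persistence trick found above (a Run entry that calls "Regedit -s" on a registry script hidden behind a non-.reg extension) can be checked for mechanically. The following is an added example, not part of the original article; the function names, the sample Run entries and the sample file content are constructed for illustration, and the hijack URL is a placeholder.

```python
import re

# Run-key command that silently imports a registry script: regedit -s <file> (or /s).
SILENT_IMPORT = re.compile(
    r'^\s*"?(?:[a-z]:\\[^"]*\\)?regedit(?:\.exe)?"?\s+[-/]s\s+"?([^"]+?)"?\s*$',
    re.IGNORECASE,
)
REG_HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")

def is_reg_script(data: bytes) -> bool:
    """True if the content starts with a registry-script header, whatever the file is named."""
    # Version 5.00 exports are normally UTF-16LE with a BOM; REGEDIT4 files are ANSI.
    text = data.decode("utf-16" if data.startswith(b"\xff\xfe") else "latin-1", "replace")
    return text.lstrip("\ufeff \t\r\n").startswith(REG_HEADERS)

def audit_run_entries(entries, read_file):
    """entries: (key, value_name, command) tuples; read_file(path) -> bytes or None."""
    findings = []
    for key, name, command in entries:
        match = SILENT_IMPORT.match(command)
        if not match:
            continue
        target = match.group(1)
        data = read_file(target)
        findings.append({
            "key": key,
            "name": name or "(Default)",
            "target": target,
            "disguised": not target.lower().endswith(".reg"),
            "is_reg_script": data is not None and is_reg_script(data),
        })
    return findings

# Constructed sample data modelled on the two Run entries described above.
RUN = r"Software\Microsoft\Windows\CurrentVersion\Run"
SAMPLE_RUN = [
    ("HKCU\\" + RUN, "", r"Regedit -s C:\windows\win.dll"),
    ("HKLM\\" + RUN, "Win", r"Regedit -s C:\windows\win.dll"),
    ("HKLM\\" + RUN, "SystemTray", "SysTray.Exe"),
]
SAMPLE_FILES = {  # constructed content; the hijack URL is a placeholder
    r"C:\windows\win.dll": b'REGEDIT4\r\n\r\n[HKEY_CURRENT_USER\\Software\\Microsoft'
                           b'\\Internet Explorer\\Main]\r\n"Start Page"="http://hijack.example/"\r\n',
}

if __name__ == "__main__":
    for finding in audit_run_entries(SAMPLE_RUN, SAMPLE_FILES.get):
        print(finding)
```

On a live system the entries would come from the two Run keys and read_file would read the referenced path from disk.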