Thoroughly cracking malicious web pages that threaten you

Source: Internet
Author: User

1. Computer functions disabled
Symptom Description: Although network hooligans do not use this trick often, once they do, the consequences are severe. After you browse a web page containing this kind of malicious code, "Shut Down", "Run", "Log Off", the Registry Editor, DOS programs, and the running of any program are all disabled, the system cannot enter "real mode", and the drives are hidden.

Solution: In general, if you encounter all eight of the above symptoms, the system is basically ruined. We recommend that you reinstall it.

2. Format the hard disk

Symptom Description: This type of malicious code uses IE to execute ActiveX functions and tricks you into formatting your hard disk. When you browse a web page that contains it, the browser pops up a warning saying "the current page contains insecure ActiveX, which may cause harm to you" and asks whether you want to execute it. If you choose "yes", the hard disk is quickly formatted. Because the window is minimized during formatting, you may not notice it at all, and by the time you find out it is too late.

Solution: Do not answer "yes" unless you know what you are doing. Note that the prompt text can be modified, for example to "Windows is deleting the temporary files of the local machine. Continue?", so stay alert! Renaming commands such as format.com, fdisk.exe, del.exe and deltree.exe on the computer is also an option.

3. Download and run a trojan program

Symptom Description: Can a web page contain a trojan? Of course. Because of a vulnerability in IE 5.0, this intrusion method exploits Microsoft's eml file vulnerability, which allows exe files to be embedded: the trojan is placed in an eml file, and a piece of malicious code points to it. When a user browses this malicious web page, the trojan is downloaded and executed without any prompt or warning!

Solution: The first solution is to upgrade IE 5.0 to a later version. In addition, install a virus firewall such as Kingsoft Antivirus (Kingsoft Duba) or Norton, which treats web-page trojans as viruses and quickly detects and intercepts them.

4. Registry locking

Symptom Description: Sometimes the system is modified after a malicious web page is browsed. When you try to use Regedit to change it back, the system tells you that you do not have permission to run the program and asks you to contact the administrator. Dizzying! They change my settings and I am not allowed to change them back. What kind of logic is that!

Solution: Find a registry editor other than Regedit that can still modify the registry, such as Reghance. Then restore the registry by setting the DWORD value "DisableRegistryTools" under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System back to "0".

5. Modify the default homepage

Symptom Description: Some websites exploit IE vulnerabilities to modify visitors' IE settings in order to increase their traffic and push advertisements. Typically they change your start page and default homepage. To stop you from changing them back, they may even grey out the default homepage buttons in the IE options. This is a habitual trick of network hooligans.

Solution:

(1) The start page is modified. Expand the registry to HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main. In the right pane, change the "Start Page" value to "about:blank". Similarly, expand the registry to HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main and change the "Start Page" value to "about:blank" in the right pane.

Note: Sometimes the above steps still do not take effect. This is probably because a program has been added to the startup items, so even after you fix the values, it runs again at the next startup and changes them back. The solution is as follows:

Run the Registry Editor regedit.exe, expand the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run key, delete the "registry.exe" entry under it (the name is not fixed), and finally delete the executable with the same name from the hard disk. Exit the Registry Editor and restart the computer. The problem is solved.

(2) The default homepage is modified. Run the Registry Editor, expand HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main, and in the "Default_Page_URL" value replace the malicious website's URL with the correct one, or set it to IE's default value.

(3) The IE option buttons are disabled. Run the Registry Editor and change the DWORD values "Settings"=dword:1, "Links"=dword:1 and "SecAddSites"=dword:1 under HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel to "0", and change the "homepage" value under HKEY_USERS\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel to "0".


6. Tamper with the IE title bar


Symptom Description: By default, the application itself supplies the title bar text. However, some network hooligans change the string value "Window Title" to their website name or to advertising text in order to change the IE title bar. To make others look at their stuff they resort to illegal modification; apart from the word "shameless", no other adjective fits.

Solution: Expand the registry to HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main, find the string value "Window Title" in the right pane, and delete it. Restart the computer.

7. Modify the default search engine

Symptom Description: The IE toolbar has a search button for searching the web. After it has been tampered with, clicking the search button takes you to the website they want you to visit.

Solution.

8. Modify the IE right-click menu

Symptom Description: For promotional purposes, some network hooligans modify the menu that pops up when you right-click and add messy entries to it, or even block all right-click functions in the IE window to prevent downloading.

Solution:

(1) The right-click menu is modified. Open the Registry Editor, find HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt, and delete the relevant advertisement entries.

(2) The right-click function is disabled. Open the Registry Editor, expand HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Restrictions, and change the DWORD value "NoBrowserContextMenu" to 0.

9. Tamper with the text in the address bar

Symptom Description: Some inexplicable text and icons appear under the victim's IE address bar. The drop-down list in the address bar also contains a large number of addresses that you have never visited.

Solution:

(1) Text in the address bar. Find the value LinksFolderName under HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar and delete its content.

(2) Useless addresses in the address bar. Delete the unwanted values under HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs.

10. A dialog box is displayed at startup

Symptom Description: (1) A dialog box pops up when the system starts. It usually contains advertising, such as a welcome to some website. (2) A web page pops up at startup and catches you off guard. The more vicious variants keep opening windows until the machine crashes.

Solution:

(1) A dialog box is displayed. Open the Registry Editor, find the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Winlogon, and find the strings "LegalNoticeCaption" and "LegalNoticeText" in the right pane. Deleting these two strings removes the prompt box at startup.

(2) A web page is displayed. Click Start, then Run, type msconfig, select the "Startup" tab, and remove all entries with the suffix url, html, or htm.

11. Timed pop-up of IE windows

Symptom Description: The victim's machine pops up an IE window at regular intervals, and the address points to the network hooligan's personal homepage. Do these network hooligans really think this will make you a regular visitor?

Solution: Click Start, then Run, type msconfig, select the "Startup" tab, remove all entries with the suffix hta, and restart the computer.
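A triage sketch for the registry values listed in the sections above, added here as an example and not part of the original article: it reads a Regedit export (.reg text) and reports which of those values are set. The rule table, the sample export and the `ads.example.invalid` host are constructed for illustration, and treating the `Run` key as the startup list is an assumption.

```python
import re

IE = r"\software\microsoft\internet explorer"
POL = r"\software\policies\microsoft\internet explorer"
CV = r"\software\microsoft\windows\currentversion"
NONZERO = r"dword:0*[1-9a-f][0-9a-f]*"
# (key suffix, value-name regex, data regex meaning "tampered", reason);
# keys and value names are the ones the article lists.
RULES = [
    (CV + r"\policies\system", "disableregistrytools", NONZERO, "policy lock"),
    (POL + r"\restrictions", "nobrowsercontextmenu", NONZERO, "policy lock"),
    (POL + r"\control panel", "settings|links|secaddsites|homepage", NONZERO, "policy lock"),
    (IE + r"\main", "window title", r'".+"', "planted string"),
    (CV + r"\winlogon", "legalnoticecaption|legalnoticetext", r'".+"', "planted string"),
    (IE + r"\main", "start page", r'"(?!about:blank").*"', "start page changed"),
    (CV + r"\run", ".*", r".*\.(hta|url|html?)\b.*", "page in startup"),
]
VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

def parse_reg(text):
    """Yield (key, value name, raw data) from .reg export text."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := VALUE.match(line)):
            yield key, m.group(1), m.group(2)

def audit(text):
    """Return sorted (value name, reason) pairs for values that match a rule."""
    out = []
    for key, name, data in parse_reg(text):
        for suffix, names, bad, reason in RULES:
            if (key.lower().endswith(suffix) and re.fullmatch(names, name, re.I)
                    and re.fullmatch(bad, data, re.I)):
                out.append((name, reason))
    return sorted(out)

# Constructed sample export (not taken from a real machine).
SAMPLE = r'''REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://ads.example.invalid/"
"Window Title"="Visit ads.example.invalid"
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Restrictions]
"NoBrowserContextMenu"=dword:00000000
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"registry"="C:\\WINDOWS\\popup.hta"
'''
```

Calling `audit(SAMPLE)` reports four of the five values; `NoBrowserContextMenu` is present but zero, so it is not flagged.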

 
