SoFunction
Updated on 2025-04-14

Fixing the damage done by a malicious website - Complete guide to using the registry, part six

1. Causes of registry modification and their fixes

Malicious web pages are web page files that contain harmful ActiveX code. The advertising they display appears because they make malicious changes to the browser's registry settings.

1. The default IE home page has been modified

The title bar at the top of the IE browser has been changed to something like "Welcome to...Website", and the registry items that have been changed are:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
Changing the data of the "Start Page" value is how the default IE home page gets changed.
① After Windows starts, click "Start" → "Run", type regedit in the "Open" box, and then click "OK";
② Expand the registry to
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main,
find the string value "Start Page" in the right pane, and change its data to "about:blank";
③ Similarly, expand the registry to
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main,
find the string value "Start Page" in the right pane, and handle it as described in ②;
④ Exit the Registry Editor and restart the computer. Everything is OK!
Special case: Sometimes the IE start page is changed to some URL and, even if you correct it through the options dialog, it reverts to that URL after a restart, which is very troublesome. What has actually happened is that a self-running program was added to your machine, and it sets your IE start page to their website every time the system starts.
Solution: Run the Registry Editor, expand the
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run key, delete the subkey under it, then delete the self-running program c:\Program Files\, and finally reset the start page from the IE options.

2. IE's default page has been tampered with

On some machines, once the IE start page has been changed, choosing "Use Default Page" has no effect. This is because the default page behind the IE start page has itself been tampered with. The following registry item is modified:
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
The data of the "Default_Page_URL" value is the default page used for the start page.
Solution:
Replace the tampered website's URL in the "Default_Page_URL" value.

3. The default IE home page is modified and the settings are locked so the user cannot change them back

This is done mainly by modifying the following IE settings in the registry (a DWORD value of 1 makes the option unavailable):
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel]
"Settings"=dword:1
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel]
"Links"=dword:1
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel]
"SecAddSites"=dword:1
Solution: Change the above DWORD values to "0" to restore the function.

4. IE's default home page button is greyed out and cannot be selected

This happens because the DWORD value "homepage" under HKEY_USERS\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel has been modified. Its original data is "0", and it has been changed to "1" (that is, greyed out and not selectable).
Solution: Change the data of "homepage" to "0".

5. The IE title bar has been modified

By default the application itself supplies the title bar text, but it also lets users set it themselves through the registry items below. Some malicious websites exploit this: they change the data of the string value Window Title to their website name or to more advertising, and so change the title bar of the visitor's IE.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Window Title
Solution:
① After Windows starts, click "Start" → "Run", type regedit in the "Open" box, and then click "OK";
② Expand the registry to
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main, find the string value "Window Title" in the right pane, and either delete it or change its data to "IE browser" or any other name you like;
③ Similarly, expand the registry to
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main and handle it as described in ②;
④ Exit the Registry Editor, restart the computer, and run IE.

6. The IE right-click menu has been modified

The modified registry items are:
The web page's advertising entries are newly created under HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt, and they appear in the IE right-click menu!
Solution: Open the Registry Editor, find
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt, and delete the advertising entries. Be careful not to delete the entries of the download tools FlashGet and NetAnts; those two are legitimate.

7. The default search engine of IE has been modified

The IE toolbar has a search button that performs online searches. After tampering, clicking the search button opens the tampered website. This happens because the following registry items have been modified:
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
Solution:
Run the Registry Editor, expand the above subkeys, and change the data of "CustomizeSearch" and "SearchAssistant" to the URL of a search engine.

8. A dialog box pops up when the system starts

The registry items that have been changed are:
Under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Winlogon, the strings "LegalNoticeCaption" and "LegalNoticeText" are created, where "LegalNoticeCaption" is the title of the prompt box and "LegalNoticeText" is its text. As long as they exist, every time we log in to the Windows desktop a prompt window appears and displays the advertising of those web pages.
Solution: Open the Registry Editor, find the
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Winlogon key, locate the two strings "LegalNoticeCaption" and "LegalNoticeText" in the right pane, and delete them.

9. The registry is disabled after browsing a web page

This happens because the DWORD value "DisableRegistryTools" under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System has been changed to "1"; restoring its data to "0" fixes it.
Solution: Use Notepad to create a file with the .reg extension and copy the following contents into it:
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000000

10. The Start menu is modified after browsing a web page

1) "Shut Down" is disabled
2) "Run" is disabled
3) "Log Off" is disabled
4) Drive C is hidden -- your C drive cannot be found!
5) The registry editor regedit is disabled
6) DOS programs are disabled
7) The system cannot enter "real mode"
8) No program is allowed to run

Note: The following are the calls this page uses to modify the victim's registry keys
("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoRun", 01, "REG_BINARY");
Note: Removes the "Run" item from the victim's system so that the user cannot modify the system registry through the registry editor.
("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoClose", 01, "REG_BINARY");
Note: Removes the "Shut Down" item from the victim's system
("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoLogOff", 01, "REG_BINARY");
Note: Removes the "Log Off" item from the victim's system
("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoDrives", "00000004", "REG_DWORD");
Note: Hides logical drive C on the victim's system
("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\WinOldApp\\Disabled","REG_BINARY");
Note: All DOS applications are prohibited;
("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\WinOldApp\\NoRealMode","REG_BINARY");
Note: Makes the system unable to boot into "real mode" (traditional DOS mode);
Note: Visiting this web page also modifies the following registry keys so that a notice window is displayed when logging in to Windows (before the Microsoft network user login)
("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Winlogon\\LegalNoticeCaption", "Woolala...");
Note: This line sets the window title to "Woolala..."
("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Winlogon\\LegalNoticeText", "Woolala...");
Note: The above line is the text that will be displayed in the window
Note: The following two lines of code modify the registry so that all of the victim's IE windows get the title "Woolala..."
("HKLM\\Software\\Microsoft\\Internet Explorer\\Main\\Window Title", "Woolala...");
("HKCU\\Software\\Microsoft\\Internet Explorer\\Main\\Window Title", "Woolala...");
Note: With the above, all modifications to the victim's registry are complete!
Note: The following code is used to add its web page to the victim's favorites
var WF, Shor, loc;
WF = (0);
loc = WF + "\\Favorites";
if(!(loc))
{
loc = (WF) + "\\Documents and Settings\" + + "\\Favorites";
if(!(loc))
{
return;
}
}

Note: The following is the specific code for adding its web page to your favorites
AddFavLnk(loc, "find feeling", "")

How an affected user can fix this:
1: Win9x users are advised to press F8 while the computer starts, select MS-DOS mode, and use the scanreg /restore command to restore a previously backed-up good registry.
2: Win2000 users should copy the following content, save it as a file, boot into Safe Mode with Command Prompt, and import it with the regedit command. Then restart the machine.
The file contents are as follows:
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000095
"NoRun"=hex:
"NoLogOff"=hex:
"NoDrives"=dword:00000000
"RestrictRun"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp]
"Disabled"=dword:00000000
"NoRealMode"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Winlogon]
"LegalNoticeCaption"=""
"LegalNoticeText"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
"Window Title"="IE Browser"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Window Title"="IE Browser"

11. The right mouse button in IE does not work
After browsing the web page, the right mouse button no longer works in IE; right-clicking gets no response!

12. The "View" → "Source File" menu item is disabled

Clicking "View" → "Source File" in the IE window shows that the "Source File" menu item has been disabled. Specifically, in the registry,
the subkey "Restrictions" is created under HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer, two DWORD values, "NoViewSource" and "NoBrowserContextMenu", are created under "Restrictions", and both are set to "1".
Also in the registry,
under HKEY_USERS\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Restrictions, the data of the two DWORD values "NoViewSource" and "NoBrowserContextMenu" is changed to "1".
Solution:
Save the following content as a registry file with the .reg extension, double-click it to import it into the registry, and re-run IE; it will return to normal.
REGEDIT4

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Restrictions]
"NoViewSource"=dword:00000000
"NoBrowserContextMenu"=dword:00000000
[HKEY_USERS\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Restrictions]
"NoViewSource"=dword:00000000
"NoBrowserContextMenu"=dword:00000000
Note that in the registry file you write, "REGEDIT4" must be in capital letters and must be followed by an empty line. Also, there must be no space between the "4" and the "T" in "REGEDIT4", otherwise all previous efforts will be wasted! If you are a Win2000 or WinXP user, change "REGEDIT4" to Windows Registry Editor Version 5.00.
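
An offline check for the values listed in sections 1 to 12 and for the header rule above, added here as an example and not part of the original guide: it reads the text of a .reg export, verifies the header line, and reports the values that are set. The function names and the sample export are constructed for illustration.

```python
import re

# Value names come from the page; a non-zero value under a Policies key locks UI.
LOCKS = {"settings", "links", "secaddsites", "homepage", "disableregistrytools",
         "noviewsource", "nobrowsercontextmenu", "norun", "noclose", "nologoff",
         "nodrives", "disabled", "norealmode"}
TEXTS = {"window title", "legalnoticecaption", "legalnoticetext"}
HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")

def header_ok(text):
    """Line 1 must be an exact known header and line 2 must be empty."""
    lines = text.splitlines()
    return len(lines) >= 2 and lines[0] in HEADERS and lines[1] == ""

def nonzero(data):
    """True if a dword: or hex: value contains any non-zero digit."""
    m = re.fullmatch(r"(?:dword|hex):([0-9a-fA-F,]*)", data)
    return bool(m) and bool(m.group(1).replace(",", "").strip("0"))

def audit(text):
    """Return (key, name, reason) for each value the page names as tampered."""
    findings, key = [], None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        m = re.match(r'"([^"]*)"=(.*)$', line)
        if not (key and m):
            continue
        (name, data), k = m.groups(), key.lower()
        if "\\policies\\" in k and name.lower() in LOCKS and nonzero(data):
            findings.append((key, name, "policy lock set"))
        elif name.lower() in TEXTS and data != '""':
            findings.append((key, name, "custom text, review"))
        elif name.lower() == "start page" and data != '"about:blank"':
            findings.append((key, name, "start page changed, review"))
        elif k.endswith("\\currentversion\\run"):
            findings.append((key, name, "autostart entry, review"))
    return findings

# Constructed sample export (not taken from a real machine).
SAMPLE = """Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Internet Explorer\\Control Panel]
"Settings"=dword:00000001
"Links"=dword:00000000

[HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main]
"Start Page"="http://ads.example.invalid/"
"Window Title"="Welcome to example"
"""
```

Version 5.00 exports are written as UTF-16, so read such a file with `encoding="utf-16"` before passing its text to `header_ok` and `audit`.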
(Source: Hot Network)