The dirty tricks of malicious web pages keep "innovating": the simple registry repairs that used to work no longer solve the problem completely. If your registry goes right back to its tampered state after you restore it, read on.

1. The page modifies the registry to block the command forms used to edit it, so that the user cannot repair it through the registry.
The most common modification is to lock the registry and break file associations, such as .reg, .vbs and .inf.
We covered unlocking the registry earlier. As for the broken associations, any of the registry-modification methods I described earlier still works, as long as the association it relies on is intact. But what if .reg, .vbs and .inf have all been hijacked? Don't panic: rename the .exe suffix to .com and I can still edit the registry. And if .com has been changed too? Few pages are that thorough, but fine, I'll rename it to .scr. Hehe, it can still be modified.
The best and easiest way is to restart immediately, press F8 to enter DOS, type SCANREG /RESTORE, and select the registry backup from a time before the problem. Restore it and you are done. Be careful to select a backup that has not been modified! If you find that even scanreg has been deleted (some websites really are that ruthless), just use a floppy in drive A: and COPY it to COMMAN.
Here it is necessary to list the default values of common file associations.
The normal .exe association is [HKEY_CLASSES_ROOT\exefile\shell\open\command]
Its default value is: "%1" %*. Setting this association back makes .exe files usable again.
2. The page leaves a backdoor after modifying the registry, so that your repair appears to succeed, but after a restart the registry is put back into the tampered state.
This is mainly because a backdoor is placed in the startup items. Open the registry (you can also view them with a tool such as Optimization Master) and go to
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
HKCU\Software\Microsoft\Windows\CurrentVersion\Run-
and check whether there are any suspicious startup entries. This is the thing friends most often overlook. Which startup entries are suspicious?
Here are a few things to watch for. If a startup item's value carries a file suffix, it is best to remove it, and startup items with a .vbs suffix should be removed as well. Another very important point: watch for startup items with values like the following:
a value named system whose data is regedit -s c:\windows\... Note that regedit -s is the registry editor's silent switch, used to import a file into the registry without prompting; this is the backdoor, and such entries must be removed.
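As an added example (not from the original article), the following Python script does the two checks above on paper instead of by eye: it reads a REGEDIT4-format export of the .exe association and the four Run keys listed above, compares the open command with the stock "%1" %* value, flags startup entries whose data invokes regedit -s, a script host, or a .reg/.vbs/.dll file, and writes out a repair .reg that restores the association and deletes the flagged values. The sample export text, the value names in it (ScanRegistry, system, Loader, cleanup) and the file paths are constructed for illustration, not taken from a real machine.

```python
import re

# Constructed sample (not a real export): a REGEDIT4 dump of the autostart keys
# and the .exe association, in the format Windows 9x regedit writes. The
# hijacked command and the odd Run entries are the patterns the article describes.
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="c:\\windows\\system\\hijack.exe \"%1\" %*"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"system"="regedit -s c:\\windows\\system.reg"
"Loader"="wscript c:\\windows\\hosts.vbs"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"cleanup"="c:\\windows\\temp\\fix.dll"
"""

EXE_KEY = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"
EXPECTED_EXE_COMMAND = '"%1" %*'
RUN_BASE = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
RUN_KEYS = tuple(RUN_BASE + "\\" + k for k in ("Run", "RunOnce", "RunServices", "Run-"))

# Autostart data worth a second look: silent registry imports, script hosts,
# .reg or .vbs files, or a "DLL" being launched directly.
SUSPICIOUS = re.compile(r"regedit(\.exe)?\s+[-/]s\b|\.(vbs|reg|dll)\b|[wc]script", re.I)

# "name"="data" or @="data"; both sides may contain \" and \\ escapes.
VALUE_LINE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    return s.replace('\\"', '"').replace("\\\\", "\\")


def _escape(s):
    return s.replace("\\", "\\\\").replace('"', '\\"')


def parse_reg_export(text):
    """Parse REGEDIT4 text into {key: {value_name: data}}; '@' is the default value.
    Only string values are handled, which is all these keys normally hold."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("REGEDIT4", "Windows Registry Editor")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_LINE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else _unescape(m.group(2))
            keys[current][name] = _unescape(m.group(3))
    return keys


def check_exe_association(keys):
    """True if the .exe open command is the stock value; also returns what was found."""
    found = keys.get(EXE_KEY, {}).get("@")
    return found == EXPECTED_EXE_COMMAND, found


def suspicious_autostart(keys):
    """(subkey, value name, data) for every autostart entry matching SUSPICIOUS."""
    hits = []
    for key in RUN_KEYS:
        for name, data in keys.get(key, {}).items():
            if SUSPICIOUS.search(data):
                hits.append((key.rsplit("\\", 1)[1], name, data))
    return hits


def repair_reg(keys):
    """REGEDIT4 text that restores the .exe command and removes the flagged
    values ("name"=- deletes a value when the file is imported)."""
    out = ["REGEDIT4", "", f"[{EXE_KEY}]", f'@="{_escape(EXPECTED_EXE_COMMAND)}"', ""]
    for subkey, name, _data in suspicious_autostart(keys):
        out += [f"[{RUN_BASE}\\{subkey}]", f'"{_escape(name)}"=-', ""]
    return "\n".join(out)


if __name__ == "__main__":
    parsed = parse_reg_export(SAMPLE_EXPORT)
    ok, cmd = check_exe_association(parsed)
    print("exe association ok:", ok, "| found:", cmd)
    for hit in suspicious_autostart(parsed):
        print("suspicious autostart:", hit)
    print(repair_reg(parsed))
```

On a real machine you would export the keys with regedit, run the script against that file, read the repair text it prints, and only then import it; the ScanRegistry entry in the sample is there to show that ordinary autostart values pass through untouched.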
Another kind of modification drops .vbs files, or .dll files, into c:\windows. Those .dll files are actually .reg files (the web-page virus disguises them as DLLs).
In that case you also need to look at the c: file, at the load= and run= lines; both should be empty. If other programs are listed there, edit load= and run= and remove the program that follows. Before deleting, note the path and file name, then delete the corresponding file from the system.
Another method: if the modification keeps coming back after every repair and restart, search the C: drive for all .vbs files (some may be hidden) and open them with Notepad. If you see that they change the registry, delete them, or at the very least change their suffix, which is the safest. You can search by file time, based on when you hit the malicious page :)
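As an added example (not the article's own), the following Python script does the file hunting described in the previous three paragraphs: it walks a directory for .vbs, .reg, .inf and .dll files, flags a "DLL" that is really a REGEDIT4 text file, flags .vbs scripts that reach the registry through WScript.Shell RegWrite/RegDelete, reports which of the registry locations named in this article each file touches, and checks that load= and run= are empty in an INI-style [windows] section (the assumption that the "c: file" has that layout is mine). The sample files it creates in a temporary directory are constructed stand-ins with placeholder paths, not real malware.

```python
import os
import re
import tempfile

# File types the article says malicious pages drop or repurpose.
SCAN_EXTENSIONS = (".vbs", ".reg", ".inf", ".dll")
REG_HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
# VBScript calls that edit the registry through the WScript.Shell object.
VBS_REG_CALL = re.compile(r"\bRegWrite\b|\bRegDelete\b|WScript\.Shell", re.I)
# Registry locations the article tells the reader to check.
TARGET_KEYS = re.compile(
    r"exefile\\shell\\open\\command|CurrentVersion\\Run|DisableRegistryTools|Internet Explorer",
    re.I,
)


def classify_file(path):
    """Return a list of findings for one file, or [] if nothing stands out."""
    with open(path, "rb") as fh:
        head = fh.read(64 * 1024)
    text = head.decode("latin-1")  # lossless for any byte; real DLLs stay harmless noise
    ext = os.path.splitext(path)[1].lower()
    findings = []
    if text.lstrip().startswith(REG_HEADERS):
        findings.append("reg file" if ext == ".reg" else f"reg file disguised as {ext}")
    if ext == ".vbs" and VBS_REG_CALL.search(text):
        findings.append("vbs writes registry")
    for key in sorted(set(m.group(0) for m in TARGET_KEYS.finditer(text))):
        findings.append(f"touches {key}")
    return findings


def scan_tree(root):
    """{relative path: findings} for every file under root with a scanned suffix."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(SCAN_EXTENSIONS):
                path = os.path.join(dirpath, name)
                hits = classify_file(path)
                if hits:
                    results[os.path.relpath(path, root)] = hits
    return results


def check_load_run(ini_text):
    """Return non-empty load=/run= entries from the [windows] section of an
    INI-style file (assumption: the article's 'c: file' has this layout).
    Both should be empty on a clean system."""
    section, bad = None, {}
    for line in ini_text.splitlines():
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            section = s[1:-1].lower()
        elif section == "windows" and "=" in s:
            k, _, v = s.partition("=")
            if k.strip().lower() in ("load", "run") and v.strip():
                bad[k.strip().lower()] = v.strip()
    return bad


def build_sample_tree():
    """Constructed sample files (placeholders, not real malware) to exercise the scanner."""
    root = tempfile.mkdtemp(prefix="webfix-")
    samples = {
        # a dropped script that edits the .exe association
        "hosts.vbs": 'Set sh = CreateObject("WScript.Shell")\r\n'
                     'sh.RegWrite "HKCR\\exefile\\shell\\open\\command\\", '
                     '"c:\\windows\\PLACEHOLDER.exe ""%1"" %*"\r\n',
        # a .reg file wearing a .dll name, re-adding a Run entry
        "fix.dll": "REGEDIT4\r\n\r\n"
                   "[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run]\r\n"
                   '"system"="regedit -s c:\\\\windows\\\\fix.dll"\r\n',
        # a genuine-looking binary DLL: must not be flagged
        "real.dll": "MZ\x90\x00binary-ish content, not a text reg file",
        # wrong suffix: skipped by the extension filter
        "notes.txt": "REGEDIT4 mentioned in a text file is ignored",
    }
    for name, body in samples.items():
        with open(os.path.join(root, name), "w", encoding="latin-1", newline="") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for path, hits in scan_tree(build_sample_tree()).items():
        print(path, "->", "; ".join(hits))
    print(check_load_run("[windows]\r\nload=\r\nrun=c:\\windows\\PLACEHOLDER.exe\r\n"))
```

Point scan_tree at the Windows directory (or the whole C: drive) instead of the sample tree to reproduce the article's Notepad search mechanically; the file's own modification time, which the article suggests using, is available through os.stat if you want to narrow the sweep to the day of the incident.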
The next trap is well worth noting. Many friends say: I have tried every method you mentioned, there is absolutely nothing suspicious in the startup items, and there is no .vbs file either. Haha, there is one more trap that fires when you start IE: the advertisement entries added to the Tools menu of the IE main window. You must remove them, because they run when IE starts. So after fixing everything else, don't rush to open an IE window, or the work is wasted. Method: open the registry at HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions and delete the advertisement entries as soon as you see them; don't show mercy!
One very important point: after being caught by a malicious web page, you must first clear all of IE's temporary files. Remember!
Having said all that, how do we defend against such malicious web pages?
A once-and-for-all method: delete the key HKEY_CLASSES_ROOT\CLSID\{F935DC22-1CF0-11D0-ADB9-00C04FD58A0B} from the registry.
Remember to look carefully before deleting, and never delete any other key by mistake. Deleting this {F935DC22-1CF0-11D0-ADB9-00C04FD58A0B} key will not affect the system.
Select "Tools" → "Internet Options" from the IE menu bar, switch to the "Security" tab in the dialog that appears, select "Internet" and click the "Custom Level" button. In the "Security Settings" dialog, set all the relevant options under "ActiveX controls and plug-ins" and "Scripting" to "Disable" or "Prompt". However, if you choose "Disable", some websites that use ActiveX and scripts legitimately may not display fully. Recommended setting: "Prompt". When you get a warning, look at the page's source code. If you find code lying in wait for you, don't continue. If the source is encrypted and it is not a site you are familiar with, don't go. If you can't even right-click, be careful (check what the source looks like, in case it hides some Java or malicious code).
Windows 98 users: open C:\WINDOWS\JAVA\Packages and delete the "" in it. Windows Me users: open C:\WINDOWS\JAVA\Packages and delete the "" in it. These deletions will not affect normal web browsing.
In Windows 2000/XP, some malicious scripts can be blocked by disabling the "Remote Registry Service". The method: in "Control Panel" → "Administrative Tools" → "Services", right-click "Remote Registry Service", choose "Properties" from the pop-up menu, and on the "General" tab of the properties dialog set "Startup type" to "Disabled". This also intercepts some malicious script programs.
Hehe, or don't use IE at all; you can use other browsers... Once you have been caught by a malicious web page, don't restart the computer immediately. Go to the startup items first and check for dangerous entries; that beats having to fall back on deltree or the like.