Analysis of the 12 phenomena of the malicious web and modify the registry recently, repeated users have changed when browsing the web, making the IE default connection home, the title bar, and IE right-click menu to change the address when browsing the web page (more Advertising information), even more make the viewer's computer appears in a prompt window to display its own advertisement, and have more intensive potential, what should we do?
I. Reasons and solutions for registry modified
In fact, the malicious web page is an ActiveX web file containing harmful code that the appearance of these advertising information is because the viewer's registry was maliciously changed.
1, IE default connection home page modified
The title bar above the IE browser is changed to "Welcome to Access ... Website" style, which is the most common tampering means, and there are many victims.
The registry project by the change is:
HKEY_LOCAL_MACHINE / SOFTWARE / Microsoft / Internet Explorer / Main / Start Page
HKEY_CURRENT_USER / SOFTWARE / Microsoft / Internet Explorer / Main / Start Page
By modifying the key value of "Start Page" to achieve the purpose of modifying the viewer IE default connection home page, if you browse "Wanhua Valley" will modify your IE default connection home page to "http: //on888.home.chinaren. COM, even if it is for the purpose of advertising to your homepage, it is too overbearing, which is why this type of web page is disgusted.
Solution:
1 After Windows is started, click the "Start" → "Run" menu item, type regedit in the "Open", then press the "OK" button;
2 Expand the registry to
HKEY_LOCAL_MACHINE / SOFTWARE / Microsoft / Internet Explorer / Main
Next, find the string value "start page" in the right half window, change the key value of the start page to "About: blank";
3 Similarly, expand the registry to
HKEY_CURRENT_USER / SOFTWARE / Microsoft / Internet Explorer / Main
Find the string value "start page" in the right half window, then press the method described in 2.
4 Exit Registry Editor, restart your computer, everything is OK!
Special example: After the IE start page turns into some URLs, even if you have changed it through the option settings, it will turn into their URL after restarting, it is very difficult. In fact, they add a self-running program in your machine, which will set your IE start page to their website when the system starts.
Workaround: Run the registry editor regedit.exe, then expand
HKEY_LOCAL_MACHINE / SOFTWARE / Microsoft / Windows / Current Version / RUN
Primary key, then remove the registry.exe sub-key below, then delete the runner C: / Program files / registry.exe, and finally reset the start page from the IE option.
2, tampering with the default page of IE
Some IE is changed after the start page, even if the "Using the Default page" is still invalid, this is because the default page of the IE start page is also tampered. Specifically, the following registration items are modified:
HKEY_LOCAL_MACHINE / SOFTWARE / Microsoft / Internet Explorer /
Main / default_page_URL
"Default_page_url" The key value of this subkey is the default page of the start page.
Solution:
Run the registry editor, then expand the above subkey, change the URL of those who tamper with the name of the website in the key value of the "default_page_ur" subkey, or set to the default value of IE. 3. Modify the IE browser default home page, and lock the settings, prohibiting the user from changing back.
Mainly, the following key values (DWORD values are 1 when the DWORD value is 1):
[HKEY_CURRENT_USER / SOFTWARE / Policies / Microsoft / Internet Explorer / Control Panel]
"Settings" = DWORD: 1
[HKEY_CURRENT_USER / SOFTWARE / Policies / Microsoft / Internet Explorer / Control Panel]
"Links" = dword: 1
[HKEY_CURRENT_USER / SOFTWARE / Policies / Microsoft / Internet Explorer / Control Panel]
"SECADDSITES" = DWORD: 1
Solution:
Recovered the above DWORD value to "0".
4, IE's default home page gray button is not available
This is due to the registry hkey_users / .default / Software / Policies / Microsoft / Internet Explorer / Control Panel
The button value of the DWORD value "HomePage" is modified. The original key value is "0", and is modified to "1" (ie, a gray is unbalanced state).
Solution:
Change the key value of "homepage" to "0".
5, IE title column is modified
In the system default, it is information provided by the application itself to provide the title bar, but it is also allowed to fill in the information in the above registry project, and some malicious websites are using this to succeed: they will The key value under the string value Window Title is changed to its website name or more advertising information to change the purpose of changing the viewer IE title bar.
Specifically, the registry project that is changed is:
HKEY_LOCAL_MACHINE / SOFTWARE / Microsoft / Internet Explorer / Main / Window Title
HKEY_CURRENT_USER / SOFTWARE / Microsoft / Internet Explorer / Main / Window Title
Solution:
1 After Windows is started, click the "Start" → "Run" menu item, type regedit in the "Open", then press the "OK" button;
2 Expand the registry to
HKEY_LOCAL_MACHINE / SOFTWARE / Microsoft / Internet Explorer / Main
Next, find the string value "Window Title" in the right half window, delete the string value, or change the key value of the Window Title to "IE Browser", etc. What you like;
3 Similarly, expand the registry to
HKEY_CURRENT_USER / SOFTWARE / Microsoft / Internet Explorer / Main
Then press the method described in 2.
4 Exit the registry editor, restart your computer, run IE, you will find that you have solved your problem!
6, IE Right-click Menu is modified
Amended registry project is:
HKEY_CURRENT_USER / SOFTWARE / Microsoft / Internet Explorer / Menuext
Under the new web page, the advertisement information is created, and thereby appears in the IE right-click menu!
Solution:
Open the registration editor, find
HKEY_CURRENT_USER / SOFTWARE / Microsoft / Internet Explorer / Menuext Delete the relevant advertising provisions, be careful not to delete the download software flashget and Netants, these two but "normal", unless you don't want to be in IE See them.
7, IE default search engine is modified
There is a search engine tool button in the toolbar of the IE browser, you can implement network search. After being tampered with, just click on that search tool button, you will link to that tamper. This phenomenon is that the following registry is modified:
HKEY_LOCAL_MACHINE / SOFTWARE / Microsoft / Internet Explorer / Search / Customizesearch
HKEY_LOCAL_MACHINE / SOFTWARE / Microsoft / Internet Explorer / Search / Searchassistant
Solution:
Run the registry editor, expand the subkey in turn, change the key value of "CustomizeSearch" and "Searchassistant" to a SEO website.
8, pop up dialog box when the system starts
The registry project by the change is:
HKEY_LOCAL_MACHINE / SOFTWARE / Microsoft / Windows / CurrentVersion / Winlogon
The string "LegalNoticeCaption" and "LegalnoticeTiceText" are established under it, where "LegalNoticeCaption" is the title of the prompt box, "LegalNoticeText" is the text content of the prompt box. Because of their existence, we have a prompt window every time you log in to the Windwos desktop, showing the advertisement information of those webpages! You are, hate more!
Solution:
Open the registry editor, find
HKEY_LOCAL_MACHINE / SOFTWARE / Microsoft / Windows / CurrentVersion / Winlogon
This primary key, then find "LEGALNOTICECAPTION" and "LegalNoticetext" in the right window, and delete these two strings can solve the phenomenon of the prompt box when landing.
9. Browsing web registration table is disabled
This is due to the registry
HKEY_CURRENT_USER / SOFTWARE / Microsoft / Windows / CurrentVersion / Policies / System
The DWORD value "disableregistryTrytools" is modified to "1", and the key value is restored to "0" to recover the use of the registry.
Solution
Use the Notepad to establish a file with REG for the name, copy the following:
Regedit4
[HKEY_CURRENT_USER / Software / Microsoft / Windows / CurrentVersion / Policies / System]
"DisableregistryTools" = dword: 00000000
10. Browse the web start menu is modified
This is the most "embarrassment", so that the viewer is not as good as death. After browsing, there is not only those symptoms mentioned above, but there will be the following more tragic encounters:
1) Prohibition "Close System"
2) Prohibition of "running"
3) Prohibition "cancellation"
4) Hide C Dish - Your C is not found!
5) Prohibit the use of registry editor regedit
6) Prohibit the use of DOS programs
7) Make the system unable to enter "real mode"
8) Prohibition of running any procedure
Specific reasons and solutions, please see this article of the roadbraft of the Heavenly Net E Enterprise: "Browse web registry is modified fans solution".
The above is a relatively commonly modified viewer's registry, today when browsing the webpage, there is no intention to come to a person website, and encountered problems that have not been encountered before: 11, IE mouse is right-click failure
After browsing the web, right-click failure, click Right click without any reaction!
12. View "Source File" menu is disabled
Click "View" → "Source File" in the IE window, discover the Source File menu has been disabled.
I didn't pay attention to the two questions above when I browsed the web, because I was trying out of my computer, so I took it out of the computer, I have to go online online, I found that IE mouse is right-click failure, "View "The" source file "in the menu is disabled. You can't view the source file, but you can't use the right button, it is too inconvenient. I have a way!
Find the latest version of the super rabbit magic setting, yeah! Can't solve! It seems to be a new problem, but you are also "old revolution", this problem should be hard to live. So searching in the registry, after some findings finally understand the problem.
It turned out that the malicious web page modified my registry, the specific location is:
In the registry
HKEY_CURRENT_USER / SOFTWARE / Policies / Microsoft / Internet Explorer
Create a sub-key "Restrictions", then build two DWORD values under "Restrictions": "NoviewSource" and "NobrowserContextMenu" and assign these two DWORD values to "1".
In the registry
HKEY_USERS / .DEFAULT / SOFTWARE / Policies / Microsoft / Internet Explorer / Restrictions
Next, both DWORD values: "NoviewSource" and "NobrowserContextMenu" are changed to "1".
With the modification of these key values, the "source file" that is right-click in IE, so that the "source file" in the "View" menu is disabled. To explain to you is that the registry mentioned in Point 2 is actually equivalent to the branch of the registry mentioned in the 1st, modify the registry key value mentioned in Section 1, the registry key in the second point Value changes with it.
Solution:
Understand the truth, the problem solves more, the specific solution is: Save the following as the registry file named REG, for example, unlock.reg, double click unlock.reg import registry, do not restart your computer, re-re- Running IE will find that IE's function is constant.
Regedit4
[HKEY_CURRENT_USER / SOFTWARE / Policies / Microsoft / Internet Explorer / Restrictions]
"Noviewsource" = dword: 00000000
"NobrowserContextMenu" = dword: 00000000
[HKEY_USERS / .DEFAULT / SOFTWARE / Policies / Microsoft / Internet Explorer / Restrictions]
"Noviewsource" = dword: 00000000
"NobrowserContextMenu" = dword: 00000000
Special attention is that in the registry file unlock.reg you compiled, "regedit4" must be capitalized, and it must be empty, and "4" and "T" in "regedit4". There must be a space, otherwise it will give up! Many friends write registry documents are unsuccessful, because they did not pay attention to what they mentioned above, this time this time it attention. Please note that if you are Win2000 or WinXP users, "regedit4" is changed to Windows Registry Editor Version 5.00. Second, the prevention
1. To avoid the tricks, the key is to easily go to some sites that you don't understand, especially those who look beautiful and attractive URLs, otherwise it is often you.
2. Because this page is an ActiveX web file containing a harmful code, you can avoid the tricks in the IE settings.
The specific method is: Click "Tools → Internet Options in the IE window, select the" Security "tab in the pop-up dialog box, then click the" Custom Level "button, will pop up the Security Settings dialog box, put all of the ActiveX All plugins and controls and Java are all selected. However, doing this may cause some website that can make some normal use of ActiveX in the future web browsing process. Hey, if you are beneficial, you still look at it. Bar.
3. For Windows98 users, open C: /Windows/java/packages/cvlv1nbb.zip, deleted "activeXComponent.class"; for WindowsMe users, please open
C: /Windows/java/packages/5nzvfpf1.zip, deleted it "ActiveXComponent.class". Please rest assured that deleting this component will not affect you normally browse.
4. For all users, it is recommended to install Norton AntiVirus 2002 V8.0 anti-virus software. This software has defined the code that modifies the registry through the IE to Trojan.offensive, adds the script blocking function, which will monitor such pranks. And intercepted.
In addition, downloading Super Rabbit Magic Settings software installation, if there is a problem, you can use it to recover. However, "Rabbit" is made by the malicious web page we mentioned above, and the "Source File" in the "View" menu is disabled. These two phenomena cannot be recovered.
5, since this type of page is to destroy our system by modifying the registry, then we can lock the registry in advance: to modify the registry, so that the purpose of preventing the prevention. However, what should I do with the registry editor regedit.exe? So we have to prepare a "key" in advance before you can open this "lock"!
The locking method is as follows:
(1) Run the registry editor regedit.exe;
(2) Expand the registry to
HKEY_CURRENT_USER / SOFTWARE / Microsoft / Windows / CurrentVersion / Policies / SYSTEM
Next, create a DWORD value called DisableRegistryTryTools and change its value to "1" to disable usage of registry editor regedit.exe.
The unlocking method is as follows:
Edited an arbitrary name .reg file, such as UNLOCK.REG, as follows:
Regedit4
[HKEY_CURRENT_USER / SOFTWARE / Microsoft / Windows / CurrentVersion / Policies / System] "DisablereGistryTryTools" = DWord: 00000000
The storage disk, you have a key to unlock! If you want to use a registry editor, double click unlock.reg. Please note that if you are Win2000 or WinXP users, write "regedit4" as Windows Registry Editor Version 5.00.
6. For WIN2000 users, you can also deal with the page of the page by disabling the Remote Registry Service "Remote Registry Service" in Win2000. The specific method is: Click "Administrative Tools → Services → Remote Registry Service" to disable this.
7. If you feel that manually modify the registration table is too dangerous, you can download the following REG file, double-click to recover the modified registry.
8. Although a hard work is modified back to the title and the default connection home, if you accidentally enter the station, you have to trouble. In fact, you can do some settings in IE to never enter the site:
Open IE, click "Tool" → "Internet Options" → "Content" → "Hierarchical Review", click the "Enable" button, will call the "Hierarchical Review" dialog box, then click "License Site" tab, enter you don't want to go Website URL, if you enter:
Http://on888.home.chinaren.com, press the "Never" button, then click "OK" to tell me!
9. Upgrade your IE is version 6.0, which can effectively prevent the above symptoms.
