
12 phenomena of malicious page modifying the registry

Recently it has become common that, when browsing a page, the registry is modified so that the default home page, title bar and right-click menu of IE are changed to the address of the page being browsed (mostly advertising information). What's more, the visitor's computer shows a prompt window at startup displaying the page's own advertising, and the trend is growing. What should we do in this situation?

I. Reasons for registry modification and solutions

In fact, the malicious page is an ActiveX page file containing harmful code, and the advertising information appears because the browser's registry entries have been maliciously changed.

1. The default connection home page of IE has been modified

The title bar at the top of the IE browser has been changed to the style of "welcome to... Station", which is the most common means of tampering and has many victims.

The registry entries that have been changed are:

HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page

By modifying the key value of "Start Page", the page changes the browser's default home page. For example, browsing "Wanhua Valley" will change your IE default home page to "". Doing this just to advertise one's own home page is overbearing, which is also why such pages are annoying.


① After Windows starts, click the "start" → "run" menu item, type regedit in the "open" box, and then click "OK".

② Expand the registry to HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main, find the string value "Start Page" in the right half of the window, double-click it, and change its key value to "about:blank".

③ Similarly, expand the registry to HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main, find the string value "Start Page" in the right half of the window, and deal with it as described in ②.

④ Exit the registry and restart the computer. Everything is OK.

Special example: when the start page of IE has been changed to some address, even if you modify it through the option settings, it becomes their address again after restarting, which is very troublesome. In fact, they added a self-running program to your machine, which sets your IE start page to their station when the system starts.

Solution: run registry e, then expand the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run primary key in turn, delete the e subkey under it, then delete the self-running program c:\program files\e, and finally reset the start page from the IE options.

2. The default page of IE has been tampered with

After the start page of IE has been changed, setting "use default page" may still have no effect, because the default page of the IE start page has also been tampered with. Specifically, the following registry entry has been modified:

HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL

"Default_Page_URL" is the default page of the start page.


Run the registry, expand the above subkey, and change the tampering station's address in the key value of "Default_Page_URL", or set it to the default value of IE.

3. The default homepage of IE is modified and the setting items are locked to prevent users from changing it back

It mainly modifies the following IE settings key values in the registry (the item cannot be selected when the DWORD value is 1):

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel] "Settings"=dword:1

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel] "Links"=dword:1

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel] "SecAddSites"=dword:1


Change the DWORD values above to "0" to restore the function.

4. The default homepage button of IE is grayed out and cannot be selected

This is because the key value of the DWORD value "homepage" under HKEY_USERS\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel in the registry has been modified. The original key value is "0", and it has been changed to "1" (that is, grayed out and not selectable).


Change the key value of "homepage" to "0".

5. The IE title bar has been modified

In the default state of the system, the application itself provides the information for the title bar, but users are also allowed to fill in the registry items below themselves. Some malicious stations take advantage of this: they change the key value of the string value "Window Title" to their station name or more advertising information, so as to change the title bar of the visitor's IE.

Specifically, the registry entries that have been changed are:

HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Window Title

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Window Title


① After Windows starts, click the "start" → "run" menu item, type regedit in the "open" box, and then click "OK".

② Expand the registry to HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main, find the string value "Window Title" in the right half of the window, and delete the string value, or change the key value of Window Title to a name you like, such as "IE browser".

③ Similarly, expand the registry to HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main, then proceed as described in ②.

④ Exit the registry, restart the computer, run IE, and you will find that the problem that bothered you has been solved.

6. The IE right-click menu is modified

The modified registry entry is:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt

A new entry carrying the page's advertising information has been created under it, and it appears in the IE right-click menu.


Open the registry and find HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt

Delete the relevant advertising entries. Be careful not to delete the entries of the download software FlashGet and NetAnts. These two are "normal", unless you don't want to see them in the right-click menu of IE.

7. The default search engine of IE has been modified

There is a search engine tool button in the toolbar of the IE browser, which performs a network search. After tampering, clicking the search tool button links to the tampering station. The reason for this is that the following registry entries have been modified:

HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch

HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant


Run the registry, expand the above subkeys in turn, and change the key values of "CustomizeSearch" and "SearchAssistant" to the address of a search engine.

8. A dialog box pops up when the system starts

The registry entries that have been changed are:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Winlogon

The strings "LegalNoticeCaption" and "LegalNoticeText" are created under it, where "LegalNoticeCaption" is the title of the prompt box and "LegalNoticeText" is the text content of the prompt box. Because of their existence, every time we log in to the Windows desktop, a prompt window appears, displaying the advertising information of those pages! How annoying!


Open the registry and find HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Winlogon

This is a primary key. Then find the two strings "LegalNoticeCaption" and "LegalNoticeText" in the right window. Deleting these two strings solves the problem of the prompt box appearing during login.

9. The registry is disabled after browsing the page

This is because the DWORD value "DisableRegistryTools" under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System in the registry has been modified to "1". Restore its key value to "0" to restore the use of the registry.


Create a file with the .reg suffix using Notepad, and copy the following contents into it:

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000000

10. The start menu is modified after browsing the page

This is the most "cruel" one, and it makes visitors feel like they are dying. After browsing, there are not only symptoms like those mentioned above, but also the following more tragic experiences:

1) prohibit "turning off the system"

2) prohibit "running"

3) prohibit "logging off"

4) hide the C drive - your C drive can't be found

5) prohibit the use of registry regedit

6) prohibit the use of DOS programs

7) make the system unable to enter "real mode"

8) prohibit the operation of any programs

For specific reasons and solutions, please see this article in the safety road column of Tianji e enterprise: "the mystery and solutions of registry modification on the browse page"

The above are the relatively common phenomena of a browsed page modifying the registry. Today, when browsing pages, I inadvertently came to a personal station and encountered problems I had not encountered before:

11. The right mouse button in IE is invalid

After browsing the page, the right mouse button in IE is invalid, and clicking the right mouse button gets no reaction.

12. The "source file" item in the "view" menu is disabled

Click "view" → "source file" in the IE window and you find that the "source file" menu item has been disabled.

I didn't notice the above two problems when browsing the page, because at that time my friend asked me for help, so I left the computer. After dinner in the evening, I turned on the computer and connected, and found that the right mouse button in IE had failed, and the "source file" item in the "view" menu was disabled. Not being able to view the source file is one thing, but not being able to use the right mouse button is too inconvenient. We have to find a way.

I got out the latest version of Super Rabbit Magic Settings and tried it. Ah! It couldn't solve it! It seems to be a new problem, but I'm something of an "old revolutionary" after all, so this should not be difficult for me. So I searched the registry and finally figured out the problem.

It turned out that the malicious page had modified my registry. The specific locations are:

In the registry, under HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer, the sub key "Restrictions" was created, and then two DWORD values were created under "Restrictions": "NoViewSource" and "NoBrowserContextMenu", and both were assigned the value "1".

In the registry, under HKEY_USERS\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Restrictions, the key values of the two DWORD values "NoViewSource" and "NoBrowserContextMenu" were changed to "1".

Through the modification of these key values, the right mouse button is disabled in IE and "source file" in the "view" menu is disabled.
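
An added example, not part of the original article: Python that scans a registry export in REGEDIT4 text form for the values this article lists and reports the ones to check. The sample export, its address and its program name are constructed, and the function and constant names are assumptions made here.

```python
import re

# DWORD values the article says lock or disable a feature when set to 1.
LOCK_DWORDS = {"settings", "links", "secaddsites", "homepage", "noviewsource",
               "nobrowsercontextmenu", "disableregistrytools"}
# String values the article says get overwritten or created by the page.
REVIEW_STRINGS = {"start page", "default_page_url", "window title",
                  "customizesearch", "searchassistant",
                  "legalnoticecaption", "legalnoticetext"}
KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"\s*=\s*(.+)$')

# Constructed sample export; the address and program name are made up.
SAMPLE = r'''REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://ads.example.invalid/"
"Window Title"="Welcome to the Example Station"

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Restrictions]
"NoViewSource"=dword:00000001
"NoBrowserContextMenu"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"updater"="C:\\Program Files\\updater.exe"
'''

def audit_reg_export(text):
    """Return (key, value name, data, reason) for each entry worth checking."""
    findings, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VAL_RE.match(line)
        if not m or key is None:
            continue
        name, data = m.group(1), m.group(2).strip()
        if name.lower() in LOCK_DWORDS and data.lower().startswith("dword:"):
            if int(data[6:], 16) != 0:
                findings.append((key, name, data, "policy lock enabled"))
        elif name.lower() in REVIEW_STRINGS and data.strip('"') not in ("", "about:blank"):
            findings.append((key, name, data, "string value to review"))
        elif key.lower().endswith(r"\currentversion\run"):
            findings.append((key, name, data, "autorun entry to verify"))
    return findings
```

Calling audit_reg_export(SAMPLE) reports the start page, the window title, the NoViewSource lock and the autorun entry, and leaves out the DWORD that is already "0".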

Copyright © 2011 JIN SHI