Deep analysis of why the registry repair is unsuccessful


As the saying goes, however high virtue rises, evil rises higher: the tricks used by malicious web pages keep appearing in new forms. After applying some simple registry repair methods the problem is often still not completely solved. If your registry reverts to the tampered state after you restore it, consider the following reasons.

1. The page modifies the registry so that the usual ways of editing it are blocked; the purpose is to stop the user from repairing the damage through the registry.

The most common modification is to lock the registry and break file associations, e.g. for .reg, .vbs, .inf and so on.

Unlocking the registry was covered in the previous section. As for the tampered associations, any of the registry-editing methods I described earlier can be used to fix them. But what if the .reg, .vbs and .inf associations have all been modified? Don't panic: rename the registry editor's .exe suffix to .com and you can still edit the registry. If .com has been changed too, then fine, rename it to .scr. Of course, that one can be modified as well.

The best and easiest way is to restart immediately, press F8 to enter DOS, type SCANREG /RESTORE and select a previous, normal copy of the registry to restore. Pay attention here: you must choose a copy that was not yet modified! If you find that even scanreg has been deleted (some sites are that nasty), copy a scanreg.exe from another disk into COMMAN.

It is also worth mentioning the default values of common file associations.

The normal exe association is [HKEY_CLASSES_ROOT\exefile\shell\open\command]

The default value is: "%1" %* . Change this association back and exe files can be used again.

2. After modifying the registry, the page leaves a back door; the purpose is to make your repair appear successful, and then return the registry to the modified state after a restart.

This is mainly done by leaving a back door in the startup items. Open the registry (you can also use a tool such as Optimization Master to view them) and look at:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

HKCU\Software\Microsoft\Windows\CurrentVersion\Run-

Check whether there are any suspicious startup entries. This is what most people overlook: which entries really need to start from here?

A few points to note here. Startup entries whose values end in .html or .htm are best removed, and entries with a .vbs suffix should be removed as well. Also very important: if a startup item has a value like the following, for example:

system with the value regedit -s c:\windows…… Note that regedit -s is the silent-import switch of the registry editor; it imports a .reg file without any prompt, and such entries must be removed.

Another kind of modification creates a file with a .vbs suffix under c:\windows, or a .dll file. In fact that .dll file is really a .reg file (the malicious web page virus disguises it as a DLL).

At this point you should also open c:\windows\win.ini and look at the load= and run= lines. Both should normally be empty. If some other program has been added to load= or run=, delete it from there, but note its path and file name before deleting, and then delete the corresponding file from the system as well.

There is another approach if the registry keeps reverting after each repair and restart: search the C drive for .vbs files (some may be hidden). Open them with Notepad; if you see registry modifications inside, delete them or change their suffix. You can search for files by the time at which you hit the malicious web page. :)

The following is very noteworthy. Many people say: I have tried every method you mentioned, there is absolutely nothing suspicious in the startup items and there is no vbs file, yet it still comes back. There is another trap in IE: the advertisement entries in the Tools menu of the IE main window must be removed, because they run when IE starts, so everything else you fixed gets undone as soon as you open an IE window and you will wear yourself out. Method: open the registry at HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions and delete the ad entries, without mercy!
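As an added illustration of the checks in this section (not code from the original article), here is a small Python script that audits an exported .reg file and win.ini offline for the indicators above: values under the Run, RunOnce, RunServices and Run- keys and the IE Extensions key just mentioned that contain regedit -s, .vbs or .htm/.html, and non-empty load= or run= lines in win.ini. The export text and win.ini content are constructed samples, not real captures.

```python
import re
# Autostart keys from the article (\Run prefix also matches RunOnce, RunServices, Run-) plus the IE Extensions key, which runs at IE start.
HKCU_CV = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
AUTOSTART_KEYS = (HKCU_CV + r"\Run", r"HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions")
# Indicators the article tells the reader to remove from startup values.
SUSPICIOUS = [
    (re.compile(r"\bregedit(\.exe)?\s+[-/]s\b", re.I), "silent .reg import (regedit -s)"),
    (re.compile(r"\.vbs\b", re.I), "VBScript file in startup"),
    (re.compile(r"\.html?\b", re.I), "web page (.htm/.html) in startup"),
]
def parse_reg_export(text):  # -> {key_path: {value_name: data}}
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        elif current and "=" in line and not line.startswith(";"):
            name, data = line.split("=", 1)
            # exports double every backslash inside string data; undo that
            keys.setdefault(current, {})[name.strip('"')] = data.strip().strip('"').replace("\\\\", "\\")
    return keys

def audit_startup(reg_text, win_ini_text):
    """Return (location, name, data, reason) for every suspicious autostart entry."""
    findings = []
    for key, values in parse_reg_export(reg_text).items():
        if not key.lower().startswith(tuple(k.lower() for k in AUTOSTART_KEYS)):
            continue
        for name, data in values.items():
            findings += [(key, name, data, why) for pat, why in SUSPICIOUS if pat.search(data)]
    section = None  # win.ini: load= and run= under [windows] should both be empty
    for line in win_ini_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "windows" and "=" in line:
            name, data = (s.strip() for s in line.split("=", 1))
            if name.lower() in ("load", "run") and data:
                findings.append(("win.ini [windows]", name, data, "load=/run= must be empty"))
    return findings

# Constructed sample export and win.ini for demonstration (not real captures).
SAMPLE_REG = r"""[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"system"="regedit -s c:\\windows\\system.dll"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run-]
"update"="wscript.exe c:\\windows\\update.vbs"
"""
SAMPLE_WIN_INI = "[windows]\nload=\nrun=c:\\windows\\boot.vbs\n"
```

Run `audit_startup(SAMPLE_REG, SAMPLE_WIN_INI)` to list the three planted entries; the benign ScanRegistry entry is left alone.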

A very important point: after falling into a malicious web page trap, you must first clear all of IE's temporary files. Remember!

Having said all that, how do you defend against such malicious web pages?

One once-and-for-all approach: delete the CLSID F935DC22-1CF0-11D0-ADB9-00C04FD58A0B (the Windows Script Host Shell object, WScript.Shell) from the registry at HKEY_CLASSES_ROOT\CLSID\{F935DC22-1CF0-11D0-ADB9-00C04FD58A0B}

Remember: read the ID carefully and delete exactly this one, not another. Deleting F935DC22-1CF0-11D0-ADB9-00C04FD58A0B will have no effect on the system.

In the IE menu bar, select "Tools" → "Internet Options". In the dialog box that appears, switch to the "Security" tab, select "Internet" and click the "Custom Level" button. In the "Security Settings" dialog, set all the relevant options under "ActiveX Controls and Plug-ins" and "Scripting" to "Disable" or "Prompt". If you choose "Disable", some websites that legitimately use ActiveX and scripts may not display fully, so the suggested choice is "Prompt". When you get a warning, look at the page's source code. If you find code such as Shl.RegWrite, don't continue. If the source is obfuscated and the site is not one you know well, don't continue either; even then, be careful (check what the source actually is, whether harmless Java or malicious code).

For Windows 98 users, open C:\WINDOWS\JAVA\Packages\CVLV1NBB.ZIP and delete "ActiveXComponent.class"; for Windows Me users, open C:\WINDOWS\JAVA\Packages\NZVFPF1.ZIP and delete "ActiveXComponent.class". This will not affect normal web browsing.

On Windows 2000/XP, you can block some malicious scripts by disabling the "Remote Registry Service". The method: go to "Control Panel" → "Administrative Tools" → "Services", right-click "Remote Registry Service", select "Properties" in the pop-up menu, and in the "General" tab of the properties dialog set "Startup type" to "Disabled".

Of course, you don't have to use IE; you can also use other browsers…… After you have been caught by a malicious web page, don't restart the computer immediately. Go to the startup items first and check for dangerous entries, such as deltree.
