SoFunction
Updated on 2025-04-14

Malicious web pages' registry backdoor - 19th full guide to using the registry


Symptom: the browser settings have been hijacked; you correct them in the registry and the change appears to take, but after a restart everything is back in the hijacked state.



The malicious page does more than change your settings: it leaves a backdoor that re-applies the change at every startup, so any fix you make in the registry only looks successful until the next reboot. The backdoor lives in the startup items, so open the registry and go to

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
HKCU\Software\Microsoft\Windows\CurrentVersion\Run-

Delete the offending entry under each of these keys, and then delete the self-starting program it points to (here under c:\Program Files\


2. An important tip, and the one most people overlook: check whether there are any other suspicious startup entries. Which entries count as suspicious?

If a value in the startup items carries a suffix (extra text appended after the program path), it is best to remove that entry.

Another very important case is a startup entry whose value looks like this:

regedit -s c:\windows...

Note that -s is regedit's silent-import switch: it imports a .reg file into the registry without any prompt, which is exactly how the backdoor re-applies its changes at every startup. Any entry of this kind must be removed.

Another kind of modification drops .vbs (or .dll) files into c:\windows\; check for those as well.

Also open the file in c:\windows\ that holds the load= and run= lines (win.ini) and look at those two entries; both should be empty after the = sign. If another program is listed there, note its path and file name first, remove it from load= / run=, and then go and delete the corresponding file from the system.

There is another approach when the settings keep reverting no matter how often you fix them and restart: search the whole C drive for .vbs files, including hidden ones, and open each in Notepad. If one contains registry changes, delete it, or change its extension if you want to be cautious.

Searching for files modified at the time you visited the malicious page narrows this down quickly.

The following loophole deserves attention. The advertising items the page added to the Tools menu of IE's main window must go too, because they are loaded every time IE starts. So after fixing everything else, do not rush to open an IE window, or the work is undone. Method: open the registry at

HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions

and delete those entries without mercy.

One very important point: after falling victim to a malicious web page, the first thing to do is clear all of IE's temporary Internet files. Remember that.
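The checks above, collected into one read-only audit script. This is an added example written for this edit, not code from the original article: it walks the Run/RunOnce/RunServices keys and flags values matching the patterns the article describes (regedit -s imports, .vbs scripts, .dll loaders), reads the load=/run= lines of win.ini, lists .vbs files under the Windows directory including hidden ones, and dumps the IE Extensions key. The HKLM Run keys, the RunServicesOnce key and the regex patterns are my additions; paths assume a default Windows install. It only reports; deletion is left to you after you have looked at each hit.

```powershell
# Added example, not from the original article: a read-only audit of the
# autostart locations a malicious web page abuses to re-apply its registry
# changes at every boot. Assumes a default Windows install (paths under
# $env:SystemRoot) and PowerShell 5.1 or later. Nothing is deleted here.

# The article's HKCU keys plus (my addition) RunServicesOnce and the HKLM counterparts.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Patterns (my choice) for the kinds of startup value the article says to remove.
$suspiciousPatterns = @(
    'regedit(\.exe)?\s+[-/]s\b',   # silent .reg import: "regedit -s c:\windows..." re-applies the hijack
    '\.reg\b',                     # a .reg file referenced from a startup entry
    '\.vbs\b',                     # script dropped in C:\Windows that rewrites the registry
    'rundll32.*\.dll'              # a .dll loaded through rundll32 as a startup entry
)

function Test-SuspiciousCommand {
    param([string]$Command)
    foreach ($pattern in $suspiciousPatterns) {
        if ($Command -imatch $pattern) { return $pattern }   # report which pattern matched
    }
    return $null
}

function Get-RunKeyEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        # Get-ItemProperty adds PSPath/PSParentPath/... metadata; skip those.
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }
            [pscustomobject]@{
                Key        = $key
                Name       = $p.Name
                Command    = [string]$p.Value
                Suspicious = Test-SuspiciousCommand ([string]$p.Value)
            }
        }
    }
}

function Get-WinIniAutostart {
    # win.ini: load= and run= must be empty after the '='; anything else is reported.
    $winIni = Join-Path $env:SystemRoot 'win.ini'
    if (-not (Test-Path $winIni)) { return }
    Get-Content -Path $winIni | ForEach-Object {
        if ($_ -match '^\s*(load|run)\s*=\s*(\S.*)$') {
            [pscustomobject]@{ Directive = $matches[1]; Program = $matches[2].Trim() }
        }
    }
}

function Get-DroppedScripts {
    # .vbs files under the Windows directory, hidden ones included (-Force);
    # newest first, so files written when the page was visited stand out.
    Get-ChildItem -Path $env:SystemRoot -Filter '*.vbs' -Recurse -Force -ErrorAction SilentlyContinue |
        Sort-Object LastWriteTime -Descending |
        Select-Object FullName, LastWriteTime,
            @{ Name = 'Hidden'; Expression = { [bool]($_.Attributes -band [IO.FileAttributes]::Hidden) } }
}

function Get-IeExtensions {
    # Tools-menu / toolbar items IE loads at startup; each subkey is one item.
    $extKey = 'HKLM:\Software\Microsoft\Internet Explorer\Extensions'
    if (-not (Test-Path $extKey)) { return }
    Get-ChildItem -Path $extKey | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        [pscustomobject]@{
            Id       = $_.PSChildName
            MenuText = $p.MenuText
            Exec     = $p.Exec       # program launched from the menu item
            Script   = $p.Script     # script launched instead of a program
        }
    }
}

'== Startup entries (Suspicious column names the pattern that matched) =='
Get-RunKeyEntries | Sort-Object Suspicious -Descending | Format-Table -AutoSize
'== win.ini load=/run= (should print nothing) =='
Get-WinIniAutostart | Format-Table -AutoSize
"== .vbs files under $env:SystemRoot (newest first) =="
Get-DroppedScripts | Format-Table -AutoSize
'== IE Extensions =='
Get-IeExtensions | Format-Table -AutoSize

# Clearing IE's temporary Internet files, the article's first step, can be done with:
#   RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 8
```

Run it from an elevated PowerShell so the HKLM keys and the hidden files under the Windows directory are readable. Review each flagged startup entry against the article's rules before removing it: a legitimate program can also sit in Run, and the point of the pattern list is to make the regedit -s, .vbs and .dll loaders stand out, not to delete on sight.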

(Source: Hot Network)