boot into winflp safe mode
usb device, c: is filled with pagefile.exe and autorun.inf
yl177.com is popup in internet explorer
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\system]
"DisableRegistryTools"=dword:00000000
doesn't work, which means
regedit.exe is fucked up, so I did "copy regedit.exe regedit.com" and ran that instead
delete the Debugger value under
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options], e.g.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe]
"Debugger"="C:\\Windows\\system32\\pagefile.exe"
I exported the *.reg and used Microsoft Sysinternals' reg.exe:
reg delete [path] /v debugger /f , using Notepad++ portable to make a .bat file
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]
delete "Window Title" to restore the default title
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel]
"HomePage"=dword:00000000
enables changing the IE homepage again
"Show Hidden Files and Folders" always jumps back to "Do not show hidden files and folders" in "Folder Options", so
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" change it to 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue" DWORD=1
delete autorun.inf and pagefile.exe in the root of c: d: e: f:
delete c:\windows\system32\pagefile.exe
search the registry for yl177
e.g. [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main] "searchpage"
delete it
also
[HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Connection Wizard]
and more
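The steps above put together as one cleanup batch file, written here as an added example (it is not the .bat from the post). The registry paths, value names and the 360Safe.exe / pagefile.exe / yl177 strings are the ones given in the post; the drive list, the use of %TEMP% for the exports and the findstr pass over them are assumptions. Run it from Safe Mode, with the USB stick unplugged, and on the post's WinFLP box use the regedit.com copy for anything this script cannot reach.

```batch
@echo off
rem Added example, not the original post's file. Values come from the post;
rem drive letters C-F and the %TEMP% export location are assumptions.

rem 1. Re-enable regedit: the infection sets this policy to 1.
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableRegistryTools /t REG_DWORD /d 0 /f

rem 2. List every IFEO "Debugger" entry so any other hijacked program names
rem    show up, then remove the one the post found (360Safe.exe -> pagefile.exe).
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" /s | findstr /i "Debugger"
reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe" /v Debugger /f

rem 3. Internet Explorer: drop the hijacked window title and search page,
rem    and clear the policy that locks the homepage (0 = not locked).
reg delete "HKLM\Software\Microsoft\Internet Explorer\Main" /v "Window Title" /f
reg delete "HKCU\Software\Microsoft\Internet Explorer\Main" /v "searchpage" /f
reg add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v HomePage /t REG_DWORD /d 0 /f

rem 4. Make "Show hidden files and folders" stick again.
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Hidden /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL" /v CheckedValue /t REG_DWORD /d 1 /f

rem 5. Dropper files in every drive root and the copy in system32.
rem    They carry the system+hidden attributes, so clear those before del.
for %%d in (C D E F) do (
  for %%f in (autorun.inf pagefile.exe) do (
    if exist %%d:\%%f (
      attrib -s -h -r %%d:\%%f
      del /f /q %%d:\%%f
    )
  )
)
if exist %SystemRoot%\system32\pagefile.exe (
  attrib -s -h -r %SystemRoot%\system32\pagefile.exe
  del /f /q %SystemRoot%\system32\pagefile.exe
)

rem 6. Export the hives and search the dumps for the hijack domain; every hit
rem    is a value to look at and delete (the post found them under HKCU and
rem    HKEY_USERS\.DEFAULT ...\Internet Explorer\Main, among others).
del /q %TEMP%\hkcu.reg %TEMP%\hklm.reg %TEMP%\hku.reg 2>nul
reg export HKCU %TEMP%\hkcu.reg
reg export HKLM %TEMP%\hklm.reg
reg export HKU  %TEMP%\hku.reg
findstr /i /n "yl177" %TEMP%\hkcu.reg %TEMP%\hklm.reg %TEMP%\hku.reg
```

Step 2 only deletes the entry the post names on purpose: each Debugger value that the query prints should be checked and removed by hand, because legitimate entries can exist under that key too. Step 6 goes through an export because the XP-era reg.exe has no search switch; on Vista and later `reg query HKCU /f yl177 /s` does the same without the files.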
added 13/11
also the service and file:
IE_WinServerName, Windows CreaterIE, c:\windows\webthund.exe
search for it in regedit
and delete the service
then attrib -s -h the file and delete it
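The service removal from the 13/11 addition as an added example batch file (not the post's own). The service name IE_WinServerName, its display name "Windows CreaterIE" and the binary c:\windows\webthund.exe are taken from the post; using sc.exe instead of editing the Services key by hand, and the fallback to reg delete, are assumptions.

```batch
@echo off
rem Added example, not the original post's file. Names and path are from
rem the post; sc.exe as the removal tool is an assumption.
set SVC=IE_WinServerName
set BIN=%SystemRoot%\webthund.exe

rem Show the service (display name "Windows CreaterIE") and its binary path
rem before touching anything, so the entry is confirmed to be the right one.
sc query %SVC%
sc qc %SVC%

rem Stop it if it happens to be running (in Safe Mode it normally is not).
sc stop %SVC%

rem Delete the service definition. If sc refuses (e.g. "marked for deletion"),
rem fall back to deleting the Services key directly, as the post did in regedit.
sc delete %SVC% || reg delete "HKLM\SYSTEM\CurrentControlSet\Services\%SVC%" /f

rem The binary is system+hidden, so a plain del skips it: clear attributes first.
if exist "%BIN%" (
  attrib -s -h -r "%BIN%"
  del /f /q "%BIN%"
)

rem Verify: nothing should be listed any more.
sc query %SVC%
dir /a:sh "%BIN%"
```

After a reboot, `sc query %SVC%` should report that the service does not exist; if it comes back, the dropper (pagefile.exe / autorun.inf from the first part of the post) is still present somewhere and recreates it.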
useful tools: sysinternals, regjump, reg, procexp,
regedit, attrib -s -h, dir /a:sh, ... and more
"Show Hidden Files and Folders" problem - do not work
repair regedit.exe registry
internet explorer homepage hijacked