rogue software tampering with ie homepage

1. Infosec By G666h05t & AnonGhost Indonesia
2.  
3.  
4.  
5.  
6.  
7. rogue software tampering with ie homepage
8.  
9. 1) The registry value corresponding to the internet option:
10.  
11. 　　HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
12.  
13. 　　The value of this item is synchronized with the home page in the ie option, you can try it first.
14.  
15. 2) Bind the operating parameters of the ie main program:
16.  
17. 　　HKEY_CLASSES_ROOT\Applications\iexplore.exe\shell\open\command
18.  
19.  
20. ie main program operating parameters
21.  
22. 　　The normal value of this item is "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1. The rogue software appends its own website address as a running parameter, then it will automatically jump to when opening the main program of ie The website, this trick is ruthless.
23.  
24. 3) Bind the ieframe.dll home page command of the ie form control:
25.  
26. 　　HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command
27.  
28. Home page command of ie form control
29.  
30. 　　The default value of this item is "C:\Program Files\Internet Explorer\iexplore.exe". Similarly, rogue URLs may be appended to block the homepage.
31.  
32. 4) Bind ie shortcut operation target:
33.  
34. 　　There is also a method that can't be searched in the registry, but is far away in front of you, is to modify the run target in the ie shortcut properties. Note that it is a shortcut, not the ie icon displayed by default on the desktop. There are four normal ie shortcuts:
35. ie shortcut
36.  
37. 　　It can be seen that the above three ie shortcuts are created by the desktop ie icon, by the ie icon at the top of the start menu, and by the system disk ie main program (Of course, if you hide the extension, the third shortcut will not be available. exe suffix), the fourth is the "Start Internet Explorer" icon on the quick launch bar to the right of the start button. Right-click to view these shortcut properties:
38.  
39. Ie shortcut created from the start menu ie icon
40.  
41. Shortcut created by the ie icon in the quick launch bar
42. 6) 　The author has deleted the icon to start IE in the quick launch bar. I put a pen to memorialize, and come from afar, so the window above is slightly foreign. For these two shortcuts, the target default value is "C:\Program Files\Internet Explorer\iexplore.exe". Now the virus is free to drill. As long as you append your own URL to the back, then you can use this icon When you open IE, you will immediately jump to its web site, which is extremely versatile.
43.  
44. 7)Therefore, I suggest that if the homepage is tampered with and cannot be changed back, please right-click the shortcut opened when you start IE, and see if there is an additional URL after the property "Target", delete it if there is any; if not, go to the registry Check out those possible locations:
45.  
46. 　　HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
47. 　　HKEY_CLASSES_ROOT\Applications\iexplore.exe\shell\open\command
48. 　　HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command
49.  
50. Find US in telegram : t.me/AnonGhostid