Kevin Caldwell
One of my clients has a problem where when they visit a
website, it attempts to add three entries to the HKLM and
HKCU run registry keys. Two of the entries contain HTML
code along the lines of:
<html><body>this site has been blocked by your
administrator</body></html>
The third has a blank pointer to system32 directory,
which results in the system32 folder displaying at each
startup, and randomly while surfing the web.
I think the site is probably being blocked by Symantec's
anti-spyware feature.
I have used the Resplendence Registry manager to
determine that iexplore.exe is what is modifying the
registry keys.
Unfortunately, whichever site is doing this does not
appear to do it each time. For example, after clearing
out those run keys on Wednesday, the keys were recreated
at about noon on Friday. We went through her history,
and visited each site she went to on Thursday, but
nothing triggered recreating the registry keys. I have
her tracking what time she visits each site now, and
should be able to tell what site it is, eventually.
My question is this: Is there a way, via the permissions
on registry keys, to keep IE from being able to change
the run keys? If so, is there any reason why I would NOT
want to do this?
Thanks
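
An added example, not part of the original post: a read-only PowerShell check of the HKLM and HKCU Run keys that flags the kinds of entries described above (HTML markup stored as the value data, or a value that resolves to a directory) and timestamps each result so repeated runs can be lined up with a log of site visits. The function name Test-RunValue and the verdict labels are assumptions made for this example.

```powershell
# Added example: read-only audit of the Run keys named in the post.
# Nothing is modified; each run emits one timestamped row per Run value.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)

# Hypothetical helper: classify one Run value by what its data looks like.
function Test-RunValue {
    param([string]$Data)

    $trimmed = $Data.Trim().Trim('"')
    if ([string]::IsNullOrWhiteSpace($trimmed)) { return 'empty' }

    # HTML markup is never a valid startup command line.
    if ($trimmed -match '<\s*(html|body|script)\b') { return 'html-markup' }

    # A value that resolves to a folder makes Explorer open that folder at logon.
    $expanded = [Environment]::ExpandEnvironmentVariables($trimmed)
    if ([System.IO.Directory]::Exists($expanded)) { return 'directory' }

    return 'ok'
}

foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $item = Get-Item -LiteralPath $key

    foreach ($name in $item.GetValueNames()) {
        # Read the raw data so %SystemRoot%-style values are reported as stored.
        $data = [string]$item.GetValue($name, '', 'DoNotExpandEnvironmentNames')

        [pscustomobject]@{
            Time    = Get-Date -Format s
            Key     = $key
            Name    = $name
            Verdict = Test-RunValue $data
            Data    = $data
        }
    }
}
```

Run on a schedule with the output appended to a CSV file, the Time column shows the interval in which a flagged entry first reappeared.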