Sunday, October 1, 2017

[Research] Encountering the hao123 home-page hijack again

2017-10-01

One day I opened the browser and was greeted by the hao123 home page.

I handled it the way I had before, but found that the hijacking technique had changed: the browser's default home-page setting had not been modified at all.

[Research] Fixing the hao123 home-page hijack
http://shaurong.blogspot.com/2016/05/hao123-2016-05-17-windows-7-with-sp1.html


(Figure below) After some Googling it turned out that this time the shortcuts (.lnk files) had been modified.

(Figure below) In this variant the hijack lives in the shortcut's properties: the URL is appended directly after the program path in the Target field, so the browser is launched with that URL as its argument.

(Figure below) To quickly locate every IE (Internet Explorer), Firefox and Google Chrome shortcut on the machine, I used the fast file-search tool Everything.

Everything
http://www.voidtools.com/
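As an added example (not code from the original post, nor from the Everything tool): a small Python parser for the Windows Shell Link (.lnk) format that pulls out a shortcut's relative path and command-line arguments and reports any URL appended after the program, which is exactly the modification shown above. The .lnk bytes here are constructed inline for the demo; on a real machine you would feed it the shortcut files Everything found. The ANSI code page assumed for non-Unicode shortcuts is cp1252.

```python
import re
import struct

# LinkFlags bits from the MS-SHLLINK (Shell Link binary format) specification
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_REL_PATH, HAS_WORK_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x08, 0x10, 0x20, 0x40, 0x80
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
# StringData entries are stored in this fixed order, each present only if its flag is set
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"),
                 (HAS_WORK_DIR, "working_dir"), (HAS_ARGS, "arguments"),
                 (HAS_ICON, "icon_location"))

def parse_lnk(data):
    """Return the StringData fields of a .lnk file as a dict (absent fields omitted)."""
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    pos = 0x4C                                    # fixed-size ShellLinkHeader
    if flags & HAS_ID_LIST:                       # LinkTargetIDList: 2-byte size, then the list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                     # LinkInfo: 4-byte size that includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    width, codec = (2, "utf-16-le") if flags & IS_UNICODE else (1, "cp1252")  # cp1252 is an assumption
    fields = {}
    for bit, name in STRING_FIELDS:
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters, not bytes
            pos += 2
            fields[name] = data[pos:pos + count * width].decode(codec, errors="replace")
            pos += count * width
    return fields

def injected_url(data):
    """Return a URL smuggled into the shortcut's arguments, or None if the .lnk is clean."""
    match = URL_RE.search(parse_lnk(data).get("arguments", ""))
    return match.group(0) if match else None

def build_lnk(relative_path, arguments):
    """Construct a minimal Unicode .lnk with an empty IDList (sample data for this demo)."""
    flags = HAS_ID_LIST | HAS_REL_PATH | HAS_ARGS | IS_UNICODE
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID, flags).ljust(0x4C, b"\0")
    id_list = struct.pack("<H", 2) + b"\0\0"     # IDListSize=2 covers only the TerminalID
    def string_data(text):
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")
    return header + id_list + string_data(relative_path) + string_data(arguments)

# Constructed samples: a normal Chrome shortcut and one carrying the hijack described above
CHROME = r"..\..\Program Files\Google\Chrome\Application\chrome.exe"
CLEAN_LNK = build_lnk(CHROME, "")
HIJACKED_LNK = build_lnk(CHROME, "http://www.hao123.com/")
```

Run `injected_url()` over each browser shortcut Everything lists; a non-None result is a shortcut to inspect and repair, and the same parser works on .lnk files collected from a machine for offline triage.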




But after I had fixed the shortcuts and rebooted, the hijack came back after only a short time.
Either this variant has evolved beyond the technique some people online described, or the earlier cleanup simply did not remove everything.

(Figure below) So I had no choice but to Google for tools to deal with it. (At first I did not want to use these small utilities, for fear they might themselves be backdoors or trojans.)

adwcleaner_7.0.2.1.exe


(Figure below) One item simply could not be removed.

# AdwCleaner 7.0.2.1 - Logfile created on Sat Sep 09 04:30:47 2017
# Updated on 2017/29/08 by Malwarebytes
# Database: 09-08-2017.1
# Running on Windows 7 Ultimate (X64)
# Mode: scan
# Support: https://www.malwarebytes.com/support

***** [ Services ] *****

No malicious services found.

***** [ Folders ] *****

PUP.Optional.Legacy, C:\Windows\System32\config\systemprofile\AppData\Local\YSearchUtil
PUP.Optional.Legacy, C:\Windows\SysWOW64\config\systemprofile\AppData\Local\YSearchUtil
PUP.Optional.Legacy, C:\Users\Fendy\AppData\Local\YSearchUtil
PUP.Optional.Legacy, C:\Program Files (x86)\YouKu
PUP.Optional.Legacy, C:\Users\Lu\AppData\Roaming\YouKu


***** [ Files ] *****

PUP.Optional.DriverAgent, C:\Windows\System32\drivers\DRVAGENT64.SYS


***** [ DLL ] *****

No malicious DLLs found.

***** [ WMI ] *****

No malicious WMI found.

***** [ Shortcuts ] *****

No malicious shortcuts found.

***** [ Tasks ] *****

No malicious tasks found.

***** [ Registry ] *****

PUP.Optional.Legacy, [Key] - HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\hao123.com
PUP.Optional.Legacy, [Key] - HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\hao123.com
PUP.Optional.Legacy, [Key] - HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\www.hao123.com
PUP.Optional.Legacy, [Key] - HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\www.hao123.com
PUP.Optional.Legacy, [Value] - HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | TCP Query User{458AB1DC-E95E-402C-972F-5DE4528E6BCD}F:\bitcomet\百度乾淨雲 (純淨版) v2.0\ganjingyun_2.0 verson.1\ganjingyun.exe
PUP.Optional.Legacy, [Value] - HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | UDP Query User{30F1FA70-1180-4B87-BBEC-4905077E9B1F}F:\bitcomet\百度乾淨雲 (純淨版) v2.0\ganjingyun_2.0 verson.1\ganjingyun.exe
PUP.Optional.Legacy, [Value] - HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | TCP Query User{41D05D96-B582-417C-9252-A03AC08EF0C8}F:\baiduyundownload\support.exe
PUP.Optional.Legacy, [Value] - HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | UDP Query User{23539C90-F1CD-4590-8E72-5669101408BB}F:\baiduyundownload\support.exe
PUP.Optional.Legacy, [Value] - HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | TCP Query User{F0EF92AF-672D-4F34-ADB3-EAFC3FE86358}D:\免費軟體\網路工具\百度雲限速破解 v5.4.0穩定版(百度乾淨雲v2.0)\2016bdwpxspj\xx\baiduyunguanjia.exe
PUP.Optional.Legacy, [Value] - HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | UDP Query User{A8C130C1-A845-4D82-A9EB-D8AC0A20FB1B}D:\免費軟體\網路工具\百度雲限速破解 v5.4.0穩定版(百度乾淨雲v2.0)\2016bdwpxspj\xx\baiduyunguanjia.exe


***** [ Firefox (and derivatives) ] *****

PUP.Optional.Legacy, Plugin found: Search and New Tab by Yahoo - Yahoo


***** [ Chromium (and derivatives) ] *****

No malicious Chromium entries.

*************************



########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt ##########
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.1.4 (07.09.2017)
Operating System: Windows 7 Ultimate x64 
Ran by Lu (Administrator) on 2017/09/08 週五 at 22:56:24.11
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




File System: 29 

Successfully deleted: C:\ProgramData\thunder network (Folder) 
Successfully deleted: C:\Users\Lu\AppData\Local\esupport.com (Folder) 
Successfully deleted: C:\Users\Lu\AppData\Local\ysearchutil (Folder) 
Successfully deleted: C:\Users\Public\thunder network (Folder) 
Successfully deleted: C:\Program Files (x86)\esupport.com (Folder) 
Successfully deleted: C:\Users\Lu\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0PS72R2M (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Lu\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4SCFRU3Z (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Lu\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\62AXOPQ5 (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Lu\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\88YAQ7R4 (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Lu\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\E6CD9O2N (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Lu\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FZG8CKJ5 (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Lu\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ISD13SOR (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Lu\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LIXMVQOA (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Lu\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NVAFI81X (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Lu\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QJ341HMJ (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Lu\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TCAXA2WM (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Lu\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\U7P3G92O (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0PS72R2M (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4SCFRU3Z (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\62AXOPQ5 (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\88YAQ7R4 (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\E6CD9O2N (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FZG8CKJ5 (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ISD13SOR (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LIXMVQOA (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NVAFI81X (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QJ341HMJ (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TCAXA2WM (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\U7P3G92O (Temporary Internet Files Folder) 

Deleted the following from C:\Users\Lu\AppData\Roaming\Mozilla\Firefox\Profiles\ypl459mw.default\prefs.js
user_pref(browser.urlbar.suggest.searches, false);



Registry: 0 





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 2017/09/08 週五 at 22:58:06.12
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


The hijack kept coming back afterwards. In the end I formatted the C: drive and reinstalled Windows; it has been almost a month now and everything is working normally.

(To be continued)

Related

[Research] Encountering the hao123 home-page hijack again
http://shaurong.blogspot.com/2017/10/hao123.html

[Research] Fixing the hao123 home-page hijack
http://shaurong.blogspot.com/2016/05/hao123-2016-05-17-windows-7-with-sp1.html
