[研究] 再遇 hao123 首頁綁架

[研究] 再遇 hao123 首頁綁架

2017-10-01

某天，瀏覽器開起來看到了 hao123 首頁

照以前的經驗進行處理，發現綁架手法不同了，瀏覽器的預設首頁並沒有被改變。

[研究] 解決 hao123 首頁綁架
http://shaurong.blogspot.com/2016/05/hao123-2016-05-17-windows-7-with-sp1.html

(下圖) Google 找了一下，原來這次變成修改 捷徑  ShortCut 了。

(下圖) 這次綁架變成 捷徑的設定中，程式後方直接加上網址

(下圖) 為了方便快速找出電腦中所有 IE (Internet Explorer) , FireFox, Google Chrome 捷徑，小弟用了一套快速搜尋軟體 Everything

Everything
http://www.voidtools.com/

但是捷徑修正完畢，重新開機，用沒多久又發生。
可能比網路上某些人碰到的綁架手法，又再更進化，或者對方根本沒有清除乾淨。

(下圖)於是只好 Google 找工具來解決。(一開始不想用這些小工具，怕是後門、木馬)

adwcleaner_7.0.2.1.exe

(下圖) 有一個就是清除不掉

# AdwCleaner 7.0.2.1 - Logfile created on Sat Sep 09 04:30:47 2017 # Updated on 2017/29/08 by Malwarebytes # Database: 09-08-2017.1 # Running on Windows 7 Ultimate (X64) # Mode: scan # Support: https://www.malwarebytes.com/support ***** [ Services ] ***** No malicious services found. ***** [ Folders ] ***** PUP.Optional.Legacy, C:\Windows\System32\config\systemprofile\AppData\Local\YSearchUtil PUP.Optional.Legacy, C:\Windows\SysWOW64\config\systemprofile\AppData\Local\YSearchUtil PUP.Optional.Legacy, C:\Users\Fendy\AppData\Local\YSearchUtil PUP.Optional.Legacy, C:\Program Files (x86)\YouKu PUP.Optional.Legacy, C:\Users\Lu\AppData\Roaming\YouKu ***** [ Files ] ***** PUP.Optional.DriverAgent, C:\Windows\System32\drivers\DRVAGENT64.SYS ***** [ DLL ] ***** No malicious DLLs found. ***** [ WMI ] ***** No malicious WMI found. ***** [ Shortcuts ] ***** No malicious shortcuts found. ***** [ Tasks ] ***** No malicious tasks found. ***** [ Registry ] ***** PUP.Optional.Legacy, [Key] - HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\hao123.com PUP.Optional.Legacy, [Key] - HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\hao123.com PUP.Optional.Legacy, [Key] - HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\www.hao123.com PUP.Optional.Legacy, [Key] - HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\www.hao123.com PUP.Optional.Legacy, [Value] - HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | TCP Query User{458AB1DC-E95E-402C-972F-5DE4528E6BCD}F:\bitcomet\百度乾淨雲 (純淨版) v2.0\ganjingyun_2.0 verson.1\ganjingyun.exe PUP.Optional.Legacy, [Value] - HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | UDP Query User{30F1FA70-1180-4B87-BBEC-4905077E9B1F}F:\bitcomet\百度乾淨雲 (純淨版) v2.0\ganjingyun_2.0 verson.1\ganjingyun.exe PUP.Optional.Legacy, [Value] - HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | TCP Query User{41D05D96-B582-417C-9252-A03AC08EF0C8}F:\baiduyundownload\support.exe PUP.Optional.Legacy, [Value] - HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | UDP Query User{23539C90-F1CD-4590-8E72-5669101408BB}F:\baiduyundownload\support.exe PUP.Optional.Legacy, [Value] - HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | TCP Query User{F0EF92AF-672D-4F34-ADB3-EAFC3FE86358}D:\免費軟體\網路工具\百度雲限速破解 v5.4.0穩定版(百度乾淨雲v2.0)\2016bdwpxspj\xx\baiduyunguanjia.exe PUP.Optional.Legacy, [Value] - HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | UDP Query User{A8C130C1-A845-4D82-A9EB-D8AC0A20FB1B}D:\免費軟體\網路工具\百度雲限速破解 v5.4.0穩定版(百度乾淨雲v2.0)\2016bdwpxspj\xx\baiduyunguanjia.exe ***** [ Firefox (and derivatives) ] ***** PUP.Optional.Legacy, Plugin found: Search and New Tab by Yahoo - Yahoo ***** [ Chromium (and derivatives) ] ***** No malicious Chromium entries. ************************* ########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt ##########

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Junkware Removal Tool (JRT) by Malwarebytes Version: 8.1.4 (07.09.2017) Operating System: Windows 7 Ultimate x64  Ran by Lu (Administrator) on 2017/09/08 週五 at 22:56:24.11 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ File System: 29  Successfully deleted: C:\ProgramData\thunder network (Folder)  Successfully deleted: C:\Users\Lu\AppData\Local\esupport.com (Folder)  Successfully deleted: C:\Users\Lu\AppData\Local\ysearchutil (Folder)  Successfully deleted: C:\Users\Public\thunder network (Folder)  Successfully deleted: C:\Program Files (x86)\esupport.com (Folder)  Successfully deleted: C:\Users\Lu\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0PS72R2M (Temporary Internet Files Folder)  Successfully deleted: C:\Users\Lu\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4SCFRU3Z (Temporary Internet Files Folder)  Successfully deleted: C:\Users\Lu\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\62AXOPQ5 (Temporary Internet Files Folder)  Successfully deleted: C:\Users\Lu\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\88YAQ7R4 (Temporary Internet Files Folder)  Successfully deleted: C:\Users\Lu\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\E6CD9O2N (Temporary Internet Files Folder)  Successfully deleted: C:\Users\Lu\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FZG8CKJ5 (Temporary Internet Files Folder)  Successfully deleted: C:\Users\Lu\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ISD13SOR (Temporary Internet Files Folder)  Successfully deleted: C:\Users\Lu\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LIXMVQOA (Temporary Internet Files Folder)  Successfully deleted: C:\Users\Lu\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NVAFI81X (Temporary Internet Files Folder)  Successfully deleted: C:\Users\Lu\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QJ341HMJ (Temporary Internet Files Folder)  Successfully deleted: C:\Users\Lu\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TCAXA2WM (Temporary Internet Files Folder)  Successfully deleted: C:\Users\Lu\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\U7P3G92O (Temporary Internet Files Folder)  Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0PS72R2M (Temporary Internet Files Folder)  Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4SCFRU3Z (Temporary Internet Files Folder)  Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\62AXOPQ5 (Temporary Internet Files Folder)  Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\88YAQ7R4 (Temporary Internet Files Folder)  Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\E6CD9O2N (Temporary Internet Files Folder)  Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FZG8CKJ5 (Temporary Internet Files Folder)  Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ISD13SOR (Temporary Internet Files Folder)  Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LIXMVQOA (Temporary Internet Files Folder)  Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NVAFI81X (Temporary Internet Files Folder)  Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QJ341HMJ (Temporary Internet Files Folder)  Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TCAXA2WM (Temporary Internet Files Folder)  Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\U7P3G92O (Temporary Internet Files Folder)  Deleted the following from C:\Users\Lu\AppData\Roaming\Mozilla\Firefox\Profiles\ypl459mw.default\prefs.js user_pref(browser.urlbar.suggest.searches, false); Registry: 0  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Scan was completed on 2017/09/08 週五 at 22:58:06.12 End of JRT log ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

後來綁架狀況依然發生，最後把 C: 磁碟格式化，重新安裝 Windows 作業系統，目前用了快一個月，一切正常。

(待續)

相關

[研究] 再遇 hao123 首頁綁架
http://shaurong.blogspot.com/2017/10/hao123.html

[研究] 解決 hao123 首頁綁架
http://shaurong.blogspot.com/2016/05/hao123-2016-05-17-windows-7-with-sp1.html