Overview

Aliases: Trojan.Win32.StartPage.ar [Kaspersky]
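Category

Hijacker: any software that resets your browser so that it points to other sites. A hijack may reroute your information and the addresses you request through an invisible site in order to capture that information. During such a hijack your browser may still work normally, only slightly slower.

Homepage Hijacker: any software that changes your browser's home page to some other site. A hijack may reroute your information and the addresses you request through an invisible site in order to capture that information. During such a hijack your browser may still work normally, only slightly slower.

Search Hijacker: any software that sets your browser to point to other sites when you perform a search. A hijack may reroute your information and the addresses you request through an invisible site in order to capture that information. During such a hijack your browser may still work normally, only slightly slower. Search results returned while such a hijacker is running sometimes differ from the results returned when the browser is not hijacked.

Browser Helper Object (BHO): a component that is loaded whenever Internet Explorer starts. It shares IE's memory context and can perform any operation on the available windows and modules. A BHO can detect events, create windows that display additional information about the page being viewed, and monitor messages and actions. Microsoft calls it "a spy we send to infiltrate the browser's territory". BHOs are not blocked by personal firewalls, because the firewall sees them as the browser itself. Some exploit programs that use this technique scan every page you view in IE and replace the banner ads with other ads. Some monitor and report your actions. Some change your home page.

Toolbar: a group of buttons that perform common tasks. Internet Explorer's toolbars are normally located below the menu bar at the top of the window. Toolbars can be created by browser helper objects.

Reason for inclusion: changes the home page without the user's permission.

Origin

Author: Various

Other works by this author: Browser Hijacker · Cracking Tool · Nuker · FrontPage 2002 Key Generator · Unknown Password Cracker · Word List · Unknown KeyLogger · Port Scanner · Multidropper · Back Orifice Plugin Source · Unpacker · File Scavenger · Crypter · CaesarCrypt 1.0 · GIMP Toolkit · LinkMaker · Usenet Trojan · ICQ Pest · IRC War · Virus Creation Tool · PWLView 2 · Annoyance · Exploit · Dialer · ANSI Bomb · Encryption Tool · Virus Tutorial · Mailer · Phreaking Tool · Sparc Exploit · WinPWL Millennium Edition 3.5 · Trojan Source · Unix Exploit · Unknown Dialer · Key Generator · Steganos Hacker Tools · PHP.PhishingTools · Disassembler · Misc RAT Server Patcher · Worm Creation Tool

Date of origin: various versions from May 2003 to February 2005

Detection and Removal

Manual Removal

Follow the steps below to remove Unknown Hijacker from your machine. First back up your registry and system and set a restore point, in case something goes wrong.

Stop running processes: use Task Manager to stop the following running processes: my2ns.exe, ovfm.exe, reg32.exe, cpcfjmps.exe, eilo.exe

Unregister DLLs: use Regsvr32 to unregister the following DLLs, then restart: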
Remove autorun references: open HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. If you find the value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run host, delete it immediately and restart the machine.

Clean the registry: use Registry Editor to remove the following registry entries (if present):
Delete files: use Explorer to delete the following files (if present):
Investigation

File analysis: Unknown Hijacker

Investigation method: Spyware Research Center
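Before carrying out the registry-cleaning step, a read-only audit shows which Browser Helper Objects are actually registered and which DLL each one loads. The PowerShell below is an added example, not part of the original entry; the function and variable names and the placeholder CLSID are assumptions, and the script only reads the registry and file signatures.

```powershell
# Audit-only: list every Browser Helper Object registered for Internet Explorer
# and resolve each CLSID to the DLL it loads. Nothing is modified or deleted.
$bhoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
# COM class registrations (machine-wide, 32-bit view, per-user).
$clsidRoots = @(
    'HKLM:\SOFTWARE\Classes\CLSID',
    'HKLM:\SOFTWARE\Classes\WOW6432Node\CLSID',
    'HKCU:\SOFTWARE\Classes\CLSID'
)
# CLSIDs to flag, copied by the analyst from the removal list being followed.
# The value below is a constructed placeholder, not a real indicator.
$watchList = @('{00000000-0000-0000-0000-000000000000}')

function Get-BhoServerPath {
    param([string]$Clsid)
    # InprocServer32's default value names the DLL loaded into the browser.
    foreach ($root in $clsidRoots) {
        $key = "$root\$Clsid\InprocServer32"
        if (Test-Path -LiteralPath $key) {
            $dll = (Get-Item -LiteralPath $key).GetValue('')
            if ($dll) { return [Environment]::ExpandEnvironmentVariables($dll) }
        }
    }
    return $null
}

$results = foreach ($root in $bhoRoots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    foreach ($sub in Get-ChildItem -LiteralPath $root) {
        $clsid = $sub.PSChildName
        $dll   = Get-BhoServerPath -Clsid $clsid
        # An unsigned or missing server DLL deserves a closer look.
        $sig   = if ($dll -and (Test-Path -LiteralPath $dll)) {
                     (Get-AuthenticodeSignature -LiteralPath $dll).Status
                 } else { 'FileMissing' }
        [pscustomobject]@{
            Clsid     = $clsid
            Dll       = $dll
            Signature = $sig
            OnList    = $watchList -contains $clsid   # case-insensitive match
            Root      = $root
        }
    }
}
$results | Sort-Object OnList -Descending | Format-Table -AutoSize
```

An entry reported as `FileMissing` is a registration whose DLL is gone or whose class is not registered, which is typical of a partially cleaned machine.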