用户工具

站点工具


jaysnote:2345_com



2345.com

浏览器被污,所有主页均设置为2345.com,日狗,按照网上方法依次尝试,无果。自己着手解决。

网上的一些方法

尝试自己解决

怀疑是有一个守护进程,以上更改生效后立即被重新更改,导致无效。尝试在任务管理器->性能->资源监视器->CPU 选项卡中搜索2345,出现以下句柄。

映像  PID 类型  句柄名称
explorer.exe    9484    Mutant  \Sessions\1\BaseNamedObjects\http://www.2345.com/
explorer.exe    9484    File    C:\Users\JaysThinkPad\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I4IR8LS1\2345_160926[1].eot
explorer.exe    9484    File    C:\Users\JaysThinkPad\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VFB0GG7W\2345_com[1].htm

不难看出这里主要是资源管理器相关,怀疑是有程序直接注入了explorer.exe,尝试删除以上关联句柄的注册表和本地文件。但是在启动浏览器时候又马上被生成。

我们尝试按照一线方法结束资源管理器进程的这些Mutex。
Kill mutex (mutant) of an other process
下载handle.exe

Microsoft Windows [版本 6.1.7601]
版权所有 (c) 2009 Microsoft Corporation。保留所有权利。

C:\Users\JaysThinkPad>cd /d H:\Program Files\Handle

H:\Program Files\Handle>handle64.exe -p 9300 -a 2345
H:\Program Files\Handle>handle64.exe -p 1480 -a 2345

Nthandle v4.1 - Handle viewer
Copyright (C) 1997-2016 Mark Russinovich
Sysinternals - www.sysinternals.com

explorer.exe       pid: 1480   type: File           F88: C:\Users\JaysThinkPad\A
ppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I4IR8LS1\234
5_160926[1].eot
explorer.exe       pid: 1480   type: Mutant         FA8: \Sessions\1\BaseNamedOb
jects\http://www.2345.com/
explorer.exe       pid: 1480   type: File          1228: C:\Users\JaysThinkPad\A
ppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UN36B2RC\234
5_com[1].htm
explorer.exe       pid: 1480   type: File          16EC: G:\MyProject\2016-12-14
-2345.com
explorer.exe       pid: 1480   type: File          16F4: G:\MyProject\2016-12-14
-2345.com
>handle64.exe -p 9300 -c F88

按照以上方法结束了所有的2345句柄,同时尝试删除注册表和本地文件,问题依然。
但是这里发现一个问题,就是explorer中的句柄并不是一直存在的,是启动浏览器后被主动注入的。
但是启动搜狗浏览器的时候却没有改句柄,说明是浏览器程序本身被污染了。
同时不难看出IE浏览器也是同样的方式被注入了句柄。

映像  PID 类型  句柄名称
iexplore.exe    4744    File    C:\Users\JaysThinkPad\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I4IR8LS1\2345_160926[1].eot
iexplore.exe    4744    File    C:\Users\JaysThinkPad\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UN36B2RC\2345_com[1].htm
iexplore.exe    4744    Mutant  \Sessions\1\BaseNamedObjects\http://www.2345.com/

Handles and Objects

Pushing the Limits of Windows: Handles
The kernel-mode core of Windows, which is implemented in the %SystemRoot%\System32\Ntoskrnl.exe image, consists of various subsystems such as the Memory Manager, Process Manager, I/O Manager, Configuration Manager (registry), which are all parts of the Executive. Each of these subsystems defines one or more types with the Object Manager to represent the resources they expose to applications. For example, the Configuration Manager defines the key object to represent an open registry key; the memory manager defines the Section object for shared memory; the Executive defines Semaphore, Mutant (the internal name for a mutex), and Event synchronization objects (these objects wrap fundamental data structures defined by the operating system’s Kernel subsystem); the I/O Manager defines the File object to represent open instances of device driver resources, which include file system files; and the Process Manager the creates Thread and Process objects I discussed in my last Pushing the Limits post. Every release of Windows introduces new object types with Windows 7 defining a total of 42. You can see the objects defined by running the Sysinternals Winobj utility with administrative rights and navigating to the ObjectTypes directory in the Object Manager namespace:

Hunting Malware with Memory Analysis

H:\Program Files\volatility_2.4.win.standalone>volatility-2.4.standalone.exe -f memory_images/example.vmem --profie=Win7SP1x64 handles -p 3488  -t Mutant -s
H:\Program Files\volatility_2.4.win.standalone>volatility-2.4.standalone.exe -f memory_images/example.vmem imageinfo
H:\Program Files\volatility_2.4.win.standalone>volatility-2.4.standalone.exe -f memory_images/example.vmem --profie=Win7SP1x64  pslist
H:\Program Files\volatility_2.4.win.standalone>volatility-2.4.standalone.exe -f memory_images/example.vmem --profie=Win7SP1x64 vaddump -p 1752 -D memory_images/procdump/

360 系统急救箱

12/17/2016 3:47:47 PM
最后还是通过360系统急救箱扫描解决问题,有些异常可能和2345.com有关系。安装过程发现根本没有办法安装系统急救箱工具,因为在不能在 资源管理器中新建 “SuperKiller.exe”,怀疑其和Explorer启动项有关系。将360压缩包中的SuperKiller.exe 重命名后解压正常。



jaysnote/2345_com.txt · 最后更改: 2019/07/29 14:15 由 jaylee