[Repost] A Complete Guide to Fixing a Hijacked Home Page





阿 土
2004-02-28, 09:55 AM
Many people keep asking how to fix a hijacked IE home page.

Before asking, take a look at the material this netizen has put together; it is quite detailed.

http://myweb.hinet.net/home2/nomo/teach/un-web-kidnap.htm




jerry11
2004-02-28, 01:41 PM
I personally recommend a piece of software: HijackThis

Software details:
----------------------------------------------------------------------------------------
Size: 152 KB
Language: English
Category: Foreign software / Freeware / Browsing security
Platform: Win9x/NT/2000/XP
Download: http://www2.skycn.com/soft/13334.html

The home page hijack buster, HijackThis, can dig out the programs that have hijacked your browser and remove them! Perhaps you only visited some website or installed some software, and then found your browser settings had been hijacked. The most common hijacks forcibly alter your browser's home page and search page settings. With this tool you can round up every suspicious program, judge for yourself which one is the culprit, and kill it!

* HijackThis v1.97 *
Written by Merijn - [email protected]
http://www.spywareinfo.com/~merijn/files/hijackthis.zip
http://www.spywareinfo.com/~merijn/index.html

See below version history for short info on hijack sections.

* Version history *
[v1.96]
* Lots of bugfixes and small enhancements! Among others:
* Fix for Japanese IE toolbars
* Fix for searchwww.com fake CLSID trick in IE toolbars and BHO's
* O19 (user stylesheet) now only checks for known bad filenames
* Attributes on Hosts file will now be restored when scanning/fixing/restoring it.
* Added several files to the LSP whitelist
* Fixed some issues with incorrectly re-encrypting data, making R0/R1 go undetected until a restart
* All sites in the Trusted Zone are now shown, with the exception of those on the nonstandard but safe domain list
[v1.95]
* Added a new regval to check for from Whazit hijack (Start Page_bak).
* Excluded IE logo change tweak from toolbar detection (BrandBitmap and SmBrandBitmap).
* New in logfile: Running processes at time of scan.
* Checkmarks for running StartupList with /full and /complete in HijackThis UI.
* New O19 method to check for Datanotary hijack of user stylesheet.
* Google.com IP added to whitelist for Hosts file check.
[v1.94]
* Fixed a bug in the Check for Updates function that could cause corrupt downloads on certain systems.
* Fixed a bug in enumeration of toolbars (Lop toolbars are now listed!).
* Added imon.dll, drwhook.dll and wspirda.dll to LSP safelist.
* Fixed a bug where DPF could not be deleted.
* Fixed a stupid bug in enumeration of autostarting shortcuts.
* Fixed info on Netscape 6/7 and Mozilla saying '%shitbrowser%' (oops).
* Fixed bug where logfile would not auto-open on systems that don't have .log filetype registered.
* Added support for backing up F0 and F1 items (d'oh!).
[v1.93]
* Added mclsp.dll (McAfee), WPS.DLL (Sygate Firewall), zklspr.dll (Zero Knowledge) and mxavlsp.dll (OnTrack) to LSP safelist.
* Fixed a bug in LSP routine for Win95.
* Made taborder nicer.
* Fixed a bug in backup/restore of IE plugins.
* Added UltimateSearch hijack in O17 method (I think).
* Fixed a bug with detecting/removing BHO's disabled by BHODemon.
* Also fixed a bug in StartupList (now version 1.52.1).
[v1.92]
* Fixed two stupid bugs in backup restore function.
* Added DiamondCS file to LSP files safelist.
* Added a few more items to the protocol safelist.
* Log is now opened immediately after saving.
* Removed rd.yahoo.com from NSBSD list (spammers are starting to use this, no doubt spyware authors will follow).
* Updated integrated StartupList to v1.52.
* In light of SpywareNuker/BPS Spyware Remover, any strings relevant to reverse-engineers are now encrypted.
* Rudimentary proxy support for the Check for Updates function.
[v1.91]
* Added rd.yahoo.com to the Nonstandard But Safe Domains list.
* Added 8 new protocols to the protocol check safelist, as well as showing the file that handles the protocol in the log (O18).
* Added listing of programs/links in Startup folders (O4).
* Fixed 'Check for Update' not detecting new versions.
[v1.9]
* Added check for Lop.com 'Domain' hijack (O17).
* Bugfix in URLSearchHook (R3) fix.
* Improved O1 (Hosts file) check.
* Rewrote code to delete BHO's, fixing a really nasty bug with orphaned BHO keys.
* Added AutoConfigURL and proxyserver checks (R1).
* IE Extensions (Button/Tools menuitem) in HKEY_CURRENT_USER are now also detected.
* Added check for extra protocols (O18).
[v1.81]
* Added 'ignore non-standard but safe domains' option.
* Improved Winsock LSP hijackers detection.
* Integrated StartupList updated to v1.4.
[v1.8]
* Fixed a few bugs.
* Adds detecting of free.aol.com in Trusted Zone.
* Adds checking of URLSearchHooks key, which should have only one value.
* Adds listing/deleting of Download Program Files.
* Integrated StartupList into the new 'Misc Tools' section of the Config screen!
[v1.71]
* Improves detecting of O6.
* Some internal changes/improvements.
[v1.7]
* Adds backup function! Yay!
* Added check for default URL prefix
* Added check for changing of IERESET.INF
* Added check for changing of Netscape/Mozilla homepage and default search engine.
[v1.61]
* Fixes Runtime Error when Hosts file is empty.
[v1.6]
* Added enumerating of MSIE plugins
* Added check for extra options in 'Advanced' tab of 'Internet Options'.
[v1.5]
* Adds 'Uninstall & Exit' and 'Check for update online' functions.
* Expands enumeration of autoloading Registry entries (now also scans for .vbs, .js, .dll, rundll32 and service)
[v1.4]
* Adds repairing of broken Internet access (aka Winsock or LSP fix) by New.Net/WebHancer
* A few bugfixes/enhancements
[v1.3]
* Adds detecting of extra MSIE context menu items
* Added detecting of extra 'Tools' menu items and extra buttons
* Added 'Confirm deleting/ignoring items' checkbox
[v1.2]
* Adds 'Ignorelist' and 'Info' functions
[v1.1]
* Supports BHO's, some default URL changes
[v1.0]
* Original release

A good thing to do after version updates is clear your Ignore list and re-add them, as the format of detected items sometimes changes.

The different sections of hijacking possibilities have been separated into these groups:

R - Registry, StartPage/SearchPage changes
R0 - Changed registry value
R1 - Created registry value
R2 - Created registry key
R3 - Created extra registry value where only one should be
F - IniFiles, autoloading entries
F0 - Changed inifile value
F1 - Created inifile value
N - Netscape/Mozilla StartPage/SearchPage changes
N1 - Change in prefs.js of Netscape 4.x
N2 - Change in prefs.js of Netscape 6
N3 - Change in prefs.js of Netscape 7
N4 - Change in prefs.js of Mozilla
O - Other, several sections which represent:
O1 - Hijack of auto.search.msn.com with Hosts file
O2 - Enumeration of existing MSIE BHO's
O3 - Enumeration of existing MSIE toolbars
O4 - Enumeration of suspicious autoloading Registry entries
O5 - Blocking of loading Internet Options in Control Panel
O6 - Disabling of 'Internet Options' Main tab with Policies
O7 - Disabling of Regedit with Policies
O8 - Extra MSIE context menu items
O9 - Extra 'Tools' menuitems and buttons
O10 - Breaking of Internet access by New.Net or WebHancer
O11 - Extra options in MSIE 'Advanced' settings tab
O12 - MSIE plugins for file extensions or MIME types
O13 - Hijack of default URL prefixes
O14 - Changing of IERESET.INF
O15 - Trusted Zone Autoadd
O16 - Download Program Files item
O17 - Domain hijack
O18 - Enumeration of existing protocols
O19 - User stylesheet hijack

You can get more detailed information about an item by selecting it from the list of found items or highlighting the relevant line above, and clicking 'Info on selected item'.

jerry11
2004-02-28, 01:42 PM
[Repost] HijackThis Log Analysis: How to Identify Harmful Entries

On the SpywareInfo forums (http://www.spywareinfo.com/forums/), many people unfamiliar with browser hijacking post asking for help with analysing their HijackThis logs, because they do not understand which entries are harmless and which are harmful.

This article is a basic guide to what the log means, with some tips to help you read it on your own. It is by no means a replacement for the answers you get by asking for help on the SWI forums; it is only meant to help you understand, to some degree, what your log means yourself.

Overview
Each line in a HijackThis log begins with a section name. (For technical information on this subject, click the "Info" button in the main window, scroll down, highlight a line and click "More info on this item".)

For practical information, click the section name you need help with:

- R0, R1, R2, R3 – IE Start/Search page URLs
- F0, F1 – Autoloading programs
- N1, N2, N3, N4 – Netscape/Mozilla Start/Search page URLs
- O1 – Hosts file redirection
- O2 – Browser Helper Objects
- O3 – IE toolbars
- O4 – Autoloading programs from the Registry
- O5 – IE Options icon not visible in Control Panel
- O6 – IE Options access restricted by Administrator
- O7 – Regedit access restricted by Administrator
- O8 – Extra items in the IE right-click menu
- O9 – Extra buttons on the main IE button toolbar, or extra items in the IE 'Tools' menu
- O10 – Winsock hijackers
- O11 – Extra group in the IE 'Advanced Options' window
- O12 – IE plugins
- O13 – IE DefaultPrefix hijack
- O14 – 'Reset Web Settings' hijack
- O15 – Unwanted sites in the Trusted Zone
- O16 – ActiveX Objects (aka Downloaded Program Files)
- O17 – Lop.com domain hijackers
- O18 – Extra protocols and protocol hijackers
- O19 – User style sheet hijack
________________________________________
R0, R1, R2, R3 - IE Start and Search pages
Symptoms:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://www.google.com/
R3 - Default URLSearchHook is missing

What to do:
If the URL at the end is your home page or search engine, leave it alone. If you do not recognize it, check it and fix it with HijackThis.
For R3 items, always fix them unless they mention a program you recognize, such as Copernic.
________________________________________
F0, F1 - Autoloading programs
Symptoms:
F0 - system.ini: Shell=Explorer.exe Openme.exe
F1 - win.ini: run=hpfsched

What to do:
F0 items are always bad, so fix them.
F1 items are usually very old programs that are safe, so you should look up more information on the file name to determine whether it is harmless or harmful.
________________________________________
N1, N2, N3, N4 - Netscape/Mozilla Start and Search pages
Symptoms:
N1 - Netscape 4: user_pref("browser.startup.homepage", "www.google.com"); (C:\Program Files\Netscape\Users\default\prefs.js)
N2 - Netscape 6: user_pref("browser.startup.homepage", "http://www.google.com"); (C:\Documents and Settings\User\Application Data\Mozilla\Profiles\defaulto9t1tfl.slt\prefs.js)
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%206%5Csearchplugins%5CSBWeb_02.src"); (C:\Documents and Settings\User\Application Data\Mozilla\Profiles\defaulto9t1tfl.slt\prefs.js)

What to do:
Usually the Netscape and Mozilla home page and search page are safe. They are rarely hijacked. If the home page or search page URL is one you do not recognize, fix it with HijackThis.
________________________________________
O1 - Hosts file redirection
Symptoms:
O1 - Hosts: 216.177.73.139 auto.search.msn.com
O1 - Hosts: 216.177.73.139 search.netscape.com
O1 - Hosts: 216.177.73.139 ieautosearch

What to do:
This hijack redirects an address that should go to the correct IP address to a wrong IP address. If the IP does not belong to that address, you will be redirected to the wrong site every time you type the address. Always fix these with HijackThis, unless you deliberately put those lines in your Hosts file yourself.
________________________________________
O2 - Browser Helper Objects
Symptoms:
O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\PROGRAM FILES\YAHOO!\COMPANION\YCOMP5_0_2_4.DLL
O2 - BHO: (no name) - {1A214F62-47A7-4CA3-9D00-95A3965A8B4A} - C:\PROGRAM FILES\POPUP ELIMINATOR\AUTODISPLAY401.DLL (file missing)
O2 - BHO: MediaLoads Enhanced - {85A702BA-EA8F-4B83-AA07-07A5186ACD7E} - C:\PROGRAM FILES\MEDIALOADS ENHANCED\ME1.DLL

What to do:
If you cannot directly recognize a Browser Helper Object by its name, use TonyK's BHO List to look it up by class ID (the CLSID, the number between curly braces) to determine whether it is harmless or harmful. In the BHO List, 'X' means spyware and 'L' means safe.
________________________________________
O3 - IE toolbars
Symptoms:
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\YCOMP5_0_2_4.DLL
O3 - Toolbar: Popup Eliminator - {86BCA93E-457B-4054-AFB0-E428DA1563E1} - C:\PROGRAM FILES\POPUP ELIMINATOR\PETOOLBAR401.DLL (file missing)
O3 - Toolbar: rzillcgthjx - {5996aaf3-5c08-44a9-ac12-1843fd03df0a} - C:\WINDOWS\APPLICATION DATA\CKSTPRLLNQUL.DLL

What to do:
If you cannot directly recognize the toolbar by its name, use TonyK's Toolbar List to look it up by class ID (the CLSID, the number between curly braces) to determine whether it is harmless or harmful. In the Toolbar List, 'X' means spyware and 'L' means safe.
If it is not in the list, its name looks like a random string of characters, and the file is somewhere inside a folder named 'Application Data' (like the last example above), then it is definitely harmful and you should fix it with HijackThis.
________________________________________
O4 - Autoloading programs from the Registry
Symptoms:
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

What to do:
Use PacMan's Startup List to look up these entries and determine whether they are harmless or harmful.
________________________________________
O5 - IE Options not visible in Control Panel
Symptoms:
O5 - control.ini: inetcpl.cpl=no

What to do:
Unless you deliberately hid the icon from Control Panel, fix it with HijackThis.
________________________________________
O6 - IE Options access restricted by Administrator
Symptoms:
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

What to do:
Unless you have the Spybot S&D option "Lock homepage from changes" activated, fix this item with HijackThis.
________________________________________
O7 - Regedit access restricted by Administrator
Symptoms:
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

What to do:
Always fix this item with HijackThis.
________________________________________
O8 - Extra items in the IE right-click menu
Symptoms:
O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_1.1.68-DELEON.DLL/cmsearch.html
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Zoom &In - C:\WINDOWS\WEB\zoomin.htm
O8 - Extra context menu item: Zoom O&ut - C:\WINDOWS\WEB\zoomout.htm

What to do:
If you cannot recognize the name of the item in the IE right-click menu, fix it with HijackThis.
________________________________________
O9 - Extra buttons on the main IE toolbar, or extra items in the IE 'Tools' menu
Symptoms:
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O9 - Extra button: AIM (HKLM)

What to do:
If you cannot recognize the name of the button or menu item, fix it with HijackThis.
________________________________________
O10 - Winsock hijackers
Symptoms:
O10 - Hijacked Internet access by New.Net
O10 - Broken Internet access because of LSP provider 'c:\progra~1\common~2\toolbar\cnmib.dll' missing
O10 - Unknown file in Winsock LSP: c:\program files\newton knows\vmain.dll

What to do:
It is best to fix these items with LSPFix from Cexx.org or Spybot S&D from Kolla.de.
________________________________________
O11 - Extra group in the IE 'Advanced Options' window
Symptoms:
O11 - Options group: [CommonName] CommonName

What to do:
Currently the only hijacker that adds its own options group to the IE Advanced Options window is CommonName. So you can always fix this item with HijackThis.
________________________________________
O12 - IE plugins
Symptoms:
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .PDF: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll

What to do:
Most of the time these items are safe. Only OnFlow adds a plugin here (.ofb) that you do not want.
________________________________________
O13 - IE DefaultPrefix hijack
Symptoms:
O13 - DefaultPrefix: http://www.pixpox.com/cgi-bin/click.pl?url=
O13 - WWW Prefix: http://prolivation.com/cgi-bin/r.cgi?

What to do:
These items are always bad. Fix them with HijackThis.
________________________________________
O14 - 'Reset Web Settings' hijack
Symptoms:
O14 - IERESET.INF: START_PAGE_URL=http://www.searchalot.com

What to do:
If the URL is not your computer manufacturer's or your ISP's, fix it with HijackThis.
________________________________________
O15 - Unwanted sites in the Trusted Zone
Symptoms:
O15 - Trusted Zone: http://free.aol.com

What to do:
So far, only AOL tends to add itself to your Trusted Zone, which allows it to run any ActiveX it wants to. Always fix this item with HijackThis.
________________________________________
O16 - ActiveX Objects (aka Downloaded Program Files)
Symptoms:
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

What to do:
If you cannot recognize the name of the object, or the URL it downloaded the file from, fix it with HijackThis. If the name or URL contains words such as 'dialer', 'casino', 'free-plugin' and so on, definitely fix it.
________________________________________
O17 - Lop.com domain hijack
Symptoms:
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = W21944.find-quick.com
O17 - HKLM\Software\..\Telephony: DomainName = W21944.find-quick.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{D196AB38-4D1F-45C1-9108-46D367F19F7E}: Domain = W21944.find-quick.com

What to do:
If the domain is not from your ISP or your company's network, fix it with HijackThis.
________________________________________
O18 - Extra protocols and protocol hijackers
Symptoms:
O18 - Protocol: relatedlinks - {5AB65DD4-01FB-44D5-9537-3767AB80F790} - C:\PROGRA~1\COMMON~1\MSIETS\msielink.dll
O18 - Protocol: mctp - {d7b95390-b1c5-11d0-b111-0080c712fe82}
O18 - Protocol hijack: http - {66993893-61B8-47DC-B10D-21E0C86DD9C8}

What to do:
Only a few hijackers show up here. The notorious ones are 'cn' (CommonName), 'ayb' (Lop.com) and 'relatedlinks' (Huntbar); you should fix these items with HijackThis.
Other cases shown are either not yet confirmed to be safe, or have been hijacked by spyware. In the latter case, fix it with HijackThis.
________________________________________
O19 - User style sheet hijack
Symptoms:
O19 - User style sheet: c:\WINDOWS\Java\my.css

What to do:
If this item shows up in the log while the browser has become slow and various messages keep popping up, fix it with HijackThis.
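As an added example (not part of this thread, of HijackThis, or of the SpywareInfo guide), the following Python script applies the fixed rules from the section list and the per-section advice above to sample log lines, sorting each entry into "fix", "review" or "ok". The known-good home page URL and the "random-looking toolbar name" heuristic are assumptions made here; everything a human must look up (BHO list, startup list) is left as "review".

```python
import re

# Constructed sample log excerpt; the entries are ones quoted in the guide above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.google.com/
O1 - Hosts: 216.177.73.139 auto.search.msn.com
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\YCOMP5_0_2_4.DLL
O3 - Toolbar: rzillcgthjx - {5996aaf3-5c08-44a9-ac12-1843fd03df0a} - C:\WINDOWS\APPLICATION DATA\CKSTPRLLNQUL.DLL
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O13 - DefaultPrefix: http://www.pixpox.com/cgi-bin/click.pl?url=
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""
KNOWN_GOOD_URLS = {"http://www.google.com/"}  # assumption: the user's own home page
ALWAYS_FIX = {"F0", "O1", "O7", "O13"}        # sections the guide says are always bad
BAD_WORDS = ("dialer", "casino", "free-plugin")  # O16 tell-tale words from the guide
LINE_RE = re.compile(r"^(?P<sec>[RFNO]\d+) - (?P<body>.*)$")

def looks_random(name: str) -> bool:
    """Heuristic (assumed) for O3 names like 'rzillcgthjx': long, few vowels."""
    letters = re.sub(r"[^a-z]", "", name.lower())
    return len(letters) >= 8 and sum(c in "aeiou" for c in letters) / len(letters) < 0.25

def classify(line: str) -> str:
    """Return 'fix', 'review' or 'ok' for one HijackThis log line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return "review"  # unknown format: leave it to a human
    sec, body = m.group("sec"), m.group("body")
    if sec in ALWAYS_FIX:
        return "fix"  # Hosts redirects, Regedit lock, DefaultPrefix: always fix
    if sec in ("R0", "R1"):  # start/search page: fine only if it is the user's own URL
        return "ok" if body.split("=", 1)[-1] in KNOWN_GOOD_URLS else "review"
    if sec == "O3":  # random-looking toolbar name under 'Application Data' is always bad
        parts = body.split(" - ")
        name, path = parts[0].replace("Toolbar: ", ""), parts[-1]
        return "fix" if looks_random(name) and "APPLICATION DATA" in path.upper() else "review"
    if sec == "O16":  # ActiveX downloads: the guide's tell-tale words mean fix
        return "fix" if any(w in body.lower() for w in BAD_WORDS) else "review"
    return "review"  # everything else needs a lookup (BHO list, startup list, ...)

def triage(log: str) -> dict:
    """Group the section tags of a whole log by verdict."""
    out = {"fix": [], "review": [], "ok": []}
    for line in log.splitlines():
        if line.strip():
            out[classify(line)].append(line.split(" - ", 1)[0])
    return out

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```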