[System] One fix for a hao123 homepage hijack (also asking for a fix for the 2345 homepage hijack)

暗影翔
Posted 2015-5-28 13:32:29
Last edited by 暗影翔 on 2015-5-28 13:46

Yesterday I wanted to watch season 5 of TBBT online. As everyone knows, the well-known video sites can't play it any more, so I searched on Bing and found 美剧天堂, which offers both downloads and online viewing.
After clicking "watch online" it told me my system plugin was out of date. Like an idiot I went ahead and "repaired" the computer: downloaded a setup_a_67801135.exe and installed it. It turned out to be a program called 1905看看, which also parked itself in the taskbar. Still couldn't watch online, so I uninstalled it.
Then I found that both IE and FF opened with the homepage changed to [mw_shl_code=shell,true]http://duan.fx972.com/Public/conf/conf_301page/hkhp1905.html[/mw_shl_code], which immediately redirected to hao123.com.
Not only IE, FF had the problem too; the Tab Mix Plus settings were fine. I set both to show a blank page on startup, and fx972 still popped up on launch and then quickly jumped to hao123.
I searched online for solutions:
1. Some say the shortcuts were modified. No problem here.
2. Some say a lock_hao is hooked under explorer.exe. Searched the handles in the resource manager, no result.

Had to look for it myself:
1. Searched regedit for hao123 and fx972, no results.
2. Checked the startup items with Autoruns, nothing suspicious.
Damn, at that point I was ready to reinstall Windows.
Later, by chance, I noticed a very suspicious 1905sd.dll among the modules associated with explorer.exe, and suddenly remembered that the location of 1905sd.dll was exactly the path where I had just installed that software.

Then I killed the explorer.exe process, deleted the leftover files, searched the registry with regedit for 1905sd.dll and deleted the leftover entries, and the problem was solved. I could finally sleep in peace.

This morning I re-ran the whole process and found that if I start the browser by locating the exe through Task Manager's "New Task", it isn't hijacked. But as long as it is started from a shortcut, it is hijacked, regardless of whether it is an existing shortcut or one I created by hand. I specifically searched the registry for 1905sd with Registry Workshop and found 3 entries:
[mw_shl_code=css,true]Search for: '1905sd.dll'
Found: 3

HKEY_CLASSES_ROOT\CLSID\{D19A21CB-C56B-4B78-A301-1D87B074A5A9}\InprocServer32, , D:\Program Files\KKPlayer\1905SD.dll
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Session Manager\AppCompatCache, AppCompatCache, ee 0f dc ba 00 04 00 00 78 00 00 00 9b 4d 0c 00 17 00 00 00 01 35 00 00 07 00 00 00 00 00 00 00 38 08 00 00 2d 07 00 00 eb 1d 00 00 00 00 00 00 5a 2e 0c 00 f6 1e 00 00 e6 08 00 00 e6 04 00 00 1b 2c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00 19 00 00 00 86 1c 00 00 00 00 00 00 00 00 00 00 86 1c 00 00 19 00 00 00 00 00 00 00 00 00 00 00 b8 52 0a 00 00 00 00 00 58 00 5a 00 66 9f 03 00 30 c7 81 73 20 04 ca 01 07 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 5c 00 5e 00 08 9f 03 00 e0 c0 a0 73 20 04 ca 01 07 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 5a 00 5c 00 ac 9e 03 00 40 93 ba f1 ac 88 cb 01 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 46 00 48 00 64 9e 03 00 70 13 c3 de ac 88 cb 01 07 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 48 00 4a 00 1a 9e 03 00 00 b8 5d 62 96 65 cb 01 07 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 54 00 56 00 c4 9d 03 00 87 08 09 75 e4 98 d0 01 07 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 6c 00 6e 00 56 9d 03 00 00 2c 65 52 db ba cf 01 07 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 90 00 92 00 c4 9c 03 00 00 a0 ec d2 d8 af ca 01 05 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 60 00 62 00 62 9c 03 00 00 34 a6 9d fa 8d d0 01 06 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 5c 00 5e 00 04 9c 03 00 00 f9 cc cb 81 60 d0 01 07 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 4c 00 4e 00 b6 9b 03 00 00 3a 04 b6 6f 38 d0 01 07 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 58 00 5a 00 5c 9b 03 00 00 d6 76 f7 97 8e cf 01 07 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 46 00 48 00 14 9b 03 00 00 d4 0c 22 11 9a cd 01 07 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 7c 00 7e 00 96 9a 03 00 bf 25 41 d7 36 5d d0 01 0f 00 00 00 01 11 00 00 c8 01 00 00 86 d6 01 00 60 00 62 00 34 9a 03 00 00 4e b7 00 3d d6 c6 01 05 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 58 00 5a 00 da 99 03 00 00 bf 68 61 73 15 ce 01 07 00 00 00 00 01 00 00 00 00 
00 00 00 00 00 00 8c 00 8e 00 4c 99 03 00 80 f3 dc 2c dd 41 d0 01 07 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 54 00 56 00 f6 98 03 00 00 3d 9e 4e 7e 5d d0 01 07 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 46 00 48 00 ae 98 03 00 30 a5 1c 69 20 04 ca 01 07 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 74 00 76 00 38 98 03 00 00 fb fd 7f f0 cb c8 01 07 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 46 00 48 00 f0 97 03 00 b0 44 3d 5c ad 88 cb 01 05 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 42 00 44 00 ac 97 03 00 c0 e2 c5 07 ad 88 cb 01 05 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 46 00 48 00 64 97 03 00 30 ef c2 cf 11 e5 ce 01 05 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 46 00 48 00 1c 97 03 00 f0 3c 8f 46 a3 89 ce 01 05 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 48 00 4a 00 d2 96 03 00 50 69 be 7a ad 88 cb 01 05 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 4e 00 50 00 82 96 03 00 00 2c a4 8a 20 04 ca 01 05 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 66 00 68 00 1a 96 03 00 74 42 e4 cf 11 e5 ce 01 07 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 36 00 38 00 e2 95 03 00 f0 33 e0 da ac 88 cb 01 07 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache, AppCompatCache, ee 0f dc ba 00 04 00 00 78 00 00 00 9b 4d 0c 00 17 00 00 00 01 35 00 00 07 00 00 00 00 00 00 00 38 08 00 00 2d 07 00 00 eb 1d 00 00 00 00 00 00 5a 2e 0c 00 f6 1e 00 00 e6 08 00 00 e6 04 00 00 1b 2c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00 19 00 00 00 86 1c 00 00 00 00 00 00 00 00 00 00 86 1c 00 00 19 00 00 00 00 00 00 00 00 00 00 00 b8 52 0a 00 00 00 00 00 58 00 5a 00 66 9f 03 00 30 c7 81 73 20 04 ca 01 07 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 5c 00 5e 00 08 9f 03 00 e0 c0 a0 73 20 04 ca 01 07 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 5a 00 5c 00 ac 9e 03 00 40 93 ba f1 ac 88 cb 01 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 46 00 48 00 64 9e 03 00 70 13 c3 de ac 88 cb 01 07 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 48 00 4a 00 1a 9e 03 00 00 b8 5d 62 96 65 cb 01 07 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 54 00 56 00 c4 9d 03 00 87 08 09 75 e4 98 d0 01 07 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 6c 00 6e 00 56 9d 03 00 00 2c 65 52 db ba cf 01 07 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 90 00 92 00 c4 9c 03 00 00 a0 ec d2 d8 af ca 01 05 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 60 00 62 00 62 9c 03 00 00 34 a6 9d fa 8d d0 01 06 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 5c 00 5e 00 04 9c 03 00 00 f9 cc cb 81 60 d0 01 07 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 4c 00 4e 00 b6 9b 03 00 00 3a 04 b6 6f 38 d0 01 07 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 58 00 5a 00 5c 9b 03 00 00 d6 76 f7 97 8e cf 01 07 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 46 00 48 00 14 9b 03 00 00 d4 0c 22 11 9a cd 01 07 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 7c 00 7e 00 96 9a 03 00 bf 25 41 d7 36 5d d0 01 0f 00 00 00 01 11 00 00 c8 01 00 00 86 d6 01 00 60 00 62 00 34 9a 03 00 00 4e b7 00 3d d6 c6 01 05 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 58 00 5a 00 da 99 03 00 00 bf 68 61 73 15 ce 01 07 00 00 00 00 01 00 00 00 
00 00 00 00 00 00 00 8c 00 8e 00 4c 99 03 00 80 f3 dc 2c dd 41 d0 01 07 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 54 00 56 00 f6 98 03 00 00 3d 9e 4e 7e 5d d0 01 07 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 46 00 48 00 ae 98 03 00 30 a5 1c 69 20 04 ca 01 07 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 74 00 76 00 38 98 03 00 00 fb fd 7f f0 cb c8 01 07 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 46 00 48 00 f0 97 03 00 b0 44 3d 5c ad 88 cb 01 05 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 42 00 44 00 ac 97 03 00 c0 e2 c5 07 ad 88 cb 01 05 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 46 00 48 00 64 97 03 00 30 ef c2 cf 11 e5 ce 01 05 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 46 00 48 00 1c 97 03 00 f0 3c 8f 46 a3 89 ce 01 05 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 48 00 4a 00 d2 96 03 00 50 69 be 7a ad 88 cb 01 05 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 4e 00 50 00 82 96 03 00 00 2c a4 8a 20 04 ca 01 05 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 66 00 68 00 1a 96 03 00 74 42 e4 cf 11 e5 ce 01 07 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 36 00 38 00 e2 95 03 00 f0 33 e0 da ac 88 cb 01 07 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00
[/mw_shl_code]
The last two are binary values; in Registry Workshop you can see the characters the binary corresponds to, but the content is very long and I didn't notice any 1905sd in it. So, to be safe, I only deleted the key that held the string value.
I looked it up online: HKCR\CLSID\ manages applications, and HKLM\...\Session Manager\ manages system sessions.
————————————————————————
I'm sharing this experience to give others an approach for similar problems in the future. I'm not sure which board this belongs in; if a moderator thinks it doesn't fit here, please move it to the appropriate board, thanks.

Also: while Googling for a fix to the hao123 problem I visited a 2345 Union site, after which FF's homepage became 2345, but IE didn't show this; after a few restarts it went back to hao123. During that time I didn't install any software, and no dialog asking to change the homepage popped up. This morning I tried to reproduce it and succeeded once, but during the subsequent hao123 cleanup 2345 didn't appear again, and now, trying to visit 2345 again, it doesn't happen. (Autoruns was downloaded from Microsoft's official site and runs straight after unzipping; all browsing was done with FF, Tab Mix Plus settings fine.)
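An added example, not part of 暗影翔's post: a PowerShell script that does the registry side of the hunt above in one pass once you know the name of the DLL that was sitting inside explorer.exe. It finds every CLSID whose InprocServer32 points at the DLL (the kind of entry the Registry Workshop search turned up), then looks for where that CLSID is wired into Explorer. The list of load points it checks (ShellExecuteHooks, Shell Extensions\Approved, the shellex handler keys under lnkfile, exefile, *, Directory and so on) is this example's own assumption about where such a hijack is registered; the post only shows the CLSID key. The "hijacked from a shortcut but not from Task Manager" behaviour is what a shell extension produces, since Explorer loads it while resolving the .lnk and the DLL supplies the URL at launch time, which is also why a registry search for "hao123" found nothing. One caveat on the search results above: the two AppCompatCache hits are the Shim Cache, a record of executable paths Windows has seen for application-compatibility lookups. It is a forensic artifact, not something anything loads from, so the script leaves it alone. The default DLL name is the post's 1905SD.dll; the script is a dry run unless -Remove is given, and it must run from an elevated PowerShell.

```powershell
# Added example (not from the original post): registry-side hunt for a COM / shell-extension
# hijack once a suspect DLL inside explorer.exe is known.  Run from an elevated PowerShell.
# Dry run by default; -Remove deletes.  Default DLL name is the one the post found.
param(
    [string]$DllName = '1905SD.dll',
    [switch]$Remove
)
$ErrorActionPreference = 'SilentlyContinue'

# 1) Which COM classes name this DLL as their in-process server?  Scan the real hives rather
#    than HKCR (a merged view) so 32-bit registrations on 64-bit Windows are not missed.
$clsidRoots = 'HKLM:\SOFTWARE\Classes\CLSID',
              'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID',
              'HKCU:\SOFTWARE\Classes\CLSID'
$servers = foreach ($root in $clsidRoots) {
    foreach ($key in Get-ChildItem -LiteralPath $root) {
        $inproc = Get-Item -LiteralPath ($key.PSPath + '\InprocServer32')
        if (-not $inproc) { continue }
        $dll = [string]$inproc.GetValue('')          # (Default) value holds the server path
        if ($dll -like "*$DllName*") {
            [pscustomobject]@{ Clsid = $key.PSChildName; ClsidKey = $key.Name; Dll = $dll }
        }
    }
}

# 2) Where is each CLSID wired into Explorer?  The load points below are this example's
#    assumption about the usual shell-extension hooks; a handler on lnkfile or a ShellExecuteHook
#    matches "hijacked only when launched from a shortcut, not when the exe is started directly".
$loadPoints = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks',
              'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved',
              'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers',
              'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
              'HKLM:\SOFTWARE\Classes\*\shellex',
              'HKLM:\SOFTWARE\Classes\lnkfile\shellex',
              'HKLM:\SOFTWARE\Classes\exefile\shellex',
              'HKLM:\SOFTWARE\Classes\Directory\shellex',
              'HKLM:\SOFTWARE\Classes\Folder\shellex',
              'HKLM:\SOFTWARE\Classes\AllFilesystemObjects\shellex',
              'HKCU:\SOFTWARE\Classes\*\shellex'

function Find-ClsidReferences {
    param([string]$Clsid, [string[]]$Roots)
    foreach ($root in $Roots) {
        $keys = @(Get-Item -LiteralPath $root) + @(Get-ChildItem -LiteralPath $root -Recurse)
        foreach ($k in $keys) {
            if ($k.PSChildName -eq $Clsid) {          # subkey named after the CLSID
                [pscustomobject]@{ Clsid = $Clsid; Key = $k.Name; ValueName = $null }
            }
            foreach ($vn in $k.GetValueNames()) {     # value named, or containing, the CLSID
                if ($vn -eq $Clsid -or ([string]$k.GetValue($vn)) -like "*$Clsid*") {
                    [pscustomobject]@{ Clsid = $Clsid; Key = $k.Name; ValueName = $vn }
                }
            }
        }
    }
}

# 3) Report, then remediate only on request.  Explorer has the DLL mapped, so stop it first or the
#    file delete fails.  (If your build auto-restarts the shell, do the delete from Safe Mode.)
$refs = foreach ($s in $servers) { Find-ClsidReferences -Clsid $s.Clsid -Roots $loadPoints }
$servers | Format-Table -AutoSize
$refs    | Format-Table -AutoSize

if ($Remove -and $servers) {
    $rootNames = $loadPoints -replace '^HKLM:', 'HKEY_LOCAL_MACHINE' -replace '^HKCU:', 'HKEY_CURRENT_USER'
    Stop-Process -Name explorer -Force
    Start-Sleep -Seconds 2
    foreach ($r in $refs) {
        if ($r.ValueName) {                            # named value pointing at the CLSID
            Remove-ItemProperty -LiteralPath "Registry::$($r.Key)" -Name $r.ValueName -Force
        } elseif ($rootNames -notcontains $r.Key) {    # handler key itself; never a load-point root
            Remove-Item -LiteralPath "Registry::$($r.Key)" -Recurse -Force
        }
    }
    foreach ($s in $servers) {
        Remove-Item -LiteralPath "Registry::$($s.ClsidKey)" -Recurse -Force   # whole CLSID key
        $file = $s.Dll.Trim('"')
        if (Test-Path -LiteralPath $file) { Remove-Item -LiteralPath $file -Force }
    }
    Start-Process explorer.exe
}
```

Read the two tables before passing -Remove: a legitimate shell extension (an archiver or cloud-sync client) is registered through exactly the same keys, and the only thing that separates it from the hijacker is which DLL the InprocServer32 points at. Deleting the CLSID key and the DLL is what the post did by hand; removing the reference in the load point as well keeps Explorer from logging a failed CoCreateInstance on every shortcut launch afterwards.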


bin0990
Posted 2016-2-17 20:39:08
Hello OP, my computer has been hijacked too, but I can't find the cause. Reading your post there's one thing I don't understand; could you point me in the right direction? Many thanks.

"Noticed a very suspicious 1905sd.dll among the modules associated with explorer.exe": what tool did you use to see that?
nttwqz
Posted 2016-2-18 01:21:00 from mobile
bin0990 posted 2016-2-17 20:39:
Hello OP, my computer has been hijacked too, but I can't find the cause. Reading your post there's one thing I don't understand; could you point me in the right direction? Many thanks.
...

On Win7, run resmon...
chānwàng
Posted 2016-2-18 05:55:36
bin0990 posted 2016-2-17 20:39:
Hello OP, my computer has been hijacked too, but I can't find the cause. Reading your post there's one thing I don't understand; could you point me in the right direction? Many thanks.
...

In PCHunter, right-click a process in the process tab and view its modules. That shows the DLL's path too, and you can unload and delete the DLL from there.
bin0990
Posted 2016-2-24 17:01:17
chānwàng posted 2016-2-18 05:55:
In PCHunter, right-click a process in the process tab and view its modules. That shows the DLL's path too, and you can unload and delete the DLL from there.

Mine is Win10 64-bit; both the 64-bit and 32-bit versions of PCHunter report "failed to load driver".

bin0990
Posted 2016-2-24 17:03:56
nttwqz posted 2016-2-18 01:21:
On Win7, run resmon...

Mine is Win10; after running resmon I can't see any DLL files associated with explorer.exe!

chānwàng
Posted 2016-2-24 18:03:30
bin0990 posted 2016-2-24 17:01:
Mine is Win10 64-bit; both the 64-bit and 32-bit versions of PCHunter report "failed to load driver".

What is your system build number? Try the latest version from www.xuetr.com
ELOHIM
Posted 2016-2-24 20:08:04
bin0990 posted 2016-2-24 17:03:
Mine is Win10; after running resmon I can't see any DLL files associated with explorer.exe!

Did you tick explorer.exe and try again? Still nothing?
nttwqz
Posted 2016-2-24 21:25:34
bin0990 posted 2016-2-24 17:03:
Mine is Win10; after running resmon I can't see any DLL files associated with explorer.exe!

Are you really forcing me to post a screenshot?? You can't even be bothered to click "CPU". I'm not on Win10, but surely Win10 wouldn't have removed this feature?
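An added example, not code from anyone in the thread: the thing resmon and PCHunter are being used for above (seeing which DLLs explorer.exe has loaded), done from PowerShell with no kernel driver, so it works on a Windows 10 64-bit machine where PCHunter's driver will not load. It lists every module mapped into explorer.exe and flags the ones outside %SystemRoot% that do not carry a valid Authenticode signature; a DLL like the first post's D:\Program Files\KKPlayer\1905SD.dll would be flagged. The function name is this example's own.

```powershell
# Added example (not from the thread): list the DLLs mapped into explorer.exe and flag the ones
# worth a second look, without a kernel driver.  Run from an elevated 64-bit PowerShell on 64-bit
# Windows so the 64-bit shell's module list is complete.
function Get-SuspectExplorerModules {
    param([string]$ProcessName = 'explorer')
    $sysRoot = $env:SystemRoot
    foreach ($proc in Get-Process -Name $ProcessName -ErrorAction Stop) {
        foreach ($m in $proc.Modules) {
            $path = $m.FileName
            $inWindows = $path -like "$sysRoot\*"
            # Most OS binaries are catalog-signed, so Get-AuthenticodeSignature reports them as
            # NotSigned; only judge files outside %SystemRoot% by their embedded signature.
            $sig = if ($inWindows) { $null } else { Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue }
            $signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            [pscustomobject]@{
                Pid     = $proc.Id
                Module  = $m.ModuleName
                Path    = $path
                Signed  = if ($inWindows) { 'OS' } elseif ($sig.Status -eq 'Valid') { 'Valid' } else { [string]$sig.Status }
                Signer  = $signer
                Suspect = (-not $inWindows) -and ($sig.Status -ne 'Valid')   # third-party and unsigned/invalid
            }
        }
    }
}

# Suspect entries first: third-party DLLs inside the shell without a valid Authenticode signature.
Get-SuspectExplorerModules |
    Sort-Object -Property @{ Expression = 'Suspect'; Descending = $true }, Path |
    Format-Table Suspect, Module, Signed, Signer, Path -AutoSize
```

If you already know the file name, `tasklist /m 1905sd.dll` answers the narrower question of which processes have that DLL loaded. In Resource Monitor the "Associated Modules" pane is on the CPU tab and only fills in once a process is ticked, which is what the resmon replies above are getting at. A valid signature only tells you who signed the DLL, not whether you want it in your shell; plenty of bundled adware is signed, and plenty of legitimate extensions (archivers, cloud-sync clients) will show up in this list as Valid.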


bin0990
Posted 2016-2-25 19:59:25
ELOHIM posted 2016-2-24 20:08:
Did you tick explorer.exe and try again? Still nothing?

Sorry, sorry, I really don't understand this; thank you for your trouble!
Source: 卡饭论坛 (KaFan.cn), Discuz! X3.4