360主页急救箱单品发布，助您轻松解决主页问题

桑德尔

245867683 发表于 2018-4-26 23:22
不错不错，公司电脑是eset，总是报病毒，但杀不到。冒着违规的风险下了360急救箱，几分钟就搞定了，然 ...

本来ESET的带毒清毒能力就是出了名的差

pal家族

桑德尔 发表于 2018-4-28 14:43
这位是……火绒的……官人？

火绒论坛的大水笔

wowocock

www-tekeze 发表于 2018-4-28 13:55
感谢！ 已加。。

急救箱检测不到问题的话，基本ROOTKIT和BOOTKIT的可能性就不大了，让同事远程看了下，貌似是注册表的设置问题。下载GHOUST装系统后，也能再现这个问题。可能和注册表的加密配置有关，删除相关键后就可以了。
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\EUPP]
"BackupHomePage"=hex:01,00,00,00,1a,00,00,00,c0,a3,a1,f1,eb,c7,74,76,00,7f,73,4f,\
  62,61,21,ff,b7,c4,20,bc,5c,f3,30,61,73,8c,02,00,00,00,00,01,\
  00,00,fd,c8,0a,09,46,89,59,38,66,59,ca,69,4f,ab,f2,e2,68,86,\
  de,2c,60,0f,7e,52,1b,b8,16,e8,48,c9,cd,03,0c,d5,c6,02,3e,c8,\
  b3,fb,f5,60,48,2e,9e,45,fa,89,03,b9,0e,ca,81,80,ea,11,ad,65,\
  c0,94,10,62,14,21,4f,e0,d4,43,ea,51,fc,20,1b,8d,cc,f0,b6,7b,\
  90,78,ad,2c,b7,2d,41,4e,f0,cc,a1,65,15,d1,6c,98,fd,e8,95,e9,\
  76,e4,68,cf,60,e9,a4,e1,07,c0,13,af,13,66,eb,ee,8b,f4,09,39,\
  a3,e4,2b,07,4a,60,b2,c2,46,f4,b7,12,c8,7c,3a,ea,2f,99,42,82,\
  66,ad,6d,d3,e6,23,89,96,37,a4,c0,49,77,0f,58,f6,a7,ae,c2,d0,\
  73,57,ee,46,5a,63,7a,f4,e3,5b,93,62,19,0b,9b,64,32,a7,4c,0a,\
  4f,c9,ef,40,f2,c1,b5,9e,89,e7,bc,a7,c2,02,3a,a2,c3,7d,97,fe,\
  ee,3b,44,cd,0e,18,b0,fe,1b,77,c2,57,1d,8a,a9,62,96,c1,b2,68,\
  07,7e,6c,63,05,0b,b8,a2,f0,93,4f,1b,d5,5f,52,fd,4a,45,6b,3d,\
  be,67,c3,6d,d3,b4,0c,8d,80,bb,24,41,30,be,31,02,e4,66,03,00,\
  00,00,14,00,00,00,3d,ff,37,0a,f3,d8,83,7c,60,41,d2,c9,a2,86,\
  8e,5a,63,f4,dd,c2
"ChangeNotice"=dword:00000002
"RId"="{F9B504D2-1571-406E-BD83-CA51E076D14F}"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\EUPP\DSP]
"BackupDefaultSearchScope"=hex:00,00,00,00,2c,08,00,00,2d,54,45,b1,3d,96,39,53,05,cc,15,15,\
  d4,36,2f,ef,6f,d3,f2,7c,c0,69,77,cf,83,61,60,bb,3a,46,5d,8d,\
  61,34,a8,51,f4,96,9c,24,18,eb,96,95,69,79,6f,63,1e,2b,4d,c2,\
  ea,00,a9,92,45,bd,c5,49,6c,d3,9d,94,92,ac,60,6b,e3,cb,81,67,\
  3e,6b,83,bd,cf,98,8b,38,be,ec,84,e7,7e,5c,a9,75,b0,c9,35,cc,\
  4a,4d,2e,16,e5,5e,4a,26,14,56,83,6b,f3,ec,09,41,5e,b5,2f,74,\
  16,b7,a0,87,6f,9d,ba,bb,0c,27,ee,41,30,d4,ba,bb,a3,e9,61,8e,\
  72,55,f0,e9,c0,0e,40,66,99,ee,f4,f1,c0,2a,8e,fe,89,e2,10,6e,\
  4c,76,c0,25,74,88,8c,48,d6,ed,d4,b6,a4,e9,3d,90,d7,71,ce,5e,\
  3e,65,1c,58,39,e7,b8,9d,9b,4d,c0,d1,8e,55,a0,13,5b,89,92,b0,\
  b0,0a,a2,72,db,32,2a,e2,c9,b5,34,b4,f2,38,19,da,43,8c,64,63,\
  5d,fd,fe,29,43,66,ce,7a,2c,f7,31,ff,c0,e0,f4,9a,00,51,36,61,\
  11,7b,7c,c2,76,89,d4,c3,eb,ba,80,4d,0b,12,43,cd,66,48,9f,5c,\
  79,f2,c0,11,69,0f,a0,e2,7d,64,a6,0a,5e,61,58,40,94,77,e3,dc,\
  29,12,fb,39,74,ac,65,8b,f9,9a,ba,24,55,9a,ab,1f,25,37,54,41,\
  ea,8c,42,25,1e,08,1b,dc,39,21,42,9a,ca,32,b6,4d,a5,ea,25,60,\
  1a,fe,c9,86,ef,0f,a7,12,13,f8,08,e6,7f,ea,ff,5b,e7,10,f9,e5,\
  97,a8,6e,1d,74,bc,10,fc,e9,ee,18,79,68,13,b0,73,ef,71,46,af,\
  57,f2,15,c1,3c,9c,d6,2a,a2,19,53,07,03,2d,82,02,04,4e,88,8f,\
  35,d7,3f,89,c3,78,32,1b,fb,e0,fc,8c,79,c5,d0,97,a1,c3,01,9c,\
  86,c3,1a,11,cc,ce,12,07,80,89,fa,49,77,c5,88,6d,07,cf,49,fe,\
  f2,7c,d1,de,d3,10,7a,ab,8b,7f,19,56,7f,af,1a,d6,17,ad,09,74,\
  21,0e,1e,11,d5,d7,f5,22,62,b7,ee,11,98,65,31,0d,b2,75,36,f0,\
  64,f1,22,f4,56,7b,85,12,6e,e9,8c,61,cc,7b,15,b3,c3,2f,1f,06,\
  d0,cf,06,f0,c3,bb,7d,1d,ab,93,8d,d5,11,37,0c,b5,00,c8,65,69,\
  fa,a1,50,c7,62,72,18,ad,1d,ec,51,70,28,b9,7f,1f,d1,9e,57,e8,\
  c4,0a,96,99,d2,72,50,79,ea,36,e2,6b,71,f7,c7,5b,f5,91,87,8f,\
  66,2e,26,93,4c,14,5d,5d,f7,2e,6e,26,dc,7a,81,31,57,c3,74,0b,\
  87,65,ba,b7,b8,09,da,45,88,79,1b,ea,63,15,62,b3,df,7f,82,07,\
  b9,8b,be,45,1c,83,7a,bf,2b,48,38,c0,be,f5,31,1f,43,f9,70,9d,\
  51,cb,8e,ca,d0,c0,06,a9,53,9c,97,8c,be,d5,d2,13,15,c5,63,97,\
  bb,22,98,62,66,87,9c,e4,c7,e5,7d,ba,db,25,5e,cb,f6,51,d6,b5,\
  d5,09,e4,ed,bd,2c,44,34,62,e0,79,da,af,71,ea,6e,43,b9,4c,04,\
  57,ef,c8,57,51,29,67,b2,5f,e7,69,ac,d6,68,14,4f,a8,b0,ff,6b,\
  08,74,61,97,57,56,31,9e,36,2c,05,8e,dd,35,e5,81,dd,75,9a,9e,\
  5a,a2,96,5e,38,58,c3,a0,c4,81,2d,b6,7c,21,f3,85,1b,ef,ce,c7,\
  1b,80,7f,13,2e,d9,9f,56,8a,aa,af,c9,95,a1,37,69,9e,78,b0,49,\
  92,bf,fc,31,6c,87,bf,49,c0,5d,e8,07,da,55,83,1b,bc,f9,84,98,\
  2e,69,4f,d1,dd,06,de,40,fc,6a,9a,ef,86,8a,4c,d4,96,45,f9,4c,\
  99,c0,f5,3e,bd,4b,81,b5,21,b7,a3,0d,a4,50,71,99,e7,f0,fb,9c,\
  37,cd,b1,47,dc,02,7c,f7,b0,fd,d2,20,30,39,95,de,98,02,5a,0e,\
  96,31,5c,af,40,01,33,b9,20,7f,80,27,d6,40,8b,f7,6b,48,30,ac,\
  87,4e,3e,7a,e9,e6,3c,06,6b,1b,81,19,09,89,91,aa,d9,1a,bc,7b,\
  79,d3,3b,87,fb,65,24,8b,77,7a,cf,e9,e3,d8,bd,b4,86,e8,85,ec,\
  7a,34,69,52,ab,dd,2e,34,aa,3c,5a,6b,ea,0b,23,ad,56,db,a5,73,\
  60,b9,af,80,e8,3b,43,ea,21,60,82,9f,03,ee,74,7e,18,4f,e0,24,\
  14,08,6f,72,c7,49,3c,7d,9e,41,89,1c,0a,25,b4,e5,e5,17,33,98,\
  0c,6c,53,10,e3,e9,d6,8d,c4,fd,2d,6a,e6,1c,f8,87,1f,ac,0e,c3,\
  a5,39,df,0c,4b,de,b6,c9,3a,0c,2d,d8,cf,2d,12,6c,d2,c5,fb,83,\
  f5,09,09,4a,50,1a,8e,ef,53,54,d2,75,0c,62,95,19,17,04,53,83,\
  36,ba,22,24,95,c3,ea,cf,84,22,2d,71,5a,92,34,72,eb,a0,4a,0a,\
  8b,60,5e,4a,fd,5b,15,aa,40,b7,89,44,10,c1,ec,af,79,4f,21,3c,\
  5c,a1,a4,7e,f7,b7,a4,d5,62,50,40,ae,82,f2,9f,9a,fb,c6,28,08,\
  7c,17,71,28,47,c1,08,4b,b9,ef,94,e8,72,e0,e4,07,4c,9a,02,61,\
  5b,c8,d8,1b,9b,29,13,9b,bb,42,8d,c2,2a,44,e7,04,89,59,24,dd,\
  f6,c4,28,de,70,80,ce,c4,d1,59,47,79,ff,a9,35,79,39,25,c0,da,\
  b4,6e,db,21,29,5e,40,18,88,2b,ad,67,67,ef,92,e0,e6,21,8e,05,\
  4d,16,c7,4b,06,94,f6,e1,25,06,e1,1b,08,ec,5b,a9,33,85,d9,80,\
  ae,d6,eb,9d,08,8e,75,b1,dd,63,b4,fd,c5,ef,5c,f0,87,27,fc,02,\
  92,eb,81,75,1e,5b,8c,a8,1f,d9,59,83,e6,fa,f4,0b,c5,c2,55,94,\
  b4,e6,26,1b,7c,06,7f,58,71,04,7f,4c,ee,f6,07,cc,99,5a,85,e0,\
  5f,7a,05,a6,d8,37,a7,cc,b8,ab,54,33,ad,4a,7e,74,d2,79,94,0f,\
  e1,c9,13,af,18,46,b4,90,07,8b,9b,33,50,88,e8,97,aa,2d,3d,d2,\
  43,6a,99,c5,09,30,4f,41,27,6a,b0,cd,be,17,9c,e9,5b,fb,9f,d8,\
  76,8d,99,69,01,23,aa,e7,0c,7c,0b,b8,1f,1d,66,91,70,36,34,65,\
  eb,f7,cb,d5,32,8f,0f,68,61,35,c5,c2,a0,ff,7c,01,2e,6b,45,90,\
  27,c4,d2,2e,b7,e5,71,b1,51,fd,20,0b,2c,42,80,25,94,cf,7e,b3,\
  8d,13,8e,28,38,83,b3,12,e3,80,be,4c,5e,a5,01,ed,4e,e3,eb,37,\
  e7,25,2d,4f,a0,69,af,79,43,79,15,6c,ad,b7,31,a6,56,b8,60,44,\
  de,82,ec,c4,77,bf,47,3c,41,35,84,97,85,4f,c0,f7,06,8e,53,1a,\
  0d,2b,bf,de,62,40,9f,ed,94,3d,54,c9,e2,91,74,82,23,b2,4c,09,\
  f5,fc,62,62,88,18,c3,42,95,cf,a4,7c,8c,86,cd,1c,51,ce,86,69,\
  0e,b4,09,77,b4,cd,69,bb,86,1d,07,8e,9c,58,aa,52,66,24,da,be,\
  1b,4e,86,b5,30,2b,a0,ae,93,80,da,35,6e,bc,7e,e8,d0,56,b8,e9,\
  b5,a2,29,89,49,6a,f5,ab,52,10,3b,34,7b,2a,7a,b8,dc,b8,2c,d0,\
  c2,78,34,5e,d6,f4,52,ab,97,4c,b1,35,a9,e0,43,01,1a,50,a6,e2,\
  12,7d,fc,a2,e9,82,b7,65,64,cf,20,41,15,d5,3e,79,23,fe,55,89,\
  db,cf,3a,ab,d9,77,23,9c,81,2b,6e,9e,e6,0b,dc,48,2c,78,d7,6f,\
  e0,0e,67,a1,17,b7,4f,88,67,79,6b,d6,d2,ff,88,44,b3,07,12,88,\
  6b,1c,be,ff,df,5a,2d,c0,f7,2a,ec,07,81,16,c5,60,35,3e,9f,2c,\
  c2,04,69,d4,f8,fc,32,c3,12,30,ba,ef,04,41,72,43,b6,0a,7a,28,\
  4e,ba,3b,5f,2c,88,3d,3e,a3,89,99,2e,30,41,48,25,a3,e6,ab,55,\
  0b,92,cb,00,f1,bb,c4,a8,60,bc,c4,5e,da,46,1a,fa,c2,02,e8,54,\
  fd,ba,bd,4f,88,ce,82,4e,b1,dd,2e,13,24,cd,18,82,b2,aa,66,b3,\
  4a,0e,f8,4c,51,f0,ac,cc,55,26,35,ba,46,f0,97,6d,ec,4d,f8,4b,\
  97,01,8d,42,7c,81,67,fe,6a,2f,e4,b3,04,a1,54,3f,be,d6,f9,2d,\
  89,92,07,af,28,4b,98,fb,71,5d,5f,2e,b7,72,b6,72,78,4e,72,73,\
  1f,68,60,a6,3e,15,16,52,2b,1a,6a,97,9f,e7,80,5c,83,ea,a3,c2,\
  81,9d,b7,d2,9e,50,1f,63,77,d4,4d,9e,f5,76,21,5e,d7,0a,92,ec,\
  af,da,19,34,38,c6,39,21,f4,ef,c0,f7,f8,af,8a,a3,9e,bb,95,bd,\
  82,b2,2c,d0,a0,79,2c,03,a6,20,3e,48,24,38,5c,46,b2,cd,ea,71,\
  e6,79,0b,9f,1f,32,27,6a,94,d3,8a,9c,b0,8a,14,55,2a,92,37,dd,\
  83,f7,f4,0d,9b,52,12,50,59,9e,e8,45,27,a8,64,44,8e,c5,1f,31,\
  5e,b9,63,e6,d8,fb,cc,69,fa,df,97,70,7c,30,4a,ff,15,4a,e2,1b,\
  91,d7,f7,17,10,9c,ab,f8,93,0a,36,38,7e,8b,e0,71,d5,a5,4f,c1,\
  fb,81,9b,ec,20,69,6e,b2,c0,3e,83,85,90,19,be,73,aa,74,0f,ad,\
  48,a0,f9,f5,74,6a,d7,02,a3,28,fc,9e,73,99,d8,e4,40,43,63,5a,\
  01,50,21,22,08,05,6e,14,cb,52,98,d5,dc,26,9f,28,73,76,c4,10,\
  1e,24,9d,77,20,45,85,5f,a3,5e,a8,a3,cd,9e,7a,aa,fc,39,a2,90,\
  4e,55,72,5b,ea,3e,dd,fd,45,cf,3f,5f,3c,39,d6,2e,c9,a6,5b,33,\
  c4,5a,50,9e,e7,4a,a7,3d,56,57,5d,9e,51,9d,0e,e2,56,87,47,3e,\
  0c,95,8a,66,26,07,36,d6,98,dc,bb,b0,da,d7,6d,b7,7d,73,93,73,\
  f8,fd,62,dc,9d,49,4d,60,be,a0,26,95,57,e8,13,8d,50,2e,cc,09,\
  5f,08,5c,a1,61,76,05,c3,e4,38,3a,3b,72,cd,aa,32,fd,7b,7a,fd,\
  e0,2b,2e,e1,54,e8,0e,2e,67,4e,72,d3,f7,48,9d,91,4a,d5,39,1b,\
  01,00,00,00,00,01,00,00,d1,42,77,05,26,05,a3,9b,ec,a4,4c,f8,\
  92,ab,1e,7b,d6,59,83,9c,a9,46,56,f2,29,c4,f6,5c,f3,ef,8d,d5,\
  2c,17,8d,ea,4a,5c,78,70,c2,48,fc,b3,f3,0e,66,e1,86,0b,5b,81,\
  90,98,13,0d,00,76,74,c5,42,3c,da,24,7b,ce,22,e1,e0,bf,ed,e2,\
  ee,46,25,70,c5,24,a1,6e,e3,c1,a4,9d,a5,72,2a,bd,8e,e9,b3,c0,\
  dd,cd,d9,e8,25,97,e6,3b,9e,39,4d,ac,dc,c0,dd,55,99,b6,9f,98,\
  ff,b9,2f,57,21,10,7f,ae,b2,2b,6b,c4,2a,f5,1a,96,56,84,dc,37,\
  0b,0f,37,08,dc,85,4e,3c,53,be,60,16,9f,29,78,25,1b,82,10,d7,\
  11,6c,19,e9,92,ea,53,c7,46,27,13,b2,57,de,06,ec,89,4e,ac,96,\
  b5,89,6f,47,8b,b9,76,09,58,36,c2,8b,8b,d3,f8,10,3e,c4,97,ad,\
  12,35,10,6d,21,71,40,41,2b,55,84,1a,74,d4,58,a3,fb,92,70,98,\
  a4,9f,3e,5c,29,e9,37,9d,21,5a,df,58,d7,62,67,0c,c4,c2,f5,d4,\
  29,d7,34,3a,69,cf,54,73,75,d4,bd,9b,c6,8b,b5,61,86,cd,f4,a9,\
  62,14,48,2c,02,00,00,00,14,00,00,00,3d,ff,37,0a,f3,d8,83,7c,\
  60,41,d2,c9,a2,86,8e,5a,63,f4,dd,c2
"ChangeNotice"=dword:00000002

www-tekeze

pal家族 发表于 2018-4-28 14:21
你终究还是来了

呵呵，pal大？ 头像换了？ 看来你也逛火绒论坛，以后多照顾哈！

www-tekeze

桑德尔 发表于 2018-4-28 14:43
这位是……火绒的……官人？

火绒坛子的水王，唯一的不灭之火。。

www-tekeze

pal家族 发表于 2018-4-28 14:52
火绒论坛的大水笔

哈哈哈。。。不会是专业挑刺儿吧。。

www-tekeze

wowocock 发表于 2018-4-28 17:38
急救箱检测不到问题的话，基本ROOTKIT和BOOTKIT的可能性就不大了，让同事远程看了下，貌似是注册表的设置 ...

感谢！花了三个半小时，辛苦了。。。现在还在上传系统镜像，这速度实在太慢。。。

百度BackupHomePage都没消息，这个键值通常没有的吧？怎么会被利用了，注册表里的0day？

www-tekeze

wowocock 发表于 2018-4-28 17:38
急救箱检测不到问题的话，基本ROOTKIT和BOOTKIT的可能性就不大了，让同事远程看了下，貌似是注册表的设置 ...

您给的路径不对吧？ 是这个，看图。。     补充：我搞错了，应该是HCU主键下也有。

245867683

辛巴影子卫士 发表于 2018-4-27 21:12
为什么不让装360和腾讯？

我也不知道，公司规定是这样的，难道是我们公司某些部门在研究控制芯片

www-tekeze

www-tekeze 发表于 2018-4-28 21:15
您给的路径不对吧？ 是这个，看图。。     补充：我搞错了，应该是HCU主键下也有。

进PE用Ghost还原系统，删除自建的First Home Page，同时用火绒加了两条注册表规则，IE主程序iexplore.exe会读取\HKEY_USERS\......主项下的BackupHomePage，但不会读取HKEY_CURRENT_USER项下的。 原因应该是“HKEY_CURRENT_USER”需要使用“HKEY_USERS\>”进行替换，因为这个才是当前用户注册表的真实路径，应该是这样吧？      补充：刚试，如果点阻止，打开的就是自己设定的主页，不会发生劫持！


操作类型：读取
操作注册表：HKEY_USERS\S-1-5-21-1570832261-1929120174-2727846889-500\Software\Microsoft\Internet Explorer\EUPP\BackupHomePage
用户操作：已允许

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

【3】2018-04-28 22:24:58,系统防御,自定义防护,iexplore.exe触犯自定义注册表防护规则, 已允许

操作者：C:\Program Files\internet explorer\iexplore.exe
命令行："C:\Program Files\internet explorer\iexplore.exe"
触犯规则：Group1
操作类型：读取
操作注册表：HKEY_USERS\S-1-5-21-1570832261-1929120174-2727846889-500\Software\Microsoft\Internet Explorer\EUPP\BackupHomePage
用户操作：已允许

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

【4】2018-04-28 22:24:57,系统防御,自定义防护,iexplore.exe触犯自定义注册表防护规则, 已允许

操作者：C:\Program Files\internet explorer\iexplore.exe
命令行："C:\Program Files\internet explorer\iexplore.exe"
触犯规则：Group1
操作类型：读取
操作注册表：HKEY_USERS\S-1-5-21-1570832261-1929120174-2727846889-500\Software\Microsoft\Internet Explorer\EUPP\BackupHomePage
用户操作：已允许

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

【5】2018-04-28 22:24:57,系统防御,自定义防护,iexplore.exe触犯自定义注册表防护规则, 已允许

操作者：C:\Program Files\internet explorer\iexplore.exe
命令行："C:\Program Files\internet explorer\iexplore.exe"
触犯规则：Group1
操作类型：读取
操作注册表：HKEY_USERS\S-1-5-21-1570832261-1929120174-2727846889-500\Software\Microsoft\Internet Explorer\EUPP\BackupHomePage
用户操作：已允许

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

【6】2018-04-28 22:24:56,系统防御,自定义防护,iexplore.exe触犯自定义注册表防护规则, 已允许

操作者：C:\Program Files\internet explorer\iexplore.exe
命令行："C:\Program Files\internet explorer\iexplore.exe"
触犯规则：Group1
操作类型：读取
操作注册表：HKEY_USERS\S-1-5-21-1570832261-1929120174-2727846889-500\Software\Microsoft\Internet Explorer\EUPP\BackupHomePage
用户操作：已允许

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>