Friday, January 2, 2015

How to fix a browser homepage hijacked by hao123

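1. If Kuaibo (QVOD player) came preinstalled: Kuaibo - Settings - Options - Other - do not tick "Set the Kuaibo site navigation page as homepage".


2. Check your extensions; a malicious extension may well have locked your homepage.


3. Check the Chrome icon: right-click, Properties - Shortcut - Target. If it looks like "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" www.hao123.com, delete the part after the closing quote.


4. Search the registry for keys and values containing www.hao123.com and delete all of them.


5. If your homepage opens this URL:
http://www.hao123.com/?tn=75021049_1_hao_pg (search the registry for home.cafestv.net/homepage.asp and delete it)


6. Open C:\Windows\System32\drivers\etc,
find the hosts file and open it with WordPad,
check whether it contains any hao123 entries and, if so, delete them,
then paste the following lines into the blank space at the end of the file:
0.0.0.0 www.hao123.com
0.0.0.0 hao123.com
0.0.0.0 www.hao123.hu
0.0.0.0 hao123.hu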




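A common cause: downloading and installing software such as RealOne from sites like Tiankong (天空) and accidentally ticking options such as "set hao123 as the navigation page".

Right-click the shortcut to locate chrome.exe, then rename chrome.exe to something else, for example chromeFuckHao123.exe, and that is enough. hao123 behaves like a virus: it looks for chrome.exe and then injects into the process.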

7. Check whether the following registry values look normal:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
  The values above show up under the "Startup" tab of msconfig.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
  The values above are harder to spot.
  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
  "Shell"="EXPLORER.EXE,*.exe"
Here *.exe stands for an unfamiliar program, and it is quite likely the thing locking the homepage.
There are also the following keys, which are the ones viruses usually visit; whatever is locking the homepage may well use them too:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\load

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Setup

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx



8. Copy the following and save it as a .vbs file; running it can fix the problem. In addition, there is a file with the prep.js suffix on the C: drive; delete it

' Delete hao123's registry info
' Tested on the Win7 Ultimate platform
' Code by coo_boi
Const HKUS = &H80000003 ' HKEY_USERS
Const HKLM = &H80000002 ' HKEY_LOCAL_MACHINE
Const HKCU = &H80000001 ' HKEY_CURRENT_USER
Set objStdRegProv = GetObject("winmgmts:{impersonationlevel=impersonate}!\\.\root\default:StdRegProv")

' Entries that allow ads on hao123.com, how shameless!
' The SID in the two HKUS lines is the script author's own account;
' replace it with yours (shown by "whoami /user") or those two calls find nothing.
objStdRegProv.DeleteValue HKUS, "S-1-5-21-3779709853-619144274-2004743327-1000\Software\AppDataLow\Software\baidu\BaiduToolbar\NoAD\Page_Allow", "30"
objStdRegProv.DeleteValue HKUS, "S-1-5-21-3779709853-619144274-2004743327-1000\Software\Baidu\BaiduBrowser\UserData\0A73B7929C9546628F097CEEACA6E07977007700\ClosedItemRegister", "e615108c1a9cc44184e09b512f3669f9"
objStdRegProv.DeleteValue HKCU, "Software\AppDataLow\Software\baidu\BaiduToolbar\NoAD\Page_Allow", "30"

' Remove the values under the Hao123 key first, then the key itself
objStdRegProv.DeleteValue HKCU, "Software\DBank\Hao123", "date"
objStdRegProv.DeleteValue HKCU, "Software\DBank\Hao123", "from"
objStdRegProv.DeleteValue HKCU, "Software\DBank\Hao123", "ip"
objStdRegProv.DeleteValue HKCU, "Software\DBank\Hao123", "SetSuccess"
objStdRegProv.DeleteKey HKCU, "Software\DBank\Hao123"
objStdRegProv.DeleteKey HKCU, "Software\Microsoft\Internet Explorer\DOMStorage\hao123.com"
objStdRegProv.DeleteValue HKCU, "Software\Microsoft\Windows\CurrentVersion\Applets\Regedit\Favorites", "Hao123"
objStdRegProv.DeleteValue HKCU, "Software\Microsoft\Windows\CurrentVersion\Applets\Regedit\Favorites", "hao123.com"

' Reset the Internet Explorer default and start pages to about:blank
objStdRegProv.SetStringValue HKLM, "SOFTWARE\Microsoft\Internet Explorer\MAIN", "Default_Page_URL", "about:blank"
objStdRegProv.SetStringValue HKLM, "SOFTWARE\Microsoft\Internet Explorer\MAIN", "Start Page", "about:blank"
objStdRegProv.SetStringValue HKCU, "SOFTWARE\Microsoft\Internet Explorer\MAIN", "Default_Page_URL", "about:blank"
objStdRegProv.SetStringValue HKCU, "SOFTWARE\Microsoft\Internet Explorer\MAIN", "Start Page", "about:blank"
WScript.Echo "Deleted hao123.info from PC!"
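
A read-only way to run the checks from steps 3 and 7 before deleting anything, as an added PowerShell example that is not part of the original post: it lists shortcuts with a URL appended to the target, every autostart value in the Run keys named above, and non-default Winlogon Shell/Userinit values. The function name Get-HomepageHijackAudit, the folder list and the URL pattern are assumptions, and PowerShell 3.0 or later is assumed.

```powershell
# Added example: read-only audit for steps 3 and 7. Nothing is changed or deleted.
# Assumptions: PowerShell 3.0+; the folder list and URL pattern are illustrative.
function Get-HomepageHijackAudit {
    $urlPattern = 'hao123|https?://|www\.'

    # Step 3: shortcuts whose Target has a URL appended after the .exe path.
    $wsh = New-Object -ComObject WScript.Shell
    "$env:USERPROFILE\Desktop", "$env:PUBLIC\Desktop",
    "$env:APPDATA\Microsoft\Windows\Start Menu",
    "$env:ProgramData\Microsoft\Windows\Start Menu",
    "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch" |
        Where-Object { Test-Path $_ } |
        Get-ChildItem -Filter *.lnk -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $lnk = $wsh.CreateShortcut($_.FullName)
            if ($lnk.Arguments -match $urlPattern) {
                [pscustomobject]@{ Check = 'Shortcut'; Location = $_.FullName
                                   Value = "$($lnk.TargetPath) $($lnk.Arguments)" }
            }
        }

    # Step 7: list every autostart value so unfamiliar programs can be reviewed.
    $cv = 'Software\Microsoft\Windows\CurrentVersion'
    foreach ($hive in 'HKCU:', 'HKLM:') {
        foreach ($sub in 'Run', 'RunOnce', 'RunOnce\Setup', 'RunOnceEx', 'RunServices',
                         'RunServicesOnce', 'Policies\Explorer\Run') {
            $key = Get-Item -Path "$hive\$cv\$sub" -ErrorAction SilentlyContinue
            if (-not $key) { continue }
            foreach ($name in $key.GetValueNames()) {
                [pscustomobject]@{ Check = 'Autostart'; Location = "$($key.Name)\$name"
                                   Value = $key.GetValue($name) }
            }
        }
    }

    # Step 7: Winlogon Shell and Userinit should hold only the Windows defaults.
    $wlPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $wl = Get-ItemProperty -Path $wlPath
    $userinit = '^\s*' + [regex]::Escape("$env:SystemRoot\system32\userinit.exe") + ',?\s*$'
    if ($wl.Shell -notmatch '^\s*explorer\.exe\s*$') {
        [pscustomobject]@{ Check = 'Winlogon'; Location = "$wlPath\Shell"; Value = $wl.Shell }
    }
    if ($wl.Userinit -notmatch $userinit) {
        [pscustomobject]@{ Check = 'Winlogon'; Location = "$wlPath\Userinit"; Value = $wl.Userinit }
    }
}

Get-HomepageHijackAudit | Format-List
```

On 64-bit Windows, run it from a 64-bit PowerShell prompt so the HKLM\Software paths are not redirected to Wow6432Node.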




