Declaration:

Viruses and malware found in the wild mutate constantly and may use several different infection methods, so the removal steps in this post are only guaranteed to apply to this particular sample. If you make a mistake while following them, you do so at your own risk. If you need help, search for the public account "我在全球村" (Myglobalvillage) on WeChat, follow it and leave me the message "加好友" (add friend) to get my WeChat ID, or follow me on Zhihu (苹果福利社) and send me a private message.

Symptoms:

In the past few days two readers added me on WeChat because their Macs were infected with malware that hijacked the browser, and they asked for help removing it. The symptom was roughly this: when searching with Google, the search went through "Gsearch" instead, so the search engine had clearly been modified and hijacked. I asked them for some basic files and browser information, sent them a script to fix the problem, and they reported back that after running it the problem was resolved. I am publishing the suspicious files and paths involved here for readers who have the same problem.

Analysis:

Based on the information the users provided, I collected the following:

From analysing the files above and the time at which the problem first appeared, my initial suspicion fell on the following paths and the programs associated with them:

There are some others, for example:

~/Library/LaunchAgents/com.SearchUp.plist
/Library/LaunchDaemons/com.TimeTestDaemon.plist
~/Library/Application\ Support/com.SearchUp
...... you will need to look for these yourself; the paths are not necessarily identical.


If you find that any of the files above were created around the time the problem first appeared, remove them from the Terminal.

Remediation:

Remove the configuration files under the paths above, if present. Check whether any other related configuration files remain, kill the associated process, then restart the machine.

In practice these files have a negligible effect on the Mac system itself; even if you delete something by mistake, it can be reinstalled later if needed, so removing them will not affect the normal operation of the system.

Once all suspicious files have been removed, it is best to reset the browser, or at least clear its previously saved state data.

Restart and check whether everything is back to normal.
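As an added example (not the author's script), here is a small Python 3 triage helper for the steps above: it scans the LaunchAgents and LaunchDaemons folders the post names for .plist files modified within the last N days and shows which program each one starts, so the rogue entries can be identified before anything is unloaded or deleted. The labels and paths in demo() are constructed for a dry run on any OS and are not real indicators.

```python
import os
import plistlib
import tempfile
import time
from pathlib import Path

LAUNCHD_DIRS = [Path.home() / "Library/LaunchAgents",  # locations the post names
                Path("/Library/LaunchAgents"), Path("/Library/LaunchDaemons")]

def describe_plist(path):
    """Label, the program launchd would start, and whether it still exists on disk."""
    with open(path, "rb") as fh:
        data = plistlib.load(fh)
    args = data.get("ProgramArguments") or []
    program = data.get("Program") or (args[0] if args else "")
    return {"path": str(path), "label": data.get("Label", "<no Label>"), "program": program,
            "program_exists": bool(program) and os.path.exists(program),
            "mtime": path.stat().st_mtime}

def recent_launchd_items(dirs, max_age_days):
    """Plists modified within max_age_days, newest first; unreadable files are skipped."""
    cutoff = time.time() - max_age_days * 86400
    found = []
    for p in (p for d in dirs if d.is_dir() for p in d.glob("*.plist")):
        try:
            item = describe_plist(p)
        except (OSError, plistlib.InvalidFileException, AttributeError):
            continue  # not readable or not a dictionary-shaped plist
        if item["mtime"] >= cutoff:
            found.append(item)
    return sorted(found, key=lambda i: i["mtime"], reverse=True)

def demo(max_age_days=7):
    """Constructed samples (not real infected files): a day-old entry pointing into
    Application Support is reported, a 200-day-old vendor agent is not."""
    with tempfile.TemporaryDirectory() as tmp:
        samples = [("com.example.SearchUpSample", f"{tmp}/Application Support/agent", 1),
                   ("com.example.OldVendorAgent", "/usr/bin/true", 200)]
        for label, program, age_days in samples:
            p = Path(tmp) / f"{label}.plist"
            with open(p, "wb") as fh:
                plistlib.dump({"Label": label, "ProgramArguments": [program],
                               "RunAtLoad": True}, fh)
            os.utime(p, (time.time() - age_days * 86400,) * 2)
        return recent_launchd_items([Path(tmp)], max_age_days)

if __name__ == "__main__":
    for i in recent_launchd_items(LAUNCHD_DIRS, 14):  # review by hand before removing
        note = "" if i["program_exists"] else "  [program missing on disk]"
        print(f'{i["label"]}  {i["program"]}{note}\n    {i["path"]}')
```

An entry whose program no longer exists on disk is usually a leftover from a partial clean-up and can be removed along with the others.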

After I helped them remove it, they were all very grateful, which genuinely made me happy!

Advice:

1. On a Mac, update and download software through the App Store whenever possible. If a browser suddenly pops up a message saying your computer has a problem or some software needs updating, do not click it!!!!

2. In the security settings of System Preferences, choose the option that allows only verified software to be installed!!!

Appendix:

Sample download, for those who like to study such things:

Mac security analysis: malicious configuration file com.SearchUp sample - system security documents - CSDN download

If you are not a professional, do not run it!

If you found this post helpful, please give it a like or leave a comment!

posted on 2022-07-05 18:11 by 我在全球村