Foreword:
Recently, because of the epidemic, I have been staying at home, and next week I will be confined for a whole month. Fortunately the surroundings are open, so I can walk around, and there are netizens asking for help, so it is not boring at all! A few days ago I helped a few more netizens solve browser-redirect problems. Some of them have some basic networking knowledge, some are complete beginners; everyone has their own specialty, and if they really can't manage it, the only way is to guide them step by step!
Some people also reported that, following my article, they only removed part of it: some are a bit fastidious and had leftover modified settings that needed to be reset cleanly, while others had gaps and had not removed it completely at all. Viruses mutate and disguise themselves all the time, and I seriously suspect that those detestable vendors selling anti-virus products, or the advertisers, are the ones producing this endless stream of disguised malicious plug-ins!
Finally, and most importantly: anyone who wants my help next time, please keep the installer package or the link from when you were infected. Leave the puppet to me; only then can I easily trace its whole anatomy, drive the demon out for you completely, and stop it from possessing others, haha.
Feedback screenshots from some of these netizens are as follows:
Of course it was solved perfectly, with a full sense of happiness!
Statement:
Since viruses/malware on the network may mutate at any time or correspond to several infection methods, the method in this article is only responsible for this particular sample; if you make a mistake yourself, the consequences are your own (usually nothing goes wrong, so don't be scared). If you need help, follow the WeChat public account (我在全球村, MyGlobalVillage) and leave me a message, or add me on WeChat (KingisOK), or add me on Messenger via the QR code at the end of the article!
Symptoms:
A few days ago I received complaints from some netizens that they had installed some malware; although they had cleaned up following the article, it was not cleaned out completely, and they asked for help: the browser had been hijacked by malware, namely SearchMine, which modified its home page, and the home page could no longer be restored to the default value and was unusable. One of them had already seen one of my earlier articles but could not find the corresponding fix, and said he was a layman.
Reading this, I immediately realised that a SearchMine variant must have appeared, which is why he could not find the corresponding configuration. I sent him a script to run and asked him to send me the information it collected for analysis. Fortunately it was the weekend and I was resting at home with time to deal with it; after careful screening I soon found the malicious configuration he had been infected with in mid-September and gave him the fix. After some guidance he finally removed the malicious plug-in and the browser's home page returned to normal, but unfortunately he could not remember the malicious package he had installed at the time, so there was no sample to analyse.
Analysis:
Based on the information provided in the user's feedback, the following was collected:
After analysing the above files, it is preliminarily suspected that the following paths and the programs associated with them are involved:
~/Library/LaunchAgents/com.MyMacUpToDate.agent.plist
~/Library/LaunchAgents/com.uptodatemac.upd.agent.plist
~/Library/Preferences/com.pcv.hlprmcp.plist
~/Library/Application\ Support/.macmmisearch
~/Library/Application\ Support/.upd2006
~/Library/Application\ Support/.MyCouponsmart
~/Library/Application\ Support/mcpnw
Related plug-in configuration: MyCouponsmart
Chrome/Default/Extensions/lfbenaabfliihodeianphjhhhcjgddlh
In fact, this is the root cause of the user's problem: because the malicious plug-in above was installed, the system's browser was tampered with. The configuration location of this plug-in is very unusual, which makes it hard for users to find; some anti-virus products do not even scan the files under this path, and that is exactly where the malicious plug-in's configuration is installed.
Because the user had already removed part of the malicious configuration following my earlier article, the configuration paths listed above may not be complete.
If you find that the files above were generated around the time the problem recently appeared, remove them by running commands in the Terminal.
Fix:
First, remove all the configurations under the profiles shown in the screenshot above and restore them to the blank defaults.
Second, remove the configuration files under the paths above (use the actual paths you find), if any exist. Check whether other related configuration files still exist, kill the process, and then restart the computer.
But for this sample, there may also be some other malicious configurations in local folders, which need to be removed at the same time so that it does not come back to life!
~/Library/LaunchAgents/com.MyMacUpToDate.agent.plist
~/Library/LaunchAgents/com.uptodatemac.upd.agent.plist
~/Library/Preferences/com.pcv.hlprmcp.plist
~/Library/Application\ Support/.macmmisearch
~/Library/Application\ Support/.upd2006
~/Library/Application\ Support/.MyCouponsmart
~/Library/Application\ Support/mcpnw
Chrome/Default/Extensions/lfbenaabfliihodeianphjhhhcjgddlh
Remove the Chrome extension corresponding to the path above; it may be displayed under a different name.
In fact, the files above have a negligible effect on the Mac system itself; even if something is deleted by mistake, it can be reinstalled later as needed, so deleting them will not affect the normal operation of the system.
After all suspicious files have been removed, it is best to reset the browser, or remove the previously saved state data:
~/Library/Saved\ Application\ State/com.apple.Safari.savedState
~/Library/Saved\ Application\ State/com.google.Chrome.savedState
Then launch it again to see whether it is back to normal.
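As an added example (not the post's own script), a report-only Python triage of the paths listed above: it checks which of them exist under a given home directory and, for each LaunchAgent plist among them, shows what launchd would run and whether it starts at login. The Chrome profile prefix under Library/Application Support/Google/Chrome and the placeholder program path in the constructed sample are assumptions.

```python
import plistlib
import tempfile
from pathlib import Path
# Paths from the post, relative to $HOME. The Chrome profile prefix is an assumption
# (Chrome's default data dir); the post only gives "Chrome/Default/Extensions/<id>".
ARTIFACTS = [
    "Library/LaunchAgents/com.MyMacUpToDate.agent.plist",
    "Library/LaunchAgents/com.uptodatemac.upd.agent.plist",
    "Library/Preferences/com.pcv.hlprmcp.plist",
    "Library/Application Support/.macmmisearch",
    "Library/Application Support/.upd2006",
    "Library/Application Support/.MyCouponsmart",
    "Library/Application Support/mcpnw",
    "Library/Application Support/Google/Chrome/Default/Extensions/lfbenaabfliihodeianphjhhhcjgddlh",
    "Library/Saved Application State/com.apple.Safari.savedState",
    "Library/Saved Application State/com.google.Chrome.savedState",
]

def find_artifacts(home):
    """Return the listed artifacts that exist under home (files or directories)."""
    return [rel for rel in ARTIFACTS if (Path(home) / rel).exists()]

def describe_launch_agent(plist_path):
    """Label, command line, and whether launchd starts it at login / keeps it alive."""
    try:
        with open(plist_path, "rb") as f:
            data = plistlib.load(f)
    except (plistlib.InvalidFileException, OSError) as exc:
        return {"error": f"{plist_path}: {exc}"}  # report, never silently skip
    args = data.get("ProgramArguments") or [data.get("Program", "")]
    return {"label": data.get("Label", ""), "program": " ".join(map(str, args)),
            "run_at_load": bool(data.get("RunAtLoad")), "keep_alive": bool(data.get("KeepAlive"))}

def triage(home):
    """Report-only: which artifacts exist, plus what each LaunchAgent among them runs."""
    found = find_artifacts(home)
    agents = {rel: describe_launch_agent(Path(home) / rel)
              for rel in found if rel.startswith("Library/LaunchAgents/")}
    return {"found": found, "launch_agents": agents}

def demo():  # exercise triage() on a constructed fake home (sample data, not a real infection)
    home = Path(tempfile.mkdtemp())
    (home / "Library/Application Support/.macmmisearch").mkdir(parents=True)
    agent = home / "Library/LaunchAgents/com.MyMacUpToDate.agent.plist"
    agent.parent.mkdir(parents=True)
    with open(agent, "wb") as f:  # constructed plist; the program path is a placeholder
        plistlib.dump({"Label": "com.MyMacUpToDate.agent", "RunAtLoad": True,
                       "ProgramArguments": ["/PLACEHOLDER/helper", "--silent"]}, f)
    return triage(home)
```

On a Mac, call triage(Path.home()) and inspect the result before deleting anything; demo() runs the same checks against constructed sample data.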
There was also feedback that after the final removal, some browser settings had not changed back, such as in the first screenshot below:
Because the malicious plug-in set its page as the default home page, the option to remove it from the list is naturally missing. You must first switch to a different default home page; then the searchmine entry below will naturally have a right-click option to remove it from the list, as shown in the image above!
Advice:
1. On a Mac, update and download software from the App Store as far as possible; if another browser suddenly pops up saying the computer has a problem or software needs updating, do not click it!!!!
2. In the security settings of the computer's system settings, choose the option to install only certified software!!!
3. If you want to use cracked software, you must be mentally prepared to have adware and malicious plug-ins installed!
If you found this article helpful, give it a like or follow me; your support is what keeps me going!
This article is from cnblogs (博客园), author: {Julius}; when reposting please cite the original link: https://www.cnblogs.com/bestechshare/p/16447649.html
You can add me on WeChat to learn more, WeChat: {KingisOK}