Removing malware on macOS: browser hijacking by an AnySearch variant (Remove hijacking of anysearch variant)

Declaration:

Viruses and malware circulating on the network mutate at any time and may use several infection vectors, so the removal steps in this article apply only to the sample handled here. If you make a mistake on your own machine, the consequences are yours to bear. If you need help, scan my avatar to add me on WeChat (KingisOK), email me (julius.luck001#mail.com, replace # with @), or add me on Messenger via the QR code at the end of the article.

Phenomenon:

This weekend I suddenly received a WeChat friend request from someone in Shanghai, noted as "CSDN", who complained and asked for help: his browser had been hijacked by malware. AnySearch had taken over the browser and changed its homepage, and the homepage could no longer be restored to the default; it was unusable. He had already seen one of my earlier articles but could not find a matching fix, and said he was a layman.

At that point I realised that AnySearch must have a new variant, which is why he could not find the configuration I had described before. I sent him a script to run and asked him to send me the collected information for analysis. Luckily it was the weekend and I had time to work on it; after careful screening I soon found the malicious configuration, which had been installed in mid-September, and sent him the fix. After some guidance he successfully removed the malicious plug-in and the browser homepage returned to normal. Unfortunately he could not remember which malicious package he had installed at the time, so there was no sample left to analyse.

 


Analysis:

The information collected from the user's feedback is as follows:

After analysing the files above, the problem was initially suspected to involve the following paths and the programs associated with them:

~/Library/LaunchAgents/com.SimpleCharacterSearch.plist

/Library/LaunchDaemons/com.SimpleCharacterSearchP.plist

/Library/LaunchDaemons/SimpleCharacterSearchDaemon.plist

the com.18059968022215572110 directory under ~/Library/Application Support

the Transmission directory under ~/Library/Application Support


Related plug-in configuration: Profiles

This is in fact the root cause of the user's problem. Installing the malicious plug-in above caused the system browser to be modified deliberately. The plug-in's configuration sits in an unusual place (under Profiles in System Preferences), which is why the user could not find it; some anti-virus products do not even scan files in this path, and that is exactly where the malicious plug-in's configuration was installed.

Because the user had already removed part of the malicious configuration himself, following my earlier articles, the list of configuration paths above may not be complete.

If you find that the files above were created around the time the problem appeared, remove them from the Terminal.
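The collection script mentioned earlier is not reproduced on this page; the script below is an added example of what such triage looks like, not the author's own script. It checks the indicator paths listed above, lists launchd plists modified recently, and extracts each item's label and executable from the plist so you can see whether a launch agent points into one of the suspicious Application Support directories. It assumes a standard macOS home-directory layout and XML-format plists (convert a binary one first with `plutil -convert xml1 -o - FILE`); the `profiles` command is macOS only and is skipped elsewhere.

```shell
#!/bin/sh
# Added triage script (not the author's). Enumerates launchd persistence and
# checks the indicator paths named in the article. Assumes a macOS home
# directory layout; the plist parser handles XML plists only.

# Indicator paths from the article, printed by a function so that $HOME
# expands for whichever user runs the script.
ioc_paths() {
  printf '%s\n' \
    "$HOME/Library/LaunchAgents/com.SimpleCharacterSearch.plist" \
    "/Library/LaunchDaemons/com.SimpleCharacterSearchP.plist" \
    "/Library/LaunchDaemons/SimpleCharacterSearchDaemon.plist" \
    "$HOME/Library/Application Support/com.18059968022215572110" \
    "$HOME/Library/Application Support/Transmission"
}

# plist_value FILE KEY: the first <string> value that follows <key>KEY</key>.
# For ProgramArguments that is the executable launchd will start.
plist_value() {
  awk -v key="<key>$2</key>" '
    found && /<string>/ { sub(/.*<string>/, ""); sub(/<\/string>.*/, ""); print; exit }
    index($0, key)      { found = 1 }
  ' "$1"
}

# present_paths: read candidate paths on stdin, print those that exist.
present_paths() {
  while IFS= read -r p; do
    if [ -n "$p" ] && [ -e "$p" ]; then
      printf '%s\n' "$p"
    fi
  done
}

# recent_plists DIR DAYS: plists modified within the last DAYS days. New
# persistence in a previously clean folder usually shows up here first.
recent_plists() {
  if [ -d "$1" ]; then
    find "$1" -name '*.plist' -mtime -"$2"
  fi
}

# launch_item_report DIR: one tab-separated line per plist: path, label,
# executable, and whether that executable is still on disk. A missing one is
# an orphan left behind by a partial clean-up; an existing one under
# ~/Library/Application Support deserves a close look.
launch_item_report() {
  for f in "$1"/*.plist; do
    [ -f "$f" ] || continue
    label=$(plist_value "$f" Label)
    prog=$(plist_value "$f" ProgramArguments)
    [ -n "$prog" ] || prog=$(plist_value "$f" Program)
    if [ -n "$prog" ] && [ -e "$prog" ]; then state="exists"; else state="missing"; fi
    printf '%s\t%s\t%s\t%s\n' "$f" "$label" "$prog" "$state"
  done
}

triage() {
  echo "== indicator paths present =="
  ioc_paths | present_paths
  for d in "$HOME/Library/LaunchAgents" /Library/LaunchAgents /Library/LaunchDaemons; do
    echo "== $d: plists modified in the last 30 days =="
    recent_plists "$d" 30
    echo "== $d: launch items =="
    launch_item_report "$d"
  done
  # Configuration profiles are where this variant pinned the browser settings.
  if command -v profiles >/dev/null 2>&1; then
    echo "== configuration profiles =="
    profiles list
  fi
}

triage
```

Run it as the affected user (`sh triage.sh`), then again with `sudo` so that `profiles list` also shows system-level profiles. Anything in the report whose executable lives under ~/Library/Application Support, or whose plist appeared around the date the homepage changed, is a candidate for the removal steps below.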

Approach:

First, remove every configuration profile shown under Profiles in the screenshot above, so that the pane is back to its blank default.

Second, remove the configuration files under the paths above, if present (substitute the actual paths you found). Check whether other related configuration files still exist, kill the process, then restart the computer.

For this sample, however, some other malicious configuration may still be present in the local folders and must be removed at the same time, or the infection will come back:

~/Library/LaunchAgents/com.SimpleCharacterSearch.plist

/Library/LaunchDaemons/com.SimpleCharacterSearchP.plist

/Library/LaunchDaemons/SimpleCharacterSearchDaemon.plist

the com.18059968022215572110 directory under ~/Library/Application Support

the Transmission directory under ~/Library/Application Support


In practice the files above have negligible impact on the Mac system itself. Even if one is deleted by mistake it can be reinstalled later as needed, so deleting them will not affect normal operation of the system.

Once all the suspicious files have been removed, it is best to reset the browser, or at least delete its saved application state:

~/Library/Saved\ Application\ State/com.apple.Safari.savedState
~/Library/Saved\ Application\ State/com.google.Chrome.savedState

 

Then start the browser again and check whether it is back to normal.
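The steps above, carried out from the Terminal as one script. This is an added example, not the author's own procedure or tooling; it uses the paths named on this page and assumes macOS (`launchctl bootout` for unloading, `profiles` for configuration profiles, `sudo` for the system-level daemons). It is a dry run by default and only acts when started with `--run`, so you can review what it would do first. The order matters: the profile that pins the homepage goes first, then the launchd persistence, then the payload directories, and finally the saved browser state so the hijacked session is not restored on the next launch.

```shell
#!/bin/sh
# Added removal script (not the author's). Dry run by default; pass --run to
# act. Assumes macOS: launchctl, profiles and sudo are used only where present.
case "${1:-}" in --run) DRY_RUN=0 ;; *) DRY_RUN=1 ;; esac

# run CMD...: execute the command, or only print it when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = 1 ]; then printf 'would run: %s\n' "$*"; else "$@"; fi
}

# remove_launch_item PLIST: unload from the correct launchd domain (per-user
# agents under ~/Library, system daemons under /Library, which need sudo),
# then delete the file so it cannot load again at the next login or boot.
remove_launch_item() {
  plist="$1"
  if [ ! -f "$plist" ]; then echo "absent: $plist"; return 0; fi
  case "$plist" in
    /Library/*) domain="system";        as_root="sudo" ;;
    *)          domain="gui/$(id -u)";  as_root="" ;;
  esac
  if command -v launchctl >/dev/null 2>&1; then
    run $as_root launchctl bootout "$domain" "$plist" || true
  fi
  run $as_root rm -f "$plist"
}

# remove_path PATH: delete a file or directory tree if it is present.
remove_path() {
  if [ -e "$1" ]; then run rm -rf "$1"; else echo "absent: $1"; fi
}

# kill_program DIR: stop anything still running from the directory about to be
# deleted, matched on the start of its command line.
kill_program() {
  if command -v pkill >/dev/null 2>&1; then run pkill -f "^$1" || true; fi
}

# remove_profile IDENTIFIER: remove one configuration profile with profiles(1).
# Use the identifiers printed by `profiles list`; do not pass your own MDM
# or corporate profiles here.
remove_profile() {
  if command -v profiles >/dev/null 2>&1; then
    run sudo profiles remove -identifier "$1"
  else
    echo "profiles(1) not available; remove '$1' under System Preferences > Profiles"
  fi
}

cleanup() {
  # 1. Profiles: list them; call remove_profile for each one you did not install.
  if command -v profiles >/dev/null 2>&1; then profiles list; fi
  # 2. Persistence: the LaunchAgents / LaunchDaemons named in the article.
  for p in "$HOME/Library/LaunchAgents/com.SimpleCharacterSearch.plist" \
           /Library/LaunchDaemons/com.SimpleCharacterSearchP.plist \
           /Library/LaunchDaemons/SimpleCharacterSearchDaemon.plist; do
    remove_launch_item "$p"
  done
  # 3. Payload directories; stop whatever still runs from them first.
  for d in "$HOME/Library/Application Support/com.18059968022215572110" \
           "$HOME/Library/Application Support/Transmission"; do
    kill_program "$d"
    remove_path "$d"
  done
  # 4. Saved browser state, so the hijacked session is not restored on launch.
  remove_path "$HOME/Library/Saved Application State/com.apple.Safari.savedState"
  remove_path "$HOME/Library/Saved Application State/com.google.Chrome.savedState"
  echo "done; reboot, then re-check the homepage and search engine settings"
}

cleanup
```

Run `sh cleanup.sh` first to see the planned commands, then `sh cleanup.sh --run`; the daemon removals will prompt for the sudo password. Only the paths on this page are built in; if your triage turned up extra plists or directories, add them to the loops in `cleanup`.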

Advice:

1. On a Mac, update and download software from the App Store whenever possible. Never click pop-ups in other browsers claiming that the computer has a problem or that some software needs updating!

2. In the security settings of System Preferences, choose the option that allows only apps from the App Store (or from the App Store and identified developers)!

3. If you use cracked software, be prepared to have adware and malicious plug-ins installed along with it!

 

If this article helped you, please like it or leave a comment. Your support is what keeps me going!


 
