Helping a macOS user with a deep malware infection: MyCouponsmart, SearchMine.AnySearch, Advanced Mac Cleaner and more, all installed at once!

Foreword:


It has been a while since a reader last asked me for help. I don't know whether that is because people find asking for help too troublesome, or because malware activity has dropped off during the recent epidemic. I hope it is the latter. If it is the former, all I can say is this: if you won't even make the small effort of adding me as a contact, do you really expect someone else to give up their own time to look at your problem? Would you rather keep being harassed by malware? Especially since I have never charged anyone for this help!

Let me talk about a reader I came across in the past couple of days. She was very patient and wrote down many details of the infection process, which helped me a great deal.

But when she ran the script I asked her to run and sent me the information it collected, I was stunned: how could there be so many suspicious configurations? I couldn't help scolding her a little. You write code for a living (she had several programming tools installed), and you put up with this? I hope I didn't hurt her feelings.

 

Fortunately, I already knew the malicious configurations she had installed inside out, so I caught them right away.

In the end, of course, it was a complete fix, and a very satisfying one! Many thanks to her for the recognition and the red envelope!

Below is the usual routine: analyzing which files should be deleted.

Disclaimer:

Because viruses and malware circulating on the network mutate at any time and may use several infection methods, the removal method in this article applies only to this sample. If you make a mistake while following it, the consequences are your own responsibility (usually nothing goes wrong, so don't be scared off). If you need help, follow my WeChat public account (我在全球村, "MyGlobalVillage") and leave me a message, or reply to add me as a friend!

Symptoms:

Her request for help was the familiar one: her browser had been hijacked by malware, specifically SearchMine, which had changed the home page, and the home page could no longer be restored to its default, leaving the browser unusable. She had already found one of my earlier articles and followed it, but after a while the problem came back.

Reading this, my first thought was that either SearchMine had a new variant or it had never been removed completely. I sent her the script to run and asked her to send me the collected information for analysis. After a careful search it turned out she had almost the full set of malicious configurations, mainly the following.

Analysis:

Based on the information the user sent back, this is what was collected:

1) After analyzing the files above, I initially suspected the following paths and the programs associated with them:

~/Library/LaunchAgents/com.MyMacUpToDate.agent.plist
~/Library/LaunchAgents/com.uptodatemac.upd.agent.plist
~/Library/LaunchAgents/com.MyMacUpToDate.agent.plist
~/Library/Preferences/com.pcv.hlprmcp.plist
~/Library/Application\ Support/.MyShopMate
~/Library/Application\ Support/Advanced Mac Cleaner
~/Library/Application\ Support/Mac File Opener
~/Library/Application\ Support/ChumSearch
/Library/LaunchDaemons/com.vix.cron.plist
~/Library/Application\ Support/.macmmisearch
~/Library/Application\ Support/.updXXXX  (many of these)
~/Library/Application\ Support/.MyCouponsmart


2) Related extension configuration: MyCouponsmart

Chrome/Default/Extensions/lfbenaabfliihodeianphjhhhcjgddlh   (she had already removed this one herself)

3) However, two extensions under the Application directory were still alive and well. Look carefully at the Path field in the listing below: it points to the main program, and the main program must be removed.

    net.searchmine.SearchMine.AnySearch(1.0)
               Path = /Users/Shared/SearchMine.app/Contents/PlugIns/AnySearch.appex
               UUID = 77C63A59-94CD-46B6-9D27-5B42C239D741
          Timestamp = 2020-05-10 20:03:03 +0000
                SDK = com.apple.Safari.extension
      Parent Bundle = /Users/Shared/SearchMine.app
       Display Name = AnySearch
         Short Name = AnySearch
        Parent Name = SearchMine

    com.shopsmart.MyCouponsmart.MyCouponsmart-ext(1.0)
               Path = /Users/Shared/MyCouponsmart.app/Contents/PlugIns/MyCouponsmart-ext.appex
               UUID = 0BE3EC9E-788C-40C4-B4E9-FC66135D2152
          Timestamp = 2020-05-10 20:03:02 +0000
                SDK = com.apple.Safari.extension
      Parent Bundle = /Users/Shared/MyCouponsmart.app
       Display Name = MyCouponsmart-ext
         Short Name = MyCouponsmart-ext
        Parent Name = MyCouponsmart

4) There was also one system configuration I was not sure about; in the end I cleaned it up for her together with the rest.

profileIdentifier: com.securew2.eduroam
There are 1 configuration profiles installed

5) Then the Chrome policy she sent back looked like this:

Good grief, there is a problem here too! How could anyone expect to remove this easily?

That is why I say she was deeply infected: six places in total, and she had all six. Other readers usually have around three.

These are the ultimate cause of the user's problem. Because the malicious extensions above were installed, the system browser was modified by hand. The configuration location of this extension is very unusual, so users cannot find it, and even some antivirus software does not scan the files under this path, which is exactly where the malicious extension's configuration lives.

Because the user had already removed some of the malicious configuration herself by following my earlier articles, the configuration paths above may not be complete.

If you find that the files above were created around the time the problem appeared, remove them from the Terminal.

Removal steps:

1) First, remove all of the configuration under the profiles listed in step 3 (shown in the screenshot below) and restore it to the empty default.

 

2) Second, remove the configuration files under the paths above (use the actual paths you find), if any. Check whether other related configuration files still exist, kill the process, then restart the computer.

For this sample, though, some other malicious configurations may also exist in the local folders and need to be removed together, so that the infection cannot flare up again!

~/Library/LaunchAgents/com.MyMacUpToDate.agent.plist
~/Library/LaunchAgents/com.uptodatemac.upd.agent.plist
~/Library/LaunchAgents/com.MyMacUpToDate.agent.plist
~/Library/Preferences/com.pcv.hlprmcp.plist
~/Library/Application\ Support/.MyShopMate
~/Library/Application\ Support/Advanced Mac Cleaner
~/Library/Application\ Support/Mac File Opener
~/Library/Application\ Support/ChumSearch
/Library/LaunchDaemons/com.vix.cron.plist
~/Library/Application\ Support/.macmmisearch
~/Library/Application\ Support/.updXXXX  (many of these)
~/Library/Application\ Support/.MyCouponsmart


3) Remove the Chrome extension listed above; it may show up under another name.

Chrome/Default/Extensions/lfbenaabfliihodeianphjhhhcjgddlh

4) Remove the extensions' main programs under the Users/Shared directory:

/Users/Shared/SearchMine.app
/Users/Shared/MyCouponsmart.app

5) Clear the Chrome configuration shown in the Chrome policy screenshot:

com.google.Chrome HomepageIsNewTabPage -bool false
com.google.Chrome NewTabPageLocation -string "https://www.google.com/"
com.google.Chrome HomepageLocation -string "https://www.google.com/"
com.google.Chrome DefaultSearchProviderSearchURL
com.google.Chrome DefaultSearchProviderNewTabURL
com.google.Chrome DefaultSearchProviderName

In practice, removing all of the files above has a negligible effect on the current Mac system. Even if something is deleted by mistake, it can be reinstalled later as needed, so deleting them will not affect normal operation of the system.

After all suspicious files have been removed, it is best to reset the browser, or remove the previously saved state data:

~/Library/Saved\ Application\ State/com.apple.Safari.savedState
~/Library/Saved\ Application\ State/com.google.Chrome.savedState

 

Then restart and check whether everything is back to normal.
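The sweep the steps above describe, written out as a shell script. This is an added example, not the author's script or any project's code: the path list and the six Chrome policy keys come from this post, while the `HOME_DIR`/`SYS_ROOT` arguments, the `remove_reported` helper and the sample `defaults read` output are my own constructions so the check can be exercised against a throwaway directory, and `hijacker.example` is a placeholder domain.

```shell
#!/bin/sh
# Added example (not the post author's script). Sweeps a home directory for the
# persistence artefacts named in this post and flags the Chrome policy keys it
# lists. The paths are taken from the post; the two arguments exist only so the
# sweep can be run against a copied or test tree instead of the live system.

# Print "FOUND: <path>" for every indicator path from the post that exists.
#   $1 = home directory to scan (default: $HOME)
#   $2 = prefix for system-wide paths such as /Library (default: "", the live system)
audit_mac_adware() {
    home="${1:-$HOME}"
    sysroot="${2:-}"
    indicators="$home/Library/LaunchAgents/com.MyMacUpToDate.agent.plist
$home/Library/LaunchAgents/com.uptodatemac.upd.agent.plist
$home/Library/Preferences/com.pcv.hlprmcp.plist
$home/Library/Application Support/.MyShopMate
$home/Library/Application Support/Advanced Mac Cleaner
$home/Library/Application Support/Mac File Opener
$home/Library/Application Support/ChumSearch
$home/Library/Application Support/.macmmisearch
$home/Library/Application Support/.MyCouponsmart
$sysroot/Library/LaunchDaemons/com.vix.cron.plist
$sysroot/Users/Shared/SearchMine.app
$sysroot/Users/Shared/MyCouponsmart.app"
    printf '%s\n' "$indicators" | while IFS= read -r p; do
        if [ -e "$p" ]; then
            printf 'FOUND: %s\n' "$p"
        fi
    done
    # The post reports "many" ~/Library/Application Support/.updXXXX entries,
    # so those are matched with a glob rather than listed one by one.
    for p in "$home/Library/Application Support"/.upd*; do
        if [ -e "$p" ]; then
            printf 'FOUND: %s\n' "$p"
        fi
    done
    return 0
}

# Delete the paths reported by audit_mac_adware (reads its output on stdin).
# On a live Mac, unload a LaunchAgent with `launchctl unload <plist>` before
# deleting it, otherwise the running job keeps its copy of the configuration.
remove_reported() {
    while IFS= read -r line; do
        case "$line" in
            "FOUND: "*) rm -rf "${line#FOUND: }" ;;
        esac
    done
    return 0
}

# Filter the text of `defaults read com.google.Chrome` (stdin) down to the six
# policy keys the post says the hijacker sets. Any line printed is a key that
# should be cleared with `defaults delete com.google.Chrome <Key>`.
flag_chrome_policy_keys() {
    grep -E 'HomepageIsNewTabPage|NewTabPageLocation|HomepageLocation|DefaultSearchProviderSearchURL|DefaultSearchProviderNewTabURL|DefaultSearchProviderName'
}

# Constructed sample of what `defaults read com.google.Chrome` might print on a
# hijacked machine; hijacker.example is a placeholder, not a real domain.
SAMPLE_CHROME_POLICY='{
    DefaultSearchProviderName = "Hijack Search";
    DefaultSearchProviderSearchURL = "http://hijacker.example/search?q={searchTerms}";
    HomepageIsNewTabPage = 0;
    HomepageLocation = "http://hijacker.example/";
    RestoreOnStartup = 4;
}'
```

On the affected Mac you would run `audit_mac_adware` with no arguments, review the `FOUND:` lines, then pipe them into `remove_reported` (after `launchctl unload` on each plist), and pipe `defaults read com.google.Chrome` into `flag_chrome_policy_keys` to see which of the step-5 keys still need `defaults delete`. The `RestoreOnStartup` line in the sample is there only to show that unrelated keys are not flagged; the eduroam profile from step 4 is not in the sweep because the post itself is unsure about it.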

 

Advice:


1. On a Mac, update and download software from the App Store whenever possible. If a browser suddenly pops up a message saying the computer has a problem or some software needs updating, do not click it!!!!

2. In the computer's security settings, choose the option to install only certified software!!!

3. If you use cracked software, be mentally prepared to have adware and malicious extensions installed!

 

If you found this article helpful, give it a like or follow me. Your support is what keeps me going!

 

All of the above is original content. To repost it, contact me on WeChat for permission or credit the source!

 
