Detailed analysis of the rogue behaviour of 优化大师 (Windows Optimization Master) and how to fix it

2019-09-18 08:21:58 丽君

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{24588FA4-10F1-41D7-B19D-6E22361E47FA}]
"URL"="http://www.baidu.com/s?tn=youcome_pg&ie=UTF-8&wd={searchTerms}&cl=3"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\Baidu]
"Codepage"=dword:0000FDE9
"DisplayName"="百度搜索"
"SortIndex"=dword:FFFFFFFD
"URL"="http://www.baidu.com/s?tn=youcome_pg&ie=UTF-8&wd={searchTerms}&cl=3"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\Google]
"Codepage"=dword:000003A8
"DisplayName"="谷歌搜索"
"SortIndex"=dword:FFFFFFFE
"URL"="http://www.google.com/search?hl=zh-CN&q={searchTerms}&lr="
[HKEY_CURRENT_USER\Software\Microsoft\Windows]
"Verion"="0013E86C8919"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings"=hex(03):46,00,00,00,70,01,00,00,01,00,00,00,00,00,00,
   00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,10,c5,58,13,73,7b,c9,01,
   01,00,00,00,7f,00,00,01,00,00,00,00,00,00,00,00,00,00,00,00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1803"=dword:00000001
At the same time, it may connect to some unidentified URLs along the way:


3. Forcibly modifies the registry and hijacks cookies:
After the new version of Windows优化大师 is installed, an undeletable folder named Software is created in the root of the system drive and of the drive where 优化大师 is installed. Each contains several levels of folders and hidden files, X:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\index.dat (X stands for the drive letter, likewise below). At the same time, the following two registry values:
   HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Cookies
   HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cookies
are changed to X:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\index.dat.
The purpose of this is precisely to hide its secret background connections to certain unidentified websites and to disguise the constantly generated, rapidly growing cookie files, by forcibly redirecting the user's cookies into the newly created Software folder. Only because the developers were momentarily careless and forgot to set the "hidden" attribute on the outermost Software folder as well was this exposed...
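As an added example (not code from the article or from 优化大师), the following Python script parses a .reg export offline and flags the two indicators described above: a SearchScopes URL carrying the tn=youcome_pg referral tag, and a Cookies shell folder pointing at the fake X:\Software\...\User Shell Folders\index.dat location instead of the user profile. The sample export embedded in it is constructed for illustration, and the drive letter C: is assumed.

```python
import re
from typing import Dict, List

# Constructed sample .reg export (illustrative, not captured from a real
# machine): one hijacked IE search scope plus the Cookies folder redirect.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\Baidu]
"DisplayName"="百度搜索"
"URL"="http://www.baidu.com/s?tn=youcome_pg&ie=UTF-8&wd={searchTerms}&cl=3"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]
"Cookies"="C:\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\index.dat"
'''
KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')
# The on-disk directory that mimics a registry path, as the article describes.
FAKE_COOKIE_DIR = '\\software\\microsoft\\windows\\currentversion\\explorer\\'

def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Collect REG_SZ/DWORD entries as {key: {name: data}}; hex(...) data is skipped."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := KEY_RE.match(line):
            current = m.group(1)
            keys.setdefault(current, {})
        elif (m := VALUE_RE.match(line)) and current is not None:
            name, data = m.groups()
            if data.startswith('"') and data.endswith('"'):
                # .reg files escape backslashes and quotes inside string data
                keys[current][name] = data[1:-1].replace('\\"', '"').replace('\\\\', '\\')
            elif data.startswith('dword:'):
                keys[current][name] = str(int(data[6:], 16))
    return keys

def find_hijacks(keys: Dict[str, Dict[str, str]]) -> List[str]:
    """Flag a search scope with the tn=youcome_pg tag and a redirected Cookies folder."""
    findings = []
    for key, values in keys.items():
        if '\\SearchScopes\\' in key and 'tn=youcome_pg' in values.get('URL', ''):
            findings.append(f'search scope hijacked: {key}')
        cookies = values.get('Cookies', '')
        if key.endswith(('\\Explorer\\User Shell Folders', '\\Explorer\\Shell Folders')) and cookies:
            # Shell Folders stores expanded paths, so only User Shell Folders gets the %USERPROFILE% test
            if FAKE_COOKIE_DIR in cookies.lower() or (
                    key.endswith('User Shell Folders') and not cookies.upper().startswith('%USERPROFILE%')):
                findings.append(f'Cookies folder redirected to {cookies}')
    return findings
```

Run it against `reg export HKCU\Software\Microsoft <file>.reg` output from a suspect machine; an empty list means neither indicator is present.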

4. API hook:
After the new version of 优化大师 is installed, the system entry point FindFirstFileExW is hooked to the module at 0xB8ED3A26.
This item was reported by a reader. Given my limited expertise I do not understand it well, and a web search turned up no information about this module; I hope a more skilled expert will continue to research it and work out what it really is.