macOS下malware移除之anysearch劫持(Remove hijacking of anysearch)
声明:
Declaration:
由于网络中的病毒virus/malware等存在随时变异或者对应多种感染方式等情况,本文所针对的处理方法仅针对本次样本负责,个人如有误操作,后果自负。如需帮助,可以关注微信公众号(我在全球村)给我留言,或回复加好友!
Because the virus/malware in the network is mutated at any time or corresponds to multiple infection methods, the processing method targeted in this paper is only responsible for this sample. If the individual has misoperation, the consequences are at your own risk.If you need help, you can pay attention to WeChat official account (MyGlobalVillage), leave a message to me, or reply to your friend!
现象
Phenomenon:
上周末突然收到备注为CSDN,身处澳洲的网友加微信,抱怨并请求帮助:浏览器被恶意软件劫持了,即anysearch 劫持了他的浏览器,修改了其主页,而且主页再也不能被还原成默认值,是不可用状态。他已经按照我前面的某篇文章进行了移除,但是过段时间,这个问题又会出现。
看到这里,我首先意识到他没有处理干净,所以只是治标不治本。后来他又重新装了一次那个恶意插件,把信息提供给我分析,经过仔细筛查后,提供给其解决方法。终于经过简单处理后他成功移除了相应的恶意插件,浏览器的主页也恢复了正常。
At the end of last week, I suddenly received the comment CSDN. The netizens in Australia added wechat, complained and asked for help: the browser was hijacked by malware, that is, anysearch hijacked his browser, modified his homepage, and the homepage can no longer be restored to the default value, which is unavailable. He has been removed according to one of my previous articles, but after a while, this problem will appear again.
Seeing this, I first realized that he didn't deal with it thoroughly, so he just treated the symptoms rather than the root cause. Later, he reinstalled the malicious plug-in, provided me with information for analysis, after careful screening, and provided solutions. Finally, after simple processing, he successfully removed the corresponding malicious plug-ins, and the browser's home page also returned to normal.
分析
Analysis:
根据用户反馈提供的信息,收集如下:
Based on the information provided by user feedback, the collection is as follows:
经过对上述文件的分析,初步怀疑跟下述路径及其关联的程序有关:
nmmhkkegccagdldgiimedpiccmgmieda和pkedcjkdefgpdelpbcmbmeomcjbeemfm 命名所对应的Chrome插件
Library/Application Support目录下的Macromedia和ResearchSoft 文件目录
~/Library/Application Support目录下的com.Aphrodite.Results文件目录
Based on the analysis of the above documents, it is preliminarily suspected that it is related to the following paths and related procedures:
The corresponding chrome plug-in named by nmmhkegccagdldgiimedpiccmgmieda and pkedcjkdefgpdelpbcmbmeomcjbeemfm
Macromedia and researchsoft file directories under the library/application support directory
~/com.aphrodite.results under the library/application support directory
相关插件配置:Profiles
Related plug-in configuration: Profiles
实际上这个就是用户问题出现的最终原因,因为安装了上述恶意插件,导致系统浏览器被人为修改,这个插件的配置位置很特别,导致用户无法寻找,甚至有些杀毒软件都没有扫描到这个路径下的文件,恰好恶意插件的配置就安装在这个位置。
由于用户自己根据我以前的文章,已经移除了一部分恶意配置,所以上述配置路径可能并不全面。
In fact, this is the ultimate cause of user problems. Because the above malicious plug-ins are installed, the system browser is artificially modified. The configuration location of this plug-in is very special, which makes it impossible for users to find. Even some anti-virus software does not scan the files in this path, and the configuration of malicious plug-ins is installed in this location.
Since some malicious configurations have been removed by users themselves according to my previous articles, the above configuration paths may not be comprehensive.
如果你有发现近期出现问题前后才生成的上述文件,请将其通过terminal终端运行进行移除。
If you have found the above files that were generated before and after the recent problem, please remove them through the terminal .
处理方法:
Approach:
首先,移除上述截图中的profiles文件下的所有配置,恢复成空白默认值。
First, remove all the configuration under the profiles file in the screenshot above and restore it to the blank default value.
其次,移除上述路径下的配置文件(根据自己发现的实际路径进行引用),如果有。检查是否还存在相关的其他配置文件,杀掉该进程,再重启电脑。
Secondly, Remove the configuration file under the above path(reference according to the actual path you find), if any. Check if there are other related configuration files, kill the process, and restart the computer.
但针对本次的样本,在本地文件夹还可能有其它的一些恶意配置存在,需要一并移除,以免死灰复燃!
But for this sample, there are some other malicious configurations in the local folder, which need to be removed together to avoid resurgence!
rm -rf ~/Library/Application\\ Support/ResearchSoft
rm -rf ~/Library/Application\\ Support/Macromedia
rm -rf ~/Library/LaunchAgents/AphroditeResults dldr.adload.cfjcc*
rm -rf ~/Library/LaunchAgents/com.pcv.hlprmcp.plist
rm -rf /Library/LaunchAgents/AphroditeResults dldr.adload.dmrct.plist
rm -rf /Library/LaunchDaemons/com.Aphrodite.Results
rm -rf ~/Library/Application\\ Support/Google/Chrome/Default/Extensions/nmmhkkegccagdldgiimedpiccmgmieda
rm -rf ~/Library/Application\\ Support/Google/Chrome/Default/Extensions/pkedcjkdefgpdelpbcmbmeomcjbeemfm实际上,上述文件对当前Mac系统的影响微乎其微,即使有误删,后期根据需要可以重新安装,所以删除不会影响系统的正常运行。
In fact, the above files have little impact on the current Mac system. Even if it is deleted by mistake, it can be reinstalled as needed later, so the deletion will not affect the normal operation of the system.
可疑文件全部移除完成后,最好重置浏览器,或者移除之前保存的状态数据
After all the suspicious files have been removed, it is best to reset the browser or remove the previously saved state data.
~/Library/Saved\\ Application\\ State/com.apple.Safari.savedState
~/Library/Saved\\ Application\\ State/com.google.Chrome.savedState再启动查看是否恢复正常。
Restart to see if it returns to normal.
忠告:
Advice:
1,苹果电脑要更新和下载软件尽量去App Store,其他浏览器突然弹出的说电脑有问题或者软件需要更新,都尽量不要点!!!!
2,电脑设置中安全设置,选项选择只安装认证过的软件!!!
3,要使用破解版软件,就必须做好被安装广告和恶意插件的心理准备!
1, Apple computer to update and download software as far as possible to the App Store, other browsers suddenly pop up saying that the computer has a problem or the software needs to be updated, try not to point! ! ! !
2, the security settings in the computer settings, the option to choose only installed certified software! ! !
3. To use the cracked version of software, you must be mentally prepared to install advertisements and malicious plug-ins!
如果觉得本文对你有帮助,那就赞一个或者评论一个吧,您的支持是我继续前进的动力!
If this article is helpful to you, please click like or comment on it. Your support is my motivation to move forward!
macOS下malware移除之anysearch劫持(Remove hijacking of anysearch)相关推荐
- macOS下malware移除实战之Qsearch浏览器劫持的移除
声明: 由于网络中的病毒virus/malware等存在随时变异或者对应多种感染方式等情况,本文所针对的处理方法仅针对本次样本负责,个人如有误操作,后果自负.如需帮助,请在WeChat(微信)搜索&q ...
- macOS下malware移除实战之搜索引擎Google劫持为trovi的移除(Remove Google hijacking for trovi removal under macOS)
声明: Declaration: 由于网络中的病毒virus/malware等存在随时变异或者对应多种感染方式等情况,本文所针对的处理方法仅针对本次样本负责,个人如有误操作,后果自负.如需帮助,请在W ...
- 遇到一个macOS下malware中毒很深的网友,安装的恶意软件MyCouponsmart、SearchMine.AnySearch、Advanced Mac Cleaner等真多!
前言: Foreword: 最近一段时间很久没有收到网友的求助了,不知道是因为觉得寻求帮助麻烦,还是因为最近疫情的原因,恶意软件活动的少了.我还是希望是后者导致的吧,如果是前者,那我只能说自己加个好友 ...
- MIT6.828课程JOS在macOS下的环境配置
本文将介绍如何在macOS下配置MIT6.828 JOS实验的环境. 写JOS之前,在网上搜寻JOS的开发环境,很多博客和文章都提到"不是32位linux就不好配置,会浪费大量时间在配置环境 ...
- macOS必备APP macOS 下那些鲜为人知的使用技巧
为了方便各位同学掌握Mac! 我把买来Mac后的一系列操作都给你准备好了! 目录 macOS必备APP Mac常用快捷键 macOS 下那些鲜为人知的使用技巧 macOS必备APP 1.Clean m ...
- 51单片机在Ubuntu和MacOS下程序开发和下载
这学期有51单片机课程,平时调试代码不用windows,查阅了一些资料,不太能用,现在将51单片机在ubuntu下(Linux通用)开发和下载说明一下:需要用到SDCC和stcgal. 推荐使用HML ...
- macOS下蓝牙键盘(Keychron K2)连接被拒绝问题
macOS下蓝牙键盘(Keychron K2)连接被拒绝问题 ##键盘突然连接不上,重启电脑,重连都不能解决 搜了下网上也没有太有用的解法 先移除键盘 长按fn键然后再按j+z 这一步启到重置键盘的作 ...
- MacOS下打包Python应用
在MacOS下开发的Python应用,不是Web Application,开发好以后,如何给用户使用呢?用户的操作系统也是MacOS 使用py2app打包 一.软件环境 ...
- 适用于 macOS 下 2K 显示器开启 HiDPI 的简便解决方案
适用于 macOS 下 2K 显示器开启 HiDPI 的简便解决方案 参考文章: (1)适用于 macOS 下 2K 显示器开启 HiDPI 的简便解决方案 (2)https://www.cnblog ...
最新文章
- inside java security_Inside The JVM Part2: java如何实现安全性
- 海南大学2020年申请考核博士研究生招生工作办法
- java 详解 搭建 框架_在Eclipse中搭建Struts框架过程详解
- AB1601低功耗注意事项
- sonar 匿名内部类写法不推荐
- elementui常用知识点总结
- 使用Vitamio打造自己的Android万能播放器(7)——在线播放(下载视频)
- Sentinel流控规则_线程数失败_分布式系统集群限流_线程数隔离_削峰填谷_流量控制_速率控制_服务熔断_服务降级---微服务升级_SpringCloud Alibaba工作笔记0034
- Destroying The Graph 最小点权集--最小割--最大流
- 使用alias简化命令输入
- CIO:节省IT部门开支十招
- 高并发来袭,如何搭建微服务架构?
- js生成1~100个随机不重复数
- JS基础-下拉菜单案例
- OpenCASCADE6.8.0 Reference Manual Serach Problem
- linux超线程问题
- Win10 chm文件无法打开解决方案
- 独立院校转设,高考新生何去何从|转设对新生有哪些影响
- BCDEDIT - 启动配置数据存储编辑器
- python中最小公倍数函数_Python 最小公倍数算法