A Determined Fight Against 3721 (4): What Has 3721 Done to Our Computers?


(yanlb2000, 2005.11.03, yanlb2000.blogcn.com)


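3721 boasts about how large its user base is and what share of Internet users' computers have it installed. I partly accept that claim. But why is the user base so large?
On the one hand, 3721 uses many means, shameless ones included, to force itself onto users' computers, and once installed it refuses to leave and is very hard to remove. On the other hand, on the surface 3721 does offer the convenience of Chinese "real name" web navigation, so a large share of users feel it makes things easier and accept it.
But do you know what this apparent convenience really costs?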


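There is a program called 流氓软件清理助手 (Rogue Software Cleanup Assistant) that helps us remove this kind of rogue software from our computers, and it is quite good. There are now a number of such removal tools, and their very existence shows that rogue software is becoming more and more common. It also shows that these rogue programs will not, or cannot, remove themselves and can only be cleaned out with other tools. A rogue does not leave unless it is driven out.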


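The cleanup assistant is designed quite flexibly: the cleanup steps for each rogue program are written into a configuration file, one file per program, and the files can be updated dynamically over the network. So if a rogue program is upgraded, its configuration file can be upgraded too, and if a new rogue program appears in the future, an automatic update simply adds a new configuration file.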


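The current version of the cleanup assistant can remove more than ten rogue programs, including 3721上网助手 (3721 Internet Assistant), 360搜, 百度搜霸 and 网络猪. Naturally it comes with that many configuration files. The small ones are 1 KB or 2 KB, the larger ones around 5 KB. Only the configuration file for 3721 is as large as 10 KB. What does that tell us? It tells us that 3721 makes noticeably more changes to the system. Calling 3721 the big rogue among rogues is no exaggeration, is it?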


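I opened this configuration file, 3721.rsd. You really don't know until you look, and once you look it is shocking. This goes too far: it makes that many changes to the system and stuffs in that much junk. Below I paste the contents of the file for everyone to see. If you know a bit about Windows, especially the registry, programming, IE extensions and COM components, you will get the general picture.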


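Below are the contents of the 3721.rsd file that ships with the Rogue Software Cleanup Assistant. (Copyright in this file belongs to its original author; I am only quoting it here.) The comment lines beginning with an apostrophe ('), originally written in Chinese, are annotations I added. I wrote them casually after a quick look, so there are bound to be inaccuracies and omissions; please bear with me.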


Have a quick look. If you can tolerate junk like this living in your system, well, I admire you.



[info]
name = 3721上网助手
describe =
http://www.3721.com.cn
author = tomm
version = 2.22



[indentify]
HKEY_CURRENT_USERSOFTWARE3721 = exists



[process]
assistse.exe = kill
'This is 3721's process
rundll32.exe = kill



[regsvr]
{prg}3721Notifier.dll = unregsvr
{prg}3721patch03.dll = unregsvr
{prg}3721patch05.dll = unregsvr
{prg}3721patch06.dll = unregsvr
{prg}3721scrblock.dll = unregsvr
{prg}37213721AutoLive.dll = unregsvr
{prg}3721ShellAsMenu.dll = unregsvr
{prg}3721ShellAssecblk.dll = unregsvr
{prg}3721ShellIEAngel.dll = unregsvr
{prg}3721ShellMenuInfo.dll = unregsvr
{prg}3721assistassist.dll = unregsvr
'The above are the COM components that 3721 stuffed in and registered with the system; all of them must be unregistered;


[files]
{prg}3721= delete
{win}cnsinfo.dat = delete
{sys}cns.dat = delete
{sys}cns.exe = delete
{sys}cns.dll = delete
{sys}CnsMinKP.sys = delete
{win}Downloaded Program Filescns*.* = delete
{win}Downloaded Program Files*.ico = delete
{win}Downloaded Program Files3721 = delete
{win}Downloaded Program Fileskeepmain*.* = delete
{win}Downloaded Program Fileszsmod.dll = delete
{sys}driverscdntran.sys = delete
{uprograms}上网助手 = delete
{cprograms}上网助手 = delete
'The above are the assorted files that 3721 stuffed in; all of them must be deleted;



[registry]
HKEY_CLASSES_ROOTCLSID{141A5E19-BDCB-4E27-A3D7-9E16503BC05B} = delete
HKEY_CLASSES_ROOTCLSID{1B0E7716-898E-48CC-9690-4E338E8DE1D3} = delete
HKEY_CLASSES_ROOTCLSID{38928D50-8A48-44C2-945F-D2F23F771410} = delete
HKEY_CLASSES_ROOTCLSID{7CA83CF1-3AEA-42D0-A4E3-1594FC6E48B2} = delete
HKEY_CLASSES_ROOTCLSID{9EB2B422-C9EE-46C4-A471-1E79C7517B1D} = delete
HKEY_CLASSES_ROOTCLSID{ABEC6103-F6AC-43A3-834F-FB03FBA339A2} = delete
HKEY_CLASSES_ROOTCLSID{B83FC273-3522-4CC6-92EC-75CC86678DA4} = delete
HKEY_CLASSES_ROOTCLSID{BB936323-19FA-4521-BA29-ECA6A121BC78} = delete
HKEY_CLASSES_ROOTCnsHelper.CH = delete
HKEY_CLASSES_ROOTCnsHelper.CH.1 = delete
HKEY_CLASSES_ROOTTypeLib{19069804-2CF0-4357-B696-BA6E9AAD99EF} = delete
HKEY_CLASSES_ROOTTypeLib{4158DB95-DE71-41FF-BEA1-2C3D1C679DF1} = delete
HKEY_CLASSES_ROOTTypeLib{7354662F-CAA3-448B-BC01-04F55A2DCA35} = delete
HKEY_CLASSES_ROOTTypeLib{D4839331-534D-4D0C-875F-D25AF6A10CCC} = delete
HKEY_CLASSES_ROOTTypeLib{F97E75A4-0103-4F27-A752-327B600B1130} = delete
HKEY_CLASSES_ROOTTypeLib{F9AD9D67-EFA8-480E-8291-0163F3960DE7} = delete


HKEY_CURRENT_USERSOFTWARE3721 = delete
HKEY_LOCAL_MACHINESOFTWARE3721 = delete
HKEY_LOCAL_MACHINESOFTWAREClassesCLSID{141A5E19-BDCB-4E27-A3D7-9E16503BC05B} = delete
HKEY_LOCAL_MACHINESOFTWAREClassesCLSID{1B0E7716-898E-48CC-9690-4E338E8DE1D3} = delete
HKEY_LOCAL_MACHINESOFTWAREClassesCLSID{38928D50-8A48-44C2-945F-D2F23F771410} = delete
HKEY_LOCAL_MACHINESOFTWAREClassesCLSID{7CA83CF1-3AEA-42D0-A4E3-1594FC6E48B2} = delete
HKEY_LOCAL_MACHINESOFTWAREClassesCLSID{9EB2B422-C9EE-46C4-A471-1E79C7517B1D} = delete
HKEY_LOCAL_MACHINESOFTWAREClassesCLSID{ABEC6103-F6AC-43A3-834F-FB03FBA339A2} = delete
HKEY_LOCAL_MACHINESOFTWAREClassesCLSID{B83FC273-3522-4CC6-92EC-75CC86678DA4} = delete
HKEY_LOCAL_MACHINESOFTWAREClassesCLSID{BB936323-19FA-4521-BA29-ECA6A121BC78} = delete
HKEY_LOCAL_MACHINESOFTWAREClassesCnsHelper.CH = delete
HKEY_LOCAL_MACHINESOFTWAREClassesCnsHelper.CH.1 = delete
HKEY_LOCAL_MACHINESOFTWAREClassesTypeLib{19069804-2CF0-4357-B696-BA6E9AAD99EF} = delete
HKEY_LOCAL_MACHINESOFTWAREClassesTypeLib{4158DB95-DE71-41FF-BEA1-2C3D1C679DF1} = delete
HKEY_LOCAL_MACHINESOFTWAREClassesTypeLib{7354662F-CAA3-448B-BC01-04F55A2DCA35} = delete
HKEY_LOCAL_MACHINESOFTWAREClassesTypeLib{D4839331-534D-4D0C-875F-D25AF6A10CCC} = delete
HKEY_LOCAL_MACHINESOFTWAREClassesTypeLib{F97E75A4-0103-4F27-A752-327B600B1130} = delete
HKEY_LOCAL_MACHINESOFTWAREClassesTypeLib{F9AD9D67-EFA8-480E-8291-0163F3960DE7} = delete
HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerExtensions{00000000-0000-0001-0001-596BAEDD1289} = delete
HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerExtensions{507F9113-CD77-4866-BA92-0E86DA3D0B97} = delete
HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerExtensions{59BC54A2-56B3-44a0-93E5-432D58746E26} = delete
HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerExtensions{5D73EE86-05F1-49ed-B850-E423120EC338} = delete
HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerExtensions{ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} = delete
HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerExtensions{FD00D911-7529-4084-9946-A29F1BDF4FE5} = delete
' 3721 actually created this many type libraries and interfaces. So much junk in the registry; isn't it disgusting?



HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRunassistse = delete
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRunCnsMin = delete
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRunhelper.dll = delete
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRunOnce3721C :P ROGRA~13721autolive.dll7831941 = delete
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRunOnce3721C :P ROGRA~13721autolive.dll7892729 = delete
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRunOnce3721C :P ROGRA~13721autolive.dll7954517 = delete
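'3721 registers itself in several system auto-start entries to make sure it runs, and reportedly at one point it changed its names automatically so that nobody could pin it down;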


HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionUninstall{1B0E7716-898E-48cc-9690-4E338E8DE1D3} = delete
HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesCnsMinKP = delete
HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesCnsMinKP = delete
'Starting itself as a system service makes it even harder to kill and does even more damage to the system.


HKEY_USERSS-1-5-21-1292428093-1383384898-1343024091-500SOFTWARE3721 = delete
HKEY_CLASSES_ROOTCLSID{D157330A-9EF3-49F8-9A67-4141AC41ADD4} = delete
HKEY_CLASSES_ROOTCnsMinHK.CnsHook = delete
HKEY_CLASSES_ROOTCnsMinHK.CnsHook.1 = delete
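'System hooks registered by 3721, probably used to monitor the user's mouse and keyboard actions so that it gets to "look them over" first. Hooks like this do the most damage to system performance and stability. They also raise personal privacy concerns: whatever software you run and whatever you type is no longer confidential.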
HKEY_CLASSES_ROOTTypeLib{A5ADEAE7-A8B4-4F94-9128-BF8D8DB5E927} = delete
HKEY_CLASSES_ROOTTypeLib{AAB6BCE3-1DF6-4930-9B14-9CA79DC8C267} = delete
HKEY_CURRENT_USERSOFTWAREMicrosoftInternet ExplorerMenuExt!搜一搜 = delete
'This is the "!搜一搜" menu item added to the current user's IE right-click menu.


HKEY_LOCAL_MACHINESOFTWAREClassesCLSID{D157330A-9EF3-49F8-9A67-4141AC41ADD4} = delete
HKEY_LOCAL_MACHINESOFTWAREClassesCnsMinHK.CnsHook = delete
HKEY_LOCAL_MACHINESOFTWAREClassesCnsMinHK.CnsHook.1 = delete
'More registry entries for the system hook
HKEY_LOCAL_MACHINESOFTWAREClassesTypeLib{A5ADEAE7-A8B4-4F94-9128-BF8D8DB5E927} = delete
HKEY_LOCAL_MACHINESOFTWAREClassesTypeLib{AAB6BCE3-1DF6-4930-9B14-9CA79DC8C267} = delete
HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerAdvancedOptions!CNS = delete
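'This is the configuration item 3721 added for itself under "Advanced" in IE's "Internet Options"; presumably it named itself with an exclamation mark (!) so that it sorts ahead of the many other options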
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionUninstallCnsMin = delete
HKEY_LOCAL_MACHINESYSTEMControlSet001EnumRootLEGACY_CNSMINKP = delete
HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesCnsMinKP = delete
HKEY_LOCAL_MACHINESYSTEMControlSet002EnumRootLEGACY_CNSMINKP = delete
HKEY_LOCAL_MACHINESYSTEMCurrentControlSetEnumRootLEGACY_CNSMINKP = delete
HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesCnsMinKP = delete
HKEY_USERSS-1-5-21-1292428093-1383384898-1343024091-500SOFTWAREMicrosoftInternet ExplorerMenuExt!搜一搜 = delete
HKEY_CLASSES_ROOTAssist.EasyAssist = delete
HKEY_CLASSES_ROOTAssist.EasyAssist.1 = delete
HKEY_CLASSES_ROOTAutoLive.Live = delete
HKEY_CLASSES_ROOTAutoLive.Live.1 = delete
HKEY_CLASSES_ROOTInterface{1BB0ABBE-2D95-4847-B9D8-6F90DE3714C1} = delete
HKEY_CLASSES_ROOTInterface{924F5B3A-7A27-484A-B873-E855C9708667} = delete
HKEY_CLASSES_ROOTInterface{BE08F6BC-C3E6-4149-BEB1-CB449E1B372E} = delete
HKEY_CLASSES_ROOTInterface{DF692509-D9EF-48A0-9CD0-3AA5B81F6F68} = delete
HKEY_CURRENT_USERSOFTWAREMicrosoftInternet ExplorerMainCNSAutoUpdate = delete
HKEY_CURRENT_USERSOFTWAREMicrosoftInternet ExplorerMainCNSEnable = delete
HKEY_CURRENT_USERSOFTWAREMicrosoftInternet ExplorerMainCNSHint = delete
HKEY_CURRENT_USERSOFTWAREMicrosoftInternet ExplorerMainCNSList = delete
HKEY_CURRENT_USERSOFTWAREMicrosoftInternet ExplorerMainCNSMenu = delete
HKEY_CURRENT_USERSOFTWAREMicrosoftInternet ExplorerMainCNSReset = delete
'3721 occupies IE's registry entries and leaves a lot of its own junk settings there


HKEY_CLASSES_ROOTADKiller.ADKillerObj = delete
HKEY_CLASSES_ROOTADKiller.ADKillerObj.1 = delete
HKEY_LOCAL_MACHINESOFTWAREClassesADKiller.ADKillerObj = delete
HKEY_LOCAL_MACHINESOFTWAREClassesADKiller.ADKillerObj.1 = delete
'3721's pop-up window filtering feature
HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerActiveX Compatibility{1B0E7716-898E-48CC-9690-4E338E8DE1D3} = delete
HKEY_CLASSES_ROOTAngling.AntiFish = delete
HKEY_CLASSES_ROOTAngling.AntiFish.1 = delete
HKEY_LOCAL_MACHINESOFTWAREClassesAngling.AntiFish = delete
HKEY_LOCAL_MACHINESOFTWAREClassesAngling.AntiFish.1 = delete
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionExplorerBrowser Helper Objects{38928D50-8A48-44C2-945F-D2F23F771410} = delete
'3721 registers itself as an IE BHO component
HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerActiveX Compatibility{7CA83CF1-3AEA-42D0-A4E3-1594FC6E48B2} = delete
HKEY_CLASSES_ROOTFFlash.FlashObjectInterface = delete
HKEY_CLASSES_ROOTFFlash.FlashObjectInterface.1 = delete
HKEY_LOCAL_MACHINESOFTWAREClassesFFlash.FlashObjectInterface = delete
HKEY_LOCAL_MACHINESOFTWAREClassesFFlash.FlashObjectInterface.1 = delete
HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerActiveX Compatibility{B83FC273-3522-4CC6-92EC-75CC86678DA4} = delete
HKEY_CLASSES_ROOTCoolBar.CoolBarObj = delete
HKEY_CLASSES_ROOTCoolBar.CoolBarObj.1 = delete
HKEY_LOCAL_MACHINESOFTWAREClassesCoolBar.CoolBarObj = delete
HKEY_LOCAL_MACHINESOFTWAREClassesCoolBar.CoolBarObj.1 = delete
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionExplorerBrowser Helper Objects{BB936323-19FA-4521-BA29-ECA6A121BC78} = delete
'Probably the items added to the IE toolbar
HKEY_LOCAL_MACHINESOFTWAREClassesInterface{7436DB12-1A7A-4D87-A4E0-713EC9D86050} = delete
HKEY_CLASSES_ROOTInterface{C3A9F7F8-8862-496A-B8A4-25D4140B7DBC} = delete
HKEY_LOCAL_MACHINESOFTWAREClassesInterface{172862CD-9D35-40E7-BAF2-BA7ECF043B9C} = delete
HKEY_CLASSES_ROOTInterface{7436DB12-1A7A-4D87-A4E0-713EC9D86050} = delete
HKEY_LOCAL_MACHINESOFTWAREClassesInterface{7436DB12-1A7A-4D87-A4E0-713EC9D86050} = delete
HKEY_CLASSES_ROOTInterface{172862CD-9D35-40E7-BAF2-BA7ECF043B9C} = delete
HKEY_LOCAL_MACHINESOFTWAREClassesInterface{172862CD-9D35-40E7-BAF2-BA7ECF043B9C} = delete
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionExplorerBrowser Helper Objects{D157330A-9EF3-49F8-9A67-4141AC41ADD4} = delete
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionExplorerShellExecuteHooks{D157330A-9EF3-49F8-9A67-4141AC41ADD4} = delete
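'It is registered under this ShellExecuteHooks hook, so from then on, whatever program you run, 3721 gets to "look it over" first and then do something with it. Scary, isn't it?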
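
The listing above mixes several different auto-start mechanisms (Run keys, a service/driver, BHOs, a ShellExecuteHooks entry). As an added example, not part of the original post or of the cleanup tool, this Python sketch parses rsd-style lines and groups the `[registry]` entries by mechanism. The function names, category names and matching patterns are assumptions; the file syntax is inferred from the listing, and the sample lines are copied from it as they appear on this page.

```python
import re
from collections import defaultdict

# Assumed category names and patterns. Backslashes are stripped before
# matching, so the rules work whether or not path separators are present.
MECHANISMS = [
    ("shell_execute_hook", r"ShellExecuteHooks"),
    ("browser_helper_object", r"Browser Helper Objects"),
    ("run_key", r"CurrentVersionRun(Once)?"),
    ("service_or_driver", r"ControlSet(\d{3})?Services"),
    ("ie_extension", r"Internet ExplorerExtensions"),
    ("ie_context_menu", r"Internet ExplorerMenuExt"),
]

def parse_rsd(text):
    """Return {section: [(target, action), ...]} for an rsd-style file."""
    sections, current = defaultdict(list), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("'"):  # blank line or annotation
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            current = header.group(1).lower()
            continue
        target, sep, action = line.rpartition("=")
        if sep and current:  # lines without "=" (e.g. a bare URL) are skipped
            sections[current].append((target.strip(), action.strip()))
    return dict(sections)

def classify(sections):
    """Group [registry] targets by the auto-start mechanism they belong to."""
    found = defaultdict(list)
    for target, _action in sections.get("registry", []):
        flat = target.replace("\\", "")
        for name, pattern in MECHANISMS:
            if re.search(pattern, flat, re.I):
                found[name].append(target)
                break
    return dict(found)

# Sample lines copied from the listing above, as they appear on this page.
SAMPLE = """[process]
assistse.exe = kill
[registry]
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRunCnsMin = delete
HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesCnsMinKP = delete
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionExplorerBrowser Helper Objects{38928D50-8A48-44C2-945F-D2F23F771410} = delete
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionExplorerShellExecuteHooks{D157330A-9EF3-49F8-9A67-4141AC41ADD4} = delete
HKEY_CURRENT_USERSOFTWARE3721 = delete
"""
```

Entries that match none of the patterns, such as the plain `SOFTWARE3721` settings key, are left out of the result, so what remains is the list of places to check when auditing a machine for this kind of persistence.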



------------------------------------
For the other posts in this series on my blog, see:
Series: A Determined Fight Against 3721
http://www.blogcn.com/User13/yanlb2000/blog/57150502.html



 
