Finally solved it~
Before I dug in, this world really seemed like a damn nice place~ Look closer and it's traps everywhere. Looks like going back to Linux is safer.
Roughly, here is what I did:
1. Changed the DNS
2. Checked for suspicious processes, closing as many normal processes as possible
3. Registry check
4. WMI check
5. Checked bat, vbs, ini, txt and other config files
Found a lot of folders that didn't look right under c:\Users\MyUserName\AppData\Roaming
>
update_1231.exe=1420148229
Browser_V4.0.3214.0_r_4332_(Build14122211)_1419958802.exe=1420161108
hkyl_yls_hk2014_201lm.exe=1420161121
install1557915.exe=1420161125
jKAVSETUPS_60_307927.exe=1420161149
ksimekusu_zhim_012.exe=1420161155
setup_13b4.exe=1420161169
zhezi_setup_ZFBE.exe=1420161178
setup_90_34533.exe=1420176913
[config]
land=1420148229
last=lnk=1;44=1;img=1;ins=1;mh=1;
Stuff like this; along the way I also saw installer and deployment files for 36x, sox, x狗 and x度, which I never downloaded, and even if I had, I would never have downloaded them into a directory like this.
After cleaning up, opening the browser before rebooting still showed no change, so I considered a driver loading and injecting, and started the DLL check again.
Googling turned up the experience at
http://dicky-programmingjoy.blogspot.mx :
> It is definitely something related to the issue that I am facing. In fact, looking at all these weird naming .exe, it seems very suspicious the computer is infected with malware. Not sure how this configuration file is accessed, but it is likely being used when the input keyboard is initialized. So removed the Chinese input.
Damn, quickly deleted the infected dll, rebooted~ and the world is quiet again.
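The dropper's bookkeeping file quoted above (the `name.exe=number` lines followed by `[config]`) is a useful triage artifact: the numbers look like Unix epoch timestamps, so the file gives an install timeline for everything it pulled down. Below is an added parser for that format (my code, not from the post or the blog it links to); it assumes the values are epoch seconds, which is my reading, not something the post states, and works on a constructed sample modelled on the quoted lines.

```python
import re
from datetime import datetime, timezone

# Constructed sample modelled on the dropper log quoted in the post.
# Assumption: the numeric values are Unix epoch timestamps (seconds).
SAMPLE = """\
update_1231.exe=1420148229
Browser_V4.0.3214.0_r_4332_(Build14122211)_1419958802.exe=1420161108
setup_90_34533.exe=1420176913
[config]
land=1420148229
last=lnk=1;44=1;img=1;ins=1;mh=1;
"""

# A downloaded-payload entry: anything ending in .exe, '=', then a 9-10 digit epoch.
ENTRY_RE = re.compile(r"^(?P<name>[^=\[\]]+\.exe)=(?P<ts>\d{9,10})$", re.IGNORECASE)


def parse_dropper_log(text):
    """Return [(exe_name, UTC datetime)] for payload lines that precede
    the first [section] header; the [config] block is deliberately skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            break  # payload list ends at the first section header
        m = ENTRY_RE.match(line)
        if m:
            when = datetime.fromtimestamp(int(m.group("ts")), tz=timezone.utc)
            entries.append((m.group("name"), when))
    return entries


def summarize(entries):
    """Build a timeline summary for an IR note: count, first/last install
    time (UTC) and the span in seconds between them. None if no entries."""
    if not entries:
        return None
    ordered = sorted(entries, key=lambda e: e[1])
    first, last = ordered[0][1], ordered[-1][1]
    return {
        "count": len(ordered),
        "first": first,
        "last": last,
        "span_s": int((last - first).total_seconds()),
        "names": [name for name, _ in ordered],
    }
```

With the sample above the timeline shows the downloads landing within about eight hours of each other, which is the kind of burst worth correlating against DNS and proxy logs for the same window.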