Is itellyou.cn really known for distributing files that carry viruses?
Image downloaded via: Xunlei (Thunder) for Mac
Installed via: extracting install.wim from a Win10 PE and restoring it
Right after the install finished, without doing anything else, I immediately went to install Huorong antivirus; before it was even installed, all kinds of bloatware had already popped up:
The bloatware list:
The whole 360 bundle: 360安全卫士 (360 Safeguard) and 360安全浏览器 (360 Secure Browser)
智能云输入法 (Smart Cloud Input Method)
The IE homepage was hijacked to:
http://hao.360.cn/?src=lm&ls=n5a04abfd9e
Huorong flagged an unknown startup item
Thoughts:
Actually either of these two environments could be the source of the infection; they need to be checked one by one, and it is not necessarily itellyou's fault.
The itellyou image should be verified with MD5, SHA1 and SHA256 hashes against the values published online, to rule out Xunlei tampering with or injecting into the download.
The Win10 PE restore tool may write bloatware after the restore completes.
Attached log:
C:\Windows\PFRO
10/28/2021 13:50:59 - PFRO Error: \??\C:\Windows\SysWOW64\IME\SmartCloud\SCImeBroker.exe.bak, |delete operation|, 0xc0000034
10/28/2021 13:50:59 - PFRO Error: \??\C:\Windows\SysWOW64\IME\SmartCloud\SCImeBrokerPS.dll.bak, |delete operation|, 0xc0000034
10/28/2021 13:50:59 - PFRO Error: \??\C:\Program Files (x86)\SmartCloudInput\1.1.6.1129\SCService.exe.bak, |delete operation|, 0xc0000034
10/28/2021 13:50:59 - PFRO Error: \??\C:\Users\zWIN\AppData\Local\Temp\{7D04ADC9-0E5B-400e-BE45-DE8D85DB835C}.tmp, |delete operation|, 0xc0000034
10/28/2021 13:50:59 - PFRO Error: \??\C:\Users\zWIN\AppData\LocalLow\SmartCloudIME.users\Dict\4174.zncel.bak, |delete operation|, 0xc000003a
10/28/2021 13:50:59 - PFRO Error: \??\C:\Users\zWIN\AppData\LocalLow\SmartCloudIME.users\DictTemp\4174.dcel, |delete operation|, 0xc000003a
10/28/2021 13:50:59 - PFRO Error: \??\C:\Windows\SysWOW64\drivers\360SelfProtection.sys.557, |delete operation|, 0xc0000034
10/28/2021 13:50:59 - PFRO Error: \??\C:\Windows\SysWOW64\drivers\hookport.sys.656, |delete operation|, 0xc0000034
10/28/2021 13:50:59 - PFRO Error: \??\C:\Windows\SysWOW64\drivers\efimon.sys.134, |delete operation|, 0xc0000034
10/28/2021 13:50:59 - PFRO Error: \??\C:\Users\zWIN\AppData\Local\Google\Chrome\User Data\Default\Extensions\pppagaglfkmlpgobnlenhknilehpmcbo, |delete operation|, 0xc000003a
10/28/2021 13:50:59 - PFRO Error: \??\C:\Users\zWIN\AppData\Local\MapleStudio\ChromePlus\User Data\Default\Extensions\pppagaglfkmlpgobnlenhknilehpmcbo, |delete operation|, 0xc000003a
10/28/2021 13:50:59 - PFRO Error: \??\C:\Windows\SysWOW64\drivers\qutmipc.sys.153, |delete operation|, 0xc0000034
10/28/2021 13:50:59 - PFRO Error: \??\C:\Windows\system32\drivers\360Sensor64.sys, |delete operation|, 0xc0000034
10/28/2021 13:50:59 - PFRO Error: \??\C:\Program Files (x86)\SmartCloudInput\1.1.6.1129\Uninst.ini, |delete operation|, 0xc0000034
10/28/2021 13:50:59 - PFRO Error: \??\C:\Users\zWIN\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\智能云输入法\, |delete operation|, 0xc0000034
10/28/2021 13:50:59 - PFRO Error: \??\C:\Program Files (x86)\360\360Safe\safemon\7z.dll, |delete operation|, 0xc0000034
10/28/2021 13:50:59 - PFRO Error: \??\C:\Program Files (x86)\360\360Safe\MiniUI.dll, |delete operation|, 0xc0000034
10/28/2021 13:50:59 - PFRO Error: \??\C:\Program Files (x86)\360\360Safe\safemon\7z.dll, |delete operation|, 0xc0000034
10/28/2021 13:50:59 - PFRO Error: \??\C:\Program Files (x86)\360\360Safe\MiniUI.dll, |delete operation|, 0xc0000034
10/28/2021 13:50:59 - PFRO Error: \??\C:\Program Files (x86)\360\360Safe\safemon\7z.dll, |delete operation|, 0xc0000034
10/28/2021 13:50:59 - PFRO Error: \??\C:\Program Files (x86)\360\360Safe\MiniUI.dll, |delete operation|, 0xc0000034
10/28/2021 13:50:59 - 80 Successful PFRO operations
Other file: C:\Windows\OH6Ov0W
--- Handling:
Delete the files first, disable the startup item, and watch what happens.
Go back to macOS and keep Win10 only as a backup.
New skill acquired: install macOS + Win10 on the same disk. Install macOS first, leave 40 GB free, then install Win10.
If you have read this far, here is a tip: on Win10 you no longer need to open QQ or WeChat to take a screenshot. Search the Start menu for 截图 (Snip) or press Win+Shift+S.
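The PFRO log above is PendingFileRenameOperations being processed at boot, so it is a useful triage artefact: it records which product directories something tried to clean up after itself. As an added example (not code from the original post), the parser below reads that log format, decodes the two NTSTATUS values that appear in it, and counts the entries per product; the product labels and the sample lines are my own constructions, taken from the entries quoted above.

```python
import re
from collections import Counter
# Constructed sample in the PFRO log format quoted above (a few of the post's own entries).
SAMPLE_LOG = r"""10/28/2021 13:50:59 - PFRO Error: \??\C:\Windows\SysWOW64\IME\SmartCloud\SCImeBroker.exe.bak, |delete operation|, 0xc0000034
10/28/2021 13:50:59 - PFRO Error: \??\C:\Windows\SysWOW64\drivers\360SelfProtection.sys.557, |delete operation|, 0xc0000034
10/28/2021 13:50:59 - PFRO Error: \??\C:\Users\zWIN\AppData\LocalLow\SmartCloudIME.users\Dict\4174.zncel.bak, |delete operation|, 0xc000003a
10/28/2021 13:50:59 - PFRO Error: \??\C:\Program Files (x86)\360\360Safe\MiniUI.dll, |delete operation|, 0xc0000034
10/28/2021 13:50:59 - PFRO Error: \??\C:\Windows\system32\drivers\360Sensor64.sys, |delete operation|, 0xc0000034
10/28/2021 13:50:59 - 80 Successful PFRO operations
"""

# NTSTATUS values seen in the log: both mean the file was already gone when the
# boot-time delayed delete (MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT) ran.
NTSTATUS = {0xC0000034: "STATUS_OBJECT_NAME_NOT_FOUND",
            0xC000003A: "STATUS_OBJECT_PATH_NOT_FOUND"}

# Path substrings mapped to the products the post names (labels are assumptions).
PRODUCT_MARKERS = {"smartcloud": "SmartCloud IME (智能云输入法)", "360": "360 (Qihoo)"}
PFRO_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) - PFRO Error: "
    r"(?P<path>.+?), \|(?P<op>[^|]+)\|, (?P<status>0x[0-9a-fA-F]{8})$")

def parse_pfro(text):
    # One dict per "PFRO Error" line; the "N Successful PFRO operations" summary is skipped.
    entries = []
    for line in text.splitlines():
        m = PFRO_RE.match(line.strip())
        if not m:
            continue
        code = int(m.group("status"), 16)
        entries.append({
            "time": m.group("ts"),
            "path": m.group("path").removeprefix("\\??\\"),  # NT path -> Win32 path
            "op": m.group("op"),
            "status": NTSTATUS.get(code, f"0x{code:08X}"),
        })
    return entries

def classify(path):
    # Tag a path with the product it belongs to, or "other" when no marker matches.
    low = path.lower()
    for marker, label in PRODUCT_MARKERS.items():
        if marker in low:
            return label
    return "other"

def summarize(entries):
    # Count of pending-delete entries per product, e.g. Counter({'360 (Qihoo)': 3, ...}).
    return Counter(classify(e["path"]) for e in entries)
```

Run it against the full C:\Windows\PFRO.log of a suspect machine instead of SAMPLE_LOG to see at a glance which products left boot-time cleanup entries behind.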