The symptoms showed up in Firefox 3.6.13.
What I saw: Google services started extremely slowly, and search results were being redirected (the classic "Google redirect").
Specifically, clicking any Google service other than iGoogle (Gmail, Docs, Blogger, Bookmarks, Dashboard, etc.) would load the page halfway and then hang; the page might eventually show up after a long wait (Gmail, Docs), and sometimes it simply stuck on the login page with no response at all (Dashboard).
At the same time, something odd happened with Google search: when clicking a search result, more than half the time the page that opened was an unrelated one (for example, I would be redirected to pcspeedmaximizer.s3.amazonaws.com, a site that looks like nothing good just from its name).
Seeing this, it was perfectly clear: infected! So the AntiVirus took the stage.
After a Full Scan, Symantec did find a few trojans in the Sun Java cache. Quarantine, delete, try again... problem still there.
No choice but to keep googling. Chinese searches didn't seem to turn up a usable solution, so let's try English:
Google service stop / slow -- No luck
Google search redirect -- Bingo, lots of people report the issue
Looking closer, one site, http://www.bleepingcomputer.com/, offered a tool billed as very powerful: ComboFix. Some people even claim it is not appropriate for fresh users....
Sounds like strong medicine, so it can probably cure the disease! And with this many discussion threads on Google, it is probably not just another antivirus vendor's phishing promotion. Let's download it and try!
Download location is here: http://www.bleepingcomputer.com/download/anti-virus/combofix
Direct link: http://download.bleepingcomputer.com/protected/c0d3e3bda3ecbf158f3d4028da15dc51/4d6c1ba0/ComboFix.exe
Ran it. First attempt: it reported that Norton was running and asked me to disable it. On the principle of "if you use someone, trust them", I complied! (This time the system's gates were truly wide open; if this thing turned out not to be benign, it could have formatted my hard drive and I could have done nothing about it....)
Luckily there is still more light than darkness in the world, and my conspiracy theories don't always hold. This DOS-like program turned out to be quite professional: first it demanded that I download Microsoft's Recovery Console, declaring it would not do any work until that was installed! Quite the attitude.... (BTW, its UI language was Chinese; it presumably detected my system locale and language settings, which was one of the things that reassured me: even if this were a virus, whoever wrote it put in enough professional care that I might as well let them have their way....)
The rest was waiting. The program is sparing with words; most of the time it is a silent blue screen, though the frantic disk activity showed it was working (or was busy formatting the hard drive... haha, conspiracy theory again).
The basic process is described in fair detail in this tutorial: http://www.bleepingcomputer.com/combofix/how-to-use-combofix . Apart from the specific file names, the steps were essentially the same. It seems to have a great many detection steps, running all the way up to stage 50. There were two reboots in between, and it reported removing c:\windows\system32\drivers\xnuwkos.sys, that wretched thing (presumably the damned malware itself, damn it!)
All reboots were performed by the program itself, and it sternly ordered me: do not reboot the machine yourself!!
After the last reboot succeeded, it kept issuing orders: I am generating the final report; do not start any programs until it is done!
In front of such a stern program I was of course very obedient and didn't dare touch anything; but XP has a personality of its own and went ahead and launched MSN Messenger and GoldenDict (both in the startup items). I said to myself: boss, I didn't start those, please don't mind. Not only that, to curry favour I quickly closed both programs.... (a bit sycophantic, I admit)
The final report was placed under C:\; here it is for everyone's viewing:
ComboFix 11-02-28.02 - VISC5 8/2011 Mon 16:21:09.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.936.86.1033.18.2559.1867 [GMT -5:00]
执行位置: c:\documents and settings\VISC5\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
((((((((((((((((((((((((((((((((((((((( 被删除的档案 )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\drivers\xnuwkos.sys
.
\\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected
.
((((((((((((((((((((((((((((((((((((((( 驱动/服务 )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_xnuwkos
-------\Service_xnuwkos
((((((((((((((((((((((((( 2011-01-28 至 2011-02-28 的新的档案 )))))))))))))))))))))))))))))))
.
2011-02-26 07:02 . 2011-02-26 07:03 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2011-02-25 15:06 . 2011-02-25 15:10 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-02-25 15:04 . 2011-02-25 15:04 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2011-02-25 14:32 . 2011-02-25 14:32 -------- d-----w- c:\documents and settings\VISC5\Application Data\LibreOffice
2011-02-25 14:28 . 2011-02-25 14:30 -------- d-----w- c:\program files\LibreOffice 3
2011-02-24 19:37 . 2011-02-24 19:37 -------- d-----r- C:\MSOCache
2011-02-22 01:13 . 2011-02-22 01:13 -------- d-----w- c:\documents and settings\VISC5\Application Data\OpenOffice.org
2011-02-22 01:10 . 2011-02-22 01:10 -------- d-----w- c:\program files\JRE
2011-02-22 01:10 . 2011-02-22 01:10 -------- d-----w- c:\program files\OpenOffice.org 3
.
(((((((((((((((((((((((((((((((((((((((( 在三个月内被修改的档案 ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-22 00:33 . 2008-11-07 17:46 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-02-21 21:26 . 2010-06-15 15:47 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-01-21 14:44 . 2006-02-28 12:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-19 17:13 . 2011-01-19 17:13 0 ----a-w- c:\windows\system32\nsc4D6.tmp
2011-01-11 11:03 . 2011-01-11 11:03 3234672 ----a-w- c:\windows\system32\SogouPY.ime
2011-01-07 14:09 . 2006-02-28 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10 . 2006-02-28 12:00 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 12:34 . 2006-02-28 12:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 23:59 . 2006-02-28 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 23:59 . 2006-02-28 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-12-20 23:59 . 2006-02-28 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-12-20 17:26 . 2006-02-28 12:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2010-12-20 12:55 . 2006-02-28 12:00 385024 ----a-w- c:\windows\system32\html.iec
2010-12-09 15:15 . 2006-02-28 12:00 718336 ----a-w- c:\windows\system32\ntdll.dll
2010-12-09 14:30 . 2006-02-28 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2010-12-09 13:38 . 2006-02-28 12:00 2192768 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-12-09 13:07 . 2004-08-03 22:59 2069376 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-12-08 18:12 . 2010-04-05 15:20 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2010-12-08 18:11 . 2010-04-05 15:20 53632 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\LMIproc.dll
2010-12-08 18:11 . 2010-04-05 15:20 29568 ----a-w- c:\windows\system32\LMIport.dll
2010-12-08 18:11 . 2010-04-05 15:20 87424 ----a-w- c:\windows\system32\LMIinit.dll
2010-12-02 03:35 . 2010-12-02 03:35 4280320 ----a-w- c:\windows\system32\GPhotos.scr
.
((((((((((((((((((((((((((((((((((((( 重要登入点 ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*注意* 空白与合法缺省登录将不会被显示
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 13:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 13:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 13:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 13:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 13:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 13:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 13:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 13:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 13:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\VISC5\Application Data\Dropbox\bin\DropboxExt.13.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\VISC5\Application Data\Dropbox\bin\DropboxExt.13.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\VISC5\Application Data\Dropbox\bin\DropboxExt.13.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-17 3872080]
"GoldenDict"="c:\program files\GoldenDict\GoldenDict.exe" [2009-05-24 2684416]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-11-21 52840]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2007-03-14 125632]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-03 13529088]
"nwiz"="nwiz.exe" [2008-05-03 1630208]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-03 86016]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2006-02-28 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2006-02-28 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2006-02-28 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2006-02-28 455168]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-01-22 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-08-11 63048]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
c:\documents and settings\VISC5\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\VISC5\Application Data\Dropbox\bin\Dropbox.exe [2010-2-26 21979992]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2010-12-08 18:11 87424 ----a-w- c:\windows\system32\LMIinit.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\keyboard layouts\e0200804]
Ime File REG_SZ SOGOUPY.IME
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"d:\\Programs\\Tencent\\QQ\\QQ.exe"=
"d:\\Programs\\Tencent\\QQ\\Qzone\\Qzone.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"d:\\Mine\\Develop\\RepastSimphony-1.2.0\\eclipse\\RePast.exe"=
"d:\\Mine\\Develop\\Eclipse-3.5.1\\eclipse.exe"=
"c:\\Documents and Settings\\VISC5\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\\Program Files\\SogouInput\\5.1.1.4954\\PinyinUp.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundTimestampRequest"= 1 (0x1)
"AllowInboundMaskRequest"= 1 (0x1)
"AllowInboundRouterRequest"= 1 (0x1)
R0 iteraid;ITERAID_Service_Install;c:\windows\system32\drivers\iteraid.sys [8/4/2005 4:51 AM 26112]
R0 SI3112r;Silicon Image SiI 3512 SATARaid Controller;c:\windows\system32\drivers\SI3112r.sys [8/29/2007 2:04 AM 116264]
R1 VBoxDrv;VirtualBox Service;c:\windows\system32\drivers\VBoxDrv.sys [3/19/2010 10:45 AM 123280]
R1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\drivers\VBoxUSBMon.sys [3/19/2010 10:45 AM 41680]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [9/30/2010 1:55 PM 374152]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [8/11/2008 11:41 AM 12856]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [6/9/2010 3:46 PM 102448]
R3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\drivers\VBoxNetAdp.sys [2/12/2010 7:34 PM 99152]
R3 VBoxNetFlt;VBoxNetFlt Service;c:\windows\system32\drivers\VBoxNetFlt.sys [2/12/2010 7:34 PM 110096]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [1/11/2010 12:20 PM 13192]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [1/11/2010 12:20 PM 8456]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [3/14/2007 6:48 PM 116416]
S3 scsiscan;SCSI Scanner Driver;c:\windows\system32\drivers\scsiscan.sys [6/5/2008 9:25 AM 11520]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
‘计划任务’ 文件夹 里的内容
2011-02-28 c:\windows\Tasks\SogouImeMgr.job
- c:\progra~1\SOGOUI~1\511~1.495\SGTool.exe [2010-12-06 11:09]
2011-02-28 c:\windows\Tasks\User_Feed_Synchronization-{28638918-E4BC-4C4F-8879-83EA62DCF2FB}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 09:31]
.
.
------- 而外的扫描 -------
.
uStart Page = hxxp://securityresponse.symantec.com/avcenter/fix_homepage/
mStart Page = hxxp://securityresponse.symantec.com/avcenter/fix_homepage/
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\VISC5\Application Data\Mozilla\Firefox\Profiles\febeprof.wy\
FF - prefs.js: browser.startup.homepage - file:///D:/Mine/Net/linkto.htm
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - Ext: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - %profile%\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
FF - Ext: Download Statusbar: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389} - %profile%\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: FEBE: {4BBDD651-70CF-4821-84F8-2B918CF89CA3} - %profile%\extensions\{4BBDD651-70CF-4821-84F8-2B918CF89CA3}
FF - Ext: ScrapBook: {53A03D43-5363-4669-8190-99061B2DEBA5} - %profile%\extensions\{53A03D43-5363-4669-8190-99061B2DEBA5}
FF - Ext: AutoPager: autopager@mozilla.org - %profile%\extensions\autopager@mozilla.org
FF - Ext: DownThemAll!: {DDC359D1-844A-42a7-9AA1-88A850A938A8} - %profile%\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}
FF - Ext: Tiny Menu: {d33c2f7c-b1e6-4d46-ab0e-be1f6d05c904} - %profile%\extensions\{d33c2f7c-b1e6-4d46-ab0e-be1f6d05c904}
FF - Ext: Zotero: zotero@chnm.gmu.edu - %profile%\extensions\zotero@chnm.gmu.edu
FF - Ext: Zotero OpenOffice Integration: zoteroOpenOfficeIntegration@zotero.org - %profile%\extensions\zoteroOpenOfficeIntegration@zotero.org
FF - Ext: Stylish: {46551EC9-40F0-4e47-8E18-8E5CF550CFB8} - %profile%\extensions\{46551EC9-40F0-4e47-8E18-8E5CF550CFB8}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre1.6.0_18\lib\deploy\jqs\ff
.
.
------- 文件类型 -------
.
txtfile=c:\windows\notepad.exe %1
.
- - - - ORPHANS REMOVED - - - -
HKU-Default-Run-KingSoft PowerWord PE - c:\program files\Kingsoft\PowerWord PE\CBTray.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-02-28 16:33
Windows 5.1.2600 Service Pack 3 NTFS
扫描被隐藏的进程 。。。
扫描被隐藏的启动组 。。。
扫描被隐藏的文件 。。。
扫描完成
被隐藏的档案: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-1078081533-764733703-839522115-1003\Software\MiniOcr\IlW[M*i*n*i* *O*C*R*\Recent File List]
"File1"="c:\\Documents and Settings\\VISC5\\Desktop\\lib.bmp"
.
--------------------- 运行进程下的动态链接库 ---------------------
- - - - - - - > 'winlogon.exe'(312)
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
- - - - - - - > 'explorer.exe'(2932)
c:\windows\system32\WININET.dll
c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
c:\program files\TortoiseSVN\bin\TortoiseStub.dll
c:\program files\TortoiseSVN\bin\TortoiseSVN.dll
c:\program files\TortoiseSVN\bin\intl3_tsvn.dll
c:\documents and settings\VISC5\Application Data\Dropbox\bin\DropboxExt.13.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ 其他运行进程 ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Juniper Networks\Common Files\dsNcService.exe
c:\program files\LogMeIn\x86\RaMaint.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\locator.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\conime.exe
c:\program files\TortoiseSVN\bin\TSVNCache.exe
c:\windows\system32\RUNDLL32.EXE
.
**************************************************************************
.
完成时间: 2011-02-28 16:41:07 - 电脑已重新启动
ComboFix-quarantined-files.txt 2011-02-28 21:41
Pre-Run: 15,671,996,416 bytes free
Post-Run: 16,419,397,632 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-CHS.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer
- - End Of File - - A7315A1B0EDD7BD56A4006C27BF65A42
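A report like the one above is long, and the items worth a second look (what starts with the machine, which drivers are loaded, what the host firewall lets in, whether Security Center monitoring has been switched off) are scattered across it. The following is an added example, not part of the original post and not ComboFix's own code: a small Python parser for the line formats seen in this report (the `"name"="path" [date size]` Run-key values, the `R0 name;description;path [stamp size]` service lines, the firewall GloballyOpenPorts and IcmpSettings entries, and the `DisableMonitoring` value). The sample input is constructed from lines of the report above; the line formats are inferred from that report rather than from any ComboFix documentation, so treat them as an assumption.

```python
"""Pull autostart, service and firewall-policy entries out of a ComboFix log.

Added example, not ComboFix code. Line formats are inferred from the report
pasted in the post; the sample below is constructed from lines of that report.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: a handful of lines copied from the report above.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-17 3872080]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-11-21 52840]
"nwiz"="nwiz.exe" [2008-05-03 1630208]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundTimestampRequest"= 1 (0x1)
R0 iteraid;ITERAID_Service_Install;c:\windows\system32\drivers\iteraid.sys [8/4/2005 4:51 AM 26112]
R1 VBoxDrv;VirtualBox Service;c:\windows\system32\drivers\VBoxDrv.sys [3/19/2010 10:45 AM 123280]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [3/14/2007 6:48 PM 116416]
"""

SECTION_RE = re.compile(r"^\[(?P<key>.+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"\s+\[(?P<date>\S+)\s+(?P<size>\d+)\]$')
# Service lines: R = running, S = stopped, digit = Windows start type (0 boot ... 3 manual),
# as these codes read in the report above (an assumption about ComboFix's notation).
SERVICE_RE = re.compile(r"^(?P<code>[RS]\d)\s+(?P<name>[^;]+);(?P<desc>[^;]*);(?P<path>.+?)\s+\[(?P<stamp>.+?)\s+(?P<size>\d+)\]$")
PORT_RE = re.compile(r'^"(?P<port>\d+):(?P<proto>TCP|UDP)"=')
ICMP_RE = re.compile(r'^"(?P<setting>AllowInbound\w+)"=\s*1\b')
DISABLE_RE = re.compile(r'^"DisableMonitoring"=dword:0*1$')


@dataclass
class Report:
    autostarts: list = field(default_factory=list)   # (registry key, value name, path)
    services: list = field(default_factory=list)     # (code, service name, path)
    open_ports: list = field(default_factory=list)   # (port, protocol)
    icmp_allowed: list = field(default_factory=list)         # inbound ICMP types enabled
    monitoring_disabled: list = field(default_factory=list)  # products hidden from Security Center


def parse_combofix(text):
    """Walk the log once, remembering the most recent [section] header."""
    report = Report()
    key = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            key = m.group("key")
            continue
        # Service lines carry no header of their own, so test them first.
        m = SERVICE_RE.match(line)
        if m:
            report.services.append((m.group("code"), m.group("name"), m.group("path")))
            continue
        low = key.lower()
        if low.endswith("\\run"):
            m = VALUE_RE.match(line)
            if m:
                report.autostarts.append((key, m.group("name"), m.group("path")))
        elif "globallyopenports" in low:
            m = PORT_RE.match(line)
            if m:
                report.open_ports.append((int(m.group("port")), m.group("proto")))
        elif low.endswith("icmpsettings"):
            m = ICMP_RE.match(line)
            if m:
                report.icmp_allowed.append(m.group("setting"))
        elif "security center\\monitoring" in low and DISABLE_RE.match(line):
            report.monitoring_disabled.append(key.rsplit("\\", 1)[-1])
    return report


def review(report):
    """Return the items a reviewer would want to verify by hand."""
    findings = []
    for _key, name, path in report.autostarts:
        if "\\" not in path:
            # A bare file name is resolved through PATH at logon; confirm which binary it is.
            findings.append(f"autostart '{name}' is a bare file name ({path}), resolved via PATH")
    for port, proto in report.open_ports:
        label = " (Remote Desktop)" if (port, proto) == (3389, "TCP") else ""
        findings.append(f"host firewall allows inbound {port}/{proto}{label} from any address")
    for setting in report.icmp_allowed:
        findings.append(f"inbound ICMP setting enabled: {setting}")
    for product in report.monitoring_disabled:
        findings.append(f"Security Center monitoring disabled for {product}")
    return findings


if __name__ == "__main__":
    parsed = parse_combofix(SAMPLE_LOG)
    print(f"{len(parsed.autostarts)} autostart entries, {len(parsed.services)} services")
    for item in review(parsed):
        print(" -", item)
```

On the full report the same script would also list the driver lines, so a name like the removed `xnuwkos` would show up next to the legitimate storage and VirtualBox drivers; the point is to make the autostart surface reviewable in one place, not to decide automatically what is malicious.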
Finally the stern program finished its job and left without a word (damn it, you could at least say something on the way out, like: "Report generated, you may carry on now"... some kind of all-clear notice... once again that word: attitude!)
Let's test. Hmm, FF seems to be back to normal, at least:
1. Google services start quickly again (back to normal);
2. Searches no longer seem to be redirected (so far).
Recorded here for future reference.
check here: http://googlesearchredirect.com