Questions about the rogue software, monitoring the task bar to add browser shortcuts?

Time: 09-30

Got infected after downloading Civilization 4 from "http://www.yxdown.com/SoftView/SoftView_13771.html"; the downloaded file name was "yxdown.com_Civilization4_chs.rar".

There is now a program monitoring the "C:\Users\Leon\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar" folder: as soon as Chrome is pinned to the taskbar, "http://hao.*********.com" is automatically appended after the shortcut's target. The string is random and redirects to a random site, and the permissions on the added shortcut are modified.

Kingsoft (Jinshan) Guard / Duba can only lock the home page.
Modifying the file permissions to restrict access.
Both methods are noticed by the monitor but don't solve it thoroughly; could an expert help me think about how to get rid of this wretch!

//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" http://hao.970353.com/
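An added example, not from the question or from any of the replies: a PowerShell audit of the pinned-taskbar .lnk files that reports the injected URL argument pattern described above, notes Deny ACEs on the shortcut (the "permissions modified" symptom), keeps a SHA-256 baseline so a re-modified shortcut shows as Changed on the next run, and can strip the argument again. The folder path is the one quoted in the question; the -Fix and -Baseline switches are this script's own, not Windows options.

```powershell
# Added example (not the thread's own code): audit pinned taskbar shortcuts for an
# injected URL argument, report Deny ACEs, keep a hash baseline, optionally repair.
param(
    [switch]$Fix,                                                   # hypothetical switch: strip the injected argument
    [string]$Baseline = (Join-Path $env:TEMP 'taskbar-lnk-baseline.json')  # hypothetical baseline file
)

# Path quoted in the question, resolved for the current user.
$pinned = Join-Path $env:APPDATA 'Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar'
$shell  = New-Object -ComObject WScript.Shell

# Hashes from the previous run, so a shortcut rewritten since then shows up as Changed.
$previous = @{}
if (Test-Path -LiteralPath $Baseline) {
    (Get-Content -LiteralPath $Baseline -Raw | ConvertFrom-Json).PSObject.Properties |
        ForEach-Object { $previous[$_.Name] = $_.Value }
}
$current = @{}

$report = Get-ChildItem -LiteralPath $pinned -Filter '*.lnk' | ForEach-Object {
    $lnk  = $shell.CreateShortcut($_.FullName)
    $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
    $current[$_.Name] = $hash

    # A browser shortcut pinned by the user normally has empty Arguments; a URL there is
    # exactly the pattern from the question (target unchanged, site appended after it).
    $url = if ($lnk.Arguments -match '(?i)https?://[^\s"]+') { $Matches[0] } else { $null }

    # Deny ACEs on the .lnk suggest the writer tried to lock its change in place.
    $denies = (Get-Acl -LiteralPath $_.FullName).Access |
        Where-Object { $_.AccessControlType -eq 'Deny' } |
        ForEach-Object { $_.IdentityReference.Value }

    [pscustomobject]@{
        Shortcut    = $_.Name
        SizeBytes   = $_.Length            # the thread notes the file growing from 2 KB to 4 KB
        Target      = $lnk.TargetPath
        InjectedUrl = $url
        DenyAces    = ($denies -join ';')
        Changed     = ($previous.ContainsKey($_.Name) -and $previous[$_.Name] -ne $hash)
        Modified    = $_.LastWriteTime
    }

    if ($Fix -and $url) {
        try {
            $lnk.Arguments = ''
            $lnk.Save()
            # Re-hash after the repair so the baseline records the clean file.
            $current[$_.Name] = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        } catch {
            # A Deny ACE on the file blocks Save(); remove it first (as the file owner).
            Write-Warning "Could not repair $($_.Name): $($_.Exception.Message)"
        }
    }
}

$report | Format-Table -AutoSize
$current | ConvertTo-Json | Set-Content -LiteralPath $Baseline
```

Run it once to take the baseline, pin or unpin a browser, and run it again: a row with a non-empty InjectedUrl and Changed = True confirms the rewrite happened on that operation. This only catches the modified shortcut after the fact; finding which component performs the write still needs Process Monitor on the same path, as the replies below suggest.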

CodePudding user response:

Use Sysinternals Process Explorer to check handles and see which processes hold a handle to this path.

CodePudding user response:

Process Explorer won't do; try Procmon.exe to monitor operations whose Path contains Quick Launch and see which process performs a write operation.

CodePudding user response:

Using Process Monitor to monitor paths containing "Quick Launch\User Pinned\TaskBar", for the "Unpin this program from taskbar" and "Pin this program to taskbar" operations, only three processes operate on it: explorer.exe, MsMpEng.exe and System.
Process Monitor saved file:
https://pan.baidu.com/s/1npcWDNY-VYczTZGXfphoUQ
////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
Copying a Chrome shortcut directly into the path does not add the website suffix.
Only when using the "Unpin this program from taskbar" and "Pin this program to taskbar" operations is the website suffix added, so those two operations must have been hooked. How do I find it?

CodePudding user response:

Tried under Windows 7: whether pinning to the taskbar or editing the "Properties" of an already pinned shortcut to add similar parameters, the System process is not involved at all, only explorer.exe is working; MsMpEng.exe is the MSE program, normal.
The original 2 KB LNK file grew to 4 KB on the System side, which also matches appending a tail, so that operation should be the one at work; within that process it is some driver/kernel service item, so you should look from that angle. With the above-mentioned Process Explorer, select the System process and look at the modules shown in the lower pane for anything suspicious, especially problems with the company name, e.g. something puzzling or clearly not Microsoft, or a few large drivers.

CodePudding user response:

dump_dumpfve.sys   0xfffff8800196b000  0x13000  C:\Windows\System32\Drivers\dump_dumpfve.sys   1970/1/1 8:00
kmodurl64.sys      0xfffff88002fd4000  0x22000  c:\program files\ksafe\kmodurl64 (x86).sys     1970/1/1 8:00
kisknl.sys         0xfffff88003640000  0x52000  C:\Windows\system32\drivers\kisknl.sys         1970/1/1 8:00
PROCMON23.SYS      0xfffff880036b0000  0x1a000  C:\Windows\system32\Drivers\PROCMON23.SYS      1970/1/1 8:00
ksfmonsys64.sys    0xfffff88003d84000  0x8000   c:\program files\ksafe\ksfmonsys64 (x86).sys   1970/1/1 8:00
ksapi64.sys        0xfffff88003dea000  0x12000  C:\Windows\system32\drivers\ksapi64.sys        1970/1/1 8:00
PROCEXP152.SYS     0xfffff8800bbf0000  0xc000   C:\Windows\System32\Drivers\PROCEXP152.SYS     1970/1/1 8:00


The above are the suspicious modules under System; the files do not exist!

But it looks very much like the "hao" navigation variant at https://bbs.kafan.cn/thread-2041256-1-1.html, only the harm is not as big: it only hijacks the Chrome and IE shortcuts pinned on the taskbar.

Module list under System:
https://pan.baidu.com/s/1bUEZRs7evcJFeUd1EnGPXw

CodePudding user response:

The two starting with proc are the procmon and procexp mentioned above; there should be no problem.
The several starting with k are ksafe, Kingsoft Antivirus? From the information above you have MSE enabled in the system, so this Kingsoft one could be removed.
dump_...: what are those? Looking at the post you linked, is it that one? It may be a packaged copy. Delete the driver files to the recycle bin, or set the driver start mode to "disabled" and try? If the driver file is still there afterwards, or the start mode is restored to normal, there is other protection at work.
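An added example, not from this reply or the thread: a PowerShell check that lists driver services whose image file is missing on disk or lives outside the Windows directory, with their start mode and Authenticode status, which is the "file does not exist" and "not Microsoft" triage the replies describe. It only sees drivers registered with the Service Control Manager (Win32_SystemDriver), not every module Process Explorer shows under System; Resolve-DriverPath is this example's own helper.

```powershell
# Added example (not the thread's own code): flag running driver services whose binary
# is missing or outside %SystemRoot%, and show their start mode for triage.
function Resolve-DriverPath {
    param([string]$PathName)
    if (-not $PathName) { return $null }
    $p = $PathName.Trim('"')
    # SCM stores kernel driver paths in several NT-style forms; normalise them.
    $p = $p -replace '^\\\?\?\\', ''                                   # \??\C:\... -> C:\...
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot                  # \SystemRoot\... -> C:\Windows\...
    $p = $p -replace '^system32\\', (Join-Path $env:SystemRoot 'System32\')  # system32\drivers\x.sys
    return $p
}

function Get-SuspiciousDriver {
    Get-CimInstance Win32_SystemDriver | ForEach-Object {
        $path      = Resolve-DriverPath $_.PathName
        $exists    = [bool]($path -and (Test-Path -LiteralPath $path))
        $inWindows = [bool]($path -and $path.StartsWith($env:SystemRoot, [System.StringComparison]::OrdinalIgnoreCase))
        # Signature status is only meaningful when the file is actually present.
        $sig = if ($exists) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'NoFile' }

        if ($_.State -eq 'Running' -and (-not $exists -or -not $inWindows -or $sig -ne 'Valid')) {
            [pscustomobject]@{
                Name       = $_.Name
                StartMode  = $_.StartMode      # "Boot", "System", "Auto", "Manual", "Disabled"
                Path       = $path
                FileExists = $exists
                InWindows  = $inWindows
                Signature  = $sig
            }
        }
    }
}

Get-SuspiciousDriver | Format-Table -AutoSize

# To disable a flagged driver service before a reboot (the action this reply suggests),
# run as administrator with the service name from the Name column:
#   sc.exe config <ServiceName> start= disabled
```

A running driver whose FileExists is False is the situation the next reply describes, and StartMode shows whether disabling it through the SCM is even possible; third-party security drivers under Program Files will also appear here because they are outside the Windows directory, so check the Signature column before deciding anything.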

CodePudding user response:

After uninstalling Kingsoft:
There are two files beginning with "dump_", "dump_dumpfve.sys" and "dump_dumpata.sys", located in "C:\Windows\System32\Drivers", but the two files don't actually exist. I created the two as empty files, denied all permissions on them, and restarted.
System still has a module loaded from "C:\Windows\System32\Drivers\dump_dumpata.sys", the timestamp is still "1970/1/1 8:00:00", but "dump_dumpfve.sys" is gone; the shortcut-suffix behaviour still exists; the two empty files I created are still in the "C:\Windows\System32\Drivers" directory.

Driver start mode???

CodePudding user response:

Safe Mode with Networking

CodePudding user response:

The approach in the post above is to create a directory with the same name to prevent it from generating the file; overall it looks very troublesome.

CodePudding user response:

See the 7th-floor reply; still can't find the problem. Is there any way to interrupt the pin-to-taskbar operation and check it step by step?

CodePudding user response:

About this question: I had a similar problem and just solved it myself today!! You can try this:
https://bbs.csdn.net/topics/392392987