Introduction to internat.exe System Processes

[Internat.exe]
Process file: internat or internat.exe
Process name: Input Locales
Description: This input control icon is used to change settings similar to country, keyboard type, and date format. Internat.exe starts running at startup. It loads different input points specified by the user. The Input Point is from the Registry location HKEY_USERS \. DEFAULT \ Keyboard Layout \ Preload to load the content. Internat.exe loads the "EN" icon into the system's icon area, allowing users to easily convert different input points. When the process is stopped, the icon disappears, but the input point can still be changed through the control panel.
Introduction: many people may mistakenly think that internat is related to the network. In fact, it is not because it is a word different from the internet. Here, internat is a tool for the input method icon, generally, only one input method in the local machine does not need to be run. (The En icon in the taskbar). If your task column does not have an enable icon, and the system has an internat.exe process, stop the process and run the internat command.
Internat.exe error message appears when Riprep.exe is run on a computer with Multiple Input Method settings
Http://support.microsoft.com/default.aspx? Scid = kb; zh-cn; 245264
Qq password detection 1.1The Trojan program will pretend to be an internat.exe Process
Listening principle: the monitoring program is pseudo-installed as the windows Startup File internat.exe, and the file with the same name in the original system directory is copied to the windows directory. Then, the directory file is renamed as SMAXINTE. EXE to start the stealth background operation. Sqwin. ini in the windows directory is its running record file. Create three primary keys in the Registry
HKEY_CURRENT_USER \ Software \ Microsoft \ Windows \ CurrentVersion \ ask
HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Windows \ CurrentVersion \ ask
HKEY_USERS \. DEFAULT \ Software \ Microsoft \ Windows \ CurrentVersion \ ask
Put the email address, number of passwords, and other information in
HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Windows \ CurrentVersion \ ask \ Software \ Services \ Security \ Common \ SoftWare \ ControlsFolder \ Reconciliation \ Policies \ Retriction \ Adspopware \ Connection Wizard Explorer \ ShellServiceObjectDelayLoad \ Windows Messaging subsystem \ ProtectedStorage
Start: runs in the background as the system starts.
External representation: contains a file with a length of about 37 KB.
Countermeasure: Delete the internat.exe and sqwin. ini files in the Windows directory. Because the listening program in the system is running, it cannot be deleted directly. You can delete the files in the following ways:
Bytes
2. Change the system attribute of INTERNAT. EXE to normal, return to pure DOS, delete INTERNAT. EXE in system, change smaxinte.exeto internat.exe to understand the Registry, and then delete
HKEY_CURRENT_USER \ Software \ Microsoft \ Windows \ CurrentVersion \ ask
HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Windows \ CurrentVersion \ ask
HKEY_USERS \. DEFAULT \ Software \ Microsoft \ Windows \ CurrentVersion \ ask three key
Summary: It is highly concealed, and the disguise is very good. There are basically no obvious vulnerabilities. It is a professional-level theft program.