Desktop Malicious shortcuts Repair Tips

Rising experts to a typical case to everyone a superficial analysis, will deal with the experience with you to share, to the actual problem of everyone to do a "model lead" role.

Viral phenomena

A) The desktop has a number of "stubborn" shortcuts, such as "Free movie", "Taobao shopping", "beautiful pictures" and so on, some of which are counterfeit "fake IE browser icon-inteenet explooer", the above "stubborn icon" can not be deleted manually, delete prompt file is being used by another user or program.

b) The Internet Explorer homepage is changed to Http://www.bubu888.com/ie122-JB every time, even if the IE homepage is set to blank, it will still be "accessed" after opening ie, the navigation site called "My URL navigation".

c) An exception process with the same name as the system process "Explorer.exe" and "Smss.exe" appears in the system.

Analysis and thinking

When users try to remove shortcuts to these exceptions, the prompt that pops up is the default prompt for Windows. This hint is not strange, obviously, these shortcuts are actually being used by other programs when they are deleted, which is probably a malicious way to protect the virus, for such cases can try to from the exception of the process or the exception of the dynamic link library, the exception item check more reasonable.

Although the IE has been explicitly set to use "blank page", but the page is still the default access to an address, and this action seems to invoke some of the features of IE itself, forcing IE to access some of the addresses. This should try to comb from IE's registry add-on.

Detection and manual processing methods

Detection Tool: Wsyscheck

1. Delete exception process

Using Wsyscheck, the directory in which the exception process "Explorer.exe" and "Smss.exe" is located differs from the directory where the normal "Explorer.exe" and "Smss.exe" system processes are located.

After using Wsyscheck to select the exception process, right-click on "End Process and delete file" in the menu.

2. Delete Exception registry load

Using Wsyscheck, switch to "security check"-"IE secure" item, you can find three exceptions registry loading information, right click on the menu "repair the selected" to clear the exception of IE browser loading project.

3. Delete exception "Start Menu"-"Start" item

Using Wsyscheck, you can switch to the "Security check"-"Active Files" item and find the exception shortcut in the "All user[Start" menu program startup directory of the system. Right-click on "Repair Selected" in the menu to clear the exception shortcut to start loading the project.

Summarize

After doing this, try to manually remove the desktop a few annoying shortcuts will find that these annoying shortcuts can finally be successfully deleted! Then open IE browser to see, now also not "be visited" that "URL navigation Station", the default is to stay in the author set "Blank Page" on.

At this point, for the user encountered this "desktop malicious shortcut" is treated as clean, nothing more than the default browser loading project from the registry, exception files and the start of the exception, the beginning of the project, layers of cobwebs-like processing.