How it started
After trying a lot of video players I always come back to PotPlayer as the most practical one: small, ffmpeg-based, with strong hardware decoding. Yesterday I reinstalled Windows 10 and had to reinstall PotPlayer, so I searched on Baidu, which led me to http://www.potplayer.org/. What it offered was a network-disk link. I downloaded and unpacked it, found a Setup.exe with a browser icon, and clicked it without thinking. It prompted for admin permissions and I clicked Yes. The installer interface never appeared, not even after a long wait .....
Then, as you can guess, my browser now opens straight to 3456.com!!
First, from previous experience, this kind of thing is usually done through the shortcut. I checked the shortcut's Properties: no parameters on the shortcut. Double-clicking the EXE directly also opened the browser on 3456.com. The process looked normal, no anomalies. The browser configuration was also normal.
Is a DLL module being injected?
I opened Process Hacker 2 and looked at the DLL modules: basically all normal DLLs.
But then I noticed something: when the process starts, its command line has parameters!!!
Started by double-clicking the EXE, and yet there are parameters??
Has it gotten into the kernel? ╮(╯▽╰)╭
http://a.virscan.org/
Without further ado, I first used http://a.virscan.org/ to see exactly what that click on setup.exe did.
Record page: http://a.virscan.org/f77c649f2664663bbc53037226017129
Partial results (key behaviors from the report):
Behavior: File mapping opened with write permission. Details:
  Cicerosharedmemdefaults-*local\urlzonessm_administrator
  dfsharedheap3d484a
  \windows\system32\zh-Cn\wshext.dll.mui
  MSCTF.MarshalInterface.FileMap.MLJ.JEDHH
  MSCTF.MarshalInterface.FileMap.MLJ.B.JFDHH
  MSCTF.MarshalInterface.FileMap.MLJ.C.JFDHH
  MSCTF.MarshalInterface.FileMap.MLJ.D.JFDHH
  MSCTF.MarshalInterface.FileMap.MLJ.E.JFDHH
  MSCTF.MarshalInterface.FileMap.MLJ.F.JFDHH
  MSCTF.MarshalInterface.FileMap.MLJ.G.JFDHH
  \windows\setupapi.log
Behavior: Load driver. Details:
  System32\drivers\mslmedia.sys
Behavior: Set special folder attributes. Details:
  C:\Documents and Settings\administrator\local settings\temporary Internet Files
  C:\Documents and Settings\administrator\local settings\temporary Internet files\content.ie5
  C:\Documents and Settings\Administrator\Local Settings\History
  C:\Documents and Settings\Administrator\Local settings\history\history.ie5
  C:\Documents and Settings\administrator\cookies
Behavior: Create system service. Details:
  [Service creation succeeded]: Mslmedia, System32\drivers\mslmedia.sys
So right after launch, setup.exe did just two things: add a driver and add a service!!
As everyone knows, a driver runs with the system and cannot be seen in Task Manager!! And this Mslmedia service is not visible in Service Manager either!! What a trap!
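The checks below are an added example, not part of the original post: they reproduce the triage described above (browser command line, a service present in the registry but absent from the service list, a driver file to inspect) from an elevated PowerShell on Windows 10. Only the names Mslmedia and mslmedia.sys come from the a.virscan.org report quoted earlier; the browser name list, the helper function and the "not signed by Microsoft" filter are assumptions of mine. Step 3 goes beyond the single name and lists every kernel or file-system driver entry worth a look.

```powershell
# Added example, not part of the original post: triage checks for the symptoms described above.
# Assumed: an elevated PowerShell on Windows 10. The names "Mslmedia" and "mslmedia.sys" come
# from the a.virscan.org report quoted earlier; everything else here is an assumption.

$suspect  = 'Mslmedia'
$services = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Resolve-ImagePath([string]$p) {
    # ImagePath values appear as \??\C:\x.sys, \SystemRoot\x.sys or System32\drivers\x.sys;
    # turn each into an ordinary absolute path.
    if (-not $p) { return $null }
    $p = $p.Trim('"')
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

# 1. The command line each browser process was actually started with. A URL here, while the
#    shortcut itself has no arguments, means the parameter is being added at launch time.
Get-CimInstance Win32_Process |
    Where-Object { $_.Name -match '^(chrome|msedge|iexplore|firefox)\.exe$' } |
    Select-Object ProcessId, ParentProcessId, Name, CommandLine |
    Format-List

# 2. Is the service defined in the registry even though services.msc / Get-Service do not show it?
$key = Join-Path $services $suspect
if (Test-Path $key) {
    $svc = Get-ItemProperty $key
    "Registry entry: Type=$($svc.Type) Start=$($svc.Start) ImagePath=$($svc.ImagePath)"
    "Listed by Get-Service:         " + [bool](Get-Service -Name $suspect -ErrorAction SilentlyContinue)
    "Listed as Win32_SystemDriver:  " + [bool](Get-CimInstance Win32_SystemDriver -Filter "Name = '$suspect'")
} else {
    "No registry entry for $suspect"
}

# 3. Wider net than the single name: every kernel/file-system driver entry (Type 1 or 2) whose
#    image is missing, fails signature verification, or is signed by someone other than Microsoft.
#    On 64-bit Windows 10 a driver normally has to be signed to load at all, so "not Microsoft"
#    is the useful filter, not "unsigned". Legitimate third-party drivers (GPU, VPN) will also
#    appear; the point is a short list you can read through by hand.
Get-ChildItem $services | ForEach-Object {
    $p = Get-ItemProperty $_.PSPath
    if ($p.Type -notin 1, 2) { return }
    $img = Resolve-ImagePath $p.ImagePath
    if (-not $img) { return }
    $exists = Test-Path $img
    $sig    = if ($exists) { Get-AuthenticodeSignature $img } else { $null }
    $signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    if (-not $exists -or $sig.Status -ne 'Valid' -or $signer -notmatch 'Microsoft') {
        [pscustomobject]@{
            Service = $_.PSChildName
            Image   = $img
            Status  = if ($exists) { $sig.Status } else { 'FILE MISSING' }
            Signer  = $signer
            SHA256  = if ($exists) { (Get-FileHash $img -Algorithm SHA256).Hash } else { $null }
        }
    }
} | Format-Table -AutoSize
```

Read step 3 as a starting point rather than a verdict: if it comes back long and full of inbox drivers under System32\drivers reporting NotSigned, that PowerShell build is not checking catalog signatures, and the useful columns are then Image and SHA256 (which you can compare against the record page above) rather than Status.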
Cleanup
What remained was to deal with it item by item, following the a.virscan.org record: delete the registry value it created, delete the System32\drivers\mslmedia.sys file, delete the Mslmedia service, then restart. Done. Of course the removal is a bit tedious: uninstalling the service needs a tool, and deleting the SYS file needs permissions!
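As an added example that is not part of the original post, this is the cleanup described above carried out from an elevated PowerShell on Windows 10, with the two points the post flags (the service needs a tool to remove, the SYS file needs permissions) handled in code. The service and driver names come from the a.virscan.org report; the evidence directory, the use of sc.exe / takeown / icacls, and the reboot-time deletion fallback are my own choices.

```powershell
# Added example, not from the original post: the cleanup described above, carried out from an
# elevated PowerShell on Windows 10. Assumed: the service and driver names from the
# a.virscan.org report; the evidence directory and the ordering of steps are my own choices.

$svcName = 'Mslmedia'
$driver  = Join-Path $env:SystemRoot 'System32\drivers\mslmedia.sys'
$key     = "HKLM:\SYSTEM\CurrentControlSet\Services\$svcName"

# Keep a copy of what you are about to destroy; the hash and the .reg export are useful later.
$evidence = Join-Path $env:TEMP "hijack-evidence-$(Get-Date -Format 'yyyyMMdd-HHmmss')"
New-Item -ItemType Directory -Path $evidence | Out-Null
if (Test-Path $key) {
    reg.exe export "HKLM\SYSTEM\CurrentControlSet\Services\$svcName" (Join-Path $evidence "$svcName.reg") /y | Out-Null
}
if (Test-Path $driver) {
    Copy-Item $driver $evidence
    (Get-FileHash $driver -Algorithm SHA256).Hash | Out-File (Join-Path $evidence 'mslmedia.sys.sha256')
}

# 1. Stop and delete the service through the Service Control Manager. sc.exe reaches entries
#    that services.msc does not display. A loaded driver that will not stop is marked for
#    deletion and is removed at the next boot.
sc.exe stop   $svcName
sc.exe delete $svcName

# 2. If the registry key is still there, remove it directly; it is what the boot-time loader reads.
if (Test-Path $key) { Remove-Item $key -Recurse -Force }

# 3. The .sys may be owned by another account (SYSTEM or TrustedInstaller), so take ownership and
#    grant yourself full control before deleting. If the kernel still has it loaded the delete
#    fails; then queue it for the next boot through PendingFileRenameOperations
#    (source path followed by an empty target means delete).
if (Test-Path $driver) {
    takeown.exe /F $driver | Out-Null
    icacls.exe $driver /grant "$($env:USERNAME):F" | Out-Null
    Remove-Item $driver -Force -ErrorAction SilentlyContinue
    if (Test-Path $driver) {
        $smKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
        $pending = @()
        $old = (Get-ItemProperty $smKey -Name PendingFileRenameOperations -ErrorAction SilentlyContinue).PendingFileRenameOperations
        if ($old) { $pending += $old }
        $pending += "\??\$driver"
        $pending += ''
        Set-ItemProperty $smKey -Name PendingFileRenameOperations -Value ([string[]]$pending) -Type MultiString
    }
}

# 4. Reboot, then check again: the key and the file should be gone and the browser's
#    command line should carry no URL.
Restart-Computer -Confirm
```

After the reboot, confirm that Test-Path on both $key and $driver returns False and that the browser processes start without the extra parameter; if the key reappears, something else on the machine is recreating it and the cleanup above was not the whole story.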
After the reboot the browser opens normally!
That is my record of undoing the browser home page hijack to 3456.