Editor's note: For security reasons, "http" has been temporarily changed to "hxxp" in the links below. Please pay attention!

While surfing the web, we find that the browser homepage has been changed to "hxxp://hao123.union123.***/index.htm". Stranger still, opening IE automatically redirects to the page "hxxp://**.kuaiso.com/". It seems likely that the domain name has been hijacked by malicious software. Looking again, we find that two links, "ringtones download" and "Entertainment interactive portal", have been added to the system Favorites, with the addresses "hxxp://u.7town.***/pub/mms/7/index.html?uid=19612" and "hxxp://***.eqibbs.com/".

A scan with System Repair Engineer turns up some clues:

    [Jsefusf/jsefusf][stopped/auto Start]
    [pid:700] [\??\c:\windows\system32\winlogon.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [c:\windows\System32\jsefusf.dll] [Microsoft Corporation, N/A]

It is still posing under the Microsoft banner!

After it is run, this malware deletes itself and places a copy of itself in the %system% directory as %system%\jsefusf.exe. At the same time it copies a batch file, %system%\killme.bat, to %system%; this batch file also deletes itself automatically. It also creates %system%\jsefusf.dll. In the registry, it creates the service entry HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\JSEFUSF. The file created in the system is %system%\jsefusf.exe; after it releases %system%\jsefusf.dll, the DLL is also inserted into the Winlogon.exe process.

Once the mechanism is known, the removal method follows from it. First, delete the service entry in the registry: select Start -> Run, enter regedit, then expand HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ and remove the JSEFUSF key inside. In the IE browser's "Properties" option, change the homepage back. Then restart the computer.
After entering the system, locate and delete the following two files:

%system%\jsefusf.exe
%system%\jsefusf.dll

Here "%system%" refers to your system folder. You can also search for the files directly, then find and delete them.

Responsible Editor: Snowflake (TEL: (010) 68476636-8008)

Original title: Homepage was changed to Union123 and quick Search solution
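The two scan clues described above (an auto-start service, and a DLL inside winlogon.exe that names Microsoft as its company but carries no file version) can be checked mechanically. The following is an added example, not part of the original article or of System Repair Engineer; the sample log is constructed in the bracketed layout quoted above, and the function names are hypothetical.

```python
import re

# Constructed sample in the bracketed layout of the scan output quoted above.
SAMPLE_LOG = r"""
[Jsefusf/jsefusf][Stopped/Auto Start]
[PID: 700][\??\C:\WINDOWS\system32\winlogon.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [C:\WINDOWS\system32\msgina.dll] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [C:\WINDOWS\System32\jsefusf.dll] [Microsoft Corporation, N/A]
"""

FIELD = re.compile(r"\[([^\]]*)\]")


def basename(path):
    """Lower-cased file name of a Windows path, including \\??\\ prefixed ones."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_suspect_modules(log_text):
    """Return [(process, module_path, reasons)] for modules worth a manual look."""
    services, modules, process = set(), [], None
    for line in log_text.splitlines():
        fields = [f.strip() for f in FIELD.findall(line)]
        if len(fields) < 2:
            continue
        if "auto start" in fields[1].lower():
            # Service record: [name/display name][state/start type]
            services.update(n.strip().lower() for n in fields[0].split("/"))
            continue
        if fields[0].lower().startswith("pid:"):
            # Process record; any fields after the first three are modules
            process, fields = basename(fields[1]), fields[3:]
        for path, info in zip(fields[0::2], fields[1::2]):
            if process and "," in info:
                company, version = (p.strip() for p in info.split(",", 1))
                modules.append((process, path, company, version))

    findings = []
    for process, path, company, version in modules:
        reasons = []
        if "microsoft" in company.lower() and version.upper() == "N/A":
            reasons.append("claims Microsoft but has no file version")
        if basename(path).rsplit(".", 1)[0] in services:
            reasons.append("name matches an auto-start service")
        if reasons:
            findings.append((process, path, reasons))
    return findings
```

Both checks are heuristics for triage: a flagged module should be confirmed by hand before anything is deleted.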