paip. everything exe 文件不能启动的解决
作者Attilax , EMAIL:1466519819@qq.com
来源:attilax的专栏
地址:http://blog.csdn.net/attilax
现象:
--------------------
everything不能双击运行。。。icesword的也不能双击运行,,其他exe都可以运行...奇怪..
不个文件名字更改了还是不能运行..换成com,bat还是不行..
不过在CMD下却能运行了.....奇怪..
分析:
-------------------
估计十哪个软件监视这个exe,要不就不个系统HOOT兰....
先查进程..路径:C:WINDOWSsystem32ftct5.exe...结束不了,,只好用ntsd -c q -p PID不个它结束类k...在使用360不个它粉碎兰...扎实
马奇怪的,陌生的软件兰...
三,还是弄个..估计是HOOT兰
解除hook
---------------------
下载超级巡警(解决各种木马 启动方式等) v2.0 专业版 AstZYB,能查看隐藏驱动了,功能不弄全面....删除垒砌,还是弄个..
下载A盾电脑防护LE2012-0.4.3 (A-Protect-LE2012-0.4.3.rar),就是原来的3600safe..这个功能全面,icesword雅十..不个HOOK恢复,复
原,归还孪不少..还是弄个..
下载360杀毒软件,浏览,细察,扫描,还是弄个..
查看EXE运行原理,双击的时候,exploree.exe获得文件名称,在调用createprocess函数开始,着手,发动...
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWinlogon
shell==Explorer.exe
运行processmonitor... 监视exeplorer..果然有效果了..
查看到调用C:WINDOWSsystem32ftct5.exe这里,,,,这个健康上网专家5的文件阿...
右键,stack, 查看调用顺序,看到个C:WINDOWSsystem32ftcomdll5.dll...
A-Protect能查看到了,就是卸载不了,,ICESWORD还是看不见..这个dll利害阿..肯定十hook兰..拿360不个哪粉碎兰..在结束explorer..扎
实ok兰...能正常运行EVERYTHING,ICESWORD兰...
后记:ftcomdll5.dll是如何挂载上k的??
----------------------------------------------
[HKEY_CLASSES_ROOTCLSID{25B7458A-04D4-4F6A-A182-BA0F360076DD}InprocServer32]
@="C:\WINDOWS\system32\ftcomdll5.dll"
"ThreadingModel"="Apartment"
[HKEY_CLASSES_ROOTCLSID{D47B4CE7-E795-49C7-B4CA-770E35BF6261}InprocServer32]
@="C:\WINDOWS\system32\ftcomdll5.dll"
"ThreadingModel"="Apartment"
[HKEY_CLASSES_ROOTTypeLib{E158932E-BAB1-4207-B617-E1F7B39FC0DB}1.0�win32]
@="C:\WINDOWS\system32\ftcomdll5.dll"
[HKEY_LOCAL_MACHINESOFTWAREClassesCLSID{25B7458A-04D4-4F6A-A182-BA0F360076DD}InprocServer32]
@="C:\WINDOWS\system32\ftcomdll5.dll"
"ThreadingModel"="Apartment"
[HKEY_LOCAL_MACHINESOFTWAREClassesCLSID{D47B4CE7-E795-49C7-B4CA-770E35BF6261}InprocServer32]
@="C:\WINDOWS\system32\ftcomdll5.dll"
"ThreadingModel"="Apartment"
[HKEY_LOCAL_MACHINESOFTWAREClassesTypeLib{E158932E-BAB1-4207-B617-E1F7B39FC0DB}1.0�win32]
@="C:\WINDOWS\system32\ftcomdll5.dll"
健康上网专家5是如何识别everything的..??
--------------------------------------
根据processmonitor... 监视exeplorer.的结果,效果,后果...
C:Program Filesd2Feiteng5pgkl.cab ,这是个txtfile,里面就是表,名单....原来中个阿...
[safesoft]
System Repair Engineer
XueTr
SuperKill
endoscope
Wang6071@sina.com.cn
DelDos
wsyscheck.exe
icesword.exe
unlocker.exe
PESetup.EXE
SnipeSword.exe
TuneUp Utilities
gmer.exe
ATool
IERepair
48bcabcfd7ef65a6575d9cd11a33b820
7644e1478137384f5c151ad4c5f69f39
Everything
Finder
光速搜索
240d43a5795207a3b86340c67385b1a2
SuperCare.exe
68fc34ff46ac68fdd26f9ec0ac8a941f
KusoDesktop.exe
7d77d9613e4c3917362191ffeb34b889
0c368d8e53517060d73e0899908cebad
LookDisk
9bf2a4d14bf55b8802083b1531331008
KeyboardSpy.exe
RunPCSC
41977d276dc014995c207f705517ea85
pcsc.exe
iPCSC.exe
6e66730605d312cb3ae6eda377631e19
c1da9c4c39d35b8a6176a13deb40aa0b
MouseKeyRecord
76336e91d4002d81ce765913ecea1132
a3162fa1f10bf90d573e8b1386271d6e
6d907ff8192cd32975a7f176d1f3ba99
9d14b1fb7214ff7520f9b9884bf95c5b
c41d858b416882d07cfc0e01d217ad64
MT Digital Co.,Ltd.
8bced5cedac1ae30d32ddcea30b7744a
1da9d802d957d3dc175e6d80f9dee415
57effc7e660eb3d84216f1b00982ace3
e446cb7dc2d368777eaed5dd2250cb89
4aaabe7188289acfc25168741072906c
Macro Service Desktop Wnd
Macro Service
f26c67a54f334bdd73fdc08f331519a5
KeyboardPrier.exe
kszz.exe
参考:
一个exe可执行文件的生与死(运行原理) - 豆丁网.htm