Stupid Renaming Hidden File


DexterII

On one of my computers I have a stupid bugger in my system32 directory. With a quick view using the attrib command in DOS I can see that its attributes are SHR, which is why I don't see it when viewing it in Explorer. Now it also put itself in my RunOnce registry key, with data set to 'c:\windows\system32\ksd1uc.exe \k', allowing it to start up. However, if I remove the attributes, delete the file and remove the key from the registry, it still starts up again with the computer, only it renames itself to something else .exe. It only uses 6 characters, apparently random at that, since at one point it was named 'ksd1uc.exe'. This is the one I am using in this explanation.

So my first guess was there is a hidden task running in the background that checks that the key is set in the registry and the file exists in system32. But no, my guess was wrong. Kind of, I think. I noticed iexplorer.exe writes the key to the registry. I found this using Regmon. Whenever I delete the startup of this pest from the RunOnce key in the registry it will remain gone until I open Internet Explorer. So what the hell?? Is it hiding inside iexplorer.exe?

Once Internet Explorer is running, once in a while when switching from site to site a popup will appear, and along with it a new running task appears with random characters as a name, different from the task name in the RunOnce key. The popup is not started from iexplorer; something in the background brings this up only when Internet Explorer is running. I can't figure this one out; usually I'm good at removing these mother f*ckers without needing a virus scanner or Ad-aware. But neither seems to work either. Help!
 

Zur

The first step is to run HijackThis. This usually makes any changes stand out. Unfortunately those spyware scoundrels have found a way to make processes invisible, so you might have to get hold of tlist and kill.exe.
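A read-only check that turns DexterII's manual attrib/regedit inspection and Zur's autostart-scanning advice into a script, added here as an example (it is not code from the thread, from HijackThis or from any other tool mentioned). It assumes PowerShell 3 or later on the affected machine, and it treats the 6-character random name as a heuristic taken from the post, not a general rule:

```powershell
# Added example: enumerate Run/RunOnce autostart values and flag entries that match the
# pattern described in the thread: an executable in system32 carrying the
# Hidden+System+ReadOnly (SHR) attributes, especially one with a short random name.
# The script only reads the registry and file attributes; it changes nothing.
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$sys32 = Join-Path $env:SystemRoot 'system32'

function Test-Shr([IO.FileAttributes]$attr) {
    # True when all three of Hidden, System and ReadOnly are set (what 'attrib' shows as SHR)
    return $attr.HasFlag([IO.FileAttributes]::Hidden) -and
           $attr.HasFlag([IO.FileAttributes]::System) -and
           $attr.HasFlag([IO.FileAttributes]::ReadOnly)
}

foreach ($key in $keys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-ItemProperty -Path $key
    foreach ($prop in $item.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }          # skip PSPath, PSChildName, etc.
        $cmd = [string]$prop.Value
        # Extract the executable: a quoted "..." path, or the first token before any switch
        if ($cmd -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
        else { $exe = ($cmd -split '\s+')[0] }
        $exe = [Environment]::ExpandEnvironmentVariables($exe)
        if (-not (Test-Path -LiteralPath $exe)) {
            Write-Output "$key\$($prop.Name): target missing -> $cmd"
            continue
        }
        $f = Get-Item -LiteralPath $exe -Force            # -Force is needed to see hidden files
        $inSys32     = $f.DirectoryName -ieq $sys32
        $shortRandom = $f.BaseName -match '^[a-z0-9]{6}$' # e.g. ksd1uc.exe from the post
        if ((Test-Shr $f.Attributes) -or ($inSys32 -and $shortRandom)) {
            Write-Output ("SUSPECT {0}\{1} -> {2} [attrs: {3}]" -f $key, $prop.Name, $exe, $f.Attributes)
        }
    }
}

# Also sweep system32 for SHR executables directly, since the file stays on disk
# even after the RunOnce value has been removed (the 'attrib' view from the post).
Get-ChildItem -LiteralPath $sys32 -Filter *.exe -Force -File |
    Where-Object { Test-Shr $_.Attributes } |
    ForEach-Object { Write-Output "SHR exe in system32: $($_.Name)" }
```

Run it from an elevated prompt, and treat a hit as a lead to verify (file hash, signature, creation time) rather than proof on its own, because legitimate installers occasionally leave RunOnce entries behind.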