Why does the explorer.exe process request the player.uusee.com domain name?
Bai Yi Zi asked 2 months ago

Through Fiddler I found that the Windows explorer.exe process requests this address from time to time: http://player.uusee.com/transformer/client_2011/daoshi/browseControllerEncrypt.ini. I looked at the binary data returned and felt this was rogue software, but I don’t know where to look to find it.
Attached request packet:

GET http://player.uusee.com/transformer/client_2011/daoshi/browseControllerEncrypt.ini HTTP/1.1
User-Agent: downloadSession
Host: player.uusee.com
Pragma: no-cache


HTTP/1.1 200 OK
Accept-Ranges: bytes
Age: 729
Cache-Control: max-age=600
Content-Length: 1910
Content-Type: text/plain
Date: Fri, 17 Jun 2016 07:04:57 GMT
Etag: "5099d1e-776-51d315a87b740"
Expires: Fri, 17 Jun 2016 07:04:44 GMT
Last-Modified: Thu, 13 Aug 2015 13:31:33 GMT
Server: Apache
Via: CNC-TJSX-19-24 (DLC-3.0), XNOP013-CT-JXJJ-C-234-57 (DLC-3.0)

4 Answers
Best Answer
Darkseid answered 2 months ago

There are many possible causes:
Hooking, remote thread injection, DLL hijacking and so on can all do this. All possibilities point to one conclusion: “you are infected (with rogue software)”.
The best solution is to reinstall the system. Pay attention to security during the reinstallation:

  • Use an official image
  • If it is pirated, find or set up a KMS server and activate the system with the KMS command. Never use a crack tool from a Baidu search

If you want to tackle the problem head-on, here are some ideas:

  • Use Autoruns to check whether any startup items or add-ins look abnormal
  • Use Process Explorer to check whether any DLL module loaded by explorer.exe is abnormal, but this requires familiarity with the Windows DLL environment; otherwise you can only check by path.
  • If you are sure you cannot find the cause of the explorer.exe problem, congratulations: you may have a rootkit Trojan. Please reinstall.
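As an added illustration (not code from the thread), here is a small Python triage of the captured exchange from the question, applying the kind of checks the answer above suggests: an unexpected originating process, a non-browser User-Agent, and a "text/plain" .ini whose body is not readable text. The capture layout (process name, request, blank line, response) is assumed for this example, and the response body is constructed bytes standing in for the non-printable data the asker saw.

```python
import string

PRINTABLE = set(string.printable)

# Constructed sample in a simple capture layout (assumed, not Fiddler's own
# format): process name, request, blank line, response. Headers are the
# ones from the question; the body is constructed bytes standing in for
# the non-printable payload the asker saw.
SAMPLE = (
    "explorer.exe\n"
    "GET http://player.uusee.com/transformer/client_2011/daoshi/browseControllerEncrypt.ini HTTP/1.1\n"
    "User-Agent: downloadSession\n"
    "Host: player.uusee.com\n"
    "\n"
    "HTTP/1.1 200 OK\n"
    "Content-Type: text/plain\n"
    "\n"
    "m<[Gl_n8JPAO\x07;[\x01\x02\x8a\x9f\xe3\x00\x1b\x7f\xfe\x1c\x10\x05\x0e"
)

def parse_capture(raw: str) -> dict:
    """Split the capture into process, request line/headers, response headers, body."""
    process, rest = raw.split("\n", 1)
    request, response = rest.split("\n\n", 1)
    req_lines = request.split("\n")
    method, url, _version = req_lines[0].split(" ", 2)
    req_headers = dict(l.split(": ", 1) for l in req_lines[1:] if ": " in l)
    head, _, body = response.partition("\n\n")
    resp_headers = dict(l.split(": ", 1) for l in head.split("\n")[1:] if ": " in l)
    return {"process": process, "method": method, "url": url,
            "req_headers": req_headers, "resp_headers": resp_headers, "body": body}

def printable_ratio(body: str) -> float:
    """Share of printable characters; a real .ini file is close to 1.0."""
    return 1.0 if not body else sum(c in PRINTABLE for c in body) / len(body)

def triage(cap: dict) -> list:
    """Return the reasons this exchange deserves a closer look (empty if none)."""
    findings = []
    if cap["process"].lower() == "explorer.exe":
        findings.append("explorer.exe itself rarely originates HTTP; identify the loaded/injected module")
    ua = cap["req_headers"].get("User-Agent", "")
    if not ua.startswith("Mozilla/"):
        findings.append(f"non-browser User-Agent: {ua!r}")
    ctype = cap["resp_headers"].get("Content-Type", "")
    if ctype.startswith("text/") and printable_ratio(cap["body"]) < 0.9:
        findings.append(f"{ctype} body is mostly non-printable: likely an encrypted config")
    return findings
```

Running `triage(parse_capture(SAMPLE))` yields all three findings for the sample, while a normal browser request for an HTML page yields none.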
ivanilla answered 2 months ago

First block the domain name via the hosts file, then scan with anti-virus software.

xialeistudio answered 2 months ago

Is the OP’s system genuine?
I used a Ghost system, and it changed my hosts file every time I rebooted.
Localhost had been changed to a public IP address.
It’s a Ghost system problem.

Memories of time replied 2 months ago

A genuine system has Microsoft after-sales support. Security issues are lifelong.

suiteki answered 2 months ago

UUSee Internet TV?