My computer randomly launches a malicious ad pop-up program, located at C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\popAD.exe
It is an ad disguised as Sogou Input Method; clicking it redirects to a URL on iii3.net. Screenshot: http://101.132.115.120/?explorer/share/file&hash=2abfSrDDx20YrPISmYnueseOuCpeHrhLUBpae7AILuXpQoDJUhRte31e_jzJRnciKQKV (this is a simple network drive I set up on an Alibaba Cloud ECS instance I bought; if you don't trust it, don't click). Also, the program is signed, by 深圳市聚点互娱文化传媒有限公司.
I thought it was a Sogou ad, so I uninstalled Sogou Input Method, but it still appears.
I deleted the program, but it still gets regenerated and launched at random.
I analysed it with Process Explorer; the call chain is PerceptionSimulationService.exe -> backgroundTaskHost.exe -> popAD.exe
And the DLLs loaded by popAD.exe are all from C:\Windows\System32 and C:\Windows\SysWOW64.
How do I track down the culprit? Thanks in advance; if other screenshots are needed I'll attach them.
DLLs loaded by popAD.exe
Process: PopAD.exe Pid: 12244

| Name | Description | Company Name | Path |
|---|---|---|---|
| advapi32.dll | Advanced Windows 32 Base API | Microsoft Corporation | C:\Windows\SysWOW64\advapi32.dll |
| bcrypt.dll | Windows Cryptographic Primitives Library (Wow64) | Microsoft Corporation | C:\Windows\SysWOW64\bcrypt.dll |
| bcryptprimitives.dll | Windows Cryptographic Primitives Library | Microsoft Corporation | C:\Windows\SysWOW64\bcryptprimitives.dll |
| C_1252.NLS | | | C:\Windows\System32\C_1252.NLS |
| C_20127.NLS | | | C:\Windows\System32\C_20127.NLS |
| clbcatq.dll | COM+ Configuration Catalog | Microsoft Corporation | C:\Windows\SysWOW64\clbcatq.dll |
| combase.dll | Microsoft COM for Windows | Microsoft Corporation | C:\Windows\SysWOW64\combase.dll |
| comctl32.dll | User Experience Controls Library | Microsoft Corporation | C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.6926_none_a862dc10867520ec\comctl32.dll |
| CoreMessaging.dll | Microsoft CoreMessaging Dll | Microsoft Corporation | C:\Windows\SysWOW64\CoreMessaging.dll |
| CoreUIComponents.dll | Microsoft Core UI Components Dll | Microsoft Corporation | C:\Windows\SysWOW64\CoreUIComponents.dll |
| crypt32.dll | Crypto API32 | Microsoft Corporation | C:\Windows\SysWOW64\crypt32.dll |
| crypt32.dll.mui | Crypto API32 | Microsoft Corporation | C:\Program Files\WindowsApps\Microsoft.LanguageExperiencePackzh-CN_19041.81.277.0_neutral__8wekyb3d8bbwe\Windows\System32\zh-CN\crypt32.dll.mui |
| cryptbase.dll | Base cryptographic API DLL | Microsoft Corporation | C:\Windows\SysWOW64\cryptbase.dll |
| cryptnet.dll | Crypto Network Related API | Microsoft Corporation | C:\Windows\SysWOW64\cryptnet.dll |
| cryptsp.dll | Cryptographic Service Provider API | Microsoft Corporation | C:\Windows\SysWOW64\cryptsp.dll |
| d3d11.dll | Direct3D 11 Runtime | Microsoft Corporation | C:\Windows\SysWOW64\d3d11.dll |
| DataExchange.dll | Data exchange | Microsoft Corporation | C:\Windows\SysWOW64\DataExchange.dll |
| dcomp.dll | Microsoft DirectComposition Library | Microsoft Corporation | C:\Windows\SysWOW64\dcomp.dll |
| dhcpcsvc.dll | DHCP Client Service | Microsoft Corporation | C:\Windows\SysWOW64\dhcpcsvc.dll |
| dnsapi.dll | DNS Client API DLL | Microsoft Corporation | C:\Windows\SysWOW64\dnsapi.dll |
| dpapi.dll | Data Protection API | Microsoft Corporation | C:\Windows\SysWOW64\dpapi.dll |
| dxgi.dll | DirectX Graphics Infrastructure | Microsoft Corporation | C:\Windows\SysWOW64\dxgi.dll |
| FWPUCLNT.DLL | FWP/IPsec User-Mode API | Microsoft Corporation | C:\Windows\SysWOW64\FWPUCLNT.DLL |
| gdi32.dll | GDI Client DLL | Microsoft Corporation | C:\Windows\SysWOW64\gdi32.dll |
| gdi32full.dll | GDI Client DLL | Microsoft Corporation | C:\Windows\SysWOW64\gdi32full.dll |
| GdiPlus.dll | Microsoft GDI+ | Microsoft Corporation | C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.7291_none_d95545c5e100c6e6\GdiPlus.dll |
| iertutil.dll | Run time utility for Internet Explorer | Microsoft Corporation | C:\Windows\SysWOW64\iertutil.dll |
| imm32.dll | Multi-User Windows IMM32 API Client DLL | Microsoft Corporation | C:\Windows\SysWOW64\imm32.dll |
| IPHLPAPI.DLL | IP Helper API | Microsoft Corporation | C:\Windows\SysWOW64\IPHLPAPI.DLL |
| kernel.appcore.dll | AppModel API Host | Microsoft Corporation | C:\Windows\SysWOW64\kernel.appcore.dll |
| kernel32.dll | Windows NT BASE API Client DLL | Microsoft Corporation | C:\Windows\SysWOW64\kernel32.dll |
| KernelBase.dll | Windows NT BASE API Client DLL | Microsoft Corporation | C:\Windows\SysWOW64\KernelBase.dll |
| locale.nls | | | C:\Windows\System32\locale.nls |
| msasn1.dll | ASN.1 Runtime APIs | Microsoft Corporation | C:\Windows\SysWOW64\msasn1.dll |
| msctf.dll | MSCTF Server DLL | Microsoft Corporation | C:\Windows\SysWOW64\msctf.dll |
| msimg32.dll | GDIEXT Client DLL | Microsoft Corporation | C:\Windows\SysWOW64\msimg32.dll |
| mskeyprotect.dll | Microsoft Key Protection Provider | Microsoft Corporation | C:\Windows\SysWOW64\mskeyprotect.dll |
| msvcp_win.dll | Microsoft® C Runtime Library | Microsoft Corporation | C:\Windows\SysWOW64\msvcp_win.dll |
| msvcrt.dll | Windows NT CRT DLL | Microsoft Corporation | C:\Windows\SysWOW64\msvcrt.dll |
| mswsock.dll | Microsoft Windows Sockets 2.0 Service Provider | Microsoft Corporation | C:\Windows\SysWOW64\mswsock.dll |
| mswsock.dll.mui | Microsoft Windows Sockets 2.0 Service Provider | Microsoft Corporation | C:\Program Files\WindowsApps\Microsoft.LanguageExperiencePackzh-CN_19041.81.277.0_neutral__8wekyb3d8bbwe\Windows\System32\zh-CN\mswsock.dll.mui |
| ncrypt.dll | Windows NCrypt Router | Microsoft Corporation | C:\Windows\SysWOW64\ncrypt.dll |
| ncryptsslp.dll | Microsoft SChannel Provider | Microsoft Corporation | C:\Windows\SysWOW64\ncryptsslp.dll |
| netutils.dll | Net Win32 API Helpers DLL | Microsoft Corporation | C:\Windows\SysWOW64\netutils.dll |
| nsi.dll | NSI User-mode interface DLL | Microsoft Corporation | C:\Windows\SysWOW64\nsi.dll |
| ntasn1.dll | Microsoft ASN.1 API | Microsoft Corporation | C:\Windows\SysWOW64\ntasn1.dll |
| ntdll.dll | NT Layer DLL | Microsoft Corporation | C:\Windows\SysWOW64\ntdll.dll |
| ntdll.dll | NT Layer DLL | Microsoft Corporation | C:\Windows\System32\ntdll.dll |
| ntmarta.dll | Windows NT MARTA provider | Microsoft Corporation | C:\Windows\SysWOW64\ntmarta.dll |
| ole32.dll | Microsoft OLE for Windows | Microsoft Corporation | C:\Windows\SysWOW64\ole32.dll |
| oleacc.dll | Active Accessibility Core Component | Microsoft Corporation | C:\Windows\SysWOW64\oleacc.dll |
| oleaccrc.dll | Active Accessibility Resource DLL | Microsoft Corporation | C:\Windows\SysWOW64\oleaccrc.dll |
| oleaut32.dll | OLEAUT32.DLL | Microsoft Corporation | C:\Windows\SysWOW64\oleaut32.dll |
| OnDemandConnRouteHelper.dll | On Demand Connctiond Route Helper | Microsoft Corporation | C:\Windows\SysWOW64\OnDemandConnRouteHelper.dll |
| PopAD.exe | | | C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\PopAD.exe |
| profapi.dll | User Profile Basic API | Microsoft Corporation | C:\Windows\SysWOW64\profapi.dll |
| rasadhlp.dll | Remote Access AutoDial Helper | Microsoft Corporation | C:\Windows\SysWOW64\rasadhlp.dll |
| rpcrt4.dll | Remote Procedure Call Runtime | Microsoft Corporation | C:\Windows\SysWOW64\rpcrt4.dll |
| rsaenh.dll | Microsoft Enhanced Cryptographic Provider | Microsoft Corporation | C:\Windows\SysWOW64\rsaenh.dll |
| schannel.dll | TLS / SSL Security Provider | Microsoft Corporation | C:\Windows\SysWOW64\schannel.dll |
| sechost.dll | Host for SCM/SDDL/LSA Lookup APIs | Microsoft Corporation | C:\Windows\SysWOW64\sechost.dll |
| SHCore.dll | SHCORE | Microsoft Corporation | C:\Windows\SysWOW64\SHCore.dll |
| shell32.dll | Windows Shell Common Dll | Microsoft Corporation | C:\Windows\SysWOW64\shell32.dll |
| shlwapi.dll | Shell Light-weight Utility Library | Microsoft Corporation | C:\Windows\SysWOW64\shlwapi.dll |
| SortDefault.nls | | | C:\Windows\Globalization\Sorting\SortDefault.nls |
| srvcli.dll | Server Service Client DLL | Microsoft Corporation | C:\Windows\SysWOW64\srvcli.dll |
| sspicli.dll | Security Support Provider Interface | Microsoft Corporation | C:\Windows\SysWOW64\sspicli.dll |
| TextInputFramework.dll | "TextInputFramework.DYNLINK" | Microsoft Corporation | C:\Windows\SysWOW64\TextInputFramework.dll |
| twinapi.appcore.dll | twinapi.appcore | Microsoft Corporation | C:\Windows\SysWOW64\twinapi.appcore.dll |
| ucrtbase.dll | Microsoft® C Runtime Library | Microsoft Corporation | C:\Windows\SysWOW64\ucrtbase.dll |
| urlmon.dll | OLE32 Extensions for Win32 | Microsoft Corporation | C:\Windows\SysWOW64\urlmon.dll |
| user32.dll | Multi-User Windows USER API Client DLL | Microsoft Corporation | C:\Windows\SysWOW64\user32.dll |
| uxtheme.dll | Microsoft UxTheme Library | Microsoft Corporation | C:\Windows\SysWOW64\uxtheme.dll |
| webio.dll | Web Transfer Protocols API | Microsoft Corporation | C:\Windows\SysWOW64\webio.dll |
| win32u.dll | Win32u | Microsoft Corporation | C:\Windows\SysWOW64\win32u.dll |
| windows.storage.dll | Microsoft WinRT Storage API | Microsoft Corporation | C:\Windows\SysWOW64\windows.storage.dll |
| WindowsCodecs.dll | Microsoft Windows Codecs Library | Microsoft Corporation | C:\Windows\SysWOW64\WindowsCodecs.dll |
| winhttp.dll | Windows HTTP Services | Microsoft Corporation | C:\Windows\SysWOW64\winhttp.dll |
| wininet.dll | Internet Extensions for Win32 | Microsoft Corporation | C:\Windows\SysWOW64\wininet.dll |
| winmm.dll | MCI API DLL | Microsoft Corporation | C:\Windows\SysWOW64\winmm.dll |
| winnlsres.dll | NLSBuild resource DLL | Microsoft Corporation | C:\Windows\SysWOW64\winnlsres.dll |
| winnlsres.dll.mui | NLSBuild resource DLL | Microsoft Corporation | C:\Program Files\WindowsApps\Microsoft.LanguageExperiencePackzh-CN_19041.81.277.0_neutral__8wekyb3d8bbwe\Windows\System32\zh-CN\winnlsres.dll.mui |
| winnsi.dll | Network Store Information RPC interface | Microsoft Corporation | C:\Windows\SysWOW64\winnsi.dll |
| winspool.drv | Windows Spooler Driver | Microsoft Corporation | C:\Windows\SysWOW64\winspool.drv |
| wintrust.dll | Microsoft Trust Verification APIs | Microsoft Corporation | C:\Windows\SysWOW64\wintrust.dll |
| WinTypes.dll | Windows Base Types DLL | Microsoft Corporation | C:\Windows\SysWOW64\WinTypes.dll |
| wldp.dll | Windows Lockdown Policy | Microsoft Corporation | C:\Windows\SysWOW64\wldp.dll |
| wow64.dll | Win32 Emulation on NT64 | Microsoft Corporation | C:\Windows\System32\wow64.dll |
| wow64cpu.dll | AMD64 Wow64 CPU | Microsoft Corporation | C:\Windows\System32\wow64cpu.dll |
| wow64win.dll | Wow64 Console and Win32 API Logging | Microsoft Corporation | C:\Windows\System32\wow64win.dll |
| ws2_32.dll | Windows Socket 2.0 32-Bit DLL | Microsoft Corporation | C:\Windows\SysWOW64\ws2_32.dll |
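The file sits under C:\Windows\SysWOW64\config\systemprofile, which is the profile of the LocalSystem account, and the reported parent is a service, so whatever re-drops and launches PopAD.exe is running as SYSTEM: a service, a scheduled task, a WMI event subscription or a packaged-app background task (backgroundTaskHost.exe is the host for AppX background tasks). The loaded-DLL list is all stock Windows modules and does not point at the launcher; the persistence entry does. The following triage script is an added example, not code from the original post; it assumes the path given in the post and that the dropped file keeps the name PopAD (adjust $Needle if it changes), and it is meant to be run from an elevated PowerShell on the affected machine.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post. Assumes the path reported in the post and that
# the dropped binary keeps the name PopAD (assumption; widen $Needle if it gets renamed).
$Suspect = 'C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\PopAD.exe'
$Needle  = 'PopAD|systemprofile\\AppData\\Roaming'   # regex matched against persistence entries

function Show-Section([string]$Title) { "`n=== $Title ===" }

# 1. The binary itself: SHA-256 for a vendor / VirusTotal lookup, plus the Authenticode signer the post mentions.
Show-Section 'Suspect binary'
if (Test-Path $Suspect) {
    (Get-FileHash -Algorithm SHA256 $Suspect).Hash
    Get-AuthenticodeSignature $Suspect |
        Select-Object Status, @{n='Signer';    e={$_.SignerCertificate.Subject}},
                              @{n='Thumbprint';e={$_.SignerCertificate.Thumbprint}},
                              @{n='NotAfter';  e={$_.SignerCertificate.NotAfter}}
} else { 'not present right now (it is dropped and launched intermittently)' }

# 2. Live instances: owning account and the parent's image, taken from WMI rather than from a bare PID.
Show-Section 'Running instances'
Get-CimInstance Win32_Process -Filter "Name = 'PopAD.exe'" | ForEach-Object {
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($_.ParentProcessId)"
    $owner  = Invoke-CimMethod -InputObject $_ -MethodName GetOwner
    [pscustomobject]@{
        Pid         = $_.ProcessId
        Owner       = "$($owner.Domain)\$($owner.User)"
        CommandLine = $_.CommandLine
        ParentPid   = $_.ParentProcessId
        ParentImage = $parent.ExecutablePath   # $null if the parent already exited (its PID may have been reused)
        ParentCmd   = $parent.CommandLine
    }
} | Format-List

# 3. Services: the one at the top of the reported chain, and anything whose image path points at the suspect.
Show-Section 'Services'
Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -match 'PerceptionSimulation' -or $_.PathName -match $Needle } |
    ForEach-Object {
        # strip arguments to get the image path, then check it is still Microsoft-signed
        $exe = ($_.PathName -replace '^"([^"]+)".*', '$1') -replace '^(\S+\.exe).*', '$1'
        [pscustomobject]@{
            Name = $_.Name; State = $_.State; StartMode = $_.StartMode; RunsAs = $_.StartName
            PathName = $_.PathName; Signature = (Get-AuthenticodeSignature $exe).Status
        }
    } | Format-List

# 4. Scheduled tasks: the usual way to get something started as SYSTEM at random-looking times.
Show-Section 'Scheduled tasks'
Get-ScheduledTask | Where-Object {
    $_.Actions | Where-Object { "$($_.Execute) $($_.Arguments)" -match $Needle }
} | Select-Object TaskPath, TaskName, State,
        @{n='RunAs';  e={$_.Principal.UserId}},
        @{n='Execute';e={$_.Actions.Execute -join '; '}} | Format-List

# 5. Run keys for the machine and for the SYSTEM account's own hive (S-1-5-18).
Show-Section 'Run keys'
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
           'Registry::HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in ($runKeys | Where-Object { Test-Path $_ })) {
    (Get-ItemProperty $key).PSObject.Properties |
        Where-Object { "$($_.Value)" -match $Needle } |
        ForEach-Object { "$key : $($_.Name) = $($_.Value)" }
}

# 6. WMI permanent event subscriptions: fileless persistence that survives deleting the exe.
Show-Section 'WMI subscriptions'
Get-CimInstance -Namespace root/subscription -ClassName __FilterToConsumerBinding |
    Select-Object Filter, Consumer
Get-CimInstance -Namespace root/subscription -ClassName CommandLineEventConsumer |
    Select-Object Name, CommandLineTemplate

# 7. backgroundTaskHost.exe runs background tasks of packaged (AppX) apps, so list packages not signed by the Store or Windows.
Show-Section 'Non-Store AppX packages'
Get-AppxPackage -AllUsers | Where-Object { $_.SignatureKind -notin 'Store', 'System' } |
    Select-Object Name, Publisher, SignatureKind, InstallLocation

# 8. Process-creation audit trail (event 4688; needs "Audit Process Creation" enabled) to confirm the parent chain over time.
Show-Section 'Security log 4688'
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents 20000 -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[5].Value -match $Needle } |
    Select-Object TimeCreated,
        @{n='NewProcess';e={$_.Properties[5].Value}},
        @{n='Parent';    e={$_.Properties[13].Value}} | Format-Table -AutoSize
```

Two caveats when reading the output. Process Explorer records the parent by PID, and PIDs are reused, so a chain like PerceptionSimulationService.exe -> backgroundTaskHost.exe -> popAD.exe should be confirmed from the 4688 events (or from Sysmon event 1, which logs the parent image and command line directly) before the service is blamed; for the service, what matters is whether its image path is still the stock one under C:\Windows\System32 and whether Get-AuthenticodeSignature still reports Valid with a Microsoft signer. Once the launcher is found (a task, service, WMI binding or AppX package), remove that first; deleting PopAD.exe alone, as the post already shows, only lasts until the next run.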