Use a registry repair tool, or edit the following entries directly with regedit:
1. SYSTEM.INI (on NT systems, in the registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon)
Change shell = Explorer.exe 1 to shell = Explorer.exe
2. Under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, delete:
Torjan Program ---------- C:\WINNT\services.exe
3. HKEY_CLASSES_ROOT\.exe
Change the default value from winfiles to exefile
4. Delete the following two keys:
HKEY_CLASSES_ROOT\winfiles
HKEY_LOCAL_MACHINE\software\classes\winfiles
5. Open the Registry Editor and search in turn for "rundll32.com", "finder.com" and "command.pif"; in each entry found, change "rundll32.com", "finder.com" or "command.pif" to "Rundll32.exe"
6. Search for "iexplore.com"; in each entry found, change "iexplore.com" to "iexplore.exe"
7. Search for "explorer.com"; in each entry found, change "explorer.com" to "explorer.exe"
8. Search for "iexplore.pif"; you should find entries similar to "%ProgramFiles%\Common Files\iexplore.pif". Change these to "C:\Program Files\Internet Explorer\iexplore.exe"
9. Remove the file association information and startup entries added by the virus:
[HKEY_CLASSES_ROOT\winfiles]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Torjan Program" = "%Windows%\services.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Torjan Program" = "%Windows%\services.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell" = "Explorer.exe 1"
Change to:
"Shell" = "Explorer.exe"
10. The following entries relate to a VB library file (MSWINSCK.OCX) released by the virus; they do not have to be deleted:
HKEY_CLASSES_ROOT\MSWinsock.Winsock
HKEY_CLASSES_ROOT\MSWinsock.Winsock.1
HKEY_CLASSES_ROOT\CLSID
HKEY_CLASSES_ROOT\CLSID
HKEY_CLASSES_ROOT\Interface
HKEY_CLASSES_ROOT\Interface
HKEY_CLASSES_ROOT\TypeLib
Note: Because the virus changes a lot of related information, do not perform any unnecessary operations before the virus files have been removed, to avoid activating the virus.
2. Delete the virus files
Reboot the system and delete the following files. Take care when opening a partition: first open "My Computer", then right-click the partition and select "Open" to enter it. Alternatively, run the attached Kv.bat to delete the following files.
c:\antorun.inf (if you have multiple partitions, check whether the other partitions also contain this file and delete it there as well)
%programfiles%\common files\iexplore.pif
%programfiles%\Internet explorer\iexplore.com
% windir%. com
%windir%\exeroute.exe
%windir%\explorer.com
%windir%\finder.com
%windir%\mswinsck.ocx
%windir%\services.exe
%windir%\system32\command.pif
%windir%\system32\dxdiag.com
%windir%\system32\finder.com
%windir%\system32\msconfig.com
%windir%\system32\regedit.com
%windir%\system32\rundll32.com
Delete the following folders:
%windir%\debug
%windir%\system32\NtmsData
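To confirm that the cleanup took effect, the registry values and files named above can be checked without changing anything. The PowerShell below is an added example, not part of the original guide or the Kv.bat it mentions; the function name Test-CleanupState is hypothetical, and only a subset of the listed files is checked.

```powershell
# Read-only check of the registry values and files listed in this guide.
# Nothing is modified; each leftover is returned as an object.
function Test-CleanupState {
    $findings = @()

    # Step 1: Winlogon Shell must be "Explorer.exe" (the virus sets "Explorer.exe 1").
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $shell = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
    if ($shell -ne 'Explorer.exe') {
        $findings += [pscustomobject]@{ Check = 'Winlogon Shell'; Found = $shell }
    }

    # Steps 2 and 9: the "Torjan Program" startup value must be gone from Run and RunServices.
    foreach ($key in 'Run', 'RunServices') {
        $path = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\$key"
        $value = (Get-ItemProperty -Path $path -Name 'Torjan Program' -ErrorAction SilentlyContinue).'Torjan Program'
        if ($null -ne $value) {
            $findings += [pscustomobject]@{ Check = "$key startup entry"; Found = $value }
        }
    }

    # Step 3: the default value of HKEY_CLASSES_ROOT\.exe must be "exefile", not "winfiles".
    $exeClass = (Get-ItemProperty -LiteralPath 'Registry::HKEY_CLASSES_ROOT\.exe' -ErrorAction SilentlyContinue).'(default)'
    if ($exeClass -ne 'exefile') {
        $findings += [pscustomobject]@{ Check = '.exe association'; Found = $exeClass }
    }

    # Step 4: both winfiles keys must no longer exist.
    foreach ($key in 'Registry::HKEY_CLASSES_ROOT\winfiles', 'HKLM:\SOFTWARE\Classes\winfiles') {
        if (Test-Path -LiteralPath $key) {
            $findings += [pscustomobject]@{ Check = 'winfiles key'; Found = $key }
        }
    }

    # Section 2: a subset of the dropped files from the list above.
    $files = "$env:windir\services.exe", "$env:windir\explorer.com", "$env:windir\finder.com",
             "$env:windir\system32\rundll32.com", "$env:windir\system32\regedit.com",
             "$env:windir\system32\command.pif"
    foreach ($file in $files) {
        if (Test-Path -LiteralPath $file) {
            $findings += [pscustomobject]@{ Check = 'Leftover file'; Found = $file }
        }
    }
    return $findings
}

# An empty result means every checked item matches the cleaned state described above.
Test-CleanupState | Format-Table -AutoSize
```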