Auto autorun.inf desktop.ini sxs.exe auto.exe virus-like manual processing complete technique _ virus killing

Special finishing a auto Autorun.inf desktop.ini sxs.exe auto.exe virus Manual processing complete skills, you can see the image set method, let auto Autorun.inf desktop.ini Auto.exe Virus Nowhere to hide

Recently, a number of viruses, the performance of:

1, under each partition will have three files, the property is hidden, file name is: autorun.inf,desktop.in,sxs.exe, which EXE file is a virus file!

2, can not double-click to open the partition, such as D disk, double-click will appear after a choice of open way tips!

3, the right button menu has an auto item, no way to clean out.

4, the "Show All Files and folders" option cannot be selected, (this is the most serious case).

Online already have relevant information (attached), but some more trouble, some can not really useful, here give a personal commonly used manual treatment method, for everyone's reference.

If your system has only one or two of the above four cases, it's easier to handle.

1, into the safe mode, you must not double click on a disk, but use the right button or the left click of the resource Manager to open. Enter Folder Options, as shown below:

2, open (must not double) C: Disk, D: disk, etc., to see if there are the above three files or one or two of them, if so, delete it, (certainly do not double-click to any one of the files, otherwise the virus will be executed immediately.)

3, if not, then, again open the dialog box above, to see if the option is also the same as above, if not the same, and then changed back to the following figure, then, the current virus is already running. into 4 processing.

4, if the virus is already running, then we can only force the end of the virus process, can modify the above location, forced to end the virus is a lot of methods, the following reference a method.

============= the way to end the virus process a =====================

Many people find that their computer has a virus, the direct deletion, is not deleted, because the virus is running, so there is no way.
Many people like to use third-party tools to end the virus process and then to killing, in fact, I do not agree with always relying on third-party tools, because this is what people do out of things, they will only use, never know its principle, then, they are always just a rookie.

Here are two ways to end a process without using a third-party tool.

First: This method is used in XP, for example, we want to end aaa.exe This process, then press Start/Run/input cmd, at the command prompt, input taskkill/im aaa.exe, then you can forcibly kill the process

Second: The above methods, for some of the virus is effective, but for some more "old stubborn", there may be no way. This time, Win 2000 above the system's built-in command NTSD, to forcibly kill all virus processes, because the command in addition to system Smss.exe Csrss.exe not Can end, other basic can
Enter three keys: ALT + CTRL + DELETE, go into Windows Task Manager, click "View" in the menu above the Task Manager, and select the "pid" option. Click OK, and then select Process, and you can see the "pid" number of the virus process.

For example, the virus "pid" is 123, then, at just the command prompt, enter "Ntsd-c q-p 123" to end the virus process.
If you want to see what the NTSD parameters are for (as long as you are patient and your English is over Level 6), then enter NTSD/? Can

As for some viruses hide their own process, I am sorry, my ability is limited, so up to now, I use third-party tools to view the hidden process, so I think this is still a rookie, please forgive!

==================== end the virus process ===============

There are other methods, such as the use of some software, such as Optimization master, 360 security guards, etc., here no longer tired. End the virus process (if you do not know which is the virus process, then the system process is all over, the system process, and then repeat the 2nd step.)

5, then you should be in the disk can see the above three files, delete them, forcibly deleted.

6, select Search, find Desktop.ini files, you will find in each folder there is a file like this, there may be thousands of, press the Shift+del forcibly deleted, nothing, no problem, even if the C-disk is OK!

7, after the deletion, restart the computer, and then see whether the normal use, sometimes this does not work, sometimes the right menu or there is that auto, if so, then your system should be some of the more troublesome variants, processing methods can refer to the following Web text, but have to modify the registry or something, If it's me, I'm not going to take care of it, Ghost, 30 minutes. There's no need to take more time to step in. (Recommended to use computer company 6.0GHOST Edition, really good, thanks)

8, after reloading or ghost, in fact, the virus is still in the outside of C disk, will not automatically die, but, the system is clean, then from the first step to deal with, must be from the first step, again, must not double click any letter, otherwise naught! It's going to reload again.

Well, after this, the problem with the virus in your system can be solved in general, if it is another virus, then use other methods to deal with it. It is recommended to install the system, clean up the above virus, install an anti-virus software can be upgraded, to carry out a comprehensive scan, recommend the use of Kabbah, but these days because the submarine cable was damaged by the earthquake and Kaspersky official in the fight against piracy, Kabbah may not upgrade. (Kaspersky installation, please download and activate the www.360safe.com after downloading and activation, you can upgrade the equivalent of the original, of course, rising or other anti-virus software is also good, according to your needs.) After the scan is complete, install the software, it is best to use ghost backup system, after the backup if there is a problem can quickly recover, of course, you must have a tool CD, the proposed use of the above mentioned Ghost XP computer company version, if you can't find, you can contact me, QQ : 24560974, I'll find it for you.

Well, enjoy your system!

=========== The following is found on the Internet to deal with the virus, reference ============

Worm.viking.m
The virus for the Windows platform integrated executable file infection, network infection, download Trojan horse or other virus complex virus, the virus after the operation of its own disguised as a system of normal files to confuse users, by modifying the registry keys to make the virus boot can automatically run, At the same time, the virus through the thread injection technology to bypass the monitoring of the firewall, connected to the site designated by the virus to download a specific Trojan horse or other viruses, while the virus is running to enumerate all the available shares in the intranet, and try to connect to the target computer through a weak password.
The running process infects the executable files on the user's machine, which causes the user's machine to run slowly, destroys the user's machine executable file, and poses harm to the user's security.
Virus mainly through the sharing of directories, file bundles, running infected programs, virus-like mail attachments and other means of transmission.

1. After the virus is run, copy itself to the Windows folder, the file name is:
%systemroot%\rundl132.exe

2. After running the infected file, the virus copies the virus body to the following files:
%systemroot%\logo_1.exe

3, at the same time the virus will be generated in the virus folder:
Virus directory \vdll.dll

4, the virus from the Z-disk began to search all the available partitions in the EXE file, and then infected with all the size of 27KB-10MB executable files, infected in the infected folder generated:
_desktop.ini (File attributes: System, hidden. )

5, the virus will try to modify the%sysroot%\system32\drivers\etc\hosts file.

6, the virus by adding the following registry key to achieve the virus boot automatically run:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Load" = "C:\\winnt\\rundl132.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"Load" = "C:\\winnt\\rundl132.exe"

7, virus runtime try to find the form named: "Ravmonclass" program, find the form and send a message to close the program.

8, enumerate the following antivirus software process name, find to terminate its process:
Ravmon.exe
Eghost.exe
Mailmon.exe
Kavpfw. Exe
Iparmor. Exe
Ravmond.exe

9, at the same time the virus attempts to use the following command to terminate the relevant virus-killing software:
net stop "Kingsoft AntiVirus Service"

10, send ICMP detection data "Hello,world" to determine the network status, when the network is available,
Enumerate all shared hosts in Intranet, and try to connect \\IPC$, \admin$ and other shared directories with weak password, and then network infection after successful connection.

11, infected users on the machine EXE file, but do not infect the following folder files:
System
System32
Windows
Documents and Settings
System Volume Information
Recycled
Winnt
Program Files
Windows NT
WindowsUpdate
Windows Media Player
Outlook Express
Internet Explorer
ComPlus applications
NetMeeting
Common Files
Messenger
Microsoft Office
InstallShield Installation Information
Msn
Microsoft Frontpage
Movie Maker
MSN Gaming Zone

12. Enumerate the system processes and try to inject the virus DLL (Vdll.dll) selectively into the processes that correspond to the following process names:
Explorer
Iexplore
One of the above two processes is randomly injected after a qualifying process is found.

13. When the extranet is available, the injected DLL file attempts to connect to the following Web site to download and run the related programs:
Http://www.17**.com/gua/zt.txt Save As: C:\1.txt
Http://www.17**.com/gua/wow.txt Save As: C:\1.txt
Http://www.17**.com/gua/mx.txt Save As: C:\1.txt

Http://www.17**.com/gua/zt.exe Save As:%systemroot%\0sy.exe
Http://www.17**.com/gua/wow.exe Save As:%systemroot%\1sy.exe
Http://www.17**.com/gua/mx.exe Save As:%systemroot%\2sy.exe
Note: Three programs are Trojan program

14, the virus will download the contents of "1.txt" to the following related registry entries:

[Hkey_local_machine\software\soft\downloadwww]
"Auto" = "1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows]
"Ver_down0" = "[Boot loader]\\\\\\\\\\\\\\\\+++++++++++++++++++++++"
"Ver_down1" = "[boot loader]
Timeout=30
[Operating Systems]
multi (0) disk (0) rdisk (0) partition (1) \\windows=\ "Microsoft WINDOWS XP professional\"////"
"Ver_down2" = "Default=multi (0) disk (0) rdisk (0) partition (1) \\WINDOWS
[Operating Systems]
multi (0) disk (0) rdisk (0) partition (1) \\windows=\ "Microsoft WINDOWS XP professional\"/////"
Five counts of "gold" virus
First crime: infecting system files
cause system damage, and manual removal difficulties;
The second crime: Download the vicious Trojan
Theft of Warcraft, legendary account, gray pigeon backdoor make the system completely controlled by hackers, qqrobber virus, etc.
Third crime: Multi-channel network communication mode
Through the infection file, LAN sharing to spread;
Crime Four: Mandatory disabling of domestic well-known anti-virus software
Reduce sexual safety, easy to infect other virus;
Sin V: multiple variants
In a few days, multiple variants have appeared

A few days ago in the computer company to work, found that a considerable number of customers in addition to the hard disk in general except for the C disk, double-click the letter can not open, for individual ordinary users of this simple problem naturally to find someone! Click the right mouse button to find that the first item is not open, but a what auto and things like that. Needless to say naturally is the recruit, generally speaking computer company is accustomed to install system, simple, in the computer company to 35 days people can do. However, with our company's technical trainees and customer reaction after reloading the system (universal cloning a few minutes to finish it), can not solve the problem! I have to hand over to solve!

Kill the horse of course to see the process and display hidden files and extensions, but the virus actually in here to move hands and feet. "Hide files and folders" In Folder Options ⒈ do not show hidden files and folders ⒉ Show all files and folders cannot be displayed after selecting "Show All Files and folders", click Apply to confirm the same, reopen found automatically changed back. Fortunately, I have seen the super hidden in the past and other things, I also saved that display hidden files and folders registry file!

Windows Registry Editor Version 5.00

[Hkey_local_machine\software\microsoft\windows\currentversion\explorer\advanced\folder\hidden\showall]
"CheckedValue" =dword:00000001

Open the registry and locate the above registry key. Found the CheckValue set to 0. Look at the normal computer for 1, naturally changed to 1 to say. Once again, set the folder Options, display all folders, and return to normal. found that each partition has a few hidden files, no wonder that the reload system is not used, and even rising anti-virus software can not install! End the related process, all the relevant files deleted, right key back to normal! The original is the ghost of virus files, and set up the system so that users can not show hidden files will naturally not see it itself, It's so pervasive! Install antivirus software after removing everything is normal and no other problem! Although the problem is quite simple, but those days there are a considerable number of customers to repair are the same problem, do not know what is not new appearance! Although it's the most entry-level thing for a computer guy, But for ordinary users is not a simple problem!

Afterwards studied a bit, recently nothing, think about blog also have nothing to write, affixed here for novice query, Master don't laugh!

1 in the registration form [Hkey_local_machine\software\microsoft\windows\currentversion\explorer\advanced\folder\hidden]
There are two items: Nohidden and ShowAll, some say three (98), but my own computer has only these two. Nohidden nature is not to show hidden files, ShowAll is to display all files. There are checkedvalue,defaultvalue values under both items!
The example above changes the relevant registry key value [Hkey_local_machine\software\microsoft\windows\currentversion\explorer\advanced\folder\hidden\ ShowAll]
The "CheckedValue",
The system defaults to "CheckedValue" =dword:00000001, "DefaultValue" =dword:00000002, and if you set the CheckedValue to 0, you will not be able to change the display of all hidden files! Normal situation can be set folder and file properties hidden, but with the knowledge of the user to change to show hidden files, by manually modify the registry, the ShowAll under the Checkdvalue set to 0 to prevent ordinary users to see, for the old bird nature without any use!
2 displays all hidden files as default values for Folder Options! As for the DefaultValue value is naturally the default value, I did not find the meaning of the specific value here, but can be set to have a certain 1, 2 or 0. If the [Hkey_local_machine\software\microsoft\windows\currentversion\explorer\advanced\folder\hidden\showall] DefaultValue "set to 1 should be made default, you will find that when you look at the option to restore the default value, both items are selected. If you want to set the display of all hidden files as defaults, you can set the DefaultValue of Nohidden to 1 and the ShowAll defaultvalue to 1! This defaults to show all hidden files! You can change it for yourself and look at the specific effect.
3 in summary encountered similar problems, you can see if there is no passive hands and feet! Look past the registry master left each value of the detailed settings!
4 online See: Even more, with Registry Editor, we can hide the three radio buttons under the hidden files item in the View tab. All we need to do is clear the Hidden of the "Text" string key in the "Nohidden", "Nohidorsys", "ShowAll" three branches (note: Windows XP has a different key value). This way, when you exit the Registry Editor and then go to the View tab, you'll find that "hidden files and folders" is empty underneath. Anyone who wants to see our personal files is two words-no way, because this place has no choice! (Will hidden and nohidden two delete, there is nothing, haha)

Attached: Folder option defaults: (XP system, you can save the following text as a registry file to import the registry to fix related issues)

Windows Registry Editor Version 5.00

[Hkey_local_machine\software\microsoft\windows\currentversion\explorer\advanced\folder\hidden]
"Text" = "@shell32. dll,-30499"
' Type ' = ' group '
"Bitmap" =hex (2): 25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,\
00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,53,00,\
48,00,45,00,4c,00,4c,00,33,00,32,00,2e,00,64,00,6c,00,6c,00,2c,00,34,00,00,\
00
"HelpID" = "shell.hlp#51131"

[Hkey_local_machine\software\microsoft\windows\currentversion\explorer\advanced\folder\hidden\nohidden]
"Regpath" = "software\\microsoft\\windows\\currentversion\\explorer\\advanced"
"Text" = "@shell32. dll,-30501"
' Type ' = ' radio '
' checkedvalue ' =dword:00000002
' valuename ' = ' Hidden '
' defaultvalue ' =dword:00000002
"Hkeyroot" =dword:80000001
"helpid" = "shell.hlp#51104"

[Hkey_local_machine\software\microsoft\windows\currentversion\explorer\advanced\folder\hidden\showall]
"Regpath" = "software\\microsoft\\windows\\currentversion\\explorer\\advanced"
"Text" = "@shell32. dll,-30500"
"Type" = "Radio"
"CheckedValue" =dword:00000001
"ValueName" = "Hidden"
"DefaultValue" =dword:00000002
"Hkeyroot" =dword:80000001
"HelpID" = "shell.hlp#51105"

2006-11-08 Day Supplements:

Yesterday in the Internet café again encountered this situation, did not write this before, There is a autorun.ini file and Sxs.exe file under each letter, cause each disk right button menu is auto, not on the Internet to find relevant information, but before writing this article, but also this file, but it seems to have changed, in the task manager can not see its process, deleted immediately after the recovery, in C : \Windows\System32 under the Ourfns.exe file and a related DLL (forgotten), in the Registry has the implementation of the file's Startup items, Windows Task Manager can not see the process, and can not be deleted, the proposed ice blade to end the process and related operations!

The D and E disks cannot be double-clicked, the first one in the right menu is auto and is black. What is the reason, but the C-disk can be double click to open. 2006-12-26 00:02 in the snow virus. The solution is:

First, enter Safe mode, run "regedit", find all the key values Autorun.exe and give delete. Press F3 to continue the search until it is not so far.
Second, after the restart in the hard drive to search Autorun.exe, and all deleted.
Third, press Ctrl+alt+del, kill the user name (PID) for the current user's autorun.exe process.
Four, run Msconfig, in the Launch tab to remove the Boot.exe front small box check.