How to disable Task Manager from virus

Source: Internet
Author: User
Recently the QQ virus has spawned a new variant: it disables Task Manager, so even though you know the QQ virus is running there is no way to end its process. At first I changed the registry entries the virus had modified, but after the change was saved the memory-resident virus changed them right back. What to do?

Export the .exe and .DLL files to text, then run the virus.

Obviously Task Manager is disabled, and when QQ is opened, messages are sent out automatically (I already knew this; of course I was not stupid enough to chat with anyone on QQ). After analysis it turned out that this is actually a Trojan: whatever interests the virus writer is sent to his mailbox by e-mail.
The purpose of disabling Task Manager is to prevent people from terminating the virus process.

Then I went to the Registry to unlock it. The virus had not disabled the Registry. I started thinking: this fool didn't actually disable the registry? Then it can be changed!
Find HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies and delete the DisableTaskMgr value directly.
Reload the Windows shell. But I found a problem: Task Manager still cannot be opened. Opening the Registry again, the DisableTaskMgr value still exists. Depressing. No wonder he didn't bother to disable the registry.

You should have thought of it: this is the ghost of the virus program in memory. Once it detects your modification to the Registry, it automatically changes it back.

The virus disguises itself with a name like a system file's; only one letter differs, and you can't spot it without looking carefully.

Next we will start to solve the problem.

1. Open cmd, enter the command tasklist and press Enter to view the details. The process was found: svohost.exe (although Task Manager is disabled, process information can still be viewed with the tasklist command in cmd).

2. Shut it down: enter the command taskkill /f /IM svohost.exe
The prompt reports success.

3. Search for the svohost.exe file (searching hidden files too) and delete it! The search fails.

4. I thought that was it, but later I found another problem: the virus also modified a registry entry so that the Folder Options setting is always "Do not show hidden files". The main purpose of this is to prevent you from finding the hidden virus source file in Windows. There are still several ways to find it: (1) use Windows Search, with "search hidden files and folders" enabled in the advanced options; (2) run the dir /a command at the command prompt. The latter is a little troublesome because the windows and system32 directories contain too many files, so when using dir you'd better add another parameter: dir /a /p works better.

Go to the Registry and change it back to normal.

Open the registry and find the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL. On the right side find the value CheckedValue. I noticed that this damn virus actually changed it to a string value; if you are not careful you may think that changing it has no effect. Delete the value, recreate CheckedValue as a DWORD, and set its value to 1.
Basically done. At first I just wanted to figure out how it works. Actually, I believe you can see this too: if your antivirus virus library is new enough, it can kill the virus source program, and all you need to do is fix the related items in the registry. Here we also provide a DIY solution to the problem. The virus source files may differ; follow the above steps according to the actual situation.
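The registry repair described in the steps above, as an added PowerShell example that is not part of the original article. It assumes the virus process has already been terminated (step 2 above); otherwise, as the author observed, the resident process re-applies the change, which is what the final check is meant to reveal. The Policies\System subkey is where Windows keeps DisableTaskMgr; the SHOWALL path is the one named above.

```powershell
# Added example, not from the original article: check and repair the two
# registry changes described in the steps above. Run from an elevated prompt.

# DisableTaskMgr lives in the Policies\System subkey of the path named above.
$policyKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$showAllKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'

function Get-TaskMgrPolicy {
    # Returns the current DisableTaskMgr value, or $null when it is not set.
    if (-not (Test-Path $policyKey)) { return $null }
    $p = Get-ItemProperty -Path $policyKey -Name 'DisableTaskMgr' -ErrorAction SilentlyContinue
    if ($null -eq $p) { return $null }
    return $p.DisableTaskMgr
}

function Repair-TaskMgrPolicy {
    $v = Get-TaskMgrPolicy
    if ($null -eq $v) { Write-Host 'DisableTaskMgr is not set'; return }
    Write-Host "DisableTaskMgr = $v, removing it"
    Remove-ItemProperty -Path $policyKey -Name 'DisableTaskMgr'
}

function Repair-ShowAllCheckedValue {
    # The article's point: the virus recreated CheckedValue as a string (REG_SZ),
    # so a value that reads "1" in regedit is still ignored. Only a DWORD of 1 works.
    if (-not (Test-Path $showAllKey)) { Write-Warning "Key missing: $showAllKey"; return }
    $key  = Get-Item -Path $showAllKey
    $kind = $null
    if ($key.GetValueNames() -contains 'CheckedValue') { $kind = $key.GetValueKind('CheckedValue') }
    $val = $key.GetValue('CheckedValue')
    Write-Host "CheckedValue: type=$kind value=$val"
    if ($kind -eq 'DWord' -and $val -eq 1) { Write-Host 'CheckedValue is already correct'; return }
    if ($null -ne $kind) { Remove-ItemProperty -Path $showAllKey -Name 'CheckedValue' }
    New-ItemProperty -Path $showAllKey -Name 'CheckedValue' -PropertyType DWord -Value 1 | Out-Null
    Write-Host 'CheckedValue recreated as DWORD = 1'
}

function Test-PolicyReverted {
    # Wait, then re-read: if DisableTaskMgr is back, something resident is still
    # watching the key and has to be terminated first (tasklist / taskkill above).
    Start-Sleep -Seconds 10
    if ($null -ne (Get-TaskMgrPolicy)) {
        Write-Warning 'DisableTaskMgr reappeared: a running process is re-applying it'
        return $false
    }
    Write-Host 'DisableTaskMgr stayed removed'
    return $true
}

Repair-TaskMgrPolicy
Repair-ShowAllCheckedValue
Test-PolicyReverted | Out-Null
```

The type check in Repair-ShowAllCheckedValue is the part regedit makes easy to miss: GetValueKind distinguishes the REG_SZ the virus planted from the DWORD Explorer actually reads, which is why the script deletes and recreates the value instead of just assigning 1.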

Friendly reminder: don't run files sent over QQ without confirming them first. One careless moment is enough.

PS: Some things have to be said: I found that many people misunderstand what I mean.
This article is only meant to show you a method. I found that many netizens searched their computers for svohost.exe and lsasa.exe. In fact there are many kinds of viruses and the source files are ever-changing; those names cannot identify the virus. What matters is the method. As long as a virus is running, there must be a virus process (I don't think there is any virus that hides its process yet). After careful observation you can always find the source file. It may have the same name as a system file but a different path, for example svchost.exe in a different directory, rundll32.exe, and so on.
For average users, it is best to use powerful anti-virus software to clean it up.

For manual cleanup there are also many ways to search. Generally viruses are set to start automatically, so you can go to the Registry and look at the places from which programs can be started, such as Run and Shell; you can search for related articles online. Some viruses register themselves as a service and start as a service; you can open services.msc to view the details.
Many viruses like to fake service processes. In this example we check whether svchost.exe is suspicious.
Enter the command in cmd: tasklist /SVC and press Enter to see the services hosted by each svchost.exe process.
As you can see, there are four svchost.exe. How many does tasklist show?
Also four. This proves that all four svchost.exe processes are normal (except for viruses loaded in service mode).
What if the figure below showed five svchost.exe? That would mean the extra svchost.exe must be faulty, so we can check for svchost.exe files on the C drive that are not in the system32 directory; such an svchost.exe file must be a virus.
You can close all applications and background programs except system processes to narrow down the search scope. This requires experience.
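The process triage and autorun checks described in the last two passages, as an added PowerShell example that is not part of the original article. It uses Get-CimInstance instead of parsing tasklist output, and generalizes the author's one-letter-off observation (svohost.exe vs svchost.exe) into an edit-distance check. The list of known system image names is an assumption for the comparison, not a complete inventory.

```powershell
# Added example, not from the original article: flag processes whose name is
# one letter away from a system process name, or whose image path is outside
# System32 despite carrying a system name, and list Run/Shell autorun entries.

$system32   = Join-Path $env:SystemRoot 'System32'
# Assumed set of well-known names to compare against; extend as needed.
$knownNames = @('svchost.exe', 'lsass.exe', 'csrss.exe', 'rundll32.exe',
                'explorer.exe', 'winlogon.exe', 'services.exe', 'smss.exe')

function Get-EditDistance([string]$a, [string]$b) {
    # Levenshtein distance; a result of 1 catches svohost.exe vs svchost.exe.
    $d = New-Object 'int[,]' ($a.Length + 1), ($b.Length + 1)
    for ($i = 0; $i -le $a.Length; $i++) { $d[$i, 0] = $i }
    for ($j = 0; $j -le $b.Length; $j++) { $d[0, $j] = $j }
    for ($i = 1; $i -le $a.Length; $i++) {
        for ($j = 1; $j -le $b.Length; $j++) {
            $cost = if ($a[$i - 1] -eq $b[$j - 1]) { 0 } else { 1 }
            $d[$i, $j] = [Math]::Min([Math]::Min($d[$i - 1, $j] + 1, $d[$i, $j - 1] + 1),
                                     $d[$i - 1, $j - 1] + $cost)
        }
    }
    return $d[$a.Length, $b.Length]
}

function Find-SuspiciousProcesses {
    foreach ($p in Get-CimInstance Win32_Process) {
        $name    = $p.Name.ToLower()
        $path    = $p.ExecutablePath
        $reasons = @()
        # 1. A system image name running from somewhere other than System32.
        if ($knownNames -contains $name -and $path -and
            -not $path.ToLower().StartsWith($system32.ToLower())) {
            $reasons += "system name outside System32 ($path)"
        }
        # 2. A name one edit away from a system name (the article's svohost.exe case).
        foreach ($k in $knownNames) {
            if ($name -ne $k -and (Get-EditDistance $name $k) -eq 1) { $reasons += "look-alike of $k" }
        }
        if ($reasons.Count) {
            [pscustomobject]@{ PID = $p.ProcessId; Name = $p.Name; Path = $path; Reason = ($reasons -join '; ') }
        }
    }
}

function Compare-SvchostCount {
    # The article's check: number of svchost.exe processes versus the number
    # of them that actually host at least one service (what tasklist /SVC shows).
    $running = @(Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'")
    $hosting = @($running | Where-Object {
        Get-CimInstance Win32_Service -Filter "ProcessId = $($_.ProcessId)" })
    [pscustomobject]@{ Running = $running.Count; HostingServices = $hosting.Count }
}

function Get-AutorunEntries {
    # The Run keys and the Winlogon Shell value the article points to.
    $runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($k in $runKeys) {
        if (-not (Test-Path $k)) { continue }
        (Get-ItemProperty $k).PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object { [pscustomobject]@{ Key = $k; Name = $_.Name; Command = $_.Value } }
    }
    $winlogon = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $shell = (Get-ItemProperty $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
    [pscustomobject]@{ Key = $winlogon; Name = 'Shell'; Command = $shell }   # normally explorer.exe
}

Find-SuspiciousProcesses | Format-Table -AutoSize
Compare-SvchostCount
Get-AutorunEntries | Format-Table -AutoSize
```

Anything listed by Find-SuspiciousProcesses deserves a look at its path before it is terminated, and a Running count higher than HostingServices in Compare-SvchostCount is the five-versus-four situation the article describes; a Winlogon Shell value other than explorer.exe is worth the same scrutiny as a Run entry.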

Windows provides many small tools to help you solve the problem, such as the system information tool, msconfig, services.msc, tasklist.exe and so on. If you have used these tools, it is not too difficult to remove the virus!
We recommend that you install better security software. If that is too troublesome, I think you can kill the virus yourself; it is a very satisfying thing.

We recommend that you use the Longhorn task manager! In Longhorn's task manager you can right-click a process to open the folder where the application is located, which is very useful for virus detection. If Task Manager is disabled, you can use a third-party task manager; for example, the process management provided by Windows Optimization Master is good. You can directly view the application path, which saves a lot of time.