Viruses that load a driver as a service are difficult to remove

Source: Internet
Author: User
System Repair Engineer (SREng)
Autoruns v8.53 (Chinese version)
Unlocker (used to delete virus files)
File Force Delete tool
A pure DOS system for 2000/XP: download, installation and usage tutorial (needed when Unlocker fails to delete the file)
(Note on finding the virus file: open My Computer, click Tools > Folder Options > View. Under "Hidden files and folders" select "Show all files and folders", clear the "Hide protected operating system files" check box, clear the "Hide extensions for known file types" check box, and click OK.)
If you still cannot find the virus file, use the File Force Delete tool or IceSword (冰刃) to view all files.
To remove the virus, follow these steps:
★1. Delete the virus driver file:
Because such .sys files are loaded first when the system starts and are attached to system processes, they cannot be deleted simply by entering safe mode. You must rely on a delete tool or on Rising's specialized kill tool. We recommend closing all running programs and windows, such as the IE browser, QQ, BitTorrent clients and antivirus software, so that the deletion succeeds.

If there is no kill tool, or it is ineffective, use Unlocker, the File Force Delete tool or IceSword. These are the simplest and most effective deletion tools found so far.
With the above tools you generally do not need to delete the file from DOS.
Next, restart into safe mode. Once in safe mode, create a folder with the same name and extension (.sys) as the deleted file: because no operating system allows a file and a folder of the same name to exist side by side, this prevents the virus from restoring its driver file after the next restart. We recommend creating this folder to guard against recurrence. (This is also how the File Force Delete tool suppresses virus regeneration.)
--------------------------
★2. Delete the virus driver's registry entry:
This step must be done after restarting into safe mode. If you do not restart, the virus driver is still loaded in memory and modifying the registry will fail. If you can only restart into normal mode and cannot enter safe mode, you must have created the immune folder in the previous step, so that other virus startup files that have not yet been deleted cannot restore the .sys driver file we deleted.
After restarting into safe mode, check that the .sys virus file has really been deleted, and then delete the registry key.

Method 1, manual deletion: click Start > Run, enter "regedit" to open the Registry Editor, then click Edit > Find and search for the virus file name (with extension; some entries without an extension cannot be deleted directly, and it does no harm to leave them). Delete the loading key found in the left pane of the Registry Editor. After deleting it, press F3 to continue searching for the next occurrence.
Method 2, Rising Kaka Internet Security Assistant 3.0: click System Startup Item Management > Drivers to view them. Right-click in the right pane, select "Include empty items", and clear the "Hide xx signed items" check box so that all loaded drivers are displayed. Right-click the virus's service item and select "Delete currently selected item".
Method 3, System Repair Engineer (SREng): click Startup Items > Services > Drivers, select the virus driver, click "Delete service", then click "Set". For unknown drivers, to avoid deleting something legitimate by mistake, you can instead change the startup type to Disabled: click "Modify startup type", then click "Set". (Hiding the verified Microsoft items makes the search faster.)
Method 4, Autoruns: click Drivers, right-click the virus driver, and choose Delete.
If this step is not performed, an error is logged when the system starts, but there is no visible prompt and no other adverse effect on the system. If deleting the entry fails, the virus program is protecting it: perform the next step first and, after the virus has been cleaned, return to the registry to fix it.
--------------------------
★3. Disable the registered service. This must also be done in safe mode: these services are not loaded there, so we can clear them smoothly.
Right-click My Computer and choose Manage > Services and Applications > Services. Find the virus service we identified, double-click it to open its Properties dialog, stop the service, and change the startup type to Disabled.
(This step does not strictly need to be executed in safe mode, because the virus service is not loaded there and we could clean the registry directly. But we should develop the habit of working step by step; this is the safe way. It is essential for viruses that prevent entering safe mode, such as 3448, where this step must be done first. If you use repair tools such as Rising Kaka Internet Security Assistant, SREng or Autoruns, this step can be skipped and you can go straight to the next step.)

--------------------------
★4. Delete the registered service items and rename the virus files: these files are generally EXE or DLL files and are not loaded in safe mode. If you are not in safe mode, use Unlocker to rename the virus file.

Method 1, manual deletion: search for the file name in the registry and delete the service items registered in the left pane of the Registry Editor. Service items are usually registered in two or more locations in the registry, and all of them must be deleted.
(The service item is under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services. It also appears under ControlSet001\Services, ControlSet002\Services, ControlSet003\Services and so on; delete all of them.)
Method 2, Rising Kaka Internet Security Assistant: click System Startup Item Management > Services to view them. Right-click the virus's service item and select "Delete currently selected item".
Method 3, SREng: click Startup Items > Services > Win32 Service Applications (the rest as before).
Method 4, Autoruns: click Services, right-click the virus service, and choose Delete.
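Steps 2 and 4 both end with the same check: once the driver or service file is gone, any Services entry that still points at it (under CurrentControlSet and every ControlSet00N) is a leftover to be removed. The Python script below is an added example, not from the original article or from any of the tools it names: it resolves the ImagePath forms found under Services to an absolute path and reports entries whose file no longer exists. It assumes Python 3 with the standard winreg module on Windows and a Windows directory of C:\WINDOWS (parameter windir); the path-resolution and matching logic is pure and can be exercised anywhere with constructed entries.

```python
import os

def normalize_image_path(image_path, windir="C:\\WINDOWS"):
    """Resolve the ImagePath forms found under Services to one absolute file path."""
    p = image_path.strip()
    if p.startswith('"'):                        # "C:\dir with spaces\x.exe" -args
        p = p[1:].split('"', 1)[0]
    for ext in (".sys ", ".exe ", ".dll "):      # drop arguments such as "-k netsvcs"
        i = p.lower().find(ext)
        if i != -1:
            p = p[: i + len(ext) - 1]
    low = p.lower()
    for prefix in ("%systemroot%", "\\systemroot"):
        if low.startswith(prefix):
            return windir + p[len(prefix):]
    if low.startswith("\\??\\"):                 # NT object path form: \??\C:\...
        return p[4:]
    if len(p) > 1 and p[1] == ":":               # already a drive-letter path
        return p
    return windir + "\\" + p.lstrip("\\")        # relative: system32\drivers\x.sys

def find_orphaned_entries(entries, file_exists=os.path.exists, windir="C:\\WINDOWS"):
    """entries: (control_set, service_name, image_path) tuples; returns the entries
    whose image file is missing, i.e. registry leftovers of an already deleted file."""
    resolved = [(cs, name, normalize_image_path(path, windir)) for cs, name, path in entries]
    return [e for e in resolved if not file_exists(e[2])]

def collect_entries_from_registry():
    """Windows only: read the ImagePath of every service under each ControlSet00N key
    (CurrentControlSet is a link to one of them, so it is covered as well)."""
    import winreg
    entries = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, "SYSTEM") as system:
        sets = [winreg.EnumKey(system, i) for i in range(winreg.QueryInfoKey(system)[0])]
    for cs in (s for s in sets if s.upper().startswith("CONTROLSET")):
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, "SYSTEM\\" + cs + "\\Services") as svcs:
            for i in range(winreg.QueryInfoKey(svcs)[0]):
                name = winreg.EnumKey(svcs, i)
                try:
                    with winreg.OpenKey(svcs, name) as key:
                        entries.append((cs, name, winreg.QueryValueEx(key, "ImagePath")[0]))
                except OSError:                  # no ImagePath (e.g. service group keys)
                    pass
    return entries

if __name__ == "__main__" and os.name == "nt":
    for cs, name, path in find_orphaned_entries(collect_entries_from_registry()):
        print(f"{cs}\\Services\\{name}: image file missing: {path}")
```

Entries it prints are candidates for the registry cleanup in steps 2 and 4; confirm each against the file name you identified before deleting, since a legitimately uninstalled driver leaves the same kind of trace.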
--------------------------
★5. Delete the registered virus startup items and startup files: these files are generally EXE or DLL files and are not loaded in safe mode. If you are not in safe mode, use Unlocker to rename the virus file and then clean up the registry:

Method 1, manual deletion: search for the virus file name in the registry and delete the startup item, that is, the row in the right pane of the Registry Editor that contains the file name. (If you are not in safe mode, you may need to rename the file with Unlocker and restart before the registry can be cleaned.)
Method 2, Rising Kaka Internet Security Assistant: click System Startup Item Management > Logon items to view them. Select "Include empty items" to see every possible hiding place of such viruses. Right-click the virus startup item and select "Delete currently selected item".
Method 3, SREng: click Startup Items > Registry.
Method 4, Autoruns: click Logon, right-click the virus startup item, and choose Delete.
If the virus's registry startup item is not deleted, the system may prompt at startup that the relevant file cannot be found or failed to load, but there is no other adverse effect.
--------------------------
★6. Additional notes:
The above steps follow the levels and order in which the virus files are loaded, and clear them from the lowest layer upward. In general, do not reverse the order. If one item cannot be cleared and a restart does not help, skip to the next step; at that point use Unlocker on the file and create a folder with the same name. This is a step-by-step approach: each file you defeat is one fewer, then restart and delete the next.
After deleting a file, remember to clear its registry key. Otherwise the item will be reported again by the next scan; a 360 scan report does not show whether the file actually exists, which makes further diagnosis troublesome. Please remember this!! To clear the registry, we recommend repair tools such as Rising Kaka Internet Security Assistant, SREng or Autoruns, to save trouble.
