From: Dream-hunting day blog
Recently, the diskcheck advertisement Trojan has become widespread, and many computers are infected.
Diskcheck.exe belongs to an advertisement Trojan (Adware.elodu) and is one of its main programs. It spreads by generating an autorun configuration file in the root directory of each drive, so it infects computers through removable storage devices such as USB flash drives and portable hard disks. The symptoms are that it registers an IEHelper object plug-in in IE and pops up an advertisement window from time to time.
Once this trojan runs, it generates the following files:
%System%\IESysIcon.ico
%System%\lsmgr.dll
contains systemdrivers cmder.exe
%SystemDrive%\autorun.inf
%SystemDrive%\diskcheck.exe
Assuming that Windows XP is installed on drive C, the variables above have the following values:
%System% = C:\windows\system32
%SystemDrive% = all your drive letters, such as C:, D:, E:
The trojan is successfully transmitted. Therefore, it is recommended that you make a habit of disabling the AutoPlay function for removable storage devices. Do not double-click a removable storage drive to open it; instead, right-click the drive letter and select "Resource Manager".
Once infected with this advertisement Trojan, many people find that it cannot be removed: autorun.inf and diskcheck.exe are deleted and then come back again. Even after trying everything in safe mode, the virus is still not cleared. The most critical point is that the assumer.exe file hidden in the system32 directory has not been deleted: it hooks directly onto the user's double-click operation, so as soon as autorun.inf and diskcheck.exe are deleted, new ones are generated immediately. Note: the navigator file name of Windows is also cmd.exe, but it is in the windows directory.
Removal method:
1. Delete the following files:
%System%\IESysIcon.ico
%System%\lsmgr.dll
contains systemincluer.exe
%SystemDrive%\autorun.inf
%SystemDrive%\diskcheck.exe
All these files can be deleted directly. If you are prompted that assumer.exe cannot be deleted, try again.
2. Open the Registry Editor, find the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Drive\shell\open\command, and delete the value "%systempolicexplore.exe % 1" in the right-hand pane.
3. Delete the following subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EC564D32-0F1A-4367-8A9B-4A9F57688D03}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1CFFD533-46FE-4031-A3FF-5370943BA025}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{3E704673-BE49-4C13-8E36-288326D14709}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\lsmgr.mssgr
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\lsmgr.mssgr.1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{D1EDDE84-E67E-4ccd-B28E-73AD3B71A7C9}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EC564D32-0F1A-4367-8A9B-4A9F57688D03}
4. Removal is complete.
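The checklist above can be audited before anything is deleted. The following PowerShell script is an added example, not part of the original post: it only reads, and it reports which of the listed files and registry keys are present. Registry paths are written with their backslashes restored, and the system32 executable whose name is not legible on this page is deliberately left out.

```powershell
# Added example: read-only audit of the indicators listed in this write-up.
# Nothing is deleted; every hit is printed for manual review.
$sys32 = Join-Path $env:SystemRoot 'system32'

# Files named on the page (only the names that are legible there).
$files = @("$sys32\IESysIcon.ico", "$sys32\lsmgr.dll")

# autorun.inf and diskcheck.exe are dropped in the root of every drive.
# A legitimate autorun.inf can exist (e.g. on optical media), so inspect hits.
foreach ($d in Get-PSDrive -PSProvider FileSystem) {
    $files += "$($d.Root)autorun.inf"
    $files += "$($d.Root)diskcheck.exe"
}

# Subkeys from step 3 of the removal method.
$keys = @(
    'HKLM:\SOFTWARE\Classes\CLSID\{EC564D32-0F1A-4367-8A9B-4A9F57688D03}',
    'HKLM:\SOFTWARE\Classes\Interface\{1CFFD533-46FE-4031-A3FF-5370943BA025}',
    'HKLM:\SOFTWARE\Classes\TypeLib\{3E704673-BE49-4C13-8E36-288326D14709}',
    'HKLM:\SOFTWARE\Classes\lsmgr.mssgr',
    'HKLM:\SOFTWARE\Classes\lsmgr.mssgr.1',
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Extensions\{D1EDDE84-E67E-4ccd-B28E-73AD3B71A7C9}',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EC564D32-0F1A-4367-8A9B-4A9F57688D03}'
)

$hits = @()
# Test-Path also sees hidden and system files, which Get-ChildItem skips by default.
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) { $hits += "FILE   $f" }
}
foreach ($k in $keys) {
    if (Test-Path -LiteralPath $k) { $hits += "KEY    $k" }
}

# Step 2: the handler run when a drive is double-clicked. Print whatever is
# registered there so it can be compared with the value the page says to delete.
$cmdKey = 'HKLM:\SOFTWARE\Classes\Drive\shell\open\command'
if (Test-Path -LiteralPath $cmdKey) {
    $value = (Get-ItemProperty -LiteralPath $cmdKey).'(default)'
    $hits += "VALUE  $cmdKey = $value"
}

if ($hits.Count -gt 0) { $hits } else { 'No listed indicators found.' }
```

Run it from an elevated PowerShell prompt so every HKLM key is readable, and rerun it after cleanup to confirm that autorun.inf and diskcheck.exe have not been regenerated.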
Dealing with this advertisement Trojan reinforces the following lessons:
1. It is best to disable the autorun function for removable storage devices;
2. Do not double-click to open a removable device. Use the right-click menu instead;
3. Removable devices that have been used on other computers should be scanned for viruses first after they are connected;
4. The antivirus software's virus database should be updated frequently. This advertisement Trojan can be detected and removed by most antivirus software, but it is very troublesome to clear once it has run.