Situation
All the right keys are running, each disk will appear random 8-bit XXXXXXXX.exe and Autorun.inf files
Internet search virus, Trojan, etc will be virus turned off, can not open nod32 and other anti-virus
Software
Unable to view hidden files, workaround:
Method One: Modify the registry file (the following file save bit ok.reg) to run
Copy Code code as follows:
Windows Registry Editor Version 5.00
[Hkey_local_machine\software\microsoft\windows\currentversion\explorer\advanced\folder\hidden\showall] "CheckedValue" =dword:00000001
Method Two: View with ACDSee
Today encountered a relatively strong virus, and the virus has a battle:
One cause
The virus is in the colleague's machine on the test with a U disk after a file appears, is estimated to be transmitted through U disk virus.
Performance of the two viruses:
1 My rising anti-virus software to turn off, rising anti-virus software can not run. Rising antivirus can not be opened, can not unload, also can not reinstall. Into the rising antivirus installation interface is the virus shut down the process.
2 cannot display hidden files. Cannot change menus-tools-Folder Options-view-hides files and folders, showing that all files and folders do not work.
3 Super Bunny Magic Settings are not open. Super Bunny Magic Settings also can't run. Can uninstall and reinstall, but not open, the software can not run.
4 have a lot of software work is not normal, can not run, a flash.
5 Internet access, browser search engine if there are sensitive words, such as viruses, anti-virus, rising, and so on, the browser immediately closed.
6 I put my genuine rising antivirus 2007 copy to my hard drive, open antivirus software installation disk directory, will immediately close.
7 Many software can not appear such as virus words, or immediately shut down.
8 Safe Mode also can't go in, boot press F8 key cannot enter Safe mode.
Three coping
1 because Windows Resource Manager cannot display hidden files, open the hard disk with the external software ACDSee resource Manager, ACDSee can view files that have hidden properties. Found in addition to the system disk C: Several hard drives, in the root directory more than two hidden files: 05AE9FE4.exe and Autorun.inf.
Use Notepad to view the contents of the Autorun.inf as follows:
[AutoRun]
Open=05ae9fe4.exe
Shell\open= Open (&o)
Shell\open\command=05ae9fe4.exe
Shell\open\default=1
Shell\explore= Resource Manager (&X)
Shell\explore\command=05ae9fe4.exe
The use of automatic operation to run the virus, with U disk virus characteristics.
05AE9FE4.exe and Autorun.inf Two files can be deleted, but will appear again immediately after deletion.
Since it is not possible to determine the extent of the virus infection, reloading the system is not necessarily useful.
2 Using the System Configuration Utility to view the Startup items, no problem was found.
Using Windows Task Manager to view processes, no suspicious processes are detected, most processes are terminated, and virus processes cannot be prevented.
The process manager with the optimization master cannot find out which process is the problem.
3 use my virus-infected machine to surf the internet, to find the answer, IE browser is controlled by virus, can not search out the answer. Type virus antivirus rising and so on, the browser is immediately closed. In addition to find a machine, the Internet, search keyword "Rising anti-virus software can not run", referring to the method of netizens, on my machine to do the following test:
Create a new two folder on your desktop, named 05AE9FE4.exe and Autorun.inf. Right-click Copy.
Use the ACDSee software resource Manager to open the hard drive, delete two files under the root of the hard disk 05AE9FE4.E xe and Autorun.inf, right click Paste, paste two empty folders, two empty folders instead of two hidden virus files. Virus found that the file was deleted, also can not create new virus files, because the file name is the same, virus files can not be copied in (in the same directory, if there is a folder, and then want to paste in the same name of the file, you will be prompted to have the same file name files or folders, In the same way, replace all the virus files in the root directory of several hard drives except the system disk.
Here's how to find out where the virus really hides.
Disable System Restore all on my computer. Clears the page address. Internet Browser Properties-General-internet temporary files-clears temporary files and clears history.
Download Sreng software, virus is also sensitive to Sreng software, at the beginning, Sreng software was shut down several times. I renamed the Sreng software (for example, can be renamed as 3322.com), in the open moment, quickly click the Startup Items tab, Sreng software finally can be stabilized.
With Sreng Software finally found a startup item, associated to C:\Program Files\Common Files\Microsoft Shared\msinfo\05ae9fe4.exe, this is the real hidden virus, finally found the virus's lair. Delete this startup item and set up another one immediately. Can't erase it. Delete C:\Program Files\Common Files\Microsoft Shared\msinfo\05ae9fe4.exe This file, the prompt file is in use and cannot be deleted. Try to change the properties of the file, remove the hidden attributes, succeed, immediately rename the file as 05AE9FE46666.exe, successful. The virus created another file C:\Program Files\Common Files\Microsoft Shared\msinfo\05ae9fe4.dll, by the way deleted.
View the deleted startup items, the associated file name, or C:\Program Files\Common Files\Microsoft Shared\msinfo\ 05AE9FE4.exe did not change, immediately reboot the system, the symptoms of the virus disappeared, was renamed after the virus became a zombie. Remove the virus file and remove the startup entry that was created by the virus. Can view hidden files, Super Rabbit Magic settings can be launched, rising anti-virus software or can not start.
Remove after the installation of rising antivirus, prompted the Virus basic library installation error, continue to install the completion, rising antivirus can not run. Ann loading and unloading several times, rising is not normal work. The installation process prompts for errors, after the installation is complete, can not start automatically, double-click Rav.exe file, prompted the system could not find the file D:\Siring\Rav\Rav.exe.
I remember when I was working on the virus, I opened a few times the directory of rising anti-virus software, is a flash, was turned off by the virus, and the virus in the D: disk's root directory to establish a hidden file, recorded the rising anti-virus software some of the basic information (virus created by the file I deleted, forgot to record the file name and content, Only remember the file has recorded the rising anti-virus software folder location and other information. Think of the virus is not to the register to write something, prohibit rising normal operation or reload.
So completely uninstall rising antivirus, restart the system, with optimization master clean up the registry, reinstall rising software, and changed the installation directory folder named "D:\ Rising Anti-Virus", to this, rising antivirus installation success. Internet, update virus library, antivirus, and in C:\Documents and settings\***\local settings\temp\ found 05AE9FE4.exe file, report is WORM.PABUG.DC virus, still in C:\windows A virus with file name 05ae9fe4.chm was found under \help.
There are no search results on the internet search 05AE9FE4.exe, and the estimated 05ae9fe4 strings are randomly generated. Remove two viruses after the antivirus ends.
Four summary: By changing the name of the virus, so that the system can not be linked to the virus, the virus into a zombie, and finally kill the virus. Antivirus software in front of the virus seems to be vulnerable, and finally even reinstall is difficult. Visible anti-virus software should also be strengthened.
WORM.PABUG.DC is the latest variant of the Worm.pabug virus, the virus randomly generated 8-digit virus file name, can not be the name of the virus to be the virus. Only to see the Startup items to kill the virus, here to praise the Sreng software. My safe mode is also repaired with Sreng software.
