CPU at 100% on boot: cleanup method for the cmd.exe Trojan process (virus removal)

Source: Internet
Author: User
Tags: safe mode
Release time: 2007-02-09
Infection symptoms:
On boot the CPU sits at 100%. Checking the process list shows that Cmd.exe is taking the vast majority of the CPU. After Cmd.exe is ended, CPU utilization returns to normal, but after a while the CPU is back at 100% and cmd.exe is again taking most of the CPU.
  
1. Installed Ewido and scanned for Trojans; it identified a number of infected files, which were deleted. But this morning the CPU was at 100% again, with cmd.exe still taking the vast majority of the CPU.
  
2. Reinstalled "Trojan Clear Expert 2006" and scanned; it found no Trojan.
  
3. Checked the size of cmd.exe in System32; the result is as follows:
Cmd.exe Size: 459 KB (470,016 bytes)
Size on disk: 460 KB (471,040 bytes)
  
There appears to be nothing abnormal about it.
Workaround:
If this happens, unfortunately there is a 99% chance you have the Trojan. To verify further, assuming Windows is installed on C:\, first open Folder Options and enable showing hidden files and showing all file name extensions, then:
Check your C:\Program files\internet explorer\plugins\ directory; you should find two files, New123.bak and new123.sys.
Look in your C:\Documents and settings\administrator\local settings\temp\ directory; you should find a file named Microsoft.bat. Open Microsoft.bat with Notepad and you will see that it references an EXE file (the exact name varies); you will also find that EXE file in the same directory.
If the two steps above do not turn up the relevant files, change your folder view so that known file extensions are no longer hidden, then search the system disk for the files to confirm whether or not they are present.
Trojan description
The Trojan is installed mainly by an installer the user ran: most likely an application (such as some version of QQ, etc.) downloaded from an unknown download site. During installation, without prompting the user, the installer drops the real Trojan as an IE plug-in, so ordinary anti-virus and anti-Trojan programs do not recognize it. Whenever you run a program that calls IE, the Trojan is invoked automatically, which produces the situation described under "symptoms".
The Trojan's main file is New123.sys, classified as TROJAN-PSW.WIN32.DELF.MC; it may steal the account names and passwords of some of your applications.
Trojan removal
The Trojan can be removed manually quite easily; the procedure is as follows:
1. Open Task Manager and end the running Cmd.exe process; CPU usage will drop noticeably.
2. Go to the C:\Documents and settings\administrant\local settings\temp\ directory and delete Microsoft.bat together with the EXE file it mentions. (Leaving these does not cause a problem, but it is best to clear them out.)
3. Go to the C:\Program files\internet explorer\plugins\ directory and delete the New123.bak file. You cannot delete New123.sys at this point because the system has it in use; there are two ways to deal with it:
   - Reboot the machine into Safe Mode and delete New123.sys there;
   - The file cannot be deleted in the current state, but it can be renamed: rename New123.sys to New123.sysdel, restart the machine (no need for Safe Mode), then delete New123.sysdel.
After this, if the situation described under "symptoms" no longer occurs, the cleanup was successful.
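A triage script, added here and not part of the original post, that checks for the indicators the post describes: a running cmd.exe, New123.bak/New123.sys in the IE plugins directory, Microsoft.bat in the user's temp directory and the EXE it references, and the size of system32\cmd.exe for comparison with the 470,016 bytes reported above. It assumes PowerShell is available and uses the paths from the post (the XP-style profile layout and the "administrator" account).

```powershell
# Added example (not the post's own code). Paths are assumptions taken from the post.
$pluginDir = Join-Path $env:ProgramFiles 'Internet Explorer\plugins'
$tempDir   = Join-Path $env:USERPROFILE 'Local Settings\Temp'   # XP layout as in the post
$findings  = @()

# 1. Any running cmd.exe and its accumulated CPU time (the post's symptom)
Get-Process -Name cmd -ErrorAction SilentlyContinue | ForEach-Object {
    $findings += "cmd.exe PID $($_.Id): CPU time $([math]::Round($_.CPU, 1)) s, path $($_.Path)"
}

# 2. New123.bak / New123.sys in the IE plugins directory
foreach ($name in 'New123.bak', 'New123.sys') {
    $p = Join-Path $pluginDir $name
    if (Test-Path -LiteralPath $p) { $findings += "indicator present: $p" }
}

# 3. Microsoft.bat in the temp directory, plus every .exe name it mentions
$bat = Join-Path $tempDir 'Microsoft.bat'
if (Test-Path -LiteralPath $bat) {
    $findings += "indicator present: $bat"
    $exeNames = Select-String -LiteralPath $bat -Pattern '[\w.-]+\.exe' -AllMatches |
        ForEach-Object { $_.Matches } | ForEach-Object { $_.Value } | Sort-Object -Unique
    foreach ($exe in $exeNames) {
        $candidate = Join-Path $tempDir $exe
        $state = if (Test-Path -LiteralPath $candidate) { 'present in temp' } else { 'referenced but not found in temp' }
        $findings += "Microsoft.bat references $exe ($state)"
    }
}

# 4. Size of the real cmd.exe, to compare with the 470,016 bytes the post reports
$cmdPath = Join-Path $env:SystemRoot 'system32\cmd.exe'
if (Test-Path -LiteralPath $cmdPath) {
    $findings += "system32\cmd.exe size: $((Get-Item -LiteralPath $cmdPath).Length) bytes"
}

if ($findings.Count -gt 0) { $findings | ForEach-Object { Write-Output $_ } }
else { Write-Output 'None of the indicators described in the post were found.' }
```

The script only reports; removal still follows the manual steps above, since New123.sys cannot be deleted while the system has it in use.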
A normal XP system does not have a Cmd.exe process running at startup. Cmd.exe is the XP command prompt program, which can run DOS-style applications, but it does not start with the system, so this is probably a Trojan or other virus program; removal is recommended:
1. If the installation files are on the hard disk and the system was installed from that hard-disk installation directory, rename that installation directory first.
2. Delete C:\winnt\system32\dllcache\cmd.exe.
3. Then delete System32\cmd.exe.
4. The system will prompt that a system file is missing and ask you to insert the disc; ignore it.
