Complete manual removal techniques for the auto / autorun.inf / desktop.ini / sxs.exe / auto.exe viruses

Source: Internet
Author: User
Tags: microsoft frontpage

This article describes the complete manual removal of the auto / autorun.inf / desktop.ini / sxs.exe / auto.exe class of viruses. Combined with the system image (ghost) method described below, this class of virus has nowhere to hide.

The symptoms of this recent virus are:

1. Each partition contains three hidden files named autorun.inf, desktop.ini and sxs.exe. The EXE file is the virus body!

2. You cannot open a partition (drive D:, for example) by double-clicking it. After double-clicking, a prompt appears asking which program to open it with!

3. The first item in the drive's right-click menu is "auto", and it cannot be removed.

4. The "Show hidden files and folders" option in Folder Options cannot be selected (this is the most serious case).
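To show where symptoms 2 and 3 come from, here is a small parser (an added example, not part of the original article) that reads an autorun.inf and reports which directives make Explorer run a program; the sample file is constructed to mirror what this family drops next to sxs.exe.

```python
# Added example (not from the original article): parse an autorun.inf the way
# a triage script would, to show what Explorer runs on double-click and why
# "auto" becomes the first item of the drive's right-click menu.
import configparser

# Constructed sample, modelled on the autorun.inf this virus family drops next
# to sxs.exe in the root of every partition.
SAMPLE_AUTORUN_INF = """[AutoRun]
open=sxs.exe
shellexecute=sxs.exe
shell\\Auto\\command=sxs.exe
shell=Auto
"""

def parse_autorun(text):
    """Return the [autorun] section as a dict (configparser lower-cases keys)."""
    cp = configparser.RawConfigParser(delimiters=("=",), strict=False)
    cp.read_string(text)
    for section in cp.sections():
        if section.lower() == "autorun":
            return dict(cp.items(section))
    return {}

def launched_commands(entries):
    """List each directive that would execute a program, with its trigger."""
    cmds = []
    if "open" in entries:          # run by AutoPlay / as the double-click action
        cmds.append(f"open -> {entries['open']}")
    if "shellexecute" in entries:  # same trigger, launched via ShellExecute
        cmds.append(f"shellexecute -> {entries['shellexecute']}")
    default_verb = entries.get("shell", "").lower()
    for key, val in entries.items():
        parts = key.split("\\")    # shell\<verb>\command=<program>
        if len(parts) == 3 and parts[0] == "shell" and parts[2] == "command":
            note = " (default verb: bold first context-menu item)" if parts[1] == default_verb else ""
            cmds.append(f"shell\\{parts[1]}\\command -> {val}{note}")
    return cmds

def is_suspicious(entries):
    """True when the file makes Explorer run something, not just set icon/label."""
    return bool(launched_commands(entries))

if __name__ == "__main__":
    entries = parse_autorun(SAMPLE_AUTORUN_INF)
    for line in launched_commands(entries):
        print(line)
    print("suspicious:", is_suspicious(entries))
```

A legitimate autorun.inf that only sets icon= and label= produces no findings, so the same check can be run over every drive root before deciding what to delete.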

There is already related information on the Internet (attached at the end), but some of it is cumbersome and some of it is not really useful. Here we provide a commonly used manual solution for your reference.

If your system shows only one or two of the four symptoms above, they are easier to handle.

1. Boot into Safe Mode. Do not double-click any drive; instead right-click the drive or open Windows Explorer from the right-click menu, then open Folder Options and select "Show hidden files and folders".

2. Open (do not double-click) the C: drive, D: drive and so on, and check whether the three files above, or one or two of them, are present. If so, delete them. (Do not double-click any of these files, or the virus will be executed immediately.)

3. If they are not visible, open Folder Options again and check whether the setting is still the same. If the setting has changed back, the virus is currently running; go to step 4.

4. If the virus is already running, the only way to change the settings above is to forcibly stop the virus process. There are many ways to do this; one method is given here for reference.

================ Method 1: ending the virus process ================

Many people find that they cannot delete a virus file directly from an infected computer: because the virus is running, there is no way to delete it.
Many people like to use third-party tools to end the virus process and then scan and kill the virus. In fact, I do not agree with relying on third-party tools, because they are made by other people and we only use them; I never learn how they work, so I would always remain a newbie (cainiao).

Here we will show you two ways to end the process without using a third-party tool.

First, this method has been tested on XP. For example, to end the aaa.exe process, click Start, then Run, and enter cmd. At the command prompt enter taskkill /IM aaa.exe (add /F if the process refuses to exit) and the process is forcibly killed.

Second, the method above works for some viruses, but for some more "stubborn" ones it may not. In that case, the built-in ntsd command of Windows 2000 and later can forcibly kill any virus process; the only processes it cannot terminate are the system processes smss.exe and csrss.exe.
Press Ctrl+Alt+Delete to open Windows Task Manager, click "View" in the menu, tick the "PID" option (under "Select Columns") and click OK, then switch to the "Processes" tab. You can now see the PID of the virus process.

For example, if the PID of the virus is 123, enter "ntsd -c q -p 123" at the command prompt to end the virus process.
If you want to see the usage of the ntsd parameters (as long as you have patience and your English is good enough), enter ntsd /?.

As for viruses that hide their own processes, I am sorry, my abilities are limited. So far I have used third-party tools to view hidden processes, so in this regard I consider myself a rookie; please forgive me!

================ End of Method 1: ending the virus process ================

There are other methods, such as using software like Master Optimization or 360 Security Guard to end the virus process. (If you cannot tell which process is the virus, end all the non-system processes and go back to step 1; which processes are system processes is covered in step 1.)

5. You should now be able to see the three files above on each drive. Delete them, forcing the deletion if necessary.

6. Use Search to find the desktop.ini files. You will find one in every folder, possibly thousands in total; select them all and press Shift+Del to delete them permanently. This is safe, even on drive C:!

7. After the deletion, restart the computer and check whether it works normally. Sometimes the problem persists and "auto" is still in the context menu. If so, your system has one of the more troublesome variants. You can refer to the material from the Internet below for solutions, but they involve modifying the registry and the like. If it were me, I would leave it alone and ghost the system: there is no need to spend more than 30 minutes on something a reinstall fixes. (We recommend the Computer Company Ghost XP 6.0 edition, which is really easy to use.)

8. After reinstalling or restoring a ghost image, the virus outside drive C: is still there and will not die by itself. However, the system itself is now clean, so process the other drives from step 1 onwards; be sure to start from step 1. Once again, do not double-click any drive letter, otherwise all the work is undone and you will have to reinstall again!

After this processing, the virus problem on your system should be solved. If it is a different virus, use other methods. We recommend that after cleaning up the virus above you install an anti-virus product that can be updated and run a full scan. Kaspersky (Kabbah) is recommended; however, in the past few days Kaspersky may be unable to update because of the earthquake damage to submarine cables and the official Kaspersky crackdown on piracy. (To install Kaspersky, download and install 360 Security Guard from www.360safe.com, then download and activate Kaspersky through it, which upgrades it to a genuine copy. Of course Rising or other anti-virus software is also fine, as you prefer.) After the scan is complete, install your software, and ideally use ghost to back up the system so that you can quickly restore it if there is a problem later. For that you need a tools CD; we recommend the Ghost XP company edition mentioned above. If you cannot find it, contact me via QQ: 24560974 and I will help you find it.

Well, enjoy your system!

============ The following are solutions for this virus found on the Internet, for reference ==============

Worm.Viking.m
This virus is a complex Windows virus that combines infection of executable files, network propagation, and downloading of Trojans or other viruses. After it runs, it disguises itself as a normal system file to confuse users and modifies the registry so that it runs automatically at startup. It uses thread injection to bypass firewall monitoring and connects to a website specified by the virus author to download specific Trojans or other viruses. At the same time, it enumerates all accessible shares on the intranet and tries to connect to target computers using weak passwords.
While running, it infects executable files on the user's machine, which slows the machine down and damages the executables, endangering the user's security.
The virus spreads through shared directories, file bundling, running infected programs, and virus-infected email attachments.

1. It copies itself to the Windows folder as:
%SystemRoot%\rundl132.exe

2. When an infected file is run, the virus copies itself to:
%SystemRoot%\logo_1.exe

3. At the same time, the virus generates in its own directory:
<virus directory>\vdll.dll

4. It searches all available partitions for EXE files, starting from drive Z:, and infects all executables between 27 KB and 10 MB in size. After infection it generates in each infected folder:
_desktop.ini (file attributes: system and hidden)

5. The virus tries to modify the %SystemRoot%\System32\drivers\etc\hosts file.

6. It adds the following registry values so that it runs automatically at startup:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Load"="C:\winnt\rundl132.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"Load"="C:\winnt\rundl132.exe"

7. While running, the virus looks for a window of class "RavMonClass" and, if found, sends it a message to close the program.

8. It enumerates the following anti-virus process names and terminates them when found:
Ravmon.exe
Eghost.exe
Mailmon.exe
Kavpfw.exe
Iparmor.exe
Ravmond.exe

9. At the same time, the virus tries to stop anti-virus software with the following command:
net stop "KingSoft Antivirus service"

10. It sends the ICMP probe data "Hello, world" to determine the network status. When the network is available,
it enumerates all shared hosts on the internal network and tries to connect to shares such as \IPC$ and \ADMIN$ with weak passwords. After a successful connection, it infects the remote machine over the network.

11. It infects EXE files on the user's machine, except files in the following folders:
System
System32
Windows
Documents and Settings
System volume information
Recycled
Winnt
Program Files
Windows NT
Windowsupdate
Windows Media Player
Outlook Express
Internet Explorer
Complus applications
NetMeeting
Common files
Messenger
Microsoft Office
InstallShield installation information
MSN
Microsoft Frontpage
Movie Maker
MSN gaming zone

12. It enumerates the system processes and tries to inject the virus DLL (vdll.dll) into a process with one of the following names:
Explorer
Iexplore
When a matching process is found, the DLL is injected into one of the two at random.

13. When the Internet is available, the injected DLL tries to connect to the following sites to download and run related programs:
http://www.17**.com/GUA/zt.txt, saved as C:\1.txt
http://www.17**.com/GUA/wow.txt, saved as C:\1.txt
http://www.17**.com/GUA/mx.txt, saved as C:\1.txt

http://www.17**.com/GUA/zt.exe, saved as %SystemRoot%\0sy.exe
http://www.17**.com/GUA/wow.exe, saved as %SystemRoot%\1sy.exe
http://www.17**.com/GUA/mx.exe, saved as %SystemRoot%\2sy.exe
Note: all three programs are Trojans.

14. The content of the downloaded "1.txt" is added to the following registry items:

[HKEY_LOCAL_MACHINE\SOFTWARE\soft\downloadwww]
"Auto"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows]
"Ver_down0" = "[boot loader] \\\\\\\\\\\\\\\\\++ ++ ++"
"Ver_down1" = "[boot loader]
Timeout = 30
[Operating systems]
Multi (0) disk (0) RDISK (0) Partition (1) \ Windows = \ "Microsoft Windows XP Professional \"////"
"Ver_down2" = "default = multi (0) disk (0) RDISK (0) Partition (1) \ WINDOWS
[Operating systems]
Multi (0) disk (0) RDISK (0) Partition (1) \ Windows = \ "Microsoft Windows XP Professional \"/////"
Five major sins of the "Viking" virus
Sin 1: infects system files
The system is damaged and manual cleaning is difficult;
Sin 2: downloads malicious Trojans
They steal World of Warcraft and Legend accounts, open a backdoor that lets hackers take complete control of the system, and drop the QQRobber virus;
Sin 3: multi-channel network propagation
It spreads through infected files and LAN shares;
Sin 4: forcibly disables well-known Chinese anti-virus software
This reduces system security and leaves the machine vulnerable to other viruses;
Sin 5: many variants
Multiple variants appeared within a few days

A few days ago, while working at a computer company, I found that a considerable number of customers could not open their hard drives by double-clicking! Right-clicking showed that the first item was no longer "Open" but something called "auto". Needless to say, this is a virus trick. Generally speaking, computer companies are used to installing systems; isn't that simple? Anyone who has worked in a computer company for three or five days can do it. However, the problem was not solved after our company's technical trainees and the customers reinstalled the system (the all-powerful clone takes only a few minutes!). I had to solve it manually!

Of course, when killing a Trojan, the process and the hidden files and extensions must be taken into consideration. However, this virus had already made its move here. In Folder Options, under "Hidden files and folders", there are the options "Do not show hidden files and folders" and "Show all files and folders". Select "Show all files and folders", click "Apply" to confirm, then reopen the dialog: the setting has been automatically changed back. Fortunately, I had seen super-hidden files and the like before, and I had also saved a registry file that restores showing hidden files and folders!

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000001

Open the registry and find the key above. You will find that CheckedValue is set to 0; on a normal computer it is 1. Change it to 1, set the folder option again to show all files and folders, and it stays normal. Then you find several hidden files under each partition. No wonder reinstalling the system was useless, and even Rising anti-virus could not be installed! End the related processes, delete all related files, and the right-click menu returns to normal! It turned out that the virus files had configured the system so that users could not display hidden files and therefore could not see them! After they were deleted, anti-virus software could be installed. Everything was normal with no other problems! Although the problem is quite simple, a considerable number of customers came in with the same repair problem in the past few days; I don't know whether it is something new! Although it is the most basic thing for people who work with computers, it is not a simple problem for ordinary users!

I studied it a little more later. I have had nothing much to do recently and nothing to blog about, so I am posting it here for beginners to look up. Don't laugh!

1. In the registry under [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden]
there are two subkeys: NOHIDDEN and SHOWALL. Some people say there are three (on Windows 98), but my own computer has only these two. NOHIDDEN naturally means do not show hidden files, and SHOWALL shows all files. Both subkeys have a CheckedValue and a DefaultValue!
In the example above, the value that was changed is CheckedValue under [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL].
The system default is "CheckedValue"=dword:00000001, "DefaultValue"=dword:00000002. If CheckedValue is set to 0, hidden files cannot be displayed at all! Normally you can hide folders and files through their attributes, but users with basic knowledge know how to switch the setting to show hidden files, so the virus modifies the registry and sets CheckedValue under SHOWALL to 0 to stop ordinary users from viewing them. This is no use against old hands!
2. DefaultValue controls what the Folder Options dialog selects when you restore defaults! I did not find the meaning of each value documented by Microsoft, but it can be set to 1, 2 or 0. If DefaultValue of [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL] is set to 1, then when you restore defaults on the View tab you will find both radio buttons selected. If you want showing all hidden files to be the default, set DefaultValue of NOHIDDEN to 1 and DefaultValue of SHOWALL to 1! Then restoring defaults shows all hidden files! You can change it and see the effect for yourself.
3. If you have encountered a similar problem, you can check whether you have been hit! I hope to go through the registry and leave detailed notes on each value!
4. Something seen on the Internet: using Registry Editor, you can also hide all three radio buttons under the "Hidden files" item on the "View" tab. You only need to clear the "Text" string value in the NOHIDDEN, NOHIDORSYS and SHOWALL branches under Hidden (note: on Windows XP the key names differ). Then exit Registry Editor and look at the "View" tab: "Hidden files and folders" is empty. Anyone who wants to view your personal files gets two words: no way, because there is nothing to choose here! (If you delete Hidden and NOHIDDEN, nothing happens. Haha)

Attachment: default Folder Options (on Windows XP, save the following text as a .reg file and import it into the registry to fix the related problem):

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden]
"Text"="@shell32.dll,-30499"
"Type"="group"
"Bitmap" = hex (2): 25, 00, 53,00, 79,00, 00, 00, 6f, 00 ,\
, 25, 00, 5C, 79, 00, 00, 6d, 00, 00, 5C, 00 ,\
, 4C, 00, 4C, 00, 00, 2e, 00, 6C, 00, 00, 2c ,\
00
"HelpID"="shell.hlp#51131"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN]
"RegPath"="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced"
"Text"="@shell32.dll,-30501"
"Type"="radio"
"CheckedValue"=dword:00000002
"ValueName"="Hidden"
"DefaultValue"=dword:00000002
"HKeyRoot"=dword:80000001
"HelpID"="shell.hlp#51104"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"RegPath"="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced"
"Text"="@shell32.dll,-30500"
"Type"="radio"
"CheckedValue"=dword:00000001
"ValueName"="Hidden"
"DefaultValue"=dword:00000002
"HKeyRoot"=dword:80000001
"HelpID"="shell.hlp#51105"
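An added example (not part of the original article) that reads a .reg export of the Folder\Hidden key and flags any NOHIDDEN/SHOWALL values that differ from the XP defaults listed in the attachment above; the tampered export it checks is constructed, with SHOWALL\CheckedValue forced to 0 as the virus does.

```python
# Added example (not from the original article): a small .reg parser that
# audits an exported Folder\Hidden key for the SHOWALL\CheckedValue tampering.
import re

HIDDEN_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
              r"\Explorer\Advanced\Folder\Hidden")
# Clean Windows XP values, as listed in the attachment above.
EXPECTED = {"NOHIDDEN": {"CheckedValue": 2, "DefaultValue": 2},
            "SHOWALL":  {"CheckedValue": 1, "DefaultValue": 2}}

# Constructed export of an infected machine (CheckedValue under SHOWALL is 0).
TAMPERED_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden]
"Bitmap"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN]
"CheckedValue"=dword:00000002
"DefaultValue"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000000
"DefaultValue"=dword:00000002
"""

def parse_reg(text):
    """Return {key_path: {value_name: value}}; hex(...) data is skipped."""
    keys, current, in_hex = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if in_hex:                      # skip continuation lines of hex data
            in_hex = line.endswith("\\")
        elif line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif (m := re.match(r'^"([^"]+)"=(.*)$', line)) and current is not None:
            name, val = m.group(1), m.group(2)
            if val.lower().startswith("hex"):
                in_hex = val.endswith("\\")
            elif val.lower().startswith("dword:"):
                keys[current][name] = int(val[6:], 16)
            elif len(val) >= 2 and val[0] == val[-1] == '"':
                keys[current][name] = val[1:-1].replace("\\\\", "\\")
    return keys

def audit_hidden_policy(reg_text):
    """List NOHIDDEN/SHOWALL values that differ from the clean XP defaults."""
    keys = {k.lower(): {n.lower(): v for n, v in vals.items()}
            for k, vals in parse_reg(reg_text).items()}   # registry names are case-insensitive
    findings = []
    for sub, expected in EXPECTED.items():
        vals = keys.get(f"{HIDDEN_KEY}\\{sub}".lower(), {})
        for name, want in expected.items():
            got = vals.get(name.lower())
            if got != want:
                findings.append(f"{sub}\\{name}: expected {want}, found {got}")
    return findings
```

Export the key with `regedit /e` on the suspect machine and feed the file to audit_hidden_policy; an empty result means Folder Options has not been tampered with.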

Supplement:

In the cases I have seen, the first item in the right-click menu of each disk is "auto". No relevant information was found on the Internet. This file also appears to have changed: the process cannot be seen in Task Manager, and after deletion it is restored immediately. An ourfns.exe file and a related DLL (name forgotten) are found in C:\windows\system32 and referenced in the registry; the startup item of this executable is not found in Task Manager and cannot be deleted. We recommend ending the process with IceSword and then performing the related operations!

Drives D: and E: cannot be opened by double-clicking; the first item in the right-click menu is "auto" in bold. Whatever the reason, drive C: can still be opened by double-clicking (12-26). The solution is:

1. Run regedit.exe in Safe Mode, search for all key values containing autorun.exe and delete them; press F3 to keep searching until none remain.
2. Search the hard drive for autorun.exe and delete all copies.
3. Press Ctrl+Alt+Del and end the autorun.exe process whose user name is the current user (identify it by its PID).
4. Run msconfig and remove the tick in front of boot.exe on the Startup tab.
