Dl1.exe, seen in the Task Manager process list, belongs to a virus named Worm.Win32.Delf.cc (Dove).
The virus has the following symptoms:
1. Safe Mode is destroyed.
2. Hidden files cannot be displayed.
3. Common antivirus software and common antivirus tools are terminated.
4. Windows are monitored.
5. IFEO image hijacking.
6. It can spread through removable storage.
After the virus runs, it drops a DLL whose name is a combination of eight digits and letters, and a .dat file with the same name, under C:\Program Files\Common Files\Microsoft Shared\MSInfo\.
In this case it is C:\Program Files\Common Files\Microsoft Shared\MSInfo\41115BDD.dll.
This DLL is injected into the Explorer process.
It terminates (including but not limited to) the following processes:
360rpt.exe
360Safe.exe
360tray.exe
Adam.exe
AgentSvr.exe
AppSvc32.exe
Autoruns.exe
Avgrssvc.exe
AvMonitor.exe
Avp.com
Avp.exe
CCenter.exe
CcSvcHst.exe
FileDsty.exe
FTCleanerShell.exe
HijackThis.exe
IceSword.exe
Iparmo.exe
Iparmor.exe
IsPwdSvc.exe
Kabaload.exe
KaScrScn.SCR
KASMain.exe
KASTask.exe
KAV32.exe
KAVDX.exe
KAVPFW.exe
KAVSetup.exe
KAVStart.exe
KISLnchr.exe
KMailMon.exe
KMFilter.exe
KPFW32.exe
KPFW32X.exe
KPFWSvc.exe
KRegEx.exe
KRepair.COM
KsLoader.exe
KVCenter.kxp
KvDetect.exe
KvfwMcl.exe
KVMonXP.kxp
KVMonXP_1.kxp
Kvol.exe
Kvolself.exe
KvReport.kxp
KVScan.kxp
KVSrvXP.exe
KVStub.kxp
Kvupload.exe
Kvwsc.exe
KvXP.kxp
KvXP_1.kxp
KWatch.exe
KWatch9x.exe
KWatchX.exe
Loaddll.exe
MagicSet.exe
Mcconsol.exe
Mmqczj.exe
Mmsk.exe
NAVSetup.exe
Nod32krn.exe
Nod32kui.exe
PFW.exe
PFWLiveUpdate.exe
QHSET.exe
Ras.exe
Rav.exe
RavMon.exe
RavMonD.exe
RavStub.exe
RavTask.exe
RegClean.exe
Rfwcfg.exe
RfwMain.exe
RfwProxy.exe
Rfwsrv.exe
RsAgent.exe
Rsaupd.exe
Runiep.exe
Safelive.exe
Scan32.exe
Shw.32.exe
SmartUp.exe
SREng.exe
Symlcsvc.exe
SysSafe.exe
TrojanDetector.exe
Trojanwall.exe
TrojDie.kxp
UIHost.exe
UmxAgent.exe
UmxAttachment.exe
Umxcmd.exe
UmxFwHlp.exe
UmxPol.exe
UpLive.EXE.exe
WoptiClean.exe
Zxsweep.exe
Common antivirus software and some security tools are all killed by it.
It then uses IFEO to point these exe images to c:\program files\common files\microsoft shared\msinfo\41115bdd.dat, which hijacks them.
It also monitors windows for the following words. If a window containing any of them is found, it is closed immediately.
Trojan
MoMA
Virus
Anti-Virus
Anti-Virus
Virus Detection
Anti-Virus
Anti-Virus
Kill
Zookeeper
Kaspersky
Jiang min
Rising
KaKa community
Kingsoft drug overlord
Kingsoft community
360 security
Malware
Rogue Software
Report
Alarm
Kill soft
Zookeeper
Anti-renewal
All of the monitoring and window-closing operations above are performed by C:\Program Files\Common Files\Microsoft Shared\MSInfo\41115BDD.dll, which is injected into the Explorer process.
It is worse than pandatv, because you cannot find a process for it.
It then goes to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
and adds the registry entry <{15BD4111-4111-5BDD-115B-111BD1115BDD}> <C:\Program Files\Common Files\Microsoft Shared\MSINFO\41115BDD.dll> [N/A]
so that it starts automatically.
The DLL monitors this registry entry. If it is deleted, it is restored immediately.
It deletes the keys
HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}
HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}
to sabotage Safe Mode.
It sets HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue to 0x00000000,
so hidden files cannot be displayed.
It drops 8668122f.exe (note: the file name varies with each computer) and autorun.inf onto every partition except the system partition.
Then it downloads a self-extracting file, dl1.exe, to a temporary folder through the assumerimport link network.
When the file is extracted it releases C:\WINDOWS\system\20290.exe,
C:\WINDOWS\system\ad1309.exe,
C:\WINDOWS\system\DiskFree_hy1.5.exe,
C:\WINDOWS\system\dodolook027.exe and other files.
These include driver Trojans and rogue software.
After all of these files have run,
the following files have been added:
C:\WINDOWS\system32\drivers\acpidisk.sys
C:\WINDOWS\system32\drivers\tolnfo47.sys
C:\WINDOWS\system32\drivers\vilpew30.sys
C:\WINDOWS\system32\drivers\ykagjt85.sys
C:\WINDOWS\system32\1b.dll
C:\WINDOWS\system32\48a69
C:\WINDOWS\system32\60e4.exe
C:\WINDOWS\system32\7df9.dll
C:\WINDOWS\system32\91b6.dll
C:\WINDOWS\system32\b60.dll
C:\WINDOWS\system32\bpjlgv91.dll
C:\WINDOWS\system32\df91.dll
C:\WINDOWS\system32\f91b.exe
C:\WINDOWS\system32\ieagent.exe
C:\WINDOWS\system32\mprmsgse.axz
C:\WINDOWS\system32\mscpx32r.det
C:\WINDOWS\system32\MSRundll.exe
C:\WINDOWS\system32\ntprint.dIl
C:\WINDOWS\system32\tolnfo47.dll
C:\WINDOWS\system32\tolnfo47.ini
C:\WINDOWS\system32\vilpew30.dll
C:\WINDOWS\system32\wingjt85.bin
C:\WINDOWS\system32\wingjt85.dll
C:\WINDOWS\system32\winkx.dll
C:\WINDOWS\system32\winlgv91.bin
C:\WINDOWS\system32\winpew30.bin
C:\WINDOWS\system32\winpew30.dll
C:\WINDOWS\system32\ykagjt85.dll
C:\WINDOWS\system32\cewrndm.dll
C:\WINDOWS\system32\tolnfo47.dll
C:\WINDOWS\system32\vilpew30.dll
C:\WINDOWS\system32\b60.dll
C:\WINDOWS\03.bmp
C:\WINDOWS\3fa.exe
C:\WINDOWS\41115BDD.hlp
C:\WINDOWS\fa7c.txt
C:\Program Files\Internet Explorer\PLUGINS\system2.jmp
C:\Program Files\Internet Explorer\PLUGINS\SystemKb.sys
Two software packages are installed: adpush software and disk free.
========================================================== ============================
How to delete the dl1.exe Virus
First: use Task Manager to end the assumer.exe process.
Then, use WinRAR to open C:\Program Files\Common Files\Microsoft Shared\MSInfo.
The method is to start the WinRAR program first, and then click Open --> level 1 to open the above directory. In MSInfo there will be executable files with eight-character names, such as cf62255d.dll and cf62255d.exe. Delete them.
Third: start assumer.exe.
Fourth: open the Registry Editor (Start --> Run --> regedit --> press Enter).
Under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options, the antivirus software that has been disabled is listed. Delete the entry named after an antivirus program and that program can run again.
Fifth: run the antivirus software on your computer, update it, and complete the disinfection.
The virus name is Worm.Win32.Delf.cc (Dove). There may be variants, in which case the cc will be something else.
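A read-only audit of the registry and file locations named in this write-up, useful for confirming that the cleanup took effect. This is an added example, not part of the original write-up; the hexadecimal file-name pattern is an assumption drawn from the two sample names on the page (41115BDD, cf62255d).

```powershell
# Added example (not from the original write-up): read-only audit, run elevated.
$findings = New-Object System.Collections.Generic.List[string]

# 1. IFEO hijack: a Debugger value under an executable's subkey redirects its launch.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
foreach ($key in Get-ChildItem -LiteralPath $ifeo -ErrorAction SilentlyContinue) {
    $dbg = $key.GetValue('Debugger')
    if ($dbg) { $findings.Add("IFEO Debugger: $($key.PSChildName) -> $dbg") }
}

# 2. ShellExecuteHooks: each value name is a CLSID; resolve it to the DLL it loads.
$hooks = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'
$hookKey = Get-Item -LiteralPath $hooks -ErrorAction SilentlyContinue
if ($hookKey) {
    foreach ($clsid in $hookKey.GetValueNames()) {
        if (-not $clsid) { continue }   # skip the unnamed default value
        $srv = Get-Item -LiteralPath "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue
        $dll = if ($srv) { $srv.GetValue('') } else { '<CLSID not registered>' }
        $findings.Add("ShellExecuteHook (review): $clsid -> $dll")
    }
}

# 3. Safe Mode: the disk-drive class key must exist under both SafeBoot branches.
$class = '{4D36E967-E325-11CE-BFC1-08002BE10318}'
foreach ($mode in 'Minimal', 'Network') {
    $p = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$mode\$class"
    if (-not (Test-Path -LiteralPath $p)) { $findings.Add("SafeBoot key missing: $p") }
}

# 4. Hidden-file display: SHOWALL CheckedValue is normally 1; the page reports it set to 0.
$showAll = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
$k = Get-Item -LiteralPath $showAll -ErrorAction SilentlyContinue
$cv = if ($k) { $k.GetValue('CheckedValue') } else { $null }
if ($cv -ne 1) { $findings.Add("SHOWALL CheckedValue is '$cv' (expected 1)") }

# 5. Dropped files in MSInfo. Assumption: names are eight hex characters, as in the
#    page's samples; a hex-only pattern also keeps the legitimate msinfo32.exe out.
$msinfo = Join-Path $env:CommonProgramFiles 'Microsoft Shared\MSInfo'
Get-ChildItem -LiteralPath $msinfo -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '^[0-9A-Fa-f]{8}\.(dll|dat|exe)$' } |
    ForEach-Object { $findings.Add("Suspicious file: $($_.FullName)") }

if ($findings.Count -gt 0) { $findings } else { 'No indicators from this write-up were found.' }
```

ShellExecuteHooks entries are listed for review rather than flagged outright, since legitimate shell extensions can also register there.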