Autorun.inf + cannot show hidden files + virus cleanup methods

Source: Internet
Author: User

Situation
Right-clicking any drive runs the virus, and an 8-character xxxxxxxx.exe together with an autorun.inf file appears in the root directory of each disk.
Anti-virus and anti-Trojan tools are blocked, and NOD32 and other antivirus software cannot be started.
Hidden files cannot be displayed. Solution:
Method 1: Modify the registry. Save the following text as OK.reg and double-click it to import it:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
    "CheckedValue"=dword:00000001

If the worm has recreated CheckedValue as a string value instead of a DWORD, delete that value first so the import creates it with the correct type; otherwise the "Show hidden files and folders" option still will not take effect.

Method 2: Use the file browser of ACDSee, which shows files with the hidden attribute.

Today we ran into a tough virus and fought it out:
1. Cause
The virus appeared after I tested a file from a USB flash drive on my colleague's machine. Presumably it was spread through the USB flash drive.
2. Symptoms:
1. It shuts down my anti-virus software, which can no longer run. The Rising Antivirus service cannot be started, uninstalled or reinstalled; the virus closes the Rising installer as soon as its installation screen opens.
2. Hidden files cannot be displayed. Changing Tools - Folder Options - View - Hidden files and folders to "Show all files and folders" has no effect.
3. Super Rabbit Magic Settings cannot be opened or run. It can be uninstalled and reinstalled, but still cannot be opened.
4. Many programs no longer work properly and cannot run.
5. If a search typed into the browser contains sensitive words such as "virus", "antivirus" or "Rising", the browser is closed immediately.
6. I copied my genuine Rising Antivirus 2007 to the hard disk; as soon as I opened the installation directory of the antivirus software, the window was closed.
7. Many programs must not have words such as "virus" in their names, otherwise they are closed immediately.
8. Safe mode cannot be entered either: pressing F8 at startup to enter safe mode does not work.
3. Countermeasures
1. Because Windows Explorer cannot display hidden files, I used the file browser of ACDSee to open the hard disk; ACDSee can show files with the hidden attribute. Every hard disk partition except the system disk C: was found to have two extra hidden files in its root directory: 05AE9FE4.exe and AutoRun.inf.
Viewing AutoRun.inf in Notepad shows the following:
    [AutoRun]
    open=05ae9fe4.exe
    shell\open=Open(&O)
    shell\open\Command=05ae9fe4.exe
    shell\open\Default=1
    shell\explore=Explorer(&X)
    shell\explore\Command=05ae9fe4.exe
This runs the virus automatically whenever the drive is opened or its context-menu verbs are used, which is characteristic of USB flash drive viruses.
The 05AE9FE4.exe and AutoRun.inf files can be deleted, but reappear immediately after deletion.
Because the extent of the infection cannot be determined, reinstalling the system would not necessarily help.
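The following Python script is an added example (not part of the original post) that parses an autorun.inf body like the one shown above and flags the indicators a responder should look for: the open= and shell\<verb>\Command= entries pointing at an executable beside the file, an eight-hex-character file name of the kind Worm.Pabug generates, and the hidden attribute on that executable. The sample autorun.inf text and the temporary "infected root" are constructed for the demonstration; only the file name 05ae9fe4.exe comes from the post.

```python
import os
import re
import stat
import tempfile

# Constructed sample reproducing the autorun.inf layout quoted above
# (the file name 05ae9fe4.exe is the one from the post; the text itself
# is assembled here for the demonstration).
SAMPLE_AUTORUN = """[AutoRun]
open=05ae9fe4.exe
shell\\open=Open(&O)
shell\\open\\Command=05ae9fe4.exe
shell\\open\\Default=1
shell\\explore=Explorer(&X)
shell\\explore\\Command=05ae9fe4.exe
"""

# Worm.Pabug names its dropper with eight random hex characters.
RANDOM_HEX_NAME = re.compile(r"^[0-9a-f]{8}\.exe$", re.IGNORECASE)


def parse_autorun(text):
    """Return the [AutoRun] section as a dict of lower-cased key -> value.

    autorun.inf is INI-like, but its keys contain backslashes, so a small
    hand-written parser is used instead of configparser."""
    entries = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def launch_targets(entries):
    """Programs that would be started by open= or any shell\\<verb>\\command=."""
    targets = set()
    for key, value in entries.items():
        if key == "open" or (key.startswith("shell\\") and key.endswith("\\command")):
            parts = value.strip().strip('"').split()
            if parts:
                targets.add(parts[0].lower())
    return sorted(targets)


def assess(text):
    """Classify an autorun.inf body; returns findings a responder can act on."""
    entries = parse_autorun(text)
    targets = launch_targets(entries)
    findings = []
    for target in targets:
        if RANDOM_HEX_NAME.match(os.path.basename(target)):
            findings.append("launches random 8-hex-character executable " + target)
    if "shell\\open\\command" in entries and "shell\\explore\\command" in entries:
        findings.append("both Open and Explore context-menu verbs are hijacked")
    if entries.get("shell\\open\\default") == "1":
        findings.append("hijacked Open verb is made the default double-click action")
    return {"targets": targets, "findings": findings, "suspicious": bool(findings)}


def is_hidden(path):
    """True if the file carries the Windows hidden attribute (always False
    on non-Windows systems, where st_file_attributes does not exist)."""
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)


def scan_root(root):
    """Inspect a drive root: read autorun.inf if present, assess it and
    report whether each launch target exists beside it and is hidden."""
    inf = os.path.join(root, "autorun.inf")
    if not os.path.isfile(inf):
        return {"autorun_present": False, "suspicious": False}
    with open(inf, "r", encoding="utf-8", errors="replace") as fh:
        result = assess(fh.read())
    result["autorun_present"] = True
    result["target_files"] = {}
    for target in result["targets"]:
        path = os.path.join(root, target)
        present = os.path.isfile(path)
        result["target_files"][target] = {
            "present": present,
            "hidden": is_hidden(path) if present else False,
        }
    return result


def demo_on_constructed_root():
    """Build a throwaway directory that mimics an infected drive root and scan it."""
    root = tempfile.mkdtemp(prefix="infected_root_")
    with open(os.path.join(root, "autorun.inf"), "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_AUTORUN)
    with open(os.path.join(root, "05ae9fe4.exe"), "wb") as fh:
        fh.write(b"MZ constructed stand-in, not a real dropper")
    return scan_root(root)


if __name__ == "__main__":
    for finding in demo_on_constructed_root()["findings"]:
        print("-", finding)
```

Run it against a real drive with scan_root("E:\\") (or any mounted root); a legitimate data-drive autorun.inf normally only sets icon= or label= and produces no findings, while the layout in the post trips all three checks.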
2. Checking the startup items with the System Configuration Utility (msconfig) found nothing.
Viewing the processes in Windows Task Manager found no suspicious process; I ended most of the processes, but could not stop the virus process.
The process manager of Windows Optimization Master could not identify the process either.
3. Searching for answers from the infected computer does not work: IE is controlled by the virus, and typing "virus", "antivirus" and similar words closes the browser immediately. So I found another machine, connected it to the Internet and searched for "anti-virus software cannot run". Following the methods posted by other users, I tried the following on my machine:
Create two folders on the desktop named 05AE9FE4.exe and AutoRun.inf, then right-click and copy them.
Use the ACDSee file browser to open the hard disk, delete the two files 05AE9FE4.exe and AutoRun.inf in the root directory, then right-click and paste the two empty folders, so that the two empty folders take the place of the two hidden virus files. The virus detects that its files have been deleted, but cannot create new ones: because a folder with the same name already exists in the directory, the virus file cannot be copied in (if you try to paste a file into a directory that already contains a folder with the same name, the system reports that a file or folder with that name already exists and the paste fails). Replace the virus files in the root directories of all the other hard disk partitions except the system disk in the same way.
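The same-name-folder trick described above, written out as an added Python example (not code from the original post): the script removes each worm file from a drive root, creates an empty directory with the same name in its place, and then simulates the worm trying to write its file back to show that the write is refused. The file names are the two from the post; the "infected root" is a constructed temporary directory.

```python
import os
import shutil
import tempfile

# Names from the post: the worm's dropper and its autorun.inf.
WORM_FILES = ("AutoRun.inf", "05AE9FE4.exe")


def replace_with_placeholder_dirs(root, names=WORM_FILES):
    """Delete each named file in root and put an empty directory of the
    same name in its place. Both Windows and POSIX refuse to create a
    file whose name is already taken by a directory, which is what keeps
    the worm from dropping its files again."""
    outcome = {}
    for name in names:
        path = os.path.join(root, name)
        if os.path.isdir(path):
            outcome[name] = "already-placeholder"
            continue
        if os.path.lexists(path):
            os.chmod(path, 0o666)       # clear a read-only bit if the worm set one
            os.remove(path)
        os.mkdir(path)
        outcome[name] = "replaced"
    return outcome


def file_can_be_written(root, name):
    """Simulate the worm re-creating its file; True means the drop succeeded."""
    path = os.path.join(root, name)
    try:
        with open(path, "wb") as fh:
            fh.write(b"MZ constructed stand-in for the dropper body")
    except OSError:          # IsADirectoryError on POSIX, PermissionError on Windows
        return False
    return True


def demo():
    """Constructed infected root in a temp dir: drop the two files, show they
    can be overwritten, apply the placeholder trick, show they no longer can."""
    root = tempfile.mkdtemp(prefix="drive_root_")
    try:
        for name in WORM_FILES:
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(b"constructed worm file")
        before = {n: file_can_be_written(root, n) for n in WORM_FILES}
        first = replace_with_placeholder_dirs(root)
        again = replace_with_placeholder_dirs(root)   # idempotent on a second pass
        after = {n: file_can_be_written(root, n) for n in WORM_FILES}
        return {"before": before, "first": first, "again": again, "after": after}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

An empty placeholder directory can still be removed by a process that knows to rmdir it, so this is a stopgap that stops the root files from coming back while the resident process is located (the post finds it through the startup item in SREng), not a cure on its own.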
Next we need to find where the virus is really hiding.
Disable System Restore on all drives. Clear the address-bar history and, in Internet Options - General - Temporary Internet Files, delete the temporary files and clear the history.
The virus is also sensitive to SREng: at first SREng was closed several times. I renamed the SREng executable (for example to 3322.com); after that it opened, and once I clicked the Startup Items tab it stayed stable.
Finally SREng showed a startup item associated with C:\Program Files\Common Files\Microsoft Shared\MSInfo\05AE9FE4.exe. This is the truly hidden virus; its nest was found at last. Deleting the startup item does not work: it is recreated immediately. Deleting the file C:\Program Files\Common Files\Microsoft Shared\MSInfo\05AE9FE4.exe does not work either: a prompt says the file is in use. I then tried renaming the file instead; that succeeded, and the renamed file 05ae9fe46666.exe was immediately hidden again. Another file created by the virus, C:\Program Files\Common Files\Microsoft Shared\MSInfo\05AE9FE4.dll, was deleted along the way.
Checking the startup item again, it still pointed to C:\Program Files\Common Files\Microsoft Shared\MSInfo\05AE9FE4.exe, which no longer exists under that name. After an immediate restart the virus symptoms disappeared; the renamed virus had become a zombie. Delete the virus file and the startup item created by the virus. Hidden files can now be viewed and Super Rabbit Magic Settings can be started, but Rising antivirus still cannot start.
After that I reinstalled the anti-virus service. The installer reported that the base virus library was installed incorrectly, and after installation the service could not run. After another round of uninstalling and installing, Rising still did not work: an error occurred during installation, and after installation it did not start automatically. Double-clicking Rav.exe gave "the system cannot find the file D:\Siring\Rav\Rav.exe".
I remembered that while fighting the virus I had opened the Rising antivirus directory several times; each time the window flashed and was closed by the virus, and the virus created a hidden file in the root directory of drive D: recording basic information about the antivirus software (I deleted the file created by the virus and forgot to record its name and content; I remember it contained information such as the folder location of the antivirus software). So I suspected that the virus had written something into the registry that blocked Rising from running normally or being reinstalled.
So I completely uninstalled Rising, restarted the system, cleaned the registry with Windows Optimization Master, reinstalled Rising and changed the installation directory to "D:\Rising Antivirus\rising". This time Rising installed successfully. I went online, updated the virus database and ran a scan, which found 05ae9fe4.exe in C:\Documents and Settings\***\Local Settings\Temp\, reported as Worm.Pabug.dc, and a file 05AE9FE4.chm in C:\windows\Help, also reported as a virus.
A web search for 05ae9fe4.exe returns nothing; the 05AE9FE4 string is presumably generated randomly. After these two files were deleted, the virus was gone.
4. Conclusion: by renaming the virus file, the system could no longer load the virus at restart; the virus became a zombie and could finally be killed. Antivirus software seems vulnerable to viruses and hard to reinstall; clearly antivirus software needs to be strengthened.
Worm.Pabug.dc is the latest variant of Worm.Pabug. The virus generates random eight-character file names, so it cannot be found by scanning for a known file name; you can only locate it through the startup items. I would like to praise SREng here; SREng was also used to repair the broken safe mode.
