Trojan-Downloader.Win32: this virus injects itself into the assumer.exe process and writes itself into the registry. It generates a DLL whose name is 6 random letters and 2 random digits, chosen per computer. The DLL is placed in the system32 folder, and a .sys file with the same name is placed in the system32\drivers folder. This Trojan is said to use rootkit techniques to hide itself.
Ordinary anti-virus software such as Kaspersky can detect the virus DLL but cannot delete it. The simplest way is to use a tool called Unlocker (http://ccollomb.free.fr/unlocker/unlocker1.8.5.exe). After downloading and installing it (the installer adds an "Unlocker" item to the right-click menu), unlock the virus DLL in the system32 folder and the .sys file with the same name in the system32\drivers folder, and then delete them. The files cannot be deleted without unlocking them first, and both files must be deleted; otherwise you will get a "file not found" prompt on the desktop.
Then delete the virus entries in the registry under
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
If you cannot find these three keys, search for the Services folder in the left pane of the Registry Editor and delete the entries in the right pane.
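Before unlocking and deleting anything, it helps to inventory exactly which .dll/.sys pairs and which Services keys are involved. The following PowerShell script is an added example, not part of the original post, and is not any vendor's tool. It lists every DLL in system32 whose base name matches the random-name pattern the post describes and that has a same-named .sys in system32\drivers, shows each DLL's Authenticode signature status (genuine system files are Microsoft-signed), and then reports any key under the three Services paths named above whose name or ImagePath refers to one of those files. It only reports; nothing is deleted. Assumptions: the regular expression (the post says 6 letters plus 2 digits, while the author's sample names are 6 letters only, so both forms are accepted) and the path parameters, which exist so the scan can be pointed at a mounted offline volume.

```powershell
# Added example (not from the original post). Inventory same-named .dll/.sys pairs
# in system32 and system32\drivers, then find Services keys referencing them.
# Run from an elevated PowerShell prompt; it reports only and deletes nothing.

function Find-PairedDriverDlls {
    param(
        # Hypothetical parameters: defaults point at the live system, override for an offline volume.
        [string]$System32 = (Join-Path $env:SystemRoot 'system32'),
        # Assumption: 6 lowercase letters optionally followed by 2 digits (covers both forms on the page).
        [string]$NamePattern = '^[a-z]{6}(\d{2})?$'
    )
    $driversDir = Join-Path $System32 'drivers'
    $findings = @()
    foreach ($dll in Get-ChildItem -Path $System32 -Filter '*.dll' -File -ErrorAction SilentlyContinue) {
        $base = $dll.BaseName
        if ($base -notmatch $NamePattern) { continue }
        $sys = Join-Path $driversDir "$base.sys"
        if (Test-Path -LiteralPath $sys) {
            # A same-named pair alone is a hint, not proof; the signature status helps decide.
            $sig = Get-AuthenticodeSignature -FilePath $dll.FullName
            $findings += [pscustomobject]@{
                Name      = $base
                Dll       = $dll.FullName
                Sys       = $sys
                DllSigned = $sig.Status
            }
        }
    }
    return $findings
}

function Find-ServiceKeysFor {
    param([Parameter(Mandatory)][string[]]$Names)
    # The post names ControlSet001, ControlSet002 and CurrentControlSet; check all three.
    $roots = @('HKLM:\SYSTEM\ControlSet001\Services',
               'HKLM:\SYSTEM\ControlSet002\Services',
               'HKLM:\SYSTEM\CurrentControlSet\Services')
    $hits = @()
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
            $props     = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
            $imagePath = [string]$props.ImagePath
            foreach ($n in $Names) {
                # Match the service name itself or an ImagePath that loads the paired driver.
                if ($key.PSChildName -ieq $n -or $imagePath -imatch "\\$n\.sys") {
                    $hits += [pscustomobject]@{
                        Key       = $key.Name
                        Service   = $key.PSChildName
                        ImagePath = $imagePath
                    }
                }
            }
        }
    }
    return $hits
}

$pairs = @(Find-PairedDriverDlls)
if ($pairs.Count -eq 0) {
    Write-Host 'No same-named .dll/.sys pairs matching the pattern were found.'
} else {
    $pairs | Format-Table -AutoSize
    Find-ServiceKeysFor -Names ($pairs | ForEach-Object { $_.Name }) | Format-Table -AutoSize
}
```

The pair test (DLL in system32 plus .sys of the same name in drivers) is what keeps the scan from flagging ordinary six-letter system DLLs; a pair whose DLL is unsigned or whose signature is invalid, together with a Services key whose ImagePath points at the .sys, is the combination the removal steps above are meant for. Because the driver is loaded at boot, the files are expected to show as locked on a running system, which is why the post reaches for Unlocker or an offline boot.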
However, this is not my case. My Trojan file names are
C:\WINDOWS\system32\bvupkc.dll
C:\WINDOWS\system32\gzwrim.dll
C:\WINDOWS\system32\zrnwbd.dll
C:\WINDOWS\system32\drivers\bvupkc.sys
C:\WINDOWS\system32\drivers\gzwrim.sys
C:\WINDOWS\system32\drivers\zrnwbd.sys
After I deleted the files with Unlocker according to the above method and restarted the computer, the virus was still there after the restart. I thought it might be resident in the driver file, so I decided to press F8 to enter Safe Mode, but the above method still did not work. Then I thought of finding a Win98 disk, booting from it into DOS, and deleting the files under DOS. The commands are
A:\>C:
C:\>cd windows\system32
C:\windows\system32>del bvupkc.dll
C:\windows\system32>del gzwrim.dll
C:\windows\system32>del zrnwbd.dll
Do the same in the drivers directory, then restart and press F8 to enter Safe Mode. In the Registry Editor, delete the key values in the registry and restart the computer. Once the system boots normally, use Kaspersky to completely clean up the residual Trojan files, and it will be OK.