How to manually clear stubborn viruses that cannot be cleared by antivirus software

Source: Internet
Author: User

Anti-virus software is not omnipotent and cannot clear every virus, especially newer viruses that block executable files from running. Such a virus not only stops normal programs from running, it can also stop the anti-virus software itself. When anti-virus software is blocked in this way, you can still remove the virus manually. The cleanup method is as follows:

Determine the virus process
Common system processes include csrss.exe, lsass.exe, er.exe, services.exe, svchost.exe and winlogon.exe. Right-click the taskbar and select "Task Manager", or press Ctrl + Alt + Delete, to open "Windows Task Manager", as shown in Figure 1:

With so many processes, how do you pick out the virus process, especially since viruses often pretend to be system processes? First, check whether any process looks abnormal; the "Description" column next to each process gives a preliminary indication. Then check whether there are one or two more copies of a system process than usual; if there are, it needs attention. The following is an example.
The csrss.exe and svchost.exe processes are normally located in the Windows\System32\ directory. If a process with one of these names runs from the Windows\ directory or any other directory, it is usually a virus. Other processes are judged in the same way. If you are not sure, search online.
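The two checks above (image path and number of copies) can be run in one pass from an elevated PowerShell 3+ prompt. The script below is an added example, not code from the original article; the expected copy counts for one interactive session are an assumption (svchost.exe varies too much to be given a number), and a process whose path is not readable is reported as unknown rather than guessed.

```powershell
# Added example (not from the original article): a PowerShell 3+ version of the check
# described above. Run it elevated so ExecutablePath is readable for system processes.

$system32 = Join-Path $env:SystemRoot 'System32'

# Core process names from the article. How many copies one interactive session normally
# shows is an assumption; svchost.exe varies too much to be given a number.
$coreNames     = @('csrss.exe', 'lsass.exe', 'services.exe', 'svchost.exe', 'winlogon.exe')
$expectedCount = @{ 'csrss.exe' = 2; 'lsass.exe' = 1; 'services.exe' = 1; 'winlogon.exe' = 1 }

$procs = Get-CimInstance Win32_Process | Where-Object { $coreNames -contains $_.Name }

# Rule 1: a process with a core name must run from System32; anywhere else is suspect
# (the article's example is csrss.exe running from C:\Windows\ instead of System32).
function Get-PathVerdict([string]$Path) {
    if (-not $Path) { return 'UNKNOWN (path not readable; run elevated)' }
    if ($Path.StartsWith("$system32\", [StringComparison]::OrdinalIgnoreCase)) { return 'ok' }
    return 'SUSPECT: outside System32'
}
$byPath = $procs | ForEach-Object {
    [pscustomobject]@{
        PID     = $_.ProcessId
        Name    = $_.Name
        Path    = $_.ExecutablePath
        Verdict = Get-PathVerdict $_.ExecutablePath
    }
}

# Rule 2: more copies of a core process than expected deserve a closer look.
$byCount = $procs | Group-Object Name | ForEach-Object {
    $n    = $_.Name
    $note = if ($expectedCount.ContainsKey($n) -and $_.Count -gt $expectedCount[$n]) { 'MORE THAN EXPECTED' } else { '' }
    [pscustomobject]@{ Name = $n; Count = $_.Count; Expected = $expectedCount[$n]; Note = $note }
}

$byPath  | Sort-Object Verdict -Descending | Format-Table -AutoSize
$byCount | Format-Table -AutoSize
```

The first table lists every copy of a core process with its image path, so a csrss.exe in C:\Windows\ shows up as SUSPECT next to the genuine one in System32; the second table shows the count per name. Treat a row marked UNKNOWN as "re-run elevated", not as clean.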
Clear viruses
(1) Terminate the process.
Open "Windows Task Manager", right-click the process to be ended and select "End Process". Ignore the confirmation prompt and end the process directly. If the process cannot be ended this way, force it to end.
Method to force process termination (Start -- Run -- enter cmd and press Enter to open the command window):
1. ntsd -c q -pn <process name>. For example: ntsd -c q -pn csrss.exe
2. ntsd -c q -p <PID>. To obtain the PID, open "Windows Task Manager" -- "View" -- "Select Columns" to open the column selection window, as shown in Figure 2, tick the box in front of "PID" and click "OK"; the PID of each process is then displayed.

(2) Delete the virus files.
1. Delete the virus executable. Right-click the virus process, select "Open File Location", and delete the file.

2. Delete the other virus files. Virus files may be stored in several directories. Some are hard to identify and can only be found by the conventional methods below.
A. How to identify suspicious files. Judge by the file creation time, the file name and the file version information. Pay attention to exe, dll, ini, inf, dat and cfg files. In addition, some directories normally contain only one type of file: windows/system32/drivers holds driver files, which are generally *.sys, so an exe file found there may be a virus.
 
B. Check whether suspicious files such as AUTORUN.INF or _DESKTOP.INI exist in the root directory of each disk. If so, check the file creation time to determine whether you created the file yourself; if not, it may be a virus. Then check whether the file name is a jumble of letters or numbers; if so, it may be a virus. Finally, check whether the file version information is inconsistent with the file (for example, it claims to belong to a product or vendor that it clearly does not).
Note: Before looking, make all files visible (folder window -- Tools -- Folder Options -- select "Show hidden files and folders"), because virus files are often hidden. If you cannot select "Show hidden files and folders", the virus is blocking it. You can fix the following option in the registry:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Advanced\Folder\Hidden\SHOWALL. Double-click CheckedValue and change it to 1. If hidden files still are not displayed, delete CheckedValue, right-click, select "New" -- "DWORD Value", name it CheckedValue and set its value to 1.
 
C. Check the directories viruses commonly use: system directories, software installation directories, temporary folders and the IE cache.
System directories: windows, windows/system32, windows/system32/drivers, etc.
Software installation directories: c:/program files/internet explorer, c:/program files/internet explorer/plugin, c:/program files/common files/microsoft shared, etc.
Temporary folders: c:/documents and settings/<user name>/local settings/temp and c:/windows/temp.
If you are not sure, search for the virus on the Internet; there are generally relevant descriptions. Once confirmed, delete all of its files.
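Steps A to C above can be turned into a read-only sweep that reports candidates for the manual review the article describes. The script below is an added example, not code from the original article. It assumes the current user's and the system temp folders as the temporary directories, flags files in the drivers directory that are not .sys, and checks the CheckedValue that controls "Show hidden files and folders". The article gives that key under ...\Policies\Explorer\...; the key Windows actually ships is under ...\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL, without a Policies component, and that is the path used here.

```powershell
# Added example (not from the original article): a read-only sweep of the places the
# article names. Nothing is deleted; review the findings and decide yourself.

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding($Kind, $Path, $Why) {
    $findings.Add([pscustomobject]@{ Kind = $Kind; Path = $Path; Why = $Why })
}

# A/B. Root of every fixed drive: autorun.inf, or hidden files (with creation time for review).
Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 3' | ForEach-Object {
    $root = $_.DeviceID + '\'
    Get-ChildItem -LiteralPath $root -File -Force -ErrorAction SilentlyContinue | ForEach-Object {
        if ($_.Name -ieq 'autorun.inf') {
            Add-Finding 'root-autorun' $_.FullName 'autorun.inf in drive root'
        } elseif (($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0) {
            Add-Finding 'root-hidden' $_.FullName ('hidden file, created ' + $_.CreationTime)
        }
    }
}

# A. The drivers directory should hold .sys files; an .exe there is out of place.
Get-ChildItem (Join-Path $env:SystemRoot 'System32\drivers') -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -ieq '.exe' } |
    ForEach-Object { Add-Finding 'drivers-exe' $_.FullName 'executable in drivers directory' }

# C. Temp folders (assumed: %TEMP% and %SystemRoot%\Temp): executables, noting jumbled
#    names and missing version information as the article suggests.
$tempDirs = @($env:TEMP, (Join-Path $env:SystemRoot 'Temp'))
foreach ($dir in $tempDirs) {
    Get-ChildItem -LiteralPath $dir -File -Force -Recurse -ErrorAction SilentlyContinue |
        Where-Object { @('.exe', '.dll', '.sys') -contains $_.Extension } |
        ForEach-Object {
            $why = 'executable in temp folder'
            if ($_.BaseName -match '^[0-9]+$') { $why += '; numeric file name' }
            if (-not $_.VersionInfo.CompanyName) { $why += '; no version info' }
            Add-Finding 'temp-exe' $_.FullName $why
        }
}

# Note. "Show hidden files" sabotage: CheckedValue must be a DWORD of 1.
$showAll = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
$cv = (Get-ItemProperty -Path $showAll -Name CheckedValue -ErrorAction SilentlyContinue).CheckedValue
if ($null -eq $cv) {
    Add-Finding 'registry' $showAll 'CheckedValue missing (hidden-file option disabled)'
} elseif ($cv -ne 1) {
    Add-Finding 'registry' $showAll "CheckedValue is $cv, expected 1"
}

$findings | Sort-Object Kind | Format-Table -AutoSize -Wrap
```

A registry finding is repaired with `Set-ItemProperty -Path $showAll -Name CheckedValue -Value 1 -Type DWord` from an elevated prompt, which recreates the value if the virus deleted it. Everything else in the output is a candidate, not a verdict: a hidden file in a drive root that you created yourself, or a legitimate installer left in Temp, will appear too, which is why the script only reports.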
 
(3) Delete the virus information from the registry.
1. Delete the entries for the virus executable
The virus may have several entries in the registry; start by locating those that reference the executable file. Method: Start -- Run -- enter "regedit" to open the Registry Editor, then Edit -- Find to open the search window, as shown in Figure 3:

Enter the virus executable name (csrss.exe) and search until you find the entry for the virus executable (the directory in the key value, e.g. [C:\Windows\csrss.exe], matches the directory shown in Task Manager). Right-click the entry and delete it. The following describes how to search the other locations. For more information, see "Summary of locations where viruses hide in the registry".
 
2. Check the Run startup items. Common startup items are:
A. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
B. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
C. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
D. HKCU\Software\Microsoft\Windows\CurrentVersion\Run
E. HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
F. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
How to tell whether these startup items contain viruses:
1) Judge by the virus file already identified: the key value is the path of that file.
2) Normally only the Run key contains values; the others have only the one (Default) string (except on Windows 98). So if any of the other keys contains a value, it may be a virus startup item.
3) If the value is a meaningless file name such as 1.exe, or the path is in a temporary folder, it may also be a virus startup item.
 
3. Check the driver startup items
Location: HKLM\System\CurrentControlSet\Services
There are many entries here; judge them by the files already identified in the windows/system32/drivers directory.

4. Check the Winlogon startup items
Location: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
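Items 2 to 4 above are the same kind of check applied to three registry locations, so one script can enumerate all of them and apply the article's rules: a value in a key that should be empty, a path in a temporary folder, a numeric file name, a missing target, and a driver entry that does not point at a .sys file. The script below is an added example, not code from the original article; the expected Winlogon defaults (Shell = explorer.exe, Userinit = <SystemRoot>\system32\userinit.exe,) are an assumption stated in the comments, and an unquoted command line containing spaces is cut at the first space.

```powershell
# Added example (not from the original article): enumerate the autostart locations the
# article names and flag entries by its rules. Read-only; delete entries yourself after review.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)

# Extract the executable from a command such as "C:\dir\a.exe" /s or C:\dir\a.exe -x and
# normalise the NT-style prefixes drivers use. An unquoted path with spaces is cut at the
# first space (known limitation of this example).
function Get-ImagePath([string]$Command) {
    if (-not $Command) { return $null }
    $cmd = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    $img = if ($cmd.StartsWith('"')) { $cmd.Substring(1).Split('"')[0] } else { $cmd.Split(' ')[0] }
    $img = $img -replace '^\\\?\?\\', ''                       # strip a leading \??\
    if ($img -match '^\\SystemRoot\\(.+)$')  { $img = Join-Path $env:SystemRoot $Matches[1] }
    elseif ($img -match '^system32\\(.+)$')  { $img = Join-Path $env:SystemRoot "System32\$($Matches[1])" }
    return $img
}

# Apply the article's rules to one entry and return a row with the reasons, if any.
function Test-Autostart([string]$Key, [string]$Name, [string]$Command, [bool]$ShouldBeEmpty = $false) {
    $img   = Get-ImagePath $Command
    $flags = @()
    if ($ShouldBeEmpty) { $flags += 'value in a key that is normally empty' }
    if ($img -and $img -match '\\' -and -not (Test-Path -LiteralPath $img)) { $flags += 'target file missing' }
    if ($img -and $img -match '\\Temp\\') { $flags += 'runs from a temp folder' }
    if ($img -and [IO.Path]::GetFileNameWithoutExtension($img) -match '^[0-9]+$') { $flags += 'numeric file name' }
    [pscustomobject]@{ Key = $Key; Name = $Name; Command = $Command; Flags = ($flags -join '; ') }
}

$rows = @()

# 2. Run / RunOnce / Policies\Explorer\Run: every value is listed, flagged or not.
foreach ($k in $runKeys) {
    $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }                  # PSPath, PSParentPath, ... are not values
        $rows += Test-Autostart $k $p.Name ([string]$p.Value) ($k -notlike '*\Run')
    }
}

# 3. Services: too many to list, so only flagged entries are kept; a driver path that does
#    not end in .sys gets an extra flag, matching the article's rule for the drivers directory.
foreach ($svc in Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue) {
    $ip = (Get-ItemProperty -Path $svc.PSPath -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
    if (-not $ip) { continue }
    $row = Test-Autostart 'Services' $svc.PSChildName $ip
    $img = Get-ImagePath $ip
    if ($img -match '\\drivers\\' -and [IO.Path]::GetExtension($img) -ine '.sys') {
        $extra = 'non-.sys file in drivers'
        $row.Flags = if ($row.Flags) { "$($row.Flags); $extra" } else { $extra }
    }
    if ($row.Flags) { $rows += $row }
}

# 4. Winlogon: Shell and Userinit are the values a virus replaces. Defaults are an assumption.
$wl = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$expectUserinit = (Join-Path $env:SystemRoot 'system32\userinit.exe') + ','
$shellFlag    = if ($wl.Shell -ne 'explorer.exe') { 'Shell is not explorer.exe' } else { '' }
$userinitFlag = if ($wl.Userinit -ne $expectUserinit) { 'Userinit changed' } else { '' }
$rows += [pscustomobject]@{ Key = 'Winlogon'; Name = 'Shell';    Command = $wl.Shell;    Flags = $shellFlag }
$rows += [pscustomobject]@{ Key = 'Winlogon'; Name = 'Userinit'; Command = $wl.Userinit; Flags = $userinitFlag }

$rows | Format-Table Key, Name, Flags, Command -AutoSize -Wrap
```

Rows with an empty Flags column are listed for completeness (a virus that copies a legitimate-looking name into HKCU\...\Run trips none of the rules, which is why the article also has you match the path against the file already identified in Task Manager). A service that reports "target file missing" may simply be a leftover from uninstalled software; confirm against the drivers directory before deleting the key.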
