This is an old article. I hope to help my friends with this virus.
Symptoms: once infected, the computer runs slowly, many windows pop up whenever any program is opened, and browser windows may multiply until the machine becomes unusable.
Test method: press Ctrl+Alt+Del. If Task Manager shows a process with the uppercase name WINLOGON.EXE, the computer is infected. The virus also drops files in the root directory of drive D: and in the system directory on drive C:; they are hidden, so ordinary users do not see them.
Presumably the process cannot be ended by hand because its name matches the core system file winlogon.exe.
The files the virus generates, such as finder.com, i0000e.com, command.pif, pagefile.pif and i0000e.pif, cause the virus body to run every time an .exe file is executed, which is how it keeps itself alive.
(There are probably other actions that I have not broken down. I hope the anti-virus companies can deal with this properly, but I do not trust the current anti-virus software: apart from updating the virus database, it ignores malicious programs, which is disappointing ......)
Solution:
Idea: because the process and its files cannot be removed in normal mode, boot into Safe Mode with Command Prompt, so that only the most basic part of the system runs and no user program is executed.
Use the DOS commands attrib, dir and del to delete the relevant files by hand. The registry values can be fixed after this step.
Steps: restart the computer and press F8 before the Windows logo appears; a selection menu is displayed.
Select "Safe Mode with Command Prompt";
Type cd\ and press Enter to go to the root of C:, then type dir /ah and press Enter to check whether a recent *.pif file appears on the screen. If so, type
attrib -r -s -h <file name> (press Enter)
del <file name> (press Enter)
Next, go to the browser directory:
cd "c:\program files\internet explorer"
dir /ah to check whether iexplore.com and finder.com exist. If so, attrib -r -s -h iexplore.com
then del iexplore.com (and likewise for finder.com)
Run cd .. to return to the parent directory, then cd common files
dir /ah and press Enter to check whether this directory contains iexplore.pif or files with other suffixes. If so, delete them as described above;
Delete the following files in the same way:
D:\autorun.inf
D:\pagefiles.pif
C:\WINDOWS\WINLOGON.EXE
C:\WINDOWS\1.com (random name; other names such as 2.com or 6.com are likely)
C:\WINDOWS\iexplore.com
C:\WINDOWS\finder.com
C:\WINDOWS\Exeroute.exe
C:\WINDOWS\Debug\DebugProgramme.exe (not hidden)
C:\Windows\system32\command.pif
C:\Windows\system32\msconfig.com
C:\Windows\system32\regedit.com
C:\Windows\system32\dxdiag.com
C:\Windows\system32\rundll32.com
C:\Windows\system32\finder.com
C:\Windows\system32\a.exe
Be careful when executing commands. Do not run any of the files above or open any other program on the desktop, including anti-virus software!
After completing the steps above, you may want to run dir /od /ahs in the relevant directories to list the hidden system files, sorted so the most recent appear at the bottom;
you can also leave out /ah to show the normal files and look for entries such as 1.com with the most recent date, and
dir /s <file name> searches the whole directory tree for the named file.
After you have confirmed the above, restart the computer into Windows; you will find that no .exe or .com file will run. For example, clicking the IE icon prompts "Cannot find c:\program files\internet explorer\iexplore.exe ......". The fix: open My Computer, choose the "Tools" menu ---- "Folder Options" ---- "File Types" ---- click "New" ---- enter the extension "exe", click "Advanced", and under the associated
file type select "Application", then click "OK" twice.
Start ---- Run ---- regedit.exe and find the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
Delete the Trojan's entry there. An entry such as c:\windows\system32\realplayer.exe is obviously not legitimate (delete the file itself at the same time).
So far, cleanup is complete!
Supplement: (I have not run into the following two situations myself, or they did not work for me, but I list them here for reference)
1) restore the .exe association with DOS commands:
assoc .exe=exefile (there is a space between assoc and .exe)
ftype exefile="%1" %*
2) another way to stop the "file cannot be found" prompt:
Run "regedit" from Start ---- Run to open the Registry. Under [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
restore "Shell"="explorer.exe 1" to "Shell"="explorer.exe"
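The manual cleanup steps and the two supplementary fixes above, collected into one batch file to run from Safe Mode with Command Prompt. This is an added example, not part of the original article; it assumes %WINDIR% is C:\WINDOWS and %ProgramFiles% is C:\Program Files, only lists the randomly named copies and the Run key for you to judge, and never touches the genuine winlogon.exe in system32.

```batch
@echo off
rem Added example (not from the article): runs the article's manual cleanup as one script
rem from "Safe Mode with Command Prompt". Assumes WINDIR is C:\WINDOWS.
rem The genuine winlogon.exe lives in system32 and is never touched here.
setlocal EnableExtensions

rem 1) Dropped files named in the article, with attributes cleared before deletion.
for %%F in (
    "D:\autorun.inf"
    "D:\pagefiles.pif"
    "%WINDIR%\WINLOGON.EXE"
    "%WINDIR%\iexplore.com"
    "%WINDIR%\finder.com"
    "%WINDIR%\Exeroute.exe"
    "%WINDIR%\Debug\DebugProgramme.exe"
    "%WINDIR%\system32\command.pif"
    "%WINDIR%\system32\msconfig.com"
    "%WINDIR%\system32\regedit.com"
    "%WINDIR%\system32\dxdiag.com"
    "%WINDIR%\system32\rundll32.com"
    "%WINDIR%\system32\finder.com"
    "%WINDIR%\system32\a.exe"
    "%ProgramFiles%\Internet Explorer\iexplore.com"
    "%ProgramFiles%\Internet Explorer\finder.com"
    "%ProgramFiles%\Common Files\iexplore.pif"
) do call :remove %%F

rem 2) The randomly named copies (1.com, 2.com ...) are only listed, newest last, for review.
echo Hidden .com/.pif files in %WINDIR% (check the newest ones):
dir /ah /od "%WINDIR%\*.com" "%WINDIR%\*.pif" 2>nul

rem 3) Restore the .exe association (doubled percent signs keep the literal argument markers).
assoc .exe=exefile
ftype exefile="%%1" %%*

rem 4) Put the Winlogon shell back to explorer.exe and show the Run key for manual review.
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /t REG_SZ /d explorer.exe /f
echo Run entries (delete any that point at the files above):
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
goto :eof

:remove
if not exist "%~1" goto :eof
echo Removing %~1
attrib -r -s -h "%~1"
del /f /q "%~1"
goto :eof
```

Because the .exe association is broken until step 3 runs, start the script as cmd /c cleanup.bat from the safe-mode prompt rather than by double-clicking it.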