How to manually detect and remove QQ viruses

Source: Internet
Author: User

1. http://www.18hi.com deletion method
Delete the following files in Safe Mode:
%WINDOWS%\n0tepad.exe (associated with TXT files; carries the Kingsoft movie overlord RM icon)
%WINDOWS%\System\n0tepad.exe (associated with TXT files; Kingsoft movie overlord RM icon)
%WINDOWS%\System\taskmgr.exe (Kingsoft movie overlord RM icon)
%WINDOWS%\System\win.dll
%WINDOWS%\System\Windll.dll
%WINDOWS%\System32\n0tepad.exe (associated with TXT files; Kingsoft movie overlord RM icon)
Note: the 0 in n0tepad.exe is the digit zero, not the letter O.

Remove the virus's startup item:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"Taskmgr" = "%WINDOWS%\System\taskmgr.exe"
Finally, restore the TXT file association.
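Several of the removal steps on this page come down to spotting file names that imitate system binaries (a digit 0 for the letter O, a digit 1 or lowercase L for the letter I), copies of system binaries sitting outside %System%, and zero-byte executables. The following PowerShell script is an added example, not part of the original article or of any vendor tool; it lists such files under %WINDIR%, %WINDIR%\System and %System% for review without deleting anything. It assumes Windows PowerShell 3.0 or later; the "known good" name list and the "lives only in %System%" list are assumptions drawn from the names on this page and should be extended for your own build.

```powershell
# Added example, not from the original article: scan the Windows and System
# directories for the file-name tricks the removal steps describe
# (n0tepad.exe, svch0st.exe, lnterapi32.dll, mlcrosoftsound.wav,
# timp1atform.exe, zero-byte huangjiaju.exe, smss.exe outside %System%).
# Assumes Windows PowerShell 3.0 or later. The "known good" name list and the
# "lives only in %System%" list are assumptions; extend them for your build.

$SystemDir = [Environment]::SystemDirectory
$ScanDirs  = @($env:windir, (Join-Path $env:windir 'System'), $SystemDir)

$KnownNames = @('notepad.exe', 'taskmgr.exe', 'smss.exe', 'services.exe',
                'svchost.exe', 'rundll32.exe', 'explorer.exe', 'interapi32.dll',
                'interapi64.dll', 'timplatform.exe', 'microsoftsound.wav')

# Names that belong in %System% only; a copy directly under %WINDIR% or
# %WINDIR%\System is how several variants on this page hide (assumption).
$SystemOnlyNames = @('smss.exe', 'services.exe', 'rundll32.exe', 'taskmgr.exe')

function Get-NormalizedName {
    param([string]$Name)
    # Collapse the digit/letter pairs the lookalike names rely on:
    # 0 -> o, 1 -> l, i -> l (so "lnterapi" and "interapi" compare equal).
    ($Name.ToLower() -replace '0', 'o' -replace '1', 'l' -replace 'i', 'l')
}

function Find-SuspiciousFiles {
    param([string[]]$Directories = $ScanDirs)

    # Map each normalized known name back to its genuine spelling.
    $normalizedKnown = @{}
    foreach ($k in $KnownNames) { $normalizedKnown[(Get-NormalizedName $k)] = $k }

    foreach ($dir in $Directories) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        Get-ChildItem -LiteralPath $dir -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $actual   = $_.Name.ToLower()
            $expected = $normalizedKnown[(Get-NormalizedName $actual)]
            $reason   = $null

            if ($expected -and $expected -ne $actual) {
                # Same name once digits and letters are collapsed, but spelled
                # differently: n0tepad.exe, svch0st.exe, lnterapi32.dll, ...
                $reason = "lookalike of $expected (digit/letter swap)"
            }
            elseif ($SystemOnlyNames -contains $actual -and $dir -ne $SystemDir) {
                $reason = 'system binary name outside %System%'
            }
            elseif ($_.Extension -eq '.exe' -and $_.Length -eq 0) {
                $reason = 'zero-byte executable'
            }

            if ($reason) {
                [pscustomobject]@{
                    Path   = $_.FullName
                    Size   = $_.Length
                    Reason = $reason
                }
            }
        }
    }
}

# Usage: list findings for review; nothing is deleted by this script.
Find-SuspiciousFiles | Format-Table -AutoSize
```

The normalization deliberately maps both the digit 1 and the letter i onto l, so a file is reported when it collides with a genuine name only after that collapsing; a file whose spelling already equals the genuine name is never reported, which keeps the real notepad.exe and svchost.exe out of the list.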

2. http://dvd.qq92.com deletion method
Use Task Manager to end the "smss.exe" process (the real system smss.exe cannot be ended from Task Manager; the one that can be ended is the virus copy), and also end intrenat.exe, winsym.exe and winpass.exe if they are present.
Delete the following files:
%Windir%\intrenat.exe
%Windir%\smss.exe
%System%\winsym.exe
%System%\winpass.exe
Delete the following entries in the Registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run: %WinDir%\smss.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices: %WinDir%\smss.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run: %WinDir%\smss.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices: %WinDir%\smss.exe

3. http://www.joyiex.com deletion method
First use Task Manager to end the assumer.exe process.

In the Registry Editor, set CheckedValue under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL to 1 (so that hidden files are shown).
Delete the following files:
%WINDOWS%\bak.exe
%System%\huangjiaju.exe (0 bytes)
%System%\cc1.exe
%System%\cc2.exe
%System%\cc3.exe
%System%\whboy.exe
%System%\whboy.txt
%System%\whboy***.txt (*** is a number)
In system.ini, change shell=Explorer.exe %System%\whboy.exe back to shell=Explorer.exe (Windows 9x).

In the Registry Editor, under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, change the Shell value from "Explorer.exe %System%\whboy.exe" back to "Explorer.exe" (Windows NT/2000/XP/2003).
Variants mainly differ in the xx1.exe, xx2.exe and xx3.exe files under the %System% directory; if what you find differs from the list above, apply the same steps by analogy and you can clean it up yourself.

4. http://www.mydj2005.com deletion method
Delete in Safe Mode:
%System%\down1.exe
%System%\down2.exe
%System%\huangjiaju.exe (0 bytes)
%System%\migpwda.exe
%System%\migpwdb.exe
%System%\migpwdc.exe (associated with TXT files)
Delete the virus's startup entry:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
"Windows Update" = "%System%\migpwda.exe"

The virus changes the TXT file association to "%System%\migpwdc.exe %1". Restore it in the Registry, or with a tool such as regfix.
In system.ini, change shell=Explorer.exe %System%\migpwdb.exe back to shell=Explorer.exe (Windows 9x).
In the Registry Editor, under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, change the Shell value from "Explorer.exe %System%\migpwdb.exe" back to "Explorer.exe" (Windows NT/2000/XP/2003).


A worm that spreads through QQ; affected systems: Win9x/NT/2000/XP. The virus is written in Delphi. When run, it copies itself to the system's "System32" directory as "assumer.exe", disguised as a system file, and modifies the Registry so that it starts automatically. It also changes the INI and TXT file associations so that the virus runs first whenever either file type is opened.
Once running, it stays resident in memory, looks for and terminates the firewall and Task Manager so that it cannot be ended, then finds QQ chat windows and sends messages automatically, along the lines of "Haha, take a look at this, see what your QQ nickname quick-matches with: http://***". Users are infected after clicking the URL. The virus also downloads new virus files from the Internet, and the content of the QQ message it sends changes accordingly.

Deletion method
Delete the %WINDOWS%\smss.exe file in Safe Mode
Search the Registry and delete all smss-related items
Restore the IE start page (the default homepage)

Note: the default %System% folder is:
C:\WINDOWS\SYSTEM (Windows 95/98/ME),
C:\WINNT\SYSTEM32 (Windows NT/2000),
or C:\WINDOWS\SYSTEM32 (Windows XP).

6. http://www.91tg.net/rm.asp?.rm deletion method
Delete the changes the virus made to the Registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run: member.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run: services.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices: member.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices: services.exe
HKEY_CLASSES_ROOT\CLSID\{9f352324-0fc5-41b4-99e2-e0757afffef6}
Restart and delete the following files:
%Windir%\services.exe
%System%\browscue.dll
%System%\member.exe
%System%\winsocks.dll
a1.exe, a2.exe and a3.exe may also be generated on the desktop, in the root directory of the system drive, and under %Documents and Settings%\<user name>.


7. http://www.400.net deletion method
First use Task Manager to end the "assumer.exe" process, then delete the following files:
%WINDOWS%\bak.exe
%System%\whboy.exe
%System%\whboy.txt and %System%\whboy***.txt (*** is a number), if these two files exist
In system.ini, change shell=Explorer.exe %System%\whboy.exe back to shell=Explorer.exe (Windows 9x/ME).
In the Registry Editor, under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, change the Shell value from "Explorer.exe %System%\whboy.exe" back to "Explorer.exe" (Windows NT/2000/XP/2003). Also restore the TXT file association once assumer.exe has been dealt with.

8. http://www.joyiex.com deletion method
First use Task Manager to end the assumer.exe process, then delete the following files (a file-deletion tool can be used):
%System%\msapi.exe
%System%\msapi.dll
This virus disables the Registry Editor. You can search the Internet for an unlocking method, or use a registry repair tool to unlock it easily.

Other Wuhan Boy (whboy) variants
In Safe Mode, first use Task Manager to end the assumer.exe process, then delete the following files:
%Windir%\bak.exe
%System%\whboy.exe
%System%\whboy.txt and %System%\whboy***.txt (*** is a number), if these two files exist
In system.ini, change shell=Explorer.exe %System%\whboy.exe back to shell=Explorer.exe (Windows 9x/ME).
In the Registry Editor, under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, change the Shell value from "Explorer.exe %System%\whboy.exe" back to "Explorer.exe" (Windows NT/2000/XP/2003).

9. http://www.QQ.5qt.net deletion method
Delete in Safe Mode:
%System%\logonuit.exe
%System%\mstinitt.exe (associated with TXT files)
%System%\windows.exe
Delete the startup item the virus added under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce: "Windows Update" = "%System%\logonuit.exe"
In system.ini, change shell=Explorer.exe %System%\windows.exe back to shell=Explorer.exe (Windows 9x).
In the Registry Editor, under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, change the Shell value from "Explorer.exe %System%\windows.exe" back to "Explorer.exe" (Windows NT/2000/XP/2003).
The TXT file association must also be restored.

10. http://photo.rm510.com/pic.asp? deletion method
Delete the following in the Registry Editor:
HKEY_CLASSES_ROOT\CLSID\{081fe200-a103-11d7-a46d-c770e4459f2f}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\lnterapi64.classname

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks: {081fe200-a103-11d7-a46d-c770e4459f2f}

HKEY_CLASSES_ROOT\CLSID\{9f352324-0fc5-41b4-99e2-e0757afffef7}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler: {9f352324-0fc5-41b4-99e2-e0757afffef7}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
(Default) = "winmem"
"Services" = "%WINDOWS%\services.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
"Services" = "%WINDOWS%\services.exe"

After restarting the computer, delete the following files:
%WINDOWS%\services.exe
%WINDOWS%\mlcrosoftsound.wav (the second letter of mlcrosoftsound.wav is a lowercase L)
%System%\bhjx.dll
%System%\lnterapi32.dll (the first letter of lnterapi32.dll is a lowercase L)
%System%\lnterapi64.dll (the first letter of lnterapi64.dll is a lowercase L)
%System%\svch0st.EXE (the 0 in svch0st.EXE is the digit zero, not the letter O)
%System%\winco.exe
%System%\winco1.exe
%System%\winco2.exe
%System%\winmem.exe
%System%\winsocks.dll

11. QQ automatically sends executable files with attractive names (their icons are those of compressed archives)
Open Task Manager and end rundll32.exe and timp1atform.exe (note the digit 1).
Then make Windows show hidden files, find the following files and delete them:
%System%\.exe
%System%\notepad.exe
%Windir%\System\rundll32.exe
timp1atform.exe in the QQ directory (note that it is the digit 1, not the letter L; do not delete the wrong file)
Then open the Registry Editor and delete:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\msipv, and the mainsetup, mainup and mainver DWORD values under HKEY_CURRENT_USER\Software\Classes\msipv
Finally, use a registry repair tool to fix the EXE and TXT file associations, and restart.
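Across all eleven sections the same persistence points keep coming up: the Run, RunOnce and RunServices keys, the Winlogon Shell value, the ShellExecuteHooks and SharedTaskScheduler CLSID lists, and the TXT and EXE file associations. The PowerShell script below is an added example, not part of the original article or of any vendor tool; it audits those locations in one pass and can reset the .txt association to its default. It assumes Windows PowerShell 5.1 or later run from an elevated prompt; the "clean" values it compares against (Shell = explorer.exe, the default notepad and exefile open commands) are assumptions for a default installation, and the Windows 9x system.ini shell line is not covered.

```powershell
# Added example, not from the original article or any vendor tool: audit the
# persistence points the removal steps keep returning to, and restore the
# .txt association to its default. Assumes Windows PowerShell 5.1+ from an
# elevated prompt; expected "clean" values are assumptions for a default
# installation (system.ini on Windows 9x is not covered).

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunServices'
)
$HookKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler'
)
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$Hkcr        = 'Registry::HKEY_CLASSES_ROOT'

# Default open commands for the two associations the worms tamper with
# (assumed defaults; Get-ItemProperty expands %SystemRoot%, so the txtfile
# value is written in expanded form for comparison).
$ExpectedCommands = @{
    'txtfile' = "$env:SystemRoot\system32\NOTEPAD.EXE %1"
    'exefile' = '"%1" %*'
}

function Get-RunEntries {
    # Every value under the Run-style keys, including the (Default) value,
    # which one variant on this page abuses ((Default) = "winmem").
    foreach ($key in $RunKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $item = Get-Item -Path $key
        foreach ($name in $item.GetValueNames()) {
            $display = if ($name -eq '') { '(Default)' } else { $name }
            [pscustomobject]@{ Key = $key; Name = $display; Value = $item.GetValue($name) }
        }
    }
}

function Get-ExplorerHooks {
    # ShellExecuteHooks / SharedTaskScheduler hold CLSIDs; resolve each to the
    # DLL it loads so an unfamiliar module (e.g. a lookalike name) stands out.
    foreach ($key in $HookKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        foreach ($clsid in (Get-Item -Path $key).GetValueNames()) {
            $server = "$Hkcr\CLSID\$clsid\InprocServer32"
            $dll = (Get-ItemProperty -Path $server -ErrorAction SilentlyContinue).'(default)'
            [pscustomobject]@{ Key = $key; CLSID = $clsid; Dll = $dll }
        }
    }
}

function Test-WinlogonShell {
    # Shell must be exactly "explorer.exe"; the variants append their own binary.
    $shell = (Get-ItemProperty -Path $WinlogonKey -Name Shell -ErrorAction SilentlyContinue).Shell
    [pscustomobject]@{ Shell = $shell; Clean = ($shell -eq 'explorer.exe') }
}

function Test-OpenCommands {
    foreach ($progId in $ExpectedCommands.Keys) {
        $path   = "$Hkcr\$progId\shell\open\command"
        $actual = (Get-ItemProperty -Path $path -ErrorAction SilentlyContinue).'(default)'
        [pscustomobject]@{
            ProgId  = $progId
            Command = $actual
            Clean   = ($actual -eq $ExpectedCommands[$progId])
        }
    }
}

function Restore-TxtAssociation {
    # Point .txt back at the txtfile ProgId and reset its open command.
    $cmdKey = "$Hkcr\txtfile\shell\open\command"
    Set-ItemProperty -Path "$Hkcr\.txt" -Name '(default)' -Value 'txtfile'
    if (-not (Test-Path -Path $cmdKey)) { New-Item -Path $cmdKey -Force | Out-Null }
    Set-ItemProperty -Path $cmdKey -Name '(default)' `
        -Value '%SystemRoot%\system32\NOTEPAD.EXE %1' -Type ExpandString
}

# Usage: run the audit and review the output; restore only if the check fails.
Get-RunEntries    | Format-Table -AutoSize
Get-ExplorerHooks | Format-Table -AutoSize
Test-WinlogonShell
Test-OpenCommands | Format-Table -AutoSize
# if (-not (Test-OpenCommands | Where-Object ProgId -eq 'txtfile').Clean) { Restore-TxtAssociation }
```

The audit functions only read the Registry; the restore step is kept separate and commented out in the usage lines so that the entries can be reviewed first, which matters here because the Run keys legitimately contain vendor entries and a blind reset would also remove those.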

 
