Logo_1.exe Virus Variant Solution
Decompress the attachment and copy the files in the virus folder to c: \ windows \. Do not worry. These files are empty. The file name and virus name are the same. But they are all 0 bytes.
Then run logo1virus. bat to add the system. Hide. Read-Only attributes to the files that were just placed in c: \ windows.
That is to say, even if your computer is infected with the virus, it is impossible to attack the virus. It is 100% impossible!
For double insurance, proceed to the next step:
Start-run the input gpedit. msc
User Configuration-manage templates-do not run the specified windows program.
The following figure shows how to add the file names in virusname.txt.
Logo1.rar contains viruses. You can give it a try. Even if you run the virus, it will not attack or infect you.
I will not talk about this nonsense. I hope everyone will be lucky. Rising's latest report. There are already tens of thousands of people infected with this virus. It takes only three days. There are several Internet users who have been poisoned within two days. It cannot be ignored.
The table says you have never seen this QQ message.
Look. My recent photo ~ To scan the QQ photo album ^_^!
Http://www.qq.xxx.search _2.shtml .cgi-client-entry.photo.39pic.com/qq%E5%83%8F%E5%86%8C2/
If you click...
The table says you won't click. If you are at home, will your computer be used only by yourself? If you accidentally click ....
If you are visiting an internet cafe or another person in the Internet cafe ........
Virus Information:
Virus name: Worm. Viking. bo Worm. Viking. bp
Detected as a trojan
The fact is far from that simple...
Infection: currently, it is infected by QQ information. Of course, it does not deny that some people will use malicious web pages to spread.
Feature: After infection, the logocmd.exe file is included in the Windows file on the C drive. After running, the virus body is logocmd.exe kill.exe sws32.dll sws. dll rundl132.dll.
Modify registry
Modify the Registry by using the [HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ WindowsNT \ CurrentVersion \ IniFileMapping \ system. ini \ boot] winlogo and
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun and
[HKEY_LOCAL_MACHINE] Add the key value = % System % in SOFTWARE/Microsoft/Windows/CurrentVersion/RunServices/(where, and variable) so that the next time
When the system starts, the virus runs automatically.
The virus can rapidly infect the core processes such as er.exe.
With all the executable programs of. exe... is completely modified. instead of simply modifying file associations... specific performance. game icons are discolored. or it becomes blank .. basically. the virus. it means you have to format all the hard disks.
Mongologocmd.exe process. Several others forgot their names ..
At the same time, the online game trojan will be released, including WOW, legend, Jianghu, and xiyou, as well as trojan, psw, and lineage...
You can say that I have anti-virus software installed. Unfortunately, this virus has another function .. It is to kill anti-virus software. The following processes will be killed when the virus is running:
Rising
SkyNet
Symantec
McAfee
Gate
Rfw.exe
RavMon.exe
Kill
NAV
KAV
The table tells me that I don't know what the process is.
You can say that I have a restoration software installed. Unfortunately, the virus can penetrate several mainstream restoration software such as the recovery Genie and freezing point. I have tested it and it is useless to even restore a card.
You can say that I have a ghost. It's okay to restore it. Unfortunately, it's useless to recover the mirror because it's a full infection.
For poisoned friends, I can only say sorry by the way. If you really want to remedy it, there are the following methods.
Go to safe mode and click "All Tables". Start-run-regedit
[HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows NT \ CurrentVersion \ IniFileMapping \ system. ini \ boot]
Winlogo items
Delete. C: \ WINDOWS \ SWS32.DLL
HKEY_LOCAL_MACHINE] SOFTWARE/Microsoft/Windows/CurrentVersion/Run delete all similar C: \ WINDOWS \ SWS32.dll. Check the items in/RunOnce/RunOnceEx.
For security. In the registry, search for the following logo=.exe logo_1.exe kill.exe sws32.dll sws. dll rundl132.dll and delete all the searched key values.
The key values found. You must remember the path. For example, c: \ windows \ sws32.dll c: \ windows \ logocmd.exe. Delete the Registry Information and delete these items on drive c.
Then, enter the startup Item after msconfig in the run. Cancel all the startup items you have never seen before.
If it is an Internet cafe, the sub-. server service must be disabled because the virus will spread through sharing and try to unbind the user password of the sub-server to transfer files.
This step is implemented. install Kaspersky. virus Detection. delete all the infected objects. of course. this is a consistent style of Kabbah. multiple system files are deleted. please use the system repair function to repair the system... OVER.
In fact, I mean. this virus has been detected. basically, there is no need for restoration. the host is restarted every time. the virus itself has been copied more. reinstalling a new system is not troublesome. the trouble is that you need to reinstall the system. how can we stop the virus. this is what I want to talk about. after checking the virus information. familiar with manual anti-virus experience. I am using the following anti-virus ideas. the test results are good.
After the system is reinstalled, (unplug the network cable during system installation) create several new files under c: \ windows \.
Logocmd.exe logo_1.exe sws32.dll sws. dll and so on. Set the file attribute to read-only.
In theory, you can create only this one.
Start-run the input gpedit. msc
Local Computer Policy-user configuration-management template-do not run the specified windows program on the right side of the system by double-clicking the "enable" tab. Add the following file name: logocmd.exe logo_1.exe kill.exe. check whether there are other viruses. subject name. check more.
In this step, the virus basically cannot run.
To prevent logocmd.exe from running, you can add a batch in the startup item. The batch content is
Attrib c: \ window \ logow..exe-r-h
Del c: \ window \ logow..exe/y
Copy multiple rows. Add other file names to be deleted
This means that these files are deleted when the system is started. Of course, they cannot be run. ... But this method usually fails .;)
Another point is to avoid clicking the link in the QQ information. Enable the QQ Security Center. If you want to display the link in the QQ information but do not want to click it. There are also ways.
In the QQ menu-settings-Security Settings-network information security, set the security level to the highest. The two check boxes in the chat information security section below are removed.
Tables are randomly inserted into unfamiliar websites.
In a word, good surfing habits are the best anti-virus tool.
The hands are getting sour. Hope to help you...
PS: Poor expression ability. Table attacks. What do you don't understand ..
The modified logo1virus. bat
The first step is saved. That is to say, after you directly run logo1vires. bat, you can modify the Group Policy. The modified logo1virus. bat content is
---------------------------------------------------
Echo> c: \ windows \ logocmd.exe
Echo> c: \ windows \ rundl132.exe
Echo> c: \ windows \ 0Sy.exe
Echo> c: \ windows \ vDll. dll
Echo> c: \ windows \ 1Sy.exe
Echo> c: \ windows \ 2Sy.exe
Echo> c: \ windows \ rundll32.exe
Echo> c: \ windows \ 3Sy.exe
Echo> c: \ windows \ 5Sy.exe
Echo> c: \ windows \ 1.com
Echo> c: \ windows \ exerouter.exe
Echo> c: \ windows \ EXP10RER.com
Echo> c: \ windows \ finders.com
Echo> c: \ windows \ Shell. sys
Echo> c: \ windows \ smss.exe
Echo> c: \ windows \ kill.exe
Echo> c: \ windows \ sws. dll
Echo> c: \ windows \ sws32.dll
Attrib c: \ windows \ logow..exe + s + r + h
Attrib c: \ windows \ rundl132.exe + s + r + h
Attrib c: \ windows \ 0Sy.exe + s + r + h
Attrib c: \ windows \ vDll. dll + s + r + h
Attrib c: \ windows \ 1Sy.exe + s + r + h
Attrib c: \ windows \ 2Sy.exe + s + r + h
Attrib c: \ windows \ rundll32.exe + s + r + h
Attrib c: \ windows \ 3Sy.exe + s + r + h
Attrib c: \ windows \ 5Sy.exe + s + r + h
Attrib c: \ windows \ 1.com + s + r + h
Attrib c: \ windows \ exerouter.exe + s + r + h
Attrib c: \ windows \ EXP10RER.com + s + r + h
Attrib c: \ windows \ finders.com + s + r + h
Attrib c: \ windows \ Shell. sys + s + r + h
Attrib c: \ windows \ smss.exe + s + r + h
Attrib c: \ windows \ kill.exe + s + r + h
Attrib c: \ windows \ sws. dll + s + r + h
Attrib c: \ windows \ sws32.dll + s + r + h
-------------------------------------------
I just sorted it out. I have written the Group Policy into the registry. Copy the following content to the text. modify it to the reg suffix and import it.
------------------------------------------------
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER \ Software \ Microsoft \ Windows \ CurrentVersion \ Group Policy Objects \ Local User \ Software \ Microsoft \ Windows \ CurrentVersion \ Policies \ Explorer \ DisallowRun]
"** Delvals." = ""
"1" = "0Sy.exe"
"2" = "1.com"
"3" = "1Sy.exe"
"4" = "2Sy.exe"
"5" = "3Sy.exe"
"6" = "5Sy.exe"
"7" = "exerouter.exe"
"8" = "EXP10RER.com"
"9" = "finders.com"
"10" = "finders.com"
"11" = "kill.exe"
"12" = "logocmd.exe"
"13" = "rundl132.exe"
"14" = "rundll32.exe"
"15" = "Shell. sys"
"16" = "smss.exe"
"17" = "smss.exe"
"18" = "sws. dll"
"19" = "sws32.dll"
"20" = "tool.exe"
"21" = "tool2005.exe"
"22" = "tool2006.exe"
"23" = "tools.exe"
"24" = "vDll. dll"
Attachment: viking.rar (462 K)