Manual antivirus notes

Source: Internet
Author: User
1. Check the registry startup items

Most viruses add themselves to the registry startup items, which you can view and delete in several ways. Open the Registry Editor, navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion and click "Run" to view its contents. If you do not recognize the entries, delete them all. This does not remove the virus itself, which will write its entry back, but it is enough to disable a Trojan. To remove the virus manually, read on!
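As an added example (not part of the original notes), the following PowerShell script lists the Run/RunOnce startup entries the text refers to, resolves each command to its executable and flags files that are missing or unsigned, which is a quicker way to decide which entries are worth deleting than reading them by eye:

```powershell
# Added example, not from the original article: list the Run/RunOnce
# startup entries for the machine and the current user, resolve each
# command to its executable and flag missing or unsigned files.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-ExePathFromCommand([string]$Command) {
    # Expand %SystemRoot%-style variables, then strip quotes and arguments.
    $cmd = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
    }
    $m = [regex]::Match($cmd, '^(.+?\.exe)(\s|$)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($cmd -split '\s+')[0]
}

$report = foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $item = Get-Item -LiteralPath $key
    foreach ($name in $item.GetValueNames()) {
        $command = [string]$item.GetValue($name)
        $exe     = Get-ExePathFromCommand $command
        $exists  = Test-Path -LiteralPath $exe -PathType Leaf
        # Signature status: Valid, NotSigned, HashMismatch, UnknownError ...
        $signature = if ($exists) { (Get-AuthenticodeSignature -FilePath $exe).Status } else { 'missing' }
        [pscustomobject]@{
            Key       = $key.Replace('SOFTWARE\Microsoft\Windows\CurrentVersion\', '')
            Name      = $name
            Exe       = $exe
            Exists    = $exists
            Signature = $signature
            Command   = $command
        }
    }
}

# Entries that point nowhere or at an unsigned binary deserve a closer look.
$report | Sort-Object Exists, Signature | Format-Table -AutoSize
```

On 64-bit Windows the Wow6432Node copy of the Run key is a further location worth adding to the list.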

2. Making hidden files visible again

1. Sometimes hidden files cannot be displayed because the virus has modified the registry as well as the file attributes: it forges the CheckedValue value. Open HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL, delete the CheckedValue value (which will now be of string type), create a new CheckedValue of type DWORD (the correct type) and set it to 1. Hidden system files are displayed again and everything is back to normal.
2. You can also use the attrib command to remove the hidden and system attributes from a file. For example, to reveal the files in the root directory of drive C, enter cd \ at the CMD prompt to switch to the root directory, then enter attrib -s -h autorun.inf.
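The two steps above, as an added PowerShell example that is not part of the original notes: it checks the type and value of SHOWALL\CheckedValue and recreates it as a DWORD of 1 when it has been forged, then lists the hidden+system files in the root of the system drive so that an autorun.inf dropper can be spotted without changing any attributes first. It assumes an elevated PowerShell session.

```powershell
# Added example, not from the original article: repair the forged
# SHOWALL\CheckedValue (must be DWORD 1) and list hidden+system files
# in the root of the system drive. Run from an elevated PowerShell.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'

function Repair-ShowAllCheckedValue {
    $item = Get-Item -LiteralPath $key
    $kind = $null
    if ($item.GetValueNames() -contains 'CheckedValue') {
        $kind = $item.GetValueKind('CheckedValue')   # DWord, String, ...
    }
    $value = $item.GetValue('CheckedValue')
    if ($kind -eq 'DWord' -and $value -eq 1) {
        return "CheckedValue is already a DWORD set to 1."
    }
    # A REG_SZ CheckedValue is the forged value: remove it and recreate as DWORD.
    if ($null -ne $kind) {
        Remove-ItemProperty -LiteralPath $key -Name 'CheckedValue'
    }
    New-ItemProperty -LiteralPath $key -Name 'CheckedValue' -PropertyType DWord -Value 1 | Out-Null
    return "CheckedValue was '$value' of type '$kind'; recreated as DWORD 1."
}

function Get-HiddenSystemFiles([string]$Dir = "$env:SystemDrive\") {
    # -Force makes Get-ChildItem return hidden and system entries as well.
    Get-ChildItem -LiteralPath $Dir -Force -File |
        Where-Object { $_.Attributes.HasFlag([IO.FileAttributes]::Hidden) -and
                       $_.Attributes.HasFlag([IO.FileAttributes]::System) } |
        Select-Object Name, Attributes, Length, LastWriteTime
}

Repair-ShowAllCheckedValue
Get-HiddenSystemFiles | Format-Table -AutoSize
# The attrib command from the text works unchanged in PowerShell once a
# suspicious file is found, e.g.:  attrib -s -h "$env:SystemDrive\autorun.inf"
```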

3. How to delete the virus's main file

Every virus has a main file, and to remove a virus manually we must first delete it. The main file is usually a DLL that cannot be deleted directly, so we try the following methods (so far no DLL has resisted all three of them).
1. Boot into Safe Mode and delete it there.
2. Unload the DLL using the Windows rundll32.exe and then delete it. This method is very effective against wmpcd32.dll. At the command prompt enter: rundll32.exe filename.dll Uninstall
3. Find the process hosting the DLL. Method: use the procexp (Process Explorer) process management tool. Open Find > Find DLL to display the DLL search dialog, enter "filename.dll" in the DLL substring box and click Search to see which processes have loaded the DLL. Stop those processes and then try to delete the DLL file.
Note: if the virus file is rgwatch.sys, the same method can be used to locate the host process and delete it. IceSword (the "ice blade" anti-rootkit tool) is also a good choice.
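The "Find DLL" step of method 3, as an added PowerShell example that is not part of the original notes and needs no third-party tool: it walks every process's module list and reports the ones that have the named DLL loaded. The DLL name wmpcd32.dll is taken from the text only as a placeholder.

```powershell
# Added example, not from the original article: find every process that has
# a given DLL loaded, the same answer Process Explorer's "Find DLL" gives.
function Find-DllHost {
    param([Parameter(Mandatory)][string]$DllName)
    foreach ($proc in Get-Process) {
        try {
            $modules = $proc.Modules
        } catch {
            # Protected or higher-privilege processes refuse module
            # enumeration; run elevated to cover them.
            continue
        }
        foreach ($mod in $modules) {
            if ($mod.ModuleName -ieq $DllName) {
                [pscustomobject]@{
                    ProcessName = $proc.ProcessName
                    Id          = $proc.Id
                    ModulePath  = $mod.FileName
                }
            }
        }
    }
}

$hosts = Find-DllHost -DllName 'wmpcd32.dll'   # placeholder name from the text
if (-not $hosts) {
    "No running process has the DLL loaded; the file should be deletable now."
} else {
    $hosts | Format-Table -AutoSize
    # Once the hosts are known, end them and delete the file, e.g.:
    #   $hosts | ForEach-Object { Stop-Process -Id $_.Id -Force }
    #   Remove-Item -LiteralPath $hosts[0].ModulePath -Force
}
```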

4. Delete the virus's registry leftovers

There is little to say here: after removing a virus manually, do not forget to delete the traces it left in the registry. Method: open regedit, search for the virus name and delete what you find. Sometimes an entry cannot be deleted; IceSword can delete it forcibly. Because IceSword has no registry search function, first search for the related item in the Registry Editor, then locate the same item in IceSword's registry view and delete it there!

5. Find the virus's guardian file and delete it forcibly!
Many viruses create a guardian file: when you delete the virus it comes back, which is annoying and hard to handle! The following method finds the guardian file. Two auxiliary tools are needed: Filemon and IceSword. Filemon records every file creation, modification and deletion and shows which process performed it!
Method: start IceSword and select "prohibit process/thread creation" in its settings, then end all unnecessary processes (including explorer.exe), leaving only the basic system processes so that the Filemon record stays readable. Delete the registry startup entries one by one, refreshing after each to see whether the entry is restored automatically. The process that restores it is the guardian, and it will show up in Filemon!

6. Solutions when anti-virus software has been disabled

Anti-virus software is the virus's nemesis. To survive, a virus must kill the anti-virus software, and many viruses do exactly that: after infection the anti-virus software no longer works.
1. There is a good solution for Rising (because I use Rising (*^__^*)......). Rising's tool list has a function called "Rising installation package creation program", which packages Rising together with the latest virus library. This saves updating again after a reinstall, and the process name of this installation package differs from that of the Rising protection process while it runs, so the anti-virus software can be installed.
2. A common symptom when anti-virus software has been hit is the "application initialization failed (0x00000ba)" error.
Cause analysis:
ws2_32.dll is the Windows Sockets application interface used by Internet and network applications, and it is loaded automatically when such a program runs. It is a dynamic link library located in the system folder. When Windows searches for a dynamic link library, it first looks in the application's own directory; if the file is not found there, it searches the Windows directory, and then the System32 and System directories. Some viruses exploit this by creating a ws2_32.dll file or folder in the anti-virus software's directory. From the software's point of view this is the file it asked for, but the fake "file" has none of the real ws2_32.dll's functionality, so the anti-virus software cannot run and reports: application initialization failed (0x00000ba)!
Solution:
Go to the anti-virus software's installation directory, find the ws2_32.dll file or folder, and delete it!
Note: if it cannot be found, it may be hidden; use the method described above. If the folder is found but cannot be deleted, it is because it contains a folder named "1." which Windows cannot handle; delete it with IceSword.
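As an added PowerShell example (not part of the original notes), the check below looks in an application's install directory for entries that shadow a DLL shipped in System32, the ws2_32.dll trick just described: a folder with that name, or a file that is neither identical to the System32 copy nor validly signed, is the planted decoy. The install path is a placeholder.

```powershell
# Added example, not from the original article: report entries in an
# application directory that shadow a System32 DLL (DLL search-order decoy).
function Find-ShadowedSystemDlls {
    param([Parameter(Mandatory)][string]$AppDir)
    $system32 = Join-Path $env:SystemRoot 'System32'
    # -Force includes hidden entries; a *folder* named ws2_32.dll also matches.
    Get-ChildItem -LiteralPath $AppDir -Force -Filter '*.dll' | ForEach-Object {
        $sysCopy = Join-Path $system32 $_.Name
        if (-not (Test-Path -LiteralPath $sysCopy -PathType Leaf)) { return }
        $isFolder  = $_.PSIsContainer
        $sameHash  = $false
        $signature = 'n/a'
        if (-not $isFolder) {
            $appHash   = (Get-FileHash -LiteralPath $_.FullName).Hash
            $sysHash   = (Get-FileHash -LiteralPath $sysCopy).Hash
            $sameHash  = ($appHash -eq $sysHash)
            $signature = (Get-AuthenticodeSignature -FilePath $_.FullName).Status
        }
        [pscustomobject]@{
            Name           = $_.Name
            IsFolder       = $isFolder
            SameAsSystem32 = $sameHash
            Signature      = $signature
            Path           = $_.FullName
        }
    }
}

# Placeholder path: substitute the anti-virus product's real install directory.
Find-ShadowedSystemDlls -AppDir "$env:ProgramFiles\AntiVirusProduct" | Format-Table -AutoSize
# Anything reported with IsFolder = True, or with SameAsSystem32 = False and a
# signature other than Valid, is the decoy to delete (with IceSword if Windows
# refuses); the anti-virus software starts normally once it is gone.
```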

3. IFEO hijacking (IceSword and other anti-virus tools cannot be started)

IceSword is apparently such a threat to viruses that they do not spare it either. Sometimes, after infection, no anti-virus software or tool (including IceSword) can be run at all, because of IFEO hijacking. Cause:
By modifying the registry, the virus creates a sub-key for a specific program under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options that blocks that program or redirects it to a target program, which lets the virus start itself and disable the tool.
Solution: under this key, remove our tool from the blacklist (delete its sub-key).
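The IFEO check and cleanup above, as an added PowerShell example that is not part of the original notes: it lists every Image File Execution Options sub-key carrying a Debugger value (the value that makes Windows launch a different command in place of the program) and removes the sub-key for a named tool. It assumes an elevated session; the tool name IceSword.exe is a placeholder.

```powershell
# Added example, not from the original article: list IFEO entries that carry
# a Debugger value and remove the entry for a named tool (run elevated).
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

function Get-IfeoDebuggers {
    Get-ChildItem -LiteralPath $ifeo | ForEach-Object {
        $debugger = $_.GetValue('Debugger')
        if ($null -ne $debugger) {
            [pscustomobject]@{
                Program  = $_.PSChildName   # the image name being hijacked
                Debugger = $debugger        # what actually runs instead of it
            }
        }
    }
}

function Remove-IfeoEntry([string]$Program) {
    $key = Join-Path $ifeo $Program
    if (Test-Path -LiteralPath $key) {
        # Deleting the sub-key is the "remove our tool from the blacklist" step.
        Remove-Item -LiteralPath $key -Recurse
        "Removed IFEO entry for $Program"
    } else {
        "No IFEO entry for $Program"
    }
}

Get-IfeoDebuggers | Format-Table -AutoSize
# Legitimate Debugger values are rare on a workstation (a developer's debugger
# is the usual exception); an entry for a security tool that points at an
# unknown executable is the hijack. On 64-bit Windows check the Wow6432Node
# copy of the key as well.
# Remove-IfeoEntry -Program 'IceSword.exe'   # placeholder tool name
```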

7. Virus problems that reinstalling the system does not solve

Many people think that reinstalling the system solves any virus problem. In fact some viruses force a modification of IE and set its default home page, and this persists even after a reinstall. The method is to stop the Java virtual machine and then end the process.
Specific steps: In the Internet Options, remove all the startup items for the Java VM.

Finally, I think the best way to learn about viruses is to analyze virus code!
