This afternoon, I accidentally found my computer infected with a backdoor. Program Viruses and viruses cannot be cleared several times, that is, anti-virus in security mode is powerless. Each time, several viruses can be detected, which are mainly distributed in the C: \ WINDOWS \ SYSTEM \ directory (I use WINXP and the c: \ winnt \ System \ directory under win2000 \), and other drive letter root directories except drive C. After the virus is successfully detected, double-click the drive letter other than drive C to display the system prompt: The program iexplores.exe is the backdoor virus program displayed by Jiangmin Software.
Google collected some countermeasures against similar situations and learned that the autorun. inf program under the drive letter root directory was at fault. After several attempts, I finally found a solution.
.
Second, change the registry settings, specifically: Start-run-Regedit to enter the registry, In the hkel_local_machine \ Software \ Microsoft \ Windows \ CurrentVersion \ Run project, delete the illegal project loaded when the system starts. The possible items are: cmpnt (name)/REG_SZ (type)/C: \ WINDOWS \ driver.com (key value ), or an invalid project with another name. Partition (key value ). Next, check the hkel_local_machine \ System \ controlsetool \ Control \ Session Manager project and delete invalid items, such as pendingfilerenameoperations (name)/reg_multi_sz (type )/"\?? \ C: \ WINDOWS \ SYSTEM \ loadms.exe "(key value ).
Again, delete the virus execution file under the C: \ WINDOWS \ SYSTEM \ directory. The names of the files I encountered are: virus files, which can be clearly identified. (Because most files in this directory are in. dll format)
Delete the autorun.infand iyunes.exe files in the dosenvironment. The specific commands are as follows:
D: \> attrib autorun. inf-s-h-R (remove the system, hide, and read-only attributes of the file)
D: \> Del autorun. inf
D: \> attrib iexplores.exe-s-h-R
D: \> Del iexplores.exe
D: \> DIR/A (view all files in the directory, and you will not be able to see the above two files! ^_^)
So far, the virus has been cleared.
If Windows cannot find iexplores.exe or double-click an active hard disk, the following issues should be solved:
If your active hard disk is a f disk
HKEY_CURRENT_USER \ Software \ Microsoft \ Windows \ CurrentVersion \ Explorer \ mountpoints \ f \ shell to delete the item!
The problem has been solved. analyze the cause. The reason why Windows cannot find iexplores.exe is as follows:
First, your active hard drive is infected with win32.hack. tompai. B .20.24. On the website of Kingdom drug overlord, This is the explanation:
The virus uses a backdoor, which allows the backdoor growers to secretly control infected machines. The virus works on Windows 32 platforms.
Http://db.kingsoft.com/c/2005/03/24/181620.shtml)
Through analysis, I found that tompaivirus will generate the iexplores.exe file in the root directory of the active hard disk. The function of this file is: When you double-click the active hard disk, the system will use the iexplores.exe file to automatically play the active hard disk content as a way to spread viruses.
Deleted directly.
.
As you can see, the machine is infected with viruses and you can manually scan for the iexplores.exe virus and backdoor!
First, open the task manager and stop the non-legal process. Optional non-legal process packages: ntdllf.exe,
Netcompt.exe1_comptnt.exeand ptsnopt.exe. For XP users, you can also run tasklist in cmd.
List system processes, and then use tskill to kill the above illegal processes.
Second, change the registry settings, specifically: Start-run-Regedit to enter the registry,
In hkel_local_machine \ Software \ Microsoft \ Windows \ CurrentVersion \ Run
Project, delete the illegal project loaded when the system starts, the possible item is: cmpnt (name)
/REG_SZ (type)/C: \ WINDOWS \ driver.com (key value), or an invalid project with another name.
At the same time, find the run directory under the CurrentVersion directory such as runonce and runservice,
Check whether there is an invalid key value, for example, shell( ,、mainmainsv.exe (key value ). Next, check
Hkel_local_machine \ System \ controlset001 \ Control \ Session Manager project,
Delete invalid items, such as pendingfilerenameoperations (name)/reg_multi_sz (type)
/"?? C: \ WINDOWS \ SYSTEM \ loadms.exe "(key value ).
Again, delete the virus execution file in the C: \ WINDOWS \ SYSTEM directory. Possible file names include:
Ntdllf.exe?mainsv.exe=netcompt.exe=netcomptnt.exe=ptsnopt.exe,
Loadms.exeand loadmsnt.exe, which are generally .exe files, can be clearly identified.
(Because most files in this directory are in. dll format)
Delete the autorun.infand iyunes.exe files in the dosenvironment,
The specific command is:
D:> attrib autorun. inf-s-h-R (remove the system, hidden, and read-only attributes of the file)
D:> Del autorun. inf
D:> attrib iexplores.exe-s-h-R
D:> Del iexplores.exe
D:> DIR/A (view all files in the directory, and you will not be able to see the above two files! ^_^)
Of course, you can also choose toolbar-Folder option-under each drive letter to view and select to display all files
And folder, while removing the check box before hiding the protected system files, the above two files are displayed,
Kill! Virus can be cleared!