On the USB drive, the folders appear to have been replaced by disguised files with an .exe suffix, all a uniform 421 KB in size. These virus files open when double-clicked and can be deleted, but once they are deleted and the removable disk is refreshed, they appear again. Because each one carries the same name as an original folder, this malware is also known as the disguise-folder virus.
Rising security expert Tangwei said that the way the virus folders are recreated immediately after deletion shows that a virus file is loaded in the system and keeps writing files named "folder name.exe" to the USB drive. When hidden files are shown through Folder Options, the original files on the disk become visible (Figure 1), but the folder's properties cannot be changed by right-clicking it.
Figure 1
Tangwei pointed out that using an anti-virus helper tool to investigate and remove suspicious processes in the system is the most convenient way to end this "culprit". The tool used for this manual clean-up is XueTr, a free anti-virus helper tool that currently supports 32-bit Windows 2000, XP, 2003, Vista, 2008, Win7 and other operating systems. It can view process modules, registry keys, system startup items and more, and through a series of screening steps it can finally locate the virus file and kill it. It is powerful and easy to operate, which makes it one of the better auxiliary tools for manual virus removal. The specific steps are as follows:
1. Find the obviously abnormal process Winweb.exe in the system, right-click it and select the "End and delete files" action. (Figure 2)
Figure 2
2. Use the XueTr tool to forcibly delete the two virus files "my photos.exe" and "Office document.exe" on the USB drive, making sure that "block file regeneration after deletion" is checked. (Figure 3)
Figure 3
3. To check whether the virus files regenerate, use the XueTr tool to refresh the removable disk. The two virus files appear again, which indicates that a remnant of the virus is still loaded in the system and keeps creating .exe-suffixed folders on the USB drive. To clear the virus completely, go back to the process list and check all the files currently loaded under each process. This reveals a suspicious module, Iconhandle.dll, loaded under Explorer.exe and carrying no digital signature. (Figure 4)
Figure 4
4. Go to the directory where the file is located, C:\Windows\System32, and sort all the files in the directory by "created date" in the details view. This turns up an unexpected find: two other files in the directory, Webad.dll and web.dat, have the same creation time as Iconhandle.dll. A closer look shows that web.dat is 421 KB in size, the same as the two virus folders on the USB drive. A normal system does not have these three files under C:\Windows\System32, so it can be inferred that all three were created by the virus and can be deleted together. (Figure 5)
Figure 5
5. Right-click Iconhandle.dll, which is loaded by Explorer.exe, and choose the global unload option. (Figure 6)
Figure 6
Note: Because Iconhandle.dll is attached to the Explorer.exe process, the Explorer.exe process restarts during the global unload. This is normal and nothing to worry about.
6. Use the XueTr tool to locate the three suspicious files above, select them all, right-click and choose the "Add to restart Delete" operation, and then restart the computer immediately. (Figure 7)
Figure 7
After the computer restarts, a final check is needed. XueTr shows that the Explorer.exe process no longer loads Iconhandle.dll and that the three suspicious files no longer exist in the C:\Windows\System32 directory, so the obvious signs of the virus have not reappeared. Deleting "my photos.exe" and "Office document.exe" on the USB drive once more confirms that the virus folders are not generated again. The USB drive virus now appears to be cleaned up, but the original folders still carry the hidden and system attributes, which cannot be modified, so one more manual repair step is needed after disinfection. The attrib command is used to change the folders' system attributes, as follows: (Figure 8)
1. Click "Start" → "Run", enter "cmd" and press Enter to open the DOS window.
2. Because the USB drive is currently assigned drive letter E in the system, enter "E:" at the command line and press Enter.
3. Next, enter "attrib /s /d -s -h" at the command line and press Enter. After the command runs, the folder icons on drive E are back to normal.
Figure 8
This completes the manual removal of the USB drive virus and the repair process. Working through a manual clean-up shows that the virus is not as scary as it might seem: it is enough to find the virus files and remove them from the system in a reasonable and feasible way. The above is mainly meant to provide ideas and techniques for handling viruses by hand. Although USB drive viruses differ in their symptoms, the principle of manual removal is similar, and once the core ideas and key elements of manual removal are mastered, there will be a point of attack for handling any type of virus by hand.
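The two observations that drive the investigation above (an .exe named after a hidden folder on the USB drive, and System32 files sharing the unsigned module's creation time or the dropper's 421 KB size) can be checked mechanically. The following is an added example, not part of the original article or of XueTr; the listings, timestamps, non-421 KB sizes and function names are constructed for illustration.

```python
import stat

# Hidden + system attribute bits, as set on the original folders.
HS = stat.FILE_ATTRIBUTE_HIDDEN | stat.FILE_ATTRIBUTE_SYSTEM
ARCHIVE = stat.FILE_ATTRIBUTE_ARCHIVE

# Constructed drive-root listing: (name, is_dir, size_bytes, attributes)
USB_ROOT = [
    ("my photos", True, 0, HS),
    ("my photos.exe", False, 431104, ARCHIVE),        # 421 KB
    ("Office document", True, 0, HS),
    ("Office document.exe", False, 431104, ARCHIVE),
    ("docs", True, 0, 0),                             # normal, visible folder
    ("setup.exe", False, 88064, ARCHIVE),             # no matching folder
]

# Constructed System32 listing: (name, created, size_bytes)
SYSTEM32 = [
    ("kernel32.dll", "2008-04-14 12:00", 989696),
    ("Iconhandle.dll", "2011-03-02 14:05", 90112),
    ("Webad.dll", "2011-03-02 14:05", 65536),
    ("web.dat", "2011-03-02 14:05", 431104),
    ("notepad.exe", "2008-04-14 12:00", 69120),
]

def find_disguised(entries):
    """Return (name, size) of .exe files named after a hidden+system folder."""
    hidden = {n.strip().lower() for n, is_dir, _, attrs in entries
              if is_dir and attrs & HS == HS}
    return [(n, size) for n, is_dir, size, _ in entries
            if not is_dir and n.lower().endswith(".exe")
            and n[:-4].strip().lower() in hidden]

def uniform_size(suspects):
    """Return the size shared by every suspect, or None if sizes differ."""
    sizes = {size for _, size in suspects}
    return sizes.pop() if len(sizes) == 1 else None

def correlate(system_files, module, dropper_size):
    """Flag files created together with the unsigned module or matching the dropper size."""
    created = {c for n, c, _ in system_files if n.lower() == module.lower()}
    return sorted(n for n, c, s in system_files
                  if c in created or s == dropper_size)

if __name__ == "__main__":
    suspects = find_disguised(USB_ROOT)
    size = uniform_size(suspects)
    print("Disguised files:", suspects)
    print("Related System32 files:", correlate(SYSTEM32, "Iconhandle.dll", size))
```

On a live Windows system the same tuples can be built from `os.scandir()`, where `entry.stat().st_file_attributes` supplies the attribute bits and `st_ctime` the creation time.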