Manually clear USB viruses

Manually clear USB viruses

Author: Zhang guiquan

 

The 21st century is the golden age of the rapid development of information technology. With the popularization of the Internet and the vigorous development of modern e-commerce applications, information security has attracted people's attention. Obviously, computer viruses are quietly growing, and even flood the development of the entire technological revolution in its unique way. The development of viruses cannot be ignored. Today, not only computers, but also mobile storage devices are increasingly becoming targets of viruses. As long as your computer is running, you may be infected with viruses at any time. Even if your computer is not directly connected to the network, it is very likely that your mobile device has been infected with viruses for a long time.

 

Virus is not a good thing. It gradually makes people feel uneasy or even frustrated. When anti-virus software confidently tells you "Don't worry, my friend, there is no virus on your computer", do you believe it? If not. Then you are right, because antivirus software is always restrained by virus software, because it has no foresight ability, and it cannot possess human intelligence. When new viruses emerge, no. When they flood, antivirus software vendors begin to design targeted solutions. However, the reality tells us that the virus modification capability far exceeds the update speed of anti-virus software. Therefore, anti-virus software sometimes becomes clumsy. In this case, we need to solve the problem by ourselves.

 

It is necessary to have some basic virus identification and removal capabilities. Even if you trust anti-virus software, you have not prepared your own anti-virus software at all times. Next, I will introduce the manual cleaning process of general USB viruses with my own experience.

 

Experience tells me that when your device is infected with viruses, there will be abnormal responses, but you must be careful or it will be difficult to find out, or it will become very serious when you discover it. For example, if you want to view all the files in the system by setting "Folder Options", but you do not see the hidden files in the system, you must be infected with viruses, of course, manual settings must be excluded. Because viruses often hide themselves by changing the attributes of the file system folder. Of course, as long as your registry editor can be used, You can reset it.

 

Figure 1 system process information

 

Let's get down to the truth. The story is like this. One day when I was using my own USB, I felt that the system was abnormal and opened the Task Manager (generally press the shortcut key: CTRL + ALT ←) to see my sight. I tried to kill it directly, but it started again later. If you want to view the hidden file, it is useless to find that the Registry has been changed. Fortunately, the Registry Editor can also be used (of course, even if the registry is disabled, there are many ways to restore it, but this topic is not within the scope of this article ), I will change it back soon. The specific modification method is as follows:

1) Open the Registry Editor (Regedit command), find the key value in table 1, and create a defaultvalue item for the REG-DWORD class, set its value to 2, the modified result 2 is shown in.

 

Showall path in the Registry

HKEY_LOCAL_MACHINE/software/Microsoft/Windows/CurrentVersion/Explorer/advanced/folder/hidden/showall

Table 1 showall path in the Registry

 

Figure 2 effect after registry Restoration

 

2) search for "showall" in the Registry Editor, find the same path as in table 1, and perform the same operation, as shown in 3.

3)

 

Figure 3 search for "showall" in the Registry Editor"

 

 

After the above operations are completed, you will find that USB (my drive letter is e), delete it, and then exit USB,

Plug in again to find that the virus program is still there. Delete it, and then open the recycle bin of the E disk. You will find the virus in it, as shown in figure 4. File property 5.

Figure 4 lcass.exe

 

Figure 5 attributes of lcass

 

By clearing the desktop recycle bin, you can find that the virus is gone, ...... And then again. Why?

When you find that the problem has not been solved, you should go around. Find the feeling. Experience tells me that there must be something wrong with the system disk (I have a C disk). Let's take a look.

 

If it is good, you will see an "autorun" configuration file in the system disk. If you are familiar with windows, you should know what is going on, as shown in figure 6.

 

Figure 6 special files on the system disk

 

Right-click the "edit" menu and you will find "autorun" content 7. The meaning is the lcass.exe file in the recycle station automatically run when the system starts. Because the file has the memory injection function, even if you delete the file, it will be automatically restored when the system is disabled. Therefore, the process is as follows:

1) Kill the lcass.exe process;

2) Clear the lcass.exe program in USB;

3) Delete the Autorun file from the system disk;

4) Clear the recycle bin.

5) restart Windows and check whether lcass.exe has been deleted.

If not, repeat the above operations to avoid forgetting some of the links. If you can't repeat it several times, think about other methods!

 

Figure 7 Autorun content