Manually delete the funny.exe Trojan

Source: Internet
Author: User

When the virus runs, it automatically sends itself through QQ, MSN and other chat tools.
It starts three instances in the system at the same time that watch over each other: kill one of the processes and the other two immediately restart it.
It also modifies several registry entries, so it starts again automatically after a reboot.

Removal method (the system directory C:/winnt is used as an example):

0. First run copy C:/winnt/system32/userinit.exe C:/winnt/system32/userinit32.exe, overwriting the existing file. (I had not tried this step at the beginning, but it does no harm to do it.)

1. Boot into safe mode, preferably safe mode with command prompt; the virus may still start even there.

2. There is usually a copy of funny.exe in the root directory of each drive (for example C:/ and D:/); delete it.

3. Look for the following files; each is about 55 KB in size and has a date within the last few days:
C:/winnt/rundll32.exe,
C:/winnt/system32/userinit32.exe,
C:/winnt/system32/iexplore.exe and C:/winnt/system32/explorer.exe.

4. Delete these files. If a file cannot be deleted, rename it instead; it is best to do this from the command line. Replace the userinit32.exe file in the System32 directory with the copy userinit.exe userinit32.exe method from step 0. Sometimes a file reappears after it is deleted or renamed; vary the order and try again while the processes are running. rundll32.exe, iexplore.exe and explorer.exe can always be renamed or deleted after several attempts.

5. Note: this virus modifies the registry. If you simply delete userinit32.exe, the system will no longer be able to log on! The value HKEY_LOCAL_MACHINE/software/Microsoft/Windows NT/CurrentVersion/Winlogon/userinit
is changed by the virus from C:/winnt/system32/userinit.exe to C:/winnt/system32/userinit32.exe.
The program named in this value must run when the system starts.

Solution:
A. If you are at the console, you can temporarily run copy userinit.exe userinit32.exe.
B. If you can edit the registry from within Windows, search for every occurrence of userinit32.exe and change it to userinit.exe.

6. Delete the mmsystem entry from the Run key in the registry. Its content is C:/winnt/rundll.exe mmsystem.dll ....
Locations: HKEY_LOCAL_MACHINE/software/Microsoft/Windows NT/CurrentVersion/run/mmsystem
HKEY_CURRENT_USER/software/Microsoft/Windows/CurrentVersion/run

7. Restart the machine and check whether the files listed above still exist. If they are gone, the problem is solved.
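As an added example (not part of the original post), the following Python helper checks a snapshot of file listings and registry values against the indicators the steps above describe, so the cleanup can be verified from exported data or a disk image instead of on the live machine. The C:/winnt paths, the 50-60 KB size window and the 7-day age window are assumptions taken from the post's description.

```python
from datetime import datetime, timedelta

SYSROOT = r"C:\winnt"  # assumption: the post's example system directory
# Locations the post names for the ~55 KB dropped copies (steps 3 and 5)
SUSPECT_PATHS = {p.lower() for p in (
    rf"{SYSROOT}\rundll32.exe",
    rf"{SYSROOT}\system32\userinit32.exe",
    rf"{SYSROOT}\system32\iexplore.exe",
    rf"{SYSROOT}\system32\explorer.exe",
)}
LEGIT_USERINIT = rf"{SYSROOT}\system32\userinit.exe".lower()

def suspicious_files(files, now, max_age=timedelta(days=7), lo=50_000, hi=60_000):
    """files: iterable of (path, size_bytes, mtime). Returns paths that match the
    post's indicators: a dropped-copy name or funny.exe in a drive root (step 2),
    roughly 55 KB, and written within the last few days."""
    hits = []
    for path, size, mtime in files:
        p = path.lower()
        in_root = len(p) == 12 and p[1:] == ":\\funny.exe"   # e.g. d:\funny.exe
        if (p in SUSPECT_PATHS or in_root) and lo <= size <= hi \
                and now - mtime <= max_age:
            hits.append(path)
    return hits

def userinit_hijack(userinit_value):
    """Winlogon\\Userinit is a comma-separated list (a trailing comma is normal).
    Returns every entry that is not the legitimate userinit.exe (step 5)."""
    entries = [e.strip().lower() for e in userinit_value.split(",")]
    return [e for e in entries if e and e != LEGIT_USERINIT]

def mmsystem_run_entries(run_values):
    """run_values: {value_name: command} read from a Run key. Returns the
    entries that load mmsystem.dll the way the post describes (step 6)."""
    return {n: c for n, c in run_values.items()
            if n.lower() == "mmsystem" or "mmsystem" in c.lower()}

# Constructed snapshot of an infected machine, for demonstration only
NOW = datetime(2007, 1, 10)
FILES = [
    (r"C:\winnt\system32\userinit.exe", 26_624, datetime(2004, 8, 4)),   # legitimate
    (r"C:\winnt\system32\rundll32.exe", 33_280, datetime(2004, 8, 4)),   # legitimate
    (r"C:\winnt\system32\userinit32.exe", 55_296, datetime(2007, 1, 8)),
    (r"C:\winnt\rundll32.exe", 55_296, datetime(2007, 1, 8)),
    (r"D:\funny.exe", 55_296, datetime(2007, 1, 8)),
]
USERINIT = r"C:\winnt\system32\userinit32.exe,"
RUN = {"mmsystem": r"C:\winnt\rundll.exe mmsystem.dll", "ctfmon.exe": "ctfmon.exe"}
```

Run the three checks again after step 7; all of them should come back empty on a cleaned machine.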