Manual removal of the pagefile.pif virus

Source: Internet
Author: User

This is a virus cleanup method from long ago.

1. Find the pagefile.pif file on drive D, check when it was created, and delete it.


2. Use the System Restore function to restore the system to a date before the virus was generated. The virus and its associated processes will then no longer be among the system processes. However, it seems that some people cannot perform a system restore at this point (the prompt is "the system has not been modified and cannot be restored").

In that case, you can use another method: use the Windows Search function to find the files generated by the virus on drive C and drive D in turn. Limit the file size to 50 KB and leave the file name unrestricted. This finds a total of about four MS-DOS-related files (including pagefile.pif) with the same date and size; delete them.


3. Start --- Run --- cmd (open the command prompt)

Type D: and then dir /a (without the /a parameter the hidden file is not listed; /a shows all files). You will find that drive D has an autorun.inf file. Run attrib -s -h -r autorun.inf to remove the system, hidden and read-only attributes from autorun.inf.

Finally, run del autorun.inf

 

4. If you do not understand the preceding steps, go to "Tools - Folder Options - View", select "Show all files and folders" and deselect "Hide protected operating system files". You will then see a hidden file, autorun.inf, on drive D. The file was generated on July 15, December 27 (remember to clear the read-only attribute). Open this file and you will see the auto-run content, as shown below:

[Code]

[Autorun]

OPEN=D:\pagefile.pif

[/Code]

Delete the autorun.inf file.


5. Start --- Run --- regedit (open the Registry Editor)

Search for pagefile.pif and delete the entire shell sub-key. The virus is now completely removed.
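The check from steps 3 and 4, reading autorun.inf and seeing which program it launches, can be scripted. The following is an added example, not part of the original post; the function names and the extension list are assumptions, and the sample text is constructed to match the autorun.inf shown above.

```python
import ntpath

# Extensions Windows runs directly; .pif and .com are the ones used on this page.
EXECUTABLE_EXTS = {".exe", ".com", ".pif", ".scr", ".bat", ".cmd"}

# Constructed sample matching the autorun.inf shown above.
SAMPLE = "[Autorun]\nOPEN = D:\\pagefile.pif\n"


def autorun_targets(text):
    """Return (key, command) pairs that launch a program from [autorun]."""
    targets, in_autorun = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        # open=, shellexecute= and shell\<verb>\command= all name a program to run.
        if key in ("open", "shellexecute") or (
            key.startswith("shell\\") and key.endswith("\\command")
        ):
            targets.append((key, value))
    return targets


def suspicious_targets(text):
    """Keep targets whose program has a directly executable extension."""
    hits = []
    for key, command in autorun_targets(text):
        tokens = command.replace('"', "").split()
        if not tokens:
            continue  # empty value, nothing to launch
        # Assumption: the program path has no spaces (true for D:\pagefile.pif).
        ext = ntpath.splitext(tokens[0])[1].lower()
        if ext in EXECUTABLE_EXTS:
            hits.append((key, command))
    return hits


if __name__ == "__main__":
    for key, command in suspicious_targets(SAMPLE):
        print(f"autorun.inf launches {command!r} via {key}=")
```
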

 

1. Trojan.PSW.Lmir.iux

This bad guy. I don't know who was on my computer, but it picked up this bad guy. At first I didn't know; I just thought the machine was getting slower and slower. Looking at the processes, I wondered why there was this C:\WINDOWS\services.exe thing. I realized I had been hit by a Trojan, and then I deleted it. I didn't expect this guy to be associated with so many files, including Internet Explorer.

I wasted some time yesterday. Norton couldn't find this guy and I was dizzy. Then I pulled out the terrible Rising online anti-virus service and found a total of N files. Yesterday I didn't know how many files there were, so how could this problem be solved?

I didn't expect this guy to have quite so many. I wrote a BAT file to kill it.


[Code]

@echo off
rem Removes the files dropped by Trojan.PSW.Lmir.iux.
echo ===============================================================
echo Delete Trojan.PSW.Lmir.iux By o _ 4 pollo
echo ===============================================================
echo Start...
echo ===============================================================
echo Execute ATTRIB...

rem Clear the system, read-only, archive and hidden attributes so del can see the files.
attrib -s -r -a -h c:\windows\1.com
attrib -s -r -a -h c:\windows\services.exe
attrib -s -r -a -h c:\windows\explorer.com
attrib -s -r -a -h c:\windows\finder.com
attrib -s -r -a -h c:\windows\exeroute.exe

attrib -s -r -a -h c:\windows\debug\debugprogram.exe

attrib -s -r -a -h c:\windows\system32\regedit.com
attrib -s -r -a -h c:\windows\system32\dxdiag.com
attrib -s -r -a -h c:\windows\system32\msconfig.com
attrib -s -r -a -h c:\windows\system32\command.pif

attrib -s -r -a -h c:\windows\system32\finder.com
attrib -s -r -a -h c:\windows\system32\rundll32.com
attrib -s -r -a -h c:\windows\system32\i.com

attrib -s -r -a -h c:\progra~1\common~1\iw.e.pif
attrib -s -r -a -h c:\progra~1\intern~1\iexplore.com

attrib -s -r -a -h d:\pagefile.pif

rem ===============================================================
echo Execute DELETE...

rem Delete the same list of files.
del c:\windows\1.com
del c:\windows\services.exe
del c:\windows\explorer.com
del c:\windows\finder.com
del c:\windows\exeroute.exe

del c:\windows\debug\debugprogram.exe

del c:\windows\system32\regedit.com
del c:\windows\system32\dxdiag.com
del c:\windows\system32\msconfig.com
del c:\windows\system32\command.pif
del c:\windows\system32\finder.com
del c:\windows\system32\rundll32.com
del c:\windows\system32\i.com

del c:\progra~1\common~1\iw.e.pif
del c:\progra~1\intern~1\iexplore.com

del d:\pagefile.pif

echo ===============================================================
echo End...
echo ===============================================================

[/Code]


After the restart, an error occurred with the .exe file association. Run assoc .exe=exefile in Safe Mode with Command Prompt and restart.


Okay, you don't have to think about this guy anymore. Haha.


Note: This virus name is the one reported by Rising. Other anti-bot tools will not necessarily use the same name. I found the following points:

1. The Shell parameter "cmder.exe 1" is added to the startup item, with a "1" added. Normally, there is no 1.

2. A Trojan program exists in the Run and RunOnce key values, and the program file is located at c:\windows\services.exe.

3. It writes an autorun.inf file to drive D. The parameter of Open is pagefile.pif. This is a bad team. Opening a dashboard is also a bad team, but the services.exe process cannot be found in taskmgr.exe. I closed it with an ice blade and deleted it.


Nothing else has come up for the moment. I don't know what this guy is stealing. It seems like a horse in the legend of the world. It's not clear.

 

 

2. These days, the host has been very slow. I use the 2000 system. Looking at the processes, I found that Rising was always occupying the CPU, but I had no anti-virus solution. Now Rising cannot start on its own, and it cannot be started manually or upgraded. It seems that it is under control. I found a file on drive D, pagefile.pif. The shortcut is very unusual: it has an MS-DOS icon and autorun.inf points to this file, but it still exists after I delete it and restart. It cannot be deleted in safe mode. It still exists after startup, and the pagefile.pif source file cannot be found on the hard disk.


Let's take a look at my problem?


The solution introduces this area.

1. It modifies the registry startup key and adds the following entry (which can be found in MSCONFIG):

C:\windows\services.exe

After the virus file is run, it modifies the .exe file association (assoc .exe shows winfiles; normally it is exefile) and generates several fixed virus files that the association calls.

2. It generates the following files.

On drive D:

autorun.inf

[Autorun]

OPEN=D:\pagefile.pif (role: run the virus when drive D is opened)

In the C:\windows directory:

C:\windows\services.exe (runs as a system process and cannot be terminated manually)

C:\WINDOWS\ExERoute.exe (EXE)

C:\WINDOWS\1.com (executed when started)

C:\WINDOWS\finder.com

C:\WINDOWS\explorer.com

In addition, there are several COM files with the same size, 33,833:

C:\WINDOWS\system32\command.pif

C:\WINDOWS\system32\rundll32.com

C:\WINDOWS\system32\finder.com

C:\WINDOWS\system32\MSCONFIG.COM

C:\WINDOWS\system32\dxdiag.com

C:\WINDOWS\system32\regedit.com

C:\WINDOWS\Debug\DebugProgram.exe (called for program error debugging)

In other directories:

C:\Program Files\Internet Explorer\iexplore.com (associated with running IE from the Start Menu and with opening htm files)

C:\Program Files\Common Files\Explorer. (called when you open a partition or refresh the desktop)

Manual removal:

1. Delete all related files from DOS. Because the files have the R, H and S attributes set, you must first change the attributes:

attrib -r -h -s *.com

Do this and delete the files in each directory, one by one.

2. Restore the EXE file association:

assoc .exe=exefile

3. Be sure to delete every file. If one remains, it may be executed and re-infect the system. If you cannot enter DOS, you can use software to help delete the files.


1. Run cmd.exe

cd \windows\system32

copy cmd.exe cmd.com

If cmd.exe cannot be run, you can rename it directly to cmd.com in the folder.


2. Use Trojan Horse to scan and kill a Trojan Horse. rar http://down.fzii.com/security tool /trojan horse. rar

All Trojans are scanned and killed. Do not execute any files.


3. Start -> Run -> enter pai.com (or click "Browse", select "c:\windows\system32", and find "pai.com". If it has not been changed to "com", you must change it before running it, because the virus has changed the association. If you do not see the suffix, go to Folder Options and turn off the option that hides extensions for known file types.)

4. In the DOS window, enter assoc .exe=exefile to restore the EXE file association.


5. Open msconfig.exe and remove services from startup. If the system is still infected, some files have not been cleared. I manually cleared them in DOS, and deleted them by checking for files with a size of 33833.

In addition, I would like to add my solution. With KV2005, we can delete the above virus and manually clear the startup options. After the virus is removed, there will be after-effects. First, the IE on the desktop cannot be used; you can re-specify the Internet Explorer location. Second, drive D cannot be opened. Right-click the drive and select Open, and there is an autorun.ini in it, which may be hidden (My Computer -- Tools -- Folder Options -- show all files and do not hide system files). If you see it, you can delete it.
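The size-based search used above (files of at most 50 KB with the same size, such as the 33,833-byte copies) can be automated. This is an added example, not code from the original posts; the function name, the minimum of three copies and the SHA-256 comparison are assumptions that go beyond the plain size match described on the page.

```python
import hashlib
import os
import sys
from collections import defaultdict

# Extensions of the dropped copies listed on this page.
DROPPER_EXTS = {".com", ".pif", ".exe"}


def _sha256(path):
    try:
        with open(path, "rb") as handle:
            return hashlib.sha256(handle.read()).hexdigest()
    except OSError:
        return None  # unreadable file: cannot confirm it is a copy


def same_size_clusters(roots, max_bytes=50 * 1024, min_copies=3):
    """Group small .com/.pif/.exe files by exact size; report large groups."""
    by_size = defaultdict(list)
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                if os.path.splitext(name)[1].lower() not in DROPPER_EXTS:
                    continue
                path = os.path.join(dirpath, name)
                try:
                    size = os.path.getsize(path)
                except OSError:
                    continue  # locked or vanished file; skip it
                if 0 < size <= max_bytes:
                    by_size[size].append(path)
    clusters = []
    for size, paths in sorted(by_size.items()):
        if len(paths) >= min_copies:
            # Beyond the size match: one shared hash confirms true copies.
            digests = {_sha256(p) for p in paths}
            identical = len(digests) == 1 and None not in digests
            clusters.append(
                {"size": size, "paths": sorted(paths), "identical": identical}
            )
    return clusters


if __name__ == "__main__":
    # Pass the drive roots to scan as arguments; defaults to the current folder.
    for cluster in same_size_clusters(sys.argv[1:] or ["."]):
        print(cluster["size"], "bytes, identical:", cluster["identical"])
        for path in cluster["paths"]:
            print("   ", path)
```

The script only lists candidates; a legitimate program can share a size with others, so review each reported path before deleting anything.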

 

