Manually scan and kill the virus and completely restore the EXE program.

After being infected with Viking, the EXE can be restored. I have tried many mainstream anti-virus software in China since I was poisoned. No virus exists. On the Internet, we can see that many people suggest completely formatting the system disk and deleting all the EXE files... This is too scary and can cause a huge loss!

I. First talk about the process of poisoning:

(The system is XP + SP2)

One day before the day, visit a WWW. acess ***.. Net website, the page suddenly becomes slow. I thought it was caused by advertising, and I didn't care too much. then an error message is displayed, indicating that an application is 16 bits and cannot run normally. this file is located in the Temporary Folder where the current user is located (my system is optimized to point the user's Temporary Folder and the temporary folder of the system to another old hard disk, and specify the drive letter as Z :), which is obviously problematic!

(To prevent unauthorized access to the virus website, I changed the following number)

 

2. Take measures:

Immediately disconnect the network, unplug all USB flash drives and mobile hard drives. to Z: disk user_temp, check that there are a few more files starting with win **. EXE.

 

Iii. Diagnosis

1. Check C: The _ desktop. ini file appears under the root directory of the disk (drive C is the system disk). It contains the time format: 2007/3/31.

2. richdll.dlland login_1.exe are displayed in C:/Windows /.

3. The uninstall directory appears in C:/Windows/, which is a rundll32.dll

4、you can see login_1.exe in the system Process

5. Some new files at the same time also appear in C:/Windows/system32

4. Other Phenomena

1. Enter the IE temporary file directory, view the cookie, and find that the cookiegeneration time with acess *** is the same as the richdll.dlland login_1.exe file time! This is the source of the virus.

2. Norton only detects programs such as thieves and cannot detect and kill thieves.

3. the icons of all EXE files have changed to the blue boxes of normal EXE files.

V. Anti-Virus

1. restart the system and enter the security mode.

2. Delete Virus files
These two are the most important
C:/Windows/richdll.dlland login_1.exe
C:/Windows/the uninstall directory appears, which is a rundll32.dll

C:/_ desktop. ini
C:/Windows/system32/EXE file with the same time as login_1.exe

And so on.

Delete registry information:

KEY_LOCAL_MACHINE/software/Microsoft/Windows/CurrentVersion/run/load
KEY_LOCAL_MACHINE/software/Microsoft/Windows/CurrentVersion/policies/Explorer/run/wnipzisrv
KEY_LOCAL_MACHINE/software/Microsoft/Windows/CurrentVersion/policies/Explorer/run/twin

Vi. Immunization

1. Create a New rundll32.dll in the C:/Windows/uninstall directory.
The method is as follows: Create a text file and change it to rundll32.dll.
Then, add the read-only attribute of the file.

2. C:/Windows/create richdll.dllw.login_1.exeand logo=.exe
The method is the same as above. Then, add the read-only attribute of the file.

The length of the newly created file is 0.

Restart the machine. The firewall reports that some programs want to access the network. All prohibited. This is caused by some Trojan viruses carried by Weijin.

Even though the Weijin virus is no longer active, the affiliated viruses are still there.

VII. Restore the use of the EXE program

You need to pay attention to the following two points:
A. Directory of the EXE program to be restored
B. System Process

Recovery steps:

1. Go to the directory where the EXE is to be restored

2. View System Processes
There is no name of the EXE file to be restored or the CMD process in the process.

In this example, together.exe (all other EXE files have been restored, and it takes some time to make sure this method is easy to use, so we can share it with you)
The mouse flashed and nothing appeared.
At this time, we will find that there is another together.exe in the system process (Note: it is a system process, not an Application List)

4、double-click the together.exe File

Note: The current file directory shows a together.exe.exe, and the file icon is normal.
In addition, the process of cmd.exe is added to the system process. In addition, a bat file starting with $ is displayed in the user's temporary directory. This file should not be moved and is useful!

5 worker together.exe Process
Together.exe.exeis changed to together.exe. The original file is deleted. In the system process, together.exeand cmd.exe disappear.
Only some temp files are left in the temporary folder, and the original $ *. BAT file disappears.

At this time, the EXE file has been restored!

This method has been tried on the already installed EXE file. I have not tried the uninstalled EXE file and do not know if it can be used!

8. You also need to use other anti-virus software to kill Trojans and other viruses.

 

This article is only personal experience, please be careful when using it. You are solely responsible for unexpected consequences!

We strongly condemn those who use technical information to lure developers into the virus Website !!!