IM viruses have a long history, just as systems always have vulnerabilities and software always has bugs.
As instant messaging tools have grown stronger, Trojan viruses have also picked up their pace, and MSN has long been a platform for reaching other people's computers. Within a circle of friends, once an MSN friend's account is stolen or a user's computer is infected, the virus reaches out and sends virus messages during the user's MSN chats.
Virus analysis
The virus is a variant of the MSN worm. The infected computer automatically sends a tempting text message and a compressed file to MSN contacts. When the other party receives the compressed file and opens the virus file inside it, that system becomes a new victim and in turn tries to infect other computers. The virus is 434,176 bytes in size and spreads through the MSN chat tool.
In the infected computer, the virus first executes the file in the system directory, and in the registry branch
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
it creates a "chcp.exe" = "%Windows%\chcp.exe" autostart entry. The virus then modifies the registry branch
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
setting the values "SFCDisable" = dword:ffffff9d and "SFCScan" = dword:00000000 to disable and change System File Protection. Under the branch
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control
it sets "WaitToKillServiceTimeout" to "7000", to change the waiting time before a process is automatically ended.
The hacker tricks the user into opening it.
Clearing method
Users who are infected with the virus need not be nervous. Once you understand how it survives, clearing it is not difficult. You only need to perform the following steps to clear the virus and make MSN run normally on the system.
1. First, go to the registry branch
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
2. Go to the "Windows" directory and delete the virus files chcp.exe and f0538_jpg.zip.
Deleted, and changed backup.ftp and backup.tftp under the %System%\microsoft directory back to the directory %System%.
4. Delete the "SFCDisable" = dword:00000000 key value under the registry branch [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] to restore System File Protection.
5. Finally, change "WaitToKillServiceTimeout" = "20000" under the [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control] branch of the registry to restore the default wait time before a process is automatically ended.
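To check a machine for the registry changes listed in the analysis, or to confirm they are gone after cleanup, the following added example (not from the original article) scans a regedit text export for those three values. The sample export, including its C:\WINDOWS path, is constructed for illustration, and the function names are this example's own.

```python
import re

# Indicators from the analysis above: (registry key, value name, data; None = any data).
INDICATORS = [
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "chcp.exe", None),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "SFCDisable", "dword:ffffff9d"),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control", "WaitToKillServiceTimeout", "7000"),
]
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

def parse_reg(text):
    """Parse .reg export text into {key_lowercase: {value_name_lowercase: data}}."""
    hive, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = hive.setdefault(line[1:-1].lower(), {})
        elif key is not None and (m := VALUE_RE.match(line)):
            name, data = m.groups()
            if data.startswith('"') and data.endswith('"'):
                data = re.sub(r"\\(.)", r"\1", data[1:-1])  # REG_SZ: unquote, unescape
            key[name.lower()] = data
    return hive

def find_indicators(text):
    """Return (key, value name, data) for every indicator present in the export."""
    hive = parse_reg(text)
    hits = []
    for key, name, expected in INDICATORS:
        data = hive.get(key.lower(), {}).get(name.lower())
        if data is not None and (expected is None or data.lower() == expected):
            hits.append((key, name, data))
    return hits

# Constructed sample export of an infected machine (not real data).
SAMPLE_INFECTED = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"chcp.exe"="C:\\WINDOWS\\chcp.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"SFCDisable"=dword:ffffff9d
"SFCScan"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control]
"WaitToKillServiceTimeout"="7000"
'''

if __name__ == "__main__":
    for key, name, data in find_indicators(SAMPLE_INFECTED):
        print(f"{key}\\{name} = {data}")
```

An empty result after cleanup means none of the three registry indicators remain; the files named in the cleanup steps still have to be checked separately.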
According to the author, the MSN virus has many variants, such as MSN robot, MSN clown, and MSN sexy album. The principle is the same: the virus uses MSN as a platform and sends virus messages while the user chats with friends; users are tricked into clicking because the message appears to come from an MSN friend, and the virus then spreads again, forming a powerful channel of transmission. To better deal with such viruses, we recommend strengthening your computer's protection in advance, for example by enabling the soft fix, upgrading the database, installing security software, occasionally installing system patches, and learning about the daily virus status so that you can take preventive measures immediately. Once a user is infected, respond immediately and either delete the virus manually or download the corresponding dedicated removal tool, to prevent more users from becoming victims.