Reflection on virus detection and elimination Autorun storm

Worker script calls the process,
Hazard: it makes people look uncomfortable! There are no other dangers. It is estimated that the prank guy wrote it.
Then the Internet found a solution, the URL is as follows http://hi.baidu.com/robertcome/blog/item/0d0ab112a9c7e3cec3fd7831.htm
Post first
Virus Autorun. vbs detection and removal method

Q: Recently, there was a strange phenomenon on the machine. After "my computer" is opened, no matter which disk icon is double-clicked, the system will open a new window and report the antivirus software: the regedit.exe program tried to modify the xxx key value of the registry and has been blocked.
Then I opened the partitions on the hard disk and found that there were seven more files in the root directory: Autorun. bat Autorun. vbs Autorun. bin Autorun. INF autorun.txt Autorun. reg autorun.wshis a hidden hacker system that only reads logs and opens the task manager. Only one wscript.exe is running, and the machine speed is not slow.
The content of the autorun. inf file is as follows:
Autorun storm
[Autorun]
Open =
 
Shell/open = open (& O)
Shell/Open/commandcmdwscript.exe./Autorun. vbs
Shell/Open/default = 1
Shell/volume E = Resource Manager (& X)
Shell/cmde/commandpolicwscript.exe./Autorun. vbs
Registry Startup entry:

A: Step 1: Go to the Registration Table project and delete autorun.exe next to the Registration Table userinit.
Then stop the wscript process and stop the script call.
Delete all 7 files on each disk and system32.
Restart
This is an extended Trojan using Autorun. bat, Autorun. vbs, and autorun. Reg.
First, when you double-click the hard disk icon for the first time, Autorun will be loaded for the first time. BAT, and then the reg file will be called to add the autorun after the initial process userinit in the Registry to ensure that it can start automatically next time, and then Autorun. the bat file will enable wscript in Windows to run its Autorun. vbs to implement a loop chain, and files deleted will be restored.

Further reflection, I studied Autorun. reg file, found so simple, I have a preliminary understanding of the virus before the internet query, know its working mechanism, know that it must have modified the registry, however, I don't know where the registry was modified. Now I know, hey, in fact, many viruses are very simple and can be easily discovered. It is also very easy to solve manually, try again if you try not to access the Internet if possible,

The solution is attached, and the post is not easy to modify, so I will help him explain more specifically,
1. Open the registry and find [HKEY_LOCAL_MACHINE/software/Microsoft/Windows NT/CurrentVersion/Winlogon]
"Userinit" = "userinit.exe, Autorun. Bat", delete the Autorun. Bat key value,
2. Open the task manager and stop the process using wscript.exe"
3. modify directory properties to view hidden files. Do not use thumbnails,
4. Enter the address from the Resource Manager (this method is secure and the Autorun file is not activated) to go to the root directory and system32 directory of each drive, and delete all files named autorun,
5. restart the computer and bless!
PS: during the operation, do not double-click the root directory of the disk to activate the Autorun file,