This kind of virus runs as an ordinary process, which makes it comparatively easy to find. Below are the places to start looking for it.
1. The Registry
If you see an unfamiliar process or the computer behaves abnormally, check the following registry locations, find the entry that loads the program, and delete it:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Startup = "C:\Windows\Start Menu\Programs\Startup"
The last entry is not a Run key: it tells Explorer which folder is the Startup folder. Check both that the path has not been redirected somewhere else and what that folder contains.
2. The Win.ini file
In Win.ini, the run= and load= lines under [windows] are a way a Trojan can be loaded, and they must be watched carefully. Normally there is nothing after the equals sign; if you find a path and filename there that is not one of your own startup programs, the computer may well have a Trojan. Look closely, though, because many Trojans disguise themselves as system files: the "AOL Trojan", for example, names itself command.exe, and if you are not paying attention you may not notice that this is not a real system file. You may ask why your XP system looks different. A normal Win.ini from an XP system is shown below so you can compare it and spot anything suspicious. (On Windows 2000/XP these two values are mirrored from the registry, under HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows, values load and run, so check there as well.)
; For 16-bit app support
[Fonts]
[extensions]
[mci extensions]
[Files]
[Mail]
Mapi=1
Cmcdllname32=mapi32.dll
Cmcdllname=mapi.dll
cmc=1
mapix=1
mapixver=1.0.0.1
olemessaging=1
[MCI Extensions.bak]
Aif=mpegvideo
Aifc=mpegvideo
Aiff=mpegvideo
Asf=mpegvideo2
Asx=mpegvideo2
Au=mpegvideo
M1v=mpegvideo
M3u=mpegvideo2
Mp2=mpegvideo
Mp2v=mpegvideo
Mp3=mpegvideo2
Mpa=mpegvideo
Mpe=mpegvideo
Mpeg=mpegvideo
Mpg=mpegvideo
Mpv2=mpegvideo
Snd=mpegvideo
Wax=mpegvideo2
Wm=mpegvideo2
Wma=mpegvideo2
Wmv=mpegvideo2
Wmx=mpegvideo2
Wvx=mpegvideo2
Wpl=mpegvideo
3. The System.ini file
In System.ini, under [boot], there is a line shell=<filename>. The filename should be Explorer.exe. If it is something else, or if it reads shell=Explorer.exe <program name>, the program that follows is the Trojan, and your computer is infected. Again you may ask why an XP system looks different, so a normal XP System.ini is shown below for comparison. Note that it has no [boot] section at all; on Windows 2000/XP the shell is selected by the Shell value under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon, so check that value too.
; For 16-bit app support
[Drivers]
Wave=mmdrv.dll
Timer=timer.drv
[MCI]
[Driver32]
[386enh]
woafont=app936.FON
EGA80WOA.FON=EGA80WOA.FON
EGA40WOA.FON=EGA40WOA.FON
CGA80WOA.FON=CGA80WOA.FON
CGA40WOA.FON=CGA40WOA.FON
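The checks in sections 1 to 3 can be scripted. The Python below is an added example for this page, not code from the original article: it parses `reg query` output for the Run keys listed above together with the win.ini and system.ini directives, and flags the patterns the text describes (a non-empty run= or load=, a shell= that is not Explorer.exe or that carries an extra program, a system process name outside System32, a lookalike such as command.exe, and a program started from a temp folder or by a bare relative name). The registry listing and the two .ini fragments are constructed; every file name in them is invented, C:\WINDOWS is assumed as %SystemRoot%, and the trusted-folder list and the finding codes are the example's own choices.

```python
"""Triage the legacy autostart points from sections 1 to 3: Run/RunOnce registry values
(parsed from `reg query` output), win.ini run=/load= and system.ini [boot] shell=.

Added example for this page, not code from the original article. The `reg query` listing
and the .ini fragments are constructed samples with invented file names; C:\\WINDOWS is
assumed to be %SystemRoot%.
"""
import ntpath
import re

SYSTEM_ROOT = "C:\\WINDOWS"                                   # assumption
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\")       # where legitimate autostarts live
EXE_EXT = (".exe", ".com", ".bat", ".cmd", ".pif", ".scr", ".vbs")
# Core system binaries and the only folder each belongs in; the same name elsewhere is a disguise.
SYSTEM_BINARIES = {n: "c:\\windows\\system32\\" for n in ("smss.exe", "csrss.exe", "winlogon.exe",
                   "services.exe", "lsass.exe", "svchost.exe", "spoolsv.exe")}
SYSTEM_BINARIES["explorer.exe"] = "c:\\windows\\"
LOOKALIKES = {"command.exe"}      # imitates command.com / cmd.exe but does not exist on a clean system
REG_LINE = re.compile(r"^\s+(?P<name>\S.*?)\s+(?P<type>REG_[A-Z_]+)\s+(?P<data>.*)$")

def image_path(cmdline):
    """Return the program a Run value or .ini directive actually launches."""
    cmd = re.sub(r"%(systemroot|windir)%", lambda m: SYSTEM_ROOT, cmdline.strip(), flags=re.I)
    if cmd.startswith('"'):                       # quoted path, arguments follow the closing quote
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    tokens = cmd.split()
    for i, tok in enumerate(tokens):              # unquoted path with spaces: join tokens up to the .exe
        if tok.lower().endswith(EXE_EXT):
            return " ".join(tokens[:i + 1])
    return tokens[0] if tokens else ""

def review_autostart(cmdline):
    """Finding codes for one autostart command line; an empty list means it looks normal."""
    low = image_path(cmdline).lower()
    if not low:
        return []
    name, findings = ntpath.basename(low), []
    if not re.match(r"^[a-z]:\\", low) and not low.startswith("\\\\"):
        findings.append("relative-path")          # resolved through PATH, easy to hijack
    else:
        if not low.startswith(TRUSTED_DIRS):
            findings.append("outside-trusted-dirs")
        if "\\temp\\" in low or "\\tmp\\" in low:
            findings.append("temp-dir")
        if name in SYSTEM_BINARIES and ntpath.dirname(low) + "\\" != SYSTEM_BINARIES[name]:
            findings.append("system-name-wrong-dir")
    if name in LOOKALIKES:
        findings.append("lookalike-name")
    return findings

def parse_reg_query(text):
    """Parse `reg query <key>` output into (value name, type, data) tuples."""
    return [(m["name"], m["type"], m["data"].strip()) for m in map(REG_LINE.match, text.splitlines()) if m]

def parse_ini(text):
    """Minimal .ini reader: {section: {key: value}}, section and key names lowercased."""
    sections, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].lower(), {})
        elif "=" in line and current is not None and not line.startswith(";"):
            key, _, value = line.partition("=")
            current[key.strip().lower()] = value.strip()
    return sections

def review_ini(filename, text):
    """Apply the win.ini / system.ini rules from the text; returns {"directive=program": findings}."""
    ini, results = parse_ini(text), {}
    if filename.lower() == "win.ini":             # run= and load= are normally empty
        for key in ("run", "load"):
            for prog in filter(None, re.split(r"[,\s]+", ini.get("windows", {}).get(key, ""))):
                results[f"{key}={prog}"] = ["nonempty-directive"] + review_autostart(prog)
    elif filename.lower() == "system.ini":
        tokens = ini.get("boot", {}).get("shell", "").split()
        if tokens:
            first = tokens[0]
            findings = review_autostart(first) if ntpath.dirname(first) else []
            if ntpath.basename(first.lower()) != "explorer.exe":
                findings.insert(0, "shell-replaced")
            if findings:
                results[f"shell={first}"] = findings
            for extra in tokens[1:]:              # the "shell=Explorer.exe <program>" pattern
                results[f"shell={extra}"] = ["shell-extra-program"] + review_autostart(extra)
    return results

# ---- constructed samples (not real output from any machine) ----
REG_QUERY_SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Example Tray    REG_SZ    "C:\Program Files\Example Tool\tray.exe" /quiet
    svchost    REG_SZ    C:\WINDOWS\Temp\svchost.exe -s
    UpdateSvc    REG_SZ    update.exe
"""
WIN_INI_SAMPLE = "[windows]\nload=\nrun=C:\\WINDOWS\\command.exe\n[fonts]\n"
SYSTEM_INI_SAMPLE = "; for 16-bit app support\n[boot]\nshell=Explorer.exe C:\\WINDOWS\\system32\\drivers\\srv32.exe\n"

def review_everything():
    """Run every check over the samples; returns {source: {entry: findings}}, suspicious entries only."""
    registry = {name: review_autostart(data) for name, _, data in parse_reg_query(REG_QUERY_SAMPLE)}
    return {"registry": {k: v for k, v in registry.items() if v},
            "win.ini": review_ini("win.ini", WIN_INI_SAMPLE),
            "system.ini": review_ini("system.ini", SYSTEM_INI_SAMPLE)}

if __name__ == "__main__":
    print(review_everything())
```

To use it on a real machine, run `reg query <key>` for each key in section 1 and pass the output to parse_reg_query, and pass the contents of Win.ini and System.ini to review_ini. A finding is a lead to verify by hand, not a verdict: legitimate software occasionally starts from unusual folders, and a clean entry here does not prove the program is benign.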
4. Config.sys
This loading method is relatively rare, but it does happen. If none of the methods above turns anything up, look here; you may find something.
5. Autoexec.bat
This loading method is also rare; treat it the same way as Config.sys.
Methods 4 and 5 presuppose that you are already sure the computer is infected and that the places above came up empty, so check them last. (On Windows 2000/XP the corresponding files for 16-bit programs are Config.nt and Autoexec.nt in the System32 folder.)
Summary: this kind of virus is relatively easy to expose. The best way to delete it by hand is to boot into Safe Mode, because Safe Mode runs only the processes Windows itself requires, so an EXE virus stands out. The processes that belong in Windows Safe Mode are listed below:
Smss.exe: Session Manager
Csrss.exe: Client/Server Runtime Subsystem
Winlogon.exe: Windows logon; handles interactive user logon
Services.exe: Service Control Manager; hosts many system services
Lsass.exe: Local Security Authority Subsystem; enforces local security policy and authentication. On XP it also hosts the IPSec services (ISAKMP/Oakley, IKE) and Netlogon, and on a domain controller the Kerberos KDC, which generates session keys and grants service tickets for client/server authentication.
Svchost.exe: generic host process for services implemented as DLLs (for example EventSystem); several instances are normal
Spoolsv.exe: print spooler; loads print jobs into memory so they can be printed later
Explorer.exe: the Windows shell (Windows Explorer). On Windows 9x/2000 the input-locale indicator in the tray area is Internat.exe.
System: kernel and driver threads
System Idle Process: cannot be ended from Task Manager; it runs one thread per processor and is charged with the processor time during which no other thread is runnable
Taskmgr.exe: Task Manager itself, present only while you have it open
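The Safe Mode table above is a baseline, and comparing a process listing against it can also be scripted. The Python below is an added example for this page, not the article's own code: it reads a CSV process list (constructed here, using the column names of WMI's Win32_Process; a real one can be exported with `wmic process get Name,ProcessId,ExecutablePath /format:csv`, which adds a leading Node column that the reader ignores), normalizes the native path forms WMI reports for the early-boot processes, and flags processes that are not in the table, that carry a system name but run from the wrong folder, that appear twice although XP runs exactly one of them, or whose name imitates a system process by a digit swap, a transposition or a one-letter change. The two bad entries (svch0st.exe and a second lsass.exe in a Temp folder), all PIDs, and the C:\WINDOWS system root are invented for the example.

```python
"""Compare a process listing taken in Safe Mode with the baseline table above and
report everything that does not belong.

Added example for this page, not code from the original article. PROCESS_LISTING is a
constructed CSV using the Win32_Process column names Name, ProcessId and ExecutablePath;
the PIDs and the two bogus entries are invented, and C:\\WINDOWS is assumed to be
%SystemRoot%.
"""
import csv
import io
import ntpath
from collections import Counter

# Safe Mode baseline from the table above: (folder the image must live in, exactly one instance?).
# An empty folder marks the two kernel pseudo-processes, which have no image file.
BASELINE = {
    "system idle process": ("", True),
    "system": ("", True),
    "smss.exe": ("c:\\windows\\system32\\", True),
    "csrss.exe": ("c:\\windows\\system32\\", True),
    "winlogon.exe": ("c:\\windows\\system32\\", True),
    "services.exe": ("c:\\windows\\system32\\", True),
    "lsass.exe": ("c:\\windows\\system32\\", True),
    "svchost.exe": ("c:\\windows\\system32\\", False),   # several instances are normal
    "spoolsv.exe": ("c:\\windows\\system32\\", True),
    "explorer.exe": ("c:\\windows\\", True),
    "taskmgr.exe": ("c:\\windows\\system32\\", True),
}
DIGIT_SWAPS = str.maketrans("0135", "oles")              # svch0st -> svchost, 1sass -> lsass

def normalize_path(path):
    """Map NT-native forms WMI may report (\\??\\C:\\..., \\SystemRoot\\...) to lowercase Win32 paths."""
    p = path.strip().lower()
    if p.startswith("\\??\\"):
        p = p[4:]
    if p.startswith("\\systemroot\\"):
        p = "c:\\windows\\" + p[len("\\systemroot\\"):]     # assumes C:\WINDOWS
    return p

def edit_distance(a, b):
    """Levenshtein distance; the names are short, so the plain O(len(a)*len(b)) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(name):
    """Return the baseline name this one imitates (digit swap, letter transposition or one typo), else None."""
    n = name.lower()
    for real in BASELINE:
        if real.endswith(".exe") and n != real and (
                n.translate(DIGIT_SWAPS) == real or sorted(n) == sorted(real) or edit_distance(n, real) <= 1):
            return real
    return None

def review_processes(csv_text):
    """Return {(name, pid): findings} for every process that deviates from the Safe Mode baseline."""
    rows = list(csv.DictReader(io.StringIO(csv_text.strip())))
    counts = Counter(r["Name"].lower() for r in rows)
    report = {}
    for r in rows:
        name, pid, path = r["Name"].lower(), int(r["ProcessId"]), normalize_path(r["ExecutablePath"])
        findings = []
        if name in BASELINE:
            folder, singleton = BASELINE[name]
            if folder and ntpath.dirname(path) + "\\" != folder:
                findings.append("wrong-directory")           # right name, wrong place: the classic disguise
            if singleton and counts[name] > 1:
                findings.append("duplicate-singleton")       # two lsass.exe is never normal on XP
        else:
            findings.append("not-in-baseline")
            real = lookalike_of(name)
            if real:
                findings.append("lookalike:" + real)
        if findings:
            report[(name, pid)] = findings
    return report

# Constructed sample in the layout of `wmic process get Name,ProcessId,ExecutablePath /format:csv`
# without the Node column; all PIDs and the two bogus rows are invented.
PROCESS_LISTING = r"""
Name,ProcessId,ExecutablePath
System Idle Process,0,
System,4,
smss.exe,540,\SystemRoot\System32\smss.exe
csrss.exe,604,\??\C:\WINDOWS\system32\csrss.exe
winlogon.exe,628,\??\C:\WINDOWS\system32\winlogon.exe
services.exe,672,C:\WINDOWS\system32\services.exe
lsass.exe,684,C:\WINDOWS\system32\lsass.exe
svchost.exe,848,C:\WINDOWS\system32\svchost.exe
svchost.exe,936,C:\WINDOWS\System32\svchost.exe
explorer.exe,1480,C:\WINDOWS\Explorer.EXE
svch0st.exe,1612,C:\WINDOWS\system32\svch0st.exe
lsass.exe,1700,C:\Documents and Settings\user\Local Settings\Temp\lsass.exe
taskmgr.exe,1788,C:\WINDOWS\system32\taskmgr.exe
"""

if __name__ == "__main__":
    for (name, pid), findings in review_processes(PROCESS_LISTING).items():
        print(f"{name:24} {pid:6} {', '.join(findings)}")
```

Note that the genuine lsass.exe is reported too, because the duplicate check cannot know which of the two is real; the wrong-directory finding on the other one is what settles it. The baseline is the one this article gives for XP Safe Mode, so other Windows versions need their own table before the output means anything.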