Rising experts teach manual processing U disk Camouflage folder virus

At present, U disk has become one of the main ways to spread the virus. Users often see a U disk virus phenomenon, u disk in a 421KB uniform size of the. exe suffix camouflage folder, the virus double-click can be opened, can also be deleted, but delete and then refresh the removable disk when the virus file appears again. Because it is the same as the original folder name, it is also known as the Disguise folder virus.

Rising security expert Tangwei said, from the virus folder deleted and immediately created after the phenomenon is not difficult to see, the system is loaded with virus files, the virus file constantly to the U disk write file and named "folder name. exe" virus. When you show hidden files through folder options, the original hard disk files are visible, but you cannot right-click the folder's properties.

Figure 1 Folder Options Computer knowledge

Tangwei pointed out that the use of anti-virus aids to the system of suspicious processes in the investigation and removal is the end of this "culprit" the most convenient means.

This manual processing virus by the tool is XUETR, currently supports 32-bit Windows 2000, XP, 2003, Vista, 2008 and Win7 and other operating systems, is a free anti-virus aids, it can view process modules, registry keys, system startup items, etc. And through a series of screening work to finally detect the virus file and kill it, the function is very powerful, and easy to operate friendly, manual anti-virus is very good one of the auxiliary tools. The specific steps are as follows:

1, find and end the obvious exception process in the system Winweb.exe, right click on it, and select the "End process and delete files" operation.

Figure 2 Ending the process and deleting the file

2, using the Xuetr tool to forcibly delete the U disk two virus files "my photos. exe" and "Office document. exe", note that check "Prevent file regeneration after deletion."

Figure 3 Preventing file regeneration after deletion

3, in order to check whether the virus file will be regenerated, with the Xuetr tool to refresh the mobile disk operation, it will be found that two of virus files appear again, the analysis system and the remnants of the virus files are still loading, and constantly to the U disk to create a suffix to the folder. In order to completely clear the virus file, and then go back to the process to check each system under the current loading of all files, found Explorer.exe under the suspicious module Iconhandle.dll, and no digital signature.

Figure 4 finds a suspicious module hanging under Explorer.exe iconhandle.dll