Solution to the anti-virus software failure 0xc00000ba caused by new Ghost.pif variants

Source: Internet
Author: User
Tags kaspersky antivirus

Some netizens asked for a solution to the 0xc00000ba error, and a solution was found on the internet. I don't know whether it can solve the problem.

This problem is caused by a USB flash drive virus called Ghost.pif.

The latest variant of the virus, however, queries some values under the following registry keys to obtain the installation directory of the relevant security software, and creates a folder named after the system file "ws2_32.dll" under that installation directory. This causes the related security software to fail to run.


Code:
Software\rising\RAV
Software\Kingsoft\Antivirus
Software\Jiangmin
Software\kasperskylab\installedproducts\Kaspersky Anti-Virus personal
Software\kasperskylab\setupfolders
Software\Network Associates\TVD\shared Components\framework
Software\ESET\nod\CurrentVersion\info
Software\symantec\sharedusage
SOFTWARE\Microsoft\Windows\CurrentVersion\app paths\360safe.exe

These security programs load ws2_32.dll when they run. The correct location of ws2_32.dll is under system32, but software usually looks for a DLL in its own folder first. The virus therefore creates a forged ws2_32.dll in the folders of these programs, so that each program loads the forged ws2_32.dll during startup, causing startup failure!

The solution is as follows:

1. Boot into Safe Mode (press F8 after the computer starts, then select the first Safe Mode option from the advanced menu to enter the system)
Run SREng

In the startup items (registry) list, delete the following item
<{0cb68ad9-ff66-3e63-636b-b693e62f6236}><c:\Program Files\Internet Explorer\romdrivers.dll> [Microsoft Corporation]

Double-click My Computer, then open Tools, Folder Options, View. Select "Show hidden files and folders" and clear the check mark in front of "Hide protected operating system files (Recommended)". When you are prompted to confirm the change, click "Yes" and then confirm.

Right-click drive C and choose Open from the menu.
Delete


Code:
C:\Program Files\Internet Explorer\romdrivers.bak
C:\Program Files\Internet Explorer\romdrivers.bkk
C:\Program Files\Internet Explorer\romdrivers.dll

2. Clear C:\DOCUME~1\USERNAME\LOCALS~1\Temp

3. Right-click each of the other partitions and choose "Open" from the shortcut menu, then delete autorun.inf and ghost.pif.

Run SREng

In the startup items (registry) list, delete the following items
Code:
[]
[]
[]
[]
[]
[]
[]
[]
[]
[]
[]
[]
[] (which one to delete)

4. Delete the folder named ws2_32.dll under the folders of the anti-virus software: Kingsoft Antivirus, Kaspersky Anti-Virus, and 360 Security Guard.
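
An added example (not part of the original article): a Python check for the condition that step 4 removes, a folder named ws2_32.dll inside a security product's installation directory. NTSTATUS 0xC00000BA is STATUS_FILE_IS_A_DIRECTORY, which is what the loader reports when the name it opens as a DLL turns out to be a folder. The installation directories are supplied by the caller, the sample tree and product names are constructed, and the recursive search goes beyond the article, which only mentions the installation directory itself.

```python
import os
import tempfile

# Assumption: ws2_32.dll is the only decoy name, as reported in the article.
DECOY_NAMES = {"ws2_32.dll"}


def find_decoy_dirs(install_dirs, names=DECOY_NAMES):
    """Return sorted paths of directories that carry a system DLL's name.

    A regular file with that name is not flagged: only a directory standing
    where the loader expects a DLL matches the article's description.
    """
    wanted = {n.lower() for n in names}  # Windows names are case-insensitive
    hits = []
    for root in install_dirs:
        if not os.path.isdir(root):
            continue  # product not installed, nothing to check
        for parent, dirs, _files in os.walk(root, followlinks=False):
            for d in list(dirs):
                if d.lower() in wanted:
                    hits.append(os.path.join(parent, d))
                    dirs.remove(d)  # do not descend into the decoy
    return sorted(hits)


def build_sample(base):
    """Constructed sample tree: one tampered product, one clean product."""
    tampered = os.path.join(base, "ProductA")
    clean = os.path.join(base, "ProductB")
    os.makedirs(os.path.join(tampered, "WS2_32.DLL"))  # decoy folder
    os.makedirs(os.path.join(clean, "plugins"))
    with open(os.path.join(clean, "ws2_32.dll"), "wb") as f:
        f.write(b"MZ")  # a file, not a folder: must not be flagged
    return [tampered, clean, os.path.join(base, "NotInstalled")]


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        for path in find_decoy_dirs(build_sample(base)):
            print("decoy folder:", path)
```

On a real system, pass the installation directories of the installed security products instead of the constructed sample.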
