Solution to the snow Virus

Source: Internet
Author: User

What good are virus outbreaks? Viruses are everywhere, so I stay busy.
Are they written by the anti-virus vendors themselves? Every machine with a virus on it is being used by someone.
Firewalls are expensive and useless, especially the domestic ones (do Chinese vendors really have no credibility?).

Here I especially want to call out Kingsoft AntiVirus (金山毒霸), which is junk; I suggest you do not use it.
It detects plenty of viruses but cannot do anything about them, so we have to delete them by hand, which is depressing.


The legitimate winlogon.exe runs under the user name "SYSTEM" and its image name is "winlogon.exe".
The Trojan's copy runs under the name of the currently logged-in user, and its image name is also winlogon.exe.
To view processes: press Ctrl+Alt+Del and open the Processes tab. Normally there is exactly one winlogon.exe, and its user name is "SYSTEM". If two winlogon.exe entries are shown, one of them in upper case and running as the current user, a Trojan is probably present. The case of the name is only a hint, since Windows file names are case-insensitive; the reliable signals are the owning account and, if you can see it with tasklist /V or Process Explorer, the image path: the genuine one lives in C:\Windows\system32, the Trojan's copy in C:\Windows.
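The process check above, as an added example that is not from the original article: a Python script that reads the CSV form of `tasklist /V /FO CSV` (a constructed sample is embedded, since it runs offline) and reports every winlogon.exe that is not owned by SYSTEM. The PIDs, host name and account in the sample are invented.

```python
"""Spot an impostor winlogon.exe in `tasklist /V /FO CSV` output.

Added example, not from the original article. The sample output below is
constructed by hand to mimic the situation the article describes; the column
layout follows `tasklist /V /FO CSV` on Windows XP/2003 (a header row, then
one quoted record per process).
"""
import csv
import io

# Constructed sample: one genuine winlogon.exe (SYSTEM) and one impostor
# running under the logged-in user, as the article's Task Manager screen showed.
SAMPLE_TASKLIST_CSV = '''"Image Name","PID","Session Name","Session#","Mem Usage","Status","User Name","CPU Time","Window Title"
"System Idle Process","0","Console","0","28 K","Running","NT AUTHORITY\\SYSTEM","1:02:33","N/A"
"winlogon.exe","612","Console","0","3,492 K","Running","NT AUTHORITY\\SYSTEM","0:00:01","N/A"
"explorer.exe","1384","Console","0","18,204 K","Running","PC-01\\user","0:00:12","N/A"
"WINLOGON.EXE","1720","Console","0","2,116 K","Running","PC-01\\user","0:00:03","N/A"
"rundll32.exe","1804","Console","0","4,040 K","Running","PC-01\\user","0:00:00","N/A"
'''

# Accounts under which the real winlogon.exe runs. Task Manager shows just
# "SYSTEM"; tasklist shows the full "NT AUTHORITY\SYSTEM".
SYSTEM_ACCOUNTS = {"system", "nt authority\\system"}


def parse_tasklist_csv(text):
    """Return a list of dicts, one per process row (csv handles the quoted '3,492 K')."""
    return list(csv.DictReader(io.StringIO(text)))


def find_winlogon_impostors(rows):
    """Return (pid, user) for every winlogon.exe that does not run as SYSTEM.

    The image name is compared case-insensitively on purpose: upper-case
    WINLOGON.EXE is how the article's copy showed up, but Windows file names
    are case-insensitive, so the owning account is the reliable signal.
    """
    suspects = []
    for row in rows:
        if row["Image Name"].lower() != "winlogon.exe":
            continue
        user = row["User Name"].strip().lower()
        if user not in SYSTEM_ACCOUNTS:
            suspects.append((int(row["PID"]), row["User Name"]))
    return suspects


def count_winlogon(rows):
    """Normally exactly one; more than one is itself a warning sign."""
    return sum(1 for row in rows if row["Image Name"].lower() == "winlogon.exe")


if __name__ == "__main__":
    rows = parse_tasklist_csv(SAMPLE_TASKLIST_CSV)
    print("winlogon.exe instances:", count_winlogon(rows))
    for pid, user in find_winlogon_impostors(rows):
        print(f"suspect winlogon.exe PID {pid} running as {user}")
```

On a live machine, feed it the output of `tasklist /V /FO CSV > tasks.csv` (tasklist ships with XP Professional and later; XP Home does not have it). The PID it reports is the one to pass to `taskkill /F /PID`, which does not apply Task Manager's "critical system process" name check.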

This Trojan is powerful enough to cripple the Trojan Star (木马克星) anti-Trojan tool so that it cannot run normally, and I have not found any other anti-virus software that deals with it.

C:\Windows\WINLOGON.EXE is indeed a virus, but it is only a small part of this infection. Open drive D and look for a pagefile.com and an autorun.inf that points to it; they are hidden, of course. Deleting just those two is useless, because the infection is tied into many other things, and it is hard to remove even in Safe Mode: as soon as you run any program, or double-click to open drive D, it reinstalls itself. Many people have had accounts stolen by this attack recently, and anti-virus software does not find it. Some people call this virus "snow"; it is a Trojan dedicated to stealing accounts for the online game World of Legend (传奇世界). Whether it also takes other accounts such as QQ or online banking is up to whoever runs it, and I would assume everything is logged together. If you want to reduce your losses, enable a firewall and block every program except the ones you trust. Better still, back up your data as soon as possible and then lock the machine down against the virus.

Solution to the "snow" virus
Symptom: drive D cannot be opened by double-clicking; it contains autorun.inf and pagefile.com.
This virus is too powerful to be removed in Safe Mode even as Administrator. After an afternoon of hard work I barely solved it. I did not use any Trojan scanner; I pulled the files out one by one and deleted them by hand. The associated files are listed below. Most of them carry the system and hidden attributes, so you must first enable "Show hidden files and folders" in Folder Options.
Drive D holds only two of them (these are what stop you from double-clicking to open it); drive C has many more:
D:\autorun.inf
D:\pagefile.com
C:\Program Files\Internet Explorer\iexplore.com
C:\Program Files\Common Files\iexplore.com
C:\WINDOWS\1.com
C:\WINDOWS\iexplore.com
C:\WINDOWS\finder.com
C:\WINDOWS\Exeroud.exe
C:\WINDOWS\Debug\***Programme.exe
C:\Windows\system32\command.com (do not delete this one lightly: a genuine command.com ships with Windows, so compare its date with the other files in this list and with the other system files; if it matches the system files it is genuine and must stay, since a genuine system file is certainly not dated in the period of the infection)
C:\Windows\system32\msconfig.com
C:\Windows\system32\regedit.com
C:\Windows\system32\dxdiag.com
C:\Windows\system32\rundll32.com
C:\Windows\system32\finder.com
C:\Windows\system32\a.exe
Also check the dates of these files, and look elsewhere for files with the same timestamp or other suspicious files ending in .com. The .com names are the point: .COM comes before .EXE in PATHEXT, so typing regedit, msconfig or command into Start > Run launches the Trojan's regedit.com from system32 instead of the real regedit.exe.
Running any program, rebooting, or double-clicking the drive brings the whole thing back.
There is one more file, the number one: WINLOGON.EXE! All of the work above is for the purpose of killing it:
C:\Windows\WINLOGON.EXE
In the process list you can see two of them, one real and one fake.
The real one is winlogon.exe in lower case (I am not sure whether it looks the same on your machine), and its user name is SYSTEM.
The fake one is WINLOGON.EXE in capitals, and its user name is your own user name.
This process cannot be ended from Task Manager, which refuses with the message that it is a critical system process; Task Manager makes that decision by image name, so the impostor gets the same protection as the genuine one, and it stays in your process list even in Safe Mode. (taskkill /F /PID <pid> from a command prompt does not apply that name check, and the fake process runs as your own account, so it can be ended that way.) That is all I know. If you are still not at ease, look at the modification date of one of the files and then use Search to find every file modified on that day; there will certainly be many, even in the System Restore folder. These files re-create each other: if you delete some of them and accidentally run one, or run msconfig, command or regedit from Start > Run, every one of them is put back.
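The two manual checks above, the .com file that shadows an admin tool of the same name and the group of files that share one modification time, as an added example that is not part of the original article. It works over a constructed directory listing rather than a live %WINDIR%; the set of admin-tool names, the example timestamps and the list of legitimate .com files are assumptions, and the article's command.com caveat is what keeps the genuine system32\command.com out of the result.

```python
"""Triage a directory listing for the 'snow' Trojan's drop pattern.

Added example, not from the original article. It implements the two manual
checks the article describes: a .com file carrying the name of a tool people
type into Start > Run (which wins over the .exe because .COM precedes .EXE in
PATHEXT), and a set of hidden files that share one modification time. The
listing below is constructed; real use would build it with os.scandir() over
%WINDIR% and %WINDIR%\\system32 and os.stat() for the mtime and attributes.
"""
from collections import defaultdict
from datetime import datetime
import ntpath

# Constructed listing: (path, modification time, has hidden+system attributes)
SAMPLE_LISTING = [
    ("C:\\WINDOWS\\regedit.exe",            datetime(2004, 8, 4, 12, 0),  False),
    ("C:\\WINDOWS\\explorer.exe",           datetime(2004, 8, 4, 12, 0),  False),
    ("C:\\WINDOWS\\1.com",                  datetime(2006, 3, 11, 21, 7), True),
    ("C:\\WINDOWS\\finder.com",             datetime(2006, 3, 11, 21, 7), True),
    ("C:\\WINDOWS\\WINLOGON.EXE",           datetime(2006, 3, 11, 21, 7), True),
    ("C:\\WINDOWS\\system32\\winlogon.exe", datetime(2004, 8, 4, 12, 0),  False),
    ("C:\\WINDOWS\\system32\\command.com",  datetime(2004, 8, 4, 12, 0),  False),
    ("C:\\WINDOWS\\system32\\regedit.com",  datetime(2006, 3, 11, 21, 7), True),
    ("C:\\WINDOWS\\system32\\msconfig.com", datetime(2006, 3, 11, 21, 7), True),
    ("C:\\WINDOWS\\system32\\rundll32.exe", datetime(2004, 8, 4, 12, 0),  False),
    ("C:\\WINDOWS\\system32\\rundll32.com", datetime(2006, 3, 11, 21, 7), True),
    ("C:\\WINDOWS\\system32\\a.exe",        datetime(2006, 3, 11, 21, 7), True),
]

# Names a user types into Start > Run (assumed list); a .com with one of these
# stems on the search path is launched instead of the real .exe.
ADMIN_TOOLS = {"regedit", "msconfig", "rundll32", "dxdiag", "command", "cmd", "taskmgr"}

# .com files that legitimately ship with Windows XP, so a name match alone is
# not proof; the article's advice is to compare the date instead.
LEGITIMATE_COM = {"C:\\WINDOWS\\system32\\command.com"}
_LEGITIMATE_COM_LOWER = {p.lower() for p in LEGITIMATE_COM}


def shadowing_com_files(listing):
    """Return .com paths whose stem names an admin tool, minus known-good ones."""
    hits = []
    for path, _mtime, _hidden in listing:
        stem, ext = ntpath.splitext(ntpath.basename(path))
        if ext.lower() == ".com" and stem.lower() in ADMIN_TOOLS:
            if path.lower() not in _LEGITIMATE_COM_LOWER:
                hits.append(path)
    return hits


def mtime_clusters(listing, min_size=3):
    """Group paths by identical mtime; return the clusters of at least min_size.

    This is the article's 'search for files modified on that day' heuristic,
    tightened to the exact timestamp, which a dropper that writes several
    files in one go tends to share.
    """
    groups = defaultdict(list)
    for path, mtime, _hidden in listing:
        groups[mtime].append(path)
    return {t: paths for t, paths in groups.items() if len(paths) >= min_size}


def suspicious_files(listing):
    """Shadowing .com files plus every hidden file in the same mtime cluster."""
    shadows = set(shadowing_com_files(listing))
    flagged = set(shadows)
    for _t, paths in mtime_clusters(listing).items():
        if shadows & set(paths):
            flagged.update(p for p, _m, hidden in listing if p in paths and hidden)
    return sorted(flagged)


if __name__ == "__main__":
    for path in suspicious_files(SAMPLE_LISTING):
        print("suspicious:", path)
```

The genuine command.com shares its date with regedit.exe and winlogon.exe, not with the Trojan's cluster, so it is left alone, which is exactly the comparison the article asks for; the dropped WINLOGON.EXE and a.exe have no .com name to give them away, yet they are caught because they share the Trojan's timestamp.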
Once you know these files, first close every program that can be closed, then open Windows Explorer from Programs > Accessories. In Tools > Folder Options, choose "Show hidden files and folders" and untick "Hide protected operating system files". Then open Start > Run and start the Registry Editor (type the full path C:\Windows\regedit.exe rather than just regedit, otherwise the Trojan's system32\regedit.com is picked up instead) and go to
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
There is a value named "Torjan pragramme", which plainly says "I am a Trojan". Delete it!
Then log off. After logging back in, open Task Manager and check whether rundll32 is running; if it is, end it first (I cannot tell whether it is the real one or the fake one, so be careful). Go to drive D (do not double-click it, or the virus is activated again): right-click it, choose "Open", and delete autorun.inf and pagefile.com.
Then go to drive C and delete all the files listed above. Do not double-click any of them, or you have to do all the steps again. Then log off.
When I deleted those files, no .exe file could be opened any more, and cmd would not run either.
So copy C:\Windows\system32\cmd.exe somewhere else, for example to the desktop, and rename it cmd.com; .com files still run (the loader recognises the program by its header, not by the extension), so double-click cmd.com.
That gives you a command prompt.
Run the following commands:
assoc .exe=exefile (there is a space between assoc and .exe)
ftype exefile="%1" %*
After that, .exe files run again. If you cannot type the commands, just open cmd.com and paste the two lines above into it.
After all this, startup is slow and a warning box pops up saying that file "1" cannot be found (this is the 1.com in C:\Windows). Finally, use Internet Assistant or a similar tool to repair the Internet Explorer settings completely.
Finally, here is how to get rid of the "1.com cannot be found" message at startup:
Run regedit, open the Registry and go to [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
Change the Shell value from "Explorer.exe 1" back to "Explorer.exe".

Method 1: Start > Run, enter command (on Windows 2000/XP/2003, enter cmd) and press Enter.

At the command line, run the following commands in sequence:

cd %windir%
copy regedit.exe regedit.com
regedit.com

(The copy is needed because .exe files will not start while the association is broken; a .com copy of the same program does.)

After the Registry Editor opens, find the following branch:

HKEY_CLASSES_ROOT\exefile\shell\open\command

Double-click the (Default) value in the right-hand pane and set it to "%1" %* (including the quotation marks).

Then find:

HKEY_CLASSES_ROOT\.exe

Double-click the (Default) value in the right-hand pane and set it to exefile.
Exit the Registry Editor and restart the computer.

Method 2: Applicable to Windows 2000/XP/2003

Start > Run, enter cmd and press Enter.

At the command line, run the following commands in sequence:

ftype exefile="%1" %* (including the quotation marks)
assoc .exe=exefile
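Both registry repairs, the Winlogon Shell value above and the .exe association of Methods 1 and 2, in one added example that is not part of the original article. It reads the text that regedit's File > Export (or `reg export`) produces, compares the three values with their stock settings, and lists the commands that restore them. The export below is constructed: the article does not say what the Trojan wrote into exefile\shell\open\command, so the hijacked command shown there is hypothetical, while the "Explorer.exe 1" Shell value is the one the article reports.

```python
"""Check the registry repairs the article makes, from a .reg export.

Added example, not from the original article. It parses the REG_SZ values of
a .reg file, confirms that the .exe file association and the Winlogon Shell
value hold their stock values, and prints repair commands otherwise. The
export below is constructed; the command hijack in it is hypothetical.
"""
import re

SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="exefile"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\WINDOWS\\system32\\a.exe\" \"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe 1"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
'''

# (key, value name, expected data, command that restores it). '@' is (Default).
EXPECTED = [
    (r"HKEY_CLASSES_ROOT\.exe", "@", "exefile",
     "assoc .exe=exefile"),
    (r"HKEY_CLASSES_ROOT\exefile\shell\open\command", "@", '"%1" %*',
     'ftype exefile="%1" %*'),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell", "Explorer.exe",
     r'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /d Explorer.exe /f'),
]

# @="..." or "Name"="..."; .reg escapes a quote as \" and a backslash as \\
_VALUE_LINE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    """Undo .reg string escaping (doubled backslash, backslash-quote)."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg_export(text):
    """Return {key_path: {value_name: string_data}} for the REG_SZ values.

    dword: and hex: values are ignored; they are not needed for these checks.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else _unescape(m.group(2))
            keys[current][name] = _unescape(m.group(3))
    return keys


def find_hijacks(keys):
    """Return (key, value_name, found, expected) for every value that differs.

    Comparison is case-insensitive, since Explorer.exe and explorer.exe are the
    same file; a missing value counts as a hijack too.
    """
    problems = []
    for key, name, expected, _fix in EXPECTED:
        found = keys.get(key, {}).get(name)
        if found is None or found.strip().lower() != expected.lower():
            problems.append((key, name, found, expected))
    return problems


def repair_commands(keys):
    """Commands to type at a prompt (cmd.com if .exe is still broken)."""
    bad = {(k, n) for k, n, _f, _e in find_hijacks(keys)}
    return [fix for k, n, _e, fix in EXPECTED if (k, n) in bad]


if __name__ == "__main__":
    reg = parse_reg_export(SAMPLE_REG_EXPORT)
    for key, name, found, expected in find_hijacks(reg):
        print(f"{key} [{name}]: found {found!r}, expected {expected!r}")
    print("\n".join(repair_commands(reg)))
```

To use it on a real machine, export the three keys with `reg export` (or regedit, started by full path) into one file and pass its text to parse_reg_export; the .exe default value is left intact in the sample on purpose, so only the command and the Shell value are reported.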
