Summary of how to detect and remove the tel.xls.exe USB flash drive virus

Source: Internet
Author: User
How to kill tel.xls.exe

System symptoms:

Each time you double-click a drive letter, a new window opens and an Excel program appears in Windows Task Manager. Right-clicking the drive letter shows an "Auto" entry. Hidden files cannot be displayed, and extensions of known file types cannot be hidden.

 

1. Files created

%SystemRoot%\socksa.exe

tel.xls.exe and autorun.inf on each non-system disk

autorun.inf content:

[Autorun]

Opendesktel.xls.exe

Shellexecuteappstel.xls.exe

 

2. Registry changes

(1) Adds a startup item

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

"Asocksrv"="socksa.exe"

(2) Changes the hidden-files setting in Folder Options

The type of HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue becomes REG_SZ (originally REG_DWORD)

 

After infection, the system no longer displays hidden files and extensions. tel.xls.exe is also disguised with an Excel icon to induce users to click it, which deepens the infection. Through autorun.inf, tel.xls.exe runs automatically when the user double-clicks the drive.

 

1. Removal method

1. Delete the resident virus programs: open Task Manager and end the tel.xls.exe and socksa.exe processes (some EXCEL programs are also terminated). Find socksa.exe in c:\windows\system32 and delete it. If it cannot be deleted, use killbox to restart or delete it, or enter safe mode to delete it.

 

 

2. Disable AutoRun for removable devices (to avoid re-infection from USB flash drives): save the following as noautorun.reg and import it into the registry.

 

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]

"NoDriveTypeAutoRun"=dword:000000ff

 

3. Restore the "show all files" option: Start -> Run, open regedit, and find

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL, then check whether the type of CheckedValue is REG_DWORD. If not, delete CheckedValue, right-click and choose New -> DWORD Value, name it CheckedValue, and set its value to 1.

 

4. Delete the virus files: open Folder Options -> View, select "Show all files and folders", and clear the check mark on "Hide protected operating system files". Right-click each disk and choose "Open", then delete the autorun.inf and tel.xls.exe files in the root directory of each non-system disk.
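The registry checks from the steps above can be run over an exported .reg file before and after cleanup. This is an added example, not part of the original article; the sample export is constructed, and the function names are hypothetical.

```python
import re

HKLM_CV = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
RUN = HKLM_CV + r"\Run"
SHOWALL = HKLM_CV + r"\Explorer\Advanced\Folder\Hidden\SHOWALL"
POLICY = HKLM_CV + r"\Policies\Explorer"

# Constructed sample of an infected machine's export (not captured data).
# Real regedit exports are UTF-16: open(path, encoding="utf-16").read()
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Asocksrv"="socksa.exe"
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"="0"
'''

def parse_reg(text):
    """Return {key_lower: {value_name_lower: (value_name, raw_data)}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
            continue
        m = re.fullmatch(r'"([^"]+)"\s*=\s*(.+)', line)
        if m and current is not None:
            current[m.group(1).lower()] = (m.group(1), m.group(2))
    return keys

def audit(text):
    """List the registry changes described on this page that are present."""
    keys, findings = parse_reg(text), []
    for name, data in keys.get(RUN.lower(), {}).values():
        if "socksa.exe" in data.lower():
            findings.append(f"Run value {name} starts socksa.exe")
    _, checked = keys.get(SHOWALL.lower(), {}).get("checkedvalue", ("", None))
    if checked is not None and not checked.lower().startswith("dword:"):
        findings.append("CheckedValue is not REG_DWORD")
    _, autorun = keys.get(POLICY.lower(), {}).get("nodrivetypeautorun", ("", ""))
    if autorun.lower() != "dword:000000ff":
        findings.append("NoDriveTypeAutoRun is not set to 0xff")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

An empty result after cleanup means the startup item is gone, CheckedValue is a DWORD again, and AutoRun is disabled for all drive types.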

 

 

2. Kill tel.xls.exe

If an Excel task is displayed in Task Manager after startup, you are infected.

Note! Do not double-click a hard disk partition during the following process. To open a partition, right-click it and choose Open.

1. Stop the virus processes

Press CTRL+ALT+DEL to open Task Manager. On the Applications tab, find an Excel-like task that you do not recognize [it is not shown in the taskbar], right-click it and choose Go To Process to find its process, which is similar to [svchost.exe]. Right-click that process and choose End Process Tree.

2. Display hidden system files

Start -> Run -> regedit

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL

Delete CheckedValue, right-click and choose New -> DWORD Value, and name it CheckedValue.
Then set its value to 1, so that you can select "show all hidden files" and "show system files".

In a folder window, go to Tools -> Folder Options and set hidden files, system files and file extensions to be displayed.

 

3. Delete the virus files

Right-click a partition and choose "Open". The autorun.inf and tel.xls.exe files are now visible in each disk and directory; delete them. Do the same for USB flash disks.

 

4. Delete the virus's autorun entries

Start -> Run -> msconfig -> Startup, delete unknown items such as sa.exe, and keep items such as [anti-virus program, ctfmon, camera, firewall]

Or open the registry: Start -> Run -> regedit

HKEY_LOCAL_MACHINE > Software > Microsoft > Windows > CurrentVersion > Run

Delete items similar to c:\windows\system32\svchost.exe

 

5. Delete leftover files

In c:\windows\ and c:\windows\system32\, delete the Excel-pattern .exe files left by the virus and all files with Excel icons. Take care not to delete other files by mistake. Once this is done in each folder, the virus on your computer has been cleaned. Restart and everything is OK.

 

3. Use kill .exe to clean up

Note! Do not double-click a hard disk partition during the following process. To open a partition, right-click it and choose Open.

 

1. Task Manager shows an Excel task (in Task Manager, on the Applications tab: algsrv.exe)

2. Run kill .exe

3. Manually delete c:\windows\system32\algsrv.exe and other files and folders with Excel-like icons

4. Restart, OK!

 

 
