Manual removal is still the most feasible method.
1. Enter safe mode
When the computer starts, press F8 to display the System Startup menu, from which you can choose to enter safe mode.
2. Disconnect the computer from the network to prevent hackers from continuing to attack you through the network.
3. Display all files and folders (including hidden files and protected system files)
4. Disable System Restore
Right-click "My Computer" > System Properties > check "Turn off System Restore on all drives" and click Apply (this releases the hard disk space it uses, and that space may be vulnerable to virus attacks)
5. Delete the auto-start items of the virus/Trojan program
Open Registry Editor: Start → Run → type: regedit → OK
Search for auto-start items under:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
Run
RunOnce
RunServices
Three subkeys under the HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion key:
Run
RunOnce
Open the System Configuration Utility: Start → Run → type: msconfig → OK
(If Windows does not have this file, you can run msconfig.exe from a shared folder)
Check the startup entries in the configuration files win.ini and system.ini.
In the [windows] section of win.ini:
Run =
Load =
Normally the "=" is followed by a blank. If a program follows it, such as:
Run = c:\windows\file.exe
Load = c:\windows\file.exe
then file.exe is probably a virus.
In the [boot] section of system.ini:
Shell = Explorer.exe file.exe
Normally Explorer.exe is followed by a blank. If a program follows it, such as:
Shell = Explorer.exe file.exe
then file.exe is probably a virus.
In the [386Enh], [mci], [drivers], and [drivers32] sections of system.ini:
Driver = "path\program name"
Check the other startup configuration files, initialization files, and system configuration files for added entries:
Wininit.ini: mostly used for installation
Winstart.bat: generated automatically by applications and by Windows, and intercepted by Win.com. It has the same function as Autoexec.bat.
Autoexec.bat (usually has the hidden attribute; it can be found by searching for files with the hidden attribute)
Config.sys (same as above)
Check the Startup group: Start > Programs > Startup, and the contents of the Startup folder.
Corresponding location in the registry:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders (Startup value)
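The win.ini and system.ini checks described above can be scripted against copies of the two files. The following is an added example, not part of the original article; the function names and the sample file contents are constructed for illustration, and it assumes the expected shell is the Windows default, Explorer.exe.

```python
import ntpath

def parse_ini(text):
    """Return {section: [(key, value), ...]}. Hand-rolled because system.ini
    repeats keys (device=...) that a dict-based parser would collapse."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current].append((key.strip().lower(), value.strip()))
    return sections

def audit_win_ini(text):
    """Run= and Load= in [windows] are normally blank; report non-blank ones."""
    return [(k, v) for k, v in parse_ini(text).get("windows", [])
            if k in ("run", "load") and v]

def audit_system_ini(text, expected_shell="explorer.exe"):
    """Shell= in [boot] should name only the shell (assumed Explorer.exe)."""
    findings = []
    for k, v in parse_ini(text).get("boot", []):
        if k != "shell":
            continue
        tokens = v.split()
        # Anything other than exactly one token naming the shell needs review.
        if len(tokens) != 1 or ntpath.basename(tokens[0]).lower() != expected_shell:
            findings.append((k, v))
    return findings

# Constructed sample contents, mirroring the article's examples.
SAMPLE_WIN_INI = r"""[windows]
Load =
Run = c:\windows\file.exe
"""
SAMPLE_SYSTEM_INI = r"""[boot]
Shell = Explorer.exe file.exe
[386Enh]
device=*vmm
device=*vpd
"""

if __name__ == "__main__":
    for finding in audit_win_ini(SAMPLE_WIN_INI) + audit_system_ini(SAMPLE_SYSTEM_INI):
        print("review:", finding)
```

A Shell= value given as a full path containing spaces is also reported, so treat each finding as an entry to review by hand rather than as proof of infection.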
Steps for manual scanning and removal: first kill the process, then delete the virus file, and finally repair the registry.
Once a virus is found in the registry or the process table, first kill its process in the process table.
Open Task Manager, find the virus program's process, and end it.
If the process cannot be terminated, you can use another process-monitoring tool to terminate it.
If it still cannot be terminated, the only option is to restart into safe mode with the network disconnected.
Delete the virus file in a DOS window or in Windows Explorer; note that the virus may restore it automatically.
After restarting, return to the registry, then search for and delete all residual virus entries, especially those in the startup items.