Top 10 Windows virus hiding places

Source: Internet
Author: User

A virus has been detected, but it cannot be removed, either in normal Windows or in safe mode. What can you do? Because of the special nature of some directories and files, infected files in them cannot be cleaned directly, even by running the anti-virus scanner in safe mode; special handling is needed. Each directory below includes its subdirectories.

1. The infected files are in the \Temporary Internet Files directory.

Windows protects the files in this directory (unconfirmed), so they cannot be deleted even in safe mode. In this case, close all other programs, open IE, select "Tools" > "Internet Options" from the IE menu bar and click "Delete Files". If you are prompted to "Delete all offline content", select it so that IE removes those files as well.

2. The infected files are in the \_Restore directory or the System Volume Information directory.

This is where System Restore keeps its saved restore points. The directory exists only on Windows ME and Windows XP, and it is protected by the system. To clean it, you must turn off System Restore first, then delete the infected files, or even the whole directory. To turn off System Restore: on Windows ME, disable System Restore and delete the files from DOS. On XP, right-click "My Computer", choose "Properties" > "System Restore" > "Disable System Restore on All Drives", and click "OK" to exit.

3. The infected files are inside .cab files or other compressed archives.

Currently few anti-virus products can directly clean infected files inside compressed archives, and even those support only some common compression formats. Most anti-virus software can therefore only detect infected files inside an archive, not clean them in place. In addition, encrypted (password-protected) archives cannot be cleaned directly at all.

To remove a virus from a compressed archive, we recommend extracting the archive and cleaning the extracted files, or using the anti-virus plug-in of the compression tool to disinfect the infected archive.

4. The virus is in the boot sector, or in the SUHDLOG.DAT or SUHDLOG.BAK file.

This is generally a boot-sector virus, and the reported virus name usually contains "boot" or "wyx". If the virus exists only on removable storage, such as a floppy disk, a flash drive or a portable hard disk, you can scan and remove it directly with the anti-virus software on the local hard disk. If the virus is on the hard disk itself, you must boot from a clean boot disk and scan from there.

We recommend using a clean floppy disk for the scan and removal. Before doing so, however, you must back up the original boot sector, especially when more than one operating system is installed, such as Windows alongside Linux.

If you do not have a clean boot disk, you can use the following emergency method:

(1) Make a clean boot disk on another computer. On Windows 95/98/ME the boot disk can be created through "Add/Remove Programs". Note that the operating system used to create the floppy must be the same as the one on your own computer;

(2) Boot the infected computer from this floppy disk, then run the following commands:

A:\> fdisk /mbr

A:\> sys a: c:

If the infected files are SUHDLOG.DAT or SUHDLOG.BAK, delete them directly. These are backup copies of the hard disk boot area that the system made during installation; they are not used in normal operation, and the virus in them cannot execute.
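The article insists on backing up the original boot sector before a repair such as fdisk /mbr. The following Python script is an added example, not part of the original article: it parses a 512-byte master boot record (signature check and partition table), writes a backup that it refuses to overwrite, and compares the bootstrap code against a saved copy so that a later change to it can be detected. The sample sector is constructed; reading a real disk uses the raw device path shown in the comment and needs administrator rights.

```python
"""Back up and inspect a 512-byte master boot record before a boot-sector repair.

Added example, not part of the original article. The sample sector is constructed.
"""
import struct
from pathlib import Path

SECTOR_SIZE = 512
PART_TABLE_OFFSET = 446          # 446 bytes of bootstrap code precede the partition table
BOOT_SIGNATURE = b"\x55\xaa"     # last two bytes of a valid MBR


def parse_mbr(sector: bytes) -> dict:
    """Decode the four 16-byte partition entries and check the 0x55AA signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected a {SECTOR_SIZE}-byte sector, got {len(sector)}")
    partitions = []
    for slot in range(4):
        off = PART_TABLE_OFFSET + 16 * slot
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4), little-endian
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype == 0:
            continue                 # empty slot
        partitions.append({"slot": slot, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": count})
    return {"signature_ok": sector[510:] == BOOT_SIGNATURE, "partitions": partitions}


def bootstrap_changed(current: bytes, backup: bytes) -> bool:
    """True if the bootstrap code differs from the saved copy (the part a boot virus overwrites)."""
    return current[:PART_TABLE_OFFSET] != backup[:PART_TABLE_OFFSET]


def backup_mbr(sector: bytes, dest: Path) -> int:
    """Write the sector to dest, refusing to clobber an earlier (possibly clean) backup."""
    if dest.exists():
        raise FileExistsError(f"{dest} already exists; keep the earlier backup")
    return dest.write_bytes(sector)


def make_sample_mbr() -> bytes:
    """Constructed sample: one bootable FAT32-LBA (type 0x0C) partition starting at LBA 63."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x0C, b"\xfe\xff\xff", 63, 2048000)
    table = entry + b"\x00" * 48                       # three empty slots
    return b"\x90" * PART_TABLE_OFFSET + table + BOOT_SIGNATURE


if __name__ == "__main__":
    # On a real Windows system (as administrator): open(r"\\.\PhysicalDrive0", "rb").read(512)
    mbr = make_sample_mbr()
    print(parse_mbr(mbr))
    backup_mbr(mbr, Path("mbr_backup.bin"))
```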

5. The infected files have the extension .vir, .kav or .kbk.

These are generally backup copies that anti-virus software made of the original infected files. If you confirm that they are not needed, simply delete them.

6. The infected files are contained in mail store files, such as .dbx, .eml and .box.

Some anti-virus software can check whether the files inside these mail stores are infected, but often cannot operate on them directly. For a mail store that contains a virus, locate the infected message using the information reported by the anti-virus software, then delete the attachment or the whole message. If the infected file is an .eml or .nws message file, open it with the relevant mail program, confirm the message and its attachment, and delete the relevant content. Large numbers of .eml and .nws files are generally generated by viruses themselves, and we recommend deleting them directly.

7. The file contains residual virus code.

The most common cases are macro viruses and residual code left by CIH, Funlove and some web-page viruses, including in Word, Excel, PowerPoint and WordPro documents. Anti-virus software generally reports such files with a suffix appended to the virus name, such as "int" or "app" (for example W32/FunLove.app), although this is not common. Normally the residual code does not affect the running of programs and does not infect anything. If you need to remove it completely, handle it according to the actual situation.

8. File errors.

Such cases are not common. Typically some anti-virus software failed to clean the virus from the original file and did not repair the file correctly, leaving it unusable; at the same time this may cause false positives from other anti-virus software. These files can be deleted directly.

9. Encrypted files or directories.

For encrypted files or directories, decrypt them first, then scan and clean them.

10. Shared directories.

There are two scenarios: a locally shared directory, and a remote shared directory on the network (including mapped drives). When infected files in a local shared directory cannot be cleaned, it is usually because other users on the LAN are reading and writing them, so the virus cannot be removed while the files are open; or a virus on another machine is writing to the directory, so the files are re-infected or new infected files keep appearing after cleaning. In both cases, we recommend stopping the share and thoroughly scanning the directory. When re-enabling the share, do not grant excessive permissions, and set a password on the shared directory.

When cleaning a remote shared directory (including mapped drives), make sure the local operating system is clean and that you have full read and write permission on the share. If the remote computer is infected, we recommend scanning and cleaning it on the remote computer directly. In particular, we recommend removing all local shares before cleaning other viruses. In normal use, also pay attention to the security of shared directories: set a password, and avoid opening files in a remote share directly; copy the data to the local computer and scan it before using it.

Additional note:

We recommend that you also try the following: right-click "My Computer", choose "Properties" > "System Restore" from the shortcut menu, and select the check box that turns off System Restore on all drives.

Then boot into safe mode (press F8 while restarting) and delete all files in the following three folders:

C:\WINDOWS\Temp

C:\Documents and Settings\User Name\Local Settings\Temp

C:\Documents and Settings\User Name\Local Settings\Temporary Internet Files

Finally, run the anti-virus scan (still in safe mode). The "User Name" in the last two folders is the name you log on to the system with; if you have not changed it, the user name is Administrator.
