Run anti-virus after the system is poisonedSoftwareOf course, this operation is beyond review. However, anti-virus software is usually implemented according to the defined signature.VirusAfter all this is done, I think everything is done and I have to retire. Things are often not so smooth. Kill soft leaves a system with all the holes to the user, and the sequelae of the virus have become a constant pain in our hearts. Next we will take care of several typical sequelae of antivirus drugs to restore a healthy system.
I. startup
Symptom 1: After the virus is cleared, restart the system to enter the desktop. The prompt box "xx file loading error, cannot find the specified file" is displayed every time. (Figure 1) = 700) window. open (http://www.bkjia.com/uploads/allimg/131120/04392VV9-0.jpg); "src =" http://www.bkjia.com/uploads/allimg/131120/04392VV9-0.jpg "onload =" if (this. width> 700) this. width = 700; if (this. height> 700) this. height = 700; "border = 0>
This problem occurs because the antivirus software clears the virus source file but does not clear the corresponding registry key value. Therefore, the file is loaded when the system starts. Because the source file is deleted, such a dialog box is displayed, the solution is:
Solution 1: Start msconfig and find the corresponding project according to the startup Item location prompt. deselect the check box.
Solution 2: Follow the prompts in the prompt box to enter the registry and search for its loaded key value to delete it.
These key registry keys are:
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun
HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRun
HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRunServices
The preceding key values appear in the "Start" item of msconfig.
HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersion RunOnce
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersion RunOnce
HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersion RunServicesOnce
The preceding key values are relatively hidden.
[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsNTCurrentVersion Winlogon]
"Shell" = "EXPLORER. EXE, *. exe"
* It is an executable file of a virus or Trojan. This method is very concealed and used by many current viruses.
Symptom 2: common programs cannot be opened after the virus is eliminated. Double-click an application to open the selection mode window.
This is because the virus modifies the association of executable files and is often associated with itself. When the virus is killed and the file association is not restored, it cannot be run. Therefore, the user can choose to open the file, the solution is:
Step 1: restart and press f8.CommandThe security mode of the row.
Step 2: Enter the command prompt and run the ftype exefile = "% 1" % * command to restore the connection. You can also use tools such as sreng to restore the connection. (Figure 2) = 700) window. open (http://www.bkjia.com/uploads/allimg/131120/04392W120-1.jpg); "src =" http://www.bkjia.com/uploads/allimg/131120/04392W120-1.jpg "onload =" if (this. width> 700) this. width = 700; if (this. height> 700) this. height = 700; "border = 0>
Symptom 3: Double-click a drive letter to open it. You can only right-click the drive letter and select "Resource Manager". At the same time, the first item in the right-click menu turns to "auto" (Figure 3)
= 700) window. open (http://www.bkjia.com/uploads/allimg/131120/04392T061-2.jpg); "src =" http://www.bkjia.com/uploads/allimg/131120/04392T061-2.jpg "onload =" if (this. width> 700) this. width = 700; if (this. height> 700) this. height = 700; "border = 0>
This is because the virus has created a similarAutorunFile such as. inf, and then call the virus source file through the file. After the virus is removed, the autorun. inf file is not cleared. The solution is:
Step 1: CreateBatch ProcessingFile kill. bat, the Code is as follows:
@ Echo off
Cd
Attrib-s-h-a autorun. inf
Del autorun. inf
D:
Attrib-s-h-a autorun. inf
Del autorun. inf
Taskkill/f/im assumer.exe
Start assumer.exe
Exit
Tip: Anti-Virus Software clears the virus file in the root directory of the system, but does not delete the autorun. inf file. (Assume there are only two partitions, C and D .) If the problem is not completely resolved, perform the second step.
Step 2: locate the Registry
HKEY_CURRENT_USER Software MicrosoftWindowsC urrentVersion Explorer Mountpoints2: delete all auto-related items under item c and item d.
Step 3: delete the file under the HKEY_CLASSES_ROOTdevice entry in the registry.ShellTo open all hard disk partitions.
Symptom 4: The desktop cannot be accessed after the virus is eliminated, or the desktop loading error is prompted. Sometimes, the desktop cannot even enter the system.
The cause of this problem is that under the registry [HKEY_LOCAL_MACHINE SOFTWARE Microsoft Windows NT CurrentVersion Winlogon], there are two key values: Userinit, the original value is "Userinit" = "userinit.exe, "The original Shell value is" Shell "=" EXPLORER. EXE ", if these two values are modified by the virus, and the anti-virus software is not repaired, it will not be able to enter the system desktop. The solution is:
Step 1: when the system is inaccessible to the table, use the combined key ctrlw.alt?del=to retrieve the task manager role, and then run cmder.exe to go to the desktop.
Step 2: follow the instructions above to restore the registry key value. (Figure 4)
= 700) window. open (http://www.bkjia.com/uploads/allimg/131120/04392R526-3.jpg); "src =" http://www.bkjia.com/uploads/allimg/131120/04392R526-3.jpg "onload =" if (this. width> 700) this. width = 700; if (this. height> 700) this. height = 700; "border = 0>
Symptom 5: many security programs cannot be used after anti-virus.
The cause of this problem is that anti-virus software is not completely antivirus, and there are some legacy virus files in the system, because these files make some security software unable to run. The solution is:
Step 1: Create a batch file del. bat with the code:
@ Echo off
Del/f/a/q? % 1
Rd/s/q? % 1
Exit
Tip: The preceding Command forces the deletion of all files and directories. Del. copy the bat file to the directory where the virus exists, and then copy the file similar to w32sys. dll files or folders like arp are dragged to del. bat file. If not, perform step 2. (Figure 5) = 700) window. open (http://www.bkjia.com/uploads/allimg/131120/04392R0E-4.jpg); "src =" http://www.bkjia.com/uploads/allimg/131120/04392R0E-4.jpg "onload =" if (this. width> 700) this. width = 700; if (this. height> 700) this. height = 700; "border = 0>
Step 2: run the following command at the command prompt:
For/f "tokens = *" % I in (dir/a/B/s c: progra ~ 1w32sys. dll) do rd/s/q % I
Tip: If w32sys. dll is a virus file, the preceding command deletes c: progra ~ 1. w32sys. dll files in all subdirectories in the directory.
Ii. System Problems
Symptom 1: The system cannot display hidden files.
The system cannot display hidden files because the virus sets itself as a hidden file to protect itself and then modifies or deletes the corresponding registry key value, anti-virus software does not restore the registry key value after the virus is cleared, making it impossible to set and view hidden files in the system through "Folder Options. The solution is:
Solution 1: Use winrar (compression software) to view and operate. winrar can view hidden files without System Restrictions on file attributes due to its special technology, even some files that cannot be viewed in the "show all hidden files" status.
Solution 2: Restore the key value of the registry and run the following code:SaveHtml "target = _ blank>File. Reg, double-click to import the Registry
Windows Registry Editor Version 5.00
(Note: A row must be empty in the middle. This row cannot be copied !)
[HKEY_LOCAL_MACHINE SOFTWARE Microsoft Windows CurrentVersion javaseradvanced Folder HiddenSHOWALL]
"RegPath" = "softwaremicrosoftwindowscurrentversionpoliceradvanced"
& Quot; Text & quot; = & quot; @ shell32.dll,-30500 & quot"
"Type" = "radio"
"CheckedValue" = dword: 00000000
Solution 3: Use sreng to fix the problem.
Symptom 2: security mode cannot enter
Virus Trojans delete or modify registration related to security mode to protect themselves