Killing the USB drive virus autorun.inf and RavMon.exe

Source: Internet
Author: User

USB drive viruses such as autorun.inf and RavMon.exe have been rampant recently, causing strong dissatisfaction.
The virus automatically modifies the registry so that users cannot view hidden files. The hidden file autorun.inf contains the following:
[AutoRun]
open=RavMon.exe
shell\open=Open(&O)
shell\open\Command=RavMon.exe
shell\explore=Resource Manager(&X)
shell\explore\Command="RavMon.exe -e"
After the registry import of a few days ago, display was normal, but then the system blue-screened and restarted.
After reinstalling the system and then clicking another disk, the right-click menu only offers "auto".
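As an added example (not part of the original page), the following Python code parses an autorun.inf like the one above and lists the programs it would launch, which is a quick triage check on a file copied from a suspect drive. The function names and the extension list are assumptions made for illustration, and the sample is constructed from the entries quoted on this page.

```python
import ntpath
import re

# [autorun] keys that make Explorer start a program: open, shellexecute,
# and every shell\<verb>\command entry.
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$", re.I)
# A whitespace-free token ending in an executable or script extension
# (the extension list is an assumption for this example).
PROGRAM = re.compile(r'[^\s"]+\.(?:exe|com|bat|cmd|scr|pif|vbs|js)\b', re.I)


def launch_entries(text):
    """Return (key, command) pairs from the [autorun] section that start a program."""
    entries, in_autorun = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if LAUNCH_KEY.match(key):
                entries.append((key.lower(), value))
    return entries


def launch_targets(text):
    """Sorted, lower-cased file names of the programs the file would launch."""
    found = set()
    for _key, command in launch_entries(text):
        for token in PROGRAM.findall(command):
            found.add(ntpath.basename(token).lower())
    return sorted(found)


# Constructed sample, built from the entries quoted on this page.
SAMPLE = r"""[AutoRun]
open=RavMon.exe
shell\open=Open(&O)
shell\open\Command=RavMon.exe
shell\explore=Resource Manager(&X)
shell\explore\Command="RavMon.exe -e"
"""

if __name__ == "__main__":
    print(launch_targets(SAMPLE))
```

Labels such as shell\open only rename the menu item; it is the open and shell\...\command entries that run the file, so those are the ones reported.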
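Try this BAT file:
@echo on
rem Stop Explorer and the script host so the files are not held open
taskkill /im explorer.exe /f
taskkill /im wscript.exe
rem Make protected operating system files visible again, then import the registry file
start reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v ShowSuperHidden /t REG_DWORD /d 1 /f
start reg import kill.reg
rem The switch after the last "/" is cut off on the page; /a is assumed so hidden and system files are matched
del c:\autorun.* /f /q /a
del %SYSTEMROOT%\system32\autorun.* /f /q /a
del d:\autorun.* /f /q /a
del e:\autorun.* /f /q /a
del f:\autorun.* /f /q /a
del g:\autorun.* /f /q /a
del h:\autorun.* /f /q /a
del i:\autorun.* /f /q /a
del j:\autorun.* /f /q /a
del k:\autorun.* /f /q /a
del l:\autorun.* /f /q /a
start explorer.exe
Delete the virus file.
Restart.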
Use REG to import the following:
Windows Registry Editor Version 5.00

; "Do not show hidden files and folders" radio button
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN]
"RegPath"="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced"
"Text"="@shell32.dll,-30501"
"Type"="radio"
"CheckedValue"=dword:00000002
"ValueName"="Hidden"
"DefaultValue"=dword:00000002
"HKeyRoot"=dword:80000001
"HelpID"="shell.hlp#51104"

; "Show hidden files and folders" radio button
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"RegPath"="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced"
"Text"="@shell32.dll,-30500"
"Type"="radio"
"CheckedValue"=dword:00000001
"ValueName"="Hidden"
"DefaultValue"=dword:00000002
"HKeyRoot"=dword:80000001
"HelpID"="shell.hlp#51105"

; "Hide protected operating system files" checkbox
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden]
"Type"="checkbox"
"Text"="@shell32.dll,-30508"
"WarningIfNotDefault"="@shell32.dll,-28964"
"HKeyRoot"=dword:80000001
"RegPath"="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced"
"ValueName"="ShowSuperHidden"
"CheckedValue"=dword:00000000
"UncheckedValue"=dword:00000001
"DefaultValue"=dword:00000000
"HelpID"="shell.hlp#51103"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden\Policy]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden\Policy\DontShowSuperHidden]
@=""
Ineffective!! RavMon.exe has the following traits:
RavMon.exe
Process file: RavMon.exe Svchost.exe
Process name: Troj_Worm.Novar
English description: N/A
Process Analysis:
The Real-time Monitoring Program of the anti-virus software.

Process location: System Directory
Program purpose: a virus written in Visual Basic that spreads through removable devices and is extremely destructive.

Security level (0-5): 0 (N/A = not dangerous, 5 = most dangerous)
Disc software: Yes
Advertising software: Yes
Virus: Yes
Trojan: Yes
System Process: No
Application: No
Background Program: Yes
Access: Yes
Internet access: No
Run cmd from the Start menu to get a DOS-like prompt. Enter a drive letter to switch to that drive, and use dir /a to list its files and look for a ravmon.exe file. Rising has a program that is also called ravmon.exe, which is confusing. You can use attrib to check the file's attributes. If it has the SHR attributes, it is the virus.
The rose virus also has an image, so if you find it is the rose virus, the solution is similar.
Enter safe mode (you must make sure you are in safe mode, and do not double-click a drive letter during this period; otherwise all your efforts will be wasted!)
Step 1:
Delete the key values. This is the root cause of RavMon.exe.
Step 2:
Run cmd from the Start menu to get a DOS-like prompt and switch to a disk. Use attrib -h -s -r AutoRun.inf and attrib -h -s -r RavMon.exe to remove the hidden, system and read-only attributes of these two files, then use del AutoRun.inf and del RavMon.exe to delete them. The autorun.inf file modified by the RavMon.exe virus is the reason your hard disk cannot be opened. Do this on every hard disk. Note: if you have used a USB flash drive, you must also do this on the USB flash drive! It contains the virus too.
4. Complete:
Restart into normal mode. Double-clicking the drive letter should now open it. Someone on the Internet said the drive letter may still not open, with a prompt asking you to locate something, which I did not encounter. The method given is as follows: if you are asked to locate a command such as DESKTOP.EXE or another file, run regedit, select Edit > Find, and enter DESKTOP.EXE or the other name; the first one found is the autorun entry for the C disk; delete its entire shell subkey.
Finally, clear the virus
