Clearing Viking variants: the strongest strategy guide yet

Source: Internet
Author: User

After two days of fighting, the Viking variant was finally cleared in the early morning. I had posted here asking for help before, but got no correct answer, so here I will share the experience I accumulated.
The following is what I went through over those two days:
After connecting to the Internet, some suspicious processes appeared. Using ecq-ps (Process King) to view their paths, some were virus files; others were DLL and SYS files loaded through normal system processes such as svchost.exe and csrss.exe, running as hooks. I thought, these little pests are back again (my system was installed in 2004 and has been in use ever since; I have handled every virus myself so far, so I figured I would just kill one or two more). On my dual-boot system I restarted into DOS under Win98 and manually deleted the files at the above paths, then booted into WinXP and deleted the registry values related to those files. In Services I checked for service entries left behind by the virus, which pretend to be legitimate: the description even reads like a normal service, "manages the system application's 128-bit key transfer License Service". I had to smile. But look at the dependencies and the source path (the file name I have forgotten) and it is exposed. I suppose a layman would leave it alone. If you don't want it, delete it under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services!
Restarted and watched the processes. Everything was back to normal. Relief. Watched some Internet TV and rested.. But then the real trouble appeared: N virus processes suddenly showed up among the system processes. Rising had been disabled too; some of its components just would not run. I panicked. First I removed the infected Rising (it had been upgraded to the latest version only the day before). I tried scanning and killing several times, but the processes reappeared shortly after each start... Also, when deleting a virus file under pure DOS from 98 the system said "access denied", so it must be a memory-resident type. Then I cold-started from a Windows PE boot disc; I figured the PE kernel is different, so it would work. Sure enough, the virus files were deleted in PE, and the startup processes were back to normal this time. The registry was restored. I opened Xunlei and looked at the tools and software I had downloaded. Result: infected again... My conclusion: the exe files are infected; otherwise how could more virus processes keep being created. And the file icons were lost (rather than generating a _desktop.ini in the same directory as described on the Internet, which is the old version; I also had _desktop.ini, but only on C:, and on D: there were autorun.inf and iexplorer). I deleted all *.exe.exe files, then booted the disc to delete the viruses. Now the processes were back to normal. However, most icons on the desktop had turned white.. The virus had infected most of the exe files. Hadn't seen that in years. I did not dare to start those programs. The moment I ran the installation package I was infected again, so I installed Kaspersky 6.0.307 and upgraded to the latest version. Scanned in safe mode and in normal mode.. Found nothing. Also installed the latest 6.04xx and the 5.xx beta; both the Chinese and English versions were installed. It could not find anything......... Furious!!!!
(I think it was all because of the old Viking version that Kaspersky picked up off the Internet.) So I switched to McAfee, upgraded McAfee online and scanned... Result: McAfee could not handle it either... Furious!!!! Then I found Kingsoft's and Rising's dedicated removal tools, which could not scan it out either... Furious!!!!.. My win98sesetup.exe was nearly 60 KB larger than the copy on the source disc. In fact, every infected file had grown by nearly 60 KB, proving that all the infected files carried Viking!!... Jiangmin's dedicated removal tool could kill it, but luckily I stopped it quickly, because I saw that most of its so-called kill operations were simply deletions!!! It deleted several of my exe files. Even the ones it kept were zombie files that could not run. That "exe repair" was of no use at all. Cool!!

Dead end. Despair. I could not bring myself to delete so many exe files.

I had read about Viking immunization methods on the Internet. Suddenly something came to mind.. After an intense internal struggle, I made the following decision:

I did a test. I made a Ghost image of drive C, double-clicked an infected file, and viking appeared in the process list. Then I double-clicked the exe file's icon again and its size returned to normal; three files are generated first in the process. Ghost restore.. This was a bit of an eye-opener.
The idea is to create some 0-byte txt files in the virus's original directory and rename them to the virus process names, such as logon_1.exe, as decoys; set them read-only, then click the exe files one by one so that the abnormal code in each exe is released into memory, and then end the corresponding process.
Said and done. Create logon_1.exe and richdll.dll in C:\Windows (which differs from the three files above, and the path differs too, but the principle is the same). Create rundl132.exe in C:\Windows\uninstall and set them read-only.
Find all the exe files (search *.*). The Internet says only files from 27 KB to 10 MB are infected, but my files of over 10 and 20 MB got hit too. Once again this proves it is not the Viking described on the Internet... Start double-clicking to release them..... That's it... That's it.. They roam happily. They sing for love... The wolf falls in love.... Hey!! The problem is everywhere.
No.. I have just described the long history of opening thousands of files.. A few hours later. Finally.. Stretched my sore back.. Rebuilt the icon cache.... Cold start...
........ Success... So far, not a trace of Viking.


I have not had such a fight in a long time.
After such a long cycle I have a preliminary understanding of how this virus variant works. Below are the virus characteristics and the removal solution I have summarized:
Viking Virus Variant
It should be regarded as a Trojan, a product of advanced Internet development.
First, logon_1.exe and rundl132.exe are generated in the Windows directory. On my machine there was richdll.dll; the Internet describes some other dll and vtd.dll. These are DLL files loaded into system processes and cannot be deleted.
These files are linked to each other and reappear immediately after a process is terminated and a file deleted.
It automatically disables antivirus and firewall software and infects their files.
Then it calls the net share command to open the IPC$ named-pipe share in order to spread to other machines on the LAN.
It releases files such as rundll32.com, services.exe, finder.com, iexplore.pif, regedit.com, dxdiag.com, msconfig.com, mhs.exe and others, and modifies the registry associations for exe files, website links, scr files, unknown files (Open With) and other commonly used file types so that they point to iexplore.pif or another of the virus programs above. It changes the exe file type to a self-created "winfile" type, so that every exe calls the virus whenever it runs, which is really nasty; it changes the file search method and associates it with the program called by finder.com, and uses the registry to change rundll32.exe into a command line that runs rundll32.com. It adds a Trojan entry named load under HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, and also under a CurrentVersion\...logon key... Some other values are modified as well, which are more obvious.
It detects available drives and generates _desktop.ini or autorun.inf and i0000e.pif on them to turn the double-click action into "autoplay the virus". Therefore you can only open such a drive via right-click...
The most hateful part: it infects files larger than 27 KB on every drive with rundl132.exe,
and then restores the exe so that it runs normally...
At the same time it automatically downloads dozens of other viruses from the Internet, QQ account-stealing Trojans and popular online-game Trojans. By then the taskmgr Task Manager is a mess..
Because so many Trojans affect the efficiency and difficulty of cleanup, memory usage is too high and the risk is also high. I have to admire this..

If your system shows the above symptoms, follow these steps:
First, disconnect from the Internet and uninstall the antivirus software, because it is already infected and only causes trouble in memory.

Reinstall the antivirus software. I recommend Kaspersky, McAfee or Jiangmin. Do not stop, or the newly installed antivirus will be infected again. In safe mode, because msiexec cannot be started, many programs cannot be installed.
Cold start, or shut down; you can also cut the power and wait until the optical mouse's light goes out before starting up (too exaggerated).
Enter Safe Mode with Networking (if you cannot access the Internet, you can still enter normal mode). In Folder Options show all files, deselect the "hide system files" check box and select showing extensions for known file types; download the Viking-specific removal tool (recommended). Download the Rising Kaka Assistant for fixing the registry later; if it is an exe file you had better change its extension and change it back later. Upgrade the antivirus to the latest version. Immediately restart into pure Safe Mode and scan only the system disk. Write down the names and paths of the viruses found.
Cold start.. Boot DOS from a CD or USB flash drive, find the files you just recorded and delete them. I used a Windows PE boot disc, which saves you the trouble of DOS commands. Finding and deleting the files mentioned above is critical.
Run regedit.exe (type the .exe explicitly; if the association was not deleted, an exe opened the normal way would again launch the virus command line registered for the "winfile" file type).
Press Ctrl+F to find and delete the values containing the file names above.
In normal mode the Internet may not be accessible because the antivirus was attacked. Use the downloaded Rising Kaka Assistant to fix IE and the registry. While at it, scan for the other Trojans Viking just downloaded and any leftovers (do not start the broadband dialer, because dial-up programs such as EnterNet500 are infected; if it is XP's built-in dial-up, it is also best not to use it).
The processes should now be clean, and the infected exe files must be dealt with. If you don't need those files, you can kill them directly with the removal tool or delete them by searching, and the following steps can be skipped; the following steps are the safest but tiring.
Create new .txt files named logon_1.exe, rundl132.exe and richdll.dll respectively, set them read-only, and put them in the directories where the infections were found (the directory locations are mentioned above). This immunizes against virus files with the same names being released from infected exe files.
You can also use gpedit.msc: in Group Policy, under User Configuration, Administrative Templates, System, "Don't run specified Windows applications", add rundl132.exe.
You can also use the file rules in McAfee antivirus to prohibit the creation of *.exe and *.com files on the hard disk.
I have not tried the last two restrictions, but in theory they work.
Next, search the exe files on each disk in turn, sorted by size in descending order. Open a Task Manager window next to it and note the task entries and their count, e.g. number of processes: 22.
Double-click an exe with a blank icon and watch the changes in Task Manager. For example, if you double-click game.exe and it is infected, Task Manager shows one extra game.exe; then double-click it again, or double-click once more, and game.exe appears again. If the program runs in 16-bit compatibility mode, an ntvdm process appears, which can be ended without any effect. Later you may see net and net1 processes flash by for less than a second, followed by one or more cmd processes.
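The decoy-file immunization step above (0-byte, read-only files carrying the dropper's own names) as a small script; this is an added example, not code from the original post. The names are the ones the post reports; placing rundl132.exe under an "uninstall" subdirectory is my reading of the post's garbled "c:windowsunistall" (assumption), and the Windows directory is a parameter so the logic can be exercised in a scratch folder.

```python
import os
import stat
from pathlib import Path

# Added example, not code from the original post. Names are the dropped files the
# post reports; "uninstall" is my reading of its garbled "c:windowsunistall"
# (assumption). Entries are (file name, directory relative to the Windows dir).
PLACEHOLDERS = [
    ("logon_1.exe", ""),
    ("rundl132.exe", ""),
    ("richdll.dll", ""),
    ("rundl132.exe", "uninstall"),
]
READ_ONLY = stat.S_IRUSR | stat.S_IRGRP | stat.S_IROTH  # 0o444; R attribute on Windows


def create_placeholders(windows_dir):
    """Create 0-byte read-only decoys so the dropper cannot write its own files.

    A non-empty file already using a decoy's name is a real dropped payload and
    is left for the removal step. Returns the decoy paths in place; safe to re-run.
    """
    placed = []
    for name, subdir in PLACEHOLDERS:
        path = Path(windows_dir) / subdir / name
        path.parent.mkdir(parents=True, exist_ok=True)
        if path.exists() and path.stat().st_size > 0:
            continue
        if not path.exists():
            path.touch()
        os.chmod(path, READ_ONLY)
        placed.append(path)
    return placed


def verify_placeholders(windows_dir):
    """Report each decoy as 'ok', 'missing', 'writable' or 'replaced'."""
    report = {}
    for name, subdir in PLACEHOLDERS:
        path = Path(windows_dir) / subdir / name
        if not path.exists():
            status = "missing"
        elif path.stat().st_size > 0:
            status = "replaced"      # something non-empty took the decoy's name
        elif path.stat().st_mode & stat.S_IWUSR:
            status = "writable"      # read-only bit lost; dropper could overwrite
        else:
            status = "ok"
        report[f"{subdir}/{name}" if subdir else name] = status
    return report
```

Run `verify_placeholders` again after the scan and reboot steps: a decoy reported as "replaced" means a non-empty file now sits under that name and belongs in the list of files to delete from the PE disc.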
