Winlogon.exe trojan virus

Source: Internet
Author: User
Recently, my friend's computer was infected. We spent a day trying to disinfect it and searched the Internet for an answer. However, there was something wrong with the answer.

My computer runs Windows 98. I used Method 1 and it did not work: EXE files still could not be executed. [HKEY_CLASSES_ROOT\exefile\shell\open\command] showed no error. It finally turned out that the answer was wrong. The registry key should be
[HKEY_CLASSES_ROOT\winfile\shell\open\command]

Fault analysis: Most likely a piece of software, or even a virus, has deleted or modified the file association for the .exe extension. The following modifications can be made:

Method 1:
Modify EXE file association
You can modify the registry to restore the EXE file association. Rename regedit.exe to regedit.com, run it, and navigate to HKEY_CLASSES_ROOT\exefile\shell\open\command. The correct default value is "%1" %*; double-click the "Default" string and change its value to "%1" %*. In addition, you can run the command ftype exefile="%1" %* or assoc .exe=exefile (assoc and .exe are separated by a space) in DOS to restore the association of EXE files.

Method 2:
Save the following content as exefile.reg and double-click it to import it into the registry, or run "regedit exefile.reg" in pure DOS to import it. (Note: leave an empty line after REGEDIT4.)
REGEDIT4

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

Rename cmd.exe to cmd.com or cmd.scr, run cmd.com, and then run the following two commands:
ftype exefile="%1" %*
assoc .exe=exefile
Then rename cmd.com back to cmd.exe. However, this method only applies to Win2000/XP.

Method 3:

First, enter "assoc .exe" at the command line to display the file association for EXE files. The system reports that no file association was found for the extension. No wonder the EXE files cannot be executed. Next, enter "ftype | more" to display all file types in the system one screen at a time. One row is displayed as exefile="%1" %*. Would the fault be resolved if the .exe extension were associated with "exefile"? Therefore, enter "assoc .exe=exefile" (assoc and .exe are separated by a space), and the screen displays ".exe=exefile". Close the Command Prompt window, press [CTRL + ALT + DEL] to bring up the "Windows Security" window, press the [Shut Down] button, and select the "Restart" option. After Windows 2000 has started in normal mode, all EXE files run normally.

Experiences
Afterwards, I ran Folder Options in Control Panel again and selected the "File Types" tab. I found that EXE does not appear in the "Registered file types" list, and neither do file types such as BAT and COM. This means that you cannot create these types of file associations using Folder Options. We can only set them using the assoc and ftype commands in the Command Prompt window.

Method 4:

Use Kingsoft Internet Security 6 to solve the problem of EXE files not opening

Currently, malicious web pages and trojans all target the registry. To achieve permanent control of your computer, they adopt various methods, and modifying the EXE file association is one of them. Once that is done, no EXE file in the system can be run, so we cannot run the Registry Editor, regedit.exe, to restore the key value in the registry. What should we do now? It is very easy: as long as you have Kingsoft Internet Security 6 on your system, you can solve this problem. In "Resource Manager", open the installation directory of Kingsoft Internet Security 6 and find its main program, kav32.exe. Right-click it, choose "Rename", and rename it to kav32.scr. Click kav32.scr and you will find that Kingsoft Internet Security 6 starts. Click "Run" in the "Start" menu, enter regedit, and press Enter to open the Registry Editor.

Why can the Registry Editor be opened now? After it starts, Kingsoft Internet Security 6 automatically checks the EXE file association; if it finds that the default value of the registry key HKEY_CLASSES_ROOT\exefile\shell\open\command is not "%1" %*, it restores it. That is to say, Kingsoft Internet Security 6 automatically restores the EXE file association, and once the association is restored we can run the Registry Editor, regedit. Why change kav32.exe to kav32.scr? Because kav32.scr is still an EXE file, and after the EXE file association has been changed it can only be started under the .scr name.

In addition to restoring the association of EXE files, what is the use of this technique? When a trojan is removed, the trojan file is deleted. If the trojan is tied to a file association, for example the trojan server has associated itself with EXE files, then once the trojan file is deleted directly, no EXE file can run. This is where the technique is useful. You can also try it when the Registry Editor has been disabled and cannot be opened. So if you find that your EXE file association has been changed, run Kingsoft Internet Security 6 to solve the problem.
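
The two faults described on this page, a missing or redirected .exe mapping and an altered exefile open command, can be checked offline from a registry export. The following is an added example, not part of the original article: it assumes a REGEDIT4-style text export of HKEY_CLASSES_ROOT already decoded to text, and the function names, the assumed clean defaults and the sample export are constructed for illustration.

```python
import re

# Assumed clean defaults for the classes this page mentions (EXE, COM, BAT).
EXPECTED_EXT = {".exe": "exefile", ".com": "comfile", ".bat": "batfile"}
EXPECTED_CMD = '"%1" %*'

def parse_defaults(reg_text):
    """Map each lowercased key path to its default (@) string value."""
    defaults, key = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
        elif key and (m := re.fullmatch(r'@\s*=\s*"(.*)"', line)):
            # Undo .reg escaping: \" becomes " and \\ becomes \
            defaults[key] = re.sub(r'\\(["\\])', r"\1", m.group(1))
    return defaults

def audit(reg_text):
    """Return findings for missing or altered executable associations."""
    d, findings = parse_defaults(reg_text), []
    for ext, cls in EXPECTED_EXT.items():
        got = d.get("hkey_classes_root\\" + ext)
        if got is None:
            findings.append(f"{ext}: no association in export")
        elif got.lower() != cls:
            findings.append(f"{ext}: mapped to {got!r}, expected {cls!r}")
        cmd = d.get(f"hkey_classes_root\\{cls}\\shell\\open\\command")
        if cmd is None:
            findings.append(f"{cls}: open command missing")
        elif cmd != EXPECTED_CMD:
            findings.append(f"{cls}: open command is {cmd!r}")
    return findings

# Constructed sample export (placeholder path, not taken from a real system).
SAMPLE = r'''REGEDIT4

[HKEY_CLASSES_ROOT\.exe]
@="winfile"
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\placeholder\\helper.exe \"%1\" %*"
[HKEY_CLASSES_ROOT\.com]
@="comfile"
[HKEY_CLASSES_ROOT\comfile\shell\open\command]
@="\"%1\" %*"
'''

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

Any finding for exefile means the association should be restored with one of the methods above before, not after, the file it points to is deleted.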
