There is a virus in my computer, the icon becomes bigger, and the EXE files change color.


W32/HLLP.Philis.g is a virus that has been spreading widely recently. Many friends' Internet cafes have been wrecked by it, with large numbers of machines frozen and paralysed. I searched many virus descriptions and compared them with the samples I collected, and found it to be extremely serious; its level of harm is comparable to the top ten Lovgate variants worldwide. The virus spreads over the network with a propagation cycle of 3 minutes: a freshly installed system in an infected network environment will be caught within 3 minutes of going online. Once hit, you cannot repair the system by installing antivirus software such as Rising, Skynet, Symantec, McAfee, Gate, Rfw.exe, RavMon.exe, KILL or NAV. The virus file Logo1_.exe is the main body; when it attacks it automatically generates files such as SWS32.DLL, SWS.DLL and KILL.EXE. Once these files are dropped, it quickly infects core system processes such as EXPLORER.EXE and every .exe executable. Its typical symptom is that the icons of games such as Legend and Bubble Hall change colour. By then the available system resources are extremely low. The virus attacks once on every restart, and after about 5 restarts the system basically collapses.

The virus is fatal to Internet cafes with weak awareness of prevention. Dedicated removal tools have not caught up with it, and it spreads over the network very quickly and effectively. Old antivirus software cannot detect it and new versions cannot fully eradicate it. Once machines in an Internet cafe are infected, every uninfected machine in the cafe is in danger. Because the virus resides in memory when it attacks and spreads through EXPLORER.EXE, even machines with a restore wizard or a restore card will be infected. Restarting restores the system, but as soon as it is back online it is infected again.

When Logo1_.exe (W32/HLLP.Philis.g) attacks, it generates several other viruses, such as PWSteal.Lemir.Gen and Trojan.PSW.Lineage. These are all powerful backdoor programs, similar to plug-in viruses but more than 50 times as powerful. On the Win98 platform the threat from the virus's modifications is relatively small; on Win2000/XP/2003 it is fatal to an Internet cafe system.

The technical report on this virus follows. (Support it and bump the thread.)

Virus name: W32/HLLP.Philis.g (per the test results of the well-known antivirus McAfee; other antivirus software detects it as a Trojan horse).

Virus type: Trojan horse program

Virus length: random

Affected systems: Windows 98/NT/2000/XP/2003.

Virus characteristics:

1. If you run Logo1_.exe manually, your system is finished. The operating system becomes extremely sluggish, and after a reboot you will find every .exe program infected. Even after killing it with the latest antivirus software, the system barely works and nothing else will run.

Logo1_.exe, the virus body, is placed in the C:\winnt directory. KILL.EXE, sws32.dll and the other files are all generated after the virus attacks.

2. Generate virus files

After running, the virus copies itself and generates virus files under c:\winnt. The file names vary and differ between variants. There seem to be five in total: three .exe and two .dll files. One of them is KILL.EXE; I can't remember the rest in detail.

3. Modify the registry

The virus modifies the Winlogon item under [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\system.ini\boot] and the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, and adds a value of the form name=%System%\file under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices (the name and the file vary), so that the virus runs automatically when the system starts.

4. Steal passwords

The virus attempts to steal the login password of the online game Legend 2 from the infected computer and sends it to whoever planted the Trojan.

5. Stop the following antivirus software

The virus attempts to terminate the following processes, most of which belong to antivirus software, including Kingsoft Internet Security, Kaspersky, Rising and others; 98% of the antivirus software in use.

Once infected, the domestic products get killed by the virus: it is the virus killing the antivirus, e.g. Kingsoft and Rising. Which software can recognise the virus? It can, but it gets killed shortly after recognising it. I'm on my own.

Everyone supports domestic products, but there is no way to support them for computers and phones. Depressing ~~~

The processes are as follows:

Rising

Skynet

Symantec

McAfee

Gate

Rfw.exe

RavMon.exe

KILL

NAV

KAV

Finally, the solutions below are all from my own personal experience; please add to them.

First download the antivirus software you consider best, but do not install it yet; installing now is pointless, since any software gets infected soon after installation. Kingsoft, Rising, Jiangmin and the like are not recommended here; I recommend Kaspersky and my favourite, McAfee.

First, set the system to show hidden files, because the virus disguises itself with the hidden attribute and cannot be seen without this setting. To set it:

Open "My Computer";

Open the Tools menu, then Folder Options;

Switch to the View tab in the Folder Options dialog box;

Remove the check mark in front of "Hide protected operating system files (recommended)" so that it is not selected;

In the "Advanced settings" list below, change the option "Do not show hidden files and folders" to "Show all files and folders";

Remove the check mark before "Hide extensions for known file types" so that it is not selected;

Finally, click OK.

Second, modify the registry.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\system.ini\boot]

Winlogon item

Delete the C:\WINNT\SWS32.DLL appended after the Winlogon item.

Next, under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (or RunOnce) an entry has also been created for

C:\WINNT\SWS32.dll

Delete all of the above. Be careful not to delete the (Default) value (if you do, you bear the consequences).

Three. End the processes

Press Ctrl+Alt+Del to bring up Task Manager and find the SWS32 process. I can't remember the exact name; in any case I killed every process I had not seen before! There are a few rare ones, things like AUS***; kill them all. Find the EXPL0RER.EXE process (note that the fifth letter is the digit 0, not the letter O), select it and click "End Process" to end this Trojan process. Then move quickly to the next step: if you are slow, the Trojan may recover and run again, so that the other Trojans cannot be deleted.

◆ If the EXPL0RER.EXE process runs again, you need to redo this step.

Four. Install antivirus software

Do not restart after installation (remember this); update the virus database directly. After updating, delete all the virus files in the C:\winnt directory, then run the antivirus software and start scanning.

After the scan there will still be a few things the antivirus software cannot delete. Write down their names; they differ between systems, so I cannot list them here. Note them down yourself.

Scan again after restarting. Remember to end the suspicious processes first, otherwise the antivirus software cannot clean up. Most importantly, set the files the antivirus software cannot remove to be deleted. Generally 3-5 rounds of scanning are needed.

Five. Check the system after the scan

Many system files will be missing and the system is in a dangerous state. If you have a backup, restore it now and the system will be clean and complete. If not, run the SFC command to check the system files. Specifically: Run, enter CMD to get a DOS prompt, enter SFC /scannow, insert the system CD when prompted, and then wait patiently.

Looking at the results, the scan is effective and the infection is cleaned, but many games will not run afterwards. After all that work I don't know what it was for. Depressing. So then reinstall the system. After all, what got infected is the Internet cafe's system.

PS: If the virus has not broken out, it can be completely removed. If it has already attacked, don't bother disinfecting; just move on.

In just 28 hours I received three phone calls from Internet cafe owners... Being a technician is really hard...

This is the first time I have written such a long document. After a year and a half of being busy and a year and a half of lurking, I am back in the role of a technician (I once posted a job post, but PS, I'm not the boss; the recruitment was for a friend. I'm also a net admin, a colleague and friend of everyone here). Lovgate, Lovgate variants, FunLove variants and similar viruses once brought my friend's Internet cafe to a standstill. That is the state of the industry. The purpose of writing this article is to hope that all colleagues will work together on prevention. You'd best write an immunization patch yourself. I hope everyone's skills keep improving ~~~ Netstar Blessing College

A net admin who is happy every day.

PS: When building the system, turn off the default shares: close IPC$ and ADMIN$, close 554, close ICMP routing. Set passwords for all members of the Administrators group, preferably digits plus letters (the Lovgate virus can crack simple passwords and spreads quickly and widely). Turn off these services and add antivirus software, and Logo1_.exe basically won't get you. But if it is a batch of machines, advise customers not to use antivirus software such as Card 8. Unplug the network cable while building the disk image, and install the restore wizard quickly once it is done. Why quickly? I needn't say.

My hard-working hands are sore... the sky has unwittingly lit up... When reposting, I hope everyone will cherish the fruits of my labour.

Continuing. After a period of observation I found an immunization patch for the virus (only for machines that are not infected, or infected but not yet attacked). It's actually quite simple: you only need to delete the virus file logo1_.exe every time the computer starts, and even an infected machine can be saved. This way I saved 180 machines in two Internet cafes, and so far everything is normal.

The Logo1_.exe immunization patch is made as follows:

1. Write a batch file that automatically deletes logo1_.exe at startup. Even if the machine is infected, the virus is deleted at every boot and never breaks out.

The contents of the batch file are as follows:

del c:\winnt\logo1_.exe    (just this one line; write it in Notepad, then save it as a .bat file)

2. Set the batch file to run automatically at startup.

Modify the registry to add the following items

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"auto"="E:\\online game\\auto.bat"

Open Group Policy:

Run gpedit.msc

User Configuration > Administrative Templates > System > Don't run specified Windows applications.

Click Enabled, then click Show and add logo1_.exe.

This prevents the Logo1 virus from running and attacking.

Save the text above as a .REG file and import it into the registry. The path {E:\\online game\\auto.bat} is the location of the batch file you just wrote; this is very important.

All right, that's it. You can go to bed... Don't be afraid of that damn Logo1_.exe any more.

One more point. If the virus has already broken out on your computer, don't bother saving it; just make a new image.

If it has not attacked, you can save the computer with the methods above. The way to judge is whether the online game icons have changed colour, and whether the C:\winnt directory contains files like KILL.exe, sws.dll and sws32.dll.

Repost ~ I forgot which post it came from ~ Infected friends, give it a try ~ I'm also a net admin ~ But in our Internet cafe this virus has already spread ~ it can't be solved with this ~ if it hasn't spread yet, try it ~
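As an added example (not part of the original post or the reposter's note), the following Python script turns the indicators listed in the post into a check a technician could run over evidence collected from a suspect machine: the dropped file names in C:\WINNT (logo1_.exe, KILL.EXE, sws.dll, sws32.dll), autorun entries under the Run/RunOnce/RunServices and IniFileMapping\system.ini\boot keys whose data points at those files, and the look-alike process name EXPL0RER.EXE with a digit zero in place of the O. The three inputs are constructed for the example (a dir /b style listing, a .reg export, a task list); the substitution table beyond 0-for-O and the list of system process names are my assumptions, not from the post.

```python
import re

# File names the post associates with the infection (from the post).
SUSPECT_FILES = {"logo1_.exe", "kill.exe", "sws.dll", "sws32.dll"}

# Autorun keys the post says the virus writes to (from the post), lower-cased
# because .reg exports may mix case.
AUTORUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runonce",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
    r"hkey_local_machine\software\microsoft\windows nt\currentversion"
    r"\inifilemapping\system.ini\boot",
}

# Digit-for-letter look-alikes. The post gives EXPL0RER.EXE (zero for O);
# the other substitutions and the process list are my assumptions, not from the post.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})
SYSTEM_PROCESSES = {"explorer.exe", "winlogon.exe", "lsass.exe",
                    "svchost.exe", "services.exe", "csrss.exe"}


def suspect_files_in(listing):
    """Names from a `dir /b C:\\WINNT` style listing that match the indicators."""
    return [n.strip() for n in listing.splitlines()
            if n.strip().lower() in SUSPECT_FILES]


_VALUE_RE = re.compile(r'^(@|"[^"]*")=(.*)$')


def suspect_autoruns(reg_text):
    """Parse a .reg export and return (key, value_name, data) for every value
    under an autorun key whose data mentions one of the suspect files."""
    hits, key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = _VALUE_RE.match(line)
        if key is None or m is None or key.lower() not in AUTORUN_KEYS:
            continue
        name = m.group(1).strip('"') or "@"
        data = m.group(2).strip('"').replace("\\\\", "\\")  # undo .reg escaping
        if any(f in data.lower() for f in SUSPECT_FILES):
            hits.append((key, name, data))
    return hits


def spoofed_processes(process_names):
    """Flag process names that are one of the suspect files, or that are not a
    system process name as written but become one after undoing
    digit-for-letter substitutions (EXPL0RER.EXE -> explorer.exe)."""
    flagged = []
    for raw in process_names:
        name = raw.lower()
        looks_like = name.translate(HOMOGLYPHS)
        if name in SUSPECT_FILES or (
                name not in SYSTEM_PROCESSES and looks_like in SYSTEM_PROCESSES):
            flagged.append(raw)
    return flagged


# Constructed sample inputs mirroring the post's description (not real captures).
SAMPLE_DIR_B = "explorer.exe\nnotepad.exe\nLogo1_.exe\nKILL.EXE\nsws32.dll\nwin.ini\n"

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RavMon"="C:\\Program Files\\Rising\\Rav\\RavMon.exe"
"auto"="E:\\online game\\auto.bat"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"sws"="C:\\WINNT\\SWS32.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\system.ini\boot]
"Shell"="SYS:Microsoft\\Windows NT\\CurrentVersion\\Winlogon C:\\WINNT\\SWS32.DLL"
"""

SAMPLE_PROCESSES = ["System", "smss.exe", "winlogon.exe", "explorer.exe",
                    "EXPL0RER.EXE", "KILL.EXE", "RavMon.exe"]


def scan(dir_listing=SAMPLE_DIR_B, reg_text=SAMPLE_REG, processes=SAMPLE_PROCESSES):
    """Run all three checks; a non-empty list anywhere means: do not trust the box."""
    return {
        "files": suspect_files_in(dir_listing),
        "autoruns": suspect_autoruns(reg_text),
        "processes": spoofed_processes(processes),
    }


if __name__ == "__main__":
    for check, findings in scan().items():
        print(f"{check}: {findings}")
```

The registry check matches the suspect names anywhere in the value data rather than only at the end, because the post describes SWS32.DLL being appended after the existing Winlogon entry rather than replacing it; the process check deliberately reports the look-alike while leaving the genuine explorer.exe alone, which is the distinction the post's "fifth letter is a zero" note asks the technician to make by eye.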