After turning on my XP desktop yesterday, some icons became distorted and discolored.


I was accidentally infected by this virus last time~

Suddenly there were a lot of extra processes in the process list:

sy1.exe

sy2.exe

sy3.exe

sy4.exe

winxp.exe

logo_1.exe

Let's talk about how to remove this virus.

Solution and immune patch for the Logo1_.exe (W32/HLLP.Philis.g, trojan.pwsteal.gen) virus!

The W32/HLLP.Philis.g virus has been fairly common recently, and as a result many friends' Internet cafes have been damaged by it, with large-scale freezes and paralysis of their computers. I examined many viruses and compared them with the samples I had collected, and found this one to be extremely abnormal; its degree of harm is comparable to the world's top ten Love Backdoor variants. The virus spreads over the network with a propagation period of 3 minutes: if a freshly built system is placed in an infected network environment, it will be infected within 3 minutes of going online.

After being infected, even if you install Rising, SkyNet, Symantec, McAfee, Gate, Rfw.exe, RavMon.exe, KILL, NAV or other anti-virus software, your system cannot be rescued. Logo1_.exe is the main virus file; when it runs it drops the files it needs, such as SWS32.DLL, SWS.DLL and KILL.EXE. Once these files are dropped, it quickly infects core system processes such as EXPLORER.EXE and every .exe executable on the system. Typical symptoms are discolored icons of games such as Legend and Bubble Hall. At this point almost no system resources are free. The virus attacks on every restart, and after 5 restarts the system will basically be unusable.

This virus is very deadly to Internet cafes with weak prevention awareness and no restore software properly in place. It spreads over the network very quickly and effectively. Old versions of anti-virus software cannot detect it, and new versions cannot completely eradicate it. Once one machine in an Internet cafe is infected, every uninfected machine in the cafe is in danger, because the virus attack lives in memory and spreads through EXPLORER.EXE. So even a machine with a restore wizard or restore card installed will still be infected: the system is restored when you restart, but it is infected again as soon as it comes back up.

The logo1_.exe (W32/HLLP.Philis.g) attack also generates several other viruses, such as PWSteal.Lemir.Gen and trojan.psw.lineage. They are all very powerful backdoor programs. It resembles a plug-in (game cheat) virus, but its power is more than 50 times that of a plug-in virus. On the WIN98 platform the harm done by the virus is relatively small; on the WIN2000/XP/2003 platform it is fatal to Internet cafe systems.

The technical report on this virus is as follows:

Virus name: W32/HLLP.Philis.g (the detection result of the well-known anti-virus software McAfee; other anti-virus software detects it as a Trojan)

Virus type: Trojan program

Virus length: random

Affected systems: Windows 98/NT/2000/XP/2003

Virus characteristics: if you run logo1_.exe manually, your system is GAMEOVER. After restarting you will find the system extremely sluggish, and every .EXE program of your games infected. After cleaning them with the latest anti-virus software they can barely run.

1. The virus body lives in the C:\winnt directory as logo1_.exe; KILL.EXE, sws32.dll and the other files are created after the virus attacks.

2. Generated virus files

After the virus runs, it copies itself under c:\winnt and generates its virus files. The file names vary from variant to variant. It seems there are 5 files in one ***, of which 3 are .exe and 2 are .DLL files, including KILL.EXE and so on. I can't remember exactly.

3. Modifies the registry

The virus modifies the registry: under [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\system.ini\boot] (the winlogo item), under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices it adds a value pointing at its file under %System% (both the value name and the file name vary), so that the virus runs automatically the next time the system starts.

4. Steals passwords

The virus attempts to log in to the online game Legend 2 on the infected computer, steal the password, and send it to the person who planted the Trojan.

5. Prevents the following anti-virus software from running

The virus attempts to terminate the following processes, most of which belong to anti-virus software, including Kaspersky, Kingsoft Duba, Rising and others, covering 98% of the anti-virus software in use.

Domestic software is killed by the virus once the machine is poisoned: it is the virus that kills the anti-virus software. Kingsoft, Rising and the like can recognize the virus, but they are killed shortly after recognizing it. I have always supported domestic products, but when it comes to computers and mobile phones I cannot. Depressed~~~

The processes are as follows:

rising

SkyNet

Symantec

McAfee

Gate

Rfw.exe

RavMon.exe

kill

NAV

KAV

Finally, I would like to say that these solutions are based on my personal experience. If there are any shortcomings, please add to them.

First download the anti-virus software you think is best, but do not install it yet. Even if you install it now, it is installed in vain: all software becomes infected soon after installation. Kingsoft, Rising, Jiangmin, SPANT, etc. are not recommended here. I recommend Kaspersky version 5.0 and my favorite, McAfee anti-virus.

1. Please set the system to "Show hidden files" first, because the virus files carry the hidden attribute and you will not be able to see them without this setting. The steps are as follows:

Open "My Computer";

Open the menu "Tools / Folder Options";

Switch to the "View" tab in the "Folder Options" dialog box that pops up;

Remove the check mark in front of "Hide protected operating system files (Recommended)";

In the "Advanced settings" list box below, change the "Do not show hidden files and folders" option to "Show all files and folders";

Remove the check mark in front of "Hide extensions for known file types";

Finally click "OK".

2. Modify the registry

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\system.ini\boot] winlogo item

In the WINLOGO item, delete the C:\WINNT\SWS32.DLL that follows it (meaning: delete it ^_^).

Next, check the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, RunOnce and RunOnceEx keys; one of them also contains C:\WINNT\SWS32.dll.

Delete every entry like the ones above. Be careful not to delete the (Default) value (you are responsible for the consequences if you do).
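Before editing the registry by hand, it helps to list every autorun value that points at one of the files named in this post. The Python script below is an added example, not part of the original post: it parses a registry export (the .reg text produced by Regedit's Export or reg export, decoded from UTF-16 first) for the Run, RunOnce, RunOnceEx, RunServices and system.ini boot mapping keys and reports values whose data references logo1_.exe, sws32.dll, sws.dll or kill.exe. The sample export is constructed.

```python
import re

# Autorun keys this post says the virus writes to, plus RunOnce/RunOnceEx from the removal step above
AUTORUN_KEYS = {k.lower() for k in (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\system.ini\boot",
)}
# File names this post attributes to the virus
INDICATOR_FILES = {"logo1_.exe", "sws32.dll", "sws.dll", "kill.exe"}

_SECTION = re.compile(r"^\[(.+)\]$")
_VALUE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

def find_suspicious_autoruns(reg_text):
    """Return (key, value name, data) for autorun values whose data names an indicator file."""
    hits = []
    current = None  # the autorun key we are currently inside, or None
    for raw in reg_text.splitlines():
        line = raw.strip()
        section = _SECTION.match(line)
        if section:
            current = section.group(1) if section.group(1).lower() in AUTORUN_KEYS else None
            continue
        value = _VALUE.match(line) if current else None
        if not value:
            continue
        name = "(Default)" if value.group(1) == "@" else value.group(1).strip('"')
        # .reg files double every backslash; undo that before splitting the path
        data = value.group(2).strip().strip('"').replace("\\\\", "\\")
        # check every path-like token, so data such as "Explorer.exe C:\WINNT\SWS32.DLL" is caught too
        basenames = [t.strip('"').rsplit("\\", 1)[-1].lower() for t in data.replace(",", " ").split()]
        if any(b in INDICATOR_FILES for b in basenames):
            hits.append((current, name, data))
    return hits

# Constructed sample export (not a real capture); "auto" is the benign immune-patch entry from this post
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
@=""
"auto"="E:\\Online Games\\auto.bat"
"svc"="C:\\WINNT\\SWS32.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\system.ini\boot]
"winlogo"="Explorer.exe C:\\WINNT\\SWS32.DLL"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"startup"="%System%\\logo1_.exe"
'''
```

Run `find_suspicious_autoruns(open("export.reg", encoding="utf-16").read())` against a real export; the (Default) value and the immune-patch "auto" entry are left alone, only the three indicator references are reported.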

3. End the process

Press Ctrl+Alt+Del to bring up Task Manager and find the SWS32 process. I can't remember the name clearly; anyway, kill the process you see the most of!!!! There are also several rarely seen processes; kill anything like AUS*** or similar. Find the EXPL0RER.EXE process (note that the fifth letter is the digit 0, not the letter O), select it and click "End Process" to end the Trojan process. Then do the next step quickly, because if you are slow the Trojan may recover and run again, so that the other Trojan files cannot be deleted (if the EXPL0RER.EXE process runs again, you need to redo this step).
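The Task Manager step above depends on spotting a digit 0 standing in for the letter O. As an added example (not from the original post), the Python script below applies that check to the output of tasklist /FO CSV (assumed to be available, as on XP Professional): it flags image names that only match a core Windows process after such character substitutions, and also flags the process names listed at the top of this post. The list of core process names beyond explorer.exe is an assumption, and the sample output is constructed.

```python
import csv
import io

# Core Windows processes a Trojan is likely to imitate. The post only names EXPL0RER.EXE;
# the other entries are an added assumption for generality.
LEGITIMATE = {"explorer.exe", "svchost.exe", "winlogon.exe", "lsass.exe", "csrss.exe", "services.exe"}
# Process names this post lists for the infection (sy1-sy4, winxp, the logo variants, kill)
KNOWN_BAD = {"sy1.exe", "sy2.exe", "sy3.exe", "sy4.exe", "winxp.exe",
             "logo_1.exe", "logo1_.exe", "kill.exe"}
# Characters typically swapped in so a fake name reads like the real one (0 for o, 1 or | for l, 5 for s)
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "|": "l", "5": "s"})

def classify(name):
    """Verdict for one image name: known-bad, lookalike, ok, or unknown."""
    lower = name.lower()
    if lower in KNOWN_BAD:
        return "known-bad"
    if lower in LEGITIMATE:
        return "ok"
    if lower.translate(HOMOGLYPHS) in LEGITIMATE:
        return "lookalike"
    return "unknown"

def flag_processes(tasklist_csv):
    """Parse `tasklist /FO CSV` output; return (image name, pid, verdict) for suspect processes."""
    flagged = []
    for row in csv.DictReader(io.StringIO(tasklist_csv)):
        verdict = classify(row["Image Name"])
        if verdict in ("known-bad", "lookalike"):
            flagged.append((row["Image Name"], int(row["PID"]), verdict))
    return flagged

# Constructed sample of `tasklist /FO CSV` output (not a real capture)
SAMPLE_TASKLIST = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"System Idle Process","0","Console","0","28 K"
"explorer.exe","1532","Console","0","14,212 K"
"EXPL0RER.EXE","1640","Console","0","3,104 K"
"svchost.exe","880","Console","0","4,420 K"
"sy1.exe","1988","Console","0","1,208 K"
"RavMon.exe","2044","Console","0","9,880 K"
'''

if __name__ == "__main__":
    for name, pid, verdict in flag_processes(SAMPLE_TASKLIST):
        print("%-20s pid=%-6d %s" % (name, pid, verdict))
```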

4. Install anti-virus software

After installation, do not restart (remember this); update the virus database directly. After the update, delete all the virus files in the C:\winnt directory, then run the anti-virus software and start scanning.

After the scan there will be a few files the anti-virus software cannot delete; write their names down, because they differ from system to system, so I cannot list them here.

Restart and scan again. Remember to end the suspicious processes first, otherwise the anti-virus software cannot clean the virus. Most importantly, set the anti-virus software to delete the files it cannot disinfect. Generally it takes 3-5 passes to remove the virus completely.

5. Check the system after disinfection.

Many system files will be missing and the system is in a critical state. If you have a GHOST backup, restore it now and the system will be clean and intact. If not, run the SFC command to check the system files: choose Run, enter CMD to get a DOS prompt, enter SFC /scannow, insert the system CD when prompted, and then wait.

Looking at the results, the anti-virus effect is remarkable: the virus is gone. But after killing the virus, many games cannot be played. I was so busy I didn't even know what I was doing. Depressing. Then reinstall the system. Who said it was the Internet cafe's system that was poisoned?

PS: If the virus has not yet attacked, it can be completely removed. If it has already attacked, do not bother killing it; just restore the system directly.

In just 28 hours I received three calls from Internet cafe owners... Being a technician is hard work...

This is the first time I have written such a long piece. It comes after a year and a half of busy work and a year and a half of lurking; I am returning to my role as a technician (I used to post a lot of recruitment posts, but PS, I'm not the boss; I recruit people for my friends. I'm still a network administrator and everyone's colleague and friend). Love Backdoor and its variants, the FUNLOVE variant and other viruses once put my friend's Internet cafe out of business for a time. The purpose of writing this article is to hope that everyone can work together on prevention. It's best to write an immune patch yourself. I hope everyone's skills keep improving.

PS: Turn off the default *** shares when building the system. Close IPC$ and ADMIN$. Close 554. Close ICMP routing. Set passwords for all members of the ADMINISTRATOR group.

It is best to include both digits and letters (the Love Backdoor virus can crack simple passwords and spread quickly on a large scale). Turn off these services and run anti-virus software, and you are basically covered against LOGO1.exe. However, if you are wiping disks in batches, the client computers should not use anti-virus software such as Kaspersky. Unplug the network cable while wiping the disk, and install the restore wizard quickly once the disk is restored. I don't need to tell you why you need to be quick.

My hands are sore from writing so much. The sky has turned bright without my realizing it. When reposting, I hope everyone will respect the fruits of my labor.

Continued from above. After a period of observation, I found an immune patch against the virus (only applicable to machines not yet infected, or infected but not yet attacked). It is actually very simple: just delete the virus file LOGO1_.exe every time you turn on the computer. Then even machines infected with the virus can be rescued. Using this method I saved 180 machines in 2 Internet cafes. So far so good.

The LOGO1_.exe immune patch is made as follows:

1. Write a batch file that automatically deletes logo1_.exe when the computer boots, so that even if the machine is infected, the virus is deleted automatically at boot and can never strike.

The content of the batch file is as follows (the attrib line clears the hidden, system and read-only attributes first, because del skips hidden files and the virus file is hidden):

attrib -r -h -s c:\winnt\logo1_.exe
del /f /q c:\winnt\logo1_.exe

(Just these two lines. Write them in Notepad and save the file as a .bat batch file.)

2. Set the batch file to run automatically at boot

Modify the registry and add the following item (please refer to the enterprise version):

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"auto"="E:\\Online Games\\auto.bat"

Save the text above as a .REG file and import it into the registry. E:\\Online Games\\auto.bat is the path of the batch file you just wrote; change it to match where you saved yours.

That's it. Now you can sleep peacefully and not be afraid of the nasty LOGO1_.exe.

I would like to emphasize again: if the virus has already attacked on your computer, it is better not to try to save it... just restart your computer.

If it has not attacked, you can use the method above to save your computer.