(In fact, Windows 2000 and XP do have this process legitimately, but its path is c:\winnt\system32; you can use the Process Explorer tool to check the path.)
It writes a file to drive D:. The file can be deleted, but it is regenerated automatically after deletion.
1. I restored the system-disk image and booted into the system, only to find that I was still infected.
2. I checked the registry startup entries. Run contained a loader entry tprogram=c:\windows\ which could be deleted, but after a reboot it was back in the registry!
3. I downloaded the latest version of * Casino. Installation completed, but the *s could not be activated and the virus database could not be loaded.
4. I switched to Trojan Horse Scavenger. After installation it also could not start; the message said the virus database could not be loaded because of c:\windows\
5. I installed NOD32 antivirus; on startup it reported that it could not scan.
6. I booted into safe mode and installed * Nemesis; the problem remained.
7. I booted into DOS and deleted it. After a restart the virus regenerated itself. Depressing.
8. I formatted and reinstalled the system, and the virus was still there!
9. After using DM to delete the partition, repartition, format and reinstall the system, the virus was finally gone!
The following information about the virus was collected online and is provided here; I hope it helps you prevent and deal with it.
Journey banner icon Trojan horse
There are said to be new "perverted" *s,
Main program: %Windows%\
Icon: Journey Banner Icon
Files:
%Windows%\
%Windows%\(EXE association)
%Windows%\
%Windows%\
%Windows%\
%Windows%\
%Windows%\Debug\
%Windows%\Debug\
%System%\
%System%\
%System%\
%System%\
%System%\
%System%\
%ProgramFiles%\Internet Explorer\
%ProgramFiles%\Common Files\
D:\
D:\
Startup items created:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TProgram"="%Windows%\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Runservices]
"TProgram"="%Windows%\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"=" 1"
EXE file association changed to:
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\winfiles]
Rival (security-software) processes it kills, by name pattern:
TROJDIE*
KPOP*
*ASSISTSE*
KPFW*
AGENTSVR*
KREG*
IEFIND*
IPARMOR*
UPHC*
RULEWIZE*
FYGT*
RFWSRV*
RFWMA*
One way to remove it...
1. Run and
2. Use ProceXP to end the %Windows%\ process; pay attention to the path and the icon.
3. Use SREng to restore the EXE file association.
Steps 1, 2 and 3 must be done in this order; do not reverse them.
4. Then you can delete the files and startup items...
Startup items to delete:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TProgram"="%Windows%\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Runservices]
"TProgram"="%Windows%\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"=" 1"
Change it to:
"Shell"=""
The files to delete are the ones listed at the beginning; just be careful not to delete the wrong ones.
5. Finally, open the registry editor and restore the modified information:
Find "", and change the found "" to "";
Find "", "", "", and change the found "", "", and "" to "";
Find "", and change the found "" to "";
Find "", and change the found "", together with its path, to the normal IE path and file name, such as "C:\Program Files\Internet Explorer\".
These are mainly in the following locations:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.bfc
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.lnk\
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\cplfile
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Drive
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\dunfile
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ftp
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\htmlfile
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\htmlfile
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\htmlfile
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\HTTP
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\inffile
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\InternetShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\scrfile
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\scriptletfile
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\telnet
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Unknown
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet
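A read-only audit of the persistence points described above, added here as an example; it is not part of the original post or of any tool it names. It assumes the Windows 2000/XP defaults (explorer.exe for the Winlogon Shell, exefile for the .exe class, "%1" %* for its open command) and takes the TProgram value name and the winfiles class from the post; run it as an administrator and review what it reports before changing anything.

```powershell
# Added audit script (not from the original post). Reports deviations from the
# Windows 2000/XP defaults at the locations this Trojan is said to modify.
# It only reads the registry; cleaning is left to the steps described above.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name          # Name '(default)' selects the key's default value
}

function Test-TrojanPersistence {
    $findings = @()

    # 1. Values that must match a known default (Winlogon Shell, EXE association).
    #    PowerShell's -ne is case-insensitive, so "Explorer.exe" also passes.
    $expected = @(
        @{ Path='HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name='Shell';     Want='explorer.exe' },
        @{ Path='HKLM:\SOFTWARE\Classes\.exe';                                 Name='(default)'; Want='exefile' },
        @{ Path='HKLM:\SOFTWARE\Classes\exefile\shell\open\command';           Name='(default)'; Want='"%1" %*' }
    )
    foreach ($e in $expected) {
        $got = Get-RegValue -Path $e.Path -Name $e.Name
        if ($got -ne $e.Want) {
            $findings += [pscustomobject]@{ Check='Tampered value'; Location="$($e.Path)\$($e.Name)"; Value=$got; Expected=$e.Want }
        }
    }

    # 2. The hijack class named in the post; a clean system does not have it.
    if (Test-Path 'HKLM:\SOFTWARE\Classes\winfiles') {
        $findings += [pscustomobject]@{ Check='Unexpected class'; Location='HKLM:\SOFTWARE\Classes\winfiles'; Value='present'; Expected='absent' }
    }

    # 3. Autostart values. RunServices is normally absent on 2000/XP, so any
    #    entry there is suspicious; the PS* properties are provider metadata.
    foreach ($run in 'Run','RunServices') {
        $path = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\$run"
        $item = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
        if ($null -eq $item) { continue }
        foreach ($p in $item.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }) {
            $check = if ($p.Name -eq 'TProgram') { 'Known Trojan autostart' } else { 'Autostart entry (review)' }
            $findings += [pscustomobject]@{ Check=$check; Location="$path\$($p.Name)"; Value=$p.Value; Expected='' }
        }
    }
    return $findings
}

Test-TrojanPersistence | Format-Table -AutoSize
```

Because the Trojan rewrites these keys while its process is alive, an audit that comes back clean only after the process has been ended (step 2 above) confirms the order of steps the post insists on.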