SoFunction
Updated on 2025-04-09

Finally found the complete solution to the virus

It is the virus whose process shows up in Task Manager, called worm. (Duff)!

The symptoms of this virus are:
1. Breaks safe mode
2. Hidden files cannot be shown
3. Terminates common antivirus software and commonly used security tools
4. Monitors window titles
5. Image hijacking (IFEO)
6. Spreads through removable storage

After the virus runs:
It drops a dll and a dat file with the same base name as the executable under C:\Program Files\Common Files\Microsoft Shared\MSInfo\
That is: C:\Program Files\Common Files\Microsoft Shared\MSInfo\
The dll is injected into the Explorer process.
It ends (including but not limited to) the following processes:
KVMonXP_1.kxp
KvXP_1.kxp
It kills common antivirus software and some security tools.
Then it image-hijacks those executables through IFEO (Image File Execution Options), so that launching any of them runs the file under c:\program files\common files\microsoft shared\msinfo\ instead.

It monitors window titles for the following words (English glosses of the Chinese title strings); any window whose title contains one of them is closed immediately:
*
Trojan
Virus
Antivirus
Virus kill
Virus scan
Anti-virus
Anti-virus
Special kill
Special kill
Kaspersky
Jiangmin
Rising
Kaka Community
Kingsoft Antivirus
Kingsoft Community
360 Security
Malware
Rogue Software
Report
Alert
AV (short form)
AV software
Defense

All of the above window monitoring and closing is done by the dll under C:\Program Files\Common Files\Microsoft Shared\MSInfo\ that has been injected into Explorer.
More vicious than Panda Burning Incense: there is no separate process for you to find.
It then adds the following entry under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
<{15BD4111-4111-5BDD-115B-111BD1115BDD}><C:\Program Files\Common Files\Microsoft Shared\MSINFO\> [N/A]
so that it is loaded at every startup (a ShellExecuteHooks entry is a classic autostart: the shell loads that CLSID's dll whenever ShellExecute is called).
And the dll watches this registry entry and restores it immediately if it is deleted.

It deletes the keys
HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}
HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}
which breaks safe mode ({4D36E967-E325-11CE-BFC1-08002BE10318} is the DiskDrive device class; without it safe mode cannot load the disk driver and will not start).

It sets HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue = 0x00000000
so that hidden files cannot be shown (ticking "Show hidden files and folders" then writes 0, i.e. the option is silently ignored).

It also drops a file whose name varies from computer to computer, together with a companion file, onto every partition except the system partition, which is how it spreads via removable storage.


It then downloads a self-extracting archive through the Explorer process into the temporary folder.
The self-extracting archive drops into C:\WINDOWS\system\ files such as
C:\WINDOWS\system\
C:\WINDOWS\system\DiskFree_hy1.
C:\WINDOWS\system\ and others,
among which are drivers and rogue software.
After all of these have run,
the following files have been added:

C:\WINDOWS\system32\drivers\ (4 entries)
C:\WINDOWS\system32\ (28 entries, including C:\WINDOWS\system32\48a69)
C:\WINDOWS\ (4 entries)
C:\Program Files\Internet Explorer\PLUGINS\ (2 entries)
Two programs are also installed: one is ad-push software, the other is DiskFree.


========================================================== 

How to remove the virus


First: open Task Manager and end the virus process.
Second: open C:\Program Files\Common Files\Microsoft Shared\MSInfo
Since Explorer will not show it, start WinRAR first, then File --> Open and go up one level at a time until you reach that directory. In msinfo there is an exe with an eight-character name, such as: . Delete it.
Third: restart.
Fourth: open the registry editor (Start --> Run --> regedit --> Enter).
Under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options you will find subkeys for the antivirus programs that were disabled. Delete the subkeys named after your antivirus software and it will run again.
Fifth: run the antivirus software on your machine, update it, do a full scan, and that's it.
The virus is called worm. (Duff). There may be variants, in which case the trailing cc becomes something else.
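As an added example (not from the original post, and not the virus's or any vendor's code), here is a small Python triage script that checks an offline `reg export` dump for the four registry indicators described above: IFEO Debugger entries pointing into the MSInfo directory, the {15BD4111-4111-5BDD-115B-111BD1115BDD} ShellExecuteHooks entry, the missing DiskDrive class keys under SafeBoot, and CheckedValue forced to 0. It also writes the .reg fragment that undoes them, which covers the entries the five removal steps above do not touch. The registry paths and GUIDs come from the post; the sample export inside the script is constructed, and the file name virus.exe is a placeholder for the dropped executable whose name the post does not give.

```python
"""Offline triage of a `reg export` (.reg) dump for the indicators described in
this post, plus generation of the .reg fragment that undoes them.

Added example, not code from the original post. The registry paths and the
two GUIDs come from the post; the sample export below is constructed, and
"virus.exe" stands in for the dropped executable whose name the post leaves out.
"""

MSINFO_DIR = r"c:\program files\common files\microsoft shared\msinfo"
HOOK_CLSID = "{15BD4111-4111-5BDD-115B-111BD1115BDD}"   # ShellExecuteHooks entry from the post
DISK_CLASS = "{4D36E967-E325-11CE-BFC1-08002BE10318}"   # DiskDrive device class
IFEO = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
HOOKS = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks"
SHOWALL = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL"
SAFEBOOT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot"
# The post deletes the class under ControlSet001 as well; CurrentControlSet is the live one.
SAFEBOOT_DISK_KEYS = [SAFEBOOT + "\\" + mode + "\\" + DISK_CLASS for mode in ("Minimal", "Network")]


def parse_reg(text):
    """Parse 'Windows Registry Editor Version 5.00' text into {key_path: {value_name: raw_value}}.
    Key paths keep their original case; raw values keep .reg syntax (quotes, dword:, escapes)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith(('"', "@")) and "=" in line:
            name, _, value = line.partition("=")
            keys[current][name.strip('"')] = value.strip()
    return keys


def reg_string(raw):
    """Turn a quoted .reg string value into a plain path (.reg doubles every backslash)."""
    return raw.strip('"').replace("\\\\", "\\")


def triage(keys):
    """Return [(kind, key_path, detail)] for every indicator present in the parsed export."""
    lower = {k.lower(): k for k in keys}          # registry key names are case-insensitive
    findings = []

    # 1. IFEO hijack: a Debugger value under <IFEO>\<av.exe> redirecting into the MSInfo drop dir
    for path, values in keys.items():
        vals = {n.lower(): v for n, v in values.items()}
        if path.lower().startswith(IFEO.lower() + "\\") and "debugger" in vals:
            target = reg_string(vals["debugger"])
            if target.lower().startswith(MSINFO_DIR):
                findings.append(("ifeo_hijack", path, target))

    # 2. ShellExecuteHooks: the CLSID that gets the dll loaded into Explorer at every start
    hooks_key = lower.get(HOOKS.lower())
    if hooks_key and any(n.lower() == HOOK_CLSID.lower() for n in keys[hooks_key]):
        findings.append(("shellexecutehook", hooks_key, HOOK_CLSID))

    # 3. Safe-mode sabotage: DiskDrive class removed from SafeBoot\Minimal and \Network.
    #    Absence only means something if the SafeBoot tree was part of the export at all.
    if any(k.startswith(SAFEBOOT.lower() + "\\") for k in lower):
        for key in SAFEBOOT_DISK_KEYS:
            if key.lower() not in lower:
                findings.append(("safeboot_missing", key, DISK_CLASS))

    # 4. "Show hidden files" neutered: CheckedValue forced to 0
    showall_key = lower.get(SHOWALL.lower())
    if showall_key:
        vals = {n.lower(): v for n, v in keys[showall_key].items()}
        if vals.get("checkedvalue", "").lower() == "dword:00000000":
            findings.append(("hidden_files_disabled", showall_key, "CheckedValue=0"))
    return findings


def remediation_reg(findings):
    """Emit a .reg file that reverses the findings. Import it only after the injected
    Explorer dll is gone: the post says it watches and restores the hook entry."""
    out = ["Windows Registry Editor Version 5.00", ""]
    for kind, path, detail in findings:
        if kind == "ifeo_hijack":
            out += ["[-" + path + "]", ""]                        # '[-key]' deletes the subkey
        elif kind == "shellexecutehook":
            out += ["[" + path + "]", '"' + detail + '"=-', ""]   # 'name=-' deletes one value
        elif kind == "safeboot_missing":
            out += ["[" + path + "]", '@="DiskDrive"', ""]        # default value = class name
        elif kind == "hidden_files_disabled":
            out += ["[" + path + "]", '"CheckedValue"=dword:00000001', ""]
    return "\n".join(out)


# Constructed sample export (not a real capture). A legitimate ShellExecuteHooks CLSID
# (URL Exec Hook) and an untouched SafeBoot class key are included to show they are not flagged.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvXP_1.kxp]
"Debugger"="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\virus.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{15BD4111-4111-5BDD-115B-111BD1115BDD}"=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{36FC9E60-C465-11CF-8056-444553540000}]
@="Universal Serial Bus controllers"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000000
"""

if __name__ == "__main__":
    found = triage(parse_reg(SAMPLE_EXPORT))
    for kind, path, detail in found:
        print(f"{kind:22} {path}  ->  {detail}")
    print()
    print(remediation_reg(found))
```

Run it against `reg export HKLM hklm.reg` taken on the infected machine and feed the file to `parse_reg` in place of the constructed sample. Because the injected dll restores the ShellExecuteHooks value as soon as it is deleted, import the generated .reg only after the process in MSInfo has been ended and Explorer restarted; and because the SafeBoot keys are gone, do not count on safe mode for that first step.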