SoFunction
Updated on 2025-04-13

The method of killing

The computer appeared to hang as soon as it was turned on. It was probably infected. When I opened Task Manager, I found several unknown processes and ended them one by one, but two were very stubborn and restarted automatically after being ended. I Googled and found its characteristics:

1. Once it has been implanted in the system and run successfully, it changes the .exe file association. After infection, running any .exe program activates the *. SREng running in normal Windows mode cannot repair the .exe file association!
2. The two processes protect each other (dual-process protection).
3. Once implanted, it repeatedly rewrites the * files and their add-ins (very crude).
4. If you hastily delete the * files in normal Windows mode without first repairing the .exe file association, you will be stuck after restarting! Although SREng can still be launched by changing its file extension, it still cannot fix the .exe file association, and none of your .exe programs will run.

If you encounter a ghost, you will naturally kill it

2. Manual removal procedure:
1. Boot into Safe Mode.
2. Open Notepad. Paste the following content into the Notepad window. Save as.

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000001

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
; Explorer.exe is the Windows default for this value
"Shell"="Explorer.exe"

3. Run IceSword 1.2 and use it to prohibit thread creation.
4. Use IceSword 1.2 to end the following processes:
C:\WINDOWS\
C:\WINDOWS\SYSTEM32\
5. Use IceSword to find and delete these * files.
If you opened Explorer beforehand, you can also delete the * files without IceSword. After cancelling IceSword's prohibition of thread creation and setting the folder options to show hidden files, use Explorer to find and delete those * files.
6. Double-click to import it into the registry.

[Note]: If your computer has partitions such as E, F, etc., there are also sums in the root directory of these partitions, and they must be deleted.

This is basically the method, but I didn't use IceSword; instead I used McAfee 8.5 to end the process and killed it with Task Manager, because McAfee would detect it but could not delete it (this * resides in memory, so of course it cannot be killed). After I ended this process, McAfee immediately took effect and cleared the virus file. Then I ended that one, and it was cleared out as well. I ran a full disk scan, and the viruses were all gone.
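
To confirm that the registry repair in the manual procedure took effect, the three values can be exported again and compared with their known-good data. The following is an added example, not part of the original post: it parses .reg export text and reports every value that deviates. The function names, the sample export and the file name placeholder.exe are assumptions made for illustration, and the expected Shell data is the stock Windows value, Explorer.exe.

```python
import re

# Known-good data from this page's repair file; Explorer.exe is the Windows default.
EXPECTED = {
    (r"HKEY_CLASSES_ROOT\exefile\shell\open\command", "@"): '"%1" %*',
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
     "Shell"): "Explorer.exe",
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer"
     r"\Advanced\Folder\Hidden\SHOWALL", "CheckedValue"): "dword:00000001",
}

def _unescape(s):  # .reg strings backslash-escape \ and "
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg(text):
    """Parse .reg export text into {(KEY, value_name): data}."""
    values, key = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].upper()
            continue
        m = re.match(r'(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if key is None or m is None:
            continue  # header line, blank line or comment
        name, data = m.groups()
        name = name if name == "@" else _unescape(name[1:-1])
        if len(data) >= 2 and data[0] == data[-1] == '"':
            data = _unescape(data[1:-1])
        values[(key, name.lower())] = data
    return values

def audit(text):
    """Return (key, value_name, found_data) for each value that deviates."""
    found = parse_reg(text)
    findings = []
    for (key, name), want in EXPECTED.items():
        got = found.get((key.upper(), name.lower()))
        if got is None or got.strip().lower() != want.lower():
            findings.append((key, name, got))
    return findings

# Constructed sample: an export taken before the repair. placeholder.exe is a
# made-up file name, not one taken from this page.
SAMPLE = r"""REGEDIT4
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\placeholder.exe \"%1\" %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe C:\\WINDOWS\\placeholder.exe"
"""
```

`audit(SAMPLE)` reports all three values (the SHOWALL key is absent from the sample, so its found data is `None`); an empty list means every value matches. Current Windows versions write registry exports as UTF-16, so decode the file before passing its text in.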