1. Delete the following files with XDelBox (right-click, choose to import from the clipboard, and leave path checking off):
C:\WINDOWS\pchealth\Global.exe
C:\WINDOWS\pchealth\helpctr\binaries\helphost.com
C:\WINDOWS\system\KEYBOARD.exe
C:\WINDOWS\Help\microsoft.hlp
C:\WINDOWS\system32\regedit.exe
C:\WINDOWS\system32\drivers\drivers.cab.exe
C:\WINDOWS\system32\dllcache\autorun.INF
C:\WINDOWS\system32\dllcache\default.exe
C:\WINDOWS\system32\dllcache\svchost.exe
C:\WINDOWS\system32\dllcache\global.exe
C:\WINDOWS\system32\dllcache\tskmgr.exe
C:\WINDOWS\system32\dllcache\explorer.exe
C:\WINDOWS\system32\dllcache\rndll32.exe
C:\WINDOWS\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe
C:\WINDOWS\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\global.exe
C:\WINDOWS\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\svchost.exe
C:\WINDOWS\Fonts\tskmgr.exe
C:\WINDOWS\Fonts\Fonts.exe
C:\WINDOWS\Media\rndll32.pif
C:\WINDOWS\Cursors\Boom.vbs
On each hard disk partition (X is the drive letter):
X:\Autorun.inf
X:\MS-DOS.com
After importing the list above, right-click and choose Restart and Delete Now.
Shutting down afterwards may take several minutes or even hang; if it does, power off and restart.
After the restart and deletion, the remaining virus files that have to be removed by hand are:
the folder C:\WINDOWS\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}
and a .tmp file created by the virus whose name varies (the whole Temp folder can be emptied):
C:\Documents and Settings\<current user name>\Local Settings\Temp\~df****.tmp
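The Autorun.inf and MS-DOS.com pair in step 1 is the removable-drive part of the infection: the .inf tells AutoPlay and the drive's context menu which file on the drive to run. As an added example, not part of the original post, the Python script below reads an autorun.inf, lists every entry that can launch a program, and reports whether the named file is actually present at the drive root, so the dropped file can be identified before the .inf is deleted. The sample autorun.inf is constructed, and the walk over drive letters in the main block is an assumption about where such files sit.

```python
"""Added example (not from the post): report what an autorun.inf would launch."""
from __future__ import annotations

import os
import re
from typing import Dict, List

# [autorun] keys whose value is something AutoPlay or the drive's context
# menu may execute; shell\<verb>\command entries are matched by the regex.
LAUNCH_KEYS = ("open", "shellexecute")
SHELL_CMD_RE = re.compile(r"^shell\\[^\\]+\\command$")


def parse_autorun(text: str) -> Dict[str, str]:
    """Return key -> value for the [autorun] section, keys lower-cased.

    Hand-rolled rather than configparser: real autorun.inf files carry
    backslashes in key names, duplicate keys and stray text that configparser
    rejects. On duplicates the first occurrence is kept.
    """
    entries: Dict[str, str] = {}
    in_autorun = False
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = line.split("=", 1)
            entries.setdefault(key.strip().lower(), value.strip())
    return entries


def launch_targets(entries: Dict[str, str]) -> List[str]:
    """Every command line the .inf could cause to run."""
    return [v for k, v in entries.items() if k in LAUNCH_KEYS or SHELL_CMD_RE.match(k)]


def executable_of(command: str) -> str:
    """Program part of a command line: '"a b.exe" /x' -> 'a b.exe', 'foo.com arg' -> 'foo.com'."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def audit_drive_root(root: str) -> List[str]:
    """Describe what <root>\\autorun.inf launches and whether that file is present."""
    inf = os.path.join(root, "autorun.inf")
    if not os.path.isfile(inf):
        return []
    with open(inf, "r", encoding="utf-8", errors="replace") as fh:
        entries = parse_autorun(fh.read())
    report = []
    for cmd in launch_targets(entries):
        exe = executable_of(cmd)
        state = "present" if os.path.exists(os.path.join(root, exe)) else "missing"
        report.append(f"{inf}: launches {exe!r} ({state} on this drive)")
    return report


# Constructed sample in the shape the post describes: an Autorun.inf whose
# every launch entry runs MS-DOS.com from the drive root.
SAMPLE_AUTORUN = """[AutoRun]
open=MS-DOS.com
shell\\open=Open(&O)
shell\\open\\Command=MS-DOS.com
shell\\explore=Explorer(&X)
shell\\explore\\Command=MS-DOS.com
shellexecute=MS-DOS.com
"""

if __name__ == "__main__":
    for cmd in launch_targets(parse_autorun(SAMPLE_AUTORUN)):
        print("sample would launch:", executable_of(cmd))
    for letter in "CDEFGH":            # assumed drive letters; only Windows has them
        for finding in audit_drive_root(letter + ":\\"):
            print(finding)
```

Run it on the infected machine before step 1's deletion to see which file each partition's Autorun.inf points at; a target reported as "missing" usually means the dropped file has already been removed or is on a different drive.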
2. Copy the contents between the separator lines below into Notepad and save it as a file with the extension .reg.
Then run "regedt32",
choose File > Import, and import the .reg file you just saved.
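A .reg file copied from a forum post is worth checking before it is imported, because regedit gives only a terse error when a line is malformed and a wrongly escaped path silently writes the wrong value. As an added example, not from the original post, the Python linter below parses the regedit 5.00 format (key lines, key deletions, value deletions, string/dword/hex data) and reports the mistakes copy-and-paste most often introduces: a missing header, an unknown root key, and single backslashes where the format requires two. The sample file is constructed and modelled on the post's own; its last line is deliberately wrong.

```python
"""Added example (not from the post): lint a .reg file before importing it.
Format: [HKEY_...] selects a key, [-HKEY_...] deletes it, "name"=- deletes a value,
@ is the default value; a literal \\ or " inside a string must be written \\\\ or \\"."""
from __future__ import annotations

import re
from typing import List

HEADERS = ("Windows Registry Editor Version 5.00", "REGEDIT4")
HIVES = {"HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER", "HKEY_CLASSES_ROOT",
         "HKEY_USERS", "HKEY_CURRENT_CONFIG"}
LONE_BACKSLASH = re.compile(r'(?<!\\)\\(?![\\"])')   # a backslash escaping nothing


def closing_quote(s: str, start: int) -> int:
    """Index of the quote closing the string opened at s[start], or -1."""
    i = start + 1
    while i < len(s):
        if s[i] == "\\":
            i += 2                                  # skip the escaped character
        elif s[i] == '"':
            return i
        else:
            i += 1
    return -1


def lint_reg(text: str) -> dict:
    """Count keys and values, and collect syntax errors with their line numbers."""
    counts = {"keys": 0, "keys_deleted": 0, "values_set": 0, "values_deleted": 0}
    errors: List[str] = []
    lines = text.lstrip("\ufeff").splitlines()
    if not lines or lines[0].strip() not in HEADERS:
        errors.append("line 1: missing 'Windows Registry Editor Version 5.00' header")
    in_key = hex_continues = False
    for n, raw in enumerate(lines[1:], start=2):
        line = raw.strip()
        if hex_continues:                           # inside multi-line hex data
            hex_continues = line.endswith("\\")
        elif not line or line.startswith(";"):
            continue
        elif line.startswith("["):
            if not line.endswith("]"):
                errors.append(f"line {n}: key name not closed with ']'")
                continue
            key = line[1:-1]
            hive = key.lstrip("-").split("\\", 1)[0]
            if hive not in HIVES:
                errors.append(f"line {n}: unknown root key {hive!r}")
            counts["keys_deleted" if key.startswith("-") else "keys"] += 1
            in_key = True
        elif not in_key:
            errors.append(f"line {n}: value line before any [key]")
        else:
            end = closing_quote(line, 0) if line.startswith('"') else 0
            if line.startswith("@"):
                name, rest = "", line[1:]
            elif end > 0:
                name, rest = line[1:end], line[end + 1:]
            else:
                errors.append(f"line {n}: not a key, value or comment")
                continue
            data = rest[1:].strip()
            if not rest.startswith("=") or LONE_BACKSLASH.search(name):
                errors.append(f"line {n}: bad value name (missing '=' or single backslash)")
            elif data == "-":
                counts["values_deleted"] += 1
            elif data.startswith('"'):
                if closing_quote(data, 0) != len(data) - 1 or LONE_BACKSLASH.search(data[1:-1]):
                    errors.append(f"line {n}: string not closed or has a single backslash (write \\\\)")
                else:
                    counts["values_set"] += 1
            elif re.fullmatch(r"dword:[0-9A-Fa-f]{8}", data):
                counts["values_set"] += 1
            elif re.match(r"hex(\([0-9A-Fa-f]+\))?:", data):
                hex_continues = data.endswith("\\")
                counts["values_set"] += 1
            else:
                errors.append(f"line {n}: unrecognised data {data!r}")
    return dict(counts, errors=errors)


# Constructed sample modelled on the post's file. The final line uses single
# backslashes on purpose so the linter has something to report.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
; constructed sample
[HKEY_CURRENT_USER\Control Panel\Desktop]
"ScreenSaveTimeOut"="600"
"SCRNSAVE.EXE"=-
[HKEY_CLASSES_ROOT\regfile\shell\open\command]
@="regedit \"%1\""
[-HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\Scripts]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"C:\\WINDOWS\\system\\keyboard.exe"=-
[HKEY_CLASSES_ROOT\MSCFile\Shell\Open\Command]
@="%SystemRoot%\system32\mmc.exe \"%1\" %*"
'''

if __name__ == "__main__":
    for field, value in lint_reg(SAMPLE_REG).items():
        print(f"{field}: {value}")
```

regedit itself saves .reg files as UTF-16LE with a byte-order mark, so a file exported from regedit should be opened with encoding="utf-16" before it is passed to lint_reg; a file typed into Notepad and saved as ANSI reads with the system code page.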
========== .reg file begins ==========
Windows Registry Editor Version 5.00
; Lines beginning with a semicolon are comments.
; Remove the screen saver set by the virus
[HKEY_CURRENT_USER\Control Panel\Desktop]
"ScreenSaveTimeOut"="600"
"SCRNSAVE.EXE"=-
"AutoEndTasks"="0"
; Repair file associations
[HKEY_CLASSES_ROOT\MSCFile\Shell\Open\Command]
@="%SystemRoot%\\system32\\mmc.exe \"%1\" %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSCFile\Shell\Open\Command]
@="%SystemRoot%\\system32\\mmc.exe \"%1\" %*"
[HKEY_CLASSES_ROOT\regedit\shell\open\command]
@="regedit %1"
[HKEY_CLASSES_ROOT\regfile\shell\open\command]
@="regedit \"%1\""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\regedit\shell\open\command]
@="regedit %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\regfile\shell\open\command]
@="regedit \"%1\""
; Delete startup/shutdown scripts
[-HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System\Scripts]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\Scripts]
; Show the extensions of .com and .exe files again
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\comfile]
"NeverShowExt"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile]
"NeverShowExt"=-
; Clear startup items
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
@=-
"C:\\WINDOWS\\system\\keyboard.exe"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
@=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"sys"=-
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
@=-
; Clear image hijacking (Image File Execution Options)
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autorun.exe]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\auto.exe]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe]
; Restore the option to show protected operating system files
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden]
"ValueName"="ShowSuperHidden"
; It is not clear what MUICache is for, and these entries probably do not matter.
[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\\WINDOWS\\system32\\dllcache\\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\\global.exe"=-
"C:\\WINDOWS\\system32\\dllcache\\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\\svchost.exe"=-
"C:\\WINDOWS\\system32\\dllcache\\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\\system.exe"=-
"C:\\WINDOWS\\system32\\dllcache\\default.exe"=-
"C:\\WINDOWS\\Fonts\\Fonts.exe"=-
; Not sure what this Active Desktop component is doing.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\<n>]
; (<n> is the component's subkey number; it is unreadable in the original post)
@=""
"Source"=-
"SubscribedURL"=-
"FriendlyName"=-
"Flags"=-
"Position"=-
"CurrentState"=-
"OriginalStateInfo"=-
"RestoredStateInfo"=-
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=-
"Settings"=-
"GeneralFlags"=-
; Still not sure what this one does
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableStatusMessages"=-
; Clear leftover entries
[-HKEY_CURRENT_USER\Software\VB and VBA Program Settings]
[-HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
========== .reg file ends ==========
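The "Clear image hijacking" part of the .reg above deletes Image File Execution Options subkeys named after taskmgr.exe, msconfig.exe, procexp.exe and others. IFEO lets a "Debugger" value name a program that Windows starts in place of the image, which is how a worm can make the tools used to remove it launch the worm instead. As an added example, not from the original post, the Python script below lists every image whose Debugger is not a recognised debugger, so the check can be repeated after the .reg import to confirm nothing was missed. The classification is a pure function that runs anywhere; reading the live registry needs Windows. The list of known debuggers and the sample data are assumptions, with the sample built from file names the post already gives.

```python
"""Added example (not from the post): audit Image File Execution Options for Debugger hijacks."""
from __future__ import annotations

import sys
from typing import Dict, List, Optional

IFEO_PATH = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
# Debuggers an administrator might legitimately register here (assumed list).
KNOWN_DEBUGGERS = {"windbg", "ntsd", "cdb", "vsjitdebugger", "drwtsn32"}


def program_name(command: str) -> str:
    """Lower-cased base name, without .exe, of the program a command line starts with."""
    cmd = command.strip()
    prog = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]
    name = prog.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def audit_ifeo(entries: Dict[str, Optional[str]]) -> List[str]:
    """entries maps image name -> Debugger value (None when the subkey has none).

    Returns one finding per image whose Debugger is not a known debugger.
    """
    findings = []
    for image, debugger in sorted(entries.items()):
        if debugger and program_name(debugger) not in KNOWN_DEBUGGERS:
            findings.append(f"{image} is redirected: Debugger={debugger!r}")
    return findings


def read_ifeo_from_registry() -> Dict[str, Optional[str]]:
    """Read image -> Debugger from HKLM (read-only; empty dict off Windows)."""
    if sys.platform != "win32":
        return {}
    import winreg  # Windows-only module
    entries: Dict[str, Optional[str]] = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, IFEO_PATH) as root:
        for i in range(winreg.QueryInfoKey(root)[0]):
            image = winreg.EnumKey(root, i)
            with winreg.OpenKey(root, image) as sub:
                try:
                    entries[image] = winreg.QueryValueEx(sub, "Debugger")[0]
                except FileNotFoundError:
                    entries[image] = None
    return entries


# Constructed sample: images the post's .reg cleans, pointed at files the post
# lists in step 1, plus one legitimate debugger and one subkey with no Debugger.
SAMPLE_IFEO: Dict[str, Optional[str]] = {
    "taskmgr.exe": r"C:\WINDOWS\Fonts\tskmgr.exe",
    "msconfig.exe": r"C:\WINDOWS\system\KEYBOARD.exe",
    "procexp.exe": r"C:\WINDOWS\system\KEYBOARD.exe",
    "notepad.exe": r'"C:\Program Files\Debugging Tools for Windows\windbg.exe" -g',
    "iexplore.exe": None,
}

if __name__ == "__main__":
    live = read_ifeo_from_registry()
    for finding in audit_ifeo(live or SAMPLE_IFEO):
        print(finding)
```

On the infected machine the script reads the live key; elsewhere it falls back to the constructed sample. Any finding that names a file from step 1 means that subkey still needs deleting.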
4. It is recommended to run "sigverif" to check the files' digital signatures. If any file is unsigned,
copy one from another machine to overwrite the original file.
(For replacing explorer.exe, see the post by snowflurry.)
Attached is the somewhat troublesome method I used:
I found that my explorer.exe had been replaced.
So I opened Task Manager and ended the explorer.exe process.
Then Task Manager > File > New Task > Browse,
located the C:\WINDOWS\explorer.exe that had to be deleted,
found a correct explorer.exe from someone else's machine,
copied it to C:\WINDOWS and chose Open > OK.
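Step 4 verifies files with sigverif and replaces anything unsigned with a copy from another machine. The same idea can be done with file hashes: export a manifest of the files the worm imitated from a known-clean machine, then compare the suspect machine against it. As an added example, not from the original post, the Python script below builds such a manifest, compares a system root against it, and includes a self-contained demo on constructed files. The file list is an assumption built from the legitimate names that step 1's dropped copies mimic.

```python
"""Added example (not from the post): compare system binaries with a clean reference."""
from __future__ import annotations

import hashlib
import json
import os
import tempfile
from typing import Dict, List

# Legitimate files whose names the post's dropped copies imitate (assumed list),
# given relative to %SystemRoot% in Windows notation.
WATCHED = [
    r"explorer.exe",
    r"system32\regedit.exe",
    r"system32\svchost.exe",
    r"system32\taskmgr.exe",
    r"system32\ctfmon.exe",
    r"system32\dllcache\explorer.exe",
]


def _path(system_root: str, rel: str) -> str:
    """Join a Windows-style relative path onto the root using the host's separator."""
    return os.path.join(system_root, *rel.split("\\"))


def sha256_of(path: str) -> str:
    """Hex SHA-256 of a file, read in 1 MiB chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(system_root: str) -> Dict[str, str]:
    """Run on the clean machine: relative path -> SHA-256 for each watched file present."""
    manifest = {}
    for rel in WATCHED:
        path = _path(system_root, rel)
        if os.path.isfile(path):
            manifest[rel] = sha256_of(path)
    return manifest


def compare(manifest: Dict[str, str], system_root: str) -> List[str]:
    """Run on the suspect machine: report watched files that are missing or differ."""
    findings = []
    for rel, expected in manifest.items():
        path = _path(system_root, rel)
        if not os.path.isfile(path):
            findings.append(f"{rel}: missing")
        elif sha256_of(path) != expected:
            findings.append(f"{rel}: hash differs from clean reference")
    return findings


def demo() -> List[str]:
    """Constructed run: a 'clean' tree is fingerprinted, then one file is replaced."""
    with tempfile.TemporaryDirectory() as root:
        for rel in WATCHED:
            path = _path(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(b"clean " + rel.encode())
        manifest = build_manifest(root)
        with open(_path(root, "explorer.exe"), "wb") as fh:   # simulate a replaced binary
            fh.write(b"not the real explorer")
        return compare(manifest, root)


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3 and sys.argv[1] == "export":       # on the clean machine
        print(json.dumps(build_manifest(sys.argv[2]), indent=1))
    elif len(sys.argv) == 3 and sys.argv[1] == "check":      # on the suspect machine
        with open(sys.argv[2]) as fh:
            reference = json.load(fh)
        root = os.environ.get("SystemRoot", r"C:\WINDOWS")
        print("\n".join(compare(reference, root)) or "all watched files match")
    else:
        print("\n".join(demo()))
```

Hashes only match between machines running the same Windows version and service pack with the same hotfixes applied, so the reference machine must be chosen accordingly; a "missing" finding for a dllcache entry is expected where Windows has never populated that cache entry.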
5. Protection starts with good USB flash drive habits; it is recommended to read the summary of USB flash drive usage tips.
6. For folders that have "disappeared" from the USB drive, run the following (X is the drive letter of the USB drive); it clears the System and Hidden attributes the virus set:
attrib -s -h X:\* /s /d