Manual deletion of funny.exe Trojan virus

xiaoxiao2021-03-06  88

When the virus is running, it automatically sends itself to, and infects, contacts through chat tools such as QQ and MSN. It starts three instances on the system that monitor one another: if one of the processes is killed, the other two restart it immediately. It also modifies several places in the system registry, so it still runs automatically after a restart.

Delete method (with C:\Winnt as the example system directory):

0. First copy c:\winnt\system32\Userinit.exe to c:\winnt\system32\userinit32.exe so that the file is overwritten. (I have not tried this step, but it should do no harm.)

1. You must boot into Safe Mode, preferably the command-line one, but the virus may still start.

2. There is generally a copy of Funny.exe in the root directory of each hard disk, for example C:\, D:\ and so on. Delete it.

3. Look for these three files:
   - c:\winnt\rundll.exe (or rundll32.exe), size about 55K, dated within the last few days
   - c:\winnt\system32\Userinit32.exe, size about 55K, dated within the last few days
   - c:\winnt\system32\iexplore.exe (or expel.exe), size about 55K, dated within the last few days

4. Delete these three files. If a file cannot be deleted, rename it instead, preferably from the command line. Deal with the files in the system32 directory first. Some files appear again after they are deleted or renamed; ignore that, rename them several more times and kill Rundll.exe, rundll32.exe, ipploer.exe and extlorer.exe. After several rounds the rename or delete will eventually succeed.

5. The virus modified the registry. The value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit is changed from C:\Winnt\System32\Userinit.exe to c:\winnt\system32\Userinit32.exe (the virus). This value names a program that must run when the system starts, so if only userinit32.exe is deleted, the system will not be able to log in (nasty enough!).
   Workaround:
   a. Temporarily copy userinit.exe to userinit32.exe, or
   b. Modify the registry; find all USERINIT items.

6. Delete the MMSystem entry in the Run item in the registry. Its content is C:\Winnt\Rundll.exe MMSystem.DLL ....
   Location:
   hkey_local_machine / software / microsoft / windows nt / currentversion / run / mmsystem
   hkey_current_user / currentversion / run

7. Restart the machine and check whether the above files still exist. If they do not, there is no problem.
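The registry checks from steps 5 and 6 can be run against a text export before any file is deleted. The following is an added example, not part of the original post. It assumes the two keys were dumped in the text format printed by `reg query`; the function names and the sample data are constructed for illustration.

```python
import re

WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

def parse_reg_query(text):
    """Parse `reg query` text output into {key: {value_name: data}}, lower-casing names."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.upper().startswith("HKEY_"):
            current = keys.setdefault(line.strip().lower(), {})
        elif current is not None:
            m = re.match(r"\s+(.+?)\s+(REG_\w+)\s*(.*)$", line)
            if m:
                current[m.group(1).lower()] = m.group(3).strip()
    return keys

def audit(text):
    """Return (severity, message) findings for the registry changes in steps 5 and 6."""
    findings = []
    for key, values in parse_reg_query(text).items():
        if key == WINLOGON.lower():
            # Userinit is a comma-separated list of programs started at logon.
            for entry in values.get("userinit", "").split(","):
                entry = entry.strip()
                if entry and entry.lower().rsplit("\\", 1)[-1] != "userinit.exe":
                    findings.append(("critical", f"Winlogon Userinit runs {entry}: "
                                     "point it back at userinit.exe before deleting that file"))
        if key.endswith(r"\currentversion\run"):
            for name, data in values.items():
                if name == "mmsystem" or "rundll.exe" in data.lower():
                    findings.append(("high", f"Run value {name} = {data}"))
    return findings

# Constructed sample input (not captured from a real machine); the Run data stops
# where the page's own text is elided.
INFECTED = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Userinit    REG_SZ    C:\Winnt\System32\Userinit32.exe

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\run
    MMSystem    REG_SZ    C:\Winnt\Rundll.exe MMSystem.DLL
"""
CLEAN = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Userinit    REG_SZ    C:\Winnt\System32\userinit.exe,
"""

if __name__ == "__main__":
    for severity, message in audit(INFECTED):
        print(severity, message)
```

A "critical" finding means the logon lockout described in step 5 applies, so the Userinit value has to be corrected (or workaround a used) before userinit32.exe is removed.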

When reposting, please cite the original address: https://www.9cbs.com/read-107846.html
