When the virus is running, it will automatically send / infection on chat tools such as QQ / MSN. It starts three instances in the system, mutual monitoring, killing one of the processes, and two other will restart it immediately. And modify multiple system registry, restart still cause automatic operation.
Delete method: (as an example of the system directory as C: / WinNT)
0, first copy c: /winnt/system32/Userinit.exe c: /winnt/system32/Userinit32.exe for file override. (I haven't tried this step, but I have no bad place)
1. Must start to security mode, it is best to be command line, but the virus may still start.
2, generally in the root directory of the hard disk, for example, C: / D: /, etc. may have a copy of Funny.exe, delete
3, in the c: /winnt/rundll32.exe file, the size is about 55K, the date is generated in recent days, in the c: /winnt/system32/Userinit32.exe file, the size is about 55K, the date is generated in recent days , In the c: /winnt/system32/iexplore.exe, the explorer.exe file, the size is about 55K, the date is generated in recent days,
4. Delete these files, if you can't delete it, you can rename it, it is best to change your name under the command line, first change the ipplore.exe, Explorer.exe file name under the System32 directory, and modify the Rundll32 under Winnt. EXE, Userinit32.exe overwrites with a copy userinit.exe userinit32.exe mode. Sometimes the file is deleted / renamed, it will appear again, do not take it. Change several times and kill Rundll32.exe ipploer.exe explorer.exe in the process, and you can change / delete multiple times.
5. Note: The virus modifies the registry, if only Userinit32.exe is simply deleted, the system will not be logged in! HKEY_LOCAL_MACHINE / SOFTWARE / Microsoft / Windows NT / CurrentVersion / WinLogon / Userinit virus will be changed from c: /winnt/system32/Userinit.exe to c: /winnt/system32/userinit32.exe This key value is when the system is started, it must A program running. Workaround: a, if you are in the console, you can temporarily copy a copy userinit.exe userinit32.exe b, if you can modify the registry in the window environment, find all userinit32.exe items, change to userinit.exe6, delete mmsystem contents of the Run key in the registry, the content is c: /winnt/rundll.exe mmsystem.dll .... location: HKEY_LOCAL_MACHINE / SOFTWARE / Microsoft / Windows NT / CurrentVersion / Run / mmsystem HKEY_CURRENT_USER / Software / Microsoft / Windows / Currentversion / run
7, restart the machine, see if the above documents still exist, there is no problem.
