Skip to main content

runauto.. 查杀

同学机器中毒了,症状如下:

每个盘根目录下增加autorun.inf 和一个目录runauto..
很多命令msconfig, cmd, regedit等不能运行.

我看了下,首先根据autorun.inf找到一个pif
然后根据文件日期又找到一堆exe,这些都好办,删掉就行了. 我记得有
c:\windows\lsass.exe
c:\windows\setuprs1.pif
c:\windows\cmd.exe.exe

可能不全.

不过那个runauto..目录却删不掉, 但是我发现在纯dos下可以进入(但是由于属性等问题,不好删)...

参考了http://hi.baidu.com/creative_zone/blog/item/5555efb494408d728bd4b2bb.html

发现应该用rd "runauto.../" /s /q, 然后成功删除,

这个非常奇妙,我自己试了试md "tmp.../", 然后有类似现象,是Windows的bug么?

另外需要停掉一个服务,叫做Kerberos Key Distribution Centers, 最好也从注册表里删掉

最后发现那些命令还是不能用, 然后搜了下注册表, 发现在HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
下,有很多项,其中 cmd.exe, msconfig.exe 等项中均有一个键叫叫做"Debugger",值为病毒pif, 那没什么好说的,删! 于是都正常了.

最后又搜了一遍,删了几个可疑项和键值, 至此就算完成了.

Comments

Popular posts from this blog

Determine Perspective Lines With Off-page Vanishing Point

In perspective drawing, a vanishing point represents a group of parallel lines, in other words, a direction. For any point on the paper, if we want a line towards the same direction (in the 3d space), we simply draw a line through it and the vanishing point. But sometimes the vanishing point is too far away, such that it is outside the paper/canvas. In this example, we have a point P and two perspective lines L1 and L2. The vanishing point VP is naturally the intersection of L1 and L2. The task is to draw a line through P and VP, without having VP on the paper. I am aware of a few traditional solutions: 1. Use extra pieces of paper such that we can extend L1 and L2 until we see VP. 2. Draw everything in a smaller scale, such that we can see both P and VP on the paper. Draw the line and scale everything back. 3. Draw a perspective grid using the Brewer Method. #1 and #2 might be quite practical. #3 may not guarantee a solution, unless we can measure distances/p...

Installing Linux on Surface Pro 1g

Windows 10 will soon reach its end of life, and my 1-gen Surface Pro is not supported by Windows 11. I (finally) decided to install Linux to it. Fortunately, it's a not-so-easy nice adventure: The device has only one USB port, so I have to bring back my 10+-year old USB hub. My live USB drive cannot boot directly, I have to disable Secure Boot first, by holding Volume Up during boot. I think years ago I learned that booting on USB might not work through a USB hub, but fortunatelly it worked well with my setup. This is done by holding Volume Down during boot. Wifi adapter was detected in the live Linux environment, but not functional. And I don't have a USB-Ethernet adapter. Luckily, nowadays we have USB-tethering from Android phones, which works out-of-the-box. Originally I planned to following this guide to set up root on ZFS, however, the system froze when building the ZFS kernel module. Then I decided to just use EXT4, yet I still learned a lot from the guide about disk par...

Fix Google Security Code

Google Security Code (http://g.co/sc) is one type of 2-step verification. This is particularly useful when security keys and passkeys are not available. I have been using it in my LXC containers, until today I found out that it stopped working. It just kept saying "The code is invalid". It is easy to rule out some factors: The code works on other browsers on my laptop. The code works on other devices that are directly connected to the router. So it appears that Google also checks IP addresses besides the security code. Recently I have IPv6 enabled, so most devices that are directly connected to the router have both IPv4 and IPv6 addresses. But  I only enabled IPv4 for my LXC containers. So I guess when a code is generated by device A and used by device B, Google should be able to check that device A and device B are closely located. But in my case, IPv6 address appears on device A but not on device B, which may look suspicious. To fix the problem, I just needed to disable IPv...