Running the cracked 51 Heirloom now produces a second winlogon process alongside the normal WINLOGON.EXE process. The normal one has the user name "SYSTEM" and its program name is lowercase winlogon.exe.
The Trojan disguised as this process runs under the current system user name, and its program name is capitalized WINLOGON.EXE.
View the processes with Ctrl+Alt+Del and select the Processes tab. Normally there is only one winlogon.exe process, with user name "SYSTEM". If there are two winlogon.exe, and one of them is capitalized with the current system user as its user name, there may be a Trojan horse.
This Trojan is powerful enough to destroy Trojan Nemesis and stop it working normally. At present, other anti-virus software can't detect it either.
That WINLOGON.EXE under WINDOWS really is a virus, but it plays only a small role in this virus. Open drive D and see whether there is a pagefile.com file (a DOS pointer file) and an autorun.inf file. Hehe, of course they are hidden. Deleting these files is useless, because they are associated with many things: even in safe mode, as long as you run any program or double-click to open drive D, it will be reinstalled. Hehe, many people got their accounts stolen because of this cracked Heirloom, and antivirus software couldn't find it. Some people call this virus "falling snow"; it is a Trojan horse specialized in stealing Legend World accounts. As for whether it also steals other accounts such as QQ or online banking, that depends on whether it feels like it. Hehe, I guess it records everything together. If you aren't afraid of the virus and want to reduce your losses, you'd better turn on a firewall that blocks everything outbound except a few common tasks you trust. Of course, you'd better back up as soon as possible, then disconnect and kill the virus.
This includes the 51pywg family Heirloom modified by Fang Xin and all the other plug-ins they cracked. The biggest suspect this time is 51PYWG. As for the other partner websites, it is estimated that they are doomed too, especially Fang Xin's website, which has been confirmed hacked many times. Although he explained that it was hacked, other possibilities can't be ruled out. Pay special attention to plug-ins that connect to a website after starting, and don't rule out the launcher itself being infected. Anyway, in a word, this kind of cracked software that connects to websites is the easiest to get infected by. As for when and how it is released, say how cool it is, try to crack the verified version completely locally. Although it seems the linked alliance hasn't found out whether it was put there by itself or by someone else, you must be careful. Recently more than N people in Legend World have been hacked, with these websites as the target. Below is the method for removing the recently especially poisonous WINLOGON.EXE hacker virus. Note that this fake WINLOGON.EXE is under WINDOWS, and the process is displayed as the current user or administrator. The other winlogon.exe belongs to the system and is normal, so don't delete it. Please read carefully: the first is capitalized and the second is lowercase, and some netizens have confirmed that this file connects to a destination in Henan.
Solution of "falling snow" virus
Symptoms: double-clicking drive D won't open it. There are autorun.inf and pagefile.com files on it.
The person who made this virus is too strong; it can't be solved in safe mode even as administrator! After an afternoon of fighting, it was barely solved.
I didn't use any Trojan-killing software. I just manually dug them out and deleted them one by one. The files associated with it are listed below; most of them are shown as system files and hidden.
Therefore you have to enable showing hidden files in Folder Options.
There are only two on drive D (you can't double-click to open drive D). There are more on drive C!
D:\autorun.inf
D:\pagefile.com
C:\Program Files\Internet Explorer\iexplore.com
C:\Program Files\Common Files\iexplore.com
C:\WINDOWS\1.com
C:\WINDOWS\iexplore.com
C:\WINDOWS\finder.com
C:\WINDOWS\Exeroud.exe (I'm not sure of the name, but it has a red Legend World icon).
C:\Windows\Debug\**program.exe (also with the icon above; I've forgotten the name -_-, obviously not hidden).
C:\Windows\system32\command.com
Don't delete this one lightly: check whether its date differs from the files below and matches the other files. If it matches most of the other files, it must not be deleted. Of course, the system files are definitely not from this period.
C:\Windows\system32\msconfig.com
C:\Windows\system32\regedit.com
C:\Windows\system32\dxdiag.com
C:\Windows\system32\rundll32.com
C:\Windows\system32\finder.com
C:\Windows\system32\a.exe
By the way, look at the dates of these files and see whether there are other files elsewhere with the same time or with suspicious .COM endings. Be careful not to run any program or start any of them again, including double-clicking the disk.
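The two checks the post describes here (look for .com files that sit next to programs you would type into Start > Run, and look for everything modified at the same time as a known-bad file) can be run over a file inventory. The script below is an added example, not code from the post; its inventory is constructed (made-up dates, file names taken from the post's list), and the ordering of PATHEXT it relies on (.COM is tried before .EXE when you type a bare name) is standard cmd.exe behaviour. Note that the genuine command.com carries the operating system's date and so is kept, exactly as the post advises.

```python
import ntpath

# Constructed file inventory: (path, modification time). Not a real scan; the
# dates are made up, the names follow the list in the post.
SAMPLE_FILES = [
    (r"C:\WINDOWS\regedit.exe",            "2004-08-04 12:00"),
    (r"C:\WINDOWS\notepad.exe",            "2004-08-04 12:00"),
    (r"C:\WINDOWS\system32\cmd.exe",       "2004-08-04 12:00"),
    (r"C:\WINDOWS\system32\rundll32.exe",  "2004-08-04 12:00"),
    (r"C:\WINDOWS\system32\command.com",   "2004-08-04 12:00"),  # genuine DOS stub, same date as the OS
    (r"C:\WINDOWS\system32\regedit.com",   "2007-03-11 21:47"),
    (r"C:\WINDOWS\system32\rundll32.com",  "2007-03-11 21:47"),
    (r"C:\WINDOWS\system32\msconfig.com",  "2007-03-11 21:47"),
    (r"C:\WINDOWS\1.com",                  "2007-03-11 21:47"),
    (r"D:\pagefile.com",                   "2007-03-11 21:48"),
    (r"D:\autorun.inf",                    "2007-03-11 21:48"),
]

# Names people type at Start > Run. A planted .com with one of these names wins
# because PATHEXT lists .COM before .EXE, so "regedit" resolves to regedit.com first.
RUN_NAMES = {"msconfig", "regedit", "rundll32", "cmd", "command", "iexplore", "dxdiag"}


def _stem_ext(path):
    # ntpath handles backslash paths on any platform
    stem, ext = ntpath.splitext(ntpath.basename(path))
    return stem.lower(), ext.lower()


def shadowing_com_files(files):
    """.com files that share a name with an .exe in the inventory or with a
    well-known Run command."""
    exe_stems = {_stem_ext(p)[0] for p, _ in files if _stem_ext(p)[1] == ".exe"}
    return [p for p, _ in files
            if _stem_ext(p)[1] == ".com" and _stem_ext(p)[0] in exe_stems | RUN_NAMES]


def modified_same_day(files, anchor_path):
    """Everything modified on the same calendar day as a known-bad file."""
    day = dict(files)[anchor_path].split(" ")[0]
    return [p for p, t in files if t.startswith(day)]


def triage(files, anchor_path):
    """Combine both signals: a shadowing .com carrying the infection's date is a
    delete candidate; one carrying the OS's date (command.com) is kept."""
    cluster = modified_same_day(files, anchor_path)
    shadow = shadowing_com_files(files)
    return {
        "cluster": cluster,
        "delete_candidates": [p for p in shadow if p in cluster],
        "keep_for_now": [p for p in shadow if p not in cluster],
    }


if __name__ == "__main__":
    for label, paths in triage(SAMPLE_FILES, r"C:\WINDOWS\1.com").items():
        print(label, paths)
```

On a real machine the inventory would come from walking %SystemRoot%, %ProgramFiles% and the root of each drive with `os.scandir` and reading `st_mtime`; the cluster is also the list to compare against System Restore's own copies, which the post notes get the same timestamp.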
There is also the number one file! WINLOGON.EXE! All of this is for killing it!!!
C:\Windows\WINLOGON.EXE
This can be seen in the process list; there are two, one real and one fake.
The real one is lowercase winlogon.exe (I don't know whether yours is), and its user name is SYSTEM.
The fake one is capital WINLOGON.EXE, and its user name is your own user name.
This file can't be ended in the process list, and it really does say a critical process can't be ended! Even in safe mode it stays in your process list!
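The process check described at the top of the thread and again here (two winlogon entries, the real one lowercase and running as SYSTEM, the fake one capitalized and running as the logged-on user) can be applied to `tasklist /V /FO CSV` output. The script below is an added example and not part of the post; its input is a constructed sample in the shape of that output (the PIDs, the host name PC-01 and the account name are made up), and the column names are the ones tasklist prints on Windows XP.

```python
import csv
import io

# Constructed sample in the shape of `tasklist /V /FO CSV` output on Windows XP.
# Not a real capture: the PIDs, host name "PC-01" and account "user" are made up.
SAMPLE_TASKLIST = '''"Image Name","PID","Session Name","Session#","Mem Usage","Status","User Name","CPU Time","Window Title"
"System Idle Process","0","Console","0","16 K","Running","NT AUTHORITY\\SYSTEM","0:00:00","N/A"
"winlogon.exe","612","Console","0","3,284 K","Running","NT AUTHORITY\\SYSTEM","0:00:01","N/A"
"explorer.exe","1480","Console","0","18,112 K","Running","PC-01\\user","0:00:05","N/A"
"WINLOGON.EXE","1752","Console","0","2,140 K","Running","PC-01\\user","0:00:00","N/A"
'''

EXPECTED_NAME = "winlogon.exe"          # casing of the genuine file in System32
EXPECTED_USER = r"NT AUTHORITY\SYSTEM"  # the real Winlogon always runs as SYSTEM


def parse_tasklist(text):
    """Parse tasklist CSV output into a list of dict rows keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def flag_winlogon(rows):
    """Return [(pid_or_session, [reasons])] for winlogon entries that break the
    rules the post describes: wrong casing, not running as SYSTEM, or more than
    one winlogon.exe in the same logon session (Fast User Switching gives one
    genuine instance per session, never two)."""
    findings = []
    per_session = {}
    for r in rows:
        name = r["Image Name"]
        if name.lower() != EXPECTED_NAME:
            continue
        per_session.setdefault(r["Session#"], []).append(r["PID"])
        reasons = []
        if name != EXPECTED_NAME:
            reasons.append("image name casing differs from the real %s" % EXPECTED_NAME)
        if r["User Name"].upper() != EXPECTED_USER.upper():
            reasons.append("runs as %s instead of SYSTEM" % r["User Name"])
        if reasons:
            findings.append((r["PID"], reasons))
    for sess, pids in per_session.items():
        if len(pids) > 1:
            findings.append(("session " + sess,
                             ["%d winlogon.exe instances in one session: %s"
                              % (len(pids), ", ".join(pids))]))
    return findings


if __name__ == "__main__":
    for who, reasons in flag_winlogon(parse_tasklist(SAMPLE_TASKLIST)):
        print(who, "->", "; ".join(reasons))
```

The casing shown in Task Manager only mirrors how the file name is written on disk, so treat it as a hint; the user name and the count per session are the stronger signals, and on a live machine the last thing to confirm is the path (the genuine file lives in System32, the post's fake one directly under WINDOWS).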
That's all I know for now. If you don't trust me, look at the modification date of one of the files, then use "Search" to search for files modified that day. Many files will definitely come up with the same time, even in the System Restore folder!!
These files are associated with each other. If you delete part of them, accidentally run one, or run msconfig, command or regedit right at the start, these files all recreate themselves!
Knowing these files, first close every program that can be closed, open Windows Explorer from Accessories in the Start menu, set the view options under Tools > Folder Options to show all files and folders and un-hide protected operating system files, then open the Start menu, enter the command regedit to open the registry, and go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. There is a Torjan entry, which obviously says "I am a Trojan horse". Delete it!!
Then log off! After re-entering the system, open Task Manager and see whether there is a rundll32. If there is, end it first. I don't know whether this one is real or not, so be careful.
Go to drive D (be careful not to double-click to enter! Otherwise the virus will be activated again. Right-click and choose "Open") to delete autorun.inf and pagefile.com, then go to drive C and delete all the files listed above! Be careful not to double-click any of the files, or all the steps have to be repeated! Then log off.
During my struggle, after deleting those files, no exe file could be opened and cmd couldn't run.
Then go to C:\Windows\system32, copy cmd.exe to the desktop and rename it cmd.com. Hehe.
I'll use a COM file too: double-click this com file and you can get into the DOS command prompt.
Then type the following commands:
assoc .exe=exefile (there is a space between assoc and .exe)
ftype exefile="%1" %*
Then exe files can run again. If you can't type the commands, open CMD.COM, copy the two lines above and paste them in, twice, to execute them.
But after I finished this, logging in was a bit slow at the user prompt, and a warning box popped up saying the file "1" cannot be found (it should be the 1.com file under Windows). Finally, use Internet Assistant or other software to completely repair the IE settings.
Finally, how to fix the "file 1.com cannot be found" problem at boot:
Run "regedit" from Start > Run and open the registry at [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon].
Restore "Shell"="explorer.exe 1" to "Shell"="explorer.exe".
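The three registry places the post restores by hand (the Run key entry, the exefile open command behind `ftype`, and the Winlogon Shell value) can be checked from a `regedit /e` export before and after the cleanup. The script below is an added example, not part of the post; the .reg text it parses is constructed (the "Torjan" value name is the one the post mentions, the path it points at is assumed), and the expected values it compares against are the stock ones: Shell is exactly `explorer.exe` and the exefile command is `"%1" %*`, the same string the post's `ftype` line sets.

```python
import ntpath
import re

# Constructed registry export in regedit's .reg format; the value names and
# data mirror what the post describes. Not a real export.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe 1"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Torjan"="C:\\WINDOWS\\WINLOGON.EXE"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
'''

WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
EXEFILE_KEY = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"


def _unescape(s):
    # .reg string data escapes backslash and double quote with a backslash
    return re.sub(r'\\(["\\])', r'\1', s)


def parse_reg(text):
    """Minimal parser for the string values of a .reg export: {key: {name: data}}.
    The default value (@) is stored under the empty name; non-string data is kept raw."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        if current is None:
            continue
        if line.startswith("@="):
            name, raw = "", line[2:]
        elif line.startswith('"') and '"=' in line[1:]:
            end = line.index('"=', 1)
            name, raw = line[1:end], line[end + 2:]
        else:
            continue
        if raw.startswith('"') and raw.endswith('"'):
            keys[current][name] = _unescape(raw[1:-1])
        else:
            keys[current][name] = raw
    return keys


def audit(keys):
    """Findings as (label, data) for the three places the post restores by hand."""
    findings = []
    shell = keys.get(WINLOGON_KEY, {}).get("Shell", "")
    if shell.strip().lower() != "explorer.exe":       # anything appended here runs at every logon
        findings.append(("Shell", shell))
    cmd = keys.get(EXEFILE_KEY, {}).get("", "")
    if cmd != '"%1" %*':                              # what `ftype exefile="%1" %*` sets
        findings.append(("exefile", cmd))
    for name, target in keys.get(RUN_KEY, {}).items():
        # the genuine Winlogon is started by the kernel session, never from Run
        if ntpath.basename(target.strip('"')).lower() == "winlogon.exe":
            findings.append(("Run:" + name, target))
    return findings


if __name__ == "__main__":
    for label, data in audit(parse_reg(SAMPLE_REG)):
        print("%-12s %s" % (label, data))
```

Running the same audit on an export taken after the cleanup should return an empty list; the parser ignores dword and hex data on purpose, since the three values of interest are all plain strings.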
You're done! Share it!