After the Trojan runs, it creates a copy of itself named DIAGCFG.EXE in the Windows system directory and associates that copy with the opening of .EXE files. If you delete the file rashly, no EXE file on the system can be opened.
Cleaning method:
1. Because the Trojan's file cannot be deleted while it is running, boot into pure DOS mode, find DIAGCFG.EXE in the system directory and delete it;
2. Because DIAGCFG.EXE has now been deleted, EXE files cannot be run in the Windows environment. Find the registry editor "Regedit.exe" in the Windows directory and rename it "Regedit.com";
3. Return to Windows mode and run the Regedit.com program in the Windows directory (that is, the file we just renamed);
4. Find HKEY_CLASSES_ROOT\exefile\shell\open\command and change its default value to "%1" %*;
5. Find HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices and delete the item named "Diagnostic Configuration";
6. Close the Registry Editor, return to the Windows directory and change "Regedit.com" back to "Regedit.exe";
7. Done.
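To confirm that steps 4 and 5 took effect, the following added example (not part of the original page) audits a REGEDIT4 text export of the two registry keys. The sample exports, including the hijacked command string, are constructed for illustration; the page does not give the exact value the Trojan writes.

```python
import re

# Keys from steps 4 and 5, lowercased for case-insensitive comparison.
EXE_CMD_KEY = r"hkey_classes_root\exefile\shell\open\command"
RUNSERVICES_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\runservices"
CLEAN_EXE_CMD = '"%1" %*'                      # value restored in step 4
TROJAN_VALUE_NAME = "Diagnostic Configuration"  # item deleted in step 5

# Constructed sample exports (not captured from a real machine).
INFECTED = r'''REGEDIT4

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\SYSTEM\\DIAGCFG.EXE \"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Diagnostic Configuration"="C:\\WINDOWS\\SYSTEM\\DIAGCFG.EXE"
'''
CLEANED = r'''REGEDIT4

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
'''

def unescape(s):
    # .reg strings escape backslash and double quote with a backslash.
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg(text):
    """Return {lowercased key path: {value name: string data}}; '@' is the default value."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
            continue
        m = re.match(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$', line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else unescape(m.group(1)[1:-1])
            current[name] = unescape(m.group(2))
    return keys

def audit(text):
    """List (finding, data) pairs for the two changes this cleanup reverses."""
    keys, findings = parse_reg(text), []
    cmd = keys.get(EXE_CMD_KEY, {}).get("@")
    if cmd is not None and cmd != CLEAN_EXE_CMD:
        findings.append(("exefile-hijack", cmd))
    for name, data in keys.get(RUNSERVICES_KEY, {}).items():
        if name.lower() == TROJAN_VALUE_NAME.lower():
            findings.append(("runservices-entry", data))
    return findings
```

An empty result from `audit()` means the EXE association is back to its default and the RunServices item is gone; any other handler on `exefile` is reported, not only DIAGCFG.EXE.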