Extracting original system files to replace ones infected by an EXE-infecting virus or Trojan

  

Viruses and Trojans that infect exe programs now often modify system files as well. Anti-virus software usually cannot restore an infected system file to its original state. Is there any way to fix this other than reinstalling the system or copying the files from another machine?

You can also extract the original, known-safe files from the installation disk. However, the files on the installation disk cannot simply be copied and pasted, and the extraction methods for XP and Vista/2008 differ because the two use different installation methods.

First: extracting files from the XP installation disk

Look closely at the files on the XP installation disk and you will see that most files in the i386 directory have names like "EXPLORER.EX_". These are actually compressed files: the file name matches the name of the extracted file, but the extension and the file size differ, so simply changing the extension does not produce a usable file.

There are two ways to extract the file:

Method one: decompress the file directly with compression software such as 7-zip. 7-zip is mentioned because it is free and because, by default, it adds a "7-zip" menu to the right-click menu of all files and folders, which makes it very convenient to use. WinRAR can also decompress these files.

Method two: decompress the file in a command-line window with the expand command that comes with XP. Usage: expand D:\i386\EXPLORER.EX_ C:\explorer.exe (Figure 1). This extracts the EXPLORER.EX_ file from the i386 directory of the D drive to the root directory of the C drive and names it explorer.exe. The i386 directory is the directory on the XP installation disk where the installation files are located. This command is often used to restore the system from the Recovery Console.

Figure 1 Extracting files using expand
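Before overwriting anything, it is worth confirming that the installed file really differs from the original on the disk. The script below is an added example, not part of the original article: it runs the same expand command into a scratch folder and compares SHA-256 hashes. The paths D:\i386 and C:\restore-staging and the helper name Get-Sha256Hex are assumptions.

```powershell
# Added example; D:\i386 and C:\restore-staging are assumed paths.
$Media   = 'D:\i386'              # i386 directory on the XP installation disk
$Staging = 'C:\restore-staging'   # scratch folder for the extracted originals

# Compressed name on the disk -> installed file it corresponds to.
$Files = @{ 'EXPLORER.EX_' = (Join-Path $env:SystemRoot 'explorer.exe') }

function Get-Sha256Hex([string]$Path) {
    # Uses .NET directly so it also works on PowerShell 2.0 (no Get-FileHash).
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try     { [System.BitConverter]::ToString($sha.ComputeHash($stream)) -replace '-', '' }
    finally { $stream.Dispose() }
}

if (-not (Test-Path -LiteralPath $Staging)) {
    New-Item -ItemType Directory -Path $Staging | Out-Null
}

foreach ($entry in $Files.GetEnumerator()) {
    $source    = Join-Path $Media $entry.Key
    $installed = $entry.Value
    $reference = Join-Path $Staging (Split-Path $installed -Leaf)

    if (-not (Test-Path -LiteralPath $source)) {
        Write-Warning "Not found on installation disk: $source"
        continue
    }
    # Same expand call as in the article, but into the staging folder so the
    # suspect file is not overwritten before it has been compared.
    & expand.exe $source $reference | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path -LiteralPath $reference)) {
        Write-Warning "expand failed for $source"
        continue
    }
    $refHash  = Get-Sha256Hex $reference
    $liveHash = Get-Sha256Hex $installed
    New-Object PSObject -Property @{
        File      = $installed
        Reference = $refHash
        Installed = $liveHash
        Match     = ($refHash -eq $liveHash)
    }
}
```

A mismatch alone does not prove infection, because service packs and updates also replace system files; compare against installation media at the same service-pack level as the installed system. For Vista/2008, the files in the folder mapped by imagex can be hashed directly with the same function.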

Second: extracting files from the Vista/2008 installation disk

Vista/2008 uses a new installation technology: all installation files are saved in the sources\install.wim file. This file cannot be opened with ordinary software; it can only be opened with the imagex.exe program provided by Microsoft. This program has no graphical user interface. The steps below use Vista as an example:

Step 1: Run the command prompt as an administrator and use the CD command (for example, "CD i386" enters the i386 subdirectory of the current directory) to change to the folder where imagex.exe is located.

Step 2: Use the imagex /info h:\sources\install.wim command to view the versions included on the installation disc. For example, the Vista installation disk contains the Home Basic, Home Premium, Business, and Ultimate versions. When you see

Windows Vista ULTIMATE

this entry indicates that the image with index number 4 contains the Vista ULTIMATE installation files.

Step 3: Use a command such as imagex /mount g:\sources\install.wim 4 d:\msdn to map the installation image with index number 4 from the installation files on the G drive to the d:\msdn folder. You can then open d:\msdn and copy out the original files just as you would from a normal folder; no decompression is needed.

Figure 2 Using imagex to extract files

Step 4: When you are finished, unmount the image. The command corresponding to the operation above is: imagex /unmount d:\msdn

Tip:

1. If you cannot use imagex.exe, go to Control Panel → Add New Hardware and manually install WIMFLTR.INF.

2. The folder that imagex maps the image to must already exist. If that folder already contains files, they will not disappear; they are "disguised" by Vista's installation files while the image is mapped.

Copyright © Windows knowledge All Rights Reserved