The attachments mentioned in this post are available on the following site, but you have to register to download them. Registration is simple.
/thread-537690- 1-2.html
Yesterday several students were unfortunately hit by this virus, and I finally got to see it first-hand. It is really nasty, though I don't know whether there is only one strain or several variants. I'll share the fixes I came up with here. (Note: a dedicated removal tool is out now; it is from Jinshan. Thanks to the friends in Bao Min; the original post is /thread-542791-1.html, and the removal tool is included as attachment 6 below for reference.)
The symptoms of the virus are: an autorun.inf file and an executable with a random numeric name are generated in the root of every partition except the system drive, and related .dat and .dll files are generated in the folder C:\Program Files\Common Files\Microsoft Shared\MSInfo, some of which are added to the startup items and some registered under a CLSID. The registry is tampered with in many places, especially the drive shell commands for the partitions and the program redirection entries under Image File Execution Options. Basically everything antivirus-related is blocked: antivirus software is killed and cannot be opened. Even IceSword ("ice blade") has to be renamed before it will run, which shows that the virus checks both the file name and what the original post calls the "film name". Checking with Unlocker shows that the DLL is loaded into the explorer process. If you type virus-related keywords into IE, the window is closed automatically.
Because I did this over remote control, I didn't record the steps as carefully as I had hoped; I hope nothing is missing. Let's go through the steps.
Solution:
1. First turn off System Restore and clear temporary files.
2. Import the "Restore Hidden" registry file from attachment 1, then in Folder Options, on the View tab, uncheck "Hide protected operating system files", select "Show hidden files and folders", and confirm.
3. Use Explorer. Note: from now on, do not double-click any drive letter; open the drive through the Explorer folder tree instead, otherwise all previous efforts may be wasted. When you open drive D you should find an autorun.inf file and an executable with an irregular name (a string of digits, sometimes letters). Write down that file name; it is referred to as X below.
4. Search for "autorun.inf", ticking "Search system folders", "Search hidden files and folders" and "Search subfolders" in the advanced options, and delete every file found.
5. Search for X (the file name you just wrote down), with the same advanced options as above. After the search, delete the copy of X in every partition. Then two hidden files will appear in the folder C:\Program Files\Common Files\Microsoft Shared\MSInfo (according to other users it has also appeared under the Windows folder, but I haven't seen that myself): one .dat and one .dll. These are the culprits. The DLL is loaded into processes such as explorer, so it stays locked as long as those programs run. Use Unlocker from attachment 2 (after extracting, run the portable-setup script first) to unlock them all, and delete the two files after confirming.
6. Run the file delold from attachment 3, again being careful not to double-click any partition.
7. Open Run, type regedit, and in the registry search for the file name X, deleting every related key and value one by one.
8. In Explorer, search again for autorun.inf and X (do not include the extension, or just search for x.*). Delete whatever remains, because files such as .hlp and .chm may also have been generated. Then fully immunize the drives with the software in attachment 4 and search for autorun.inf once more; if it now only shows up as a folder, that is fine.
9. If you cannot get into Safe Mode normally, double-click the registry file in attachment 5 to import it and restore Safe Mode.
10. Install antivirus software, update it to the latest version, and take the time to do a thorough scan in Safe Mode.
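To check whether the symptoms described above are present before (and after) working through the steps, here is a read-only PowerShell audit. It is an added example, not code from the original post or its attachments; it assumes an elevated PowerShell 3.0 or later on the affected machine, and the MSInfo path and registry keys it looks at are the ones named in the post.

```powershell
# Read-only audit for the symptoms described above. This is an added example,
# not code from the original post or its attachments. Assumes an elevated
# PowerShell (3.0+) on the infected host; it only reports, you decide what to delete.
$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding($check, $where, $detail) {
    $findings.Add([pscustomobject]@{ Check = $check; Where = $where; Detail = $detail })
}

# 1. autorun.inf in every drive root, plus the executable it launches (the "X" above)
foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    $inf = Join-Path $drive.Root 'autorun.inf'
    if (-not (Test-Path -LiteralPath $inf)) { continue }
    $targets = @()
    foreach ($line in Get-Content -LiteralPath $inf -Force) {
        # open=, shellexecute= and shell\<verb>\command= all run a file on double-click
        if ($line -match '^\s*(open|shellexecute|shell\\[^\\=]+\\command)\s*=\s*(.+?)\s*$') {
            $targets += $Matches[2]
        }
    }
    Add-Finding 'autorun.inf' $inf ('launches: ' + ($targets -join '; '))
}

# 2. Hidden .dat/.dll files dropped in the MSInfo folder named in the post
$msinfo = Join-Path $env:CommonProgramFiles 'Microsoft Shared\MSInfo'
Get-ChildItem -LiteralPath $msinfo -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer -and ($_.Extension -in '.dat', '.dll') -and
                   ($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0 } |
    ForEach-Object { Add-Finding 'hidden file in MSInfo' $_.FullName "$($_.Length) bytes" }

# 3. Image File Execution Options "Debugger" hijacks, which redirect security tools
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
foreach ($key in Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue) {
    $dbg = (Get-ItemProperty -Path $key.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ($dbg) { Add-Finding 'IFEO Debugger' $key.PSChildName $dbg }
}

# 4. Modules explorer.exe has loaded from the MSInfo folder (the DLL the post
#    says hangs in explorer); reading another process's modules needs elevation
foreach ($proc in Get-Process explorer -ErrorAction SilentlyContinue) {
    try {
        $proc.Modules | Where-Object { $_.FileName -like "$msinfo\*" } |
            ForEach-Object { Add-Finding 'explorer module' $_.FileName "PID $($proc.Id)" }
    } catch { Add-Finding 'explorer module' "PID $($proc.Id)" "cannot read modules: $_" }
}

$findings | Format-Table -AutoSize
```

A clean machine should produce an empty table; any autorun.inf entry, hidden MSInfo file, Debugger value or MSInfo module in explorer is something to look at by hand.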
Of course, you can also use this complete removal tool: /index.php/344881/action_viewspace_itemid_106955.
You can also use SREng's intelligent repair to delete the related startup items, as well as USBCleaner and USBKill, which are easy to find online, so I won't upload every attachment given the size limit.
Also, sometimes unlocking with Unlocker automatically adds explorer to the list, which shows that the virus has strong self-protection and control over the explorer process. If it doesn't work in normal mode, repair Safe Mode with attachment 5 first, then repeat the steps in Safe Mode. You may need several attempts before the DLL is completely unlocked.
In the course of solving this problem my classmates helped me a great deal, and the mmzz moderators also provided some methods. Thanks to all of them here; I hope this helps you deal with this virus. If you have any questions, please leave a message and we can discuss it further. Wish you all the best.
References:
/thread-537690- 1-2.html