Manual virus removal on a computer at a Dixintong phone chain store


Chen Xiaobing

For an operating system infected with a virus, two approaches are generally taken: reinstall the system, or clean the virus out completely. If the system was backed up right after installation, you can simply restore it. The second approach is harder and carries some risk. My wife wanted a new mobile phone, so I bought one at a Dixintong phone store. The phone came with a memory card, and I wanted to copy some ringtones onto it from the store's computer; as soon as the card was inserted, the computer became extremely slow, and I guessed it was infected. If remote-control software or a mobile virus were accidentally installed on the phone, your privacy would be completely exposed! Out of professional habit I went straight to work and had it cleaned up in short order. Seeing that I was proficient, the store manager asked for my mobile phone number, and the manual virus cleanup described here followed later. Below I walk through the entire cleanup process with you.

I. Fault Symptoms

Before 8 o'clock I was woken by my cell phone; I was still a little annoyed at being pulled out of a dream, but a call this early must mean something urgent! After taking the call, I learned that the dedicated computer at the phone store in Changping had gone on strike: after booting, it was extremely slow, any program took three or four minutes to open, and it could not log on to the business system. The computer connects to the headquarters' ERP system and is responsible for printing invoices; it reaches the Internet through a CDMA network card. The store manager was very worried and thought of me (haha, building up goodwill in ordinary times matters; some customers come to you on their own). I suppose the security hardening and virus cleaning I did the last time I helped with a Dixintong work computer had gone well, so they thought of me when a problem came up. Haha, a security problem; I like those, that is not a bad thing at all!

II. Initial Diagnosis

After arriving on site, I first made a preliminary diagnosis of the computer and learned the details of its problems. From questioning the staff, the following judgments could be made:

(1) the computer is definitely infected with viruses;

(2) the computer has never been hardened, not even with simple security hardening;

(3) the operating system has not been backed up, and all important business systems are on the system disk;

(4) the virus was probably introduced and spread through USB flash drives and the network.

Because the system had not been backed up, reinstalling it was obviously not feasible. Although reinstalling is the most secure and convenient method, many of the business systems are deployed directly by the company, and it is difficult to restore them after a reinstall. Given the actual situation, only manual virus removal could be done.

III. A Tough Virus Removal Process

(1) Clear some of the viruses

1. Create a tool disk for virus detection and removal

Although this is called manual removal, some tools are still used; it could be done purely by hand, but since useful tool software exists, why keep it at arm's length! First prepare a readable and writable USB disk; if none is available, the tools can be burned to a CD. In this cleanup, Dixintong's work computers are issued uniformly by the company, the optical drive is removed before delivery, and the store had no spare drive, so only a USB flash drive could be used. On the USB flash drive I prepared the following software:

(1) Autoruns: view and clean registry auto-start entries and services

(2) CurrPorts.exe: view network connection information

(3) 360 Security Guard installer: cleans up malicious plug-ins

(4) Avira AntiVir (the "red umbrella" anti-virus): virus detection and removal

(5) IceSword: handling stubborn, hard-to-treat problems

(6) Process Explorer: view and terminate processes

(7) One-click GHOST: back up and restore the operating system

2. Solve the problem that CMD cannot run

The virus had modified the file associations so that executable programs could not be opened; CMD closed immediately after it was opened. Entering "command" directly in "Run" opened the old DOS window, from which the files on the USB flash drive were copied to drive D. During the copy, the USB flash drive virus kept trying to read and write the USB drive, and because the drive had been set to read-only there was a constant read/write disk error. Checking the processes in Task Manager showed many suspicious ones. Selecting and ending a suspicious process either failed, or the process was restarted immediately after it was killed; the virus had evidently taken some self-protection measures. Ignoring that, I ran the autoruns program directly from the tool directory.

Note:

(1) In many cases a virus modifies the registry and file associations. When a file is opened, the "Open With" dialog keeps appearing, and even when the correct executable is selected the file cannot be executed; for example, choosing Notepad to open a .txt file gives an error. In this situation, one approach is to restore the registry, and the other is to load the executable through the command prompt for cleanup, including executing some DOS commands.

(2) Viruses usually disable executable programs such as CMD and the Registry Editor. In this case you need to run commands to restore the registry in the system.
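The file-association hijack described in these notes can be checked mechanically. The following is an added example, not code from the article: it classifies the value of HKEY_CLASSES_ROOT\exefile\shell\open\command (whose Windows XP default, assumed here, is "%1" %*), names the interposed loader when one has been prepended, and emits the .reg text that restores the default. All sample values and the loader_placeholder.exe paths are constructed for the demo.

```python
"""Added example: detect a hijacked exefile association and emit the registry
text that restores it.

Assumptions (not from the article): the Windows XP default value of
HKEY_CLASSES_ROOT\exefile\shell\open\command is  "%1" %*  and a hijack
inserts a loader program in front of it. All sample values are constructed.
"""
import re

# Default "open" command for .exe files: run the file itself with its arguments.
CLEAN_EXE_COMMAND = '"%1" %*'

# Constructed sample registry values of the kind seen on an infected machine.
# The loader paths are placeholders, not real malware file names.
SAMPLES = {
    "clean": '"%1" %*',
    "hijacked_quoted": r'"C:\WINDOWS\system32\loader_placeholder.exe" "%1" %*',
    "hijacked_bare": r'C:\WINDOWS\Temp\loader_placeholder.exe "%1" %*',
}


def tokens(command):
    """Split a shell open command into arguments, honouring double quotes."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', command)]


def classify_open_command(value):
    """Return ("clean", None), ("hijacked", loader_path) or ("suspicious", value).

    A clean command launches the target itself ("%1") with its arguments ("%*").
    If the first argument is anything other than %1, that program is started
    instead of the file the user double-clicked, and it is reported as the loader.
    """
    args = tokens(value)
    if args == ["%1", "%*"]:
        return "clean", None
    if args and args[0] != "%1":
        return "hijacked", args[0]
    return "suspicious", value


def restore_reg_text():
    """Text of a .reg file that puts the .exe association back to its default.

    Import it with regedit (or reg.exe import) once the registry editor is
    usable again; .reg files escape embedded quotes with a backslash.
    """
    return (
        "Windows Registry Editor Version 5.00\r\n\r\n"
        "[HKEY_CLASSES_ROOT\\.exe]\r\n"
        '@="exefile"\r\n\r\n'
        "[HKEY_CLASSES_ROOT\\exefile\\shell\\open\\command]\r\n"
        '@="\\"%1\\" %*"\r\n'
    )


if __name__ == "__main__":
    for label, value in SAMPLES.items():
        status, detail = classify_open_command(value)
        print(f"{label:16s} {status:10s} {detail or ''}")
    print(restore_reg_text())
```

The tokenizer tolerates an unquoted %1, so only a genuinely interposed program is reported as a hijack; an empty or otherwise malformed value is reported as suspicious rather than guessed at.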

3. Use Autoruns to clear viruses

(1) Clear the trojan entry in Scheduled Tasks

1. Click "Scheduled Tasks" in the main Autoruns window. An At1.job entry is shown whose description displays "Microsoft Corporation" and whose executable path is "C:\WINDOWS\system32\winhelp.exe". At first glance this load entry is a virus; select it and delete it directly.

Figure 1: Clearing the trojan entry in Scheduled Tasks using Autoruns

Note:

(1) If you are familiar with the executable files in the system, you know that the legitimate winhelp files are found in C:\WINDOWS and C:\WINDOWS\system32\dllcache, as shown in Figure 2.

Figure 2: The correct path and file size of the normal winhelp file

(2) From practical experience, this winhelp is a USB flash drive virus, so it must be cleared.

(2) Install the One-click Ghost software

Many of you may ask why One-click Ghost needs to be installed at this step. This step is very simple and very necessary! Much of today's virus software is quite vicious and infects the system deeply; one careless move and the system will no longer boot. So after the tools are in place, install the Ghost backup and restore software as soon as possible, back up the system once the installation is complete, and only then clean up the virus. If the cleanup fails or something unexpected happens, the system can be recovered in time.

(3) Make a secure backup of the system

After installing the Ghost software, back up the system. Note that the backup must be made after the system has been restarted and runs normally; otherwise the backup is meaningless. I will not go into detail on One-click Ghost backup.

(4) Clear suspicious and virus-loaded services

Run the command again to start Autoruns. In the Autoruns main window click "Services", as shown in Figure 3. Many services whose files cannot be found are listed, and some names closely resemble normal service and file names. Delete the suspicious services and the services that load the virus. If you have no experience with virus cleaning, we recommend first familiarizing yourself with the normal services and programs on a clean computer, to avoid deleting the wrong thing! Although the rule when cleaning services is "better to kill a thousand by mistake than let one go", we recommend verifying the path of each service's file; if you have Internet access, you can search on Google to verify whether the service is a normal file.

Figure 3: Clearing suspicious and virus-loaded service entries

(5) Clear suspicious and virus drivers

Click "Drivers" in Autoruns, as shown in Figure 4. The naivaf5x.sys and mvstdi5x.sys drivers have no description or publisher and are obviously prime suspects; select them and delete them directly. Drag the scroll bar down to delete the remaining suspicious services. Delete
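The three Autoruns passes above (Scheduled Tasks, Services, Drivers) each apply the same rules by eye: the image file is missing, the entry has no description or publisher, a well-known file name sits outside its normal directory, or a service name imitates a legitimate one. The following added example, which is not code from the article or from Sysinternals, applies those rules to an Autoruns CSV export. It assumes the column names of an autorunsc -c export and that a missing image is reported as "File not found: <path>"; the sample export and the known-good lists are constructed for the demo (the winhelp.exe, At1.job, naivaf5x.sys and mvstdi5x.sys rows mirror the article, the other rows are made up).

```python
"""Added example: triage an Autoruns CSV export with the rules the article
applies by hand.

Assumptions (not from the article): column names follow a Sysinternals
autorunsc -c export, a missing image is reported as "File not found: <path>",
and the known-good lists below are constructed for the demo, not authoritative.
"""
import csv
import difflib
import io

# Constructed sample export. The At1.job/winhelp.exe, naivaf5x.sys and
# mvstdi5x.sys rows mirror the article; the other rows are made up.
SAMPLE_EXPORT = r"""Entry Location,Entry,Enabled,Category,Description,Company,Image Path
Task Scheduler,At1.job,enabled,Tasks,Microsoft Corporation,,c:\windows\system32\winhelp.exe
HKLM\System\CurrentControlSet\Services,Spooler,enabled,Services,Print Spooler,Microsoft Corporation,c:\windows\system32\spoolsv.exe
HKLM\System\CurrentControlSet\Services,Spoo1er,enabled,Services,,,c:\windows\system32\spoo1er.exe
HKLM\System\CurrentControlSet\Services,wscsvcx,enabled,Services,,,File not found: c:\windows\system32\wscsvcx.dll
HKLM\System\CurrentControlSet\Services,naivaf5x,enabled,Drivers,,,c:\windows\system32\drivers\naivaf5x.sys
HKLM\System\CurrentControlSet\Services,mvstdi5x,enabled,Drivers,,,c:\windows\system32\drivers\mvstdi5x.sys
"""

# Constructed allow-lists: service names a clean machine is expected to have,
# and the only locations where a given well-known file name should appear
# (the article gives C:\WINDOWS and C:\WINDOWS\system32\dllcache for winhelp.exe).
KNOWN_SERVICES = {"Spooler", "BITS", "Dhcp", "Dnscache", "Eventlog", "wscsvc"}
KNOWN_LOCATIONS = {
    "winhelp.exe": {r"c:\windows\winhelp.exe", r"c:\windows\system32\dllcache\winhelp.exe"},
}


def closest_known_service(name, known=KNOWN_SERVICES, threshold=0.8):
    """Return the legitimate service name that `name` imitates, or None.

    An exact (case-insensitive) match is the real service and is never reported;
    a near match such as Spoo1er for Spooler is a lookalike.
    """
    lowered = {k.lower(): k for k in known}
    if name.lower() in lowered:
        return None
    for low, original in lowered.items():
        if difflib.SequenceMatcher(None, name.lower(), low).ratio() >= threshold:
            return original
    return None


def triage(csv_text, known_services=KNOWN_SERVICES, known_locations=KNOWN_LOCATIONS):
    """Map each suspicious entry name to the list of reasons it was flagged."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        entry = row["Entry"]
        image = row["Image Path"].strip().lower()
        reasons = []
        if image.startswith("file not found"):
            reasons.append("image file missing (stale loader left behind by a removed component)")
        if not row["Description"].strip() or not row["Company"].strip():
            reasons.append("no description or publisher")
        file_name = image.rsplit("\\", 1)[-1]
        allowed = known_locations.get(file_name)
        if allowed and image not in allowed:
            reasons.append(f"{file_name} outside its normal locations {sorted(allowed)}")
        if row["Category"] == "Services":
            lookalike = closest_known_service(entry, known_services)
            if lookalike:
                reasons.append(f"name resembles the legitimate service {lookalike}")
        if reasons:
            findings[entry] = reasons
    return findings


if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE_EXPORT).items():
        print(entry)
        for reason in reasons:
            print("   -", reason)
```

The output is a shortlist to verify, not a delete list: as the article says, confirm each flagged file path (and search the name if you have Internet access) before removing the entry, because a legitimate service with a deleted binary is flagged by the same "file missing" rule as a leftover virus loader.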
