Drive virus is rampant. master teaches you the secret recipe for detoxification.

Source: People's Daily Author: Yang Rui

Drive trojan has recently become a hot topic in the security field. It is reported that since March, the author of drive trojan has updated several times, and the infection rate and damage are gradually increasing.
Drive Trojan Introduction: "Drive Trojan" is also called dummycom. After the program runs, it is disabled and stops 360 security guard from running security software such as Kabbah, rising, Jinshan, and Jiangmin, in addition, files containing "360" are deleted. After the infection, the smss.exeand lsass.exe processes are added. After the Task Manager is used, the computer restarts and a large number of Trojans are automatically downloaded to the local machine.

According to the analysis, the trojan uses different methods to disable the security software. By sending a bunch of spam messages, the security program crashes and even icesword is not spared. After running the program, smss.exe, lsass.exe, netcfg. dll, and other files will be generated under the Com directory of system32, and dsnq. dll files will be generated under system32. A file will be written to the startup Item of the Start menu at the moment of shutdown;

Note that the virus is infected with All executable files (*..

Symptoms after drive Trojan Infection:

1. Slow system operation, frequent crashes, blue screens, and error reports;

2. Two lss.exeand two smss.exe are displayed in the process, and the user name of the virus process is the current login user name;

3. The anti-virus software is damaged and cannot be enabled normally. Multiple Security auxiliary tools cannot be enabled normally;

4. system time tampering;

5 Gbit/s virus infected the .exe file, causing its icon to change;

6. Unable to enter the security mode;

7. Hidden Files cannot be displayed;

8. The Group Policy is damaged.

Drive trojan detection and removal

1. Use the rename method to temporarily change the name of cmd.exe in the "System32" and "dllcache" directories to" cm. dll "(figure 1). restart the system.

2. After the system is restarted, check the system32 and dllcache directories. We found that cm.dllis all behind the change, but a strange cmd.exe is found in the system32directory (SEE ). The logoof this example. exeis not the same as the normal example. .exe. This is not a virus found in the I386 directory, right? Khan! It is estimated that this DD cannot run.

32.16.pdf first, check that the virus file can be deleted manually (if that cmd.exe is used, NetApi000.sys can be loaded, and the virus has been fully run. Virus files cannot be deleted ).

Result: All virus files are deleted one by one.

Delete the abnormal cmd.exe in the system32directory in 4. Change cm.dllfrom system32and dllcachedirectory to cmd.exe. Note: My computer has only one partition. It's all done here. Multi-partition systems, non-system partitions, and viruses. After such processing, the problem cannot be completely solved. You also need to kill software and complete anti-virus. Remember!