Virus and Trojan removal: manually killing Panda Burning Incense
I. Preface
For the first study in this series I chose the "Panda Burning Incense" virus. I picked it mainly because it is representative. On the one hand, it had a huge impact at the time, so that even people outside the computer field had heard of it; on the other hand, it does not use many advanced techniques. Even by the standards of its day the methods it relies on are quite ordinary, and the knowledge we already have is enough to analyze it. I therefore believe that starting with this virus will free readers who have never done virus research from their fear of viruses and make a good start for the whole learning process.
This article first looks at how to scan for and remove Panda Burning Incense manually. "Manual" here means removing the virus without writing any code: frankly, it is done mostly by pointing and clicking, with a few DOS (cmd) commands where needed. It must be admitted that this method is superficial and often cannot clean a virus out completely. Still, learning manual removal helps us understand anti-virus work better and lays the foundation for the deeper discussion later in the series.
Note that manual removal does not mean working without any software at all; some professional analysis tools are very helpful, and I will introduce them as we study different viruses. Also, for safety reasons none of the articles in this series will provide a virus sample. Please find one yourself; I only give the basic information about the sample I used.
II. Manual virus removal process
There is a more or less "fixed" procedure for manually removing viruses and Trojans, summarized as follows:
1. Find and terminate suspicious processes. A virus usually creates one or more processes, so we need to work out which running processes belong to it and terminate them.
2. Check the startup items. To run automatically after a reboot, the virus adds itself to the startup items in one way or another, so we must remove it from there.
3. Delete the virus. Checking the startup items in the previous step usually tells us where the virus body is located, which makes deleting the file easy.
4. Repair files damaged by the virus. This step generally cannot be done by hand; it needs a dedicated tool, and it is not the focus of this article.
III. Virus detection and removal
The basic information about the "Panda Burning Incense" sample studied here is:
MD5: 87551e33d517442424e586d25a9f8522
SHA-1: cbbab116801165d5de593259c9b2fe4b0d967bc7
File size: 59 KB
The sample you find on the Internet may differ from mine, but the variants behave essentially the same way, and the core idea of detecting and removing them is identical.
I copy the sample into the virtual machine prepared earlier (be sure to take a snapshot or backup first). Before running it, open Task Manager to look at the current processes:
Figure 1: Task Manager before running the virus
Because my virtual machine has no additional software installed, it is very clean: 18 processes in total (including Task Manager itself), all of which the system needs. Having such a clean system to compare against a suspected infected one is often useful. Next we run the virus and try to open Task Manager again, and find that it closes immediately after opening. This shows the virus is already affecting the system; the first visible effect is that Task Manager cannot be kept open. That does not matter, because we can list processes from cmd with the "tasklist" command:
Figure 2: Viewing processes in cmd after infection
Comparing this list with the clean baseline, the extra process is spoclsv.exe, which in my run has PID 1820. We can terminate it with "taskkill /f /pid 1820" (forcibly terminate the process whose PID is 1820). The PID will differ on your machine, so "taskkill /f /im spoclsv.exe" (forcibly terminate every process with that image name) is the more portable form:
Figure 3: Terminating the virus process
After that, Task Manager opens normally, which shows the first step has succeeded. Next we check the startup items by entering "msconfig" in "Run":
Figure 4: Viewing startup items
We can quickly spot the entry for spoclsv.exe. Write down its file location first:
C:\WINDOWS\system32\drivers\spoclsv.exe
and then its registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Then open the Registry Editor (regedit), navigate to that key, delete the value whose data points at spoclsv.exe, and delete the virus file itself at the path above:
Figure 5: Deleting the virus file
After that, restart the system and open Task Manager again; it now opens normally, confirming that the cleanup so far has worked. Next open "My Computer" and right-click each drive letter (my system only has drive C):
Figure 6: Right-clicking a drive letter
When removing viruses by hand, get into the habit of opening drives from the right-click menu rather than by double-clicking, since a double-click runs whatever the drive's autorun.inf specifies. Here we can see an "Auto" item in the right-click menu, so it is obvious that drive C contains an autorun.inf file (see article 006 of this series, Anti-Virus Defense: Using WinRAR and AutoRun.inf). We can confirm this in cmd:
Figure 7: Viewing hidden files
I already know that drive C contains autorun.inf, but a plain "dir" does not show it, so it must have the hidden attribute. Use "dir /ah" (list files and folders with the hidden attribute; anything that shows up here that you did not create yourself is suspicious). Because both suspicious files carry the hidden attribute, clear the attributes before deleting them, for example "attrib -s -h -r autorun.inf" followed by "del autorun.inf", and the same for the second hidden file, the executable that autorun.inf launches:
Figure 8: Deleting the autostart files
After restarting the system once more, the manual removal is complete and the system behaves normally again. Note that this only removes the dropper, its autostart entry and the autorun.inf on the drive root; executable files the virus has already infected or damaged (step 4 of the procedure) still need a dedicated repair tool.
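The procedure in sections II and III (compare processes against a clean baseline, inspect autostart entries, look for hidden files in drive roots and what autorun.inf launches, then kill, unregister and delete) can be scripted so that it is repeatable and can be reviewed as a dry run before anything is deleted. The following PowerShell script is an added example written for this page; it is not part of the original article and not a tool the author used. It assumes a baseline process list was saved on the clean VM before infection, takes the file name spoclsv.exe and the HKCU Run key from the article as its starting points, and generalizes the article's single key to the HKLM and RunOnce keys as well. Run it from an elevated PowerShell.

```powershell
# Added example (not from the original article): scripted version of the manual
# triage and removal steps. Defaults are assumptions taken from this article
# (suspect image name spoclsv.exe); the key list extends the article's HKCU\...\Run.
param(
    [string]$BaselinePath = "$env:USERPROFILE\baseline-processes.txt",
    [string]$Suspect      = 'spoclsv.exe',
    [switch]$SaveBaseline,   # run once on the clean VM before infecting it
    [switch]$Remove          # without it the script only reports (dry run)
)

$runKeys = @(
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-ProcessNames {
    # Lower-cased, de-duplicated image names: the scripted form of reading tasklist.
    Get-Process | ForEach-Object { $_.ProcessName.ToLower() } | Sort-Object -Unique
}

function Get-RunEntries {
    # Every value under the autostart keys, as (Key, Name, Command) records.
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, ...
            [pscustomobject]@{ Key = $key; Name = $p.Name; Command = [string]$p.Value }
        }
    }
}

function Get-AutorunTargets([string]$InfPath) {
    # What an autorun.inf would execute: open=, shellexecute= and shell\<verb>\command= lines.
    Get-Content -LiteralPath $InfPath | ForEach-Object {
        if ($_ -match '^\s*(open|shellexecute|shell\\[^\\]+\\command)\s*=\s*(.+?)\s*$') { $Matches[2] }
    }
}

function Remove-HiddenFile([string]$Path) {
    # Equivalent of "attrib -s -h -r <file>" followed by "del <file>".
    $item = Get-Item -LiteralPath $Path -Force -ErrorAction SilentlyContinue
    if ($null -eq $item) { return }
    $item.Attributes = 'Normal'
    Remove-Item -LiteralPath $Path -Force
    "Deleted $Path"
}

if ($SaveBaseline) {
    Get-ProcessNames | Set-Content -Path $BaselinePath
    "Baseline written to $BaselinePath"
    return
}

# Step 1: processes running now that were absent from the clean baseline.
$baseline = Get-Content -Path $BaselinePath
"== Processes not in baseline =="
Get-ProcessNames | Where-Object { $baseline -notcontains $_ }

# Step 2: autostart entries with their command lines.
"== Autostart entries =="
$runEntries = @(Get-RunEntries)
$runEntries | Format-Table -AutoSize | Out-String

# Step 3: hidden files in each local drive root, and what any autorun.inf there launches.
"== Hidden files in drive roots =="
$drives = Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Root -match '^[A-Z]:\\$' }
foreach ($drive in $drives) {
    Get-ChildItem -Path $drive.Root -Force -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes -band [IO.FileAttributes]::Hidden } |
        ForEach-Object { '{0}  [{1}]' -f $_.FullName, $_.Attributes }
    $inf = Join-Path $drive.Root 'autorun.inf'
    if (Test-Path -LiteralPath $inf) {
        Get-AutorunTargets $inf | ForEach-Object { "  $inf launches: $_" }
    }
}

if (-not $Remove) { "Dry run only. Re-run with -Remove to act on '$Suspect'."; return }

# Same order as the manual procedure: kill the process, drop the Run value, delete the
# body, then each drive's autorun.inf together with the file it points at.
Stop-Process -Name ([IO.Path]::GetFileNameWithoutExtension($Suspect)) -Force -ErrorAction SilentlyContinue
foreach ($e in $runEntries | Where-Object { $_.Command -like "*$Suspect*" }) {
    Remove-ItemProperty -Path $e.Key -Name $e.Name
    "Removed autostart value '$($e.Name)' from $($e.Key)"
    Remove-HiddenFile (($e.Command -replace '"', '').Trim())   # value data is the dropped file's path
}
foreach ($drive in $drives) {
    $inf = Join-Path $drive.Root 'autorun.inf'
    if (-not (Test-Path -LiteralPath $inf)) { continue }
    foreach ($t in Get-AutorunTargets $inf) {
        $t = ($t -replace '"', '').Trim()
        if (-not [IO.Path]::IsPathRooted($t)) { $t = Join-Path $drive.Root $t }
        Remove-HiddenFile $t
    }
    Remove-HiddenFile $inf
}
```

Run it once with -SaveBaseline on the clean snapshot, then after infection run it without switches to get the report (the dry run is the scripted equivalent of tasklist, msconfig and dir /ah), and only add -Remove once you have confirmed that the extra process, the Run value and the hidden root files are the ones you expect. The script does not touch infected executables elsewhere on the disk, which is step 4 of the procedure and needs a repair tool.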
IV. Summary
In fact, Panda Burning Incense does far more damage to a computer than what we have dealt with here; the point of this article is only that the basic cleanup can be done without any auxiliary tools. That concludes the manual removal of the "Panda Burning Incense" virus. The viruses studied later in the series are more powerful than Panda Burning Incense, and for them we will have to rely on professional tools. I also hope you will try this yourself and, starting here, lose your fear of viruses.