Manual removal of the AV Terminator and related malware: methods and tools

Source: Internet
Author: User
The AV Terminator virus has been spreading widely recently, and many people have been hit: antivirus software will not open, and even after formatting and reinstalling the C: drive the machine is reinfected immediately. Because the AV Terminator is constantly updated, antivirus software is always one step behind and cannot remove it.
Here is a small advertisement: I have created a new QQ group to give everyone a place to communicate; the group number is 4550740. Experts and friends who need help are all welcome to join. As I write this, the group has only me as its sole commander...
Now I will give you an approach to manual removal, using the "permanent downloader" as an example to show how to remove the virus by hand.
In fact, "AV Terminator" does not refer to one particular virus, and it has no remote-control or account-stealing function of its own. Its job is to download one or more Trojans from designated web sites. To protect itself, however, it takes a number of measures: it shuts down most antivirus and anti-malware software, creates an Autorun.inf in every partition, writes itself to the registry, sets up image hijacking, and so on.
The "permanent downloader" is a typical AV Terminator. As said above, the AV Terminator is not one specific virus, so I can only give a general approach to manual removal; following my steps exactly will not necessarily clear it completely. This tutorial is therefore aimed at people who know their computers fairly well. At the end of the article I will also give a method better suited to beginners: formatting the C: drive and reinstalling the system without being reinfected immediately.
Okay, let's get started.
As the saying goes, to do a good job one must first sharpen one's tools. So get three antivirus helper programs ready.
1. IceSword II 1.20 (ice blade)
Download Address: http://www.crsky.com/soft/6947.html
2. Autoruns
Download Address: http://www.crsky.com/soft/5285.html
3. SREng
Download Address: http://www.kztechs.com/sreng/download.html
Against this virus, IceSword and Autoruns do most of the work; the reason will become clear later.
If you used a USB flash drive, portable hard disk or similar while the machine was infected, it is best to clean them at the same time, so that you are not reinfected by the flash drive right after cleaning the machine.
Step One
First, rename the three programs; any name without a recognisable pattern will do. For example, here I renamed IceSword to Ii.exe, Autoruns to Aa.exe and SREng to Ss.exe.
As shown in Figure 1.


Many people say that the three programs above cannot be opened on an infected machine. That is because the virus applies image hijacking to the commonly used antivirus programs and antivirus helper tools: running these programs without renaming them is equivalent to executing the virus file. We can run Autoruns first (already renamed to Aa.exe; from here on I will refer to each program by its original name rather than the renamed file).
As shown in Figure 2.

What do you see? The names of the common antivirus programs and helper tools are basically all listed here. Running any program whose name matches an entry in this list is automatically redirected to run the virus file instead.

Step Two

Run IceSword and look for the virus processes. The permanent downloader has two processes that protect each other, and the Windows Task Manager cannot terminate them. This is where you need to know your computer fairly well, otherwise you will not recognise which processes belong to the virus. Because there are many kinds of AV Terminator, you have to judge for yourself which process is the virus.

As shown in Figure 3.

Once you have found the virus processes, first write down their file paths; you will need them later. Hold down Ctrl to select both processes, then right-click and end them. Because the two processes are killed at the same time, the virus's mutual process protection does not work. Refresh several times to check that no new virus process appears; if none does, you can proceed to the next step.

Step Three
Click "File" on the left side of IceSword, go to the two paths you noted above and delete the files. Then find Autorun.inf and *****.exe in the root directory of C:\, D:\, E:\ and the other partitions, where *****.exe is the program name written inside Autorun.inf; in my case it is epijcxh.exe.
As shown in Figure 4.

The AV Terminator has now improved its Autorun.inf: the "Auto" entry no longer appears in the right-click menu, and double-clicking still enters the partition, but whether you open the partition from the right-click menu or by double-clicking, the virus file runs. This is why many people are reinfected immediately after reinstalling the C: drive. To delete these files you must use third-party software such as WinRAR, IceSword or Total Commander, or the Windows cmd command line; otherwise entering the partition runs the virus program, and everything you did before has to be done again.
Note: after removing Autorun.inf and *****.exe, rather than right-clicking or double-clicking the partition, if you need to find a file or run a program you can type C: or D: (and so on) directly into the address bar and press Enter to get into that partition.
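Step Three asks you to read the program name out of Autorun.inf before deleting both files. The Python below is an added example, not tooling from the original article: it parses an Autorun.inf and collects every directive that launches a program (open, shellexecute and shell\...\command), so that all dropped files in a partition root are found, not just the one named in open=. The sample Autorun.inf text is constructed and reuses the epijcxh.exe name from the page.

```python
import re

# Constructed sample in the pattern the article describes: a root-directory Autorun.inf
# that runs the dropped executable on double-click and from every right-click entry.
SAMPLE_AUTORUN_INF = r"""
[AutoRun]
open=epijcxh.exe
shell\open=Open(&O)
shell\open\Command=epijcxh.exe
shell\explore=Explore(&X)
shell\explore\Command="epijcxh.exe" -e
shellexecute=epijcxh.exe
"""

# Directives under [AutoRun] that cause a program to run (Windows treats them case-insensitively).
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$", re.IGNORECASE)

def _program_name(command):
    """First token of a command line, honouring quotes: '"a b.exe" -e' -> 'a b.exe'."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    parts = command.split()
    return parts[0] if parts else ""

def autorun_targets(text):
    """Map each launch directive in the [AutoRun] section to the program it runs."""
    targets = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):          # blank lines and .inf comments
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:  # menu labels without '=' are skipped
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if LAUNCH_KEY.match(key):
            targets[key.lower()] = _program_name(value)
    return targets

def dropped_programs(text):
    """Distinct file names to delete beside Autorun.inf in the partition root."""
    return sorted({name.lower() for name in autorun_targets(text).values() if name})
```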
Step Four
Now it is Autoruns' turn. Run Autoruns and click the "Logon" tab to find the startup commands the virus wrote to the registry. Right-click and delete both entries. They show "File not found" because we already deleted the two files in IceSword.
As shown in Figure 5.

Then click the "Image Hijacks" tab and delete every entry except the last one, "Your Image File Name Here without a path", which points to c:\windows\system32\ntsd.exe. Tiring, there are so many of them... After the deletion it should look like Figure 6.
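Step One shows the image hijacks that redirect the antivirus tools, and this step deletes them. As an added example, not the article's own tooling, the Python below reads a .reg-style export of the Image File Execution Options key (the registry location Autoruns shows on that tab) and lists every Debugger redirect except the stock ntsd entry, which is exactly the set this step removes. The export text is constructed and its debugger paths are placeholders.

```python
import re

# Constructed .reg-style export of the Image File Execution Options (IFEO) key; the
# Debugger paths are placeholders, not indicators from the article.
SAMPLE_IFEO_EXPORT = r"""
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path]
"Debugger"="ntsd -d"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IceSword.exe]
"Debugger"="C:\\WINDOWS\\system32\\drivers\\PLACEHOLDER_dropper.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe]
"Debugger"="C:\\WINDOWS\\system32\\drivers\\PLACEHOLDER_dropper.exe"
"""

IFEO_PREFIX = "\\image file execution options\\"   # lower-cased for matching
KEY_LINE = re.compile(r"^\[(.+)\]$")
DEBUGGER_LINE = re.compile(r'^"Debugger"="(.*)"$', re.IGNORECASE)

def ifeo_debuggers(reg_text):
    """Map each hijacked image name to the Debugger command Windows runs in its place."""
    debuggers, image = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key = KEY_LINE.match(line)
        if key:
            idx = key.group(1).lower().find(IFEO_PREFIX)
            # Only subkeys below IFEO name an image; the IFEO key itself yields None.
            image = key.group(1)[idx + len(IFEO_PREFIX):] if idx >= 0 else None
            continue
        dbg = DEBUGGER_LINE.match(line)
        if dbg and image:
            debuggers[image] = dbg.group(1).replace("\\\\", "\\")  # undo .reg escaping
    return debuggers

def is_ntsd(command):
    """True for the stock entry whose debugger is ntsd, with or without a path or .exe."""
    tokens = command.replace('"', "").split()
    base = tokens[0].replace("/", "\\").rsplit("\\", 1)[-1].lower() if tokens else ""
    return base in ("ntsd", "ntsd.exe")

def suspicious_hijacks(reg_text):
    """The entries step Four deletes: every Debugger redirect except the ntsd one."""
    return {img: cmd for img, cmd in ifeo_debuggers(reg_text).items() if not is_ntsd(cmd)}
```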

At this point the AV Terminator itself has basically been cleared. Heh, I know it is not over yet: we have only cleared the AV Terminator, not the Trojan it downloaded. You will have noticed the red iexplorer process in Figure 3; this is the Gray Pigeon Trojan process that the AV Terminator downloaded. IceSword can discover hidden processes and shows them in red; they are not visible in the Windows Task Manager. In general, a red process like this is not a good sign.
As said at the start of the article, there are many kinds of AV Terminator, and not all of them write to the registry startup key the way the "permanent downloader" does. So now it is SREng's turn: use SREng to scan the registry startup entries, services and drivers and check them once more. Combined with IceSword, the Trojan can be removed as well. Because using SREng properly requires a good understanding of services and drivers, beginners can use SREng's smart scan to generate a report and post it to one of the big forums, asking an expert what to delete. I will not go into how to remove Gray Pigeon by hand here; with SREng and IceSword it can be removed easily.

I am also considering making an animated tutorial, but the machine in my office at the moment is very poor and not very convenient; I will do it when I have time.
Welcome to join Group: 4550740
