Summary of detection and removal for "Pago", also known as "avterminator" (Kingsoft) and "USB disk parasite" (Jiangmin)

Source: Internet
Author: User
Analysis of a recent new variant: http://forum.ikaka.com/topic.asp?Board=28&artid=8340289
The dedicated removal tools cannot yet detect and remove this new variant.
Recently the virus called "Pago" (Rising's name), "avterminator" (Kingsoft's name) or "USB flash drive parasite" (Jiangmin's name) has spread widely.
Its main symptoms: anti-virus software, firewalls and small anti-virus utilities cannot be started, windows whose titles contain anti-virus-related words cannot be opened, Safe Mode is broken, hidden files cannot be displayed, and downloader Trojans are fetched.
This is another major virus outbreak following "pandatv".
In fact, these are the viruses we usually call the "7 random letters" virus and the "8 random letters and digits" virus.
They spread mainly through removable storage such as USB flash drives.
There are already dedicated removal tools and manual removal write-ups on the Internet. For convenience, I have collected the popular dedicated tool download addresses and manual removal articles below.
I. Manual detection and removal methods

First, determine which variant you have.
Method: open Task Manager and look for processes whose names are irregular strings of 7 random letters (usually there are two of them). This requires being familiar with the common Windows processes.
Common processes that can be excluded are as follows:
..
If two such irregular 7-letter processes are found, you are infected with the "7 random letters" variant.
Refer to the following articles.
http://hi.baidu.com/%B9%C2%B6%C0%B8%FC%BF%C9%BF%BF/blog/item/c7ff5731702b4718ebc4afd9.html
http://hi.baidu.com/%B9%C2%B6%C0%B8%FC%BF%C9%BF%BF/blog/item/512e9d1b2ccc1a188618bfb8.html
http://hi.baidu.com/%B9%C2%B6%C0%B8%FC%BF%C9%BF%BF/blog/item/40043130296b7798a9018eea.html
http://hi.baidu.com/%B9%C2%B6%C0%B8%FC%BF%C9%BF%BF/blog/item/67186ca74e1b0e94d1435802.html
http://hi.baidu.com/%B9%C2%B6%C0%B8%FC%BF%C9%BF%BF/blog/item/5991e5ef9a17b737acafd539.html
http://hi.baidu.com/newcenturysun/blog/item/683c772707ab2c02918f9dc9.html
http://hi.baidu.com/newcenturysun/blog/item/db3da71be85d3e188618bf5a.html

If no irregular 7-letter process is found, you may be infected with the variant that uses a random 8-character mix of letters and digits.
Refer to the following articles.
http://hi.baidu.com/newcenturysun/blog/item/2ad3d7cedcea3c0292457e2c.html
http://hi.baidu.com/newcenturysun/blog/item/76c1e41ffb59c4f4e0fe0bc6.html
http://hi.baidu.com/newcenturysun/blog/item/3f7b424e42983908b3de0596.html
http://hi.baidu.com/%B9%C2%B6%C0%B8%FC%BF%C9%BF%BF/blog/item/4f43b02fa60ec3391f308921.html
http://hi.baidu.com/%B9%C2%B6%C0%B8%FC%BF%C9%BF%BF/blog/item/ff17fa07495a3ccc7b8947ba.html
http://hi.baidu.com/%B9%C2%B6%C0%B8%FC%BF%C9%BF%BF/blog/item/c14b171206b97850f819b885.html
http://hi.baidu.com/%B9%C2%B6%C0%B8%FC%BF%C9%BF%BF/blog/item/230a82af1f6619cd7cd92a9d.html

Users of Kingsoft Duba can refer to: http://hi.baidu.com/litiejun/blog/item/479cdaed7d4ff84e78f055f0.html

Comprehensive detection and removal method: http://hi.baidu.com/litiejun/blog/item/479cdaed7d4ff84e78f055f0.html
II. Dedicated removal tools

Rising August "orange" dedicated removal tool
http://download.rising.com.cn/zsgj/orangeaug.com
Kingsoft avterminator dedicated removal tool (recommended)
http://down.www.kingsoft.com/db/download/othertools/DubaTool_AV_Killer2.COM
http://duba-011.duba.net/duba/kavtools/DubaTool_AV_Killer2.COM

Jiangmin community removal tool (unofficial edition)
[Updated in-22] Dedicated tool for the random 7- or 8-character virus! Easy to solve! (Registration required)
http://forum.jiangmin.com/dispbbs.asp?Boardid=2&id=489462&page=1

Antiy CERT Lab tool (official version)
http://www.antiy.com/download/AVLPK.BAT

After running a dedicated removal tool, the system still needs to be repaired.
The general steps for repairing the system are as follows:
1. Undo the IFEO image hijacking
You can use Autoruns: http://www.skycn.com/soft/17567.html
This tool is itself image-hijacked by the virus, so rename its executable before running it.
Open the tool and go to the Image Hijacks tab.
Delete every entry there except the legitimate one: "Your Image File Name Here without a path" (Symbolic Debugger for Windows 2000, Microsoft Corporation, C:\windows\system32\ntsd.exe).
You can also use the "null pointer" IFEO image hijacking repair tool:
Http://www.mopery.cn/mopery/ifeoheavy orientation hijacking Repair Tool .exe
2. Restore the display of hidden files
Paste the following text into Notepad and save it as 1.reg (backslashes inside string values must be doubled, as shown, or Regedit rejects the file).
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"RegPath"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced"
"Text"="@shell32.dll,-30500"
"Type"="radio"
"CheckedValue"=dword:00000001
"ValueName"="Hidden"
"DefaultValue"=dword:00000002
"HKeyRoot"=dword:80000001
"HelpID"="shell.hlp#51105"

Double-click 1.reg to import it into the registry.
3. Restore Safe Mode
Download SREng:
http://www.kztechs.com/sreng/download.html
Run SREng.
Go to System Repair > Advanced Repair > Repair Safe Mode, then click Yes in the pop-up dialog box.
4. The last and most important step is to delete autorun.inf and the EXE with the 7- or 8-character random name from the root of every partition.
Note: do not open the drives by double-clicking; delete the files from the right-click menu or with WinRAR.
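The following PowerShell audit script is an added example, not part of the original post or any of the vendor tools it links. It reports the artifacts that section I and repair steps 1, 2 and 4 above tell you to look for (IFEO Debugger entries other than the documented ntsd.exe one, processes with 7- or 8-character random names, a tampered SHOWALL value, and autorun.inf or random-named EXEs in drive roots) without deleting anything; it assumes a modern PowerShell rather than the XP-era machines the post was written for, and the allow-list of known process names is a constructed assumption that must be adapted to the machine.

```powershell
# Added audit script (not from the original post). Run in an elevated PowerShell.
# Assumed allow-list: legitimate processes whose names happen to be 7 or 8 characters.
$KnownProcesses = @('svchost','spoolsv','conhost','explorer','winlogon',
                    'lsass','csrss','smss','wininit','taskmgr','services')

function Get-IfeoHijacks {
    # Every Debugger value under IFEO except the legitimate ntsd.exe entry
    # (the one step 1 says to keep) is a candidate hijack.
    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    Get-ChildItem -Path $ifeo | ForEach-Object {
        $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ($dbg -and $dbg -notmatch 'ntsd\.exe') {
            [pscustomobject]@{ Image = $_.PSChildName; Debugger = $dbg }
        }
    }
}

function Get-SuspiciousProcesses {
    # 7 random letters or 8 random letters/digits, minus the well-known names
    # (a genuine unknown process still needs a human to look at its Path).
    Get-Process | Where-Object {
        ($_.ProcessName -match '^[a-z]{7}$' -or $_.ProcessName -match '^[a-z0-9]{8}$') -and
        ($KnownProcesses -notcontains $_.ProcessName.ToLower())
    } | Select-Object Id, ProcessName, Path
}

function Test-HiddenFilesSetting {
    # CheckedValue must be the DWORD 1; the virus zeroes it or retypes it as a string,
    # which is what the 1.reg file in step 2 puts back.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
    $val = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).CheckedValue
    return ($val -is [int] -and $val -eq 1)
}

function Get-AutorunArtifacts {
    # autorun.inf and short random-named EXEs in the root of every volume (step 4);
    # -Force is required because the virus marks them hidden.
    Get-PSDrive -PSProvider FileSystem | ForEach-Object {
        Get-ChildItem -LiteralPath $_.Root -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -ieq 'autorun.inf' -or $_.Name -match '^[a-z0-9]{7,8}\.exe$' } |
            Select-Object FullName, Attributes
    }
}

'--- IFEO Debugger entries other than ntsd.exe ---'; Get-IfeoHijacks
'--- processes with 7/8-character random names ---'; Get-SuspiciousProcesses
'--- hidden-file setting intact: ' + (Test-HiddenFilesSetting)
'--- autorun.inf / random-named EXEs in drive roots ---'; Get-AutorunArtifacts
```

Review each reported item by hand before removing it; a clean run prints nothing under the first, second and fourth headings and "True" under the third.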

For the downloader Trojans, run a full scan with anti-virus software or ask for help on the forum.
We hope the dedicated tools and manual methods above help you get rid of the virus!
