Urgent ~ ~ I don't know what virus the computer has hit, and I can't open the antivirus software and website!
"AV Terminator" is a family of viruses that attack antivirus software, disable the system's safe mode and implant a Trojan downloader. The name refers to a group of viruses, Trojans and worms that share the destructive effects described below. The "AV" in "AV Terminator" is the abbreviation of the English "Anti-Virus". It can disable the normal monitoring and protection functions of a large number of antivirus products and personal firewalls, lowering the security of users' computers and leaving them vulnerable to virus attacks. At the same time, it downloads and runs other hacker viruses and malicious programs, which seriously threatens the personal and property safety of users on the Internet. In addition, it prevents the computer from entering safe mode, and it can spread through removable disks. The virus has already produced several new variants, which may spread widely on the Internet.
The most vicious point of the design of "AV Terminator" is that users cannot solve the problem even by reinstalling the operating system: after the system disk is formatted and the system reinstalled, it is easily infected again. The user only has to double-click another drive letter after formatting and the virus runs again. "AV Terminator" completely destroys the security defenses of the user's computer, leaving its security at almost zero. It also automatically connects to websites and downloads hundreds of Trojan viruses, including various data-stealing Trojans, advertising Trojans and risk programs. With the computer left with no resistance, these files pour in, and the user's online banking, online game and QQ account passwords and confidential documents are in extreme danger.
Transmission route
The main transmission route of "AV Terminator" is removable storage media such as USB flash drives. It spreads through the AutoPlay function of USB flash drives and portable hard disks, so users are advised to temporarily turn this function off on their computers. Users should pay close attention to how they use USB flash drives in the near future, and should not use them on suspicious computers, to avoid infecting their own machines.
Virus characteristics
The main features of this virus are: it disables all antivirus software and related security tools, leaving users' computers unprotected; it prevents users from entering safe mode to clean the virus; and it forcibly closes web pages containing the word "virus". As soon as the word "virus" is entered in a web page, the page is forcibly closed; even some security forums cannot be logged in to, so users cannot look for solutions online.
Virus symptoms
1. Generates many virus program files with random names of 8 digits or letters, and starts them automatically.
2. Hijacks security software. After infection, you will find that almost all antivirus software, system management tools and anti-spyware software cannot start normally. Even if the virus programs are deleted manually, these programs will still report errors the next time you start them.
3. Hidden files can no longer be displayed normally; the purpose is to keep the virus itself from being discovered.
4. Disables Windows automatic updates and the Windows Firewall, so that no prompt window pops up while the Trojan downloader is working. This opens the door for the virus's next stage of damage.
5. Breaks the system's safe mode, so that users cannot boot into safe mode for maintenance and repair.
6. When the currently active window contains keywords related to antivirus, security or community, the virus closes the window. If you try to search for virus-related keywords in a browser, the browser window closes automatically.
7. Generates autorun.inf and the corresponding virus program files on local hard disks, USB flash drives and portable hard disks, and spreads through the AutoPlay function. Note that many users format the system partition, reinstall, then open another disk and are immediately infected again, which leads them to think that formatting does not work against the virus.
8. The ultimate goal of the virus is to download more Trojan horses and backdoor programs. The end user's losses depend on those Trojans and backdoor programs.
Countermeasures
For viruses, good prevention is better than trying to remove them after infection, and once a computer is infected the removal process is quite complicated. For that reason, anti-virus experts from Jinshan, Jiangmin, Rising and other companies gave reporters the following preventive measures against the virus in interviews:
1. Take good care of your own removable storage such as USB flash drives, MP3 players and portable hard disks. When connecting someone else's USB flash drive to your computer, do not double-click to open it first; be sure to scan it for viruses first. It is suggested to use antivirus software with a USB flash drive protection function, such as the unique U disk shield technology of KV2007, which can immunize against USB flash drive viruses that run when the drive is double-clicked.
2. Install system patches, especially MS06-014 and MS07-17. At present, most web Trojans get into computers through these two vulnerabilities.
3. Update the virus database of your antivirus software promptly, and keep the antivirus software upgraded regularly.
4. Download software only from legitimate websites, to avoid installation packages that have been bundled with Trojans.
5. Turn off the AutoPlay function of Windows.
Virus solution
Method 1:
Because this virus attacks antivirus software, the antivirus software on an infected computer cannot start normally and does not respond to double-clicking, so the virus cannot be removed with antivirus software at this point. Removing it by hand is also quite difficult. Moreover, AV Terminator is a whole batch of viruses, so it cannot be removed manually just by following a single analysis report. The recommended cleaning steps are as follows:
1. On a computer with normal Internet access, go to /259.shtml and download the AV Terminator removal tool.
2. Disable AutoPlay on the clean computer so that it is not infected when a USB flash drive or portable hard disk is inserted. For how to disable it, see the attachment to this solution.
Copy the AV Terminator removal tool from the clean computer to a USB flash drive or portable hard disk, and then copy it to the infected computer.
3. Run the AV Terminator removal tool to remove the known viruses and repair the system configuration.
(Note: An important function of the AV Terminator removal tool is to repair the damaged system, including repairing image hijacking, repairing the damaged safe mode, restoring the normal display of hidden folders, and deleting the AutoPlay configuration of each disk partition.)
4. Do not restart the computer right away. Start the antivirus software, update the virus database and run a full scan to delete the other viruses downloaded by the Trojan downloader.
Method 2:
Go to Black League or Hacker Animation, download an AV generator, and after running (be careful not to click Generate), select "Uninstall Local Server".
Manual removal method
1. Download the IceSword tool from the Internet and rename it, for example to abc.exe, to get past the virus process's blocking of the tool. Then double-click to open IceSword and end the process of the EXE file with an 8-character name; sometimes there may be no such process.
2. Using the file management function of IceSword, browse to C:\Program Files\Common Files\Microsoft Shared\MSInfo\ and delete the two files with random 8-character names, one with the extension dat and one with the extension dll. Then go to the %windir%\help\ directory and delete the .hlp or .chm file with the same name, which has the icon of a system help file.
3. Then delete the Autorun.inf file and the suspicious file with an 8-character name in the root directory of each hard disk. Be careful not to double-click a hard disk partition to open it directly; browse with the tree directory on the left side of Windows Explorer instead. Sometimes hidden files cannot be viewed after the computer is infected. In that case, you can use the file management function of WinRAR to browse and delete the files.
4. Use the registry management function of IceSword to expand the registry to the key:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options], and delete the IFEO hijack entries in it.
After the above operations are completed, you can install or open antivirus software, update it to the latest virus database and thoroughly disinfect the computer. (The manual cleaning method was provided by anti-virus experts at Jiangmin.)
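The IFEO hijack entries in step 4 are subkeys named after a program; a Debugger value under such a subkey makes Windows start the listed command instead of that program. As an added example (not from the original article or from any vendor's tool), this Python script lists those entries from a text export of the key so they can be reviewed on a clean computer. The executable names and paths in the sample are constructed.

```python
import re
from collections import defaultdict

IFEO = "\\image file execution options\\"

# Constructed sample in `reg export` text form (not taken from a real machine).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avtool.exe]
"Debugger"="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\k7m2x9qa.dat"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe]
"Debugger"="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\k7m2x9qa.dat"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
"Debugger"="\"C:\\Tools\\procexp.exe\""
'''

def find_ifeo_debuggers(reg_text):
    """Map each executable named by an IFEO subkey to its Debugger command."""
    hits, current = {}, None
    for line in map(str.strip, reg_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            idx = key.lower().find(IFEO)
            current = key[idx + len(IFEO):] if idx != -1 else None
            continue
        m = re.match(r'"debugger"="(.*)"$', line, re.IGNORECASE)
        if m and current:
            # .reg text escapes backslashes and quotes with a backslash.
            hits[current] = re.sub(r"\\(.)", r"\1", m.group(1))
    return hits

def shared_targets(hits, minimum=2):
    """Debugger targets claimed by several executables: review these first."""
    groups = defaultdict(list)
    for exe, command in hits.items():
        groups[command.lower()].append(exe)
    return {cmd: sorted(exes) for cmd, exes in groups.items() if len(exes) >= minimum}

if __name__ == "__main__":
    hits = find_ifeo_debuggers(SAMPLE_EXPORT)
    for exe, command in sorted(hits.items()):
        print(f"{exe} -> {command}")
    print("shared:", shared_targets(hits))
```

A single Debugger entry can be legitimate (the constructed taskmgr.exe line models a replacement task manager), which is why the grouping step singles out one target that several unrelated programs point to.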
Virus analysis
1. Generated files
%ProgramFiles%\Common Files\Microsoft Shared\MSInfo\{random 8-character alphanumeric name}.dat
%ProgramFiles%\Common Files\Microsoft Shared\MSInfo\{random 8-character alphanumeric name}.dll
%windir%\{random 8-character letter+number name}.hlp
%windir%\Help\{random 8-character letter+number name}.chm
It may also generate the following files
%sys32dir%\{random letters}.exe
Replaces the file %sys32dir%\verclsid.exe
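The file list above and steps 2 and 3 of the manual removal method describe one random 8-character name reused across several folders, plus autorun.inf in drive roots. As an added example (not part of the original article), this Python script correlates a saved file listing against those locations. The listing, the stem k7m2x9qa and the default values for the Program Files and Windows folders are constructed assumptions.

```python
import ntpath
import re
from collections import defaultdict

STEM_RE = re.compile(r"[a-z0-9]{8}")  # the page: random 8-character letter+digit name

# Constructed listing, e.g. `dir /s /b /a` output saved from the suspect disk.
SAMPLE_LISTING = [
    r"C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.exe",
    r"C:\Program Files\Common Files\Microsoft Shared\MSInfo\k7m2x9qa.dat",
    r"C:\Program Files\Common Files\Microsoft Shared\MSInfo\k7m2x9qa.dll",
    r"C:\WINDOWS\Help\k7m2x9qa.chm",
    r"C:\WINDOWS\Help\ntbackup.chm",
    r"C:\autorun.inf",
    r"E:\autorun.inf",
    r"D:\backup\autorun.inf",
]

def correlate(listing, program_files=r"C:\Program Files", windir=r"C:\WINDOWS"):
    """Return (artifact sets keyed by shared stem, autorun.inf files in drive roots)."""
    msinfo = ntpath.join(program_files, "Common Files", "Microsoft Shared", "MSInfo")
    wanted = {(msinfo.lower(), ".dat"), (msinfo.lower(), ".dll"),
              (windir.lower(), ".hlp"),
              (ntpath.join(windir, "Help").lower(), ".chm")}
    by_stem, autoruns = defaultdict(list), []
    for path in listing:
        folder, name = ntpath.split(ntpath.normpath(path))
        stem, ext = ntpath.splitext(name.lower())
        if name.lower() == "autorun.inf" and re.fullmatch(r"[a-z]:\\", folder.lower()):
            autoruns.append(path)  # root autorun.inf: review it, not proof by itself
        elif (folder.lower(), ext) in wanted and STEM_RE.fullmatch(stem):
            by_stem[stem].append(path)
    # One 8-character name alone is weak evidence (ntbackup.chm fits the pattern);
    # the same stem in two or more of the listed locations is the signal.
    sets = {s: sorted(p) for s, p in by_stem.items() if len(p) >= 2}
    return sets, autoruns

if __name__ == "__main__":
    sets, autoruns = correlate(SAMPLE_LISTING)
    print("correlated artifact sets:", sets)
    print("root autorun.inf files:", autoruns)
```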