ms-windows

A couple of days ago my notebook got infected. On booting into Windows, a big logo appeared with "United Kingdom Police" written on it, next to an elderly police officer (the "officer" from here on). Below that was a simple list of the computer's specs, followed by a claim about what had supposedly been found on the computer. The notebook's camera was switched on as well, and a live image of yourself appeared at the bottom. It looks quite scary, as if you were under full surveillance.


I poked around a bit. The effect of this virus is quite special: it is very successful at intimidating you and at blocking you from operating the machine. Apart from pressing CTRL+ALT+DEL and choosing Shutdown, nothing can be done, and even after booting into Safe Mode the officer still shows up. I had intended to remove the virus via WinPE, but it failed to boot. I then tried "Safe Mode (Command Prompt)", and the officer finally stopped appearing.

At the prompt I first ran the Registry Editor and Services from the command line. A quick look showed nothing unusual, so I tried running explorer, and the officer appeared again. After repeated testing I found a way to stop the officer:

1. First run MMC and open the Services snap-in.
2. Run explorer; at this point the virus is activated.
3. Press CTRL+ALT+DEL and choose Restart.
4. The shutdown sequence first closes IE, which is the virus's web page, and then pauses because MMC asks whether you want to save the console. At this point you can ignore the save prompt and start doing what you need to do.

On inspection, the virus lives mainly inside All Users\Application Data: five .dat files plus one rundll32.exe. After moving those six files out, the officer no longer appeared, and what remained was cleaning up some leftover debris.


In my case, inside the user's Startup menu there was an msconfig startup shortcut using the Registry Editor icon; this was one of the virus's start-up links.


Another, more hidden one: run regedit and locate the following two registry keys:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\winmgmt\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\winmgmt\Parameters

On the right-hand side, find the string value ServiceDll. Its data had been changed to the path of one of the .dat files, which is what caused the virus to be loaded every time explorer ran. Restore it to "%SystemRoot%\system32\wbem\WMIsvc.dll".
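As an added example (not part of the original post), the following Python script checks whether the winmgmt ServiceDll data in each control set still resolves to the genuine WMI service DLL named above. The registry values in SAMPLE are constructed to mirror the post; on Windows, audit_live() reads the real keys with the standard winreg module.

```python
import ntpath
import os

EXPECTED_DLL = r"%SystemRoot%\system32\wbem\WMIsvc.dll"  # value the post restores
CONTROL_SETS = ("ControlSet001", "ControlSet002", "CurrentControlSet")

def expand(value, system_root=r"C:\Windows"):
    """Expand %SystemRoot% case-insensitively, as the service loader would."""
    idx = value.lower().find("%systemroot%")
    if idx == -1:
        return value
    return value[:idx] + system_root + value[idx + len("%systemroot%"):]

def is_hijacked(service_dll, system_root=r"C:\Windows"):
    """True when ServiceDll does not resolve to the genuine WMI service DLL."""
    if not service_dll:
        return True  # missing value: something other than wmisvc.dll is in play
    actual = ntpath.normpath(expand(service_dll, system_root)).lower()
    expected = ntpath.normpath(expand(EXPECTED_DLL, system_root)).lower()
    return actual != expected

def audit_values(values, system_root=r"C:\Windows"):
    """values maps control set -> ServiceDll data; returns only the hijacked ones."""
    return {cs: v for cs, v in values.items() if is_hijacked(v, system_root)}

# Constructed sample mirroring the post: ControlSet001 redirected to a .dat file.
SAMPLE = {
    "ControlSet001": r"C:\Documents and Settings\All Users\Application Data\abc.dat",
    "ControlSet002": r"%SystemRoot%\system32\wbem\WMIsvc.dll",
}

def audit_live():
    """Read the real keys with the standard winreg module (Windows only)."""
    import winreg
    found = {}
    for cs in CONTROL_SETS:
        path = "SYSTEM\\" + cs + "\\Services\\winmgmt\\Parameters"
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
                found[cs] = winreg.QueryValueEx(key, "ServiceDll")[0]
        except OSError:
            continue  # this control set does not exist on the machine
    return audit_values(found, os.environ.get("SystemRoot", r"C:\Windows"))

if __name__ == "__main__":
    hits = audit_live() if os.name == "nt" else audit_values(SAMPLE)
    for cs, dll in hits.items():
        print(f"{cs}: ServiceDll hijacked -> {dll}")
```

Any control set reported by the script should have its ServiceDll restored as described above, and the file it pointed to collected for analysis before removal.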


The virus has variants, so the situation each person encounters may differ. Several antivirus programs I tried failed to detect this one, so it should be a fairly new variant. I am providing my solution for your reference; I hope it helps.

6 Responses

  1. tix123 says:

     Ha, the officer is really something! Never seen such a vicious virus.

     Anson replies:
     Yeah, and I have been keeping an eye on the variants.
  2. In this says:

     This is really too vicious!! I caught this virus today... I was going to follow your method to clean it!

     The result... it would not let me into Safe Mode at all... I tried all three modes... could not get in at all...

     I can only give up! Looking forward to your solution for the new variant = =

     Anson replies:
     When I was cleaning mine, the methods I found online did not work either; it seems the variants change very fast.
  3. Anonymous says:

     Anson replies:
