"I recently discovered a strange phenomenon. My system time keeps getting changed to 1980. After the change, the computer automatically changed it back. I asked a friend, who said that the motherboard battery was out of power. I bought a new battery and installed it, but that didn't fix it. Yesterday, I found that my QQ had been stolen," said a user, Mr. Zhang, helplessly.
Dai Guangjian, an anti-virus expert at Kingsoft Antivirus, said that many users have recently had experiences similar to Mr. Zhang's. The virus tampers with the system time; because it sets the date to 1980, many netizens call it the "1980 virus". The virus adjusts the system time in order to turn off the monitoring function of antivirus software, and then downloads Gray Pigeon in the background and runs it. The machine thus ends up infected with two viruses at once, 1980 and Gray Pigeon. Once a machine is infected with the Gray Pigeon virus, remote attackers can easily steal the user's QQ number.
It is understood that the 1980 virus has been circulating on the Internet for some time and has caused the system time on a large number of netizens' computers to be tampered with. Forums also contain many posts asking for help with it. However, because it is less destructive than viruses such as Panda Burning Incense, no complete solution has been available online, which has made removal difficult for users. Below is a detailed analysis report and solution for the 1980 virus from Kingsoft Antivirus experts. I hope it is helpful to users infected with the virus!
Virus behavior:
The virus is a downloader Trojan horse that resets the system time to April 23, 1980. When run, it downloads and executes the Gray Pigeon virus. Once the machine is infected with Gray Pigeon, your system will be remotely controlled.
1. Generates the file C:/ and sets its attribute to hidden.
2. Adds a system startup item so that the virus program runs automatically at every boot.
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
"sxs2" = "c:/"
3. Prevents hidden files from being shown, so that administrators cannot view hidden system files.
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
"checkedvalue" = "0x00000001"
4. Downloads and installs Gray Pigeon from the following path:
http://drsunbo..***/
5. Generates configuration files on the other partitions. Even if you give up and reinstall the system, the virus starts again the next time you double-click one of the other disks.
----------------------------------
[autorun]
open=
shellexecute=
shell\Auto\command=
---------------------------------
To remove the virus manually, first find its process in the process list and end it, then search the hard disk for the files and delete all of them once found. Then modify the registry as follows to restore the display of hidden files.
Run regedit to open the Registry Editor.
Browse to
HKEY_LOCAL_MACHINE\Software\Microsoft\windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHOWALL
Delete the CheckedValue value created by the virus, then right-click and choose New - DWORD Value, name it CheckedValue, and set its value data to 1 (hexadecimal). After clicking OK, refresh and exit the Registry Editor; you can then choose to show all hidden files and system files.
If you are not very familiar with the system, it is recommended that you install Kingsoft Antivirus 2007, update it, and then scan for and remove the virus. You can also log in and use the online antivirus service to solve the problem.
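The indicators in the report can be checked offline against artifacts collected from a suspect machine. The Python code below is an added example, not part of the Kingsoft report: it flags launch directives in a drive's [autorun] file and reads `reg query` output for the sxs2 Run value and for a CheckedValue that is not the DWORD 1 the cleanup steps restore. The function names, the sample data and the file name sample.exe are constructed for illustration.

```python
import re

# Keys that make Windows launch a program from a drive root; the report lists
# open=, shellexecute= and shell\Auto\command= (either slash form is accepted here).
LAUNCH_KEY = re.compile(r"(open|shellexecute|shell[\\/][^\\/=]+[\\/]command)$", re.I)
# One value line of `reg query` output: indented name, type, data.
REG_LINE = re.compile(r"^\s+(.+?)\s+(REG_[A-Z_]+)\s*(.*)$")

def autorun_launch_entries(text):
    """Return (key, target) pairs for launch directives in the [autorun] section."""
    entries, in_autorun = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
        elif in_autorun and "=" in line and not line.startswith(";"):
            key, target = (part.strip() for part in line.split("=", 1))
            if LAUNCH_KEY.match(key) and target:
                entries.append((key.lower(), target))
    return entries

def reg_values(query_output):
    """Parse `reg query` output into {lowercased value name: (type, data)}."""
    values = {}
    for line in query_output.splitlines():
        m = REG_LINE.match(line)
        if m:
            values[m.group(1).lower()] = (m.group(2), m.group(3).strip())
    return values

def registry_findings(run_output, showall_output):
    """Check the Run value and the SHOWALL CheckedValue named in the report."""
    findings = []
    run = reg_values(run_output)
    if "sxs2" in run:
        findings.append("Run value sxs2 -> " + run["sxs2"][1])
    kind, data = reg_values(showall_output).get("checkedvalue", (None, ""))
    # Assumption: anything other than DWORD 1 (the restored state) counts as tampered.
    if kind != "REG_DWORD" or int(data, 16) != 1:
        findings.append("CheckedValue is not DWORD 1: %s %s" % (kind, data))
    return findings

# Constructed sample data (not from the report); sample.exe is a placeholder name.
SAMPLE_INF = "[autorun]\nopen=sample.exe\nshellexecute=sample.exe\nshell/Auto/command=sample.exe\n"
SAMPLE_RUN = "    sxs2    REG_SZ    c:\\sample.exe\n"
SAMPLE_SHOWALL = "    CheckedValue    REG_SZ    0x00000001\n"

if __name__ == "__main__":
    print(autorun_launch_entries(SAMPLE_INF))
    print(registry_findings(SAMPLE_RUN, SAMPLE_SHOWALL))
```

Feed it the text of each drive root's autorun file and the output of `reg query` for the two keys named above; an empty result from both functions means none of these indicators is present.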