Autorun.inf and Sbl.exe of the U disk Virus removal method _ virus killing

The virus generates the following files:

Code:
C:\WINDOWS\system32\1.inf
C:\WINDOWS\system32\chostbl.exe
C:\WINDOWS\system32\lovesbl.dll
Create Autorun.inf and Sbl.exe under each partition and constantly detect whether the Chostbl.exe properties are hidden
Registration service ANHAO_VIP_CAHW Point to C:\WINDOWS\system32\chostbl.exe, the purpose of boot up.

Startup type: Automatic
Display Name: A good DownLoad cahw

Call the TerminateProcess function to close the following process

Code:
360safe.exe
360tray.exe
Runiep.exe
Avp.exe


Call the Getwindowstexta function to get the current window caption and call the Postmessagea function to attempt to send a wm_close,wm_destroy,wm_quit command to close a window with the following words


Quote:
Kaka
Jiangmin
Jinshan
Task Manager
Trojan Sweeper
Mumak Star
Super Patrol
NOD32 Core
Safety
Security guards
Trojan Kill Guest
NOD32
Kernel
Od
Micro Point

Call the Findwindowa function to find the following window and attempt to call the Postmessagea function to send wm_close instructions to close the window

Quote:
Avp. Alertdialog
Avp. Product_notification
Avp. Product_noti


Call cmd.exe Execute net stop sharedaccess command to turn off Windows ' own Firewall service

C:\WINDOWS\system32\lovesbl.dll Insert Svchost.exe Process
Use Svchost.exe to perform download Trojan operation
　　
Code:
Download Http://218.61.18.*/hao.exe
Http://218.61.18.*/wei.exe
Http://218.61.18.*/haowei.exe

(IP address is Liaoning Dalian Netcom)

Under C:\Documents and settings and named Servciesa.exe~servciesc.exe respectively, download interval 200ms
　　

Http://218.61.18.*/haowei.exe (servciesc.exe) link is invalid in test

Servciesa.exe for an infected downloader
Download Http://rrr.*.cn/m1.exe~http://rrr.*.cn/m3.exe, but the download link has expired

Infection except for EXE files under the following folder
　　
Quote:
Windows
WINNT
Recycle
System Volume Information
Internet Explorer
Outlook Express
NetMeeting
Common Files
Messenger
Windows Media Player
WinRAR
MSOCache
Documents and Settings

The infected file is added to the 593-byte content chart unchanged infection way also have to ask a master to teach ...

Servciesb.exe
Registration Service Windowsremote
Startup type: Automatic
Display Name: Windows Accounts Driver
Also a trojan download but the download link is invalid

After the complete action of the virus, the Sreng log is as follows:
Service

Code:
[A good DownLoad CAHW/ANHAO_VIP_CAHW] [Running/auto Start]

[Windows Accounts Driver/windowsremote] [Stopped/auto Start]

==================================
Autorun.inf
[C:\]
[Autorun]
Open=sbl.exe
Shellexecute=sbl.exe
Shell\auto\command=sbl.exe
Shell=open
[D:\]
[Autorun]
Open=sbl.exe
Shellexecute=sbl.exe
Shell\auto\command=sbl.exe
Shell=open
...
　　


Manual Workaround:

Download Sreng to open decompression after running Srengps.exe


"Startup Project"-"services"-"Win32 Service Application" Midpoint "Hide Certified Microsoft Project",
Select the following items, click "Remove Service", click "Set", and click "No" in the pop-up box:

Code:
A Good DownLoad cahw/anhao_vip_cahw
Windows Accounts Driver/windowsremote


Restart the computer

Double click on my Computer, tools, Folder Options, view, click to select "Show hidden files or folders" and clear the "Hide protected operating system files (recommended)" Front of the hook. In the hint

When you determine the changes, click Yes and then determine
Click on the Folder button below the menu bar (search for the right button)