SoundMan.exe virus discovered: analysis and removal method

Source: Internet
Author: User
This virus starts itself by replacing a system service, and hides behind the familiar program name SoundMan.exe to mislead the user. It terminates antivirus software and downloads further malware.

The virus drops the following files:
%systemroot%\system32\ineters.exe
%systemroot%\system32\soundman.exe (a fake SoundMan.exe whose icon matches the genuine SoundMan.exe)
%systemroot%\system32\tthh3.ini

All of the dropped files carry a "Tomato Garden" digital signature.

Writes Auto.exe and Autorun.inf to any newly attached removable storage.

Calls cmd and uses the net stop command to stop several services:
Shared access
Kpfwsvc
Kwatchsvc
McShield
Norton AntiVirus Server

Terminates the following processes:
Shstat.exe
Runiep.exe
Ras.exe
MPG4C32.exe
Imsins.exe
Iparmor.exe
360safe.exe
360tray.exe
Kmailmon.exe
Kavstart.exe
Avp.exe
Ccenter.exe

Modifies HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue, setting it to 0x00000006 so that hidden files cannot be shown.

Deletes the following files (to remove older versions of the virus):
%systemroot%\system32\updeta.exe
%systemroot%\system32\ineters.exe
%systemroot%\system32\soundman.exe
%systemroot%\system32\ttzhh.ini
%systemroot%\system32\hz3.ini
%systemroot%\system32\hz2.ini
%systemroot%\system32\1035.ini
%systemroot%\system32\tthh.ini
%systemroot%\system32\tthh1.ini
%systemroot%\system32\tthh2.ini
%systemroot%\system32\alcwzrd.exe
%systemroot%\system32\notepd.exe

Activates the Guest account on the computer
and adds an account named "Microsoft".

Writes the following into %systemroot%\1.inf:
[Version]
Signature="$WINDOWS NT$"
[DefaultInstall.Services]
AddService=helpsvc,,my_addservice_name
[my_addservice_name]
DisplayName=Help and Support
Description=Enables Help and Support Center to run on this computer. If the service is stopped, Help and Support Center will not be available. If the service is disabled, any services that directly depend on it will fail to start.
ServiceType=0x10
StartType=2
ServiceBinary=%11%\ineters.exe
ErrorControl=0

and installs the service.
The image file of the original helpsvc (Help and Support Center) service is thereby replaced with the virus file %systemroot%\system32\ineters.exe.

Removes the startup entries of the following security software:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\360safetray
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kavstart
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kavpfw
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vptray
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kav
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\runeip
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ravtask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rfwmain

Adds image hijacking entries under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ for the following executables:
RavStub.exe
RavMON.exe
RfwMain.exe
Rfwsrv.exe
McAgent.exe
Mctskshd.exe
Mcupdmgr.exe
Rtvscan.exe
DefWatch.exe
CcSetMgr.exe
CcEvtMgr.exe
CcSetApp.exe
Nod32kui.exe
Nod32krn.exe
KWatch.exe
KPfwSvc.exe
KMaiMon.exe
KAVStart.exe
KVWSC.exe
Kvsrvxp.exe
PFW.exe

Connects to the network and downloads other viruses.
Download addresses:
Http://www.*.cn/tthh3/gx.jpg
Http://www.*.cn/tthh3/qq.jpg
Http://www.*.cn/tthh3/omin.jpg
Http://www.*.cn/tthh3/crt.jpg
Http://www.*.cn/tthh3/f1.jpg
Http://www.*.cn/tthh3/f2.jpg
Http://www.*.cn/tthh3/f3.jpg
(These are actually EXE files, although some of the links are no longer valid.)

Connects to http://www.webye163.cn/ip/ip.asp to obtain the IP address of the infected machine,
obtains the default gateway address with the route print command,
and writes both to C:\ip.txt.
This information may then be used for ARP spoofing and other operations ...

Several of the downloaded viruses are worms that scan port 135 on the nearby network segment.
(The behaviour of the downloaded viruses was not examined in detail.)

The SREng log taken after the download looks like this:
Startup Items
Registry
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
[1]
==================================
Services
[Help and Support / helpsvc] [Stopped / Auto Start]
<%WINDIR%\pchealth\helpctr\binaries\pchsvc.dll>

Additional files that may be added:
%systemroot%\system32\alcmtr.exe
%systemroot%\system32\alcwzrd.exe
%systemroot%\system32\qoq.exe

Removal steps:

First, clean up the virus files and the registry entries they create
1. Open SREng
Under Startup Items > Registry, delete the following entries:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
[1]

2. Open IceSword
Click the File button in the lower left corner
and delete the following files:
%systemroot%\system32\ineters.exe
%systemroot%\system32\soundman.exe
%systemroot%\system32\tthh3.ini
%systemroot%\system32\alcmtr.exe
%systemroot%\system32\alcwzrd.exe
%systemroot%\system32\qoq.exe

Second, repair the system
1. Copy the following text into Notepad and save it as 1.reg:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"RegPath"="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced"
"Text"="@shell32.dll,-30500"
"Type"="radio"
"CheckedValue"=dword:00000001
"ValueName"="Hidden"
"DefaultValue"=dword:00000002
"HKeyRoot"=dword:80000001
"HelpID"="shell.hlp#51105"



Double-click 1.reg to import this registry key.


2. Click Start > Run and type regedit
Expand HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\helpsvc
Double-click ImagePath and set its value data to
%SystemRoot%\System32\svchost.exe -k netsvcs
then click OK.
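To check a machine for the indicators described above, and to confirm the repair afterwards, the following read-only PowerShell script is added here as an example; it is not part of the original post. It goes slightly beyond the list in the analysis by reporting any Image File Execution Options entry that carries a Debugger value, not only the antivirus names given above, and it only reports, never deletes. The file names, registry paths and the expected helpsvc ImagePath are taken from the text; the script assumes an elevated session.

```powershell
# Added example (not from the original post): read-only checks for the indicators above.
$findings = @()

# 1. helpsvc should be hosted by svchost.exe, not %SystemRoot%\system32\ineters.exe.
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\helpsvc'
if (Test-Path $svcKey) {
    $imagePath = (Get-ItemProperty -Path $svcKey -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
    if ($imagePath -and $imagePath -notmatch '^%SystemRoot%\\System32\\svchost\.exe\s+-k\s+netsvcs$') {
        $findings += "helpsvc ImagePath is '$imagePath' (expected %SystemRoot%\System32\svchost.exe -k netsvcs)"
    }
}

# 2. Image hijacking: any IFEO subkey with a Debugger value redirects that program elsewhere.
#    Legitimate debugging tools use this too, so review each hit before removing it.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
if (Test-Path $ifeo) {
    foreach ($sub in Get-ChildItem -Path $ifeo) {
        $dbg = (Get-ItemProperty -Path $sub.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ($dbg) { $findings += "IFEO entry for $($sub.PSChildName) has Debugger = '$dbg'" }
    }
}

# 3. The SHOWALL CheckedValue should be 1 so the "Show hidden files" option works.
$showAll = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
$cv = (Get-ItemProperty -Path $showAll -Name CheckedValue -ErrorAction SilentlyContinue).CheckedValue
if ($cv -ne 1) { $findings += "SHOWALL CheckedValue is '$cv' (expected 1)" }

# 4. Dropped files in System32. A genuine SoundMan.exe lives in %SystemRoot%, not System32.
#    Report presence only; confirm the signature/hash of each hit before deleting it.
$sys32 = Join-Path $env:SystemRoot 'System32'
foreach ($name in 'ineters.exe','soundman.exe','tthh3.ini','alcmtr.exe','alcwzrd.exe','qoq.exe') {
    $p = Join-Path $sys32 $name
    if (Test-Path $p) { $findings += "File present: $p" }
}

if ($findings.Count -eq 0) { 'No indicators from the analysis were found.' } else { $findings }
```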

Note: SoundMan.exe is only a legitimate program when it is located in %systemroot% (that is, the windows or winnt directory). If it is found in the System32 folder, it is most likely the virus, so check carefully.
Genuine SoundMan.exe:

Fake SoundMan.exe: