Today we found the Virus.Win32.Alman virus and fought with it for an afternoon. Here is a rough description of the process, in the hope that it serves as a reference.
Kaspersky, Symantec and NOD32 all detect it. It can be cleared after repeated detection and removal, but the exe is completely lost and needs to be reinstalled. NOD can quarantine it, but the cleaning result is not ideal and the exe can no longer be used. Symantec is able to clean up the virus; I did not specifically test whether the exe can still be used normally.
Behaviour:
Creates linkinfo.dll in the Windows directory
Creates apphelps.dll in Windows\AppPatch
Creates riodrvs.sys in Windows\System32\drivers
Creates the riodrvs service
Inserts assumer.exe
Distinctive feature: this is also the virus's most distinctive trait, and the strangest thing I have ever seen. With many tools I could see only the apphelps.dll file; the other two files are invisible, and even the process is invisible, yet antivirus software will find them.
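As an added check that is not part of the original post: a PowerShell script that looks for the indicators listed above (the three dropped files and the riodrvs service) and compares what the driver-service list reports with what the registry holds, since something hidden from one view may still show up in another. The paths are the standard Windows locations the post names; the WMI class and registry key are the normal places Windows records driver services, nothing else is assumed.

```powershell
# Added example (not from the post): check for the Alman indicators it names.
# The post reports that linkinfo.dll and riodrvs.sys were hidden from file
# listings, so "not found" here is NOT proof of a clean system; a mismatch
# between the two service views below is itself a sign that something hides.

$win = $env:SystemRoot
$files = @(
    (Join-Path $win 'linkinfo.dll'),
    (Join-Path $win 'AppPatch\apphelps.dll'),
    (Join-Path $win 'System32\drivers\riodrvs.sys')
)

$findings = @()
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) {
        $item = Get-Item -LiteralPath $f -Force
        $findings += "file present: $f ($($item.Length) bytes, modified $($item.LastWriteTime))"
    }
}

# View 1: the driver-service list (Get-Service does not return kernel drivers,
# so query Win32_SystemDriver instead).
$drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='riodrvs'" -ErrorAction SilentlyContinue
# View 2: the registry key the service control manager reads at boot.
$regKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\riodrvs'
$reg = Get-ItemProperty -Path $regKey -ErrorAction SilentlyContinue

if ($drv) { $findings += "driver service visible: riodrvs (state $($drv.State), path $($drv.PathName))" }
if ($reg) { $findings += "service key in registry: $regKey (ImagePath $($reg.ImagePath))" }
if ([bool]$drv -xor [bool]$reg) {
    $findings += "WARNING: riodrvs appears in only one of the driver list / registry views; something may be hiding it"
}

if ($findings.Count -eq 0) {
    "No Alman indicators found in this view (hidden items may still exist; rescan from a clean boot)."
} else {
    $findings
}
```

Run it before and after the cleanup steps below, from an elevated prompt, and again after a restart: the post notes that the riodrvs service came back after being deleted once, so a second run is what shows whether the removal actually held.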
Related tools:
Wsyscheck
Sreng2
Pocket KillBox [Jianmeng recommends xdelbox, but unfortunately all the hard disks are in NTFS format, so it cannot be used]
ProcessExplorer
Jianmeng AlManFix
NOD32
Procedure (everything was done with the network disconnected):
1. In safe mode, use SREng to fix the entry errors and run Automatic Repair once;
Use KillBox to forcibly delete apphelps.dll and block its re-creation;
Delete the riodrvs service;
Install NOD32, restart into normal mode, scan and quarantine the infected exe;
Repair the infected exe with Jianmeng AlManFix.
This was the first attempt. After a while it proved ineffective: NOD flagged the originally infected exe again.
2. On a second look, apphelps.dll was no longer being created, so KillBox had taken effect;
Used Wsyscheck to end all red processes, examined the modules of the winlogon, explorer and svchost processes, and finally found linkinfo and riodrvs.sys; created a safe environment and deleted them;
The previously deleted riodrvs service had been restored, so deleted it again;
Restarted into normal mode, scanned again with NOD, and used the tool to repair the exe.
This time the result was ideal and no more prompts appeared. However, the exe repair tool seems to target Virus.Win32.Alman.a; it basically does nothing for my .b variant, and the infected exes still cannot be repaired. For now they can only be reinstalled. Fortunately only a few exe files were infected, which is not a problem.
3. While handling this, I also observed the cleaning process with Kaspersky 7.0. It scanned the driver three times to completely clear the virus, but all the infected files were gone.