The virus creates the following files:
Code:
C:\windows\system32\1.inf
C:\windows\system32\chostbl.exe
C:\windows\system32\lovesbl.dll
It creates autorun.inf and sbl.exe in the root of each partition, and checks whether chostbl.exe carries the hidden attribute.
It registers a service named anhao_vip_cahw pointing to C:\windows\system32\chostbl.exe so that the file is started at boot.
Start type: automatic
Display name: A good download cahw
It calls TerminateProcess to kill the following processes:
Code:
360safe.exe
360tray.exe
Runiep.exe
Avp.exe
It calls GetWindowTextA to read the title of the current window and, if the title contains any of the following words, calls PostMessageA to send WM_CLOSE, WM_DESTROY and WM_QUIT to close the window:
Quote:
Kaka
Jiang min
Kingsoft
Task Manager
Mmaqando
Mu Ma Xing
Super patrol
NOD32 Core
Security
Security guard
Trojan killer
NOD32
Kernel
Od
Micropoints
It calls FindWindowA to locate the following windows and, when found, calls PostMessageA to send them WM_CLOSE:
Quote:
AVP.alertdialog
AVP.product_notification
AVP.product_noti
It uses cmd.exe to run "net stop sharedaccess", which stops the SharedAccess service that provides the Windows Firewall.
C:\windows\system32\lovesbl.dll is injected into the svchost.exe process.
The injected svchost.exe is then used to download Trojans:
Code:
Downloads http://218.61.18.*/hao.exe
http://218.61.18.*/wei.exe
http://218.61.18.*/haowei.exe
(IP address: Dalian, Liaoning, China Netcom)
to C:\Documents and Settings, saved as servciesa.exe through servciesc.exe, with a 200 ms interval between downloads.
During the test, the link http://218.61.18.*/haowei.exe (servciesc.exe) was no longer valid.
Servciesa.exe is an infected downloader.
It downloads http://rrr.*.cn/m1.exe through http://rrr.*.cn/m3.exe, but those download links are no longer valid either.
It infects the EXE files in the following folders:
Quote:
Windows
Winnt
Recycle
System volume information
Internet Explorer
Outlook Express
NetMeeting
Common files
Messenger
Windows Media Player
WinRAR
Msocache
Documents and Settings
Each infected file grows by 593 bytes of appended content; the file icon remains unchanged. Please kindly advise...
Servciesb.exe
Registers a service named windowsremote
Start type: automatic
Display name: Windows accounts driver
It downloads a Trojan, but the download link is no longer valid.
After all of the virus's actions have completed, the SREng log looks like this:
Service
Code:
[A good download cahw/anhao_vip_cahw] [running/auto start]
[Windows accounts driver/windowsremote] [stopped/auto start]
========================================
autorun.inf
[C:\]
[AutoRun]
open=sbl.exe
shellexecute=sbl.exe
shell\Auto\command=sbl.exe
shell=open
[D:\]
[AutoRun]
open=sbl.exe
shellexecute=sbl.exe
shell\Auto\command=sbl.exe
shell=open
...
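The autorun.inf entries in the SREng listing above are the same on every partition, so they are a convenient place to check for this infection before cleaning. The following script is an added example and is not part of the original post or of SREng: it parses a constructed autorun.inf with the same keys as the listing, collects every file the three launch entries (open=, shellexecute=, shell\&lt;verb&gt;\command=) would run, and flags the file names dropped by this virus.

```python
import configparser
import re
from pathlib import PureWindowsPath

# File names dropped by this virus, taken from the write-up above.
INDICATOR_FILES = {"sbl.exe", "chostbl.exe", "lovesbl.dll", "1.inf"}

# Constructed sample that mirrors the SREng listing; not a real capture.
SAMPLE_AUTORUN = """[AutoRun]
open=sbl.exe
shellexecute=sbl.exe
shell\\Auto\\command=sbl.exe
shell=open
"""


def parse_autorun(text):
    """Read the [AutoRun] section leniently: keys are case-insensitive,
    duplicate keys are tolerated, and ';' starts a comment."""
    cp = configparser.RawConfigParser(
        strict=False, delimiters=("=",), comment_prefixes=(";", "#"),
        allow_no_value=True)
    cp.optionxform = str.lower
    cp.read_string(text)
    section = next((s for s in cp.sections() if s.lower() == "autorun"), None)
    return dict(cp.items(section)) if section else {}


def launch_targets(entries):
    """Return the base names of every file an autorun.inf would launch
    through open=, shellexecute= or a custom shell\\<verb>\\command= entry."""
    targets = []
    for key, value in entries.items():
        is_launch = key in ("open", "shellexecute") or \
            re.fullmatch(r"shell\\[^\\]+\\command", key)
        if is_launch and value:
            # Keep only the executable, dropping quotes and any arguments.
            exe = value.strip().strip('"').split()[0]
            targets.append(PureWindowsPath(exe).name.lower())
    return targets


def autorun_verdict(text):
    """Summarise one autorun.inf: launched files, indicator matches,
    and whether a custom verb (the shell\\<verb>\\command trick) is present."""
    entries = parse_autorun(text)
    targets = launch_targets(entries)
    hits = sorted(set(t for t in targets if t in INDICATOR_FILES))
    custom_verbs = [k for k in entries if re.fullmatch(r"shell\\[^\\]+\\command", k)]
    return {"targets": targets, "indicator_hits": hits,
            "custom_verbs": custom_verbs,
            "suspicious": bool(hits) or bool(custom_verbs)}
```

Run `autorun_verdict(open(r"D:\autorun.inf").read())` against each drive root to get the same verdict for a live system; a clean disc-style autorun.inf with only icon= and label= entries is reported as not suspicious.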
Manual solution:
Download SREng, extract it, and run srengps.exe.
Go to "Startup Items" - "Services" - "Win32 Services", and click "Hide Microsoft-verified items".
Select the following items, click "Delete Service", click "Set", and then click "No" in the pop-up box:
Code:
A good download cahw/anhao_vip_cahw
Windows accounts driver/windowsremote
Restart the computer.
Double-click My Computer, then open Tools, Folder Options, View; select "Show hidden files and folders" and uncheck "Hide protected operating system files (Recommended)". Click Yes in the prompt, then OK.
Click the Folders button below the menu bar (the button to the right of Search).