Yesterday the jianmeng administrator opened the discussion with this thread: http://bbs.janmeng.com/thread-650905-1-1.html. I tried again; the instance runs the sample.
014.exe belongs to a Trojan family that has been widespread recently. After infection, the system contains a large number of virus files.
Once it is running, anti-virus software has a hard time cleaning it, because the group of virus DLLs is injected into core system processes and into every application process the user runs.
With a Sreng scan log and xdelbox together, deleting the virus files that appear in the log is not difficult. Clearing the virus completely is, for two reasons:
1. The Sreng log does not show every virus file. Figure 1 shows the virus files deleted with xdelbox based on the Sreng log plus a file search. (One msdeg32.dll was missed during that operation and was deleted manually after a restart.)
2. A large number of virus .exe programs remain in the IE browser cache folder (figure 2). Many users never clear the Temporary Internet Files folder, so even after xdelbox has deleted all the other virus files, the virus comes back the next time IE is used to browse the web, giving the impression that it can never be killed.
For virus files that do not appear in the Sreng log, you can find them by the naming rules these virus files follow. Once found, add them to the "list of files to be deleted" in xdelbox and delete them together with the virus files visible in the Sreng log.
So far the naming rules of these virus files are still: the virus files come in clusters; within each cluster the file names share the same first four letters; and the files of the various clusters are located in the %System% folder. That is: keystore, and the other is .dll, with the same path as avwgcen.dll (in %System%).
In addition, the current Temp folder may also contain virus files; delete those too when using xdelbox.
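As an added illustration of the naming rule above (this is example code, not the author's tool or any of the utilities named in the post), the helper below groups a folder listing by the first four letters of each file name and reports clusters that hold both an .exe and a .dll; a clean baseline listing can then be used to separate new files from ones that were already there. The threshold of four letters and the .exe/.dll pairing are taken from the post; the sample file names other than avwgcen.dll and msdeg32.dll are constructed, and the output is a review list, not a verdict, since legitimate Windows files can share a prefix too.

```python
"""Triage helper for the naming pattern described in the post (added example).
Assumption: a cluster is suspicious when several files share the same first four
letters AND the cluster holds both an .exe and a .dll. Output is a review list
to compare against a clean baseline, never a verdict."""
import os
from collections import defaultdict
from pathlib import Path

def cluster_by_prefix(names, prefix_len=4):
    """Group file names by the first `prefix_len` letters of the stem, case-insensitively."""
    clusters = defaultdict(list)
    for name in names:
        stem = Path(name).stem.lower()
        if len(stem) >= prefix_len:          # short stems cannot carry a 4-letter cluster tag
            clusters[stem[:prefix_len]].append(name)
    return dict(clusters)

def suspicious_clusters(names, prefix_len=4):
    """Clusters that contain at least one .exe and at least one .dll (members sorted)."""
    found = {}
    for prefix, members in cluster_by_prefix(names, prefix_len).items():
        if {".exe", ".dll"} <= {Path(m).suffix.lower() for m in members}:
            found[prefix] = sorted(members, key=str.lower)
    return found

def new_since_baseline(baseline_names, current_names):
    """Names present now but absent from a listing taken while the machine was clean."""
    known = {n.lower() for n in baseline_names}
    return sorted(n for n in current_names if n.lower() not in known)

def scan_directory(directory):
    """Run the cluster heuristic over the .exe/.dll files in one folder, e.g. %System%."""
    names = [p.name for p in Path(directory).iterdir()
             if p.is_file() and p.suffix.lower() in (".exe", ".dll")]
    return suspicious_clusters(names)

# Constructed sample listing: avwgcen.dll and msdeg32.dll are the names the post
# mentions; every other name is invented for this example.
SAMPLE_LISTING = ["avwgcen.dll", "avwgxyz.exe", "kernel32.dll", "notepad.exe",
                  "msdeg32.dll", "msdekrnl.exe", "calc.exe", "user32.dll"]
CLEAN_BASELINE = ["kernel32.dll", "notepad.exe", "calc.exe", "user32.dll"]

if __name__ == "__main__":
    for prefix, files in suspicious_clusters(SAMPLE_LISTING).items():
        print(f"cluster '{prefix}': {files}")
    print("not in baseline:", new_since_baseline(CLEAN_BASELINE, SAMPLE_LISTING))
    if os.name == "nt":                      # on Windows, also look at the real %System% folder
        print(scan_directory(Path(os.environ["SystemRoot"]) / "System32"))
```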
The registry entries added by this group of viruses will not be described in detail here; we have seen plenty of them in the help-seekers' Sreng logs these days. If you have a baseline autoruns log, you can easily find these entries by comparing against it and delete them one by one.
Besides deleting the virus's additions seen in the Sreng log, you must also delete the AU subkey under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\ in the registry.
This AU subkey is added by the virus; its value "NoAutoUpdate"=dword:00000001 disables automatic Windows Update.
Note: this post uses one sample of this virus type only as an example to illustrate the points to watch when removing this type of virus manually. Use it as a reference, but do not fix on the specific virus file names mentioned in the post. Do not overlook the .exe virus file in the root directory of non-system partitions.