Shualai.exe Virus and Manual killing method _ virus killing

This is a use of ANI to spread the Trojan Horse group, its "dynamic insertion process" function is caused by the difficulty of antivirus after the one of the reasons.

Another: After the recruit, the system partition of the. exe is all infected. This is also the problem after the poison.

"Symptoms" After the Recruit: Shualai.exe process is visible in the list of processes.

Suggestion: Use Sreng to keep the log, in order to understand the basic situation, easy to the back of the manual antivirus operation.


Manual killing process is as follows (with IceSword operation):

1, prohibit the process creation.

2, according to the Sreng log, the first end of the virus process shualai.exe and all the processes inserted by the virus module (virus inserted which process, depending on the program you were running.) Here's an example of how I ran the sample. ）


Code:
[pid:484] [C:\windows\Explorer.EXE] [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]

[C:\docume~1\baohelin\locals~1\temp\lgsy0.dll] [N/A, n/a]
[C:\docume~1\baohelin\locals~1\temp\msxo0.dll] [N/A, n/a]
[C:\docume~1\baohelin\locals~1\temp\fyzo0.dll] [N/A, n/a]
[C:\docume~1\baohelin\locals~1\temp\rav30.dll] [N/A, n/a]
[C:\docume~1\baohelin\locals~1\temp\gjzo0.dll] [N/A, n/a]
[C:\docume~1\baohelin\locals~1\temp\lgsy1.dll] [N/A, n/a]
[C:\windows\system32\cmdbcs.dll] [N/A, n/a]

[pid:2252] [C:\Program files\tiny Firewall Pro\amon.exe] [Computer Associates International, Inc., 6.5.3.2]

[C:\docume~1\baohelin\locals~1\temp\fyzo0.dll] [N/A, n/a]
[C:\docume~1\baohelin\locals~1\temp\msxo0.dll] [N/A, n/a]
[C:\docume~1\baohelin\locals~1\temp\lgsy0.dll] [N/A, n/a]
[C:\docume~1\baohelin\locals~1\temp\gjzo0.dll] [N/A, n/a]
[C:\docume~1\baohelin\locals~1\temp\rav30.dll] [N/A, n/a]
[C:\docume~1\baohelin\locals~1\temp\lgsy1.dll] [N/A, n/a]

[pid:3880] [C:\WINDOWS\system32\shadow\ShadowTip.exe] [Powershadow, 1, 0, 0, 1]

[C:\docume~1\baohelin\locals~1\temp\lgsy1.dll] [N/A, n/a]
[C:\docume~1\baohelin\locals~1\temp\gjzo0.dll] [N/A, n/a]
[C:\docume~1\baohelin\locals~1\temp\rav30.dll] [N/A, n/a]
[C:\docume~1\baohelin\locals~1\temp\fyzo0.dll] [N/A, n/a]
[C:\docume~1\baohelin\locals~1\temp\msxo0.dll] [N/A, n/a]
[C:\docume~1\baohelin\locals~1\temp\lgsy0.dll] [N/A, n/a]

[pid:2760] [C:\Program Files\sreng2\sreng.exe] [Smallfrogs Studio, 2.3.13.690]

[C:\docume~1\baohelin\locals~1\temp\lgsy1.dll] [N/A, n/a]
[C:\docume~1\baohelin\locals~1\temp\gjzo0.dll] [N/A, n/a]
[C:\docume~1\baohelin\locals~1\temp\rav30.dll] [N/A, n/a]
[C:\docume~1\baohelin\locals~1\temp\fyzo0.dll] [N/A, n/a]
[C:\docume~1\baohelin\locals~1\temp\msxo0.dll] [N/A, n/a]
[C:\docume~1\baohelin\locals~1\temp\lgsy0.dll] [N/A, n/a]

[pid:2548] [C:\windows\shualai.exe] [N/A, n/a]


3, delete the virus file, empty IE temporary folder.


4. Remove virus Startup Items


Consider a special case:

If someone put autoruns and other tools outside the system partition, at this time run Autoruns ———— trouble big!! After this poison is in the ————, all of the. exe outside the system partition is infected.

5, Cancel IceSword "Prohibit process creation".

6, repair the Hosts file.

Note: Those outside the system partition are infected with the virus. exe--is not expected to be hopeless.