USB flash drive virus Discovery.exe: analysis and removal method (Virus removal)

Source: Internet
Author: User
Tags: safe mode, Kaspersky, antivirus
This is the latest variant of the Niu.exe virus. New variants have been spreading more widely recently, so it deserves attention.


Quote:
File: Discovery.exe
Size: 74240 bytes
Modified: 2008-02-02 00:03:34
MD5: 2da55f2a36e852ee6fc96d34dd520979
SHA1: 44ce8f1c1a02591a88867f421c0c658b200d94c1
CRC32: e20e292d


1. After the virus runs, it drops the following copy of itself and the following files:

Quote:
%systemroot%\system32\discovery.exe

It also creates Autorun.inf and discovery.exe in the root directory of every partition so that it spreads via USB flash drives.

It checks every so often that these files still exist and immediately writes them back if they are missing.
2. It starts two hidden, empty-shell Svchost.exe processes, writes the virus code into their memory, and has the two processes monitor each other; Discovery.exe then exits.

3. It creates a registry entry

Quote:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\discoverr pointing to %systemroot%\system32\Discovery.exe

so that it starts itself at boot.

4. It deletes the following keys to break Safe Mode

Quote:
SYSTEM\ControlSet001\Control\SafeBoot\Minimal\
SYSTEM\ControlSet001\Control\SafeBoot\Network\
SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\


5. It disables the "Show hidden files" option

Quote:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL: the value of CheckedValue is changed to 0x00000000


6. It tries to terminate a large number of security software processes

Quote:
For example:
360rpt.exe
360Safe.exe
360tray.exe
Srengps.exe
Ravmond.exe
Rfwsrv.exe
Rfwmain.exe
....


7. It adds Image File Execution Options (IFEO) hijack entries for the following processes (including but not limited to)

Quote:
360rpt.exe
360Safe.exe
360tray.exe
Ackwin32.exe
Adam.exe
Advxdwin
AgentSvr.exe
Alertsvc.exe
Alogserv
Amon.exe
Amon9x
Anti-trojan.exe
AntiVir
ANTS
AppSvc32.exe
Apvxdwin.exe
Arvmon.exe
Atcon
Atupdater
Atwatch
Autodown.exe
AutoGuarder.exe
Autoruns.exe
Autotrace
Avconsol.exe
Ave32.exe
AVGCC32
Avgctrl.exe
Avgrssvc.exe
Avgserv
AVGSERV9
Avgw
Avkpop
Avkserv
Avkserv.exe
Avkservice
Avkwctl9
AvMonitor.exe
Avnt.exe
Avp.com
Avp.exe
Avp32.exe
Avpcc.exe
Avpdos32.exe
Avpm.exe
Avpmon.exe
Avpnt.exe
Avptc32.exe
Avpupd.exe
Avrep32.exe
Avsched32.exe
Avsynmgr.exe
Avwin95.exe
Avwinnt
Avwupd32.exe
Avxmonitor9x
Avxmonitornt
Avxquar
Avxw
Blackd.exe
Blackice.exe
BullGuard
Ccapp.exe
CCenter.exe
CcSvcHst.exe
Cfgwiz
Cfiadmin.exe
Cfiaudit.exe
Cfind.exe
Cfinet.exe
...
8. It finds the following windows and simulates button clicks to defeat Kaspersky Anti-Virus

Quote:
Active Defense Alert
Active Defense Warning
Active Defense Information


It then looks for the "Allow", "Apply to all" and "Skip" buttons in those windows and sends them WM_LBUTTONDOWN and WM_LBUTTONUP messages.

9. It starts iexplore.exe to download other trojans and viruses.
Before downloading, it reads the download list from Http://xxx.*.com/txt071219/208.txt and then fetches the malware listed in that file.

10. It also has functions to infect web page files (htm, html, asp, aspx, php, jsp and so on) and to lock the IE home page, but these were not observed during testing.

Removal procedure:


1. Extract the IceSword archive, rename IceSword.exe to 1.com and run it (renaming avoids the IFEO image hijack, which matches on the file name).
In the menu bar, open File > Settings, tick the option that prevents process/thread creation, and click OK.

Switch to the Process tab, find the Svchost.exe entries shown in red and end the two processes in turn.

Click the File button in the lower left corner
and go to the file list.
Delete the following file: %systemroot%\system32\discovery.exe
as well as the Discovery.exe and Autorun.inf in the root of each partition (be sure to do this).

2. Extract SREng, rename Srengps.exe to 2.com and run it.
Under Startup Items > Registry, delete the following item:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\discoverr]
<%systemroot%\system32\Discovery.exe> []

and delete all the IFEO items shown in red.

System Repair > Windows Shell/IE: select all and click the Repair button.
Advanced Repair > Repair Safe Mode.

3. Use anti-virus software or manual methods to remove the other downloaded viruses or trojans.
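To verify that none of the indicators described above remain after cleanup, here is an added read-only PowerShell triage script (not part of the original write-up); it assumes the key names and file paths exactly as listed in the analysis and must be run from an elevated prompt.

```powershell
# Added triage script, not from the original write-up: reports the persistence
# and tampering indicators described above. Read-only; run elevated.
$findings = @()

# Active Setup autostart entry (subkey name "discoverr" as given in the analysis)
$asKey = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\discoverr'
if (Test-Path $asKey) { $findings += "Active Setup entry present: $asKey" }

# Dropped copy in system32
$drop = Join-Path $env:SystemRoot 'system32\discovery.exe'
if (Test-Path $drop) { $findings += "Dropped file present: $drop" }

# Spreader files in the root of every fixed or removable drive
foreach ($d in Get-PSDrive -PSProvider FileSystem) {
    foreach ($n in 'autorun.inf', 'discovery.exe') {
        $p = Join-Path $d.Root $n
        if (Test-Path $p) { $findings += "Spreader file present: $p" }
    }
}

# SafeBoot keys the virus deletes; missing keys mean Safe Mode is broken
foreach ($sb in 'Minimal', 'Network') {
    $k = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$sb"
    if (-not (Test-Path $k)) { $findings += "SafeBoot key missing: $k" }
}

# "Show hidden files" forced off via CheckedValue = 0
$hk = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
$cv = (Get-ItemProperty -Path $hk -Name CheckedValue -ErrorAction SilentlyContinue).CheckedValue
if ($cv -eq 0) { $findings += 'Hidden\SHOWALL CheckedValue is 0 (hidden files cannot be shown)' }

# IFEO hijacks: any subkey carrying a Debugger value. Review each one; a few
# legitimate debugging setups use this value too, so it is not proof by itself.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
foreach ($sub in Get-ChildItem $ifeo -ErrorAction SilentlyContinue) {
    $dbg = (Get-ItemProperty -Path $sub.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ($dbg) { $findings += "IFEO Debugger set: $($sub.PSChildName) -> $dbg" }
}

if ($findings) { $findings | ForEach-Object { Write-Output "[!] $_" } }
else { Write-Output 'No indicators from this write-up found.' }
```

Any "[!]" line means the corresponding removal step above still needs to be repeated; the script changes nothing on its own.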
