当前位置: 首页 > 图文教程 > 网络安全 > 安全基础 > 一次艰苦的病毒查杀过程

安全基础
建立防火墙的主动性网络安全防护体系
家庭上网必学八招安全绝招
弹出网页或不定时弹出网页的解决办法
一个弹出窗口引发一场追踪
预防QQ被盗的两个小技巧
详解网络加密技术及应用
论常见的壳与加壳技术
了解下反垃圾邮件技术
常用的几种免杀方法及工具
确保数据中心虚拟化安全的10个步骤
Windows激活木马的解决办法
08企业安全,应用开发过程中建立信任
如何实现最基本的IT检查的10条建议
ARP掉线的快速解决方案
安全审核 用Nmap为网络查找安全漏洞
网络安全重心转向主动防御
从原理入手扼杀传播病毒的恶意网页
ntfs.dll病毒ntfs.dll木马清除
保护计算机远离黑客骚扰的策略
安全打开U盘目录的简单方法

安全基础 中的 一次艰苦的病毒查杀过程


出处:互联网   整理: 软晨网(RuanChen.com)   发布: 2009-10-28   浏览: 46 ::
收藏到网摘: n/a

朋友今天中了一个病毒W32.Jeefo,病毒可以让文件空间变大,并且病毒的传染性很高,牵扯的面积也很广

有的朋友可能首先想到的是杀毒软件,比如瑞星,但是我们有一点没有考虑到,杀毒软件的功能是直接清除病毒或者
隔离,但是如果直接清除可能会损坏一些文件,而且朋友的个人服务器以及编写了1个月的程序都感染了该病毒,所以
更不能那样做。考虑的是能是先找下专杀,或者考虑找到病毒的资料然后去手动杀毒,有了这个思路以后我开始进行
杀毒措施了。

打开了瑞星官方网站www.ruising.com.cn寻找了下病毒库的资料,没有找到这个病毒的资料。郁闷啊,怎么连
瑞星的杀不了?别的杀毒软件我也没有去试。直接到了百度搜索,经过一些了解,知道了病毒的名字叫“杰
夫”杰夫病毒是个在内存下的病毒,如果运行了该病毒,会自身拷贝到windows根目录下并且命名为“svchost.
exe  %WinDir%\svchost.exe,然后在注册表中添一个键值
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]"PowerManager" = "%Windir%\svchost.exe"


每次重起这个病毒的副本都将随着运行,病毒查找受感染计算机的逻辑分区中以exe为扩展名的win32 PE可执行
文件,感染的文件大小增加36352个字节。
看到了病毒的介绍心里有了点认识,这个介绍是卡巴斯基发出来的,但是没有找到专杀工具,郁闷.
看来只能手工了,根据病毒的情况问了些人,在火狐技术论坛发了帖,林哥给了我些帮助工具
下载_blank>http://beta.activeupdate.trendmicro.com/fixtool/fixtool.zip
解決方案:

Running Trend Micro Fix Tool

To completely remove this virus, PE_JEEFO.A, download the fix tool supplied at our site.
_blank>http://beta.activeupdate.trendmicro.com/fixtool/fixtool.zip

Identifying the Malware Program

Scan your system with Trend Micro antivirus and NOTE all files detected as PE_JEEFO.A. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other email users can use HouseCall, Trend Micro's free online virus scanner.

Terminating the Malware Program

This procedure terminates the running malware process from memory. You will need the name(s) of the file(s) detected earlier.

Open Windows Task Manager.
On Windows 95/98/ME systems, press
CTRL+ALT+DELETE
On Windows NT/2000/XP systems, press
CTRL+SHIFT+ESC, then click the Processes tab.
In the list of running programs*, locate the malware file or files detected earlier.
Select one of the detected files, then press either the End Task or the End Process button, depending on the version of Windows on your system.
Do the same for all detected malware files in the list of running processes.
To check if the malware process has been terminated, close Task Manager, and then open it again.
Close Task Manager.
*NOTE: On systems running Windows 95/98/ME, Task Manager may not show certain processes. You may use a third party process viewer to terminate the malware process. Otherwise, continue with the next procedure, noting additional instructions.

Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the malware from executing during startup.

Open Registry Editor. To do this, click Start>Run, type REGEDIT, then press Enter.
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft>
Windows>CurrentVersion>RunServices
In the right panel, locate and delete the entry or entries:
PowerManager = ?Windows%/SVCHOST.EXE?
Note:%Windows% refers to the default Windows directory, which is usually C:\Windows or C:\WINNT.
Close Registry Editor.
NOTE: If you were not able to terminate the malware process from memory as described in the previous procedure, restart your system.
Disabling Malware Service

This stops the running malware service on systems running Windows NT, 2000, and XP.

Open a command prompt window. Click Start>Run, type CMD, and then press the Enter.
At the command prompt, type the following:
NET STOP