当前位置: 首页 > 图文教程 > 网络安全 > 安全基础 > 一次艰苦的病毒查杀过程

安全基础
实例讲解网站被入侵后需做的检测
网络安全基础 教你怎样关闭网络端口
反黑小技谋:IP地址的侦察和隐藏
网络管理员必读:无须重启的更改IP
网管必知 多角度详解网站安全保护方法
消除上网的恐惧:用网上隐身衣保护自己
无所遁形:快速查找对方IP经典技术汇
抵挡DoS远程连接让网络更安全
新手触网之安全工具
ADSL Modem防火墙的配置
妙用Spybot让间谍软件在你的电脑上无处遁形
电脑初级用户网络安全详尽全攻略
小方法:如何修改注册表清除黑客程序
与黑客过招:给自己的网络设防
推陈出新 防止IE浏览器主页被篡改又多一招
安全无忧:防范非法用户侵入系统的七招技巧
网管必备技巧—Windows日志的保护与伪造
木马和未授权远程控制软件的关闭
防范WinGate代理防火墙被攻击
谨防网络硕鼠 完全解析ADSL账号为何被盗

安全基础 中的 一次艰苦的病毒查杀过程


出处:互联网   整理: 软晨网(RuanChen.com)   发布: 2009-10-28   浏览: 54 ::
收藏到网摘: n/a

朋友今天中了一个病毒W32.Jeefo,病毒可以让文件空间变大,并且病毒的传染性很高,牵扯的面积也很广

有的朋友可能首先想到的是杀毒软件,比如瑞星,但是我们有一点没有考虑到,杀毒软件的功能是直接清除病毒或者
隔离,但是如果直接清除可能会损坏一些文件,而且朋友的个人服务器以及编写了1个月的程序都感染了该病毒,所以
更不能那样做。考虑的是能是先找下专杀,或者考虑找到病毒的资料然后去手动杀毒,有了这个思路以后我开始进行
杀毒措施了。

打开了瑞星官方网站www.ruising.com.cn寻找了下病毒库的资料,没有找到这个病毒的资料。郁闷啊,怎么连
瑞星的杀不了?别的杀毒软件我也没有去试。直接到了百度搜索,经过一些了解,知道了病毒的名字叫“杰
夫”杰夫病毒是个在内存下的病毒,如果运行了该病毒,会自身拷贝到windows根目录下并且命名为“svchost.
exe  %WinDir%\svchost.exe,然后在注册表中添一个键值
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]"PowerManager" = "%Windir%\svchost.exe"


每次重起这个病毒的副本都将随着运行,病毒查找受感染计算机的逻辑分区中以exe为扩展名的win32 PE可执行
文件,感染的文件大小增加36352个字节。
看到了病毒的介绍心里有了点认识,这个介绍是卡巴斯基发出来的,但是没有找到专杀工具,郁闷.
看来只能手工了,根据病毒的情况问了些人,在火狐技术论坛发了帖,林哥给了我些帮助工具
下载_blank>http://beta.activeupdate.trendmicro.com/fixtool/fixtool.zip
解決方案:

Running Trend Micro Fix Tool

To completely remove this virus, PE_JEEFO.A, download the fix tool supplied at our site.
_blank>http://beta.activeupdate.trendmicro.com/fixtool/fixtool.zip

Identifying the Malware Program

Scan your system with Trend Micro antivirus and NOTE all files detected as PE_JEEFO.A. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other email users can use HouseCall, Trend Micro's free online virus scanner.

Terminating the Malware Program

This procedure terminates the running malware process from memory. You will need the name(s) of the file(s) detected earlier.

Open Windows Task Manager.
On Windows 95/98/ME systems, press
CTRL+ALT+DELETE
On Windows NT/2000/XP systems, press
CTRL+SHIFT+ESC, then click the Processes tab.
In the list of running programs*, locate the malware file or files detected earlier.
Select one of the detected files, then press either the End Task or the End Process button, depending on the version of Windows on your system.
Do the same for all detected malware files in the list of running processes.
To check if the malware process has been terminated, close Task Manager, and then open it again.
Close Task Manager.
*NOTE: On systems running Windows 95/98/ME, Task Manager may not show certain processes. You may use a third party process viewer to terminate the malware process. Otherwise, continue with the next procedure, noting additional instructions.

Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the malware from executing during startup.

Open Registry Editor. To do this, click Start>Run, type REGEDIT, then press Enter.
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft>
Windows>CurrentVersion>RunServices
In the right panel, locate and delete the entry or entries:
PowerManager = ?Windows%/SVCHOST.EXE?
Note:%Windows% refers to the default Windows directory, which is usually C:\Windows or C:\WINNT.
Close Registry Editor.
NOTE: If you were not able to terminate the malware process from memory as described in the previous procedure, restart your system.
Disabling Malware Service

This stops the running malware service on systems running Windows NT, 2000, and XP.

Open a command prompt window. Click Start>Run, type CMD, and then press the Enter.
At the command prompt, type the following:
NET STOP