当前位置: 首页 > 图文教程 > 网络安全 > 安全基础 > 一次艰苦的病毒查杀过程

安全基础
利用Windows XP组策略加强机密数据安全
了解CPU,关于CPU的基础知识
WinToFlash制作Windows XP安装U盘
Windows 7视频时比较卡删除MMCSS解决
数据恢复:硬盘开盘更换磁头处理
网上邻居里的电脑双击出现密码输入提示
服务器系统默认启用的授权模式造成共享访问故障
Spoolsv.exe木马清除的方法
使用Dropbox免费空间的6个小技巧
163、126信箱POP3和SMTP重新开通
故障实例:USB设备无正确驱动签名
隐藏局域网中联网的计算机又能上网的设置方法
网上偷菜外挂含盗号病毒偷盗游戏账号
在QQ空间中放入土豆网Flash视频
重装系统后防止病毒入侵的5个系统设置技巧
Windows Update系统更新组件
人人桌面帮你在人人网农场游戏快速增长经验值
网络交换机限速 防止BT下载速度过快
Win7下连接无线网络资源管理器挂掉问题
在SNS里利用Flash脚本过滤不严进行挂马

安全基础 中的 一次艰苦的病毒查杀过程


出处:互联网   整理: 软晨网(RuanChen.com)   发布: 2009-10-28   浏览: 43 ::
收藏到网摘: n/a

朋友今天中了一个病毒W32.Jeefo,病毒可以让文件空间变大,并且病毒的传染性很高,牵扯的面积也很广

有的朋友可能首先想到的是杀毒软件,比如瑞星,但是我们有一点没有考虑到,杀毒软件的功能是直接清除病毒或者
隔离,但是如果直接清除可能会损坏一些文件,而且朋友的个人服务器以及编写了1个月的程序都感染了该病毒,所以
更不能那样做。考虑的是能是先找下专杀,或者考虑找到病毒的资料然后去手动杀毒,有了这个思路以后我开始进行
杀毒措施了。

打开了瑞星官方网站www.ruising.com.cn寻找了下病毒库的资料,没有找到这个病毒的资料。郁闷啊,怎么连
瑞星的杀不了?别的杀毒软件我也没有去试。直接到了百度搜索,经过一些了解,知道了病毒的名字叫“杰
夫”杰夫病毒是个在内存下的病毒,如果运行了该病毒,会自身拷贝到windows根目录下并且命名为“svchost.
exe  %WinDir%\svchost.exe,然后在注册表中添一个键值
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]"PowerManager" = "%Windir%\svchost.exe"


每次重起这个病毒的副本都将随着运行,病毒查找受感染计算机的逻辑分区中以exe为扩展名的win32 PE可执行
文件,感染的文件大小增加36352个字节。
看到了病毒的介绍心里有了点认识,这个介绍是卡巴斯基发出来的,但是没有找到专杀工具,郁闷.
看来只能手工了,根据病毒的情况问了些人,在火狐技术论坛发了帖,林哥给了我些帮助工具
下载_blank>http://beta.activeupdate.trendmicro.com/fixtool/fixtool.zip
解決方案:

Running Trend Micro Fix Tool

To completely remove this virus, PE_JEEFO.A, download the fix tool supplied at our site.
_blank>http://beta.activeupdate.trendmicro.com/fixtool/fixtool.zip

Identifying the Malware Program

Scan your system with Trend Micro antivirus and NOTE all files detected as PE_JEEFO.A. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other email users can use HouseCall, Trend Micro's free online virus scanner.

Terminating the Malware Program

This procedure terminates the running malware process from memory. You will need the name(s) of the file(s) detected earlier.

Open Windows Task Manager.
On Windows 95/98/ME systems, press
CTRL+ALT+DELETE
On Windows NT/2000/XP systems, press
CTRL+SHIFT+ESC, then click the Processes tab.
In the list of running programs*, locate the malware file or files detected earlier.
Select one of the detected files, then press either the End Task or the End Process button, depending on the version of Windows on your system.
Do the same for all detected malware files in the list of running processes.
To check if the malware process has been terminated, close Task Manager, and then open it again.
Close Task Manager.
*NOTE: On systems running Windows 95/98/ME, Task Manager may not show certain processes. You may use a third party process viewer to terminate the malware process. Otherwise, continue with the next procedure, noting additional instructions.

Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the malware from executing during startup.

Open Registry Editor. To do this, click Start>Run, type REGEDIT, then press Enter.
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft>
Windows>CurrentVersion>RunServices
In the right panel, locate and delete the entry or entries:
PowerManager = ?Windows%/SVCHOST.EXE?
Note:%Windows% refers to the default Windows directory, which is usually C:\Windows or C:\WINNT.
Close Registry Editor.
NOTE: If you were not able to terminate the malware process from memory as described in the previous procedure, restart your system.
Disabling Malware Service

This stops the running malware service on systems running Windows NT, 2000, and XP.

Open a command prompt window. Click Start>Run, type CMD, and then press the Enter.
At the command prompt, type the following:
NET STOP