当前位置: 首页 > 图文教程 > 网络安全 > 安全基础 > 一次艰苦的病毒查杀过程

安全基础
U盘病毒预防的一个小技巧
微软漏洞补丁阻止防溢出者病毒
“网游盗号木马”将成为新毒王
IE浏览器RealPlayer的安全漏洞
网上购物 网络购物陷阱要预防
预先付费骗局让聪明人更容易相信
非法程序传播垃圾邮件的防范方法
汇款时收到只有卡号的短信
黑客入侵网站的常用方法
EXE可执行文件无法打开的解决方法
关于Gmail可能不知道的几个功能
微软官方提供的密码强度在线测试工具
网页代码中的“隐形杀手”分类
关闭无用服务保证Windows系统安全
网络信息安全与保密的6个技术目标
简单几招对付捆绑木马的技巧
让企业远离四处潜伏的众多安全威胁
有助于拨号上网用户预防黑客入侵的方法
工行专家建议的网上交易的安全性
网吧上网养成上网后清除个人信息的习惯

安全基础 中的 一次艰苦的病毒查杀过程


出处:互联网   整理: 软晨网(RuanChen.com)   发布: 2009-10-28   浏览: 44 ::
收藏到网摘: n/a

朋友今天中了一个病毒W32.Jeefo,病毒可以让文件空间变大,并且病毒的传染性很高,牵扯的面积也很广

有的朋友可能首先想到的是杀毒软件,比如瑞星,但是我们有一点没有考虑到,杀毒软件的功能是直接清除病毒或者
隔离,但是如果直接清除可能会损坏一些文件,而且朋友的个人服务器以及编写了1个月的程序都感染了该病毒,所以
更不能那样做。考虑的是能是先找下专杀,或者考虑找到病毒的资料然后去手动杀毒,有了这个思路以后我开始进行
杀毒措施了。

打开了瑞星官方网站www.ruising.com.cn寻找了下病毒库的资料,没有找到这个病毒的资料。郁闷啊,怎么连
瑞星的杀不了?别的杀毒软件我也没有去试。直接到了百度搜索,经过一些了解,知道了病毒的名字叫“杰
夫”杰夫病毒是个在内存下的病毒,如果运行了该病毒,会自身拷贝到windows根目录下并且命名为“svchost.
exe  %WinDir%\svchost.exe,然后在注册表中添一个键值
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]"PowerManager" = "%Windir%\svchost.exe"


每次重起这个病毒的副本都将随着运行,病毒查找受感染计算机的逻辑分区中以exe为扩展名的win32 PE可执行
文件,感染的文件大小增加36352个字节。
看到了病毒的介绍心里有了点认识,这个介绍是卡巴斯基发出来的,但是没有找到专杀工具,郁闷.
看来只能手工了,根据病毒的情况问了些人,在火狐技术论坛发了帖,林哥给了我些帮助工具
下载_blank>http://beta.activeupdate.trendmicro.com/fixtool/fixtool.zip
解決方案:

Running Trend Micro Fix Tool

To completely remove this virus, PE_JEEFO.A, download the fix tool supplied at our site.
_blank>http://beta.activeupdate.trendmicro.com/fixtool/fixtool.zip

Identifying the Malware Program

Scan your system with Trend Micro antivirus and NOTE all files detected as PE_JEEFO.A. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other email users can use HouseCall, Trend Micro's free online virus scanner.

Terminating the Malware Program

This procedure terminates the running malware process from memory. You will need the name(s) of the file(s) detected earlier.

Open Windows Task Manager.
On Windows 95/98/ME systems, press
CTRL+ALT+DELETE
On Windows NT/2000/XP systems, press
CTRL+SHIFT+ESC, then click the Processes tab.
In the list of running programs*, locate the malware file or files detected earlier.
Select one of the detected files, then press either the End Task or the End Process button, depending on the version of Windows on your system.
Do the same for all detected malware files in the list of running processes.
To check if the malware process has been terminated, close Task Manager, and then open it again.
Close Task Manager.
*NOTE: On systems running Windows 95/98/ME, Task Manager may not show certain processes. You may use a third party process viewer to terminate the malware process. Otherwise, continue with the next procedure, noting additional instructions.

Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the malware from executing during startup.

Open Registry Editor. To do this, click Start>Run, type REGEDIT, then press Enter.
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft>
Windows>CurrentVersion>RunServices
In the right panel, locate and delete the entry or entries:
PowerManager = ?Windows%/SVCHOST.EXE?
Note:%Windows% refers to the default Windows directory, which is usually C:\Windows or C:\WINNT.
Close Registry Editor.
NOTE: If you were not able to terminate the malware process from memory as described in the previous procedure, restart your system.
Disabling Malware Service

This stops the running malware service on systems running Windows NT, 2000, and XP.

Open a command prompt window. Click Start>Run, type CMD, and then press the Enter.
At the command prompt, type the following:
NET STOP