A friend got infected today with the W32.Jeefo virus. The virus makes files grow in size, is highly infectious, and spreads across a wide area.
Some people might first think of antivirus software, such as Rising, but there is one thing we did not consider: antivirus software either deletes the virus outright or quarantines it, and deleting it outright may damage some files. My friend's personal server and a program he had spent a month writing were both infected with this virus, so that was even less of an option. What I considered was to first look for a dedicated removal tool, or to find information about the virus and then remove it by hand. With this idea in mind, I started the removal.
I opened the Rising official website www.ruising.com.cn and looked through the virus database, but found nothing on this virus. Frustrating; how can even Rising not kill it? I did not try any other antivirus products. I went straight to Baidu search, and after some reading I learned that the virus is called "Jeefo". Jeefo is a memory-resident virus. When it is run, it copies itself to the Windows root directory under the name "svchost.exe" (%WinDir%\svchost.exe), then adds a registry value:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices] "PowerManager"="%Windir%\svchost.exe"
On every reboot this copy of the virus runs along with the system. The virus searches the logical partitions of the infected computer for Win32 PE executables with the .exe extension; each infected file grows by 36352 bytes.
After reading the virus description I had some understanding of it. This description was published by Kaspersky, but I could not find a dedicated removal tool. Frustrating.
It looked like manual removal was the only option. Given the virus's situation I asked a few people and posted on the Firefox technical forum, and Brother Lin gave me some helper tools.
Download: http://beta.activeupdate.trendmicro.com/fixtool/fixtool.zip
Solution:
Running Trend Micro Fix Tool
To completely remove this virus, PE_JEEFO.A, download the fix tool supplied at our site.
http://beta.activeupdate.trendmicro.com/fixtool/fixtool.zip
Identifying the Malware Program
Scan your system with Trend Micro antivirus and NOTE all files detected as PE_JEEFO.A. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other email users can use HouseCall, Trend Micro's free online virus scanner.
Terminating the Malware Program
This procedure terminates the running malware process from memory. You will need the name(s) of the file(s) detected earlier.
Open Windows Task Manager.
On Windows 95/98/ME systems, press CTRL+ALT+DELETE.
On Windows NT/2000/XP systems, press CTRL+SHIFT+ESC, then click the Processes tab.
In the list of running programs*, locate the malware file or files detected earlier.
Select one of the detected files, then press either the End Task or the End Process button, depending on the version of Windows on your system.
Do the same for all detected malware files in the list of running processes.
To check if the malware process has been terminated, close Task Manager, and then open it again.
Close Task Manager.
*NOTE: On systems running Windows 95/98/ME, Task Manager may not show certain processes. You may use a third party process viewer to terminate the malware process. Otherwise, continue with the next procedure, noting additional instructions.
Removing Autostart Entries from the Registry
Removing autostart entries from the registry prevents the malware from executing during startup.
Open Registry Editor. To do this, click Start > Run, type REGEDIT, then press Enter.
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE > Software > Microsoft > Windows > CurrentVersion > RunServices
In the right panel, locate and delete the entry or entries:
PowerManager = "%Windows%\SVCHOST.EXE"
Note: %Windows% refers to the default Windows directory, which is usually C:\Windows or C:\WINNT.
Close Registry Editor.
NOTE: If you were not able to terminate the malware process from memory as described in the previous procedure, restart your system.
Disabling Malware Service
This stops the running malware service on systems running Windows NT, 2000, and XP.
Open a command prompt window. Click Start > Run, type CMD, and then press Enter.
At the command prompt, type the following:
NET STOP "PowerManager"
Press Enter. A message should indicate that the service has been stopped successfully.
Close the command prompt window.
Removing Malware Service Information
Open Registry Editor. To do this, click Start > Run, type REGEDIT, then press Enter.
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE > System > CurrentControlSet > Services
Still in the left panel, locate and delete the following key:
PowerManager
Close Registry Editor.
I read it for a long time, and since my English is limited I understood only some of it; here is my summary:
1: Disable System Restore
2: Reboot into VGA mode or Safe Mode
3: Run Norton's virus scanner and do a full-disk scan; if any virus is detected, delete it
4: Go into the registry and back up
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RUN
then delete the value on the right: "PowerManager"="%windir%\svchost.exe"
and reboot
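As an added example (not from the original post, and not Trend Micro's tool), here is a small Python triage helper for the two indicators the write-up describes: files that have grown by exactly 36352 bytes compared with a known-good backup, and the "PowerManager" autostart value in a registry export. The baseline sizes and the .reg text are constructed sample data; it checks both the RunServices key named in the description and the Run key named in the summary.

```python
import re
from typing import Dict, List, Tuple

# Infected Win32 PE files grow by exactly this many bytes (figure from the write-up).
JEEFO_GROWTH = 36352
# Autostart value the virus adds; the write-up names RunServices, its summary names Run.
AUTOSTART_NAME = "powermanager"
AUTOSTART_KEYS = (
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
)


def grown_by_jeefo(baseline: Dict[str, int], current: Dict[str, int]) -> List[str]:
    """Paths whose size grew by exactly JEEFO_GROWTH bytes against a known-good baseline."""
    return sorted(path for path, size in current.items()
                  if path in baseline and size - baseline[path] == JEEFO_GROWTH)


def find_autostart(reg_export: str) -> List[Tuple[str, str]]:
    """Scan a .reg export for the PowerManager autostart value; returns (key, value) pairs."""
    hits, key = [], None
    for line in reg_export.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]                      # new key section, e.g. [HKEY_LOCAL_MACHINE\...]
            continue
        m = re.match(r'"([^"]+)"="(.*)"$', line)  # REG_SZ values look like "Name"="data"
        if m and key and key.lower() in AUTOSTART_KEYS and m.group(1).lower() == AUTOSTART_NAME:
            hits.append((key, m.group(2).replace("\\\\", "\\")))  # .reg doubles backslashes
    return hits


# Constructed sample input: sizes of the same files from a backup and from the infected host.
BASELINE = {r"C:\srv\app\server.exe": 204800, r"C:\srv\app\tool.exe": 51200, r"C:\srv\app\readme.txt": 1024}
CURRENT = {r"C:\srv\app\server.exe": 204800 + JEEFO_GROWTH, r"C:\srv\app\tool.exe": 51200,
           r"C:\srv\app\readme.txt": 1024}
# Constructed sample .reg export (as written by "regedit /e") carrying the virus's autostart value.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"PowerManager"="%Windir%\\svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\Program Files\\Vendor\\update.exe"
"""

if __name__ == "__main__":
    print("files grown by Jeefo stub:", grown_by_jeefo(BASELINE, CURRENT))
    print("autostart entries:", find_autostart(SAMPLE_REG))
```

Only files that grew by exactly the stub size are flagged, so unchanged and non-PE files in the backup comparison stay out of the report.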
I forgot to mention one thing: once it is fixed, be sure to go and install the Win32 patch.
This virus took a lot of effort this time, because I am so used to Rising.
From this removal I think I need to learn more about the registry, because many viruses have to be removed from the registry. Antivirus software can kill viruses, but it may well cause some losses. It would be good to be able to remove them by hand.