A Tough Virus Scan and Removal Process

Source: Internet
Author: User

Double Heiji

My friend got the W32.Jeefo virus today. The virus increases the size of infected files, spreads very readily and affects a wide range of files.

Some may first think of anti-virus software, such as Rising, but consider that what anti-virus software does is directly clear or quarantine the virus, and directly clearing may damage some files. A friend's personal server and a program he had been writing for a month were infected, so I did not want to do that. It is better to first look for a dedicated removal tool, or to find information about the virus and then disinfect manually. With that idea, I started on the anti-virus measures.

I opened the Rising official website (www.ruising.com.cn; it should be http://www.rising.com.cn/) and searched the virus database for information about the virus, but found nothing. Depressing: why couldn't Rising kill it? I had not tried any other anti-virus software. I went to Baidu to search for the virus, and after some reading I learned that the virus is called Jeefo.
Jeefo is a memory-resident virus. When it runs, it copies itself to the Windows root directory under the name svchost.exe (%WinDir%\svchost.exe), and then adds a value to the Registry:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices] "PowerManager" = "%windir%\svchost.exe"


The copy of the virus runs each time the machine restarts. The virus searches the logical partitions of the infected computer for executable Win32 PE files with the .exe extension. The size of each infected file increases by 36352 bytes.
This description gave me some understanding of the virus. It came from Kaspersky, but I did not find a dedicated removal tool, which was depressing. It seemed I could only do it manually. I asked some people about the virus and posted on the Firefox Technology Forum, and Lin Ge gave me some help tools.
Download http://beta.activeupdate.trendmicro.com/fixtool/fixtool.zip
Solution:

Running Trend Micro Fix Tool

To completely remove this virus, PE_JEEFO.A, download the fix tool supplied at our site.
http://beta.activeupdate.trendmicro.com/fixtool/fixtool.zip

Identifying the Malware Program

Scan your system with Trend Micro antivirus and NOTE all files detected as PE_JEEFO.A. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other users can use HouseCall, Trend Micro's free online virus scanner.

Terminating the Malware Program

This procedure terminates the running malware process in memory. You will need the name(s) of the file(s) detected earlier.

Open Windows Task Manager.
On Windows 95/98/ME systems, press CTRL + ALT + DELETE.
On Windows NT/2000/XP systems, press CTRL + SHIFT + ESC, then click the Processes tab.
In the list of running programs*, locate the malware file or files detected earlier.
Select one of the detected files, then press either the End Task or the End Process button, depending on the version of Windows on your system.
Do the same for all detected malware files in the list of running processes.
To check whether the malware process has been terminated, close Task Manager, and then open it again.
Close Task Manager.
* NOTE: On systems running Windows 95/98/ME, Task Manager may not show certain processes. You may use a third-party process viewer to terminate the malware process. Otherwise, continue with the next procedure, noting the additional instructions.

Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the malware from executing during startup.

Open Registry Editor. To do this, click Start > Run, type REGEDIT, then press Enter.
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE > Software > Microsoft > Windows > CurrentVersion > RunServices
In the right panel, locate and delete the entry or entries:
PowerManager = "%Windows%\SVCHOST.EXE"
Note: %Windows% refers to the default Windows directory, which is usually C:\Windows or C:\WINNT.
Close Registry Editor.
NOTE: If you were not able to terminate the malware process in memory as described in the previous procedure, restart your system.
Disabling Malware Service

This stops the running malware service on systems running Windows NT, 2000, and XP.

Open a command prompt window. Click Start > Run, type CMD, and then press Enter.
At the command prompt, type the following:
net stop "PowerManager"
Press Enter. A message should indicate that the service has been stopped successfully.
Close the command prompt window.
Removing Malware Service Information

Open Registry Editor. To do this, click Start > Run, type REGEDIT, then press Enter.
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE > System > CurrentControlSet > Services
Still in the left panel, locate and delete the following key:
PowerManager
Close Registry Editor.
After reading this article for a long time, and given my limited English, I understood it and summarized it as follows.

1: Disable System Restore.

2: Restart into VGA mode or safe mode.

3: Run the Norton virus scanner and perform a full scan. If any virus is detected, delete it.

4: Go to the registry, back it up, and under

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RUN

find the value "PowerManager" = "%windir%\svchost.exe" on the right, delete it, and restart.

I forgot to mention: remember to apply the Win32 patch after this is completed.
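The persistence indicators the post describes (the dropped %WinDir%\svchost.exe, the RunServices "PowerManager" value and the PowerManager service key) can be checked for without anti-virus software. The script below is an added example, not part of the original post or any vendor tool; it runs over a constructed registry export and a constructed process list so it works offline.

```python
"""Audit a host for the W32.Jeefo persistence indicators described above.
Added example, not part of the original post. It reads a constructed .reg
export and a constructed list of process image paths, so it runs offline;
on a real host feed it `reg export HKLM` output and a process listing.
"""
# Indicators from the post: a copy of svchost.exe dropped in the Windows root
# (the genuine one lives in %WinDir%\System32), a "PowerManager" value under
# RunServices, and a "PowerManager" service key. Compared case-insensitively.
RUNSERVICES_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices"
SERVICE_KEY = r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PowerManager"
AUTOSTART_VALUE = "PowerManager"

# Constructed sample input mimicking an infected host (not real captured data).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"PowerManager"="C:\\WINDOWS\\svchost.exe"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PowerManager]
"ImagePath"="C:\\WINDOWS\\svchost.exe"
'''
SAMPLE_PROCESSES = [r"C:\WINDOWS\System32\svchost.exe", r"C:\WINDOWS\svchost.exe"]

def parse_reg_export(text):
    """Return {key_path_lower: {value_name: data}} from a .reg export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current and "=" in line:
            name, data = line.split("=", 1)
            # .reg files double every backslash inside string data
            keys[current][name.strip('"')] = data.strip('"').replace("\\\\", "\\")
    return keys

def find_jeefo_indicators(reg_text, process_paths, windir=r"C:\WINDOWS"):
    """Return human-readable findings; an empty list means no indicator seen."""
    findings, keys = [], parse_reg_export(reg_text)
    run = keys.get(RUNSERVICES_KEY.lower(), {})
    if AUTOSTART_VALUE in run:
        findings.append(f"RunServices autostart {AUTOSTART_VALUE} -> {run[AUTOSTART_VALUE]}")
    if SERVICE_KEY.lower() in keys:
        findings.append(f"service key present: {SERVICE_KEY}")
    for path in process_paths:  # genuine svchost.exe is under System32
        if path.lower() == (windir + r"\svchost.exe").lower():
            findings.append(f"svchost.exe running from Windows root: {path}")
    return findings
```

A clean host yields an empty list; each finding maps to one of the removal steps above (end the process, delete the RunServices value, delete the service key).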
This time it took a lot of effort to deal with this virus, because I was not used to it.
I want to learn more about the registry in the future, because many viruses have to be removed through the registry. Although anti-virus software can kill the virus, it may cause some losses; if the virus is removed manually, it will be fine.
