Yesterday a virus broke out on several machines because their users were not experts. It took a long time to clean them up, and along the way I felt it was worth writing down for discussion.
The first step is discovering the virus. Two symptoms appeared yesterday.
I. Broadcast (ARP) packets surged on the LAN, even to the point of blocking the gateway.
II. The machines' CPU resources were exhausted.
In Task Manager, the suspicious processes mongoed.exe and services.exe occupied nearly 100% of the CPU. (It was later learned that the virus was started through a service.) The process could not be stopped. The registry key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
contained an entry for it, and even after that entry was deleted the situation was unchanged after a restart. The file existed in the Windows System32 directory and was not found on uninfected computers, so we could basically confirm that the process was a virus.
Next came scanning and removal. Two problems arose in this process. First, Rising could not update: the virus was flooding the gateway, so TCP streams could not pass normally.
We tried and found that we could use a firewall (such as Skynet) to isolate the virus program and then connect to the network for the update. Second, Rising's scan was slow (the NIC had been disabled before scanning). This was because the virus process occupied too much CPU and could not be terminated; you can use Task Manager to raise the priority of the Rising process (for example to real-time) so that Rising takes CPU resources away from the virus and runs normally.
Even so, Rising only detected the pseudosvchost.exe worm, and the virus executable itself still remained.
With no other choice, we used a very crude method to delete the resident virus executable: boot into Safe Mode and delete the file directly under the Windows System32 directory. While there, the Run entry in the registry was deleted as well.
After the restart, the system reported a service error. Checking "Services" under Administrative Tools finally revealed the virus's true face: the services list contained an entry displayed as "Windows login". Its properties showed the service name "flat" and the executable path "C:\winnt\system32\explored.exe -services".
This explains why the process could not be killed and why deleting the startup entry in the registry was useless. In other words, you should stop the service in the Services console instead of trying to end it in Task Manager.
Finally, a summary of the lessons from this virus cleanup. The virus attack above showed warning signs, namely a saturated CPU and saturated network bandwidth (visible in the network connection status: if no process is running in the background, a surge in packets received/sent on the network interface may be caused by a virus on this machine or on another machine on the connected network). Because of this we need to stay vigilant and check for viruses quickly when something abnormal appears.
It is best to use virus detection software, because Task Manager can be deceived. Nowadays virus names are often similar to, or even the same as, those of system programs, for example received, smsss (smss is the real system program) and SVCHOST. It is best to know the real system program directories: for example, the legitimate svchost.exe should be under System32, while the virus may hide under System32\drivers.
A virus can start itself in many ways: the registry, INI files, or even, like the one described here, by starting through a service.
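As an added example (not code from the original post), the following PowerShell audit script applies the two checks above to a Windows host: it lists services and Run-key entries whose executable carries a system-program name outside System32, or whose name is one character away from a real system program (explored.exe versus explorer.exe, smsss.exe versus smss.exe). The list of legitimate names and the trusted directories are assumptions chosen for illustration, not an exhaustive whitelist.

```powershell
# Added example: audit services and Run keys for look-alike or misplaced system binaries.
# $systemNames and $trustedDirs are assumed lists for this demonstration.
$systemNames = @('explorer.exe','svchost.exe','smss.exe','services.exe','lsass.exe','winlogon.exe','csrss.exe')
$trustedDirs = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")

function Get-EditDistance([string]$a, [string]$b) {
    # Levenshtein distance: spots one-character look-alikes such as explored.exe vs explorer.exe
    $d = New-Object 'int[,]' ($a.Length + 1), ($b.Length + 1)
    for ($i = 0; $i -le $a.Length; $i++) { $d[$i, 0] = $i }
    for ($j = 0; $j -le $b.Length; $j++) { $d[0, $j] = $j }
    for ($i = 1; $i -le $a.Length; $i++) {
        for ($j = 1; $j -le $b.Length; $j++) {
            $cost = if ($a[$i - 1] -eq $b[$j - 1]) { 0 } else { 1 }
            $d[$i, $j] = [Math]::Min([Math]::Min($d[$i - 1, $j] + 1, $d[$i, $j - 1] + 1), $d[$i - 1, $j - 1] + $cost)
        }
    }
    return $d[$a.Length, $b.Length]
}

function Get-ExePath([string]$commandLine) {
    # A service PathName may be quoted and may carry arguments, e.g. "...\explored.exe -services"
    if ($commandLine -match '^"([^"]+)"') { return $Matches[1] }
    return ($commandLine -split '\s+')[0]
}

function Test-Suspicious([string]$exePath) {
    $name = [IO.Path]::GetFileName($exePath).ToLower()
    $dir  = [IO.Path]::GetDirectoryName($exePath)
    $reasons = @()
    # Check 1: a genuine system name living outside the trusted directories (svchost.exe under System32\drivers)
    if ($systemNames -contains $name -and -not ($trustedDirs | Where-Object { $dir -like "$_*" })) {
        $reasons += "system binary name outside System32: $dir"
    }
    # Check 2: a name exactly one edit away from a real system program (distance 0 is the real program)
    foreach ($s in $systemNames) {
        if ((Get-EditDistance $name $s) -eq 1) { $reasons += "look-alike of $s" }
    }
    return $reasons
}

# Services: the persistence mechanism the post finally found (stop via the Services console, not Task Manager)
Get-CimInstance Win32_Service | ForEach-Object {
    $why = Test-Suspicious (Get-ExePath $_.PathName)
    if ($why) { [pscustomobject]@{ Source = 'Service'; Name = $_.Name; Display = $_.DisplayName; Path = $_.PathName; Why = ($why -join '; ') } }
}
# Run keys: the first place the post looked
foreach ($hive in 'HKLM', 'HKCU') {
    $key = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
    if (-not (Test-Path $key)) { continue }
    (Get-ItemProperty $key).PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } | ForEach-Object {
        $why = Test-Suspicious (Get-ExePath $_.Value)
        if ($why) { [pscustomobject]@{ Source = 'Run'; Name = $_.Name; Display = ''; Path = $_.Value; Why = ($why -join '; ') } }
    }
}
```

Run it in an elevated PowerShell session; each flagged row carries the reason, and a flagged service should be stopped and disabled from the Services console before the file is removed, as the post describes.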
We recommend taking effective protective measures against viruses: patches, antivirus software, and a firewall!