"Editor's note: In the previous article we described how to locate the ARP-infected computer; here we introduce methods for removing the ARP virus from that computer."
6. How to remove the ARP virus from the infected computer
Using the method above, the ARP-poisoned computer has been found; the next step is removing the virus. One thing to note: when you find a poisoned computer, unplug its network cable immediately, so that it cannot keep sending packets that disrupt the whole network.
For the infected computer, first try anti-virus software. Because there are now so many virus variants, the anti-virus software may fail to detect it; in that case a manual removal method is needed, and some experience with it is described below.
Based on experience, the older type of ARP virus runs quite covertly: after infection the computer shows no obvious anomaly. The virus has no process of its own; it hides by injecting into the Explorer.exe process. Its registry startup entry is also unusual: it is loaded neither through the normal Run key value nor as a service, but through the AppInit_DLLs registry value. This is relatively covert, because on a normal system the AppInit_DLLs value is empty. Because of this feature, the Autoruns tool can quickly find the virus file body, as shown in Figure 9.
Figure 9 The Autoruns tool detects the body of a virus file
The red box in the picture above marks the ARP virus file body. Although the file extension is .log and it looks like a system log file, it is in fact a virus. Besides virus files in .log form, there are some with a .bmp extension; these are likewise not picture files but exe-format executables, and in the same directory there is a DLL file with the same name. These are all virus bodies:
%WinDir%\Kb*.log
or
%WinDir%\*.bmp
plus a .dll in %WinDir% with the same base name
How do you distinguish normal .log files and .bmp picture files from virus files? It is actually very simple: open the file in Notepad and check whether the file header carries the "MZ" tag. Figure 10 shows a virus file named "KB896475.log".
Figure 10 ARP virus file body
After locating these files, clear the related registry values, then reboot into Safe Mode and delete the files manually.
For the most recent new ARP virus, which modifies web request pages, the form of the virus file has changed and is simpler: by viewing the system processes and the startup entries under the registry's Run key, you can readily find the virus file. In addition, using the KV unknown-virus scanning program to detect it is also a good approach.
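The Notepad check above can be automated: the following script is an added example, not code from the original article. It applies the "MZ" test to every .log and .bmp file in a directory and goes one step further by following the DOS header's e_lfanew field to confirm a real "PE\0\0" signature, so an arbitrary file that merely begins with the letters MZ is not flagged. The sample contents are constructed for the test, not real malware.

```python
import struct
from pathlib import Path

# Extensions the article singles out as disguises for the virus body (assumption: only these).
SUSPECT_EXTENSIONS = {".log", ".bmp"}


def is_pe_image(data: bytes) -> bool:
    """True if data begins with a DOS 'MZ' stub whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of the PE header
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def disguised_names(samples: dict) -> list:
    """Given {filename: leading bytes}, return names with a .log/.bmp extension but PE content."""
    return sorted(
        name for name, head in samples.items()
        if Path(name).suffix.lower() in SUSPECT_EXTENSIONS and is_pe_image(head)
    )


def scan_directory(directory) -> list:
    """Read the first 4 KiB of each .log/.bmp file in `directory` and report PE images among them."""
    samples = {}
    for path in Path(directory).iterdir():
        if path.is_file() and path.suffix.lower() in SUSPECT_EXTENSIONS:
            with open(path, "rb") as fh:
                samples[path.name] = fh.read(4096)
    return disguised_names(samples)


# Constructed sample contents: a minimal MZ/PE header under a .log name, a genuine text log,
# a genuine bitmap header, and an MZ stub with no PE signature (must not be flagged).
CONSTRUCTED_SAMPLES = {
    "KB896475.log": b"MZ" + b"\0" * 0x3A + b"\x40\x00\x00\x00" + b"PE\0\0",
    "install.log": b"2024-01-01 12:00:00 setup started\r\n",
    "wallpaper.bmp": b"BM" + b"\0" * 62,
    "mz_only.bmp": b"MZ" + b"\0" * 70,
}

if __name__ == "__main__":
    import os
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else os.environ.get("WINDIR", ".")
    print(scan_directory(target))
```

Run it with the Windows directory as the argument to list disguised executables; any hit should then be cross-checked against the Autoruns and AppInit_DLLs findings before removal.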