Removing the "explored" virus that exhausts CPU resources

Source: Internet
Author: User
Tags: safe mode

First, discovering the virus. Two symptoms appeared yesterday: a flood of broadcast (ARP) packets on the local area network, heavy enough to choke the gateway, and a machine whose CPU was exhausted. In Task Manager the suspicious processes explored.exe and services.exe were each taking close to 100% of the CPU (we learned later that this is because the virus was started as a service). The process could not be ended, and a startup entry for it existed under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run in the registry; even after that entry was deleted, it was back after a reboot. The file sits in the Windows System32 directory, while an uninfected machine has no such file, which is how we confirmed that the process was a virus.

Then, killing the virus. Two problems came up. First, Rising (the antivirus) could not update, because the virus itself had saturated the network egress and TCP traffic could no longer flow normally. We found that it was possible to isolate the virus program with a firewall such as Skynet, then connect to the network and run the update. Second, Rising's scan was extremely slow (the network card had already been disabled), because the explored process hogged the CPU so aggressively. Since the process could not be killed, we used Task Manager to raise the priority of the Rising process (for example to Realtime) so that it could win CPU time back from the virus and run normally. Even so, Rising only removed a worm disguised as svchost.exe; explored was still there.

With no better option we deleted explored the crude way: boot into Safe Mode and delete the file directly from the Windows System32 directory, and while at it delete the startup entry in the registry. After the reboot a service error was reported, and only when we looked at "Services" under Administrative Tools did the true face of the virus appear: the list contained an entry displayed as "Windowslogin", whose properties showed the service name "MpR" and the executable path "C:\winnt\system32\explored.exe -services". This explains why the process could not be stopped and why deleting the startup entry in the registry was useless. In other words, stop (and disable) the service in the Services console first, instead of trying to end the process in Task Manager; once the service no longer restarts it, the file and the registry entry can be removed.

Finally, a short summary of what this virus removal taught us. An attack like this has clear signs: the CPU is pegged at 100% and the network bandwidth is saturated (visible in the network connection status; if no process should be running in the background yet the interface's sent/received packet counts are exploding, the machine is probably infected, or another machine on the network is). Stay alert day to day and scan as soon as something looks abnormal. It is best to rely on antivirus software, because Task Manager is sometimes fooled: today's virus names are often similar or even identical to those of system programs, for example EXPLORED (cf. explorer), SMSSS (smss.exe is the real system program), svchost and so on. It is also best to know the directory where the genuine system program lives: the real svchost.exe should be under System32, while a virus may hide under System32\drivers. And a virus can be started in many ways: from the registry, from an INI file, and even, as with explored, as a service.
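The two lessons above (look for a service whose image path launches the suspect before touching the file or Run key, and distrust process names that merely resemble system binaries) can be turned into a triage script. The following is an added example, not code from the original post, and it assumes a modern Windows host with PowerShell 5.1 or later run from an elevated prompt; the machine in the post ran from a winnt directory and would not have had these cmdlets. The image name "explored" is taken from the post; the list of genuine system names, the edit-distance threshold and the registry keys checked are my own choices for the check, and the remediation commands at the end are left commented out so the script is read-only by default.

```powershell
# Added example, not from the original post. Assumes Windows with PowerShell 5.1+,
# run elevated. 'explored' is the image name the post describes; everything else
# (look-alike table, threshold, keys checked) is an assumption of this example.
param([string]$SuspectName = 'explored')

$system32 = Join-Path $env:SystemRoot 'System32'
# Genuine system images that live in System32. A running name one edit away from
# one of these, or one of these names running from elsewhere, deserves a look.
$knownSystem = 'explorer', 'smss', 'svchost', 'services', 'csrss', 'lsass', 'winlogon'

function Get-EditDistance([string]$a, [string]$b) {
    # Plain Levenshtein distance, case-insensitive. Inputs are short process names.
    $a = $a.ToLowerInvariant(); $b = $b.ToLowerInvariant()
    $d = New-Object 'int[,]' ($a.Length + 1), ($b.Length + 1)
    for ($i = 0; $i -le $a.Length; $i++) { $d[$i, 0] = $i }
    for ($j = 0; $j -le $b.Length; $j++) { $d[0, $j] = $j }
    for ($i = 1; $i -le $a.Length; $i++) {
        for ($j = 1; $j -le $b.Length; $j++) {
            $cost = if ($a[$i - 1] -eq $b[$j - 1]) { 0 } else { 1 }
            $d[$i, $j] = [Math]::Min([Math]::Min($d[$i - 1, $j] + 1, $d[$i, $j - 1] + 1),
                                     $d[$i - 1, $j - 1] + $cost)
        }
    }
    return $d[$a.Length, $b.Length]
}

# 1. Processes whose name mimics a system binary (explored vs explorer, smsss vs
#    smss) or whose name is a system name but whose image is not under System32.
Write-Host "== Look-alike or misplaced system process names =="
Get-Process | Where-Object { $_.Path } | ForEach-Object {
    $name = $_.ProcessName.ToLowerInvariant()
    $inSystem32 = $_.Path.StartsWith($system32, [StringComparison]::OrdinalIgnoreCase)
    $near = $knownSystem | Where-Object { $_ -ne $name -and (Get-EditDistance $name $_) -le 1 }
    $note = $null
    if ($near) { $note = "resembles $($near -join ', ')" }
    elseif (($knownSystem -contains $name) -and -not $inSystem32) { $note = 'system name outside System32' }
    if ($note) {
        [pscustomobject]@{ Pid = $_.Id; Name = $_.ProcessName; Path = $_.Path; Note = $note }
    }
} | Format-Table -AutoSize

# 2. The lesson of the post: the service whose image path starts the suspect.
#    This is what keeps the process alive and makes deleting a Run entry useless.
Write-Host "== Services whose image path references $SuspectName =="
$services = Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -match [regex]::Escape($SuspectName) }
$services | Select-Object Name, DisplayName, State, StartMode, PathName | Format-Table -AutoSize

# 3. Autostart values in the Run keys that reference the suspect.
Write-Host "== Run-key values referencing $SuspectName =="
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' -and "$($_.Value)" -match [regex]::Escape($SuspectName) } |
        ForEach-Object { [pscustomobject]@{ Key = $key; Name = $_.Name; Value = $_.Value } }
}

# 4. Remediation in the order that actually works: stop and disable the service,
#    then end the process, and only then remove the file and the Run values.
#    Commented out on purpose; run these deliberately after reviewing the output.
# foreach ($s in $services) {
#     Stop-Service -Name $s.Name -Force -ErrorAction SilentlyContinue
#     Set-Service  -Name $s.Name -StartupType Disabled
#     sc.exe delete $s.Name        # drop the service registration itself
# }
# Stop-Process -Name $SuspectName -Force
```

Run it as `.\triage.ps1` (or `.\triage.ps1 -SuspectName smsss` for another name). The edit-distance check is deliberately loose: a threshold of 1 catches explored/explorer and smsss/smss but will also flag harmless near-misses, so treat its output as a list of things to look at, not as a verdict. The service query is the decisive step, because a process started by the Service Control Manager is restarted by it, which is exactly why ending it in Task Manager and deleting the Run entry both failed in the post.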

Rather than removing one infection after another, it is better to put the protective measures in place up front: patches, antivirus and a firewall. None of the three can be skipped!
