Backdoor.Ranky: what kind of virus is it???

Source: Baidu Wenku   Editor: Campus Q&A   Time: 2024/05/06 05:37:58
How do I remove it?

Finally got rid of the backdoor.ranky virus

This virus had me going around in circles for two days.

Symptoms:
The CB server's CPU usage sat at 100% for a long time. Looking at the process list, there was one obviously suspicious process, 1.tmp, but it could not be terminated.
Restarted the server; less than a day later it was acting up again, this time with a 323323.tmp process.

Using Kingsoft's IE repair tool to look at the startup items, I found a malicious startup entry, "Services" = , which is clearly a trojan. Deleted it and rebooted.

But by this morning another xxxx.tmp had appeared, and "services" was back in the startup items.

After a long search online I finally found a fix: http://securityresponse.symantec.com/avcenter/venc/data/backdoor.ranky.html

And it was on Norton's site of all places. Ugh.

When Backdoor.Ranky runs, it does the following:

Opens port 53201.

Adds the value:

"Services" =

to the registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

so that the Trojan runs when you start Windows.

3. Restarting the computer in Safe mode or VGA mode
Shut down the computer and turn off the power. Wait for at least 30 seconds, and then restart the computer in Safe mode or VGA mode.

For Windows 95, 98, Me, 2000, or XP users, restart the computer in Safe mode. For instructions, read the document, "How to start the computer in Safe Mode."
For Windows NT 4 users, restart the computer in VGA mode.

4. Scanning for and deleting the infected files

Start your Symantec antivirus program and make sure that it is configured to scan all the files.
For Norton AntiVirus consumer products: Read the document, "How to configure Norton AntiVirus to scan all files."
For Symantec AntiVirus Enterprise products: Read the document, "How to verify that a Symantec Corporate antivirus product is set to scan all files."
Run a full system scan.
If any files are detected as infected with Backdoor.Ranky, click Delete.
Delete the files, "mspalu" and "palu.blf," from the %System% directory if you find them. These files are not harmful by themselves, and thus, Symantec antivirus products do not detect them.

5. Reversing the changes made to the registry

CAUTION: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read the document, "How to make a backup of the Windows registry," for instructions.

Click Start, and then click Run. (The Run dialog box appears.)
Type regedit

Then click OK. (The Registry Editor opens.)

Navigate to the key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

In the right pane, delete any value that looks like:

"Services" =

Exit the Registry Editor.
See what I mean? It's basically all filler; two lines would do:

Reboot, go into Safe Mode, and run Norton on the winnt\system32 directory: it cleaned out 11 .tmp virus files.
Kill the "Services" = entry in the startup items.
Back to normal after the reboot.

Summary:

1. Once you have a trojan, Norton quite possibly can't kill it (the process can't be terminated); killing it from Safe Mode should work fine.

2. A stubborn trojan will always find a way to auto-load, so there is bound to be something fishy in the startup items.

3. Kingsoft's IE repair tool is very handy; it can be downloaded from d.xfcrc.com


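As an added example (not part of the original post or of Symantec's write-up), the following PowerShell script checks a Windows host for the Backdoor.Ranky indicators described above: the "Services" value under the HKLM Run key, .tmp files and the dropped mspalu / palu.blf files in the %System% directory, processes running from a .tmp image, and a listener on TCP port 53201. It only reports; it assumes a modern Windows with Get-NetTCPConnection available (Windows 8 / Server 2012 or later) and deletes nothing.

```powershell
# Added example, not from the original post: read-only check for the
# Backdoor.Ranky indicators the post and the Symantec description mention.
$findings = @()

# 1. Run key value named "Services" (the post saw it with empty data)
$runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and ($run.PSObject.Properties.Name -contains 'Services')) {
    $findings += "Run value 'Services' present, data: '$($run.Services)'"
}

# 2. *.tmp files and the dropped helper files in %System% (e.g. C:\Windows\System32)
$sysDir = [Environment]::SystemDirectory
Get-ChildItem -Path $sysDir -Filter '*.tmp' -File -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += "Suspicious file: $($_.FullName) ($($_.Length) bytes)" }
foreach ($name in 'mspalu', 'palu.blf') {
    $p = Join-Path $sysDir $name
    if (Test-Path -Path $p) { $findings += "Dropped file present: $p" }
}

# 3. Processes whose image is a .tmp file (the post saw 1.tmp, 323323.tmp)
Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and ($_.Path -like '*.tmp') } |
    ForEach-Object { $findings += "Process from .tmp image: PID $($_.Id) $($_.Path)" }

# 4. Listener on the backdoor port 53201
$listener = Get-NetTCPConnection -LocalPort 53201 -State Listen -ErrorAction SilentlyContinue
if ($listener) {
    $findings += "TCP 53201 listening, owning PID(s): $($listener.OwningProcess -join ',')"
}

if ($findings.Count -eq 0) {
    Write-Output 'No Backdoor.Ranky indicators found.'
} else {
    Write-Output 'Possible Backdoor.Ranky indicators:'
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

Run it from an elevated PowerShell; if the .tmp process cannot be stopped, the post's advice still applies: boot to Safe Mode before scanning and removing the Run value.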