手动删除方法
MANUAL REMOVAL INSTRUCTIONS
Terminating the Malware Program
This procedure terminates the running malware process.
Open Windows Task Manager.
・On Windows NT, 2000, and XP, press
CTRL+SHIFT+ESC, then click the Processes tab.
In the list of running programs*, locate the process:
WINJAVA.EXE
Select the malware process, then press either the End Task or the End Process button, depending on the version of Windows on your system.
To check if the malware process has been terminated, close Task Manager, and then open it again.
Close Task Manager.
Removing Autostart Entries from the Registry
Removing autostart entries from the registry prevents the malware from executing at startup.
Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft>
Windows>CurrentVersion>Run
In the right panel, locate and delete the entry:
NeroUpdater6.8 = "winjava.exe"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft>
Windows>CurrentVersion>RunServices
In the right panel, locate and delete the entry:
NeroUpdater6.8 = "winjava.exe"
Close Registry Editor.
NOTE:If you were not able to terminate the malware process as described in the previous procedure, restart your system.
Restoring the Windows HOSTS File
Deleting entries in the HOSTS files prevents the redirection of antivirus Web sites to the local machine.
Open the following file using your default text editor:
%System%\Drivers\etc\Hosts
(Note: %System% is the Windows system directory, which is usually C:\WINNT\System32 or C:\Windows\System32.)
Locate and delete the following lines:
127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 www.trendmicro.com
Save the HOSTS file and close the text editor.
Additional Windows XP Cleaning Instructions
Users running Windows XP must
disable System Restore
to allow full scanning of infected systems.
Users running other Windows versions can proceed with the succeeding procedure set(s).
Running Trend Micro Antivirus
Scan your system with Trend Micro antivirus and delete files detected as WORM_AGOBOT.AMK . To do this, Trend Micro customers must download the
latest pattern file
and scan their system. Other Internet users can use HouseCall, Trend Micro's
online virus scanner
.
Applying Patches
This malware exploits known vulnerabilities in Windows. Download and install the fix patch supplied by Microsoft in the following pages:
Microsoft Security Bulletin MS03-026
Refrain from using the affected software until the appropriate patch has been installed.