[{"data":1,"prerenderedAt":134},["ShallowReactive",2],{"content:\u002F2024\u002Fvirus-trueupdate":3,"surround:\u002F2024\u002Fvirus-trueupdate":122},{"id":4,"title":5,"body":6,"categories":91,"date":93,"description":94,"draft":95,"extension":96,"image":97,"meta":98,"navigation":99,"path":101,"permalink":102,"published":102,"readingTime":103,"recommend":102,"references":108,"seo":112,"sitemap":113,"stem":114,"tags":115,"type":119,"updated":120,"__hash__":121},"content\u002Fposts\u002F2024\u002Fvirus-trueupdate.md","病毒高占用CPU，三天杀俩",{"type":7,"value":8,"toc":81},"minimark",[9,14,18,21,24,27,30,33,36,39,47,50,57,60,63,66,69,72,75,78],[10,11,13],"h2",{"id":12},"随机进程名大量占用cpu","随机进程名大量占用CPU",[15,16,17],"p",{},"2024年2月26日，一名学弟找到了我，表示自己电脑里有进程大量占用CPU，程序名是由大小写字母、数字组成的随机内容。我询问这是否是自己编写的程序，学弟回答不是，所以判断这个程序有极大可能是病毒。",[15,19,20],{},"为了留存记录，我让学弟在任务管理器中右键打开程序所在的目录，拍照并关机。学弟回复打不开路径。",[15,22,23],{},"同时，不排除是勒索病毒正在加密文件，所以让学弟立马长按电源键强制断电，并且把笔记本带来实验室检查一下。",[10,25,26],{"id":26},"判断病毒类型",[15,28,29],{},"学弟带来笔记本以后，顺手就按下了开机键，我连忙打断施法，并且告诉他数据可能会被勒索病毒加密，要做好数据丢失的心理准备。",[15,31,32],{},"我在 PE 环境下想要检查文件，但是4个分区都被 BitLocker 加密了。学弟回想了一下电脑里最重要的文件，是电赛的一个文件夹，其他数据都无所谓。所以我在 PE 下把 BitLocker 解密后把这个文件夹打包，并且删除了文件扩展名，以此来降低潜在的勒索病毒加密它的概率。（需要说明的是，去掉扩展名只是权宜之计，并不可靠：并非所有勒索病毒都按扩展名挑选文件。稳妥的做法是在开机之前，先把副本拷贝到一块离线的移动存储介质上。）",[15,34,35],{},"随后正常开机，解锁了 BitLocker ，检查个人文件发现并没有被加密，基本排除了病毒属于勒索病毒的可能。",[10,37,38],{"id":38},"杀灭程序",[15,40,41,42,46],{},"进程名是随机字符，所以很有可能是经过复制后的结果。打开任务管理器的进程列表，在网上搜索可能的进程名，发现 ",[43,44,45],"code",{"code":45},"TrueUpdate Client"," 应该是病毒复制的源头。（参考文末链接：这是典型的“白加黑”手法——TrueUpdate Client 本身通常是一个带合法签名的正常程序，真正的恶意代码在它启动时加载的同目录 DLL 里，所以清理时要把整个目录连同旁边的 DLL 一起删掉，而不只是删可执行文件。）",[15,48,49],{},"这个程序存放在了公用用户的文件夹下，删掉。",[15,51,52,53,56],{},"再找找被复制的病毒，在 ",[43,54,55],{"code":55},"C:\\ProgramData\\"," 文件夹下复制了不少，删掉。（有些隐藏了，有些设置了权限不容易删除；遇到删不掉的，可以回到 PE 环境下删除，或者先取得文件所有权再删。）",[15,58,59],{},"计划任务里有不少病毒的自启动任务，删掉。（计划任务只是自启动位置之一，注册表 Run\u002FRunOnce 键、系统服务、启动文件夹、WMI 事件订阅等也应一并检查，否则重启后病毒可能会被重新拉起。）",[10,61,62],{"id":62},"寻找病毒来源",[15,64,65],{},"在得到学弟的同意之后，我检查了学弟的电脑，想要看看病毒的来源。",[15,67,68],{},"学弟的电脑非常干净，只有嵌入式开发相关的软件，连游戏都没有。",[15,70,71],{},"在调查了各种软件的安装时间和来源之后，我推测，问题可能起因于从含有病毒脚本的不可靠第三方网站下载 Keil 
软件时，不慎引入了恶意程序。还好没有发现病毒破坏文件的迹象，不然重要资料可能就危险了。（不过，没有发现文件被破坏并不等于没有损失：一个来源不明、能长期在后台运行并大量占用 CPU 的程序，已经意味着攻击者可以在这台机器上执行任意代码。事后最好把在这台电脑上登录过的重要账号密码也改一遍，并尽量从官方渠道重新获取开发软件。）",[10,73,74],{"id":74},"再见老朋友",[15,76,77],{},"两天后，我拖着疲惫的身躯回到宿舍时，已经临近熄灯时刻。舍友询问拯救者玩游戏帧数只有几十，我回答是游戏内设置问题，因为他会照着抖音里一些教程修改系统设置。但同时我注意到了电脑空载时，风扇仍然保持最大转速运行，再联想到前天的经历，我打开了他的任务管理器。",[15,79,80],{},"果然，又是一台中毒的电脑。",{"title":82,"searchDepth":83,"depth":83,"links":84},"",4,[85,87,88,89,90],{"id":12,"depth":86,"text":13},2,{"id":26,"depth":86,"text":26},{"id":38,"depth":86,"text":38},{"id":62,"depth":86,"text":62},{"id":74,"depth":86,"text":74},[92],"安全","2024-02-29 23:54:43","2024年2月两次处理同一病毒导致随机进程名高CPU占用问题，推测源自盗版软件，成功清理TrueUpdate Client引入的相关病毒脚本。",false,"md","https:\u002F\u002Fassets.zhilu.cyou\u002Fcover3\u002Fvirus-trueupdate.jpg",{"indent":99,"slots":100},true,{},"\u002F2024\u002Fvirus-trueupdate",null,{"text":104,"minutes":105,"time":106,"words":107},"4 min read",3.985,239100,797,[109],{"title":110,"link":111},"TrueUpdate白加黑木马分析保姆级教程","https:\u002F\u002Fwww.cnblogs.com\u002FVxerLee\u002Fp\u002F17736138.html",{"title":5,"description":94},{"loc":101},"posts\u002F2024\u002Fvirus-trueupdate",[116,117,118],"Windows","恶意软件","应急处理","tech","2024-03-02 00:09:56","mZ1_hzcmpToFgPVoD7NPZtT--e38myz3ZNeugRvQL9c",[123,129],{"title":124,"path":125,"stem":126,"date":127,"type":128,"children":-1},"运营商又想多收话费了","\u002F2024\u002Fcarrier-overbilling","posts\u002F2024\u002Fcarrier-overbilling","2024-02-23 18:32:25","story",{"title":130,"path":131,"stem":132,"date":133,"type":119,"children":-1},"系统引导配置分享","\u002F2024\u002Fboot-management","posts\u002F2024\u002Fboot-management","2024-03-01 14:06:19",1782091376293]