Correctly clear computer viruses to protect Windows System Security

Source: Internet
Author: User

I. Symptoms of infection. Signs such as the machine running slowly, being unable to access the Internet, antivirus software failing to run, Word documents failing to open, the computer failing to start, hard disk partitions not being found, and data loss all indicate that the machine may be infected.

II. Diagnosing an infection

1. Press Ctrl + Shift + Esc (all three keys at once) to open the Windows Task Manager and view the processes running on the system. Identify unfamiliar processes and write down their names (this takes experience: on a freshly installed, clean system, record all processes for later comparison). If these processes turn out to be viruses, they can easily be removed later. Do not end the processes yet, because some virus or illegitimate processes cannot be terminated from here. Click the Performance tab to view the current CPU and memory usage. If CPU usage is close to 100% or memory usage stays high, the probability that the computer is infected is 95%.

2. Check the services currently started in Windows. Open "Services" under "Administrative Tools" in "Control Panel". Look at the rows in the right pane whose "Startup Type" is "Automatic". Normal Windows services generally carry descriptive text (apart from a few whose names are spoofed by hackers or worms). Double-click any service you suspect and view the path and name of its executable file in its properties. If the name and path are something like C:\winnt\system32\explored.exe (note the altered spelling of the legitimate explorer.exe), the computer is infected. In one scenario the "Control Panel" cannot be opened, or all of its icons are crowded to the left with a vertical scroll bar in the middle and the right side blank; double-clicking Add/Remove Programs or Administrative Tools then opens an empty window. This is characteristic of winhlpp3. Record the services of a clean system beforehand for comparison.

3. Run the Registry Editor (regedit or regedt32) to check which programs start with Windows. Look mainly at HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run and the RunOnce key below it, examine the values in the right pane, and check for illegitimate startup entries. On Windows XP, running msconfig serves the same purpose. With experience you can readily pick out a virus's startup entries. Back up the startup entries of a clean system and compare against them later.

4. Use a browser to access the Internet. During the earlier Gaobot outbreak, infected machines could reach sites such as yahoo.com and sony.com but could not reach the websites of well-known security vendors such as www.symantec.com and www.ca.com, and installed antivirus software such as Symantec Norton 2004 could not be updated online.

5. Show hidden files and open the system folder winnt\system32 (winnt or windows, depending on the Windows version). If the folder appears empty, the computer is infected. Once system32 is open, sort the icons by type and check whether virus executables are present. While there, also check the subfolders Tasks, wins and drivers, since some virus executables are currently hidden in these locations. The hosts file in drivers\etc is a favourite target for tampering: it is originally about 700 bytes and grows to more than 1 KB after being tampered with. This is why ordinary websites can be reached while security vendors' websites cannot, and why well-known antivirus software cannot be updated.

6. Use antivirus software to determine whether the system is infected. If it is, the antivirus software is often terminated automatically by the virus program, and manual updates fail. If the security software is of the hacker-tool type, it will itself be reported as a virus; some packed (shelled) software also triggers this behaviour.

III. Virus removal

1. Delete the illegitimate programs that start with the system from the registry: search the whole registry for their key values and delete them. A virus program that starts as a system service hides under HKEY_LOCAL_MACHINE\System\ControlSet001\Services and ControlSet002\Services; remove those entries as well.

2. Stop the problematic service and change its startup type from Automatic to Disabled.

3. If the file system32\drivers\etc\hosts has been tampered with, restore it so that only the single valid row "127.0.0.1 localhost" remains and all other rows are deleted. Then set the hosts file to read-only.
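The hosts-file check from diagnosis step II.5 and the repair rule from step III.3 above, as an added Python example that is not code from the original article; the sample hosts text and the vendor list are constructed for illustration.

```python
"""Audit a Windows hosts file as in diagnosis step II.5 and produce the repaired
content from removal step III.3. Added example, not code from the original
article; the sample hosts text and the vendor list are constructed."""
import re

# Constructed sample of a tampered hosts file: the legitimate localhost row plus
# extra rows that send vendor and update sites to the loopback address.
TAMPERED_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1       www.symantec.com
127.0.0.1       www.ca.com
127.0.0.1       liveupdate.symantec.com   # constructed entry
127.0.0.1       windowsupdate.microsoft.com
"""
# Vendor domains the article names as unreachable after tampering.
SECURITY_VENDORS = ("symantec.com", "ca.com")
# The only row a clean file needs, per step III.3 (set the file read-only after writing).
RESTORED = "127.0.0.1\tlocalhost\n"
HOSTS_LINE = re.compile(r"^\s*(\S+)\s+(\S+)")

def parse_hosts(text):
    """Return (ip, hostname) pairs; blank lines and '#' comments are skipped."""
    entries = []
    for line in text.splitlines():
        m = HOSTS_LINE.match(line.split("#", 1)[0])
        if m:
            entries.append((m.group(1), m.group(2).lower()))
    return entries

def suspicious_entries(text):
    """Every mapping except '127.0.0.1 localhost'; the flag marks rows that
    redirect a known security vendor, the symptom described in step II.5."""
    findings = []
    for ip, host in parse_hosts(text):
        if ip == "127.0.0.1" and host == "localhost":
            continue
        vendor = any(host == v or host.endswith("." + v) for v in SECURITY_VENDORS)
        findings.append((ip, host, vendor))
    return findings

def audit(text):
    """Combine the size check (about 700 bytes clean, over 1 KB when tampered,
    per the article) with the entry check; either one marks the file tampered."""
    size = len(text.encode("utf-8"))
    findings = suspicious_entries(text)
    oversized = size > 1024
    return {"bytes": size, "oversized": oversized, "entries": findings,
            "tampered": oversized or bool(findings)}
```

Run `audit()` over the real file's contents; if it reports tampering, write `RESTORED` back and set the read-only attribute as step III.3 says.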

4. Restart the computer and press F8 to enter "Safe Mode with Networking". The purpose is to keep the virus program from starting while you patch Windows and update the antivirus software.

5. Search for the virus executables and delete them manually.

6. Install Windows patches and update the antivirus software.

7. Disable unnecessary system services, such as the Remote Registry service.

8. After completing step 4, run a full system scan with the antivirus software to catch anything that slipped through.

9. Restart the computer after completing the previous step.

10. Then go back into the system and use a cleanup tool to delete system junk files. Done!
