Manual virus and Trojan removal with wsyscheck

Source: Internet
Author: User
Tags: ssdt
Using wsyscheck for manual virus and Trojan removal. What is image hijacking?

In some cases, after a machine is infected, most anti-virus software can no longer be started, because the virus uses "image hijacking" in the registry. Put simply, if the program a.exe has been hijacked by virus B.exe in the registry, then what actually starts when a.exe is launched is B.exe. Viruses and Trojans typically hijack the common security programs, so it is not only anti-virus software that stops working: Sreng (a powerful Trojan-removal tool with strong logging), IceSword (the well-known "ice blade"), regedit and msconfig also cannot be run normally.

The registry path involved in image hijacking is [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]. Normally:

There is only one subkey, named "Your Image File Name Here without a path", and it holds a single value named "Debugger". This is the prototype of image hijacking: Microsoft built this key for system debugging, and the ntsd debugger is its typical use.

Note: When a process cannot be killed from Task Manager, the ntsd command can kill it. Usage: ntsd -c q -p pid, where pid is the process ID. This command is very powerful; only System, smss.exe and csrss.exe cannot be killed this way (most anti-virus processes can be, which is what we want). The first two are pure kernel mode, and the last is the Win32 subsystem, which ntsd itself needs.

Next, a test. Under the Image File Execution Options key, next to "Your Image File Name Here without a path", create a subkey named after the program to be run, for example demo.exe. Then, in the right-hand pane, create a new value named Debugger of type string, whose data is the program that will actually run (this corresponds to the virus program running in the background). Here we use "D:\Program Files\editplus\editplus.exe" for the test.

Now the demo.exe image is hijacked by editplus, which is exactly how a virus hijacks anti-virus software.
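The mechanism just described can be audited from the defender's side: every subkey under Image File Execution Options that carries a Debugger value redirects that image somewhere else. The following PowerShell script is an added example, not code from the original article or from wsyscheck; it lists all Debugger values under the key and flags any whose target is not on an allow-list. The allow-list entries and the requirement to run in an elevated session are assumptions.

```powershell
# Added example: audit Image File Execution Options (IFEO) for Debugger values,
# the registry mechanism the article calls "image hijacking".
# Assumptions: run from an elevated PowerShell session; $KnownDebuggers is a
# constructed allow-list that you adapt to the debuggers actually installed.

$IfeoPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

# Executables that are allowed to appear as a Debugger (constructed example entry)
$KnownDebuggers = @(
    'C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\ntsd.exe'
)

function Get-IfeoDebuggerEntries {
    [CmdletBinding()]
    param([string]$Path = $IfeoPath)

    # Each subkey is named after an image file (e.g. avp.exe). A Debugger value
    # means Windows starts that program instead of the image itself.
    Get-ChildItem -Path $Path -ErrorAction Stop | ForEach-Object {
        $debugger = (Get-ItemProperty -Path $_.PSPath -Name 'Debugger' -ErrorAction SilentlyContinue).Debugger
        if ([string]::IsNullOrWhiteSpace($debugger)) { return }

        # Separate the executable from any arguments: quoted path, or first token
        if ($debugger -match '^"([^"]+)"') { $exe = $Matches[1] }
        else { $exe = ($debugger -split '\s+')[0] }

        [pscustomobject]@{
            Image         = $_.PSChildName
            Debugger      = $debugger
            TargetExists  = Test-Path -LiteralPath $exe -PathType Leaf
            KnownDebugger = $KnownDebuggers -contains $exe
        }
    }
}

function Find-SuspiciousIfeoEntries {
    # Anything redirecting an image to a program outside the allow-list deserves a look,
    # especially when the hijacked image is a security tool (avp.exe, regedit.exe, ...).
    Get-IfeoDebuggerEntries | Where-Object { -not $_.KnownDebugger }
}

# Usage: print every Debugger redirection, then only the unexpected ones
Get-IfeoDebuggerEntries | Format-Table -AutoSize
Find-SuspiciousIfeoEntries | Format-Table -AutoSize
```

A subkey under Image File Execution Options is not suspicious by itself: Windows and many installers create subkeys there for other values (GlobalFlag, mitigation settings), so the check keys on the Debugger value only. A Debugger whose target file no longer exists (TargetExists false) still matters, because the hijacked program will then fail to start at all.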

How to remove viruses and Trojans

Note:

1. This method easily handles most viruses, including those that use "image hijacking".

2. If anything goes wrong during the repair, start again from step 2!

3. If Registry Workshop (regworkshop) will not run, rename regworkshop.exe to a random combination of digits with the .exe extension (the same applies to wsyscheck.exe).

4. wsyscheck can also manage (browse, copy, cut, delete, etc.) files in the system instead of the resource manager. wsyscheck also has a built-in registry editing function to maintain the registry.

If you do not understand how image hijacking works, pulling the virus out is tricky. Once you do, it is simple: just "change the file name". With typical image hijacking the file name is hard-coded, for example Kaspersky's avp.exe; rename it to avpxxx.exe and it runs again. We will not discuss anti-virus software here; as everyone knows, anti-virus software is powerless against new viruses. Instead we discuss how to use wsyscheck (similar to IceSword, and it never misses) and Registry Workshop (a powerful registry editor) for manual virus removal.

Step 1: Download Registry Workshop and the Chinese version of wsyscheck0825.

Registry Workshop is a powerful registry editor that can back up and restore the registry and supports permission editing.

wsyscheck is a good tool for repairing the system and removing viruses. Its functions include process and service/driver checks, enhanced SSDT detection, file search, registry operations, and DOS deletion.

Step 2: Open Registry Workshop, back up the registry, and minimize it.

Step 3: Open wsyscheck, click "Software Settings" in the upper-left corner, and select "Prohibit process and file creation". This prevents virus processes from reappearing after they are killed.

Step 4: In Process Management, select all processes shown in red, right-click them, and choose "End selected processes". Be careful not to select the Registry Workshop process you just started.

Step 5: In Process Management, click explorer.exe and then winlogon.exe. Check whether the module list below contains a DLL whose name is about 7-8 characters of random letters and digits; if you know Windows DLLs, you can tell at a glance whether a DLL is abnormal. If you are not sure, search Google and Baidu. Select the suspicious DLL, right-click it in the module list, and select "Add to DOS delete list". When something is in the DOS delete list, wsyscheck removes the virus/Trojan DLL modules under DOS on the next restart (the software virtualizes a DOS environment); because a 32-bit DLL is inert under DOS, all of them can be deleted easily and thoroughly.

Then execute step 10 below to delete the stubborn files and boot back into the normal system, and run through the procedure again from step 2.

Note that the DLL is not necessarily one with a 7- or 8-character random name; it may have any other file name. The main task is to recognise an unfamiliar DLL. The virus DLLs injected into explorer are usually found in these folders: [C:\Program Files\Common Files\Microsoft Shared and its subfolders], [C:\Program Files\Internet Explorer and its subfolders], [C:\Windows\system32\drivers and its subfolders], [C:\Documents and Settings\User Name\Local Settings\Temporary Internet Files] and so on, so use your judgement as you go.

Step 6: Select all the pink processes except csrss.exe, winlogon.exe, services.exe and the like (these 4-5 processes are the core system processes; do not end them), right-click, and choose "End selected processes". This step is also important: both explorer.exe and ipolice.exe must be terminated.

Step 7: Switch to the "General check" tab of "Security check" and clear every item in the "Forbidden program management" list on the right: right-click, and click "Allow this program to run".

Step 8: Right-click all items in "Registry key value change detection" and click "Repair option".

Step 9: Use Registry Workshop to open the image hijacking location and delete all the hijacked items. At this point the image hijacking is fixed.

Step 10: Switch back to wsyscheck, open the "DOS deletion" tab, and click "DOS delete". When the "Delete stubborn files" menu appears, select "DOS delete" and restart the computer. Before restarting, use wsyscheck's built-in file manager to visit each hard disk and check whether the root directory contains autorun.inf or newly created .exe or .pif files. If so, delete them.


Now, the virus cleanup is complete.
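The registry-related parts of the procedure above (the backup in step 2, removing the hijacked items in step 9, and the drive-root check in step 10) can be reproduced without wsyscheck or Registry Workshop. The following PowerShell script is an added example, not the article's procedure or either tool's code; it exports the Image File Execution Options key to a .reg backup, removes every Debugger value except the ones you choose to keep, and lists autorun.inf, .exe and .pif files in the root of each drive. The backup directory is an assumed location, and the script assumes an elevated session.

```powershell
# Added example: PowerShell equivalent of the registry steps (2, 9) and the
# drive-root check (10) from the manual removal procedure.
# Assumptions: elevated session; $BackupDir is an assumed location you can change.

$IfeoPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$IfeoRegKey = 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$BackupDir = 'C:\ifeo-backup'   # assumed

function Backup-IfeoKey {
    # Step 2: back up before touching anything. reg.exe export writes a .reg file
    # that can be re-imported (reg.exe import <file>) to undo the cleanup.
    param([string]$Directory = $BackupDir)
    New-Item -ItemType Directory -Path $Directory -Force | Out-Null
    $file = Join-Path $Directory ("IFEO-{0:yyyyMMdd-HHmmss}.reg" -f (Get-Date))
    & reg.exe export $IfeoRegKey $file /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg.exe export failed with exit code $LASTEXITCODE" }
    return $file
}

function Remove-IfeoDebuggerValues {
    # Step 9: delete the hijacking entries. Only the Debugger value is removed;
    # the subkey itself may hold legitimate settings (GlobalFlag etc.) and is kept.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string[]]$Keep = @())   # image names whose Debugger value must stay

    Get-ChildItem -Path $IfeoPath | ForEach-Object {
        $image = $_.PSChildName
        $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if ($null -eq $props -or $null -eq $props.Debugger -or $Keep -contains $image) { return }

        if ($PSCmdlet.ShouldProcess("$image -> $($props.Debugger)", 'Remove Debugger value')) {
            Remove-ItemProperty -Path $_.PSPath -Name 'Debugger'
        }
    }
}

function Find-DriveRootAutorunArtifacts {
    # Step 10 check: autorun.inf, .exe and .pif files (hidden ones included) in the
    # root of every file-system drive.
    Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Root -and (Test-Path $_.Root) } | ForEach-Object {
        Get-ChildItem -Path $_.Root -Force -File -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -ieq 'autorun.inf' -or $_.Extension -in '.exe', '.pif' }
    }
}

# Usage: back up, preview what would be removed with -WhatIf, then run for real
$backup = Backup-IfeoKey
Write-Host "Registry backup written to $backup (restore with: reg.exe import `"$backup`")"
Remove-IfeoDebuggerValues -WhatIf
# Remove-IfeoDebuggerValues            # the real run, once the preview looks right
Find-DriveRootAutorunArtifacts | Select-Object FullName, Length, LastWriteTime
```

The -WhatIf preview matters because the article's "delete all the hijacked items" assumes no legitimate Debugger entries exist; if a real debugger is registered for some image, pass its name through -Keep. The drive-root listing only reports; as in step 10, deleting is a decision you take per file after looking at it.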

Prevent image hijacking

1. Permission restriction

Open the Registry Editor and go to [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]. Select this key, right-click → Permissions → Advanced, and remove the write permission of the Administrators and SYSTEM accounts.

2. Brute force

Open the Registry Editor, go to [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion], and delete the "Image File Execution Options" key.
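The permission restriction in method 1 can be scripted rather than clicked through the Permissions dialog. The following PowerShell is an added example, not from the original article: it adds Deny entries for the write-type registry rights (set value, create subkey, delete, change permissions, take ownership) on the Image File Execution Options key for the accounts the article names, and provides a matching function to remove them again. The choice of exactly those rights and the elevated-session requirement are assumptions.

```powershell
# Added example: apply the article's "permission restriction" with Set-Acl instead of
# the Registry Editor dialog. Assumes an elevated PowerShell session.
# The set of denied rights below is an assumption; adjust to taste.

$IfeoPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$WriteRights = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
$Inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit'   # apply to subkeys too
$Propagate = [System.Security.AccessControl.PropagationFlags]'None'

function New-IfeoDenyRule([string]$Identity) {
    # One Deny ACE for the given account covering the write-type rights
    New-Object System.Security.AccessControl.RegistryAccessRule -ArgumentList @(
        $Identity, $WriteRights, $Inherit, $Propagate,
        [System.Security.AccessControl.AccessControlType]'Deny')
}

function Set-IfeoWriteDeny {
    # The article removes write access for Administrators and SYSTEM; same defaults here
    param([string[]]$Identities = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM'))
    $acl = Get-Acl -Path $IfeoPath
    foreach ($id in $Identities) { $acl.AddAccessRule((New-IfeoDenyRule $id)) }
    Set-Acl -Path $IfeoPath -AclObject $acl
}

function Remove-IfeoWriteDeny {
    # Undo: needed before you (or an installer) legitimately add an IFEO entry again
    param([string[]]$Identities = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM'))
    $acl = Get-Acl -Path $IfeoPath
    foreach ($id in $Identities) { $acl.RemoveAccessRule((New-IfeoDenyRule $id)) | Out-Null }
    Set-Acl -Path $IfeoPath -AclObject $acl
}

function Get-IfeoDenyEntries {
    # Show the Deny ACEs currently on the key, to confirm the change took effect
    (Get-Acl -Path $IfeoPath).Access | Where-Object { $_.AccessControlType -eq 'Deny' } |
        Select-Object IdentityReference, RegistryRights, InheritanceFlags
}

# Usage
Set-IfeoWriteDeny
Get-IfeoDenyEntries | Format-Table -AutoSize
```

Two caveats a practitioner should keep in mind. Deny entries are evaluated before Allow entries, so the deny on BUILTIN\Administrators applies to your own admin account as well; run Remove-IfeoWriteDeny before installing a debugger that registers itself under this key. And this is a speed bump, not a barrier: code running with SeTakeOwnershipPrivilege can take ownership of the key and rewrite the DACL regardless of the deny, so the restriction mainly stops malware that simply writes the Debugger value and does nothing more.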

Other security tools

Sreng (System Repair Engineer): usually translated as "system repair engineer", it is one of the most advanced system auxiliary analysis tools. Sreng logs are more comprehensive than HijackThis logs (HijackThis omits some startup items), and Sreng logs provide more detailed diagnostic information that helps clear stubborn viruses such as the "QQ tail" family.

IceSword (ice blade): similar to wsyscheck, a cutting-edge tool used to find and handle hidden backdoors (Trojans) in the system. Some knowledge of the operating system is needed to use it.

Autoruns: an excellent startup-item management tool with powerful functions. Besides managing every kind of startup item, it can edit the registry directly, and the software can search Google and MSN online for an entry.

Filemon: a file-monitoring program that watches file read and write operations on disk.

Process Explorer: a driver-level process management tool that marks services, independent processes and .NET processes in different colours.

Regmon: a registry-monitoring tool that records registry access operations so suspicious programs can be examined.

RootkitUnhooker (RkU): a foreign anti-rootkit tool that effectively deals with SSDT hooks, shadow SSDT hooks and inline hooks. It is also a powerful process management tool.

SnipeSword: a popular tool for process management. I like to use its kernel code scanning, file checking and disk filter driver checking functions. Its stability is worse than IceSword and RkU, but it is more powerful.
