Basic defenses against, and removal of, viruses and Trojans

Source: Internet
Author: User

Intended audience: ordinary home users
Objective: to prevent and remove common Trojans and viruses without any third-party tools

There are already far too many articles on the Internet about viruses and Trojans, and it is hard to tell which are original. So Jinzhou (the author) will not repeat what has been written elsewhere; the aim is only to explain the idea. This article was originally written for a friend of mine in Shanghai, and it is very simple.
Notes: 1. Because my friend does not use any tools, this article describes defending against viruses and Trojans without tools.
2. It also only deals with simple Trojans. My friend is an ordinary computer user; for complicated viruses and Trojans I advise him to reinstall.
3. My friend's machine runs Windows XP Professional.
4. I will not elaborate on methods already covered on the Internet; you can search for them yourself.

I. Basic defense principle: a backup beats a remedy.

1. Back up. Right after the system is installed, Jinzhou first records the file lists of C:\WINDOWS (the system drive) and C:\WINDOWS\system32.
Run the following commands:
dir /a C:\WINDOWS\system32 > c:\1.txt
dir /a C:\WINDOWS > c:\2.txt
Later, when something looks wrong, take a fresh listing of the same directory (for example into c:\3.txt) and compare it with the baseline: fc c:\1.txt c:\3.txt > c:\4.txt
(Jinzhou's note: dir /a also lists hidden files; the lists are kept in the root of C: so they are easy to find.)
Because most Trojans need to load a dynamic link library, you can record the system32 listing in more detail, as follows:
cd C:\WINDOWS\system32
dir /a > c:\1.txt
dir /a *.dll > c:\2.txt
dir /a *.exe > c:\3.txt
Then keep the lists together in one place. Besides comparing the whole listing when there is a problem, you can easily see which DLL or EXE files have been added. Some files are created when software is installed and are not Trojans, but the lists are still a good reference.

2. Back up the DLLs loaded by each process. In CMD run:
tasklist /m > c:\dll.txt
This writes the module (DLL) list of every running process to a file in the root of C:. Later it can be compared the same way as the directory listings above; checking DLLs one by one when hunting a DLL Trojan is far too much trouble, and this is more convenient.
3. Back up the registry.
Run REGEDIT, choose File > Export > All, and save the file somewhere safe.
4. Back up the C: drive (for friends with large hard disks, Jinzhou notes).
Start > All Programs > Accessories > System Tools > Backup. Follow the wizard, select what to back up, and back up the system to a location of your choice.
If something goes wrong, open Backup again, choose Restore, find your backup, and restore it.
(Jinzhou's note: this beats System Restore and is the last resort; back the system up as soon as it is installed.)
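The listing-and-compare steps above can be scripted rather than read off fc output by eye. The following is an added example, my own code rather than Jinzhou's, that parses a baseline and a current dir /a listing and a baseline and a current tasklist /m dump, and reports which files and which per-process modules are new. The four sample texts are constructed in the Windows XP English-locale layout; the file name cmdserver.exe is borrowed from the removal example later in the article, and evilhook.dll is made up.

```python
"""Compare baseline 'dir /a' and 'tasklist /m' output with current output
and report what appeared since the baseline.

Added example, not from the original article. The sample texts are
constructed to look like Windows XP output; in practice read the baseline
from the files saved in the root of C: and the current state from a fresh
run of the same commands.
"""
import re
from collections import defaultdict

# 'dir /a' row (XP, English locale):  date  time  <DIR>|size  name
DIR_LINE = re.compile(
    r"^(\d{2}/\d{2}/\d{4})\s+(\d{2}:\d{2}\s*[AP]M)\s+(<DIR>|[\d,]+)\s+(.+?)\s*$"
)


def parse_dir_listing(text):
    """{name: (date, time, size)}; size is None for directories."""
    files = {}
    for line in text.splitlines():
        m = DIR_LINE.match(line)
        if not m or m.group(4) in (".", ".."):
            continue
        date, time, size, name = m.groups()
        files[name.lower()] = (date, time, None if size == "<DIR>" else int(size.replace(",", "")))
    return files


def diff_listing(baseline, current):
    """Names added, removed, or whose date/time/size changed since the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(n for n in set(baseline) & set(current) if baseline[n] != current[n])
    return {"added": added, "removed": removed, "changed": changed}


def parse_tasklist_modules(text):
    """{image name: set of modules} from 'tasklist /m' output.

    PIDs change across reboots, so modules are keyed by image name and merged
    for processes that share a name (several svchost.exe instances, say).
    Module lists too long for one row continue on indented rows.
    """
    procs = defaultdict(set)
    image = None
    for line in text.splitlines():
        if not line.strip() or line.startswith("Image Name") or line.startswith("="):
            continue
        if not line[0].isspace():                     # new process row
            m = re.match(r"^(\S.*?)\s+(\d+)\s+(.*)$", line)
            if not m:
                image = None
                continue
            image, mods = m.group(1).lower(), m.group(3)
        elif image is None:
            continue
        else:                                         # continuation row
            mods = line
        for mod in mods.split(","):
            mod = mod.strip().lower()
            if mod and mod != "n/a":
                procs[image].add(mod)
    return dict(procs)


def diff_modules(baseline, current):
    """{image: modules it loads now that it did not load at baseline}."""
    new = {}
    for image, mods in current.items():
        extra = sorted(mods - baseline.get(image, set()))
        if extra:
            new[image] = extra
    return new


# --- constructed samples ---------------------------------------------------
BASELINE_DIR = r""" Directory of C:\WINDOWS\system32

08/04/2004  12:00 PM    <DIR>          .
08/04/2004  12:00 PM    <DIR>          ..
08/04/2004  12:00 PM              50,688 cmd.exe
08/04/2004  12:00 PM             593,920 comctl32.dll
               2 File(s)        644,608 bytes
"""
CURRENT_DIR = r""" Directory of C:\WINDOWS\system32

08/04/2004  12:00 PM    <DIR>          .
08/04/2004  12:00 PM    <DIR>          ..
08/04/2004  12:00 PM              50,688 cmd.exe
08/04/2004  12:00 PM             593,920 comctl32.dll
03/15/2008  10:22 PM              24,576 cmdserver.exe
03/15/2008  10:22 PM              16,384 evilhook.dll
               4 File(s)        685,568 bytes
"""
BASELINE_MODULES = """Image Name                     PID Modules
========================= ======== ============================================
System Idle Process              0 N/A
explorer.exe                  1432 ntdll.dll, kernel32.dll, SHELL32.dll
svchost.exe                    904 ntdll.dll, kernel32.dll
svchost.exe                   1020 ntdll.dll, kernel32.dll, RPCRT4.dll
"""
CURRENT_MODULES = """Image Name                     PID Modules
========================= ======== ============================================
System Idle Process              0 N/A
explorer.exe                  1488 ntdll.dll, kernel32.dll, SHELL32.dll,
                                   evilhook.dll
svchost.exe                    912 ntdll.dll, kernel32.dll, RPCRT4.dll
"""


def report(baseline_dir=BASELINE_DIR, current_dir=CURRENT_DIR,
           baseline_mods=BASELINE_MODULES, current_mods=CURRENT_MODULES):
    files = diff_listing(parse_dir_listing(baseline_dir), parse_dir_listing(current_dir))
    mods = diff_modules(parse_tasklist_modules(baseline_mods), parse_tasklist_modules(current_mods))
    return files, mods


if __name__ == "__main__":
    files, mods = report()
    for kind, names in files.items():
        print(f"{kind}: {', '.join(names) or '-'}")
    for image, extra in mods.items():
        print(f"{image} now also loads: {', '.join(extra)}")
```

On the samples the report lists cmdserver.exe and evilhook.dll as added to system32 and shows explorer.exe loading evilhook.dll that it did not load at baseline. A changed date or size on a file that was already present is reported too, which catches a system DLL that has been replaced rather than added; a legitimate update will show up the same way, so the listing is a lead, not a verdict.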

II. Basic defense principle: prevention is better than cure.

1. Disable sharing. How to remove shared items is easy to find on the Internet, so Jinzhou will not go into detail. Close ports 139 and 445 and remove the default administrative shares that XP creates.
2. Disable the Server, Telnet, Task Scheduler and Remote Registry services. This blocks the at command that script kiddies commonly use. For the other services, look up the relevant information and decide for yourself. (Once Task Scheduler is disabled, scheduled tasks such as scheduled scans and scheduled updates will no longer run.)
3. Control Panel > Administrative Tools > Local Security Policy > Local Policies > Security Options: rename the Administrator and Guest accounts, preferably to Chinese names, and give Administrator a password, since by default it is empty. Renaming alone is enough against hackers who are just playing; experts are generally not interested in personal computers.
4. In the network connection properties, disable or simply uninstall every protocol other than TCP/IP.
5. Disable remote connections: on the desktop, My Computer > Properties > Remote, and untick the remote connection options. You can also disable the Terminal Services service, but after that the User Name column in Task Manager no longer shows.
(Note: if you are into hacking and want to study the techniques, the settings above are not for you. There are also many more security details on the Internet, so you will not be left stranded; search for them yourself.)

III. Basic remedy: processes, services, registry.

1. First get a basic understanding of processes, services and the registry. About three hours of reading online is enough.
2. Startup items. There are plenty of detailed articles online about startup items; I only give my own view here. The following 35 registry locations are the commonly used startup items. (I did not compile this list myself, but I think it is the most comprehensive one.)
1. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
2. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
3. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
4. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
5. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
6. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
7. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup
8. HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
9. HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce
10. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
11. HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components
12. HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VxD
13. HKEY_CURRENT_USER\Control Panel\Desktop
14. HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager
15. HKEY_CLASSES_ROOT\vbsfile\shell\open\command
16. HKEY_CLASSES_ROOT\vbefile\shell\open\command
17. HKEY_CLASSES_ROOT\jsfile\shell\open\command
18. HKEY_CLASSES_ROOT\jsefile\shell\open\command
19. HKEY_CLASSES_ROOT\wshfile\shell\open\command
20. HKEY_CLASSES_ROOT\wsffile\shell\open\command
21. HKEY_CLASSES_ROOT\exefile\shell\open\command
22. HKEY_CLASSES_ROOT\comfile\shell\open\command
23. HKEY_CLASSES_ROOT\batfile\shell\open\command
24. HKEY_CLASSES_ROOT\scrfile\shell\open\command
25. HKEY_CLASSES_ROOT\piffile\shell\open\command
26. HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services
27. HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog\Catalog_Entries
28. HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\WOW\cmdline
29. HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\WOW\wowcmdline
30. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
31. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
32. HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\run
33. HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\load
34. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
35. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
(Note: every Trojan has to start somehow, so these startup locations deserve a careful look.)
3. Check the services. The service list is too long to remember in full, so the simplest way is: run msconfig, open the Services tab, tick "Hide all Microsoft services", and whatever is left did not come with the system. Then open each remaining service's properties in the Services console to see which file it points to. Antivirus products nowadays usually add services of their own; I dislike that.
4. Processes. There is plenty of information online, so only two points here. First, open Task Manager, choose View > Select Columns, and tick PID so the PID column is shown; the PID, as Jinzhou puts it, is a process's ID card and makes all the related work easier. Second, right-click a process and choose "Open directory". This is obvious but many people ignore it; it shows the folder the process's file lives in, which helps diagnosis.
5. Run netstat -ano in CMD. It shows, for each connection, the protocol, local port, remote IP address and state, together with the PID of the owning process.
6. Delete the registry entries {F935DC22-1CF0-11D0-ADB9-00C04FD58A0B} (the CLSID of WScript.Shell) and {0D43FE01-F093-11CF-8940-00A0C9054228} (the CLSID of Scripting.FileSystemObject).
Searching the registry for these two CLSIDs shows they belong to the scripting components; back them up and delete them, mainly to stop malicious web scripts.
(Jinzhou's note: if you are interested in scripting, do not delete them, since the scripts you want to learn from and test need them.)
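Going through the 35 locations in item 2 by hand in regedit is slow, but the registry export from section I item 3 is a plain text file that can be checked offline. The following is an added example, my own code rather than Jinzhou's, that parses a .reg export, lists every value under the Run-type keys from the list above, and flags the two hijacks a Trojan most often uses: extra programs appended to Winlogon\Userinit and a rewritten exefile (or similar) shell\open\command. The sample export is constructed; the "expected" Winlogon and file-class defaults are the Windows XP values the check assumes, so adjust them for another Windows version.

```python
"""Audit a regedit export (File > Export > All) for the autostart locations
listed above.

Added example, not from the original article. SAMPLE_EXPORT is a constructed
.reg file; the expected defaults below are the Windows XP values this check
assumes. Regedit writes real exports as UTF-16, so load one with
open(path, encoding="utf-16").read().
"""
import re

VALUE_LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

# Keys from the list above whose values name programs run at logon.
# None = report every value in the key; a set = report only those value names.
AUTOSTART_KEYS = {
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run": None,
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce": None,
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices": None,
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce": None,
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run": None,
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce": None,
    r"HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run": None,
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run": None,
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run": None,
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows": {"load", "run"},
}
AUTOSTART = {k.lower(): v for k, v in AUTOSTART_KEYS.items()}

# XP defaults (assumed) for the file-class handlers a Trojan hijacks so that it
# runs every time a program of that type is launched.
EXPECTED_OPEN_COMMAND = {
    "exefile": '"%1" %*', "comfile": '"%1" %*', "batfile": '"%1" %*',
    "cmdfile": '"%1" %*', "piffile": '"%1" %*', "scrfile": '"%1" /S',
}


def _unescape(s):
    # .reg strings escape backslash and double quote with a backslash
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """{key: {value name: data}}. '@' is the default value; hex:/dword: data is
    kept as raw text because the checks below only need strings."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_LINE.match(line)
        if not m or current is None:
            continue
        name, data = m.groups()
        name = "@" if name == "@" else _unescape(name[1:-1])
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            data = _unescape(data[1:-1])
        keys[current][name] = data
    return keys


def audit(keys):
    """Return (autostart entries, findings that differ from the XP defaults)."""
    entries, findings = [], []
    for key, values in keys.items():
        k = key.lower()
        if k in AUTOSTART:
            wanted = AUTOSTART[k]
            for name, data in values.items():
                if data and (wanted is None or name.lower() in wanted):
                    entries.append((key, name, data))
        if k.endswith(r"\windows nt\currentversion\winlogon"):
            shell = values.get("Shell", "Explorer.exe")
            if shell.lower() != "explorer.exe":
                findings.append(f"Winlogon\\Shell is {shell!r}, expected 'Explorer.exe'")
            progs = [p.strip() for p in values.get("Userinit", "userinit.exe,").split(",") if p.strip()]
            if [p.lower().rsplit("\\", 1)[-1] for p in progs] != ["userinit.exe"]:
                findings.append(f"Winlogon\\Userinit runs extra programs: {progs}")
        m = re.fullmatch(r"hkey_classes_root\\(\w+)\\shell\\open\\command", k)
        if m and m.group(1) in EXPECTED_OPEN_COMMAND:
            cmd = values.get("@", "")
            if cmd != EXPECTED_OPEN_COMMAND[m.group(1)]:
                findings.append(f"{m.group(1)} open command is {cmd!r}, expected {EXPECTED_OPEN_COMMAND[m.group(1)]!r}")
    return entries, findings


# Constructed export: one Run entry and two hijacks (Userinit, exefile).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"cmdserver"="C:\\WINDOWS\\system32\\cmdserver.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\cmdserver.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"load"=""
"run"=""
"DeviceNotSelectedTimeout"="15"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\system32\\cmdserver.exe \"%1\" %*"

[HKEY_CLASSES_ROOT\scrfile\shell\open\command]
@="\"%1\" /S"
'''

if __name__ == "__main__":
    entries, findings = audit(parse_reg_export(SAMPLE_EXPORT))
    for key, name, data in entries:
        print(f"[{key}] {name} = {data}")
    for f in findings:
        print("FINDING:", f)
```

The exefile case is the one to understand before cleaning up: if the Trojan's path is removed from that value but the file is deleted first, every .exe on the machine stops launching, which is why the article's removal order (kill the process, fix the registry, then delete the file) matters.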

IV. A simple removal example.

1. The target is a Trojan bundled with a popular BT (BitTorrent) "green" (portable) program. Antivirus can remove it but misidentifies it as Gray Pigeon, and some copies it cannot kill at all. In the example below no tool, antivirus included, is used to diagnose or remove it.
2. Infection signs: while the machine is in use, the hard disk light suddenly flashes hard for no reason, the system slows down for a while, and some programs stop responding normally, so we suspect a problem.
3. Check: an unknown extra service is found in the Services list, and its file points to server.exe under C:\Program Files\Internet assumer\, which is obviously not a file that comes with the system. Checking the ports on the command line shows an abnormal connection, and an unknown process is found. The startup item named "cmdserver.exe" is the Trojan.
4. Removal: open the registry, kill the process, delete the startup item, search the registry for the service name and delete it, then delete the source file. Check the Temp folder at the same time; a new folder is found there with a file called "no killer.exe" inside; delete it and clear the cache. It is best to do all of this in Safe Mode.
5. Compare the DLL list of system32 against the original backup to find and delete any suspicious DLL files.
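Step 3 above and item 5 of section III both come down to reading netstat -ano and matching each PID back to a process name in tasklist. The following is an added example, my own code rather than Jinzhou's, that joins the two outputs and separates the two things worth looking at first: established connections to addresses outside the local network, and every port something is listening on, each with its owning image. NETSTAT and TASKLIST are constructed samples in the Windows XP output layout (the remote address 203.0.113.45 is from a documentation range, and cmdserver.exe is the process name from the example above); save real output with netstat -ano and tasklist redirected to files, then pass the file contents to report(). The notion of "local" is deliberately narrow (RFC 1918, loopback and link-local only), so a LAN-facing connection to anything else counts as external.

```python
"""Join 'netstat -ano' with 'tasklist' so every socket shows its owning
image, then pull out external connections and listening ports.

Added example, not from the original article. NETSTAT and TASKLIST are
constructed samples in the Windows XP output layout; substitute real output
redirected to files with netstat -ano and tasklist.
"""
import re


def parse_netstat(text):
    """Rows of 'netstat -ano' as dicts. UDP rows have no State column."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        conns.append({
            "proto": parts[0], "local": parts[1], "remote": parts[2],
            "state": parts[3] if len(parts) == 5 else "",
            "pid": int(parts[-1]),
        })
    return conns


def parse_tasklist(text):
    """{pid: image name} from plain 'tasklist' output."""
    images = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("Image Name") or line.startswith("="):
            continue
        m = re.match(r"^(\S.*?)\s+(\d+)\s+\S", line)   # image name may contain spaces
        if m:
            images[int(m.group(2))] = m.group(1)
    return images


def annotate(conns, images):
    """Attach the image name to each connection; PIDs not in tasklist are marked."""
    for c in conns:
        c["image"] = images.get(c["pid"], "<unknown>")
    return conns


def is_local_range(ip):
    """RFC 1918, loopback and link-local IPv4 only (assumed definition of
    'local'); anything else, including non-IPv4 text, counts as external."""
    if not re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", ip):
        return False
    o = [int(x) for x in ip.split(".")]
    return (o[0] in (10, 127) or (o[0] == 172 and 16 <= o[1] <= 31)
            or (o[0] == 192 and o[1] == 168) or (o[0] == 169 and o[1] == 254))


def external_connections(conns):
    """Established TCP connections whose remote end is not a local address."""
    out = []
    for c in conns:
        if c["proto"] == "TCP" and c["state"] == "ESTABLISHED":
            host = c["remote"].rsplit(":", 1)[0]
            if not is_local_range(host):
                out.append(c)
    return out


def listeners(conns):
    """Ports something is waiting on: TCP LISTENING rows and all UDP rows."""
    return [c for c in conns if c["state"] == "LISTENING" or c["proto"] == "UDP"]


# --- constructed samples ---------------------------------------------------
NETSTAT = """Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       904
  TCP    0.0.0.0:8000           0.0.0.0:0              LISTENING       1488
  TCP    192.168.1.5:139        0.0.0.0:0              LISTENING       4
  TCP    192.168.1.5:1045       192.168.1.1:445        ESTABLISHED     4
  TCP    192.168.1.5:1046       203.0.113.45:8080      ESTABLISHED     1488
  UDP    0.0.0.0:445            *:*                                    4
"""
TASKLIST = """Image Name                     PID Session Name     Session#    Mem Usage
========================= ======== ================ ======== ============
System Idle Process              0 Console                 0         16 K
System                           4 Console                 0        212 K
svchost.exe                    904 Console                 0      4,512 K
cmdserver.exe                 1488 Console                 0      2,104 K
"""


def report(netstat_text=NETSTAT, tasklist_text=TASKLIST):
    conns = annotate(parse_netstat(netstat_text), parse_tasklist(tasklist_text))
    return external_connections(conns), listeners(conns)


if __name__ == "__main__":
    ext, lst = report()
    print("External connections:")
    for c in ext:
        print(f"  {c['local']} -> {c['remote']}  pid {c['pid']} ({c['image']})")
    print("Listening:")
    for c in lst:
        print(f"  {c['proto']} {c['local']}  pid {c['pid']} ({c['image']})")
```

On the samples the only external connection belongs to PID 1488, cmdserver.exe, which also listens on TCP 8000; the SMB session to 192.168.1.1 owned by PID 4 (System) is local and is left out. Run netstat and tasklist back to back, since a PID from one listing can already belong to a different process by the time the other is taken.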
