Basic defense and solutions for viruses and Trojans in Windows

Source: Internet
Author: User

I. Basic defense idea: backing up beforehand beats repairing afterwards.
1. Backup. Right after the system is installed, first back up the file listings of the Windows directory (on the system disk) and of C:\WINDOWS\system32.
Run the following commands:
dir /a C:\WINDOWS\system32 > C:\1.txt
dir /a C:\WINDOWS > C:\2.txt
Later, to compare a fresh listing (saved as 3.txt) against the backup:
fc C:\1.txt C:\3.txt > C:\4.txt
Because most Trojans need to load a dynamic link library, you can back up the system32 listing in more detail, as shown below:
cd C:\WINDOWS\system32
dir /a > C:\1.txt
dir /a *.dll > C:\2.txt
dir /a *.exe > C:\3.txt
Then save the backups in one place. Besides comparing the listings when there is a problem, we can easily check which DLL or EXE files have been added. Some files are generated when software is installed and are not viruses or Trojans, but the listings still provide a good reference.
2. Back up the DLLs loaded by running processes. In CMD, run:
tasklist /m > C:\dll.txt
This writes the DLL list of every running process to the root of drive C. Later we can compare it in the same way as above. Checking DLLs one by one when hunting a DLL Trojan is too much trouble; this is more convenient.
3. Back up the registry. Run REGEDIT, choose File > Export > All, and save the file somewhere safe.
4. Back up drive C. Go to Start Menu > All Programs > Accessories > System Tools > Backup, then follow the wizard: select the backup content and back up the system to a specific location.
If something goes wrong, open Backup again, select Restore, find your backup, and restore it.
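The four backup steps above combined into one batch script, as an added example that is not part of the original article: it takes a named snapshot of the listings the article saves and, going beyond the article, also records netstat output and the main autostart keys, and a later snapshot can be compared against the baseline with findstr and fc. It assumes the system drive is C: and that snapshots are kept under C:\snap (both are assumptions).

```batch
@echo off
rem Added example, not from the original article: snapshot the listings the
rem article backs up, then diff a later snapshot against the baseline.
rem   snapshot.cmd baseline              right after installing the system
rem   snapshot.cmd today                 when the machine behaves strangely
rem   snapshot.cmd compare baseline today
rem Assumption: snapshots live under C:\snap.
set ROOT=C:\snap
if /i "%~1"=="compare" goto :compare
if "%~1"=="" (echo usage: %~nx0 ^<label^>  or  %~nx0 compare ^<old^> ^<new^> & exit /b 1)
set OUT=%ROOT%\%~1
if not exist "%OUT%" mkdir "%OUT%"
rem /b writes bare names, so the diff is not polluted by dates and free-space lines
dir /a /b "%SystemRoot%\system32"       > "%OUT%\system32.txt"
dir /a /b "%SystemRoot%\system32\*.dll" > "%OUT%\dll.txt"
dir /a /b "%SystemRoot%\system32\*.exe" > "%OUT%\exe.txt"
dir /a /b "%SystemRoot%"                > "%OUT%\windows.txt"
rem DLLs loaded by every running process and the current network connections
tasklist /m   > "%OUT%\tasklist_m.txt"
netstat -ano  > "%OUT%\netstat.txt"
rem the most common autostart keys, exported so fc can diff them later
del /q "%OUT%\*.reg" 2>nul
reg export "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" "%OUT%\hklm_run.reg"
reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" "%OUT%\hkcu_run.reg"
reg export "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" "%OUT%\winlogon.reg"
reg export "HKLM\System\CurrentControlSet\Services" "%OUT%\services.reg"
echo snapshot written to %OUT%
exit /b 0

:compare
if "%~3"=="" (echo usage: %~nx0 compare ^<old^> ^<new^> & exit /b 1)
set OLD=%ROOT%\%~2
set NEW=%ROOT%\%~3
for %%F in (system32 dll exe windows) do (
  echo === %%F: files present in %~3 but not in %~2 ===
  rem print every line of the new list that matches no line of the old list
  findstr /v /x /i /l /g:"%OLD%\%%F.txt" "%NEW%\%%F.txt"
)
echo === autostart keys and services: "no differences encountered" means unchanged ===
for %%R in (hklm_run hkcu_run winlogon services) do (
  echo --- %%R ---
  fc /u "%OLD%\%%R.reg" "%NEW%\%%R.reg"
)
exit /b 0
```

A file that appears only in the newer listing deserves a look, but an installer run between the two snapshots explains most of them; the exported .reg files are Unicode, which is why fc is given /u.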
II. Basic defense idea: prevention is better than cure.
1. Disable sharing. Close ports 139 and 445 and remove the XP default (administrative) shares.
2. Disable the Server, Telnet, Task Scheduler and Remote Registry services. (After Task Scheduler is disabled, scheduled tasks such as scheduled antivirus scans and scheduled updates can no longer run.)
3. In Control Panel > Administrative Tools > Local Security Policy > Local Policies > Security Options, rename the Administrator and Guest accounts, preferably to a Chinese name, and also change the Administrator's default empty password. Changing the name alone is enough against hackers with a casual, game-playing mentality; experts are generally not interested in personal computers.
4. In the network connection properties, disable every protocol other than TCP/IP, or simply uninstall them.
5. Disable remote connections: on the desktop, open My Computer > Properties > Remote and uncheck the option that allows remote connections. You can also disable the Terminal Services service, but after it is disabled the user name column no longer appears in Task Manager.
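The hardening steps above as one batch script, an added example rather than the article's own commands, to be run from an Administrator command prompt on Windows XP. The service names (lanmanserver, TlntSvr, Schedule, RemoteRegistry, TermService) and the registry values are the real Windows ones; the new administrator name LocalMgr is a placeholder to change, and step 4 (removing extra protocols) stays in the connection properties dialog because it is not scriptable from cmd.

```batch
@echo off
rem Added example, not from the original article: apply the article's
rem hardening steps from an Administrator command prompt on Windows XP.
rem NEWADMIN is a placeholder; pick your own name for the renamed account.
set NEWADMIN=LocalMgr

rem 1. Sharing: remove the default administrative shares and stop the
rem    Server service from recreating them. SMBDeviceEnabled=0 closes 445;
rem    port 139 is closed by disabling NetBIOS over TCP/IP in the adapter settings.
net share C$ /delete
net share ADMIN$ /delete
reg add "HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters" /v AutoShareWks /t REG_DWORD /d 0 /f
reg add "HKLM\System\CurrentControlSet\Services\NetBT\Parameters" /v SMBDeviceEnabled /t REG_DWORD /d 0 /f

rem 2. Services: Server, Telnet, Task Scheduler, Remote Registry.
rem    With Schedule disabled, scheduled antivirus scans and updates stop running.
for %%S in (lanmanserver TlntSvr Schedule RemoteRegistry) do (
  sc stop %%S >nul 2>&1
  sc config %%S start= disabled
)

rem 3. Accounts: rename Administrator, give it a real password, disable Guest.
wmic useraccount where name='Administrator' rename %NEWADMIN%
net user %NEWADMIN% *
net user Guest /active:no

rem 4. Extra protocols are removed in the connection properties dialog, not here.

rem 5. Remote Desktop: deny incoming terminal connections and disable the service.
reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 1 /f
sc stop TermService >nul 2>&1
sc config TermService start= disabled
echo done; reboot for the service and sharing changes to take full effect
```

net user with * prompts for the new password on the console instead of leaving it in the script or the command history.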
III. Basic solution: processes, services and the registry.
1. First, get a basic understanding of processes, services and the registry. Reading the relevant material on the Internet takes about three hours.
2. Check whether the startup items have been modified. There are many materials and detailed articles about startup items online; I only give my own notes here. The following lists 35 common autostart locations.
1. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
2. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
3. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
4. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
5. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
6. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
7. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup
8. HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Run
9. HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\RunOnce
10. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
11. HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components
12. HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VxD
13. HKEY_CURRENT_USER\Control Panel\Desktop
14. HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager
15. HKEY_CLASSES_ROOT\vbsfile\shell\open\command
16. HKEY_CLASSES_ROOT\vbefile\shell\open\command
17. HKEY_CLASSES_ROOT\jsfile\shell\open\command
18. HKEY_CLASSES_ROOT\jsefile\shell\open\command
19. HKEY_CLASSES_ROOT\wshfile\shell\open\command
20. HKEY_CLASSES_ROOT\wsffile\shell\open\command
21. HKEY_CLASSES_ROOT\exefile\shell\open\command
22. HKEY_CLASSES_ROOT\comfile\shell\open\command
23. HKEY_CLASSES_ROOT\batfile\shell\open\command
24. HKEY_CLASSES_ROOT\scrfile\shell\open\command
25. HKEY_CLASSES_ROOT\piffile\shell\open\command
26. HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services
27. HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog\Catalog_Entries
28. HKEY_LOCAL_MACHINE\System\Control\WOW\cmdline
29. HKEY_LOCAL_MACHINE\System\Control\WOW\wow1_line
30. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
31. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
32. HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\run
33. HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\load
34. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run
35. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run
3. Check the services. The main difficulty is simply that the service list is too long to remember. To keep it simple, run msconfig, open the Services tab and tick "Hide all Microsoft services"; what remains are services that did not come with the system. Finally, open each remaining service's properties to see the file it is associated with. Nowadays we usually have to add services for antivirus software, which I dislike.
4. Processes. There is more on the Internet; only two points are described here. (1) Open Task Manager, choose View > Select Columns, and tick PID to see each process ID. (2) Right-click a process and choose "Open Directory". This is obvious, but many people ignore it; it shows the folder where the process file lives, which helps diagnosis.
5. Run netstat -ano in CMD. It shows the protocol, port, connection state, remote IP address and the PID of the owning process.
6. Delete the registry entries {F935DC22-1CF0-11D0-ADB9-00C04FD58A0B} and {0D43FE01-F093-11CF-8940-00A0C9054228}.
After searching for these two items you will see that they are related to scripting; delete them after backing up, mainly to prevent malicious script code from web pages.
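Steps 2 to 5 of the checks above (autostart keys, services and their binaries, processes, connections) gathered by one read-only batch script, an added example that is not the article's own. It queries a subset of the 35 locations listed above with reg query, prints every service with its binary path via sc qc, and maps each TCP connection from netstat -ano to its process with tasklist.

```batch
@echo off
rem Added example, not from the original article: read-only triage that walks
rem the article's check list: autostart keys, services, processes, connections.
rem Redirect to a file for later review:  triage.cmd > C:\triage.txt

echo === 2. autostart keys (a subset of the 35 locations above) ===
for %%K in (
  "HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
  "HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce"
  "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
  "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce"
  "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
  "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows"
  "HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"
  "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
  "HKCR\exefile\shell\open\command"
) do (
  echo --- %%~K ---
  rem a missing key is normal, so its error message is hidden
  reg query %%K 2>nul
)

echo === 3. every service and the file it runs; read the non-Microsoft paths closely ===
rem sc query prints "SERVICE_NAME: name"; the rest of that line is the name
for /f "tokens=1,* delims=: " %%A in ('sc query type^= service state^= all ^| findstr /b "SERVICE_NAME"') do (
  echo --- %%B ---
  rem 4096 enlarges the query buffer, which the XP default size sometimes exceeds
  sc qc "%%B" 4096 | findstr /i "BINARY_PATH_NAME START_TYPE"
)

echo === 4./5. TCP connections with the owning process ===
rem netstat -ano columns for TCP: proto local remote state pid
for /f "tokens=2,3,4,5" %%A in ('netstat -ano ^| findstr "LISTENING ESTABLISHED"') do (
  echo %%A -^> %%B  %%C  pid=%%D
  tasklist /nh /fi "PID eq %%D" | findstr /r "."
)
```

Compare the service binary paths and the process names against the backed-up listings from section I; a service whose binary sits outside the Windows and Program Files directories is the first thing to look at.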
IV. A simple example of clearing.
1. The target is a Trojan bundled with a popular BT (BitTorrent) portable ("green") program. Antivirus could detect it but wrongly identified it as Gray Pigeon, and some of it could not be removed. In the following example no tool, antivirus included, is used to identify or clear it.
2. Judging infection: during use the hard disk light suddenly flashes violently for no reason, the system slows down for a short while, and some programs stop responding normally, so we suspect there is a problem.
3. Checking: the service list shows an extra unknown service whose file points to server.exe under C:\Program Files\Internet assumer, obviously not a file that comes with the system. Checking the ports on the command line shows a port connection, and an unknown process is found. A startup item named "cmdserver.exe" is the Trojan.
4. Clearing: open the registry, end the process, delete the startup item, search the registry for the service name and delete it, then delete the source file. At the same time check the temp folder: a new folder is found with a "no killer.exe" file in it; delete the file and clear the cache. Of course, it is best to do all this in Safe Mode.
5. Check the DLL list of system32 against the original backup to find and delete suspicious DLL files. You can also choose View > Choose Details and tick "Date Created" (not shown by default), then switch to Details view and sort by creation date to find new files. This Trojan is relatively simple and does not modify file dates.
(Some people forget this cleanup step: if the virus is still associated with the file, it will reappear after deletion.)