[Audience]
1. VPS users
2. Server hosting users
3. Server security enthusiasts
1. Back up the process list with the tasklist command
When you install the system, it is a good idea to use tasklist to save a copy of the process list. Then, when the machine behaves abnormally, you can compare the current process list against that copy to spot processes that may be malware.
Enter:
tasklist /fo csv > g:\zc.csv
This writes the process list in CSV format to the file zc.csv on drive G: (use whichever drive you want to save to). The file can be opened in Excel.
2. Compare process list files with the fc command
When the server is suspected to be infected, open a command prompt and enter:
tasklist /fo csv > g:\yc.csv
This generates the current list as yc.csv. Then enter:
fc g:\zc.csv g:\yc.csv
fc prints the lines that differ between the two files; any image name that appears only in yc.csv is a process that was not running on the clean system and deserves a closer look. Note that the PID and "Mem Usage" columns change from run to run, so expect differences on those fields even for legitimate processes, and judge by image name.
3. Run the netstat command to view process ports
How do we decide whether a suspicious process is malicious? Most malware, especially Trojans, communicates with the outside through a network port, so check which ports are in use and which process owns them.
Enter:
netstat -a -n -o
The parameters are:
-a: display all connections and listening ports
-n: display addresses and port numbers in numeric form (no DNS or service-name lookups)
-o: display the PID of the process that owns each connection
By matching the PID column against the process list, you can see which program on the local machine owns each connection and decide whether it is legitimate.
The connection states are as follows:
LISTENING: the port is open and waiting for a connection, but nothing has connected yet. Only TCP service ports can be in the LISTENING state.
ESTABLISHED: a connection has been established and the two machines are communicating.
TIME_WAIT: the connection has ended. The port was accessed, but the access is over; it shows that an external computer did connect to the local machine.
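The baseline-and-compare workflow of sections 1 to 3, as an added PowerShell example that is not part of the original article: it takes the process list from tasklist /fo csv, diffs it against a saved baseline by image name rather than by raw line, parses netstat -ano, and prints only the connections owned by processes that were absent from the baseline. The G:\ paths and file names are assumptions.

```powershell
# Added example, not from the original article. Baseline/compare the process
# list and map netstat connections to processes. Paths are assumptions.
param(
    [string]$Baseline = 'G:\zc.csv',   # process list saved on the clean system
    [string]$Current  = 'G:\yc.csv'    # process list taken now
)

function Get-ProcessSnapshot {
    # Same source as the article (tasklist /fo csv), converted to objects
    tasklist /fo csv | ConvertFrom-Csv |
        Select-Object @{ n = 'Name'; e = { $_.'Image Name' } },
                      @{ n = 'PID';  e = { [int]$_.'PID' } }
}

function Get-NetstatConnections {
    # Parse 'netstat -ano'; TCP rows carry a State column, UDP rows do not.
    # Header and blank lines fall through both branches and are dropped.
    netstat -ano | ForEach-Object {
        $f = $_.Trim() -split '\s+'
        if ($f[0] -eq 'TCP' -and $f.Count -ge 5) {
            [pscustomobject]@{ Proto = 'TCP'; Local = $f[1]; Remote = $f[2]; State = $f[3]; PID = [int]$f[4] }
        } elseif ($f[0] -eq 'UDP' -and $f.Count -ge 4) {
            [pscustomobject]@{ Proto = 'UDP'; Local = $f[1]; Remote = $f[2]; State = '';    PID = [int]$f[3] }
        }
    }
}

if (-not (Test-Path $Baseline)) {
    # First run on a clean system: only record the baseline (the article's zc.csv)
    Get-ProcessSnapshot | Export-Csv -NoTypeInformation -Path $Baseline
    Write-Host "Baseline written to $Baseline. Run again later to compare."
    return
}

$old = Import-Csv -Path $Baseline
$now = Get-ProcessSnapshot
$now | Export-Csv -NoTypeInformation -Path $Current

# Compare by image name only: PIDs and memory usage change between runs,
# so a raw 'fc' of the two CSV files flags almost every line.
$newNames = Compare-Object -ReferenceObject $old -DifferenceObject $now -Property Name |
            Where-Object { $_.SideIndicator -eq '=>' } |
            Select-Object -ExpandProperty Name

$nameByPid = @{}
foreach ($p in $now) { $nameByPid[$p.PID] = $p.Name }

Write-Host "Processes not present in the baseline: $($newNames -join ', ')"
Write-Host "Their network activity (from netstat -ano):"
foreach ($c in Get-NetstatConnections) {
    $name = $nameByPid[$c.PID]
    if ($name -and ($newNames -contains $name)) {
        '{0,-6} {1,-5} {2,-22} -> {3,-22} {4,-12} {5}' -f $c.PID, $c.Proto, $c.Local, $c.Remote, $c.State, $name
    }
}
```

Run it once on the freshly installed system to create the baseline, then again when something looks wrong. A process that is new since the baseline and holds an ESTABLISHED connection to an unfamiliar remote address is the case the article's sections 2 and 3 are trying to surface.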
4. The ntsd command: ending processes that Task Manager cannot
Suppose you already know that "Winion0n.exe" is an illegitimate process, but it cannot be terminated from Task Manager. What now?
Enter the following at the command prompt:
ntsd -c q -p 1756
After you press Enter, the process is terminated: ntsd attaches to the process with -p, and the "q" command passed with -c quits the debugger, which kills the attached process.
Tip: "1756" is the PID of the process. If you do not know the PID, open Task Manager and choose View → Select Columns → PID (Process Identifier).
ntsd can forcibly terminate any process except System, smss.exe and csrss.exe. Note that ntsd.exe ships with Windows XP and Server 2003 only; on later Windows versions use taskkill /PID 1756 /F instead, or install the Debugging Tools for Windows.
5. After identifying the malware, remove it at the root: find its original file.
Find where the file is hiding by searching all local partitions with "search system folders" and "search hidden files and folders" enabled, then delete it.
That removes the main file. Next look at its properties and search again by creation time and file size to find its companion files, and delete those too.
If you are not sure whether a file belongs to the malware, search online for the malware's name, for example winion0n.exe.
6. Clean up the registry
Because there are many autostart locations in the registry, checking them by hand is tedious. Here we use reg export in a batch file to back them up.
Start Notepad and enter the following commands:
reg export HKLM\Software\Microsoft\Windows\CurrentVersion\Run f:\hklmrun.reg
reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run f:\hkcu.reg
reg export HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run f:\hklm1.reg
Note: only a few common keys are listed here; back up other keys the same way. reg export fails for a key that does not exist, so only list keys that are present on your system.
Save the file as ziqidong.bat and run it from the command prompt to back up the autostart keys to the corresponding .reg files. Then enter:
copy f:\*.reg ziqidong.txt
This concatenates all the .reg files into ziqidong.txt. If you later suspect that malware has added an autostart entry, export the keys again in the same way and use the fc command described above to compare the before and after txt files; new autostart entries show up immediately.
2. Use reg delete to remove the new autostart value.
For example, using the method above you find a new "Logon" entry under [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] whose startup program is "c:\windows\winlogon.exe" (the real winlogon.exe lives in system32, so this is a lookalike). Enter the following command to delete the Run key:
reg delete HKLM\Software\Microsoft\Windows\CurrentVersion\Run /f
If you only want to remove that one value and leave the legitimate entries alone, use reg delete HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v Logon /f instead.
3. Use reg import to restore the registry.
The reg delete command above removes the entire Run key, legitimate entries included. Restore it quickly from the backup by entering:
reg import f:\hklmrun.reg
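The registry part of section 6 as an added PowerShell example that is not from the original article: it reads the common Run keys into a snapshot, saves a baseline on the first run (together with a .reg export so the whole key can still be restored with reg import), reports entries added since the baseline on later runs, and shows how to delete just the offending value instead of the whole key. The file names under G:\ and the example value name "Logon" are assumptions.

```powershell
# Added example, not from the original article. Snapshot the common autostart
# keys, diff against a baseline, and remove a single offending value.
# File names under G:\ and the value name 'Logon' are assumptions.
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)

function Get-AutorunSnapshot {
    foreach ($key in $RunKeys) {
        # Policies\Explorer\Run often does not exist; skip rather than error
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # PSPath, PSParentPath, ... are not values
            [pscustomobject]@{ Key = $key; Name = $p.Name; Command = [string]$p.Value }
        }
    }
}

function Compare-Autorun {
    param([string]$BaselineCsv)
    $old = Import-Csv -Path $BaselineCsv
    $now = Get-AutorunSnapshot
    # Entries present now but absent from (or changed since) the baseline
    Compare-Object -ReferenceObject $old -DifferenceObject $now -Property Key, Name, Command -PassThru |
        Where-Object { $_.SideIndicator -eq '=>' } |
        Select-Object Key, Name, Command
}

$Baseline = 'G:\autorun-baseline.csv'
if (-not (Test-Path $Baseline)) {
    Get-AutorunSnapshot | Export-Csv -NoTypeInformation -Path $Baseline
    # Keep a .reg export too, so the whole key can be restored with 'reg import'
    reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run G:\hklmrun.reg
    Write-Host "Baseline written to $Baseline"
    return
}

$added = Compare-Autorun -BaselineCsv $Baseline
$added | Format-Table -AutoSize

# Remove one value only (the example 'Logon' entry), leaving the other
# entries in the Run key intact. Equivalent to:
#   reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v Logon /f
# Uncomment after confirming the entry is malicious:
# Remove-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Logon'
```

The comparison includes the Command column, so an existing entry whose command line was changed to point at a different file is reported as well, not only brand-new value names. Removing the single value keeps the rest of the Run key intact, so the reg import restore step is only needed if you chose to delete the whole key.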
The above covers several system commands for removing malware by hand. Used together, these commands are enough to deal with most infections. Of course, you must take the baseline backups (process list and registry exports) while the system is still clean.