1. Start with the virus directory
First, look at the directory where the virus is located. If the virus has its own directory like normal software, we can smile a little: the virus is weak. Check the directory's creation time to learn when the infection happened and where the virus was discovered. If it has no directory of its own but sits in the system directory, that is also easy to handle. The damage done by such a virus is generally not very large, and you can view its file attributes directly to learn all the necessary information. If it exists in every directory on your computer, use the file search function provided by Windows.
Although it replicates everywhere, this kind of virus has only one main program file. Every copy comes from the same parent, so the file size must be identical. Open the advanced file search, enter EXE as the file type, enter the file size, and press Enter. The copies hidden in every corner of your hard disk will be exposed, and you can find the first copy that attacked your machine. Now all the copies of the virus files are in front of you. These are at least the main component of the virus that can attack you. Delete all of these files, along with the DLL files and data related to the virus. But do not go too far: leave at least one EXE as a specimen, change its extension to DAT, and pack it with RAR. We will use it later.
In addition, be very careful not to accidentally delete files that are not part of the virus. That is a fatal error! After dealing with the virus on the hard disk, do not restart the computer. Doing so may lead to a desperate result, because some viruses cannot be discovered easily. If a virus does not appear as an EXE but as another file type such as COM or RAR, the file-size search still applies; just change the extension. There is one unfortunate thing I still have to tell you: a virus whose main program file varies in size does not exist yet, but that does not mean it will not exist in the future. When that day comes, we will only be able to search by matching key data.
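The size search described above, as an added example that is not part of the original article. It goes one step further than the text: after matching on the specimen's exact size it compares SHA-256 hashes, so a same-size file that is not a copy is reported separately instead of being deleted. The function names and the sample directory tree are constructed for illustration.

```python
import hashlib
import os
import tempfile

def sha256_of(path, chunk=1 << 16):
    """Hash a file in chunks so large executables do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def find_copies(root, specimen, extensions=(".exe",)):
    """Return (confirmed, size_only): same size and hash / same size only."""
    spec = os.path.abspath(specimen)
    want_size, want_hash = os.path.getsize(spec), sha256_of(spec)
    confirmed, size_only = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if not name.lower().endswith(extensions) or os.path.abspath(path) == spec:
                continue
            try:
                if os.path.getsize(path) != want_size:
                    continue
                bucket = confirmed if sha256_of(path) == want_hash else size_only
            except OSError:
                continue  # locked or unreadable file: skip it, do not guess
            bucket.append(path)
    return sorted(confirmed), sorted(size_only)

def demo():
    """Build a constructed tree of harmless files and search it."""
    root = tempfile.mkdtemp()
    body = b"CONSTRUCTED-SAMPLE" * 100      # stands in for the main program file
    layout = {"specimen.dat": body, "a/copy1.exe": body, "b/c/COPY2.EXE": body,
              "b/innocent.exe": b"X" * len(body), "a/other.exe": b"short"}
    for rel, data in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    return root, find_copies(root, os.path.join(root, "specimen.dat"))

if __name__ == "__main__":
    root, (confirmed, size_only) = demo()
    print("confirmed copies:", confirmed)
    print("same size, different content (keep):", size_only)
```

Only the first list is safe to treat as copies of the specimen; the second list is the kind of file the warning about deleting non-virus files is about.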
2. Launch a general attack on the last position of the virus
Although the virus on the hard disk has been pulled out by the roots, more troublesome things are still waiting for us. The most terrible enemy is the one that fights stubbornly from its last position. Where is the last position of the virus? It is undoubtedly the legendary registry. Because system service information is stored in the registry, I cover services in this section as well. The first thing to do is go carefully through your service list, examine every service that has no description, and check whether it is related to the process you just ended. Users of the Chinese version of Windows have some advantage in virus detection: programmers who write viruses abroad do not understand Chinese, so they do not use Chinese descriptions to disguise their programs as system services. Therefore, pay special attention to every service described in English.
I have also seen a virus that kills a normal system process and then applies that process's name and description to itself. The disguise is really seamless; however, the path of the EXE file is completely wrong. Once the processes are safe, we can go straight to the registry. First, check the entries that run automatically at system startup to see whether there are any suspicious programs. My experience is that the system basically does not run any program from there at startup. If you really want a program to run, put it in the Startup item of the Start menu. This is not only safe but also makes virus detection much more convenient.
As a matter of fact, countless practice has shown that deleting all automatic startup entries has no adverse effect on the machine. The system itself does not place critical startup programs there; what matters most for system operation is the services. However, when you discover a virus entry, do not rush to delete the key value. First record it and check whether its corresponding program is one you have already put on file. Then copy down all possible names of the virus program, search the registry for each one, and delete every matching entry found. This operation is still risky, so we strongly recommend exporting the key before deletion as a backup. After combing through the registry, we can finally breathe a sigh of relief, because the virus and its family have probably been wiped out. After you check the process list again and confirm it is clean, restart the computer to see whether the virus attacks again.
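An added example (not from the original article) of the name search run over the exported backup instead of the live registry: it parses the text of a regedit .reg export and lists every entry that mentions a suspect name, including REG_EXPAND_SZ values, which the export stores as hex and a plain text search would miss. The export text, the key ExampleSvc and the name examplevirus.exe are constructed placeholders.

```python
import re

RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)
VALUE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

def decode(data):   # one exported value -> text that can be searched
    if len(data) >= 2 and data[0] == data[-1] == '"':
        return re.sub(r"\\(.)", r"\1", data[1:-1])      # REG_SZ: unescape \\ and \"
    m = re.match(r"hex\((2|7)\):(.*)$", data)
    if m:   # REG_EXPAND_SZ / REG_MULTI_SZ are exported as UTF-16LE byte lists
        raw = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
        return raw.decode("utf-16-le", "replace").replace("\0", " ").strip()
    return data                                          # dword etc.: keep as written

def parse_reg(text):
    """Yield (key, value_name, data) from the decoded text of a .reg export."""
    key, pending = None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):     # regedit wraps long hex values with a trailing \
            pending = line[:-1]
            continue
        pending = ""
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := VALUE.match(line)):
            name = "(Default)" if m.group(1) == "@" else decode(m.group(1))
            yield key, name, decode(m.group(2))

def find_traces(text, names):
    """Return every entry whose key, value name or data mentions a suspect name."""
    needles = [n.lower() for n in names]
    return [{"key": k, "value": v, "data": d, "run_key": bool(RUN_KEY.search(k))}
            for k, v, d in parse_reg(text)
            if any(n in f"{k}\n{v}\n{d}".lower() for n in needles)]

def _hex2(s):   # builds the constructed sample the way regedit writes REG_EXPAND_SZ
    return "hex(2):" + ",".join(f"{b:02x}" for b in (s + "\0").encode("utf-16-le"))

SAMPLE = "\n".join(["Windows Registry Editor Version 5.00", "",   # constructed text
    r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]",
    r'"Updater"="C:\\Windows\\Temp\\examplevirus.exe /s"',
    r'"Audio"="C:\\Program Files\\Vendor\\audio.exe"', "",
    r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleSvc]",
    '"ImagePath"=' + _hex2(r"%SystemRoot%\examplevirus.exe"),
])

if __name__ == "__main__":
    print(*find_traces(SAMPLE, ["examplevirus.exe"]), sep="\n")
```

A real export is UTF-16 encoded, so read it with `open(path, encoding="utf-16")` before passing the text in.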
3. Truly terrible opponent
Do you still remember the viruses mentioned earlier, the ones in the middle layer that are parasitic in browser processes or system service processes? They deserve to be called our most terrible enemy. However, once you clear the information they have hidden in the registry, most of them will no longer attach to system processes after you restart the machine, and we can then clear them using the method above. That does not sound complicated, does it? However, an even more frightening virus is still to come: one that monitors the registry while it runs. Once it finds that its registration information in the registry has been damaged, it restores it immediately, making your registry edits ineffective. For such a virus, we can only boot the machine from a clean DOS boot disk, delete its program file, then start Windows and delete its information from the registry.
Some may ask why we do not enter safe mode for virus removal. Of course, in safe mode the vast majority of unnecessary services and processes are not started. However, this is ineffective against the special viruses that drive us mad: when they find that your machine is in safe mode, they immediately launch a final attack and paralyze your machine completely. That said, ordinary users will rarely meet such a virus, even in a hundred years.