If a virus is detected at any one of the steps, there is no need to continue with the later ones.
I. Processes
The first thing to check is the process list. The method is simple: after the system boots, do not launch anything!
Step 1: Open Task Manager and check whether there are any suspicious processes. For processes you do not recognise, look them up on Google or Baidu.
PS: If Task Manager disappears right after it is opened, you can conclude that the machine is infected. If you get a prompt saying it has been disabled by the Administrator, be alert!
Step 2: Open a tool such as IceSword (rendered as "ice blade" in the original translation), first check whether there are any hidden processes (IceSword marks them in red), and then check whether the path of each system process is correct.
PS: If IceSword cannot run normally, you can conclude that the machine is infected; if a process is shown in red, the machine is almost certainly infected; and if a process carrying a normal system process name is running from somewhere other than its normal directory, you can also conclude that the machine is infected.
Step 3: If all processes look normal, use a tool such as Wsyscheck to check whether suspicious threads have been injected into normal processes.
PS: Wsyscheck uses different colours to mark injected and normal processes. If a process has been injected, do not panic; first determine whether the injected module is a virus, since some antivirus software also injects into processes.
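The two checks in this section (a system process name running from the wrong directory, and foreign modules loaded into a normal process) can be scripted. The following is an added example, not code from the original article or from IceSword/Wsyscheck; it assumes an elevated PowerShell prompt, and the list of system binaries and their expected directories is my own assumption (extend it as needed). Loaded-module enumeration is only a rough stand-in for a thread-injection check, and antivirus modules will legitimately appear in the output.

```powershell
# Added example (not from the original article): flag processes whose names
# match well-known Windows binaries but that are not running from the directory
# those binaries belong in, and list modules loaded into a process from outside
# %SystemRoot% as a rough approximation of the injected-module check.
# Run from an elevated prompt; Path is empty for System, Idle and protected
# processes when not elevated, which is not by itself a sign of infection.

# Assumed list of system binaries (lower case) and where they normally live.
$ExpectedSystemDir = Join-Path $env:SystemRoot 'System32'
$SystemBinaries = @('svchost', 'lsass', 'csrss', 'winlogon', 'services',
                    'smss', 'wininit', 'spoolsv', 'explorer')
# explorer.exe legitimately lives in %SystemRoot% itself, not in System32.
$Exceptions = @{ 'explorer' = $env:SystemRoot }

function Test-SystemProcessPath {
    foreach ($p in Get-Process) {
        $name = $p.Name.ToLower()
        if ($SystemBinaries -notcontains $name) { continue }
        $expected  = if ($Exceptions.ContainsKey($name)) { $Exceptions[$name] } else { $ExpectedSystemDir }
        $actualDir = if ($p.Path) { Split-Path -Parent $p.Path } else { $null }
        if (-not $actualDir) {
            [PSCustomObject]@{ Name = $p.Name; Id = $p.Id; Path = '(not readable)'; Verdict = 'rerun elevated' }
        } elseif ($actualDir -ine $expected) {
            [PSCustomObject]@{ Name = $p.Name; Id = $p.Id; Path = $p.Path; Verdict = "SUSPICIOUS: expected $expected" }
        }
    }
}

function Get-NonWindowsModules {
    param([Parameter(Mandatory)][int]$ProcessId)
    # Modules loaded from outside %SystemRoot%; antivirus hooks show up here too,
    # so each entry still has to be identified before calling it malicious.
    $proc = Get-Process -Id $ProcessId -ErrorAction Stop
    $proc.Modules |
        Where-Object { $_.FileName -notlike "$env:SystemRoot\*" } |
        Select-Object ModuleName, FileName
}

Test-SystemProcessPath | Format-Table -AutoSize
# Look at the first svchost instance as a sample target for the module check.
$sv = Get-Process -Name svchost -ErrorAction SilentlyContinue | Select-Object -First 1
if ($sv) { Get-NonWindowsModules -ProcessId $sv.Id | Format-Table -AutoSize }
```

A 32-bit PowerShell host cannot enumerate modules of 64-bit processes, so run the 64-bit host on 64-bit Windows.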
II. Self-starting items
Once the processes have been sorted out and nothing abnormal is found, check the startup items.
Step 1: Use msconfig to check whether a suspicious service exists. Click Start > Run, enter "msconfig", click "OK", switch to the Services tab, select the "Hide all Microsoft services" check box, and then confirm one by one whether the remaining services are normal (by experience, or with a search engine).
PS: If an abnormal service is found, you can conclude that the machine is infected. If msconfig cannot be started, or closes by itself after starting, you can also conclude that the machine is infected.
Step 2: Use msconfig to check whether there are any suspicious self-starting items. Switch to the "Startup" tab and check the entries one by one.
Step 3: Use Autoruns to view more detailed startup information (services, drivers, self-starting items, IE BHOs and more).
PS: This requires some experience.
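The msconfig steps above can be reproduced from the shell so that each remaining entry comes with its resolved image path ready to be looked up. The following is an added example, not code from the original article, msconfig or Autoruns; it approximates "Hide all Microsoft services" by hiding services whose image is Microsoft-signed (my own heuristic, which also hides Microsoft-signed third-party drivers), and it covers only the Run/RunOnce keys, far fewer locations than Autoruns.

```powershell
# Added example (not from the original article): list non-Microsoft services
# and the Run/RunOnce autostart entries with their executable paths.

function Get-ImagePath([string]$CommandLine) {
    # Return the executable portion of a service or Run command line,
    # handling both quoted paths and unquoted paths that contain spaces.
    if ($CommandLine -match '^\s*"([^"]+)"')   { return $Matches[1] }
    if ($CommandLine -match '^\s*(.+?\.exe)')  { return $Matches[1] }
    return $CommandLine
}

function Get-NonMicrosoftService {
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        if (-not $svc.PathName) { continue }
        $exe = Get-ImagePath $svc.PathName
        $status = '(file missing)'; $signer = $null
        if (Test-Path -LiteralPath $exe) {
            $sig    = Get-AuthenticodeSignature -LiteralPath $exe
            $status = $sig.Status
            $signer = $sig.SignerCertificate.Subject
        }
        # Heuristic stand-in for msconfig's "Hide all Microsoft services".
        if ($status -eq 'Valid' -and $signer -like '*Microsoft*') { continue }
        [PSCustomObject]@{
            Service = $svc.Name; State = $svc.State; StartMode = $svc.StartMode
            Image   = $exe;      SigStatus = $status; Signer = $signer
        }
    }
}

function Get-RunKeyEntry {
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        $props = Get-ItemProperty -Path $k
        # Skip the PS* metadata properties that Get-ItemProperty attaches.
        $names = $props.PSObject.Properties |
                 Where-Object { $_.Name -notlike 'PS*' } |
                 Select-Object -ExpandProperty Name
        foreach ($n in $names) {
            [PSCustomObject]@{ Key = $k; Entry = $n; Command = $props.$n; Image = (Get-ImagePath $props.$n) }
        }
    }
}

Get-NonMicrosoftService | Format-Table -AutoSize
Get-RunKeyEntry         | Format-Table -AutoSize
```

A service whose image is unsigned, missing, or located under a user profile or temp directory is the kind of entry the section says to look up one by one.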
III. Network Connections
ADSL users can dial in (PPPoE virtual dial-up) at this point to connect to the Internet.
Then use IceSword's network connection view directly to check whether there are any suspicious connections. For IP addresses, you can query http://www.ip138.com/ for the corresponding information, and look up the process and port on Google or Baidu.
If something abnormal is found, do not panic. Close the programs on the system that may be using the network (download managers such as Thunder, anti-virus auto-updaters, the IE browser, and so on) and look at the network connections again.
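The "close the known network programs and look again" step amounts to diffing two connection snapshots. The following is an added example, not code from the original article or from IceSword; it assumes Windows 8 / Server 2012 or later for Get-NetTCPConnection (on older systems use netstat -ano and map the PIDs by hand) and maps each connection to its owning process name and image path.

```powershell
# Added example (not from the original article): established TCP connections
# with their owning process, and a before/after comparison around closing the
# programs that legitimately use the network.

function Get-ConnectionOwner {
    $procs = @{}
    foreach ($p in Get-Process) { $procs[$p.Id] = $p }
    Get-NetTCPConnection -State Established |
        Where-Object { $_.RemoteAddress -notin @('127.0.0.1', '::1') } |   # ignore loopback
        ForEach-Object {
            $p = $procs[[int]$_.OwningProcess]
            [PSCustomObject]@{
                Local   = "$($_.LocalAddress):$($_.LocalPort)"
                Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
                Pid     = $_.OwningProcess
                Process = if ($p) { $p.Name } else { '(exited)' }
                Image   = if ($p) { $p.Path } else { $null }
            }
        } | Sort-Object Process, Remote
}

$before = Get-ConnectionOwner
$before | Format-Table -AutoSize

Read-Host 'Close download managers, updaters and browsers, then press Enter'
$after = Get-ConnectionOwner

# Connections present in both snapshots survived closing the usual suspects;
# those are the ones to look up (remote address via ip138, process via search).
Compare-Object $before $after -Property Remote, Process -IncludeEqual -ExcludeDifferent |
    Select-Object Remote, Process |
    Format-Table -AutoSize
```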
IV. Safe Mode
Restart and go directly into Safe Mode. If you cannot get into it, or you get a blue screen, be vigilant: it may be an after-effect of a virus intrusion, or the virus may not have been cleared!
V. Image Hijacking
Open the Registry Editor and navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options to check whether there are any suspicious image hijacking entries. If any suspicious entries are found, the machine may be infected.
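An image hijack is a subkey under Image File Execution Options named after an executable whose Debugger value points at another program, so checking this key means listing every subkey that carries a Debugger value. The following is an added example, not code from the original article; it assumes an elevated prompt, also covers the WOW6432Node copy of the key on 64-bit Windows, and treats the existence and signature status of the debugger binary as hints only, since debugging tools legitimately register themselves here.

```powershell
# Added example (not from the original article): report every Image File
# Execution Options subkey that sets a Debugger value, with the debugger binary
# resolved and its Authenticode status shown. Legitimate entries exist
# (developer debuggers, some security products), so each one must be verified.

$IfeoPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
) | Where-Object { Test-Path -LiteralPath $_ }

function Get-ImageHijack {
    foreach ($root in $IfeoPaths) {
        foreach ($key in Get-ChildItem -LiteralPath $root) {
            $dbg = (Get-ItemProperty -LiteralPath $key.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
            if (-not $dbg) { continue }
            $dbg = $dbg.Trim()
            if (-not $dbg) { continue }

            # Pull the executable out of the Debugger command line.
            $exe = if ($dbg -match '^"([^"]+)"')        { $Matches[1] }
                   elseif ($dbg -match '^(.+?\.exe)')   { $Matches[1] }
                   else                                 { ($dbg -split '\s+')[0] }

            # A bare name (e.g. a tool on PATH) is resolved the way the loader would.
            $resolved = if (Test-Path -LiteralPath $exe) { $exe }
                        else { (Get-Command $exe -ErrorAction SilentlyContinue).Path }

            [PSCustomObject]@{
                Target    = $key.PSChildName
                Debugger  = $dbg
                Resolved  = $resolved
                SigStatus = if ($resolved) { (Get-AuthenticodeSignature -LiteralPath $resolved).Status } else { '(not found)' }
                Hive      = $root
            }
        }
    }
}

Get-ImageHijack | Format-Table -AutoSize
```

Entries whose Target is a security tool (taskmgr.exe, msconfig.exe, regedit.exe, IceSword, antivirus executables) and whose Debugger points at an unsigned or missing binary are the ones this section is warning about.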
VI. CPU Time
If the system runs slowly after startup, you can also use CPU time as a reference for finding suspicious processes. The method is as follows:
Open Task Manager, switch to the Processes tab, click "View" in the menu, choose "Select Columns", tick "CPU Time", and then click the CPU Time column header to sort. Apart from System Idle Process and SYSTEM, look carefully at any process with a high CPU time.
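The same ranking can be produced from the shell with the image path and signature status alongside, which is usually enough to tell a heavy but known process from an unknown one. The following is an added example, not code from the original article; it excludes the Idle and System processes as the text suggests and assumes an elevated prompt so that paths and CPU figures are readable for every process.

```powershell
# Added example (not from the original article): rank processes by accumulated
# CPU time, skipping System Idle Process (PID 0) and System (PID 4), and attach
# the image path and Authenticode status of each.

function Get-TopCpuProcess {
    param([int]$Top = 10)
    Get-Process |
        Where-Object { $_.Id -ne 0 -and $_.Id -ne 4 } |      # Idle and System
        Where-Object { $null -ne $_.CPU } |                  # CPU unreadable without elevation
        Sort-Object CPU -Descending |
        Select-Object -First $Top |
        ForEach-Object {
            [PSCustomObject]@{
                Name      = $_.Name
                Id        = $_.Id
                CpuTime   = $_.TotalProcessorTime
                Path      = $_.Path
                SigStatus = if ($_.Path) { (Get-AuthenticodeSignature -LiteralPath $_.Path).Status } else { '(no path)' }
            }
        }
}

Get-TopCpuProcess -Top 15 | Format-Table -AutoSize
```

A process near the top of the list with no path, an unsigned image, or an image under a user profile or temp directory is the kind of entry the section says to treat with caution.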
For now, these methods are enough to deal with common viruses and Trojans.