I think there may be problems in the article. I hope you can give me more advice. I will update the article before the Spring Festival and publish the full version. There are some processes, services, and other things that need experience to be explained. They are all for beginners and people who want to learn. I hope these experiences can help you; you can communicate with me in the forum or send emails. Thank you.
To answer this question: no matter what the virus is, paste the log first so that everyone can see what is going on in your computer; only then can the right remedy be applied to your problem.
Manually detect unknown viruses
Recently, virus writers have not been able to sit still and have released new viruses. At the end of the year, "Panda Burning Incense", last year's "Weijin" (Viking) and other large worms caused me a lot of trouble. How should we deal with these viruses? We need to strengthen our anti-virus awareness. Although anti-virus software does very well now, its updates still cannot keep up with some viruses. This requires us to be able to detect unknown viruses manually.
Speaking of detecting unknown viruses, this may seem very difficult to new users. This article will help you fully understand the virus detection and removal process; add your own effort in learning and practice, and you can achieve manual anti-virus on your own. Enough preamble. Let's take a look at how to detect unknown viruses.
1. Comprehensive scan of the computer
For new users, it is very difficult to check the computer manually, because you would have to open the registry and check the items one by one. So we will use a simpler method: the SRE software (SRE is short for System Repair Engineer). After opening the software, click "Intelligent Scan" on the left side of the window, then click "Scan" to perform a comprehensive scan of the computer.
For new users who do not want to analyze the logs themselves, paste the log on the Forum and someone will help you solve the problem.
2. Analyze the scan log
This is the most critical step. Many new users choose to post their logs on the Forum so that experienced experts can analyze them. This saves time and effort. However, if you learn to analyze logs yourself, more people can help new users, and the workload of the moderators and Forum experts is reduced. Analyzing logs is difficult because it requires continually accumulating experience. Here we will only introduce simple methods (if there are better methods, we hope to discuss them through the forum or by email).
1. Understand the log
An SRE log covers, in order, the registry startup items, startup folders, services, drivers, browser add-ons, processes, file associations, Winsock providers, autorun.inf, the HOSTS file, and API hooks. I will focus on the items most frequently used for detection.
2. View processes
What are processes? Check whether there are processes other than the system's basic processes and the processes generated by installed software. Note the process paths, which for the basic processes are files under C:\Windows and C:\Windows\system32. Some new users may not know which processes belong to the system and which come from installed software; this is where experience is needed.
The DLLs loaded by system processes need to be analyzed in detail, because many Trojan horses use this method; they are worked out in the following three steps.
3. Check the startup items (including registry startup items, startup folders, services, and drivers)
After looking at the processes and getting some idea of the suspicious files, you can move on to the startup items. The SRE log is very suitable for beginners, because it hides the startup items signed by Microsoft in the service and driver areas. Services and drivers require experience before they can be touched; I will introduce them one item at a time later.
4. Comparison
Compare all suspicious startup items against all suspicious processes to see whether they match one to one. If they do not, look into the discrepancy and investigate further: check whether the virus is not running, is being protected, or whether other viruses exist. Of course, that is not the only possible reason; you also need to accumulate experience. Practice is fundamental.
5. View other items
The first thing to look at is the autorun.inf item. If one disk has this file, or every disk has it, it indicates that your computer has a virus. There are many ways to handle this; here we introduce several. Of course, first make sure that no virus is running in the system.
Method 1: Use WinRAR. Open the infected disk in WinRAR and delete the corresponding files. Note: the computer will not be infected this way; convenient and practical.
Method 2: Use Windows Explorer. Select the infected drive letter on the left of Explorer and, with hidden files and system files shown, delete the corresponding files on the right. Note: there is a risk of virus infection.
Method 3: Use a command prompt. This method uses DOS commands. The commands are as follows:
attrib -s -h -r -a X:\autorun.inf
attrib -s -h -r -a X:\<corresponding startup file (EXE or PIF)>
del X:\autorun.inf
del X:\<corresponding startup file (EXE or PIF)>
X is the infected drive letter.
These commands delete the files completely. You need to know how to use DOS commands and CMD.
Method 4: Use IceSword. After opening IceSword, click "File" at the bottom; the rest is handled as in Windows Explorer. Note: the deletion is complete; recommended for new users.
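Method 3 asks you to delete the "corresponding startup file", which you have to read out of autorun.inf yourself. As an added example (not code from the article), the parser below extracts every program an autorun.inf would launch (open=, shellexecute= and shell\<verb>\command= inside the [autorun] section) and expands the article's attrib/del sequence into concrete commands for review. The sample autorun.inf and the RECYCLER\EXAMPLE_start.pif name are constructed placeholders.

```python
import re
import shlex

# Constructed sample autorun.inf following the pattern the article describes:
# a hidden startup file launched whenever the drive is opened. The file name
# is a placeholder, not a real sample.
SAMPLE_AUTORUN = r"""
[AutoRun]
open=RECYCLER\EXAMPLE_start.pif
shellexecute=RECYCLER\EXAMPLE_start.pif
shell\open\Command=RECYCLER\EXAMPLE_start.pif
shell\explore\Command=RECYCLER\EXAMPLE_start.pif
icon=%SystemRoot%\system32\SHELL32.dll,4
"""

LAUNCH_KEYS = ("open", "shellexecute")
VERB_COMMAND = re.compile(r"shell\\[^\\]+\\command")


def referenced_startup_files(text):
    r"""Return the distinct programs an autorun.inf would launch: the values
    of open=, shellexecute= and shell\<verb>\command= inside [autorun].
    Other sections, comment lines (;) and unrelated keys are ignored."""
    files, seen, in_autorun = [], set(), False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        key = key.lower()
        if key in LAUNCH_KEYS or VERB_COMMAND.fullmatch(key):
            tokens = shlex.split(value, posix=False)  # keep program, drop args
            if tokens:
                target = tokens[0].strip('"')
                if target.lower() not in seen:
                    seen.add(target.lower())
                    files.append(target)
    return files


def cleanup_commands(drive, text):
    """Expand the article's attrib/del sequence for drive X: into concrete
    commands covering autorun.inf and every program it references. Returned
    as strings for review; nothing is executed here."""
    targets = ["autorun.inf"] + referenced_startup_files(text)
    paths = [f"{drive}:\\{t}" for t in targets]
    return [f"attrib -s -h -r -a {p}" for p in paths] + [f"del {p}" for p in paths]


if __name__ == "__main__":
    print("launched by autorun.inf:", referenced_startup_files(SAMPLE_AUTORUN))
    print("\n".join(cleanup_commands("X", SAMPLE_AUTORUN)))
```

Run it against the real file with `referenced_startup_files(open(r"X:\autorun.inf", errors="replace").read())`, and read the list before deleting anything: the article's precondition that no virus is running still applies, and a launched file that is also a running process points back to step 4.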
The second thing to look at is the HOSTS file. Here the file is examined line by line. What is written at the front of each line is the IP address that the URL (hostname) on that line resolves to. If all the IP addresses are the same, or they differ from the addresses other computers resolve, there is a problem; the most telling sign is that they are all identical or all 127.0.0.1. The solution is very simple: use Notepad to open the hosts file, whose path is C:\WINDOWS\system32\drivers\etc. It is best to delete the file after the virus has been removed.
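The two HOSTS rules above (names pointed at 127.0.0.1, and many names sharing one address) can be checked automatically. This is an added example, not code from the article: it parses hosts-file text and flags the lines those rules would call suspicious. The sample file is constructed (the `.test` domains are reserved example names), and the threshold of three names per address is an assumption.

```python
import ipaddress
from collections import Counter

# Constructed sample HOSTS file (not from a real machine). The entries after
# localhost imitate the pattern the article describes: update and vendor
# sites pointed at 127.0.0.1 or all at one identical address.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       update.example-av.test
127.0.0.1       www.example-av.test
127.0.0.1       download.example-security.test   # trailing comment
203.0.113.7     www.example-update.test
203.0.113.7     www.example-vendor.test
203.0.113.7     www.example-portal.test
"""


def parse_hosts(text):
    """Return (ip, hostname) pairs; comments, blank and malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not an address: ignore rather than guess
        entries.extend((str(ip), name.lower()) for name in parts[1:])
    return entries


def suspicious_hosts_entries(text, min_shared=3):
    """Flag lines by the article's two rules: a name other than localhost
    mapped to a loopback address, or one non-loopback address shared by
    min_shared or more names. Returns (ip, name, reason) tuples."""
    entries = parse_hosts(text)
    names_per_ip = Counter(ip for ip, _ in entries)
    flagged = []
    for ip, name in entries:
        if ipaddress.ip_address(ip).is_loopback:
            if name not in ("localhost", "localhost.localdomain"):
                flagged.append((ip, name, "non-localhost name mapped to loopback"))
        elif names_per_ip[ip] >= min_shared:
            flagged.append((ip, name, f"address shared by {names_per_ip[ip]} names"))
    return flagged


if __name__ == "__main__":
    for ip, name, reason in suspicious_hosts_entries(SAMPLE_HOSTS):
        print(f"{ip:16} {name:36} {reason}")
```

On the affected machine, pass in the contents of C:\WINDOWS\system32\drivers\etc\hosts (the path the article gives). Hijacked entries of this kind typically target anti-virus update sites, which is why the article says to clean the file only after the virus itself is gone.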
3. Process all suspicious files (clear virus files)
This is the most critical step: this is where the virus is actually deleted. I was very angry when I saw people on the Forum deleting items with a log-scanning program such as SRE, because such a program cannot completely solve the problem. Let me explain why. First, if the virus is running, it periodically checks whether its startup item has been modified. After you delete the item with SRE, the virus detects this immediately and adds it back, so when the system restarts it returns again. There is a way around this: do it in safe mode. But some viruses still run in safe mode, as explained next. Second, many viruses choose to start through Winlogon, through an initialization DLL, or as a driver. The common feature of these three start methods is that the virus also runs in safe mode, so SRE has no effect on it. Then how should we handle it? The most reliable method is to use IceSword.
Of course, IceSword is not all-powerful. There is now a virus that terminates the IceSword process. What will happen in the future? Hacker Line once published an article dedicated to an IceSword vulnerability; by taking advantage of that vulnerability, a virus can terminate IceSword.
So much for that. Let's look at the specific solution. IceSword needs a preparation step before virus removal: click "Settings" under the "File" menu at the top and select "Prohibit thread creation". Then you can do the following.
Deletion methods:
In the first case, there is a real EXE process. After opening IceSword, click "Process" and end the suspicious process; with thread creation prohibited, the process will not be recreated. According to the comparison result above, if the startup item is in the registry, open the registry inside IceSword and make the change directly. Note that the <> item must be double-clicked to open the edit box and then cleared; for other items, find the corresponding key value and delete it. If it is started as a service, go to "Services" in IceSword, right-click the service and choose "Disabled" from the shortcut menu. If it is started as a driver, open the registry and go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services to delete the service. You can also use SRE to delete the service. Finally, use IceSword to forcibly delete the file, and the removal is finished.
In the second case, there is no definite EXE process. Nowadays many Trojans prefer DLL injection, such as the Jianghu Trojan and the Journey Trojan. The startup item corresponding to these Trojans is an EXE file, but what ultimately does the work is a DLL injected into a process. Finding this DLL also takes experience. To delete the virus, you must first deal with the EXE file: open IceSword, go to the corresponding startup item and, as in the first case, delete the startup item first. Then force-delete the corresponding file, and finally force-delete the DLL file; the removal is complete after a restart. If the corresponding DLL cannot be found, that is also acceptable: the DLL becomes system junk, left where it is and no longer playing any role.
The third case is the hardest to handle: anti-virus software reports a virus, but no trace of it can be found in the log. Here you must first start IceSword and search thoroughly in the processes, kernel modules, startup group, and services (the problem is explained later). If it still cannot be found, this is the case. Deletion in this case is complicated. Use IceSword to forcibly delete the corresponding file (this step is not needed if the anti-virus software deleted it successfully), open My Computer, find the corresponding location, and create a folder with the same name (including the extension); this way the virus file cannot be recreated. Then use the file-monitoring tool Filemon to monitor: while monitoring, run your installed programs one by one and check which program creates the file you deleted with IceSword or the anti-virus software. Once you find it, delete all of that program's files and reinstall it.
Registry startup items
In SRE, the registry startup items include Winlogon startup, normal registry startup, and so on. The following is based only on the log of a fresh Windows XP SP2 installation in my virtual machine; of course, since every system (pirated or genuine) is different, scan results will not be identical, and the rest requires your experience.
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
[(Verified) Microsoft Corporation] (enable input method)
Super Rabbit, MSN Messenger, etc. start through this item.
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<> [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<"C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32> [(Verified) Microsoft Corporation] (soft input method startup item)
[(Verified) Microsoft Corporation] (Microsoft input method startup item)
[(Verified) Microsoft Corporation] (Microsoft input method startup item)
Baofeng Storm Player, NVIDIA graphics card, sound card, Super Decoder, Rising Antivirus, Rising Personal Firewall, Kaka Net Assistant, Kingsoft AntiVirus (Duba), Jiangmin Antivirus, eMule, Kingsoft PowerWord, Nero, the Real series, codoy, etc. start through this item.
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
[(Verified) Microsoft Corporation]
[(Verified) Microsoft Corporation] (Winlogon startup item; if there is anything after the comma, it is 90% a virus)
[(Verified) Microsoft Corporation]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<> [N/A] (Initialization