Four very good ways to identify a virus file

Source: Internet
Author: User

When we run anti-virus software it often detects a lot of "viruses", and many friends take the attitude of "better to kill a thousand by mistake than let one slip away" and delete everything it detects. In fact, deleting everything is undesirable, and some infected system files cannot simply be deleted. Here I introduce a few methods for identifying virus files, which I hope will help you.

First, file time

If you feel something is wrong with the computer, run the anti-virus software; if it finds nothing, or it removes part of the virus and things still feel wrong, you can check for suspicious objects by file time.

File time is divided into the creation time and the modification time (there is also an access time, which we ignore). You can see them in the file's properties: click the file, right-click, choose Properties from the menu, and the times are shown on the General tab.

Usually the creation time and modification time of virus and Trojan files are relatively new; if you catch it early, that basically means within the last few days or the same day. C:\Windows, C:\Windows\system32 and sometimes C:\Windows\system32\drivers (on a Windows 2000 system replace Windows with Winnt) are the places where viruses and Trojans often live. Sort by time (View > Details, then click the "Date Modified" column header) and look at the files from the last few days, paying special attention to EXE and DLL files, and sometimes dat, ini and cfg files. Some normal files do have a fairly new modification time, so you cannot confirm anything at first sight; focus on the EXE and DLL files, since the latter three types are not executable files anyway. Generally speaking, system files, especially EXE and DLL files, will not have such a new modification time.

Of course, applications that have been updated or installed may also have new modification times. Compare against the creation time, and you yourself should know what software you installed and when; if you really do not know, use the search function to find folders created across the whole hard drive around that time and see whether application software was installed then. As long as the times line up, it is normal. If nothing matches, it is a virus; delete it.

To be clear, just as not all the newest files are viruses, not all viruses are new; some virus files are dated even a few years back.

Of course we have other ways to tell.

Second, file name

The file name is the first impression, and judging whether a file is suspicious by its name is the most direct method. The reason it is placed after file time is that picking suspicious candidates out of a huge number of files by name alone is really too hard; sorting by time first is easier.

As we often say, viruses love file names made of random combinations of letters (sometimes with a few numbers, less often). (I once found that some normal software has the same habit of using strange combinations, for example Yahoo Internet Assistant, whose file name is different every time, which looks suspicious; there is also a modem driver that seems to use a random combination. Fortunately the manufacturer information helps to tell them apart, which is covered in the next point.)

There is also the length of the file name. Some go far beyond the 8-character standard, with more than 10 characters; these should be classed as suspicious objects, especially when such file names show up among IE plug-ins.

Of course, just saying that a file name is odd or a random combination is no real standard; someone unfamiliar with computers might consider every English file name a strange, meaningless combination. So to really judge by file name you need some familiarity with the files under the system folders and with the regular files. At first, combine this with the other methods above to reach a joint judgement, and something can still be found.

There are also files that imitate normal file names and system file names. These are easier to identify, for example Svchost.exe and Svch0st.exe: obviously the latter is counterfeiting the former, and this is easily exposed. If you are not familiar with the system file names, open Task Manager when everything is fine and learn them.

Corresponding to file names are service names, driver names and registry startup item names. Relatively speaking, if the names of these items show no discernible meaning, it really is a virus; very few manufacturers are irresponsible enough to start their software through services, drivers or startup items with meaningless, random names. If the service, driver or startup item name is problematic, the file it points to must be problematic too.

If you really are not sure, search the Internet for the file name (sometimes including the full file path; files with the same name under different paths are not the same thing, more on that later), the service name, the driver name or the startup item name, and see what others say. Pay special attention to cases where the detected service, driver or startup item does not match the file name: if the same service name on the Internet corresponds to a different file, or the reverse, it can be classed as a suspicious object.

Third, version information

When checking the file time leaves you uncertain, add a check of the file version, which is also in the file properties: the file version and the manufacturer information. First of all, not every file has version information, not every file without version information is a virus file, and not every file that shows Microsoft information is really from Microsoft.

File name, file time and then file version: with these you can basically reach a result. For example, a strange file name that shows Microsoft manufacturer information is obviously suspicious; a file that should be a normal system file (such as Explorer.exe or Userinit.exe) but has no version information may have been replaced or damaged by a virus; and a soundman.exe whose manufacturer information is "1" can be considered for deletion, since it is not the sound card program.

Besides the manufacturer, the version information also contains the original file name; sometimes the file you are checking turns out to carry a completely different name there, which opens up a whole different picture.

Fourth, location

Viruses and Trojans like to stay in the system folders: Windows, Windows\System32, Windows\System32\drivers, as well as C:\Program Files\Internet Explorer, C:\Program Files\Internet Explorer\plugin and C:\Program Files\Common Files\Microsoft Shared, plus the temporary folders and the IE cache.

First, the temporary folders C:\Documents and Settings\<your username>\Local Settings\Temp and C:\Windows\Temp should definitely be cleared; you can delete boldly, good or bad, since deleting them loses nothing. The IE cache should also be cleared, not by deleting directly in the folder but from the IE menu Tools > Internet Options > Delete Files > Delete all offline content; it is best to set, under Advanced, that temporary files are emptied automatically when the browser closes, which is easier.

For other folders, mainly look for files that should not be there. For example, a bunch of Rising files in the Windows folder (Kaka is there), or RealPlayer files, are absolutely suspicious; likewise Svchost.exe or Ctfmon.exe suddenly appearing in Windows or another folder rather than in the system32 folder they belong in can be identified as viruses. Of course this can be combined with the methods above. Sometimes it comes down to experience: folders with relatively few files are easier to judge, and anything extra is easy to spot, such as the Windows and IE folders; once you have looked at them enough you know basically what is there, and one or two extra EXE or DLL files can be found immediately (many rogue programs make their home here).
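The four checks above (file time, file name, version information and location) can be applied together to the metadata shown in a file's properties. The script below is an added example, not part of the original article: it scores constructed file records against each rule, and the system folders, home folders and lookalike swaps it uses are assumptions chosen to match the article's examples.

```python
from datetime import datetime, timedelta

NOW = datetime(2008, 5, 10)  # constructed "today" for the sample records below
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\windows\system32\drivers"}
KNOWN_HOME = {"svchost.exe": r"c:\windows\system32", "ctfmon.exe": r"c:\windows\system32", "explorer.exe": r"c:\windows"}
LOOKALIKE = str.maketrans("015", "ols")  # digit-for-letter swaps, as in Svch0st.exe

def triage(rec, now=NOW):  # returns the reasons a record looks suspicious (empty = nothing found)
    reasons = []
    folder, _, name = rec["path"].lower().rpartition("\\")
    stem, _, ext = name.rpartition(".")
    company = rec.get("company") or ""
    in_system = folder in SYSTEM_DIRS and ext in ("exe", "dll")
    # First, file time: a freshly modified EXE/DLL in a system folder
    if in_system and now - rec["mtime"] < timedelta(days=3):
        reasons.append("recent EXE/DLL in system folder")
    # Second, file name: over-long or vowel-less (random-looking) stems, and lookalikes
    random_name = len(stem) > 10 or (len(stem) >= 5 and not any(v in stem for v in "aeiou"))
    if random_name:
        reasons.append("random-looking or over-long name")
    if name not in KNOWN_HOME and name.translate(LOOKALIKE) in KNOWN_HOME:
        reasons.append("lookalike of a system file name")
    # Third, version information: vendor string and original-filename field
    if in_system and not company:
        reasons.append("no version info on a system-folder file")
    elif company and (company.isdigit() or len(company) < 3):
        reasons.append("implausible vendor string")
    if random_name and "microsoft" in company.lower():
        reasons.append("random name claiming to be Microsoft")
    if rec.get("orig_name") and rec["orig_name"].lower() != name:
        reasons.append("original filename differs from current name")
    # Fourth, location: a known system file outside its home folder
    if name in KNOWN_HOME and folder != KNOWN_HOME[name]:
        reasons.append("system file outside its normal folder")
    return reasons

def rec(path, company, orig_name, mtime):  # helper to build constructed records
    return {"path": path, "company": company, "orig_name": orig_name, "mtime": mtime}

SAMPLES = [  # constructed records, not real observations
    rec(r"C:\Windows\system32\svchost.exe", "Microsoft Corporation", "svchost.exe", datetime(2004, 8, 4)),
    rec(r"C:\Windows\svch0st.exe", "Microsoft Corporation", "srvx.exe", NOW - timedelta(days=1)),
    rec(r"C:\Windows\system32\soundman.exe", "1", "soundman.exe", datetime(2006, 1, 3)),
    rec(r"C:\Windows\system32\hdxrtwq.dll", "Microsoft Corporation", "hdxrtwq.dll", NOW - timedelta(hours=6)),
    rec(r"C:\Windows\ctfmon.exe", "", "", datetime(2007, 3, 2)),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample["path"], "->", "; ".join(triage(sample)) or "nothing found")
```

The reasons are hints to investigate, in the spirit of the article: a file that trips several rules at once (recent, random name, claiming Microsoft) is the one to look up first.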

The same applies when combined with the registry startup items. Generally the launch entries that refer to the Windows folder are the basic input method and the sound card manager, so anything else there is more suspicious. Entries pointing under system32 are many, so look at them twice, and if you really cannot decide, use the old way: search the file name on the Internet. If you find a startup item pointing to the Fonts folder, do not think twice, there is definitely a problem.

The same is true for services and drivers that are not under System32 or drivers (what is under those folders you check as a matter of course, needless to say).

Besides folder locations there are registry locations. Apart from the few Run startup items, check Image File Execution Options (IFEO) for hijacking, and note the Debugger value. Except for the last entry, "Your Image File Name Here without a Path", which has debugger=ntsd -d, the others should not have one. Whenever you find a hijack (except for immunization, where a known virus program name is hijacked to a nonexistent file so that it cannot run), find the hijacked file, that is, the file named after Debugger; once found, delete it together with the registry key. But note that some hijacks now point not to a virus file but to a system file or command, such as Svchost.exe or ntsd -d; in that case do not delete the file, only delete the registry key.

Also note the registry entry AppInit_DLLs, which is generally empty (except that one of the security products puts its own entry there); if its value is a virus, find it by name and delete it. There is another one, Userinit, which is generally empty; many things modify it, so check whether it is still normal.

I recommend using SREng to check; it is more convenient and will automatically flag the changes above.
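The registry checks just described (IFEO Debugger values, AppInit_DLLs and Userinit) can be run over an exported .reg file without touching the live registry. This is an added example, not code from the article or from SREng: it reads a constructed export with a minimal .reg parser, skips the default IFEO sample key, and for each hijack decides whether only the key or also the target file should go. The key names and the "ntsd / svchost.exe" system-target list are assumptions matching the article's own examples.

```python
# Constructed .reg export (not from a real machine); the "Your Image File Name Here without a Path" key's ntsd -d is legitimate.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a Path]
"Debugger"="ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avscan.exe]
"Debugger"="C:\\WINDOWS\\system32\\drivers\\kqzrpt.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
"Debugger"="svchost.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\WINDOWS\\system32\\wxqtr.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\Fonts\\init.exe"
'''
NT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
IFEO = NT + r"\Image File Execution Options"
SAMPLE_KEY = "Your Image File Name Here without a Path"

def parse_reg(text):  # minimal .reg reader: {key path: {value name: string data}}, string values only
    keys, current = {}, None
    for line in text.splitlines():
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]; keys[current] = {}
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            keys[current][name.strip('"')] = data.strip('"').replace("\\\\", "\\")
    return keys

def audit(keys):
    findings = []  # (item, data, action)
    for key, values in keys.items():
        if key.startswith(IFEO + "\\") and "Debugger" in values:
            image = key.rsplit("\\", 1)[-1]
            if image == SAMPLE_KEY:
                continue  # the default entry; its ntsd -d is normal
            # hijack to a real system program or ntsd: remove only the key, not the file
            target = values["Debugger"].split()[0].rsplit("\\", 1)[-1].lower()
            action = "delete key only" if target in {"ntsd", "svchost.exe"} else "delete key and file"
            findings.append((image, values["Debugger"], action))
    appinit = keys.get(NT + r"\Windows", {}).get("AppInit_DLLs", "")
    if appinit:
        findings.append(("AppInit_DLLs", appinit, "find the named DLL and delete it"))
    userinit = keys.get(NT + r"\Winlogon", {}).get("Userinit", "")
    extra = [p for p in userinit.split(",") if p and not p.lower().endswith(r"\system32\userinit.exe")]
    if extra:
        findings.append(("Userinit", ",".join(extra), "extra program appended to Userinit"))
    return findings

if __name__ == "__main__":
    for item, data, action in audit(parse_reg(SAMPLE_REG)):
        print(f"{item}: {data} -> {action}")
```

The immunization case from the article (a hijack whose Debugger target does not exist on disk) cannot be told apart offline, so those entries are still listed and must be checked against the file system before anything is deleted.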

Conclusion:

To be honest, it is hard to pick suspicious file names out of a bunch of English names. Using the various methods together, with a tool that displays things by category, is a shortcut. In SREng, for example, the services and drivers are listed with name, file and path laid out side by side, and it becomes obvious: some names are gibberish and the file name behind them makes it very clear, while some carefully impersonate system service names, but compared against the normal ones, and even with a network search, the problem can be found (after hiding the Microsoft services the non-Microsoft ones are revealed; if a name identical or close to a system service name appears there, there must be a problem: it is not the normal service that has changed, it is an impostor that has been added).
