How can I check whether my computer has been hacked by Trojans?

Source: Internet
Author: User


When using a computer, you may run into the following symptoms: the computer suddenly crashes and sometimes restarts on its own; files go missing for no apparent reason; the desktop refreshes slowly; no large program is running, yet the hard disk is reading and writing heavily; the system searches the floppy drive for no clear reason; the anti-virus software and firewall raise alarms; and the system keeps getting slower. When you see this, be careful.

Respond immediately (a good habit that keeps losses to a minimum): press CTRL + ALT + DEL to bring up the task list and check which programs are running. If you find an unfamiliar program, pay closer attention to it. Generally, the programs listed in Task Manager can be closed without harming the basic operation of the system. (Note: this refers to basic operation only. Let me explain first that I obtained this result from research on the Internet.) So you can close suspicious programs and see whether the abnormal behaviour returns to normal; if it does, you can make a preliminary judgment that it is a trojan. Multiple programs with the same name running, possibly increasing in number over time, is also a suspicious sign. If you see this only after connecting to the Internet or a LAN, do not hesitate: check it by hand! (Note: some other virus may also be to blame.)

1. Update your anti-virus software to the latest version and run a full scan of the system.

2. Click "Tools" > "Folder Options" and clear the "Hide protected operating system files (recommended)" and "Hide extensions for known file types" check boxes, so that hidden system files and file extensions are shown.

3. Check the first lines of the WIN.INI file: [windows] load= run=. Programs listed here are started automatically by Windows. Take a look and compare.

4. View the lines in the SYSTEM.INI file in the Windows directory: [386Enh] device=. Listed here are the system's own drivers and drivers that were added later. Added drivers generally use full paths, such as device=c:\windows\system32\tianyangdemeng.exe (this is only an example).

5. Check "Programs" > "Startup" in the Start Menu. Programs placed here are started automatically by Windows. If there is one, it will be located under C:\Windows\Start Menu\Programs; save a copy in a safe place and then delete it. You can restore it when you need it again.

6. Enter "MSCONFIG" in "Start" > "Run" to check whether there are any suspicious startup items. You may ask: didn't you cover that already? In fact, the two methods are different. You can use both methods and compare what they show. As for anything deeper, to be honest, I don't know. Don't laugh. I hope you can come and answer it!

7. View the registry: enter "REGEDIT" in "Start" > "Run". Back up the registry before you examine it. (Make a habit of backing up a file before modifying it.) Check the RunServices and Run items under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion for suspicious programs. Check HKEY_CLASSES_ROOT\EXEFILE\SHELL\OPEN\COMMAND to see whether a trojan has associated itself with EXE files; the correct value is "%1" %*. Check HKEY_CLASSES_ROOT\INFFILE\SHELL\OPEN\COMMAND to see whether a trojan has associated itself with INF files; the correct value is %SYSTEMROOT%\SYSTEM32\NOTEPAD.EXE %1. Check HKEY_CLASSES_ROOT\TXTFILE\SHELL\OPEN\COMMAND to see whether a trojan has associated itself with TXT files; the correct value is %SYSTEMROOT%\SYSTEM32\NOTEPAD.EXE %1. Then start CMD and enter NETSTAT -AN to see whether any abnormal ports are open.

8. Executable files in Windows (.exe, .com, .dll, ...) may all be viruses planted by hackers, or virus carriers. While the system is healthy, back up these files and write them back when needed!

9. In the Windows directory, check whether there is a file named Winstart.bat. This file is an automatic batch file similar to Autoexec.bat, but it only works in Windows and cannot be used in DOS. Look closely for drivers you do not recognize, note them down, and look them up on Baidu. Generally, this automatic batch file is not used. (This can only be judged by experience.)

10. Check c:\autoexec.bat and c:\config.sys. These two files contain drivers required by the system. Check whether there are any suspicious drivers.

11. Right-click "My Computer" > Event Viewer to view the Security log and check whether it contains anything suspicious.

12. Enter NET USER in CMD to check whether there are any suspicious users. If there is a user that you did not create, use NET USER ABCD /DEL to delete it (ABCD is the user name; change it to the user you want to delete). You can also use a tool that checks for cloned user accounts, and any other tools that can help you. Some users created by hackers are invisible to ordinary methods, so pay attention to them.
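The registry checks in step 7 can be repeated over a saved registry export instead of by eye. The following Python is an added example, not code from the original article: it parses the text of a `reg export` file, lists every Run and RunServices entry, and flags EXE/INF/TXT open commands that differ from the values the article gives as correct. The function names, the `Updater` value name and the sample export are constructed for illustration.

```python
import re

# "Correct" open commands as stated in step 7 (compared case-insensitively).
NOTEPAD = r"%SYSTEMROOT%\SYSTEM32\NOTEPAD.EXE %1"
EXPECTED_OPEN = {"exefile": '"%1" %*', "inffile": NOTEPAD, "txtfile": NOTEPAD}
AUTORUN = re.compile(r"\\CurrentVersion\\(Run|RunServices)$", re.I)
ASSOC = re.compile(r"^HKEY_CLASSES_ROOT\\(\w+)\\shell\\open\\command$", re.I)

def decode_value(raw):
    """Decode a .reg value: quoted REG_SZ or hex(2) REG_EXPAND_SZ."""
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return re.sub(r"\\(.)", r"\1", raw[1:-1])
    if raw.lower().startswith("hex(2):"):
        data = bytes.fromhex(raw[7:].replace(",", ""))
        return data.decode("utf-16-le").rstrip("\x00")
    return raw  # other value types are left raw for manual review

def parse_reg(text):
    """Yield (key, name, value) from the text of a `reg export` file."""
    key = None
    text = re.sub(r"\\\r?\n[ \t]*", "", text)  # join hex continuation lines
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := re.match(r'(@|"(?:[^"\\]|\\.)*")=(.*)$', line)):
            name = "(Default)" if m.group(1) == "@" else decode_value(m.group(1))
            yield key, name, decode_value(m.group(2))

def audit(text):
    """Return (autoruns, hijacked associations) found in the export."""
    autoruns, hijacked = [], []
    for key, name, value in parse_reg(text):
        assoc = ASSOC.match(key)
        if AUTORUN.search(key):
            autoruns.append((name, value))
        elif assoc and name == "(Default)":
            want = EXPECTED_OPEN.get(assoc.group(1).lower())
            if want and value.lower() != want.lower():
                hijacked.append((assoc.group(1).lower(), value))
    return autoruns, hijacked

# Constructed sample export; the .exe path is the article's own example.
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Updater"="c:\\windows\\system32\\tianyangdemeng.exe"
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="c:\\windows\\system32\\tianyangdemeng.exe %1"
'''
```

Files written by `reg export` are UTF-16, so read them with `open(path, encoding="utf-16")` before passing the text to `audit`. Every autorun entry is returned for review rather than judged, since the article leaves that decision to the reader.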
