Telling real from fake
No virus or Trojan can run in the system without a process, and it cannot be completely separated from that process. Even when hiding techniques are used, clues remain in the process list, so viewing the active processes is the most direct way to detect viruses and Trojans. However, many processes run at the same time, and among them are both normal system processes and Trojan processes. What role does a system process that is frequently counterfeited by viruses and Trojans play, and how do we tell the two apart?
When we are sure that a virus is present but cannot find any strange process in "Task Manager", the virus has taken some hiding measures; we call this phenomenon a hidden virus. Hidden viruses commonly rely on the following tricks:
1. Hard to distinguish between true and false
We know that the normal processes in the system include svchost.exe, explorer.exe, iexplore.exe and so on. You may find that the system also has processes such as svch0st.exe or winlogin.exe. What is the difference? This is a common trick viruses use to confuse the user's eyes: they change the o in a normal process name to 0, l to I, I to j, and use the result as their own process name. The names differ by only one character, but the meaning is completely different. Names that have one character more or one character fewer are just as easy to mix up: explorer.exe and iexplore.exe are already easily confused, and a fake iexplorer.exe makes it even more confusing. If the user is not careful, such a name is simply overlooked, and the virus process escapes.
2. Same name, different file
Suppose a process is named exactly svchost.exe, no different from the normal system process. Is this process safe? Not necessarily: this trick exploits the fact that "Task Manager" cannot show which executable file a process was started from. We know that the executable file of the svchost.exe process is located in the "C:\WINDOWS\system32" directory (the "C:\WINNT\system32" directory for Windows 2003). If the virus copies itself to "C:\WINDOWS\drivers" and renames itself svchost.exe, then after it runs we see an svchost.exe in Task Manager that looks just like the normal system process. By name alone there is no way to tell which of the two svchost.exe processes is the virus.
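The two tricks above can be checked mechanically. The following added example (not code from the original article) folds the confusable characters the text lists (o/0, l/I, i/j) onto one canonical letter, flags names within one edit of a known system process, and for exact name matches checks whether the executable lives in the expected directory. The allow-list of known processes and the sample process list are constructed for the example.

```python
import ntpath

# Constructed allow-list for this example: a few Windows system processes
# and the directory their executable is expected to live in.
KNOWN = {
    "svchost.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
    "winlogon.exe": r"c:\windows\system32",
}

# The swaps the text describes (o->0, l->I, i->j) stay inside two
# confusable classes; fold each class onto one letter before comparing.
_CONFUSABLE = str.maketrans({"0": "o", "1": "l", "i": "l", "j": "l", "|": "l"})


def canonical(name: str) -> str:
    return name.lower().translate(_CONFUSABLE)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one character added or dropped."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(name: str, image_path: str) -> str:
    """Verdict for one process: 'ok', 'wrong-dir', 'lookalike' or 'unknown'."""
    lname = name.lower()
    if lname in KNOWN:
        # Same name as a system process: the remaining check is where the
        # executable really lives, which Task Manager does not show.
        image_dir = ntpath.dirname(image_path).lower().rstrip("\\")
        return "ok" if image_dir == KNOWN[lname] else "wrong-dir"
    for real in KNOWN:
        near = edit_distance(canonical(lname), canonical(real)) <= 1
        if near:  # identical after folding, or one char added/dropped/swapped
            return "lookalike"
    return "unknown"


def scan(processes):
    """Return [(name, verdict), ...] for a list of (name, image_path) pairs."""
    return [(name, classify(name, path)) for name, path in processes]
```

Feed `scan()` the (name, path) pairs from your own process enumeration; anything marked `lookalike` or `wrong-dir` deserves a closer look before it is trusted.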
There are many kinds of viruses, but if we examine the system carefully we can always find the source. Because infection routes keep changing to suit the attacker's goals, no single removal method can be fixed in advance. This makes cleanup harder, but the characteristics of the virus on your computer tell you which removal strategy to use.
Summary of virus cleanup methods
1. Clear viruses in Safe Mode or pure DOS mode
When a computer is infected, the vast majority of infections can be completely cleared in normal mode. Strictly speaking, "normal mode" here means real mode; in plain words it covers Windows running normally as well as the "MS-DOS mode" or "command prompt" started from Windows in normal mode. However, some viruses are more concealed and tricky and will attack the anti-virus software or even delete it from the system, so most anti-virus products are designed to be installed, used and run against such viruses in Safe Mode. Most popular viruses, such as worms, Trojans and webpage script viruses, can be completely cleared in Safe Mode without having to boot the anti-virus software from a floppy disk as in the past; some boot-sector viruses and file-infecting viruses, however, require anti-virus in pure DOS (we recommend booting from a clean floppy disk). In short, when a computer is infected, install the anti-virus software (upgraded to the latest virus database) in Safe Mode, or clear the virus in pure DOS!
2. Infected files inside mail files
The vast majority of anti-virus software can directly check whether the messages stored in these mail files are infected. For infected messages in the mailbox, the software can disinfect or delete them according to the user's settings. However, because these mailboxes use a compound file structure, the virus may still be detected in the mailbox after removal: the mailbox is not compacted, so the freed space is not released. In Outlook Express, select "Tools" > "Options" > "Maintenance" > "Clean Up Now" > "Compact", then remove or delete the affected messages as well.
3. Infected files in the Restore directory (*.cpy files)
This is the directory in which System Restore stores the files it has saved. It exists only on Windows Me/XP/Vista and is protected by the system. In this case, you need to turn off the "System Restore" function, delete the infected files, and if necessary delete the entire directory.
4. Infected files inside .rar, .zip, .cab and other compressed archives
Most anti-virus software can by now detect and remove viruses inside compressed files, but some special archive types, or archives protected by a password, cannot be cleaned directly. To clear a virus in a compressed file, we recommend decompressing the file first and then cleaning it, or using the anti-virus plug-in function of the compression tool to disinfect the infected archive.
5. Residual virus code in files
The most common cases are residual code left by CIH, Funlove, macro viruses (including macro viruses in Word, Excel, PowerPoint and WordPro documents) and individual webpage viruses. Anti-virus software usually reports such files with a suffix on the virus name that marks the detection as uncommon, such as "int", for example W32/FunLove.app or W32.Funlove.int. Under normal circumstances the residual code does not affect the running of normal programs and does not infect anything. If you need to remove it completely, clear it according to the actual situation; dedicated removal tools and registry edits can also be used.
6. Anti-virus for shared directories
Virus files in a locally shared directory sometimes cannot be cleared: while other users in the LAN are reading and writing these files, the scanner detects the virus but cannot clean the files directly, and if a virus on another machine is writing into these directories, the shared directory is re-infected or new virus files appear right after cleanup. In both cases, we recommend cancelling the share and then thoroughly scanning and cleaning the directory. When restoring the share, do not grant overly high permissions, and protect the shared directory with a password. When cleaning a remote shared directory (including a mapped drive), make sure that the operating system of the local computer is clean and that you have full read and write permission on the share. If the remote computer itself is infected, we recommend scanning and cleaning the virus directly on the remote computer. In particular, when removing other viruses, we recommend cancelling all local shares first and then performing the anti-virus operation. During normal use you should also pay attention to the security of shared directories: add a password, and avoid opening files in a remote shared directory directly; where necessary, copy the data to the local computer and check it for viruses before using it.