How to tell if your computer contains viruses _ Surfing the Internet

A variety of viruses today can be regarded as a blossoming, make a panic, once found that their computer is a bit abnormal to identify the virus in the mischief, everywhere looking for anti-virus software, a no, and then one, in short, it seems not to find "culprit" just like, the result of virus software is used one after another Perhaps for this the renminbi is used one after another, or not see the "culprit" traces, in fact this is not necessarily the virus in mischief.

Such examples are not uncommon, especially for some novice computer users. Below I combine personal computer use and enterprise network maintenance of anti-virus experience from the following aspects to introduce how to determine whether the virus, I hope to help identify "real poison" has some help!

　　 the differences and connections between viruses and hardware and software failures

Computer failure is not only because of the virus will have, the use of personal computers in the process of a variety of fault phenomenon is due to the computer itself, hardware and software failures caused by the network is due to the permissions set. Only when we fully understand the difference and the relationship between the two can we make the correct judgment and discover it in time when the real virus comes. I'll briefly list some common computer failure symptoms caused by viruses and hardware and software failures.

　　 Possibility of the intrusion of symptom viruses soft, hardware failure

　　 often freezes: Viruses open many files or occupy a large amount of memory, instability (such as poor memory quality, bad hardware overclocking performance); Large-capacity software consumes a large amount of memory and disk space, some test software (with many bugs), hard disk space, etc. When running software on the network, it may be because the network is too slow, the program running is too large, or your workstation hardware configuration is too low.

　　 system failed to start: The virus modified the boot information on the hard drive, or deleted some boot files. If the boot virus boot file is corrupted, the hard drive is damaged or the parameter is set incorrectly, and the system files are accidentally deleted.

　　 The file won't open .: The virus modifies the file format; The virus modifies the file link location. file damage; the hard drive is damaged; the link location for the file shortcut has changed; the software that edited the file has been deleted, and if it is in the LAN, it has changed the location of the file in the server and the workstation did not rinse the contents of the new service in time (the resource manager has been open for a long time

　　 often reporting insufficient memory: Viruses illegally occupy a large amount of memory, open a large number of software, run the memory resources of the software, the system is not configured correctly, the memory is not enough (the current basic memory requirements of 128M) and so on.

　　 tip Hard disk space is not enough: Virus replication of a large number of virus files (this encountered several cases, sometimes good near 10G hard disk installed a WIN98 or WINNT4.0 system said there is no space, a software installation prompts the hard disk space is not enough. Hard disk each partition capacity is too small, installed a large number of large-capacity software; All software is centrally installed in a partition, the hard disk itself is small, if the system administrator in the LAN for each user set the workstation user's "private disk" to use the space limit, because view the entire network disk size, in fact, "private disk" The capacity has been exhausted.

　　 Read and write signal when the floppy disk and other devices are not accessed: Virus infection; The floppy disk was removed and opened files that had been opened in the floppy disk.

　　 There are a lot of dubious documents.: Virus copy files, may be temporary files generated in some software installation, or some software configuration information and running records.

　　 Start black screen: Viral infection (the deepest memory is 4.26 in 98, I paid a good price for the cih thousands of yuan, the day I first boot to the Windows screen on the crash, the second time the boot on nothing at all; monitor failure, display card failure, motherboard failure, overclocking excessive, CPU corruption, etc.

　　 Data Loss: The virus deleted the file, the hard disk sector is damaged, the original file is overwritten by the recovery file, and if it is a file on the network, it may be mistakenly deleted by another user.

　　 The keyboard or mouse is locked to death: Virus mischief, especially to pay attention to "Trojan"; keyboard or mouse damage, the keyboard or mouse interface on the motherboard is damaged, running a keyboard or mouse lock program, the program is too large, long time system is busy, showing the keyboard or mouse does not work.

　　 The system is running at a slow speed: Viruses occupy the memory and CPU resources, running a large number of illegal operations in the background; Low hardware configuration, open programs too many or too large, system configuration is not correct, if you are running a program on the network mostly due to the low configuration of your machine, it is also possible that the network is busy at this time, many users open a program at the same time Another possibility is that your hard disk space is not enough to use for temporary exchange of data when running the program.

　　 system performs actions automatically: Viruses perform illegal operations in the background; the user sets up automatic running of programs in the registry or startup group, and some software needs to automatically restart the system after installation or upgrade.

Through the analysis of the above comparison, we know that most of the fault may be due to man-made or soft and hardware failure, when we found that the exception do not rush to assert, in the case of anti-virus can not be resolved, we should carefully analyze the characteristics of the fault, the elimination of soft, hardware and man-made possibilities.

　　 The classification of viruses and their characteristics

　　To really identify the virus, timely killing the virus, we also need to have a more detailed understanding of the virus, and the more detailed the better!

Because the virus is written by many dispersed individuals or organizations, and there is no standard to measure and divide, the virus classification can be divided roughly according to several angles.

　　 the virus can be divided into the following categories, such as by the infected object:

　　A, guided virus

　　The object of this type of virus attack is the boot sector of the disk, this will enable the system to obtain priority in the implementation of the right to control the entire system, such viruses because the infection is the boot sector, so the loss is relatively large, in general will cause the system can not start normally, but the killing of such viruses is also easier, Most anti-virus software can kill this kind of virus, such as KV300, killing series and so on.

b, file-type virus

These early viruses are generally infected with EXE, COM, and so on as extensions of executable files, so that when you execute an executable file, the virus program will be activated. Recently, some viruses have been infected with DLLs, OVL, SYS, and other files with extensions, because these files are usually the configuration of a program, linked files, so the virus will automatically be loaded when a program is executed. They are loaded by inserting a whole paragraph of the virus code or by scattering it into the blank bytes of these files, such as the CIH virus that splits itself into 9 segments embedded into the PE structure of the executable file, after the infection usually the number of bytes of the file does not increase, which is its hidden side.

C, network-type virus

The virus is the result of the rapid development of the network in recent years, infected objects are no longer limited to a single model and a single executable file, but more comprehensive, more covert. Some network viruses can now almost infect all Office files, such as Word, EXCEL, e-mail, and so on. Its attack mode also has the transformation, from the original deletion, modifies the file to now carries on the file to encrypt, steals the user useful information (for example hacker program) and so on, the transmission way also took place the qualitative leap, no longer limits the disk, but through the more covert network carries on, like the electronic mail,

D, Complex virus

Classify it as a "compound virus", because they also have some characteristics of "boot type" and "File type" virus, they can infect the disk's boot sector file, or can infect an executable file, if this kind of virus does not have a thorough removal, then the residual virus can recover itself, Also can cause the boot sector file and executable file infection, so this kind of virus killing difficult, the use of anti-virus software to both kill two kinds of virus function.

　　 The above is according to the target of virus infection, if according to the degree of damage to the virus, we can divide the virus into the following several：

　　A, benign virus

　　These viruses call them benign viruses because they are not meant to destroy your system, they just want to play, and most of the primary virus enthusiasts want to test their own development of the virus program level. They don't want to break your system, just make some kind of sound, or some hint that there's no harm in the other than taking up a certain amount of hard disk space and CPU processing time. such as some Trojan virus program is also the case, just want to steal some of your computer communication information, such as passwords, IP addresses, etc., in case of need.

b, malignant virus

We have only to the software system to cause interference, theft of information, modify system information, will not cause hardware damage, data loss and other serious consequences of the virus attributed to the "vicious virus", this type of virus intrusion system in addition to not normal use, there is no other loss, the system after the damage generally only need to reload a part of the system files can be restored And, of course, kill the virus and reload the system.

C, extremely malignant virus

This type of virus is much more damaging than the type B virus, in general, if it is infected with this type of virus your system will be completely broken down, can not start normally, you will be left on the hard disk of useful data can not be obtained, the lighter is just delete system files and applications.

D, catastrophic virus

This kind of virus from its name we can know it will bring us the degree of destruction, this kind of virus is usually destroys the disk the boot sector file, modifies the file allocation table and the hard disk partition table, causes the system not to be able to start at all, sometimes may even format or lock down your hard drive, causes you to be unable to use the hard disk. If, once infected with this type of virus, your system is very difficult to recover, the data kept on the hard disk is very difficult to obtain, the loss is very large, so we should be the worst of the evolution of the plan, especially for enterprise users, should be full of catastrophic backup, Fortunately, most large enterprises now recognize the significance of backup, spend a lot of money on the daily system and data backup, although we all know that perhaps a few years may not encounter such disastrous consequences, but still relax the "in case". That's the way I live in Nestle, and it's a matter of great importance. such as 98 years 4.26 attack CIH virus can be classified as this class, because it not only damage the software, more directly to the hard disk, motherboard BIOS and other hardware damage.

　　 such as in the manner of their intrusion into the following categories:

A, source code embedded attack type

From its name we know that this kind of virus intrusion is mainly in the high-level language source program, the virus is in the source program before compiling the virus code, and finally with the source program is compiled into an executable file, so just generated file is a poison file. Of course, this kind of file is very few, because these virus developers can not easily get those software development company before compiling the source program, moreover this kind of intrusion way difficult, need very professional programming level.

B, Code substitution attack type

This kind of virus mainly uses its own virus code to replace an intrusion program whole or partial module, this kind of virus is also rare, it is mainly attacks the specific procedure, the pertinence is stronger, but is not easy to be discovered, clears up also more difficult.

C, System modification type

This type of virus is mainly using its own program to overwrite or modify some files in the system to achieve the call or replace some of the functions of the operating system, because it is a direct infection system, more harmful, is also the most common type of virus, mostly file-type virus.

D, Shell additional type

This type of virus usually attaches its virus to the head or tail of the normal program, which is equivalent to adding a shell to the program, and when the infected program executes, the virus code is executed before the normal program is transferred into memory. Most file-type viruses now fall into this category.

With some basic knowledge of the virus, we can now check your computer for viruses, and know that we can judge them in the following ways.

1, anti-virus software scanning method

This is probably our most preferred friend, I am afraid is the only choice, now more and more virus species, concealment means more and more sophisticated, so to kill the virus has brought new difficulties, but also to anti-virus software developers to bring challenges. However, with the technical improvement of computer programming language and the more and more popular computer network, the development and spread of virus is becoming more and more easy, so anti-virus software development company is more and more. But at present more well-known or so several systems anti-virus software, such as Jinshan poison PA, KV300, KILL, Pc-cillin, VRV, Rising, Norton and so on. As for the use of anti-virus software in this will not have to say, I believe we all have this level!

2. Observation method

This method can be accurately observed only in the understanding of the symptoms of some viral seizures and the place where they are often housed. such as hard disk boot often occurs when the panic, the system boot time is longer, the speed is very slow, cannot access the hard disk, appears the special sound or the prompt and so on above in the first big point appears the breakdown, we first must consider is the virus in the mischief, but also cannot a Dong Ying pan go to the end, above I did not speak the soft, Hardware failure also may appear those symptoms! In the case of viruses, we can observe from the following aspects:

A, Memory observation

This method is commonly used for viruses found in DOS, we can use the "mem/c/p" command under DOS to view the memory of each program, found that the virus occupied memory (generally not alone, but attached to other programs), some viruses occupy memory is also relatively covert, with "mem/c/p "We can't find it, but we can see that the total basic memory 640K is less than 1k or a few K."

b, Registration Form observation method

Such methods are generally applicable to the recent emergence of the so-called hacker programs, such as Trojans, these viruses are generally through the registry to modify the startup, load configuration to achieve automatic start or load, generally in the following several places to achieve:

[Hkey_current_usersoftwaremicrosoftwindowscurrentversion

And so on, specific reference to my another article-"All through the Trojan Horse", in which the registry may appear in a more detailed analysis of the place.

C, System configuration file observation method

Such methods are generally applicable to hacker programs, such viruses are generally hidden in System.ini, Wini.ini (Win9x/winme) and startup groups, in the System.ini file has a "shell=" item, and in the Wini.ini file has " Load= "," run= ", these viruses are generally in these projects to load their own programs, note that sometimes it is to modify the original program. We can run the Msconfig.exe program in Win9x/winme to see one item. Specific can also refer to my "all through the look of the Trojan" a article.

D, feature string observation method

This approach is mainly targeted at some of the more specific viruses, these viruses will write the corresponding characteristics of the code, such as the CIH virus will be in the intrusion file to write "CIH" such a string, of course, we cannot easily find that we can be on the main system files (such as Explorer.exe) Using the 16 code editor to edit can be found, of course, before editing the best to back up, after all, the main system files.

E, hard disk space observation method

Some viruses don't damage your system files, but only to generate a hidden file, this file generally very little, but the space is very large hard disk, sometimes large to make your hard drive can not run the general program, but you look and see it, then we will open the resource manager, You then set the content properties you view to a file that can view all of the properties (does this not need me?) , it is believed that this leviathan will come to the visible, because the virus generally set it to hide properties. To delete it, this example in My Computer network maintenance and repair of personal computers to see a few examples, obviously only installed a few common programs, why in the C disk a few g of the hard disk space display is not, after the above method can quickly let the virus visible.