How to use a few small tools to quickly determine whether a computer is infected


In this age of online payments, the thing people fear most is a computer virus. Not long ago, running a machine "naked", with no antivirus software installed at all, was fairly common; today very few people dare to, for fear that the money in their online banking account will be stolen by some hacker. This is a beginner's guide to quickly judging whether your computer has been infected.


Before discussing how to tell whether a computer is infected, let's go over some common characteristics of viruses.


1. Every program running on the computer shows up as a process. A virus's process name is usually somewhat strange: either a string of random characters, or a name disguised to look like a system process. For example, svchost.exe is a genuine system process, and many viruses name themselves Scvhost.exe (two letters transposed) to pass as it.

2. To make sure it keeps running, a virus will usually add itself to the programs that start automatically at boot. This is covered in the Autoruns section below.

3. Self-replication. This is the typical characteristic of a worm: to survive later cleanup and to infect other machines, the virus copies itself and runs the copies automatically.

4. Downloading other programs, or opening a listening port on the local machine.

5. More advanced viruses hide themselves with rootkit techniques, concealing their registry entries, processes and files.


Now let's introduce the tools. :)

1. Process Explorer

Download: https://technet.microsoft.com/en-us/sysinternals/bb896653/

Process Explorer is a process viewer released by Microsoft (part of the Sysinternals suite). It shows the current system's process tree and, for each process, the image file it was started from and the DLLs and handles it holds.

[Figure: pe.jpg, Process Explorer showing a normal Windows XP process list]

This is an example of a normal process list on Windows XP. I had Wireshark open here, so wireshark.exe appears in the list. The column worth focusing on is "Company Name". Virus authors often neglect this detail. Microsoft's own processes, for example, carry the company name "Microsoft Corporation"; a virus may instead show "Microsoft Corp." or "Microsoft Corporation, Inc.". Treat any process with such a near-miss name with suspicion. Note that this string is read from the file's version resource and can be set to anything by whoever built the binary, so also turn on Options > Verify Image Signatures and add the "Verified Signer" column: a file that claims to be from Microsoft but is not signed by Microsoft is far more telling than a typo.


Now an example of a virus program.

[Figure: Mal3.jpg, Process Explorer with a malicious process in the list]

In this example we see a process called Malware3.exe. The most suspicious thing about it is that both the Description and Company Name columns are empty. Many virus authors neglect these details. When you see clues like this, the process usually deserves deeper analysis: open its Properties in Process Explorer to see the image path, and submit the file to VirusTotal (covered below).
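The two checks just described (a name that is one transposition away from a real system process, and a vendor string that is almost but not quite "Microsoft Corporation") are easy to automate over a process listing. The following is an added example, not code from the original post: the process list is constructed by hand to mirror the screenshots above, and KNOWN_SYSTEM_PROCESSES is a small hand-written subset of Windows system binaries, not an exhaustive table.

```python
"""Triage a Process Explorer-style process listing for the look-alike names,
near-miss vendor strings and empty metadata discussed above.

Added example, not code from the original post. The process list is
constructed by hand, and KNOWN_SYSTEM_PROCESSES is a small hand-written
subset of Windows system binaries, not an exhaustive table."""
from dataclasses import dataclass
from typing import Dict, List

# Hypothetical table: system process name -> directory it normally runs from.
KNOWN_SYSTEM_PROCESSES = {
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "smss.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}
MICROSOFT = "microsoft corporation"  # exact string in genuine Microsoft binaries


@dataclass
class Proc:
    name: str
    path: str
    company: str = ""
    description: str = ""


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: edits plus adjacent transpositions,
    so 'scvhost' is 1 away from 'svchost' (plain Levenshtein would say 2)."""
    a, b = a.lower(), b.lower()
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def triage(procs: List[Proc]) -> Dict[str, List[str]]:
    """Return {process name: [reasons]} for every process that trips a heuristic."""
    findings: Dict[str, List[str]] = {}
    for p in procs:
        reasons = []
        name = p.name.lower()
        directory = p.path.lower().rsplit("\\", 1)[0]
        if name in KNOWN_SYSTEM_PROCESSES:
            # Right name, wrong place: a genuine lsass.exe never runs from Temp.
            if directory != KNOWN_SYSTEM_PROCESSES[name]:
                reasons.append(f"system process name running from {directory}")
        else:
            for known in KNOWN_SYSTEM_PROCESSES:
                if osa_distance(name, known) <= 1:
                    reasons.append(f"name imitates {known}")
        company = p.company.strip().lower()
        if not company or not p.description.strip():
            reasons.append("empty company/description")
        elif "microsoft" in company and company != MICROSOFT:
            # "Microsoft Corp.", "Microsoft Corporation, Inc." and friends.
            reasons.append(f"vendor string imitates Microsoft: {p.company!r}")
        if reasons:
            findings[p.name] = reasons
    return findings


# Constructed sample in Process Explorer's Name / Path / Company Name / Description layout.
SAMPLE = [
    Proc("svchost.exe", r"C:\WINDOWS\system32\svchost.exe", "Microsoft Corporation",
         "Generic Host Process for Win32 Services"),
    Proc("Scvhost.exe", r"C:\WINDOWS\system32\Scvhost.exe", "Microsoft Corp.",
         "Generic Host Process for Win32 Services"),
    Proc("wireshark.exe", r"C:\Program Files\Wireshark\wireshark.exe",
         "The Wireshark developer community", "Wireshark"),
    Proc("Malware3.exe", r"C:\Documents and Settings\user\Malware3.exe"),
    Proc("lsass.exe", r"C:\WINDOWS\Temp\lsass.exe", "Microsoft Corporation", "LSA Shell"),
]

if __name__ == "__main__":
    for proc_name, why in triage(SAMPLE).items():
        print(proc_name, "->", "; ".join(why))
```

The transposition-aware distance matters: "Scvhost.exe" is a single swap away from svchost.exe, which is exactly the disguise the text describes, while ordinary edit distance would put it two edits away and on a par with harmless near-misses. The "right name, wrong directory" rule catches the other common trick, a genuine-looking name running from a user or temp folder, which the Company Name column alone will not reveal.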


2. Autoruns

Download: https://technet.microsoft.com/en-us/sysinternals/bb963902

Autoruns is another official Microsoft (Sysinternals) tool. As mentioned above, a virus that wants to keep running will usually add itself to the programs started automatically at boot. Windows has a great many autostart locations; the registry alone holds dozens of them. Searching them all by hand is an enormous job, and this is where Autoruns is the right choice: it enumerates every autostart location (Run keys, services, drivers, scheduled tasks, Winlogon entries and so on) in one list.

[Figure: Qq20150926222954.jpg, Autoruns listing an unfamiliar autostart entry]

If you find an autostart entry for a program you don't recognize, even one located in the system directory, search the file name on Google for clues; it is most likely not a system program. It also helps to enable Options > Verify Code Signatures and Options > Hide Microsoft Entries: what remains is a much shorter list of unsigned or third-party entries to inspect.


3. VirusTotal

Web address: https://www.virustotal.com/

This site scans an uploaded file sample with dozens of antivirus engines and reports which of them detect it as a virus; you can also search by the file's hash value instead of uploading it. Take the suspicious program just mentioned: in Autoruns we saw that its path is C:\WINDOWS\SYSTEM32\SVCHOST.SCR. Two things already stand out: the name imitates svchost.exe, and a .scr "screensaver" is simply an ordinary executable with a different extension. We can submit it to VirusTotal for a verdict. (If a file might contain confidential data, look it up by hash first; anything you upload is shared with the participating vendors.)

[Figure: Qq20150926230141.jpg, VirusTotal report for SVCHOST.SCR]

You can see that the vast majority of antivirus vendors classify the file as malware, which settles it.
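The Autoruns and VirusTotal steps above chain naturally: flag the autostart entries that look wrong, then hash the flagged files so they can be looked up on VirusTotal without uploading anything. The following is an added example, not code from the original post. The CSV is a hand-constructed simplification of an `autorunsc -c` export (real exports have more columns and the header varies by version), and FILES holds constructed bytes standing in for the files that would be read from disk.

```python
"""Triage an Autoruns CSV export and prepare VirusTotal hash lookups for the
entries that look wrong, tying together the Autoruns and VirusTotal steps above.

Added example, not code from the original post. The CSV below is a
hand-constructed simplification of an `autorunsc -c` export (real exports have
more columns and the header varies by version), and FILES holds constructed
bytes standing in for the files that would be read from disk."""
import csv
import hashlib
import io
import ntpath
from typing import Dict, List, Optional

SAMPLE_CSV = r"""Entry Location,Entry,Enabled,Description,Publisher,Image Path
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,ctfmon.exe,enabled,CTF Loader,(Verified) Microsoft Windows,c:\windows\system32\ctfmon.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,svchost,enabled,,,c:\windows\system32\svchost.scr
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,Updater,enabled,Update Service,(Not verified) Microsoft Corporation,c:\documents and settings\user\local settings\temp\update.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,Wireshark,enabled,Wireshark,(Verified) Wireshark Foundation,c:\program files\wireshark\wireshark.exe
"""

# Constructed file contents: an 'MZ' DOS header is enough to make the point.
FILES: Dict[str, bytes] = {
    r"c:\windows\system32\svchost.scr": b"MZ" + b"\x90" * 62 + b"constructed sample, not real malware",
    r"c:\documents and settings\user\local settings\temp\update.exe": b"MZ" + b"\x00" * 62 + b"constructed",
}

# Extensions Windows runs as PE executables even though they don't say .exe.
DISGUISED_EXE_EXTS = {".scr", ".com", ".pif", ".cpl"}


def parse_autoruns(text: str) -> List[dict]:
    return list(csv.DictReader(io.StringIO(text)))


def flag_entry(row: dict) -> List[str]:
    """Heuristics for one autostart entry: who signed it, where it lives, what it is."""
    reasons = []
    path = row["Image Path"].strip().lower()
    directory = ntpath.dirname(path)
    ext = ntpath.splitext(path)[1]
    publisher = row["Publisher"].strip()
    if not publisher or not row["Description"].strip():
        reasons.append("no publisher/description")
    if publisher.lower().startswith("(not verified)"):
        reasons.append("code signature not verified")
    if ext in DISGUISED_EXE_EXTS and directory.startswith(r"c:\windows"):
        reasons.append(f"{ext} file in the Windows directory runs as an executable")
    if directory.endswith("\\temp") or "\\temp\\" in directory:
        reasons.append("runs from a temp directory")
    return reasons


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def is_pe(data: bytes) -> bool:
    """A file starting with the 'MZ' DOS header is a PE executable, whatever its extension."""
    return data[:2] == b"MZ"


def vt_lookup_url(sha256: str) -> str:
    # Report page for a known hash; the API form is GET /api/v3/files/<hash> with an x-apikey header.
    return f"https://www.virustotal.com/gui/file/{sha256}"


def triage(csv_text: str, files: Dict[str, bytes]) -> List[dict]:
    """Return one record per flagged entry with its reasons and, where the file is
    available, its SHA-256, PE check and VirusTotal lookup URL."""
    out = []
    for row in parse_autoruns(csv_text):
        reasons = flag_entry(row)
        if not reasons:
            continue
        path = row["Image Path"].strip().lower()
        data: Optional[bytes] = files.get(path)
        rec = {"entry": row["Entry"], "path": path, "reasons": reasons,
               "sha256": None, "is_pe": None, "vt_url": None}
        if data is not None:
            rec["sha256"] = sha256_hex(data)
            rec["is_pe"] = is_pe(data)
            rec["vt_url"] = vt_lookup_url(rec["sha256"])
        out.append(rec)
    return out


if __name__ == "__main__":
    for rec in triage(SAMPLE_CSV, FILES):
        print(rec["path"], rec["reasons"], rec["sha256"], rec["vt_url"])
```

On a real machine you would replace FILES with a read of each flagged image path. Looking up the SHA-256 first costs nothing and leaks nothing; only upload the file itself when the hash is unknown to VirusTotal.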


4. TCPView

Download: https://technet.microsoft.com/en-us/sysinternals/bb897437

TCPView is another Microsoft (Sysinternals) tool, for viewing the local machine's network connections. With it you can see which local ports are being listened on, which outbound connections exist, and which process owns each of them. A process listening on an unexpected port, or connecting out to an unknown host, is typical behaviour of Trojans and botnet clients. Here is an example:

[Figure: Qq20150926231030.jpg, TCPView connection list]

Here you can see the network activity of every process. A quick look shows that a process named boot.ext is listening on local port 1234, which is very suspicious behaviour. You can then locate the process and its file with Process Explorer and upload the file to VirusTotal for analysis. (If you cannot install TCPView, the built-in command netstat -ano shows the same listeners and connections together with the owning PID.)
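The same eyeball check can be written down as rules over a connection table: which processes are allowed to listen at all, on which ports, and which processes should never talk to the network. The following is an added example, not code from the original post. The rows are constructed by hand in TCPView's column order, EXPECTED_LISTENERS is a hypothetical per-host baseline rather than a general rule, and the 203.0.113.0/24 addresses are documentation (TEST-NET) addresses standing in for hosts on the Internet.

```python
"""Flag suspicious listeners and outbound connections in a TCPView/netstat-style
connection table, automating the eyeball check described above.

Added example, not code from the original post. The rows are constructed by
hand in TCPView's column order, EXPECTED_LISTENERS is a hypothetical
per-host baseline (not a general rule), and the 203.0.113.0/24 addresses are
documentation (TEST-NET) addresses standing in for hosts on the Internet."""
import ipaddress
from typing import Dict, List, NamedTuple


class Conn(NamedTuple):
    process: str
    proto: str
    local_addr: str
    local_port: int
    remote_addr: str
    remote_port: int
    state: str


# Hypothetical baseline for this host: which processes may listen, and on which ports.
EXPECTED_LISTENERS = {
    "System": {139, 445},
    "svchost.exe": {135, 3389},
}
# Processes that have no business talking to the network at all.
NO_NETWORK_EXPECTED = {"notepad.exe", "calc.exe", "explorer.exe"}
# Ports on which an outbound connection to an unknown host is at least plausible.
WEB_PORTS = {80, 443}

LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "0.0.0.0/8")]


def is_public(addr: str) -> bool:
    """True for routable IPv4 addresses; TCPView shows '*' or 0.0.0.0 for unbound ends."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.version == 4 and not any(ip in net for net in LOCAL_NETS)


def flag(conns: List[Conn]) -> Dict[str, List[str]]:
    """Return {process: [reasons]} for connections that break the baseline."""
    findings: Dict[str, List[str]] = {}
    for c in conns:
        reasons = []
        state = c.state.upper()
        if state == "LISTENING":
            allowed = EXPECTED_LISTENERS.get(c.process)
            if allowed is None:
                reasons.append(f"unexpected process listening on {c.proto}/{c.local_port}")
            elif c.local_port not in allowed:
                reasons.append(f"listening on unexpected port {c.local_port}")
        elif state == "ESTABLISHED":
            if c.process in NO_NETWORK_EXPECTED:
                reasons.append("process should not have network connections")
            if is_public(c.remote_addr) and c.remote_port not in WEB_PORTS:
                reasons.append(f"outbound to public host {c.remote_addr}:{c.remote_port}")
        if reasons:
            findings.setdefault(c.process, []).extend(reasons)
    return findings


# Constructed rows; boot.ext on port 1234 mirrors the case in the text.
SAMPLE = [
    Conn("System", "TCP", "0.0.0.0", 445, "0.0.0.0", 0, "LISTENING"),
    Conn("svchost.exe", "TCP", "0.0.0.0", 135, "0.0.0.0", 0, "LISTENING"),
    Conn("svchost.exe", "TCP", "0.0.0.0", 8899, "0.0.0.0", 0, "LISTENING"),
    Conn("boot.ext", "TCP", "0.0.0.0", 1234, "0.0.0.0", 0, "LISTENING"),
    Conn("boot.ext", "TCP", "192.168.1.10", 1035, "203.0.113.7", 6667, "ESTABLISHED"),
    Conn("notepad.exe", "TCP", "192.168.1.10", 1040, "203.0.113.9", 443, "ESTABLISHED"),
    Conn("firefox.exe", "TCP", "192.168.1.10", 1041, "203.0.113.20", 443, "ESTABLISHED"),
]

if __name__ == "__main__":
    for proc, why in flag(SAMPLE).items():
        print(proc, "->", "; ".join(why))
```

Note what the rules do not catch: a bot that beacons to its controller on 443 looks exactly like a browser here, which is why the baseline of "who may talk at all" is the stronger rule, and why a rootkit that hides its process or socket from the API defeats this check entirely (see the next section).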


5. Finally, an advanced self-concealment technique used by viruses: the rootkit. A rootkit is a technique a virus uses to hide itself. The principle is as follows. The operating system is divided into two modes, user mode and kernel mode. When we look at files, processes or the registry, what actually happens is a call from user mode into kernel mode, and the result returned by kernel mode is what gets displayed on our screen.

If a virus uses rootkit techniques, it hides itself by hooking or patching the kernel-mode side of that path, so the answers that user-mode tools such as Process Explorer, Autoruns and TCPView receive have already been filtered. That is not so easy to find. Rootkit scanners generally work by comparing what the Windows API reports with what a low-level scan of the disk and registry hives finds, and reporting the differences; the following tool can help.

RootkitBuster: http://free.antivirus.com/us/rootkit-buster/

This is a free, publicly available rootkit scanner from Trend Micro that lets you check whether your computer is infected with a rootkit.

[Figure: Qq20150926232924.jpg, RootkitBuster scan results]

You can see that the virus has hidden many files and registry entries. You can remove them by selecting them and clicking "Fix Now". Because a rootkit may have hooked the very kernel the scanner runs on, a scan from inside the running system can still miss things; if you need certainty, scan the disk offline from clean boot media, or reinstall.

Note: this tool does not support Windows 8 and later.


Finally, a few free portable antivirus tools (360 users, please skip this part):

1. HouseCall: http://housecall.trendmicro.com/apac/

A lightweight, free online virus scanner; easy to use.


2. HijackThis: http://sourceforge.net/projects/hjt/

Requires some knowledge of the operating system. The tool lists processes, registry entries, services, browser and network settings and related information, but it does not judge them; you have to analyze the output by hand.


3. RUBotted: http://free.antivirus.com/us/rubotted/

A small free tool for detecting whether the machine has been turned into a bot (a member of a botnet).


That's all for today. I will write more articles on system security when I have time, and I hope they are useful to you.


This article is from the "Scarecrow" blog; please keep this source when reposting: http://shjrouting.blog.51cto.com/4390576/1698502

