Powerful anti-virus weapons under the command line

Source: Internet
Author: User

A few years ago some prescient users already joked that anyone who goes online is bound to get hit sooner or later. Today, infections are routine. Faced with the flood of viruses and Trojans, anti-virus software and a firewall are of course indispensable, but some stubborn specimens still slip past when you rely on those alone. What then? The Windows command line ships with several very useful tools, and used well they become powerful anti-virus weapons. Let's take a look at them.
1. tasklist -- the sharp eye

Today's viruses are increasingly devious and often appear and vanish without a trace, but many of them still give themselves away through their processes, so inspecting processes is an important part of tracking a virus down. The command line provides the tasklist command (Windows XP and later) for this. Like Task Manager, it lists the active processes, but with its parameters it shows information that Task Manager cannot. Running "tasklist /M" lists every DLL module loaded by each process, and running "tasklist /SVC" lists the services hosted by each process; from the services you can often judge whether a process is malicious. tasklist can also inspect processes on a remote system. For example, entering "tasklist /S 208.202.12.206 /U friend /P 123456" at the command prompt (without the quotation marks) lists the processes of the remote system at 208.202.12.206: the value after /S is the IP address of the remote system to inspect, the value after /U is the user account tasklist uses, which must be a valid account on that system, and the value after /P is that account's password. This makes remote virus scanning and removal much easier for a network administrator.
2. taskkill -- the process killer

Once tasklist's sharp eye has exposed a virus process, it still has to be removed, and that is where another command, taskkill, comes in. To end a process, note its image name in Task Manager and run "taskkill /F /IM processname". You can also end a process by its PID: run "tasklist" first, note the PID of the process, and enter "taskkill /PID pid" at the command prompt. Some will say this is no more convenient than simply using Task Manager. The real strength of taskkill is that it can end some processes that Task Manager cannot terminate directly; for those, the /F parameter must be added to force the process to close, for example "taskkill /F /PID 1606" forcibly ends the process with PID 1606. taskkill can also end a whole process tree, end processes on a remote system, and filter which of the queried processes are included or excluded; run "taskkill /?" for the details.
3. netstat -- port detection

Trojans pose a growing threat to users, and many tools dedicated to scanning for and removing them have appeared as a result. In fact, used properly, the netstat command on the command line can find most Trojans hidden on a computer.

Most Trojans open a service port once they have infected the system, and that port is usually in the listening state, so examining port usage reveals their traces, which netstat makes easy. Run "netstat -a" at the command line. This displays a list of all current connections, including established ones (ESTABLISHED) and listening ones (LISTENING). Proto is the protocol; Local Address is the local address, and the number after the colon is the open port number; Foreign Address is the remote address, which shows the other party's address when you are communicating with another machine; State is the connection state, and LISTENING means the port is open and waiting for connections. A backdoor sits in the listening state once a Trojan has opened it successfully, so pay particular attention to ports in the LISTENING state: if the port numbers are unfamiliar and there are many of them, be alert.
To confirm a suspicion, you can also see which process owns a port by adding the -o parameter: "netstat -ao" displays the same list of connections together with the PID of the process using each port.
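As an added illustration (not part of the original article), the Python script below parses constructed samples of the "netstat -ao" and "tasklist /svc" output discussed in sections 1 and 3 and lists every listening port that is not on an assumed allowlist, together with the owning process and the services it hosts. The sample output, the port numbers, the process names and the allowlist are all constructed for this example.

```python
"""Correlate `netstat -ao` with `tasklist /svc` to find unexpected listeners.

The two sample outputs below are constructed for this example; they were not
captured from a real host. Column layout follows the Windows tools.
"""
import re
from typing import Dict, List

# Constructed sample of `netstat -ao` output.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       928
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:7777           0.0.0.0:0              LISTENING       3120
  TCP    192.168.1.10:49700     93.184.216.34:443      ESTABLISHED     2244
  TCP    [::]:135               [::]:0                 LISTENING       928
  UDP    0.0.0.0:500            *:*                                    1344
"""

# Constructed sample of `tasklist /svc` output.
TASKLIST_SAMPLE = """
Image Name                     PID Services
========================= ======== ============================================
System                           4 N/A
svchost.exe                    928 RpcEptMapper, RpcSs
svchost.exe                   1344 IKEEXT, PolicyAgent
notepad.exe                   2244 N/A
updater.exe                   3120 N/A
"""

# Ports the administrator expects to be open on this host (assumed allowlist).
EXPECTED_PORTS = {135, 445, 500}


def parse_netstat(text: str) -> List[dict]:
    """Return one record per TCP/UDP line of `netstat -ao` output."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # header, blank line or "Active Connections"
        if parts[0] == "TCP":
            proto, local, foreign, state, pid = parts
        else:  # UDP lines carry no State column
            proto, local, foreign, pid = parts
            state = ""
        # rsplit on the last colon so IPv6 forms such as [::]:135 parse too
        port = int(local.rsplit(":", 1)[1])
        records.append({"proto": proto, "local": local, "port": port,
                        "foreign": foreign, "state": state, "pid": int(pid)})
    return records


def parse_tasklist_svc(text: str) -> Dict[int, dict]:
    """Map PID -> {image, services} from `tasklist /svc` output."""
    row = re.compile(r"^(?P<image>\S.*?)\s+(?P<pid>\d+)\s+(?P<svc>.*)$")
    procs = {}
    for line in text.splitlines():
        m = row.match(line.strip())
        if not m:
            continue  # the header and separator rows have no PID column
        svc = m.group("svc").strip()
        services = [] if svc == "N/A" else [s.strip() for s in svc.split(",")]
        procs[int(m.group("pid"))] = {"image": m.group("image"), "services": services}
    return procs


def unexpected_listeners(netstat_text: str, tasklist_text: str, expected_ports) -> List[dict]:
    """Listening ports outside the allowlist, joined with their owning process."""
    procs = parse_tasklist_svc(tasklist_text)
    findings = []
    for rec in parse_netstat(netstat_text):
        listening = rec["state"] == "LISTENING" or rec["proto"] == "UDP"
        if not listening or rec["port"] in expected_ports:
            continue
        proc = procs.get(rec["pid"], {"image": "<not in tasklist>", "services": []})
        findings.append({"proto": rec["proto"], "port": rec["port"], "pid": rec["pid"],
                         "image": proc["image"], "services": proc["services"]})
    return findings


if __name__ == "__main__":
    for f in unexpected_listeners(NETSTAT_SAMPLE, TASKLIST_SAMPLE, EXPECTED_PORTS):
        print(f"{f['proto']} port {f['port']} owned by PID {f['pid']} "
              f"({f['image']}, services: {f['services'] or 'none'})")
```

On a real host you would feed the script the saved output of the two commands instead of the constructed strings. A process that listens on an unfamiliar port and hosts no service, as the constructed updater.exe does here, is exactly the case the article tells you to look at more closely; a listener owned by svchost.exe with known services behind it is usually the opposite.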
4. find -- the bundled-file nemesis

Many people have encountered file-bundled Trojans: on the surface the file looks like a pretty picture, but an executable is hidden inside. Bundling a Trojan with another file is a common way of hiding it, and checking suspicious files in time can often prevent more serious consequences, so several tools for detecting bundled files are available on the Internet.

In Windows you can also do a simple check from the command line with the string-search command find, whose main job is to search for a string in a file. Method: at the command line run find /C /I "This program" followed by the path of the file to check ("This program" is the start of the DOS-stub message that every Windows executable carries). For an EXE file the count returned should normally be 1; if it is greater than 1, be careful. For a non-executable file such as an image the count should normally be 0; if it is greater than 0, take note.
5. ntsd -- the powerful terminator
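The following Python script is an added example, not code from the article: it reimplements the count that find /C /I "This program" produces and applies the article's two thresholds (more than 1 for an executable, more than 0 for anything else). The byte strings are constructed stand-ins for a normal executable, an executable with a second one appended, and a JPEG image; they are not real files.

```python
"""Bundled-file check: count lines containing the DOS-stub marker.

Added example. The sample byte strings are constructed, not real files, and
only need to reproduce the one property the check relies on: the DOS stub
text that every PE executable carries near its start.
"""
from typing import Tuple

# Text every Windows PE executable carries in its DOS stub; the article's
# find command searches for its first two words.
DOS_STUB = b"This program cannot be run in DOS mode.\r\r\n$"
MARKER = b"this program"


def marker_line_count(data: bytes) -> int:
    """Count newline-delimited 'lines' that contain the marker, ignoring case.

    This mirrors what find /C /I reports: find counts matching lines, not
    occurrences, and it treats a binary file as lines split on newline bytes.
    """
    return sum(1 for line in data.split(b"\n") if MARKER in line.lower())


def is_suspicious(data: bytes, executable: bool) -> bool:
    """Apply the article's thresholds: an EXE should contain the stub exactly
    once, a non-executable (image, document) should not contain it at all."""
    count = marker_line_count(data)
    return count > 1 if executable else count > 0


def fake_pe(body: bytes) -> bytes:
    """Constructed minimal PE-like blob: MZ signature, padding, DOS stub, body."""
    return b"MZ" + b"\x00" * 62 + DOS_STUB + body


# Constructed samples
NORMAL_EXE = fake_pe(b"\x00" * 256)
BUNDLED_EXE = NORMAL_EXE + fake_pe(b"\x01" * 128)       # second executable appended
PLAIN_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 256
BUNDLED_JPEG = PLAIN_JPEG + fake_pe(b"\x00" * 64)        # executable appended to an image


def check_file(path: str, executable: bool) -> Tuple[int, bool]:
    """Run the same check on a real file on disk; returns (count, suspicious)."""
    with open(path, "rb") as fh:
        data = fh.read()
    return marker_line_count(data), is_suspicious(data, executable)


if __name__ == "__main__":
    for name, data, is_exe in (("normal.exe", NORMAL_EXE, True),
                               ("bundled.exe", BUNDLED_EXE, True),
                               ("photo.jpg", PLAIN_JPEG, False),
                               ("bundled.jpg", BUNDLED_JPEG, False)):
        print(name, marker_line_count(data), "suspicious" if is_suspicious(data, is_exe) else "ok")
```

Treat the count as a reason to look closer rather than as proof: self-extracting archives and installers legitimately embed other executables and so exceed 1, while a bundler that strips or alters the stub text of the hidden payload would pass this check unnoticed.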

Today's viruses are increasingly devious, and it often happens that you can find a virus process but cannot end it: neither Task Manager nor the taskkill command above can terminate it. You can of course turn to a process-management tool such as the powerful Process Explorer, but a little-known tool that ships with Windows can forcibly end most processes, including some very stubborn ones: the ntsd command.
Run the following command at the command line:

ntsd -c q -p PID

The PID at the end is the ID of the process to terminate; if you do not know it, look it up with the tasklist command. With ntsd, only a few core processes such as System, smss.exe and csrss.exe cannot be killed; any other process can be forcibly terminated. Note that ntsd.exe ships in System32 on Windows XP and Windows Server 2003; on later versions of Windows it is only available as part of the Debugging Tools for Windows.
6. ftype -- the file-association repair expert

Like file bundling, tampering with file associations is another common trick of viruses and Trojans. The usual recovery method is to edit the registry, but registry editing is tedious and error-prone; a more convenient method is the command-line tool ftype, which restores file associations easily. The exefile association is the one most often modified. Its normal value is "%1" %*, so you only need to run the following at the command line: ftype exefile="%1" %*. To repair the txtfile association, enter: ftype txtfile=%SystemRoot%\system32\NOTEPAD.EXE %1

7. fc -- the registry monitor

Many viruses and Trojans attack the registry, for example by tampering with file associations as described above, and today the so-called rogue software that refuses to stay quiet likewise adds entries to the registry that have no business being there, so monitoring the registry has become essential. Many registry-monitoring programs have appeared as a result, but the tools that come with Windows are enough to do the job.

The following shows how to "monitor" the changes a software installation makes to the registry:

First, back up the registry (exported as a .reg file, for example 1.reg) before installing the software; after installation, export the registry again (2.reg) and then run the following at the Windows XP command prompt:

D:\> fc /U 1.reg 2.reg > changes.txt

Open changes.txt in the root of the D: drive and you can see clearly which subkeys and values the software has added to or modified in the registry. (The /U switch is needed because regedit exports .reg files as Unicode text.) The software installation in this example is just one particular point in time; you can use the same method to analyze possible registry changes between any two points in time.
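The fc command gives a raw line diff of the two exports. As an added example (not from the article), the Python script below reads two .reg exports the way regedit writes them (UTF-16 with a byte-order mark, which is why fc needs /U) and reports the change in structured form: added keys, and added, changed or removed values per key. The two exports are constructed strings; the key paths, value names and the exefile tampering they show are sample data for this example, not observations from a real system.

```python
"""Structured diff of two regedit exports (before/after a software install).

Added example. BEFORE_REG and AFTER_REG are constructed sample exports;
they are encoded as UTF-16 LE with a BOM to mimic what regedit writes.
"""
from typing import Dict, List

BEFORE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\user\\OneDrive.exe /background"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
"""

AFTER_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\user\\OneDrive.exe /background"
"Helper"="C:\\Users\\user\\AppData\\helper.exe"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\Users\\user\\AppData\\helper.exe \"%1\" %*"

[HKEY_CURRENT_USER\Software\ExampleApp]
"Installed"=dword:00000001
"""

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
EXEFILE_KEY = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"


def as_regedit_export(text: str) -> bytes:
    """Encode like regedit: UTF-16 little-endian with a leading BOM."""
    return b"\xff\xfe" + text.encode("utf-16-le")


# Constructed stand-ins for 1.reg and 2.reg as they would sit on disk.
BEFORE_BYTES = as_regedit_export(BEFORE_REG)
AFTER_BYTES = as_regedit_export(AFTER_REG)


def parse_reg(data: bytes) -> Dict[str, Dict[str, str]]:
    """Parse a .reg export into {key_path: {value_name: raw_data}}."""
    text = data.decode("utf-16")  # consumes the BOM regedit writes
    tree: Dict[str, Dict[str, str]] = {}
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            tree.setdefault(key, {})
        elif key is not None and "=" in line:
            name, _, value = line.partition("=")
            tree[key][name.strip('"')] = value  # "@" is the key's default value
    return tree


def diff_reg(before: Dict[str, Dict[str, str]], after: Dict[str, Dict[str, str]]) -> Dict[str, List]:
    """Report what changed between two parsed exports."""
    changes: Dict[str, List] = {"added_keys": [], "removed_keys": [], "added_values": [],
                                "changed_values": [], "removed_values": []}
    for key, values in after.items():
        if key not in before:
            changes["added_keys"].append(key)
            continue
        for name, data in values.items():
            if name not in before[key]:
                changes["added_values"].append((key, name, data))
            elif before[key][name] != data:
                changes["changed_values"].append((key, name, before[key][name], data))
        for name in before[key]:
            if name not in values:
                changes["removed_values"].append((key, name))
    changes["removed_keys"] = [k for k in before if k not in after]
    return changes


def report() -> Dict[str, List]:
    """Diff the two constructed exports."""
    return diff_reg(parse_reg(BEFORE_BYTES), parse_reg(AFTER_BYTES))


if __name__ == "__main__":
    for kind, items in report().items():
        for item in items:
            print(kind, item)
```

To use it on real exports, replace BEFORE_BYTES and AFTER_BYTES with the contents of 1.reg and 2.reg read in binary mode. In the constructed sample the diff surfaces the two changes a defender cares about most: a new autorun value under the Run key and a rewritten exefile default value, the same tampering the ftype section above repairs.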
