The antivirus elite at the command line

Source: Internet
Author: User
Tags: valid port number

I. tasklist: the piercing eye

Today's viruses are getting craftier and hide their tracks well, but most of them still show up in the process list, so examining processes is a basic step in removing them. The command line offers its own tool for this: tasklist (Windows XP and later). Like Task Manager it lists the running processes, but its switches expose information Task Manager does not show. "tasklist /m" lists every DLL module loaded into each process; "tasklist /svc" lists the services hosted by each process. That second view is the one to use on svchost.exe: a genuine svchost.exe exists only to host one or more named services, so an svchost.exe whose Services column reads N/A, or which hosts a service you do not recognise, deserves a closer look. tasklist can also list the processes on a remote system. Typing "tasklist /s 208.202.12.206 /u friend /p 123456" (without the quotes) at a command prompt lists the processes on the host 208.202.12.206: the address after /s is the remote system to query, the name after /u is the account tasklist authenticates with, which must be a valid account with administrative rights on that system, and the value after /p is that account's password. If you omit /p, tasklist prompts for the password instead of leaving it in your command history. This makes remote virus hunting considerably easier for an administrator.

II. taskkill: the process killer

Once tasklist has exposed a virus, the more important job is to remove it, and that is where the companion command taskkill comes in. To end a process by name, note the image name from Task Manager or tasklist and run "taskkill /f /im processname"; to end it by PID, run tasklist, note the PID, and run "taskkill /pid PIDnumber". At this point someone will ask why not simply use Task Manager. The special talent of taskkill is that it can end processes Task Manager cannot terminate directly: add the /f switch and the process is forcibly closed, for example "taskkill /f /pid 1656" forces the process with PID 1656 to end. taskkill can also end a whole process tree (/t), kill processes on a remote system (/s with /u and /p, as for tasklist), or act only on the processes matched by a filter (/fi); run "taskkill /?" to see the full list of switches.

III. netstat: the port detective

Trojans are more numerous than ever and the threat to users keeps growing, so plenty of dedicated Trojan scanners have appeared. In fact, used sensibly, the netstat command that ships with Windows will expose most of the Trojans hiding on a machine.

Most Trojans open a service port after infecting a system, and such a port normally sits in the listening state, so the Trojan can be traced from its port usage, which is exactly what netstat shows. Run "netstat -a" at the command line to list every connection, both established ones (ESTABLISHED) and sockets waiting for connection requests (LISTENING). In the output, Proto is the protocol, Local Address is this machine's address followed by a colon and the open port number, Foreign Address is the remote end (the other side's address when a connection is active), and State is the connection state. LISTENING means the port is open and waiting; a Trojan's backdoor sits in exactly that state once it is running, so pay attention to listening ports, and be on your guard when a port number is unfamiliar, particularly a high one. Adding -n ("netstat -an") prints addresses and ports as numbers instead of trying to resolve them, which is faster and avoids generating DNS queries that might be noticed.

To confirm which process owns a port, add the -o switch: "netstat -ano" lists all connections and gives the PID behind each one, which you can then look up with tasklist. On Windows XP SP2 and later, "netstat -anb" goes one step further and names the executable behind each connection or listening port, though it needs administrative rights and runs much more slowly.
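As an added example that is not part of the original article, the following Python script applies the checks from the tasklist /svc and netstat sections together: it parses constructed sample output in the shape of "tasklist /svc" and "netstat -ano" (not captured from a real host; the PIDs, ports and addresses are made up), joins each listening port to the process that owns it, and flags listeners that are outside a baseline port list or that belong to an svchost.exe hosting no service. The baseline port set, the flagging rules and the run_on_this_host helper are assumptions to adapt to your own environment.

```python
"""Join 'netstat -ano' listeners to 'tasklist /svc' processes (added example)."""
import re
import subprocess

# Constructed sample output (not captured from a real host) in the shape of
# "tasklist /svc". PID 3388 is a fake svchost.exe hosting no service, the
# pattern the article says to look for; 1024 shows a wrapped Services column.
TASKLIST_SVC = """\
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
System                           4 N/A
smss.exe                       368 N/A
svchost.exe                    936 RpcSs
svchost.exe                   1024 Dnscache, LanmanWorkstation,
                                   W32Time
svchost.exe                   3388 N/A
explorer.exe                  1720 N/A
"""

# Constructed sample output in the shape of "netstat -ano" (addresses made up).
NETSTAT_ANO = """\

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       936
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:6667           0.0.0.0:0              LISTENING       3388
  TCP    192.168.1.5:139        0.0.0.0:0              LISTENING       4
  TCP    192.168.1.5:1054       208.202.12.206:80      ESTABLISHED     1720
  UDP    0.0.0.0:500            *:*                                    1024
"""

# Assumption: ports a stock install listens on; anything else is reported.
BASELINE_PORTS = {135, 139, 445}

# image name (may contain spaces), PID, then the Services column
TASK_RE = re.compile(r"^(?P<image>.*?)\s+(?P<pid>\d+)\s+(?P<svcs>\S.*)$")


def parse_tasklist_svc(text):
    """Map PID -> {"image": str, "services": [str, ...]} from tasklist /svc text."""
    procs, last = {}, None
    for line in text.splitlines():
        m = TASK_RE.match(line)
        if m:
            last = int(m.group("pid"))
            svcs = m.group("svcs").strip()
            names = [] if svcs == "N/A" else [s.strip() for s in svcs.split(",") if s.strip()]
            procs[last] = {"image": m.group("image").strip(), "services": names}
        elif last is not None and line.startswith(" ") and line.strip():
            # tasklist wraps long service lists onto indented continuation lines
            procs[last]["services"] += [s.strip() for s in line.split(",") if s.strip()]
    return procs


def parse_netstat_ano(text):
    """Yield a dict per TCP/UDP row of netstat -ano; UDP rows carry no State."""
    for line in text.splitlines():
        f = line.split()
        if not f or f[0] not in ("TCP", "UDP"):
            continue
        state, pid = (f[3], f[4]) if f[0] == "TCP" else ("", f[3])
        yield {"proto": f[0], "local": f[1], "foreign": f[2],
               "state": state, "pid": int(pid)}


def find_suspicious_listeners(netstat_text, tasklist_text, baseline=BASELINE_PORTS):
    """Join listening ports to their owning process and flag the odd ones."""
    procs = parse_tasklist_svc(tasklist_text)
    findings = []
    for row in parse_netstat_ano(netstat_text):
        if row["state"] != "LISTENING":
            continue
        port = int(row["local"].rsplit(":", 1)[1])
        proc = procs.get(row["pid"])
        reasons = []
        if port not in baseline:
            reasons.append("port not in baseline")
        if proc is None:
            reasons.append("PID not in tasklist output")
        elif proc["image"].lower() == "svchost.exe" and not proc["services"]:
            reasons.append("svchost.exe hosting no service")
        if reasons:
            findings.append({"port": port, "pid": row["pid"],
                             "image": proc["image"] if proc else "?",
                             "reasons": reasons})
    return findings


def run_on_this_host():
    """On a Windows machine, run the two real commands and analyse their output."""
    def out(cmd):
        return subprocess.run(cmd, capture_output=True, text=True).stdout
    return find_suspicious_listeners(out(["netstat", "-ano"]), out(["tasklist", "/svc"]))


if __name__ == "__main__":
    for hit in find_suspicious_listeners(NETSTAT_ANO, TASKLIST_SVC):
        print(hit)
```

Run without arguments the script reports the sample's port 6667 listener, owned by PID 3388, with both reasons; on a Windows host, call run_on_this_host() instead of using the embedded samples. The join is what makes netstat's PID column useful: a high listening port is only interesting once you know which image owns it and whether that image is doing what its name claims.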

IV. find: the nemesis of bundled files

Many people have been caught by a file-bundling Trojan: on the surface it is a pretty picture, but a Trojan is riding inside it. Hiding a payload by binding it to another file is a classic Trojan trick, so checking suspicious files promptly can head off worse consequences, and a number of tools have appeared on the Internet for spotting bundled files.

Windows can do a simple version of this check from the command line with the string-search command find, whose job is to search a file for a string. Every Windows executable begins with a DOS stub containing the text "This program cannot be run in DOS mode", so counting occurrences of that text shows how many executables a file contains. Run find /c /i "This program" path\to\file at the command line (/c counts matching lines, /i ignores case). For an .exe the normal result is 1; anything higher means a second executable is bundled in and you should be careful. For a picture, a document or any other non-executable file the normal result is 0; anything above 0 should set off alarms. The check is crude: find counts lines rather than matches, a packer or a custom linker stub can alter or remove the text, and a payload can be stored compressed or encrypted, so treat a result of 1 or 0 as "nothing obvious" rather than "clean".
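The following Python script is an added example, not code from the original article: it does what the find command above approximates, but more robustly, by locating every MZ header whose e_lfanew field points at a valid PE signature, and it counts the DOS stub text as a second signal. The sample inputs are constructed in the script (a PE-shaped blob that is not a real executable, and a fake picture), so it runs offline; pass a file path to scan a real file instead.

```python
"""Spot bundled executables by PE header and DOS stub count (added example)."""
import struct
import sys

# Text of the standard MS-DOS stub that the linker puts at the front of
# every Windows executable; 'find /c /i' counts lines containing it.
DOS_STUB = b"This program cannot be run in DOS mode"


def make_fake_pe(size=512):
    """Constructed test input: a PE-shaped blob ('MZ', e_lfanew at 0x3C,
    stub text, 'PE\\0\\0'). It is not a runnable executable."""
    buf = bytearray(size)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)          # e_lfanew -> 0x80
    buf[0x4E:0x4E + len(DOS_STUB)] = DOS_STUB
    buf[0x80:0x84] = b"PE\0\0"
    return bytes(buf)


def find_pe_headers(data):
    """Offsets of every 'MZ' whose e_lfanew points at a 'PE\\0\\0' signature.
    A clean executable yields [0]; a clean picture yields []."""
    hits = []
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            (e_lfanew,) = struct.unpack_from("<I", data, pos + 0x3C)
            pe = pos + e_lfanew
            if pe + 4 <= len(data) and data[pe:pe + 4] == b"PE\0\0":
                hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits


def count_dos_stubs(data):
    """Case-insensitive count of the stub text, the signal 'find /c /i' uses."""
    return data.lower().count(DOS_STUB.lower())


def verdict(data, expect_executable):
    """'clean' or a 'suspicious: ...' reason, using the article's rule:
    an .exe should contain exactly one executable, anything else none."""
    headers = find_pe_headers(data)
    stubs = count_dos_stubs(data)
    if expect_executable:
        if headers == [0] and stubs <= 1:
            return "clean"
        return f"suspicious: {len(headers)} PE header(s) at {headers}, {stubs} DOS stub(s)"
    if not headers and stubs == 0:
        return "clean"
    return f"suspicious: executable content at offset(s) {headers}, {stubs} DOS stub(s)"


# Constructed samples: a bare executable, a bare picture, a picture with an
# executable appended, and an executable with a second one appended.
CLEAN_EXE = make_fake_pe()
CLEAN_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + bytes(300)
BUNDLED_JPEG = CLEAN_JPEG + make_fake_pe()
EXE_WITH_PAYLOAD = make_fake_pe() + bytes(16) + make_fake_pe()

if __name__ == "__main__":
    if len(sys.argv) == 2:                     # scan a real file from disk
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read()
        print(verdict(blob, sys.argv[1].lower().endswith((".exe", ".dll", ".scr"))))
    else:
        for name, blob, is_exe in [("clean exe", CLEAN_EXE, True),
                                   ("clean jpeg", CLEAN_JPEG, False),
                                   ("bundled jpeg", BUNDLED_JPEG, False),
                                   ("exe + payload", EXE_WITH_PAYLOAD, True)]:
            print(f"{name:14} {verdict(blob, is_exe)}")
```

Checking that e_lfanew actually lands on "PE\0\0" is what separates a real embedded executable from a stray "MZ" byte pair in image data, and it keeps working when a packer has rewritten the stub text that find depends on; a payload that is stored encrypted still defeats both checks, which is why the article's rule only catches the simple bundlers.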

V. ntsd: the powerful terminator

Today's viruses keep getting craftier, and you will often meet one that shows up in the process list but refuses to die: neither Task Manager nor the taskkill command described above can stop it. You can of course reach for a process management tool such as the powerful Process Explorer, but Windows itself ships a little-known tool that can forcibly end most processes, stubborn ones included: the NTSD debugger.

Run the following at the command line:

ntsd -c q -p PID

Here PID is the ID of the process to terminate; if you do not know it, find it with tasklist. The -p switch attaches the debugger to that process and -c q tells it to run the q (quit) command at once, which terminates the debuggee as the debugger exits. Apart from a handful of core processes that cannot be killed this way, namely System, smss.exe and csrss.exe, almost any other process can be forced to end. Two caveats: ntsd.exe ships with Windows XP and Windows Server 2003 but was dropped from Windows Vista onward, where cdb.exe from the Debugging Tools for Windows accepts the same switches; and a debugger cannot attach to a process it lacks the right to open, so run this from an administrator prompt.

VI. ftype: the file-association repair specialist

Like file bundling, tampering with file associations is a standard trick of viruses and Trojans. The association usually has to be repaired in the registry, but editing the registry by hand is tedious and error-prone; a more convenient route is the command-line tool ftype, which makes restoring an association easy. The exefile association is the one most often altered, since it controls what runs when any .exe is opened, and its normal value is "%1" %*. To restore it, run the following at the command line:

ftype exefile="%1" %*

To repair the txtfile association, run:

ftype txtfile=%SystemRoot%\system32\NOTEPAD.EXE %1

Running ftype with no arguments lists every association so you can compare a suspect machine against a known-good one; the companion command assoc maps extensions to file types (assoc .exe=exefile), and a virus may tamper with that mapping too. Both commands write to HKEY_CLASSES_ROOT, so run them from an administrator prompt, and type them into cmd.exe rather than PowerShell, where the quotes and % signs would be interpreted differently.

VII. fc: the registry monitor

Many viruses and Trojans treat the registry as a target: the file-association tampering above is one example, and the so-called rogue software now in circulation adds values to the registry that have no business being there. Monitoring the registry is therefore worthwhile, and plenty of registry monitors exist, but the tools Windows itself provides are enough for the job.

The following shows how to "monitor" the registry changes made by a software installation:

Before installing the software, export the registry to a .reg file (say 1.reg) from regedit; after the installation, export it again (2.reg); then run the following at the Windows XP command prompt:

d:\>fc /u 1.reg 2.reg > changes.txt

Then open changes.txt in the root of drive D: to see exactly which subkeys and values the installer added or changed. The /u switch is needed because regedit writes .reg files as Unicode text. A software installation is just one example; the same before-and-after comparison shows what changed in the registry across any interval you choose. Exporting the whole registry produces huge files and a noisy diff, since Windows itself changes values constantly, so in practice it is better to export only the keys that matter, for example "reg export HKLM\Software\Microsoft\Windows\CurrentVersion\Run run-before.reg", and compare those.
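As an added example that is not part of the original article, the Python script below does the fc comparison semantically rather than line by line: it parses two .reg exports into (key, value name) pairs, reports what was added, removed or changed, and lists first the changes under the autostart and exefile keys that the article singles out. The two exports are constructed samples embedded in the script (not from a real machine; the SampleApp paths are made up), and the watched-key list is an assumption to extend for your own environment. load_reg reads a real regedit export, which is UTF-16 text.

```python
"""Diff two regedit exports by key and value (added example)."""
import re

# Constructed .reg exports (not from a real machine), in the text layout
# regedit produces. AFTER adds an autostart value, rewrites the .exe
# association and adds a binary value that regedit wraps over two lines.
BEFORE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_CURRENT_USER\Software\SampleApp]
"Version"=dword:00000001
"""

AFTER_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Updater"="C:\\Program Files\\SampleApp\\updater.exe"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\Program Files\\SampleApp\\launch.exe\" \"%1\" %*"

[HKEY_CURRENT_USER\Software\SampleApp]
"Version"=dword:00000002
"Blob"=hex:01,02,03,\
  04,05
"""

# Assumption: key prefixes whose changes matter most when hunting malware.
WATCHED_PREFIXES = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command",
)

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# either "quoted name" (with \" and \\ escapes) or @ for the default value
VALUE_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<data>.*)$')


def parse_reg(text):
    """Map (key, value_name) -> raw data string; '@' is the default value."""
    values, key, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.lstrip() if pending else raw.strip()
        pending = ""
        if line.endswith("\\"):               # hex data continues on the next line
            pending = line[:-1]
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            name = "@" if m.group("default") else m.group("name")
            values[(key, name)] = m.group("data")
    return values


def diff_reg(before, after):
    """Split the two snapshots into added, removed and changed values."""
    added = {k: after[k] for k in after.keys() - before.keys()}
    removed = {k: before[k] for k in before.keys() - after.keys()}
    changed = {k: (before[k], after[k]) for k in before.keys() & after.keys()
               if before[k] != after[k]}
    return {"added": added, "removed": removed, "changed": changed}


def flag_watched(diff):
    """Changes under the watched prefixes, the ones to read first."""
    prefixes = tuple(p.lower() for p in WATCHED_PREFIXES)
    hits = []
    for kind in ("added", "removed", "changed"):
        for (key, name), data in diff[kind].items():
            if key.lower().startswith(prefixes):
                hits.append((kind, key, name, data))
    return hits


def load_reg(path):
    """Read a regedit export; regedit writes UTF-16 with a BOM, hence 'fc /u'."""
    with open(path, encoding="utf-16") as fh:
        return parse_reg(fh.read())


if __name__ == "__main__":
    d = diff_reg(parse_reg(BEFORE_REG), parse_reg(AFTER_REG))
    for hit in flag_watched(d):
        print(hit)
```

Because the comparison is keyed on (key, value name), a value that merely moved to a different line in the export is not reported, which is the main source of noise in a raw fc listing; the remaining noise is Windows' own housekeeping, which is why exporting only the keys you care about is still the better starting point.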
