The pride of the traditional way: anti-virus elites under the command line

Source: Internet
Author: User

A few years ago some far-sighted netizens already lamented: who can spend time online without getting hit? Today computer malware is commonplace, and anti-virus software and a firewall are naturally indispensable against the flood of viruses and Trojan horses. But there are still plenty of stubborn specimens that anti-virus software and firewalls alone cannot handle. What then? The Windows command line provides several very useful tools, and used well they become a powerful anti-virus arsenal that lets us fight viruses more effectively. Let's take a look at the anti-virus weapons available under the command line.

1. TASKLIST -- the sharp eye

Today's viruses are more and more cunning and often leave no obvious trace, but most of them still expose a fox's tail somewhere in the process list. Inspecting processes is therefore an important step in hunting a virus. We can of course examine processes with the system Task Manager or a more powerful third-party process viewer, but the command line also provides a tool for this: Tasklist (Windows XP or later). Like Task Manager it displays the list of active processes, but with its parameters it can show information that Task Manager cannot. Run "tasklist /M" to list every DLL module loaded by each task, as shown in Figure 1. Run "tasklist /SVC" to show the services hosted in each process, as shown in Figure 2; from that listing we can see which services are loaded into each svchost.exe and judge whether one of them is a malicious process. Tasklist can also view the processes of a remote system. For example, typing "tasklist /s 208.202.12.206 /u friend /p 123456" at the command prompt (without the quotation marks) lists the processes of the remote system whose IP address is 208.202.12.206. Here "208.202.12.206" after /s is the IP address of the remote system, "friend" after /u is the account Tasklist uses to connect (it must be a valid account on the remote system), and "123456" after /p is that account's password. This makes it much easier for a network administrator to hunt viruses on remote machines.

2. TASKKILL -- the process killer

With Tasklist's sharp eyes, many viruses come into view, but what really matters is clearing them out, and that is where the next command, TASKKILL, comes in. To end a process, note its image name in Task Manager and run "taskkill /F /IM <process name>". You can also end a process by PID: run "tasklist" first, note the PID of the process, and then enter "taskkill /PID <PID>" at the command prompt, as shown in Figure 3. For example, "taskkill /PID 1656" ends the process whose PID is 1656. Some will say this is no more convenient than simply using Task Manager. The real strength of TASKKILL is that it can end processes Task Manager cannot terminate directly; for those, add the parameter "/F" to force the process to close, for example "taskkill /F /PID 1656" forcibly ends the process whose PID is 1656. TASKKILL can also end a whole process tree, end remote processes, and filter the processes it acts on. For details, run "taskkill /?".

3. NETSTAT -- port detection

Trojans are becoming more numerous and more threatening, and many dedicated tools for scanning and removing them have appeared. In fact, with proper use of the Netstat command we can find most Trojans hiding in a computer. Most Trojans open a service port after infecting a system, and that port is usually in the LISTENING state, so port usage is a good place to look for traces of a Trojan, and Netstat makes this easy. Run "netstat -a" at the command line to display a list of all connections, including established connections (ESTABLISHED) and ports being listened on (LISTENING), as shown in Figure 4. Proto is the protocol; Local Address is the local address, and the number after the colon is the open port number; Foreign Address is the remote address, which shows the other party's address when you are communicating with another machine; State is the connection state, and LISTENING means the port is open and waiting for connections. Because a backdoor opened by a Trojan sits in the LISTENING state, pay particular attention to ports in that state: if the port numbers are unfamiliar, or there are many of them, be alert. To confirm, you can also identify the process behind each port with the "-o" parameter: "netstat -ao" displays the same connection list together with the PID that owns each port.
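To show how the Tasklist and Netstat listings from these two sections fit together, here is an added example (not from the original article) that parses constructed "netstat -ao" and "tasklist" output in Python, joins each LISTENING port to its owning process and flags ports outside an assumed baseline; on a real machine you would feed it the saved output of those two commands. The sample output, the process names and the baseline port set are constructed assumptions.

```python
import re

# Constructed sample of "netstat -ao" output on Windows XP (not captured from a real host)
NETSTAT_SAMPLE = """\
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       928
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:6543           0.0.0.0:0              LISTENING       1656
  TCP    192.168.1.5:1054       192.0.2.10:80          ESTABLISHED     928
  UDP    0.0.0.0:445            *:*                                    4
"""
# Constructed sample of "tasklist" output (not captured from a real host)
TASKLIST_SAMPLE = """\
Image Name                   PID Session Name     Session#    Mem Usage
System Idle Process            0 Console                 0         16 K
System                         4 Console                 0        236 K
svchost.exe                  928 Console                 0      4,920 K
suspect.exe                 1656 Console                 0      2,100 K
"""
BASELINE_PORTS = {135, 139, 445}  # assumed normal Windows listeners; tune per host

def parse_netstat(text):
    """Yield (proto, port, state, pid) for every TCP/UDP row of "netstat -ao"."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        # UDP rows have no State column, so the PID is always the last field
        state = parts[3] if parts[0] == "TCP" else "-"
        port = int(parts[1].rpartition(":")[2])
        yield parts[0], port, state, int(parts[-1])

def parse_tasklist(text):
    """Map PID -> image name from "tasklist" output (names may contain spaces)."""
    pattern = re.compile(r"^(.+?)\s+(\d+)\s+\S+\s+\d+\s+[\d,]+ K$")
    names = {}
    for m in map(pattern.match, text.splitlines()):
        if m:
            names[int(m.group(2))] = m.group(1)
    return names

def listening_ports(netstat_text, tasklist_text):
    """Join listening ports with the owning process; flag ports outside the baseline."""
    names = parse_tasklist(tasklist_text)
    report = []
    for proto, port, state, pid in parse_netstat(netstat_text):
        if proto == "TCP" and state != "LISTENING":
            continue
        flag = "ok" if port in BASELINE_PORTS else "CHECK"
        report.append((proto, port, pid, names.get(pid, "<no such PID>"), flag))
    return sorted(report)
```

Each report row is (protocol, port, PID, image name, flag); a listening port owned by an image you do not recognise is the case the article tells you to look into.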

4. FIND -- nemesis of bundled files

Many people have been bitten by file-bundled Trojans: on the surface the file looks like a picture of a pretty girl, but a Trojan is hidden inside. Bundling a Trojan with another file is a common way of hiding it, and checking suspicious files in time can often prevent more serious consequences. Various tools for checking bundled files can be found on the Internet, but in Windows a simple check can be done from the command line with the string search command FIND. Its main function is to search for a string in a file, and we can use it to check for bundled files. Method: at the command line run "find /C /I "This program" <path of the file to check>" (without the outer quotation marks). The string comes from the DOS-stub message "This program cannot be run in DOS mode." that the linker places at the start of every Windows executable, so each executable bundled into a file contributes one hit. For an EXE file the count returned should normally be 1; if it is greater than 1, be careful. For a non-executable file such as an image the count should normally be 0; if it is greater than 0, pay attention. Note that a custom or packed DOS stub may not carry this text, so a normal count is not proof that a file is clean.
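As an added example (not part of the original article), here is the FIND check and its structural generalization in Python: count_stub_strings reproduces the "This program" count, while find_pe_headers walks every MZ header to its PE signature, which also catches a bundled executable whose DOS-stub text was removed. The PE-shaped blobs and the image bytes are constructed test data, not real files.

```python
import struct

DOS_STUB_TEXT = b"This program"  # start of "This program cannot be run in DOS mode."

def count_stub_strings(data):
    """The article's FIND /C heuristic: how many DOS-stub messages the file contains."""
    return data.count(DOS_STUB_TEXT)

def find_pe_headers(data):
    """Offsets of every MZ header whose e_lfanew field points at a valid PE signature.

    This is the structural version of the FIND check: it also catches a bundled
    executable whose DOS stub was replaced and no longer carries the usual text.
    """
    offsets = []
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            pe = pos + e_lfanew
            if pe + 4 <= len(data) and data[pe:pe + 4] == b"PE\0\0":
                offsets.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return offsets

def verdict(data, expect_executable):
    """Apply the article's rule: an EXE should hold exactly one executable, other files none."""
    found = len(find_pe_headers(data))
    expected = 1 if expect_executable else 0
    if found == expected:
        return "clean"
    return "suspicious: %d embedded executable(s) found, %d expected" % (found, expected)

def build_fake_pe(with_stub_text=True):
    """Constructed minimal PE-shaped blob (not a real program): MZ header, stub, PE signature."""
    header = bytearray(b"MZ" + b"\0" * 0x3E)          # 64-byte IMAGE_DOS_HEADER
    struct.pack_into("<I", header, 0x3C, 0x80)       # e_lfanew -> PE signature at 0x80
    stub = b"This program cannot be run in DOS mode.\r\n$" if with_stub_text else b""
    body = bytes(header) + stub
    return body + b"\0" * (0x80 - len(body)) + b"PE\0\0" + b"\0" * 20

# Constructed inputs: a JPEG-looking file and the same file with an executable bundled
FAKE_IMAGE = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 64
BUNDLED_IMAGE = FAKE_IMAGE + build_fake_pe()
```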

5. NTSD -- the powerful terminator

Today's viruses are increasingly cunning, and it often happens that you can find the process but cannot end it: neither Task Manager nor the TASKKILL command mentioned above can terminate it. We could turn to process management tools such as the powerful Process Explorer or IceSword, but a little-known tool bundled with Windows can forcibly terminate most processes, including some very stubborn ones: the NTSD command.

Run the following command in the command line:

ntsd -c q -p <PID>

Here PID is the ID of the process to terminate. If you do not know it, use the Tasklist command, or open Task Manager, go to the Processes tab, choose View > Select Columns and tick "PID (Process Identifier)" to display it.

Apart from a few core processes such as System, SMSS.EXE and CSRSS.EXE, NTSD can forcibly terminate almost any process, reaching nearly the same level as IceSword. Note that ntsd.exe ships with Windows XP and Server 2003; later Windows versions do not include it, and it has to be obtained with the Debugging Tools for Windows.

6. FTYPE -- file association repair expert

Like file bundling, tampering with file associations is another common trick of viruses and Trojans. The usual repair is to edit the registry, but registry operations are tedious and error-prone. Windows has a more convenient command-line tool, FTYPE, that can easily restore a file association. The association for exefile is the one most often modified; its normal value is "%1" %*, and you only need to run the following at the command line:

ftype exefile="%1" %*

To repair the association of txtfile, enter:

ftype txtfile=%SystemRoot%\system32\NOTEPAD.EXE %1

7. FC -- registry monitor

As we all know, many viruses and Trojans make the registry their target, the file association tampering above being one example, and today's so-called rogue software likewise adds entries to the registry that have no business being there, so monitoring the registry has become very necessary. Many registry monitoring programs have appeared for this reason, but we can achieve monitoring using only the tools Windows provides (here "monitoring" mainly means checking what changed in the registry between two points in time).

The following shows how to implement this "monitoring" by examining the changes made to the registry during a software installation:

First, before installing the software, export a backup of the registry as a REG file (for example 1.reg). After the installation, export the registry again (2.reg) and run the following at the Windows XP command prompt (the /U parameter makes FC compare the files as Unicode text, which is the format regedit exports):

D:\>fc /u 1.reg 2.reg > changes.txt

Open changes.txt in the D:\ directory and you can clearly see which subkeys and values the software added to or modified in the registry. The software installation in this example is just one point in time; you can use the same method to analyse registry changes between any two points in time.
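FC reports raw line differences; as an added example (not the article's own), this Python script parses two REG exports and reports added, removed and changed keys and values by name, including hex values that regedit wraps across lines. The two exports are constructed samples, and the paths in them are assumed, not real software.

```python
# Constructed REG exports (not real registry dumps) taken before and after an install
BEFORE_REG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
"""
AFTER_REG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"updater"="C:\\Program Files\\Example\\upd.exe"
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\Program Files\\Example\\launch.exe\" \"%1\" %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Example]
"Blob"=hex:01,00,\
  02,00
"""

def parse_reg(text):
    """Parse a REG export into {key: {value name: raw value}}; "@" is the default value."""
    keys, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\") and not line.startswith("["):
            pending = line[:-1]          # hex(...) data continues on the next line
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif "=" in line and current is not None:
            name, _, value = line.partition("=")
            keys[current][name] = value
    return keys

def diff_reg(before_text, after_text):
    """List (change, key, value name, new value) between two exports: what fc shows, per value."""
    before, after = parse_reg(before_text), parse_reg(after_text)
    changes = []
    for key in sorted(set(before) | set(after)):
        if key not in before or key not in after:
            changes.append(("added key" if key in after else "removed key", key, None, None))
        old_vals, new_vals = before.get(key, {}), after.get(key, {})
        for name in sorted(set(old_vals) | set(new_vals)):
            old, new = old_vals.get(name), new_vals.get(name)
            if old != new:
                kind = ("added value" if old is None else
                        "removed value" if new is None else "changed value")
                changes.append((kind, key, name, new))
    return changes
```

A changed value under exefile\shell\open\command is exactly the file association tampering the FTYPE section repairs, and a new name under the Run key is the classic place rogue software makes itself start with Windows.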

So, what do you make of these seven anti-virus weapons of the command line? Has your view of what the command line can do changed? With this squad of anti-virus elites on call under the command line, fighting viruses will be more effective and convenient, and viruses and Trojans will find it hard to escape the net of justice.
