The most terrible thing about surfing the internet is when new viruses come out. Although we have installed various powerful anti-virus software on our computers, we also configured regular and automatic updates to the virus database, however, the virus is always updated before the virus database, so the number of attacks won't be a minority each time. Here we will list some common anti-virus methods and manually use the tool that comes with the system to kill the virus:
1. Be sure to back up the system process with tasklist before you do it yourself.
All new viruses have learned to use processes to hide themselves, so we 'd better back up the computer process list while the system is normal, of course, it is best not to run any program when you first enter windows to back up the data. If you feel that your computer is abnormal, you can compare the process list to find out the process that may be a virus.
Enter:
Tasklist/FO: CSV> G: zc.csv
The preceding command output is in the format of csvcsv to the latest zc.csv file. G: the disk you want to save. You can open the file in Excel.
2. When you do it yourself, you must be eye-catching-use FC to compare the process list file
If you feel that your computer is abnormal or you know that there is a virus recently, check the computer.
Enter the command prompt and enter the following command:
Tasklist/FO: CSV> G: yc.csv
Generate a previous yc.csv file list, and enter:
Fc g: \ zccsv G: \ YC. CSY
Abnormal process.
3. Make sure that the evidence is conclusive. Use netstat to view open ports.
How can we determine whether a suspicious process is a virus? According to most viruses (especially Trojans), the virus is transmitted through external connections through the port. You can check the port occupation.
Enter:
Netstat-a-n-o
The parameter description is as follows:
A: displays information about all ports that are connected to the host.
N: displays the PID code of the port opening process.
O: Display address and port information in digital format
By viewing the network program running on the local machine, you can determine that this is an illegal connection!
The connection parameters are as follows:
Listeninc: indicates that the listener is in the listener State. That is to say, the port is open and is waiting for connection, but it is not connected yet. Only the TCP Service port can be in the listeninc state.
Established means to establish a connection.
The two machines are communicating.
Time-Wait indicates that the connection has ended.
It indicates that the port has been accessed but the access is over. It is used to determine whether an external computer is connected to the local computer.
4. Be sure to stop the process with ntsd.
Although “winion0n.exe is an illegal process, many virus processes cannot be terminated through the Task Manager. What should I do?
Enter the following command at the command prompt:
Ntsd-C q-P 1756
After you press enter, the virus process can be successfully ended.
Tip: "1756" is the process PID value. If you do not know the process ID, open the task manager and click "View> Select column> check PID (process identifier.
Ntsd can forcibly terminate all processes except sytem, SMSs. EXE, and CSRSS. EXE.
5. After determining the virus, you must cut the root and find the original file of the virus.
Find the hidden location of a virus file, and delete it by searching "all local partitions", "search system folders and hidden files and folders.
However, in this case, the main Virus File is deleted. By viewing its attributes, the file is searched again based on the Creation period and size of the file, and its associates are found and deleted.
If you are not sure that there are other files that are related to them, search for the virus information on the Internet for help.
6. the battlefield must be cleaned after viruses are cleared.
Manual repair of the Registry although the virus file is deleted, but the virus will leave a junk key value in the registry, you also need to clear the garbage.
1. Use Reg export for backup.
Because of the large number of self-boot key values, it is inconvenient to manually search for viruses.
Here, we use Reg export + Batch Processing Command for backup.
Start notepad and enter the following command:
Reg export HKLM \ Software \ Microsoft \ Windows \
CurrentVersion \ Run FO: \ hklmrun. Reg
Reg export hkcu \ Software \ Microsoft \ Windows \
CurrentVersion \ Policies \ Explorer \ Run f: \ hklcu. Reg
Reg export HKLM \ Software \ Microsoft \ Windows \
CurrentVersion \ Policies \ Explorer \ Run hklml. Reg
Note: Only a few copies of common key values are listed here. For other key values, refer to the above method.
Save it as ziqidong. BAT and run it at the command prompt to back up all the self-boot key values to the corresponding reg file, and then enter:
Copy F: \ *. Reg ziqidong.txt
The command outputs all the corresponding regfiles to “ziqidong.txt. In this way, if you find that the virus has added a self-starting item, export the self-starting value the same time, and use the FC command described above to compare the two TXT files before and after, you can quickly find the newly added auto.
2. Use Reg Delete to delete the new auto-START key value.
For example, in [hker_current_user \ Software \ Microsoft \
Windows \ CurrentVersion \ Run], find a "Logon" auto-start item, start the program as "C: \ WINDOWS \ winlogon.exe", and enter the following command to delete the virus auto-START key value:
Reg Delete HKLM \ SOFTWARE \ microssoft \ windows \
CurrentVersion \ Run/F
3. Use Reg import to restore the registry.
Reg de-Lete Delete is the entire run key value. Now you can use the backed up reg file to restore the registry quickly by entering the following command: Reg import F: \ hklmrun. Reg
The above describes several system commands for manual antivirus. In fact, as long as these commands are used, we can kill most of the viruses. Of course, we must back up the virus at ordinary times.
Tip: the above operations can also be performed manually in the Registry Editor, but the reg command has the advantage that even if the Registry Editor is set to disabled by viruses, you can also use the preceding command to export, delete, or import data, which is faster!
7. Bind a wooden marker-find
The above section describes how to use system commands to kill common viruses. Next we will introduce a "find" command to detect bundled Trojans.
I believe that many online worms have suffered from bundling wooden knives. These "wolves with sheepskin" often hide behind pictures, Flash files, and even music files.
When we open these files, although it is indeed an image (or flash) displayed in the current window, the hateful Trojan has been quietly running in the background.
For example, I received a Super Girl wallpaper from my friend from QQ, but when I opened the image, I found that the image was already opened with the "image and fax viewer, the hard drive indicator has been flashing.
Apparently, while I opened the image, some unknown programs were running in the background.
Now, run the find command to check whether the image is bound with a Trojan. at the command prompt, enter:
Find/C/I "this program" G: \ chaonv.jpe.exe, where:
G: \ chaonv.jpe.exe indicates the file to be detected.
The prompt returned by the find command is "___ G: chaonv. EXE: 2", which indicates that "G:, chaonv. EXE" is indeed bundled with other files.
Because the find command detects: if it is an EXE file, the return value should be "1" under normal circumstances; if it is a non-executable file, the return value should be "0" under normal circumstances ", pay attention to other results.
Tip: success. This file is fooled only when the JPG file icon is used.
Open "my computer", click "Tools> Folder Options", and click "View" to remove the marker before "hide the file extensions of known types, you can see the true colors of "Wolf.
VIII. Summary
Finally, let's summarize the manual virus process:
Back up the process list with tsklist → identify the virus through the FC comparison file → judge the process with netstat → terminate the process with find → search for the virus and delete → use Reg command to repair the registry.
In this way, the entire manual virus detection and antivirus process is completed from virus detection, virus deletion, and registry repair.