Use Windows PE to check and clear computer viruses and rogue software

Source: Internet
Author: User

In today's networked world, computer viruses, Trojans, and rogue software are a serious threat to the security and stability of computer systems. How to detect and remove them effectively has always been an important topic in the anti-virus field.
The usual method of detecting and removing viruses relies on dedicated anti-virus software. Such software is backed by experts and developers who specialize in malware, and it works reasonably well against most common viruses. Many people are reassured when the anti-virus program fills the screen with a list of detected viruses.
But is anti-virus software all-powerful? Vendors spare no effort in advertising their products and remind you to update the virus database every day. Does doing so really make your computer safe?
No anti-virus software can guarantee that. New viruses appear almost every day, and many are not yet in any vendor's database. There are also many ways to make small changes to a virus so that anti-virus software no longer recognizes it. Some viruses and rogue software are also very stubborn: the anti-virus software detects them but cannot remove them, usually because the file is locked while the virus is running and the software cannot modify it. So we cannot rely on anti-virus software alone.
In addition, much anti-virus software behaves rather like a virus itself: it consumes a large share of system resources, and it collects information about your computer and sends it to the vendor's technical center. With real-time monitoring enabled, many machines run as slowly as a snail.
It is therefore worth having more effective ways to find and remove viruses. The following methods are commonly used in practice, and in my experience they work well; they often succeed where anti-virus software is helpless.

Windows PE

Windows PE stands for Windows Preinstallation Environment. Microsoft originally provided it to OEMs and large customers as a tool for deploying Windows in bulk, but people soon found it very well suited to system maintenance and recovery, and many maintenance tools based on Windows PE have appeared as a result.
Windows PE has several notable features. First, it uses the Windows XP/2003 kernel, so it natively supports file systems such as FAT, NTFS, and CDFS. Second, it does not need to be installed: it boots and runs directly from a CD. Once started, it is effectively a miniature Windows system. It reboots automatically after 24 hours, but that has practically no impact on maintenance work.
Windows PE does not load any executable files from the hard disk while booting, so even if the hard disk is infected with a virus, the infection has no effect on Windows PE: the system booted from Windows PE is clean, provided the Windows PE media itself comes from a trusted source.

If anti-virus software could be installed and run in Windows PE, that would be ideal. Unfortunately, almost no current anti-virus product can be installed or run there. There is still good news, though: the SuperDAT package that McAfee releases regularly (its virus definition update) also contains a command-line scanner. With it you get the full benefit of McAfee's detection engine, so after booting Windows PE you can use this command-line tool to scan and disinfect the hard disk. The tool is completely free, so there is no question of genuine versus pirated copies; it is simply a free lunch that falls from the sky.

To use this free tool, first download the McAfee SuperDAT package (file name sdatXXXX.exe, where XXXX is a number) and save it to the hard disk. Then boot the computer from Windows PE, open a command prompt, and change to the folder containing the package. Enter the following command:
sdatXXXX.exe /e
This extracts the scanner program and the virus definitions from the package. After about 20 seconds the extraction finishes and you will find scan.exe in the same folder.
You can then run this program to check for and remove viruses.
The command to scan for viruses is
scan C:
The command to scan and clean infected files is
scan C: /clean
(scan /? lists the remaining options, for example to scan subdirectories, scan all file types, or write a report file.)

Use Windows PE to check for rootkit Trojans and viruses

Some viruses now use rootkit techniques that prevent you from seeing the virus files at all. Even with both "show system files" and "show hidden files" enabled, you cannot see them. There is a very simple way to detect this kind of virus, which I learned from a Microsoft technician and pass on here. The key is the dir command.
First, boot the computer normally (not from Windows PE), open a command prompt, and change to a suspicious folder, for example C:\Windows.
Then enter dir *.* /A /S > D:\list1.txt
This saves the names and sizes of all files under C:\Windows to D:\list1.txt.
Next, boot the computer from Windows PE and repeat the same steps, this time writing the output to D:\list2.txt. (Windows PE may assign drive letters differently from the installed system, so check which letters the Windows volume and your output drive have before running the command.)
Finally, compare the two files with a text comparison tool. If an executable file (.EXE, .DLL, .OCX, .SCR and so on) appears in list2.txt but not in list1.txt, it is almost certainly a problem file. You can delete it directly with the Windows PE file manager, or move it somewhere safe for later analysis. Differences in log, temporary, and prefetch files are normal between two boots, which is why only executable files matter here.
This method exploits a characteristic of rootkit Trojans: they hide the file from normal viewing on the running system, but a system booted from Windows PE is not affected by the rootkit, so the file is visible there.

The dir command can be used in another way as well. Many viruses and Trojans copy themselves into C:\Windows or C:\Windows\system32 and set the system and hidden attributes on the copies. In that case, simply boot Windows PE and run the following command at the command prompt:
dir /A:HS /S C:\Windows
Note: replace C:\Windows with your own Windows installation folder.

Any files this lists with a .DLL or .EXE extension are very likely Trojans or viruses. Of course, Trojans and viruses do not hide only in these places; I have also seen viruses hidden in the temp folder.

This command lists all files under the folder that have both the hidden and system attributes. Normal files there generally do not carry both attributes (a few, such as desktop.ini, do, so concentrate on executable files), while most viruses and Trojans set them, so the command picks out such viruses and Trojans.

Some Trojans that use rootkit techniques (such as Gray Pigeon) cannot be seen even with this command, but the file is still included in the file count printed at the end of the listing. If the number of files you actually see differs from the count shown after the command output, a Trojan or virus of this kind is probably involved.
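As an added illustration (my own code, not part of the original article and not a Microsoft or McAfee tool), the following Python script performs the comparison step of the two-listing method above and the checks for the dir /A:HS /S method: it parses dir output, reports executables that appear only in the Windows PE listing, and flags directories whose "N File(s)" summary disagrees with the entries printed above it. The listings embedded in it are constructed, trimmed samples, the file names example_hidden.dll and example_dropper.exe are invented placeholders, and the script assumes US-English dir output.

```python
"""Added example (not from the article): compare `dir *.* /A /S` listings taken
from the live Windows installation and from Windows PE, and check a
`dir /A:HS /S` listing for the file-count mismatch the article describes."""
import ntpath
import re

# The article names .exe/.dll/.ocx/.scr; .sys and .com are added as other
# directly loadable code.
EXEC_EXTS = {".exe", ".dll", ".ocx", ".scr", ".sys", ".com"}
DIR_HEADER_RE = re.compile(r"^\s*Directory of (.+?)\s*$")
# date, time (12h or 24h), "<DIR>"/"<JUNCTION>" or a size, then the name.
# Assumes US-English dir output; loosen the first group for other locales.
ENTRY_RE = re.compile(
    r"^(\S+)\s+(\d{1,2}:\d{2}(?: [AP]M)?)\s+(<[A-Z]+>|[\d,.]+)\s+(.+?)\s*$")
# per-directory summary, e.g. "               5 File(s)      1,234 bytes"
COUNT_RE = re.compile(r"^\s*(\d+) File\(s\)\s+[\d,.]+ bytes\s*$")


def parse_dir_listing(text, strip_drive=True):
    """Return ({path: size}, [(directory, entries_listed, count_reported)]).
    Paths are lower-cased and, by default, stripped of the drive letter because
    Windows PE may mount the system volume under a different letter.  The list
    names directories whose "N File(s)" summary disagrees with the entries
    actually printed above it."""
    files, mismatches, current, listed = {}, [], None, 0
    for line in text.splitlines():
        m = DIR_HEADER_RE.match(line)
        if m:
            current, listed = m.group(1), 0
            continue
        if current is None:  # volume banner or the final totals block
            continue
        m = ENTRY_RE.match(line)
        if m:
            kind, name = m.group(3), m.group(4)
            if not kind.startswith("<"):  # skip <DIR>, <JUNCTION>, <SYMLINKD>
                key = (current + "\\" + name).lower()
                if strip_drive:
                    key = re.sub(r"^[a-z]:", "", key)
                files[key] = int(re.sub(r"[,.]", "", kind))
                listed += 1
            continue
        m = COUNT_RE.match(line)
        if m:
            if int(m.group(1)) != listed:
                mismatches.append((current, listed, int(m.group(1))))
            current = None
    return files, mismatches


def executables(paths):
    return sorted(p for p in paths if ntpath.splitext(p)[1] in EXEC_EXTS)


def visible_only_in_pe(live_listing, pe_listing):
    """Executables the PE listing shows but the live listing does not: the
    candidates for files a rootkit hides from the running system."""
    live, _ = parse_dir_listing(live_listing)
    pe, _ = parse_dir_listing(pe_listing)
    return executables(p for p in pe if p not in live)


def hidden_system_executables(hs_listing):
    """From a `dir /A:HS /S` listing: executables carrying hidden+system
    attributes, plus directories whose file count looks tampered with."""
    files, mismatches = parse_dir_listing(hs_listing)
    return executables(files), mismatches


# Constructed, trimmed dir output: the live system (volume C:) ...
LIVE_LISTING = r"""
 Directory of C:\Windows
08/04/2004  12:00 PM    <DIR>          .
08/04/2004  12:00 PM         1,032,192 explorer.exe
               1 File(s)      1,032,192 bytes
 Directory of C:\Windows\system32
08/04/2004  12:00 PM           983,552 kernel32.dll
               1 File(s)        983,552 bytes
"""
# ... and the same volume from Windows PE, which mounted it as D: and sees one more file
PE_LISTING = r"""
 Directory of D:\Windows
08/04/2004  12:00 PM         1,032,192 explorer.exe
               1 File(s)      1,032,192 bytes
 Directory of D:\Windows\system32
08/04/2004  12:00 PM           983,552 kernel32.dll
03/15/2007  01:02 AM            24,576 example_hidden.dll
               2 File(s)      1,008,128 bytes
"""
# Constructed `dir /A:HS /S C:\Windows` output whose C:\Windows summary counts
# one file more than it printed
HS_LISTING = r"""
 Directory of C:\Windows
03/15/2007  01:02 AM            40,960 example_dropper.exe
               2 File(s)         40,960 bytes
 Directory of C:\Windows\system32
03/15/2007  01:02 AM            24,576 example_hidden.dll
               1 File(s)         24,576 bytes
"""

if __name__ == "__main__":
    print("visible only from PE:", visible_only_in_pe(LIVE_LISTING, PE_LISTING))
    print("hidden+system executables:", hidden_system_executables(HS_LISTING))
```

To use it on real captures, read list1.txt and list2.txt into strings and pass them to visible_only_in_pe; the drive letter is stripped before comparison precisely because the Windows volume is often not C: when seen from Windows PE.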
