Note: This applies to Windows 2000 and later systems.
In the internet age, viruses are everywhere. With endless, ever-changing virus attacks, getting hit is basically inevitable. So how should we deal with it (and we must deal with it, otherwise the computer cannot work for you)? Format the system and reinstall Windows, or ask someone to help...? Because of my profession, I have to fight these annoying things, and I have gradually accumulated some effective methods, offered here for everyone's reference.
I. Some symptoms of infection
How do we know there is a virus in the computer? In fact, an infected computer is like a sick person: there are always some obvious symptoms. For example, the machine runs very slowly, it cannot get on the network, the anti-virus software cannot be upgraded, Word documents cannot be opened, the computer does not start, hard disk partitions cannot be found, data is lost, and so on. These are all symptoms of infection.
II. Diagnosing the infection
1. Press Ctrl+Shift+Esc (all three keys at once) to bring up Windows Task Manager and look at the processes the system is running. Find the unfamiliar processes and write down their names (this takes experience); if they turn out to be viruses, this makes the later cleanup easier. Do not end these processes for the time being, because some virus or illegitimate processes cannot be ended here. Click Performance to view the current state of the CPU and memory; if CPU utilization is close to 100% or memory usage is high, the probability that the computer is infected is 95%.
2. View the services Windows has currently started: open Services under Administrative Tools in Control Panel. In the right pane, look at the items whose Status is "Started" and whose Startup Type is "Automatic". Generally speaking, a normal Windows service has a description (a handful of hacker or worm services aside). Double-click any service you think has a problem and view the path and name of the executable file in its properties. If its name and path is C:\winnt\system32\explored.exe, the computer is infected. There is also the case where Control Panel will not open, or all of its icons sit on the left side with a vertical scroll bar while the right side is blank, and double-clicking Add/Remove Programs or Administrative Tools opens an empty window; these are the characteristics of an attack by the virus file Winhlpp32.exe.
3. Run Registry Editor (the command is regedit or regedt32) and view all the programs that start with Windows. Mainly look at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and the several RunOnce keys that follow it, and check the values listed in the right pane for illegitimate startup items. On Windows XP, running Msconfig serves the same purpose. As you accumulate experience, you can easily recognize a virus startup item.
4. Judge from Internet access in the browser. With the Gaobot virus that broke out a while ago, sites such as yahoo.com and sony.com can be reached, but the websites of well-known security vendors such as www.symantec.com and www.ca.com cannot, and an installed Symantec Norton 2004 anti-virus cannot update over the Internet.
5. Turn off file hiding, then view the system folder Winnt (Windows)\system32. If the folder appears empty when opened, the computer has been infected. Once System32 is open, you can sort the icons by type to see whether any executable files of currently circulating viruses are present. While you are there, check the folders Tasks, wins and drivers; some current virus executables hide in them. The hosts file under drivers\etc is something viruses like to tamper with: it was originally only about 700 bytes, and after tampering it is more than 1 KB. This is why ordinary websites can be reached while security vendors' sites cannot, and why well-known anti-virus software cannot update.
6. Judge from the anti-virus software: if the computer is infected, the anti-virus software is automatically terminated by the virus program, and manual updates fail.
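The checks in steps 2, 3 and 5 can be collected in one read-only pass. The script below is an added example, not part of the original article; it assumes a newer Windows system with PowerShell 3.0 or later and an elevated prompt, and it only lists what it finds so that the judgment described above can be applied.

```powershell
# Added example: read-only triage of the places diagnosis steps 2, 3 and 5 inspect.
# Assumption: PowerShell 3.0+ (Get-CimInstance), run as administrator.

# Step 2: running services that start automatically, with their executable path.
# A missing description is a reason to look closer, not proof of infection.
$services = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.StartMode -eq 'Auto' -and $_.State -eq 'Running' } |
    Select-Object Name, PathName,
        @{ Name = 'NoDescription'
           Expression = { [string]::IsNullOrWhiteSpace($_.Description) } }

# Step 3: programs that start with Windows (Run and RunOnce under HKLM).
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
$startup = foreach ($key in $runKeys) {
    if (Test-Path -Path $key) {
        $item = Get-Item -Path $key
        foreach ($name in $item.GetValueNames()) {
            [pscustomobject]@{
                Key     = $key
                Name    = $name
                Command = $item.GetValue($name)
            }
        }
    }
}

# Step 5: hosts file size and every active line other than "127.0.0.1 localhost".
$hostsPath  = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$hostsSize  = (Get-Item -Path $hostsPath).Length
$hostsExtra = @(Get-Content -Path $hostsPath |
    ForEach-Object { ($_ -replace '#.*$', '').Trim() } |   # drop comments
    Where-Object { $_ -and $_ -notmatch '^127\.0\.0\.1\s+localhost$' })

# Report: services without a description first, then startup items, then hosts.
$services | Sort-Object NoDescription -Descending | Format-Table -AutoSize -Wrap
$startup  | Format-Table -AutoSize -Wrap
"hosts: $hostsSize bytes, $($hostsExtra.Count) active line(s) besides localhost"
if ($hostsSize -gt 1024) { 'hosts is larger than 1 KB: review the lines below' }
$hostsExtra
```

Any extra hosts line that maps a security vendor's site to another address matches the symptom in step 4, where ordinary sites load but vendor sites and anti-virus updates do not.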
III. Removing the virus
1. In the registry, remove the illegitimate programs that start with the system, then search the registry for all of their remaining keys and values and delete them. Virus programs that start as system services hide under hkey_local_machine\system\controlset001\services and controlset002\services; find them and then destroy them.
2. Stop the problem service and change its startup type from Automatic to Disabled.
3. If the file system32\drivers\etc\hosts has been tampered with, restore it: keep only the one valid line, "127.0.0.1 localhost", and delete the remaining lines. Then set the hosts file to read-only.
4. Restart the computer and press F8 to enter "Safe Mode with Networking". The goal is to keep the virus programs from starting while you patch Windows and update the anti-virus software.
5. Search for the virus executable files and delete them manually.
6. Apply the Windows update patches and update the anti-virus software.
7. Shut down unnecessary system services, such as the Remote Registry Service.
8. After step 6 is complete, run a comprehensive scan of the system with the anti-virus software to destroy anything that slipped through the net.
9. After the previous step is complete, restart the computer; all operations are then finished.
IV. Recommendations
Preventing viruses matters far more than killing them, so establishing strict preventive measures is very necessary. In large and medium-sized networks, software and hardware measures should be combined into layered, three-dimensional protection. The ideal situation is: at the Internet access point, an external firewall, followed by an antivirus gateway (the Panda defender is cost-effective), and then the router; in the server area, the application servers can be configured with server anti-virus software; then, behind the intranet firewall, set up an antivirus server, and have each user install the anti-virus software's managed client.