Comments: Windows systems integrate numerous tools that perform their respective duties to meet different application requirements of users. In fact, these tools are "versatile". If you have enough imagination and are good at mining, you will find that they can also help us to counter viruses in addition to the industry. I. The task manager gives a knife to the virus
Windows Task Manager is the main tool for you to manage processes. You can view the current system process information on its processes tab. By default, you can only view the image name, user name, CPU usage, memory usage, and other items, more information such as I/O read/write and virtual memory size is hidden. Don't underestimate the hidden information. When the system encounters an inexplicable fault, you may be able to find a breakthrough from them.
1. Scan and kill dual-process Trojans that will automatically disappear
In the previous period, a trojan was found on the computer, and the task manager found the trojan as system.exe ". After terminating the trojan, the computer refresh and the trojan will be revived. In safe mode, delete c: \ windows \ system32 \ system.exe. After the system is restarted, it will be reloaded. From this point of view, the two-process Trojan should be among friends. This trojan has a monitoring process and will be scanned regularly. Once it is found that the monitored process is killed, it will be revived. In addition, many dual-process Trojans are mutually monitored and revived. Therefore, the key to killing is to find the two trojan files that "depend on each other. You can find the Trojan process by using the pid id of the task manager.
To call up the Windows Task Manager, check "PID (process identifier)" in "View> Select column". Then, the pid id of each process is displayed in the Task Manager window. In this way, when we terminate a process, it will be regenerated and then identified by the PID to find its parent process. Start the Command Prompt window and run the "taskkill/im system.exe/f" command. Refresh the computer and input the Statement 1. You can see that the PID of the final system.exe process is 1536, which belongs to a process with PID 676. In other words, the system.exe process with pidas 1536is created by a process with PID 676. Return to the task manager and query the process PID to find that the process is a worker internet.exe process. ()
Figure 1 PID process query
After finding the culprit, You can restart the system to enter the safe mode. Use the search function to find the trojan file c: \ windows \ internet.exe and delete it. The main reason is that internet.exe is not found (and its startup key value is not deleted). As a result, internet.exe restarts the trojan after it enters the system.
2. Find out P2P programs that write hard disks.
Once a computer is connected to the Internet, it finds that the hard drive lights keep flashing and the hard drive is spinning. It is clear that there are programs on the machine that are reading data, but no virus, Trojan, or other malicious programs have been detected repeatedly.
Open the computer and access the internet. Press Ctrl + Alt + Del to start the task manager. Switch to the process tab and click View> Select column in the menu ", select "I/O write" and "I/O write Byte. After confirmation, the task manager will find a strange process, hidel.exe. Although the CPU and memory occupied by it is not very large, the I/O write volume is astonishing, it seems to be a zombie, right-click it and select "Stop process" to terminate. The hard disk read/write has been restored to normal.
Ii. Anti-Virus and invisible system backup tools
I have encountered a virus "C: \ Program Files \ Common Files \ PCSuite \ rasdf.exe" that cannot be deleted. At the same time, I cannot copy the file and how to clear it. The system backup tool is used to clear the virus. The procedure is as follows:
Step 1: Click Start → all programs → attachments → System Tools → backup. In the backup or restoration wizard window, select "let me select the content to back up" for the backup project ", go to C: \ Program Files \ Common Files \ PCSuite ".
Step 2: continue with the backup wizard and save the backup file as "g: \ virus. "bkf", select "use Volume Shadow Copy" for the backup option, and complete the Backup Based on the default settings for the remaining operations.
Step 3: Double-click "g: \ virus. bak" to open the backup or restoration wizard and restore the backup to "g: \ virus ". Next, open "g: \ virus.exe, use the virus script to open the virus file named rasdf.exe", and delete several lines of code and save the Code. In this way, the virus is damaged by the notepad (it can no longer run ).
Step 4: perform the same operation as above. Recreate the "k: \ virus" backup to "k: \ virus1.bkf ". Start the restore wizard, select "C: \ Program Files \ Common Files \ PCSuite \" as the restore location, and select "replace existing Files" as the restore option ". In this way, although the current virus is running, the backup component can still Replace the current virus with a bad virus file. After the restoration is complete, the system prompts you to restart. After the restart, the virus will not start (because it has been damaged by notepad ).
3. Murder with a knife in Notepad
1. Dual-process trojan detection and removal
Nowadays, more and more Trojans use the dual-process daemon technology to protect themselves. They are two code programs with the same function, constantly checking whether the other party has been terminated. If the other party has been terminated, then we started to create the other party, which made it very difficult for us to scan and kill. However, this type of Trojan horse also has a weakness. It only uses the process list process name to determine whether the daemon process exists. In this way, we only need to use the Notepad program to replace the Trojan process, so that we can "cheat" the daemon process.
The following uses the trojan detection and removal of a variant as an example. After the trojan is recruited, the two processes of the Trojan will monitor each other. Of course, most of us do not know the specific monitoring process of Trojans. The process name can be used to tell you that running systemtray.exe is an abnormal process because it is not in a normal process. The following describes how to use the replacement method to kill the Trojan.
Step 1: configure the path to C: \ Windows \ System32.
Step 2: Open "C: \ Windows \ system32.pdf, copy the program" notepad.exe "to" D: \ ", and rename" systemtray.exe "at the same time ".
Step 3: Open the Notepad program, enter the following code, save it as "shadu. bat", and place it on the desktop (the brackets are comments and do not need to be entered ):
@ Echo off
Taskkill/f/im systemtray.exe (use the taskkillcommand to force the process to stop running systemtray.exe)
Delete C: \ Windows \ System32 \ systemtray.exe (Delete virus files)
Copy d: \ systemtray.exe C: \ Windows \ System32 \ (replace the Virus File)
Step 4: Now you only need to run mongoshadu.bat”on the desktop. The system will terminate and delete the "cmdsystemtray.exe" process, and copy the renamed Notepad program to the system directory. In this way, the daemon will mistakenly think that the daemon still exists, and it will immediately start a Notepad program.
Step 5: Find the monitoring process and delete it. at the command prompt, enter:
The "taskkill/f/im systemtray.exe cute" process was created by the "PID 3288 process". Open the task manager and you can see that "PID 3288's process is always internet.exe", which is the culprit of the regeneration process ".
Step 6: follow the instructions in step 1 to open the system information window. You can see that the specified internet.exegion is also in the system directory, and then stop the internet.exe process and go to the system directory to delete the above two files.
2. invalidate and delete the virus
As you know, all files are encoded. In theory, the Notepad program can open any file (but some files are garbled ). We can associate the virus opening method with notepad to enable it to be opened by notepad, and thus the function of evil is lost. For example, some stubborn viruses often generate hard-to-delete key values at startup locations such as "HKEY_CURRENT_USER \ Software \ Microsoft \ Windows \ CurrentVersion \ Run" in the Registry to enable malicious startup. Next we will use NotePad to "discard" the vitality of the virus.
Step 1: Start the command prompt and enter "ftype exefile1_notepad.exe % 1" to associate all open methods of EXE programs with notepad programs. After restarting the system, we will find that several programs are automatically started on the desktop, this includes the system's normal programs, such as the input method and Volume Adjustment Program, and of course malicious startup rogue programs, but now they are all opened by notepad.
Step 2: Find the virus program according to the title of the notepad window, such as the systemtray.exe program in the previous example. Find the notepad window and click "File> Save ", we can see that the specific virus path is under "C: \ Windows \ System32. Close the notepad window and follow the prompts above to go to the system directory to delete the virus.
Step 3: After the virus is deleted, you can delete the virus startup key, restart the computer, press F8, and select "safe mode with command prompt" in the security mode menu ", after entering the system, the command prompt is automatically opened. Enter "ftype exefile =" % 1 "% *" to restore the open exe file.
Iv. Registry image hijacking makes viruses unfit
Currently, all viruses use the IFO technology. The common method is image hijacking, which uses the following key values in the registry.
HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows NT \ CurrentVersion \ Image File Execution Options to change the location of the program call, but the virus uses this to steal normal anti-virus SOFTWARE into a virus program. On the contrary, we can use the trojan here to deceive the virus and make it practical. It can be said that the sky passes through the sea, and the governance of its people.
The following uses KAVSVC. EXE as an example to shield an unknown virus. The procedure is as follows:
Step 1: first create the following text file, enter the following content, and save it as 1.reg
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows NT \ CurrentVersion \ Image File Execution Options \ KAVSVC. EXE]
"Debugger" = "d: \ 1.exe"
[HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows NT \ CurrentVersion \ Image File Execution Options \ KAVSVC. EXE]
"Debugger" = "d: \ 1.exe"
(Note: The first line of code has a blank line .)
Step 2: Double-click to import the reg file and click OK.
Step 3: click "Start> Run" and enter KAVSVC. EXE.
Tip: 1.execan be a useless file. After creating a new file, we will change the suffix .txtto .exe,
Conclusion: When we are suffering from viruses and Trojans, we may wish to use system tools to scan and kill viruses and trojans when anti-virus software is powerless or we feel like "killing chickens and running a virus and Trojan", which may have unexpected results.