Windows Virus-search-kill-monitor

Source: Internet
Author: User

1. tasklist: the eyes

Viruses are getting more and more cunning and hide as much of themselves as they can, but most of them still give themselves away in the process list, so looking at the running processes is an important way to find them. The command line provides a tool for exactly this: tasklist (Windows XP or later). Run on its own it lists the active processes just as Task Manager does, but with parameters it shows information Task Manager cannot. Running "tasklist /m" lists every DLL module loaded by each process, and running "tasklist /svc" lists the services hosted in each process; this is how you see which services a given svchost.exe is loading, and the service names tell you whether that svchost.exe is genuine or a malicious process hiding behind the name. tasklist can also list the processes of a remote system. For example, entering "tasklist /s 208.202.12.206 /u friend /p 123456" at a command prompt (without the quotation marks) shows the processes on the remote system with IP address 208.202.12.206: the value after /s is the IP address of the remote system, the value after /u ("friend") is the user account tasklist will log on with, which must be a valid account on that system, and the value after /p ("123456") is that account's password. This makes remote virus hunting much more convenient for an administrator.

2. taskkill: the process killer

With tasklist as the eyes, many viruses show themselves, but the important thing is not only to find them but to remove them, and that is where another command, taskkill, comes in. To end a process, note its image name in Task Manager and run "taskkill /f /im <process name>". Alternatively, end it by PID: run "tasklist", note the PID of the process, and enter "taskkill /pid <PID>".

Someone will no doubt say this is no easier than using Task Manager directly. The unique strength of taskkill is that it can end processes Task Manager cannot abort: add the /f parameter and the process is forcibly terminated, for example "taskkill /f /pid 1606" forces an end to the process with PID 1606. taskkill can also end a whole process tree, end processes on a remote system, and filter the processes it acts on; run "taskkill /?" to see all the options.

3. netstat: the port detective

Trojans are more numerous than ever and the threat to users grows with them, so there are many dedicated Trojan-removal tools. In fact, with sensible use of the netstat command at the command line you can detect most of the Trojans hiding on a computer. Most Trojans that infect a system open a service port, and such a port is usually in the listening state, so the Trojan can be traced from the ports in use, and netstat makes that easy. Run "netstat -a" at the command line: it lists all current connection information, including established connections (ESTABLISHED) and sockets waiting for connection requests (LISTENING). In the output, Proto is the protocol, Local Address is the local address with the open port number after the colon, Foreign Address is the remote address (if the machine is communicating with another, the other side's address is shown there), and State is the status. LISTENING means the port is open and waiting. A backdoor listens on a port once it has been planted, so pay attention to the ports in the listening state: if a port number is unfamiliar, or there are a great many of them, you should be on your toes.

You can also see which process is using each port to confirm further: add the -o parameter and run "netstat -ao", which lists all connection information together with the PID of the process that owns each port.

4. find: the bundle buster

Many people have been hit by a file-bundling Trojan: on the surface it looks like a pretty picture, while a Trojan horse hides inside. Hiding through a file bundle is a regular trick of Trojans, and checking a suspicious file in time can often prevent more serious consequences, so there are tools on the Internet for checking bundled files. In Windows, a simple check can also be done cleverly from the command line with the string-search command find. Its main job is to search for strings in a file, and that can be used to check for bundled files. The method: at the command line run "find /c /i" followed by the path of the file of unknown origin (without the outer quotation marks). If it is an EXE file, the count returned should normally be 1; if it is more than 1, be careful. If it is a picture or other non-executable file, the count should normally be 0, and anything greater than 0 should be noticed.

5. ntsd: the strong terminator

Today's viruses are so cunning that you often find the process but cannot end it: neither Task Manager nor the taskkill command mentioned above can abort it. You could of course use a powerful process-management tool such as Process Explorer, but in fact a little-known tool that comes with Windows can forcibly end most processes, including some very stubborn ones: the ntsd command. Run the following at the command line:

    ntsd -c q -p PID

where PID at the end is the ID of the process to be terminated. If you do not know the process ID, look it up with tasklist. (ntsd.exe ships with Windows XP and Server 2003; later versions of Windows no longer include it.) Apart from a very few core processes such as System, smss.exe and csrss.exe, which ntsd cannot kill, any other process can be forcibly ended this way.

6. ftype: the file-association repair expert

Like file bundling, tampering with file associations is a common tactic of viruses and Trojans. The usual recovery method is to edit the registry, but registry operations are cumbersome and error-prone; a more convenient way is the command-line tool ftype, which makes restoring a file association very easy. For example, the exefile association is the one most often modified; its normal value is "%1" %*. To restore it, simply run the following at the command line:

    ftype exefile="%1" %*

To repair the txtfile association, enter:

    ftype txtfile=%SystemRoot%\system32\NOTEPAD.EXE %1

7. fc: the registry monitor

Many viruses and Trojans take the registry as their target, such as the file-association tampering mentioned above, and the so-called rogue software that is rampant today also adds values to the registry that should not be there, so monitoring the registry is very necessary. There is plenty of registry-monitoring software, but in fact the tools that come with Windows are enough for this. Here is an example of "monitoring" by tracking the registry changes made while installing a piece of software. First, back up the registry before installing the software (export it as a .reg file, for example 1.reg); after installing, export the registry again (2.reg). Then, at the Windows XP command prompt, run:

    d:\>fc /u 1.reg 2.reg > changes.txt

(/u is used because exported .reg files are Unicode text.) Open changes.txt in the root of drive D and you can see clearly which subkeys the software added to the registry and what modifications it made.

Installing software is just one specific moment in the example above; you can use this method to analyse the changes made to the registry at any time. With this group of command-line tools, an anti-virus elite waiting to be called on at any moment, fighting viruses will be more effective and more convenient, and virus Trojans will find it hard to escape the net.
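As an added example (not part of the original article), here is a Python script that automates the correlation described in sections 1 and 3: it parses saved output of "netstat -ano" (the "netstat -ao" of section 3 with -n added so addresses and ports are numeric) and "tasklist /svc", joins each listening port to its owning process and the services that process hosts, and flags ports that are not in a baseline you supply. The two sample outputs, the process name sysupd32.exe and the KNOWN_PORTS baseline are constructed for illustration.

```python
# Constructed sample of "netstat -ano" output (not captured from a real host).
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    0.0.0.0:6667           0.0.0.0:0              LISTENING       2316
  TCP    192.168.1.5:1045       203.0.113.10:80        ESTABLISHED     1720
  UDP    0.0.0.0:500            *:*                                    1032
"""
# Constructed sample of "tasklist /svc" output; sysupd32.exe is a made-up name.
TASKLIST_SAMPLE = """\
Image Name                     PID Services
========================= ======== ============================================
svchost.exe                    880 RpcEptMapper, RpcSs
svchost.exe                   1032 PolicyAgent
iexplore.exe                  1720 N/A
sysupd32.exe                  2316 N/A
"""
# Ports you already expect to be open on this host (an assumed baseline).
KNOWN_PORTS = {135, 500}

def parse_netstat(text):
    """Return (proto, local_port, state, pid) for each TCP/UDP row of netstat -ano."""
    rows = []
    for parts in (ln.split() for ln in text.splitlines()):
        if len(parts) >= 4 and parts[0] in ("TCP", "UDP"):
            # UDP rows have no State column, so the PID is always the last field.
            state = parts[3] if len(parts) == 5 else ""
            rows.append((parts[0], int(parts[1].rsplit(":", 1)[1]), state, int(parts[-1])))
    return rows

def parse_tasklist_svc(text):
    """Map PID -> (image name, hosted services) from tasklist /svc output."""
    procs = {}
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) == 3 and parts[1].isdigit():
            svcs = [] if parts[2] == "N/A" else [s.strip() for s in parts[2].split(",")]
            procs[int(parts[1])] = (parts[0], svcs)
    return procs

def listeners(netstat_text, tasklist_text, known_ports=KNOWN_PORTS):
    """Join each listening socket to its process; flag ports outside the baseline."""
    procs = parse_tasklist_svc(tasklist_text)
    out = []
    for proto, port, state, pid in parse_netstat(netstat_text):
        if proto == "UDP" or state == "LISTENING":  # skip established/outbound TCP
            image, svcs = procs.get(pid, ("<unknown>", []))
            out.append({"proto": proto, "port": port, "pid": pid, "image": image,
                        "services": svcs, "unexpected": port not in known_ports})
    return out
```

Save the real outputs with "netstat -ano > n.txt" and "tasklist /svc > t.txt", pass their contents to listeners(), and look first at the entries flagged unexpected: a port owned by an image name you do not recognise is exactly the case section 3 warns about.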
