Windows virus Trojan Basic defense and Solutions _ network security

A Basic defensive thinking: backup is better than remedy.
1. Backup, after loading the machine, first back up the C disk (System disk) WINDOWS inside, and C:\WINDOWS\system32 the file directory.
Run, CMD commands as follows;
dir/a C:\WINDOWS\system32 >c:\1. Txt
dir/a C:\Windows >c:\2. Txt
This backs up the list of files under Windows and System32, and if one day you feel the computer is having problems, the same command lists the files, and then cmd below, the FC command comparison, the format is, if you have a problem that day system32 list is 3. TXT, then FC 1. TXT 3. TXT >C:/4. Txt
Because Trojan virus most want to invoke dynamic connection library, can carry on more detailed list backup to System32, the following
CD C:\WINDOWS\system32
dir/a >c:\1. Txt
DIR/A *. DLL >c:\>2. Txt
DIR/A *. EXE >c:\>3. Txt
And then keep these backups in a place, in addition to the problem of comparison list to see what the more out of the DLL or EXE file, although some of the software is installed when the production, is not a virus trojan, but can still mention a good reference.
2. DLL in backup process, cmd command below
Tasklist/m >c:/dll. Txt
The list of DLLs for the running process will appear below the C root directory. Can be compared later, the comparison method, such as not to say, for a DLL, a check DLL is too troublesome. directly more convenient.
3. Back up the registry,
Run regedit, file--Export--all, and then find a place to save.
4. Back up C disk
Start menu, all Programs, accessories, System Tools, Backup, and then click here to explain the next step, select the content I choose to back up, and then back up the system in one of your chosen locations.
Out of the question, the same open, select Restore, and then find your backup, restore the past just.
Second, the basic defensive thinking, prevention is better than cure.
1. Turn off sharing. Close 139. 445 port to terminate XP default sharing.
2. Turn off service server,telnet, Task Scheduler, Remote registry these four. (Note that after the shutdown scheduled antivirus timing upgrades, such as scheduled tasks can not be implemented.) ）
3. Control Panel, management tools, local security policies, security policies, local policies, security options for administrators and guest users to rename, preferably a Chinese name, if the administrator's default empty command to modify the better. But the general change a name for the general game mentality of hackers is enough to deal with. A master is generally not interested in personal computers.
4. Network connection properties In addition to the TCP/IP protocol all the other disable, or simply uninstall.
5. Close remote connection, desktop, My Computer, properties, remote, just cancel inside. You can also turn off the Terminal Services service, but after the shutdown, the user name is not visible in Task Manager.
Three, the basic solution, the Process Service registry.
1. First of all, there should be a simple understanding of the Process Service registry, which takes about 3 hours to see the relevant knowledge on the Web.
2. Check the startup project and do not recommend running the Msconfig command, but take a good look at the registry's Run project, the file association, the Userinit, and the explorer behind the shell. EXE is not being altered. Related not to say more, online data a lot, have detailed startup project related articles. I'm just saying the idea. The following simple 35 common startup associated projects
1. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft \windows\curr entversion\run\
2. Hkey_local_machine\software\microsoft\windows\currentversion\runonce\
3. Hkey_local_machine\software\microsoft\windows\currentversion\runservices\.
4. Hkey_local_machine\software\microsoft\windows\currentversion\runservicesonce\
5. Hkey_current_user\software\microsoft\windows\currentversion\run\
6. Hkey_current_user\software\microsoft\windows\currentversion\runonce\
7. Hkey_current_user\software\microsoft\windows\currentversion\runonce\setup\
8. Hkey_users\. Default\software\microsoft\windows\currentversion\run\
9. Hkey_users\. Default\software\microsoft\windows\currentversion\runonce\
10. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
11. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\
12. Hkey_local_machine\system\currentcontrolset\servic es\vxd\
13. HKEY_CURRENT_USER\Control Panel\Desktop
14. Hkey_local_machine\system\currentcontrolset\contro l\session Manager
15. Hkey_classes_root\vbsfile\shell\open\command\
16. Hkey_classes_root\vbefile\shell\open\command\
17. Hkey_classes_root\jsfile\shell\open\command\
18. Hkey_classes_root\jsefile\shell\open\command\
19. Hkey_classes_root\wshfile\shell\open\command\
20. Hkey_classes_root\wsffile\shell\open\command\
21. Hkey_classes_root\exefile\shell\open\command\
22. Hkey_classes_root\comfile\shell\open\command\
23. Hkey_classes_root\batfile\shell\open\command\
24. Hkey_classes_root\scrfile\shell\open\command\
25. Hkey_classes_root\piffile\shell\open\command\
26. Hkey_local_machine\system\currentcontrolset\services\
27. Hkey_local_machine\system\currentcontrolset\services\winsock2\parameters\protocol_catalog\catalog_en tries\
28. Hkey_local_machine\system\control\wow\cmdline
29. Hkey_local_machine\system\control\wow\wowcmdline
30. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Nt\currentversion\winlogon\userinit
31. Hkey_local_machine\software\microsoft\windows\curr entversion\shellserviceobjectdelayload\
32. HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run
33. HKEY_CURRENT_USER\Software\Microsoft\Windows Nt\currentversion\windows\load
34. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntversion\policies\explorer\run\
35. Hkey_local_machine\software\microsoft\windows\curr entversion\policies\explorer\run\
3. Check the service, the simplest bar, the service list is too long, I guess you may not be able to remember all. Say a simple, run Msconfig, service, "Hide all Microsoft services" Check, and then see the service is not the system itself, to see clearly ah, and finally look at the service inside the property to see the associated files. Now general anti-virus to add services, I actually hate antivirus add services, but seems to be to anti-virus.
4. Process, this online information more, only two points, 1. Open Task Manager, select "pid" in "View", "option column", so that you can see the PID. 2. When you click on a process, there is an option to "open the Directory," which is obvious, but a lot of buddies ignore it, this can see the folder where the process files are located for easy diagnosis.
5. CMD will use, Netstat–ano command, feel that this command for simple use, you can view the protocol port connection and remote IP.
6. Delete Registry {f935dc22-1cf0-11d0-adb9-00c04fd58a0b}
{0d43fe01-f093-11cf-8940-00a0c9054228}
Two items, search to the future you will see is two and script-related, backup after deletion, mainly to prevent the Internet malicious code
Four, give a simple example of elimination.
1. The object is contained in a popular BT green software inside the Trojan, the antivirus can be killed, but the wrong judgment for the gray Pigeon. Some antivirus kill not come out. The following is not the use of any tools to determine and remove, of course, any tool including antivirus.
2. Poisoning judgment: When used, suddenly the hard drive lights flashing violently without reason. The system has a transient speed and slows down. There is a reflection of the abnormal procedure and there is doubt as to the problem.
2. Check, service found an unknown service, file point to C:\Program files\internet Explorer under the server. EXE file, obviously this is not the system from the file, the command line to see the port, there is a common no port connection. The process found an unknown process. Start the project Add server. Exe OK is a Trojan horse.
4. Clear: Open the registry, close the process, delete the Startup items, registry Search related service names, delete, delete source files. Also check the Temp folder and find a new folder with a "kill-free" inside. EXE "file, delete, clean cache. Of course it's best to do it in safe mode.
5. In contrast to the list of DLLs below the system32 of the original backup, the suspect DLL file is found, deleted, or selected on "Select Details" option on the View select "Create Date" (This system is not added by default), and then view the details and, by creation date, discover the newly created file. This trojan is relatively simple, did not modify the file date.
There, sometimes forget to clean, if the virus is associated with this file, it will appear after deletion. ）