People who have used Windows 9x have seen the following prompts:
Please wait while Setup updates your configuration files.
This may take a few minutes ......
This is normal after software or a hardware driver has been installed and Windows has been restarted as the installer requires; by itself it is not a sign of a virus. This article tells you the truth: if the above message appears for no reason when your machine starts, hurry to find the latest anti-virus softwa
How can we delete files that are in use by the system? Apart from deleting them from DOS, is there an easier, less troublesome way?
In fact, besides running the DELETE command in DOS, you can still delete them from within Windows, specifically by using the Wininit.ini file.
is loaded. Specifically, choose Run from the Start menu, type msconfig, press Enter, and then follow the on-screen instructions. Note:
1. Unlike win.ini, system.ini can only start a specified file. Replacing "shell=explorer.exe file.exe" with "shell=file.exe" will paralyze Windows!
2. This startup method runs earlier than registry startup. Therefore, if you want to restrict the startup of files listed in the registry, use this method.
3. Starting from WININIT.INI: The
, MOVEFILE_DELAY_UNTIL_REBOOT);
The MoveFileEx API moves a file to a new location. Passing NULL as the second parameter moves the file "nowhere", effectively deleting it. Ordinarily this would fail if you tried it with the path of the currently running executable; however, specifying MOVEFILE_DELAY_UNTIL_REBOOT in the dwFlags parameter tells Windows not to move (or delete) the file until the system is shut down or rebooted. (On NT-based Windows the deferred operation is recorded in the PendingFileRenameOperations value under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, which is where it can be inspected before the reboot.)
There are a few problems with this
format to destroy hard-disk data. For example, the "drive C killer" uses the command "deltree /y c:\*.*" so that the computer automatically deletes every file on drive C as soon as it starts, causing untold damage.
Tips
★ In Windows 98, autoexec.bat also has a companion, the winstart.bat file, which is located in the Windows folder and is executed automatically at startup.
★ In Windows ME/2000/XP, neither of the above two batch files is executed by default.
4. Common Startup-System C
software is installed or new programs are running, do not be fooled by the program's attractive appearance. Be sure to check whether it is a disguised Trojan shell or a bundle! If necessary, you can restore the registry from a backup. There are many such registry tools on the Internet, so we will not go into them here.
We can also manually check the corresponding locations in the registry. Although many of them are the same as the locations mentioned above, one can never be too careful where security is concerned!
Pay attention to the comparison with the corresponding keys o
as 4), then UnmapViewOfFile the image of the EXE from memory, and then pass the handle of the current program to DeleteFile() via the stack to achieve self-deletion of the program.
Gary Nebbett is indeed a top expert in Windows internals. Is there any other way to implement self-deletion of a program? The answer is yes.
In Win9x/Me, some features of wininit.ini can also be used. In
This flag is generally used by installers. For example, when installing a new driver, the old driver cannot be deleted or overwritten because the system is still using it. In this case the installer can copy the new driver to a temporary directory and call MoveFileEx with the MOVEFILE_DELAY_UNTIL_REBOOT flag. After the system restarts, it replaces the old driver with the new one before it starts up. This flag can thus be used to overwrite a file after a restart.
It can also
(xxx.exe is the name of the file to be started):
[Windows]
Load=xxx.exe [with this method the file runs in the background]
Run=xxx.exe [with this method the file is run by default]
2) Starting from system.ini. Startup location (xxx.exe is the name of the file to be started):
Default value:
[Boot]
Shell=Explorer.exe [Explorer.exe is the Windows program manager, i.e. Windows Explorer, which is normal]
After the file has been added to start:
[Boot]
Shell=Explorer.exe xxx.exe [many viruses use this startup method now; it is well concealed because it starts together with Explorer]
Note: because system.ini and win.ini differ, system.ini can only start a specified file, but do
\Software\Microsoft\Windows\CurrentVersion\RunOnce]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices]
6. c:\windows\wininit.ini
Once it has run, it is deleted by Windows. Example (content of wininit.ini):
[Rename]
NUL=c:\windows\picture.exe
Here c:\windows\picture.exe is set to NUL, which means deleting it, and the deletion is carried out completely concealed!
7. Autoexec.
\Winlogon] and [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]. Note that the Notify, Userinit, and Shell values can also be used to auto-start programs, and their data can contain several entries separated by commas, which allows multiple programs to be started during logon.
8. Other registry locations
There are also some other keys under which programs often run automatically, such as: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Sy
system administrator privileges.
To solve this potential problem, several Vista and 2008 system processes were redesigned. Smss.exe is the first user-mode process to be created. The difference is that smss.exe runs a second instance of itself to configure session 0, which is used by system processes. The session 0 instance of smss.exe starts an instance of csrss.exe, and then starts the Windows Startup Program (wininit.exe) after csrss.
.dll
Wanpacket.dll
Win1268.exe
Win2232.exe
-------------------------------
C:\Windows\system32:
-------------------------------
Java.dll (Kaspersky reports Worm.Win32.Agent.o)
Kernel32.sys (Kaspersky reports Worm.Win32.Agent.o)
Mfc48.dll (Kaspersky reports Worm.Win32.Agent.o)
Mswdm.exe
Svvosts.exe (Kaspersky reports Trojan-PSW.Win32.Agent.ja)
-------------------------------
For more information about the analysis of Java.dll and Kernel32.sys, see: Http://de.trendmicro-europe.c
is executed.
30. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
Executed when a user logs in.
31. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
Executed by Explorer.exe as soon as it has loaded.
32. HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run
Executed when the user logs in.
33. HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
In my previous article, Getting the process PID from the Process performance counter, I demonstrated using the ID Process performance counter of the Process type to return the process ID from the performance counter. WMI has a class, Win32_PerfFormattedData_PerfProc_Process, which can also be used to return the formatted information from the Process performance counter, and a WMI class with unformatted (raw) information: Win32_PerfRawData_PerfProc_Process.
The name attribute of this WMI class is equivalen
needs to open a specific port, and a DLL backdoor is no exception. No matter how well it is hidden, it must open a port when it connects. We can use netstat -an to list all TCP/UDP port connections and find illegitimate ones. You usually need to know which ports you have opened yourself and to understand the State column in the netstat output (on Windows XP and later, netstat -ano also shows the owning process ID). You can also use fport to display the process corresponding to each port. In this way you can see all unknown connections and ports on the system.
4. regularly
user to choose from.
3. When you select the following actions in the Startup Menu:
4. Load the core file to the logon screen --
After the Windows 7 boot entry is selected, the system starts and loads the core files ntoskrnl.exe and hal.dll, reads settings from the registry, and loads drivers. Next it runs the Windows Session Manager (smss.exe) and starts the Windows Startup Program (wininit.exe), the local security authority (lsass.exe) and s