How about, with this group of command-line anti-drug elites waiting to be summoned at any time, it will be more effective and convenient to fight against viruses in the future, and the virus Trojans will not escape the French Internet.
One, TASKLIST—— eye-catching eyes
The virus is getting more and more awkward now, often not seeing the first. But many viruses tend to expose the fox tail in the process, so viewing the process is an important way to kill the virus. The command line provides the command tool ——Tasklist (Windows XP or newer) for process viewing. This command, like the Task Manager, displays a list of active processes. But by using the parameters, you can see the information that the task manager can't see, and you can achieve more powerful functions. Using the parameter “/M”, running “Tasklist /M” will display all the DLL modules loaded by each task; use the parameter “/SVC”, run the “Tasklist /SVC” command will show each process A list of active services, from which you can see the service loaded by the process svchost.exe, through the service can tell whether it is a malicious virus process. In addition, you can use the Tasklist command to view the progress of the remote system, such as entering "ldsklist /s 208.202.12.206 /u friend /p 123456" (without quotes) at the command prompt to see the IP address is 208.202. 12.206 The process of the remote system. The /s parameter 208.202.12.206” refers to the IP address of the remote system to be viewed. After /u, <;friend” refers to the user account used by the Tasklist command, which must be a legal account on the remote system. “123456” after /p refers to the password of the friend account. In this way, it is much more convenient for the network administrator to remotely kill and kill viruses.
Two, TASKKILL & mdash; & mdash; process killer
With Tasklist this eyes, many viruses have appeared, but more important is not to find the virus, but to clear them, then another command — —TASKKIL comes in handy. For example, if you want to end a process, just write down the process name from the task manager and run the following command: <;TASKKILL /F /IM process name”; You can also run the connection first by running the PID. Tasklist” command, write down the PID number of the process, enter "ldskkill /pid PID number" under the command prompt. Speaking of this, I am afraid that some people say that this is not as convenient as using the task manager directly. In fact, the unique trick of the TASKKILL command is that it can end some processes that cannot be directly suspended in the task manager. In this case, the parameter “ld”;/F” is added, so that the process can be forcibly closed, for example, running “TASKKILL”. The /F /pid 1606” command will force the process to end the PID 1656. In addition, the TASKKILL command can also end the process tree, remote processes, and specify the process of filtering into or filtering out the query. The specific operation can be viewed by using the “taskkill/?” command.
Three, Netstat——Port Detective
There are more and more Trojans today, and the threat to users is getting bigger and bigger, so there are many tools dedicated to Trojan killing. In fact, as long as we use the Netstat command under the command line, we can find most of the Trojans hidden in the computer.
We know that most Trojans have a service port after they infect the system, and such service ports are usually in the LISTENING state, so the Trojan trace can be found from the port usage, which can be easily achieved by using the Netstat command. . Run “Netstat –a” on the command line. This command will display a list of all valid connection information, including established connections (ESTABLISHED), as well as those connections that listen for connection requests (LISTENING). Proto stands for the protocol, Local Address represents the local address, the number after the colon is the open port number, and the Foreign Address represents the remote address. If it is communicating with other machines, the address of the other party is displayed, and State represents the status. LISTENING indicates that the port is in the listening state, that is, the port is open. Since the back door is in the LISTENING state after the Trojan is successfully opened, you need to pay attention to the port in the LISTENING state. If the port number is unfamiliar, and the port number is very large, Big, you should be alert.
You can also check the process corresponding to the port to further confirm, this needs to add the parameter “-O”, run “Netstat –ao” command will display a list of all valid connection information, and give The PID number corresponding to the outgoing port.
Four——Bundle of nemesis
I believe that many people have been on the file bundled Trojan, the surface looks like a beautiful MM picture, while the hidden hidden Trojan, this is done by file binding Hidden is the customary trick of the Trojan. The necessary checks and timely processing of suspicious files can often prevent more serious consequences, so some tools for checking bundled documents have appeared on the Internet.
In Windows, you can also perform a simple check on the command line. Here we need to use the string search command ——FIND, its main function is to search for strings in the file, you can use it to check the bundle file. The method is: run "ldIND;CIND/I "This program" the path of the file to be checked" (excluding the outer quotes) on the command line. If it is an EXE file, the return value should be "1" ;, if there is a situation greater than 1, you must be careful; if it is an unexecutable file such as a picture, the return value should normally be "“0”", if there is a situation greater than 0, it should be noted.
5, NTSD & mdash; & mdash; powerful terminator
Today's virus is getting more and more embarrassing, often even if you can find its process, but can not end. There is no way to abort with the Task Manager and the aforementioned TASKKILL command. Of course you can use process management tools such as the powerful Process Explorer. In fact, using a secret tool that comes with Windows can force most processes, including some very stubborn processes, which is the NTSD command.
Run the following command from the command line:
ntsd -c q -p PID
The last PID refers to the ID of the process to be terminated. If you do not know the ID of the process, you can view it through the Tasklist command. With the NTSD command, except for System, SMSS.EXE, and CSRSS.EXE, which rarely kill core processes, other processes can be forced to end.
6, FTYPE—— file association repair expert
Same as file binding, tampering with file association is also a common trick of virus or Trojan. The usual recovery method is mainly by modifying the registry, but the registry operation is usually troublesome. And it's easy to make mistakes. Another convenient way is to use the command line tool ——FTYPE, which makes it very easy to recover file associations. For example, the file association of exefile is the easiest to modify. Its normal file association is: "%1" %* . To recover, simply run the following command from the command line: “ftype exefile="%1" %* ” If you want to fix the file association of txtfile, just type: <;ftype txtfile= %SystemRoot%\\system32\\NOTEPAD.EXE %1 ”
Seven, FC & mdash; & mdash; Registry Monitor
Many virus Trojans use the registry as an attack object, such as the file association tampering mentioned above, and now the so-called rogue software flow of restless software Adding item values that should not be added to the registry makes registry monitoring a necessity. So there are a lot of registry monitoring software, in fact, we can completely use the tools provided by the Windows system to complete this function.
The following is a modification of the registry to monitor the installation software process as an example to introduce how to achieve "monitoring":
First, you can back up the registry before installing the software (stored as a REG file, such as 1.reg ), after the installation, export the registry file (2.reg) and then execute the following command in the Windows XP command prompt:
D:\\>fc /u 1.reg 2.reg>changes.txt< Br> Then open the changes.txt file in the root directory of the D drive, you can clearly see which sub-items the software adds to the registry, and what changes have been made. The installation software in the above example is a specific moment, and you may use this method to analyze changes that may occur in the registry at any one time.