Using built-in Windows commands to kill viruses (1)

  

The worst part of being online is the day a new virus appears. We all have powerful anti-virus software installed and set it to update its signature database automatically, but a new virus always arrives before the signature that detects it, so more than a few machines get hit every time. Below are some common manual anti-virus methods that use only the tools the system already has.

1. Before you start, be prepared: back up the process list with TaskList

New viruses have learned to hide among legitimate processes, so back up the computer's process list while the system is known to be healthy, ideally right after Windows has booted and before any other program is running. When the computer later behaves abnormally, comparing the two lists shows which processes are new and may be the virus. At the command prompt, type:

tasklist /fo csv > g:\zc.csv

This writes the current process list in CSV format to the file zc.csv; g: is whichever drive you want to save it on. The file can be opened in Excel.

2. When you act, keep your eyes open: compare the process lists with FC

If the computer feels abnormal, or you know a new virus is going around, it is time to check. At the command prompt, generate a list of the current processes:

tasklist /fo csv > g:\yc.csv

and compare it with the baseline:

fc g:\zc.csv g:\yc.csv

FC prints the lines that differ between the two files. In this article's example the comparison turns up an unfamiliar process named "Winion0n.exe" (with a digit zero) where the healthy list had "Winionon.exe"; look-alike names that swap a letter o for a zero are a classic disguise. Bear in mind that the PID and "Mem Usage" columns change from boot to boot and minute to minute, so a raw FC will report nearly every line; it is the image-name column you actually compare.

3. When you judge, the evidence must be conclusive: view open ports with Netstat

How do you decide whether such a suspicious process really is a virus? Most viruses, and Trojans in particular, communicate over a network port, so check what each port is being used for. At the command prompt, type:

netstat -ano

The parameters mean: -a shows all connections and listening ports; -n shows addresses and port numbers in numeric form instead of resolving names; -o shows the PID of the process that owns each connection. Among all the open ports and outbound connections, the article's example singles out the process with PID 1756, whose state is ESTABLISHED. Task Manager shows that PID 1756 is "Winion0n.exe". If you know that no legitimate network program is running on this machine, that connection is illegitimate. The state column means the following. LISTENING: the port is open and waiting for a connection, but none has been made yet; only TCP service ports show LISTENING (UDP has no connection state, so netstat prints no state for it). ESTABLISHED: a connection exists and the two machines are communicating. TIME_WAIT: the connection is over; the port was used, but the session has ended.
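Because the PID and memory columns make a raw FC of two tasklist snapshots noisy, the following added example (it is not code from the original article) compares the two CSV files by image name only and then correlates any new process with `netstat -ano` output to report which new processes hold an ESTABLISHED connection, which is exactly the judgement steps 2 and 3 make by hand. The snapshots and the netstat listing are constructed inline to mirror the article's "Winion0n.exe" scenario; the names, PIDs and addresses are illustrative, not real data.

```python
"""Added example (not from the original article): compare two `tasklist /fo csv`
snapshots by image name only, then correlate new processes with `netstat -ano`
output to flag the ones that own network connections. All sample data below is
constructed by hand to mirror the article's "Winion0n.exe" scenario."""
import csv
import io
import re

# Constructed baseline snapshot (zc.csv) taken on a healthy system.
BASELINE_CSV = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"System Idle Process","0","Console","0","16 K"
"System","4","Console","0","212 K"
"smss.exe","432","Console","0","388 K"
"csrss.exe","504","Console","0","3,412 K"
"winlogon.exe","528","Console","0","2,980 K"
"explorer.exe","1204","Console","0","18,556 K"
'''

# Constructed later snapshot (yc.csv): PIDs and memory differ on every line,
# so `fc` would report almost everything, but only one image name is new.
CURRENT_CSV = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"System Idle Process","0","Console","0","16 K"
"System","4","Console","0","236 K"
"smss.exe","436","Console","0","392 K"
"csrss.exe","508","Console","0","3,500 K"
"winlogon.exe","532","Console","0","3,012 K"
"explorer.exe","1220","Console","0","19,104 K"
"Winion0n.exe","1756","Console","0","1,240 K"
'''

# Constructed `netstat -ano` output; UDP rows carry no state column.
NETSTAT_OUTPUT = '''
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       892
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:1043      192.168.1.10:1044      TIME_WAIT       0
  TCP    192.168.1.10:1052      203.0.113.7:8080       ESTABLISHED     1756
  UDP    0.0.0.0:445            *:*                                    4
'''


def image_names(csv_text):
    """Set of lower-cased image names in a tasklist CSV snapshot."""
    return {row["Image Name"].lower() for row in csv.DictReader(io.StringIO(csv_text))}


def pids_by_image(csv_text):
    """Map lower-cased image name -> list of PIDs in a tasklist CSV snapshot."""
    out = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        out.setdefault(row["Image Name"].lower(), []).append(int(row["PID"]))
    return out


def new_processes(baseline_csv, current_csv):
    """Image names present now but absent from the healthy baseline (sorted)."""
    return sorted(image_names(current_csv) - image_names(baseline_csv))


# Proto, local, foreign, optional state (absent for UDP), owning PID.
NETSTAT_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\w+)\s+)?(\d+)\s*$")


def parse_netstat(text):
    """Parse `netstat -ano` rows into dicts; UDP rows get state None."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_LINE.match(line)
        if m:
            proto, local, foreign, state, pid = m.groups()
            rows.append({"proto": proto, "local": local, "foreign": foreign,
                         "state": state, "pid": int(pid)})
    return rows


def suspicious_connections(baseline_csv, current_csv, netstat_text):
    """(name, pid, peer) for every new process owning an ESTABLISHED TCP connection."""
    lookup = pids_by_image(current_csv)
    new_pids = {pid: name for name in new_processes(baseline_csv, current_csv)
                for pid in lookup[name]}
    return [(new_pids[r["pid"]], r["pid"], r["foreign"])
            for r in parse_netstat(netstat_text)
            if r["state"] == "ESTABLISHED" and r["pid"] in new_pids]


if __name__ == "__main__":
    print("new processes:", new_processes(BASELINE_CSV, CURRENT_CSV))
    for name, pid, peer in suspicious_connections(BASELINE_CSV, CURRENT_CSV, NETSTAT_OUTPUT):
        print(f"{name} (PID {pid}) has an ESTABLISHED connection to {peer}")
```

On a real machine, replace the three constants with the contents of zc.csv, yc.csv and the saved output of netstat -ano; the script then prints only the new image names and the peers they are talking to, which is the evidence step 3 asks for.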
The ESTABLISHED state is what tells you whether an outside computer is connected to yours.

4. When you start killing, be ruthless: terminate the process with NTSD

You now know "Winion0n.exe" is a rogue process, but many virus processes cannot be ended from Task Manager. What then? Enter the following at the command prompt:

ntsd -c q -p 1756

Press Enter and the virus process is terminated: ntsd attaches the system debugger to PID 1756, and -c q runs the debugger command q (quit), which ends the debuggee. Tip: "1756" is the process's PID. If you do not know the PID, open Task Manager and click View → Select Columns, then tick PID (Process Identifier). NTSD can forcibly terminate any process except System, SMSS.EXE and CSRSS.EXE. Note that ntsd.exe ships with Windows XP and Server 2003 but not with later versions of Windows, where taskkill /F /PID 1756 is the built-in equivalent.

5. Once the virus is confirmed, pull it out by the roots: search for the virus's files

Search every local partition for the "Winion0n.exe" file that has been identified as the virus, with "Search system folders" and "Search hidden files and folders" enabled, find where it hides and delete it. That removes only the main virus file. Look at its properties, then search again for files with the same creation date and size to find its companions, and delete those too. If you are not sure which files are companions, search the web for information on the virus.

6. After the virus is cleaned up, clean the battlefield: repair the registry by hand

Even with the virus files deleted, the virus leaves junk values behind in the registry, and they need cleaning up.

(1) Back up first with reg export. There are far too many auto-start values to scan by hand when you are hunting the virus, so use reg export from a batch file. Start Notepad and enter the following commands:

reg export HKLM\Software\Microsoft\Windows\CurrentVersion\Run f:\hklmrun.reg
reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run f:\hklcu.reg
reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run f:\hklml.reg

Note: only a few common keys are listed here; back up other keys (HKCU\...\Run, the RunOnce keys and so on) the same way. Save the file as ziqidong.bat and run it from the command prompt, and all the listed auto-start keys are backed up to their .reg files. Then type:

copy f:\*.reg ziqidong.txt

which concatenates the backup .reg files into "ziqidong.txt". When you later suspect the virus has added a start-up item, export the same keys again and use the FC command described above on the two txt files; the newly added auto-start entry shows up immediately.

(2) Delete the newly added auto-start value with reg delete. For example, the comparison above turns up a value named "Logon" under [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] whose start-up program is "c:\windows\winlogon.exe" (the genuine winlogon.exe lives in the system32 folder, which is what gives this one away). Enter the following command to delete the virus's auto-start value:

reg delete HKLM\Software\Microsoft\Windows\CurrentVersion\Run /f

(3) Restore the registry with reg import. reg delete with /f and no value name removes the entire Run key, every value included, so restore the legitimate values from the backup .reg file:

reg import f:\hklmrun.reg

Two cautions: the key you delete and restore must be the same one (HKLM or HKCU) in which the rogue value appeared, and reg delete also accepts /v Logon to remove just that one value, which avoids the delete-and-restore round trip altogether.

These are several system commands for manual anti-virus work. Used with care they can KILL most viruses, provided you have done your backups first.
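The FC comparison of two concatenated .reg exports works, but it reports every differing line, not just new values. The following added example (it is not code from the original article) parses two reg export snapshots of the Run keys, reports only the auto-start values that were added, and flags any whose program path borrows a core system binary's name from outside the System32 folder, the check that exposes the article's "c:\windows\winlogon.exe" entry. The .reg text is constructed; the "Logon" value reproduces the article's example, and the "Updater" value is a made-up REG_EXPAND_SZ entry to show hex(2) decoding. Real exports are written as UTF-16 text, so read them with encoding="utf-16" before passing them in.

```python
"""Added example (not from the original article): diff two `reg export`
snapshots of the Run keys and flag look-alike system binaries launched from
the wrong folder. The .reg text below is constructed; "Logon" reproduces the
article's example and "Updater" is an invented REG_EXPAND_SZ value."""
import re

BEFORE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAX"="\"C:\\Program Files\\Analog Devices\\SoundMAX\\SMax4PNP.exe\""
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
'''

AFTER_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAX"="\"C:\\Program Files\\Analog Devices\\SoundMAX\\SMax4PNP.exe\""
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Logon"="c:\\windows\\winlogon.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"Updater"=hex(2):25,00,54,00,45,00,4d,00,50,00,25,00,5c,00,75,00,70,00,64,00,\
  2e,00,65,00,78,00,65,00,00,00
'''

VALUE_LINE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')

# Binaries that legitimately live only under %SystemRoot%\System32.
CORE_SYSTEM_BINARIES = {"winlogon.exe", "csrss.exe", "smss.exe", "lsass.exe",
                        "services.exe", "svchost.exe"}


def _unescape(s):
    """Undo .reg string escaping: \\\\ -> \\ and \\" -> " (one pass, left to right)."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def _decode_data(raw):
    """Turn the right-hand side of a .reg value line into (type, python value)."""
    if raw.startswith('"') and raw.endswith('"'):
        return ("REG_SZ", _unescape(raw[1:-1]))
    if raw.startswith("dword:"):
        return ("REG_DWORD", int(raw[6:], 16))
    m = re.match(r"hex(?:\((\d+)\))?:(.*)$", raw)
    if m:
        kind = {None: "REG_BINARY", "2": "REG_EXPAND_SZ", "7": "REG_MULTI_SZ"}.get(
            m.group(1), "hex(%s)" % m.group(1))
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
        if kind in ("REG_EXPAND_SZ", "REG_MULTI_SZ"):
            return (kind, data.decode("utf-16-le").rstrip("\x00"))
        return (kind, data)
    return ("UNKNOWN", raw)


def parse_reg(text):
    """Parse .reg text into {key path: {value name: (type, data)}}."""
    text = re.sub(r"\\\r?\n\s*", "", text)  # join hex continuation lines
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_LINE.match(line)
        if current is not None and m:
            name = _unescape(m.group(1)) if m.group(1) is not None else ""
            keys[current][name] = _decode_data(m.group(2))
    return keys


def added_values(before_text, after_text):
    """(key, name, type, data) for values present after but not before."""
    before, after = parse_reg(before_text), parse_reg(after_text)
    return [(key, name, kind, data)
            for key, values in after.items()
            for name, (kind, data) in values.items()
            if name not in before.get(key, {})]


def program_path(data):
    """Executable path from a Run value: the quoted part, else the first token."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split(" ", 1)[0]


def looks_like_impostor(data):
    """True when a core System32 binary's name is launched from another folder."""
    path = program_path(data).lower()
    return path.rsplit("\\", 1)[-1] in CORE_SYSTEM_BINARIES and "\\system32\\" not in path


if __name__ == "__main__":
    for key, name, kind, data in added_values(BEFORE_REG, AFTER_REG):
        flag = "  <-- impostor path" if looks_like_impostor(data) else ""
        print(f"[{key}] {name} ({kind}) = {data}{flag}")
```

Export the same keys before and after the incident, run added_values on the two texts, and every auto-start value the virus planted is listed with its decoded program path; the impostor check is only a hint, since a genuine look-alike can also be planted under System32, so treat an unexpected Run value as suspect regardless of its folder.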
Tip: everything above can also be done by hand in Registry Editor, but the REG command has the advantage that it still works when a virus has disabled Registry Editor, and it is faster too.

7. Wolves in sheep's clothing: detect bundled Trojans with FIND

The commands above handle ordinary viruses; the FIND command can also be used to detect a Trojan bundled into another file. Many frequent Internet users have run into bundled Trojans. These wolves in sheep's clothing hide behind pictures, Flash animations and even music files: when you open the file, the window really does show a picture (or a Flash animation), while the Trojan quietly runs in the background. For example, a friend sent me a wallpaper image; when I opened it, the picture appeared in Windows Picture and Fax Viewer, but the hard-disk light kept flashing, so some unknown program was clearly running alongside it. To check whether the image has a Trojan bundled in, type at the command prompt:

find /c /i "This program" g:\chaonv.jpe.exe

where g:\chaonv.jpe.exe is the file to inspect, /c counts the matching lines and /i ignores case. FIND returns "---------- G:\CHAONV.JPE.EXE: 2", which shows that the file does have another program bundled into it. The reasoning behind the check: every Windows executable carries the text "This program cannot be run in DOS mode" in its header, so for an EXE file the count should normally be 1, for a non-executable file it should normally be 0, and a count of 2 means a second executable is embedded in the file. Treat the count as a hint rather than proof: self-extracting archives and installers legitimately embed executables, and a bundler that compresses, encrypts or edits its payload's header will not show the extra match.

Hint: many bundled Trojans rely on Windows' default "Hide extensions for known file types" setting to fool us, as "chaonv.jpe.exe" in this example does: .jpe is a JPEG extension, so with extensions hidden the file appears as chaonv.jpe, and since it carries a JPG icon it is easy to be taken in. Open My Computer, click Tools → Folder Options, click View, and untick "Hide extensions for known file types" to see the wolf's true face.

Summary

Finally, the manual virus-killing process in one line: back up the process list with TaskList → find the virus by comparing the lists with FC → confirm the process with NETSTAT → terminate the process with NTSD → search for the virus files and delete them → repair the registry with the REG command, with FIND as an extra check for bundled Trojans. That completes the whole manual procedure of discovering the virus, deleting it and repairing the registry.
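The FIND trick counts the DOS-stub sentence, which a bundler can simply edit away. The following added example (not code from the original article) performs the same count in Python and, in addition, scans for a second MZ/PE header by following each "MZ" header's e_lfanew pointer to a "PE\0\0" signature, which still catches the bundle when the stub text has been altered. The byte strings are constructed stand-ins shaped like executable headers, not real programs and not malware; the file names mirror the article's chaonv example.

```python
"""Added example (not from the original article): count the DOS stub text the
way `find /c /i "This program"` does, and also count MZ/PE headers so that a
bundled executable is found even if its stub text was edited. The byte blobs
below are constructed header-shaped stand-ins, not real executables."""
import re
import struct

DOS_STUB_TEXT = b"This program cannot be run in DOS mode"


def minimal_pe(label: bytes) -> bytes:
    """Constructed, non-runnable blob shaped like a PE file header: 'MZ' magic,
    e_lfanew at offset 0x3c, the DOS stub text, then 'PE\\0\\0' where e_lfanew
    points, followed by a label standing in for the rest of the image."""
    stub = b"\r\n" + DOS_STUB_TEXT + b".\r\n$"
    dos_header = bytearray(b"MZ" + b"\x00" * 62)        # 64-byte IMAGE_DOS_HEADER
    struct.pack_into("<I", dos_header, 0x3C, 64 + len(stub))  # e_lfanew
    return bytes(dos_header) + stub + b"PE\x00\x00" + label


def count_dos_stub(data: bytes) -> int:
    """What the FIND command approximates: case-insensitive stub text matches."""
    return len(re.findall(re.escape(DOS_STUB_TEXT), data, flags=re.IGNORECASE))


def pe_header_offsets(data: bytes) -> list:
    """Offsets of every 'MZ' header whose e_lfanew points at a valid 'PE\\0\\0'."""
    hits = []
    for m in re.finditer(b"MZ", data):
        off = m.start()
        if off + 0x40 > len(data):
            continue
        (e_lfanew,) = struct.unpack_from("<I", data, off + 0x3C)
        pe_at = off + e_lfanew
        if 0 < e_lfanew < 0x1000 and data[pe_at:pe_at + 4] == b"PE\x00\x00":
            hits.append(off)
    return hits


def classify(data: bytes) -> str:
    """Verdict from the header scan: none, one, or several executables in the file."""
    headers = pe_header_offsets(data)
    if not headers:
        return "not an executable"
    if len(headers) == 1:
        return "single executable"
    return f"bundled: {len(headers) - 1} embedded executable(s)"


# Constructed samples. The bundled case mirrors the article's chaonv.jpe.exe:
# a viewer stub executable with a second executable appended after it.
JPEG_ONLY = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 200 + b"\xff\xd9"
VIEWER_EXE = minimal_pe(b"<viewer>")
BUNDLED_EXE = VIEWER_EXE + b"\x00" * 16 + minimal_pe(b"<trojan>")

if __name__ == "__main__":
    samples = [("chaonv.jpg", JPEG_ONLY), ("viewer.exe", VIEWER_EXE),
               ("chaonv.jpe.exe", BUNDLED_EXE)]
    for name, blob in samples:
        print(f"{name}: stub count {count_dos_stub(blob)}, {classify(blob)}")
```

To inspect a real file, read it with open(path, "rb").read() and pass the bytes to classify; a result other than "single executable" for something that claims to be a picture deserves a closer look, with the same caveat as FIND that installers and self-extracting archives legitimately contain more than one executable.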

Copyright © Windows knowledge All Rights Reserved