Virus hunting made easy: the anti-virus elite hidden in the Windows command line


With this squad of command-line tools on call, fighting viruses becomes faster and more convenient, and virus Trojans find it much harder to slip through the net.

1. TASKLIST: the sharp eyes

Viruses are getting better at hiding, and often you cannot see them at first glance. But many of them expose the fox's tail in the process list, so viewing processes is an important way to catch them. The command line provides a tool for this, Tasklist (Windows XP or newer). Like Task Manager, it displays a list of active processes, but with its parameters you can see information Task Manager does not show and do considerably more.

Run "tasklist /m" to display every DLL module loaded by each process; "tasklist /m <name.dll>" lists only the processes that have loaded that one module, which is handy when you already know the name of a suspect DLL. Run "tasklist /svc" to show the services hosted by each process; this is how you see which services each instance of svchost.exe is loading, and from the service names you can judge whether an svchost.exe instance is genuine or a malicious process hiding behind the name.

Tasklist can also view the processes of a remote system. For example, entering "tasklist /s 208.202.12.206 /u friend /p 123456" (without the quotes) at the command prompt lists the processes of the remote system at IP address 208.202.12.206. The "/s 208.202.12.206" parameter names the remote system; "friend" after /u is the user account Tasklist connects with, which must be a valid account on the remote system; "123456" after /p is that account's password. This makes remote virus hunting much more convenient for a network administrator. Two cautions: the remote query needs an account with administrator rights on the target, and a password typed after /p is visible in the command history and to anyone watching the screen, so leave /p off and let Tasklist prompt for it instead.

2. TASKKILL: the process killer

With Tasklist's eyes, many viruses come into view, but finding a virus matters less than clearing it, and that is where another command, TASKKILL, comes in. To end a process, note its image name from Task Manager or Tasklist and run "taskkill /f /im <process name>". You can also kill by PID: run "tasklist", note the PID of the process, and enter "taskkill /pid <PID>" at the command prompt. At this point some people may say this is no more convenient than Task Manager. In fact, the special trick of TASKKILL is that it can end processes that Task Manager cannot terminate directly. For that, add the /F parameter, which forces the process to close; for example, "taskkill /f /pid 1656" forcibly ends the process with PID 1656. TASKKILL can also end a whole process tree (/T), kill processes on a remote system (/S, /U and /P, as with Tasklist), and filter which processes are matched (/FI). See "taskkill /?" for the details. One caveat: /F terminates the process without giving it a chance to clean up, and a virus that is restarted by a second process or a service will simply come back unless you end the whole tree and remove its startup entries as well.

3. NETSTAT: the port detective

Today's Trojans are more numerous and threaten users more than ever, so many tools dedicated to Trojan hunting have appeared. In fact, with nothing more than the Netstat command, we can find most of the Trojans hiding in a computer.

Most Trojans open a service port after they infect the system, and such ports are usually in the LISTENING state, so traces of a Trojan can be found from port usage, and Netstat makes this easy. Run "netstat -a" at the command line to display all active connections, including established connections (ESTABLISHED) and sockets waiting for connection requests (LISTENING). Proto is the protocol, Local Address the local address (the number after the colon is the port), Foreign Address the remote address (if the machine is talking to another host, that host's address is shown), and State the status. LISTENING means the port is open and waiting. Since a Trojan's back door sits in the LISTENING state once it has been opened, pay attention to the LISTENING ports: an unfamiliar port number, especially a very high one, should put you on alert. Two caveats: not every unfamiliar listener is a Trojan, since many legitimate programs open high ports, and a reverse-connecting Trojan that calls out to its controller shows up as an ESTABLISHED outbound connection rather than a LISTENING port, so look at both.

You can also check which process owns a port for further confirmation. Add the -o parameter: "netstat -ano" lists all connections together with the PID of the owning process (the -n switch shows numeric addresses and ports instead of resolving names, which is faster and avoids slow reverse DNS lookups). Match that PID against "tasklist" or "tasklist /svc" to get the image name; on Windows XP SP2 and later, "netstat -b" (run as administrator) prints the executable directly.
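As an added example (not from the original article), the following Python script automates the netstat and Tasklist checks above: it parses the text printed by "netstat -ano" and "tasklist /fo csv", attributes each LISTENING port to its owning image, flags high-numbered listeners outside a small assumed baseline, and lists ESTABLISHED outbound connections with their owners. The netstat and tasklist output embedded in it is constructed by hand (PIDs, ports and image names are made up), and the baseline of expected ports is an assumption rather than an authoritative list; on a real host, redirect the two commands' output to files and pass their contents to the functions.

```python
"""Join `netstat -ano` with `tasklist /fo csv` to attribute listening ports.

Added example, not from the original article. The two command outputs
below are constructed by hand for the demonstration (PIDs, ports and
image names are made up), and EXPECTED_LISTENERS is an assumed baseline,
not an authoritative list of legitimate Windows ports.
"""
import csv
import io

# Constructed sample of `netstat -ano` output (not captured from a real host).
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       896
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:31337          0.0.0.0:0              LISTENING       1656
  TCP    192.168.1.10:1045      203.0.113.7:80         ESTABLISHED     2208
  TCP    192.168.1.10:1051      198.51.100.5:4444      ESTABLISHED     1656
  UDP    0.0.0.0:500            *:*                                    620
"""

# Constructed sample of `tasklist /fo csv` output.
TASKLIST_SAMPLE = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Console","0","236 K"
"lsass.exe","620","Console","0","1,812 K"
"svchost.exe","896","Console","0","4,052 K"
"iexplore.exe","2208","Console","0","22,300 K"
"svch0st.exe","1656","Console","0","3,120 K"
'''

# Assumed baseline: ports a stock Windows host is expected to listen on.
EXPECTED_LISTENERS = {135, 139, 445}


def parse_tasklist_csv(text):
    """Map PID -> image name from `tasklist /fo csv`."""
    reader = csv.DictReader(io.StringIO(text.strip()))
    return {int(row["PID"]): row["Image Name"] for row in reader}


def parse_netstat(text):
    """Return (proto, local_ip, local_port, foreign, state, pid) tuples."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # banner, header and blank lines
        proto, local, foreign = parts[0], parts[1], parts[2]
        # UDP rows carry no State column, so always take the PID from the end.
        state = parts[3] if proto == "TCP" else ""
        pid = int(parts[-1])
        ip, _, port = local.rpartition(":")  # also handles [::]:port
        rows.append((proto, ip, int(port), foreign, state, pid))
    return rows


def suspicious_listeners(netstat_text, tasklist_text, high_port=1024):
    """Listening TCP ports outside the baseline and above `high_port`.

    Each finding carries the owning PID and image name so the analyst can
    follow up with `tasklist /svc` or `tasklist /m`.
    """
    images = parse_tasklist_csv(tasklist_text)
    findings = []
    for proto, _ip, port, _foreign, state, pid in parse_netstat(netstat_text):
        if proto != "TCP" or state != "LISTENING":
            continue
        if port in EXPECTED_LISTENERS or port < high_port:
            continue
        findings.append({"port": port, "pid": pid,
                         "image": images.get(pid, "<unknown>")})
    return findings


def outbound_connections(netstat_text, tasklist_text):
    """ESTABLISHED connections with their owning image.

    A reverse-connecting Trojan never shows a LISTENING socket, so this
    view complements the listener check rather than replacing it.
    """
    images = parse_tasklist_csv(tasklist_text)
    return [
        {"pid": pid, "image": images.get(pid, "<unknown>"), "remote": foreign}
        for _proto, _ip, _port, foreign, state, pid in parse_netstat(netstat_text)
        if state == "ESTABLISHED"
    ]


if __name__ == "__main__":
    for f in suspicious_listeners(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print("LISTENING port %(port)d owned by PID %(pid)d (%(image)s)" % f)
    for c in outbound_connections(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print("ESTABLISHED %(image)s (PID %(pid)d) -> %(remote)s" % c)
```

In the constructed sample, PID 1656 is an image called svch0st.exe (note the zero) that both listens on port 31337 and holds an outbound connection to port 4444; the script surfaces it from both angles, which is exactly the join you would otherwise do by hand between the two command outputs.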

4. FIND: the nemesis of bundled files

Many people have been hit by a file-bundling Trojan: on the surface a pretty picture, but with a Trojan hidden inside. Hiding by bundling is a favourite trick of Trojan authors. Checking suspicious files and dealing with them promptly can often prevent worse consequences, which is why tools for checking bundled files have appeared on the Internet.

In Windows you can do a simple check from the command line. The tool is the string search command FIND, whose main job is to search for strings in files, and it can be used to check for bundled files. The method: run find /c /i "This program" <path of the file to check> at the command line. Every Windows executable begins with a DOS stub containing the text "This program cannot be run in DOS mode", so for an EXE file the count printed should be 1; if it is greater than 1, be careful. For a non-executable file such as a picture the count should normally be 0; if it is greater than 0, take note. Caveats: /c counts lines containing the string rather than occurrences, so two stubs with no newline byte between them count once; legitimate self-extracting archives and installers also carry more than one executable; and a packer or a Trojan author can simply alter the stub text, so a count of 1 or 0 proves nothing. A count that is too high is a reason to look closer, not a verdict.
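As an added example (not part of the original article), the Python below does what the find /c check does and a little more: it counts the DOS stub text case-insensitively, and it also counts embedded PE headers by checking that each "MZ" signature's e_lfanew field really points at a "PE\0\0" signature, which a packer that rewrote the stub text cannot hide so easily. The file contents are constructed in memory (a fake PE layout and a fake JPEG), not real samples; check_file() applies the same logic to a file on disk.

```python
"""Bundle check: count DOS stubs and embedded PE headers in a file's bytes.

Added example, not from the original article. The sample "files" below are
constructed in memory: a minimal PE-like layout (DOS header, stub text,
PE signature) and a fake JPEG; they are not real executables or images.
"""
import struct

STUB_TEXT = b"This program cannot be run in DOS mode"


def count_stub_strings(data, needle=b"This program"):
    """Case-insensitive occurrence count of the stub text.

    This is what `find /c /i "This program"` approximates, except that find
    counts matching *lines*, so two stubs without a newline byte between
    them would count once there and twice here.
    """
    hay, needle = data.lower(), needle.lower()
    count, start = 0, 0
    while True:
        idx = hay.find(needle, start)
        if idx < 0:
            return count
        count += 1
        start = idx + len(needle)


def find_pe_headers(data):
    """Offsets of every embedded PE image.

    A candidate is an 'MZ' whose e_lfanew field (DWORD at offset 0x3C of the
    DOS header) points at a 'PE\\0\\0' signature inside the file. Random 'MZ'
    byte pairs in picture data fail that test, so this is far less noisy
    than grepping for 'MZ'.
    """
    offsets = []
    pos = data.find(b"MZ")
    while pos >= 0:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            sig = pos + e_lfanew
            if data[sig:sig + 4] == b"PE\x00\x00":
                offsets.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return offsets


def classify(data, expect_executable):
    """Return the counts plus a 'suspicious' flag relative to the file type.

    An EXE is expected to contain exactly one stub and one PE header; a
    picture or document none. Anything beyond that is a reason to look
    closer, not proof of a Trojan (installers and self-extractors
    legitimately carry more than one executable).
    """
    stubs = count_stub_strings(data)
    pes = len(find_pe_headers(data))
    expected = 1 if expect_executable else 0
    return {"stub_strings": stubs, "pe_headers": pes,
            "suspicious": max(stubs, pes) > expected}


def check_file(path, expect_executable):
    """Apply classify() to a file on disk."""
    with open(path, "rb") as fh:
        return classify(fh.read(), expect_executable)


def fake_pe(payload=b""):
    """Constructed minimal PE-like blob; `payload` is appended after the header."""
    header = bytearray(0x40)
    header[0:2] = b"MZ"
    stub = STUB_TEXT + b".\r\n$\x00"
    struct.pack_into("<I", header, 0x3C, 0x40 + len(stub))  # e_lfanew
    return bytes(header) + stub + b"PE\x00\x00" + b"\x00" * 20 + payload


# Constructed samples: a clean EXE, a clean JPEG-like file, a picture with an
# EXE appended (the classic bundle) and an EXE carrying a second EXE.
CLEAN_EXE = fake_pe()
FAKE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + bytes(range(256)) * 4 + b"\xff\xd9"
BUNDLED_JPEG = FAKE_JPEG + fake_pe()
SELF_EXTRACTOR = fake_pe(fake_pe())

if __name__ == "__main__":
    for name, data, is_exe in [("clean.exe", CLEAN_EXE, True),
                               ("photo.jpg", FAKE_JPEG, False),
                               ("photo_bundled.jpg", BUNDLED_JPEG, False),
                               ("setup.exe", SELF_EXTRACTOR, True)]:
        print(name, classify(data, is_exe))
```

The PE-header count is the more robust of the two signals: the stub text is just data that a packer may replace, whereas an executable that is ever going to run must keep a DOS header whose e_lfanew points at a valid PE signature.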

5. NTSD: the powerful terminator

Viruses are getting more rampant, and often you can find one but cannot end it: neither Task Manager nor the TASKKILL command described above can terminate it. You can of course reach for a process management tool such as the powerful Process Explorer. But a little-known tool that ships with Windows can force most processes to end, including some very stubborn ones: the NTSD command, the console debugger.

Run the following command from the command line:

ntsd -c q -p PID

The PID at the end is the ID of the process to terminate; if you do not know it, look it up with Tasklist. What happens is that NTSD attaches to the process as a debugger (-p) and immediately runs the debugger command q (-c q), which quits the debugger and, because the process was not detached first, kills it. With NTSD, every process except a few core ones such as System, smss.exe and csrss.exe, which you should not be killing anyway, can be forcibly ended. Note that ntsd.exe ships with Windows XP and Windows Server 2003 but was dropped from Windows Vista onwards; there it is available only as part of the Debugging Tools for Windows, where cdb.exe accepts the same switches and does the same job.

6. FTYPE: the file association repair expert

Like file bundling, tampering with file associations is a common trick of viruses and Trojans. The usual recovery method is to edit the registry, but registry operations are cumbersome and error-prone. A more convenient way is the command-line tool FTYPE, which makes restoring a file association very easy. For example, the exefile association is the one most often modified. Its normal value is "%1" %* . To restore it, run the following at the command prompt:

ftype exefile="%1" %*

To fix the txtfile association, type:

ftype txtfile=%SystemRoot%\system32\NOTEPAD.EXE %1

Before changing anything, run "ftype exefile" on its own to print the current value, and also run "assoc .exe" and check that it still answers ".exe=exefile", because a virus can just as easily redirect the extension to a different file type as change the type's open command; "assoc .exe=exefile" puts that mapping back.

7. FC: the registry monitor

Many viruses and Trojans target the registry, for example the file association tampering described above, and today's so-called rogue software adds values to the registry that have no business being there, so monitoring the registry becomes necessary. There is plenty of registry monitoring software, but in fact we can do the job with a tool provided by Windows itself: FC, the file compare command.

The following uses the registry changes made by a software installation as an example of how to "monitor":

First, back up the registry before installing the software by exporting it to a REG file (say 1.reg). Install the software, then export the registry again (2.reg) and run the following at the Windows XP command prompt:

D:\>fc /u 1.reg 2.reg > changes.txt

Then open changes.txt in the root directory of drive D: it shows clearly which subkeys and values the software added to the registry and what it changed. The /u switch is needed because regedit's "Version 5.00" exports are Unicode (UTF-16) files; without it fc compares them as ANSI text and the output is garbage. Installing software is only one example; you can use the same method to compare the registry between any two points in time. Keep in mind that a full export runs to tens of megabytes of text and fc's line-by-line output gets long, so exporting only the branches you care about (for example HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run) keeps the diff readable.
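As an added example that is not part of the original article, the Python below does the comparison per registry key instead of per text line, so the result names the keys and values that were added, removed or changed rather than leaving you to read fc's raw line output. The two exports embedded in it are constructed sample text (the installer, its paths and its Run entry are made up) encoded as BOM-prefixed UTF-16LE with CRLF line endings to mimic a "Version 5.00" regedit export; to use it on real files, read 1.reg and 2.reg as bytes and pass them to parse_reg_export().

```python
"""Per-key diff of two regedit exports (the job `fc /u 1.reg 2.reg` does per line).

Added example, not from the original article. The two exports below are
constructed sample text: the installer, its paths and its Run entry are
made up. They are encoded like a 'Version 5.00' regedit export (BOM +
UTF-16LE + CRLF), which is why fc needs /u on such files.
"""

BEFORE_TEXT = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"""

AFTER_TEXT = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\Program Files\\Foo\\upd.exe\" \"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Foo]
"InstallDir"="C:\\Program Files\\Foo"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Updater"="C:\\Program Files\\Foo\\upd.exe"
"""


def as_regedit_bytes(text):
    """Encode the way regedit writes a Version 5.00 export."""
    return b"\xff\xfe" + text.replace("\n", "\r\n").encode("utf-16-le")


BEFORE_REG = as_regedit_bytes(BEFORE_TEXT)
AFTER_REG = as_regedit_bytes(AFTER_TEXT)


def parse_reg_export(raw):
    """Parse an export into {key: {value_name: value_data}}.

    Accepts both the Unicode Version 5.00 format and the ANSI REGEDIT4
    format. Long hex values that regedit wraps with a trailing backslash
    are joined back together. Names are returned without their quotes and
    the default value is named '@'; data is kept as the literal text.
    """
    text = raw.decode("utf-16") if raw.startswith(b"\xff\xfe") else raw.decode("latin-1")
    keys, current, pending = {}, None, ""
    for raw_line in text.splitlines():
        line = pending + raw_line.strip()
        pending = ""
        if line.endswith("\\"):  # continuation of a wrapped hex value
            pending = line[:-1]
            continue
        if not line or line.startswith(";") or line.startswith("Windows Registry") or line == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None:
            continue
        if line.startswith("@="):
            name, data = "@", line[2:]
        elif line.startswith('"') and '"=' in line:
            end = line.index('"=', 1)
            name, data = line[1:end], line[end + 2:]
        else:
            continue
        keys[current][name] = data
    return keys


def diff_reg(before, after):
    """Compare two parsed exports and return what was added, removed or changed."""
    report = {"added_keys": [], "removed_keys": [], "added_values": [],
              "removed_values": [], "changed_values": []}
    for key in sorted(set(before) | set(after)):
        if key not in before:
            report["added_keys"].append(key)
            for name, data in sorted(after[key].items()):
                report["added_values"].append((key, name, data))
        elif key not in after:
            report["removed_keys"].append(key)
        else:
            b, a = before[key], after[key]
            for name in sorted(set(b) | set(a)):
                if name not in b:
                    report["added_values"].append((key, name, a[name]))
                elif name not in a:
                    report["removed_values"].append((key, name, b[name]))
                elif a[name] != b[name]:
                    report["changed_values"].append((key, name, b[name], a[name]))
    return report


if __name__ == "__main__":
    result = diff_reg(parse_reg_export(BEFORE_REG), parse_reg_export(AFTER_REG))
    for category, entries in result.items():
        for entry in entries:
            print(category, entry)
```

On the constructed sample the report shows the three kinds of change an installer (or a piece of rogue software) typically makes: a new key of its own, a new Run entry for autostart, and a rewritten exefile open command, which is the association hijack the FTYPE section above repairs.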
