How to clean up computer viruses
Chinese version of this article: https://docs.google.com/document/d/1Fv_8Yxu11KwvNEWgx-OVR73Hb1wd5L0ps-iQSrRjBA4
As the number of network users grows, viruses, Trojans and hacking tools naturally treat them as easy prey. When a user's machine picks up a virus or Trojan it should be cleaned out as soon as possible, as far as the user's own emergency-handling skills allow. Below are some common manual removal methods; I have used the system's own tools to kill viruses this way:
1. Before you start, prepare: back up the process list with TaskList
Newer viruses hide themselves behind ordinary-looking processes, so it is best to save a copy of the process list while the system is known to be clean. Ideally take it right after logging in to Windows, before launching any programs. When the computer later behaves abnormally you can compare the current process list against this baseline and pick out the process that may be the virus.
At the command prompt, enter:
tasklist /fo csv > g:\zc.csv
This writes the current process list in CSV format to the file zc.csv; g: is the drive you want to save it on (ideally not the system drive, so a later infection is less likely to touch it). The file can be opened in Excel.
2. When you do it yourself, be meticulous: compare the process list files with FC. If your computer seems abnormal, or you know a new virus is going around, it is worth checking.
Open the command prompt and enter:
tasklist /fo csv > g:\yc.csv
This generates yc.csv with the current process list. Then enter:
fc g:\zc.csv g:\yc.csv
After pressing Enter you see the differences between the earlier and later list files. In the comparison you find that the computer has gained an extra process named "Winion0n.exe" (used here as the example), which is not "Winionon.exe": the digit 0 stands in for the letter o, a typical look-alike trick that is easy to miss when scanning the list by eye.
3. When judging, make sure the evidence is conclusive: use Netstat to view the ports opened by the suspicious process. How do you determine whether such a process is a virus? Most viruses, and Trojans in particular, communicate with the outside through network ports, so you can check which process owns which port.
At the command prompt, enter:
netstat -a -n -o
The parameters mean the following:
-a: display all connections and listening ports on this host
-n: display addresses and port numbers in numeric form instead of resolving names
-o: display the PID of the process that owns each connection
After pressing Enter you see all open ports and the processes with external connections. Here the process with PID 1756 (the example) is the most suspicious: its state is ESTABLISHED. Task Manager shows that this PID belongs to "Winion0n.exe", and by reviewing which network programs are supposed to be running on this machine you can determine that this is an illegitimate connection.
The meanings of the connection states are:
LISTENING: the port is open and waiting for a connection, but none has been made yet. Only TCP service ports can be in the LISTENING state; UDP entries have no state column.
ESTABLISHED: a connection has been established and the two machines are communicating. TIME_WAIT: the connection has ended; the port was accessed but the exchange is over. These states let you determine whether an external computer is connected to the machine.
4. When you start killing, be ruthless: terminate the process with NTSD
Although "Winion0n.exe" is known to be an illegitimate process, many virus processes cannot be ended from Task Manager. What then?
Enter the following at the command prompt:
ntsd -c q -p 1756
This attaches the NTSD debugger to the process (-p 1756) and immediately runs the debugger command q (-c q), which quits the debugger and terminates the debuggee, so the virus process ends.
Tip: "1756" is the PID of the process. If you do not know the PID, open Task Manager and choose View → Select Columns → tick PID (Process Identifier). NTSD can forcibly terminate any process except System, SMSS.EXE and CSRSS.EXE. Note that ntsd.exe ships with Windows XP and Server 2003 but not with later Windows versions; there, use taskkill /F /PID 1756 instead, or install NTSD from the Debugging Tools for Windows.
5. Once the virus has been identified, pull it out root and branch: search for the original virus file. For "Winion0n.exe", now determined to be a virus file, run a search over the local partitions with "search system folders" and "search hidden files and folders" enabled, find where the file is hiding, and delete it. That only removes the virus's main file, however. Check its properties and search again by file creation date and size to find its companion files, and delete those too. If you are not sure which other files belong to it, look the virus up online for help.
Tip: registry clean-up can also be done by hand in Registry Editor, but the REG command has the advantage that even when a virus has disabled Registry Editor you can still export, delete and import keys (reg export / reg delete / reg import) from the command line, and it is faster too. With the manual anti-virus commands introduced here, used well, you can deal with most viruses, but always remember to make backups first.
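The five steps above can be scripted so that the comparison is not done by eye. The following PowerShell script is an added example, not code from the original article: it diffs a baseline tasklist CSV against a current one, flags new names that differ from a known-good name only by look-alike digits (0 for o, 1 for l), and joins each new PID to its netstat -ano connections. The two snapshots and the netstat output embedded below are constructed sample data; apart from the article's PID 1756 and "Winion0n.exe", the process names, PIDs, hosts and ports are made up, and the look-alike "svch0st.exe" is included to show the digit-swap check, which the article only hints at.

```powershell
# Added example (not from the original article): script steps 1-5 offline.
# Inputs are plain text captured from "tasklist /fo csv" and "netstat -ano".

function Get-LookAlikeKey {
    param([string]$Name)
    # Collapse digits that masquerade as letters so "svch0st.exe" and
    # "svchost.exe" map to the same key (assumed substitutions: 0->o, 1->l).
    $Name.ToLowerInvariant() -replace '0', 'o' -replace '1', 'l'
}

function Compare-ProcessSnapshots {
    param([string]$BaselineCsv, [string]$CurrentCsv)
    # Both inputs are the text of "tasklist /fo csv", whose header is
    # "Image Name","PID","Session Name","Session#","Mem Usage".
    $baseNames = @{}
    foreach ($p in ($BaselineCsv | ConvertFrom-Csv)) {
        $baseNames[$p.'Image Name'.ToLowerInvariant()] = $true
    }
    $baseKeys = @{}
    foreach ($n in $baseNames.Keys) { $baseKeys[(Get-LookAlikeKey $n)] = $n }

    foreach ($p in ($CurrentCsv | ConvertFrom-Csv)) {
        $name = $p.'Image Name'
        if ($baseNames.ContainsKey($name.ToLowerInvariant())) { continue }
        # New name: report it, and note if it mimics a baseline name via digit swaps.
        $key = Get-LookAlikeKey $name
        $mimic = if ($baseKeys.ContainsKey($key)) { $baseKeys[$key] } else { $null }
        [pscustomobject]@{ ImageName = $name; PID = [int]$p.PID; LookAlikeOf = $mimic }
    }
}

function ConvertFrom-NetstatAno {
    param([string]$Text)
    # Parses "netstat -ano" rows. UDP rows carry no State column, so that group is optional.
    $rx = '^\s*(?<proto>TCP|UDP)\s+(?<local>\S+)\s+(?<remote>\S+)\s+(?:(?<state>[A-Z_]+)\s+)?(?<pid>\d+)\s*$'
    foreach ($line in ($Text -split "`r?`n")) {
        if ($line -match $rx) {
            $state = if ($Matches['state']) { $Matches['state'] } else { '' }
            [pscustomobject]@{
                Proto = $Matches['proto']; Local = $Matches['local']
                Remote = $Matches['remote']; State = $state; PID = [int]$Matches['pid']
            }
        }
    }
}

function Find-SuspiciousProcesses {
    param([string]$BaselineCsv, [string]$CurrentCsv, [string]$NetstatText)
    $conns = @(ConvertFrom-NetstatAno $NetstatText)
    foreach ($new in @(Compare-ProcessSnapshots $BaselineCsv $CurrentCsv)) {
        # Step 3: tie the new PID to its open ports and remote peers.
        $mine = @($conns | Where-Object { $_.PID -eq $new.PID })
        [pscustomobject]@{
            ImageName   = $new.ImageName
            PID         = $new.PID
            LookAlikeOf = $new.LookAlikeOf
            Established = @($mine | Where-Object { $_.State -eq 'ESTABLISHED' } | ForEach-Object { $_.Remote }) -join ','
            Listening   = @($mine | Where-Object { $_.State -eq 'LISTENING' } | ForEach-Object { $_.Local }) -join ','
        }
    }
}

# Constructed sample: a clean baseline (step 1) and a later snapshot (step 2).
$baselineCsv = @'
"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Console","0","236 K"
"smss.exe","368","Console","0","388 K"
"csrss.exe","584","Console","0","3,884 K"
"svchost.exe","880","Console","0","4,120 K"
"explorer.exe","1432","Console","0","18,940 K"
'@
$currentCsv = @'
"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Console","0","236 K"
"smss.exe","368","Console","0","388 K"
"csrss.exe","584","Console","0","3,884 K"
"svchost.exe","880","Console","0","4,120 K"
"explorer.exe","1432","Console","0","18,940 K"
"Winion0n.exe","1756","Console","0","2,512 K"
"svch0st.exe","2012","Console","0","1,980 K"
'@
# Constructed sample of "netstat -ano" (203.0.113.0/24 is a documentation range).
$netstatText = @'
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    192.168.1.10:1045      203.0.113.5:4444       ESTABLISHED     1756
  TCP    192.168.1.10:1046      203.0.113.5:80         TIME_WAIT       0
  TCP    0.0.0.0:31337          0.0.0.0:0              LISTENING       2012
  UDP    0.0.0.0:500            *:*                                    1040
'@

Find-SuspiciousProcesses $baselineCsv $currentCsv $netstatText | Format-Table -AutoSize
```

On the sample data this reports two rows: Winion0n.exe (PID 1756) with an ESTABLISHED connection to 203.0.113.5:4444, and svch0st.exe (PID 2012), flagged as a look-alike of svchost.exe, listening on 0.0.0.0:31337. On a live machine feed it real captures instead: $base = Get-Content g:\zc.csv -Raw; $cur = tasklist /fo csv | Out-String; $net = netstat -ano | Out-String. Before terminating a flagged process, record where its file lives with (Get-Process -Id 1756).Path, since that information is gone once the process is dead; then Stop-Process -Id 1756 -Force does the job of step 4 (it is the equivalent of taskkill /F /PID 1756) on Windows versions that no longer ship ntsd, and the recorded path is the starting point for the file search in step 5.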
Source: http://www.xitongzhijia.cc/xtjc/20120813/11228_3.html