The humble but powerful anti-virus tools that come with Windows

Windows ships with a large set of utilities, each built for an ordinary administrative job. Those tools are more versatile than they look: with a little imagination and some digging they can also be pressed into service against viruses and Trojans. Don't believe it? Read on.

First, using Task Manager to stab the virus in the back

Windows Task Manager is the main tool for managing processes; its "Processes" tab lists every process currently running. In the default layout it shows only a few columns such as Image Name, User Name, CPU and Mem Usage, while others such as I/O reads and writes and virtual memory size stay hidden. Many people never look at those hidden columns, yet when the system misbehaves for no obvious reason they are often where the breakthrough is found.

1. Killing a dual-process Trojan that keeps coming back

A while ago a friend's computer picked up a Trojan. Task Manager showed the Trojan process as "system.exe", but after terminating it and refreshing the list it was back. Deleting c:\windows\system32\system.exe in Safe Mode did not help either: after a reboot it was there again, and it could not be removed completely. This behaviour marks it as a dual-process Trojan. Such a Trojan has a guardian process that scans periodically and, as soon as it finds the guarded process has been killed, revives it. Many current Trojans go further and have the two processes watch each other, so that either one can resurrect the other. The key to removal is therefore to find both of the "interdependent" Trojan files, and Task Manager's PID column is how we do it.

Open Task Manager, choose "View → Select Columns", tick "PID (Process Identifier)" and return to the process list; every process now shows its PID. That lets us work backwards: after we terminate a process and it is regenerated, we can identify the parent that regenerated it by PID. Open a command prompt and run "taskkill /f /im system.exe /t" (the /t switch makes taskkill report the parent of each process it terminates). Refresh and run the command again: as Figure 1 shows, the terminated system.exe has PID 1536 and is reported as a child process of PID 676. In other words, the system.exe process with PID 1536 was created by the process with PID 676. Back in Task Manager, looking up that PID shows that it belongs to the "internet.exe" process. (Figure)

Having found the culprit, reboot into Safe Mode, use the search function to locate the Trojan file c:\windows\internet.exe, and delete it together with system.exe. The earlier attempts failed because internet.exe had not been found (and its start-up key had not been deleted), so on every return to the normal system internet.exe revived the Trojan.

2. Ferreting out the P2P program that thrashes the hard disk

A computer at work showed a hard disk light that stayed on from the moment it booted and went online, and the disk spun constantly. Clearly some process on the machine was reading and writing data, yet the anti-virus scanner found no viruses, Trojans or other malicious programs.

Boot the computer, connect to the Internet, and press Ctrl+Alt+Del to start Task Manager. Switch to the "Processes" tab, choose "View → Select Columns", tick the two items "I/O Writes" and "I/O Write Bytes", and click OK. Back in the process list there was an unfamiliar process, hidel.exe. Its CPU and memory usage were not especially high, but its I/O write volume was staggering, so it was clearly the one playing tricks. Right-click it, choose "End Process", and the disk activity immediately returned to normal.
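Both cases above come down to columns Task Manager hides. The following PowerShell script is an added example, not code from the original article: it reads the parent PID and I/O write counters straight from Win32_Process, prints the parent chain of a suspect process, and ranks processes by write rate between two snapshots. The name 'system.exe' is the article's example, not a real indicator, and the five-second sampling interval is an assumption.

```powershell
# Added example, not code from the original article: it reads the columns Task
# Manager hides (parent PID, I/O write counters) straight from Win32_Process so
# both cases above can be worked from a prompt. 'system.exe' is the article's
# example name, not a real indicator; the sampling interval is an assumption.
# Run as Administrator to see every process; Windows PowerShell 3.0 or later.
param(
    [string]$Suspect       = 'system.exe',
    [int]   $SampleSeconds = 5,
    [int]   $TopN          = 10
)

function Get-ProcessSnapshot {
    # Hashtable keyed by PID of every Win32_Process instance.
    $t = @{}
    foreach ($p in Get-CimInstance -ClassName Win32_Process) { $t[[uint32]$p.ProcessId] = $p }
    return $t
}

function Get-ParentChain {
    # Follow ParentProcessId upwards. The parent may already have exited and its
    # PID may have been reused, so stop at a missing entry or a cycle.
    param([hashtable]$Snapshot, [uint32]$ProcessId)
    $chain = @(); $seen = @{}
    $cur = $Snapshot[$ProcessId]
    while ($cur -and -not $seen.ContainsKey([uint32]$cur.ProcessId)) {
        $seen[[uint32]$cur.ProcessId] = $true
        $chain += $cur
        $cur = $Snapshot[[uint32]$cur.ParentProcessId]
    }
    return $chain
}

$before = Get-ProcessSnapshot

# Case 1: which process created the suspect? The first hop is the guardian.
foreach ($p in ($before.Values | Where-Object { $_.Name -ieq $Suspect })) {
    $hops = Get-ParentChain -Snapshot $before -ProcessId $p.ProcessId |
        ForEach-Object { '{0} [{1}] {2}' -f $_.Name, $_.ProcessId, $_.ExecutablePath }
    "Parent chain for $Suspect PID $($p.ProcessId):`n  " + ($hops -join "`n  <- ")
}

# Case 2: which process is hammering the disk? WriteTransferCount is cumulative
# since process start, so take two snapshots and rank by the rate in between.
Start-Sleep -Seconds $SampleSeconds
$after = Get-ProcessSnapshot

$rates = foreach ($id in $after.Keys) {
    if (-not $before.ContainsKey($id)) { continue }   # started during the sample
    $a = $after[$id]; $b = $before[$id]
    [pscustomobject]@{
        Name        = $a.Name
        PID         = $id
        ParentPID   = $a.ParentProcessId
        WriteMBPerS = [math]::Round(($a.WriteTransferCount - $b.WriteTransferCount) / 1MB / $SampleSeconds, 2)
        WritesPerS  = [math]::Round(($a.WriteOperationCount - $b.WriteOperationCount) / $SampleSeconds)
        Path        = $a.ExecutablePath
    }
}
$rates | Sort-Object WriteMBPerS -Descending | Select-Object -First $TopN | Format-Table -AutoSize
```

The parent chain is only as good as the snapshot: a guardian that exits immediately after relaunching its partner leaves a ParentProcessId that points nowhere, which is itself a useful sign. Ranking by rate rather than by the cumulative counter keeps a long-running but idle process from hiding the one that is actually writing now.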

Second, the unassuming system Backup tool as a virus killer

I once ran into a virus at "C:\Program Files\Common Files\PCSuite\rasdf.exe" that could not be deleted and could not even be copied. How do you get rid of it? I cleared it with the system Backup tool, as follows:

Step one: click "Start → All Programs → Accessories → System Tools → Backup" to open the Backup or Restore Wizard. Choose to back up files, pick "Let me choose what to back up", and select "C:\Program Files\Common Files\PCSuite".

Step two: continue through the wizard, saving the backup as "g:\virus.bkf". In the backup options tick "Use Volume Shadow Copy" (the shadow copy is what lets the tool read a file that is held open by a running process), and accept the defaults for the rest of the backup.

Step three: double-click "g:\virus.bkf" to open the Backup or Restore Wizard again and restore the backup to "g:\virus". Open "g:\virus", load the virus file "rasdf.exe" in Notepad, delete a few lines at random and save. Saving a binary from Notepad destroys it, so the copy can no longer run.

Step four: repeat the backup procedure on "g:\virus", producing "g:\virus1.bkf". Start the Restore Wizard, choose "C:\Program Files\Common Files\PCSuite\" as the restore location, and in the restore options select "Replace existing files". Even though the virus is running, the Backup tool can still replace the live file with the damaged copy. When the restore finishes the system asks for a restart; after the reboot the virus no longer starts, because the file it loads has been wrecked by Notepad.
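The same result can be had without the wizard. The script below is an added example, not the article's own procedure: it creates a replacement that is not a valid program and asks Windows to swap it over the locked file at the next boot through MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT, the mechanism that records the pair under the Session Manager's PendingFileRenameOperations value and is carried out before any Run key or service starts. The target path is the article's example and is assumed to be replaced with the real file.

```powershell
# Added example, not the article's own procedure. It achieves the same result as
# the Backup/Restore trick above without the wizard: produce a replacement for the
# locked file that is no longer a valid program, and ask Windows to swap it over
# the original at the next boot. The swap is done by MoveFileEx with
# MOVEFILE_DELAY_UNTIL_REBOOT, which records the pair under
# HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations
# and is carried out by the Session Manager before any Run key or service runs.
# The target path is the article's example; replace it with the real file. Run from
# an elevated PowerShell; the reboot itself is left to you.
param(
    [string]$Target = 'C:\Program Files\Common Files\PCSuite\rasdf.exe'
)

if (-not (Test-Path -LiteralPath $Target)) { throw "Target not found: $Target" }

Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool MoveFileEx(string lpExistingFileName, string lpNewFileName, int dwFlags);
'@
$MOVEFILE_REPLACE_EXISTING   = 0x1
$MOVEFILE_DELAY_UNTIL_REBOOT = 0x4

# The delayed operation is a rename, not a copy, so the replacement must sit on
# the same volume as the target.
$volume      = Split-Path -Qualifier $Target                        # e.g. 'C:'
$replacement = Join-Path "$volume\" ('neutered_' + (Split-Path -Leaf $Target))

# Equivalent of "open it in Notepad, delete some lines, save": an empty file is
# not a valid PE image, so CreateProcess will refuse to run it after the swap.
[System.IO.File]::WriteAllBytes($replacement, [byte[]]@())

$ok = [Win32.Native]::MoveFileEx($replacement, $Target,
        ($MOVEFILE_REPLACE_EXISTING -bor $MOVEFILE_DELAY_UNTIL_REBOOT))
if (-not $ok) {
    $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
    throw "MoveFileEx failed with Win32 error $err"
}

# Confirm what has been queued before rebooting. Entries come in pairs:
# \??\source followed by \??\destination.
$sm = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
(Get-ItemProperty -Path $sm -Name PendingFileRenameOperations).PendingFileRenameOperations
```

Check the PendingFileRenameOperations output before rebooting: if the virus also watches that value and removes its own entry, the swap silently does not happen, and the Backup tool route described above (which does the replacement itself) is the fallback.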

Third, Notepad as a weapon

1. Killing a dual-process Trojan

More and more Trojans now protect themselves with dual-process guarding: two programs carry the same functional code and continuously check whether their partner has been terminated; if one finds the other gone, it recreates it. This makes killing them very hard. These Trojans do have a weakness, though: they usually decide whether their guardian still exists simply by looking up its name in the process list. So if we replace the Trojan process with a copy of Notepad under the same name, the guardian is deceived and we get what we want.

Take a variant of the Trojan as an example. Its two processes, "internet.exe" and "systemtray.exe", guard each other. Usually, of course, we do not know in advance which processes a Trojan uses to guard itself. But the name alone tells us "systemtray.exe" is suspicious, because it is not a normal Windows process. Use the following replacement method to kill it.

Step one: click "Start → Run", type "Msinfo32" to open System Information, and expand "Software Environment → Running Tasks". There you can see that "systemtray.exe" lives under "C:\Windows\System32".

Step two: open "C:\Windows\System32", copy the Notepad program "notepad.exe" to "D:\", and rename the copy "systemtray.exe".

Step three: open Notepad, enter the following lines, save the file as "shadu.bat" and put it on the desktop (lines beginning with rem are comments):

@echo off
rem force-terminate the systemtray.exe process
taskkill /f /im systemtray.exe
rem delete the virus file
del /f /q C:\Windows\System32\systemtray.exe
rem put the renamed Notepad in its place
copy /y d:\systemtray.exe C:\Windows\System32\

Step four: run "shadu.bat" from the desktop. It terminates the "systemtray.exe" process, deletes its file and copies the renamed Notepad into the system directory. The guardian process "mistakes" the copy for its partner: finding the process gone, it immediately launches the file, which now simply opens a Notepad window.

Step five: now we only need to identify and remove the guardian. At the command prompt type "taskkill /f /im systemtray.exe /t" to terminate the regenerated "systemtray.exe"; the output reports that "systemtray.exe" is a child process of PID 3288. Open Task Manager and look up PID 3288: it is "internet.exe", the "culprit" that keeps regenerating the Trojan.

Step six: using System Information as in step one, confirm that "internet.exe" also lives in the system directory. Terminate the "internet.exe" process, then go to the system directory and delete both files.
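Steps two to five can be run as one script. The following is an added example, not the article's own script: it removes the guarded file (retrying, because the guardian can recreate it between the kill and the delete), plants the renamed Notepad, waits for the guardian to relaunch it, and reports the parent of that relaunch. 'systemtray.exe' is the article's example name, not a real indicator, and the fifteen-second wait is an assumption.

```powershell
# Added example, not the article's own script. It automates steps two to five:
# stop the guarded process, replace its file with a copy of Notepad under the
# same name, wait for the guardian to relaunch "it", and report the parent of that
# relaunch as the guardian. 'systemtray.exe' is the article's example name, not a
# real indicator. Run elevated; Windows PowerShell 4.0 or later (Get-FileHash).
param(
    [string]$Guarded     = 'systemtray.exe',
    [string]$Directory   = "$env:SystemRoot\System32",
    [int]   $WaitSeconds = 15
)
$target    = Join-Path $Directory $Guarded
$decoy     = Join-Path $env:SystemRoot 'System32\notepad.exe'
$decoyHash = (Get-FileHash -Algorithm SHA256 -LiteralPath $decoy).Hash
$baseName  = [IO.Path]::GetFileNameWithoutExtension($Guarded)

# Steps two and three (the batch file above), with a retry because the guardian
# may recreate the file between the kill and the delete.
for ($i = 0; $i -lt 5 -and (Test-Path -LiteralPath $target); $i++) {
    Stop-Process -Name $baseName -Force -ErrorAction SilentlyContinue
    Remove-Item -LiteralPath $target -Force -ErrorAction SilentlyContinue
    Start-Sleep -Milliseconds 200
}
if (Test-Path -LiteralPath $target) {
    throw "Could not remove $target; it is held open or recreated faster than it can be deleted."
}
Copy-Item -LiteralPath $decoy -Destination $target -Force

# Step four: the process is already gone, so on its next poll the guardian
# launches the file by name. That file is now Notepad.
$deadline  = (Get-Date).AddSeconds($WaitSeconds)
$respawned = $null
do {
    Start-Sleep -Milliseconds 500
    $respawned = Get-CimInstance -ClassName Win32_Process -Filter "Name = '$Guarded'" |
        Select-Object -First 1
} until ($respawned -or (Get-Date) -gt $deadline)

if (-not $respawned) {
    "No process named $Guarded reappeared within $WaitSeconds s; the guardian polls slowly, or keys on something other than the name."
    return
}

# Step five: ParentProcessId of the relaunch is the guardian. Also verify that the
# file on disk is still our decoy and was not re-copied from a hidden backup.
$guardian = Get-CimInstance -ClassName Win32_Process -Filter "ProcessId = $($respawned.ParentProcessId)"
$guardianText = if ($guardian) { '{0} [{1}] {2}' -f $guardian.Name, $guardian.ProcessId, $guardian.ExecutablePath } else { "PID $($respawned.ParentProcessId) (already exited)" }
[pscustomobject]@{
    Relaunched  = '{0} [{1}]' -f $respawned.Name, $respawned.ProcessId
    Guardian    = $guardianText
    DecoyIntact = ((Get-FileHash -Algorithm SHA256 -LiteralPath $target).Hash -eq $decoyHash)
}
```

DecoyIntact is the check the article's manual method lacks: a guardian that carries a second copy of its partner and writes it back before relaunching will show the original hash again, which tells you the hidden copy has to be found and deleted as well.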

2. Disabling the virus and then removing it

As you know, files are just code, and in theory Notepad can open any file (some will display as garbage). If we make EXE files open in Notepad, a malicious program that is "started" is merely loaded into Notepad and loses its ability to do harm. For example, many persistent viruses put themselves in hard-to-remove start-up locations such as the registry key "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" so that they run at every boot. Here is how Notepad can be used to "waste" the virus's vitality.

Step one: open a command prompt and type "ftype exefile=notepad.exe %1". Now every EXE that is launched through the file association opens in Notepad. Reboot, and several Notepad windows appear on the desktop automatically: they hold the normal programs that start with the system, such as the input method and the volume control, and also the malicious program, which is now opened in Notepad instead of run. (This affects launches that go through the shell association, such as Start → Run, double-click and the Run keys; services are started directly by the service control manager and are not affected.)

Step two: find the Notepad window whose title is the virus program, in this example systemtray.exe, and click "File → Save As": the dialog reveals the virus's location, "C:\Windows\System32". Close the Notepad window, go to that directory and delete the virus.

Step three: after deleting the virus file, delete its start-up key. Then restart the computer, hold down F8, choose "Safe Mode with Command Prompt" from the boot menu, and the system opens a command prompt automatically. Enter ftype exefile="%1" %* to restore the normal way EXE files are opened.
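The path that step two recovers from a Notepad title bar is also sitting in the Run keys. The script below is an added example, not the article's own method: it enumerates the Run and RunOnce keys, resolves each command line to its executable, reports whether the file exists and is signed, and prints the current exefile association so the restore in step three can be verified. It takes no parameters; the command-line parsing is a heuristic, labelled as such in the code.

```powershell
# Added example, not the article's own method. Step two above recovers the virus's
# path from a Notepad title bar; this script reads the same information straight
# from the Run keys, resolves each command line to its executable, and reports
# whether that file exists and carries a valid Authenticode signature. It also
# prints the exefile association so you can confirm it is back to "%1" %* after
# the trick (a changed value there is equally how malware hijacks every EXE).
# Windows PowerShell 3.0 or later; run elevated to read every hive.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Resolve-RunCommand {
    # Heuristic extraction of the program from a Run-key command line: a quoted
    # path, a rundll32 target DLL, or the text before the first ' /' or ' -'
    # argument. Unquoted paths containing spaces stay ambiguous.
    param([string]$CommandLine)
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cmd -match '^"([^"]+)"') { $exe = $Matches[1] } else { $exe = ($cmd -split '\s+[/-]', 2)[0].Trim() }
    if ($exe -match '^(.*\\)?rundll32(\.exe)?$' -and $cmd -match 'rundll32(\.exe)?\s+"?([^",]+)') { $exe = $Matches[2] }
    return $exe
}

$entries = foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $k = Get-Item -Path $key
    foreach ($name in $k.GetValueNames()) {
        $exe    = Resolve-RunCommand ([string]$k.GetValue($name))
        $exists = [bool]$exe -and (Test-Path -LiteralPath $exe -PathType Leaf)
        $signed = if ($exists) { (Get-AuthenticodeSignature -LiteralPath $exe).Status } else { 'n/a' }
        [pscustomobject]@{ Key = $key; Name = $name; Exe = $exe; Exists = $exists; Signed = $signed }
    }
}
# Unsigned or missing binaries in Run keys are the first entries to explain.
$entries | Sort-Object Signed, Key | Format-Table -AutoSize

# The association the Notepad trick rewrites (ftype exefile=...). Default is "%1" %*.
$assoc = (Get-Item -Path 'HKLM:\SOFTWARE\Classes\exefile\shell\open\command').GetValue('')
if ($assoc -eq '"%1" %*') { 'exefile association is normal.' }
else { "WARNING: exefile association is [$assoc]; restore with: ftype exefile=`"%1`" %*" }
```

Run it before changing the association as well as after: the "before" listing tells you which Run entry and path to delete in step three without having to hunt through Notepad windows, and the "after" run confirms the machine is back to launching EXE files normally.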

Fourth, image hijacking via the registry so the virus cannot run

Viruses now use IFEO, popularly called image hijacking: a "Debugger" value under the registry key

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

changes what is actually launched when a program is called. Viruses use it to steal the start of anti-virus software and run the virus in its place. We can turn the same mechanism against the virus and take away its ability to run. Deception, truly, cuts both ways.

Here we take the unknown virus KAVSVC.EXE as an example. The procedure is as follows:

Step one: create a text file with the following contents and save it as 1.reg:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVSVC.EXE]
"Debugger"="d:\\1.exe"

(Note: leave a blank line after the first line; backslashes in the value are doubled, as the .reg format requires.)

Step two: double-click the reg file to import it and confirm.

Step three: click "Start → Run" and enter KAVSVC.EXE to confirm that it no longer starts.

Tip: 1.exe can be any useless file; for example create an empty text file and rename it from .txt to .exe. Windows must start the "debugger" before the image it is registered for, and a file that is not a valid program cannot be started, so the launch of KAVSVC.EXE fails. Note that IFEO matches on file name alone, regardless of directory, so the entry also stops any legitimate program with that name; delete the key once the virus file itself has been removed.
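Because the same key serves attackers, it is worth auditing before adding to it. The script below is an added example, not the article's own .reg file: it lists every IFEO entry that already carries a Debugger value, showing whether the debugger exists and is signed, and provides functions that add or remove a blocking entry for one image the way the .reg file does. 'KAVSVC.EXE' and 'd:\1.exe' are the article's example names.

```powershell
# Added example, not the article's own .reg file. It audits every Image File
# Execution Options entry that carries a Debugger value (the attacker-side use
# described above, where anti-virus images are redirected) and provides functions
# that add or remove a blocking entry for one image the way the .reg file does.
# 'KAVSVC.EXE' and 'd:\1.exe' are the article's example names; the debugger path
# is meant to be a file that is not a valid program, so the launch fails. Run
# elevated; Windows PowerShell 3.0 or later.
$IFEO = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

function Split-DebuggerPath {
    # Debugger values look like  "C:\tools\dbg.exe" -g   or  ntsd -d   or  d:\1.exe
    param([string]$Value)
    $v = [Environment]::ExpandEnvironmentVariables($Value.Trim())
    if ($v -match '^"([^"]+)"') { return $Matches[1] }
    return ($v -split '\s+', 2)[0]
}

function Get-IfeoDebuggers {
    # One object per hijacked image: what it points at, whether that file exists,
    # and whether it is signed. Missing or unsigned debuggers need explaining,
    # whoever planted them.
    foreach ($sub in Get-ChildItem -Path $IFEO) {
        $dbg = $sub.GetValue('Debugger')
        if (-not $dbg) { continue }
        $exe = Split-DebuggerPath $dbg
        # Unqualified names (ntsd, vsjitdebugger.exe) are resolved through PATH.
        $resolved = if ([IO.Path]::IsPathRooted($exe)) { $exe } else { (Get-Command -Name $exe -CommandType Application -ErrorAction SilentlyContinue | Select-Object -First 1).Path }
        $exists = [bool]$resolved -and (Test-Path -LiteralPath $resolved -PathType Leaf)
        $signed = if ($exists) { (Get-AuthenticodeSignature -LiteralPath $resolved).Status } else { 'n/a' }
        [pscustomobject]@{ Image = $sub.PSChildName; Debugger = $dbg; Resolved = $resolved; Exists = $exists; Signed = $signed }
    }
}

function Set-IfeoBlock {
    # Article step one without a .reg file: point the image's Debugger at a file
    # that cannot run. CreateProcess must start the debugger first, so it fails.
    # IFEO matches the file name only, so this blocks every file with that name.
    param([Parameter(Mandatory)][string]$Image, [string]$Debugger = 'd:\1.exe')
    $key = Join-Path -Path $IFEO -ChildPath $Image
    if (-not (Test-Path -Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name Debugger -Value $Debugger
}

function Remove-IfeoBlock {
    # Undo Set-IfeoBlock once the virus file itself is gone; drops the subkey if
    # nothing else is left in it.
    param([Parameter(Mandatory)][string]$Image)
    $key = Join-Path -Path $IFEO -ChildPath $Image
    if (-not (Test-Path -Path $key)) { return }
    Remove-ItemProperty -Path $key -Name Debugger -ErrorAction SilentlyContinue
    $k = Get-Item -Path $key
    if ($k.ValueCount -eq 0 -and $k.SubKeyCount -eq 0) { Remove-Item -Path $key }
}

# Usage:
#   Set-IfeoBlock -Image 'KAVSVC.EXE'      # then Start -> Run KAVSVC.EXE fails to launch
#   Remove-IfeoBlock -Image 'KAVSVC.EXE'   # after the virus file has been deleted
Get-IfeoDebuggers | Sort-Object Exists, Signed | Format-Table -AutoSize
```

Read the audit output with the article's own warning in mind: an entry whose image is an anti-virus executable and whose debugger is unsigned, missing, or sitting in a user-writable directory is the hijack the section opens with, and it should be removed before trusting anything the scanner reports.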

Summary: when a Trojan or virus has us in pain, or when dragging out the full anti-virus suite for one pest feels like using a butcher's cleaver to kill a chicken, try the system's own tools against it; they may have an unexpected effect.

Category: OS   Date: 2010-04-09   Views: 238