windows system comes with the most humble but most powerful anti-virus tools

Windows ships with many built-in tools, each meant for a particular job. These tools are more versatile than they look: with a little imagination and a willingness to dig, you will find that they can also help with virus removal. Don't believe it? Read on.

First: Task Manager, a knife at the virus's back

Windows Task Manager is the primary tool for managing processes; its "Processes" tab shows information about every process currently running. With the default settings you only see columns such as Image Name, User Name, CPU and Memory Usage, while others, such as I/O reads and writes and virtual memory size, stay hidden. Those hidden columns are easy to overlook, but when the system behaves inexplicably they are often where the breakthrough is found.

1. Killing a Trojan that runs as a pair of processes

A while ago a friend's computer was infected with a Trojan. Task Manager showed the Trojan's process as "system.exe", but terminating it and refreshing the list showed it had come straight back. Booting into Safe Mode and deleting c:\windows\system32\system.exe did not help either: after a reboot it was there again, and there seemed to be no way to remove it completely. This behaviour points to a dual-process Trojan: a guardian process scans at regular intervals and, as soon as it finds the protected process has been killed, revives it. Many Trojans now run two processes that watch each other, so either one can resurrect the other. The key to killing such a Trojan is to find both of the "interdependent" files, and Task Manager's process ID (PID) column is what lets us do that.

Open Task Manager, go to "View → Select Columns" and check "PID (Process Identifier)"; back in the Task Manager window every process now shows its PID. This way, after we terminate a process and it regenerates, the PID lets us trace the parent process that recreated it. Open a command prompt and run "taskkill /im system.exe /f". Refresh, then run the command again; as shown in Figure 1, the output reports that the terminated system.exe had PID 1536 and was a child of PID 676. In other words, the system.exe process (PID 1536) was created by the process with PID 676. Back in Task Manager, look up PID 676: it belongs to "internet.exe".

Now that the culprit is known the rest is easy: reboot into Safe Mode, use the Search function to find the Trojan file c:\windows\internet.exe, and delete it. system.exe could not be removed earlier because internet.exe had not been found (and its startup key had not been deleted), so internet.exe revived the Trojan every time the system started.
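The PID trick above, scripted as a reusable check. This is an added example, not code from the original post: it kills every instance of a named process, waits, and if the process comes back reports which process recreated it, using the ParentProcessId field of Win32_Process. It assumes an elevated PowerShell session; the process name and wait time are parameters.

```powershell
# Added example (not from the original post): find the guardian behind a
# process that keeps coming back. Assumes PowerShell run as Administrator.
function Find-Respawner {
    param(
        [Parameter(Mandatory)][string]$Name,   # image name, e.g. system.exe
        [int]$WaitSeconds = 5                  # how long to wait for the revival
    )

    $before = @(Get-CimInstance Win32_Process -Filter "Name = '$Name'")
    if ($before.Count -eq 0) { Write-Warning "No running process named $Name"; return }

    # Same effect as: taskkill /f /im <name>
    foreach ($p in $before) {
        Stop-Process -Id $p.ProcessId -Force -ErrorAction SilentlyContinue
    }
    Start-Sleep -Seconds $WaitSeconds

    $after = @(Get-CimInstance Win32_Process -Filter "Name = '$Name'")
    if ($after.Count -eq 0) {
        Write-Host "$Name did not come back: no guardian process."
        return
    }

    foreach ($p in $after) {
        # ParentProcessId is the creator's PID (676 in the article). Windows does
        # not clear it when the creator exits, so resolve it straight away.
        $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
        [pscustomobject]@{
            Respawned  = $p.Name
            PID        = $p.ProcessId
            ParentPID  = $p.ParentProcessId
            ParentName = $(if ($parent) { $parent.Name } else { '<exited>' })
            ParentPath = $(if ($parent) { $parent.ExecutablePath } else { $null })
        }
    }
}

# Sample run against the process name from the article
Find-Respawner -Name 'system.exe'
```

If the parent shows as '<exited>', the guardian may be a short-lived launcher or a scheduled task rather than a long-running partner process, which calls for a different hunt.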

2. Tracking down a P2P program that is thrashing the hard disk

One of the computers in our office had its hard-disk light on constantly and the disk spinning madly whenever it was online. Clearly some process was reading and writing large amounts of data, but antivirus scans found no viruses, Trojans or other malicious programs.

With the computer online, press Ctrl+Alt+Del to open Task Manager, switch to the "Processes" tab, click "View → Select Columns" and check both "I/O Writes" and "I/O Write Bytes". Back in Task Manager an unfamiliar process, hidel.exe, stood out: its CPU and memory use were nothing special, but its I/O write volume was staggering. It was clearly the troublemaker; right-clicking it and choosing "End Process" terminated it, and disk activity returned to normal.
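The same "I/O Write Bytes" comparison done from PowerShell rather than the Task Manager GUI. This is an added example, not code from the original post: Win32_Process exposes the cumulative WriteTransferCount counter, so the function takes two snapshots, subtracts them, and ranks processes by bytes written during the window. The window length and result count are assumed parameters.

```powershell
# Added example (not from the original post): rank processes by bytes written
# to disk during a sampling window. Works unelevated, but ExecutablePath is
# only visible for other users' processes when run as Administrator.
function Get-TopDiskWriters {
    param(
        [int]$Seconds = 5,   # sampling window
        [int]$Top = 10       # how many processes to report
    )

    # First snapshot: PID -> cumulative bytes written so far
    $snap = @{}
    Get-CimInstance Win32_Process | ForEach-Object {
        $snap[$_.ProcessId] = $_.WriteTransferCount
    }
    Start-Sleep -Seconds $Seconds

    # Second snapshot: keep only processes that existed in both, diff the counter
    Get-CimInstance Win32_Process | ForEach-Object {
        if ($snap.ContainsKey($_.ProcessId)) {
            $delta = $_.WriteTransferCount - $snap[$_.ProcessId]
            [pscustomobject]@{
                Name      = $_.Name
                PID       = $_.ProcessId
                WrittenMB = [math]::Round($delta / 1MB, 2)
                Path      = $_.ExecutablePath
            }
        }
    } | Sort-Object WrittenMB -Descending | Select-Object -First $Top
}

# Sample run: a process like the article's hidel.exe would sit at the top
Get-TopDiskWriters -Seconds 5 | Format-Table -AutoSize
```

Processes that started or exited inside the window are skipped, so run it twice if the first result looks empty.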

Second: the unobtrusive system Backup tool removes viruses

I once ran into a virus, "C:\Program Files\Common Files\PCSuite\rasdf.exe", that could neither be deleted nor even copied. How to clear it? I removed it with the system Backup tool, as follows:

Step one: click "Start → All Programs → Accessories → System Tools → Backup" to open the Backup or Restore Wizard, choose to back up files, select "Let me choose what to back up", and navigate to "C:\Program Files\Common Files\PCSuite".

Step two: continue through the wizard, save the backup as "g:\virus.bkf", and under the backup options check "Use Volume Shadow Copy"; complete the rest of the backup with the default settings. The shadow copy is what lets the backup read a file that is locked while the virus is running.

Step three: double-click "g:\virus.bkf" to open the Backup or Restore Wizard and restore the backup to "g:\virus". Open "g:\virus", open the virus file "rasdf.exe" in Notepad, delete a few lines of its content at random and save. The file has now been wrecked by Notepad and can no longer run.

Step four: repeat the backup procedure, this time backing up the modified "k:\virus" folder to "k:\virus1.bkf". Then start the Restore Wizard, choose "C:\Program Files\Common Files\PCSuite\" as the restore location and set the restore option to "Replace existing files". Even though the virus is running, the Backup tool can still replace the live virus file with the damaged copy. When the restore finishes the system asks to restart; after the restart the virus no longer launches, because the file has been wrecked by Notepad.

Third: Notepad's side job

1. Killing a dual-process Trojan

More and more Trojans now protect themselves with dual-process guarding: two programs with the same code continuously check whether the other has been terminated, and as soon as one finds its partner gone it recreates it, which makes killing them very difficult. These Trojans have a weakness, though: they decide whether their guardian is alive only by looking for its process name in the process list. So if we replace the Trojan process with Notepad we can "deceive" them.

The following kills one Trojan variant as an example. This Trojan's two processes, "internet.exe" and "systemtray.exe", guard each other. Usually we do not know in advance which processes a Trojan guards, but the process name gives it away: "systemtray.exe" is suspicious because no normal system process uses that name. Kill it with the replacement method below.

Step one: click "Start → Run", type "Msinfo32" to open the System Information window, expand "System Summary → Software Environment → Running Tasks", and you will see that "systemtray.exe" lives under "C:\Windows\System32".

Step two: open "C:\Windows\System32", copy the Notepad program "notepad.exe" to "D:\" and rename the copy "systemtray.exe".

Step three: open Notepad, enter the following lines, save the file as "shadu.bat" and put it on the desktop (the rem lines are comments):

@echo off
rem force-terminate the systemtray.exe process
taskkill /f /im systemtray.exe
rem delete the virus file
del C:\Windows\System32\systemtray.exe
rem replace it with the renamed Notepad copy
copy d:\systemtray.exe C:\Windows\System32\

Step four: run "shadu.bat" from the desktop. The system terminates the "systemtray.exe" process, deletes its file and copies the renamed Notepad into the system directory. Because the guardian process only checks the process name, it is "fooled" into believing its partner still exists, and what it launches is a Notepad window.

Step five: now we only need to identify and remove the guardian process. At a command prompt type "taskkill /f /im systemtray.exe" to terminate the regenerated "systemtray.exe"; the output shows that "systemtray.exe" was created by the process with PID 3288. Open Task Manager, find PID 3288 and you will see it is "internet.exe", the "culprit" behind the regeneration.

Step six: as in step one, open the System Information window and you will see that "internet.exe" is also in the system directory. Terminate the "internet.exe" process, go to the system directory and delete both files.

2. Disabling and removing viruses

As you know, files are made of code, and in theory Notepad can open any file (some will show as garbage). We can associate the virus's file type with Notepad so that, instead of running, the virus is opened in Notepad and loses its ability to do harm. For example, some stubborn viruses create values under registry keys such as "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" that are hard to remove, so that they start with the system and carry out their malicious purpose. Here is how to use Notepad to "drain" the life out of such a virus.

Step one: open a command prompt and type "ftype exefile=notepad.exe %1". Every EXE program is now opened with Notepad. After a reboot you will find that several programs start automatically on the desktop, both normal ones such as the input method and the volume control and, of course, the malicious rogue program, but all of them now open in Notepad. Note that this affects every EXE on the system, including the tools you need for the clean-up, which is why step three restores the association.

Step two: look through the Notepad window titles to find the virus program, in this example systemtray.exe. In that Notepad window click "File → Save As" and the dialog reveals the virus's exact path, under "C:\Windows\System32". Close the Notepad window, go to that directory and delete the virus.

Step three: after deleting the virus, delete its startup key, then restart the computer, hold down F8, choose "Safe Mode with Command Prompt" from the Safe Mode menu, and the system opens a command prompt automatically. Enter "ftype exefile="%1" %*" to restore the normal way of opening EXE files.

Fourth: use registry image hijacking to leave the virus helpless

Viruses now make use of IFEO (Image File Execution Options), popularly known as image hijacking: the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options is used to redirect a program launch to a different executable. Viruses use it to replace normal anti-virus software with the virus program. We can turn this around and use the same key to fool the virus and render it ineffective: beating the deceivers at their own game.

Here we use an unknown virus, KAVSVC.EXE, as the example. The steps are as follows:

Step one: create a text file with the following content and save it as 1.reg:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVSVC.EXE]
"Debugger"="d:\\1.exe"

(Note: leave a blank line after the first line; backslashes in a .reg value are written doubled.)

Step two: double-click the .reg file to import it and confirm.

Step three: click "Start → Run" and enter KAVSVC.EXE to confirm that it no longer runs.

Tip: 1.exe can be any harmless file; for example, create an empty text file and change its extension from .txt to .exe. Windows launches whatever the Debugger value names in place of the original program, so pointing it at a file that is not a real executable simply makes the launch fail.
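Both of the hijack points used in this article, the IFEO "Debugger" value above and the exefile association from the Notepad section, are exactly what a virus abuses in the other direction, so it is worth auditing them after a clean-up. This is an added example, not code from the original post: it lists every IFEO subkey that carries a Debugger value and checks whether the exefile type still points at the default "%1" %*.

```powershell
# Added example (not from the original post): audit IFEO Debugger entries and
# the exefile association. Reading both keys needs no elevation.
function Get-IfeoDebuggerEntries {
    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    Get-ChildItem -Path $ifeo | ForEach-Object {
        # Most subkeys have no Debugger value; suppress the error for those
        $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ($dbg) {
            # Strip a quoted path's arguments so the existence check is meaningful
            $target = $dbg -replace '^"([^"]+)".*', '$1'
            [pscustomobject]@{
                Image    = $_.PSChildName          # e.g. KAVSVC.EXE
                Debugger = $dbg                    # e.g. d:\1.exe
                # A missing or non-executable debugger silently blocks the image,
                # which is the article's trick; a present one may be a hijack.
                Exists   = Test-Path -LiteralPath $target
            }
        }
    }
}

function Test-ExefileAssociation {
    # This default value is what "ftype exefile" prints at the command prompt
    $key = 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'
    $cmd = (Get-ItemProperty -Path $key).'(default)'
    [pscustomobject]@{
        Command   = $cmd
        IsDefault = ($cmd -eq '"%1" %*')   # false while notepad.exe %1 is set
    }
}

Get-IfeoDebuggerEntries | Format-Table -AutoSize
Test-ExefileAssociation
```

Legitimate debugger entries do exist (developer tools register them), so treat a hit as something to explain, not automatically delete.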

Summary: when Trojans and viruses have us suffering or feeling powerless, and antivirus software seems like "using an ox-cleaver to kill a chicken", we can turn to the system's own tools to remove them, often with surprising results.