windows system comes with the most humble but most powerful anti-virus tools

Windows integrates many tools, each with its own job, to serve different user needs. In fact these tools are "versatile": with enough imagination and a willingness to dig, you will find that besides their day job they can also help us fight viruses. Don't believe it? Read on!

I. Task Manager: a knife at the virus's back

Windows Task Manager is the main tool for managing processes; its "Processes" tab shows information about every process currently running. With the default settings you usually see only the image name, user name, CPU usage, memory usage and a few other columns; more of them, such as I/O reads and writes and virtual memory size, are hidden. Do not underestimate that hidden information: when the system fails in inexplicable ways, it is often where you find the breakthrough.

1. Killing a two-process Trojan that keeps coming back

A while ago a friend's computer picked up a Trojan. Through Task Manager the Trojan process was identified as "system.exe", but after terminating it and refreshing the list it was back. Booting into Safe Mode and deleting c:\windows\system32\system.exe did not help either: after a reboot it was loaded again, and nothing would remove it completely. From this behaviour the friend guessed it was a dual-process Trojan. Such a Trojan has a guardian process that scans periodically; once it finds that the process it guards has been killed, it brings it back to life. Many Trojans now use two processes that watch each other, each resurrecting the other. So the key to killing it is to find both of the "interdependent" Trojan files, and with Task Manager we can find them through the PID (process identifier).

Open Windows Task Manager, go to "View → Select Columns" and tick "PID (Process Identifier)"; back in the Task Manager window you can now see each process's PID. Then, when we terminate a process and it regenerates, we can use the PID to find the parent process that recreated it. Open a command prompt and run "taskkill /im system.exe /f". Refresh and run the command again; as shown in Figure 1, the output reports that the terminated system.exe had PID 1536 and was a child of the process with PID 676. That is, the system.exe process (PID 1536) was created by the process with PID 676. Back in Task Manager, look up PID 676 in the process list: it is the "internet.exe" process. (See figure.)

Now that the culprit is known it is easy to deal with: reboot into Safe Mode, use the search function to find the Trojan file c:\windows\internet.exe, and delete it. The reason system.exe could not be removed earlier is simply that internet.exe had not been found (and its start-up key had not been deleted), so after re-entering the system internet.exe resurrected the Trojan.
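A scripted version of this parent-PID trace, as an added example that is not part of the original article: the functions below (Get-ProcessParent and Trace-Respawn are my own names) record the parent of every process with the given image name, force-terminate them, wait, and report which process recreated the new instance. They read ParentProcessId from the Win32_Process class, which is the same relationship taskkill prints as "child process of PID". The image name "system.exe" is the one from the article.

```powershell
# Added example, not from the original article. Assumed names: Get-ProcessParent,
# Trace-Respawn. 'system.exe' is the image name used in the article's case.
function Get-ProcessParent {
    # Return every running instance of $ImageName together with its parent process.
    param([Parameter(Mandatory)][string]$ImageName)
    Get-CimInstance -ClassName Win32_Process -Filter "Name = '$ImageName'" | ForEach-Object {
        $parent = Get-CimInstance -ClassName Win32_Process -Filter "ProcessId = $($_.ParentProcessId)"
        [pscustomobject]@{
            Name       = $_.Name
            ProcessId  = $_.ProcessId
            Path       = $_.ExecutablePath
            ParentId   = $_.ParentProcessId
            # If the parent has already exited its PID may have been reused, so treat
            # '<not running>' as "unknown", not as proof that the creator is gone.
            ParentName = if ($parent) { $parent.Name } else { '<not running>' }
            ParentPath = if ($parent) { $parent.ExecutablePath } else { $null }
        }
    }
}

function Trace-Respawn {
    # Kill every instance of $ImageName, wait, and show which process recreated it.
    param([Parameter(Mandatory)][string]$ImageName, [int]$WaitSeconds = 5)
    $before = @(Get-ProcessParent -ImageName $ImageName)
    if ($before.Count -eq 0) { Write-Warning "No running process named $ImageName"; return }
    Write-Host "Before termination:"
    $before | Format-Table -AutoSize | Out-Host
    # Equivalent of "taskkill /f /im <name>"; needs administrator rights for
    # processes owned by other users or by SYSTEM.
    $before | ForEach-Object { Stop-Process -Id $_.ProcessId -Force -ErrorAction SilentlyContinue }
    Start-Sleep -Seconds $WaitSeconds
    $after = @(Get-ProcessParent -ImageName $ImageName)
    if ($after.Count -eq 0) {
        Write-Host "$ImageName did not come back within $WaitSeconds s."
    } else {
        Write-Host "$ImageName came back; the process that recreated it:"
        $after | Format-Table -AutoSize | Out-Host
    }
    return $after
}

# Usage (from an elevated PowerShell prompt):
# Trace-Respawn -ImageName 'system.exe'
```

The returned objects include the parent's executable path, which saves the Safe Mode search described above; the usual caveat is that a Trojan whose guardian is itself being relaunched will show a different parent PID on each run, so repeat the trace for the parent name until the chain closes.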

2. Ferreting out a P2P program that drives the hard disk mad

A computer in the office would, as soon as it booted and went online, keep its hard disk light on and the disk spinning like mad. Clearly some process was reading and writing data, but anti-virus scans found no virus, Trojan or other malicious program.

Boot the computer and go online, press Ctrl+Alt+Del to start Task Manager, switch to the "Processes" tab, click "View → Select Columns" and tick both "I/O Writes" and "I/O Write Bytes". Click OK, and back in Task Manager a strange process, hidel.exe, stands out: its CPU and memory usage are not especially high, but its I/O write volume is staggering. That is the one playing tricks. Right-click it and choose "End Process" to terminate it, and sure enough disk reads and writes return to normal.
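The same counters behind Task Manager's "I/O Writes" and "I/O Write Bytes" columns are exposed by Win32_Process as WriteOperationCount and WriteTransferCount, so the check can be scripted. The function below is an added example, not from the article; Get-IoWriteRate is my own name. Because those counters are cumulative over a process's lifetime, it takes two snapshots a few seconds apart and ranks processes by the bytes written in between, which points at whoever is thrashing the disk right now rather than a long-running process with a large historic total.

```powershell
# Added example, not from the original article. Assumed name: Get-IoWriteRate.
function Get-IoWriteRate {
    # Rank processes by bytes written per second over a sampling window.
    param([int]$Seconds = 5, [int]$Top = 10)

    # Snapshot the cumulative I/O write counters of every process.
    $snapshot = {
        Get-CimInstance -ClassName Win32_Process |
            Select-Object ProcessId, Name, ExecutablePath, WriteOperationCount, WriteTransferCount
    }

    $first = @{}
    & $snapshot | ForEach-Object { $first[$_.ProcessId] = $_ }
    Start-Sleep -Seconds $Seconds

    & $snapshot | ForEach-Object {
        $base = $first[$_.ProcessId]
        # Skip processes that started during the window (no baseline to diff against).
        # A PID freed and reused inside the window can produce a negative delta; treat
        # such rows as noise and resample.
        if ($null -eq $base) { return }
        [pscustomobject]@{
            ProcessId     = $_.ProcessId
            Name          = $_.Name
            Path          = $_.ExecutablePath
            WritesPerSec  = [math]::Round(($_.WriteOperationCount - $base.WriteOperationCount) / $Seconds)
            WriteMBPerSec = [math]::Round(($_.WriteTransferCount - $base.WriteTransferCount) / 1MB / $Seconds, 2)
        }
    } | Sort-Object WriteMBPerSec -Descending | Select-Object -First $Top
}

# Usage: the ten heaviest disk writers over a five-second window.
# Get-IoWriteRate -Seconds 5 -Top 10 | Format-Table -AutoSize
```

Run it from an elevated prompt so that ExecutablePath is filled in for processes owned by other accounts; a process with a huge write rate and an executable path outside Program Files or the Windows directory is the hidel.exe of this story.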

II. Using the system backup tool to defeat a virus that cannot be deleted

I once ran into a virus, "C:\Program Files\Common Files\PCSuite\rasdf.exe", that could neither be deleted nor even copied. How to clear it? I got rid of it with the system's Backup tool; the procedure was as follows:

Step one: click "Start → All Programs → Accessories → System Tools → Backup" to open the Backup or Restore Wizard, choose to back up files, select "Let me choose what to back up", and navigate to "C:\Program Files\Common Files\PCSuite".

Step two: continue through the backup wizard, save the backup file as "g:\virus.bkf", and in the backup options tick "Use Volume Shadow Copy"; complete the remaining backup steps with the default settings.

Step three: double-click "g:\virus.bkf" to open the Backup or Restore Wizard and restore the backup to "g:\virus". Then open "g:\virus", open the virus file "rasdf.exe" in Notepad, delete a few lines of its code at random and save. The virus file has now been destroyed by Notepad (it can no longer run).

Step four: as above, make a backup of "k:\virus" and save it as "k:\virus1.bkf". Then start the Restore Wizard, choose the restore location "C:\Program Files\Common Files\PCSuite\", and choose the restore option "Replace existing files". So even though the virus is running, the backup component can still replace the live virus with the damaged file. When the restore completes the system prompts for a restart; after the restart the virus no longer starts (because it has been damaged by Notepad).

III. Notepad joins the fight

1. Killing a dual-process Trojan

More and more Trojans now protect themselves with dual-process guarding: two programs with the same function code continuously check whether their partner has been terminated, and if one finds the other gone it recreates it, which makes killing them very difficult. But these Trojans also have a weakness: they only check the process list by process name to decide whether their guardian still exists. So we just need to replace the Trojan process with Notepad to "deceive" it and achieve our purpose.

Below is an example of killing a variant of this kind of Trojan. This Trojan's two processes, "internet.exe" and "systemtray.exe", watch each other. Of course, most of the time we do not know in advance which process is guarding which. But from the process name we can tell that "systemtray.exe" is the odd one out, because it is not a normal system process. The Trojan can be killed with the replacement method below.

Step one: click "Start → Run", type "Msinfo32" to open the System Information window, expand "System Summary → Software Environment → Running Tasks", and you can see that the path of "systemtray.exe" is "C:\Windows\System32".

Step two: open "C:\Windows\System32", copy the Notepad program "notepad.exe" to "D:\", and rename the copy "systemtray.exe".

Step three: open Notepad, enter the following code, save it as "shadu.bat" and put it on the desktop (the lines starting with rem are comments and need not be typed):

@echo off
rem use taskkill to force-terminate the "systemtray.exe" process
taskkill /f /im systemtray.exe
rem delete the virus file
del C:\Windows\System32\systemtray.exe
rem replace the virus file with the renamed copy of Notepad
copy d:\systemtray.exe C:\Windows\System32\

Step four: now run "shadu.bat" from the desktop: the system terminates the "systemtray.exe" process, deletes the file and copies the renamed Notepad into the system directory. The guardian process is "fooled" into thinking its partner has died and immediately launches "systemtray.exe" again, which now opens a Notepad window.

Step five: now we only need to identify and remove the guardian process. At the command prompt type "taskkill /f /im systemtray.exe" to terminate the regenerated "systemtray.exe"; the output shows that the "systemtray.exe" process was created by "the process with PID 3288". Open Task Manager and find PID 3288: it is "internet.exe", the culprit behind the regeneration.

Step six: as in step one, open the System Information window and you can see that "internet.exe" is also in the system directory. Terminate the "internet.exe" process, go into the system directory and delete both files, and you are done.

2. Make the virus fail to run, then remove it

As we know, files are made of code, so in theory Notepad can open any file (some will just show as gibberish). We can associate the virus's file type with Notepad, so that instead of being executed it is opened in Notepad and loses its malicious function. For example, some stubborn viruses create hard-to-remove start-up entries in the registry under "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" and similar locations so that they start with the system for malicious purposes. Below we use Notepad to drain the virus's vitality.

Step one: open a command prompt and type "ftype exefile=notepad.exe %1". Now every EXE program is opened with Notepad. After rebooting, we find that several programs started automatically on the desktop, including normal system programs such as the input method and the volume control, and of course the malicious rogue program too, but now every one of them is opened in Notepad.

Step two: look at the titles of the Notepad windows to find the virus program, for example the systemtray.exe program from the previous example. In its Notepad window click "File → Save As" and you can see the virus's exact path, under "C:\Windows\System32". Now close the Notepad windows, go to the system directory found above and delete the virus.

Step three: after deleting the virus, delete its start-up key, then restart the computer, hold down F8, and in the Safe Mode menu select "Safe Mode with Command Prompt"; on entering the system a command prompt opens automatically. Type "ftype exefile="%1" %*" to restore the normal way EXE files are opened.

IV. Registry image hijacking leaves the virus helpless

Viruses now use IFEO technology, popularly known as image hijacking: through the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options they change which program actually gets called, and a virus uses this to quietly replace normal anti-virus software with itself. Conversely, we can use the same key to fool a virus or Trojan and make it fail. Using their own trick against them, indeed.

Here we take the unknown virus KAVSVC.EXE as an example; the procedure is as follows:

Step one: first create a text file, enter the following, and save it as 1.reg:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVSVC.EXE]
"Debugger"="d:\\1.exe"

(Note: leave a blank line after the first line; backslashes in the path are doubled in a .reg file.)

Step two: double-click the reg file to import it and click OK.

Step three: click "Start → Run" and enter KAVSVC.EXE.

Tip: 1.exe can be any useless file; just create a text file and change its extension from .txt to .exe.
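Because this same Image File Execution Options key is what malware uses to hijack anti-virus executables, it is worth being able to audit it. The following is an added example, not from the article; Get-IfeoDebugger is my own name. It lists every image name under the IFEO key (in both the 64-bit and the WOW6432Node views) that has a Debugger value, shows what that value points to, and checks whether the target file exists, which is how you would spot a hijack of a legitimate program as well as confirm the KAVSVC.EXE entry created above.

```powershell
# Added example, not from the original article. Assumed name: Get-IfeoDebugger.
function Get-IfeoDebugger {
    # Report every IFEO entry that redirects an image name to a "debugger".
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    )
    foreach ($root in $roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($key in Get-ChildItem -LiteralPath $root) {
            $debugger = (Get-ItemProperty -LiteralPath $key.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
            if ([string]::IsNullOrWhiteSpace($debugger)) { continue }
            $debugger = $debugger.Trim()
            # The value may be a quoted path followed by arguments, or a bare path;
            # take just the executable so we can check whether it exists on disk.
            $exe = if ($debugger -match '^"([^"]+)"') { $Matches[1] } else { ($debugger -split '\s+')[0] }
            [pscustomobject]@{
                Image        = $key.PSChildName
                Debugger     = $debugger
                TargetExists = [bool](Test-Path -LiteralPath $exe -PathType Leaf)
                View         = if ($root -like '*WOW6432Node*') { '32-bit' } else { '64-bit' }
            }
        }
    }
}

# Usage: review every redirection; anything you did not set yourself deserves a look.
# Get-IfeoDebugger | Format-Table -AutoSize
```

A Debugger value pointing at a missing file (as in the 1.exe trick above) simply stops the image from starting, while one pointing at an unexpected executable means whatever that image was supposed to run has been replaced; a few developer tools register a legitimate debugger here, so compare the list against what is installed rather than treating every entry as hostile.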

Summary: when we suffer at the hands of Trojans and viruses, or feel powerless because anti-virus software is "using an ox-cleaver to kill a chicken", we might as well turn the system's own tools against the Trojan or virus; they can have an unexpected effect.

Category: OS  Date: 2010-04-09  Views: 221