First, be prepared before anything happens: back up the system process list with TaskList.
New viruses have learned to hide themselves among legitimate processes, so it is best to save a snapshot of the process list while the system is known to be clean, and to take it when no other Windows programs are running. Later, when the computer behaves abnormally, the current process list can be compared against this baseline to identify a possible virus process.
At the command prompt type:
tasklist /fo csv > g:\zc.csv
This command writes the current process list in CSV format to the file "zc.csv"; g: is the drive you want to save it to. You can open the file with Excel.
Second, keep your eyes sharp: compare the process list files with FC. If the computer feels abnormal, or you hear of a virus currently spreading, it is time to check.
Into the command prompt, type the following command:
tasklist /fo csv > g:\yc.csv
This generates yc.csv, a list of the current processes. Then type:
fc g:\zc.csv g:\yc.csv
After pressing Enter you can see the differences between the two files. By comparison, the computer has gained one extra process named "Winion0n.exe" (used as the example here) rather than "Winionon.exe"; this is the abnormal process.
Third, judge with clear evidence: use Netstat to view the ports opened by the suspicious process. How do you determine whether it is a virus? Most viruses (Trojans in particular) spread by making external connections through a port, so look at which ports the process occupies.
At the command prompt type:
netstat -a -n -o
The parameters mean the following:
-a: show all connections and listening ports on the host
-n: display addresses and port numbers in numeric form
-o: display the PID of the process owning each connection
After pressing Enter you can see all open ports and the processes with external connections. Here the process with PID 1756 (as an example) is the most suspicious: its state is "ESTABLISHED", and Task Manager shows that this process is "Winion0n.exe". By checking which network programs are running on the machine, you can determine that this is an illegal connection.
The connection states have the following meanings:
LISTENING: in a listening state, meaning the port is open and waiting for a connection but not yet connected; only TCP service ports can be in the LISTENING state.
ESTABLISHED: a connection has been established, meaning the two machines are communicating. TIME_WAIT: the connection has ended; the port was accessed, but the visit is over. These states are used to determine whether an external computer is connected to this machine.
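The comparison in steps two and three can be automated: diff two tasklist snapshots, then pull every netstat line owned by a process that only appears in the newer snapshot. This is an added example, not code from the original post; the tasklist and netstat outputs below are constructed samples, and the process name and PID are the post's own placeholders.

```python
import csv
import io

# Constructed sample output of "tasklist /fo csv": a clean baseline (zc.csv)
# and a later snapshot (yc.csv) with one extra process. Not real captures.
BASELINE_CSV = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Services","0","1,234 K"
"csrss.exe","512","Services","0","4,100 K"
"explorer.exe","1440","Console","1","35,020 K"
'''
CURRENT_CSV = BASELINE_CSV + '"Winion0n.exe","1756","Console","1","2,300 K"\n'

# Constructed sample output of "netstat -a -n -o" (addresses are documentation ranges).
NETSTAT_OUT = '''
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       512
  TCP    192.168.1.5:49233      203.0.113.10:8080      ESTABLISHED     1756
  TCP    192.168.1.5:49240      192.168.1.1:443        TIME_WAIT       0
  UDP    0.0.0.0:500            *:*                                    1440
'''


def parse_tasklist(text):
    """Map PID -> image name from tasklist /fo csv output."""
    return {int(row["PID"]): row["Image Name"] for row in csv.DictReader(io.StringIO(text))}


def new_processes(baseline_csv, current_csv):
    """Processes present in the current snapshot but absent from the baseline (the fc step)."""
    base, cur = parse_tasklist(baseline_csv), parse_tasklist(current_csv)
    return {pid: name for pid, name in cur.items() if pid not in base}


def parse_netstat(text):
    """Return (proto, local, remote, state, pid) tuples from netstat -a -n -o output.
    UDP lines carry no state column, so they get an empty state."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP":
            rows.append((parts[0], parts[1], parts[2], parts[3], int(parts[4])))
        elif len(parts) == 4 and parts[0] == "UDP":
            rows.append((parts[0], parts[1], parts[2], "", int(parts[3])))
    return rows


def suspicious_connections(baseline_csv, current_csv, netstat_text):
    """Connections owned by newly appeared processes; ESTABLISHED ones deserve first attention."""
    new = new_processes(baseline_csv, current_csv)
    return [(pid, new[pid], remote, state)
            for _, _, remote, state, pid in parse_netstat(netstat_text) if pid in new]
```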
Fourth, start the cleanup and be ruthless: terminate the process with NTSD.
Although we now know that "Winion0n.exe" is an illegal process, many virus processes cannot be terminated through Task Manager. What can be done?
At the command prompt type the following command:
ntsd -c q -p 1756
After this completes successfully, the virus process is terminated.
Tip: "1756" is the PID of the process. If you do not know the process ID, open Task Manager and click View → Select Columns, then tick PID (Process Identifier). NTSD can forcibly terminate all processes except System, SMSS.EXE and CSRSS.EXE.
Fifth, find the file's hiding place and delete it. However, this only deletes the virus's main file. By viewing its properties, search again by file creation date and size to find its associated files and delete them too. If you are not sure which files belong to it, search the network for information about the virus to get help.