1. File time
If you think your computer is infected but the antivirus scan finds nothing, or it removes part of the virus and something still feels wrong, you can check for suspicious objects by file time.
File time is divided into creation time and modification time (there is also an access time, which we can ignore). You can see them in the file's properties: right-click the file, choose Properties from the menu, and look at the General tab.
Usually the creation and modification times of virus and Trojan files are relatively new; if you catch them early, they are basically from the last few days or the same day. The folders c:\windows and c:\windows\system32, and sometimes c:\windows\system32\drivers (on a Windows 2000 system, replace "windows" with "winnt"), are the places where viruses and Trojans often stay. Sort them by time (View - Details, then click the "Date Modified" column header) and look at the newest files from the last few days. Pay special attention to exe and dll files, and sometimes dat, ini and cfg files; but those last three often have a legitimately recent modification time, so if you are not sure, set them aside and focus on finding exe and dll files, since the other three are not executable anyway. Generally speaking, system files (especially exe and dll files) will not have such a recent modification time.
Of course, a Windows update or the installation of other application software can also produce a new modification time. Check against the creation time: you should know whether you installed any software at that time. If you really don't know, use the search function to look across the whole hard disk for folders created at that time, to see whether an application was installed; as long as the time matches, it is normal. If nothing matches, it is a virus, and delete it.
To be clear: not every newest file is a virus, nor does every virus have the newest time; for some viruses, the file date and time will even show a date several years ago.
Of course, we have other ways to distinguish.
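The "sort by Date Modified and read the newest exe/dll files" step above, as an added example in Python rather than anything from the original post. It builds a constructed stand-in for a system32 folder in a temporary directory (all file names and ages are made up for the demonstration, not findings) and then lists everything with a recent modification time, newest first, so the same triage can be run against a real folder path.

```python
import os
import tempfile
import time
from pathlib import Path

# Extensions the post says to look at: executables first, data files second.
EXECUTABLE_EXT = {".exe", ".dll"}
SECONDARY_EXT = {".dat", ".ini", ".cfg"}
DAY = 86400
NOW = 1_700_000_000.0  # fixed "current time" so the sample ages are reproducible


def build_sample_tree(now: float = NOW) -> Path:
    """Create a constructed stand-in for c:\\windows\\system32 in a temp dir.

    Names and ages are invented for this example (assumption, not real data).
    """
    root = Path(tempfile.mkdtemp(prefix="triage_"))
    sample_ages = {
        "kernel32.dll": 900 * DAY,   # old system file, expected
        "svchost.exe": 900 * DAY,
        "ntoskrnl.exe": 400 * DAY,
        "xkqwtz.exe": 1 * DAY,       # recent executable with a random-looking name
        "netsvc.dll": 0.5 * DAY,     # recent dll
        "config.ini": 0.2 * DAY,     # recent but not executable
        "readme.txt": 0.1 * DAY,     # recent, not of interest
    }
    for name, age in sample_ages.items():
        path = root / name
        path.write_bytes(b"MZ" if name.endswith((".exe", ".dll")) else b"")
        os.utime(path, (now - age, now - age))  # set both atime and mtime
    return root


def recent_executables(folder, days=7, now=None, include_secondary=False):
    """Return files modified within `days`, newest first, as (name, age_in_days).

    This is the programmatic form of sorting the folder by "Date Modified"
    and reading the entries at the top.
    """
    now = time.time() if now is None else now
    wanted = EXECUTABLE_EXT | (SECONDARY_EXT if include_secondary else set())
    hits = []
    for path in Path(folder).iterdir():
        if not path.is_file() or path.suffix.lower() not in wanted:
            continue
        age_days = (now - path.stat().st_mtime) / DAY
        if age_days <= days:
            hits.append((path.name, round(age_days, 2)))
    hits.sort(key=lambda item: item[1])  # smallest age first = newest first
    return hits


if __name__ == "__main__":
    root = build_sample_tree()
    # Replace `root` with a real folder such as r"c:\windows\system32" to use it for real.
    for name, age in recent_executables(root, days=7, now=NOW, include_secondary=True):
        print(f"{age:6.2f} days  {name}")
```

With the constructed tree the listing shows only config.ini, netsvc.dll and xkqwtz.exe; the old system files stay out of view, which is the point of the sort.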
2. File name
The file name is the first impression, and judging initial suspicion by the file name is the most direct way. The reason file time is judged first (above) is that picking suspects out of a large number of files by name alone is too hard, whereas sorting by time is convenient.
We often say that file names made of random combinations of letters (sometimes with a few digits) are the virus's favorite. (Some normal software has also been found to use this strange habit, for example Yahoo Assistant, where every file name looks like a suspect, and a certain modem driver whose file names also look like random combinations; fortunately some vendor information can help distinguish these, which the next point covers.)
Then there is file name length: some names seriously exceed the standard 8 characters, some running to 10 or more. These should be classed as suspicious objects, especially when such file names appear among IE plugins.
Of course, saying a file name is strange or a random combination has no single standard; people unfamiliar with computers may see all English file names as strange, meaningless permutations and combinations. So if you really want to rely on file names, you need a certain familiarity with the system folders and the files that regularly live there before you have a good grasp. At first, combine it with the time check above and the other means of judgment, and you can still find something.
Another case is faking a normal system file name; this one is easier to identify, for example svchost.exe and svch0st.exe, where the latter obviously imitates the former. Trying to hide something this way is actually more easily exposed, provided that you are familiar with your system's file names; when nothing is going on, open Task Manager and learn them.
Corresponding to file names are service names, driver names and registry startup item names. Relatively speaking, if these names show no certain meaning, it is indeed a virus; few vendors would be so irresponsible as to give their own software's service, driver or startup item a meaningless, random combination of letters as a name. If the service, driver or startup item name is a problem, then the file it uses must be a problem too.
If really unsure, put the file name (sometimes including the full file path, since files with the same name may appear under different paths; more on this later), service name, driver name or startup key name into an online search and see what others say, especially to find out whether the service, driver or startup item matches its file name (for example, a service name found online corresponds to a different file, or the other way round); such cases can be classed as suspicious objects.
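The three file-name tests in this section (random-letter combinations, names longer than 8 characters, and look-alikes of system file names such as svch0st.exe for svchost.exe) as an added Python example; this is not code from the original post. The list of system names and the vowel-ratio rule are assumptions chosen for the demonstration, and the post itself notes that there is no single standard, so the result is a list of reasons for a closer look, not a verdict.

```python
import re
from difflib import SequenceMatcher

# Names the post singles out as commonly imitated, plus a few others (assumed list;
# in practice extend it from an inventory of your own system32 folder).
KNOWN_SYSTEM_NAMES = [
    "svchost.exe", "explorer.exe", "userinit.exe", "ctfmon.exe",
    "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe",
]

# Characters commonly swapped for look-alikes: digit 0 for o, 1 for l, and so on.
LOOKALIKE = str.maketrans({"0": "o", "1": "l", "5": "s", "3": "e", "8": "b"})
VOWELS = "aeiouy"


def looks_random(stem: str) -> bool:
    """Heuristic for 'random letters (sometimes with digits)' names.

    Flags stems with almost no vowels or a long run of consonants; real words
    like 'svchost' or 'ctfmon' pass, made-up strings like 'xkqwtz' do not.
    """
    letters = re.sub(r"[^a-z]", "", stem.lower())
    if len(letters) < 4:
        return False
    vowel_ratio = sum(ch in VOWELS for ch in letters) / len(letters)
    longest_consonant_run = max(len(run) for run in re.split(f"[{VOWELS}]", letters))
    return vowel_ratio < 0.1 or longest_consonant_run >= 5


def assess_name(filename: str) -> list:
    """Return the reasons a file name deserves a closer look (empty = nothing found)."""
    name = filename.lower()
    if name in KNOWN_SYSTEM_NAMES:
        return []  # exact match to a name you already know
    stem = name.rsplit(".", 1)[0]
    reasons = []
    # Look-alike check: undo digit-for-letter swaps, then compare with known names.
    normalized = name.translate(LOOKALIKE)
    for known in KNOWN_SYSTEM_NAMES:
        if normalized == known or SequenceMatcher(None, name, known).ratio() >= 0.85:
            reasons.append(f"lookalike of {known}")
            break
    if looks_random(stem):
        reasons.append("random-looking name")
    if len(stem) > 8:
        reasons.append(f"name longer than 8 characters ({len(stem)})")
    return reasons


if __name__ == "__main__":
    # Constructed sample names, not findings from any real system.
    for sample in ["svchost.exe", "svch0st.exe", "scvhost.exe", "xkqwtz.exe", "abcdefghij.dll"]:
        print(f"{sample:16} {assess_name(sample) or 'no remarks'}")
```

The look-alike test catches both a swapped character (svch0st) and a transposition (scvhost) because it compares the normalized name and the raw similarity ratio; the length and randomness rules are deliberately loose, in keeping with the post's warning that some legitimate software also uses odd names.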
3. Version information
Checking by file time and file name still leaves uncertainty, so add one more item: the file's version information, which is also viewed in the file's properties, where you find the file version and the vendor information. First be clear: not all files have version information, not all files without version information are viruses, and not all files whose information says Microsoft really come from Microsoft.
Combining file name, file time and version information, you can basically reach a result. For example, a strangely named file whose vendor information says Microsoft is obviously suspicious; a file that should be a normal system file (such as explorer.exe or userinit.exe) but has no version information may have been replaced or damaged by a virus; and if soundman.exe turns out to carry another vendor's information, it should not be the sound card program and you can consider deleting it.
Besides the vendor, the version information also contains the original file name; sometimes you will find a different name here from the file you are checking, which is another point to verify.
4. Location
The places viruses and Trojans like to stay are the system folders: windows, windows\system32 and windows\system32\drivers; also c:\program files\internet explorer\, c:\program files\internet explorer\plugins and c:\program files\common files\microsoft shared; and the temporary folders and the IE cache.
First, the temporary folders c:\documents and settings\<your user name>\local settings\temp and c:\windows\temp must be cleared; I delete everything in them without worrying whether it is good or bad, and deleting it all is fine. The IE cache must also be cleaned, not by deleting the folder directly but from the IE menu Tools - Internet Options, Delete Files - Delete all offline content; preferably, under Advanced, set it to empty the Temporary Internet Files folder automatically when the browser is closed, which saves the trouble.
For the other folders, mainly check whether files that should not be there exist. In the windows folder, for example, Rising files (Kaka does put some there, though) or RealPlayer files are absolutely suspicious, and svchost.exe or ctfmon.exe suddenly appearing in windows or any other folder rather than in system32, where they belong, also indicates a virus. Of course, the methods above can be combined with this judgment. Sometimes it comes down to experience; folders with relatively few files are easier to judge and to find things in, such as windows and the ie folder: once you have looked at them a few times you know what basically belongs there, about a dozen exe and dll files, so anything extra can be spotted right away (and a lot of rogue software hides out here).
Also combine this with the registry startup items. Those pointing into the windows folder are generally few, basically the input method and sound management, and anything beyond that is suspect; those pointing into system32 are more numerous, and if really unsure, use the old approach and search the file name on the web. If a startup item points into the fonts folder, there is nothing to think about: it is certainly a problem.
The same is true for services and drivers: those whose files are not under system32 or drivers I would not even need to check further (naturally the ones under those folders must also be checked, let alone the ones that are not).
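The location rules from this part of section 4 (a system file name such as svchost.exe or ctfmon.exe appearing outside the folder it belongs in, a startup item pointing into the fonts folder, and a service or driver file outside system32 or drivers) as an added Python example; this is not code from the post. The expected-folder table and the sample entries are constructed for the demonstration, laid out the way a tool such as SREng would list name, file and path side by side.

```python
from pathlib import PureWindowsPath

# PureWindowsPath compares case-insensitively, so mixed-case paths still match.
WINDOWS = PureWindowsPath(r"c:\windows")
SYSTEM32 = WINDOWS / "system32"
DRIVERS = SYSTEM32 / "drivers"
FONTS = WINDOWS / "fonts"

# Where the named system files belong on the Windows XP layout the post describes
# (assumed table; extend it from your own system's inventory).
EXPECTED_HOME = {
    "svchost.exe": SYSTEM32, "ctfmon.exe": SYSTEM32, "userinit.exe": SYSTEM32,
    "lsass.exe": SYSTEM32, "explorer.exe": WINDOWS,
}


def check_file_location(path_str: str) -> list:
    """Reasons a file's folder is wrong for its name (empty list = nothing found)."""
    path = PureWindowsPath(path_str)
    reasons = []
    home = EXPECTED_HOME.get(path.name.lower())
    if home is not None and path.parent != home:
        reasons.append(f"{path.name.lower()} belongs in {home}, found in {path.parent}")
    if FONTS in path.parents:
        reasons.append("executable located in the fonts folder")
    return reasons


def check_service_location(path_str: str) -> list:
    """Service and driver files are expected under system32 or system32\\drivers."""
    path = PureWindowsPath(path_str)
    if path.parent in (SYSTEM32, DRIVERS):
        return []
    return [f"service/driver file outside system32 and drivers: {path.parent}"]


def audit_entries(entries) -> list:
    """Apply both checks to a list of {kind, name, path} dicts; return flagged (name, reasons)."""
    flagged = []
    for entry in entries:
        reasons = check_file_location(entry["path"])
        if entry["kind"] in ("service", "driver"):
            reasons += check_service_location(entry["path"])
        if reasons:
            flagged.append((entry["name"], reasons))
    return flagged


# Constructed sample listing (names and paths invented for this example).
SAMPLE_ENTRIES = [
    {"kind": "startup", "name": "ctfmon", "path": r"C:\WINDOWS\system32\ctfmon.exe"},
    {"kind": "startup", "name": "svchost", "path": r"c:\windows\svchost.exe"},
    {"kind": "startup", "name": "load", "path": r"c:\windows\fonts\update.exe"},
    {"kind": "service", "name": "Dhcp", "path": r"c:\windows\system32\svchost.exe"},
    {"kind": "service", "name": "hfyqw",
     "path": r"c:\documents and settings\user\local settings\temp\hfyqw.exe"},
    {"kind": "driver", "name": "sr", "path": r"c:\windows\system32\drivers\sr.sys"},
]

if __name__ == "__main__":
    for name, reasons in audit_entries(SAMPLE_ENTRIES):
        print(name, "->", "; ".join(reasons))
```

Only the three wrong-place entries come out (svchost in the windows folder, the fonts-folder startup item and the service living in a temp folder); the genuine system32 and drivers entries pass in silence.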
Besides the folder location there is also the registry location. Apart from the few RUN startup items, also check image hijacking (IFEO): pay attention to the Debugger value. Except for the default entry "Your Image File Name Here without a path", which has Debugger = ntsd -d, there should be none. Whenever a hijacked entry is found (except immunization: immunization hijacks the name of a known virus program and redirects it to a non-existent file so that it cannot run), look for the hijacking file, that is, the file named in the Debugger value, locate it and delete it together with the registry entry. Note, however, that the file the hijack now points to is not always a virus; some are system files or commands, such as svchost.exe or ntsd -d. In that case do not delete the file, only delete the registry entry.
Also note the registry entry appinit_dlls, which is normally empty (exception: Kaka puts one file in it); if there is a value, it is a virus, find it by name and delete it. There is also userinit, which is normally unchanged; if it has been changed you have to look it up, since many such entries are normal.
I recommend checking with SREng, which is more convenient and will automatically prompt about the changes above.
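The IFEO and AppInit_DLLs checks above, as an added Python example that is not code from the post or from SREng. It parses a constructed registry export (the .reg text, the image names and the debugger paths are all made up for the demonstration) and sorts each Image File Execution Options entry into the four cases the post describes: the default "Your Image File Name Here without a path" entry with ntsd -d, a debugger that is itself a system file (delete only the registry entry), a redirect to a non-existent file (immunization-style), and a real hijack where both the entry and the debugger file go. Whether the debugger file exists is simulated with an explicit set instead of a disk lookup so the example runs anywhere; the Kaka exception for AppInit_DLLs is not modelled.

```python
import re
from pathlib import PureWindowsPath

IFEO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
WINDOWS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
DEFAULT_IFEO_ENTRY = "your image file name here without a path"
# Debugger targets that are system commands: keep the file, remove only the entry (assumed set).
SYSTEM_COMMANDS = {"ntsd", "ntsd.exe", "svchost.exe", "cmd.exe", "rundll32.exe"}

# Constructed .reg export for the demonstration; every image name and path is invented.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path]
"Debugger"="ntsd -d"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
"Debugger"="c:\\windows\\system32\\svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe]
"Debugger"="c:\\windows\\xkqwtz.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\knownvirus.exe]
"Debugger"="c:\\noexist\\block.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="c:\\windows\\system32\\qwpxkl.dll"
"LoadAppInit_DLLs"=dword:00000001
'''

# Stand-in for "does this file exist on disk?" (constructed, lower-case paths).
EXISTING_FILES = {r"c:\windows\system32\svchost.exe", r"c:\windows\xkqwtz.exe",
                  r"c:\windows\system32\ntsd.exe"}


def parse_reg(text: str) -> dict:
    """Parse the .reg subset that exports use: [key] headers and "name"="string" values."""
    data, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            data.setdefault(key, {})
        elif key and line.startswith('"'):
            match = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)', line)
            if not match:
                continue
            name, value = match.group(1), match.group(2)
            if value.startswith('"'):  # quoted string: undo .reg escaping of \" and \\
                value = value[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            data[key][name] = value
    return data


def debugger_executable(debugger: str) -> str:
    """First token of a Debugger value, honouring a quoted path with spaces."""
    value = debugger.strip()
    if value.startswith('"'):
        return value[1:value.find('"', 1)]
    return value.split(" ", 1)[0]


def audit_ifeo(reg: dict, existing_files: set) -> list:
    """Return (image name, verdict) for every IFEO entry that sets a Debugger."""
    findings = []
    for key, values in reg.items():
        if not key.lower().startswith(IFEO_KEY.lower() + "\\") or "Debugger" not in values:
            continue
        image = key.rsplit("\\", 1)[1]
        debugger = values["Debugger"]
        exe = debugger_executable(debugger)
        if image.lower() == DEFAULT_IFEO_ENTRY and debugger.lower() == "ntsd -d":
            verdict = "default entry (ntsd -d), normal"
        elif PureWindowsPath(exe).name.lower() in SYSTEM_COMMANDS:
            verdict = f"system file as debugger: delete the registry entry only, keep {exe}"
        elif exe.lower() not in existing_files:
            verdict = f"non-existent target {exe} (immunization-style entry), no file to delete"
        else:
            verdict = f"hijack: remove the registry entry and the file {exe}"
        findings.append((image, verdict))
    return findings


def audit_appinit(reg: dict) -> str:
    """AppInit_DLLs should normally be empty; return whatever it holds."""
    return reg.get(WINDOWS_KEY, {}).get("AppInit_DLLs", "")


if __name__ == "__main__":
    reg = parse_reg(SAMPLE_REG)
    for image, verdict in audit_ifeo(reg, EXISTING_FILES):
        print(f"{image}: {verdict}")
    print("AppInit_DLLs:", audit_appinit(reg) or "(empty, normal)")
```

To run this against a real machine, export the two keys with regedit and feed the file's text to parse_reg, and build the existence set from the debugger paths the parser finds; the verdict logic itself does not change.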
Conclusion:
Honestly, identifying suspicious files from a pile of English file names is hard. The shortcut is to use the various methods together with a tool that lists things by category. With SREng, for example, the services and drivers are listed with name, file and path laid out side by side, so it is very obvious: some scrawled names have a plainly wrong file name behind them, and some carefully pose as system services by name, but a comparison with the normal ones, without even going online, still makes it possible to identify the problem.