Run 360 Security Guard and open Advanced - Network Connection Status; it shows which programs on this machine are connected to the network.
To tell whether a Trojan is actually running, you need more detailed information.
Run a 360 diagnosis and look at the diagnostic report, then go through it entry by entry to decide whether there is a Trojan.
O2 - Low Risk - BHO: (cnshock Class) - [network real name] - {d157330a-9ef3-49f8-9A67-414/AC 41Add 4} - C:.
O4 - High Risk - HKLM\...\Run: [cnsmin] [Yahoo Assistant related program] Rundll32.exe C:\WINDOWS\DOWNLO~1\cnsmin.dll,Rundll32
O4 - High Risk - HKLM\...\Run: [helper.dll] [Suspected malicious program or virus; please remove it with anti-virus software] C:\WINDOWS\system32\rundll32.exe c:\PROGRA~1\3721\helper.dll,Rundll32
If the log contains items marked High Risk or Low Risk, use Comprehensive Diagnosis to repair them.
If the repair fails, use the file shredder to shred the files at the paths shown above.
For the entries above, the files that can be deleted are:
c:\WINDOWS\DOWNLO~1\cnshock.dll
c:\WINDOWS\DOWNLO~1\cnsmin.dll
C:\progra~1\3721\helper.dll (pay attention to this one! The file to delete is c:\progra~1\3721\helper.dll, not c:\windows\system32\Rundll32.exe. Rundll32.exe in C:\Windows\System32 is a normal system file, while a rundll32.exe in any other directory is, nine times out of ten, malicious.)
If the file no longer exists, use 360 Advanced - Startup Item Status to delete the useless startup item.
-
100 - unknown - process: 9.exe [] - c:\program files\windows update\9.exe
100 - unknown - process: winlog0n.exe [] - c:\Windows\winlog0n.exe
100 - unknown - process: qq.exe [QQ] - d:\QQ\qq.exe
The 360 log hides the system's security processes but records and shows unknown processes. As noted above, unknown processes deserve special attention. From the three processes above we can judge that:
c:\Program Files\windows update\9.exe
C:\WINDOWS\winlog0n.exe
These two files are malicious and must be deleted, while D:\QQ\QQ.exe is the normal QQ program file. A small trick to read logs faster: generally you only need to look at processes on the system disk and can ignore processes on other disks, unless you have moved the system's temporary folder to another disk, in which case that disk needs to be checked too.
-
O1 - unknown - host: 58.25438+05.65+036 www.hyap98.com
O1 - unknown - host: 58.5438+05.74.70 my.dianz.cn
360 also scans the hosts file and records any modifications to it. As shown above, if a name resolves to a strange IP address and you did not edit the HOSTS file yourself, a virus has most likely redirected it to force you onto a website of its choosing. (Some immunization programs write hosts entries pointing to 127.0.0.1; those are safe.)
The solution is simple:
1. Open 360 - Repair, tick "Restore the hosts file to the default state", and click Repair Now.
-
O4 - Unknown - HKLM\...\Run: [MPPDS] [] C:\Windows\mppds.exe
O4 - Unknown - HKLM\...\Run: [s new peek] [] C:\program files\Windows Update\9.exe
HKLM\...\Run: the system's auto-start entries have always been the battleground for most Trojans and malicious programs. You need to use your own judgment here. Generally, apart from CTFMON.exe, anti-virus software, and the video and sound card drivers, nothing else should be allowed to start automatically.
Solution:
Open 360 Advanced - Startup Item Status and disable the unused items.
-
O22 - Unknown - File extension: .HLP - winhlp32.exe %1
360 also records the system's file association errors. If the entry above appears in the log, there is a problem with the system's file associations.
Solution:
Use 360 - Repair - File Association - Repair Now.
-
O10 - unknown - Winsock LSP: [] [{144323b7-20c3-4b5f-B2A5-1cd0d6996dbc}] C:\Windows\System32\idmmbc.dll
O10 - unknown - Winsock LSP: [] [{179619ba-deeb-4436-ABAF-82eeeaf2f3816}] C:\Windows\System32\.
Network protocol hijacking (Winsock LSP): whether this is a problem depends on whether the file behind the entry is safe. Some anti-virus software monitors the network by hooking into the LSP chain, so if the file turns out not to belong to anti-virus software, something is wrong.
Solution:
1. Delete the file in question, then open 360 - Repair - Repair LSP connection.
-
O23 - Unknown - Service: NetSys [Manages system network connections; you can view system network connections.] - C:\WINDOWS\system32\netsys.exe
O23 - Unknown - Service: RSC Center [Rising Process Communication Center] - "e:\program files\Rising\rav\ccenter.exe" - (running)
O23 - Service: service startup entries.
Many virus files now favour this location. The 360 log generally lists services without a Windows digital signature, so pay attention to the services that appear here and don't be fooled by their Chinese description or file name.
Solution:
1. Use the 360 file shredder to delete the service file. For example, the first one, C:\WINDOWS\system32\NetSys.exe, needs to be deleted, while the second is Rising's service and is safe.
2. 360 - Tools - System Service Status: select the service and repair.
(Hint: if you don't recognise a service, search for its file path online.)
-
100 - security - process: smss.exe [This process is used by the session manager subsystem to initialize system variables and the MS-DOS device names such as LPT1 and COM; it calls the Win32 shell subsystem and runs the Windows logon process.] - C:\WINDOWS\System32\smss.exe
Generally entries with this safe flag can be skipped, but don't take them lightly: malicious Trojans such as Robot Dog replace the file at the system file path to confuse people.
-
O40 - Explorer.EXE - - C:\WINDOWS\DOWNLO~1\cnsmin.dll - -
O40 - Explorer.EXE - Beijing 3721 Technology Co., Ltd. - C:\Windows\Downlo~1\cnshoot.dll - 3721cnmodule - 6D6A7A32cb01b8c41d665438+
O40 - Explorer.EXE - Xunlei Network Technology Co., Ltd. - C:\Program Files\thunder network\Xunlei\COM DLL\Xunleibho_002.DLL - Xunleibho - 8915c81B9c015cf5550
O40 - sensitive process module information.
Nowadays, to hide themselves, make deletion harder, and start with high privilege and priority, Trojans and advanced rogue software inject their files into key system processes and become part of the system process. This is their cover.
Judgment tips:
1. Look at the module's own description. Entries with no description at all are generally the most suspicious; check those first.
2. Having a description does not mean the entry is fine. The second one has a clear Chinese description, yet it is the "network real name" malware.
3. The third is the safe Thunder (Xunlei) plug-in, which can also be deleted.
4. Anyone can write a self-description, so it is unreliable, cannot be fully trusted, and serves only as a reference.
-
O41 - kdkgna - sys application - c:\Windows\System32\drivers\kdkgna.SYS - (running) - sys application - Beijing 3721 Technology Co., Ltd. - C096DC989756C7 6A 57F3 FDC9BC3B9CF
O41 - msnet - msnet - c:\Windows\System32\Drivers\msnet.sys - (running) - 8990c58656697bf71E756D74B6D2a
O41 - klif - spider-ptor - c:\Windows\System32\Drivers\klif.sys - (running) - spider-ptor - Kaspersky Lab - 2985985b39e13643f94/kloc-0
O41 - NPF - NPF - C:\Windows\System32\Drivers\NPF.sys - (not running) - NPF - cace technologies - D 21fee8db254ba762656878168ac
O41 - Nowadays many Trojans and rogue programs use drivers (.sys files), which makes them more resilient and harder for security software to handle: they get the highest priority for anti-detection, anti-deletion and startup.
For example, the first and second files here need to be deleted, which depends on our own knowledge base, while the third is a Kaspersky driver. Again, the self-description here is not reliable; more judgment and online searching are needed.
Drivers are hard to delete, so the 360 file shredder is generally recommended.
-
From experience:
To help you read the log faster, a few more tips:
1. Memorise some common processes, such as anti-virus process names and program installation directory names; this helps you quickly filter out normal files.
2. Entries marked as not running in the report can usually be ignored: the flag means the entry is not running or the file no longer exists. If the problem persists after repeated scanning and cleaning, then consider it.
3. When you meet a file you don't recognise, search for it on Baidu. If Baidu has nothing, just remove it. Even if you get it wrong, at worst it is some obscure or new piece of software that can be reinstalled. A clean system matters most. To be safe, back up files before deleting them.
4. Regularly use the "Help" and "Export Diagnostic Report" functions to check whether the system is clean.
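As an added example, not part of the original post or of 360's own tooling, the Python below applies the reading rules from the process, hosts, startup and "not running" sections above to constructed 360-style log lines: a process imitating a system binary, a system binary outside its system directory, a process on a non-system disk, a hosts entry pointing away from loopback, and a not-running driver. The allowlists and line formats are assumptions for illustration.

```python
import re
from ntpath import basename, dirname  # ntpath handles Windows paths on any OS
# Legitimate Windows binaries that malware imitates (assumption: a short illustrative allowlist).
SYSTEM_BINARIES = {"smss.exe", "winlogon.exe", "rundll32.exe", "ctfmon.exe", "explorer.exe"}
SYSTEM_DIRS = {"c:\\windows", "c:\\windows\\system32"}
STARTUP_ALLOW = {"ctfmon.exe"}  # the post keeps ctfmon; AV and driver entries would be added here
WIN_PATH = re.compile(r"([A-Za-z]:\\.+?\.(?:exe|dll|sys))", re.I)
HOST_ENTRY = re.compile(r"host:\s*(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)", re.I)

def lookalike(name):
    """Return the system binary that `name` imitates by one changed character, else None."""
    for real in SYSTEM_BINARIES:
        if name != real and len(name) == len(real) and sum(a != b for a, b in zip(name, real)) == 1:
            return real
    return None

def triage(line):
    """Classify one 360 diagnostic line with the post's reading rules; returns (verdict, reason)."""
    if "(not running)" in line:
        return "ignore", "entry is not running"
    section = line.split("-", 1)[0].replace(" ", "")  # 'O 1- ...' -> 'O1', '100- ...' -> '100'
    if section == "O1":  # hosts file entries
        m = HOST_ENTRY.search(line)
        if not m:
            return "review", "could not parse hosts entry"
        ip, host = m.groups()
        if ip == "127.0.0.1":
            return "safe", f"{host} pinned to loopback (immunisation entry)"
        return "malicious", f"{host} redirected to {ip}: restore the hosts file"
    m = WIN_PATH.search(line)
    if not m:
        return "review", "no file path found"
    path = m.group(1)
    name, folder = basename(path).lower(), dirname(path).lower()
    if section == "100":  # running processes
        if not folder.startswith("c:\\"):
            return "skip", "process is not on the system disk"
        real = lookalike(name)
        if real:
            return "malicious", f"{name} imitates {real}"
        if name in SYSTEM_BINARIES:
            if folder in SYSTEM_DIRS:
                return "safe", f"{name} in its expected system directory"
            return "malicious", f"{name} outside its system directory ({folder})"
        return "review", "unknown process: look the path up before deciding"
    if section == "O4":  # HKLM\...\Run startup entries
        if name in STARTUP_ALLOW:
            return "safe", f"{name} is an expected startup item"
        return "review", f"startup item {name}: disable unless you recognise it"
    return "review", f"section {section}: check {path} manually"
```

Feed each line of an exported report to `triage` and sort by verdict; everything marked "review" still needs the manual path lookup the post describes.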