For beginners, checking a computer thoroughly by hand is very difficult, because it means opening the registry and going through the keys one by one. So we use a simpler method: SRE, whose full name is System Repair Engineer. After opening the program, click Smart Scan on the left-hand side, then click Scan to scan the whole computer.
Beginners who do not want to do the analysis themselves can post the log on the forum, and someone will help solve it.
Second, analyze the scan log.
This is the most critical step. Many novices simply post their logs on the forum for experienced members to analyze, which saves time and effort. But if everyone learns to analyze logs, more people can help newcomers and the load on moderators and forum experts goes down. Learning to analyze a log is hard because it takes accumulated experience. Only the simple method is introduced here (if there is a better one, I would like to discuss it on the forum or by e-mail).
1. Understand the log
An SRE log covers registry startup entries, startup folders, services, drivers, browser add-ons, processes, file associations, Winsock providers, autorun.inf, the hosts file and API hooks. I will focus on the items that come up most often in examination.
2. Look at the processes
What are you looking for in the process list? Whether there are processes other than the system's own basic processes and those belonging to software you installed, paying special attention to files under C:\Windows and C:\Windows\system32. Some novices may not know which processes belong to the system and which come from installed software; that is exactly where experience has to be accumulated.
DLLs loaded into system processes need detailed analysis. Many password-stealing Trojans use this technique; how to deal with it is covered in the removal section below.
3. Look at the startup items (registry startup entries, startup folders, services and drivers)
After going through the processes and forming some idea of the suspicious files, look at the startup items. SRE suits beginners because it hides the Microsoft-signed entries among the services and drivers. Touching services and drivers still takes experience. I will introduce them one by one.
4. Compare
Compare all suspicious startup entries against all suspicious processes and see whether they match up one to one. If they do not, work out where the discrepancy lies and dig further there: is it the way the virus runs or protects itself, or is there another virus? There are of course more reasons than these, but it still comes down to accumulated experience. Practice is fundamental.
5. Look at the remaining items
The first is the autorun.inf item. If one drive has this file, or every drive has it, there is a virus on your computer, and there are several ways of dealing with it. Here are a few. Whichever you use, first make sure no virus is running in the system.
Method 1: WinRAR. Browse to the infected drive inside WinRAR's file window and delete the corresponding files there. Note: this does not trigger the infection, which makes it convenient and practical.
Method 2: Windows Explorer. With "show hidden files" and "show protected operating system files" turned on, select the infected drive letter in the left pane of Explorer and delete the corresponding files in the right pane. Note: with some viruses there is a risk of re-infection (opening the drive by double-clicking can trigger autorun.inf).
Method 3: Command prompt. Use the following commands:
    attrib -s -h -r -a X:\autorun.inf
    attrib -s -h -r -a X:\<corresponding startup file (EXE or PIF)>
    del X:\autorun.inf
    del X:\<corresponding startup file (EXE or PIF)>
where X is the infected drive letter.
Note: removes the files completely, but you need to know some DOS commands and how to use CMD.
Method 4: IceSword. After opening IceSword, click File at the bottom of the left pane and proceed as you would in Explorer. Note: removes the files completely; recommended for beginners.
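Finding the "corresponding startup file" means reading what autorun.inf points at, and the post does not show how. The following Python script is an added example for this guide, not code from the original post or from SRE or IceSword: it parses the [autorun] section, lists the files the inf would launch (open=, shellexecute= and shell\...\command= keys), and on request clears the S/H/R/A attributes and deletes them, mirroring the attrib/del sequence of method 3. The sample autorun.inf and its RECYCLER\setup.pif path are constructed for illustration and are not a real malware identifier.

```python
"""List and remove the files an autorun.inf launches (added example, not from the post)."""
import os

# Constructed sample in the shape an infected drive's autorun.inf usually has.
# RECYCLER\setup.pif is a made-up path, not a real malware identifier.
SAMPLE_AUTORUN_INF = """[AutoRun]
; junk lines are common in real ones, so the parser must tolerate them
open=RECYCLER\\setup.pif
shellexecute=RECYCLER\\setup.pif
shell\\Auto\\command=RECYCLER\\setup.pif
shell=Auto
icon=%SystemRoot%\\system32\\SHELL32.dll,4
"""

FILE_ATTRIBUTE_NORMAL = 0x80  # clears S, H, R and A in one call (Windows only)


def first_token(value):
    """Return the program part of a command value, dropping any arguments:
    '"x y.pif" /s' -> 'x y.pif'; 'x.pif /s' -> 'x.pif'."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value.split()[0] if value else ""


def referenced_files(inf_text):
    """Files an autorun.inf would run: open=, shellexecute= and shell\\<verb>\\command=."""
    files = []
    in_autorun = False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        is_verb = key.startswith("shell\\") and key.endswith("\\command")
        if key in ("open", "shellexecute") or is_verb:
            target = first_token(value)
            if target and target not in files:
                files.append(target)
    return files


def clear_attributes(path):
    """Equivalent of 'attrib -s -h -r -a'. Hidden/system bits only exist on
    Windows (SetFileAttributesW); elsewhere just drop the read-only bit."""
    if os.name == "nt":
        import ctypes
        if not ctypes.windll.kernel32.SetFileAttributesW(path, FILE_ATTRIBUTE_NORMAL):
            raise OSError("SetFileAttributesW failed for %s" % path)
    else:
        os.chmod(path, 0o644)


def remove_autorun(drive, dry_run=True):
    """Delete autorun.inf on a drive plus every file it launches.
    With dry_run=True (the default) nothing is deleted, the paths are only listed.
    Run this only after making sure the virus process is not running."""
    inf_path = os.path.join(drive, "autorun.inf")
    if not os.path.isfile(inf_path):
        return []
    with open(inf_path, "r", errors="replace") as fh:
        targets = referenced_files(fh.read())
    # Payload first, inf last: an interrupted run must not leave an inf
    # that still points at a present payload.
    candidates = [os.path.join(drive, t) for t in targets] + [inf_path]
    handled = []
    for path in candidates:
        if not os.path.isfile(path):
            continue
        if not dry_run:
            clear_attributes(path)
            os.remove(path)
        handled.append(path)
    return handled


if __name__ == "__main__":
    print(referenced_files(SAMPLE_AUTORUN_INF))   # ['RECYCLER\\setup.pif']
    print(remove_autorun("E:\\"))                # dry run: lists, deletes nothing
```

Run it with dry_run=True first and read the list; only then call remove_autorun(drive, dry_run=False). The same rule as for the manual methods applies: if the virus process is still running it will recreate the files, so end it in IceSword first.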
The second item is the HOSTS file. The log shows it line by line, with the IP address that each URL resolves to written in front of the name. If all the addresses are the same, or they differ from what other computers resolve, there is a problem; the most telling sign is all names mapping to one address, or all to 127.0.0.1. The fix is simple: open the hosts file at C:\WINDOWS\system32\drivers\etc\hosts in Notepad and remove the offending lines. It is best to do this after the virus has been removed.
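To make the hosts check concrete, here is an added Python example (mine, not part of the original post and not SRE's code) that reads a hosts file the way the post reads the log: it groups names by address, flags names sinkholed to loopback or 0.0.0.0 other than localhost, flags groups of unrelated names pinned to one address, and compares entries against what a clean machine resolves. The sample hosts content, the .example names and the addresses 203.0.113.45 and 198.51.100.7 are all constructed for this illustration.

```python
"""Spot hosts-file hijacks: sinkholed names and names pinned to one address (added example)."""
import ipaddress
from collections import defaultdict

# Constructed sample hosts file; every name and address here is made up.
SAMPLE_HOSTS = """# hosts file, constructed for this example
127.0.0.1       localhost
::1             localhost
127.0.0.1       update.antivirus-vendor.example
127.0.0.1       www.security-forum.example
127.0.0.1       download.os-updates.example
203.0.113.45    www.example-bank.com
203.0.113.45    login.example-mail.com    # unrelated names, same address
"""

# Names that legitimately point at loopback.
LOOPBACK_OK = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback"}


def parse_hosts(text):
    """Return (ip, hostname) pairs. One line may carry several hostnames;
    comments and lines that do not start with an IP address are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed line: the resolver would not use it either
        for host in parts[1:]:
            entries.append((str(ip), host.lower()))
    return entries


def suspicious_entries(text, min_shared=2):
    """Flag ('sinkholed', ip, name) for names sent to loopback/0.0.0.0 and
    ('pinned', ip, name) when min_shared or more names share one real address."""
    by_ip = defaultdict(list)
    for ip, host in parse_hosts(text):
        by_ip[ip].append(host)
    findings = []
    for ip, hosts in by_ip.items():
        addr = ipaddress.ip_address(ip)
        if addr.is_loopback or addr.is_unspecified:
            findings.extend(("sinkholed", ip, h) for h in hosts if h not in LOOPBACK_OK)
        elif len(hosts) >= min_shared:
            findings.extend(("pinned", ip, h) for h in hosts)
    return findings


def differs_from_reference(text, reference):
    """Entries whose address is not what a clean machine resolves.
    reference maps hostname -> ip as observed on another computer."""
    return [(ip, host, reference[host])
            for ip, host in parse_hosts(text)
            if host in reference and reference[host] != ip]


if __name__ == "__main__":
    for finding in suspicious_entries(SAMPLE_HOSTS):
        print(*finding)
    print(differs_from_reference(SAMPLE_HOSTS, {"www.example-bank.com": "198.51.100.7"}))
```

Treat the findings as leads, not verdicts: hosts-based ad blockers and some security products also sinkhole many names on purpose, while the "pinned" pattern (bank and mail logins sent to one address you do not recognise) is the one that points at a phishing redirect.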
Third, deal with all suspicious files (remove the virus files)
This is the most critical step: actually deleting the virus. When I see someone on the forum telling people to delete entries with a log scanner like SRE, it makes me angry, because that program cannot solve the problem completely. Here is why. First, a running virus checks from time to time whether its startup entry has been modified. Delete the entry with SRE and the virus notices immediately, adds it back automatically, and is there again after a reboot. There is a workaround, namely doing it in safe mode, but some viruses still run in safe mode, which brings us to the next point. Second, many viruses start through Winlogon, through AppInit_DLLs (the "initialize DLL" entry) or as a driver. All three have one thing in common: the virus still runs in safe mode, so SRE has no effect on it at all. So what do we do? The most reliable way is IceSword.
Of course IceSword is not omnipotent either. There is already a virus that terminates IceSword through its process. What will come next? An article in Hacker Defense specifically describes a vulnerability in IceSword; using it, a virus can kill IceSword.
Enough talk; let's look at the actual treatment. IceSword needs some preparation before you remove anything: click Settings under the File menu at the top and select "Prohibit thread creation". Then do the following.
Removal methods:
Case 1: there is a real EXE process. Open IceSword, click Processes and end the suspicious process; with thread creation prohibited it cannot be created again. Then, going by the results of the comparison above, if the entry is in the registry, open the registry view in IceSword and edit it directly. Be careful here.
Case 2: there is no obvious EXE process. Many current Trojans sneak in as a DLL, such as the Jianghu and Zhengtu (Journey) game Trojans. Their startup entry is an EXE file, but what actually does the work is a DLL injected into a process. Finding that DLL also takes experience. Removal: deal with the EXE first. Open IceSword, go to the corresponding startup entry and delete it as described in case 1. Then force-delete the corresponding EXE file, and finally force-delete the DLL file. After a restart the removal is complete. If you cannot find the corresponding DLL, you can leave it: without its loader it becomes system junk that sits where it is and does nothing.
Case 3, the hardest to deal with: the antivirus software reports a virus, but no trace of it can be found in the log. Start IceSword first and search thoroughly in Processes, Kernel Modules, the Startup group and Services (the second question is explained later). If the virus still cannot be found, this is the case, and removal is extremely complicated. Use IceSword to force-delete the corresponding file (not needed if the antivirus has already deleted it), then open My Computer, go to the same location and create a folder with the same name, extension included, so that the file cannot be generated again. Then monitor with the file-monitoring tool Filemon: run the installed programs one by one and watch which one tries to create the file that IceSword or the antivirus deleted. Once you find it, delete all of that program's files.
Registry startup entries
In SRE this section includes Winlogon entries, the common registry Run keys and so on. I can only go by the log of a Windows XP SP2 I just installed in a virtual machine. Since every system (pirated or genuine, and so on) is different, yours may not look quite the same, and the rest is up to your experience.
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
[(Verified) Microsoft] (input method startup entry)
Super Rabbit, MSN Messenger and the like all start from this key.
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<> [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<"C:\WINDOWS\ime\imjp8_1\imjpmig.exe" /Spoil /RemAdvDef /Migration32> [(Verified) Microsoft] (Microsoft input method startup entry)
[(Verified) Microsoft] (Microsoft input method startup entry)
[(Verified) Microsoft] (Microsoft input method startup entry)
Storm Video (Baofeng), the NVIDIA graphics card and sound card utilities, Super Jieba, Rising Antivirus, Rising Personal Firewall, Kaka Internet Assistant, Kingsoft Internet Security, Jiangmin Antivirus, eMule, Nero, the Real series and KuGou all start from this key.
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
[(Verified) Microsoft Corporation]
[(Verified) Microsoft Corporation] (Winlogon entry; anything after the comma is 90% likely a virus)
[(Verified) Microsoft Corporation]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<> [N/A] (AppInit_DLLs; if anything is listed here it is 90% likely a virus)
The above is only an overview.
Startup folder
This is the easiest one. Only a few programs modify it, such as the QQ startup entry and the Office toolbar entry. Viruses rarely use it; the early "comparable community" worm did (its description is placed on the desktop). It needs patience.
Services
This one matters. First look at the status after the service name. In the latest SRE version the log format is [service name][current status/startup type]. The current status says whether the service was running at the time of the scan: Running means it was running, Stopped means it was not. The startup type says how the service starts: Auto means automatic, Disabled means disabled, Manual means started by hand. Pay attention to entries that are Running and Auto. If such an entry belongs to none of the software or drivers you installed, it may be a virus.
Drivers
Even with five years of anti-virus experience, I do not dare to touch this section lightly. I can only offer one observation: a driver whose name is a string of digits is probably a virus file. Drivers differ from one hardware brand to the next, so the rest cannot be remembered clearly.
Because startup items are hard to judge, I hope novices will run a scan and keep the log as a baseline right after setting up the computer; then you can see whether startup items have been added by comparing. If no drivers or software were installed in between, a new entry may not be a normal file, so examine it carefully.
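As an added example (mine, not the post's, and not SRE's own code or exact log format), here is a Python script that does the comparison this paragraph recommends, together with the two registry checks from the startup section: it parses service lines in the [service name][status/start type] shape described above, reports services that are Running and Auto but absent from the baseline scan, reports services whose start type changed (for example an antivirus service switched to Disabled), flags extra comma-separated entries in the Winlogon Userinit value, and lists anything in AppInit_DLLs. The log lines, service names and file paths are constructed; the status words Running/Stopped and Auto/Manual/Disabled are an assumption about how the English log spells them, so adjust SERVICE_RE if yours differ.

```python
"""Compare an SRE-style service list against a clean baseline and run two
registry sanity checks (added example, not SRE code)."""
import re

# Constructed lines in the "[service name][status/start type]" shape the post
# describes. Names and states are made up; sample_helper is not a real service.
BASELINE_LOG = """[Themes][Running/Auto]
[Messenger][Stopped/Disabled]
[Spooler][Running/Auto]
"""

CURRENT_LOG = """[Themes][Running/Auto]
[Messenger][Stopped/Disabled]
[Spooler][Stopped/Manual]
[sample_helper][Running/Auto]
[SampleUpdater][Stopped/Manual]
"""

SERVICE_RE = re.compile(r"^\[(?P<name>[^\]]+)\]\[(?P<state>[^/\]]+)/(?P<start>[^\]]+)\]$")


def parse_services(text):
    """Map service name -> (state, start type), both lower-cased; other lines are ignored."""
    services = {}
    for raw in text.splitlines():
        m = SERVICE_RE.match(raw.strip())
        if m:
            services[m["name"]] = (m["state"].strip().lower(), m["start"].strip().lower())
    return services


def new_running_autostart(baseline_text, current_text):
    """Services running now with automatic start that the baseline scan never saw:
    the entries the post says to look at first."""
    base = parse_services(baseline_text)
    cur = parse_services(current_text)
    return sorted(name for name, (state, start) in cur.items()
                  if name not in base and state == "running" and start.startswith("auto"))


def changed_start_type(baseline_text, current_text):
    """(name, old, new) for services whose start type differs from the baseline."""
    base = parse_services(baseline_text)
    cur = parse_services(current_text)
    return sorted((name, base[name][1], cur[name][1])
                  for name in cur if name in base and base[name][1] != cur[name][1])


def userinit_extra_entries(value):
    """Winlogon\\Userinit is a comma-separated list. On a clean XP box it holds only
    userinit.exe followed by a comma; anything else in the list is suspect."""
    parts = [p.strip().strip('"') for p in value.split(",") if p.strip()]
    return [p for p in parts if not p.lower().endswith("userinit.exe")]


def appinit_dlls(value):
    """AppInit_DLLs is normally empty on XP; return whatever DLLs it lists."""
    return [p for p in re.split(r"[,\s]+", value.strip()) if p]


if __name__ == "__main__":
    print(new_running_autostart(BASELINE_LOG, CURRENT_LOG))
    print(changed_start_type(BASELINE_LOG, CURRENT_LOG))
    # sample_hijack.exe is a made-up path standing in for whatever follows the comma
    print(userinit_extra_entries(r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sample_hijack.exe"))
    print(appinit_dlls(""))
```

Paste the Services section of each log into the two strings (or read them from files) and run the script; a name that comes back from new_running_autostart is what the post means by a Running, Auto entry that none of your installed software accounts for.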