Chapter 1 Process
First close all irrelevant programs, and then we start to check the current process. What is the current process? The current process is all the programs that are running now! Checking the current process means checking which programs are running now. What if there are unknown programs? It may be a Trojan horse, because usually a Trojan horse also exists as a program.
How to check the current process? Please use professional tools. If you really don't have any tools, press Ctrl + Alt + Delete keys at the same time to bring up the Task Manager to check.
What kind of program is an unknown program?
Here, I would like to emphasize again that you must find a process viewing tool that can perform digital signature verification on process files. Otherwise, you will not be able to tell whether a given process is suspicious. Relying on the file name alone is totally insufficient.
If a process is not a system process or a process of a program you are running, then this process is what we call a suspicious process. (Things that cannot pass digital signature verification are non-system processes)
What if a suspicious process is found? Delete after killing?
NO, don’t kill it ~ There are three reasons for not killing it:
1. It is difficult to predict the result of killing it. If it is interacting with other programs or kernel drivers and you kill it, you will probably be committing suicide and destroying the system.
2. Killing and deleting it will not clear the startup items it wrote to the registry. The system will still try to load the program every time you turn on the computer. Because the file is no longer there, the Trojan cannot run, but each attempt to load takes time, which is also one of the reasons why the system slows down.
3. Finally, the above detection alone can only indicate that this process is suspicious, but it cannot be confirmed that it is a Trojan. Therefore, if you kill it now, you may kill it by mistake~
What should we do? The answer is to ignore it. After you find it, write down the file name, and then proceed to the next step of checking. Ignore it for the time being.
What if it is not found?
That means your machine may be clean and free of Trojans.
Alternatively, the Trojan is a process-hiding or processless Trojan.
What should I do if the process is hidden?
Let’s first understand some of the methods used by Trojans to hide processes~
The currently popular methods used by Trojans to hide processes are as follows:
0. Elementary hiding: find the Task Manager window, enumerate its child windows to find the list box where processes are listed, and erase the Trojan's own name. General professional tools can detect this.
1. Intermediate hiding: hook the Win32 API to filter out the Trojan's own process. Basically any driver-level process management tool can detect this.
2. Intermediate-to-advanced hiding: hook NtQuerySystemInformation in the SSDT to filter out the Trojan's own process. Driver-level tools that can restore the SSDT can detect this.
3. Sub-advanced hiding: inline-hook the SSDT function to filter out the Trojan's own process. Detect it by restoring the inline hook or by enumerating the process chain directly.
4. Quasi-advanced hiding: remove the Trojan's own process from the active process chain. Tools based on thread scheduling linked list detection can find it.
5. Advanced hiding: bypass the kernel scheduling linked list to hide the process. Detection tools based on HOOK-KiReadyThread technology can find it.
For hidden processes, please use inspection tools with corresponding functions to check~
Of course, we need not be obsessed with finding the processes hidden by Trojans. If you really can't find one, just treat it as a Trojan that does not exist or has no process, and proceed to the next step of inspection.
Process inspection is only one of the means of inspection. Not being able to see or kill the Trojan's process does not prevent us from clearing the Trojan.
OK, no matter what the result of the process check is, we have to start the next step of the check, the module check!
The reference picture is as follows:
The picture below is a process check picture (judge mainly by the results of digital signature verification, with the file path and name as a supplement. The Rising Anti-Virus process is not a system process, but from the file name and path we can tell that this is the main control program of Rising. Haha, don't be stubborn, you need to combine multiple aspects to judge ~ ^-^):
Chapter 2 Module
What is a module? A module is a functional component that provides a certain kind of functionality. It usually takes the form of a dynamic library file (usually with a .dll extension) or a plug-in file (usually with an .OCX extension). Modules are loaded by applications to provide specific functionality to the program.
Just like our TV: if we add a satellite antenna, we can receive more programs. The satellite antenna itself has nothing to do with the TV, but once it is used by the TV, it can provide additional functions for the TV.
The satellite dish is relative to the television, which is equivalent to the module relative to the program.
Each process has several to hundreds of modules, and each module has its own specific purpose. Of course, if a module is a Trojan, it also has its own Trojan purpose.
When process checking became popular and the checking became more and more in-depth, Trojan makers began to create processless Trojans. The Trojan appears as a module so that it does not show up in the process list. No matter how advanced your process detection technology is, it cannot detect the existence of module Trojans.
In a computer, there may be a dozen or dozens of processes, but there are hundreds of modules. The increase in number also increases the difficulty of our detection.
The requirement for detection tools is still the ability to verify digital signatures. Otherwise, it is really tiring to manually pick Trojans out of hundreds of module files ~ (For the inspection of Trojan modules, please see the picture below.)
What should I do after I find it?
Haha, a friend encountered this problem last time, and the result was that he uninstalled and deleted it using violent means~ Should this be handled like this?
The answer is still no!
Don’t violently uninstall and delete it~~Why? Let’s talk about the reasons for a moment. Let’s first understand the startup and operation mechanism of the module Trojan, and then explain why we should not violently uninstall and delete it.
Module Trojans are divided into two types: one is statically loaded and the other is dynamically injected.
Static loading means registering the Trojan file under a certain key in the registry. The system then automatically loads all the modules registered under this key when starting up or when running a certain program, and in this way the Trojan achieves its purpose of entering the program and performing its illegal activities. (Which registry keys can be used to make the system load a module will be explained later in the startup item check.)
Dynamic loading: this type of Trojan is the so-called process injection Trojan. Its implementation needs not only a module file but also an injection program that injects the module file into a process. The injection program starts first and injects the module Trojan into other processes. After the injection is completed, the injection program exits, so you still cannot see a process.
Do you understand now why you can’t violently uninstall and delete it?
After violent uninstallation and deletion, if the module is statically loaded, its entry will still be left in the registry, and the system will still try to load the module every time the computer is turned on or the relevant program is run. If there are too many such entries, the system will run slower.
If it is dynamically loaded, then what you uninstall and delete is only the module Trojan, but the injected program still remains on your machine. If the design of this Trojan is reasonable, it should have module file backup. In this way, when you turn on the computer again, you will find that the module file you violently deleted has returned to your machine, and you will never be able to delete it cleanly. If the design of this Trojan is unreasonable or vicious, then only God and the creator of the Trojan know what will happen~~ -_-!
Since it cannot be deleted violently, what should you do after you find it? Just as with the process, copy down the path and name of the module file, and then start the next step of checking, ignoring it for now.
Now that we are talking about processless Trojans, we have to talk about "thread injection Trojans". Process injection Trojans inject a module into the process, which means a module file must exist, so we can find this module and identify the injected Trojan by performing signature verification on its file. For thread injection Trojans, only a piece of code is injected into the process, and no file exists. Although you can view each thread of a process, discovering which thread is a Trojan is, I can't say absolutely impossible, but almost impossible. The only one who can find it is a very high-level expert, not me ~ Look at the second picture below, which is the thread list of EXPLORER.exe. Can you see anything?
(By the way, that picture is a screenshot of ProcessExplorer, a very, very famous and very, very easy-to-use process management tool. You can download it here: www.sysinternals.com)
What should we do about this kind of thread injection Trojan?
Fortunately, thread injection Trojans also need an injection program to cooperate. It is difficult for us to find the thread, but it is much easier to find its injection program.
Now, no matter whether you find a suspicious module or thread, we have to start the next step of inspection, startup item inspection!
Chapter 3 Self-starting items
What is a self-starting item? A self-starting item means that after the program is registered somewhere in the system, the system will automatically run the program every time it is turned on. The items registered by the program are called self-starting items.
A Trojan will not be content to run just once. If it wants to settle in your computer, it must run every time you turn it on. Only in this way can it achieve its purposes of self-protection and normal operation.
General Trojans will have one or more self-starting items, which has become a must-check when looking for Trojans.
(This is only talking about general Trojans. Of course, there are two general Trojans that do not require self-starting items. We will talk about this later)
Finding the self-starting items of Trojans is very, very important, and the requirements for tools are relatively high.
How many places in the system can a program run automatically from? Sweat~~I don't know, I can only say that there are N many~~So you need to find a comprehensive tool to check, and you need several tools, so that combined they should be enough. No one dares to say that they can list all the startup locations in the system. Therefore, the first requirement for a startup item checking tool is that it must be complete!
Is just all of them enough? Of course it is not enough. Another point is the same as above, it must also be able to perform digital signature verification, so as not to confuse it with the name of a system file.
There is also the need to be able to detect hidden startup items. Similarly, we first understand the technology used by Trojans to hide startup items:
0. The Trojan is not hidden; it just picks a hidden location. Detection depends on whether the tool you use enumerates enough locations.
1. The Trojan is hidden at the application level and hooks the relevant registry enumeration functions in Win32API. Such a Trojan is easy to detect and any driver-level detection program can do the job.
2. The Trojan is hidden in the kernel layer and hooks the SSDT. Ordinary tools will not work against such a horse. You need to find a professional detection program that can restore the SSDT.
3. The Trojan is hidden in the kernel layer and, very shamelessly, inline-hooks the related service functions. Most detection programs will not work against such a horse. You need to find a program that can restore INLINE-HOOK.
4. The Trojan is hidden at the bottom. It INLINE-HOOKs Microsoft's undisclosed bottom-level functions such as the Cm* series of functions by searching for signatures. Hey, it's hard to get any lower than it. Such a horse can only be found using HIVE file scanning detection programs or tools that specifically restore the underlying INLINE-HOOK.
These four hiding methods have already been used by rogue software or Trojans, so don't take chances and assume that Trojans will not use such advanced technology. Therefore, when checking startup items, it is best to use several tools together. The powerful ones are usually not comprehensive enough. Hey, maybe the experts are lazy~
OK, let’s start checking~ First restore HOOK and INLINE-HOOK. Run the tool again to start checking. Remember the suspicious modules and suspicious processes we found earlier? They will be used at this time. Compare the found startup items with those to see if their startup items are included.
Yes? OK, back up the registry and delete the startup items. Can't delete it? Did you forget to restore HOOK? After it has been restored, open the registry editor and see if you have permission to delete the key. Right-click on the key you want to delete, select permissions, and then select "Full Control" to delete it. Haha, this is just for fun. A little trick.
After deleting it, it appears again? It doesn't matter. You have two options at this time. One is to end its process first and uninstall its modules so that it loses the ability to be rewritten. The second is to turn on the "system lock" function to temporarily lock the system and not allow any program to write to the registry. It's no problem to delete it at this time.
After the deletion is complete, restart the computer.
Didn’t you write down the suspicious processes and modules? Check again to see if they are still there? No more. Congratulations, you have completed your Trojan killing work.
Still there?
Haha, don’t be afraid. If it is still there, it proves that you have not completely cleared its startup items; the possible reasons are:
1. This Trojan also uses a trigger-type startup mechanism.
2. It also has other protection mechanisms, such as shadow programs or drivers;
Let us continue to dissect the trigger-activated Trojan~~
Chapter 4 Triggered Trojans
I mentioned above the general Trojan killing methods. Through the above killing methods, most Trojans can be eliminated. (I forgot to write it last time. After restarting, if the Trojan can no longer be started, the next step is of course to delete all the Trojan files written down)
Now let me talk about the trigger Trojan. What is a trigger Trojan? A triggered Trojan uses a startup mechanism that starts the Trojan when you perform a certain operation. If you never perform this operation, the Trojan will never start. Generally, Trojans start and run automatically, and security check tools and anti-virus software mostly check for Trojans that start actively. For example, when checking self-starting items, they check for those that run automatically after the computer is turned on. Only a few common trigger-type startup items are checked, but there are many operations that can trigger the startup of a Trojan. This is why such Trojans are difficult to kill.
The performance is that the system was normal after being cleared, and the machine was also very clean when checked. However, it did not take long for the Trojan to reappear and reappear.
Now we start to actually hunt down these difficult guys!
It should be noted that in order to be organized and clear and easy to understand, they are discussed here separately. When it comes to actual killing, of course they can be done together. (When checking processes and startup items, you can check the following easily)
The most common thing, and the first thing we need to check, is of course Autorun.inf. What is this? It is a configuration file. Looking at the name, doesn't it translate to "automatic run"? Yes, its normal purpose is automatic playback of CDs: after you insert a CD into the CD-ROM drive, the system automatically runs the program specified in Autorun.inf.
It was later used by some people on hard disks. When this file is placed in the root directory of a hard disk partition and you right-click on the drive letter, you will find that the default operation is "autoplay" instead of opening. At this point, when you double-click the drive letter, you no longer open and browse the folder, but directly run the specified program (you also need to change somewhere in the registry, which we won't go into since it has nothing to do with our killing, and so as not to be taken advantage of by bad people).
If you use violent deletion when checking for Trojan viruses, then after the program is deleted, the Autorun.inf file is still there, and there will be sequelae, such as being unable to double-click to open the disk. (By the way, Panda Burning Incense uses this triggering method combined with the self-starting item)
Since double-clicking the disk will trigger the startup of the Trojan, when killing you need to right-click and then select "Open", or use "Explorer" to view it, and delete the file after finding it.
Usually this file will appear as a hidden file. Some even more vicious ones will add "registry monitoring and writeback" to hide the file: once you change the system to "show all files", it will immediately change back to "Don't show hidden files". How to break this registry write-back protection has been described in the above post, so I won't repeat it here.
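Before deleting Autorun.inf it helps to record what it would have launched. The following is an added example (not from the original post) that parses a constructed Autorun.inf, tolerating junk lines, and lists each trigger and the file it points to; the function names, file names and sample content are assumptions made for illustration.

```python
import re

# Keys in the [autorun] section that name a program to run directly.
LAUNCH_KEYS = ("open", "shellexecute")
# Context-menu entries of the form shell\<verb>\command=<program>
SHELL_CMD = re.compile(r"^shell\\([^\\]+)\\command$", re.IGNORECASE)

# Constructed sample, not taken from a real infection.
SAMPLE = r'''
; constructed sample
[AutoRun]
open=setup.exe
qwertyuiop
shell\open=Open(&O)
shell\open\Command=setup.exe
shell\explore\Command="tools\helper.exe" /e
shell=open
'''


def parse_autorun(text):
    """Return {key: value} for the [autorun] section, keys lower-cased.

    Lines that are not 'key=value' are skipped instead of raising,
    because such files are often padded with junk lines.
    """
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def triggered_commands(text):
    """List (trigger, command) pairs found in the file."""
    entries = parse_autorun(text)
    found = []
    for key in LAUNCH_KEYS:
        if key in entries:
            found.append(("double-click/AutoPlay", entries[key]))
    default_verb = entries.get("shell", "").lower()
    for key, value in entries.items():
        m = SHELL_CMD.match(key)
        if m:
            verb = m.group(1).lower()
            label = "menu verb '%s'" % verb
            if verb == default_verb:
                label += " (default action)"
            found.append((label, value))
    return found


def referenced_files(text):
    """Program names to write down before the Autorun.inf is removed."""
    names = []
    for _, cmd in triggered_commands(text):
        if cmd.startswith('"'):
            name = cmd[1:].split('"', 1)[0]
        else:
            name = cmd.split()[0] if cmd else ""
        if name and name not in names:
            names.append(name)
    return names


if __name__ == "__main__":
    for trigger, command in triggered_commands(SAMPLE):
        print("%-35s -> %s" % (trigger, command))
    print("files to note:", referenced_files(SAMPLE))
```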
Another way to trigger is to modify a file association. What is a file association? It is the correspondence between a certain type of file and a certain program. You must know that there are countless file formats in our system, such as picture files (with extensions of .bmp, .jpg, .gif, etc.), music files (mp3, mp4, etc.)... When you double-click a picture, the system calls the picture viewing program to open and display the picture instead of calling the player to play it. How does the system know to call the picture viewing program instead of the player? Because of file associations. In the registry, picture files have been associated with image viewing programs, and music files have been associated with players. Most types of files are associated with a specific program. In this way, the system knows what program needs to be called to open what kind of file.
If you are smart, you already know how Trojans use file associations to trigger, right? Yes, the cunning Trojan changes the association of a specific type of file to be associated with itself. At this time, once you open this type of file, it will trigger the startup of the Trojan. Since after the Trojan is started, it will call the normal associated program, so the file will still be opened normally, and you will not know that your operation has actually started the Trojan.
What kind of file associations will the Trojan change? Hey, how would I know? Only God and the author of the Trojan know this.
How many file associations are there in the system that it can change? You can see how many subkeys there are by opening the registry editor and looking at the subkeys under the first major key. There must be thousands of them.
How to check and kill it?
General Trojans will change the associations of some files that you will often use, such as text files, program files, web page files, etc. There are many file association recovery programs or registry export files on the Internet that can recover these common file associations.
But this check is obviously not enough. If you were the author of the Trojan, and you knew that these common file associations would be checked and restored, would you change them? Not really, because there are so many others to choose from. For example, you could modify the association of .rar files, which are compressed files. Many programs available for download on the Internet come in this format, so the probability that Internet users will open compressed files is very high, and almost no recovery program restores this association, because the direct result of restoring it would be that compressed files could no longer be opened: the author of the recovery program is not a god, he does not know which compression software you are using or where it is installed, so he will not restore this for you.
In this way, as long as you open a compressed file, the Trojan will be triggered. If the file association points to a shadow program, then since the shadow program does not have virus characteristics, a full file scan will not detect it. The scan finds and removes everything this program releases, but the source is still there. From then on, the Trojan horse will become your lingering nightmare ~ (We will talk about the shadow program in detail next time)
How to check file association? There are two methods. One is to monitor which file association has been modified, and then change it back. The second is to use professional software to scan all file associations.
How to check whether the file association is correct through monitoring?
First of all, find a thread monitoring tool program, open "Thread Monitoring", and then open the various kinds of files you commonly use one after another, checking which programs run when each file is opened. For example, open a .rar file and the process monitor should show "WinRAR.exe is started and run by Explorer.exe". That is normal. If it shows that some other program is run by Explorer.exe, and WinRAR.exe is started by that other program, the association has been changed. Of course, you can also open the registry to check each file association to see if it is normal.
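The parent/child check described above can be automated over a process-creation log. This is an added example, not part of the original post; the log format (pid, parent pid and image name on each line), the file names and the function names are constructed for illustration, and it assumes process IDs are not reused within the log.

```python
SHELL = "explorer.exe"

# Constructed logs: "pid ppid image" per line, in time order.
NORMAL_LOG = """\
100 4 explorer.exe
200 100 WinRAR.exe
"""

CHANGED_LOG = """\
100 4 explorer.exe
300 100 unknown.exe
301 300 WinRAR.exe
"""


def parse_log(text):
    """Parse 'pid ppid image' lines into event dicts, skipping bad lines."""
    events = []
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) == 3 and parts[0].isdigit() and parts[1].isdigit():
            events.append({"pid": int(parts[0]), "ppid": int(parts[1]),
                           "image": parts[2].strip()})
    return events


def launch_chain(events, handler):
    """Return the image names from the shell down to the handler.

    Returns None when the handler never started. The walk stops at
    Explorer, at an unknown parent, or when a pid repeats.
    """
    by_pid = {e["pid"]: e for e in events}
    target = next((e for e in reversed(events)
                   if e["image"].lower() == handler.lower()), None)
    if target is None:
        return None
    chain, seen, cur = [target["image"]], {target["pid"]}, target
    while cur["image"].lower() != SHELL:
        parent = by_pid.get(cur["ppid"])
        if parent is None or parent["pid"] in seen:
            break
        chain.append(parent["image"])
        seen.add(parent["pid"])
        cur = parent
    chain.reverse()
    return chain


def interposed_programs(events, handler):
    """Programs sitting between Explorer and the expected handler.

    An empty list is the normal case described in the text; any entry
    means the handler was started by something other than Explorer.
    """
    chain = launch_chain(events, handler)
    if chain is None:
        return None
    middle = chain[:-1]
    if middle and middle[0].lower() == SHELL:
        middle = middle[1:]
    return middle


if __name__ == "__main__":
    for name, log in (("normal", NORMAL_LOG), ("changed", CHANGED_LOG)):
        events = parse_log(log)
        print(name, launch_chain(events, "WinRAR.exe"),
              interposed_programs(events, "WinRAR.exe"))
```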
The second method is to use professional software to scan and filter out the system files. Then there will be very few non-system file associations. After a little judgment, the result will come out. It is very simple. Not much to say, just look at the picture below to understand.
What to do after you find it?
Don't just clear it. After clearing it, find a normal machine and export a normal copy, or tell a friend which file association you deleted and ask the friend to export a normal copy from his machine, and then just import it on your own machine.
If it is a non-system file association, such as: .rar compressed file, delete it directly. Then when you find .rar again, you will be prompted to choose a program to open this type of file. At this time, select WinRar.exe, and then check Always use this program to open files of this type.
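The scan-and-compare idea above can be run over registry exports: resolve each extension to its open command, compare it with an export from a clean machine, and for extensions the clean machine lacks (the .rar case) flag commands that chain through a second program. This is an added example, not the tool the original author used; the .reg contents, paths and function names are constructed, and it assumes plain string values (hex-encoded values in real exports are not decoded).

```python
import re

SECTION = re.compile(r"^\[HKEY_CLASSES_ROOT\\(.+)\]$", re.IGNORECASE)
DEFAULT = re.compile(r'^@="(.*)"$')
EXE = re.compile(r'[A-Za-z]:\\[^"]*?\.exe', re.IGNORECASE)

# Constructed export from a clean machine.
BASELINE = r'''
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.txt]
@="txtfile"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="C:\\Windows\\notepad.exe %1"
'''

# Constructed export from the machine being checked.
SUSPECT = r'''
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.txt]
@="txtfile"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="\"C:\\Example\\unknown.exe\" \"C:\\Windows\\notepad.exe\" \"%1\""

[HKEY_CLASSES_ROOT\.rar]
@="WinRAR"

[HKEY_CLASSES_ROOT\WinRAR\shell\open\command]
@="\"C:\\Example\\unknown.exe\" \"C:\\Program Files\\WinRAR\\WinRAR.exe\" \"%1\""

[HKEY_CLASSES_ROOT\.zip]
@="ZipTool"

[HKEY_CLASSES_ROOT\ZipTool\shell\open\command]
@="\"C:\\Program Files\\ZipTool\\zt.exe\" \"%1\""
'''


def load_defaults(reg_text):
    """Map each HKEY_CLASSES_ROOT subkey (lower-cased) to its default value."""
    values, key = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        m = SECTION.match(line)
        if m:
            key = m.group(1).lower()
            continue
        m = DEFAULT.match(line)
        if m and key is not None:
            # .reg files escape backslashes and quotes inside strings
            values[key] = re.sub(r"\\(.)", r"\1", m.group(1))
    return values


def open_commands(reg_text):
    """Resolve .ext -> ProgID -> shell\\open\\command for every extension."""
    values = load_defaults(reg_text)
    result = {}
    for key, progid in values.items():
        if key.startswith(".") and "\\" not in key:
            cmd = values.get(progid.lower() + "\\shell\\open\\command")
            if cmd:
                result[key] = cmd
    return result


def audit(suspect_text, baseline_text):
    """Return (extension, reason, command) for associations worth a look."""
    suspect = open_commands(suspect_text)
    baseline = open_commands(baseline_text)
    findings = []
    for ext, cmd in sorted(suspect.items()):
        if ext in baseline:
            if cmd.lower() != baseline[ext].lower():
                findings.append((ext, "differs from baseline", cmd))
        elif len(EXE.findall(cmd)) > 1:
            # No clean reference exists; two programs in one command is
            # the start-then-call-the-real-handler pattern from the text.
            findings.append((ext, "chained through another program", cmd))
    return findings


if __name__ == "__main__":
    for ext, reason, cmd in audit(SUSPECT, BASELINE):
        print(ext, "|", reason, "|", cmd)
```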
Or use other methods... Hey, in fact, as long as the Trojan is found, everything else will be easy~~
In addition, it should be noted that there are some triggers and file operations that are not very obvious. For example, when you open a website, a script language may need to be interpreted and executed. But what interprets and executes it? The system again looks for the corresponding programs in the registry, under keys such as VBS and JScript, which are basically under the HKEY_CLASSES_ROOT primary key.
Anti-virus programs such as Kabbah and Kingsoft register their own DLLs under these keys so that they can first check whether a script has virus characteristics before it is executed. However, Trojans will also use these keys, which lets the Trojan execute as soon as you open the website.
Okay, let's talk about shadow programs (drivers) next~ They often cooperate with these trigger-type startup mechanisms. The reason they always cooperate is that the trigger-type mechanisms can evade checks of startup items, processes, and modules, while shadow programs can evade file scanning by anti-virus software. How they cooperate closely to avoid our inspection, let us talk about it next time~~~ ^-^
Chapter 5 Shadow Program (Driver)
What is a shadow program? Everyone knows about shadows~~ Since there is a shadow, of course there must be a body. The shadow only exists for the existence of the body and does not do any other work. And what about shadow programs? They exist for the sake of the Trojan horse program, and do not engage in any Trojan work themselves.
Why does the Trojan create a shadow program or shadow driver? The only purpose is to "protect the main Trojan program from being removed."
How does the shadow protect the main Trojan program? Before understanding this, we must first understand how anti-virus software kills viruses.
After understanding how anti-virus software kills viruses, it will be easier to understand how shadows escape the detection and killing of anti-virus software.
Most anti-virus software relies on virus signatures, so it comes with a virus database. Most of our usual upgrades are actually upgrades of the virus database, which stores virus signatures. A signature is like a virus's file (height, weight, measurements, facial features, etc... ^-^ almost similar): if a program matches the characteristics of a certain virus in the virus database, it is considered to be that virus and is detected and killed. Where do virus characteristics come from? They are extracted by a virus analyst after analyzing the virus. Therefore, this killing method only catches those with criminal records, that is, those who have committed crimes before. Once they have a criminal record, they become street rats that everyone shouts at as soon as they come out.
This kind of killing based on characteristics is a hard characteristic. As long as it matches, it will be OK~~ Although there are accidental killings, they are relatively rare. After all, there are not many that are exactly the same. Whether the detection is accurate or not, and whether the accidental killing rate is high, largely depends on the extraction level of the virus analyst. Haha, we have seen a well-known company report a driver framework as a ROOTKIT Trojan. Obviously, there are serious problems with its feature code.
There is also the so-called active anti-uninstallation type. While comparing signatures, it also analyzes the behavioral characteristics of viruses and Trojan horses. If the number of a program's behaviors that match specific behaviors reaches a certain value, the program is considered to be a virus. Of course, the false positive rate increases accordingly. This kind of detection can be done without a criminal record. It is just like how, although you have never committed any crime before and have no criminal record, if you chase people with a knife and slash them, of course you will be caught, because your behavior matches the behavioral characteristics of the virus.
Viruses are becoming more and more widespread, and it is not difficult to obtain virus source code. Some kids can copy a piece of code and distribute a virus, but they do not have the ability to change the code characteristics so that it escapes detection by anti-virus software.
So, some people began to desperately look for new shells to add different shells to the virus. However, the unpacking technology of anti-virus software is getting better and better, and finding a shell that anti-virus software cannot remove is also getting difficult.
Then some people came up with other ways to evade anti-virus software.
Shadow program is one of them~~
The main program of virus Trojan has to work, so some characteristics are difficult to remove. However, the shadow program does not have to engage in Trojan horse work, so it is essentially a normal program. It does not use any virus technology and does not have any virus characteristics, so it will not be detected by anti-virus software.
This is the purpose of virus Trojans using shadow programs, because shadow programs do not have virus characteristics and can evade full file scanning by anti-virus software.
Then how does it protect the main program? Generally, it puts the main program of the virus into itself as a resource. The safer approach is to compress and encrypt the main program and then put it into its own program in the form of a resource. (Resources are some data~~For example, pictures used in a program are picture resources.) Anti-virus software usually only checks the code, not the data resources. In fact, nothing could be found anyway~ Resources that exist purely as data can be changed in N ways.
In this way, the shadow program solves the problem of the Trojan horse program's survival in the computer by storing resources, leaving a spark for the Trojan horse in your computer.
After the Trojan virus is removed, once the shadow program finds that the main Trojan program is missing, it will release a new copy from its own resources. Let the Trojan virus regenerate, making you unable to kill until you are exhausted and give up.
How did the shadow program discover that the main Trojan program had been cleared?
There are two ways. One is to add itself to a certain startup position so that it starts automatically every time you turn on the computer. After startup, if it finds that the main program of the Trojan is no longer there, it releases a copy, starts the Trojan, and then exits by itself. If the main program is still there, the shadow program exits directly.
Second, use the trigger mechanism to wait. After you trigger the shadow program, it checks whether the Trojan exists. If it does not exist, it releases and starts the Trojan and then exits by itself. If it does, it exits directly.
Since the shadow program only runs for a few tenths of a second, your process check is of no use to it, because it usually does not run.
Dealing with shadow programs can only start with startup items, and shadow programs have also noticed this, so many have adopted triggering mechanisms. Therefore, when we check, we should also pay attention to checking for trigger-type Trojans.
Hehe, the conclusion is out. Dear friends, don't rush over and kill them all when you see a suspicious process~~ Killing processes, deleting files, and uninstalling modules are just treating the symptoms and not the root cause~~ Everything must be rooted out and "cured"~~ Otherwise, the viruses and Trojans will not be completely killed~~The system will get slower and slower the more you kill~~In the end, you will have to reinstall the system to finish the job~~~
Recovery is also very fast using GHOST? Hehe, don’t you know that panda burning incense will delete GHOST’s backup files? Panda can delete it~~ Of course others can also delete it~~ It is not difficult for them to delete a file~~
Is it safe to reinstall the system? Not necessarily~~ Search the Internet to see how risky the operating systems provided for download are. Many Trojans are put in when making the operating system installation disk~~
Why are they included? Can't find it?
This is another topic~~File modification and replacement Trojan~~A very depressing type of Trojan~~Let’s talk about it next time~~
Sweat~~I think it's a big headache~
Reference picture: CNNIC's shadow driver. The blue circle is the main driver, and the red one is the shadow driver. The name of the shadow driver is random and is different every time it is turned on.
Use this picture to answer the remaining questions about clearing CNNIC that a friend asked last time:
Under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root key there are some keys that match the driver service. If you use other cleaning tools, remember to clear them as well. If you are using 5.0.0.7, you don't need to; that key will be automatically cleared when clearing the driver.
(Note: Version 5.0.0.6 does not have the corresponding function. It may not have the function of automatically detecting shadow drivers. Delete it manually or find other tools. If it doesn’t work, just wait for the trial version of 5.0.0.7 to be released.)
Clean it up when you clean it up~~ Otherwise~~Hey~~That’s what it means to revive after death~~
CNNIC also has a shutdown notification function~~Don't forget it~~Otherwise, even after you clean it, it will be written back when the computer is shut down~~
What? I don’t know how to deal with it~~Sweat~~~I haven’t found a suitable tool for this guy yet. Although it is easiest to write a program to deal with it, it has no versatility and it is not worth writing a program for this guy.
There are two ways to solve it for the time being:
One is a stupid way.
Isn't it notified by the system when shutting down? We don't even notify the system and it's over. Just press the RESET key to cold start the machine and it's OK~~ -_-!
The second one is to restore the FSD's HOOK and INLINE-HOOK first, and then delete all relevant program files, driver files, and DLL files, then restart, delete the startup items again, and it will be OK~ (Note that the locking system does not seem to be easy to use for CNNIC~depressing~)
In addition, friends who are accustomed to using AutoRuns.exe, please note that the AutoRuns.exe I use is version 8.22 and cannot find the CNNIC driver startup item~ If you want to kill CNNIC, please use another one~