Tuesday, January 1, 2008

Norton Smartphone Security

Compare Prices:
Vendor: symantecstore; Price: $29.99; free download available

System requirements:
Operating system
- Windows Mobile® 5.0 Pocket PC/Smartphone
- Windows Mobile 6.0 Professional/Standard
- Symbian™ OS 9 (Series 60 Version 3, UIQ 3.0)
Device requirements
- Windows Mobile 5.0 Pocket PC Phone Edition and 6.0 Professional: 1.8 MB of storage
- Windows Mobile 5.0 Smartphone and 6.0 Standard: 1.7 MB of storage
- Symbian OS 9 (Series 60 Version 3, UIQ 3.0): 1.1 MB of storage
PC requirements
- Microsoft® ActiveSync 4.1 or later (for use with Windows Mobile phones)
- Nokia® PC Suite (for use with Symbian OS phones)

Description:
Norton Smartphone Security is a great solution for protecting your phone from all sorts of threats. With antivirus, firewall, and antispam, Norton covers your bases. With automatic scans and quick updates, Smartphone Security is easy to use. The interface is simple to navigate and understand, and allows users to customize their settings for a specified appropriate level of mobile security. Norton Smartphone Security is a great solution for protecting your mobile information. Norton Smartphone Security is a complete phone security solution with effective protection and great features.

Key Features:
- Minimizes SMS spam - Blocks short text and multimedia messages from unknown senders.
- Blocks snoopware from turning on your camera - Prevents intruders from entering and exporting data from the mobile phone.
- Protects against viruses and other threats - Prevents malicious threats from entering your smartphone and compromising your privacy.
- SMS antispam protection: Short messages (text and multimedia) from unknown senders are blocked.
- Advanced protection: Award-winning Norton AntiVirus™ technologies automatically scan, detect, and quarantine harmful viruses, worms, and mobile spyware in individual files, file archives, and applications.
- Real-time protection: Enhanced firewall blocks hackers, intrusions, and denial-of-service attacks.
- The Symbian® and the Microsoft® Windows Mobile® platforms are supported.
- Easy-to-use interface: You can easily manage and schedule antivirus scans and protection updates*, set the firewall protection level, and manage which files are encrypted.

Removing a stubborn virus program

Because a running program is protected by Windows, a virus, even once found, often cannot be killed or deleted. What do you do when the antivirus software cannot kill it? The usual advice used to be to remove it in Safe Mode or DOS mode. There is a newer method, using the "Debugger" value under the Image File Execution Options registry key, which should work against a virus. The principle is to modify the registry so that the virus does not start the next time the computer boots, and then to remove it. The steps are as follows:

1. Find the virus, for example with antivirus software, or by looking for suspicious programs in the Task Manager (press the Ctrl, Alt and Del keys together).

2. Click "Start", then "Run", type "regedit" and click OK to enter the Registry Editor.

3. Under the registry path HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options create a new key (the name is arbitrary). Under that key create a new string value named "Debugger", double-click it and enter the path of the file to be blocked.

For example, if a Trojan or virus is found among the processes at the path C:\aaa\123.exe, type C:\\aaa\\123.exe into the Debugger value you just created (the path here uses double backslashes).

4. Close the Registry Editor and restart the computer. The virus can no longer start and can then be deleted directly.

When you run into stubborn antivirus software or other programs that cannot be uninstalled cleanly, you can disable them with the same method. This saves system resources and noticeably reduces the computer's startup time.
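The Image File Execution Options key used above is also a favourite persistence spot for malware, because an entry under it silently redirects a program to whatever the Debugger value names, so it is worth being able to audit it. Two facts about the mechanism matter for the procedure: Windows consults the subkey whose name equals the executable's file name (not an arbitrarily named one), and it launches the Debugger program in place of that executable with the original command line appended, so a Debugger that points at a program that does not exist stops the image from starting. The Python script below is an added example and not part of the original post. It parses a .reg export of the key (a constructed sample is embedded; on a real machine produce one with `reg export`) and lists every subkey that carries a Debugger value, flagging any whose debugger binary is not on a short allow-list of real debuggers. The allow-list, the sample contents and the file names in it are assumptions; the `C:\aaa\123.exe` entry reuses the post's example path.

```python
r"""Audit Image File Execution Options (IFEO) "Debugger" entries.

Added example, not from the original post. Input is a .reg export of the IFEO
key; a constructed sample is embedded below. On a real machine create one with:
  reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg
(reg export writes UTF-16; open that file with encoding="utf-16" before passing it in.)
"""

IFEO_PREFIX = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"

# Debuggers an administrator might legitimately register (assumption: tune for your estate).
KNOWN_DEBUGGERS = {"ntsd.exe", "cdb.exe", "windbg.exe", "vsjitdebugger.exe"}

# Constructed sample export: one legitimate debugger entry, the post's own example
# paths, and an entry that redirects taskmgr.exe to a program in a temp directory.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\myapp.exe]
"Debugger"="C:\\Debuggers\\windbg.exe -g"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\123.exe]
"Debugger"="C:\\aaa\\123.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
"Debugger"="\"C:\\Documents and Settings\\All Users\\tmp\\upd.exe\" /q"
"UseFilter"=dword:00000000
'''


def parse_reg_export(text):
    """Yield (key_path, {value_name: raw_value}) for each [key] block in a .reg export."""
    key, values = None, {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            if key is not None:
                yield key, values
            key, values = line[1:-1], {}
        elif line.startswith('"') and "=" in line:
            name, _, raw = line[1:].partition('"=')   # '"Debugger"="..."' -> name, raw
            values[name] = raw
    if key is not None:
        yield key, values


def unescape_reg_string(raw):
    """Turn a REG_SZ literal ("..." with \\ and \" escapes) into the stored string."""
    if not (raw.startswith('"') and raw.endswith('"')):
        return raw                      # dword:/hex: values are left alone
    body, out, i = raw[1:-1], [], 0
    while i < len(body):
        if body[i] == "\\" and i + 1 < len(body):
            out.append(body[i + 1])
            i += 2
        else:
            out.append(body[i])
            i += 1
    return "".join(out)


def debugger_binary(cmdline):
    """File name of the program a Debugger command line would start."""
    head = cmdline[1:].split('"', 1)[0] if cmdline.startswith('"') else cmdline.split(" ", 1)[0]
    return head.rsplit("\\", 1)[-1].lower()


def audit_ifeo(reg_text):
    """List every IFEO subkey carrying a Debugger value; 'suspicious' = not a known debugger."""
    findings = []
    for key, values in parse_reg_export(reg_text):
        if not key.lower().startswith(IFEO_PREFIX.lower() + "\\") or "Debugger" not in values:
            continue
        image = key[len(IFEO_PREFIX) + 1:]            # subkey name == the redirected executable
        cmdline = unescape_reg_string(values["Debugger"])
        findings.append({
            "image": image,
            "debugger": cmdline,
            "suspicious": debugger_binary(cmdline) not in KNOWN_DEBUGGERS,
        })
    return findings


if __name__ == "__main__":
    for f in audit_ifeo(SAMPLE_REG):
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{flag:10} {f['image']:<14} -> {f['debugger']}")
```

Run on the sample, the `myapp.exe` entry is reported as ok and the other two as suspicious. In an audit, every entry this script flags deserves a look: the key is meant for developers attaching a debugger, and a Debugger value that points at an unknown program, or at the redirected executable itself, is exactly what both the removal trick above and a persistence implant look like from the registry's side.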

How to manually kill a new virus

The scariest thing on the Internet is a newly released virus. Even though our computers run a variety of powerful antivirus software, with virus databases that update automatically from time to time, the virus always arrives before the database update, so infections are not rare. Here are some common manual anti-virus methods that use only the tools the system already provides:

First, be prepared: back up the system process list with TaskList

New viruses have learned to use processes to hide themselves, so it is best to back up the process list while the system is healthy, ideally right after startup before any Windows programs have been run. When the computer later behaves abnormally, the current process list can be compared against the backup to identify a possible virus process.

At the command prompt type:

tasklist /fo csv > g:\zc.csv

This command writes the current process list in CSV format to the file zc.csv on drive g: (choose whatever disk you want to save to). The file can be opened with Excel.

Second, keep your eyes sharp: compare process lists with FC. If the computer feels abnormal, or you hear of a virus currently going around, it is time to check.

Go to the command prompt and type the following command:

tasklist /fo csv > g:\yc.csv

This generates the current process list in the file yc.csv. Then type:

fc g:\zc.csv g:\yc.csv

After pressing Enter you can see the differences between the two files. In the comparison the computer has one extra process, called "Winion0n.exe" (used as the example here), which is not the normal "Winionon.exe" process.

Third, judge on clear evidence: use Netstat to view the ports opened by the suspicious process. How do you decide whether it is a virus? Most viruses (Trojans in particular) connect out through a port to spread, so look at which ports it occupies.

At the command prompt type:

netstat -a -n -o

The parameters mean the following:

-a: shows all connections and listening ports on the host

-n: displays addresses and port numbers in numeric form

-o: displays the PID of the process that owns each connection

After pressing Enter you can see all open ports and the processes with external connections. Here the process with PID 1756 (as an example) is the most suspicious: its state is "ESTABLISHED", and the Task Manager shows that this process is "Winion0n.exe". By checking which network programs are actually running on the machine, you can determine that this is an illegitimate connection.

The connection states have the following meanings:

LISTENING: the port is open and waiting for a connection, but nothing has connected yet. Only TCP service ports can be in the LISTENING state.

ESTABLISHED: a connection has been established and the two machines are communicating. TIME_WAIT: the connection has ended. It shows that the port was accessed but the visit is over, and it is used to determine whether an external computer has connected to this machine.
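The three steps above (baseline snapshot, comparison, port check) can be automated. The Python script below is an added example and not part of the original article: it parses two `tasklist /fo csv` snapshots and reports what `fc` would show as added lines, then parses `netstat -a -n -o` output and lists every connection owned by a process that was not in the baseline. The snapshot and netstat texts are constructed samples built around the article's Winion0n.exe / PID 1756 scenario (the peer address is a documentation address, not a real host), and the column names assume the English Windows locale.

```python
"""Compare tasklist snapshots and correlate new processes with netstat connections.

Added example, not part of the original article. The three texts below are
constructed samples shaped like English-locale `tasklist /fo csv` and
`netstat -a -n -o` output; replace them with real captures.
"""
import csv
import io

BASELINE_CSV = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Console","0","236 K"
"smss.exe","432","Console","0","388 K"
"csrss.exe","496","Console","0","3,872 K"
"winlogon.exe","520","Console","0","2,612 K"
"services.exe","564","Console","0","3,400 K"
"svchost.exe","780","Console","0","4,968 K"
"explorer.exe","1244","Console","0","18,004 K"
'''

# Later snapshot: identical except for one extra process (the article's example).
CURRENT_CSV = BASELINE_CSV + '"Winion0n.exe","1756","Console","0","4,120 K"\n'

NETSTAT_OUT = '''
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       780
  TCP    192.168.1.5:1043       203.0.113.7:6667       ESTABLISHED     1756
  TCP    192.168.1.5:1044       198.51.100.20:80       TIME_WAIT       0
  UDP    0.0.0.0:445            *:*                                    4
'''


def parse_tasklist_csv(text):
    """Map PID -> image name from `tasklist /fo csv` output (quoted CSV with a header row)."""
    return {int(row["PID"]): row["Image Name"] for row in csv.DictReader(io.StringIO(text))}


def new_processes(baseline_csv, current_csv):
    """Image names in the current snapshot that the baseline lacks (what `fc` shows as added lines)."""
    base = set(parse_tasklist_csv(baseline_csv).values())
    now = set(parse_tasklist_csv(current_csv).values())
    return sorted(now - base)


def parse_netstat(text):
    """Parse `netstat -a -n -o` rows; UDP rows carry no State column."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue                                  # banner, header and blank lines
        if parts[0] == "TCP":
            proto, local, remote, state, pid = parts
        else:
            proto, local, remote, pid = parts
            state = ""
        rows.append({"proto": proto, "local": local, "remote": remote,
                     "state": state, "pid": int(pid)})
    return rows


def suspicious_connections(baseline_csv, current_csv, netstat_text):
    """Connections owned by processes absent from the baseline, as (image, pid, state, peer)."""
    pid_to_name = parse_tasklist_csv(current_csv)
    new_names = set(new_processes(baseline_csv, current_csv))
    return [(pid_to_name[r["pid"]], r["pid"], r["state"], r["remote"])
            for r in parse_netstat(netstat_text)
            if pid_to_name.get(r["pid"]) in new_names]


if __name__ == "__main__":
    print("new since baseline:", new_processes(BASELINE_CSV, CURRENT_CSV))
    for name, pid, state, peer in suspicious_connections(BASELINE_CSV, CURRENT_CSV, NETSTAT_OUT):
        print(f"{name} (PID {pid}) {state} -> {peer}")
```

Comparing by image name only catches names that differ from the baseline; a virus that reuses the exact name of a legitimate process slips past an fc-style comparison, which is why the correlation by PID against netstat, and a check of where the executable actually lives on disk, are the useful follow-ups.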

Fourth, be ruthless: terminate the process with NTSD

Although we now know that "Winion0n.exe" is an illegitimate process, many virus processes cannot be terminated through the Task Manager. What can be done?

At the command prompt type the following command:

ntsd -c q -p 1756

When the command completes successfully, the virus process has been terminated.

Tip: "1756" is the PID of the process. If you do not know the process ID, open the Task Manager, click "View → Select Columns" and tick "PID (Process Identifier)". NTSD can forcibly terminate every process except System, SMSS.EXE and CSRSS.EXE.

Fifth, find the file where the virus hides and delete it. This only removes the virus's main file, however. Look at its properties and, based on the file's creation date and size, search again to find its companions and delete them too. If you are not sure which files are related to it, search the Internet for information about the virus.

Anti-virus and anti-spyware guide

A computer virus is a set of computer instructions or program code inserted into a computer program that damages computer functions or data, affects the use of the computer and can replicate itself. Computer viruses appear for several reasons: 1. Jokes and pranks. Some people who love computers and are proficient in computer technology write these special programs to show off their skill, relying on a deep understanding of hardware and software. The programs spread through a carrier and are triggered under certain conditions, for example showing an animation, playing music or posing quiz questions, with self-expression as their only purpose. Such viruses are generally benign and carry out no destructive operations. 2. Personal revenge. 3. Copyright protection. In the early days of computing, legal copyright protection for software was not as developed as it is today. Much commercial software was illegally copied, and some developers, to protect their interests, produced special programs attached to their products; the Pakistani virus, for example, was written by its producers to track users who illegally copied their product. Viruses written for this purpose are now rare. 4. Special purposes. An organization or individual may use a virus to achieve a special purpose, such as propaganda against or damage to the special systems of government agencies or other bodies, or for military purposes.
The move of computer operating systems into the Windows era, and of the world into the Internet era, has produced large-scale outbreaks of computer viruses on personal computers and their rapid worldwide spread. This causes inconvenience in the computers we use every day and leads to growing losses for social production, commerce and other activities.
To give everyone a better understanding of computer viruses, the harm they cause and basic anti-virus knowledge, we have prepared this guide.

The common types of computer virus on the Windows operating system are:
Boot-sector viruses. These embed themselves in the disk's master boot record (master boot record viruses) or in the DOS boot record (boot sector viruses); when the system boots they are loaded into memory and take control of the system to spread and cause damage. When a computer is started from a boot disk carrying such a virus, the virus enters memory with it, and once the computer's hard disk is infected the virus enters memory automatically every time the machine starts. On such an infected machine, any floppy disk used in a read or write operation can itself be infected and become a new source of the virus, and starting another computer from that floppy will infect that computer as well.
File viruses. These attach themselves to executable files in order to infect them. A common kind of file virus is the macro virus. As Windows software developed, many packages began to offer a "macro" function so that users could record cumbersome sequences of operations as simple commands for their own convenience. After this convenient feature was taken up by interested parties, file viruses entered a new stage: traditional file viruses only infect executable files with the extensions exe and com, whereas macro viruses can infect the data files stored by Word, Excel, AmiPro, Access and other software. Even more remarkably, macro viruses work across platforms. A Word macro virus, for example, can infect Word files and the global template on DOS, Windows 3.1/95/98/NT, OS/2, Macintosh and other systems. Although macro viruses are highly infectious, they fortunately have little destructive power and are easy to remove; even without antivirus software you can remove them by hand.
Worms. Worms spread through computer networks and do not change files or data. They use the network to copy themselves from one machine's memory to another's, computing network addresses and sending the virus itself over the network. In general they exist only in memory and occupy no other system resources.
Computer viruses spread mainly through removable disks (floppy disks, USB flash drives, portable hard disks and so on), the installation of pirated software or software from unknown sources, the network and e-mail.
After a computer is infected with a virus, some abnormalities can help us determine that a virus is present:
1. System resources are exhausted. Open the Windows Task Manager (press Ctrl + Alt + Del, right-click the taskbar and choose Task Manager, or click Start Menu → Run → type taskmgr) and see CPU usage staying at 100% for a long time;
2. Click Start Menu → Run → type msconfig, look at the Startup tab and find a large number of abnormal startup items;
3. Disk space shrinks significantly for no reason; there are many unknown files in the system folder; deleting such a file reports that it is in use and cannot be deleted; the disk frequently reports read and write errors;
4. The computer crashes frequently and restarting the system is correspondingly slow;
5. Memory errors occur frequently;
6. Selecting a disk and right-clicking it shows an Autoplay option in the menu;
7. Click Start Menu → Run → type cmd to enter command-line mode, and run the netstat command to view network connections; a large number of unknown, suspicious sessions are found.
Once these phenomena are observed you can be fairly sure the computer has a virus. Users can install antivirus software or, if they know the virus's name, use the dedicated removal tool for that virus to get rid of it, or ask professional computer maintenance staff to remove it.
Second, computer virus protection and basic computer security knowledge.
Virus protection on a computer is mainly done by antivirus software. Common foreign antivirus products are Trend Micro, McAfee, Norton, Kaspersky and so on; Chinese products include Rising, Jiangmin, Jinshan, Panda and so on.
After a tender, the university (ynu.edu.cn) selected Trend Micro antivirus software as the antivirus system for the school's desktop computers; users can download it from http://ftp.ynu.edu.cn/ and obtain the user guide there. Trend Micro also provides an online antivirus service at http://202.203.208.98/housecall/; users do not need to download and install a client and can scan and clean their own computer directly on the site. If, after installing Trend Micro, you no longer want to use it, enter the password "trend" when the uninstaller asks for one.
When using antivirus software for virus protection, two points are worth noting:
1. Whatever antivirus software you use, you must update it constantly. Almost all antivirus software works by scanning every file on the computer and comparing it against the virus signatures in its own signature database; if the code in a file matches a signature, the file is judged to be a virus. Because there are many kinds of computer viruses and new ones appear very quickly, antivirus software can only remove viruses in time if the signature database on the computer is kept up to date.
2. Install only one antivirus product on each computer. Antivirus software monitors the system in real time and needs a certain amount of CPU and memory; several products working at once drive up resource usage, hurt performance and waste resources.
Antivirus software is not a panacea. Users who have installed it should not assume their computer is safe; other measures are also needed to keep the computer secure:
1. Patch the operating system promptly. Hackers around the world use security vulnerabilities in the Windows operating system itself to write viruses and launch network attacks; the well-known Blaster (Worm.Blaster) and Sasser (Worm.Sasser) worms both exploit Windows vulnerabilities. Microsoft frequently releases security updates to prevent attacks on these vulnerabilities; the security patches for Windows 2000 have reached SP4 and those for Windows XP SP2. Users can download the latest updates from Microsoft's official website (http://www.microsoft.com/china/), or update from http://windowsupdate.ynu.edu.cn;
2. Be careful when downloading and installing software and games from the network and when opening downloaded music and documents. Many viruses are deliberately hidden in them, or the server itself carries the virus so that the downloaded files are infected. Scan such files for viruses before opening them. It is also best to open Folder Options and untick the "Hide extensions for known file types" option so that file extensions are visible, and be careful opening any file whose extension is ".exe", because .exe is the extension of executable files and many virus programs are executables.
3. Open an e-mail attachment only after confirming it is virus-free, and in particular do not click on attachments with the ".exe" extension.
Third, anti-spyware knowledge
Spyware is software that installs a backdoor program on the user's computer without the user's knowledge. The user's private data and important information can be captured through the backdoor, and such backdoors even let hackers remotely control the user's computer. Trojans are a common type of spyware. To protect against spyware, pay attention to the following:
1. Do not casually install shareware or "free software"; these programs often contain advertisements, spyware and other bad software and may pose a security risk.
2. Some spyware is installed through malicious websites, so do not visit bad sites.
3. Use a more secure web browser, and make sure its vulnerabilities are patched.
Another way of stealing user information is "phishing": the author produces a web page that looks similar or even identical to an online bank's page; the user mistakes it for the normal site and logs in, the page intercepts the account number, password and other information entered, and the funds in the account are stolen. Users of online banking services should be alert and enter the bank's site only through the domain name the bank has given them.
Rogue software sits between viruses and legitimate software. It is installed on the user's computer without permission or maliciously bundled with other software (such as browsers), pops up windows, steals user information and so on, and causes inconvenience and safety hazards for computer users.
For protection against spyware and malware we have the following recommendations:
1. Install firewall software on the computer to isolate the machine and cut off the backdoor's communication link with the outside network. Bear in mind that some firewall software blocks ports users need for normal use and interferes with legitimate software, so pay attention to the firewall rules and avoid blocking the ports that legitimate software and the operating system need;
2. Do not visit inappropriate websites;
3. If a Trojan or malware is found installed on the computer, use tools to remove and uninstall it. We recommend 360 Security Guard (local download address) or Perfect Uninstall (local download address) for the cleanup.
360 Security Guard is free security software with online support. It removes malicious software, manages plug-ins, removes viruses and diagnoses and repairs the system; it also provides pop-up and plug-in immunization, trace cleaning and auxiliary functions such as System Restore, and in particular it can check for operating system vulnerabilities and apply the appropriate patches (see the User Guide).
The main functions of Perfect Uninstall are installation monitoring, Trojan removal, intelligent software uninstallation, garbage cleaning, registry cleaning, DLL cleanup, system repair, system optimization, memory management, vulnerability scanning and comprehensive system maintenance.
Both programs can be downloaded free online. Used together with antivirus software and a personal firewall, they give a personal computer comprehensive protection.

spoolsv.exe Virus

spoolsv.exe was found to be infected by a spoolsv.exe Trojan. No matter how it was killed, it came back again, and in the end it turned out that the latest variant of spoolsv.exe cannot be killed by any software, so the solution is posted here in the hope that it helps. The spoolsv.exe Trojan is a slow-printing Trojan program that drives the computer's CPU usage to 100% and keeps the fan running noisily at high speed. The methods currently available online may solve the initial problem but are powerless against the latest variant.

Press Ctrl + Alt + Delete and stop the running spoolsv.exe process.

Restart the computer into Safe Mode and delete spoolsv.exe in C:\windows\system32\ (or use Search to find and delete all files of that name on the C drive).

Run regedit and use Find to locate and delete all spoolsv entries.

Right-click My Computer, choose Manage, then Services, and disable the Print Spooler service.

Restart the computer into normal mode. You will find that the computer is still running at high speed, but a search no longer finds any spoolsv-related files.

Press Ctrl + Alt + Delete; in the process list you will find a program called "inter" running in the background, and you can close it.

It is strongly recommended that, after applying the above steps to resolve the problem, you run an anti-spyware program to scan for and delete infected files.

spoolsv.exe is used by Windows to send print jobs to the local printer.

Note

spoolsv.exe may also be the Backdoor.Ciadoor.B Trojan. This Trojan allows an attacker to access your computer and steal passwords and personal data. Given the security level of this process, immediate deletion is recommended.

Method 3:

spoolsv.exe

The virus spoolsv.exe and the Windows print service spoolsv.exe are very similar, so do not confuse them. The print service spoolsv.exe lives in the system folder, for example system32\spoolsv.exe on XP, while the path of this virus is system32\spoolsv\spoolsv.exe. Virus information and removal method: 1. Go into the system32 directory and delete the folders spoolsv and miscn, as well as 1116. 2. Start Menu → Run → regedit to open the Registry Editor, find

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"spoolsv"="%System%\spoolsv\spoolsv.exe -printer" and delete it. 3. In the Registry Editor open the following branches and use the key combination Ctrl + F to search for the following:

HKEY_CLASSES_ROOT\CLSID

HKEY_CLASSES_ROOT\wmpdrm.cfsbho

HKEY_CLASSES_ROOT\wmpdrm.cfsbho.1

HKEY_CLASSES_ROOT\TypeLib

HKEY_CLASSES_ROOT\Interface

Delete each one that is found. 4. Run registry cleanup software to clean the registry; this step is optional. System process spoolsv.exe

Method 4:

Spoolsv.exe is a slow-printing Trojan program that drives the computer's CPU usage to 100% so that the fan runs noisily at high speed; the Trojan allows an attacker to access your computer and steal passwords and personal data.

First, determine whether you are infected

1. Click Start → Run, type msconfig and press Enter to open the System Configuration Utility, then select the "Startup" tab. After infection a Spoolsv.exe boot item is found running among the Startup items, and each such entry is shown as NTservice.

2. Open the system disk (assume it is C:) and check whether the folder C:\WINDOWS\system32\spoolsv exists with a spoolsv.exe file inside it. The normal spoolsv.exe print spooler file should be in the C:\WINDOWS\system32 directory.

3. Open the Task Manager; you will find the spoolsv.exe process with a very high CPU usage.
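The infection check in step 2 comes down to one question: is a process called spoolsv.exe running from where the real spooler lives? The Python script below is an added example, not part of the original post, and generalises that question to a small table of Windows system binaries and the directory each belongs in; the same check catches the services.exe Trojan described later on this page, which runs from C:\WINNT\services.exe instead of the system32 directory. The table, the sample process list and the default Windows directory are assumptions; it uses ntpath so it can run on any platform over (name, path) pairs collected from the Task Manager's Image Path Name column or a process listing tool.

```python
r"""Check that well-known Windows system processes run from their expected locations.

Added example, not part of the original post. The post's infection check
("is spoolsv.exe running from system32\spoolsv\ instead of system32\?") is
generalised to a small table of system binaries. Feed it (name, path) pairs;
a constructed sample list is embedded below.
"""
import ntpath

# Directory, relative to the Windows directory, where each binary belongs.
# Assumption: covers the binaries discussed on this page plus a few core ones.
EXPECTED_DIRS = {
    "spoolsv.exe": "system32",
    "services.exe": "system32",
    "svchost.exe": "system32",
    "lsass.exe": "system32",
    "csrss.exe": "system32",
    "smss.exe": "system32",
    "winlogon.exe": "system32",
    "explorer.exe": "",          # directly in the Windows directory
}


def expected_path(name, windir):
    """Case-folded full path where a table entry should live under this Windows directory."""
    key = name.lower()
    return ntpath.normcase(ntpath.join(windir, EXPECTED_DIRS[key], key))


def check_process_path(name, path, windir=r"C:\WINDOWS"):
    """None if the binary is where it belongs (or is not in the table), else a reason string."""
    key = name.lower()
    if key not in EXPECTED_DIRS:
        return None
    want = expected_path(key, windir)
    if ntpath.normcase(path) != want:
        return f"{name} runs from {path}, expected {want}"
    return None


def audit_processes(processes, windir=r"C:\WINDOWS"):
    """Reason strings for every (name, path) pair that is out of place."""
    reasons = []
    for name, path in processes:
        reason = check_process_path(name, path, windir)
        if reason:
            reasons.append(reason)
    return reasons


# Constructed sample: the legitimate spooler, the impostor path from the post,
# a normal explorer.exe and a process the table says nothing about.
SAMPLE_PROCESSES = [
    ("spoolsv.exe", r"C:\WINDOWS\system32\spoolsv.exe"),
    ("spoolsv.exe", r"C:\WINDOWS\system32\spoolsv\spoolsv.exe"),
    ("explorer.exe", r"C:\WINDOWS\explorer.exe"),
    ("notepad.exe", r"C:\WINDOWS\system32\notepad.exe"),
]

if __name__ == "__main__":
    for reason in audit_processes(SAMPLE_PROCESSES):
        print("SUSPICIOUS:", reason)
    # Windows 2000 naming: the Trojan in the services.exe write-up sits at C:\WINNT\services.exe
    print(check_process_path("services.exe", r"C:\WINNT\services.exe", windir=r"C:\WINNT"))
```

Pass the machine's real Windows directory as `windir` (C:\WINNT on Windows 2000 installations, C:\WINDOWS on XP); the comparison is case-insensitive, as Windows paths are. A name that is not in the table is deliberately not reported, so the table, not the code, decides what "expected" means.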

Second, removal

1. Restart and press F8 during boot to enter Safe Mode.

2. Click Start → Run, type cmd and press Enter to get a DOS prompt, then use the rd command to remove the following directories (if they exist):

C:\WINDOWS\system32\msibm

C:\WINDOWS\system32\spoolsv

C:\WINDOWS\system32\bakcfs

C:\WINDOWS\system32\msicn

For example, in the DOS window enter rd C:\WINDOWS\system32\spoolsv /s and press Enter; when prompted, type y and press Enter to delete the whole directory.

Use the del command to delete the following files (if they exist):

C:\windows\system32\spoolsv.exe

C:\WINDOWS\system32\wmpdrm.dll

For example, in the DOS window enter del C:\windows\system32\spoolsv.exe and press Enter to delete the infected spoolsv.exe. After the cleanup is finished, this file can be restored by copying a normal spoolsv.exe from another healthy machine and pasting it into the C:\windows\system32 folder.

3. Restart and press F8 again to enter Safe Mode.

(1) Right-click My Computer on the desktop, select "Manage", click "Services and Applications" → "Services", right-click NTservice, select "Properties" and change the Startup type to "Disabled".

(2) Click Start → Run, type regedit and press Enter to open the registry. On the Edit menu choose Find, search for registry items containing spoolsv.exe, and delete them. Press F3 to continue the search until all registry items containing spoolsv.exe have been deleted.

Third, restart once more and the system should be normal

After the virus files are cleared there is no SPOOLSV.EXE, and in Services your Print Spooler cannot be started, so of course the printer cannot run. If you type "services.msc" and look at the "Print Spooler" service, the "Path to executable" on the "General" tab has become unavailable, and trying to start it shows the error "Error 3: The system cannot find the path specified". This is because the related registry entries were deleted, and

Solution:

1: Copy SPOOLSV.EX_ from the I386 directory on the installation CD-ROM into the SYSTEM32 directory and rename it to spoolsv.exe. You can also copy the file from someone else's system, or use the NT/XP file protection function: type CMD and run SFC /SCANNOW for a full restore. Any way you can restore this file is fine.

2: Modify the registry: add "ImagePath"="c:\windows\system32\spoolsv.exe" under the service key, then open Services again and you can print.

Services.exe virus manual removal

First, registry repair

Use a registry repair tool, or regedit directly, to amend the following entries:

1. SYSTEM.INI (on NT systems this is in the registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon)

Change shell = Explorer.exe 1 to shell = Explorer.exe

2. Under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run:

Delete Torjan Program ---------- C:\WINNT\services.exe

3. HKEY_CLASSES_ROOT\.exe

Change the default value from winfiles back to exefile

4. Delete the following two keys:

HKEY_CLASSES_ROOT\winfiles

HKEY_LOCAL_MACHINE\software\classes\winfiles

5. In the Registry Editor, search in turn for "rundll32.com", "finder.com" and "command.pif", and change each "rundll32.com", "finder.com" and "command.pif" in the entries found to "Rundll32.exe"

6. Search for "iexplore.com" and change the "iexplore.com" in the entries found to "iexplore.exe"

7. Search for "explorer.com" and change the "explorer.com" in the entries found to "explorer.exe"

8. Search for "iexplore.pif"; you should find entries similar to "%ProgramFiles%\Common Files\iexplore.pif". Change them to "C:\Program Files\Internet Explorer\iexplore.exe"

9. Remove the file association information and startup entries added by the virus:

[HKEY_CLASSES_ROOT\winfiles]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Torjan Program"="%Windows%\services.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

"Torjan Program"="%Windows%\services.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

"Shell"="Explorer.exe 1"

Change this to

"Shell"="Explorer.exe"

10. The following entries are information related to a VB library file (MSWINSCK.OCX) dropped by the virus and do not need to be deleted:

HKEY_CLASSES_ROOT\MSWinsock.Winsock

HKEY_CLASSES_ROOT\MSWinsock.Winsock.1

HKEY_CLASSES_ROOT\CLSID

HKEY_CLASSES_ROOT\CLSID

HKEY_CLASSES_ROOT\Interface

HKEY_CLASSES_ROOT\Interface

HKEY_CLASSES_ROOT\TypeLib

Note: Because the virus changes a lot of related information, do not perform any extra operations before the virus file has been removed, to avoid re-activating the virus.

Second, delete the virus files

Reboot the system and delete the files listed below. Be careful when opening a partition: first open "My Computer", then right-click the partition and choose "Open" to enter it. Alternatively, run the attached Kv.bat directly to delete the following files:

c:\autorun.inf (if you have multiple partitions, check whether this file also exists on the other partitions and delete it there too)

%programfiles%\common files\iexplore.pif

%programfiles%\Internet explorer\iexplore.com

% windir%. com

%windir%\exeroute.exe

%windir%\explorer.com

%windir%\finder.com

%windir%\mswinsck.ocx

%windir%\services.exe

%windir%\system32\command.pif

%windir%\system32\dxdiag.com

%windir%\system32\finder.com

%windir%\system32\msconfig.com

%windir%\system32\regedit.com

%windir%\system32\rundll32.com

Delete the following folders:

%windir%\debug

%windir%\system32\NtmsData

Ten tricks to thoroughly eradicate stubborn viruses

Some viruses are very stubborn: you delete them, restart the computer, and they are back again. Here this site teaches you a few small methods to easily and thoroughly destroy the viruses in your system.

1. Empty the Internet Explorer (IE) temporary files

If antivirus software reports a virus at a path like c:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\, it usually means the virus was downloaded through the web browser; if your browser has not been patched, you are likely to be infected this way. For such viruses the simplest remedy is to clear IE's temporary files.

2. Display file extensions

Show all files and folders (including protected operating system files). Many Trojans use double extensions and the hidden attribute as camouflage; once everything is visible the virus has nowhere to hide.
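Two naming disguises appear on this page: the double extension mentioned here (a name like photo.jpg.exe, which Explorer shows as "photo.jpg" while known extensions are hidden), and the .com and .pif files the services.exe virus drops beside real programs (rundll32.com, regedit.com, explorer.com, command.pif), which work because cmd.exe resolves a bare command name through PATHEXT, whose default order lists .COM before .EXE. The Python script below is an added example, not part of the original article: it checks a list of file paths for both patterns. The extension sets and the sample listing are assumptions; on a real machine build the list with os.walk over the Windows directory.

```python
"""Flag deceptive executable names: double extensions and .com/.pif shadows.

Added example, not part of the original article. Checks a list of file paths
(a constructed sample is embedded) for two disguises described on the page.
"""
import ntpath

EXECUTABLE_EXTS = {".exe", ".com", ".pif", ".scr", ".bat", ".cmd", ".vbs"}
DECOY_EXTS = {".jpg", ".jpeg", ".gif", ".bmp", ".txt", ".doc", ".xls", ".pdf", ".mp3", ".htm", ".html"}
SHADOW_EXTS = {".com", ".pif"}


def has_double_extension(filename):
    """'photo.jpg.exe' -> True: an executable extension behind a document/media one."""
    stem, ext = ntpath.splitext(filename)
    return ext.lower() in EXECUTABLE_EXTS and ntpath.splitext(stem)[1].lower() in DECOY_EXTS


def shadowed_executables(paths):
    """Paths of .com/.pif files that sit beside a same-named .exe in the same directory."""
    names_by_dir = {}
    for p in paths:
        d, f = ntpath.split(p)
        names_by_dir.setdefault(ntpath.normcase(d), set()).add(f.lower())
    hits = []
    for p in paths:
        d, f = ntpath.split(p)
        stem, ext = ntpath.splitext(f)
        if ext.lower() in SHADOW_EXTS and (stem + ".exe").lower() in names_by_dir[ntpath.normcase(d)]:
            hits.append(p)
    return hits


def audit_names(paths):
    """(path, reason) for every file whose name looks designed to mislead."""
    findings = [(p, "double extension") for p in paths if has_double_extension(ntpath.basename(p))]
    findings += [(p, "shadows a same-named .exe") for p in shadowed_executables(paths)]
    return findings


# Constructed listing mixing legitimate files with the disguises described on the page.
SAMPLE_LISTING = [
    r"C:\WINDOWS\explorer.exe",
    r"C:\WINDOWS\explorer.com",
    r"C:\WINDOWS\system32\rundll32.exe",
    r"C:\WINDOWS\system32\rundll32.com",
    r"C:\WINDOWS\system32\command.pif",      # no command.exe beside it: not caught by the shadow rule
    r"C:\Documents and Settings\Administrator\Desktop\photo.jpg.exe",
    r"C:\Documents and Settings\Administrator\Desktop\report.doc",
]

if __name__ == "__main__":
    for path, reason in audit_names(SAMPLE_LISTING):
        print(f"{reason:28} {path}")
```

The shadow rule is deliberately narrow: it only reports a .com or .pif that has a same-named .exe next to it, so the sample's command.pif is not reported even though the page lists it among the virus's files. Widen the decoy and executable sets to match what your users actually receive, and treat every hit as something to inspect, not to delete blindly.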

3. Turn off "System Restore"

System Restore is the most convenient and effective tool for repairing the system: if you have created a System Restore point and later find system errors or an infection, you can go back to the restore point created earlier to repair the system.

If a virus is reported in the c:\System Volume Information\ directory, a previously created restore point has backed up the virus along with everything else. The remedy is to turn off or disable System Restore, which deletes the restore points and the virus with them. After a few minutes you can turn System Restore back on and create a clean restore point.

4. End the virus processes

Open the Task Manager and identify the abnormal process. Ending the process is one method of manual virus removal.

5. Change a service's "Startup type" and stop/start the service

Sometimes a virus loads itself as a service; this method can be used to shut the virus program down.

6. Set a secure account password

A simple password is very dangerous: hacking tools crack it easily, and the hacker can then implant a Trojan on your computer remotely. Antivirus software is of little help here, since a remote hacker can easily turn it off. For a system with only a simple password that is also connected to the Internet, the risk is too great.

7. Turn on "Automatic Updates" and use Windows Update

Using Automatic Updates is a good way to fix vulnerabilities promptly; you can also use Jinshan Cleanup Expert to download and install the patches manually. For computers that have not passed genuine validation, Cleanup Expert offers a good solution.

8. Enter Safe Mode

If a virus cannot be cleared in normal mode, we usually kill it in Safe Mode. Some viruses cannot be cleared even in Safe Mode; then you should try booting into Safe Mode with Command Prompt.

The difference between the two is that Safe Mode with Command Prompt offers only the console (CMD) character interface and no Explorer desktop, so some experience with DOS commands is needed. You can change to the antivirus software's installation path and run its command-line antivirus tool; for Kingsoft, type kavdx at the command line and press Enter to start scanning.

9. Close shared folders

Writable shares on a local area network are a serious risk; if they are not necessary, turn them off.

10. Use the Registry Editor only for simple delete/edit operations

The Registry Editor carries greater risk. If you are not familiar with it, create a System Restore point, or back up the registry branch you want to modify, before making changes, and then use the Registry Editor to modify it.

Let Notepad make every virus on the machine useless

When a computer is infected, many people open Task Manager and close the unfamiliar processes, but sometimes this happens: you end one process, and by the time you go to end the next, the one you just ended is running again. You delete the startup entries in the registry and restart, and the entries you removed are back. With only one operating system installed there is no second system to boot into and remove the files from. You download a dedicated removal tool, and it still cannot kill the virus.

Round and round it goes, the virus will not die, and the user is on the verge of collapse. What then? For such cases, here is one approach.

Step one: In Start → Run, type CMD to open a Command Prompt window.

Step two: Enter ftype exefile=notepad.exe %1. This makes every EXE file open with Notepad, so the original virus can no longer be started.

Step three: Restart the computer. You will see a number of Notepad windows open; of course these are not only the virus files but also some of the system's own programs, such as the input method program.

Step four: Right-click any file, choose Open With, click Browse, go to Windows\System32 and select cmd.exe. This gives you a Command Prompt window again (while exefile points at Notepad, nothing ending in .exe launches the normal way, cmd.exe included).

Step five: Run ftype exefile="%1" %* to restore the file association for EXE files; this is the Windows default, and the quotes around %1 keep paths that contain spaces working. Now you can run your anti-virus software, or change the registry back directly, and kill the virus.

Step six: In each Notepad window, click File → Save As to see the path and file name of the file that was opened. This is how you find the virus files, which you can then delete by hand. Be careful: you must be sure a file really is the virus before removing it. It is advisable to rename these files first, make a note of them and restart; if no virus mischief and no system problems appear, then delete them.

Appendix: Ftype usage

In Windows, the Ftype command displays and modifies the program used to open a given file type, i.e. which program opens files with a given extension. It is equivalent to editing the corresponding entries under HKEY_CLASSES_ROOT in Registry Editor.

Basic syntax: FTYPE [fileType[=[openCommandString]]]

For example, ftype exefile=notepad.exe %1 from the procedure above says that all files of type exefile (the file type associated with the .EXE extension) are to be opened with Notepad, where %1 stands for the file being opened (the file that was double-clicked).

ftype exefile="%1" %* means that an EXE file runs itself directly (an EXE is directly executable, so %1, the file itself, is the program to run), and the following %* passes along all the parameters given on the command line; this is why EXE files can be run with arguments.

Finding and removing dynamically embedded DLL Trojans

When Microsoft's operating systems moved from Win98 to the NT line (including 2000/XP), Task Manager was reborn: under NT a Trojan could no longer hide its process in the traditional way (under Win98 a process could register itself as a system service and disappear from Task Manager), so the Trojans that relied on that trick faced an unprecedented crisis. Trojan developers adjusted their approach accordingly, and that is why we are discussing today how to remove dynamically embedded DLL Trojans.

First, what is a dynamically embedded Trojan? To keep hiding their processes under NT, Trojan developers turned to DLL (Dynamic Link Library) files. At first they simply wrote the Trojan as a DLL that replaced wsock32.dll, the system library responsible for the WinSock 1.x function calls (WinSock 2 is handled by WS2_32.DLL): the fake DLL implemented the functions it knew about and forwarded the unknown ones to the real library (the genuine wsock32.dll was renamed so that forwarding kept working), and in this way achieved remote control. With the introduction of Microsoft's digital signatures and file protection features this kind of DLL Trojan lost ground, and the Trojan authors' efforts produced today's mainstream: the dynamically embedded DLL Trojan, a DLL injected into a running system process. Key processes that cannot be terminated, such as explorer.exe, svchost.exe and smss.exe, are the DLL Trojan's favourites; the DLL itself never appears in Task Manager, the EXE process is merely its carrier. With further work a DLL Trojan can also hijack or reuse a port (the so-called "portless" Trojan), register as a system service, protect itself with multiple threads, and so on. In short, DLL Trojans take concealment to an unprecedented level.

So how do we find and remove a DLL Trojan?

1. Start from the DLL file itself. We know that system32 is a fine place for hide and seek, and many Trojans push their way in there; the DLL Trojan is no exception. To address this, after installing the system and the necessary applications, record the EXE and DLL files in that directory: run CMD, change to system32, and enter dir *.exe > exeback.txt & dir *.dll > dllback.txt, so that the names of all EXE and DLL files are recorded in exeback.txt and dllback.txt. Later, if the system behaves abnormally but the traditional methods find nothing, consider whether a DLL Trojan has crept in: record the EXE and DLL files under system32 again with the same commands, this time into exeback1.txt and dllback1.txt, then run fc exeback.txt exeback1.txt > diff.txt & fc dllback.txt dllback1.txt >> diff.txt (FC compares the before and after listings; the second redirection must be >>, otherwise it overwrites the result of the first). This shows which DLL and EXE files are new, and by looking at their creation time, version information and whether they are packed it becomes much easier to decide whether a DLL Trojan has taken up residence. Best if there is none; if there is, do not delete the DLL outright: move it to the Recycle Bin first, remove it for good only if the system shows no abnormal reaction, or submit it to an anti-virus company.

2. As mentioned above, certain key system processes are the favourites of this type of Trojan, so once we suspect a DLL Trojan is present we naturally want to look closely at those processes. How? One powerful unpacking tool, Procdump.exe, can show which DLL files a process has loaded (Figure 1). Some processes load a great many DLLs, however, so checking them by eye is unrealistic. Instead use the NT process/memory module viewer ps.exe: the command ps.exe /a /m > nowdlls.txt saves the names of all DLLs currently loaded to nowdlls.txt, and we then use fc to compare it against the dllback.txt backed up earlier, which again narrows the scope of the investigation.

3. Still remember one characteristic of Trojans, the port? Any Trojan that connects out, or receives and sends data, must open a port, and the DLL Trojan is no exception; this gives us another clue. With Foundstone's Fport.exe we can see which process owns which port, narrow the search to a specific process, and then find the DLL Trojan with Procdump much more easily. Of course, as mentioned above, some Trojans communicate by hijacking or reusing a port; 139, 80, 1443 and other common ports are their favourites, because even a user who scans his own ports and sees something like TCP UserIP:1026 ControllerIP:80 ESTABLISHED will, if a little careless, take it for his own web browsing (a firewall sees it the same way). So looking at ports is not enough: we need to monitor what is communicated over them, which is the fourth point.

4. We can use a sniffer to find out what data is actually being transmitted over the open ports. With the network card in promiscuous mode it accepts all IP packets, the sniffer program lets us pick out the ones worth analysing, and the rest is decoding according to the protocol RFCs. This determines which ports the Trojan is using, and combined with Fport and Procdump we can then find the DLL Trojan. As for which sniffer, IRIS is recommended: graphical interface, easy to use.

5. When killing Trojans we usually make a habit of trying our luck in the registry, and that used to work quite well, but if we run into a Trojan registered as a system service (principle: on NT/2K/XP the system launches the specified service programs at boot), then inspecting the startup folder / registry / autoexec.bat / win.ini / system.ini / wininit.ini / *.inf (for example autorun.inf) / config.sys and so on turns up nothing strange. Then we should look at the system services: right-click My Computer, Manage, Services and Applications, Services, and you will see more than 100 services (Microsoft really does overdo it; about 75% of them are of no use to an individual user and can be disabled). Go through them slowly and kick out the ones that look wrong. If you exported the service list earlier as a backup, comparing the two files makes it very easy to spot the newcomers; note which file the service loads, then use srvinstw.exe from the Resource Kit to remove the service and delete the loaded file.

With these five steps, dynamically embedded DLL Trojans can basically be detected and removed. You may also have noticed that taking some backups at the right time helps enormously in the hunt for Trojans, and of course reduces the workload.
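The baseline idea in steps 1 and 2 above can be done better than with dir and fc: a name-only listing misses a file that was replaced in place (the wsock32.dll trick described earlier), while a snapshot that also records size and SHA-256 reports it as modified. The following script is an added example written for this page, not a tool the article describes; it runs on any platform, and the watched extension list, the JSON snapshot format and the test data are assumptions made here.

```python
"""Baseline/diff of EXE- and DLL-like files in a directory such as %SystemRoot%\\system32.

Added example for this page. Records name, size and SHA-256 of every watched
file so that a file replaced in place shows up as "modified", which a plain
`dir` listing cannot reveal.
"""
import hashlib
import json
import os
import sys
from pathlib import Path

# Extensions worth tracking in a system directory (assumption made here).
WATCHED_SUFFIXES = {".exe", ".dll", ".com", ".pif", ".scr", ".ocx", ".sys"}


def file_digest(path, chunk_size=1 << 16):
    """SHA-256 of a file, read in chunks so large DLLs are not loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(directory):
    """Return {lower-cased file name: {"size": int, "sha256": str}} for watched files.

    Names are lower-cased because NTFS names are case-insensitive. Files that
    cannot be read (locked, access denied) are still recorded by name, with
    None for size and hash, so their presence is not lost.
    """
    result = {}
    for entry in os.scandir(directory):
        if not entry.is_file(follow_symlinks=False):
            continue
        if Path(entry.name).suffix.lower() not in WATCHED_SUFFIXES:
            continue
        try:
            result[entry.name.lower()] = {
                "size": entry.stat(follow_symlinks=False).st_size,
                "sha256": file_digest(entry.path),
            }
        except OSError:
            result[entry.name.lower()] = {"size": None, "sha256": None}
    return result


def diff_snapshots(before, after):
    """Names added, removed, or changed (size or hash) between two snapshots."""
    common = set(before) & set(after)
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(n for n in common if before[n] != after[n]),
    }


def save_snapshot(snap, path):
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(snap, fh, indent=1, sort_keys=True)


def load_snapshot(path):
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


if __name__ == "__main__":
    # python baseline.py save  baseline.json [directory]   (right after installation)
    # python baseline.py check baseline.json [directory]   (when something looks wrong)
    # The directory defaults to %SystemRoot%\system32.
    action, store = sys.argv[1], sys.argv[2]
    default_dir = os.path.join(os.environ.get("SystemRoot", r"C:\WINDOWS"), "system32")
    target = sys.argv[3] if len(sys.argv) > 3 else default_dir
    if action == "save":
        save_snapshot(snapshot(target), store)
    else:
        report = diff_snapshots(load_snapshot(store), snapshot(target))
        for kind, names in report.items():
            for name in names:
                print(kind, name)
```

Take the baseline from a freshly installed system, as the article advises, and keep the JSON file off the machine; a baseline stored on the infected host can be edited by the very Trojan you are hunting. The "modified" list will also contain legitimately patched files, so check creation time and version information on each hit rather than deleting on sight.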

Manually removing stubborn Trojans, worms and viruses: a simple manual

The situation was this: after dialing up to the Internet, FTP to the China Unicom server repeatedly failed. On inspection, the Norton Personal Edition anti-virus software and Norton firewall installed on the computer had been disabled and could not be enabled normally (an error was reported when trying to open them). Task Manager showed five illegal processes; trying to stop them reported "Access Denied". After restarting into Safe Mode and trying again to stop the illegal processes, the same error appeared and they could not be stopped. In the list of local services I then found two unknown auto-start services; trying to stop them reported "Stop Service Failure". In desperation I set the service attributes to "Disabled" and restarted into Safe Mode once more, and this time the unknown services did not start. Based on the names of the illegal processes found earlier, I searched the system drive C, found them in the Winnt directory and the Winnt\system32\ directory, and deleted them by hand. Then in Winnt\system32\ I found a large number of unidentified program files with common features: the hidden attribute was set, the file names were random strings like "diALoGUe", the icon resembled that of a DOS program, and the Properties dialog showed no company, version or other information. Because I am used to setting the folder options to show all files and show protected operating system files before disinfecting, in order to make searching easier, it was easy to find this batch of unknown, randomly named files, and after confirming them they were all sent to the Recycle Bin. Then I checked the registry and deleted the unknown startup values under the Run keys. Finally I installed the SP5 updates; after about 10 minutes of installing all the patches I rebooted into normal mode: Win2000 ran normally, Norton anti-virus and the network firewall started successfully, and the dial-up FTP succeeded.

From this experience, and from what I have seen and heard, the probable path of infection and outbreak of such a virus is: the user fails to install patches for vulnerabilities in time, or browses a malicious website, or runs an unknown program or file while using an account with super-user privileges, and gets infected. Once resident, the virus replicates itself, automatically connects out and downloads a variety of Trojans onto the newly captured zombie host, and then frantically uses this zombie to try to log onto other computers on the network with weak passwords so as to infect more machines; after infecting another machine it frantically sends out other Trojans, worms and viruses so that those infect still more machines, producing more zombies. This necessarily consumes a huge amount of network bandwidth, much like a DDoS flood, and can overwhelm and paralyse switches and routers. This is most likely the root cause when the network slows down but speeds up again after a switch or router is rebooted. And because the virus runs so many processes, system resources are saturated and the infected machine runs noticeably slower.

The dangers of such viruses are:

1. Using the high bandwidth of the internal network, it infects a large number of other vulnerable computers on the network, often a whole large network at once.

2. It consumes a lot of network bandwidth, slowing the network down.

3. It has a certain intelligence and many variants; since anti-virus software always lags behind the appearance of a virus, new variants may get through.

4. Using a DDoS-like tool, it reads the SAM account names of other computers on the network and concurrently tries to log on with weak passwords; on computers that are not even infected this exceeds the failed-logon limit, the accounts are locked out, and normal use is disrupted.

In summary, manual disinfection follows these steps:

1. Manually download and collect all the individual SP5 update files (for Win2000 this is nearly 100 MB in total).

2. Disconnect from the network.

3. Restart into Safe Mode.

4. Check the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run* keys and remove all unknown startup items.

5. Check the HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run* keys and remove all unknown startup items.

6. Check for unknown services. If there are none, go to step 7; if there are, set them to Disabled and return to step 3.

7. Search the %SystemRoot%\system32\ directory for all hidden .exe and .com files, check their properties, and delete without mercy those of unknown origin (put them in the Recycle Bin first, and empty it only after a restart shows nothing wrong).

8. Update to the latest virus database, then use the anti-virus software to scan all files on the system drive.

9. Having confirmed that SP4 is installed, apply all the SP5 patches.

10. Reboot into normal mode and use the machine.

Note: Deciding whether a program is illegitimate requires some experience, so here is a simple method: right-click a suspicious program and open Properties. A normal program carries company name, version, copyright and similar information on the Version tab; even junk like 3721 and other adware carries the appropriate information, whereas worms, Trojans and similar programs most likely carry no information at all. Using this as a reference, most illegitimate programs can be judged.
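The judgement in steps 4, 5 and 7 and in the note above (no version information, hidden attribute, random name in system32, a system tool name carrying a .com or .pif extension, a double extension, a program starting from the browser cache) can be written down as triage rules. The script below is an added example for this page, not something the article provides: each StartupEntry holds what Registry Editor shows for a Run value together with what the file's Properties dialog shows, the rule names and the sample entries are constructed here, and the list of system tool names is an assumption.

```python
"""Triage of Run-key startup entries. Added example for this page.

Each entry records a Run value as seen in Registry Editor plus the file facts
the Properties dialog shows (hidden attribute, company, version). The rules
encode the heuristics used in the article; a hit is a reason to look closer,
not proof of infection.
"""
import os
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Optional


@dataclass
class StartupEntry:
    key: str                        # e.g. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    value_name: str
    command: str                    # value data as shown in Registry Editor
    hidden: bool = False            # Hidden attribute on the image file
    company: Optional[str] = None   # Version tab: company name, None if absent
    version: Optional[str] = None   # Version tab: file version, None if absent


# System program names (assumed list) whose stem with a .com/.pif/.scr
# extension is the image-hijack pattern from the file list above.
SYSTEM_TOOL_STEMS = {"explorer", "regedit", "msconfig", "rundll32", "dxdiag",
                     "taskmgr", "services", "svchost", "winlogon", "lsass"}
MASQUERADE_SUFFIXES = {".com", ".pif", ".scr"}
DOCUMENT_SUFFIXES = {".jpg", ".gif", ".txt", ".doc", ".htm", ".html", ".pdf", ".mp3"}


def image_path(command: str) -> str:
    """Extract the program path from a Run value, quoted or not."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    match = re.match(r"(.+?\.(?:exe|com|pif|scr|bat|cmd))(?:\s|$)", command, re.IGNORECASE)
    return match.group(1) if match else command.split(" ", 1)[0]


def triage(entry: StartupEntry) -> List[str]:
    """Return the reason codes that make this entry worth a closer look."""
    reasons = []
    path = image_path(entry.command)
    name = PureWindowsPath(path).name.lower()
    stem, suffix = os.path.splitext(name)
    if entry.company is None and entry.version is None:
        reasons.append("no-version-info")           # the article's main rule
    if entry.hidden:
        reasons.append("hidden-file")
    if suffix in MASQUERADE_SUFFIXES and stem in SYSTEM_TOOL_STEMS:
        reasons.append("system-tool-name-with-" + suffix[1:] + "-extension")
    if os.path.splitext(stem)[1] in DOCUMENT_SUFFIXES:
        reasons.append("double-extension")          # photo.jpg.exe
    lowered = path.lower()
    if "\\temp\\" in lowered or "temporary internet files" in lowered:
        reasons.append("runs-from-temp-folder")     # downloaded by the browser
    return reasons


def triage_all(entries) -> dict:
    """Map value_name -> reasons, only for entries with at least one reason."""
    flagged = {}
    for entry in entries:
        reasons = triage(entry)
        if reasons:
            flagged[entry.value_name] = reasons
    return flagged


# Constructed sample data, not from a real machine, mirroring the cases above.
RUN = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_USER = r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
SAMPLE_ENTRIES = [
    StartupEntry(RUN, "agent", r'"C:\Program Files\Example Vendor\agent.exe" /tray',
                 company="Example Vendor Inc.", version="2.1.0.0"),
    StartupEntry(RUN, "diALoGUe", r"C:\WINNT\system32\diALoGUe.exe", hidden=True),
    StartupEntry(RUN_USER, "regedit", r"C:\WINDOWS\system32\regedit.com", hidden=True),
    StartupEntry(RUN_USER, "photo", r"C:\Documents and Settings\Administrator\Local Settings"
                 r"\Temporary Internet Files\photo.jpg.exe"),
]

if __name__ == "__main__":
    for value_name, reasons in triage_all(SAMPLE_ENTRIES).items():
        print(value_name, "->", ", ".join(reasons))
```

On a real machine the entries would be filled from reg query on the two Run keys and from the file attributes and version resource of each image; the rules stay the same. As the note says, the version-information rule is a reference, not a verdict: a legitimate tool built without a version resource is also flagged, which is why the article has you move files to the Recycle Bin first and restart before emptying it.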

A few tips for staying "virus-free":

1. Use a proxy or NAT to isolate the LAN from the external network instead of connecting them directly.

2. On every machine on the LAN, forbid blank super-user passwords, passwords identical to the user name, and trivially simple passwords.

3. Assign permissions strictly on the principle of "just enough", so that no unnecessary super-users are created.

4. Use an enterprise edition of the anti-virus software and set up an anti-virus central server, configured to check for and download virus database updates automatically and distribute the latest database to the clients.

5. Use SUS or a similar automatic Windows patch download service, configured so that the latest patches are distributed to all clients and installed automatically.

6. Remind colleagues regularly to pay attention to online safety: do not visit unnecessary websites, do not run unknown files, mind your online hygiene.

7. Open Task Manager regularly to check for unknown processes, and visit Windows Update regularly to check for the latest patches.

A trick for killing web-page Trojans

If you are using Windows XP, go to the directory C:\Program Files\Internet Explorer and find IE's main program file. Right-click it and choose Send To → Desktop (create shortcut). Then click Start, choose Run, open CMD and type net user hxhack 123456 /add to add an ordinary user named hxhack (do not promote it to administrator; and pick a stronger password than this example one). Right-click the new IE shortcut, choose "Run as...", select "The following user", enter the new user's name and password, and click OK. From now on, any IE window opened under the hxhack account need not fear any web-page Trojan. Why this works: IE, and anything a web page manages to drop through it, runs with the hxhack account's ordinary-user token, so writes to the system directories, to HKLM and to the logged-on administrator's profile are denied and the Trojan cannot install itself in the system even though it was "executed". (Task Manager's Users tab still shows only the logged-on administrator as the active user; the IE process nevertheless runs as hxhack.) Note that the Trojan can still write to hxhack's own profile, so this limits the damage rather than preventing the download.

The 10 most destructive computer viruses of 20 years

The US website Techweb has named the 10 most destructive computer viruses of the past 20 years:

1. CIH (1998)

This virus belongs to the W32 family and infects Windows 95/98 executable files with the .EXE extension. It is devastating: it can overwrite the BIOS and render it useless (on machines with the Intel 430TX chipset), leaving the computer unable to start, with replacement of the BIOS chip as the only remedy. The virus triggers on 26 April and also destroys the data on the hard disk. It does not affect MS-DOS, Windows 3.x or Windows NT.

CIH spreads by every possible means: floppy disk, CD-ROM, the Internet, FTP downloads, e-mail. It is recognised as one of the most dangerous and most destructive computer viruses in history. It broke out in Taiwan in June 1998 and caused 20 to 80 million dollars in damage worldwide.

2. Melissa (1999)

This virus targets Microsoft's e-mail servers and e-mail software. It hides in a Word 97 format document that travels as an e-mail attachment and attacks computers with Word 97 or Word 2000. It modifies Word's registry entries and changes the security setting that protects against macro viruses, so that infected files no longer trigger the macro virus warning.

Within a few hours of its discovery Melissa had spread over the Internet to millions of computers and tens of thousands of servers worldwide, paralysing parts of the Internet. It broke out on 26 March 1999, infected 15 to 20% of business PCs, and caused 300 to 600 million dollars in damage worldwide.

3. I Love You (2000)

Broke out on 3 May 2000 in Hong Kong; a virus written in VBScript and spread by e-mail, infecting computers running Win95/98/2000. It caused 10 to 15 billion dollars in losses worldwide.

4. Code Red (2001)

This virus spreads rapidly and causes widespread slowdowns or even blockage of network access. It typically attacks networked servers first, and the infected servers then send large volumes of data to government websites as instructed, eventually paralysing those sites. The damage consists mainly of defaced web pages, and there are signs that the worm can also modify files. It broke out on 13 July 2001 and caused losses of 2.6 billion dollars worldwide.

5. SQL Slammer (2003)

This virus attacks the SQL Server 2000 resolution service on port 1434 with a buffer overflow. It broke out on 25 January 2003; the source puts the number of servers attacked worldwide at 500,000, but the economic loss it caused was relatively small.

6. Blaster (2003)

This virus continuously scans the network at run time for Win2K or XP systems, then attacks them through the DCOM RPC buffer overflow; once the attack succeeds the virus body is transferred to the other computer to infect it, causing the system to malfunction and reboot repeatedly or even crash. In addition the virus launches a denial of service attack on Microsoft's update website, blocking it so that users cannot update their systems through the site. It broke out in the summer of 2003, infected hundreds of thousands of computers, and caused 2 to 10 billion dollars in losses worldwide.

7. Sobig.F (2003)

Sobig.F spreads over the Internet: when executed, it mails itself as an attachment to every e-mail address it finds on the infected computer, using its own SMTP engine to compose the messages. On an infected system the worm's file is C:\WINNT\WINPPR32.EXE. It broke out on 19 August 2003 and, like the earlier Sobig variants, caused 5 to 10 billion dollars in losses worldwide.

8. Bagle (2004)

This virus spreads via e-mail; when run it creates a copy of itself in the system directory and modifies registry keys. It also has backdoor capabilities. It broke out on 18 January 2004 and caused millions of dollars in losses worldwide.

9. MyDoom (2004)

MyDoom spreads via e-mail attachments and the Kazaa P2P network. When the user opens the attachment and the virus runs, it takes the e-mail addresses in the user's mailbox as targets, forges the sender address, and sends out large numbers of e-mails carrying the virus as an attachment, while leaving a backdoor on the host (TCP ports 3127 to 3198) through which arbitrary code can be uploaded and executed. It broke out on 26 January 2004 and at its peak slowed web page loading times by more than 50%.

10. Sasser (2004)

This worm spreads through the LSASS buffer overflow vulnerability in Microsoft operating systems (see MS04-011). Because it launches a large number of scans as it spreads, it has a huge impact on individual users and network operation alike. It broke out on 30 April 2004 and caused millions of dollars in losses worldwide.

Infected by a virus and the E drive will not open: what to do?

First, start System Restore. Go to the C:\Windows\system32\restore directory, right-click the rstrui file (this is the System Restore program), choose Send To → Desktop (create shortcut), and from then on a double-click on the shortcut launches System Restore quickly. Typing rstrui at the command prompt or in the Run box and pressing Enter achieves the same.

Second, the system restore point is also the computer's "life-saver": when an unexpected error or failure occurs for whatever reason, System Restore comes in very handy. Click Start / Programs / Accessories / System Tools / System Restore, choose "Restore my computer to an earlier time" and click Next to choose a restore point. In the calendar on the left, select a date on which a restore point was created; on the right all the restore points created that day are shown, and you select the one to restore to, for example the "saviour" restore point in Figure 2 (a name I chose myself, of course). Click Next to start System Restore; the system restarts during this process. If System Restore cannot be run in WinXP normal mode, enter Safe Mode and restore the system from there, using the same method as in normal mode. If the system is so far gone that even Safe Mode cannot be entered but Safe Mode with Command Prompt can, type C:\windows\system32\restore\rstrui at the command prompt and press Enter; this also opens the System Restore interface.

Third, by default System Restore saves information and data about changes on all drives, which over time certainly consumes an alarming amount of disk space. How can System Restore do its job without taking up too much space? In fact, turning on System Restore only for the partition where the operating system lives saves a lot of disk space. Open the System Restore settings window, where it can be configured per partition. Tick "Turn off System Restore on all drives" and click Apply; this deletes the existing WinXP restore points and frees disk space. Then untick "Turn off System Restore on all drives" to start System Restore again, select the non-system partitions one by one, click Settings and choose "Turn off System Restore on this drive", so that System Restore is disabled on those partitions. You can also limit the disk space System Restore uses on a partition: select the partition, click Settings, and drag the slider in the settings window to adjust the space. With the operating system's "resurrection" skill in hand, what is there to fear?

Do not try to format a partition from within Windows, because files on that partition are likely in use (especially on the system partition); formatting would crash an application or the system, and Windows refuses to do it. As for so-called low-level formatting, it applies to the entire physical hard disk: it zeroes the disk, keeps the physical master boot record (not the ordinary MBR that software refers to) with the disk's own information, and adds bad-track records. This operation is very low level and knows nothing about partitions, so it is impossible to low-level format a single partition. In general, low-level formatting is not recommended nowadays, because modern drives diagnose and repair bad sectors automatically and manual low-level formatting is simply unnecessary. Moreover, the way drives store their physical boot record differs from before (the data is stored on the platters rather than in a chip) and varies by vendor, so forcing a low-level format may change the drive's capacity drastically or cause other serious problems. The "low-level format" in DM is merely a full zeroing plus a bad-sector check, not a true low-level format. If your C partition is filling up, the cause may be too many temporary files, which cleanup software of the Super Rabbit kind can remove, or the restore points stored by System Restore, which you can remove through the System Restore tool (or simply disable it, which deletes all restore points, under System in Control Panel). You can also use Paragon Partition Manager to resize and move partitions to give C more space. Do not install rarely used software on C, and do not make C the default download partition for download managers such as FlashGet (in FlashGet, right-click "Downloaded" in the program window and change the directory in its properties to move it). Do not format.

Clever from the process to determine whether there is a virus Trojan

Any viruses and Trojan horses exist in the system, and processes can not completely break off relations, even with hidden technology, but also was able to find clues from the process, therefore, view the process of becoming active in the system that we detect viruses, Trojan horses of the most direct method. However, the process of the system to run it ...
Any viruses and Trojan horses exist in the system, and processes can not completely break off relations, even with hidden technology, but also was able to find clues from the process, therefore, view the process of becoming active in the system that we detect viruses, Trojan horses of the most direct method. However, the system processes to run so much, what is the normal system process, which is the Trojan process, and often the fake Trojan virus system process in the system, what role do they play? See this article.

Three ways viruses hide their processes

When we have confirmed that a virus is present but cannot find any strange process in Task Manager, the virus is using some hiding measure. There are three common ones:

1. Passing a fake off as the real thing

The normal system processes include svchost.exe, explorer.exe, iexplore.exe and winlogon.exe, but you may find processes such as svch0st.exe, explore.exe, iexplorer.exe and winlogin.exe on your system. Can you spot the differences? This is a common virus tactic meant to fool the user's eyes: the virus takes a normal system process name, changes o to 0, l to i, or i to j, and uses the result as its own process name; one character is different, but the meaning is entirely different. Or it adds or removes a single letter: explorer.exe and iexplore.exe are already easy to confuse, and an iexplorer.exe on top of them confuses things even more. A careless user generally overlooks it, and the virus process slips through.

2. Using a genuine name in the wrong place

If the user is more cautious, the trick above no longer works and the virus has to find another way, so viruses learned the substitution trick. Suppose a process is named svchost.exe, exactly the same as the normal system process; is it safe, then? Definitely not. It simply exploits the fact that Task Manager cannot show the executable file behind a process. We know that the executable of the svchost.exe process is in the C:\WINDOWS\system32 directory (C:\WINNT\system32 on Windows 2000). If the virus copies itself to C:\WINDOWS, renames itself svchost.exe and runs, Task Manager shows a svchost.exe that looks no different from the normal system process. Can you tell which one is the virus?

3. Borrowing a body: process injection

Besides the two methods above, viruses have one more ultimate technique: borrowing a body. A body-borrowing virus uses process injection technology to insert the DLL it needs into a normal system process. On the surface nothing looks suspicious, but in reality the virus has taken control of the system process, and without a professional process-inspection tool, finding the virus hidden inside it is very difficult.

Common system processes

Many system processes were mentioned above. What exactly are they, and how do they work? Here we explain each of them; once you are familiar with these system processes, you will be able to see through a virus's lookalike-name and substitution tricks.

svchost.exe

Often impersonated as svch0st.exe, schvost.exe or scvhost.exe. As the number of Windows system services has grown, Microsoft, to save system resources, has many services share a process started by svchost.exe. These system services are implemented as dynamic-link libraries (DLLs) that point to the svchost executable, which loads the DLL and starts the service. Open Control Panel → Administrative Tools → Services and double-click the ClipBook service: its property page shows the executable path C:\WINDOWS\system32\clipsrv.exe. Double-click the Alerter service instead and the path is C:\WINDOWS\system32\svchost.exe -k LocalService, and the Server service's path is C:\WINDOWS\system32\svchost.exe -k netsvcs. Calling services this way saves a lot of system resources, so the several svchost.exe entries that appear in the system are simply system services.

On Windows 2000 there are normally two svchost.exe processes: one is the RPCSS (Remote Procedure Call) service process, the other is shared by many services. On Windows XP there are generally more than four svchost.exe service processes. If a Windows XP or earlier system has more than five svchost.exe processes, be careful: one of them may be a fake. On Vista and Windows 7, however, 8-12 svchost processes are normal! Checking whether one is a normal system process is simple: use a process management tool, such as the process manager in Vista Optimization Master, and look at the executable path of each svchost.exe; if it lies outside the C:\WINDOWS\system32 directory, it is a virus.
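As an added example (mine, not the article's), the following Python checker applies the first two tricks to a process list: it folds the o/0 and l/i/j confusions the text describes and allows one edit of distance against known names, and it compares a genuine name's image path with the directory it belongs in. The process records, the short allow-list of known names, the expected directories and the one-edit threshold are my assumptions.

```python
from typing import List, Optional

# Names the article lists as normal system processes; a real checker
# would carry a fuller inventory (assumption: this short allow-list).
KNOWN = ("svchost.exe", "explorer.exe", "iexplore.exe", "winlogon.exe",
         "ctfmon.exe", "lsass.exe", "csrss.exe", "services.exe")

SYSTEM32 = r"c:\windows\system32"      # Windows 2000 uses c:\winnt\system32
# Where each known image is expected; anything not listed belongs in system32.
EXPECTED_DIR = {"explorer.exe": r"c:\windows",
                "iexplore.exe": r"c:\program files\internet explorer"}

# The character swaps the article describes (o/0, l/i/j, and 1 for l) all
# collapse to one form, so "svch0st" compares equal to "svchost".
CONFUSABLE = str.maketrans({"0": "o", "1": "i", "l": "i", "j": "i"})


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: an insertion, deletion,
    substitution or swap of two adjacent characters each costs 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def lookalike_of(name: str) -> Optional[str]:
    """Return the known system image this name imitates, or None.
    A genuine known name is never a lookalike; the threshold of one edit
    after collapsing confusable characters is my assumption."""
    name = name.lower()
    if name in KNOWN:
        return None
    folded = name.translate(CONFUSABLE)
    best = min(KNOWN, key=lambda k: osa_distance(folded, k.translate(CONFUSABLE)))
    return best if osa_distance(folded, best.translate(CONFUSABLE)) <= 1 else None


def check_process(name: str, path: str) -> List[str]:
    """Reasons one process record looks suspicious; an empty list means
    neither trick was found. `path` is the image's full path as shown by a
    process tool that can display it (Task Manager on XP cannot)."""
    name, path = name.lower(), path.lower()
    reasons = []
    imitated = lookalike_of(name)
    if imitated:                            # trick 1: lookalike name
        reasons.append(f"name imitates {imitated}")
    if name in KNOWN:                       # trick 2: right name, wrong directory
        expected = EXPECTED_DIR.get(name, SYSTEM32)
        directory = path.rsplit("\\", 1)[0]
        if directory != expected:
            reasons.append(f"{name} running from {directory}, expected {expected}")
    return reasons


def svchost_count_suspicious(names: List[str], vista_or_later: bool) -> bool:
    """The article's rule of thumb: more than five svchost.exe on XP or
    earlier deserves a look; for Vista/7 it gives no upper bound (8-12 is normal)."""
    count = sum(1 for n in names if n.lower() == "svchost.exe")
    return (not vista_or_later) and count > 5


if __name__ == "__main__":
    # Constructed process list, modelled on the tricks in the text.
    sample = [("svchost.exe", r"C:\WINDOWS\system32\svchost.exe"),
              ("svch0st.exe", r"C:\WINDOWS\system32\svch0st.exe"),
              ("svchost.exe", r"C:\WINDOWS\svchost.exe"),
              ("iexplorer.exe", r"C:\WINDOWS\iexplorer.exe")]
    for n, p in sample:
        print(n, check_process(n, p) or "ok")
```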

Four good ways to identify virus files

When we scan with antivirus software it often detects lots of "viruses", and many friends, taking the attitude of "better to kill a thousand by mistake than let one escape", delete everything it finds. Deleting everything is not advisable: some of them are infected system files that cannot simply be struck down. Here I introduce a few ways to identify virus files; I hope they help everyone.

1. File time

If you think something is wrong with your computer, but antivirus finds nothing, or it removes part of the virus and things still feel wrong, you can examine suspicious objects by file time.

A file has a creation time and a modification time (there is also an access time, which we ignore). Both are shown in the file's properties: right-click the file, choose Properties, and look at the General tab.

Virus and Trojan files usually have fairly recent creation and modification times; if you catch them early, they are generally from the last few days or the same day. c:\windows, c:\windows\system32 and sometimes c:\windows\system32\drivers (on Windows 2000 replace windows with winnt) are the places viruses and Trojans usually stay. Sort by time (View → Details, then click the "Date Modified" column header), look at the newest files from the last few days and pay special attention to exe and dll files, sometimes dat, ini and cfg files too. But the latter often have legitimately recent modification times; if unsure, set them aside and concentrate on exe and dll, since the last three types are not executable anyway. Generally speaking, system files, especially exe and dll files, will not have such a new modification time.

Of course, updates or installation of other application software also produce new modification times; you can compare with the creation time, and you should know yourself whether you installed any software at that time. If you really do not know, use the search function to look across the whole hard disk for folders created around that time and see whether an application was installed then; if the times match, the file is normal. If they do not, it is a virus: delete it.

Be clear that not all recent files are viruses, nor are all viruses recent; some viruses even carry file dates from years ago.

Of course, we have other ways to tell them apart.

2. File name

The file name is the first impression, and judging initial suspicion by file name is the most direct method. The reason file time was covered first is that picking suspects by name out of a large number of files is too hard, whereas sorting by time is convenient.

File names that are random combinations of letters (sometimes with numbers, less often) are a favourite of viruses. (Some normal software has the same strange habit; Yahoo Assistant, for example, uses file names that are all different, which is suspicious in itself, and some modem drivers also use seemingly random combinations. Fortunately the manufacturer information helps to tell them apart, as discussed in the next point.)

File name length also matters: some names seriously exceed the standard 8-character file name, some running to 10 or more; these should be treated as suspicious objects, particularly when such file names appear among IE plug-ins.

Of course, calling a file name weird or random is not a precise standard; someone unfamiliar with computers may regard every English file name as a strange, meaningless combination. So if you really want to judge by file name, you need some understanding of the files normally found in the system folders. At first, combine it with the file time above and other means of judgement, and you can still find something.

Another case is faking a normal system file name, which is easier to identify, for example svchost.exe versus svch0st.exe: the latter obviously imitates the former, and a file that tries so hard to hide is more easily exposed, provided that you are familiar with your system's file names. When nothing is wrong, open Task Manager now and then to learn them.

Corresponding to file names are service names, driver names and registry startup item names. These normally show some meaning; a name with no meaning is very likely a virus, since few vendors would irresponsibly give their own software a meaningless, random service, driver or startup item name. If the service, driver or startup item name is a problem, the file it uses must be a problem.

If you are really unsure, put the file name (sometimes including the full path, because the same name can appear under different paths; more on that later), service name, driver name or startup item name into a web search and see what others say. Pay special attention when a service, driver or startup item does not match the file name found online (the service name corresponds to a different file, or vice versa); that can be classed as suspicious.

3. Version information

For files whose time is inconclusive, add a check of the file version, also in the file's properties: the file version and vendor information. Be clear first that not all files have version information, not all files without version information are viruses, and not every file that claims to be from Microsoft really is.

Combining file name, file time and version information usually gives a basic result: a file with a strange name that shows Microsoft as the vendor is obviously suspicious; a normal system file (such as explorer.exe or userinit.exe) with no version information may have been replaced or destroyed by a virus; a soundman.exe whose version information names a vendor other than the sound card maker should not be the sound card program, and you can consider deleting it.

Besides the vendor, version information also includes the original file name; sometimes you will find it differs from the name of the file you are checking, and no other file with the original name exists.

4. Location

The places Trojans and viruses like to stay are the system folders windows, windows\system32 and windows\system32\drivers; c:\program files\internet explorer\, c:\program files\internet explorer\plugin and c:\program files\common files\microsoft shared; and the temporary folders and the IE cache.

First, the temporary folders c:\documents and settings\<your user name>\local settings\temp and c:\windows\temp must be cleared; everything in them can safely be removed, good or bad. The IE cache must also be cleared, not by deleting the folder directly but from IE's Tools → Internet Options menu: Delete Files, and delete all offline content. Better still, on the Advanced tab, set temporary files to be emptied automatically when the browser is closed, which saves the trouble.

In other folders, look mainly for files that should not be there: Rising files in the windows folder (though Kaka does add some there), or RealPlayer files, are definitely suspicious; an svchost.exe or ctfmon.exe that suddenly appears in windows or any other folder rather than in system32, where it belongs, is also a virus. Of course, the methods above can be combined. It takes some experience, and folders with fewer files, such as windows and the ie folder, are easier to judge: once you know roughly what is in them, an extra exe or dll or two is spotted at once (and much rogue software takes refuge here).

Combine this with the registry startup items: the startup items referring to the windows folder are few, basically the input method and sound management, and anything more is suspect. Those referring to system32 are more numerous; when really unsure, fall back on the old approach of searching the file name on the web. If a startup item points into the font folder, do not think twice: it is certainly a problem.

The same is true of services and drivers: those whose files are not in system32 or the drivers folder I would never leave unchecked (naturally those in them should be checked as well).

Besides folder locations there are registry locations. Apart from the few RUN startup items, pay attention to the Debugger values under Image File Execution Options (IFEO). Except for the last entry, whose image file name has no path and whose Debugger is ntsd -d, there should be none. Whenever a hijack is found (apart from immunization, where a known virus program is hijacked and redirected to a nonexistent file so that it cannot run), look for the hijacking file named after Debugger, locate it and delete it together with the registry entry. Note, though, that the hijacking target is not always a virus: some are system files or commands, such as svchost.exe or ntsd -d; do not delete those files, only the registry entry.

Also note the AppInit_DLLs registry entry, which is normally empty (one exception: Kaka puts a file there); if it has an extra value, that is a virus; find it by name and delete it. There is also Userinit, which is generally empty; if it has changed, look it up, since many values are normal.

I recommend checking with SREng; it is more convenient, and it automatically prompts about the changes above.
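To show the four checks working together, here is an added Python triage routine that is not part of the article: each file record carries its name, folder, modification time and (optionally) the vendor and original file name from its version information, and the routine returns the reasons the file stands out. The records, the fixed "now", the 7-day window, the vowel heuristic for random-looking names and the risky-folder list are my assumptions.

```python
from datetime import datetime, timedelta
from typing import Dict, List

RECENT_DAYS = 7          # assumption for the article's "last few days"
MAX_DOS_STEM = 8         # the article: names beyond the classic 8 characters stand out
VOWELS = set("aeiouy")
CORE_SYSTEM_FILES = {"explorer.exe", "userinit.exe", "svchost.exe", "winlogon.exe"}
# Folders the article names as hiding places that should hold no executables
# (the user-name in the third path is constructed).
RISKY_DIRS = {r"c:\windows\temp", r"c:\windows\fonts",
              r"c:\documents and settings\user\local settings\temp"}


def looks_random(stem: str) -> bool:
    """My heuristic for the article's 'random combination of letters':
    longer than the 8-character DOS stem, or five or more letters with no vowel."""
    stem = stem.lower()
    return len(stem) > MAX_DOS_STEM or (len(stem) >= 5 and not (VOWELS & set(stem)))


def triage(rec: Dict, now: datetime) -> List[str]:
    """Apply the four checks to one file record. Keys used: name, dir, mtime,
    and optionally vendor and original_name (from the version resource).
    Returns the reasons found; an empty list means nothing stood out."""
    reasons = []
    name = rec["name"].lower()
    stem, _, ext = name.rpartition(".")
    executable = ext in ("exe", "dll")
    # 1. file time: a freshly modified exe/dll in a system folder is worth a look
    age = now - rec["mtime"]
    if executable and age <= timedelta(days=RECENT_DAYS):
        reasons.append(f"{ext} modified {age.days} day(s) ago")
    # 2. file name
    if executable and looks_random(stem):
        reasons.append("random-looking or over-long name")
    # 3. version information
    vendor = rec.get("vendor")
    original = rec.get("original_name")
    if vendor is None and name in CORE_SYSTEM_FILES:
        reasons.append("system file without version information")
    if vendor and "microsoft" in vendor.lower() and looks_random(stem):
        reasons.append("claims a Microsoft vendor but the name looks random")
    if original and original.lower() != name:
        reasons.append(f"version info says the original name is {original}")
    # 4. location
    if executable and rec["dir"].lower() in RISKY_DIRS:
        reasons.append(f"executable in {rec['dir'].lower()}")
    return reasons


# Constructed records; 'now' is fixed so the run is repeatable.
NOW = datetime(2008, 1, 1)
SAMPLE = [
    {"name": "kjhgfds.exe", "dir": r"C:\WINDOWS\system32", "mtime": datetime(2007, 12, 30),
     "vendor": "Microsoft Corporation", "original_name": None},
    {"name": "explorer.exe", "dir": r"C:\WINDOWS", "mtime": datetime(2004, 8, 4), "vendor": None},
    {"name": "update.exe", "dir": r"C:\WINDOWS\Fonts", "mtime": datetime(2007, 12, 31),
     "vendor": "Example Co", "original_name": "svchost.exe"},
    {"name": "readme.txt", "dir": r"C:\WINDOWS\Temp", "mtime": datetime(2008, 1, 1), "vendor": None},
]

if __name__ == "__main__":
    for rec in SAMPLE:
        print(rec["name"], triage(rec, NOW) or "nothing stood out")
```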

Conclusion:

Honestly, picking suspicious files out of a pile of English file names is hard. Using the various methods together, with tools that list things by category, is the shortcut. SREng, for example, lists services and drivers with name, file and path side by side, which makes things very obvious: a scribbled name in front of a clearly named file, or a careful impersonation of a system service name that a comparison with the normal one exposes. Even without going online, it is possible to identify problems.

How to remove virus services

1. What is a Windows service
A Windows service (also called a Windows Service) is a core part of the Windows operating system and of Windows-based networks; services support all kinds of operations across Windows. The DNS client, the print spooler, Windows Update, Scheduled Tasks, the Windows Time service, the Alerter and other services all bear on whether the machine works correctly, and if they are not managed properly the normal operation of the machine is affected.
A service is first of all a Win32 executable program, or a process formed by running a .dll through rundll32.exe. Unlike an ordinary application such as Word, which has an interface, a service has no user interface, and you cannot run it by double-clicking the corresponding .exe. So how is a Windows service controlled?
Services are managed by a service provided by Windows itself, services.exe, which starts, stops, runs and pauses the services it manages. The most common way to perform these operations is through the Windows Services MMC console.
2. How to remove a Windows service
More and more rogue software now registers itself as a service. In a HijackThis scan log, non-Windows system services are generally listed as O23 entries, as in the following excerpt:
O23 - Unknown - Service: BKMARKS [transport protocol to provide data security protection mechanisms to effectively safeguard the security of data transmission and integrity. ] - C:\WINDOWS\SYSTEM32\RUNDLL.EXE
O23 - Unknown - Service: ewido anti-spyware 4.0 guard [ewido anti-spyware 4.0 guard] - D:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Unknown - Service: KSD2Service [KSD2Service] - C:\WINDOWS\system32\SVCH0ST.exe
For rogue software like this, either delete the relevant .exe file so that it can no longer run, or remove the service itself so that it is not started again when the computer restarts.
There are two ways to delete it:
Method 1: the Windows sc.exe command
Start → Run → cmd.exe, then enter sc to see its usage. It is very simple:
sc delete "Service Name" (if the service name contains spaces, add quotation marks before and after it)
For the example above: sc delete KSD2Service
Method 2: the Registry Editor directly (not recommended)
Open the Registry Editor and locate the following key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services. A service generally appears here as a subkey with the same name; simply delete the relevant key.

3. Special circumstances
1. If the service shows rundll32.exe and that file is in the system32 directory, do not delete the rundll32.exe file: it is a Windows system file. In that case, removing the related service is enough.
2. If a service is recreated automatically as soon as it is removed, a background process is monitoring and protecting it. Kill the corresponding process in a process manager first, or press F8 at boot, enter Safe Mode and delete it there.

4. Other references
Remove it with a third-party tool such as IceSword.
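As an added example that is not part of the article or of HijackThis, the Python below parses O23 lines of the layout shown above, builds the sc delete command with the quoting rule from method 1, and applies the rule from section 3 that a Windows system file such as rundll32.exe in system32 is kept while only the service is removed. The log excerpt reproduces the three lines above plus one constructed ExampleSvc line; the set of protected system files is my assumption.

```python
import re
from typing import Dict, List, Optional

# Constructed excerpt in the HijackThis O23 layout shown above, plus one extra
# line (ExampleSvc) to exercise the rundll32.exe special case from section 3.
LOG = r"""
O23 - Unknown - Service: BKMARKS [transport protocol to provide data security protection mechanisms to effectively safeguard the security of data transmission and integrity. ] - C:\WINDOWS\SYSTEM32\RUNDLL.EXE
O23 - Unknown - Service: ewido anti-spyware 4.0 guard [ewido anti-spyware 4.0 guard] - D:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Unknown - Service: KSD2Service [KSD2Service] - C:\WINDOWS\system32\SVCH0ST.exe
O23 - Unknown - Service: ExampleSvc [ExampleSvc] - C:\WINDOWS\system32\rundll32.exe
"""

# status - "Service: <name>" - [description] - <image path>; the name may contain spaces
O23_LINE = re.compile(r"^O23 - (?P<status>.+?) - Service: (?P<name>.+?) \[(?P<desc>.*)\] - (?P<path>.+)$")

# Windows' own files that a rogue service may point at: delete the service, never the file.
PROTECTED_SYSTEM_FILES = {r"c:\windows\system32\rundll32.exe"}


def parse_o23(line: str) -> Optional[Dict[str, str]]:
    """Split one O23 line into status, service name, description and image path."""
    m = O23_LINE.match(line.strip())
    return m.groupdict() if m else None


def parse_log(text: str) -> List[Dict[str, str]]:
    """All O23 entries in a log excerpt; other line types are skipped."""
    return [e for e in (parse_o23(l) for l in text.splitlines()) if e]


def sc_delete_command(service_name: str) -> str:
    """The sc.exe form from method 1: quote the name only if it contains spaces."""
    if " " in service_name:
        return f'sc delete "{service_name}"'
    return f"sc delete {service_name}"


def removal_plan(entry: Dict[str, str]) -> Dict[str, str]:
    """What to remove for one service: always the service itself; the image
    file too, unless it is a Windows system file (rundll32.exe in system32)."""
    path = entry["path"].lower()
    file_action = ("keep file: Windows system file" if path in PROTECTED_SYSTEM_FILES
                   else f"delete file {entry['path']}")
    return {"service": entry["name"], "command": sc_delete_command(entry["name"]),
            "file": file_action}


if __name__ == "__main__":
    for e in parse_log(LOG):
        print(removal_plan(e))
```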

Teaching you to recognize common virus names

Abstract: Very often the antivirus software has already identified a virus on our computer, for example Backdoor.RmtBomb.12 or Trojan.Win32.SendIP.15, a string of English with numbers attached, and some people are baffled: how can you tell what the virus is from such a long name? This article explains some common knowledge about virus names.

In fact, once we know some virus naming conventions, we can determine some general characteristics of a virus from the report the antivirus software produces.

There are so many viruses in the world that, to make management easier, antivirus companies name and classify viruses according to their characteristics. The naming rules of each antivirus company differ, but they are generally based on a uniform naming scheme.

The general format is: ...

The virus prefix indicates the type of virus and is used to distinguish the virus's "race", so to speak. Different types of viruses have different prefixes: for example, the prefix of a common Trojan is Trojan, the prefix of a worm is Worm, and so on.

The virus name is the family characteristic of a virus and is used to distinguish and identify virus families. For example, the family name of the well-known CIH virus is uniformly "CIH", and the family name of the recent Sasser worm is "Sasser".

The virus suffix is the variant characteristic of a virus and is used to distinguish specific variants within a family. It is generally one of the 26 English letters; for example, Worm.Sasser.b is variant B of the Sasser worm, generally called "Sasser variant B". If a virus has very many variants (which also shows its vitality), the variant identifier can be a mixture of digits and letters.

In summary, the prefix helps us quickly determine the type of virus. By judging the type, you can make a rough assessment of the virus (this requires some accumulated knowledge of common virus types, which is beyond the scope of this article). With the virus name we can look up information by other means and better understand the virus's detailed characteristics. The suffix tells us which variant of the virus is now lurking on your machine.

Here are the common virus prefixes and their meaning (for Windows, the most widely used operating system):

1. System viruses

System virus prefixes: Win32, PE, Win95, W32, W95 and so on. The general characteristic of these viruses is that they can infect *.exe and *.dll files of the Windows operating system and spread through those files. Example: the CIH virus.

2. Worms

The worm prefix is Worm. The general characteristic of worms is that they spread through the network or through system vulnerabilities; most worms send out virus-carrying e-mail and block the network. Examples: Blaster (blocks the network), Little Postman (sends virus-carrying e-mail), and so on.

3. Trojans and hacker viruses

The Trojan prefix is Trojan, and the hacker virus prefix is generally Hack. The general characteristic of a Trojan is that it enters the user's system through the network or a system vulnerability, hides there, and then leaks the user's information to the outside world. A hacker virus has a visual interface and can remotely control the user's computer. Trojans and hacker viruses often appear in pairs: the Trojan intrudes into the user's computer, and the hacker virus controls it through the Trojan. The two types are increasingly merged. Common Trojans include the QQ-tail Trojan Trojan.QQ3344 and the online-game password Trojan Trojan.LMir.PSW.60, which more people may encounter. Note that PSW or PWD in a virus name generally indicates that the virus steals passwords (these letters are an abbreviation of the English "password"). Hacker programs include, for example, Network Thief (Hack.Nether.Client).

4. Script viruses

The script virus prefix is Script. The general characteristic of script viruses is that they are written in a scripting language and spread through web pages, for example Code Red (Script.Redlof). Script viruses may also carry the prefixes VBS or JS (showing which kind of script they are written in), for example Happy Time (VBS.Happytime) and Fortnight (Js.Fortnight.cs).

5. Macro viruses

Macro viruses are in fact script viruses, but because of their special nature they count as a separate category here. The macro virus prefix is Macro, and the second prefix is one of Word, Word97, Excel, Excel97 (and perhaps others). Viruses that infect only Word97 and earlier Word documents use Word97 as the second prefix, in the format Macro.Word97; viruses that infect Word documents of versions later than Word97 use Word, in the format Macro.Word; viruses that infect Excel97 and earlier Excel documents use Excel97, in the format Macro.Excel97; viruses that infect Excel documents later than Excel97 use Excel, in the format Macro.Excel; and so on. The general characteristic of these viruses is that they infect Office documents and then spread through Office's generic templates, for example the famous Melissa (Macro.Melissa).

6. Backdoor viruses

The backdoor virus prefix is Backdoor. The general characteristic is that they spread through the network and open a backdoor into the system, exposing the user's computer to security risks; many friends have met the IRC backdoor Backdoor.IRCBot.

7. Dropper viruses (planting programs)

The characteristic of these viruses is that when run they release one or more new viruses from their own body into the system directory, and the released viruses do the damage. Their prefix, as the examples show, is Dropper: for instance Glacier dropper (Dropper.BingHe2.2C) and MSN striker (Dropper.Worm.Smibag).

8. Destructive programs

The destructive program prefix is Harm. The general characteristic is that they have an attractive icon that entices the user to click; when the user clicks, the virus does direct damage to the user's computer. Examples: Format C Drive (Harm.formatC.f), Command Killer (Harm.Command.Killer) and so on.

9. Joke viruses

The joke virus prefix is Joke; they are also known as hoax viruses. They too have an attractive icon that entices the user to click; when the user clicks, the virus performs some operation that frightens the user, but in fact it does no damage to the user's computer. Example: the Girl Ghost (Joke.Girlghost) virus.

10. Binder viruses

The binder virus prefix is Binder. The general characteristic is that the virus author uses a specific program to bind the virus to some applications such as QQ or IE; on the surface it is a normal file, and when the user runs the bundled file the application runs visibly while the hidden virus runs alongside it, harming the user. Examples: the QQ binder (Binder.QQPass.QQBin), System Killer (Binder.killsys) and so on.

The prefixes above are the common ones; sometimes we see others, which are rarer, so only a brief mention here:

DoS: launches DoS attacks against a particular host or server;

Exploit: spreads itself automatically through an overflow or other vulnerability, or is itself an overflow hacking tool;

HackTool: a hacking tool; it may not damage your machine itself, but others can use it to make your machine a stand-in for attacking other people.

With the methods above you can make a preliminary judgement of a virus's basic situation once it has been identified, and know your enemy. When the antivirus cannot remove it automatically and you intend to clean it by hand, this information will help a great deal.
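To put the prefix.name.suffix convention above into code, here is an added Python parser that is mine, not the article's: it maps the prefixes listed in this section to their categories, separates a Macro second prefix, strips the PSW/PWD password-stealer markers, and reads the last remaining part as the variant. Treating a platform token such as Win32 after a Trojan prefix (as in Trojan.Win32.SendIP.15 from the abstract) as a second prefix is my generalization; the article only defines second prefixes for Macro.

```python
from typing import Dict

# Prefix -> category, as the article lists them (lower-cased for lookup).
PREFIX_CATEGORY = {
    "win32": "system virus", "pe": "system virus", "win95": "system virus",
    "w32": "system virus", "w95": "system virus",
    "worm": "worm", "trojan": "Trojan", "hack": "hacker virus",
    "script": "script virus", "vbs": "script virus", "js": "script virus",
    "macro": "macro virus", "backdoor": "backdoor", "dropper": "dropper",
    "harm": "destructive program", "joke": "joke virus", "binder": "binder virus",
    "dos": "DoS", "exploit": "exploit", "hacktool": "hacking tool",
}
# Second prefixes: the Macro ones from the article, plus platform tokens (my assumption).
SECOND_PREFIXES = {"word", "word97", "excel", "excel97", "win32", "w32", "win95", "w95", "pe"}
PASSWORD_MARKERS = {"psw", "pwd"}     # the article: these mark a password stealer


def parse_virus_name(full_name: str) -> Dict[str, object]:
    """Split prefix.name.suffix as the article describes. PSW/PWD parts become a
    capability flag; a second prefix (Word97, Excel, Win32, ...) is kept apart."""
    parts = full_name.split(".")
    prefix, rest = parts[0], parts[1:]
    second = None
    if rest and rest[0].lower() in SECOND_PREFIXES:
        second, rest = rest[0], rest[1:]
    steals_passwords = any(p.lower() in PASSWORD_MARKERS for p in rest)
    rest = [p for p in rest if p.lower() not in PASSWORD_MARKERS]
    family = rest[0] if rest else None
    variant = rest[-1] if len(rest) > 1 else None      # suffix = last part, if any
    return {
        "prefix": prefix,
        "category": PREFIX_CATEGORY.get(prefix.lower(), "unknown"),
        "second_prefix": second,
        "family": family,
        "variant": variant,
        "steals_passwords": steals_passwords,
    }


def describe(full_name: str) -> str:
    """One-line reading of a name, e.g. for a report."""
    p = parse_virus_name(full_name)
    text = f"{full_name}: {p['category']}, family {p['family']}"
    if p["second_prefix"]:
        text += f" ({p['second_prefix']})"
    if p["variant"]:
        text += f", variant {p['variant']}"
    if p["steals_passwords"]:
        text += ", steals passwords"
    return text


if __name__ == "__main__":
    for n in ("Worm.Sasser.b", "Trojan.LMir.PSW.60", "Macro.Word97.Melissa",
              "Backdoor.IRCBot", "Hack.Nether.Client", "Win32.CIH", "Trojan.Win32.SendIP.15"):
        print(describe(n))
```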

How do I know whether it is a Trojan?

A "Trojan horse" program will try every means to hide itself. Its main ways: hiding from the taskbar, which at its most basic means setting the form's Visible property to False and ShowInTaskBar to False, so the running program does not appear in the taskbar; and staying invisible in Task Manager by registering itself as a "system service", an easy camouflage. Of course it also starts quietly: you cannot expect the user to click the "Trojan horse" icon every time to start the server side, so the "Trojan horse" is loaded automatically each time the user starts up, using the mechanisms Windows provides for loading applications at boot. The Startup group, win.ini, system.ini and the registry are all good hiding places for a "Trojan horse". The following describes more specifically how a "Trojan horse" is auto-loaded.

In the win.ini file, under [WINDOWS], the "run=" and "load=" lines are possible means of loading a "Trojan horse" program, so watch them carefully. Normally there is nothing after the equals sign; if a path and file name you do not recognise as a startup file follow it, your computer may be infected with a "Trojan horse". Of course you must look carefully, because many "Trojan horses", such as the "AOL Trojan", disguise themselves as command.exe, and if you are not paying attention you may not notice that it is not really a system startup file.

In the system.ini file, under [BOOT], there is a line "shell=file name". The correct file name is "explorer.exe"; if instead of "explorer.exe" it reads "shell=explorer.exe program name", then the program that follows is a "Trojan horse" program and you are infected.

The registry is the most complex. Open the Registry Editor with the regedit command, go to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run, and look at the keys there for automatically started files with the EXE extension that you are not familiar with. Remember: some "Trojan horse" programs generate files that look like the system's own files in order to pass themselves off. For example, the "AcidBattery v1.0 Trojan" changes the Explorer key under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run to Explorer="C:\WINDOWS\expiorer.exe"; the "Trojan horse" program differs from the real Explorer only by "i" versus "l". Of course, there are many other places in the registry where a "Trojan horse" program can hide, such as HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run and HKEY_USERS\****\Software\Microsoft\Windows\CurrentVersion\Run. The best way is to find the "Trojan horse" program's file name under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run and then search the entire registry for it.

Once you know how a "Trojan horse" works, killing it becomes very easy. If we find a "Trojan horse", the safest and most effective first step is to disconnect the computer from the network immediately, so that hackers cannot attack you over the network. Then edit win.ini and change "run=Trojan program" or "load=Trojan program" under [WINDOWS] back to "run=" and "load="; edit system.ini and change "shell=Trojan file" under [BOOT] back to "shell=explorer.exe"; and in the registry, using regedit, first find the "Trojan horse" program's file name under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run, then search the entire registry and replace the "Trojan horse" program. Sometimes there is more to note: some "Trojan horse" programs cannot be dealt with simply by deleting the "Trojan horse" key under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run, because some, such as the BladeRunner "Trojan horse", add it back automatically and immediately if you delete it. What you need to do is note the "Trojan horse" name and directory, go to MS-DOS, find the "Trojan" file and delete it, restart the computer, and then delete all the "Trojan horse" keys from the registry. At this point, we're done.
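Here is an added Python audit of the three auto-load places just described, mine rather than the article's: it reads win.ini and system.ini text, reports anything after run= and load=, reports a shell= that is not exactly explorer.exe, and walks a Run key's values looking for unfamiliar images, naming the familiar file an image imitates when they differ only by i/l/1 or o/0 (the expiorer.exe case). The INI texts, the Run values and the short allow-list of familiar startup images are constructed.

```python
from typing import Dict, List

# Constructed win.ini, system.ini and Run-key contents showing the three
# hiding places the text describes (a clean machine has run=/load= empty,
# shell=explorer.exe, and only familiar names under Run).
WIN_INI = """[windows]
load=
run=C:\\WINDOWS\\command.exe
[Desktop]
Wallpaper=(None)
"""
SYSTEM_INI = """[boot]
shell=explorer.exe C:\\WINDOWS\\srv.exe
[386Enh]
woafont=dosapp.fon
"""
RUN_KEY = {"Explorer": r"C:\WINDOWS\expiorer.exe",
           "ctfmon": r"C:\WINDOWS\system32\ctfmon.exe"}

# Startup images the user has learned to recognise (assumption: a short allow-list).
FAMILIAR = {"ctfmon.exe", "explorer.exe", "soundman.exe"}
FOLD = str.maketrans({"1": "l", "i": "l", "0": "o"})   # i/l/1 and o/0 look alike


def parse_ini(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal INI reader: sections and keys are lower-cased, values kept as is."""
    sections: Dict[str, Dict[str, str]] = {}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            sections.setdefault(current, {})[key.strip().lower()] = value.strip()
    return sections


def audit_win_ini(text: str) -> List[str]:
    """[windows] run= and load= should have nothing after the equals sign."""
    windows = parse_ini(text).get("windows", {})
    return [f"win.ini {key}= loads {windows[key]}"
            for key in ("run", "load") if windows.get(key)]


def audit_system_ini(text: str) -> List[str]:
    """[boot] shell= must be exactly explorer.exe; a trailing program is the Trojan."""
    shell = parse_ini(text).get("boot", {}).get("shell", "")
    if shell.lower() == "explorer.exe":
        return []
    return [f"system.ini shell= is '{shell}', expected 'explorer.exe'"]


def audit_run_key(values: Dict[str, str]) -> List[str]:
    """Flag Run entries whose image is unfamiliar, naming the familiar file it
    resembles when the folded spellings match (expiorer.exe vs explorer.exe)."""
    findings = []
    for value_name, command in values.items():
        image = command.lower().rsplit("\\", 1)[-1]
        if image in FAMILIAR:
            continue
        twins = [f for f in FAMILIAR if f.translate(FOLD) == image.translate(FOLD)]
        note = f"imitates {twins[0]}" if twins else "unfamiliar image"
        findings.append(f"Run\\{value_name} -> {command}: {note}")
    return findings


def audit_autostart(win_ini: str, system_ini: str, run_values: Dict[str, str]) -> List[str]:
    """All findings from the three places, in the order the article checks them."""
    return audit_win_ini(win_ini) + audit_system_ini(system_ini) + audit_run_key(run_values)


if __name__ == "__main__":
    for finding in audit_autostart(WIN_INI, SYSTEM_INI, RUN_KEY):
        print(finding)
```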

Ferreting out hidden Trojans with Task Manager

Windows Task Manager is our main tool for managing processes; its Processes tab shows information about the currently running processes. By default only a few columns are visible: image name, user name, CPU usage and memory usage; others, such as I/O reads and writes and virtual memory size, are hidden. These hidden columns may not look like much, but when the system shows an inexplicable fault, you can find a breakthrough among them.

1. Killing a Trojan that comes back in pairs

Some time ago a friend's computer caught a Trojan. Through Task Manager the Trojan process was found to be "system.exe"; after terminating it and refreshing, it came back to life. Entering Safe Mode and deleting c:\windows\system32\system.exe did not help either: it reloaded after a restart, and there was no way to remove it completely. From the symptoms, the friend had caught a paired Trojan: a guardian process regularly scans for the guarded process and resurrects it as soon as it finds it has been killed. Many Trojans now use two processes that monitor each other, each resurrecting the other. The key, therefore, is to find and kill both of the "interdependent" Trojan files. The PID that Task Manager shows for the Trojan process lets us find it.

Bring up Windows Task Manager, choose View → Select Columns and tick "PID (Process Identifier)"; back in the Task Manager window, the PID of each process is now visible. When we terminate a process, the PID lets us find the parent process that regenerates it. Open a command prompt and run "taskkill /im system.exe /f". Refresh and re-enter the command above, and you can see that the terminated system.exe process has PID 1536 and belongs to a process with PID 676; that is, the system.exe process with PID 1536 was created by the process with PID 676. Back in Task Manager, looking up that PID shows that it is the "internet.exe" process.

The culprit is now easy to find: restart into Safe Mode, use the search function to find the Trojan file c:\windows\internet.exe, and delete it. The reason system.exe could not be removed earlier is that internet.exe had not been found (and its startup entry had not been removed), so after re-entering the system internet.exe resurrected the Trojan.

2. Ferret out a P2P program that is hammering the hard disk

A computer at work showed a hard disk activity light that flashed non-stop from the moment it booted and went online; the disk never stopped spinning. Clearly some process was reading and writing data continuously, yet repeated anti-virus scans found no virus, Trojan horse or other malicious program.

With the computer booted and online, press Ctrl+Alt+Del to start Task Manager and switch to the "Processes" tab. Choose "View → Select Columns" and tick both "I/O Writes" and "I/O Write Bytes". Back in the Processes list, a strange process named hidel.exe stood out: its CPU and memory usage were not particularly high, but its I/O write figures were staggering. It was clearly the culprit. Right-click it, choose "End Process" to terminate it, and disk activity returns to normal. Ending the process only stops it for this session, though; to keep it from starting again, locate its file and its startup entries and remove them as described in the previous section.
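Both Task Manager investigations above, the respawning paired process and the disk-hammering process, come down to comparing two process snapshots. The following is an added example and is not code from the original article: it parses two constructed snapshots, finds which parent created the new copy of a process that was just killed, prints its ancestry chain, and ranks processes by bytes written per second between the snapshots. The CSV layout is assumed to be what "wmic process get Name,ParentProcessId,ProcessId,WriteTransferCount /format:csv" prints on a real machine (a leading Node column followed by the requested properties); the PIDs, names and byte counts are constructed to mirror the two stories above, and the function names are this example's own.

```python
# Added example (not from the article): the two Task Manager investigations
# done over process snapshots. Which parent resurrects a killed process,
# and which process is hammering the disk. The snapshots are constructed;
# the column layout assumes the CSV that
#   wmic process get Name,ParentProcessId,ProcessId,WriteTransferCount /format:csv
# prints (a leading Node column, then the requested properties).
import csv
from dataclasses import dataclass
from io import StringIO
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    name: str
    write_bytes: int  # cumulative bytes written (WriteTransferCount)


# Constructed snapshot taken just before "taskkill /im system.exe /f".
SNAPSHOT_BEFORE = """\
Node,Name,ParentProcessId,ProcessId,WriteTransferCount
PC1,System,0,4,0
PC1,explorer.exe,600,1208,40960
PC1,svchost.exe,612,920,8192
PC1,internet.exe,1208,676,12288
PC1,system.exe,676,1120,4096
PC1,hidel.exe,1208,1844,734003200
"""

# Constructed snapshot ten seconds later: system.exe is back under a new PID.
SNAPSHOT_AFTER = """\
Node,Name,ParentProcessId,ProcessId,WriteTransferCount
PC1,System,0,4,0
PC1,explorer.exe,600,1208,45056
PC1,svchost.exe,612,920,8192
PC1,internet.exe,1208,676,12800
PC1,system.exe,676,1536,512
PC1,hidel.exe,1208,1844,1468006400
"""


def parse_snapshot(text: str) -> Dict[int, Proc]:
    """Parse the CSV into {pid: Proc}; names are lower-cased for matching."""
    procs: Dict[int, Proc] = {}
    for row in csv.DictReader(StringIO(text)):
        p = Proc(int(row["ProcessId"]), int(row["ParentProcessId"]),
                 row["Name"].lower(), int(row["WriteTransferCount"]))
        procs[p.pid] = p
    return procs


def respawn_parent(before: Dict[int, Proc], after: Dict[int, Proc],
                   name: str) -> Optional[Tuple[Proc, Optional[Proc]]]:
    """Find an instance of `name` that exists only in `after` (created
    between the snapshots) and return (child, parent). The parent is None
    if it has already exited, which itself is a hint of a guardian that
    respawns and quits."""
    for p in after.values():
        if p.name == name.lower() and p.pid not in before:
            return p, after.get(p.ppid)
    return None


def ancestry(snapshot: Dict[int, Proc], pid: int) -> List[str]:
    """Process names from `pid` up to the first ancestor missing from the
    snapshot; the `seen` set guards against loops caused by PID reuse."""
    chain: List[str] = []
    seen = set()
    while pid in snapshot and pid not in seen:
        seen.add(pid)
        chain.append(snapshot[pid].name)
        pid = snapshot[pid].ppid
    return chain


def top_writers(before: Dict[int, Proc], after: Dict[int, Proc],
                interval_s: int) -> List[Tuple[str, int, int]]:
    """Bytes written per second between the snapshots, busiest first. Only
    processes present in both snapshots under the same PID and name have a
    usable delta; a respawned process starts its counter from zero."""
    rates: List[Tuple[str, int, int]] = []
    for pid, p in after.items():
        if pid in before and before[pid].name == p.name:
            delta = p.write_bytes - before[pid].write_bytes
            rates.append((p.name, pid, delta // interval_s))
    return sorted(rates, key=lambda r: r[2], reverse=True)


if __name__ == "__main__":
    before = parse_snapshot(SNAPSHOT_BEFORE)
    after = parse_snapshot(SNAPSHOT_AFTER)
    hit = respawn_parent(before, after, "system.exe")
    if hit:
        child, parent = hit
        print(f"{child.name} (PID {child.pid}) was created by "
              f"{parent.name if parent else '?'} (PID {child.ppid})")
        print("chain:", " <- ".join(ancestry(after, child.pid)))
    for name, pid, rate in top_writers(before, after, 10)[:3]:
        print(f"{name:14} PID {pid:5} {rate:>12} B/s")
```

The delta matters more than the raw column: Task Manager's "I/O Write Bytes" is cumulative since process start, so a long-running but idle process can show a large figure, while the process that is hammering the disk right now is the one whose counter keeps climbing between refreshes. Likewise the parent lookup only works on a snapshot taken after the kill, which is why the procedure above refreshes before reading the new PID.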
