If no clean boot disk is available, use the following emergency procedure to disinfect the machine:
(1) Make a clean boot floppy on another, uninfected computer. On Windows 95/98/ME it is created from "Add/Remove Programs" in Control Panel (Startup Disk tab). The floppy must carry the same operating-system version as the machine being cleaned, because the sys command in the next step copies the floppy's system files onto the hard disk;
(2) Boot the infected computer from this floppy and run the following commands:
A:\>fdisk /mbr
A:\>sys a: c:
fdisk /mbr rewrites only the boot code in the master boot record (the partition table is left alone), which removes a boot-sector virus that lives there; sys a: c: rewrites the DOS boot sector of C: and copies the system files (io.sys, msdos.sys, command.com) from the floppy. Do not run fdisk /mbr on a disk that uses a third-party boot manager or a disk overlay driver, since those also live in the MBR code and would be overwritten.
If the infected file is one of the backup copies of the hard disk boot area that the system made during installation, delete it directly. Such a backup is normally never used again, and the virus inside it cannot run from there.
5. The infected file has an extension such as .vir, .kav or .kbk.
These are usually backup copies of the original infected file that an antivirus product made before disinfecting it. If you confirm that they are no longer needed, delete them.
6. The infected content is inside a mail store or message file, such as .dbx, .eml or .box.
Some antivirus software can scan inside these mail files and report which message is infected, but often it cannot clean the message in place. Use the details the scanner reports (sender, subject, attachment name) to find the message in your mail client, then delete the attachment or the whole message. Where the scanner only reports the mail file itself, open it with the corresponding mail program, identify the message and its attachments, and delete them there. A large number of infected .eml or .nws files is almost always generated by a mass-mailing virus itself; delete them directly.
7. A file contains leftover virus code.
This is most common with remnants of CIH, Funlove, macro viruses (including macro viruses in Word, Excel, PowerPoint and WordPro documents) and a few web/script viruses. The virus name the scanner reports for such a file usually ends in an unusual suffix such as int or app, for example a W32/ name with such an ending. Generally these remnants do not affect the normal operation of the program and cannot infect anything else. If they must be removed completely, the method depends on the particular virus.
8. Damaged file.
This is uncommon. Typically an antivirus product removed the virus from the original infected file incompletely, or repaired the file badly, so the file no longer works and other scanners raise alarms on it. Such files can be deleted directly; reinstall the program they belong to or restore them from a clean backup.
9. Encrypted files or directories.
A scanner cannot see inside ciphertext. Decrypt such files or directories first, then scan and clean them.
10. Shared directories.
There are two cases: a directory shared from the local machine, and a remote share on the network (including mapped drives). If infected files in a local share cannot be cleaned, other users on the LAN are usually holding them open for reading or writing, so the scanner cannot disinfect them in place. If an infected machine on the network is writing into the share, the files appear to be re-infected, or new virus files keep appearing, right after the share has been cleaned. In both cases, stop sharing the directory, then scan it thoroughly. When you re-enable the share, do not grant more permissions than necessary and set a password on it. Before scanning a remote share (or mapped drive), make sure the local operating system is clean and that you have full read and write permission on the share; if the remote computer itself is infected, run the scan on that computer directly. In particular, when you are cleaning other viruses, remove all local shares first and then disinfect. In daily use, keep shares password-protected and, where possible, do not open files directly from a remote share: copy them locally and scan them before use.
11. Storage media such as CD-ROMs.
Do not try to remove a virus from a CD in place; the disc is read-only, so not even a god could do it. Copy the clean files you need elsewhere and stop using the infected ones. For other storage devices, check before scanning whether they are write-protected or password-protected, otherwise cleaning will fail.
A Trojan will do everything it can to hide itself. The most basic trick is to stay out of the taskbar:
a program whose Form has Visible set to False and ShowInTaskBar set to False never appears there while it runs. The next is to stay out of the Task Manager by registering itself as a system service process (RegisterServiceProcess on Windows 9x), which also lets it start silently. No attacker expects the victim to launch the server by clicking the Trojan's icon after every boot, so the Trojan arranges to be loaded automatically each time the user starts the computer. Every mechanism Windows offers for starting applications at boot, such as the startup group and the registry, is a good hiding place for a Trojan.
Let's look at how a Trojan gets loaded automatically. In the [windows] section of the initialisation file, the run= and load= lines are a classic way to load a Trojan and deserve careful attention. Normally there is nothing after the equals sign. If you find a path and file name there that is not a startup file you recognise, your computer may be carrying a Trojan. Look closely, though: many Trojans, such as the AOL Trojan, disguise themselves under a name almost identical to a real system file, and at a glance (especially in a Windows window rather than at the DOS prompt) you may not notice that it is not the real system startup file.
Under [BOOT] there is a "shell=filename" line. It must name the system's own shell and nothing else; if shell= points to some other program, that program is the Trojan and the machine is already infected. The registry is the most involved case. Open the Registry Editor with the regedit command, go to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run and check whether any value there starts an unfamiliar program (the extension is .exe). Remember that the files some Trojans drop have names almost identical to the system's own and are easy to wave through. The Acid Battery v1.0 Trojan, for instance, sets the Explorer value under that Run key to a path on C: whose file name differs from the real Explorer only by an "i" in place of an "l". The registry has many other places where a Trojan can hide, such as HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run and HKEY_USERS\****\Software\Microsoft\Windows\CurrentVersion\Run. The best approach is to note the Trojan's file name from the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run key and then search the whole registry for it.
Once you understand how a Trojan works, finding and removing it is easy. If you find one, the most effective first step is to disconnect the computer from the network immediately so the attacker cannot keep reaching it. Then edit the [WINDOWS] section: change "run=<Trojan program>" and "load=<Trojan program>" back to an empty "run=" and "load="; edit the [BOOT] section and restore the "shell=" line to the system's own shell; in the registry, use regedit to find the Trojan's file name under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run, then search the whole registry for that name and remove every value that references it. One caution: for some Trojans, such as BladeRunner, do not simply delete the value under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run, because the Trojan re-creates it immediately. Instead, record the Trojan's file name and directory, restart in MS-DOS mode, find and delete the file there, restart the computer, and only then go back to the registry and delete all of the Trojan's remaining values. At that point you are done.
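The autostart checks described above (the [windows] run= and load= lines, the [boot] shell= line and the Run keys under HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER) can be mechanised. The following Python script is an added example written for this page, not code from the original article or from any product it mentions. It assumes the system's real shell is Explorer.exe, treats the i/l/1 and o/0 swaps as the look-alike spellings worth catching, takes the list of startup programs you recognise as a parameter, and runs against a small constructed win.ini, system.ini and REGEDIT4 export whose program names are invented.

```python
"""Audit Windows 9x autostart locations for Trojan loaders (added example)."""
from dataclasses import dataclass

# Assumption: the real shell is Explorer.exe; the article only says shell=
# must name the system's own shell and warns about look-alike spellings.
EXPECTED_SHELL = "explorer.exe"
# Run keys named in the article (backslashes restored), compared case-insensitively.
RUN_KEYS = {k.lower() for k in (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
)}
# Character swaps a Trojan uses to pass as a system file (e.g. "i" for "l").
CONFUSABLE = ({"i", "l", "1"}, {"o", "0"})


@dataclass
class Finding:
    location: str  # where the entry was found
    value: str     # the raw command line
    reason: str


def parse_ini(text):
    """Return {section: {key: value}} with section and key names lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, val = line.partition("=")
            sections[current][key.strip().lower()] = val.strip()
    return sections


def parse_reg(text):
    """Return {key path: {value name: data}} from a regedit (.reg) export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"') and '"=' in line:
            name, _, data = line[1:].partition('"=')
            # .reg string data escapes backslashes and quotes; undo that.
            keys[current][name] = data.strip('"').replace('\\"', '"').replace("\\\\", "\\")
    return keys


def program_name(command):
    """Lower-cased file name of the program a command line starts."""
    command = command.strip()
    prog = command[1:].split('"', 1)[0] if command.startswith('"') else command.split(" ", 1)[0]
    return prog.replace("/", "\\").split("\\")[-1].lower()


def is_look_alike(name, legit):
    """True if name differs from legit in exactly one confusable character."""
    if len(name) != len(legit) or name == legit:
        return False
    diffs = [(a, b) for a, b in zip(name, legit) if a != b]
    return len(diffs) == 1 and any(diffs[0][0] in g and diffs[0][1] in g for g in CONFUSABLE)


def audit(win_ini, system_ini, reg_export, known=frozenset()):
    """Return a Finding for every autostart entry that deserves a second look.

    `known` holds lower-cased file names of startup programs you recognise.
    """
    findings = []
    windows = parse_ini(win_ini).get("windows", {})
    for key in ("run", "load"):
        if windows.get(key):  # normally nothing follows the "=" sign
            findings.append(Finding(f"win.ini [windows] {key}=", windows[key], "should be empty"))
    shell = parse_ini(system_ini).get("boot", {}).get("shell", "")
    # The shell line must name the real shell alone; a second program or a
    # misspelt shell name means the machine is already carrying a Trojan.
    if program_name(shell) != EXPECTED_SHELL or " " in shell.strip():
        findings.append(Finding("system.ini [boot] shell=", shell, f"expected {EXPECTED_SHELL} alone"))
    for key_path, values in parse_reg(reg_export).items():
        if key_path.lower() not in RUN_KEYS:
            continue
        for name, command in values.items():
            prog = program_name(command)
            if is_look_alike(prog, EXPECTED_SHELL):
                reason = f"look-alike of {EXPECTED_SHELL}"
            elif prog not in known:
                reason = "not a recognised startup program"
            else:
                continue
            findings.append(Finding(f"{key_path}\\{name}", command, reason))
    return findings


# Constructed sample input (not from a real machine); the suspicious program names are invented.
SAMPLE_WIN_INI = "[windows]\nload=\nrun=C:\\WINDOWS\\SYSTEM\\sample-loader.exe\n[Desktop]\nWallpaper=(None)\n"
SAMPLE_SYSTEM_INI = "[boot]\nshell=Explorer.exe\n[386Enh]\ndevice=*vpowerd\n"
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"Explorer"="C:\\WINDOWS\\Expiorer.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Startup"="C:\\WINDOWS\\sample-backdoor.exe"
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_WIN_INI, SAMPLE_SYSTEM_INI, SAMPLE_REG, known={"scanregw.exe"}):
        print(f"{f.location}: {f.value} ({f.reason})")
```

On a real machine, feed it the win.ini and system.ini from the Windows directory and a Run-key export produced with regedit /e. Treat every finding as something to identify, not something to delete blindly, and remember the caution above: a Trojan that re-creates its Run value has to have its file removed from MS-DOS mode before the registry values are cleaned up.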