All kinds of viruses are still flourishing, and they make people nervous. As soon as users find that their computer is behaving abnormally, they assume a virus is the cause. They hunt for antivirus software everywhere; when one program finds nothing, they try another, and it seems they will not give up until the "culprit" is found. So one antivirus product after another is used, and perhaps one sum of money after another is spent, yet there is still no trace of the "culprit". In fact, a virus may not be the cause at all.
Such cases are not uncommon, especially among beginner computer users. Below, drawing on my experience with personal computers and corporate network maintenance, I will explain how to judge whether you have been infected with a virus, from the following aspects. I hope it helps in identifying the "real poison"!
The difference and connection between viruses and software and hardware failures
Computer failures are not caused only by virus infection. Most failures during personal computer use are caused by software and hardware faults in the computer itself, and most failures on a network are caused by permission settings. Only by fully understanding the differences and connections between the two can we make correct judgments and detect a real virus in time when it comes. Below I briefly list some common failure symptoms together with their possible virus causes and their possible software and hardware causes.
Symptom / Possible virus cause / Possible software or hardware cause
Frequent crashes
  Virus: the virus opens many files or occupies a lot of memory.
  Software/hardware: the system is unstable (poor-quality memory, hardware that does not tolerate overclocking, etc.); running large software that takes a lot of memory and disk space; using test (beta) software with many bugs; insufficient hard disk space, etc. Frequent crashes when running software over the network are usually because the network is too slow, the programs are too large, or the hardware configuration of your own workstation is too low.
The system cannot start
  Virus: the virus has modified the boot information of the hard disk or deleted some startup files; for example, a boot-type virus has damaged the boot file.
  Software/hardware: the hard disk is damaged or its parameters are set incorrectly; system files have been deleted manually, etc.
A file cannot be opened
  Virus: the virus has modified the file format or the file's link location.
  Software/hardware: file corruption; hard disk corruption; the location a shortcut points to has changed; the software originally used to edit the file has been deleted. On a LAN it is most often because the file's storage location on the server has changed and the workstation has not refreshed the server contents (Explorer has been open for a long time).
Frequent "insufficient memory" messages
  Virus: the virus illegally occupies a large amount of memory.
  Software/hardware: too many programs are open; software that demands a lot of memory is running; the system configuration is incorrect; not enough memory is installed (the current basic requirement is 128M), etc.
"Insufficient hard disk space" messages
  Virus: the virus has copied a large number of virus files (I have encountered this several times: a WIN98 or WINNT 4.0 system is installed on a good, nearly 10G hard disk, and as soon as some software is installed it reports that the disk is full).
  Software/hardware: the hard disk partitions are too small; a lot of large software is installed; all software is installed in one partition; the disk itself is small. On a LAN, if the administrator has set a space quota for each user's "private disk", the quota has been used up even though the user sees the size of the whole network disk.
Read/write activity on the floppy drive or other devices when they are not being accessed
  Virus: virus infection.
  Software/hardware: the floppy disk was removed while files on it were still open.
A large number of files of unknown origin appear
  Virus: the virus is copying files.
  Software/hardware: temporary files generated while installing some software; configuration information and operation records kept by some software.
Black screen at startup
  Virus: virus infection (the case I remember best is 4.26 in 1998; CIH cost me thousands of yuan. That day the screen went black the first time I started up, at the Windows screen, and there was nothing left when I turned it on the second time).
  Software/hardware: monitor failure; display card failure; motherboard failure; overclocking; CPU damage, etc.
Data loss
  Virus: the virus deleted the file.
  Software/hardware: a hard disk sector is damaged; the original file was overwritten during a file recovery; for a file on the network, another user may have deleted it by mistake.
Keyboard or mouse locks up for no reason
  Virus: caused by a virus, so pay special attention to "*s".
  Software/hardware: the keyboard or mouse is damaged; the keyboard or mouse interface on the motherboard is damaged; a keyboard or mouse lock program is running; or a program is too large and the system has been very busy for a long time, so keypresses and mouse movements appear to have no effect.
The system runs slowly
  Virus: the virus occupies memory and CPU resources and runs a large number of illegal operations in the background.
  Software/hardware: the hardware configuration is low; too many or too-large programs are open; the system configuration is incorrect. When running programs over the network, it is mostly because your machine's configuration is too low, though the network may also be busy with many users opening a program at the same time. Another possibility is that your hard disk has no space left for the temporary data exchange that running programs need.
The system performs operations automatically
  Virus: the virus performs illegal operations in the background.
  Software/hardware: the user has set the relevant programs to run automatically in the registry or the startup group; some software restarts the system automatically after installation or upgrade.
From the analysis and comparison above, we can see that most faults may actually be caused by human error or by software or hardware failure. When we find an abnormality, we should not rush to conclusions. If antivirus software cannot resolve it, we should carefully analyze the characteristics of the fault and rule out software, hardware and human causes.
Virus classification and the characteristics of each type
To truly identify viruses and detect them promptly, we need a more detailed understanding of viruses, and the more detailed the better!
Because viruses are written independently by many scattered individuals or organizations, and there is no standard by which to measure or classify them, viruses can only be classified roughly, from several angles.
Divided by infection target, viruses fall into the following categories:
a. Boot Virus
The target of this type of virus is the boot sector of the disk. This lets the virus obtain execution first when the system boots, and so control the whole system. Because this type infects the boot sector, the losses it causes are relatively large; generally it will cause the system to fail to start normally. However, such viruses are easier to detect and remove, and most antivirus software can handle them, such as KV300, the KILL series, etc.
b. File virus
Early viruses generally infected executable files with extensions such as exe and com; the virus program is activated when you execute the infected file. More recently, some viruses have also infected files with extensions such as dll, ovl and sys, because these are usually configuration and link files of some program, so the virus is loaded automatically whenever that program runs. They are loaded by inserting whole blocks of virus code into these files, or by scattering the code into the files' blank bytes. For example, the CIH virus splits itself into 9 segments and embeds them into executable files with the PE structure; after infection the file's byte count usually does not increase, which is what makes it hard to notice.
c. Network virus
This type of virus is a product of the rapid development of networks in recent years. Its infection targets are no longer limited to a single pattern or a single executable file, but are broader and better hidden. Some network viruses can now infect almost all OFFICE files, such as WORD, EXCEL, email, etc. Their attack methods have also changed, from the original deletion and modification of files to encrypting files and stealing useful user information (as hacker programs do). The way they spread has also taken a qualitative leap: it is no longer limited to disks but goes through more hidden network channels, such as email, electronic advertisements, etc.
d. Complex virus
These are classified as "complex viruses" because they have some characteristics of both "boot type" and "file type" viruses: they can infect the boot sector of the disk or a particular executable file. If such a virus is not removed completely, the residue can restore itself and again infect the boot sector and executable files. Such viruses are therefore extremely difficult to detect and remove, and the antivirus software used must be able to check for and remove both types at the same time.
The above divides viruses by infection target. Divided by the degree of damage, viruses fall into the following types:
a. Benign virus
These viruses are called benign because the purpose of their intrusion is not to destroy your system but simply to play. Most are written by novice virus enthusiasts who want to test their skill at developing virus programs. They do not want to destroy your system; they just make some sounds or show some prompts, and do no harm beyond taking up some hard disk space and CPU processing time. Some * programs are like this: they just want to steal some communication information from your computer, such as passwords, IP addresses, etc., for use when needed.
b. Malignant virus
We classify as "malignant viruses" those that only interfere with the software system, steal information and modify system information, but do not cause serious consequences such as hardware damage or data loss. After such an intrusion the system suffers no loss other than being unable to work normally. After the system is damaged, it is generally necessary to reinstall some of the system files to restore it; of course, the viruses must be removed and the system reinstalled.
c. Extremely malignant virus
This type causes more damage than type b above. Generally, if you are infected with it, your system will crash completely and cannot start normally, and the useful data kept on the hard disk may not be recoverable. The mildest outcome is the deletion of system files and applications.
d. Catastrophic virus
Its name tells us the degree of damage it will cause. This type of virus generally destroys the boot sector of the disk and modifies the file allocation table and the hard disk partition table, so that the system cannot boot at all; sometimes it even formats or locks your hard disk, making the disk unusable. If you are infected with this type, it will be difficult to recover your system, the data kept on the hard disk will be hard to retrieve, and the losses are huge. Therefore we should plan for the worst, and enterprise users in particular should make complete disaster backups. Fortunately, most large enterprises have now realized the significance of backup and spend a lot of money on daily system and data backup. Although everyone knows that such disastrous consequences may not be encountered for years, it is still easy to relax. At Nestlé, where I work, I attach great importance to this issue. For example, the CIH virus that struck on April 26 in 2019 can be classified as this type, because it not only damaged software but also directly damaged hardware such as the hard disk and the motherboard BIOS.
Viruses can also be divided into the following types according to how they intrude:
a. Source code embed attack type
As its name says, this type of virus invades mainly source programs written in high-level languages. The virus inserts its code before the source program is compiled, so it is compiled into the executable together with the source program, and the newly generated file is a poisoned file. Of course, this type is very rare, because virus developers cannot easily obtain a software company's source programs before they are compiled; moreover, this intrusion method is difficult and requires a very professional programming level.
b. Code replaces attack type
This type of virus replaces all or part of a module of the invaded program with its own code. This type is also rare. It mainly attacks specific programs and is highly targeted, but it is not easy to discover and is difficult to remove.
c. System modification
This type of virus uses its own program to overwrite or modify certain files in the system, in order to call or replace some functions of the operating system. Since it infects the system directly, it is more harmful, and it is also the most common type of virus; most are file-type viruses.
d. Shell attachment type
This type attaches its virus code to the head or tail of a normal program, which is equivalent to adding a shell to the program. When the infected program is executed, the virus code runs first and then the normal program is loaded into memory. Currently most file-type viruses fall into this category.
With this basic knowledge of viruses, we can now check whether your computer contains a virus, using the following methods.
1. Antivirus software scanning method
This is probably the first choice for most of us, and perhaps the only choice. There are more and more types of viruses, and their hiding techniques grow ever cleverer, which makes detection and removal harder and challenges antivirus software developers. At the same time, as program development languages become more capable and computer networks more popular, viruses are becoming easier to develop and spread, and more and more antivirus software companies are developing products in response. The most famous antivirus software at present includes Kingsoft Antivirus, KV300, KILL, PC-cillin, VRV, Rising, Norton, etc. As for how to use them, there is no need to say anything; I believe everyone has reached that level!
2. Observation method
This method only works accurately if you understand the symptoms of virus attacks and where viruses hide. For example, when the system takes a long time to boot from the hard disk, runs very slowly, the hard disk cannot be accessed, or unusual sounds or prompts appear, the first thing to consider is that a virus is causing trouble, but we cannot stop there: as I said above, software and hardware failures can also cause these symptoms! For viruses, we can observe from the following aspects:
a. Memory observation
This method is generally used for viruses found under DOS. We can use the "mem/c/p" command under DOS to view the memory occupied by each program and find the memory occupied by the virus (usually it does not occupy memory separately but is attached to other programs). Some viruses hide their memory usage quite well and cannot be found with "mem/c/p", but we can see that the total base memory is 1K or a few K less than it should be.
b. Registry observation method
This method generally applies to the so-called hacker programs that have emerged recently, such as * programs. These viruses are generally started or loaded automatically by modifying the startup and load settings in the registry, usually in the following places:
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion
For details, please refer to my other article, "Looking at *s through the *s", which analyzes in more detail where they may appear in the registry.
c. System configuration file observation method
This method generally applies to hacker programs. This type of virus generally hides in the system configuration files (Win9x/WinME) and the startup group. One file has a "shell=" item, and the other has "load=" and "run=" items; these viruses generally load their own programs through these items. Note that they sometimes modify the original program. We can run the relevant program in Win9x/WinME to view them one by one. For details, please refer to my article "Looking at *s through the *s".
d. Feature string observation method
This method is aimed mainly at some rather special viruses. When these viruses invade, they write a corresponding feature code; for example, the CIH virus writes a string like "CIH" into the file it invades. Of course, this is not easy to spot directly; we can open the main system files in a hexadecimal editor and look for it. It is best to back up before editing, after all these are the main system files.
e. Hard disk space observation method
Some viruses do not destroy your system files but only generate a hidden file. This file usually has very little content, but it takes up a lot of hard disk space, sometimes so much that the hard disk can no longer run ordinary programs, yet you cannot see it. In that case, open Explorer and set the folder options to show files of all attributes (surely I don't need to explain this?). I believe the behemoth will then appear, because the virus generally gives it the hidden attribute, and you can delete it. I have seen several cases of this during network maintenance and personal computer repair: only a few common programs are installed, so why are several G of hard disk space on the C drive unaccounted for? The methods above usually reveal the virus quickly.
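The two checks in (d) and (e), the feature-string search and the hunt for a large hidden file, can be automated over a directory tree. The following Python script is an added example, not from the original article; the feature-string list and the sample directory it builds are constructed for the demonstration (the "EXAMPLE-MARKER" string is a placeholder, not a real signature), and the hidden-file test treats a Windows hidden attribute or a leading dot as "hidden".

```python
"""Added example: automate the feature-string and hidden-file observations."""
import os
import stat
import tempfile

# Constructed list: "CIH" is the string the article mentions; the second
# entry is a placeholder to show that several strings can be searched at once.
FEATURE_STRINGS = [b"CIH", b"EXAMPLE-MARKER"]

CHUNK_SIZE = 64 * 1024


def find_feature_strings(path, needles=FEATURE_STRINGS, chunk_size=CHUNK_SIZE):
    """Return the sorted list of feature strings found anywhere in the file.

    The file is read in chunks so large files do not have to fit in memory; the
    tail of the previous chunk is prepended so a string that straddles a chunk
    boundary is still found.
    """
    found = set()
    overlap = max(len(n) for n in needles) - 1
    tail = b""
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                break
            window = tail + chunk
            for needle in needles:
                if needle not in found and needle in window:
                    found.add(needle)
            tail = window[-overlap:] if overlap > 0 else b""
    return sorted(found)


def is_hidden(path):
    """True for a Windows hidden attribute or, elsewhere, a leading dot."""
    st = os.stat(path)
    attrs = getattr(st, "st_file_attributes", 0)  # Windows only
    if attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0):
        return True
    return os.path.basename(path).startswith(".")


def find_large_hidden_files(root, min_size):
    """Return (path, size) for hidden files of at least min_size bytes, largest first."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                size = os.path.getsize(full)
            except OSError:
                continue  # unreadable entry: skip rather than abort the scan
            if size >= min_size and is_hidden(full):
                hits.append((full, size))
    return sorted(hits, key=lambda h: h[1], reverse=True)


def scan_tree(root, min_size):
    """Walk root; return feature-string hits per file and large hidden files."""
    feature_hits = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                hits = find_feature_strings(full)
            except OSError:
                continue
            if hits:
                feature_hits[full] = hits
    return {"feature_hits": feature_hits,
            "hidden_large": find_large_hidden_files(root, min_size)}


def scan_summary(root, min_size):
    """Same as scan_tree but keyed by file name only, convenient for a report."""
    r = scan_tree(root, min_size)
    return {"feature_hits": {os.path.basename(p): h for p, h in r["feature_hits"].items()},
            "hidden_large": [(os.path.basename(p), s) for p, s in r["hidden_large"]]}


def build_sample_tree():
    """Create a constructed directory for the demonstration and return its path."""
    root = tempfile.mkdtemp(prefix="virus_obs_")
    # A clean program: no feature string anywhere.
    with open(os.path.join(root, "clean.exe"), "wb") as fh:
        fh.write(b"MZ" + b"\x00" * 4000)
    # A program carrying "CIH", placed so it straddles the first chunk boundary.
    with open(os.path.join(root, "infected.exe"), "wb") as fh:
        fh.write(b"MZ" + b"\x00" * (CHUNK_SIZE - 3) + b"CIH" + b"\x00" * 100)
    # A hidden file with almost no content but a large size, as described in (e).
    with open(os.path.join(root, ".bigjunk"), "wb") as fh:
        fh.seek(5 * 1024 * 1024 - 1)
        fh.write(b"\x00")
    return root


if __name__ == "__main__":
    print(scan_summary(build_sample_tree(), min_size=1024 * 1024))
```

On a real machine, point scan_tree at a drive root and raise min_size to whatever "too large to be innocent" means there; a feature-string hit is only a lead to examine in the hex editor, not proof of infection.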
Such examples are not uncommon, especially for some beginner computer users. Below, I will introduce to you how to determine whether you have been infected with a virus based on personal computer usage and corporate network maintenance experience from the following aspects. I hope it will be of some help in helping to identify "real poison"!
The difference and connection between viruses and software and hardware failures
Computer failure is not only caused by virus infection. Various failures occur during the use of personal computers are mostly caused by software and hardware failures of the computer itself, and most of the network are caused by permission settings. Only by fully understanding the differences and connections between the two can we make correct judgments and discover them in time when the real virus comes. Below I will briefly list some common computer failure symptoms caused by virus, software and hardware failures.
Symptoms Possibility of virus invasion Possibility of software and hardware failure
Frequently crashed: The virus opens many files or occupies a lot of memory; is unstable (such as poor memory quality, poor hardware overclocking performance, etc.); running large-capacity software occupies a lot of memory and disk space; using some test software (with many bugs); insufficient hard disk space, etc.; often crashes when running software on the network. Maybe it is because the network speed is too slow, the running programs are too large, or the hardware configuration of your own workstation is too low.
The system cannot start: The virus has modified the boot information of the hard disk, or deleted some startup files. For example, boot file of the boot type virus is damaged; hard disk is damaged or parameter settings are incorrect; system files are deleted manually, etc.
File cannot be opened: The virus has modified the file format; the virus has modified the file link location. File corruption; hard disk corruption; link location corresponding to file shortcuts has changed; original software for editing files has been deleted; if it is in the LAN, it is mostly manifested that the file storage location in the server has changed, and the workstation does not use the contents of the server in time (the Explorer has been opened for a long time).
Frequently report insufficient memory: The virus illegally occupies a large amount of memory; opens a large amount of software; runs software that requires memory resources; the system configuration is incorrect; the memory is not enough (the current basic memory requirement is 128M), etc.
It indicates that the hard disk space is not enough: The virus copied a large number of virus files (this has been encountered in several cases. Sometimes, a WIN98 or WINNT 4.0 system is installed on a good nearly 10G hard disk and it says there is no space. Once the software is installed, it indicates that the hard disk space is not enough. Each partition of the hard disk is too small; a large number of large-capacity software is installed; all software is centrally installed in one partition; the hard disk itself is small; if the system administrator sets the "private disk" usage space limit for each user in the LAN, because it is checking the size of the entire network disk, the capacity on the "private disk" has been used up.
Read and write signals when floppy disks and other devices are not accessed: Virus infection; the floppy disk takes away the files that were still opening in the floppy disk.
A large number of documents of unknown origin have appeared: Virus copy files; may be temporary files generated during installation of some software; or may be configuration information and operation records of some software.
Start the black screen: Viral infection (the most remembered was 4.26 in 1998. I paid thousands of yuan for CIH. That day, the screen crashed when I turned on the first time I started the Windows screen, and there was nothing left when I turned on the second time); monitor failure; display card failure; motherboard failure; overclocking; CPU damage, etc.
Data loss: The virus deleted the file; the hard disk sector was damaged; the original file was overwritten due to recovery of the file; if it was a file on the network, it might also be due to other users' mistakenly deleted.
Keyboard or mouse locks for no reason: Viruses are caused by, so pay special attention to "*s"; the keyboard or mouse is damaged; the keyboard or mouse interface on the motherboard is damaged; a keyboard or mouse lock program is running, and the program runs is too large and the system is very busy for a long time, indicating that pressing the keyboard or mouse does not work.
The system runs slowly: The virus occupies memory and CPU resources and runs a large number of illegal operations in the background; the hardware configuration is low; too many or too large programs are opened; the system configuration is incorrect; if you run programs on the network, it is mostly caused by your machine configuration too low, and it is also possible that the network is busy at this time, and many users open a program at the same time; there is another possibility that your hard disk space is not enough for temporary exchange of data when running programs.
The system performs operations automatically: The virus performs illegal operations in the background; the user sets the automatic running of relevant programs in the registry or startup group; some software needs to automatically restart the system after installation or upgrade.
Through the above analysis and comparison, we know that most faults may actually be caused by human or software or hardware failures. When we find an abnormality, we should not rush to make assertions. When the anti-virus cannot be solved, we should carefully analyze the characteristics of the fault and eliminate the software, hardware and human possibility.
Virus classification and their respective characteristics
To truly identify viruses and promptly detect viruses, we still need to have a more detailed understanding of the virus, and the more detailed the better!
Because viruses are written separately by many scattered individuals or organizations, and there is no standard to measure or divide, the classification of viruses can be roughly divided from multiple angles.
If divided by infectious targets, viruses can be divided into the following categories:
a. Boot Virus
The target of this type of virus attacks is the boot sector of the disk, which allows the system to obtain priority execution rights when booting, thereby achieving the purpose of controlling the entire system. Because this type of virus is infected with the boot sector, the losses caused are relatively large. Generally speaking, it will cause the system to fail to start normally, but it is easier to detect and kill such viruses. Most antivirus software can detect and kill such viruses, such as KV300, KILL series, etc.
b. File virus
Early viruses were generally infected with executable files with executable extensions such as exe and com. In this way, the virus program will be activated when you execute an executable file. Recently, some viruses have also infected files with extensions such as dll, ovl, sys, etc., because these files are usually configuration and link files of a certain program, so the virus will automatically load when executing a certain program. Their loading method is to insert entire paragraphs of virus code or scatter them into blank bytes of these files. For example, CIH viruses split themselves into 9 segments and embed them into executable files with PE structures. After infection, the number of bytes in the file usually does not increase, which is its hidden side.
c. Network virus
This virus is the product of the rapid development of the network in recent years. The infected objects are no longer limited to a single pattern and a single executable file, but are more comprehensive and hidden. Now some network viruses can infect almost all OFFICE files, such as WORD, EXCEL, email, etc. Its attack methods have also changed. From the original deletion and modification of files to the current file encryption, stealing user useful information (such as hacker programs), the transmission process has also taken a qualitative leap. It is no longer limited to disk, but is carried out through more hidden networks, such as emails, electronic advertisements, etc.
d. Complex virus
It is classified as "complex viruses" because they have certain characteristics of "boot type" and "file type" viruses. They can infect the boot sector files of the disk or infect a certain executable file. If this type of virus is not fully removed, the residual virus can be restored by itself, and it will also cause infection of the boot sector files and executable files. Therefore, it is extremely difficult to detect and kill such viruses. The antivirus software used must have the function of checking and killing two types of viruses at the same time.
The above is divided according to the target of virus infection. If the degree of virus damage is determined, we can divide the virus into the following types.:
a. Benign virus
The reason why these viruses call them benign viruses is because their purpose of invasion is not to destroy your system, but just to play. Most of them are primary virus enthusiasts who want to test their own level of developing virus programs. They don't want to destroy your system, they just make some sound or some prompts, which do not harm other than taking up a certain amount of hard disk space and CPU processing time. This is the case for some * virus programs, just want to steal some communication information from your computer, such as passwords, IP addresses, etc., in case of need.
b. Malignant virus
We classify viruses that only cause serious consequences such as interference to the software system, steal information, modify system information, and do not cause serious consequences such as hardware damage or data loss as "malignant viruses". After this virus invasion, the system will not suffer any other losses except that it cannot be used normally. After the system is damaged, it is generally necessary to reinstall a part of the system files and restore it. Of course, it is necessary to kill these viruses and reinstall the system.
c. Extremely malignant virus
This type of virus is more damaged than the above-mentioned B viruses. Generally, if you are infected with this type of virus, your system will completely crash and cannot start normally. The useful data you keep on the hard disk may not be obtained. The lightest thing is to delete system files and applications.
d. Catastrophic virus
From its name, we can know the degree of damage it will cause to us. This type of virus generally destroys the boot sector files of the disk, modifys the file allocation table and hard disk partition table, causing the system to be unable to boot at all, and sometimes even formats or locks your hard disk, making it impossible for you to use the hard disk. If you get infected with this type of virus, it will be difficult to recover your system, and the data retained on the hard drive will be difficult to obtain, and the losses caused are huge. Therefore, when should our evolutionary theory make the worst plan, especially for enterprise users, we should make full disastrous backups. Fortunately, most large enterprises have now realized the significance of backup and spend a lot of money on daily system and data backup. Although everyone knows that such disastrous consequences may not have encountered in a few years, it is still easy to relax. This is what Nestlé, where I am, and I attach great importance to this issue. For example, the CIH virus that occurred on April 26 in 2019 can be classified as this because it not only causes damage to the software, but also directly damages hardware such as hard disk and motherboard BIOS.
For example, it is divided into the following types according to its invasion:
a. Source code embedding type
As the name implies, this type of virus mainly invades source programs written in high-level languages. The virus inserts its code into the source program before compilation, and is then compiled together with it into an executable file, so the newly generated file is already infected. Naturally this type is very rare, because virus writers cannot easily obtain a software company's source code before it is compiled. Moreover, this intrusion method is difficult and requires a very high level of programming skill.
b. Code replacement type
This type of virus replaces the whole or part of a module of the invaded program with its own code. It is also rare: it mainly attacks specific programs and is highly targeted, but it is not easy to discover and is difficult to remove.
c. System modification type
This type of virus overwrites or modifies certain files in the system with its own program, in order to call or replace some functions of the operating system. Because it infects the system directly, it is more harmful; it is also the most common type, and most such viruses are file viruses.
d. Shell attachment type
This type of virus attaches itself to the head or tail of a normal program, which amounts to adding a shell around the program. When the infected program is run, the virus code executes first and then loads the normal program into memory. At present most file viruses fall into this category.
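The shell-attachment pattern described in item d leaves a trace that a defender can check for: bytes appended beyond the last section the executable declares (an overlay), or an entry point that no longer lies in the declared code section. The following is an added example, not code from the original article, that builds a constructed minimal PE32 image in memory (the `build_sample_pe` helper is an assumption for illustration, not a real program) and then inspects an image for those two signs of tail attachment.

```python
import struct

# Section header layout from the PE specification:
# Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
# PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
# NumberOfLinenumbers, Characteristics
SECTION_HDR_FMT = "<8sIIIIIIHHI"


def build_sample_pe(code: bytes, appended: bytes = b"") -> bytes:
    """Constructed sample: a minimal PE32 image with one .text section.
    `appended` simulates data glued onto the tail after the last section."""
    file_align = 0x200
    sect_raw_size = (len(code) + file_align - 1) // file_align * file_align
    raw_ptr = 0x200            # first section starts after the headers
    entry_rva = 0x1000         # entry point at the start of .text
    # DOS header: "MZ", padding, e_lfanew at 0x3C pointing to the PE signature
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)
    # COFF header: i386, 1 section, no symbols, 224-byte optional header
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)
    opt = struct.pack(
        "<HBBIIIIIIIIIHHHHHHIIIIHHIIIIII",
        0x10B, 0, 0,                      # Magic PE32, linker version
        sect_raw_size, 0, 0,              # SizeOfCode, init data, uninit data
        entry_rva, entry_rva, 0,          # AddressOfEntryPoint, BaseOfCode, BaseOfData
        0x400000, 0x1000, file_align,     # ImageBase, SectionAlignment, FileAlignment
        4, 0, 0, 0, 4, 0,                 # OS / image / subsystem versions
        0, 0x2000, 0x200, 0,              # Win32VersionValue, SizeOfImage, SizeOfHeaders, CheckSum
        2, 0,                             # Subsystem (GUI), DllCharacteristics
        0x100000, 0x1000, 0x100000, 0x1000,  # stack / heap reserve and commit
        0, 16,                            # LoaderFlags, NumberOfRvaAndSizes
    ) + b"\x00" * (16 * 8)                # 16 empty data directories
    sect = struct.pack(SECTION_HDR_FMT, b".text", len(code), entry_rva,
                       sect_raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
    headers = dos + b"PE\x00\x00" + coff + opt + sect
    headers += b"\x00" * (raw_ptr - len(headers))
    body = code + b"\x00" * (sect_raw_size - len(code))
    return headers + body + appended


def inspect_pe(data: bytes) -> dict:
    """Report where the declared sections end, how many bytes follow them
    (the overlay), and which section contains the entry point (None if none)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff_off = e_lfanew + 4
    n_sections = struct.unpack_from("<H", data, coff_off + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff_off + 16)[0]
    # AddressOfEntryPoint sits 16 bytes into the optional header
    entry_rva = struct.unpack_from("<I", data, coff_off + 20 + 16)[0]
    sect_off = coff_off + 20 + opt_size
    end_of_sections = 0
    entry_section = None
    for i in range(n_sections):
        name, vsize, vaddr, rawsize, rawptr, *_ = struct.unpack_from(
            SECTION_HDR_FMT, data, sect_off + 40 * i)
        end_of_sections = max(end_of_sections, rawptr + rawsize)
        if vaddr <= entry_rva < vaddr + max(vsize, rawsize):
            entry_section = name.rstrip(b"\x00").decode("ascii", "replace")
    return {
        "end_of_sections": end_of_sections,
        "overlay_bytes": max(len(data) - end_of_sections, 0),
        "entry_section": entry_section,
    }


if __name__ == "__main__":
    clean = build_sample_pe(b"\xc3" * 16)
    tampered = build_sample_pe(b"\xc3" * 16, appended=b"\x90" * 100)
    print("clean:   ", inspect_pe(clean))
    print("tampered:", inspect_pe(tampered))
```

A non-zero overlay is evidence, not proof: installers, self-extracting archives and signed binaries legitimately carry data after the last section, so the check is a reason to look closer (compare against a known-good copy or a vendor hash), not a verdict on its own.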
With this basic knowledge of viruses, we can now check whether a computer contains a virus. The following methods can be used to judge this.
1. Anti-virus software scanning method
This is probably the first choice for most of us, and perhaps the only one. There are more and more kinds of viruses, and their hiding techniques grow ever cleverer, which makes detection and removal harder and poses a challenge to anti-virus software developers. At the same time, as programming languages become more capable and computer networks more widespread, writing and spreading viruses has become easier, and so more and more companies are developing and distributing anti-virus software. The best-known anti-virus products at present include Kingsoft Antivirus, KV300, KILL, PC-cillin, VRV, Rising, Norton and so on. As for how to use them, there is no need to say more; I believe everyone is capable of that!
2. Observation method
This method can only be applied accurately if you understand the symptoms of a virus attack and where viruses reside. For example, when the hard disk boots, if the system takes a long time to start, runs very slowly, the hard disk cannot be accessed, or unusual sounds or prompts appear, the first thing to consider is that a virus is causing trouble, but we cannot stop there. Remember that, as discussed above, software and hardware failures can produce the same symptoms! For viruses, we can observe from the following aspects:
a. Memory observation method
This method is generally used for viruses found under DOS. We can use the "mem /c /p" command under DOS to view the memory occupied by each program and find the memory occupied by the virus (usually not listed separately, but attached to another program). Some viruses occupy memory in a rather hidden way and cannot be found with "mem /c /p", but we can still see that the total conventional memory is 1 KB or a few KB less than it should be.
b. Registry observation method
This method is generally applicable to the so-called hacker programs that have emerged recently, such as * programs. These viruses generally start or load themselves automatically by modifying the startup and load configuration in the registry. They usually do so in the following places:
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion
For details, please refer to my other article, "Looking at *s through the *s", which analyses in more detail where they may appear in the registry.
c. System configuration file observation method
This method is generally applicable to hacker programs. This type of virus generally hides in , (Win9x/WinME) and in the startup group. One file contains a "shell=" item, and the other contains "load=" and "run=" items; these viruses generally load their own program through these items. Note that they sometimes modify the original entry instead of adding a new one. Under Win9x/WinME we can run the program to check them one by one. For details, please refer to my article "Looking at *s through the *s".
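The registry and configuration-file observations in b and c amount to comparing the machine's autostart locations against what you expect to be there. The following is an added example, not code from the original article, that audits a constructed `regedit /e` export for unexpected entries under the Run-style keys and checks the "shell=", "load=" and "run=" items. The article leaves the file names elided; the example assumes the classic Win9x locations known from the platform, system.ini [boot] for shell= and win.ini [windows] for load=/run=. All sample contents, including the file names under C:\WINDOWS, are constructed for illustration and do not describe any real machine.

```python
import re

# Constructed sample of a registry export in the .reg text format (not from a real machine).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"svchost32"="C:\\WINDOWS\\temp\\svch0st.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"SystemTray"="SysTray.Exe"
"""

# Constructed samples of the two INI files (assumed names: system.ini and win.ini).
SAMPLE_SYSTEM_INI = """[boot]
shell=Explorer.exe C:\\WINDOWS\\patch.exe
"""
SAMPLE_WIN_INI = """[windows]
load=
run=C:\\WINDOWS\\helper.exe
"""

# Key name suffixes that Windows consults at logon; anything new here deserves a look.
AUTORUN_KEYS = ("\\Run", "\\RunOnce", "\\RunServices", "\\RunServicesOnce")


def parse_reg_export(text):
    """Yield (key, value_name, value_data) for every REG_SZ value in a .reg export.
    Backslashes are doubled in the export format, so they are unescaped here."""
    key = None
    pattern = re.compile(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"'):
            m = pattern.match(line)
            if m:
                yield key, m.group(1), m.group(2).replace("\\\\", "\\")


def audit_autoruns(reg_text, baseline):
    """Return autorun values whose names are not in the known-good baseline."""
    findings = []
    for key, name, data in parse_reg_export(reg_text):
        if key.endswith(AUTORUN_KEYS) and name not in baseline:
            findings.append(f"{key}\\{name} -> {data}")
    return findings


def ini_value(text, section, key):
    """Return the value of `key` inside `section` of an INI file, or None."""
    current = None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            current = s[1:-1].lower()
        elif current == section.lower() and "=" in s:
            k, _, v = s.partition("=")
            if k.strip().lower() == key.lower():
                return v.strip()
    return None


def audit_ini(system_ini, win_ini):
    """Flag a shell= that is not plain Explorer.exe and any non-empty load=/run=."""
    findings = []
    shell = ini_value(system_ini, "boot", "shell")
    if shell is not None and shell.lower() != "explorer.exe":
        findings.append(f"system.ini [boot] shell={shell}")
    for item in ("load", "run"):
        value = ini_value(win_ini, "windows", item)
        if value:
            findings.append(f"win.ini [windows] {item}={value}")
    return findings


if __name__ == "__main__":
    known = {"ctfmon.exe", "SystemTray"}     # baseline recorded on a clean install
    for f in audit_autoruns(SAMPLE_REG, known) + audit_ini(SAMPLE_SYSTEM_INI, SAMPLE_WIN_INI):
        print("CHECK:", f)
```

The baseline is the important part: record the autorun names on a freshly installed machine and diff against it later, rather than trying to judge each entry by name, since the text's own point is that these programs modify existing entries as well as add new ones.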
d. Feature string observation method
This method is mainly aimed at some special viruses. When these viruses invade, they write a corresponding feature code; for example, the CIH virus writes a string such as "CIH" into the files it infects. Of course such strings are not easy to spot by eye, so we can use a hexadecimal editor to open the main system files (such as) and look for them. It is best to back up the files before editing, since they are, after all, the main system files.
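Searching files for a known marker string is a job a small scanner does better than a hex editor, as long as it handles the one awkward case: a marker that straddles the boundary between two read buffers. The following is an added example, not code from the original article; the sample file and the "CIH" marker position are constructed so that one occurrence crosses the buffer boundary, and the marker itself is only the example string the text mentions, not a real detection signature.

```python
import os
import tempfile

# Constructed signature table: the marker string the article names, nothing more.
SIGNATURES = {"CIH marker string": b"CIH"}


def find_signatures(path, signatures, chunk=4096):
    """Scan `path` for each byte signature and return sorted (name, offset) pairs.
    Reads in chunks, carrying over the last len(longest)-1 bytes so that a
    signature split across two chunks is still matched; a set removes the
    duplicate reports that the carried-over bytes would otherwise produce."""
    longest = max(len(s) for s in signatures.values())
    overlap = longest - 1
    seen, hits = set(), []
    with open(path, "rb") as f:
        tail = b""
        consumed = 0                       # file offset where the next block begins
        while True:
            block = f.read(chunk)
            if not block:
                break
            buf = tail + block
            buf_start = consumed - len(tail)
            for name, sig in signatures.items():
                pos = buf.find(sig)
                while pos != -1:
                    key = (name, buf_start + pos)
                    if key not in seen:
                        seen.add(key)
                        hits.append(key)
                    pos = buf.find(sig, pos + 1)
            consumed += len(block)
            tail = buf[-overlap:] if overlap else b""
    hits.sort(key=lambda h: h[1])
    return hits


def hexdump_context(path, offset, width=16):
    """Return the hex-editor style row containing `offset`, for a human to confirm."""
    start = offset - offset % width
    with open(path, "rb") as f:
        f.seek(start)
        row = f.read(width)
    hexpart = " ".join(f"{b:02x}" for b in row)
    asc = "".join(chr(b) if 32 <= b < 127 else "." for b in row)
    return f"{start:08x}  {hexpart:<{width * 3}} |{asc}|"


def write_sample_file(path, chunk):
    """Constructed sample: zero filler with the marker at offset 100 and again
    at chunk-1, so the second occurrence straddles a chunk boundary."""
    data = bytearray(2 * chunk)
    data[100:103] = b"CIH"
    data[chunk - 1:chunk + 2] = b"CIH"
    with open(path, "wb") as f:
        f.write(data)


def scan_sample(chunk=4096):
    """Write the constructed sample to a temp file, scan it, and return
    (hits, hexdump rows); the temp file is removed afterwards."""
    fd, path = tempfile.mkstemp(suffix=".bin")
    os.close(fd)
    try:
        write_sample_file(path, chunk)
        hits = find_signatures(path, SIGNATURES, chunk)
        rows = [hexdump_context(path, off) for _, off in hits]
        return hits, rows
    finally:
        os.remove(path)


if __name__ == "__main__":
    for (name, off), row in zip(*scan_sample()):
        print(f"{name} at 0x{off:x}\n  {row}")
```

A string match is weak evidence on its own: a three-letter marker also occurs in legitimate text, including anti-virus signature databases, so confirm a hit by comparing the file with a clean copy before doing anything to it.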
e. Hard disk space observation method
Some viruses do not destroy your system files but only generate a hidden file. This file generally has very little real content, yet it takes up a great deal of hard disk space, sometimes so much that the disk can no longer run ordinary programs, and you cannot see it. At that point we have to open Explorer and set the folder options to show files of all attributes (I don't need to explain this method, do I?). I am sure the behemoth will then appear, because the virus generally gives it the hidden attribute, and you can delete it. I have seen several examples of this during my network maintenance and personal computer repair work: only a few common programs were installed, so why were a few GB of space on the C drive unaccounted for? Through the above methods, the virus can usually be revealed quickly.
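The hidden-file check above can be automated for a whole drive instead of folder by folder. The following is an added example, not code from the original article: it walks a directory tree, separates hidden from visible files and lists the hidden ones above a size threshold. Hidden means the Windows hidden attribute where the platform reports it (Python's `st_file_attributes`) and, as an added assumption so the sample runs on any platform, a leading-dot name as well; the sample directory contents are constructed.

```python
import os
import stat
import tempfile


def is_hidden(path):
    """True if the file carries the Windows hidden attribute (reported only on
    Windows) or follows the Unix dot-file convention (assumed here so the
    constructed sample behaves the same everywhere)."""
    st = os.stat(path)
    attr = getattr(st, "st_file_attributes", 0)
    return bool(attr & stat.FILE_ATTRIBUTE_HIDDEN) or os.path.basename(path).startswith(".")


def survey(root, min_bytes):
    """Total visible and hidden bytes under `root`, plus hidden files of at
    least `min_bytes`, largest first."""
    visible = hidden = 0
    suspects = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            try:
                size = os.path.getsize(p)
            except OSError:          # file vanished or unreadable; skip it
                continue
            if is_hidden(p):
                hidden += size
                if size >= min_bytes:
                    suspects.append((p, size))
            else:
                visible += size
    suspects.sort(key=lambda t: -t[1])
    return {"visible_bytes": visible, "hidden_bytes": hidden, "suspects": suspects}


def demo(threshold=1024 * 1024):
    """Constructed sample: one small visible file and one large hidden file.
    Returns the survey summary with suspect file names only, since the
    temporary directory is removed on return."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "notes.txt"), "wb") as f:
            f.write(b"x" * 1024)
        os.makedirs(os.path.join(root, "sub"))
        with open(os.path.join(root, "sub", ".cache.dat"), "wb") as f:
            f.truncate(8 * 1024 * 1024)  # 8 MiB, sparse where the filesystem allows
        result = survey(root, threshold)
        return {
            "visible_bytes": result["visible_bytes"],
            "hidden_bytes": result["hidden_bytes"],
            "suspect_names": [os.path.basename(p) for p, _ in result["suspects"]],
        }


if __name__ == "__main__":
    summary = demo()
    print(f"visible: {summary['visible_bytes']} B, hidden: {summary['hidden_bytes']} B")
    for name in summary["suspect_names"]:
        print("large hidden file:", name)
```

Run `survey("C:\\", 100 * 1024 * 1024)` on the drive in question to get the same listing for real; compare the hidden total with the space Explorer reports as missing.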