Forwarded from UNDERCODE SECURITY
The purpose of this command is to export the backed-up Run keys to "ziqidong.txt", so that if a virus is suspected of having added a self-starting item, the current self-starting values can be exported again and compared with the earlier export. Using the FC command introduced above to compare the two txt files before and after quickly reveals any new self-starting items.
1️⃣ Use reg delete to delete the newly added self-starting key.
For example, suppose the method above finds a "Logon" self-starting item under [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] whose startup program is "c:\windows\winlogon.exe". Enter the following command to delete the virus's self-starting key value:
reg delete HKLM\software\Microsoft\Windows\CurrentVersion\Run /f
2️⃣ Use reg import to restore the registry.
reg delete removed the entire Run key, so now use the backed-up .reg file to restore it. Enter the following command to quickly restore the registry: reg import f:\hklmrun.reg
3️⃣ The above introduces several system commands for manual virus removal. As long as these commands are used well, most viruses can be removed this way. Of course, backups must be made regularly.
#Tip: The above operations can also be performed by hand in the Registry Editor, but the REG command has the advantage that even if the Registry Editor has been disabled by a virus, the commands above can still export, delete and import keys, and faster.
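The FC comparison above treats the two exports as plain text. As an added example (not part of the original post), here is a Python script that parses two constructed `reg export` snapshots of the Run key, reports which values were added, changed or removed, and prints `reg delete ... /v` commands that remove only the new values instead of the whole key. The sample exports, the "Updater" and "Logon" entries and their paths are all made up for the example.

```python
"""Compare two 'reg export' snapshots of an autostart key and list what changed."""
import re

# Constructed sample exports (the text that `reg export HKLM\...\Run` writes,
# minus the UTF-16 encoding). Value names and paths are made up for this example.
BEFORE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"
"Updater"="\"C:\\Program Files\\Example\\updater.exe\" /background"
'''

AFTER_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"
"Updater"="\"C:\\Program Files\\Example\\updater.exe\" /background"
"Logon"="c:\\windows\\winlogon.exe"
'''

# "name"=<data>   (name may contain escaped quotes)
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s):
    # .reg files escape backslash and double quote with a backslash
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg(text):
    """Return {key_path: {value_name: data}} for the string values in a .reg export."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m is None or current is None:
            continue  # dword:/hex: values are not needed for Run entries; skipped here
        name = _unescape(m.group(1))
        data = m.group(2)
        if data.startswith('"') and data.endswith('"'):
            data = _unescape(data[1:-1])
        keys[current][name] = data
    return keys


def diff_autostart(before_text, after_text):
    """Return {key: {"added", "changed", "removed"}} for keys that differ between exports."""
    before = parse_reg(before_text)
    after = parse_reg(after_text)
    report = {}
    for key in set(before) | set(after):
        b = before.get(key, {})
        a = after.get(key, {})
        added = {n: a[n] for n in a if n not in b}
        changed = {n: (b[n], a[n]) for n in a if n in b and a[n] != b[n]}
        removed = {n: b[n] for n in b if n not in a}
        if added or changed or removed:
            report[key] = {"added": added, "changed": changed, "removed": removed}
    return report


def removal_commands(report):
    """reg delete commands that remove only the newly added values, not the whole key."""
    cmds = []
    for key, entry in report.items():
        short = key.replace("HKEY_LOCAL_MACHINE", "HKLM").replace("HKEY_CURRENT_USER", "HKCU")
        for name in entry["added"]:
            cmds.append(f'reg delete "{short}" /v "{name}" /f')
    return cmds


if __name__ == "__main__":
    rep = diff_autostart(BEFORE_REG, AFTER_REG)
    for key, entry in rep.items():
        print(key)
        for n, v in entry["added"].items():
            print(f"  NEW      {n} = {v}")
        for n, (old, new) in entry["changed"].items():
            print(f"  CHANGED  {n}: {old} -> {new}")
        for n, v in entry["removed"].items():
            print(f"  REMOVED  {n} = {v}")
    for c in removal_commands(rep):
        print(c)
```

Real `reg export` output is UTF-16LE with a BOM, so when reading actual files open them with `encoding="utf-16"`. Deleting a single value with `/v` leaves the legitimate autostart entries in place, which is why the script emits that form rather than deleting the whole key and restoring it from backup.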
4️⃣ Detecting bundled Trojans with FIND
The above introduced the use of system commands to detect and remove ordinary viruses; the following introduces the "FIND" command for detecting bundled Trojans.
Many netizens will have encountered bundled Trojans. These "wolves in sheep's clothing" often hide behind pictures, Flash animations and even music files.
When we open such a file, although the current window does show a picture (or play the Flash), the Trojan is already quietly running in the background.
For example, I recently received a Super Girl wallpaper from a friend over QQ, but when I opened the picture I found that it opened in the "Picture and Fax Viewer" while the hard disk indicator kept flashing.
Obviously, an unknown program was running in the background while the picture was open.
Now use the FIND command to check whether the picture is bundled with a Trojan. Type:
FIND /c /I "This program" g:\chaonv.jpe.exe
where g:\chaonv.jpe.exe is the file to be checked.
The FIND command returns "---------- G:\CHAONV.EXE: 2", which indicates that "G:\CHAONV.EXE" does indeed have other files bundled into it.
This works because FIND /c counts the lines containing the searched string: an ordinary EXE file returns "1" (every Windows executable carries one DOS stub containing the text "This program cannot be run in DOS mode"), a non-executable file normally returns "0", and any other result deserves attention.
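The FIND trick is a string-count heuristic. As an added example (not part of the original post), here is a Python version of the same idea in a slightly stronger form: it counts occurrences of the DOS stub text the way `FIND /c /I "This program"` does, and separately counts "MZ" headers whose e_lfanew field actually points to a "PE\0\0" signature, which is harder to trip by accident. The three sample files (a plain executable, a JPEG-like blob, and an executable with a second one appended) are constructed in memory; `make_fake_pe` builds a non-runnable stand-in that only has the header fields this check looks at.

```python
"""Count embedded executables in a file: the FIND /c "This program" heuristic, plus a header check."""
import struct

DOS_STUB_TEXT = b"This program cannot be run in DOS mode"


def make_fake_pe(stub_text=DOS_STUB_TEXT):
    """Constructed, non-runnable stand-in for a PE file: 'MZ' header, DOS stub text,
    and e_lfanew at offset 0x3c pointing to the 'PE\\0\\0' signature."""
    e_lfanew = 0x80
    img = bytearray(b"MZ" + b"\x90" * (0x3c - 2))
    img += struct.pack("<I", e_lfanew)  # e_lfanew
    img += b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"  # classic stub code
    img += stub_text + b".\r\r\n$"
    img += b"\x00" * (e_lfanew - len(img))
    img += b"PE\x00\x00"
    img += b"\x00" * 200  # stand-in for COFF/optional headers and sections
    return bytes(img)


def count_dos_stub_strings(data, needle=b"this program"):
    """Case-insensitive occurrence count, like FIND /c /I but per occurrence, not per line."""
    return data.lower().count(needle.lower())


def count_pe_headers(data):
    """Count 'MZ' headers whose e_lfanew points to a valid 'PE\\0\\0' signature."""
    count = 0
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            (e_lfanew,) = struct.unpack_from("<I", data, pos + 0x3c)
            sig = pos + e_lfanew
            # sanity-bound e_lfanew so random bytes rarely pass
            if 0x40 <= e_lfanew < 0x1000 and data[sig:sig + 4] == b"PE\x00\x00":
                count += 1
        pos = data.find(b"MZ", pos + 1)
    return count


def classify(data):
    """Interpret the header count the way the FIND result is interpreted in the text."""
    pe = count_pe_headers(data)
    if pe == 0:
        return "not a PE executable"
    if pe == 1:
        return "single executable"
    return "contains %d executables: possibly bundled" % pe


# Constructed samples: a plain EXE, a JPEG-looking blob, and an EXE with a second EXE appended.
PLAIN_EXE = make_fake_pe()
JPEG_LIKE = b"\xff\xd8\xff\xe0" + b"JFIF\x00" + bytes(range(256)) * 4
BUNDLED = make_fake_pe() + b"[image payload]" + make_fake_pe()

if __name__ == "__main__":
    for label, blob in ("plain.exe", PLAIN_EXE), ("photo.jpg", JPEG_LIKE), ("chaonv.jpe.exe", BUNDLED):
        print(label, count_dos_stub_strings(blob), count_pe_headers(blob), classify(blob))
```

To check a real file, read it with `open(path, "rb").read()` and pass the bytes to `classify`. A count of two or more is a lead, not proof: self-extracting archives and installers legitimately embed executables, while a packed or encrypted binder may hide both the stub string and the inner header, so a clean result does not clear the file either. Treat the result as a reason to verify the file's hash, digital signature and behaviour before trusting it.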
#Tip: Many bundled Trojans exploit Windows' default "Hide extensions for known file types" setting to confuse us, as with "chaonv.jpe.exe" in this example: because the file uses the JPG icon, the user is fooled.
Open "My Computer", click "Tools → Folder Options", then the "View" tab, and clear the check mark in front of "Hide extensions for known file types" to see the wolf's true face.
#Summary
Finally, let's summarize the manual virus-removal process:
Use TASKLIST to back up the process list → find the virus by comparing the files with FC → use NETSTAT to identify the process → use FIND to terminate the process → search for the virus file and delete it → use the REG command to repair the registry.
In this way, from discovering the virus to deleting it and repairing the registry, the entire manual virus detection and removal process is complete. Have you learned it? For more tutorials, follow Script House!
FULL MALWARE GUIDE WRITTEN BY UNDERCODE
@UndercodeTesting
@UndercodeSecurity
@UndercodeHacking