First: What is a process
A process is a running instance of an application, that is, a program in the course of execution. That sounds profound, but it simply means a program the operating system is currently executing. The programs running on a system include those the operating system itself needs in order to manage the computer and carry out its work; programs the user has opened or launched; and, of course, programs the user does not know about that have started themselves, which may well be malicious (a virus, for example).
In the same way, a virus that is a complete executable appears in the system as a process (some viruses, such as macro viruses, do not show up in the process list). Identifying and terminating illegitimate processes accurately and promptly is therefore a key step in manual virus removal.
Second: What is Trojan
Trojan horse programs (often loosely called Trojan viruses) take their name from the famous "Trojan horse" of the ancient Greek Trojan War. As the name suggests, a Trojan is a disguised malicious program that lies dormant on a networked machine and waits for the right moment to do harm.
Means of spread: sent as e-mail attachments, or bundled into other programs.
Characteristics: modifies the registry, stays resident in memory, installs a backdoor in the system, and arranges to be loaded at boot.
Damage: once the planted component is running on the victim's machine, the Trojan can open a backdoor, periodically send the user's private data to an address the attacker specifies, and usually also open ports on the victim's computer through which the attacker can control it at will: deleting or copying files, changing passwords, and other illegal operations.
Prevention: stay vigilant, do not download and run programs of unknown origin, and do not open e-mail attachments from unknown senders.
Third: What is a computer virus
A computer virus is a program, a piece of executable code. Like a biological virus, a computer virus has a unique ability to replicate. Computer viruses spread quickly and are often hard to eradicate. They can attach themselves to many kinds of files, and when an infected file is copied or sent from one user to another, the virus travels with it.
Beyond replication, some computer viruses share other traits. A contaminated program can act as the carrier that delivers the virus. When the payload appears to do nothing more than display text or images, it may in fact already have destroyed files, formatted the hard drive or caused other kinds of damage. Even a virus that does not attach itself to a host program still occupies storage space and degrades the computer's overall performance. Computer viruses have been defined from several angles. One definition is a program that spreads through media such as disks, tapes and networks and can "infect" other programs. Another is a program that replicates itself, exists alongside a host, and has a degree of latency, infectiousness and destructiveness. A further definition is a man-made program that hides in storage media (such as disks or memory) or inside other programs and, when certain conditions are met or the time is ripe, replicates and spreads, damaging the computer's resources. All of these borrow from the concept of a biological virus: like a pathogen, a computer virus invades computer systems and networks and interferes with their normal operation, sabotages the system, replicates itself, and is contagious.
In short, a computer virus is a set of programs or instructions that hides in a computer's storage medium (or in a program) by some means and, once activated by a certain condition, damages the computer's resources.
Fourth: What is a worm
A worm is a self-replicating program, usually classed as a kind of computer virus, whose distinguishing feature is that it spreads over the network and by e-mail, copying itself from machine to machine without needing to infect a host file.
"Nimda", which caused considerable damage in recent years, is a worm. It exploits vulnerabilities in the Microsoft Windows operating system; an infected computer keeps trying to connect to the Internet and uses file shares and harvested network addresses to spread further, eventually destroying much of the user's important data.
The usual defences against worms are to run antivirus software with real-time monitoring enabled and never to open e-mail attachments from strangers.
Fifth: What is adware
Adware is a program that is downloaded and installed without the user's permission, or bundled with other software, and that displays commercial advertising through pop-ups or other means. Once installed, adware often slows the system down or causes it to behave abnormally.
To guard against adware, note the following:
1. Be careful with shareware and "free" software; it frequently carries adware, spyware and other unwanted programs that pose a security risk.
2. Some adware is installed by malicious web sites, so stay away from dubious sites.
3. Use a browser with a good security record, and keep the system patched.
Sixth: What is spyware
Spyware is software that installs a backdoor program on the user's computer without the user's knowledge. The user's private data and important information are captured through that backdoor, and the backdoor may even allow an attacker to control the computer remotely.
To prevent and deal with spyware, note the following:
1. Be careful with shareware and "free" software; it frequently carries adware, spyware and other unwanted programs that pose a security risk.
2. Some spyware is installed by malicious web sites, so stay away from dubious sites.
3. Use a browser with a good security record, and keep the system patched.
Seventh: What is a DLL file
DLL is the acronym for Dynamic Link Library. In Windows, many applications are not a single complete executable; they are split into a number of relatively independent dynamic link libraries (DLL files) stored on the system. When a program runs, the corresponding DLL files are called. One application may use several DLL files, and one DLL file may be used by several applications; such a DLL is called a shared DLL. DLL files are generally stored in the C:\Windows\System directory (C:\Windows\System32 on Windows 2000/XP).
1. How to find out which DLL files an application uses
Right-click the application, choose "Quick View" from the shortcut menu, and look at the "Import Table" column in the Quick View window that opens; it lists the DLL files the program uses.
2. How to find out how many programs use a DLL file
Run Regedit and open the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SharedDlls subkey. The right-hand pane lists all shared DLL files and their data; the small number in parentheses to the right of each entry is the count of programs using it. (2) means two programs use the DLL, and (0) means no program uses it, so it can be removed.
3. What to do when a DLL file is missing
Sometimes an uninstaller warns that deleting a DLL file may affect other applications, so uninstalling software can mistakenly remove shared DLL files. If a DLL file goes missing and you know its name, look in the Sysbckup folder (the system backup folder under the Windows directory) for a copy and copy it into the System folder. If it is not there and the computer keeps displaying a "*** dll file is missing ..." message at startup, choose Start / Run, run Msconfig, and in the System Configuration Utility click the "System.ini" tab, find the entry that references the missing DLL and clear its check box; the error will no longer appear at boot.
rundll is the command-line way Windows calls functions in a dynamic link library.
The difference between Rundll32.exe and Rundll.exe is that the former calls 32-bit link libraries and the latter 16-bit ones. rundll32.exe is designed to call DLL files.
Under Win98, rundll32.exe normally lives in the Windows directory;
under WinXP, rundll32.exe normally lives in the Windows\System32 directory.
If a rundll32.exe is running from any other directory, it may be a Trojan horse masquerading as rundll32.exe.
Eighth: What is a system process
A process is an application running on the system; a thread is the basic unit to which the system allocates processor time, that is, an independent unit of execution within a process. From the operating system's point of view the scheduling unit is the thread. A process contains at least one thread, usually called the main thread. A process starts executing from its main thread and may then create one or more additional threads; this is so-called multithreaded multitasking.
So what exactly is the difference between a process and a thread? A process is an executing instance of a program. For example, when you run Notepad (Notepad.exe), you create a process that holds the code and DLLs Notepad.exe needs. Each process runs in its own private, protected address space, so if you run two copies of Notepad, each instance works on its own data independently of the other; one Notepad instance cannot see the data open in the second.
Take a sandbox as an analogy. A process is like a sandbox, and threads are like children playing in it. The children run around inside the box and may kick sand into each other's eyes, kick each other or bite. But each sandbox is completely enclosed by walls and a ceiling, so however wild the children in one box get, they cannot affect the children in another box. Each process is thus a protected sandbox: without permission, nothing outside can get in.
In fact it is threads that run, not processes. The only way two processes can access each other's private memory is through a memory block they have agreed to share; that is a cooperative arrangement. Let us look at the Processes tab of Task Manager.
The list shows a series of processes, each identified by the executable image it is running; that is why the first column of the Processes tab is called Image Name. Note that processes themselves are not given names here; a process does not own a name separate from its image. In other words, if you run 5 copies of Notepad, you see 5 processes called Notepad.exe. How are they told apart? One way is by process ID, since every process has a unique one. Process IDs are generated by Windows NT or Windows 2000 and can be recycled, so they do not keep growing forever. The third column is the percentage of CPU time consumed by the process's threads. It is not a CPU count but the share of CPU time the process has used. At this point my system is basically idle: although the system appears to use only a small fraction of the CPU each second, the System Idle Process still accounts for roughly 99% of CPU time.
The fourth column, CPU Time, is the accumulated processor time consumed by the process's threads, in hours, minutes and seconds. Note the phrase "consumed by the process's threads". It does not necessarily equal the CPU time the process actually spent, because NT's timing works like this: whenever a clock interval elapses, whichever thread happens to be current at that instant is charged for the whole interval. On most NT systems the clock runs at 10 millisecond intervals; every 10 ms the heart of NT beats, a small piece of driver code runs, determines which thread is current, and bills that thread for the last 10 ms. So if one thread runs for 8 ms, then a second thread starts and runs for 2 ms, and then the clock fires, which thread is charged for the whole 10 ms? The second one. NT is therefore inherently a little inaccurate, but this is exactly how NT keeps time, and most 32-bit operating systems use a similar interval-based mechanism. Keep this in mind, because when you look at a thread's total CPU consumption you may see a thread that has apparently run several hundred thousand times yet shows zero or very little CPU time; this is the explanation. That is the basic information visible in the columns of Task Manager's Processes tab.
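The accounting rule just described, as an added model (not Windows code and not part of the original article): a clock tick fires every 10 ms and the whole interval is billed to whichever thread is current at that instant. The schedules are constructed; the second one shows the case the text mentions, a thread that runs on every interval yet is never charged a single tick.

```python
"""Model of NT's interval-based CPU accounting.

Added example for this article; it is not Windows code. It implements the
charging rule the text describes: a clock tick fires every TICK_MS and the
whole interval is billed to whichever thread is current at that instant.
Schedules are constructed lists of (thread, duration_ms) run back to back.
"""
from collections import defaultdict

TICK_MS = 10  # clock interval on most NT systems, as stated in the text


def true_cpu(schedule):
    """Exact CPU time per thread: the sum of its run segments."""
    total = defaultdict(int)
    for thread, duration_ms in schedule:
        total[thread] += duration_ms
    return dict(total)


def tick_charged_cpu(schedule, tick_ms=TICK_MS):
    """CPU time per thread as a tick-sampling kernel would account it.

    Ticks fire at tick_ms, 2*tick_ms, ... A tick that lands exactly where one
    segment ends and the next begins is charged to the segment that was
    running up to that instant (so the text's 8 ms + 2 ms case bills the
    thread that ran for only 2 ms).
    """
    charged = defaultdict(int)
    for thread, _ in schedule:
        charged[thread] = 0          # a thread never caught by a tick shows 0
    t = 0
    next_tick = tick_ms
    for thread, duration_ms in schedule:
        end = t + duration_ms
        while next_tick <= end:      # every tick during this segment is billed to it
            charged[thread] += tick_ms
            next_tick += tick_ms
        t = end
    return dict(charged)


def burst_schedule(periods, tick_ms=TICK_MS):
    """Constructed schedule: thread B runs a 1 ms burst in every interval,
    but thread A is always the one current when the tick fires."""
    schedule = []
    for _ in range(periods):
        schedule += [("A", tick_ms - 3), ("B", 1), ("A", 2)]
    return schedule


if __name__ == "__main__":
    sched = [("A", 8), ("B", 2)]
    print("text example   true:", true_cpu(sched), "charged:", tick_charged_cpu(sched))
    sched = burst_schedule(50)
    print("50 bursts      true:", true_cpu(sched), "charged:", tick_charged_cpu(sched))
```

The total charged time always equals the total elapsed time; only its attribution is skewed, which is why a process that wakes briefly and often (a polling Trojan, for instance) can sit in Task Manager with 0:00:00 CPU Time.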
IX: What is an application
An application is a program written by developers to do a particular job for its users, for example a company's financial management system or personnel management system. A complete set of Windows functionality packaged and distributed to end users is an application.
10th: How to view running processes
There are many ways to view running processes; the easiest is the Task Manager built into Windows. Press Ctrl+Alt+Del to open Task Manager, click the Processes tab, and you will see the list of processes on the system. Alternatively, right-click the taskbar and choose Task Manager.
XI: How to forcibly end a running process
1. Open Terminal Services Manager (or Task Manager).
2. On the Processes tab, right-click the process you want to end (the User column shows which user it belongs to) and click End Process.
Notes:
(1) You must have Full Control permission on the process to end it.
(2) To open Terminal Services Manager, click Start, then Control Panel, double-click Administrative Tools, then double-click Terminal Services Manager.
(3) Ending a process gives no warning and will lose any unsaved data in the user's session.
(4) You may need to end a process because its application has stopped responding.
(5) The tskill command can also be used to end a process.
Terminating a process from the command line
On Windows, only the System process, SMSS.EXE and CSRSS.EXE cannot be killed. The first two are pure kernel-mode processes, and the last is the Win32 subsystem server, which ntsd itself needs. ntsd, shipped with the system since Windows 2000, is a user-mode debugging tool. A process that a debugger has attached to exits together with the debugger, so ntsd can be used to terminate a process from the command line. ntsd automatically acquires debug privilege, so it can kill most processes. ntsd opens a new window that the original command line cannot control, but a simple command such as quit (q) can be passed in from the command line with the -c parameter. ntsd is intended for software developers, so normally only developers use it; see the help file that accompanies NTSD for details. Usage: open a cmd.exe window and type:
ntsd -c q -p PID
Replace PID at the end with the ID of the process to terminate. If you do not know the process ID, open Task Manager -> Processes tab -> View -> Select Columns and tick "PID (Process Identifier)" to show it.
Under XP there are two more useful tools, tasklist and tskill. tasklist lists all processes with their details; tskill kills a process, and its syntax is simple: tskill <program name>.
Some tips that make use of ending processes:
An alternative way to recover a mistakenly deleted VCD file
Nowadays many people copy good VCDs straight to their hard disk. But have you ever deleted one of these classics by mistake? How can they be restored manually without recovery software?
I found an alternative recovery method that worked quite well. First, you need to know the file name of the mistakenly deleted VCD file and the path where it was originally stored. Normally the main VCD video file is in the Mpegav folder in the root of the VCD, and the file name is usually Avseq0?.dat or Music0?.dat, where "?" is a digit (1 to 9). Some VCDs have an intro plus one main file, Avseq01.dat or Music01.dat; some VCDs split the content into two files, the intro in Avseq01.dat or Music01.dat and the main content in Avseq02.dat or Music02.dat.
First, find a file with the same name as the mistakenly deleted file (call it A for now), then copy A into the folder where the deleted file originally was. While the "Copying..." window is showing, press Ctrl+Alt+Del and end the "Copying..." task; if the window does not disappear, press Ctrl+Alt+Del again and end the task. It's that simple; look in the original location of the deleted file, and there it is again. Open it with a media player: only the first few seconds show the content of file A, and the rest plays on without stopping.
Saving a partially copied file
If you often copy MP3, CD, VCD, MPEG, RM or other audio and video files (or files of other types) from CD to the hard disk, you may find that after only a short time Windows displays "Error copying file". If you just press Enter or click OK, the part of the file already copied to the hard disk is discarded.
In fact, if you immediately open Task Manager and end both the error dialog and the "Copying..." task, the file is kept at its original size. It is of course incomplete: when such a file is played, playback stops at the point where the copy broke off.
A trick for games
I use Windows XP Home Edition, and when running some games that support Windows 2000 but not Windows XP, the mouse and keyboard stop responding. One day I found a solution: open Task Manager, end the EXPLORER.EXE process, then click "New Task" and locate the game's executable to run it. In addition, ending the SVCHOST.exe process (the one belonging to the current user name) removes the Windows XP visual style.
12th: Some common processes
Process Name    Description
smss.exe    Session Manager
csrss.exe    Win32 subsystem server process
winlogon.exe    manages user logon
services.exe    Service Control Manager; hosts many system services
lsass.exe    Local Security Authority; also manages IPsec policy and starts the ISAKMP/Oakley (IKE) service and the IPsec driver
svchost.exe    generic host process for services implemented as DLLs (Windows 2000/XP); several instances are normal
SPOOLSV.EXE    print spooler; loads files into memory for later printing
explorer.exe    Windows Explorer (desktop and taskbar)
internat.exe    input locale (language) indicator in the system tray
mstask.exe    Task Scheduler; runs programs at specified times
regsvc.exe    Remote Registry service; allows remote manipulation of the registry (system service "RemoteRegistry")
tftpd.exe    implements the Internet-standard TFTP protocol, which requires no user name or password
llssrv.exe    License Logging service
ntfrs.exe    File Replication Service; keeps the contents of file directories synchronised across multiple servers
RsSub.exe    Remote Storage; controls remote storage media
locator.exe    RPC Locator; manages the RPC name service database
clipsrv.exe    ClipBook service; supports ClipBook Viewer so pages can be cut and pasted from a remote ClipBook
msdtc.exe    Distributed Transaction Coordinator; coordinates transactions that span two or more databases, message queues, file systems or other transaction-protected resource managers
grovel.exe    Single Instance Storage (SIS) groveler; scans a volume for duplicate files and points them at a single stored copy to save disk space (NTFS only)
snmp.exe    SNMP agent; monitors the activity of network devices and reports to the network console workstation
These are processes the system needs in order to run; do not kill them casually or the system may stop working normally. Note also that malware often borrows these names, so check that a process with one of these names runs from its expected directory rather than trusting the name alone.
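Both the rundll32.exe location check above and the list of common process names lead to the same manual step: compare each well-known image name with the directory it is actually running from. The following script is an added example, not code from the article or from Windows. It parses process records in the CSV layout that "wmic process get Name,ProcessId,ExecutablePath /format:csv" prints on Windows 2000/XP and later, but the records below are constructed by hand so the check runs offline. The C:\Windows system root and the SysWOW64 entries are assumptions for a 64-bit installation; on Windows 2000 the root is usually C:\WINNT, and on Windows 98 rundll32.exe lives in the Windows directory as the text says, so adjust the table accordingly.

```python
"""Flag well-known Windows process names running from unexpected directories.

Added example for this article, not code from the article or from Windows.
Input mimics the CSV printed by
    wmic process get Name,ProcessId,ExecutablePath /format:csv
but the sample below is constructed so the check runs offline.
"""
import csv
from pathlib import PureWindowsPath

SYSTEM_ROOT = PureWindowsPath(r"C:\Windows")  # assumption; C:\WINNT on Windows 2000

# Directory (relative to %SystemRoot%) each image is expected to run from.
# An empty string means the image sits directly in %SystemRoot%, as
# explorer.exe does. SysWOW64 holds the 32-bit copies on 64-bit Windows.
EXPECTED_DIRS = {
    "smss.exe": ("System32",),
    "csrss.exe": ("System32",),
    "winlogon.exe": ("System32",),
    "services.exe": ("System32",),
    "lsass.exe": ("System32",),
    "svchost.exe": ("System32", "SysWOW64"),
    "spoolsv.exe": ("System32",),
    "rundll32.exe": ("System32", "SysWOW64"),
    "explorer.exe": ("",),
}

# Digit-for-letter swaps commonly used to fake a system process name
# (svch0st.exe, 1sass.exe, rundl132.exe).
LOOKALIKE = str.maketrans({"0": "o", "1": "l", "5": "s"})
FOLDED_KNOWN = {name.translate(LOOKALIKE): name for name in EXPECTED_DIRS}

# Constructed sample output; not captured from a real machine.
SAMPLE_WMIC_CSV = r"""
Node,ExecutablePath,Name,ProcessId
PC1,,System,4
PC1,\SystemRoot\System32\smss.exe,smss.exe,368
PC1,C:\Windows\system32\csrss.exe,csrss.exe,420
PC1,C:\Windows\explorer.exe,explorer.exe,1320
PC1,C:\Windows\System32\rundll32.exe,rundll32.exe,1760
PC1,C:\Documents and Settings\user\Local Settings\Temp\rundll32.exe,rundll32.exe,2044
PC1,C:\Windows\System32\svchost.exe,svchost.exe,900
PC1,C:\Windows\svch0st.exe,svch0st.exe,1988
PC1,C:\Program Files\Acme\acme.exe,acme.exe,2200
"""


def parse_wmic_csv(text):
    """Return (name, pid, path) tuples from wmic /format:csv output."""
    rows = [line for line in text.splitlines() if line.strip()]  # wmic starts with a blank line
    return [(r["Name"], int(r["ProcessId"]), r["ExecutablePath"])
            for r in csv.DictReader(rows)]


def check_processes(records, system_root=SYSTEM_ROOT):
    """Return (pid, name, reason) for processes that look like masquerades."""
    findings = []
    for name, pid, path in records:
        key = name.lower()
        if key not in EXPECTED_DIRS:
            folded = key.translate(LOOKALIKE)
            if folded in FOLDED_KNOWN:
                findings.append((pid, name, "lookalike of %s" % FOLDED_KNOWN[folded]))
            continue
        if not path:
            continue  # wmic prints no path for the kernel's System process or on access denied
        if path.lower().startswith("\\systemroot\\"):
            # smss.exe reports its image as \SystemRoot\System32\smss.exe
            path = str(system_root) + path[len("\\systemroot"):]
        parent = PureWindowsPath(path).parent
        allowed = [system_root / d if d else system_root for d in EXPECTED_DIRS[key]]
        if parent not in allowed:  # PureWindowsPath compares case-insensitively
            findings.append((pid, name, "runs from %s, expected %s"
                             % (parent, " or ".join(str(a) for a in allowed))))
    return findings


if __name__ == "__main__":
    for pid, name, reason in check_processes(parse_wmic_csv(SAMPLE_WMIC_CSV)):
        print(f"PID {pid:>5} {name:<14} {reason}")
```

On a live machine, save the wmic output to a file and feed it to parse_wmic_csv; tasklist alone is not enough for this check because it reports names but not image paths.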
13th: What is phishing
What is phishing?
Phishing is fraud in which the attacker uses deceptive e-mails and fake web sites; victims are tricked into disclosing private information such as credit card numbers, bank account numbers and ID numbers. Fraudsters usually impersonate trusted brands such as online banks, online retailers and credit card companies to extract the user's private information.
How to guard against phishing?
Do not leave information on the Internet that could prove your identity, including phone numbers, ID numbers and bank card numbers.
Do not send private information over the network: bank card numbers, ID numbers, e-commerce account details and the like should not be sent through QQ, MSN, e-mail or similar communication software, since these channels can be used by attackers to commit fraud.
Do not trust news circulating on the Internet unless an authoritative source confirms it. Web forums, newsgroups, QQ and so on often carry rumours planted to steal users' identity information.
Do not disclose your real details when registering on web sites: home address, home phone, mobile number, the bank accounts you use, the places you usually shop. Fraudsters may use such information to deceive your friends.
Important matters such as financial transactions, commercial contracts and work should not be conducted solely over the network; fraudsters may learn the user's information through these channels and seize the opportunity to commit fraud.
Do not trust prize, promotion or similar notices published in e-mail, web forums and elsewhere unless confirmed by other means. Legitimate companies generally do not send prize notifications and promotional messages to users by e-mail, whereas fraudsters often use exactly this approach.
14th: What is browser hijacking
Browser hijacking is the tampering of a user's browser by a malicious program, through DLL plug-ins, Browser Helper Objects (BHOs), Winsock Layered Service Providers (LSPs) and similar mechanisms. When the user tries to visit a normal web page the browser is redirected to a malicious one, and IE's home page, search page and similar settings are changed by the hijacking software to a site of the attacker's choosing.
How to prevent browser hijacking, and what to do once hijacked?
Browser hijacking takes many forms, from the simplest change of IE's default search page to complex cases where a virus modifies system settings and installs a resident component that performs the hijacking. Users should take the following measures:
Do not visit dubious sites.
Do not install shareware of unknown origin or pirated software.
Use a browser with a good security record and adjust its security settings to your needs.
If you install browser plug-ins, obtain them from the browser vendor's official site wherever possible.
15th: What is malicious shareware
Malicious shareware is shareware that is forced onto the user's computer by improper or non-transparent bundling, that uses techniques common to viruses to make itself hard to uninstall, or that uses illegal means to force users to pay for it. When installing shareware, note the following: read the software's installation agreement carefully rather than just clicking "Next" until it is installed.
Do not install pirated software from dubious sources; such software is often incomplete because of the crack, and installing it carries security risks.
Before using software with destructive capabilities, such as disk defragmentation or partitioning tools, make sure you understand exactly what it does, to avoid irreparable loss through misuse.
16th: How to better prevent computer viruses
Preventing illness is one of the most basic requirements of good health; prevention matters more than cure. The same holds for computer viruses: developing good habits in how you use and manage the computer is the most important way to keep it free of viruses. To reduce virus infections, we suggest the "three turn-ons and three guards" routine.
The "three turn-ons": when installing a new system, apply the system patches, since malignant worms such as Sasser usually spread through vulnerabilities and patching prevents that kind of infection; when going online, turn on the antivirus software's real-time monitoring so that viruses cannot enter the computer over the network; when playing online games, turn on the personal firewall, which isolates the computer from outside contact with viruses and prevents Trojans from stealing data.
The "three guards": guard against e-mail viruses by scanning incoming messages first and not opening attachments carried by unknown mail; guard against Trojans, which generally spread through malicious web sites, by scanning every file downloaded from the Internet before running it; and guard against malicious "friends", since many Trojans spread through MSN, QQ and other instant messaging software or e-mail, and if one of your online friends is infected, all of that person's contacts may be attacked.
17th: How to remove a virus cleanly
1. Remove the virus in Safe Mode or pure DOS mode.
When dealing with an infected computer, most viruses can be removed completely in normal mode, where "normal mode" (sometimes loosely called real mode) means Windows' normal mode together with the "MS-DOS mode" or "Command Prompt" available from it. But some viruses use more covert techniques, such as terminating or disabling antivirus software; for these, most antivirus vendors recommend booting into Safe Mode and running the cleanup there.
Cleaning in Safe Mode or pure DOS: for most of the viruses currently in circulation, such as worms, Trojans and web-script viruses, cleaning in Safe Mode is more thorough than cleaning in normal mode, because fewer of the malicious components are loaded and able to resist removal. When cleaning under DOS, boot from a clean floppy. Moreover, if the computer was already infected before antivirus software was installed, install the antivirus software (updated to the latest virus database) and then clean it again in Safe Mode or pure DOS.
2. Infected files in the Temporary Internet Files directory
Because Windows protects the files in this directory to some degree, infected files there cannot be removed even in Safe Mode. In that case close other programs, open IE, choose Tools -> Internet Options, click "Delete Files", and when prompted "Delete all offline content", select that too.
3. Infected files in the _Restore directory (*.cpy files)
This directory holds files saved by System Restore and exists only on Windows Me/XP; the system protects it.
To clean it, disable the "System Restore" feature, then delete the infected files or even the whole directory.
4. Infected files inside .rar, .zip, .cab and other compressed archives
Most current antivirus software can scan and clean inside compressed files, but some special archive formats, or password-protected archives, may simply be deleted instead.
To clean a virus in an archive, extract it first and then scan, or use the antivirus plug-in of the compression tool to scan the infected archive.
5. Viruses in the boot sector, or in SUHDLOG.DAT or SUHDLOG.BAK
These are usually boot sector viruses; their reported names generally contain "boot" or "wyx". If the virus is on a removable storage device (floppy, flash disk, portable hard disk) rather than on the local hard disk, antivirus software can remove it directly.
If the virus is on the hard disk, boot from a clean bootable disk to remove it. It is recommended to clean such viruses after booting from a clean floppy, but back up the original boot sector first, especially when other operating systems such as Japanese Windows or Linux are installed. If no clean bootable disk is available, the following emergency procedure can be used:
(1) On another, clean computer, make a boot disk; under Windows 95/98/Me this is done from "Add/Remove Programs". Note that the boot disk must be made on the same operating system as the infected machine uses;
(2) boot the infected computer from the floppy and run the following commands:
A:\> fdisk /mbr
A:\> sys a: c:
On NT-based operating systems, install the Recovery Console first, then start it and run the fixmbr (rewrite the master boot record) and fixboot (rewrite the boot sector of the boot partition) commands to repair the boot area and startup information.
If the infected file is SUHDLOG.DAT or SUHDLOG.BAK, simply delete it. These are backups of the hard disk's boot sector made when the system was installed; they are rarely of any use, and the virus inside them cannot run.
6. Infected files inside mail files such as dbx, eml, box
Most antivirus software can check whether the messages inside a mail file are infected and, according to the user's settings, either clean or delete infected messages. Because of the compound structure of these mail files, a scan after cleaning may still detect the virus; this is because the mail store has not been compacted to release the space. In Outlook Express, choose Tools -> Options -> Maintenance -> Clean Up Now -> Compact.
7. Residual virus code in files
This is common with CIH, Funlove and macro viruses (Word, Excel, PowerPoint and WordPro document macro viruses), and with residual virus code in individual web pages. Antivirus software usually reports such residue with a virus name ending in a suffix such as int or app, for example W32/FunLove.app or W32.Funlove.int, although this is not universal. In general the residual code does not affect normal program operation and does not spread; if removal is required, handle it according to the particular virus.
8. File errors
This is uncommon. It is usually caused by a virus modifying key system files so that they no longer work, which can also trigger other system errors. The recommended fix is to reinstall in order to restore the key system files.
9. Encrypted files or directories
Decrypt encrypted files or directories before scanning them for viruses.
10. Cleaning shared directories
Two cases: a locally shared directory, and a remote shared directory (including mapped drives).
When a virus file in a local shared directory cannot be removed, it is usually because other LAN users have it open for reading or writing; the virus is then reported but not removed. If a virus on another machine is actively writing to the directory, the scan keeps removing files but new infected or virus files keep appearing. In both cases, stop sharing the directory, clean it thoroughly, and when re-sharing be careful not to grant excessive permissions and to protect the share with a password. When cleaning a remote shared directory (including mapped drives), first make sure the local computer is clean and that you have full read and write permission on the share. If the remote computer is infected, it is best to clean it on the remote computer itself.
In particular, when removing other viruses it is advisable to cancel all local shares first and then clean. In everyday use, pay attention to the security of shared directories: add passwords, and unless it is necessary do not open files in a remote share directly; copy them locally and scan them for viruses before opening them.
11. CD-ROMs and other storage media
Do not try to clean a virus on a CD-ROM directly; the files on a CD are read-only. Likewise, when cleaning other storage devices, check whether they are write-protected or password-protected.