Saturday, May 7, 2011
[Weak Current College] Four good ways to identify virus files
When we scan with antivirus software it often flags a great many "viruses", and many people, with a "better to kill a thousand by mistake than let one go" attitude, delete everything it reports. Deleting everything is in fact not advisable: an infected system file should not simply be deleted. Below are several ways to identify virus files; I hope they help everyone.
1. File time
If the computer feels wrong but an antivirus scan shows nothing, or it removes part of a virus and the machine still feels wrong, you can check the timestamps of the suspicious files.
A file's times are its creation time and its modification time (there is also an access time, which we can ignore). You can see them in the file's properties: right-click the file, choose Properties, and look at the General tab.
A virus or Trojan file usually has fairly recent creation and modification times; if you catch it early they fall on the same day or within the last few days. C:\windows and C:\windows\system32, and sometimes C:\windows\system32\drivers (on a Windows 2000 system read winnt for windows), are the places viruses and Trojans most often settle. Sort these folders by time (switch to Details view, then click the "Modified" column header) and look at the files modified in the last few days, paying particular attention to .exe and .dll files, and sometimes .dat, .ini and .cfg files. Normal files can also carry a fairly recent modification time, so anything that cannot be confirmed is set aside; concentrate on finding .exe and .dll files, and after them other executable files. Generally speaking, system files, especially .exe and .dll files, do not have such fresh modification times.
Of course, Windows updates or installing other applications also change these times, so compare against the creation time: you should know what software you installed and when, and if you really do not, use the search feature to find which folders on the hard drive were created around that time, which shows what application was installed then. As long as the time matches something you did, the file is normal. If you are still not satisfied, remove it as a virus.
Note that not all recent files are viruses, and not all virus files have recent times; some virus files even show dates from several years ago.
Of course there are other ways to tell.
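As an added example (not code from the original post), the PowerShell snippet below does the time check described above over all three folders at once: it lists executable-type files written within the last few days, newest first, with the creation time beside the modification time so that a freshly dropped file can be told apart from a patched one. The folder list, the extension list and the 7-day window are the editor's assumptions; on Windows 2000 substitute winnt for windows.

```powershell
# Added example, not part of the original post. Lists recently modified files of the
# types the post singles out, in the folders it names, newest first.
# Assumptions: Windows PowerShell 5.1 or later on an English Windows install.
$Days       = 7                                   # "the last few days" window
$Extensions = '.exe', '.dll', '.sys', '.dat', '.ini', '.cfg'
$Folders    = @(
    $env:SystemRoot,                              # C:\windows (C:\winnt on Windows 2000)
    "$env:SystemRoot\system32",
    "$env:SystemRoot\system32\drivers"
)

function Get-RecentSystemFiles {
    param([int]$WithinDays = $Days)
    $cutoff = (Get-Date).AddDays(-$WithinDays)
    foreach ($folder in $Folders) {
        Get-ChildItem -LiteralPath $folder -File -ErrorAction SilentlyContinue |
            Where-Object {
                $Extensions -contains $_.Extension.ToLower() -and
                $_.LastWriteTime -gt $cutoff
            } |
            ForEach-Object {
                [pscustomobject]@{
                    File     = $_.FullName
                    Created  = $_.CreationTime
                    Modified = $_.LastWriteTime
                    # Created inside the window as well: newly dropped, not merely updated.
                    NewFile  = ($_.CreationTime -gt $cutoff)
                    SizeKB   = [math]::Round($_.Length / 1KB, 1)
                }
            }
    }
}

# Newest first, the same order as clicking the "Modified" column header in Details view.
Get-RecentSystemFiles | Sort-Object Modified -Descending | Format-Table -AutoSize
```

Rows with NewFile set to True are the ones to reconcile against software installed that day, as the post suggests. Timestamps are evidence, not proof: Windows Update and installers rewrite system files legitimately, and, as the post notes, some virus files carry old dates, so an empty list from this script does not clear the machine.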
2. File name
The file name is the first impression, and judging a suspect primarily by its name is the most direct way. The reason the time check comes first is that picking a suspect out of a pile of files is too hard otherwise; it is easier once they are sorted by time.
The random combinations of letters (and sometimes digits, less often) we keep talking about are a favourite naming habit of viruses. (Some legitimate software has been found using this strange habit too, for example Yahoo Internet Assistant, where every file name is different, which makes its motives suspect; the modem driver also seems to use random combinations, but fortunately there is information that helps tell the manufacturer apart, which is covered next.)
Then there is the length of the file name: some go well beyond the old 8-character standard, to several tens of characters, and these should be listed as suspicious, especially when such names appear among IE plug-ins.
Of course, "weird random combination" is not a precise standard; to someone unfamiliar with computers every English file name may look like a strange, meaningless combination. So judging by file name works better once you have some familiarity with the files in the system folders and with ordinary files. At first, combined with the time check above and the other common means of judgement, it can still turn something up.
Another trick is imitating a normal or system file name, which is easier to identify, for example svchost.exe and svch0st.exe: obviously the latter impersonates the former. This kind is exposed more easily, provided you are fairly familiar with system file names; opening Task Manager to learn them is worthwhile.
The same applies to the service names, driver names and registry startup item names that correspond to a file name. Relatively speaking, if an item's name carries no recognisable meaning it is probably a virus; few manufacturers give their own software's services, drivers and startup items a meaningless random name. If a service, driver or startup item looks wrong, the file it uses must be checked.
If you are really not sure, search the Internet for the file name (sometimes including the full path, since same-named files in different paths are not necessarily the same, as discussed later), the service name, the driver name or the startup key name, and see what others say. Especially when nothing can be found, or when the service, driver or startup item does not match the file name others report (a service name that is associated online with a different file, or vice versa), it can be classed as suspicious.
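The three naming rules above (random-looking letter and digit strings, names far longer than the old 8-character limit, and look-alikes such as svch0st.exe for svchost.exe) can be turned into a small checker. This is an added example, not code from the original post; the known-name list, the digit-to-letter map and the "random-looking" test are the editor's own simplifications, and the sample names fed to it at the end are constructed, not real findings.

```powershell
# Added example, not part of the original post. Scores a file name by the three
# naming rules the post describes. The known-name list, the character map and the
# "random-looking" test are the editor's own simplifications (assumptions).
$KnownSystemNames = 'svchost', 'explorer', 'userinit', 'ctfmon', 'lsass', 'csrss',
                    'winlogon', 'services', 'smss', 'spoolsv', 'rundll32'

# Digits commonly swapped for the letters they resemble (svch0st -> svchost).
$LookAlikeMap = @{ '0' = 'o'; '1' = 'l'; '3' = 'e'; '5' = 's'; '7' = 't'; '8' = 'b' }

function Get-NormalizedBaseName([string]$BaseName) {
    $chars = foreach ($ch in $BaseName.ToLower().ToCharArray()) {
        $key = [string]$ch
        if ($LookAlikeMap.ContainsKey($key)) { $LookAlikeMap[$key] } else { $key }
    }
    return (-join $chars)
}

function Test-RandomLooking([string]$BaseName) {
    # Crude test: six or more characters without a single vowel, or a run of five
    # consonants/digits. Expect false positives on acronym-style names (msvcrt).
    $b = $BaseName.ToLower()
    return ($b.Length -ge 6 -and $b -notmatch '[aeiouy]') -or ($b -match '[^aeiouy]{5,}')
}

function Test-FileName([string]$Name) {
    # Returns the reasons the name looks suspect; an empty list means nothing noted.
    $base    = [System.IO.Path]::GetFileNameWithoutExtension($Name)
    $ext     = [System.IO.Path]::GetExtension($Name)
    $reasons = @()
    if ($base.Length -gt 20)      { $reasons += "very long name ($($base.Length) chars)" }
    if (Test-RandomLooking $base) { $reasons += 'random-looking letters/digits' }
    $norm = Get-NormalizedBaseName $base
    if ($norm -ne $base.ToLower() -and $KnownSystemNames -contains $norm) {
        $reasons += "look-alike of $norm$ext"
    }
    return ,$reasons
}

function Get-SuspiciousNames([string]$Folder) {
    Get-ChildItem -LiteralPath $Folder -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in '.exe', '.dll', '.sys' } |
        ForEach-Object {
            $reasons = Test-FileName $_.Name
            if ($reasons.Count -gt 0) {
                [pscustomobject]@{ Name = $_.Name; Reasons = ($reasons -join '; ') }
            }
        }
}

# Constructed sample names (not real findings) showing what each rule catches.
foreach ($n in 'svch0st.exe', 'xkqzwrtp.dll', 'explorer.exe', 'msvcrt.dll',
               'a1b2c3d4e5f6g7h8i9j0k1l2m3.dll') {
    '{0,-32} {1}' -f $n, ((Test-FileName $n) -join '; ')
}
# Then run it over a system folder:
# Get-SuspiciousNames "$env:SystemRoot\system32" | Format-Table -AutoSize
```

The constructed msvcrt.dll entry is there on purpose: it is a genuine Microsoft C runtime name that the vowel rule flags, which is exactly the post's warning that "random-looking" is not a precise standard and that name checks need the time check, the version information and some familiarity with the system folders behind them.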
3. Version information
When the file time is inconclusive, check the file's version information, which is also in the file's properties: file version, manufacturer information and so on. Be clear first that not every file has version information, not every file without version information is a virus, and not every file displaying Microsoft information is really Microsoft's.
Combining the file name, the file date and then the file version usually yields a result: a strangely named file that displays Microsoft vendor information is obviously suspicious; a file that should be a proper system file (such as explorer.exe or userinit.exe) but has no version information may have been replaced by a virus or damaged; if the manufacturer information of soundman.exe turns out to be "1", you can consider deleting it, since that is not what a sound card program should show.
Besides the original manufacturer, the version information also records a file name, and sometimes you will find that the name recorded there differs from the name of the file you are checking; that is not right either.
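The version fields the post reads from the Properties dialog can be pulled out programmatically, and a practitioner would add one cross-check the post does not use: the Authenticode signature, because "Microsoft" in a version resource is just a string anyone can write. The snippet below is an added example, not code from the original post; the list of files that must carry version information is the editor's pick, extended from the post's explorer.exe and userinit.exe examples.

```powershell
# Added example, not part of the original post. Shows the version resource the post
# reads (company, description, version, original file name) and adds the
# Authenticode signature status as a cross-check.
# Assumptions: Windows PowerShell 5.1 or later; $MustHaveVersionInfo is the editor's
# own list, based on the post's explorer.exe / userinit.exe examples.
$MustHaveVersionInfo = 'explorer.exe', 'userinit.exe', 'svchost.exe', 'winlogon.exe', 'lsass.exe'

function Get-FileIdentity([string]$Path) {
    $item   = Get-Item -LiteralPath $Path
    $vi     = $item.VersionInfo                      # System.Diagnostics.FileVersionInfo
    $sig    = Get-AuthenticodeSignature -FilePath $item.FullName
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

    $notes = @()
    $hasVersion = -not [string]::IsNullOrWhiteSpace($vi.CompanyName) -or
                  -not [string]::IsNullOrWhiteSpace($vi.FileVersion)
    if (-not $hasVersion -and $MustHaveVersionInfo -contains $item.Name.ToLower()) {
        $notes += 'system file without version info (replaced or damaged?)'
    }
    # Localised Windows builds report the resource name with a .mui suffix
    # (EXPLORER.EXE.MUI); strip it before comparing with the on-disk name.
    $orig = [string]$vi.OriginalFilename -replace '\.mui$', ''
    if ($orig -and $orig -ine $item.Name) {
        $notes += "version resource names the file '$orig'"
    }
    $claimsMicrosoft   = $vi.CompanyName -like '*Microsoft*'
    $signedByMicrosoft = $sig.Status -eq 'Valid' -and $signer -like '*O=Microsoft Corporation*'
    if ($claimsMicrosoft -and -not $signedByMicrosoft) {
        $notes += "claims Microsoft but signature status is $($sig.Status)"
    }

    [pscustomobject]@{
        Name         = $item.Name
        Company      = $vi.CompanyName
        Description  = $vi.FileDescription
        Version      = $vi.FileVersion
        OriginalName = $vi.OriginalFilename
        Signature    = $sig.Status                   # Valid, NotSigned, HashMismatch, UnknownError ...
        Signer       = $signer
        Notes        = ($notes -join '; ')
    }
}

# The post's own examples plus every exe/dll sitting directly in the windows folder.
$targets = @("$env:SystemRoot\explorer.exe", "$env:SystemRoot\system32\userinit.exe") +
           @(Get-ChildItem -LiteralPath $env:SystemRoot -File -ErrorAction SilentlyContinue |
                 Where-Object { $_.Extension -in '.exe', '.dll' } |
                 ForEach-Object { $_.FullName })

$targets | Where-Object { Test-Path -LiteralPath $_ -PathType Leaf } |
    ForEach-Object { Get-FileIdentity $_ } |
    Format-Table Name, Company, Version, OriginalName, Signature, Notes -AutoSize
```

A HashMismatch status means the file has been altered since it was signed, which matches the post's "replaced or damaged" case. On older Windows versions, system files that are signed only through a catalog may report NotSigned even when genuine, so treat NotSigned as a prompt to look closer, not as a verdict.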
4. Location
The places viruses and Trojans like to stay are the system folders: windows, windows\system32 and windows\system32\drivers, plus C:\Program Files\Internet Explorer, C:\Program Files\Internet Explorer\plugins and Program Files\Common Files\Microsoft Shared, as well as the temporary folders and the IE cache.
The temporary folders, C:\Documents and Settings\<your username>\Local Settings\Temp and C:\windows\temp, must be cleared first; you can delete their contents boldly, good or bad, deleting them does no harm. The IE cache should also be cleared, not by going into the folder but from the IE menu: Tools, Internet Options, Delete Files, Delete all offline content. Preferably also set, under Advanced, the option to empty the temporary files folder when the browser is closed, which saves trouble.
For the other folders, see whether files exist that have no business there; for example, in the Windows folder, what are Rising files doing (Kaka does sit there), or RealPlayer files: these are definitely suspicious. If svchost.exe or ctfmon.exe suddenly appears in the windows folder or any other folder instead of in system32, where it belongs, it can be judged a virus. Naturally you can combine this with the several judgement methods above. Sometimes it comes down to experience; folders with fewer files are easier to judge and anything odd is easy to spot, for instance the windows folder or the ie folder: one look and you basically know who is who, and one or two extra exe or DLL files can be found at once (a lot of rogue software likes to squeeze in here).
Then there are the registry startup items. Startup items that point into windows are basically input methods and sound management, and the more suspicious ones; those that point into System32 deserve a closer look. If you are uncertain what one does, search for the file name online. If you find a startup item pointing into the Fonts folder, do not even think about it: there is a problem.
For services and drivers, check those whose files are not in system32 or system32\drivers (those inside are checked as a matter of course, so those outside even more so).
Besides folder locations there are registry locations. Apart from the few Run startup keys, there is the image hijack (IFEO) key: check each entry's Debugger value, and it is important to be aware of it. Except for the last entry, "Your Image File Name Here without a path" with Debugger = ntsd -d, the others should not be there. Whenever we find a hijack (other than "immunity" entries, where a known virus program name is hijacked to a nonexistent file so that it cannot run), find the hijacking file, which is the file named after Debugger, and delete it together with the registry key. But note that some hijacks now point not to a virus file but to a system file or a command, such as svchost.exe or ntsd -d; do not delete that file, just delete the registry entry.
Also note the registry value AppInit_DLLs, which should normally be empty (exception: Kaka puts one of its files here); if it has a value, find the file by that name and remove the virus. The Userinit value is another, which should also normally hold nothing extra; many infections change it in a way that looks normal at a glance.
I recommend using SREng to examine these; it is more convenient and automatically flags the modifications above.
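The location checks above (well-known system file names sitting in the windows folder instead of system32, IFEO Debugger entries, AppInit_DLLs, Userinit and the Run startup keys) are what SREng reports; the following added example reads the same places directly and is not code from the original post or from SREng. The registry paths are the standard ones, and the expected default values quoted in the comments (an empty AppInit_DLLs, and Userinit holding only userinit.exe followed by a comma) are the editor's knowledge of Windows rather than something the post states.

```powershell
# Added example, not part of the original post. Checks the locations the post names:
# misplaced system files, IFEO Debugger entries, AppInit_DLLs, Userinit, Run keys.
# Run from an elevated PowerShell prompt (Windows PowerShell 5.1 or later).
# Default values in comments are the editor's knowledge of Windows, not the post's.
$NtVersion = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

# svchost.exe, ctfmon.exe and friends belong in system32; a copy directly in the
# windows folder is what the post says to treat as a virus.
function Find-MisplacedSystemFiles {
    $belongInSystem32 = 'svchost.exe', 'ctfmon.exe', 'lsass.exe', 'csrss.exe',
                        'services.exe', 'winlogon.exe', 'userinit.exe'
    Get-ChildItem -LiteralPath $env:SystemRoot -File -ErrorAction SilentlyContinue |
        Where-Object { $belongInSystem32 -contains $_.Name.ToLower() } |
        Select-Object FullName, CreationTime, LastWriteTime
}

# First token of a command line: the file a Debugger or Run value actually launches.
function Get-CommandFile([string]$CommandLine) {
    if (-not $CommandLine) { return '' }
    if ($CommandLine.StartsWith('"')) { return $CommandLine.Split('"')[1] }
    return ($CommandLine -split '\s+')[0]
}

function Get-IfeoDebuggers {
    Get-ChildItem -Path "$NtVersion\Image File Execution Options" -ErrorAction SilentlyContinue |
        ForEach-Object {
            $dbg = (Get-ItemProperty -LiteralPath $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
            if (-not $dbg) { return }                      # no Debugger value: nothing to report
            # The one entry the post says is legitimate: the placeholder key with "ntsd -d".
            $placeholder = $_.PSChildName -eq 'Your Image File Name Here without a path' -and $dbg -match '^ntsd'
            $file   = Get-CommandFile $dbg
            $exists = if ($file) { Test-Path -LiteralPath $file -PathType Leaf } else { $false }
            [pscustomobject]@{
                Image        = $_.PSChildName
                Debugger     = $dbg
                Normal       = $placeholder
                TargetExists = $exists                     # $false: "immunity"-style entry or a bare command name
            }
        }
}

function Get-LogonValues {
    $appinit  = (Get-ItemProperty -Path "$NtVersion\Windows"  -Name AppInit_DLLs -ErrorAction SilentlyContinue).AppInit_DLLs
    $userinit = (Get-ItemProperty -Path "$NtVersion\Winlogon" -Name Userinit     -ErrorAction SilentlyContinue).Userinit
    [pscustomobject]@{
        AppInit_DLLs      = $appinit
        AppInitIsEmpty    = [string]::IsNullOrWhiteSpace($appinit)                          # expected $true
        Userinit          = $userinit
        UserinitIsDefault = ($userinit -ieq "$env:SystemRoot\system32\userinit.exe,")       # default keeps the trailing comma
    }
}

function Get-RunEntries {
    $meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'   # provider metadata, not startup items
    foreach ($key in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                     'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run') {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -in $meta) { continue }
            $cmd  = [string]$p.Value
            $file = Get-CommandFile $cmd
            [pscustomobject]@{
                Hive          = $key.Split(':')[0]
                Name          = $p.Name
                Command       = $cmd
                InFontsFolder = ($file -like "$env:SystemRoot\Fonts\*")                       # the post: always a problem
                InWindowsRoot = ($file -like "$env:SystemRoot\*" -and $file -notlike "$env:SystemRoot\*\*")
            }
        }
    }
}

Find-MisplacedSystemFiles | Format-Table -AutoSize
Get-IfeoDebuggers | Where-Object { -not $_.Normal } | Format-Table -AutoSize
Get-LogonValues   | Format-List
Get-RunEntries    | Format-Table -AutoSize
```

An IFEO row whose TargetExists is False is either an "immunity" entry in the post's sense or a Debugger that names a bare command such as ntsd; a row where the target is a real file is the one to look at, and, as the post says, when that target is a genuine system file only the registry entry should go.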
Conclusion:
Honestly, picking a suspicious file name out of a pile of English names is hard. Using the methods together, combined with tool software that displays things by category, is the shortest route. For example, SREng lists services and drivers with their names, files and paths side by side: at a glance it is obvious when a name is arbitrary, and after checking the file name things are clear. Some careful authors impersonate system service names, but comparing against a normal system, or even searching online, still finds the problem: hide the Microsoft services and the non-Microsoft ones are exposed, and if a service sits on top of or right next to a system service name, it certainly has a problem, either a normal service has been changed or an extra one has been added.
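The side-by-side listing of services and drivers with their files that the conclusion describes SREng producing, including its "hide Microsoft services" view, can be reproduced from PowerShell. This is an added example, not code from the original post or from SREng; using a valid Microsoft Authenticode signature on the binary as the definition of "Microsoft service" is the editor's substitution for whatever SREng uses internally.

```powershell
# Added example, not part of the original post. Lists services and kernel drivers
# with the file each one runs and hides those whose file carries a valid Microsoft
# signature, so that everything else stands out. Run from an elevated prompt on
# Windows PowerShell 5.1 or later. The signature-based definition of "Microsoft
# service" is the editor's assumption, not SREng's method.

# Service PathName values come in several shapes; reduce each to the file path.
function Get-ServiceBinaryPath([string]$PathName) {
    if (-not $PathName) { return '' }
    $p = if ($PathName.StartsWith('"')) { $PathName.Split('"')[1] } else { ($PathName -split '\s+')[0] }
    $p = $p -replace '^\\\?\?\\', ''                               # \??\C:\...            -> C:\...
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"          # \SystemRoot\System32\... (drivers)
    if ($p -match '^system32\\') { $p = "$env:SystemRoot\$p" }     # System32\drivers\x.sys (drivers)
    return $p
}

function Get-NonMicrosoftServices {
    $entries = @(Get-CimInstance -ClassName Win32_Service) + @(Get-CimInstance -ClassName Win32_SystemDriver)
    foreach ($e in $entries) {
        $file   = Get-ServiceBinaryPath $e.PathName
        $exists = $file -and (Test-Path -LiteralPath $file -PathType Leaf)
        $sig    = if ($exists) { Get-AuthenticodeSignature -FilePath $file } else { $null }
        $signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        $isMicrosoft = $sig -and $sig.Status -eq 'Valid' -and $signer -like '*O=Microsoft Corporation*'
        if ($isMicrosoft) { continue }                              # "hide Microsoft services"
        [pscustomobject]@{
            Type        = $e.CimClass.CimClassName -replace '^Win32_', ''
            Name        = $e.Name
            DisplayName = $e.DisplayName
            State       = $e.State
            StartMode   = $e.StartMode
            File        = $file
            Signature   = if ($sig) { [string]$sig.Status } elseif ($exists) { 'n/a' } else { 'file not found' }
            Signer      = $signer
        }
    }
}

Get-NonMicrosoftServices | Sort-Object Type, Name | Format-Table -AutoSize
```

Two things to read the output with: a service whose file is "file not found" is the orphaned or "immunity"-style case and needs the same treatment as the post gives missing hijack targets, and services hosted by svchost.exe are hidden by this filter because svchost.exe itself is Microsoft's, so for those the file to examine is the one named in the service's Parameters\ServiceDll registry value, which the post's file-name and version checks apply to in the same way.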