First, check whether a trojan exists on your computer.
1. integrate into the program
In fact, a Trojan is also a server-client program. To prevent users from easily deleting it, it is often integrated into the program. Once the user activates the trojan program, then, the trojan file is bundled with an application and uploaded to the server to overwrite the original file. Even if the trojan is deleted, you only need to run the application bound with the Trojan, the trojan will be installed again. Bind to an application. If it is bound to a system file, every Windows Startup starts a Trojan.
2. Hide it in the configuration file
The trojan is really tricky. I know that cainiao usually use a graphical interface operating system. Most configuration files that are not very important are ignored, this provides a hiding place for Trojans. In addition, with the special functions of the configuration file, Trojans can easily run and attack on everyone's computers to gain a peek or monitor everyone. However, this method is not very concealed and easy to detect. Therefore, loading Trojans in autoexec. BAT and config. sys is rare, but it cannot be ignored.
3. lurking in win. ini
To control or monitor a computer, a Trojan must run. However, no one is stupid enough to run it on his own computer. Of course, Trojans are also prepared to know that humans are highly intelligent animals and will not help them. Therefore, they must find a safe and automatic place to run during system startup, so it lurks in win. INI is a pleasant place for Trojans. You may wish to open win. INI. In its [windows] field, the startup commands "load =" and "run =" are included. In general, "=" is followed by a blank space, for example, run = c: \ windows \ file.exe load = c: \ windows \ file.exe
At this time, you have to cancel it. This file.exe may be a Trojan.
4. Disguise in common files
This method appeared late, but it is very popular now. It is easy to be fooled by unskilled windows operators. The specific method is to disguise the executable file as an image or text-change the icon to the default image icon for windows in the program, and then change the file name to * .jpg.exe, because the default value of Win98 is "do not display the known file suffix", the file will be displayed *. JPG. If you don't pay attention to it, this icon will be a Trojan (if you embed an image in the program, it will be more perfect ).
5. built-in to the Registry
The above method made the trojan really comfortable for a while. No one can find it and it can run automatically. It's so fast! However, it is not a long time for humans to immediately hack it out and severely punish it! However, after summing up the lessons of failure, he thought that the hiding place above was easy to find. Now he must hide in a location that is not easy to be found, so he thought of the Registry! Indeed, due to the complexity of the Registry, Trojans often like to hide in the fun. Check out what programs are under them and read them carefully with wide eyes. Don't let the Trojans go: all key values starting with "run" in HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion; all key values starting with "run" in HKEY_CURRENT_USER \ Software \ Microsoft \ Windows \ CurrentVersion; HKEY-USERS \. all the key values starting with "run" under Default \ Software \ Microsoft \ Windows \ CurrentVersion.
6. Hiding in system. ini
Trojans are everywhere! There is nothing left to do, so it will drill somewhere! This is not the case. system. ini in the Windows installation directory is also a place where Trojans like to hide. When file.exe, if such content exists, you are not lucky, because the file.exe here is a Trojan server program! In addition, in the [Program ENH] field of system. ini, check "driver = path \ program name" in this section, which may also be used by Trojans. Then, in system. the [MIC], [Drivers], and [drivers32] fields in INI also play the role of loading drivers, but they are also a good place to add Trojans, now you should know that you should also pay attention to this.
7. invisible to the Startup Group
Sometimes a Trojan does not care about its whereabouts. It pays more attention to whether it can be automatically loaded into the system, because once the trojan is loaded into the system, in any way you use, you cannot rush it (ah, this trojan face is too thick). Therefore, according to this logic, the Startup Group is also a good place for Trojans to hide, this is indeed a good place for automatic loading and running. The folder corresponding to the animation group is c: \ windows \ Start Menu \ Programs \ Startup, and the location in the registry is HKEY_CURRENT_USER \ Software \ Microsoft \ Windows \ CurrentVersion \
Explorer \ shellfolders startup = "C: \ WINDOWS \ Start Menu \ Programs \ Startup ". Check the Startup Group frequently!
8. Hidden in winstart. bat
According to the above logic theory, all Trojans are fond of staying where Trojans can be automatically loaded. This is not the case, winstart. bat is also a file that can be automatically loaded and run by windows. It is automatically generated for applications and windows in most cases, after win.com is executed and most drivers are loaded, run the command. (you can press the F8 key at startup and select the start mode to track the startup process step by step ). Because the autoexec. Bat function can be replaced by winstart. bat, the Trojan can be loaded and run as it is in autoexec. bat, which is dangerous.
9. bundled in the Startup File
That is, the application startup configuration file. The control end uploads the file with the same name as the trojan startup command to the server to overwrite the file with the same name, in this way, the Trojan can be started.
10. Set it in the super connection
The trojan owner places malicious content on the webpage.CodeTo lure users into clicking. The user clicking result is self-evident: the door is stolen! I advise you not to click the link on the webpage unless you understand it, trust it, and want to wait for it to die.
Next, let's look at the trojan clearing method.
1. Check Run, runserveice, and other items in the registry. Back up the items, write down the addresses of the items that can be started, and delete the items that are suspicious.
2. Delete the execution file of the above suspicious key on the hard disk.
Upload,. com or. BAT files. If yes, delete them.
4. Check the items in the Registry HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER \ Software \ Microsoft \ Internet Explorer \ main (such as local page). If the items are modified, modify them.
5. Check whether the default open programs of common file types such as hkey_classes_root \ INIFILE \ shell \ open \ command and hkey_classes_root \ txtfile \ shell \ open \ command are changed. This must be changed back. A lot of viruses have been modified. txt,. ini, and Other Default open programs to make the virus "inactive, never killing.
6. If possible, disassemble the mother file of the virus, for example, the virus in my last time, by using IDA disassembly, it also steals the system password and creates % SystemRoot % \ System \ mapis32a. the DLL file sends the password to a mailbox. Because I use w2k, it certainly does not work.
Now, the virus is completely deleted! I suggest you always pay attention to system changes, strange ports, suspicious processes, and so on. Today's viruses do not have much damage to system data as they used to, or discover more, so try your best to eliminate viruses (simple viruses and Trojans ).