Manual removal of the entire Trojan horse process

Source: Internet
Author: User

I don't know exactly from which day, but my Maxthon browser seemed unable to block some of the ads on web sites, and something resembling a QQ ad kept popping up in the lower-right corner of the screen. My first thought was that it was the web site's and QQ's own advertising. But the more I looked, the more wrong it seemed: on close inspection the thing in the lower-right corner was not a QQ ad. The whole ad was a single link, whereas a QQ ad has a frame and the mouse pointer does not turn into a hand over it; with this ad the pointer turned into a hand no matter where it was placed. The following is my whole process of removing the Trojan by hand, written up to share with you.

1. General Operation

Open Task Manager and review the processes: no suspicious process is found.

2. Deep excavation

Run Regedit and expand HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run.

There is a newcomer here: ADVAPI32. Looking at its value, what it loads is, unexpectedly, a DLL file, located in the _is_0518 subdirectory of C:\WINDOWS\Downloaded Program Files. Having found the root, the fix looked simple: delete the startup item first, then delete the corresponding Trojan file. But a look in C:\WINDOWS\Downloaded Program Files showed none of these files (even with "Show hidden files" enabled), and after a reboot the startup item reappeared. Clearly this Trojan monitors the registry and hides its file. To wipe it out completely, the following steps are carried out after entering Safe Mode (hold the F8 or Ctrl key during boot until the boot menu appears).

Before the third step, I tried to delete the Trojan file directly with the fourth step, but found that the Trojan had not disappeared after the reboot, so my preliminary judgment was that the Trojan keeps a backup copy of its file.
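The startup item found in step 2 has three tell-tale properties: a Run value that loads a DLL instead of an EXE, a path under Downloaded Program Files, and a value name borrowed from a Windows system DLL. The following Python, added here and not part of the original article, triages a "reg export" dump of the Run key for exactly those properties. The dump is a constructed sample; the rundll32 wrapper around the DLL is an assumption, since the article only says the value loads a DLL.

```python
import re

# Constructed sample in "reg export" (.reg) format. The ADVAPI32 line is
# modelled on the article's description; rundll32 is assumed, not stated.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"ADVAPI32"="rundll32.exe \"C:\\WINDOWS\\Downloaded Program Files\\_is_0518\\ADVAPI32.dll\",Install"
'''

# Well-known Windows DLL names that a legitimate Run entry would not be called after
SYSTEM_DLL_NAMES = {"advapi32", "kernel32", "user32", "ntdll", "shell32"}
# Directories from which a startup item should not normally be loaded
SUSPECT_DIRS = ("downloaded program files", "\\temp\\", "\\backup\\")

# One .reg value line: "name"="data", with \" and \\ escapes inside the quotes
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<data>(?:[^"\\]|\\.)*)"$')


def unescape_reg(s):
    """Undo .reg string escaping: \\ becomes \ and \" becomes a plain quote."""
    return re.sub(r'\\(["\\])', r'\1', s)


def triage_run_key(reg_text):
    """Return (name, data, reasons) for each Run value that resembles the
    article's startup item. Values with no matching reason are skipped."""
    findings = []
    for line in reg_text.splitlines():
        m = VALUE_RE.match(line.strip())
        if not m:
            continue
        name = unescape_reg(m.group("name"))
        data = unescape_reg(m.group("data"))
        low = data.lower()
        reasons = []
        if ".dll" in low:
            reasons.append("startup value loads a DLL rather than an EXE")
        if any(d in low for d in SUSPECT_DIRS):
            reasons.append("path is under a download/temp/backup directory")
        if re.sub(r"\.dll$", "", name.lower()) in SYSTEM_DLL_NAMES:
            reasons.append("value name impersonates a Windows system DLL")
        if reasons:
            findings.append((name, data, reasons))
    return findings
```

On the sample only the ADVAPI32 entry is flagged, with all three reasons; ctfmon.exe passes.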

3. Clear Trojan Backup files

Open "My Computer" and go to the C:\Windows directory. There is a suspicious directory named Backup; a look inside confirms it: the DLL loaded by the startup item is in there too. But the startup item does not load the file from this directory, so this directory is clearly the Trojan's backup. Delete the backup directory first: yet about two seconds after it is deleted, the directory is re-created. This Trojan is really cunning; even in Safe Mode it can still load itself and watch over its backup, and as soon as the backup is deleted it immediately re-creates it. So let us use its own method against it: if it can monitor and automatically re-create the backup directory, what if I delete the directory and then create a directory of the same name before it can? Windows does not allow two files or directories with the same name in the same directory. But the interval between the backup directory being removed and being re-created is too short to beat by hand, so a DOS batch file is used. First create the following batch file, named Kill.bat; the text after the double slash is a comment and is not typed in:

    move c:\windows\backup c:\windows\bak // rename the Backup directory to Bak
    md c:\windows\backup // create a new Backup directory under C:\windows

Then open "My Computer" again, go to C:\windows and delete the Bak directory, which completes the deletion of the Trojan's backup file.

4. Clear Trojan Files

Create another batch file, named Kill2.bat, with the following contents:

    cd \ // change the current path to the root of the C: drive
    cd C:\WINDOWS\Downloaded Program Files // change the current path to C:\WINDOWS\Downloaded Program Files
    move _is_0518 c:\bak // move the _is_0518 directory under the current directory to the root of C: and rename it Bak

Then open "My Computer", go to C:\ and delete the Bak directory; then go to C:\windows and delete the Backup directory. This completes the removal of the Trojan file.
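Steps 3 and 4 both rely on the same trick: rename the self-restoring directory out of the way and immediately occupy its name with an empty placeholder, so the watchdog's re-creation fails on a name collision. The Python below, added here and not part of the original article, implements that sequence with a check on whether the placeholder was actually won, and demonstrates it on a constructed temporary directory tree instead of C:\Windows\Backup.

```python
import os
import shutil
import tempfile
import time
from pathlib import Path


def quarantine_self_restoring_dir(target, quarantine, max_gap_s=0.5):
    """Rename `target` to `quarantine` and at once re-create an empty
    placeholder at `target` (the move + md sequence of Kill.bat).
    Reports whether the placeholder was obtained before anything else
    re-created the directory, and how long the vulnerable gap was."""
    target, quarantine = Path(target), Path(quarantine)
    if not target.is_dir():
        raise FileNotFoundError(f"{target} is not a directory")
    if quarantine.exists():
        raise FileExistsError(f"quarantine path {quarantine} already exists")
    t0 = time.monotonic()
    os.rename(target, quarantine)   # equivalent of: move target quarantine
    try:
        os.mkdir(target)            # equivalent of: md target
        held = True
    except FileExistsError:
        held = False                # the watchdog won the race and re-created it
    gap = time.monotonic() - t0
    return {
        "quarantined": quarantine.is_dir(),
        # a placeholder we created is empty; a re-created one may not be
        "placeholder_held": held and not any(target.iterdir()),
        "gap_s": gap,
        "within_budget": gap <= max_gap_s,
    }


def demo():
    """Run the technique on a constructed directory standing in for C:\\Windows\\Backup."""
    root = Path(tempfile.mkdtemp())
    fake_backup = root / "Backup"
    fake_backup.mkdir()
    # constructed sample payload file, not a real DLL
    (fake_backup / "ADVAPI32.dll").write_bytes(b"constructed sample")
    report = quarantine_self_restoring_dir(fake_backup, root / "Bak")
    report["file_moved"] = (root / "Bak" / "ADVAPI32.dll").is_file()
    shutil.rmtree(root)
    return report
```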

5. Clean up the registration form

Run Regedit and delete each of the keys listed below.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\ADVAPI32

HKEY_CURRENT_USER\Software\ADVAPI32

At this point the manual cleanup of the ADVAPI32 Trojan (the Trojan's real name could not be found on the Internet, so it is referred to here by the name of its auto-start key) is complete. Notes:

1. The third and fourth steps must not be reversed: only by deleting the backup file first and then the Trojan file is there neither a Trojan file nor a backup file left, so the Trojan cannot re-create its file.

2. I had seen manual Trojan removal described in the press before, but most of those methods rely on viewing and ending the process. Because this Trojan's process is disguised and hidden, I used IceSword to look at it; although one can tentatively judge that the Trojan hides inside an Svchost.exe process, Windows XP has many Svchost.exe processes, so it is hard to tell which one it hides in and the end-the-process method is hard to apply. The method described in this article, by contrast, disposes of the Trojan easily.

For more information on removing browser or QQ advertising Trojans, please visit QQ Security.
