Alternative way to find a Trojan horse

Source: Internet
Author: User
Tags: command line, log

Trojan horses are rampant, but there are many ways to deal with them, and I think the best is to master a method of finding and removing them yourself. The following example uses a file the system itself keeps, the program installation event log, to locate a Trojan horse; I hope it proves useful (this method only applies to Windows 2000/XP/2003).

The program installation event log is the file SETUPAPI.LOG, stored in the Windows or Winnt directory of your system partition. It records every hardware and software installation attempted on the machine, whether or not the installation succeeded. Because these records are very detailed, the file is large and its contents are miscellaneous, but with care and patience you can become an expert at "catching horses". The following is part of the SETUPAPI.LOG content I captured after my computer was infected with the Trojan.

[2004/11/10 14:01:54 180.1]

#-198 processing command line: "E:\Program files\internet Explorer\iexplore.exe"-nohome

#-024 the file "E:\Documents and settings\administrator\local settings\temporary the Internet files\content.ie5\uve9o9o5\ Icyfox[1].exe "Copy to E:\windows\downloaded program Files\#.exe".

#W361 a file that is unsigned, incorrectly signed, or Authenticode (TM) signed "E:\Documents and settings\administrator\local Settings\Temporary Internet Files\content.ie5\uve9o9o5\icyfox[1].exe "will be installed (policy = ignored). Error 87: The parameter is incorrect.

From these fragments it is not hard to see that the malware entered through IE, landed in the IE temporary folder, and was then copied to IE's default download folder for installation. The whole process, including its auto-start, was carried out by a script file.

This Trojan runs in the system under the process name HWS.EXE, and the file is stored in the Windows System folder. The file's timestamp matches the time recorded in SETUPAPI.LOG. While it runs, IE and the registry are modified: the Registry Editor can no longer be opened, registry files cannot be imported, and when I used a tool to lift the registry lock it went back to the disabled state. Every indication is that HWS.EXE is not a normal process.

After that, end HWS.EXE in Task Manager, delete the HWS.EXE file in the System folder, then use a tool to repair IE and the registry, and the horse is finally driven out of the system.

This Trojan was relatively easy to find because it ran as its own process. For Trojans that insert themselves into another process, search the SETUPAPI.LOG file instead for invocations of the system registration service command, REGSVR32.EXE.
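The manual search described above can be scripted. The following is an added example, not code from the original article: it scans SETUPAPI.LOG text for the three record types the article relies on (a #-024 copy out of the IE cache, a #W361 unsigned-file warning that was installed anyway, and a #-198 command line that invokes REGSVR32.EXE) and reports each with the timestamp of its log section. The sample log is constructed here in the English Windows log format; its paths and DLL name are illustrative placeholders, not real indicators.

```python
import re

# Constructed sample modelled on the SETUPAPI.LOG fragment in the article.
# Paths, timestamps and "unknown.dll" are placeholders for illustration.
SAMPLE_LOG = """\
[2004/11/10 14:01:54 180.1]
#-198 Processing command line: "E:\\Program Files\\Internet Explorer\\iexplore.exe" -nohome
#-024 Copying file "E:\\Documents and Settings\\administrator\\Local Settings\\Temporary Internet Files\\Content.IE5\\uve9o9o5\\icyfox[1].exe" to "E:\\WINDOWS\\Downloaded Program Files\\#.exe".
#W361 An unsigned, incorrectly signed, or Authenticode(tm) signed file "E:\\Documents and Settings\\administrator\\Local Settings\\Temporary Internet Files\\Content.IE5\\uve9o9o5\\icyfox[1].exe" will be installed (Policy=Ignore). Error 87: The parameter is incorrect.
[2004/11/10 14:02:10 180.2]
#-198 Processing command line: "C:\\WINDOWS\\system32\\regsvr32.exe" /s C:\\WINDOWS\\system32\\unknown.dll
[2004/11/11 09:00:00 181.1]
#-198 Processing command line: "C:\\WINDOWS\\system32\\rundll32.exe" newdev.dll,ClientSideInstall
"""

# A section header carries the date/time that applies to the records below it.
SECTION_RE = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) [\d.]+\]$")
COPY_RE = re.compile(r'^#-024 .*?"([^"]+)" to "([^"]+)"', re.IGNORECASE)
UNSIGNED_RE = re.compile(r'^#W361 .*?"([^"]+)"', re.IGNORECASE)
CMDLINE_RE = re.compile(r"^#-198 Processing command line: (.+)$", re.IGNORECASE)
IE_CACHE_MARK = "temporary internet files"  # source folder of the article's Trojan


def scan_setupapi_log(text: str) -> list[tuple[str, str, str]]:
    """Return (section timestamp, rule name, detail) for each suspicious record."""
    findings: list[tuple[str, str, str]] = []
    when = "?"
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            when = m.group(1)  # all following records belong to this timestamp
            continue
        m = COPY_RE.match(line)
        if m and IE_CACHE_MARK in m.group(1).lower():
            findings.append((when, "copy-from-ie-cache", f"{m.group(1)} -> {m.group(2)}"))
            continue
        m = UNSIGNED_RE.match(line)
        if m and "policy=ignore" in line.lower():
            findings.append((when, "unsigned-install-ignored", m.group(1)))
            continue
        m = CMDLINE_RE.match(line)
        if m and "regsvr32" in m.group(1).lower():
            findings.append((when, "regsvr32-registration", m.group(1).strip()))
    return findings


if __name__ == "__main__":
    for when, rule, detail in scan_setupapi_log(SAMPLE_LOG):
        print(f"{when}  {rule:26}  {detail}")
```

On a real machine, read the file from the Windows or Winnt directory instead of SAMPLE_LOG and compare the reported timestamps with the file times of suspect processes, as the article does for HWS.EXE.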

Above I described using the SETUPAPI.LOG file to find a Trojan process. In fact it has many other uses, such as troubleshooting software and hardware failures.
