Clearing a Trojan starts from its parasitic ground

Source: Internet
Author: User

Where Trojans and viruses take root: the registry

Besides Trojans and viruses themselves, what gives most Internet users a headache today is the registry. It has long been a favourite parasitic site for Trojans and viruses, and also for malicious code that modifies registry settings: such code tampers with various properties of the IE browser (the window title, for example), and sometimes adds special key values to the registry that disable registry editing or restrict which programs may run. Most hateful of all, some Trojans that you have killed by every available means come back to life as soon as you restart the machine; the 7939 Trojan that so many netizens hate is one example. Faced with such rampant malicious code, we cannot sit and wait. So how does one person hold the pass against the countless Trojans, viruses, rogue software and other destructive things trying to get in?

One day you turn on the computer or go online and find the machine crawling like a snail, or the same web page dancing in front of your eyes over and over, as many as 100 times within a minute, until every resource is exhausted. By this point, anyone paying attention should realise: my computer is infected. Some cannot help asking: I am a computer novice using a machine for the first time, what should I do about a virus? That is a good question. For a computer beginner, "the registry" is a hard-to-understand pair of words; in short, the registry is the operating system's database, the equivalent of a country's treasury, holding much gold and silver and many state secrets. So how do we get in? On Windows XP/2000/2003 and the other members of the Windows family, click the "Start" button in the lower left corner of the screen, then click "Run". In the Run dialog, type regedit in the blank box and click OK to enter the Registry Editor warehouse. Then we can move on to the next step.

Checking and setting the registry

First, check the following registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

Look in these key values for any automatic-startup entries that you do not recognise; the extension is usually EXE. Note the Trojan's file name, search the entire registry for it, delete every key value carrying the same file name without mercy, and then find the Trojan file's hiding place on the computer and remove it completely.

Second, check several entries under HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main (such as Local Page). If you find that a key value has been modified, change it back according to your own judgement.

Third, check HKEY_CLASSES_ROOT\inifile\shell\open\command, HKEY_CLASSES_ROOT\txtfile\shell\open\command and similar keys to see whether the default open program for several common file types has been changed. If so, it must be changed back: many viruses cannot be cleared precisely because they modify the default open program for .txt, .ini and similar files.

Fourth, some viruses prevent users from viewing and modifying the registry by modifying the following key value:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\
DisableRegistryTools =

To stop users from repairing the registry by importing a .REG file, the following key value is also modified, so that opening a .REG file displays a memory access error window instead. For example, the WIN32.SWEN.B virus changes the default value to:

HKEY_CLASSES_ROOT\regfile\shell\open\command\(Default) = "Cxsgrhcl.exe ShowError"
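The four checks above can be run in one pass. The script below is an added example, not part of the original article: a read-only audit that prints the autostart entries, the IE Main values, the default open commands and the DisableRegistryTools policy, flagging handlers that do not point at the stock Windows programs. The "expected" handler names (notepad.exe, regedit.exe) are an assumption based on default Windows installations.

```powershell
# Added example, not from the original article: a read-only audit of the registry
# locations the article tells you to inspect. It reports; it deletes nothing.
# The "expected" handler names are an assumption based on stock Windows defaults.

$autostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
)
'== Autostart entries (look for names and paths you do not recognise) =='
foreach ($key in $autostartKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }            # provider metadata, not registry data
        # Winlogon holds many values; only Shell and Userinit launch programs at logon.
        if ($key -like '*Winlogon' -and $p.Name -notin @('Shell', 'Userinit')) { continue }
        '{0}\{1} = {2}' -f $key, $p.Name, $p.Value
    }
}

'== Internet Explorer start page, local page and window title =='
Get-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Internet Explorer\Main' -ErrorAction SilentlyContinue |
    Select-Object 'Start Page', 'Local Page', 'Window Title' | Format-List

'== Default open commands (HKEY_CLASSES_ROOT is the merged view of HKLM\SOFTWARE\Classes) =='
$expected = @{
    'HKLM:\SOFTWARE\Classes\txtfile\shell\open\command' = 'notepad.exe'
    'HKLM:\SOFTWARE\Classes\inifile\shell\open\command' = 'notepad.exe'
    'HKLM:\SOFTWARE\Classes\regfile\shell\open\command' = 'regedit.exe'
}
foreach ($key in $expected.Keys) {
    $cmd = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
    $flag = if (-not $cmd -or $cmd -notmatch [regex]::Escape($expected[$key])) { '   <-- UNEXPECTED handler' } else { '' }
    '{0} = {1}{2}' -f $key, $cmd, $flag
}

'== Registry editing blocked by policy? =='
$pol = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$drt = (Get-ItemProperty -Path $pol -Name DisableRegistryTools -ErrorAction SilentlyContinue).DisableRegistryTools
if ($drt) { "DisableRegistryTools = $drt   <-- regedit is disabled by policy; clear this value first" }
else      { 'DisableRegistryTools is not set' }
```

Run it from an elevated PowerShell prompt so the HKLM keys are readable in full; anything it flags still needs a human decision before deletion, exactly as the article's steps describe.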

Fifth, cancel the "default shares"

Security risk: as we all know, Windows 2000/XP/2003 opens some "shares" by default, namely IPC$, C$, D$, E$ and ADMIN$. A great many hackers and viruses break into systems through these default shares.

Workaround: to prevent IPC$ attacks, set the RestrictAnonymous entry under "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" in the registry to "1". This prevents IPC$ connections.

For default shares such as C$, D$ and ADMIN$, find "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" in the registry. If the system is Windows 2000 Server or Windows 2003, add the value "AutoShareServer" (type "REG_DWORD", value "0") under that key. If the system is Windows 2000 Professional, add the value "AutoShareWks" (type "REG_DWORD", value "0") there instead.
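The two registry settings above can be applied and verified with the script below. It is an added example, not code from the original article: it picks AutoShareServer or AutoShareWks from the OS product type, writes both values, and lists the administrative shares that still exist until the Server service restarts. Get-SmbShare is assumed available (Windows 8 / Server 2012 or later); on older systems use net share instead.

```powershell
# Added example, not from the original article: apply the two hardening settings
# the article describes and show the resulting values. Run as Administrator.
# The default shares only disappear after the Server (LanmanServer) service restarts.

$lsa    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# RestrictAnonymous = 1 restricts anonymous (null-session) access over IPC$.
Set-ItemProperty -Path $lsa -Name RestrictAnonymous -Value 1 -Type DWord

# Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = server.
# Workstation editions use AutoShareWks, server editions AutoShareServer (as the article says).
$os   = Get-CimInstance -ClassName Win32_OperatingSystem
$name = if ($os.ProductType -eq 1) { 'AutoShareWks' } else { 'AutoShareServer' }
New-ItemProperty -Path $lanman -Name $name -Value 0 -PropertyType DWord -Force | Out-Null

'== Values now in the registry =='
Get-ItemProperty -Path $lsa    -Name RestrictAnonymous | Select-Object RestrictAnonymous
Get-ItemProperty -Path $lanman -Name $name             | Select-Object $name

'== Administrative shares still present until the Server service restarts =='
Get-SmbShare | Where-Object Special | Select-Object Name, Path
```

Restart the Server service (Restart-Service LanmanServer) or reboot, then run Get-SmbShare again to confirm that C$, D$ and ADMIN$ are gone; IPC$ remains, which is why RestrictAnonymous is set separately.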
