Clear the pcshare Driver Trojan script

Source: Internet
Author: User

I dare not say it is completely cleared, because it is not completely cleared, but I think it is better to clear it completely. Why?

I used to test the pcshare trojan that day. I got a cracked version that day, but I realized it was a false one. After the configuration, I cannot go online. I am depressed, and worried about other people's sets, so the spirit of killing Trojans. this trojan is known as having no port and no process, and it is very sinister. A keyboard recorder that tested pcshare a long time ago is also hidden by the driver ~ So I used IceSword this time.
IceSword is the best tool to kill Trojans. IceSword uses a large number of novel kernel technologies, so that these backdoors are nowhere to hide, it has the anti-hiding and anti-protection functions (this sentence is copied online:-d). I really admire the author, and the research on the system kernel should be at the forefront in China, so far, no one has announced that the trojan he wrote can escape IceSword. The last time the administrator of pcshare spoke wildly, saying that as long as he wants to write, he can directly HOOK the window of IceSword to escape IceSword, I am looking for teeth with a smile, and I have the ability to write it out. You can catch his window. It's also the first in the world ~ Continue again



You can see that the red process, the program with process protection, delete one will generate one, should be mutual monitoring
So ignore this ~ Find the file source directly. If the exe file source is unknown or not, check the SSDT (System Service Descriptor Table) of IceSword ), here we can see the red drive


I tried. I couldn't see the driver in windows. It's nonsense. People are the first in China.
IceSword has a file management, which is also RING0 level, so there is nothing to hide it, remember the location of the suspicious driver, open the file browser of IceSword, find and delete the suspicious driver, OK


Restart ~ And you will be done.
Then I tested pcshare and clicked the generated Trojan. The Trojan file was not deleted or run by myself ~ Inexplicably, pcsahre is immune.
Since it is killed, I have not found any other files or startup items. If you are interested, you can use the registry monitor to check them.

Note: The Hidden driver file is also valid. For example, click it to hide it. After the file is deleted, it cannot be used ~ So if you are not sure, you can use IceSword to back up and delete it first.

Lala La ~ The following describes my frequently used manual killing techniques.
Killing file sources
The NTFS partition is required to set security and deny access and modification by any user. After the system is restarted, the trojan will not be loaded.
Then you can delete the startup Item and it will be OK (in fact, it will not be affected if you do not delete it, or even a prompt box, because it is rejected)

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.