Comprehensive Analysis of Windows Trojan Types and Their Removal Methods

Source: Internet
Author: User

Origin of Trojan name

A Trojan (Trojan horse) is a program that gets into a computer by hiding inside something the user wants. The name comes from the wooden horse of Greek legend: the Greeks hid soldiers inside a horse that the Trojans themselves pulled into their city, and this kind of malware borrows its name from that story.

Basic Trojan Concept

A Trojan is a remote-control hacker tool whose defining features are concealment and unauthorized access. It is a very common kind of malicious file, but unlike an ordinary virus it does not replicate itself or infect other files. Instead it disguises itself to entice the user into downloading and running it, and once running it opens a door into the victim's computer through which the attacker can destroy or steal files, or even take full remote control of the machine.

Traditional Trojan

Traditional Trojans consist of two parts, a client and a server, in the C/S (client/server) model. The client runs on the attacker's local machine and is used to control the server; the server runs on the remote (victim) host. Once the server part has executed successfully, the remote host carries the Trojan and can be controlled by the attacker or damaged in other ways.

New Trojan

The biggest difference between a reverse-connection ("bounce port") Trojan and a traditional one is that the server actively connects out to the client as soon as it runs. Firewalls generally block unsolicited inbound connections but allow outbound ones, so by originating the connection from inside the network the reverse-connection Trojan rides through the firewall on traffic the firewall permits.

DLL Trojans were created to avoid detection and removal by antivirus software. Every running program loads DLLs. The reasoning was that because a DLL file cannot be executed on its own, antivirus software would not include it in its scan range; that assumption does not hold for modern scanners, which do scan DLLs, but the hiding technique still works against a casual look. Exploiting the fact that DLLs are loaded into application processes, a DLL Trojan inserts itself into a common application process, so the user finds no trace of a separate Trojan process in Task Manager. For this reason a DLL Trojan is also called a process-less Trojan, and it is quite well concealed.

With the popularity of online games and instant-messaging software, and the large profits at stake, all kinds of Trojans have taken root quickly. Do not underestimate them: technically they are no weaker than the classic Trojans, and in some respects they are stronger.

General Solutions for Trojans

1. Trojan discovered

Whatever kind of Trojan it is, it needs the network to do its job. We can therefore run the "netstat -nao" command to list the local machine's current network connections together with their port numbers and the PID of the process that owns each connection.

If it is a DLL Trojan, the process that owns the connection may show a perfectly normal system path, because the Trojan lives inside a legitimate process. In that case use the Sysinternals command-line tool listdlls.exe: type "listdlls <exe file name>" to list the DLLs loaded by that program and look for one that does not belong.

2. End the Trojan process

For an ordinary Trojan, open Task Manager, right-click the Trojan process and end it. For a DLL Trojan, listdlls.exe helps again: type "listdlls -d <DLL file name>" to show every process that has loaded that DLL, then end those processes. ListDLLs only reports; it cannot unload a DLL from a running process. If the host process is one the system cannot do without, ending it is not an option; in that case remove the entry that loads the DLL (steps 3 and 4) and restart.
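The procedure of steps 1 and 2, as an added example that is not part of the original article. It assumes Windows 8 / Server 2012 or later (for Get-NetTCPConnection) and an elevated PowerShell session; the name suspect.dll is a placeholder, not a real Trojan. The three functions reproduce the "netstat -nao", "listdlls <exe>" and "listdlls -d <dll>" views respectively.

```powershell
# Added example (not from the original article). Assumes Windows 8 / Server 2012+
# (NetTCPIP module) and an elevated session; "suspect.dll" below is a placeholder.

function Get-ConnectionOwners {
    # Step 1, the "netstat -nao" view, with each PID resolved to its image path.
    Get-NetTCPConnection -State Listen, Established |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Local  = '{0}:{1}' -f $_.LocalAddress, $_.LocalPort
                Remote = '{0}:{1}' -f $_.RemoteAddress, $_.RemotePort
                State  = $_.State
                PID    = $_.OwningProcess
                Name   = $proc.ProcessName
                Path   = $proc.Path        # empty for System / protected processes
            }
        }
}

function Get-ProcessModules {
    # Step 1 for a DLL Trojan, the "listdlls <exe name>" view: every DLL the process
    # has loaded, with its Authenticode status so unsigned strangers stand out.
    param([Parameter(Mandatory)][string]$Name)
    foreach ($p in Get-Process -Name $Name -ErrorAction Stop) {
        foreach ($m in $p.Modules) {
            [pscustomobject]@{
                PID     = $p.Id
                Process = $p.ProcessName
                Module  = $m.ModuleName
                Path    = $m.FileName
                Signed  = (Get-AuthenticodeSignature -LiteralPath $m.FileName).Status
            }
        }
    }
}

function Find-DllHosts {
    # Step 2 for a DLL Trojan, the "listdlls -d <dll>" view: which processes host the DLL.
    param([Parameter(Mandatory)][string]$DllName)
    foreach ($p in Get-Process) {
        try { $loaded = $p.Modules.ModuleName } catch { continue }   # access denied on protected processes
        if ($loaded -contains $DllName) { $p | Select-Object Id, ProcessName, Path }
    }
}

# Usage: list connections by remote end, show unsigned modules in explorer, then hunt a DLL.
Get-ConnectionOwners | Sort-Object Remote | Format-Table -AutoSize
Get-ProcessModules -Name explorer | Where-Object Signed -ne 'Valid' | Format-Table -AutoSize
$carriers = Find-DllHosts -DllName 'suspect.dll'
# Ending the carriers kills the DLL with them. Drop -WhatIf only after confirming they are not
# processes the system needs; for those, remove the load point (steps 3 and 4) and reboot.
$carriers | Stop-Process -Force -WhatIf
```

A connection whose owning process has an empty Path is not automatically suspicious (the System process and protected processes hide it), but a user-land program connecting out from an odd directory such as a temp folder is the pattern to chase with Get-ProcessModules.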

3. Restore the modified registry key value of the Trojan

The registry keys Trojans favor most are the file associations, because file associations have a particularly strong effect on the system: if a Trojan attaches itself to a file type, then every time you open a file of that type the Trojan is executed. The .exe association (HKEY_CLASSES_ROOT\exefile\shell\open\command, whose default value should be exactly "%1" %*) is the classic target, since hijacking it runs the Trojan every time any program is started. Check the hosts file (%SystemRoot%\System32\drivers\etc\hosts) as well; Trojans add entries there to redirect or block sites of their choosing.

4. Delete the virus startup Item

After the Trojan has been cleared, why does it come back when the computer restarts? The root cause is that the Trojan has loaded itself into a startup item: the user removes the running Trojan, but as soon as the system restarts it is loaded again. So the Trojan must also be cleared from the system's startup items.

1. Almost all Trojans like to use the registry to start with the system. The keys a Trojan modifies are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

The Run and RunOnce keys also exist under HKEY_CURRENT_USER and must be checked as well; RunServices and RunServicesOnce are honored only by Windows 9x/ME.

2. Modifying System.ini. This file is in the Windows folder and is read at system startup. Normally the [boot] section contains only shell=Explorer.exe; if another program appears after shell=, the machine is probably infected. This applies to Windows 9x; on NT-based Windows the equivalent is the Shell value under [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon], which should likewise be explorer.exe.

3. Modifying Win.ini. This file records basic system settings and is also read at startup. In its [windows] section the load= and run= lines are empty by default. If a program path appears after either of them, a Trojan is at work and that path is where it starts from.

4. Modifying Autoexec.bat. This batch file, in the root directory of the system drive, runs the programs listed in it at startup. If you do not use it to launch anything, you can delete it. By default it contains no executable program, so if you find statements in it, pay attention: a Trojan may have infected the system.

5. Modifying the Startup group. The Startup group is a system folder that cannot be deleted, and any program in it runs automatically at logon with no conditions, which makes it a convenient startup method for Trojans. Open Start > Programs and you will find the Startup folder (on disk it is the Startup folder under the Start Menu of each user's profile and of the All Users profile); an unknown program there is probably a Trojan.

6. Registering a service. This is a very concealed startup method. The Trojan registers itself as a system service with the startup type set to Automatic; because every service whose startup type is Automatic runs at boot, the Trojan starts too. Type services.msc and press Enter to open the Services window. A service with no description deserves attention; such an entry is often a Trojan.

Finally, the simplest step: search the system for the Trojan's file name, and once the original Trojan file is found, delete it.
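The checks of steps 3 and 4 together, as an added example that is not part of the original article: it reads every persistence location listed above and prints the entries that need a human look. It assumes an elevated PowerShell 5.1 or later session on Windows Vista or later and deletes nothing; the flagging rules (unsigned or missing image, non-default exefile association, any active hosts mapping, any Startup folder item, automatic service with no description) are this example's own.

```powershell
# Added example (not from the original article). Read-only sweep of the persistence
# points in steps 3 and 4; assumes an elevated PowerShell 5.1+ session on Vista or later.

function New-Finding([string]$Area, [string]$Name, [string]$Value, [bool]$ReviewMe) {
    [pscustomobject]@{ Area = $Area; Name = $Name; Value = $Value; ReviewMe = $ReviewMe }
}

function Get-ImageSignature([string]$CommandLine) {
    # Extract the executable from a startup command ("C:\a b\x.exe" /q  or  C:\x.exe /q)
    # and report its Authenticode status; 'Missing' if the file is gone, 'Unparsed' if odd.
    if ($CommandLine -match '^\s*"([^"]+)"' -or $CommandLine -match '^\s*(\S+)') {
        $exe = [Environment]::ExpandEnvironmentVariables($Matches[1])
        if (Test-Path -LiteralPath $exe) { return (Get-AuthenticodeSignature -LiteralPath $exe).Status }
        return 'Missing'
    }
    return 'Unparsed'
}

function Test-ExeAssociation {
    # Step 3: the .exe association must be exactly "%1" %* or every program launch runs the hijacker.
    $cmd = [string](Get-Item 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command').GetValue('')
    New-Finding 'FileAssoc' 'exefile' $cmd ($cmd -ne '"%1" %*')
}

function Get-HostsEntries {
    # Step 3: the stock hosts file holds only comments, so any active mapping is worth reading.
    $path = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    Get-Content -LiteralPath $path | Where-Object { $_ -match '^\s*[0-9A-Fa-f:.]+\s+\S' } |
        ForEach-Object { New-Finding 'Hosts' 'mapping' $_.Trim() $true }
}

function Get-RunKeyEntries {
    # Step 4.1: every value under the Run* keys in HKLM and HKCU, flagged unless its image is signed.
    $keys = foreach ($hive in 'HKLM', 'HKCU') {
        foreach ($k in 'Run', 'RunOnce', 'RunOnceEx', 'RunServices', 'RunServicesOnce') {
            "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\$k"
        }
    }
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }           # RunServices* exist only on Windows 9x
        $item = Get-Item -Path $key
        foreach ($name in $item.GetValueNames()) {
            $val = [string]$item.GetValue($name)
            New-Finding $key $name $val ((Get-ImageSignature $val) -ne 'Valid')
        }
    }
}

function Get-ShellEntries {
    # Steps 4.2 / 4.3: system.ini shell= and win.ini load=/run= (Windows 9x era, still read
    # by 16-bit support), plus the Winlogon\Shell value that replaced shell= on NT-based Windows.
    foreach ($ini in 'system.ini', 'win.ini') {
        $path = Join-Path $env:SystemRoot $ini
        if (-not (Test-Path -LiteralPath $path)) { continue }
        Get-Content -LiteralPath $path | ForEach-Object {
            if ($_ -match '^\s*(shell|load|run)\s*=\s*(.+)$') {
                $name = $Matches[1].ToLower(); $val = $Matches[2].Trim()
                $bad = if ($name -eq 'shell') { $val -ne 'Explorer.exe' } else { $true }
                New-Finding $ini $name $val $bad
            }
        }
    }
    $wl = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $shell = [string](Get-ItemProperty -Path $wl -Name Shell -ErrorAction SilentlyContinue).Shell
    New-Finding 'Winlogon' 'Shell' $shell ($shell -ne 'explorer.exe')
}

function Get-AutoexecLines {
    # Step 4.4: autoexec.bat in the root of the system drive should be absent or hold nothing runnable.
    $bat = Join-Path $env:SystemDrive 'autoexec.bat'
    if (-not (Test-Path -LiteralPath $bat)) { return }
    Get-Content -LiteralPath $bat | Where-Object { $_ -match '\S' -and $_ -notmatch '^\s*(rem\b|@?echo\b|::)' } |
        ForEach-Object { New-Finding 'autoexec.bat' 'line' $_.Trim() $true }
}

function Get-StartupFolderItems {
    # Step 4.5: the per-user and all-users Startup folders; anything here runs at logon.
    foreach ($folder in 'Startup', 'CommonStartup') {
        Get-ChildItem -LiteralPath ([Environment]::GetFolderPath($folder)) -Force -ErrorAction SilentlyContinue |
            Where-Object Name -ne 'desktop.ini' |
            ForEach-Object { New-Finding $folder $_.Name $_.FullName $true }
    }
}

function Get-AutoStartServices {
    # Step 4.6: Automatic services; flag those with no description or an unsigned image.
    Get-CimInstance Win32_Service -Filter "StartMode='Auto'" | ForEach-Object {
        $bad = [string]::IsNullOrWhiteSpace($_.Description) -or ((Get-ImageSignature $_.PathName) -ne 'Valid')
        New-Finding 'Service' $_.Name $_.PathName $bad
    }
}

$findings = @(
    Test-ExeAssociation; Get-HostsEntries; Get-RunKeyEntries; Get-ShellEntries
    Get-AutoexecLines; Get-StartupFolderItems; Get-AutoStartServices
)
$findings | Where-Object ReviewMe | Format-Table Area, Name, Value -AutoSize -Wrap
```

An unsigned image is a reason to look, not a verdict: plenty of legitimate tools are unsigned. Compare each flagged path against what you installed, and for anything you remove, take the file named in Value as the target of the final "search and delete" step above.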
