Dangers of Trojans

Through extensive media publicity and reports, we know the dangers of Trojans. Once a powerful Trojan is implanted into your machine, attackers can control your machine as they operate on it, and even remotely monitor all your operations. In fact, this is not only harmful to Trojans. Some Trojans, such as file-related Trojans, have other "secondary" roles ?? Change File Association! Especially after the trojan is manually cleared, if the file association is not restored, the associated file cannot be opened, and many operations cannot be performed. Are you angry with others?
I. Basic Concepts 1. What is file association? Simply put, when you click a file of different types, you can right-click the associated project on the menu. For registered files, they are displayed with different icons. When you double-click them, different associations are started. Program All these settings are stored in the registry. Therefore, you only need to master the basic structure and the settings of key-value items, and you can define file associations as you like. 2. file-related Trojans generally copy two files on the Trojan server. Here I set the file name to numbers 1 and 2, file 1 is used to open the connection port immediately when the machine starts up. File 2 is usually connected to the open txt or EXE file (that is, associated )! When the trojan finds itself in the Trojan and deletes the No. 1 file under DOS, the server is temporarily disabled, that is, the trojan is temporarily deleted, when he runs the "Notepad" or any EXE file, the hidden Trojan file No. 2 is attacked to generate another file No. 1, that is, the trojan is planted!
II. Specific instance analysis (we use the famous wooden horse glacier as an example). Instead, we call the Log service program to open it, so that the trojan is loaded and run (Pandora's box is opened ). If the server program is manually deleted, the file cannot be opened because the program cannot be found when the file is opened. Hacker ("" is the system directory), so that the computer loads the running Trojan every time it starts (the ghost appears again ......); Second, if you delete this key value and think you are proud to drink tea, the glaciers will not disappear! What's going on? The Log Service of the original glacier will generate a file named sysexplr.exe under C: Windows (it is too powerful to crack the Overlord, it's a good drug, glacier !), This file is associated with a text file, which changes the association of TXT files in the Registry, as follows: under the Registry hkey_classes_roottxtfileshellopencommand, change the key value to C: keystore
% 1 "), as long as you open the text file (which day does not open the text file ?), The sysexplr.exefile will be re-generated into krnel32.exe, and you will be controlled by the glaciers again. (Glaciers occupy valuable system resources of the needy and working people for a long time, 555555) III. Document-related restoration methods 1. 1. if it is less than five days, you can use Windows to boot your own backup registry to restore every day! Step: restart to DoS (not the MS-DOS in Windows), then type scanreg/restore, select a restore registry closest to the current date, and then restart as prompted. 2. If you have used the previously backed-up registry for more than five days, import the Registry to restore it (I will not ask how to import it? Double-click the previously backed up registry ). Method 2: First Open "my computer" on the desktop, and then select "View"> "folder option"> "file type" on the menu bar to select the file type associated with the Trojan. Take the text file associated with glaciers as an example: Find the text file and see it. It is not a notepad (Notepad), but another program. Change it and select "edit ", click "open"> "edit"> "Browse" in the Action box, find the notepad, which is in the Windows directory, and click "OK. The other types follow this method in sequence. Method 3: directly create a registry file and import it. ① First, we will take the restoration of associated applications as an example. Open notepad and type the following value: regedit4 [hkey_classes_rootcomfile] @ = "MS-DOS
Application "" editflags "= HEX: D8, 07,00, 00 [hkey_classes_rootcomfileshell] @ =" "[hkey_classes_rootcomfileshellopen] @ =" editflags "= HEX: 00,00, [hkey_classes_rootcomfileshellopencommand] @ = "" % 1"
% "" [Hkey_classes_rootcomfileshellex] [delimiter] [delimiter {delimiter}] @ = "" [hkey_classes_rootcomfiledefaulticon] @ = "C: windowssystemshell32.dll, 2" save, save it as a Registry File suffixed with Reg, and double-click it to import it! Note that there must be a blank line after "regedit4", and there must be no space between "4" and "T" in "regedit4"; otherwise, the previous achievements will be abandoned! ② Next we will explain how to restore the associated text file. Open notepad and enter the following values:
Regedit4 [hkey_classes_roottxtfile] @ = "Text Document" [delimiter] @ = "shell32.dll,-152" [hkey_classes_roottxtfileshell] [delimiter] [delimiter] @ = "notepad.exe
% 1 "[hkey_classes_roottxtfileshellprint] [hkey_classes_roottxtfileshellprintcommand] @ =" C: windowsnotepad. exe
/P
% 1 ", save it, and save it as a Registry File suffixed with Reg. Double-click to import it! Note. Finally, we recommend that you immediately remove the Trojan and disconnect it, and then use anti-virus and anti-Black software to scan and kill it (of course, you can also manually scan and kill it ). Do not forget to check the registry for file association Trojans to see if the file association has been changed (txt, EXE, zip, COM, htm and other files may be changed by Trojans ), if it is changed, try the method described in this article and keep it effective!