How cainiao can kill Trojans

I installed Windows XP and Norton 2002 Chinese anti-virus software on my machine. Recently, the Internet virus has been rampant. Although I have not been "impacted" by the shock wave, I have been hit by a Trojan ".

　　I. Shocking Trojans

When I opened a plain text file after I went offline that day, Norton suddenly reported a virus and refused to access the file (figure 1 ). How does a plain text file contain viruses? The virus-infected program is E: WinNTSystem32 oteped.exe.

Figure 1

　　Ii. Analysis

When pwsteal.trojanuary looks at the name, it should be a Trojan. Naturally, we can forcibly associate the open format of the TXT file with noteped.exe. Right-click any text file to open the Properties window. From this context, we can clearly see that the file opening method has changed to "noteped", but this type of file cannot be opened as long as Norton is not closed. Isn't noteped.exe a notepad?

Open the E: winntsystem32directory and find that the two notepad.exe?noteped.exe programs are tied together (figure 2). Then, you can find that they have a word difference. So I immediately updated the virus database to the latest version and checked the computer for virus. The results showed three virus files (outlook.exe%winet.exe%explorer.exe) in the E: winntsystem32directory ).

Figure 2

　　Iii. Solution

When we use Norton to scan and kill this trojan, We are prompted that they cannot be deleted or isolated. It seems that we only rely on ourselves. In order to see if there are any friends who have missed the trojan horse, I searched again on the computer based on the trojan creation date (2000100001.01) and file size (147KB, the result is that there are only four infected files.

Go to E: winntsystem32to find these four files. The system prompts that the zookeeper er.exe file is in use and cannot be deleted. So I press Ctrl + Alt + Del to open the task manager and check the process to see the two explorer Processes (Figure 3 ), one of them must be a Trojan process. Its process path should be E: WinNTSystem32explorer.exe, and the real desktop process path is E: WinNTexplorer.exe. Remove "cmd.exe ..

Figure 3

After the machine was restarted, the four "associates" of the Trojan came back. Flash, you will find that the hard drive lights are flashing and the restoration function items will switch between "restore this project" and "Restore all projects" (figure 4 ). Ah! The hacker (which is already a trojan program) is deleted so that the file can be opened smoothly. After copying the program, you can rename outlook.exeappswinetexe‑assumer.exe and replace the four infected files.

Figure 4

The machine is repaired, but every time you open the opportunity to run four notepad programs (E: winntsystem32explorer.exe, actually notepad.exe ).

Note: The source program used for replacement is preferably a small program that can be copied to any folder, such as Notepad and drawing.

Because Trojans are not thoroughly scanned and killed, after analysis, the Trojan process is automatically loaded at startup, so they cannot be deleted directly. Run the html "> Registry Editor to expand [HKEY_CURRENT_USERSoftwareMicrosoftWindowsNTCurrentVersionWindowsload]. You can see 5 information to delete it. After restarting the computer, the trojan is completely eliminated.

Figure 5

　　Iv. Restore File Association

Because noteped.exe is deleted and the TXT file is not associated with an application, I will restore it. Open "My Computer → tools → Folder Options → file type if no TXT file exists → new extension → enter 'txt '→ OK → select txt extension → change → select from List program → notepad → OK "(if the notepad is not displayed in the list, you can browse and select EWinNT otepad.exe ).