How can Trojans survive? Introduction to the universal trojan detection and removal method

Source: Internet
Author: User

Many newcomers who do not know much about security are helpless once a trojan gets onto their computer. Although many new anti-virus products on the market can automatically remove most known trojans, they cannot stop new ones. The most important thing, therefore, is to understand how a trojan works. I believe that after reading this article you will be able to detect and remove trojans yourself.

A trojan does its best to hide itself. Hiding from the taskbar is the most basic method: as long as the program sets its form's Visible property to False and ShowInTaskBar to False, it will not appear in the taskbar while running. Hiding from the Task Manager is just as easy: a program registered as a "system service" is not listed there. Of course, the trojan must also start silently; an attacker cannot expect the user to click the trojan's icon after every boot, so the trojan arranges to be loaded automatically every time the system starts.

When Windows starts, it automatically loads applications from several places, and trojans use all of them: the Startup group, win.ini, system.ini and the registry.

The following describes how a trojan gets itself loaded automatically. In the win.ini file, under [windows], the "run=" and "load=" lines are possible ways to load a trojan, and you must check them carefully. Normally there should be nothing after the equals signs. If you find a path and file name there that is not a startup file you recognize, your computer may have a trojan. Look closely, though: many trojans, such as the "AOL Trojan", disguise themselves as command.exe (the real system file is command.com), and if you are not careful you may not notice that it is not a genuine system startup file (especially in Windows).

In the system.ini file, under [boot], there is a line of the form "shell=file name". The file name should be Explorer.exe. If it is not Explorer.exe, or if it reads "shell=Explorer.exe program name", the program that follows is a trojan, and your machine is already infected. The registry is the most complicated case. Open the Registry Editor with the regedit command and go to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run to check whether any value points to an unfamiliar automatically started file with the .exe extension. Remember: some files created by a trojan are named to look like system files so that they pass unnoticed. The "Acid Battery v1.0" trojan, for example, changes the Explorer value under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run to Explorer="C:\WINDOWS\expiorer.exe"; the only difference between the trojan and the real Explorer is an "i" in place of the "l". Of course there are many other places in the registry where a trojan can hide, such as HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run and HKEY_USERS\***\Software\Microsoft\Windows\CurrentVersion\Run. The best approach is to find the trojan's file name under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run and then search the entire registry for it.

Once you know how a trojan works, scanning for and removing it is easy. If a trojan is present, the most effective first step is to disconnect the computer from the network immediately, so the attacker cannot reach you through it. Edit the win.ini file: under [windows], change "run=trojan program" or "load=trojan program" back to "run=" and "load=". Edit the system.ini file: under [boot], change "shell=trojan file" back to "shell=Explorer.exe". In the registry, use regedit to find the trojan's file name under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run, then search the entire registry for the trojan program and remove or replace every reference to it. Note that some trojans, such as the "BladeRunner" trojan, will immediately re-add their value if you simply delete it from HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run, so do not start by deleting the key value directly: write down the trojan's name and directory, then go to MS-DOS, find the trojan file and delete it.
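The win.ini and system.ini checks the article walks through, written up as an added Python example (not code from the original article). The ini contents are constructed samples, the look-alike test reuses the article's own expiorer.exe and command.exe cases, and the registry Run keys are left out because reading them needs the winreg module on a live Windows machine.

```python
import configparser
import difflib
import ntpath

# Constructed sample win.ini / system.ini contents (not from a real machine).
WIN_INI = "[windows]\nload=\nrun=C:\\WINDOWS\\SYSTEM\\command.exe\n"
SYSTEM_INI = "[boot]\nshell=Explorer.exe C:\\WINDOWS\\expiorer.exe\n"

EXPECTED_SHELL = "explorer.exe"            # the only value [boot] shell= should carry
KNOWN_SYSTEM_NAMES = ("explorer.exe", "command.com")

def parse_ini(text):
    # interpolation=None so '%' in paths is harmless; strict=False tolerates duplicate keys
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp

def lookalike_of(name):
    """Return the system file that `name` imitates, or None if it is genuine/unrelated."""
    n = name.lower()
    if n in KNOWN_SYSTEM_NAMES:
        return None
    for k in KNOWN_SYSTEM_NAMES:
        if n.rpartition(".")[0] == k.rpartition(".")[0]:   # same name, swapped extension
            return k
        if difflib.SequenceMatcher(None, n, k).ratio() >= 0.9:  # one-letter swap
            return k
    return None

def check_autostart(win_ini_text, system_ini_text):
    """Return (location, program, note) for every autostart entry that should not be there."""
    findings = []
    def add(loc, prog, note):
        twin = lookalike_of(ntpath.basename(prog))
        findings.append((loc, prog, note + (" (imitates %s)" % twin if twin else "")))
    win = parse_ini(win_ini_text)
    for key in ("run", "load"):
        # 8.3-era paths have no spaces, so whitespace separates programs
        for prog in win.get("windows", key, fallback="").split():
            add("win.ini [windows] %s=" % key, prog, "should be empty")
    boot = parse_ini(system_ini_text).get("boot", "shell", fallback="").split()
    if not boot or boot[0].lower() != EXPECTED_SHELL:
        add("system.ini [boot] shell=", " ".join(boot), "shell is not Explorer.exe")
    for prog in boot[1:]:
        add("system.ini [boot] shell=", prog, "extra program after Explorer.exe")
    return findings

if __name__ == "__main__":
    for loc, prog, note in check_autostart(WIN_INI, SYSTEM_INI):
        print(loc, prog, "->", note)
```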
