How to remove a Trojan completely

Source: Internet
Author: User

Q: There are many types of Trojans, and some of them are stubborn and cannot be killed. Is there any way to effectively prevent Trojans and clear them?

A:

What is a trojan?

What is commonly called a Trojan is a remote-control program that lurks in the victim's computer and secretly opens one or more data transmission channels. It generally consists of two parts: the server, which runs on the victim's machine, and the client, also called the control end, which the intruder uses to connect to it.

What spreads and infects is actually the server part. The intruder must deliver the server program to the victim by some means in order to propagate the Trojan. When the server runs on the victim's computer, it copies itself to the system directory and adds its launch command to an area that the system calls automatically at startup, so that it runs every time the system boots. Such an area is commonly called a "startup item". Once this is done, the Trojan enters its incubation period: it secretly opens a system port and waits for the intruder to connect.

Prevent Trojans from running: more thorough detection and removal

Every operating system automatically runs some programs at startup to initialize the system environment or provide additional functions. Programs that are allowed to run with the system are placed in special areas that are loaded during startup; these areas are the "startup items", and different systems provide different ones. Win9x provides at least five: Autoexec.bat and Config.sys in the DOS environment, the "Startup" program group in Windows, two Run keys in the registry, and one RunServices key, respectively:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

In the 2000/XP era the DOS environment was dropped, but a new startup area called "services" was added, and the registry gained two more "startup items" while keeping the original keys unchanged:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run

With so many startup locations, Trojans naturally do not miss them, which is why we often find strange program names among a computer's startup items. At that point only you or the antivirus software can tell them apart, because the system itself places some necessary initialization programs here, as do some legitimate tools, including antivirus and network firewalls, which must also start with the system through the startup items.

There is also a nasty way to start with the system without using a startup item at all: "search path priority spoofing". When Windows looks up a file name that carries no path information, it follows an "outside to inside" rule, searching progressively from the root of the system drive down to the system directory. This means that if two files with the same name exist in C:\ and C:\Windows, Windows executes the one under C:\ rather than the one under C:\Windows. This search logic gives an intruder the opportunity to rename the Trojan to the name of a file that is called at system startup and copy it into a directory one or more levels above the original; Windows then takes the Trojan for the real program, and the system's nightmare begins. This trick is often played on internat.exe, because no path is set for it in any Windows startup item.

Be aware of auto-running Trojans that occupy the startup items: you need to know every normal startup item on your machine in order to tell whether a Trojan has been mixed in. Against Trojans that exploit the search path weakness, users can only stay careful.

Eradicate Trojans: detection and removal of file-association Trojans

Some users are often very frustrated: they have already deleted the Trojan file and the corresponding startup items, yet at some point it comes back intact. What is even worse is that after the Trojan is killed, the system also breaks: no application can be opened any more. If the user's understanding of computer technology is limited to running antivirus software, there is nothing left to do but reinstall the system in tears!

Why? Is the Trojan still maliciously modifying the system core? The answer is actually very simple: this Trojan has modified the file association of applications (EXE files).

What is a "file association"? In Windows, opening a file is carried out by the application specified in the corresponding registry value. This information lives under the "HKEY_CLASSES_ROOT" root key of the registry: when the system receives a request for a file name, it identifies the file type by its extension and calls the corresponding program to open it. An application is itself a file, belongs to a file type of its own and could in principle be opened by other means; in Windows, however, the calling program for it is set to "%1" %*, which the system kernel understands as an "execution request": it creates a process for the file opened this way, and the file is finally loaded and executed. If another program changes this value, Windows calls the file it specifies to open the application instead. Some Trojans change the "open" command of the exefile type, which corresponds to the EXE extension, to "Trojan program" "%1" %*. When a program is run, the system first creates a process for the "Trojan program" and passes the requested file name to it as a parameter, and the Trojan then starts the program normally. Because the Trojan is used as the calling program for every EXE file, it stays in memory for a long time and restores its own files every time, so to ordinary users this Trojan seems "never to die". But once the Trojan program is deleted, Windows can no longer find the calling program and normal programs cannot be executed. This is the source of the so-called "no program can run": the Trojan has not changed the system core, so there is no need to reinstall the whole system.

The simplest way to eradicate this Trojan is to look at the program pointed to by the "open" command of the EXE file type and immediately stop that program's process, stopping any other Trojan files it has generated as well. Then, with the Registry Editor open (otherwise none of your programs can be opened), delete all the Trojan files and change the "open" command of exefile (HKEY_CLASSES_ROOT\exefile\shell\open\command) back to the original "%1" %*.
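An added example, not from the original article: an offline audit of a registry export that checks both points made above, whether the exefile "open" command is still the normal "%1" %* and whether any Run/RunServices entry names its program without a path (and so depends on the search order). The sample .reg text, the program names and the key list are constructed for illustration.

```python
import re

# Constructed sample of a "reg export" dump (not from a real machine): it contains
# a hijacked exefile association and a Run entry with no path (assumed values).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Firewall"="C:\\Program Files\\Firewall\\fw.exe /tray"
"internat"="internat.exe"
"sysupd"="C:\\Windows\\System\\sysupd.exe"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\Windows\\System\\sysupd.exe\" \"%1\" %*"
"""

# Startup keys named in the article whose values are plain commands.
RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
)
EXEFILE_KEY = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"
NORMAL_EXEFILE_COMMAND = '"%1" %*'   # what a clean Windows install has here

def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: string_data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.endswith('"') and "=" in line:
            name, _, data = line.partition("=")
            name = "@" if name == "@" else name.strip('"')
            # .reg files escape backslash and quote as \\ and \"; undo that
            keys[current][name] = re.sub(r'\\(["\\])', r"\1", data[1:-1])
    return keys

def audit(text):
    """Report a non-standard EXE association and Run entries that rely on search order."""
    keys = parse_reg(text)
    exe_cmd = keys.get(EXEFILE_KEY, {}).get("@", NORMAL_EXEFILE_COMMAND)
    hijacked = None if exe_cmd == NORMAL_EXEFILE_COMMAND else exe_cmd
    unqualified = []
    for key in RUN_KEYS:
        for name, data in keys.get(key, {}).items():
            first = data.split()[0].strip('"') if data.split() else ""
            if "\\" not in first:          # no directory: resolved by search order
                unqualified.append((key, name, data))
    return {"exefile_command": hijacked, "unqualified_run_entries": unqualified}

if __name__ == "__main__":
    for item, finding in audit(SAMPLE_REG).items():
        print(item, "->", finding)
```

On a real machine the input would come from `reg export` of the keys listed; the audit only reads the export and changes nothing.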

If you forget to change the file association back before deleting the Trojan, you will find that no program can be opened. Do not worry. If you are a Win9x user, use the "shell replacement method": set the system shell to the Registry Editor, and after restarting you will find that only the Registry Editor is running in Windows. Change the file association back there, and do not forget to restore the original explorer.exe as the shell afterwards.

For Win2000/XP users the operation is even simpler: press F8 at startup to enter the startup menu and select "Safe Mode with Command Prompt". The system then uses the command prompt as the shell, and you can type REGEDIT in it to open the Registry Editor. XP users do not even need to restart: simply browse to CMD.EXE in the "Open with" dialog to get a command prompt, and run the Registry Editor REGEDIT.EXE from there.
