Trojan hiding places and general investigation techniques
The Trojan horse, named after the ruse in ancient Greek mythology, is a remote-control hacker tool that is both well hidden and highly damaging. To keep control of the host on which its server side runs, a Trojan must find some way to activate itself and get loaded at startup. Below we introduce the common activation methods and hiding places of Trojans, and walk through several examples so that you can try manual Trojan removal yourself.
Starting a Trojan from Win.ini:
The [windows] section of Win.ini contains two startup commands, "load=" and "run=". Normally nothing follows the "=". If a program is listed instead, for example:
run=c:\windows\file.exe
load=c:\windows\file.exe
then that file.exe is very likely a Trojan program.
Modifying file associations in the Windows registry:
Modifying file associations in the registry is a common Trojan technique; how it is done was covered earlier in this series. Normally a TXT file is opened by Notepad.exe (Notepad), but once a file-association Trojan is installed, double-clicking a TXT file runs the Trojan instead. The well-known domestic Trojan "Glacier" works this way: it changes the "(Default)" value of the registry subkey HKEY_CLASSES_ROOT\txtfile\shell\open\command from "c:\windows\notepad.exe %1" to "C:\Windows\System\Sysexplr.exe %1", so a double-clicked TXT file that should have opened in Notepad now launches the Trojan program. TXT is not the only target: HTM, EXE, ZIP, COM and other file types are hijacked by Trojans as well, so be careful.
For this type of Trojan, the only check is to open the registry branch HKEY_CLASSES_ROOT\<file type>\shell\open\command for each file type and see whether its default value is still the normal one.
Bundling Trojan files with other programs:
For this trigger to work, the control end must already be connected to the server end through the Trojan. The controller then uses a tool to bundle the Trojan file with an application and uploads the result to the server end, overwriting the original file. Even if the Trojan itself is deleted, the next time the bundled application runs it reinstalls the Trojan; if it is bundled with a system file, the Trojan starts every time Windows starts.
Starting a Trojan from System.ini:
The line Shell=Explorer.exe in the [boot] section of System.ini is a favourite Trojan hiding place; the usual trick is to change it to:
Shell=Explorer.exe file.exe
Here file.exe is the Trojan's server program.
Also check any "driver=path\program name" line in the [386Enh] section, which can be abused in the same way. The [mci], [drivers] and [drivers32] sections also load drivers, so they are ideal places to add a Trojan as well.
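The Win.ini and System.ini checks above, written out as a small checker. This is an added example and not code from the original article: it parses the text of the two files and reports the lines a Trojan hijacks (load=/run= in [windows], shell= in [boot], and executables listed in the driver-loading sections). The INI contents at the bottom are constructed samples, not files from a real machine, and treating any .exe/.com/.bat in a driver section as suspicious is this example's own heuristic.

```python
"""Checker for the Win.ini / System.ini autostart entries described above.

Added example, not code from the original article. It parses the text of
the two INI files and reports the lines a Trojan typically hijacks:
load=/run= in [windows], shell= in [boot], and executables listed in the
driver-loading sections. The INI contents at the bottom are constructed
samples for illustration, not files taken from a real machine.
"""
import re

# Sections of System.ini that exist to load drivers; a .exe/.com/.bat
# listed there is suspicious because drivers are .vxd/.386/.drv files
# (heuristic assumed by this example).
DRIVER_SECTIONS = ("386enh", "mci", "drivers", "drivers32")
EXECUTABLE_SUFFIXES = (".exe", ".com", ".bat")


def parse_ini(text):
    """Return {section (lower-cased): [(key (lower-cased), value), ...]}."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = re.match(r"^\[(.+?)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current].append((key.strip().lower(), value.strip()))
    return sections


def check_win_ini(text):
    """Flag load= and run= entries in [windows] that are not empty."""
    findings = []
    for key, value in parse_ini(text).get("windows", []):
        if key in ("load", "run") and value:
            findings.append(("win.ini", "[windows]", key, value))
    return findings


def check_system_ini(text):
    """Flag a shell= line that starts anything besides a bare Explorer.exe,
    and executables listed in the driver sections."""
    findings = []
    sections = parse_ini(text)
    for key, value in sections.get("boot", []):
        if key == "shell":
            tokens = value.split()
            shell_name = tokens[0].lower().rsplit("\\", 1)[-1] if tokens else ""
            if len(tokens) != 1 or shell_name != "explorer.exe":
                findings.append(("system.ini", "[boot]", key, value))
    for name in DRIVER_SECTIONS:
        for key, value in sections.get(name, []):
            if value.lower().endswith(EXECUTABLE_SUFFIXES):
                findings.append(("system.ini", "[%s]" % name, key, value))
    return findings


def audit(win_ini_text, system_ini_text):
    """All findings from both files, in file order."""
    return check_win_ini(win_ini_text) + check_system_ini(system_ini_text)


# Constructed samples: a Trojan loaded through load=, appended to shell=,
# and hidden as a "driver" in [386Enh].
WIN_INI = r"""[windows]
load=c:\windows\file.exe
run=
NullPort=None
"""

SYSTEM_INI = r"""[boot]
shell=Explorer.exe file.exe
mouse.drv=mouse.drv
[386Enh]
device=*vmd
driver=c:\windows\system\tesk.exe
[drivers]
wave=mmdrv.dll
"""

if __name__ == "__main__":
    for finding in audit(WIN_INI, SYSTEM_INI):
        print("%s %s %s=%s" % finding)
```

On a real machine you would read C:\WINDOWS\WIN.INI and C:\WINDOWS\SYSTEM.INI into the two arguments of audit(); the checker only reports, it does not edit the files.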
Loading at startup from the Windows registry:
The following registry locations are favourite hiding places for Trojans. Under each of the branches below, check every subkey whose name starts with "Run" (Run, RunOnce, RunServices, RunServicesOnce) and the values it contains:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion
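The Run-key review just described and the file-association check from the earlier section, applied to a registry export. This is an added example, not code from the original article: it reads the text of a REGEDIT4 export (what regedit.exe /e writes) instead of the live registry, so it runs anywhere, and only string values are handled. The export at the bottom, the small allow-list of known-good Run entries, and the expected default commands (taken from what this article gives for a stock Windows 9x install) are constructed for illustration.

```python
"""Audit a REGEDIT4 export for the Run-key and file-association hijacks
described above.

Added example, not code from the original article. It reads the text of a
registry export (regedit.exe /e) instead of the live registry, so it runs
anywhere; the export at the bottom and the known-good list are constructed
for illustration. Only string (REG_SZ) values are handled.
"""
import re

# Any key under ...\CurrentVersion whose name starts with "Run"
# (Run, RunOnce, RunServices, RunServicesOnce) is an autostart location.
AUTOSTART_MARKER = r"\software\microsoft\windows\currentversion\run"

# Default open commands on a stock Windows 9x install, as the article gives
# them; compared case-insensitively with whitespace collapsed.
EXPECTED_ASSOCIATIONS = {
    "txtfile": r"C:\WINDOWS\NOTEPAD.EXE %1",
    "exefile": r'"%1" %*',
    "hlpfile": r"C:\WINDOWS\WINHLP32.EXE %1",
}

# Assumed allow-list of Run entries; a real audit would use a per-machine baseline.
KNOWN_GOOD = {"systray.exe", "scanregw.exe"}

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unescape(s):
    """Undo the .reg escaping of quotes and backslashes."""
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg(text):
    """Return {key_path: {value_name: data}}; the default value has name ''."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line) if current is not None else None
        if not m:
            continue
        name, data = m.group(1), m.group(2)
        if not (data.startswith('"') and data.endswith('"')):
            continue  # dword:/hex: values are not autostart commands
        name = "" if name == "@" else _unescape(name[1:-1])
        keys[current][name] = _unescape(data[1:-1])
    return keys


def _exe_name(command):
    """Lower-cased file name of the program a command line starts."""
    cmd = command.strip()
    if cmd.startswith('"'):
        cmd = cmd[1:].split('"', 1)[0]
    else:
        cmd = cmd.split(None, 1)[0] if cmd else ""
    return cmd.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def list_autostart(keys):
    """Every value under a Run* key, as (key_path, value_name, data)."""
    return [(path, name, data)
            for path, values in keys.items() if AUTOSTART_MARKER in path.lower()
            for name, data in values.items()]


def suspicious_autostart(keys, known_good=KNOWN_GOOD):
    """Autostart entries whose program is not on the allow-list."""
    return [e for e in list_autostart(keys) if _exe_name(e[2]) not in known_good]


def check_associations(keys, expected=EXPECTED_ASSOCIATIONS):
    """(filetype, actual, expected) for every hijacked or missing association."""
    lowered = {p.lower(): v for p, v in keys.items()}
    findings = []
    for ftype, want in expected.items():
        path = ("HKEY_CLASSES_ROOT\\%s\\shell\\open\\command" % ftype).lower()
        got = lowered.get(path, {}).get("")
        if got is None:
            findings.append((ftype, None, want))
        elif " ".join(got.split()).lower() != " ".join(want.split()).lower():
            findings.append((ftype, got, want))
    return findings


# Constructed export: an AOL-Trojan-style Winprofile entry, a RunServices
# entry, and a Glacier-style txtfile hijack next to normal values.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"Winprofile"="C:\\command.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Diagnostic Configuration"="C:\\WINDOWS\\SYSTEM\\Diagcfg.exe"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="C:\\WINDOWS\\SYSTEM\\Sysexplr.exe %1"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\hlpfile\shell\open\command]
@="C:\\WINDOWS\\WINHLP32.EXE %1"
'''

if __name__ == "__main__":
    reg = parse_reg(SAMPLE_EXPORT)
    for entry in suspicious_autostart(reg):
        print("autostart:", entry)
    for entry in check_associations(reg):
        print("association:", entry)
```

Exporting the registry to a text file and reviewing the export has a practical advantage over clicking through Registry Editor: the export can be taken while booted to DOS or from a known-clean system, and the exefile check still works when the hijacked association prevents regedit.exe itself from starting.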
Loading a Trojan from Autoexec.bat and Config.sys:
Once the control end and server end are connected, the attacker uploads files with the same names as these two startup files and overwrites them, so that the Trojan is started from them. This is not very covert, so it is uncommon, but it should not be dismissed.
Starting a Trojan from Winstart.bat:
Winstart.bat is another file that Windows 9x loads automatically. It is mostly generated by applications and by Windows itself, and it runs after Win.com or Kernel386.exe have executed and most drivers have been loaded (you can see this by pressing F8 at startup and stepping through the boot process). Because Winstart.bat can do everything Autoexec.bat does, a Trojan can be loaded from it in the same way as from Autoexec.bat.
Common troubleshooting techniques for Trojans and viruses
Now that we know where Trojans hide, killing them is naturally easy. If you find that your computer has a Trojan, the safest and most effective first step is to disconnect it from the network immediately, so that the attacker cannot reach you while you clean up, and then do the following:
- Edit Win.ini and change "run=<Trojan program>" or "load=<Trojan program>" in the [windows] section back to "run=" and "load=".
- Edit System.ini and change "shell=<Trojan file>" in the [boot] section back to "Shell=Explorer.exe".
- In the registry: first find the Trojan's file name under the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run subkey and delete it, then search the whole registry for the Trojan and delete or correct every reference. Annoyingly, not every Trojan goes away when its entry is deleted: some re-add themselves immediately. In that case note the Trojan's location (its path and file name), exit to DOS, find the file and delete it there. Restart the computer, go back into the registry and delete all remaining values that refer to the Trojan file.
Trojan cleanup examples
Glacier v1.1 registry cleanup example:
In Registry Editor open the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run subkey, find the values in the right-hand window that point to C:\winnt\system32\kernel32.exe and C:\winnt\system32\sysexplr.exe and delete them, then restart into MS-DOS and delete the Trojan files C:\winnt\system32\kernel32.exe and C:\winnt\system32\sysexplr.exe. Since Glacier also hijacks the TXT file association (see above), check that the default value of HKEY_CLASSES_ROOT\txtfile\shell\open\command once again points to Notepad.
AOL Trojan registry cleanup example:
First, in MS-DOS mode, delete the following files:
C:\command.exe
C:\americ~1.0\buddyl~1.exe
C:\windows\system\norton~1\regist~1.exe
Open Win.ini and, in the [windows] section, remove the Trojan's path from run= and load= so that they read "run=" and "load=", then save the file.
Then open the registry, go to the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run subkey, delete the value "Winprofile"="c:\command.exe" in the right-hand window, close the registry and restart the computer.
Doly v1.1-v1.5 registry cleanup example (v1.6 and v1.7 are similar):
First enter MS-DOS mode and delete the following Trojan files (the fourth, Mdm.exe, is added by version 1.35):
C:\windows\system\tesk.sys
C:\windows\start menu\programs\startup\mstesk.exe
C:\Program Files\MStesk.exe
C:\Program Files\Mdm.exe
Restart Windows, open Win.ini, replace "load=c:\windows\system\tesk.exe" in the [windows] section with "load=", and save the file.
Then open the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run subkey in the registry and delete the value "Mstesk"="C:\Program Files\MStesk.exe" in the right-hand window. Open the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ss subkey and delete everything in it (these are the Trojan's server options and settings). Finally open HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Run and delete the value "mstesk"="C:\Program Files\MStesk.exe" there as well.
Close the registry, open C:\autoexec.bat and delete the two Trojan lines (the copy and del commands; the @echo off line is a normal batch-file start):
@echo off
copy c:\sys.lon C:\windows\start menu\startup
del C:\win.reg
Save and close Autoexec.bat.
Indoctrination v0.1-v0.11 registry cleanup example:
Open the following subkeys in the registry:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
In the right-hand window of each of these subkeys delete the value:
Msgsrv16="Msgsrv16"
Close the registry, restart Windows and delete the file C:\windows\system\msgsrv16.exe.
SubSeven v1.8 registry cleanup example:
Open HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run and HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices, find the values in the right-hand window whose data contains "C:\windows\system.ini", and delete them.
Open Win.ini, change "run=kernel16.dl" to "run=", then save and close the file.
Open System.ini, change "shell=Explorer.exe kernel32.dl" to "shell=Explorer.exe", save and close the file, restart Windows, and delete the file C:\WINDOWS\KERNEL16.DL.
Guangwai Girl (广外女生) registry cleanup example:
Exit to MS-DOS mode and delete Diagcfg.exe in the system directory. Because this Trojan hooks the EXE file association, once Diagcfg.exe is gone no .exe file can be run from within Windows, including Registry Editor. So, while still in DOS, find "Regedit.exe" in the Windows directory and rename it "Regedit.com" (.com files are not affected by the hijacked exefile association).
Back in Windows, run "regedit.com". Open HKEY_CLASSES_ROOT\exefile\shell\open\command and change its default value back to "%1" %*, then delete the value "Diagnostic Configuration" under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices. Close the registry.
Go back to the Windows directory and rename "regedit.com" back to "Regedit.exe".
NetBull (Network Bull) registry cleanup example:
Under Windows 9x this Trojan bundles itself with notepad.exe, write.exe, regedit.exe, winmine.exe and winhelp.exe; under Windows NT/2000 with notepad.exe, regedit.exe, regedt32.exe, drwtsn32.exe and winmine.exe. Open:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Run
and under each of these subkeys delete the value "CheckDll.exe"="C:\windows\system\checkdll.exe".
To see whether your machine is infected, look at the files listed above: if their length has changed (grown by roughly 40 KB), delete them. Then click Start | Programs | Accessories | System Tools | System File Checker, choose "Extract one file from installation disk" in the dialog, enter the name of the file you just deleted, click OK and follow the prompts to restore each file. If third-party software that starts automatically, such as Realplay.exe or QQ, has been bundled, delete it and reinstall the program.
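The length check above, done properly: rather than eyeballing file sizes, record the size and SHA-256 of the system programs on a clean machine and compare later. This is an added example, not code from the original article; the 40 KB figure is the one the article gives for NetBull and is used only to word the finding. The file contents below are constructed byte strings standing in for real binaries, and the paths are illustrative.

```python
"""Baseline check for system programs that a bundling Trojan has grown.

Added example, not code from the original article. It records the size and
SHA-256 of each file in a trusted baseline and reports files whose contents
changed, with the size delta. The file contents below are constructed byte
strings standing in for real binaries, and the paths are illustrative.
"""
import hashlib

# Approximate growth the article reports for NetBull; used only to word the
# finding, since any content change at all deserves a look.
BUNDLE_GROWTH_HINT = 40 * 1024


def fingerprint(data):
    """(size, sha256 hex) of a file's contents."""
    return (len(data), hashlib.sha256(data).hexdigest())


def build_baseline(files):
    """files: {path: bytes} -> {path: (size, sha256)} taken on a clean machine."""
    return {path: fingerprint(data) for path, data in files.items()}


def compare_to_baseline(baseline, files):
    """Return (path, old_size, new_size, note) for each changed or missing file."""
    findings = []
    for path, (old_size, old_hash) in sorted(baseline.items()):
        if path not in files:
            findings.append((path, old_size, None, "missing"))
            continue
        new_size, new_hash = fingerprint(files[path])
        if new_hash == old_hash:
            continue
        delta = new_size - old_size
        if delta <= 0:
            note = "contents changed, size %+d bytes" % delta
        elif delta >= BUNDLE_GROWTH_HINT // 2:
            note = "grew by %d bytes, consistent with a bundled payload" % delta
        else:
            note = "grew by %d bytes" % delta
        findings.append((path, old_size, new_size, note))
    return findings


# Constructed stand-ins: a 30 KB "notepad.exe" that later has a 42 KB
# payload appended, an unchanged "write.exe", and a "winmine.exe" that
# was deleted.
_CLEAN = {
    r"C:\WINDOWS\NOTEPAD.EXE": b"MZ" + b"\x00" * 30000,
    r"C:\WINDOWS\WRITE.EXE": b"MZ" + b"\x01" * 12000,
    r"C:\WINDOWS\WINMINE.EXE": b"MZ" + b"\x02" * 8000,
}
_INFECTED = {
    r"C:\WINDOWS\NOTEPAD.EXE": _CLEAN[r"C:\WINDOWS\NOTEPAD.EXE"] + b"P" * 42000,
    r"C:\WINDOWS\WRITE.EXE": _CLEAN[r"C:\WINDOWS\WRITE.EXE"],
}

BASELINE = build_baseline(_CLEAN)

if __name__ == "__main__":
    for finding in compare_to_baseline(BASELINE, _INFECTED):
        print(finding)
```

The baseline has to be taken before infection and stored off the machine (a floppy or a printout of the hashes), otherwise a Trojan that replaces the files can replace the baseline too. A hash comparison also catches a bundler that pads the file back to its original length, which a plain length check would miss.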
Smart Gene registry cleanup example:
Delete MBBManager.exe and Explore32.exe under C:\windows, then delete Editor.exe under C:\windows\system. If the server side is already running, terminate the MBBManager.exe process with a process-management tool before deleting it.
Open HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run and delete the value "Mainbroad Backmanager". Change the default value of HKEY_CLASSES_ROOT\txtfile\shell\open\command to "C:\windows\notepad.exe %1" to restore the TXT file association, and the default value of HKEY_CLASSES_ROOT\hlpfile\shell\open\command to "C:\windows\winhlp32.exe %1" to restore the HLP file association.
These are the manual removal steps for some typical Trojans. Hopefully working through them gives you a feel for how Trojans hide and activate themselves, so that you can gradually work out the pattern and deal with new ones as they appear.