Network Bull (Netbull)
Network Bull is a domestically written Trojan; its default connection port is 23444. When the server-side program Newserver.exe is run, it copies itself to Checkdll.exe under C:\windows\system and registers that copy so that it runs automatically at the next boot, which makes it both covert and harmful. While the server is running it also bundles itself into the following files:
Under Win2000: Notepad.exe, regedit.exe, regedt32.exe, drwtsn32.exe, winmine.exe.
It also binds itself to third-party programs that start automatically at boot (for example Realplay.exe, QQ, ICQ), and it quietly roots itself in the registry as well.
Because Network Bull bundles itself into the files listed above, it is hard to clear completely. The bundling has a drawback for the attacker, though: it is easy to expose. A slightly experienced user will notice that the lengths of those files have changed and suspect a Trojan.
Purge method:
1. Remove C:\windows\system\checkdll.exe from the startup programs.
2. Remove every registry value that Network Bull created.
3. Check the files listed above. If a file's length has changed (an increase of about 40 KB; compare it with the same file on a clean machine), delete it. Then open Start → Programs → Accessories → System Tools → System Information → Tools → System File Checker, choose "Extract one file from installation disk", enter the name of the file you just deleted, click OK and follow the on-screen prompts to restore it. If third-party programs that start automatically (Realplay.exe, QQ, ICQ and so on) were bundled, delete them and reinstall them.
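The length comparison in step 3 is easy to do systematically. The following is an added example, not code from the original article: it parses two Windows `dir` listings of the system directory, one from a known-clean machine and one from the suspect machine, and reports the watched files that grew by roughly the 40 KB mentioned above, as well as files missing from either side. The listings and the file sizes in them are constructed for the example, not the real sizes of these files.

```python
"""Compare the lengths of the files Network Bull bundles itself into against
a clean machine's copies (added example; inputs are constructed samples)."""
import re

# One `dir` line: date, time, size with thousands separators, file name.
# "<DIR>" entries do not match because the size field is not numeric.
DIR_LINE = re.compile(
    r"^\s*(\d{2}/\d{2}/\d{4})\s+(\d{1,2}:\d{2}(?:[ap]|\s?[AP]M)?)\s+([\d,]+)\s+(\S.*?)\s*$"
)

# Files the article lists as bundling targets on Windows 2000.
WATCHED = frozenset({"notepad.exe", "regedit.exe", "regedt32.exe",
                     "drwtsn32.exe", "winmine.exe"})


def parse_dir_listing(text):
    """Map lower-cased file name -> size in bytes for every file line."""
    sizes = {}
    for line in text.splitlines():
        m = DIR_LINE.match(line)
        if m:
            sizes[m.group(4).lower()] = int(m.group(3).replace(",", ""))
    return sizes


def find_bundled(clean_listing, suspect_listing, min_growth=30_000,
                 max_growth=60_000, watched=WATCHED):
    """Return (name, clean_size, suspect_size, delta) for each watched file
    that grew by an amount consistent with a bundled server, and
    (name, clean_size, suspect_size, None) for files missing on one side."""
    clean = parse_dir_listing(clean_listing)
    suspect = parse_dir_listing(suspect_listing)
    hits = []
    for name in sorted(watched):
        c, s = clean.get(name), suspect.get(name)
        if c is None or s is None:
            hits.append((name, c, s, None))  # cannot compare: check by hand
            continue
        delta = s - c
        if min_growth <= delta <= max_growth:
            hits.append((name, c, s, delta))
    return hits


# Constructed listings: a clean reference machine and a suspect machine.
CLEAN_DIR = """\
 Volume in drive C has no label.
 Directory of C:\\WINDOWS\\SYSTEM

04/23/1999  10:22p      <DIR>          drivers
04/23/1999  10:22p              50,960 notepad.exe
04/23/1999  10:22p              71,952 regedit.exe
04/23/1999  10:22p              90,384 regedt32.exe
04/23/1999  10:22p              61,712 drwtsn32.exe
04/23/1999  10:22p             119,056 winmine.exe
"""

SUSPECT_DIR = """\
 Directory of C:\\WINDOWS\\SYSTEM

04/23/1999  10:22p      <DIR>          drivers
04/23/1999  10:22p              91,920 notepad.exe
04/23/1999  10:22p             113,424 regedit.exe
04/23/1999  10:22p              90,384 regedt32.exe
04/23/1999  10:22p              61,712 drwtsn32.exe
"""

if __name__ == "__main__":
    for name, c, s, delta in find_bundled(CLEAN_DIR, SUSPECT_DIR):
        status = "missing" if delta is None else f"grew by {delta} bytes"
        print(f"{name}: clean={c} suspect={s} ({status})")
```

Size alone is the check the article describes; it misses a server that pads the host file back to its original length, so where a clean copy is available a hash comparison of the two files is the stronger test.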
Netspy (Network Elf)
Netspy, also known as the Network Wizard, is a domestically written Trojan. The latest version is 3.0 and the default connection port is 7306. This version adds registry editing and browser monitoring, so the client no longer needs NetMonitor: the controlled machine can be monitored remotely through IE or Netscape Navigator. When the server-side program is executed it creates Netspy.exe in C:\windows\system and adds the value C:\windows\system\netspy.exe under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run so that it is loaded automatically when the system starts.
Purge method:
1. Reboot the machine and press F5 when the "Starting Windows..." prompt appears to get a command prompt (the F8 boot menu's "Command prompt only" entry also works). In the C:\windows\system directory enter: del Netspy.exe
2. Open HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run and delete the Netspy value. Netspy is now cleared.
SubSeven
SubSeven has more functions than BO2K (Back Orifice 2000). The latest version is 2.2 (default connection port 27374); the server is only 54.5 KB, so it is easily bundled into other software without being noticed. The latest versions of Kingsoft AntiVirus (Jinshan Duba) and other anti-virus products can detect it. The server-side program is Server.exe and the client program is SubSeven.exe. Once the SubSeven server has been executed, its process name changes every time it starts, which makes it hard to spot.
Purge method:
1. Open the Registry Editor (regedit) and go to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run and to ...\RunServices. If a loader entry is present, delete the value shown on the right, e.g. Loader = "c:\windows\system\***". Note that both the value name and the file name are random.
2. Open win.ini and check whether an executable has been appended after "run="; if so, delete it.
3. Open system.ini and check whether a file name has been appended after "shell=Explorer.exe"; if so, delete it.
4. Restart Windows and delete the Trojan program itself, normally under C:\windows\system; in a test on my own machine the file was named Vqpbk.exe.
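Steps 1 to 3 above, and the Run-key checks used for Netspy, are the same inventory every time: what will run at boot, and which of those entries a clean machine does not have. The following is an added example, not code from the original article or from any of the tools it names: it parses a `regedit /e` export of the Run and RunServices keys together with win.ini and system.ini, lists every autostart entry and flags the ones that are not on a known-good list. All three inputs are constructed samples, and the names in KNOWN_GOOD are what a clean Windows 98 export is assumed to contain; compare against an export from your own clean machine in practice.

```python
"""List the Windows 9x autostart entries the clean-up steps above walk through
and flag the ones a clean machine lacks (added example; inputs constructed)."""
import re

RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
)
# Value names assumed to be present on a clean machine's export.
KNOWN_GOOD = {"SystemTray", "LoadPowerProfile", "ScanRegistry", "TaskMonitor"}


def parse_reg_export(text):
    """Parse a .reg export into {key path: {value name: string data}}.
    Only REG_SZ values are kept; the \\ and \" escapes in the data are undone."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, data = line.split("=", 1)
            name = "(default)" if name == "@" else name.strip('"')
            if data.startswith('"') and data.endswith('"'):
                keys[current][name] = re.sub(r"\\(.)", r"\1", data[1:-1])
    return keys


def run_key_entries(reg_text):
    """Yield (key name, value name, command) for Run and RunServices."""
    keys = parse_reg_export(reg_text)
    for key in RUN_KEYS:
        for name, data in keys.get(key, {}).items():
            yield key.rsplit("\\", 1)[1], name, data


def ini_hitchhikers(win_ini, system_ini):
    """Programs started from win.ini run=/load=, and anything appended after
    Explorer.exe on the system.ini shell= line (a default install has none)."""
    found = []
    for line in win_ini.splitlines():
        m = re.match(r"^\s*(run|load)\s*=\s*(.*\S)\s*$", line, re.I)
        if m:
            found.append(("win.ini " + m.group(1).lower(), m.group(2)))
    for line in system_ini.splitlines():
        m = re.match(r"^\s*shell\s*=\s*(.*\S)\s*$", line, re.I)
        if m and len(m.group(1).split()) > 1:
            found.append(("system.ini shell", m.group(1).split(None, 1)[1]))
    return found


def review_autostart(reg_text, win_ini, system_ini, known_good=KNOWN_GOOD):
    """Return [(location, value name, command, flagged)] for every entry.
    Registry values are flagged when their name is not in known_good;
    anything found in win.ini or system.ini is always flagged."""
    report = [(key, name, cmd, name not in known_good)
              for key, name, cmd in run_key_entries(reg_text)]
    report += [(where, "", cmd, True)
               for where, cmd in ini_hitchhikers(win_ini, system_ini)]
    return report


# Constructed sample inputs (a Netspy, a SubSeven loader and a Nethief entry
# next to two legitimate Windows 98 entries).
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"Netspy"="C:\\windows\\system\\netspy.exe"
"Loader"="c:\\windows\\system\\vqpbk.exe"
"The Internet"="internet.exe /s"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
'''
SAMPLE_WIN_INI = r'''[windows]
load=
run=C:\WINDOWS\SYSTEM\vqpbk.exe
NullPort=None
'''
SAMPLE_SYSTEM_INI = r'''[boot]
shell=Explorer.exe c:\windows\system\vqpbk.exe
'''

if __name__ == "__main__":
    for where, name, cmd, flagged in review_autostart(SAMPLE_REG, SAMPLE_WIN_INI, SAMPLE_SYSTEM_INI):
        print(("FLAG " if flagged else "ok   ") + f"{where}: {name} = {cmd}")
```

Export the keys on the suspect machine with regedit /e before editing anything, so the original value names and paths (which SubSeven randomises) are on record when you go looking for the file in step 4.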
Ice (Glacier)
We describe here how to clear the standard version; dealing with Glacier variants is then easy. The server-side program is G-server.exe, the client program is G-client.exe, and the default connection port is 7626. Once G-server is run it creates Kernel32.exe and Sy***plr.exe in C:\windows\system and deletes itself. Kernel32.exe is loaded automatically when the system starts, and Sy***plr.exe is associated with .txt files. Even if you delete Kernel32.exe, opening any .txt file activates Sy***plr.exe, which recreates Kernel32.exe.
Purge method:
1. Delete Kernel32.exe and Sy***plr.exe under C:\windows\system;
2. Glacier roots itself under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run with the value C:\windows\system\kernel32.exe; delete it;
3. The same value, C:\windows\system\kernel32.exe, also appears under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices; delete it there as well;
4. Finally, restore the default value of HKEY_CLASSES_ROOT\txtfile\shell\open\command: the Trojan sets it to C:\windows\system\sy***plr.exe %1, so change it back to the normal C:\windows\notepad.exe %1. Do not open any .txt file until this step is done, or the association will recreate Kernel32.exe.
Nethief (Network Thief)
Nethief is a bounce-port Trojan. What is a "bounce-port" Trojan? It is the reverse of an ordinary Trojan: the server (controlled) side makes the connection from an active port, and the client (controlling) side listens on a passive port. For concealment the client's listening port is usually 80, so even a user who scans their own machine only sees something like "TCP server-IP:1026 client-IP:80 ESTABLISHED" and, with a moment's carelessness, assumes they are simply browsing the web.
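The connection above only looks like browsing until you ask which process owns it. The following is an added example, not code from the original article: it cross-references `netstat -ano` with `tasklist` output and reports established connections to a remote port 80 or 443 whose owning process is not a browser. Both outputs are constructed samples. The -o switch (owning PID) exists from Windows XP on; the Windows 9x netstat the article assumes cannot show it, so there the same check needs a separate port-to-process mapping tool. The browser list is an assumption for the example.

```python
"""Find established web connections that no browser owns, which is what a
bounce-port Trojan looks like from the victim's side (added example)."""
import re

NETSTAT_TCP = re.compile(r"^\s*TCP\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")
TASKLIST_ROW = re.compile(r"^(.+?)\s+(\d+)\s+\S+\s+\d+\s+[\d,]+ K\s*$")
# Processes assumed to legitimately hold outbound port-80/443 connections.
BROWSERS = {"iexplore.exe", "netscape.exe"}
WEB_PORTS = {"80", "443"}


def parse_netstat(text):
    """Return [(local, remote, state, pid)] for every TCP line of netstat -ano."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_TCP.match(line)
        if m:
            rows.append((m.group(1), m.group(2), m.group(3), int(m.group(4))))
    return rows


def parse_tasklist(text):
    """Return {pid: image name} from tasklist output (header rows do not match)."""
    procs = {}
    for line in text.splitlines():
        m = TASKLIST_ROW.match(line)
        if m:
            procs[int(m.group(2))] = m.group(1).strip()
    return procs


def suspicious_web_connections(netstat_text, tasklist_text, browsers=BROWSERS):
    """Established connections to remote port 80/443 whose owning process is
    not a browser: [(local, remote, pid, image)]. A PID that tasklist does not
    list is reported with image '?' rather than silently dropped."""
    procs = parse_tasklist(tasklist_text)
    hits = []
    for local, remote, state, pid in parse_netstat(netstat_text):
        if state != "ESTABLISHED":
            continue
        if remote.rsplit(":", 1)[1] not in WEB_PORTS:
            continue
        image = procs.get(pid, "?")
        if image.lower() not in browsers:
            hits.append((local, remote, pid, image))
    return hits


# Constructed sample outputs: one real browser session and one outbound
# connection to port 80 owned by internet.exe (the name the article gives).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       732
  TCP    192.168.1.20:1026      203.0.113.7:80         ESTABLISHED     1188
  TCP    192.168.1.20:1031      203.0.113.9:80         ESTABLISHED     1640
  TCP    192.168.1.20:1033      203.0.113.9:443        ESTABLISHED     1640
  UDP    0.0.0.0:445            *:*                                    4
"""
SAMPLE_TASKLIST = """\

Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Console                    0         16 K
iexplore.exe                  1640 Console                    0     21,944 K
internet.exe                  1188 Console                    0      2,104 K
"""

if __name__ == "__main__":
    for local, remote, pid, image in suspicious_web_connections(SAMPLE_NETSTAT, SAMPLE_TASKLIST):
        print(f"{local} -> {remote} owned by PID {pid} ({image})")
```

A hit here is a lead, not a verdict: updaters and messaging clients also talk to port 80. The decisive sign is a non-browser process that keeps an outbound connection to the same address open across reboots, which is exactly what a bounce-port server that reconnects on every start does.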
Purge method:
1. Nethief creates a value named "The Internet" under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run with the data "internet.exe /s"; delete it;
2. Delete the startup program C:\windows\system\internet.exe.
Guang Wai Girls
"Guang Wai Girls" is a recently appeared remote control tool with considerable destructive power: it can upload, download and delete files and modify the registry remotely, among other things. Worse, once its server side is executed it automatically checks whether processes such as Kingsoft AntiVirus or the Skynet firewall are running and terminates them if found, rendering the firewall completely ineffective.
Purge method:
1. Boot into pure DOS mode, find DIAGFG.EXE in the system directory and delete it;
2. In the Windows directory, rename the Registry Editor Regedit.exe to Regedit.com. (The Trojan hijacks the .exe file association, see step 4, so a .exe editor could not be started while it is in place; .com files are not affected.)
3. Return to Windows and run regedit.com from the Windows directory (the file just renamed);
4. Find HKEY_CLASSES_ROOT\exefile\shell\open\command and change its default value back to "%1" %*;
5. Delete the registry value named "Diagnostic Configuration";
6. Close the Registry Editor, return to the Windows directory and rename regedit.com back to Regedit.exe.
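Both this procedure and the Glacier one above end with a hijacked file association: Glacier puts Sy***plr.exe in front of .txt files, Guang Wai Girls puts its own program in front of every .exe. The following is an added example, not code from the original article: given the current default values of the two open commands, it names the program that has been inserted and writes the REGEDIT4 text that restores the defaults. The hijacked values are constructed samples; the article does not state the exact command Guang Wai Girls installs, so DIAGFG.EXE placed before "%1" %* is assumed here for illustration.

```python
"""Check the txtfile and exefile open commands and generate the .reg text that
restores them (added example; hijacked sample values are constructed)."""

# Default open commands on Windows 9x (notepad path as given in the article).
EXPECTED = {
    r"HKEY_CLASSES_ROOT\txtfile\shell\open\command": r"C:\windows\notepad.exe %1",
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command": '"%1" %*',
}


def first_token(cmd):
    """The program a shell command starts: the quoted path if the command
    begins with a quote, otherwise everything before the first space."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def check_association(key, value):
    """Return None when `value` is the expected default for `key`, otherwise
    the program that has been put in front of the real handler."""
    if value.strip().lower() == EXPECTED[key].lower():
        return None
    program = first_token(value)
    if key.endswith(r"\exefile\shell\open\command"):
        # The correct form starts with "%1" itself; any program before it is
        # run instead of every .exe that is launched, regedit.exe included.
        return None if program == "%1" else program
    # For .txt files the handler must be notepad.exe, wherever it lives.
    return None if program.lower().rsplit("\\", 1)[-1] == "notepad.exe" else program


def scan_associations(values):
    """values: {key: current default command}. Return {key: hijacking program}
    for every tampered key."""
    found = {}
    for key, value in values.items():
        program = check_association(key, value)
        if program:
            found[key] = program
    return found


def reg_escape(s):
    """REG_SZ data in a .reg file doubles backslashes and escapes quotes."""
    return s.replace("\\", "\\\\").replace('"', '\\"')


def repair_reg(findings):
    """Build a REGEDIT4 file restoring the default command for every key in
    `findings` (the dict returned by scan_associations)."""
    lines = ["REGEDIT4", ""]
    for key in findings:
        lines += [f"[{key}]", f'@="{reg_escape(EXPECTED[key])}"', ""]
    return "\n".join(lines)


# Constructed sample: both associations hijacked, as after Glacier and
# Guang Wai Girls. The exefile command is an assumed form, see lead-in.
SAMPLE_VALUES = {
    r"HKEY_CLASSES_ROOT\txtfile\shell\open\command": r"C:\windows\system\sy***plr.exe %1",
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command": r'C:\WINDOWS\SYSTEM\DIAGFG.EXE "%1" %*',
}

if __name__ == "__main__":
    found = scan_associations(SAMPLE_VALUES)
    for key, program in found.items():
        print(f"{key.rsplit(chr(92), 4)[1]}: hijacked by {program}")
    print(repair_reg(found))
```

Because the .exe association is the thing being repaired, the generated file has to be imported with the renamed editor from step 2, for example regedit.com /s fix.reg; importing it with regedit.exe would simply run the hijacker again.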
WAY2.4
WAY2.4 is a domestically written Trojan with default connection port 8011. Its registry handling is its distinctive feature: reading and writing the controlled machine's registry is as convenient as working with the local one. When the WAY2.4 server runs it creates Msgsvc.exe in C:\windows\system with a text-file icon, which hides it well; it apparently intends to pass for the system file Msgsvc32.exe. It also adds the string value Msgtask under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run.
Purge method:
Look with a process management tool and you will find its process (named cway). Delete its registry value, then delete C:\windows\system\Msgsvc.exe.
Note that Msgsvc.exe cannot be deleted directly from within Windows while it is running; terminate its process with the process management tool first and then delete it, or delete it from DOS. If the server has been bundled into an executable, only that executable can be deleted; make a backup before deleting it.