Seven methods for clearing common Trojans

Source: Internet
Author: User
Tags: ini

Network Bull (Netbull)

Netbull is a Chinese Trojan whose default connection port is 23444. When the server program newserver.exe runs, it turns itself into checkdll.exe in C:\Windows\System, and checkdll.exe is then launched automatically at every subsequent boot, which makes it well hidden and very harmful. At the same time, once the server has run it binds itself to the following files:

Win2000: notepad.exe, regedit.exe, regedt32.exe, drwtsn32.exe, winmine.exe.

After the server has run it also binds itself to third-party software that starts automatically at boot, such as realplay.exe, QQ and ICQ, and it quietly plants its own entries in the registry.

Because Netbull uses a file-bundling function to attach itself to the files listed above, it is hard to remove cleanly. The bundling also works against the Trojan: it gives itself away. Anyone with a little experience will notice that the length of those files has changed and suspect a Trojan.

Clear method:

1. Delete Netbull's self-starting program, C:\Windows\System\CheckDll.exe.

2. Delete all the registry values created by Netbull.

3. Check the files listed above. If a file's length has changed (it grows by about 40 KB), compare it with a clean copy on another host and delete it. Then click Start > Accessories > System Tools > System Information > Tools > System File Checker, select "Extract one file from installation disk" in the dialog box, enter the name of the file you deleted, click OK and follow the on-screen prompts to restore it. If third-party software that runs at startup, such as realplay.exe, QQ or ICQ, was bundled, delete those files and reinstall the software.
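Step 3 is a manual length comparison against clean files on another host. The following is an added example, not code from the original article, that automates that comparison: it records the size and SHA-256 digest of the bundle targets on a clean reference machine and reports which files grew (the appended-Trojan pattern described above), which were modified without growing, and which are missing. Hashing goes beyond the article's length check so that a same-size modification is also caught. The directories and file contents in `demo()` are constructed placeholders, not real Windows binaries.

```python
import hashlib
import os
import tempfile

# Files the article names as Netbull bundle targets on Windows 2000.
BUNDLE_TARGETS = ["notepad.exe", "regedit.exe", "regedt32.exe",
                  "drwtsn32.exe", "winmine.exe"]


def fingerprint(path):
    """Return (size in bytes, SHA-256 hex digest) of one file."""
    digest = hashlib.sha256()
    size = 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
            size += len(chunk)
    return size, digest.hexdigest()


def take_baseline(directory, names=BUNDLE_TARGETS):
    """Fingerprint each named file in a clean reference directory
    (the 'normal files on other hosts' the article compares against)."""
    return {name: fingerprint(os.path.join(directory, name)) for name in names}


def compare(directory, baseline):
    """Classify every baselined file as it appears in the suspect directory."""
    report = {}
    for name, (size, digest) in baseline.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            report[name] = "missing"
            continue
        cur_size, cur_digest = fingerprint(path)
        if cur_digest == digest:
            report[name] = "ok"
        elif cur_size > size:
            # The pattern the article describes: a copy of the Trojan
            # appended to a legitimate program.
            report[name] = f"grew by {cur_size - size} bytes"
        else:
            report[name] = "modified, size not increased"
    return report


def demo():
    """Build a clean directory and a tampered copy of it, then compare.
    All file contents are constructed placeholders, not real binaries."""
    with tempfile.TemporaryDirectory() as clean, \
            tempfile.TemporaryDirectory() as suspect:
        for name in BUNDLE_TARGETS:
            content = name.encode() * 100
            for directory in (clean, suspect):
                with open(os.path.join(directory, name), "wb") as f:
                    f.write(content)
        # Simulate bundling: about 40 KB appended to notepad.exe.
        with open(os.path.join(suspect, "notepad.exe"), "ab") as f:
            f.write(b"\x90" * 40 * 1024)
        # Same-size tampering that a length check alone would miss.
        with open(os.path.join(suspect, "regedit.exe"), "r+b") as f:
            f.write(b"X")
        # A bundle target that was deleted and not restored.
        os.remove(os.path.join(suspect, "winmine.exe"))
        return compare(suspect, take_baseline(clean))


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:14} {status}")
```

In practice you would run `take_baseline` on a known-clean host with the same Windows build and service pack, carry the resulting dictionary over, and run `compare` against the suspect machine's System directory; any file reported as grown is a candidate for deletion and restoration with System File Checker as described in step 3.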

Netspy

Netspy, also known as the Network Genie, is a Chinese Trojan. The latest version is 3.0 and its default connection port is 7306. This version adds registry editing and browser monitoring, and the client can now monitor the target remotely through IE or Netscape Navigator without using NetMonitor. After the server program is executed, netspy.exe is created in the C:\Windows\System directory, and a value pointing to C:\Windows\System\netspy.exe is added under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run so that it is loaded and run at every system startup.

Clear method:

1. Restart the machine and press F5 when "Starting Windows..." appears to boot to the command prompt, then run del netspy.exe in the C:\Windows\System directory;

2. Open HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run and delete the Netspy value. Netspy is then completely removed.

SubSeven

Compared with BO2K, SubSeven is no less capable. The latest version is 2.2 (default connection port 27374) and the server is only 54.5 KB, so it is easily bundled with other software without being noticed; even current anti-virus products such as Kingsoft AntiVirus (Duba) fail to detect it. The server program is server.exe and the client program is subseven.exe. Once the SubSeven server runs, the process name it starts under changes every time, which makes it hard to find.

Clear method:

1. Open Regedit and go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and RunServices. If a file is loaded from either key, delete the value shown in the right pane, which has the form loader = "c:\windows\system\***". Note: both the value name ("loader") and the file name are randomized.

2. Open the win.ini file and check whether an executable file name has been added after "run="; if so, delete it.

3. Open the system.ini file and check the shell= line in the [boot] section: if another executable file name follows Explorer.exe, delete that name (leaving shell=Explorer.exe).

4. Restart Windows and delete the Trojan program itself, which is normally in C:\Windows\System; on the machine where I ran this test, the file was named vqpbk.exe.
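The SubSeven steps above, like Netbull step 2 and Netspy step 2, come down to reviewing the same three Windows 9x autostart locations: the Run/RunServices registry keys, run= in win.ini, and shell= in system.ini. The following is an added example, not code from the original article, that performs that review over exported data so it can be run offline. The INI text and the registry entries are constructed samples; "vqpbk.exe" is borrowed from the article's own test as a stand-in for the randomly named loader, and the KNOWN_GOOD allowlist is an assumption to be tuned per machine. It goes slightly beyond the article by also checking load= in win.ini, which is an autostart hook of the same kind.

```python
import ntpath

# Constructed sample of C:\Windows\win.ini with an executable appended to run=.
SAMPLE_WIN_INI = """\
[windows]
load=
run=c:\\windows\\system\\vqpbk.exe
NullPort=None

[Desktop]
Wallpaper=(None)
"""

# Constructed sample of C:\Windows\system.ini with a second program after Explorer.exe.
SAMPLE_SYSTEM_INI = """\
[boot]
shell=Explorer.exe vqpbk.exe
system.drv=system.drv

[386Enh]
device=*vmm32
"""

# Constructed export of Run / RunServices values as (key, value name, value data).
SAMPLE_RUN_ENTRIES = [
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "SystemTray", "SysTray.Exe"),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "loader",
     r"c:\windows\system\vqpbk.exe"),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices", "ScanRegistry",
     r"c:\windows\scanregw.exe /autorun"),
]

# Assumed allowlist of programs that legitimately autostart from the Windows directory.
KNOWN_GOOD = {"systray.exe", "scanregw.exe"}


def parse_ini(text):
    """Minimal case-insensitive INI parser: {section: {key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections


def check_win_ini(text):
    """Flag anything after run= or load= in the [windows] section."""
    windows = parse_ini(text).get("windows", {})
    return [f"win.ini [windows] {key}={windows[key]}"
            for key in ("run", "load") if windows.get(key)]


def check_system_ini(text):
    """Flag system.ini [boot] shell= when it is not exactly Explorer.exe."""
    shell = parse_ini(text).get("boot", {}).get("shell", "")
    parts = shell.split()
    if parts and parts[0].lower() != "explorer.exe":
        return [f"system.ini [boot] shell= replaced: {shell}"]
    if len(parts) > 1:
        return ["system.ini [boot] shell= has extra program(s) after Explorer.exe: "
                + " ".join(parts[1:])]
    return []


def program_name(command):
    """File name of the program a Run value launches, handling quoted paths."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        token = command[1:end] if end > 0 else command[1:]
    else:
        token = command.split()[0] if command else ""
    return ntpath.basename(token).lower()


def check_run_keys(entries, known_good=KNOWN_GOOD):
    """Report every Run/RunServices value not on the allowlist; the random
    'loader' name means the value name itself cannot be relied on."""
    findings = []
    for key, name, data in entries:
        if program_name(data) not in known_good:
            where = " (in the System directory)" if "\\system\\" in data.lower() else ""
            findings.append(f"{key}\\{name} = {data}{where}")
    return findings


def audit(win_ini=SAMPLE_WIN_INI, system_ini=SAMPLE_SYSTEM_INI, run_entries=SAMPLE_RUN_ENTRIES):
    """Run all three checks and return the combined list of findings."""
    return check_win_ini(win_ini) + check_system_ini(system_ini) + check_run_keys(run_entries)


if __name__ == "__main__":
    for finding in audit():
        print("REVIEW:", finding)
```

On a real machine you would feed `audit()` the contents of C:\Windows\win.ini and system.ini and a list built from `reg export` (or winreg on the target itself) of the Run and RunServices keys. Each finding is a candidate for the corresponding deletion in the steps above; the allowlist keeps ordinary entries such as SystemTray out of the report, and anything launched from the System directory is called out because that is where both Netbull and SubSeven place their loaders.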

Glacier

We cover the standard edition here; once you know how to clear it, Glacier variants are handled the same way. The Glacier server program is g-server.exe, the client program is g-client.exe, and the default connection port is 7626. Once G-server runs, it creates kernel32.exe and sy***plr.exe in the C:\Windows\System directory and deletes itself. kernel32.exe is loaded and run automatically at system startup, and sy***plr.exe is associated with .txt files, so it is relaunched whenever a text file is opened.


Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.
