Universal trojan detection and removal

Source: Internet
Author: User

A trojan does its best to conceal itself. Hiding from the taskbar is the most basic method: as long as the program sets its form's Visible property to False and ShowInTaskBar to False, it will not appear in the taskbar while it runs. Hiding from the Task Manager is done by registering the program as a "system service", which disguises it easily. Of course, it also has to start quietly: a hacker will not expect the user to click the "trojan" icon after every boot to run the server, so the "trojan" is loaded automatically every time the user starts the computer. When Windows starts, the system automatically loads the applications listed in a few places, and trojans use all of them: the Startup group, win.ini, system.ini, and the registry.
The following describes how a trojan is loaded automatically. In the win.ini file, the "run=" and "load=" lines under [windows] are possible ways to load the "trojan" program, and you must examine them carefully. Normally there should be nothing after their equal signs. If you find a path and file name after them that is not a startup file you are familiar with, your computer may be infected with a "trojan". Of course, you have to look closely, because many "trojans", such as the "AOL Trojan", disguise themselves as command.exe (the real system file is command.com); if you are not careful, you may not notice that it is not a real system startup file (especially on Windows).
In the system.ini file, there is a "shell=file name" line under [boot]. The file name specified there should be "Explorer.exe". If it is not simply "Explorer.exe" but "shell=Explorer.exe program name", the program that follows is the "trojan" program, which means your computer is already infected with a trojan. The situation in the registry is the most complex. Open the Registry Editor with the regedit command and go to "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" to check whether any value refers to an unfamiliar automatic startup file with the extension EXE. Remember that some files generated by the "trojan" program have names similar to system files so that they pass through disguise. For example, the "Acid Battery v1.0 Trojan" changes the Explorer value under "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" to Explorer="C:\WINDOWS\expiorer.exe"; the only difference between the trojan program and the real Explorer is an "i" in place of the "l". Of course, there are many other places in the registry where a "trojan" program can hide, such as "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" and "HKEY_USERS\***\Software\Microsoft\Windows\CurrentVersion\Run". The best way is to find the file name of the trojan program under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run and then search the entire registry for it.

Once you know how a trojan works, it is easy to find and remove it. If a trojan is present, the most effective first step is to disconnect the computer from the network immediately, so that hackers cannot attack you through the network. Edit the win.ini file: under [windows], change "run="trojan" program" or "load="trojan" program" back to "run=" and "load=". Edit the system.ini file: under [boot], change "shell='trojan' file" back to "shell=Explorer.exe". In the registry, use regedit to find the file name of the trojan program under "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run", then search for and remove the "trojan" program entries throughout the entire registry. Note that for some "trojan" programs you should not directly delete the "trojan" value under "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run": with some "trojans", such as the BladeRunner "trojan", if you delete the value, the trojan adds it back immediately. In that case, write down the trojan's name and directory, return to MS-DOS, find the trojan file and delete it, restart the computer, and then delete the values for all trojan files in the registry. At this point, you have succeeded.
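The three checks above (win.ini run= and load=, the system.ini shell= line, and the registry Run key) can be scripted against a baseline of startup programs you know are legitimate. The following is an added example, not code from the original article; it reads constructed sample data rather than a live machine, and the KNOWN_GOOD baseline and the lookalike heuristic (same name with a different extension, or a name one character off a system file, as in command.exe and expiorer.exe) are the editor's assumptions.

```python
import os

# Constructed samples (not from a real machine): one suspect entry in each autostart location.
WIN_INI = "[windows]\nload=\nrun=C:\\WINDOWS\\command.exe\n[desktop]\nWallpaper=(None)\n"
SYSTEM_INI = "[boot]\nshell=Explorer.exe C:\\WINDOWS\\srv.exe\n[386Enh]\n"
RUN_KEY = {"SystemTray": "SysTray.Exe", "Explorer": "C:\\WINDOWS\\expiorer.exe"}
# Assumed baseline of programs this machine legitimately starts; extend it per system.
KNOWN_GOOD = {"explorer.exe", "systray.exe", "command.com"}

def basename(path):
    """Last path component, lower-cased, accepting DOS backslashes on any host."""
    return os.path.basename(path.replace("\\", "/")).lower()
def parse_ini(text):
    """Minimal .ini parser: {section: {key: value}} with lower-cased names."""
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].lower(), {})
        elif "=" in line and current is not None and not line.startswith(";"):
            key, _, value = line.partition("=")
            current[key.strip().lower()] = value.strip()
    return sections
def lookalike(program):
    """System file that a name imitates (expiorer.exe, command.exe), else None."""
    stem, ext = os.path.splitext(basename(program))
    for good in KNOWN_GOOD - {stem + ext}:
        gstem, gext = os.path.splitext(good)
        one_off = len(stem) == len(gstem) and sum(a != b for a, b in zip(stem, gstem)) == 1
        if (stem == gstem and ext != gext) or (ext == gext and one_off):
            return good
    return None
def describe(program):
    hit = lookalike(program)
    return f"{program} ({'imitates ' + hit if hit else 'not in baseline'})"
def audit_win_ini(text):
    """[windows] run= and load= should be empty; anything after '=' is a finding."""
    win = parse_ini(text).get("windows", {})
    return [(f"win.ini {k}=", describe(win[k])) for k in ("run", "load") if win.get(k)]
def audit_system_ini(text):
    """[boot] shell= should be exactly Explorer.exe; trailing programs are findings."""
    shell = parse_ini(text).get("boot", {}).get("shell", "")
    extra = shell.split()[1:] if shell.lower().startswith("explorer.exe") else [shell]
    return [("system.ini shell=", describe(p)) for p in extra if p]
def audit_run_key(values):
    """Flag every Run value whose program is outside the baseline (or imitates one)."""
    return [(f"Run\\{n}", describe(d)) for n, d in values.items()
            if d.strip() and basename(d.split()[0]) not in KNOWN_GOOD]
def audit_all():
    return audit_win_ini(WIN_INI) + audit_system_ini(SYSTEM_INI) + audit_run_key(RUN_KEY)
```

On a live system, feed it the contents of C:\WINDOWS\win.ini and system.ini and the values of the Run key; every entry it reports is a candidate for the manual inspection described above.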

What should I do if a virus is detected but cannot be cleared?


Q: What should I do if a virus is detected but cannot be cleared in security mode or in Windows?

A: Because of the special nature of some directories and files, the viruses in them cannot be cleared directly (even using methods such as scanning in safe mode), and special methods are needed to clear the infected files. The common cases are listed below.

1. The infected files are in the Temporary Internet Files directory.

Windows protects the files in this directory (unconfirmed), so the files there cannot be cleared even in safe mode. In this case, close other programs, open IE, select "Tools" > "Internet Options" from the IE toolbar and click "Delete Files". If you are prompted with "Delete all offline content", delete that as well.

2. The infected files are in the _RESTORE directory or the System Volume Information directory.

This is the directory where System Restore stores its restore points. It exists only on Windows Me/XP and is protected by the system. In this case, you need to turn off the "System Restore" function, delete the infected files, and possibly delete the entire directory. To disable System Restore: on Windows Me, disable System Restore and delete the files under DOS; on XP, right-click "My Computer", select "Properties" > "System Restore" > "Turn off System Restore on all drives", and click "OK" to exit.

3. The infected files are in .rar, .zip, .cab, or other compressed files.

Currently, few anti-virus programs can directly clean infected files inside compressed archives, and support even for some common compression formats is incomplete. Therefore, most anti-virus software can only detect the infected files inside compressed files but cannot clear them directly. In addition, some encrypted compressed files cannot be cleared directly at all.

To clear a virus in a compressed file, we recommend that you decompress the file and then clear it, or use the anti-virus plug-in function of the compression tool to disinfect the infected compressed file.

4. The virus is in the boot sector or in the SUHDLOG.DAT or SUHDLOG.BAK file.

This type of virus is generally a boot sector virus, and the reported virus name usually contains the words "boot" or "wyx". If the virus exists only on a removable storage device (such as a floppy disk, flash drive, or portable hard disk), you can use the anti-virus software on the local hard disk to scan and clean it directly. If the virus is on the hard disk, you need to boot from a clean boot disk before scanning and cleaning.

We recommend that you use a clean floppy disk to scan for and remove the virus. However, before you do so, you must back up the original boot sector, especially when other operating systems are installed, such as Windows and Linux.

If you do not have a clean boot disk, you can use the following method for emergency virus removal:
(1) Make a clean boot disk on another computer. This boot disk can be created on Windows 95/98/ME through "Add/Remove Programs", but note that the operating system used to make the floppy disk must be the same as the operating system you use;
(2) Use this floppy disk to boot the infected computer, and then run the following commands:
A:\> fdisk /mbr
A:\> sys a: c:
If the infected files are SUHDLOG.DAT or SUHDLOG.BAK, delete them directly. These are backup files that the system made of the hard disk boot sector during installation; they are not used in normal operation, so the virus in them is inactive.

5. The extensions of the infected files are .vir, .kav, or .kbk.

These are generally backup copies that some anti-virus software made of the original infected files. Normally, if you confirm that these files are useless, delete them.

6. The infected files are inside mail files such as .dbx, .eml, and .box.

Some anti-virus software can directly check whether the messages in these mail files are infected, but often cannot operate on the files directly. For a mailbox containing a virus, find the message containing the virus using the information provided by the anti-virus software, then delete the attachment in that message or delete the message. If it is an .eml or .nws message file containing the virus, open it with the relevant mail software, confirm the message and its attachment, and then delete the relevant content. Generally, large numbers of .eml and .nws files are generated automatically by viruses, and we recommend that you delete them directly.

7. The file contains residual virus code.

The most common cases are residual code from CIH, Funlove, macro viruses (including macro viruses in Word, Excel, PowerPoint, and WordPro documents) and some web page viruses. Anti-virus software generally reports such files with a suffix appended to the virus name, such as .int or .app, which is uncommon, for example W32/FunLove.app or W32.Funlove.int. Under normal circumstances, residual code does not affect the running of normal programs and does not infect anything. If you need to clear it completely, you must clear it according to the actual situation.

8. File errors.

Such cases are not common. Generally, some anti-virus software removes the virus from the original file without repairing the file properly, which makes the file unusable and may also cause false positives in other anti-virus software. These files can be deleted directly.

9. Encrypted files or directories.

For encrypted files or directories, decrypt them first and then scan for and remove the virus.

10. Shared directories.

There are two scenarios: a local shared directory and a remote shared directory on the network (including mapped drives). When infected files in a locally shared directory cannot be cleared, it is usually because other users on the LAN are reading and writing these files, so the virus in them cannot be cleared directly during scanning; or a virus on another machine is writing to these directories, so that files are re-infected or new virus files are generated continuously after cleaning. In both cases, we recommend that you cancel the share and thoroughly scan and clean the shared directory. When restoring the share, be sure not to grant overly broad permissions, and add a password to the shared directory. When cleaning a remote shared directory (including a mapped drive), make sure the operating system of the local computer is clean and that you have full read and write permissions on the shared directory. If the remote computer is infected, we recommend that you scan and clean the virus directly on the remote computer. In particular, when removing other viruses, we recommend that you cancel all local shares first and then perform the clean-up. In normal use, you should also pay attention to the security of shared directories, add passwords, and avoid reading files in a remote shared directory directly if possible; we recommend copying the data to the local computer and checking it for viruses before working on it.

11. Light
