2025-01-19 Update. From: SLTechnology News&Howtos (Servers)
Shulou (Shulou.com) 06/01 Report
This article explains how to remove a Trojan horse on Windows XP. It is quite detailed and has some reference value; interested readers should read it through.
A Trojan horse is a remotely controlled hacking tool, and its stealth and destructive potential should not be underestimated. Windows XP is a relatively easy target, so XP users need to learn how to remove a Trojan by hand.
Where Trojans hide, and general techniques for finding them
● Starting the Trojan from Win.ini:
The [windows] section of Win.ini contains the startup entries "load=" and "run=". Normally nothing follows the "=". If a program does follow it, for example:
Run=C:\Windows\file.exe
Load=C:\Windows\file.exe
then this file.exe is very likely a Trojan program.
● Modifying file associations in the Windows XP registry:
Modifying file associations in the registry is a common Trojan technique; how the associations themselves are edited was described in the earlier articles in this series. Normally a txt file is opened by Notepad.exe, but once the file type is associated with a Trojan, opening a txt file launches the Trojan instead. The well-known domestic Trojan "Glacier", for example, changes the "(Default)" value of the HKEY_CLASSES_ROOT\txtfile\shell\open\command subkey from "C:\Windows\notepad.exe %1" to "C:\Windows\System\Sysexplr.exe", so that double-clicking a txt file, which should open it in Notepad, now starts the Trojan program. Nor is it only txt files: other file types such as htm, exe, zip and com are Trojan targets too, so be careful.
For this kind of Trojan, the only check is to open the shell\open\command subkey branch of each file type under HKEY_CLASSES_ROOT in the registry and confirm that its value is normal.
● Bundling the Trojan with a Windows XP program:
For this trigger to work, the controlling side and the server must first have established a connection through the Trojan. The attacker on the controlling side then uses a tool to bundle the Trojan file with an application and uploads it to the server, overwriting the original file. After that, even if the Trojan itself is deleted, it is reinstalled as soon as the bundled application is run. If it is bundled into a system file, the Trojan starts every time Windows XP starts.
● Starting the Trojan from System.ini:
The shell=Explorer.exe line in the [boot] section of System.ini is a favourite hiding place for Trojans. The usual trick is to change the line to:
Shell=Explorer.exe file.exe
where file.exe is the Trojan server program.
In addition, check the "driver=path\program name" entries in the [386Enh] section, because they may also be used by Trojans. The three sections [mci], [drivers] and [drivers32] also load drivers, so they are ideal places to add a Trojan as well.
● Loading and running the Trojan from the Windows XP registry:
The following registry locations are preferred hiding places for Trojans:
All values under the keys whose names begin with "Run" beneath the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion subkey branch.
All values under the keys whose names begin with "Run" beneath the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion subkey branch.
All values under the keys whose names begin with "Run" beneath the HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion subkey branch.
● Loading and running the Trojan from Autoexec.bat and Config.sys:
Here the controlling side establishes a connection to the server and uploads files of the same names, into which a Trojan startup command has been added, so that they overwrite the two original files and the Trojan starts from them. This method is not very well hidden, so it is rare, but it should not be taken lightly.
● Starting the Trojan from Winstart.bat:
Winstart.bat is another file that Windows XP loads and runs automatically. It is usually generated by applications and by Windows itself, and it runs after Win.com or Kernel386.exe has executed and most drivers have been loaded (you can see this by pressing F8 at startup, choosing the step-by-step startup option and tracking the boot process). Because Winstart.bat can take over the role of Autoexec.bat, a Trojan can be loaded and run from it exactly as from Autoexec.bat.
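The registry checks described above (the Run* keys under HKLM, HKCU and HKU\.DEFAULT, and the shell\open\command value of each file type) can be automated over a `reg export` text file taken from the machine. The following is an added example, not code from the original article: it parses a constructed .reg export, lists every autostart value not on an allowlist, and compares each file type's open command with the handler expected on a clean XP install. The `EXPECTED_OPEN_COMMANDS` table and the `known_good` allowlist are assumptions you would fill in for your own system; the Sysexplr.exe entries in the sample mirror the Glacier example from the article, and everything else in the sample is invented.

```python
import re

# Constructed sample of a `reg export` (.reg) text file. The Sysexplr.exe entries
# mirror the Glacier example from the article; every other value is invented.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"Updater"="C:\\Windows\\System\\Sysexplr.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Cleanup"="C:\\Documents and Settings\\user\\Local Settings\\Temp\\file.exe"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="C:\\Windows\\System\\Sysexplr.exe %1"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
'''

# The three Run* locations named in the article (HKLM, HKCU and HKU\.DEFAULT);
# the prefix match also covers RunOnce, RunServices and similar keys.
RUN_KEY = re.compile(
    r'^HKEY_(LOCAL_MACHINE|CURRENT_USER|USERS\\\.DEFAULT)'
    r'\\Software\\Microsoft\\Windows\\CurrentVersion\\Run',
    re.IGNORECASE,
)

# Assumed program (lowercase basename) behind each file type's shell\open\command
# on a clean XP install. exefile legitimately launches "%1" itself.
EXPECTED_OPEN_COMMANDS = {
    "txtfile": "notepad.exe",
    "exefile": "%1",
}

_VALUE_LINE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def parse_reg(text):
    """Parse .reg export text into {key_path: {value_name: data}}.
    Only string (REG_SZ) data is decoded; '@' is the key's default value."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = _VALUE_LINE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else m.group(2)
            data = m.group(3)
            if data.startswith('"') and data.endswith('"'):
                # .reg escapes backslash and quote with a leading backslash
                data = re.sub(r'\\(.)', r'\1', data[1:-1])
            keys[current][name] = data
    return keys


def executable_of(command):
    """Lowercased basename of the program a command line launches."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        exe = command[1:end] if end > 0 else command[1:]
    else:
        exe = command.split()[0] if command else ""
    return exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def audit_run_keys(keys, known_good=frozenset()):
    """Every autostart value under a Run* key whose name is not allowlisted,
    returned as (key_path, value_name, data)."""
    return [
        (path, name, data)
        for path, values in keys.items() if RUN_KEY.match(path)
        for name, data in values.items() if name not in known_good
    ]


def audit_file_associations(keys, expected=EXPECTED_OPEN_COMMANDS):
    """File types whose open command no longer launches the expected program."""
    findings = []
    for ftype, program in expected.items():
        path = "HKEY_CLASSES_ROOT\\" + ftype + "\\shell\\open\\command"
        command = keys.get(path, {}).get("@", "")
        if executable_of(command) != program:
            findings.append((ftype, command))
    return findings


if __name__ == "__main__":
    parsed = parse_reg(SAMPLE_REG)
    for finding in audit_run_keys(parsed, known_good={"SoundMan"}):
        print("autostart value to review:", finding)
    for finding in audit_file_associations(parsed):
        print("hijacked association:", finding)
```

On the sample, the txtfile association is reported because its command launches Sysexplr.exe rather than notepad.exe, while exefile passes; both non-allowlisted Run entries are listed for review. Comparing only the executable's basename keeps the check independent of whether the path is written as C:\Windows\... or %SystemRoot%\..., but it also means a Trojan named notepad.exe in another directory would pass, so the full command is returned alongside the file type for a human to confirm.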
General techniques for removing a Trojan horse
Now that we know where Trojans hide, detecting and removing them is straightforward. If you find that your computer has been hit by a Trojan, the safest and most effective first step is to disconnect it from the network immediately, so that the attacker cannot keep reaching it over the network; then perform the following steps:
● Edit the Win.ini file and change any "run=Trojan" or "load=Trojan" entry under the [windows] section back to "run=" or "load=".
● Edit the System.ini file and change "shell=Trojan file" under the [boot] section back to "shell=Explorer.exe".
● Edit the Windows XP registry: first find the file name of the Trojan program under the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run subkey branch and delete it, then search the entire registry for the Trojan program and delete or replace every occurrence. The annoying part is that not every Trojan is gone once its entries are deleted: some re-add themselves immediately after deletion. In that case, note down the Trojan's location, that is, its path and file name, then boot into DOS, find that file and delete it. Restart the computer, return to the registry and delete the registry keys of all the Trojan files.
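The first two removal steps, and the matching Win.ini and System.ini checks from the list of hiding places, amount to a fixed rule set: [windows] load= and run= must be empty, and [boot] shell= must be exactly Explorer.exe. The following is an added example, not code from the original article: it audits constructed Win.ini and System.ini contents against those rules, lists the [386Enh], [mci], [drivers] and [drivers32] entries the article says to review by hand, and produces a cleaned copy in which only the offending lines are reset. The rule table and the sample file contents are assumptions built for the demonstration; on a real machine the text would come from reading the two files in the Windows directory.

```python
# Expected value of each (section, key) on a clean system, per the article:
# nothing after load=/run= in Win.ini, plain Explorer.exe for shell= in System.ini.
CLEAN_RULES = {
    ("windows", "load"): "",
    ("windows", "run"): "",
    ("boot", "shell"): "Explorer.exe",
}

# Sections whose entries the article says to inspect by hand.
REVIEW_SECTIONS = {"386enh", "mci", "drivers", "drivers32"}

# Constructed sample file contents (not taken from any real system).
SAMPLE_WIN_INI = """[windows]
load=C:\\Windows\\file.exe
run=
NullPort=None
[Desktop]
Wallpaper=(None)
"""

SAMPLE_SYSTEM_INI = """[boot]
shell=Explorer.exe file.exe
drivers=mmsystem.dll
[386Enh]
device=*vmouse
"""


def iter_entries(text):
    """Yield (line_index, section, key, value) for every key=value line.
    Section and key are lowercased for comparison; comments are skipped."""
    section = None
    for index, raw in enumerate(text.splitlines()):
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif "=" in line and not line.startswith(";"):
            key, value = line.split("=", 1)
            yield index, section, key.strip().lower(), value.strip()


def audit_ini(text, rules=CLEAN_RULES):
    """Entries that deviate from the expected value, as (section, key, value)."""
    findings = []
    for _, section, key, value in iter_entries(text):
        expected = rules.get((section, key))
        if expected is not None and value.lower() != expected.lower():
            findings.append((section, key, value))
    return findings


def entries_for_review(text, sections=REVIEW_SECTIONS):
    """Driver-loading entries the article says to check manually."""
    return [(section, key, value)
            for _, section, key, value in iter_entries(text)
            if section in sections]


def clean_ini(text, rules=CLEAN_RULES):
    """Return the file text with every rule violation reset to its expected
    value. All other lines, including the original key spelling, are kept."""
    lines = text.splitlines()
    for index, section, key, value in iter_entries(text):
        expected = rules.get((section, key))
        if expected is not None and value.lower() != expected.lower():
            left = lines[index].split("=", 1)[0]
            lines[index] = f"{left}={expected}"
    return "\n".join(lines) + ("\n" if text.endswith("\n") else "")


if __name__ == "__main__":
    for name, content in (("Win.ini", SAMPLE_WIN_INI), ("System.ini", SAMPLE_SYSTEM_INI)):
        for finding in audit_ini(content):
            print(f"{name}: suspicious entry {finding}")
        for entry in entries_for_review(content):
            print(f"{name}: review by hand {entry}")
        print(f"--- cleaned {name} ---")
        print(clean_ini(content), end="")
```

Running the sample reports load=C:\Windows\file.exe in Win.ini and shell=Explorer.exe file.exe in System.ini, flags the [386Enh] device= line for manual review, and the cleaned output passes a second audit. The cleaner only rewrites lines that violate a rule, so it is safe to diff against the original before writing it back; the file named in the load= line is what the article's later step tells you to delete from DOS.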
A Trojan horse slips into the system unnoticed, which many users never detect, and its obscure hiding places make it even harder to deal with. Users can only invest the time and patience to sweep out the mines hidden in the system and keep it secure.
That is the whole of the article "How to remove a Trojan horse in XP". Thank you for reading! I hope the content shared here helps you; for more related knowledge, follow the industry information channel.