[Original poster]:
A universal method for detecting and removing Trojans
A Trojan program will do everything it can to hide itself. The main techniques are: hiding from the taskbar, which is the most basic one. Simply setting the Form's Visible property to False and ShowInTaskBar to False keeps the program out of the taskbar while it runs. Hiding from the Task Manager: registering the program as a "system service" is an easy way to disguise it. Of course it also starts silently; the attacker certainly does not expect the user to click a Trojan icon after every boot to run the server component, so the Trojan loads itself automatically every time the user starts the machine. Trojans use every method Windows offers for loading applications at startup: the Startup group, Win.ini, System.ini and the registry are all good hiding places for a Trojan.
Now to the specifics of how a Trojan loads itself automatically. In the Win.ini file, under [WINDOWS], the "run=" and "load=" lines are possible routes for loading a Trojan program and must be watched carefully. Normally there should be nothing after the equals sign; if you find a path and file name there that is not a startup file you recognize, your computer may be infected. You also have to look closely, because many Trojans, such as the "AOL Trojan", disguise themselves as command.exe (the real system file is command.com); if you are not careful you may not notice that it is not the real system startup file (especially when viewed in a Windows window).
In the System.ini file, under [BOOT], there is a line "shell=file name". The correct file name is "explorer.exe"; if it is not "explorer.exe" alone but "shell=explorer.exe program name", then the program that follows is the Trojan, which means you are infected. The registry is the most complicated case. Open the Registry Editor with the regedit command and navigate to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run; check whether any value there points to an auto-started file with the extension EXE that you do not recognize. Keep in mind that some Trojans generate files that closely resemble the system's own files in the hope of slipping past by disguise. The "Acid Battery v1.0" Trojan, for example, changes the Explorer value under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run to Explorer="C:\WINDOWS\expiorer.exe"; the only difference between the Trojan and the real Explorer is an "i" in place of an "l". There are of course many other places in the registry where a Trojan can hide, such as HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run and HKEY_USERS\****\Software\Microsoft\Windows\CurrentVersion\Run. The best approach is to find the Trojan's file name under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run and then search the whole registry for it.
Once you know how a Trojan works, detecting and removing it becomes easy. If you find a Trojan, the most effective first step is to disconnect the computer from the network immediately so that the attacker cannot reach you over it. Then edit win.ini and change "run=<Trojan program>" or "load=<Trojan program>" under [WINDOWS] back to "run=" and "load="; edit system.ini and change "shell=<Trojan file>" under [BOOT] back to "shell=explorer.exe"; in the registry, using regedit, first find the Trojan's file name under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run, then search the whole registry and replace every entry for the Trojan. Note that with some Trojans it is not enough simply to delete the Trojan's value under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run: with the BladeRunner Trojan, for instance, the value is re-added immediately after you delete it. What you need to do is note the Trojan's name and directory, exit to MS-DOS, locate the Trojan file and delete it, restart the computer, and only then go back into the registry and delete all the values pointing to the Trojan's files. That completes the job.
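As an added example (not part of the original post), a small Python audit that encodes the checks above: run=/load= under [WINDOWS] should be empty, shell= under [BOOT] should be exactly explorer.exe, and executables in the Run key should not be near-copies of system file names. The ini text and Run entries are constructed samples, and KNOWN_SYSTEM_EXES is an assumed allow-list.

```python
# Added example (not from the post): audit the autostart hooks it names, i.e. Win.ini
# run=/load=, System.ini shell= and registry ...\CurrentVersion\Run values. Sample data is constructed.
import re
EXPECTED_SHELL = "explorer.exe"
KNOWN_SYSTEM_EXES = {"explorer.exe", "command.com", "systray.exe"}  # names the post says Trojans imitate

def parse_ini(text):
    """Minimal INI parser: {section: {key: value}}, section and key names lower-cased."""
    sections, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        m = re.match(r"\[(.+)\]$", line)
        if m:
            current = sections.setdefault(m.group(1).lower(), {})
        elif "=" in line and current is not None and not line.startswith(";"):
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.strip()
    return sections

def lookalike_of(filename):
    """Return the system file this name imitates, or None if it is exact or unrelated."""
    name = filename.lower()
    for good in KNOWN_SYSTEM_EXES - {name}:
        if good.rsplit(".", 1)[0] == name.rsplit(".", 1)[0]:
            return good  # same stem, swapped extension (command.exe for command.com)
        if len(good) == len(name) and sum(a != b for a, b in zip(good, name)) == 1:
            return good  # one substituted character (expiorer.exe for explorer.exe)
    return None

def audit(win_ini, system_ini, run_entries):
    """run_entries: [(value_name, command)] as read from an HKLM or HKCU Run key."""
    findings = []
    win = parse_ini(win_ini).get("windows", {})
    for key in ("run", "load"):
        if win.get(key):  # post: nothing should follow the '='
            findings.append(f"win.ini {key}={win[key]}")
    shell = parse_ini(system_ini).get("boot", {}).get("shell", "")
    if shell.lower() != EXPECTED_SHELL:  # post: exactly explorer.exe, nothing appended
        findings.append(f"system.ini shell={shell}")
    for name, cmd in run_entries:
        # strip quotes, directory and arguments to get the bare executable name
        parts = cmd.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].split()
        imitated = lookalike_of(parts[0]) if parts else None
        if imitated:
            findings.append(f"Run {name}={cmd} (imitates {imitated})")
    return findings

# Constructed samples modelled on the post's AOL Trojan and Acid Battery examples.
SAMPLE_WIN_INI = "[windows]\nload=\nrun=C:\\WINDOWS\\command.exe\n"
SAMPLE_SYSTEM_INI = "[boot]\nshell=explorer.exe server.exe\n"
SAMPLE_RUN = [("Explorer", '"C:\\WINDOWS\\expiorer.exe"'), ("SysTray", "SysTray.Exe")]
```

Calling audit(SAMPLE_WIN_INI, SAMPLE_SYSTEM_INI, SAMPLE_RUN) reports the non-empty run= line, the padded shell= line and the expiorer.exe value, while the genuine SysTray entry passes.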
What to do when a virus is found but cannot be removed
Q: A virus has been found, but it cannot be removed either in safe mode or under Windows. What should I do?
A: Because of the special nature of certain directories and files, some infected files cannot be removed directly (including by scanning in safe mode and similar approaches) and need special handling. The directories mentioned below include all their subdirectories.
1. The infected file is in the \Temporary Internet Files directory.
Windows appears to protect the files in this directory to some extent (unverified), so infected files there cannot be removed even in safe mode. In this case, first close other running programs, then open IE, choose "Tools" \ "Internet Options" from the IE toolbar and click "Delete Files"; if you are prompted "Delete all offline content", tick that as well.
2. The infected file is in the \_Restore directory or the System Volume Information directory.
This is the directory where System Restore stores its restore files; it exists only on Windows Me/XP, and the system protects it. In this case you need to turn off "System Restore" first and then delete the infected file; deleting the entire directory is also acceptable. How to turn off System Restore: on Windows Me, disable System Restore and delete the file under DOS. On XP: right-click "My Computer", choose "Properties" -- "System Restore" -- tick "Turn off System Restore on all drives" -- click "OK" to exit.
3. The infected file is inside a compressed archive such as .rar, .zip or .cab.
Very few antivirus products can currently disinfect files directly inside archives, and those that can support only a few common formats. So for the vast majority of antivirus software, the most it can do is detect the infected file inside the archive; it cannot clean it directly. Encrypted archives cannot be cleaned directly at all.
To remove a virus from an archive, extract it first and then disinfect, or use the antivirus plug-in feature of the archiving tool to scan the infected archive.
4. The virus is in the boot sector or in the SUHDLOG.DAT or SUHDLOG.BAK file.
This is generally a boot-sector virus; the reported virus name usually contains words such as boot or wyx. If the virus exists only on removable storage (a floppy, flash drive or portable hard disk), the antivirus software on the local hard disk can scan and remove it directly; if the virus is on the hard disk, you need to boot from a clean bootable disk to scan and remove it.
For this kind of virus it is recommended to boot from a clean floppy to scan and remove it, but be sure to back up the original boot sector first, especially if another operating system was installed, such as Japanese Windows or Linux.
If you have no clean bootable disk, the following emergency method can be used:
(1) Make a clean bootable disk on another computer. It can be created on Windows 95/98/ME through "Add/Remove Programs", but note that the operating system used to make the floppy must be the same as the one you are running;
(2) Boot the infected computer from this floppy, then run the following commands:
A:\>fdisk/mbr
A:\>sys a: c:
If the infected file is SUHDLOG.DAT or SUHDLOG.BAK, just delete it. This is a backup of the hard disk boot sector made during system installation; it is generally of little use, and the virus in it is no longer active.
5. The infected file has an extension such as .vir, .kav or .kbk.
These are generally backup copies that antivirus software made of the originally infected files. Normally, once you have confirmed that the files are no longer needed, simply delete them.
6. The infected file is inside a mail file such as dbx, eml or box.
Some antivirus software can check whether the files inside these mail files are infected, but often cannot act on them directly. For infected messages in a mailbox, use the information the antivirus software gives to locate the infected message, then delete its attachment or the message itself; if the infected files are message files such as eml or nws, open them with the relevant mail client, confirm the message and its attachment, and delete the relevant content. If there are large numbers of infected eml or nws files, they were usually generated by the virus itself, and it is recommended to delete them all directly.
7. The file contains residual virus code.
This is most often seen with residual code from CIH, Funlove, macro viruses (including macro viruses in Word, Excel, PowerPoint and WordPro documents) and a few web-page viruses. The virus name the antivirus software reports for such files usually ends with a suffix such as int or app, which is uncommon, e.g. W32/FunLove.app or W32.Funlove.int. In general this residual code neither affects the normal running of the program nor spreads; if you need to remove it completely, proceed according to the specifics of each virus.
8. File errors.
This is not common. Usually some antivirus product did not clean the virus out of the originally infected file completely and did not repair the file properly, leaving it unusable and also triggering false positives from other antivirus products. Such files can simply be deleted.
9. Encrypted files or directories.
For encrypted files or directories, decrypt them first and then scan for viruses.
10. Shared directories.
There are two cases here: locally shared directories and remote shared directories on the network (including mapped drives). When an infected file in a locally shared directory cannot be cleaned, it is usually because other users on the LAN are reading or writing those files; during the scan this shows up as the virus in those files not being directly removable. If a virus is actively writing to those directories, it shows up as files continuing to be infected, or virus files continuing to appear, after the shared directory has been cleaned. In both cases it is recommended to stop sharing, then scan the directory thoroughly; when re-enabling the share, take care not to grant overly broad permissions, and set a password on the share. When scanning a remote shared directory (including mapped drives), first make sure the local computer's operating system is clean and that you have full read/write permission on the share. If the remote computer is infected, it is better to scan it on the remote computer directly. In particular, it is recommended to stop all local shares before removing any other virus. In day-to-day use, also pay attention to the security of shared directories: set passwords, and unless necessary do not open files in remote shares directly; copy them locally and scan them first.
11. CDs and other storage media.
Do not try to remove a virus from a CD directly; not even a god could do that. Also, when scanning other storage devices, check whether they are write-protected or password-protected.