China DOS Union

-- Unite DOS · Advance DOS · Grow DOS --

Union site: www.cn-dos.net Forum site: www.cn-dos.net/forum
DOS stands for freedom, openness and progress. Let us work hard, learn from the openness and GNU spirit of FreeDOS and Linux, and together build and grow a free GNU GPL world!

China DOS Union Forum » Other Operating Systems General Discussion » Trojan Horse Universal Killing Method (3,432 views, 22 replies)
Original Poster Posted 2007-12-31 21:27 · China, Beijing (China Unicom)
"Trojan horse" programs will do everything possible to hide themselves. The main ways are: hiding from the taskbar, which is the most basic method. As long as the Form's Visible property is set to False and ShowInTaskBar is set to False, the program will not appear in the taskbar when running. Hiding from the Task Manager: registering the program as a "system service" lets it disguise itself easily. Of course, it will also start silently. Hackers certainly don't expect users to click the "Trojan horse" icon to run the server end after every startup; the "Trojan horse" is loaded automatically each time the user starts the computer. All of the methods by which Windows automatically loads applications at startup are used by "Trojan horses": the Startup group, Win.ini, System.ini, the registry and so on are all good places for a "Trojan horse" to hide.

The following explains specifically how the "Trojan horse" gets loaded automatically. In the Win.ini file, under [WINDOWS], "run=" and "load=" are possible ways of loading a "Trojan horse" program and must be watched carefully. Normally there should be nothing after the equals sign. If you find an unfamiliar path and file name after it being used as a startup file, your computer may have been infected with a "Trojan horse". Of course, you also need to look closely, because many "Trojan horses", such as the "AOL Trojan horse", disguise themselves as a command.exe file (the real system file is command.com). If you are not paying attention, you may not notice that it is not the real system startup file (especially from within Windows).

In the System.ini file, under [BOOT], there is a line "shell=file name". The correct file name is "explorer.exe". If it is not "explorer.exe" alone but "shell=explorer.exe program name", then the program following it is the "Trojan horse" program, that is, you have been infected with a "Trojan horse". The situation in the registry is the most complicated. Open the registry editor with the regedit command, navigate to the "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" key, and check whether any of the values there are unfamiliar automatically started files with the extension EXE. Remember here that some "Trojan horse" programs generate files that look very similar to the system's own files, trying to get through by camouflage. For example, the "Acid Battery v1.0 Trojan horse" changes the Explorer value under "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" to Explorer="C:\WINDOWS\expiorer.exe". The only difference between the "Trojan horse" program and the real Explorer is an "i" in place of an "l". Of course, there are many places in the registry where "Trojan horse" programs can hide, such as the "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" and "HKEY_USERS\****\Software\Microsoft\Windows\CurrentVersion\Run" keys. The best way is to find the file name of the "Trojan horse" program under "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run", and then search the whole registry for it.

Once you know how a "Trojan horse" works, detecting and removing it becomes very easy. If a "Trojan horse" is found, the most effective first step is to disconnect the computer from the network immediately, to prevent hackers from attacking you over the network. Then edit the win.ini file and change "run=<Trojan horse program>" or "load=<Trojan horse program>" under [WINDOWS] to "run=" and "load="; edit the system.ini file and change "shell=<Trojan horse file>" under [BOOT] to "shell=explorer.exe"; and edit the registry with regedit. First find the file name of the "Trojan horse" program under "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run", then search and replace the "Trojan horse" program throughout the registry. Note also that for some "Trojan horse" programs it is not enough to simply delete the "Trojan horse" value under "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run". With the BladeRunner "Trojan horse", for example, if you delete the value, the "Trojan horse" immediately adds it back automatically. What you need to do is write down the name and directory of the "Trojan horse", then go back to MS-DOS, find the "Trojan horse" file and delete it. Restart the computer, and then delete all the registry values for the "Trojan horse" file. At this point we have succeeded.

Found a virus, but can't remove it?

Q: Found a virus, but it can't be removed either in safe mode or in Windows?

A: Because of the special nature of some directories and files, they cannot be removed directly (this includes antivirus methods such as scanning in safe mode), and the virus-infected files need to be removed by special means. The directories mentioned below all include their subdirectories.

1. The virus-infected files are in the \Temporary Internet Files directory.

Windows has a certain protective effect on the files in this directory (not verified), so even in safe mode the virus-infected files in this directory cannot be removed. In this situation, first close other programs, then open IE, select "Tools" \ "Internet Options" on the IE toolbar, and choose "Delete Files"; if you are prompted "Delete all offline content", select that as well.

2. The virus-infected files are in the _Restore directory or the System Volume Information directory.

This is the directory where System Restore stores its restore files; it exists only in Windows Me/XP. Because the system protects this directory, you need to first turn off the "System Restore" function, then delete the virus-infected files; deleting the entire directory is also fine. To turn off System Restore on Windows Me, disable System Restore and delete the files under DOS. To turn off System Restore on XP: right-click "My Computer", select "Properties" -- "System Restore" -- tick "Turn off System Restore on all drives" -- press "OK" to exit.

3. The virus-infected files are inside compressed files such as .rar, .zip, .cab.

At present very few antivirus products can directly clean virus-infected files inside compressed files, and even those that can support only some common compression formats; so most antivirus software can at best detect virus-infected files inside compressed files but cannot remove them directly. Some encrypted compressed files are even more impossible to clean directly.

To remove a virus inside a compressed file, it is recommended to decompress it first and then clean it, or to use the external antivirus program function of the compression tool to clean the infected compressed file.

4. The virus is in the boot sector or in the SUHDLOG.DAT or SUHDLOG.BAK file.

This kind of virus is generally a boot-sector virus, and the reported virus name generally contains words like boot, wyx, etc. If the virus exists only on a removable storage device (such as a floppy disk, flash drive or portable hard disk), you can clean it directly with the antivirus software on the local hard disk; if the virus is on the hard disk, you need to start from a clean bootable disk and clean it.

For this kind of virus it is recommended to boot from a clean floppy disk and clean it. But be sure to back up the original boot sector before cleaning, especially if another operating system was originally installed, such as Japanese Windows, Linux, etc.

If there is no clean bootable disk, the following method can be used for emergency virus cleaning:
(1) Make a clean bootable disk on another computer. This bootable disk can be made through "Add/Remove Programs" on a Windows 95/98/Me system, but note that the operating system used to make the floppy disk must be the same as the one you are using;
(2) Boot the infected computer from this floppy disk, then run the following commands:
A:\>fdisk/mbr
A:\>sys a: c:
If the virus-infected file is SUHDLOG.DAT or SUHDLOG.BAK, just delete it directly. This is a backup of the hard disk boot sector made when the system was installed; it is generally not very useful, and the virus in it is no longer active.

5. The virus-infected files have a suffix such as .vir, .kav, .kbk.

These are generally backup files that some antivirus software makes of the original virus-infected files. If it is confirmed that these files are useless, delete them.

6. The virus-infected files are inside email files such as dbx, eml, box, etc.

Some antivirus software can directly check whether the files inside these email files are virus-infected, but often cannot directly operate on those infected files. For infected emails in a mailbox, you can locate the infected email from the information the antivirus software provides, and delete the attachment or delete the email; if email files such as eml and nws are infected, you can open them with the relevant email software, confirm the email and its attachment, and then delete the relevant content. Generally, if there are a large number of infected eml and nws files, they were all generated automatically by the virus, and it is recommended to delete them directly.

7. There is residual virus code in the file.

This situation is quite common, for example residual code of CIH, Funlove, macro viruses (including macro viruses in Word, Excel, PowerPoint and WordPro documents, etc.) and individual web page viruses. The virus name the antivirus software reports for files with residual virus code usually ends in int, app, etc., which is uncommon, for example W32/FunLove.app or W32.Funlove.int. Generally this residual code does not affect the normal operation of the program and is not infectious. If you need to remove it completely, you must do so according to the actual situation of each virus.

8. File error.

This situation is not very common. Usually some antivirus software has not cleaned the virus from the original infected file thoroughly, or has not repaired the file well, so the file can no longer be used normally and also triggers false positives in other antivirus software. These files can be deleted directly.

9. Encrypted file or directory.

For encrypted files or directories, decrypt them first and then clean the virus.

10. Shared directory.

This covers two situations: local shared directories and remote shared directories on the network (including mapped drives). When the virus-infected files in a local shared directory cannot be removed, it is usually because other users on the local area network are reading and writing those files; during cleaning it appears that the virus in these infected files cannot be removed directly. If a virus is writing to these directories, it appears that after the virus in the shared directory is cleaned, files keep being infected or virus files keep being generated. In both situations it is recommended to cancel the share, then thoroughly clean the shared directory. When restoring the share, take care not to grant overly high permissions, and set a password on the shared directory. When cleaning a remote shared directory (including mapped drives), first make sure the local computer's operating system is clean, and that you have full read and write permissions on the shared directory. If the remote computer is infected, it is recommended to clean the virus directly on the remote computer. In particular, it is recommended to cancel all local shares when removing other viruses, and then run the antivirus scan. In daily use, also pay attention to the security of shared directories: set a password, and do not read files in remote shared directories directly unless necessary; it is recommended to copy them locally and check them for viruses before using them.

11. Some storage media such as CDs.

Do not try to remove a virus directly on a CD; not even the gods could do that. Also, when cleaning viruses on other storage devices, check whether they are write-protected or password-protected.
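As an added example (not part of the original post and not the poster's code), the following Python script applies the checks the post describes to text pulled off a Windows 9x/XP machine: the run=/load= lines under [windows] in win.ini, the shell= line under [boot] in system.ini, and the values of the Run keys in a regedit export (.reg), including the post's final step of searching the whole export for the Trojan's file name. It also flags look-alike names such as expiorer.exe and command.exe by comparing the basename against a short list of system binaries. All inputs are constructed samples; srv32.exe is an invented name standing in for an unknown autostart entry, and the imitated binaries beyond explorer.exe and command.com are an assumption.

```python
"""Audit the Windows 9x/XP autostart locations the post describes (win.ini
[windows] run=/load=, system.ini [boot] shell=, Run keys in a regedit export)
and flag look-alike names such as expiorer.exe or command.exe. Added example,
not code from the post; inputs are constructed and srv32.exe is an invented name."""
import os
import re

# explorer.exe and command.com are the post's examples; the other two are assumed.
KNOWN_SYSTEM_BINARIES = ["command.com", "explorer.exe", "rundll32.exe", "winlogon.exe"]
# Run, RunOnce and RunServices under HKLM, HKCU or HKEY_USERS\<sid>.
RUN_KEY_RE = re.compile(r"^HKEY_(?:LOCAL_MACHINE|CURRENT_USER|USERS\\[^\\]+)\\Software"
                        r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once|Services)?$", re.I)
# "name"="data" or @="data" lines of a .reg file (string values only).
REG_VALUE_RE = re.compile(r'^(?:"(?P<name>[^"]*)"|(?P<default>@))="(?P<data>.*)"$')

def parse_ini(text):
    """Tolerant .ini parser: {section: [(key, value)]} with names lower-cased."""
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, [])
        elif current is not None and "=" in line and not line.startswith(";"):
            key, _, value = line.partition("=")
            sections[current].append((key.strip().lower(), value.strip()))
    return sections

def parse_reg_export(text):
    """String values of a regedit export: {key_path: [(value_name, data)]}."""
    keys, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, [])
        elif current is not None and (m := REG_VALUE_RE.match(line)):
            name = "(Default)" if m.group("default") else m.group("name")
            data = re.sub(r"\\(.)", r"\1", m.group("data"))  # .reg escapes \ and "
            keys[current].append((name, data))
    return keys

def levenshtein(a, b):
    """Edit distance; a distance of 1 catches the expiorer/explorer swap."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def first_program(cmdline):
    """Program part of a command line: the quoted path, else the first token."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        return cmdline[1:].split('"', 1)[0]
    return cmdline.split()[0] if cmdline else ""

def lookalike_of(path):
    """System binary that `path` imitates: same stem with another extension
    (command.exe for command.com) or one letter off (expiorer.exe); else None."""
    name = os.path.basename(path.replace("\\", "/")).lower()
    stem, ext = os.path.splitext(name)
    for known in KNOWN_SYSTEM_BINARIES:
        kstem, kext = os.path.splitext(known)
        if name != known and (stem == kstem or (ext == kext and levenshtein(stem, kstem) == 1)):
            return known
    return None

def audit_win_ini(text):
    """Non-empty run=/load= lines under [windows] as (key, value, lookalike)."""
    return [(k, v, lookalike_of(first_program(v)))
            for k, v in parse_ini(text).get("windows", []) if k in ("run", "load") and v]

def audit_system_ini(text):
    """shell= under [boot] that is anything but explorer.exe alone, as (key, value, reason)."""
    findings = []
    for k, v in parse_ini(text).get("boot", []):
        if k == "shell":
            prog = os.path.basename(first_program(v).replace("\\", "/")).lower()
            if prog != "explorer.exe":
                findings.append((k, v, "shell is not explorer.exe"))
            elif len(v.split()) > 1:
                findings.append((k, v, "extra program after explorer.exe"))
    return findings

def audit_run_keys(reg_text):
    """Every value in a Run-style key as (key, value_name, program, lookalike)."""
    return [(key, name, first_program(data), lookalike_of(first_program(data)))
            for key, values in parse_reg_export(reg_text).items() if RUN_KEY_RE.match(key)
            for name, data in values]

def registry_references(reg_text, filename):
    """The post's last step: every value whose key path or data names the Trojan file."""
    needle = filename.lower()
    return [(key, name) for key, values in parse_reg_export(reg_text).items()
            for name, data in values if needle in key.lower() or needle in data.lower()]

# Constructed samples, not taken from a real machine.
WIN_INI = "[windows]\nload=\nrun=C:\\WINDOWS\\SYSTEM\\command.exe\nNullPort=None\n"
SYSTEM_INI = "[boot]\nshell=Explorer.exe C:\\WINDOWS\\srv32.exe\nsystem.drv=system.drv\n"
REG_EXPORT = r"""[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"Explorer"="C:\\WINDOWS\\expiorer.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SysUpdate"="\"C:\\WINDOWS\\SYSTEM\\srv32.exe\" /hide"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\expiorer.exe]
@="C:\\WINDOWS\\expiorer.exe"
"""
```

On the machine itself, `regedit /e dump.reg` writes the whole registry to a file (ANSI on Windows 9x, UTF-16 on XP, so read it with the matching encoding), and win.ini and system.ini sit in C:\WINDOWS. Every entry `audit_run_keys` returns deserves a look, not only those with a look-alike: an unfamiliar program such as the invented srv32.exe is exactly the "unfamiliar automatically started file" the post tells you to check, and `registry_references` then lists the values left to delete once the file has been removed from DOS and the machine restarted.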
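For item 6 above, an added example (not from the original post) of the "delete the attachment" step done outside the mail client: strip executable attachments out of an .eml file with Python's standard email module, so that a file the antivirus can only detect but not touch is cleaned by hand. The message is constructed, its attachment is four bytes of text rather than a program, and the list of dangerous extensions is an assumption.

```python
"""Strip executable attachments from an .eml file, the "delete the attachment"
step of item 6 above. Added example, not code from the original post; the
message is constructed, its attachment is four bytes of text rather than a
program, and the extension list is an assumption."""
import email
from email import policy

# Extensions that carried most mail-borne malware of the period (assumed list).
DANGEROUS_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".vbs", ".js")
DANGEROUS_TYPES = ("application/x-msdownload", "application/x-msdos-program")

def is_dangerous(part):
    """True when an attachment's file name or MIME type marks it executable."""
    name = (part.get_filename() or "").lower()
    return name.endswith(DANGEROUS_EXTENSIONS) or part.get_content_type() in DANGEROUS_TYPES

def strip_dangerous_attachments(raw_eml):
    """Return (cleaned message text, names of removed parts). A single-part
    message has nothing to strip and comes back unchanged."""
    msg = email.message_from_string(raw_eml, policy=policy.default)
    removed = []
    if msg.is_multipart():
        kept = []
        for part in msg.iter_parts():
            if is_dangerous(part):
                removed.append(part.get_filename() or part.get_content_type())
            else:
                kept.append(part)
        msg.set_payload(kept)  # rewrite the multipart body without the dropped parts
    return msg.as_string(), removed

# Constructed message; the double extension is the classic disguise.
SAMPLE_EML = """\
From: sender@example.com
To: user@example.com
Subject: Re: your document
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain; charset="us-ascii"

Please see the attached file.
--BOUNDARY
Content-Type: application/octet-stream; name="document.txt.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="document.txt.exe"

c3R1Yg==
--BOUNDARY--
"""
```

Run `strip_dangerous_attachments` over each .eml in the folder and write the cleaned text back; when most files in the folder turn out to carry the same attachment name, that is the mass-generated case the post describes, and deleting them outright is simpler than cleaning each one.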
Floor 2 Posted 2008-01-01 13:04 · China, Hunan, Yiyang (China Telecom)
The OP has worked hard, heh heh, I've learned it.
Floor 3 Posted 2008-01-02 13:42 · China, Tianjin, Hongqiao District (China Unicom)
Support
Floor 4 Posted 2008-01-13 14:01 · China, Guangxi, Liuzhou (China Telecom)
The content is incomplete, but I've learned it.
Floor 9 Posted 2008-02-02 23:15 · China, Beijing (Huawei Cloud)
Easier said than done.
Floor 10 Posted 2008-02-15 10:23 · China, Shandong, Qingdao (China Unicom)
Thanks
Floor 12 Posted 2008-03-03 22:41 · China, Heilongjiang, Jiamusi (China Unicom)
It's been hard work. Thanks, I've learned something.
Floor 13 Posted 2008-03-03 22:41 · China, Heilongjiang, Jiamusi (China Unicom)
Thanks, learned.
Floor 15 Posted 2008-03-04 13:53 · China, Shanxi, Taiyuan (China Telecom)
Support