China DOS Union
Methods for Removing 10 Trojans Including Glacier [Repost]
Original Poster Posted 2003-06-20 00:00
Sender: shaoxiang(Na Yun)
Compiled by: williamlong (2001-11-21 21:04:50)

1. Glacier v1.1 v2.2
Glacier is the best domestic trojan.
Steps to remove the v1.1 trojan:
Open the registry Regedit
Click through to:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Find the following two paths and delete them
"C:\windows\system\kernel32.exe"
"C:\windows\system\sysexplr.exe"
Close Regedit
Restart into MS-DOS mode
Delete the trojan programs C:\windows\system\kernel32.exe and C:\windows\system\sysexplr.exe
Restart. OK

Steps to remove the v2.2 trojan:
The server program and its path can be chosen freely by the user, and the key name written into the registry can also be chosen by the user, so no fixed entry can be given here.
You can check the registry and delete suspicious file paths.
Restart into MS-DOS mode
Delete the trojan program corresponding to the registry entry
Restart Windows. OK

2. Acid Battery v1.0
Steps to remove the trojan:

Open the registry Regedit
Click through to:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Delete Explorer ="C:\WINDOWS\expiorer.exe" on the right
Close Regedit
Restart into MS-DOS mode
Delete the trojan program c:\windows\expiorer.exe
Note: do not delete the correct ExpLorer.exe program; the only difference between them is i and L.
Restart. OK

3. Acid Shiver v1.0 + 1.0Mod + lmacid
Steps to remove the trojan:

Restart into MS-DOS mode
Delete C:\windows\MSGSVR16.EXE
Then go back into Windows
Open the registry Regedit
Click through to:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Delete Explorer = "C:\WINDOWS\MSGSVR16.EXE" on the right
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Delete Explorer = "C:\WINDOWS\MSGSVR16.EXE" on the right
Close Regedit
Restart. OK

Restart into MS-DOS mode
Delete C:\windows\wintour.exe then go back into Windows
Open the registry Regedit
Click through to:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Delete Wintour = "C:\WINDOWS\WINTOUR.EXE" on the right
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Delete Wintour = "C:\WINDOWS\WINTOUR.EXE" on the right
Close Regedit
Restart. OK

4. Ambush
Steps to remove the trojan:

Open the registry Regedit
Click through to:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Delete zka = "zcn32.exe" on the right
Close Regedit
Restart into MS-DOS mode
Delete C:\Windows\zcn32.exe
Restart. OK

5. AOL Trojan
Steps to remove the trojan:

Boot into MS-DOS mode
Delete C:\command.exe (remove the file's hidden attribute before deleting)
Note: do not delete the real command.com file.
Delete C:\americ~1.0\buddyl~1.exe (remove the file's hidden attribute before deleting)
Delete C:\windows\system\norton~1\regist~1.exe (remove the file's hidden attribute before deleting)

Open the WIN.INI file
Under , both "run=" and "load=" have the path of the Trojan program loaded, and they must be cleared:
run=
load=
Save WIN.INI

You also need to correct the registry Regedit
Click through to:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Delete WinProfile = c:\command.exe on the right
Close Regedit, restart Windows. OK

6. Asylum v0.1, 0.1.1, 0.1.2, 0.1.3 + Mini 1.0, 1.1
Steps to remove the trojan:

Note: the default filename of the trojan program is wincmp32.exe, but the program can change the filename freely.
We can remove the trojan based on the two files system.ini and win.ini that it modifies.
Open the system.ini file
Under there is a "shell=filename". The correct filename is explorer.exe
If it is not "explorer.exe", then that file is the trojan program. Find it and delete it.
Save and exit system.ini
Open the win.ini file
Under there is a run=
If you see a path and filename after the =, you must delete it.
The correct state is that there is nothing after run=.
The path and filename after the = is the trojan; find it and delete it.
Save and exit win.ini.
OK

7. AttackFTP
Steps to remove the trojan:

Open the win.ini file
Under there is load=wscan.exe
Delete wscan.exe; the correct form is load=
Save and exit win.ini.

Open the registry Regedit
Click through to:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Delete Reminder="wscan.exe /s" on the right
Close Regedit, restart into the MS-DOS system
Delete C:\windows\system\wscan.exe
OK

8. Back Construction 1.0 - 2.5
Steps to remove the trojan:

Open the registry Regedit
Click through to:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Delete "C:\WINDOWS\Cmctl32.exe" on the right
Close Regedit, restart into the MS-DOS system
Delete C:\WINDOWS\Cmctl32.exe
OK

9. BackDoor v2.00 - v2.03
Steps to remove the trojan:

Open the registry Regedit
Click through to:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Delete "c:\windows\notpa.exe /o=yes" on the right
Close Regedit, restart into the MS-DOS system
Delete c:\windows\notpa.exe
Note: do not delete the real notepad.exe Notepad program
OK

10. BF Evolution v5.3.12
Steps to remove the trojan:

Open the registry Regedit
Click through to:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Delete (Default)=" " on the right
Close Regedit, restart the computer again.
Then delete C:\windows\system\ .exe (the file whose name is a space followed by .exe)
OK

Of course there are many more trojans; they won't be listed one by one here.
Hehe~~
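As an added example that is not part of the original post or the forum's own material, a small Python audit of the three autostart points the post walks through: the Run/RunServices values, win.ini run=/load= and system.ini shell=. It assumes the standard Windows 9x section names [windows] and [boot], and the sample entries are constructed from the file names given in the post.

```python
import configparser
import difflib
import ntpath
# Genuine files whose names the post's trojans imitate (expiorer.exe, notpa.exe, command.exe, kernel32.exe).
SYSTEM_BINARIES = ("explorer.exe", "notepad.exe", "kernel32.dll", "command.com")
def _ini(text):
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.read_string(text)
    return cp
def audit_ini(win_ini, system_ini):
    """Flag win.ini [windows] run=/load= entries and a system.ini [boot] shell= other than explorer.exe."""
    findings = []
    win = _ini(win_ini)
    for key in ("run", "load"):
        value = win.get("windows", key, fallback="").strip()
        if value:  # the correct state is nothing after the '='
            findings.append(f"win.ini {key}={value}")
    shell = _ini(system_ini).get("boot", "shell", fallback="explorer.exe").strip()
    if ntpath.basename(shell).lower() != "explorer.exe":
        findings.append(f"system.ini shell={shell}")
    return findings
def executable_name(data):
    """File name a Run value launches: strip quotes and a trailing ' /switch' such as 'wscan.exe /s'."""
    return ntpath.basename(data.strip().strip('"').split(" /", 1)[0]).lower()
def lookalike_of(exe):
    """Genuine file whose stem this name resembles (similarity >= 0.8) without being it, else None."""
    if exe in SYSTEM_BINARIES:
        return None
    for genuine in SYSTEM_BINARIES:
        if difflib.SequenceMatcher(None, exe.rpartition(".")[0], genuine.rpartition(".")[0]).ratio() >= 0.8:
            return genuine
    return None
def audit_run_values(values):
    """values: (name, data) pairs from a Run/RunServices key as 'reg query' lists them; '' is (Default)."""
    findings = []
    for name, data in values:
        if name == "":  # BF Evolution stores its path in the key's (Default) value
            findings.append(f"(Default) value launches {data}")
        genuine = lookalike_of(executable_name(data))
        if genuine:
            findings.append(f"{name or '(Default)'}: {executable_name(data)} imitates {genuine}")
    return findings

# Constructed samples modelled on the post's entries; a freely renamed server (Glacier v2.2) passes this check.
SAMPLE_WIN_INI = "[windows]\nrun=\nload=wscan.exe\n"
SAMPLE_SYSTEM_INI = "[boot]\nshell=C:\\WINDOWS\\wincmp32.exe\n"
SAMPLE_RUN_VALUES = [("Explorer", r'"C:\WINDOWS\expiorer.exe"'), ("zka", "zcn32.exe"),
                     ("WinProfile", r"c:\command.exe"), ("Reminder", "wscan.exe /s"),
                     ("", r"C:\windows\system\ .exe")]
```

Name similarity only catches the lookalike cases the post describes; entries such as zcn32.exe still have to be judged by whether the path is known and legitimate.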
Floor 2 Posted 2003-06-21 00:00
Not bad, collected
Floor 3 Posted 2010-08-14 23:07
This is a moderator's post, so you have to read it.
Following that idea, it might possibly be made into something like this (I haven't tried it):
rem reg delete takes only /v (or /ve for the default value) and /f, not /t and /d; del /s is not used
rem because it also recurses into subdirectories. The win.ini and system.ini edits in items 5-7 are done by hand.
rem 1. Glacier v1.1 (the post gives no value names; confirm them first with reg query on the Run key)
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "C:\windows\system\kernel32.exe" /f
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "C:\windows\system\sysexplr.exe" /f
del /f /q C:\windows\system\kernel32.exe
del /f /q C:\windows\system\sysexplr.exe
rem 2. Acid Battery (expiorer.exe with an i; the real explorer.exe stays)
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Explorer /f
del /f /q c:\windows\expiorer.exe
rem 3. Acid Shiver
del /f /q C:\windows\MSGSVR16.EXE
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Explorer /f
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices" /v Explorer /f
del /f /q C:\windows\wintour.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Wintour /f
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices" /v Wintour /f
rem 4. Ambush
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v zka /f
del /f /q C:\Windows\zcn32.exe
rem 5. AOL Trojan (the files are hidden: clear the attribute first; do not touch command.com)
attrib -h -s -r C:\command.exe
del /f /q C:\command.exe
attrib -h -s -r C:\americ~1.0\buddyl~1.exe
del /f /q C:\americ~1.0\buddyl~1.exe
attrib -h -s -r C:\windows\system\norton~1\regist~1.exe
del /f /q C:\windows\system\norton~1\regist~1.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v WinProfile /f
rem 7. AttackFTP
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Reminder /f
del /f /q c:\WINDOWS\wscan.exe
del /f /q C:\windows\system\wscan.exe
rem 8. Back Construction
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "C:\WINDOWS\Cmctl32.exe" /f
del /f /q C:\WINDOWS\Cmctl32.exe
rem 9. BackDoor (notpa.exe; the real notepad.exe stays)
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "c:\windows\notpa.exe /o=yes" /f
del /f /q c:\windows\notpa.exe
rem 10. BF Evolution: the (Default) value is removed with /ve; the file is named " .exe"
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /ve /f
del /f /q "C:\windows\system\ .exe"

[ Last edited by xqx on 2010-8-16 at 18:15 ]