Trojan-Downloader.VBS.Small.df
Trojan horse virus! How do I remove this virus?
A complete Trojan horse program generally consists of two parts: a server program and a controller program. "Being caught by a Trojan horse" means that the server program has been installed on your computer. Once it is installed, anyone who has the controller program can control your computer over the network and do whatever they want; at that point the files and programs on your computer, and every account and password used on it, are no longer secure.
Strictly speaking, Trojan horse programs are not viruses, but more and more anti-virus products have begun to detect and remove Trojans, which is why many people call them hacker viruses.
How a Trojan horse is started
1. Start in Win.ini
In the [windows] section of Win.ini there are two startup directives, "load=" and "run=". Normally nothing follows the "=". If a program is listed after it, for example:
run=c:\windows\file.exe
load=c:\windows\file.exe
then be careful: this file.exe may well be a Trojan horse.
2. Start in System.ini
System.ini is located in the Windows installation directory, and the shell=Explorer.exe line in its [boot] section is one of the hidden load points that Trojans favour. The usual trick is to change it to: shell=Explorer.exe file.exe, where file.exe is the Trojan server program.
In addition, check the "driver=path\program name" entries in the [386Enh] section of System.ini, which can also be exploited. The [mci], [drivers] and [drivers32] sections of System.ini load drivers too, and are likewise good places to add a Trojan program, so keep an eye on them.
3. Use the registry to load and run
The registry autostart keys are the favourite places for Trojans to hide and load from. Check promptly which programs are listed under them.
4. Load and run Autoexec.bat and Config.sys
Note that these two files in the root directory of drive C can also start Trojans. However, this loading method generally requires the controller to first establish a connection with the server and then upload a file of the same name, with the Trojan startup command added, to overwrite the original. It is not very covert and is easily discovered, so loading Trojans from Autoexec.bat and Config.sys is rare, but it should not be taken lightly.
5. Start in Winstart.bat
Winstart.bat is a batch file no less special than Autoexec.bat: it is also loaded and run automatically by Windows. In most cases it is generated by applications and by Windows itself, and it is executed after Win.com has run and most drivers have been loaded (you can observe this by pressing F8 at boot and choosing the step-by-step confirmation of the startup process). Since Winstart.bat can do everything Autoexec.bat can, a Trojan can be loaded from it just as from Autoexec.bat, and that is where the danger lies.
6. Startup group
Although a Trojan hidden in the startup group is not very well concealed, it is a good place for automatic loading, so some Trojans still like to reside there. The folder corresponding to the startup group is C:\Windows\Start Menu\Programs\Startup, and its location in the registry is HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, value Startup="c:\windows\start menu\programs\startup". Check the startup group frequently!
7.*.INI
That is, the startup configuration files of applications. The controller exploits the fact that these files can launch programs: it uploads a file of the same name, with the Trojan startup command added, to overwrite the server's copy, so that the Trojan starts together with the application. A run-once variant uses Wininit.ini, which Windows processes once on the next boot (installers use it to finish file operations).
8. Modify file associations
Modifying file associations is a common method used by Trojans (mainly domestic Chinese Trojans; most foreign Trojans lack this function). Normally a TXT file is opened with Notepad.exe, but once a file-association Trojan strikes, the open command for .txt files is changed to the Trojan program. The famous domestic Trojan Binghe (Glacier) does exactly this: it modifies the value under HKEY_CLASSES_ROOT\txtfile\shell\open\command, changing "C:\WINDOWS\NOTEPAD.EXE %1" to "C:\WINDOWS\SYSTEM\SYSEXPLR.EXE %1". From then on, double-clicking a TXT file no longer opens Notepad but runs the Trojan. How vicious! Note that not only TXT files but also HTM, EXE, ZIP, COM and other file types are targets, so be careful.
The only defence against this kind of Trojan is to check frequently that the values under HKEY_CLASSES_ROOT\<file type>\shell\open\command are still normal.
9. Bundle file
To make this trigger work, the controller and server must first have established a connection through the Trojan. The controller then uses a tool to bundle the Trojan file with an application and uploads the result to the server, overwriting the original file. From then on, even if the Trojan is deleted, it is reinstalled as soon as the bundled application is run; if it is bundled with a system file, the Trojan launches every time Windows starts.
10. Active connection method of the bounce port type Trojan
We have already mentioned bounce-port Trojans. Contrary to ordinary Trojans, the server (controlled end) actively establishes the connection to the client (control end), and the listening port is usually 80, so without suitable tools and plenty of experience this type is really hard to guard against. Still, such Trojans must create or change registry values, so they are not difficult to detect; and with the latest Skynet firewall (mentioned in the third point), as long as you pay attention you can also notice when the Network Thief server makes its outbound connection.
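The checks in points 1 through 8 above can be automated. The script below is an added example written for this page, not code from the original article: it reads the Win.ini and System.ini load points, the registry Run keys, the boot-time batch files, the startup group and the open commands of a few file types, and flags entries that differ from the defaults. The list of registry Run keys and the "expected handler" patterns are this example's own assumptions (the article's list of registry locations is not reproduced on this page); run it from an elevated PowerShell prompt on the machine being examined.

```powershell
# Added example, not from the original page: audit the autostart locations described
# in points 1-8 above and flag entries that deviate from the defaults. Run from an
# elevated PowerShell prompt on the machine being examined. The registry key list and
# the "expected handler" patterns are this example's assumptions.

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding {
    param([string]$Location, [string]$Value, [bool]$Suspicious, [string]$Why = '')
    $script:findings.Add([pscustomobject]@{
        Location = $Location; Value = $Value; Suspicious = $Suspicious
        Why = $(if ($Suspicious) { $Why } else { '' })
    })
}

# Minimal INI reader: yield key=value pairs for the requested keys in one section.
function Get-IniValues {
    param([string]$Path, [string]$Section, [string[]]$Keys)
    if (-not (Test-Path -LiteralPath $Path)) { return }
    $inSection = $false
    foreach ($line in Get-Content -LiteralPath $Path) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') { $inSection = ($Matches[1] -ieq $Section); continue }
        if (-not $inSection -or $t -notmatch '^([^=;]+)=(.*)$') { continue }
        if ($Keys -contains $Matches[1].Trim()) {
            [pscustomobject]@{ Key = $Matches[1].Trim(); Value = $Matches[2].Trim() }
        }
    }
}

# 1. Win.ini [windows] load= and run=: both are empty on a clean system.
$winIni = Join-Path $env:windir 'win.ini'
foreach ($e in Get-IniValues $winIni 'windows' @('load', 'run')) {
    Add-Finding "$winIni [windows] $($e.Key)=" $e.Value ($e.Value -ne '') 'load=/run= should be empty'
}
# 2. System.ini [boot] shell=: exactly Explorer.exe; a second program after it is the trick.
$sysIni = Join-Path $env:windir 'system.ini'
foreach ($e in Get-IniValues $sysIni 'boot' @('shell')) {
    Add-Finding "$sysIni [boot] shell=" $e.Value ($e.Value -notmatch '^explorer\.exe$') 'shell= should be Explorer.exe only'
}

# 3. Registry Run keys (assumed list of the well-known ones; RunServices is Windows 9x).
$skip = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($skip -contains $p.Name) { continue }
        # Programs launched from temp or profile directories deserve a second look.
        $susp = [string]$p.Value -match '(?i)\\(temp|tmp|appdata|local settings)\\'
        Add-Finding "$key\$($p.Name)" ([string]$p.Value) $susp 'launched from a user-writable directory'
    }
}

# 4-5. Boot-time batch files (Windows 9x); on NT-based systems they are normally absent.
foreach ($bat in 'C:\Autoexec.bat', 'C:\Config.sys', (Join-Path $env:windir 'Winstart.bat')) {
    if (Test-Path -LiteralPath $bat) {
        $body = ((Get-Content -LiteralPath $bat) -join ' | ').Trim()
        Add-Finding $bat $body ($body -ne '') 'review every command run at boot'
    }
}

# 6. Startup group, located through the Shell Folders value the text cites.
$shellFolders = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders'
$startup = (Get-ItemProperty -Path $shellFolders -ErrorAction SilentlyContinue).Startup
if ($startup -and (Test-Path -LiteralPath $startup)) {
    foreach ($f in Get-ChildItem -LiteralPath $startup | Where-Object { -not $_.PSIsContainer }) {
        Add-Finding 'Startup group' $f.FullName ($f.Extension -match '^\.(exe|com|bat|pif|scr|vbs|js)$') 'program or script in the startup group'
    }
}

# 8. File associations: the open command must still be the expected handler
#    (txtfile -> Notepad; exefile/comfile/batfile -> "%1" %* with nothing in front of it).
$expected = @{ txtfile = 'notepad\.exe'; exefile = '^"%1" %\*$'; comfile = '^"%1" %\*$'; batfile = '^"%1" %\*$' }
foreach ($type in $expected.Keys) {
    $cmdKey = "Registry::HKEY_CLASSES_ROOT\$type\shell\open\command"
    if (-not (Test-Path $cmdKey)) { continue }
    $cmd = [string](Get-Item -Path $cmdKey).GetValue('')
    Add-Finding "HKCR\$type\shell\open\command" $cmd ($cmd -notmatch $expected[$type]) "expected handler: $($expected[$type])"
}

$findings | Sort-Object Suspicious -Descending | Format-Table -AutoSize -Wrap
```

The Suspicious column is only a first filter: an entry in a Run key that points into Program Files is not flagged, yet the bundled-file and bounce-port techniques in points 9 and 10 use exactly such paths, so every line of the report still has to be read, and any exefile or comfile command that has anything in front of "%1" means every program on the machine is being launched through a wrapper.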
WORM_NUGACHE.G (Wiking) and TROJ_CLAGGE.B
WORM_NUGACHE.G (Wiking)
Virus pattern release date: Dec 8, 2006
Solution:
Note: To fully remove all associated malware, perform the clean solution for TROJ_DLOADER.IBZ.
Terminating the Malware Program
This procedure terminates the running malware process.
Open Windows Task Manager. On Windows 98 and ME, press CTRL+ALT+DELETE. On Windows NT, 2000, XP, and Server 2003, press CTRL+SHIFT+ESC, then click the Processes tab.
In the list of running programs*, locate the process:
MSTC.EXE
Select the malware process, then press either the End Task or the End Process button, depending on the version of Windows on your computer.
To check if the malware process has been terminated, close Task Manager, and then open it again.
Close Task Manager.
*NOTE: On computers running Windows 98 and ME, Windows Task Manager may not show certain processes. You can use a third party process viewer such as Process Explorer to terminate the malware process.
On all Windows platforms, if the process you are looking for is not in the list displayed by Task Manager or Process Explorer, continue with the next solution procedure, noting additional instructions. If the malware process is in the list displayed by either Task Manager or Process Explorer, but you are unable to terminate it, restart your computer in safe mode.
Editing the Registry
This malware modifies the computer's registry. Users affected by this malware may need to modify or delete specific registry keys or entries. For detailed information regarding registry editing, please refer to the following articles from Microsoft:
HOW TO: Backup, Edit, and Restore the Registry in Windows 95, Windows 98, and Windows ME
HOW TO: Backup, Edit, and Restore the Registry in Windows NT 4.0
HOW TO: Backup, Edit, and Restore the Registry in Windows 2000
HOW TO: Back Up, Edit, and Restore the Registry in Windows XP and Server 2003
Removing Autostart Entries from the Registry
Removing autostart entries from the registry prevents the malware from executing at startup.
If the registry entry below is not found, the malware may not have executed as of detection. If so, proceed to the succeeding solution set.
Open Registry Editor. Click Start > Run, type REGEDIT, then press Enter.
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE > SOFTWARE > Microsoft > Windows > CurrentVersion > Run
In the right panel, locate and delete the entry:
Microsoft Domain Controller = "System\mstc.exe"
(Note: System is the Windows system folder, which is usually
C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, and C:\Windows\System32 on Windows XP and Server 2003.)
Removing Added Key from the Registry
Still in Registry Editor, in the left panel, double-click the following:
HKEY_LOCAL_MACHINE > SOFTWARE
In the left panel, locate and delete the following key:
GNU
Close Registry Editor.
Important Windows ME/XP Cleaning Instructions
Users running Windows ME and XP must disable System Restore to allow full scanning of infected computers.
Users running other Windows versions can proceed with the succeeding solution set(s).
Running Trend Micro Antivirus
If you are currently running in safe mode, please restart your computer normally before performing the following solution.
Scan your computer with Trend Micro antivirus and delete files detected as WORM_NUGACHE.G. To do this, Trend Micro customers must download the latest virus pattern file and scan their computer. Other Internet users can use HouseCall, the Trend Micro online virus scanner.
Applying Patch
This malware exploits a known vulnerability in Windows. Download and install the fix supplied by Microsoft, and refrain from using the affected software until the patch has been installed. Trend Micro advises users to download critical patches as soon as vendors release them.
TROJ_CLAGGE.B Trojan horse
Virus pattern release date: Sep 18, 2006
Solution:
Identifying the Malware Program
To remove this malware, first identify the malware program.
Scan your computer with your Trend Micro antivirus product.
NOTE the path and file name of all files detected as TROJ_CLAGGE.B.
Trend Micro customers need to download the latest virus pattern file before scanning their computer. Other users can use Housecall, the Trend Micro online virus scanner.
Editing the Registry
This malware modifies the computer's registry. Users affected by this malware may need to modify or delete specific registry keys or entries. For detailed information regarding registry editing, please refer to the following articles from Microsoft:
HOW TO: Backup, Edit, and Restore the Registry in Windows 95, Windows 98, and Windows ME
HOW TO: Backup, Edit, and Restore the Registry in Windows NT 4.0
HOW TO: Backup, Edit, and Restore the Registry in Windows 2000
HOW TO: Back Up, Edit, and Restore the Registry in Windows XP and Server 2003
Removing Malware Entry from the Registry
Open Registry Editor. Click Start > Run, type REGEDIT, then press Enter.
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Services > SharedAccess > Parameters > FirewallPolicy > StandardProfile > AuthorizedApplications > List
In the right panel, locate and delete the entry:
{Malware path and file name} = "{Malware path and file name}:*:ENABLED:0"
Close Registry Editor.
Important Windows ME/XP Cleaning Instructions
Users running Windows ME and XP must disable System Restore to allow full scanning of infected computers.
Users running other Windows versions can proceed with the succeeding solution set(s).
Running Trend Micro Antivirus
If you are currently running in safe mode, please restart your computer normally before performing the following solution.
Scan your computer with Trend Micro antivirus and delete files detected as TROJ_CLAGGE.B and TROJ_KEYLOG.CO. To do this, Trend Micro customers must download the latest virus pattern file and scan their computer. Other Internet users can use HouseCall, the Trend Micro online virus scanner.
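The manual steps of both removal procedures above (terminate MSTC.EXE, delete the "Microsoft Domain Controller" Run value, delete the added GNU key, delete the firewall exception) can be carried out from an elevated PowerShell prompt. The function below is an added example written for this page, not Trend Micro's own tool. It runs as a dry run unless -Remove is passed, and -MalwarePath is a placeholder for the file path that the TROJ_CLAGGE.B scan reported, which this page does not give. One caveat the procedure above does not mention: HKEY_LOCAL_MACHINE\SOFTWARE\GNU is also used by legitimate software (GnuPG keeps its install directory under GNU\GnuPG), so the example lists what is under the key and refuses to delete it wholesale when a GnuPG subkey is present.

```powershell
# Added example, not Trend Micro's own tool: carries out the manual removal steps
# for WORM_NUGACHE.G and TROJ_CLAGGE.B above from an elevated PowerShell prompt.
# Nothing is changed unless -Remove is passed; the first run is a dry run.
# -MalwarePath is a placeholder for the path the TROJ_CLAGGE.B scan reported.
function Invoke-NugacheClaggeCleanup {
    param(
        [switch]$Remove,
        [string]$MalwarePath = ''   # assumed input: the file reported as TROJ_CLAGGE.B
    )
    $runKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $runValue = 'Microsoft Domain Controller'
    $addedKey = 'HKLM:\SOFTWARE\GNU'
    $fwList   = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\' +
                'FirewallPolicy\StandardProfile\AuthorizedApplications\List'

    # 1. Terminate MSTC.EXE and confirm it is gone (the page's "close and reopen Task Manager").
    $procs = @(Get-Process -Name 'mstc' -ErrorAction SilentlyContinue)
    if ($procs.Count -gt 0) {
        'Running: ' + (($procs | ForEach-Object { "$($_.Name) pid $($_.Id) $($_.Path)" }) -join '; ')
        if ($Remove) {
            $procs | Stop-Process -Force
            Start-Sleep -Seconds 1
            if (Get-Process -Name 'mstc' -ErrorAction SilentlyContinue) {
                Write-Warning 'mstc.exe is still running; reboot into Safe Mode and rerun.'
            }
        }
    } else { 'mstc.exe is not running (it may never have executed, or the name differs).' }

    # 2. Autostart value. Show the data before deleting: it records what would have run.
    $rv = Get-ItemProperty -Path $runKey -Name $runValue -ErrorAction SilentlyContinue
    if ($rv) {
        "Run value '$runValue' = $($rv.$runValue)"
        if ($rv.$runValue -notmatch 'mstc\.exe') {
            Write-Warning 'Value data differs from the documented System\mstc.exe; review before removing.'
        }
        if ($Remove) { Remove-ItemProperty -Path $runKey -Name $runValue }
    }

    # 3. Added key. HKLM\SOFTWARE\GNU is shared with legitimate software (GnuPG stores its
    #    install directory under GNU\GnuPG), so list the contents instead of deleting blindly.
    if (Test-Path $addedKey) {
        $sub = @(Get-ChildItem -Path $addedKey | Select-Object -ExpandProperty PSChildName)
        "Key $addedKey exists; subkeys: $($sub -join ', ')"
        if ($sub -contains 'GnuPG') {
            Write-Warning 'GnuPG subkey present; remove only the malware-specific entries by hand.'
        } elseif ($Remove) { Remove-Item -Path $addedKey -Recurse }
    }

    # 4. Firewall exceptions. Each value is "path:*:Enabled:name"; report every entry,
    #    mark the one matching -MalwarePath, and note entries whose path no longer exists.
    if (Test-Path $fwList) {
        $skip = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
        foreach ($p in (Get-ItemProperty -Path $fwList).PSObject.Properties) {
            if ($skip -contains $p.Name) { continue }
            $exe = ([string]$p.Value -split ':\*:')[0]
            $isMalware = $MalwarePath -and ($exe -ieq $MalwarePath)
            $missing = -not (Test-Path -LiteralPath $exe)
            "Firewall exception: $($p.Name) -> $($p.Value)" +
                $(if ($isMalware) { '  <== matches -MalwarePath' } elseif ($missing) { '  (path not found as written)' })
            if ($Remove -and $isMalware) { Remove-ItemProperty -Path $fwList -Name $p.Name }
        }
    }
}

# Dry run first; then, once the report looks right:
# Invoke-NugacheClaggeCleanup -Remove -MalwarePath 'C:\path\reported\by\the\scan.exe'
Invoke-NugacheClaggeCleanup
```

Run the dry run, compare its output with the indicators listed in the procedure, and only then rerun with -Remove. The registry and process cleanup replaces the manual steps only; the antivirus scan that deletes the files themselves, and disabling System Restore on Windows ME and XP before that scan, still have to be done as described above.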