Five strategies to clear a hacker's cloned account


Once our computer has been hacked, the attacker will leave behind a backdoor so they can keep control of it for a long time. Although everyday anti-virus software catches some of these, there is still one kind of backdoor that anti-virus software cannot detect: a hidden cloned system account, and the consequences of such a cloned account are very serious. Below we share five strategies for clearing cloned accounts.

●What is a clone account?

Cloning an account is the most hidden kind of backdoor. In Windows, each account has a corresponding key in the registry, and this key determines the account's permissions. By copying that registry key, a hacker can turn an account with ordinary user rights into one with administrator rights, and hide the account. A hidden account is invisible both in "User Management" and at the "command prompt", so ordinary computer administrators rarely find hidden accounts, and the harm is enormous.

●Add an account in command line mode

Click "Start" → "Run", enter "cmd" to open the "command prompt", then type the following command: net user test$ /add and press Enter. This creates an account named test$ on the system. Continue by typing net localgroup administrators test$ /add and pressing Enter, which gives the test$ account administrator privileges.

●Add a hidden account

●Set Registry Operation Permissions

Step 01 Click "Start" → "Run", enter "regedt32.exe" and press Enter to open the "Registry Editor". In regedt32.exe, navigate to HKEY_LOCAL_MACHINE\SAM\SAM, click the "Edit" menu → "Permissions", and in the "Permissions for SAM" window that pops up select the "Administrators" group, tick "Full Control" in the permission settings below, and click "OK".

●Find hidden account's corresponding key value

Step 02 Enter "regedit.exe" in "Run" to open the "Registry Editor", navigate to HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names and click the hidden account "test$". The "Type" of the value displayed on the right shows 0x404. Go up to HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users and you will find the subkey "00000404"; the two correspond to each other, and all information about the hidden account "test$" is stored in the "00000404" subkey. In the same way, we can find that the subkey corresponding to the "Administrator" account is "000001F4".

Step 03 Export the "test$" key to test$.reg, and export the F values of the "00000404" and "000001F4" subkeys to user.reg and admin.reg respectively. Open admin.reg with "Notepad", copy the content after the "F"= value, use it to replace the content of the "F" value in user.reg, and save when done.

Step 04 Enter the "net user test$ /del" command in the "command prompt" to delete the hidden account we created. Don't worry: this step only deletes the hidden account's "empty shell", much like cleaning up traces after an intrusion; the hidden account itself is not changed. Finally, double-click the two registry files test$.reg and user.reg to import them into the registry, and you're done.
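As an added example for defenders, not part of the original article: a read-only PowerShell check that looks for the two artefacts the four steps above leave in the SAM, a user record with no visible account behind it and a record whose F data was copied from another account. It assumes it runs as SYSTEM (the SAM hive is not readable by administrators by default) and that the owning RID is stored at offset 0x30 of the F value, which is an assumption about the F layout rather than something the article states.

```powershell
# Added read-only check (not from the original article). Run as SYSTEM, since
# HKLM\SAM\SAM is not readable by administrators by default. Nothing is modified.
$usersKey = 'HKLM:\SAM\SAM\Domains\Account\Users'

# Accounts the system admits to: map RID (last SID component) -> name.
$visible = @{}
Get-LocalUser | ForEach-Object {
    $visible[[int](($_.SID.Value -split '-')[-1])] = $_.Name
}

# Each 8-hex-digit subkey is one account record (00000404 = test$ and
# 000001F4 = Administrator in the article). Read its binary F value.
$sha = [System.Security.Cryptography.SHA256]::Create()
$records = Get-ChildItem $usersKey |
    Where-Object { $_.PSChildName -match '^[0-9A-F]{8}$' } |
    ForEach-Object {
        $f = (Get-ItemProperty -Path $_.PSPath -Name F).F
        # Assumption: F stores the owning RID as a little-endian DWORD at 0x30.
        $frid = if ($f.Length -ge 0x34) { [BitConverter]::ToInt32($f, 0x30) } else { -1 }
        [pscustomobject]@{
            Rid   = [Convert]::ToInt32($_.PSChildName, 16)
            FHash = [BitConverter]::ToString($sha.ComputeHash($f))
            FRid  = $frid
        }
    }

$findings = @()
foreach ($r in $records) {
    $listed = $visible.ContainsKey($r.Rid)
    $name = if ($listed) { $visible[$r.Rid] } else { '<not listed>' }
    if (-not $listed) {
        $findings += 'RID 0x{0:X} has a SAM record but no visible account (hidden account)' -f $r.Rid
    }
    if ($r.FRid -ne $r.Rid) {
        $findings += 'RID 0x{0:X} ({1}) carries F data belonging to RID 0x{2:X} (cloned)' -f $r.Rid, $name, $r.FRid
    }
}

# Two different RIDs with byte-identical F: exactly what the copy in Step 03 produces.
$records | Group-Object FHash | Where-Object Count -gt 1 | ForEach-Object {
    $rids = ($_.Group.Rid | ForEach-Object { '0x{0:X}' -f $_ }) -join ', '
    $findings += "RIDs $rids share an identical F value (cloned)"
}

if ($findings) { $findings } else { 'No hidden or cloned accounts found.' }
```

Because the account created in the article has RID 0x404 but carries Administrator's F data, it is reported by both the F-owner check and the identical-F check, and it is reported as hidden once net user no longer lists it.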

In general, we rely mostly on anti-virus software to keep our systems secure, but some threats cannot be detected by anti-virus software, such as the cloned account discussed today. If your computer has been attacked once, you cannot take it lightly. Use the above five strategies to clear the accounts hackers have hidden in your system and strengthen its security.

Copyright © Windows knowledge All Rights Reserved