Spotting a Trojan Disguised as a System Process and Removing It

  
The first thing an attacker does after breaking into a computer is to upload a Trojan backdoor. To keep the uploaded Trojan from being discovered, attackers disguise it in various ways. How can the victim see through the disguise and clean every trace of the Trojan out of the system? Run anti-virus software? Not necessarily; often a manual inspection and removal is what actually works.
Anti-virus software has been with us for many years, but against constantly changing viruses and Trojans it often struggles: it may fail to remove them cleanly, and sometimes it cannot even detect that they are present, let alone remove them. Manual inspection and removal therefore remains necessary. This article takes a Trojan disguised as the system process Wmiprvse.exe as an example and walks through its removal step by step.
First, press Ctrl+Alt+Del to open Task Manager and switch to the Processes tab. Unlike before, a Wmiprvse.exe process now appeared in the list. A Baidu search for information about the Wmiprvse.exe process gave the answer that wmiprvse.exe is part of the Microsoft Windows operating system: it is the WMI Provider Host, which carries out WMI operations on behalf of the WinMgmt service and is important for the normal operation of the system.
Seeing this, one might conclude that it is a normal, safe system process and nothing to worry about, and go back to an evening of online gaming. But before long the computer began restarting by itself, and then restarted several more times at intervals. With no other obvious suspects, the next step is to use the system's file search and look for the Wmiprvse.exe program file. The search turned up two Wmiprvse.exe files coexisting on the disk.
A closer look showed that the two program files were the same size, but one of the Wmiprvse.exe files sat in a Windows2 directory. Checking the creation times of the two folders, Windows2 did indeed date from a system reinstallation: both were Windows system directories, one of them left over from the earlier installation and never cleaned up. Opening Task Manager again showed two Wmiprvse.exe processes running under accounts with different privileges. Two instances by themselves prove nothing, since Windows legitimately runs several Wmiprvse.exe processes under different service accounts; what gives this one away is its location. The file under Windows\System32\wbem is the genuine one. In other words, the Wmiprvse.exe that is not under Windows\System32\wbem (here, the one in Windows2) is the virus file. Stopping that process in Task Manager, navigating to its folder and deleting the file seemed to have wiped out the virus, without even rebooting. But about ten minutes later, the virus process was back in Task Manager.
Taking the attitude that it is better to delete too much than to let a single virus file slip through, stop the Trojan process again, delete every file in the Windows2 directory, and then delete the registry values that point to it. After a restart, Task Manager showed that the rogue Wmiprvse.exe process was gone, and the spontaneous restarts had stopped too: the real and the fake "Monkey King" had been told apart. If you run into a Trojan posing as Wmiprvse.exe, it is better to remove it along the lines described here than to go through a time-consuming and laborious reinstall of the system.
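The triage the article does by hand (find every running Wmiprvse.exe, check where each one runs from, find stray copies on disk, and look for the registry entries that relaunch it) can be scripted. The following PowerShell is an added example, not code from the original article. It assumes a Windows host and an elevated session, and because the article never names which registry values it deleted, the Run/RunOnce keys it inspects are an assumption about where the Trojan registered its autostart. Unlike the article, it does not rely on file size: it compares the image path against the genuine location, checks the Authenticode signature, the process owner and the parent process, and hashes every copy it finds.

```powershell
# Added example, not part of the original article. Triage a Wmiprvse.exe
# impostor the way the article does by hand, but with checks that do not
# depend on file size: image path, code signature, owner, parent process,
# stray copies on disk, and Run-key entries that would relaunch it.
# Assumes a Windows host and an elevated PowerShell session (needed to read
# other users' process paths and to hash files under every directory).

$ExpectedPath = Join-Path $env:windir 'System32\wbem\WmiPrvSE.exe'

function Get-WmiPrvSEReport {
    # One row per running wmiprvse.exe. Several genuine instances under different
    # service accounts are normal; the path, signature and parent are what matter.
    Get-CimInstance Win32_Process -Filter "Name = 'wmiprvse.exe'" | ForEach-Object {
        $proc   = $_
        $owner  = Invoke-CimMethod -InputObject $proc -MethodName GetOwner
        $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($proc.ParentProcessId)"
        $path   = $proc.ExecutablePath
        $sig    = if ($path -and (Test-Path -LiteralPath $path)) {
                      (Get-AuthenticodeSignature -FilePath $path).Status
                  } else { 'Unknown' }
        $inPlace = ($path -ieq $ExpectedPath)
        [pscustomobject]@{
            PID        = $proc.ProcessId
            Path       = $path
            Owner      = "$($owner.Domain)\$($owner.User)"
            Parent     = $parent.Name
            Signature  = $sig
            # Genuine WmiPrvSE.exe runs from System32\wbem, carries a valid Microsoft
            # signature and is started by the DCOM launcher hosted in svchost.exe.
            # A parent that has already exited shows as $null and is flagged too.
            Suspicious = (-not $inPlace) -or ($sig -ne 'Valid') -or ($parent.Name -ne 'svchost.exe')
        }
    }
}

function Find-WmiPrvSECopies {
    # Walk every fixed drive for wmiprvse.exe files; the article's impostor lived
    # in a leftover Windows2 directory. Hash rather than compare sizes: an
    # impostor padded to the genuine size still hashes differently.
    $genuineHash = (Get-FileHash -Algorithm SHA256 -LiteralPath $ExpectedPath).Hash
    Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 3' | ForEach-Object {
        Get-ChildItem -LiteralPath "$($_.DeviceID)\" -Filter 'wmiprvse.exe' -Recurse -File -Force -ErrorAction SilentlyContinue
    } | ForEach-Object {
        $hash = (Get-FileHash -Algorithm SHA256 -LiteralPath $_.FullName).Hash
        [pscustomobject]@{
            Path           = $_.FullName
            SizeBytes      = $_.Length
            Created        = $_.CreationTime
            Signature      = (Get-AuthenticodeSignature -FilePath $_.FullName).Status
            MatchesGenuine = ($hash -eq $genuineHash)
        }
    }
}

function Find-WmiPrvSEAutoruns {
    # The article deleted "the relevant registry values" without naming them.
    # These Run/RunOnce keys are the usual user-mode autostart locations
    # (assumption: the Trojan used one of these rather than a service or task).
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # PSPath, PSParentPath ... are provider metadata
            if ("$($p.Value)" -imatch 'wmiprvse\.exe') {
                [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $p.Value }
            }
        }
    }
}

Get-WmiPrvSEReport    | Format-Table -AutoSize
Find-WmiPrvSECopies   | Format-Table -AutoSize
Find-WmiPrvSEAutoruns | Format-Table -AutoSize
```

Run it from an elevated prompt. A process row with Suspicious = True, or a file whose Signature is anything other than Valid, is the one to stop (Stop-Process -Id <PID> -Force), delete, and strip from whatever autorun entry relaunches it. Two caveats: the copies under SysWOW64\wbem and WinSxS are genuine Microsoft files that hash differently from the System32\wbem copy because they are different builds, so read the Signature column before MatchesGenuine; and a Trojan that reappears after ten minutes, as in the article, may be reinstalled by a service or scheduled task rather than a Run key, so if the Run keys come up empty, those are the next places to look.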
System Trojans are a real nuisance. Above we have looked at how such a Trojan hides itself, how it loads automatically, and how to deal with it; we hope this helps.

Copyright © Windows knowledge All Rights Reserved