How to solve the problem of hacking Trojans invading the computer

  
Computer viruses are everywhere: they invade our computers unscrupulously, anti-virus programs intercept and block them, and this defensive battle plays out on our machines every day. One day you may suddenly find that the QQ account you left logged in is sending scam messages and unsightly pictures, or that you are forced offline while QQ was working fine. Then we start our own battle against the virus: first we change the password, then we get the account back through an appeal. Is there a good way to prevent this? Please see the article below.
How to tell whether the computer has a Trojan
Patient: Trojans do so much damage. How do I know whether my computer has a Trojan?
Doctor: After a computer is infected with a Trojan, there are sometimes typical symptoms, such as anti-virus software shutting down by itself, the computer running slowly, frequent pop-up web pages, and some programs in the system failing to run. Sometimes the symptoms are not obvious, but we can use some clues to analyze whether the computer has a Trojan: for example, check "Task Manager" for unfamiliar processes (once you find one, search online to see whether it is a virus program), and check the system folder, registry, startup programs and so on for suspicious files or entries.
The following uses a computer infected with the recently active SoundMan Trojan as an example to show some common Trojan behaviors.


SoundMan Trojan
The SoundMan Trojan is an online-game Trojan downloader that uses the names and icons of Realtek sound card programs to confuse users. Like ordinary Trojans, it blocks the display of hidden files. It can start itself by replacing a service, among other methods, and it can terminate anti-virus software and download a large number of online-game Trojans in the background.
1. Hidden files can no longer be displayed
Open a folder, select "Tools/Folder Options" in the menu above, and on the "View" tab check "Show all files and folders" and uncheck "Hide extensions for known file types". Even after this, hidden files still cannot be displayed.
Hint: If you have set "Show all files and folders" and the system still cannot display hidden files, pay close attention: a Trojan may have invaded.
2. View the System32 folder
Go into the System32 folder (assuming Windows XP is installed on the C drive). There you can find three files created by the Trojan: ineters.exe, SoundMan.exe and tthh3.ini (Editor's note: the hidden-file display problem has already been dealt with at this point).
Tip: Trojans generally drop virus files and related ini files in the system folder System32. If you suspect a Trojan, be sure to check the files created in this folder around the time the symptoms appeared.
3. View User Accounts
Click "Start/Settings/Control Panel" and double-click "User Accounts" to see whether the Guest account has been activated for no reason, or whether there are additional unfamiliar accounts, such as one named Microsoft. Either should put you on alert; this is a typical sign of Trojan infection.
4. View auto files
Once the SoundMan.exe Trojan is in the system, it writes auto.exe and autorun.inf to any removable storage that is connected. So if you find auto and autorun options in the right-click menu, or find the two files auto.exe and autorun.inf in the root directory of a removable hard disk or flash drive, the machine is infected.
Tips: Trojans now generally use the auto-play feature of removable storage to write and spread viruses, so if you find auto.exe and autorun.inf in the root directory of a hard disk partition and of a removable storage device, both the computer and the removable drive have been infected.
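The drive-root check from step 4 can be done from code, which lists a directory without depending on Explorer's hidden-file setting from step 1. This Python sketch is an added example, not part of the original article; the function names and the sample autorun.inf contents are constructed for illustration.

```python
import os
import tempfile

def inspect_drive_root(root):
    """Report auto.exe/autorun.inf at a drive root and what autorun.inf would launch."""
    names = {n.lower(): n for n in os.listdir(root)}  # Windows file names are case-insensitive
    report = {"auto.exe": "auto.exe" in names,
              "autorun.inf": "autorun.inf" in names,
              "commands": []}
    if not report["autorun.inf"]:
        return report
    in_autorun = False
    with open(os.path.join(root, names["autorun.inf"]), errors="replace") as fh:
        for raw in fh:
            line = raw.strip()
            if line.startswith("["):
                in_autorun = line.lower() == "[autorun]"
            elif in_autorun and "=" in line and not line.startswith(";"):
                key, value = (part.strip() for part in line.split("=", 1))
                k = key.lower()
                # open= and shellexecute= run on insertion; shell\<verb>\command adds
                # the extra right-click menu entries the article mentions.
                if k in ("open", "shellexecute") or (
                        k.startswith("shell\\") and k.endswith("\\command")):
                    report["commands"].append((key, value))
    return report

def build_sample_root():
    """Constructed sample: a temp directory laid out like the flash drive in step 4."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "AUTORUN.INF"), "w") as fh:
        fh.write("[AutoRun]\nopen=auto.exe\nshell\\Auto\\command=auto.exe\nicon=folder.ico\n")
    open(os.path.join(root, "auto.exe"), "wb").close()  # empty placeholder file
    return root

if __name__ == "__main__":
    print(inspect_drive_root(build_sample_root()))
```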
In addition to checking the places above, we can also find clues in the following places where Trojans like to hide.
The first is to check the "Win.ini" file. Use Notepad to open the Win.ini file in the "C:\Windows" directory. In the [windows] section of the file, look for the startup commands "load=" and "run=". In general, nothing follows the "="; if a program follows the "=" (Figure 2), it is usually a Trojan.
The second is to check the "System.ini" file. Use Notepad to open the "System.ini" file in the "C:\Windows" directory. If you find a program after "shell=Explorer.exe" in the [boot] section, it is usually a Trojan server program. In addition, in the [386Enh] section of System.ini, carefully check any "driver=path\program name" entry, which may also be used by Trojans. The three sections [mci], [drivers] and [drivers32] in System.ini load drivers, but they are also a good place to plant Trojans, so they need to be checked as well.
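The Win.ini and System.ini checks above, written as a Python sketch. This is an added example, not part of the original article; the sample file contents are constructed, and muma.exe is borrowed from the article's own placeholder name.

```python
import configparser

REVIEW_SECTIONS = ("mci", "drivers", "drivers32")  # driver-loading sections of System.ini

def _parse(text):
    # Legacy Windows INI: '=' is the only delimiter, duplicate keys are tolerated.
    cp = configparser.RawConfigParser(strict=False, allow_no_value=True, delimiters=("=",))
    cp.read_string(text)
    sections = {}
    for name in cp.sections():  # section names are case-sensitive here, so fold them
        sections.setdefault(name.lower(), {}).update(cp.items(name))
    return sections

def check_win_ini(text):
    """Flag non-empty load= / run= in [windows]; normally both are blank."""
    windows = _parse(text).get("windows", {})
    return [f"win.ini [windows] {k}={windows[k]}"
            for k in ("load", "run") if (windows.get(k) or "").strip()]

def check_system_ini(text):
    """Flag anything after shell=Explorer.exe and list driver entries for manual review."""
    ini, findings = _parse(text), []
    shell = (ini.get("boot", {}).get("shell") or "").strip()
    if shell and shell.lower() != "explorer.exe":
        findings.append(f"system.ini [boot] shell={shell}")
    driver = (ini.get("386enh", {}).get("driver") or "").strip()
    if driver:
        findings.append(f"system.ini [386Enh] driver={driver} (review)")
    for sec in REVIEW_SECTIONS:
        for key, value in ini.get(sec, {}).items():
            findings.append(f"system.ini [{sec}] {key}={value} (review)")
    return findings

# Constructed sample contents, not taken from a real infection.
SAMPLE_WIN_INI = r"""[windows]
load=
run=C:\WINDOWS\muma.exe
"""
SAMPLE_SYSTEM_INI = r"""[boot]
shell=Explorer.exe muma.exe
[386Enh]
woafont=dosapp.fon
[drivers]
wave=mmdrv.dll
"""

if __name__ == "__main__":
    for finding in check_win_ini(SAMPLE_WIN_INI) + check_system_ini(SAMPLE_SYSTEM_INI):
        print(finding)
```

Entries marked "(review)" are not verdicts: legitimate drivers live in these sections too, so compare them against a known-clean machine.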
The third is to look in the registry editor. Trojans generally load themselves through the Run, RunServices, RunOnce and similar subkeys in the registry. Enter "regedit" to open the registry editor and look in the following places.
(1) Startup items in the registry
Check RunServices, RunServicesOnce, Run and RunOnce under "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion", and RunServices, Run and RunOnce under "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion", for suspicious items.
If you find unfamiliar programs loaded from the system folder, there may be a Trojan virus.
(2) File association keys
Some Trojans also load themselves by modifying the registry value for a certain file type. Check the "default" value of the "HKEY_CLASSES_ROOT\XXX\shell\open\command" subkey (Editor: XXX here can be exefile, comfile, batfile, htafile, piffile): it should be ""%1" %*". Also check the "default" value of the "HKEY_LOCAL_MACHINE\Software\CLASSES\XXX\shell\open\command" subkey (Editor: XXX here can be exefile, comfile, batfile, htafile, piffile): it should be ""%1" %*".
The "%1 %*" here are placeholders that can be assigned values. If the default value has been modified, for example a Trojan has changed it to "muma.exe %1 %*", the computer may be infected.
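The file-association check can be run over a registry export instead of clicking through each key. This Python sketch is an added example, not part of the original article: it assumes the export has already been decoded to text, the sample export is constructed, and htafile is left out of the default list because its handler is normally mshta.exe, so its clean value should come from a known-good machine.

```python
import re

ARTICLE_DEFAULT = '"%1" %*'                               # clean value given in the article
CLASSES = ("exefile", "comfile", "batfile", "piffile")    # htafile: pass your own baseline
ROOTS = ("hkey_classes_root", "hkey_local_machine\\software\\classes")

SECTION = re.compile(r"^\[(?P<key>[^\]]+)\]$")
DEFAULT = re.compile(r'^@="(?P<val>(?:[^"\\]|\\.)*)"$')   # the (Default) string value

def parse_default_values(reg_text):
    """Map lower-cased key path -> unescaped (Default) value from a .reg export."""
    values, key = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        if m := SECTION.match(line):
            key = m["key"].lower()
        elif key and (m := DEFAULT.match(line)):
            # .reg files escape quotes and backslashes with a leading backslash
            values[key] = re.sub(r"\\(.)", r"\1", m["val"])
    return values

def check_associations(reg_text, classes=CLASSES, expected=ARTICLE_DEFAULT):
    """Return (key, value) pairs whose open command differs from the expected value."""
    values = parse_default_values(reg_text)
    findings = []
    for root in ROOTS:
        for cls in classes:
            key = "\\".join((root, cls, "shell", "open", "command"))
            value = values.get(key)
            if value is not None and value.strip() != expected:
                findings.append((key, value))
    return findings

# Constructed sample export: exefile hijacked, batfile clean.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="muma.exe \"%1\" %*"

[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="\"%1\" %*"
"""

if __name__ == "__main__":
    for key, value in check_associations(SAMPLE_REG):
        print(f"modified association: {key} -> {value}")
```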