SoFunction
Updated on 2025-04-14

Registry modification computer virus removal

Trojan hiding places and general inspection techniques

The Trojan horse takes its name from the Trojan horse of ancient Greek mythology. It is a remote-control hacking tool that is highly concealed and highly harmful. To gain control of the server host, Trojans use various means to activate, load and run themselves. Here we briefly introduce the common activation methods of Trojans and their hiding places, and use some examples to show how to remove Trojans manually.

●Starting the Trojan in:

In the [Windows] section there are the startup commands "load=" and "run=". Normally nothing follows the "=". If a program follows it, for example:
run=C:\Windows
load=C:\Windows
then it is very likely a Trojan program.

●Modifying file associations in the Windows XP registry:

Modifying file associations in the registry is a common method used by Trojans; how the associations are modified was explained in earlier articles of this series. Under normal circumstances a txt file is opened with Notepad, but once a file-association Trojan has infected the system, the txt file is opened with the Trojan program instead. For example, the well-known domestic Trojan "Glacier" modifies the "default" value of the registry subkey HKEY_CLASSES_ROOT\txtfile\shell\open\command from "C:\Windows %1" to "C:". In this way, when you double-click a txt file, the file that should have been opened with Notepad now launches the Trojan program. Of course, not only txt files but other file types, such as htm, exe, zip and com, are also targets of Trojan programs, so be careful.

For this type of Trojan, you can only check the shell\open\command subkey branch of each file type under HKEY_CLASSES_ROOT in the registry and see whether its value is normal.

●Bundling Trojan files in the Windows XP system:
To achieve this trigger condition, a connection must first be established between the control terminal and the server. The control-terminal user uses tool software to bundle the Trojan file with an application and uploads it to the server, overwriting the original file. In this way, even if the Trojan is deleted, it is reinstalled as soon as the bundled application is run. If it is bundled with a system file, the Trojan is launched every time Windows XP starts.

●Starting the Trojan in:
The shell= line in the [boot] section is the favourite hiding place of Trojans. The usual practice is to change the statement to this:
Shell=
Here the added file is the Trojan server program.
In addition, carefully check the "driver=path\program name" entries in the [386enh] section, because they may also be used by Trojans. The three sections [mic], [drivers] and [drivers32] also load drivers, so they are also ideal places to add Trojans.
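As an added example (not from the original article), here is a check for the two INI-style entries described above: the [Windows] run= and load= lines, which should be empty, and the [boot] shell= line, which should name only the stock shell. The article does not give the file names here, so the function takes the file's text as input; the stock shell name Explorer.exe and the sample contents are assumptions constructed for the example.

```python
EXPECTED_SHELL = "explorer.exe"  # assumed stock value of the [boot] shell= line

def parse_ini(text):
    """Minimal INI reader: {section: {key: value}} with section and key names lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop ';' comments
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections

def audit_ini(text, expected_shell=EXPECTED_SHELL):
    """Return (section, key, value) for a non-empty [windows] run=/load= and for a
    [boot] shell= that names anything other than the stock shell on its own."""
    ini = parse_ini(text)
    findings = []
    for key in ("run", "load"):
        value = ini.get("windows", {}).get(key, "")
        if value:
            findings.append(("windows", key, value))
    shell = ini.get("boot", {}).get("shell", "")
    # Compare program base names, so "C:\Windows\Explorer.exe" still counts as the stock
    # shell, while "Explorer.exe server.exe" (the pattern described above) does not.
    programs = [p.rsplit("\\", 1)[-1].lower() for p in shell.split()]
    if programs != [expected_shell]:
        findings.append(("boot", "shell", shell))
    return findings

# Constructed sample: an added run= program and a shell= line with an appended server program.
SAMPLE_INI = """[windows]
load=
run=C:\\WINDOWS\\sample_server.exe
[boot]
shell=Explorer.exe C:\\WINDOWS\\SYSTEM\\sample_server.exe
"""
```

Each finding names the section, key and the full value so it can be compared against the "run=", "load=" and "shell=" repairs described in the troubleshooting steps.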

●Using the Windows XP registry to load and run:
The following registry locations are the preferred hiding places of Trojans:
all subkeys whose names start with "Run" under the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion subkey branch;
all subkeys whose names start with "Run" under the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion subkey branch;
all subkeys whose names start with "Run" under the HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion subkey branch.

●Loading and running the Trojan in:
Establish a connection between the control side and the server, upload a file of the same name to which the Trojan startup command has been added, and overwrite the two files on the server; the Trojan is then started in this way. The method is not very concealed, so it is rarely used, but it cannot be taken lightly.

●Starting the Trojan in:
This is also a file that Windows XP loads and runs automatically. Most of the time it is generated automatically by applications and by Windows itself. It starts executing after and have been executed and most drivers have been loaded (you can observe this by pressing F8 at startup and choosing the startup mode that steps through the boot process). Since its function can also be performed by , the Trojan can be loaded and run from it just as from .

General inspection techniques for Trojans

Now that we know the hiding places of Trojans, finding and killing them is naturally easy. If you find that your computer has been hit by a Trojan, the safest and most effective measure is to disconnect from the network immediately, so that hackers cannot attack you through it. Then follow the steps below:

●Edit the file and change "run=Trojan program" or "load=Trojan program" under the [Windows] section to "run=" and "load=".
●Edit the file and change "shell=Trojan file" under the [boot] section to "shell=".
●Modify the Windows XP registry: first find the file name of the Trojan program under the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run subkey branch, then search the entire registry for the Trojan program and delete or replace it. Annoyingly, not all Trojan programs are gone once they are deleted: some are added back automatically immediately after deletion. In that case, note the location of the Trojan, that is, its path and file name, then exit to DOS, find the file and delete it. Restart the computer, return to the registry, and delete all key-value entries of the Trojan file.
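The registry part of the procedure above, as an added example that is not part of the article: it parses a registry export (regedit's File > Export output, decoded to text) and lists every entry under the CurrentVersion subkeys whose names start with "Run" in the three hives named earlier, plus any shell\open\command default that differs from the expected handler. The expected handler values and the sample export are assumptions constructed for this example; only the value names "Mstesk" and "Diagnostic Configuration" are taken from the article's later examples.

```python
import re
# The article lists every subkey starting with "Run" (Run, RunOnce, RunServices, ...) under these roots.
CURRENT_VERSION_ROOTS = (
    r"hkey_current_user\software\microsoft\windows\currentversion",
    r"hkey_local_machine\software\microsoft\windows\currentversion",
    r"hkey_users\.default\software\microsoft\windows\currentversion",
)
# Assumed stock handlers for the associations the article says Trojans rewrite.
EXPECTED_OPEN_CMD = {
    r"HKEY_CLASSES_ROOT\txtfile\shell\open\command": r"C:\WINDOWS\NOTEPAD.EXE %1",
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command": '"%1" %*',
}
_ENTRY = re.compile(r'^(?:@|"(?P<name>[^"]*)")="(?P<value>.*)"$')  # REG_SZ lines only

def parse_reg_export(text):
    """Parse REG_SZ lines of a .reg export into {key: {name: value}} ("@" = default; \\ and \" unescaped)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and (m := _ENTRY.match(line)):
            keys[current][m.group("name") or "@"] = re.sub(r"\\(.)", r"\1", m.group("value"))
    return keys

def audit_export(text, expected=EXPECTED_OPEN_CMD):
    """List every autorun entry for review, plus each association command whose default differs."""
    expected_lc = {k.lower(): v.lower() for k, v in expected.items()}
    findings = []
    for key, entries in parse_reg_export(text).items():
        parent, _, leaf = key.lower().rpartition("\\")
        if parent in CURRENT_VERSION_ROOTS and leaf.startswith("run"):
            findings += [("autorun", key, name, value) for name, value in entries.items()]
        exp = expected_lc.get(key.lower())
        if exp is not None and entries.get("@", "").lower() != exp:
            findings.append(("association", key, "@", entries.get("@", "")))
    return findings

# Constructed sample export: two planted autorun entries (value names taken from the
# article's examples), a hijacked txtfile association and an intact exefile association.
SAMPLE_REG = r'''[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Mstesk"="C:\\Program Files\\sample\\planted.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Diagnostic Configuration"="C:\\WINDOWS\\SYSTEM\\planted2.exe"
[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="C:\\WINDOWS\\SYSTEM\\hijack.exe %1"
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
'''
```

Regedit writes exports as UTF-16 with a byte-order mark, so read a real file with `open(path, encoding="utf-16")` before passing its text to `audit_export`; autorun entries are listed for review, not judged, since legitimate software uses the same keys.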



Computer Trojan clearing examples

●Glacier v1.1 registry clearing example:
Open the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run subkey branch in the registry editor, find and delete C: and C: in the right-hand window, then restart into MS-DOS mode and delete the C: and C: Trojan files.

●AOL Trojan registry clearing example:

First, go to MS-DOS mode and delete the following files:
C:
C:Americ~1.0uddyl~
C:Windowssystem orton~1 egist~
Open the file, clear the Trojan program path under the [Windows] section so that the lines read "run=" and "load=", and save the file.
Then open the Windows XP registry, open the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run subkey branch, delete the key value item "WinProfile=C:" in the right-hand window, close the registry and restart the computer.

●Doly v1.1-v1.5 registry clearing example (v1.6 and v1.7 are similar):

First, enter MS-DOS mode and delete the following three Trojan programs (v1.35 has one more Trojan file):
C:\Windows\System
C:\Windows\Start
C:\Program
C:\Program

Restart Windows, open the file, delete "load=C:\Windows\System" under the [windows] section, that is, change it to "load=", and save the file.

Then open the HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run subkey branch in the registry and delete the key value item "Mstesk="C:\Program"" in the right-hand window; open the HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\ss subkey branch and delete everything under it (these are the server parameters selected and set by the Trojan); then open the HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run subkey branch and delete the key value item "Mstesk="C:\Program"" in the right-hand window.

Close the registry, open the C: file and delete the following two lines:
@echo off copy c: C:\Windows\Start Menu\Startup Items
Del c:
Save and close the file.

●IndocTrination v0.1-v0.11 registry clearing example:
Open the following subkeys in the registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce
In the right-hand window of each of these subkeys, delete the following key value item:
Msgsrv16 = "Msgsrv16". Then close the registry, restart Windows and delete the C: file.

●SubSeven-Introduction v1.8 registry clearing example:
Open the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices subkey branches, find the key value items whose data contains "C:" in the right-hand window and delete them.
Open the file, change "run=" to "run=", then save and close the file.
Open the file, change "shell=" to "shell=", save and close the file, restart Windows, and delete the C: file.

●Guangdong University of Foreign Studies Trojan registry clearing example:
Exit to MS-DOS mode and delete the Trojan file in the system directory. Since the virus is associated with exe files, no exe file will run in the Windows environment once it has been deleted. So first find the registry editor "" in the Windows directory and rename it to "".
Return to Windows and run "". Open HKEY_CLASSES_ROOT\exefile\shell\open\command and change its default value to "%1 %*", then delete the key value item "Diagnostic Configuration" under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices. Close the registry.
Go back to the Windows directory and rename "" back to "".

●Netbull registry clearing example:
Under Windows 9x the virus bundles itself with , , , and ; under Windows NT/2000 with , , , and . Open:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
Delete the key value item ""="C:\Windows\System\CheckDll..exe" under these subkeys.
In addition, to check whether your machine is infected with this virus, check the files listed above: if their length has changed (an increase of about 40 KB), delete them. Then click [Start] | [Programs] | [Accessories] | [System Tools] | [System File Checker], select "Extract one file from installation disk" in the dialog box that appears, fill in the file to be extracted (the one you deleted earlier), click "OK", and follow the on-screen prompts to restore these files. If third-party software that runs automatically at boot, such as QQ, has been bundled, you must delete those files and reinstall the software.

●Smart Gene registry clearing example:
Delete the files under C:\Windows, then delete the files under C:\Windows\System. If the server is already running, you must first terminate its process with a process-management tool before you can delete it.
Open HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run and delete the key value item "MainBroad BackManager". Change the default value of HKEY_CLASSES_ROOT\txtfile\shell\open\command to "C: %1" to restore the txt file association, and change the default value of HKEY_CLASSES_ROOT\hlpfile\shell\open\command to "C: %1" to restore the hlp file association.

The above are some typical manual Trojan removal procedures. I hope everyone can draw inspiration from them, gradually work out the hiding and activation patterns of Trojans, and reach the point of handling any variant with the same approach. Good luck to everyone :)