Friday, 11 November 2011

Trojan generic solution

Many newcomers know little about security, so they do not know how to remove a "Trojan" once their computer has been infected. Although many of the newer anti-virus products on the market can remove Trojans automatically, they cannot protect against newly released Trojan programs, so the key is to understand how a Trojan works; once you do, spotting one becomes easy. I believe that after reading this article you will be an expert at finding and removing Trojans.

A Trojan program will do everything it can to hide itself. The main techniques are: hiding from the taskbar, which is the most basic: set the form's Visible property to False and ShowInTaskBar to False, and the running program will not appear in the taskbar. Hiding from Task Manager: registering the program as a "system service" disguises it easily. Of course it also starts silently; you would hardly expect the user to click the Trojan's icon after every boot to launch the server side :), so the Trojan loads its server side automatically each time the user starts up. Every mechanism Windows offers for loading an application at startup gets used by Trojans: the Startup group, win.ini, system.ini, the registry and so on are all good hiding places. The following describes in detail how a Trojan gets itself loaded automatically.

In the win.ini file, under [WINDOWS], the "run=" and "load=" entries are possible ways of loading a Trojan program, so watch them carefully. Normally there is nothing after the equals sign; if you find a path and file name that is not a startup file you recognize, your computer may well be infected. You also have to look closely, because many Trojans, such as the "AOL Trojan", disguise themselves as the command.exe file; if you are not careful you may not notice that it is not the real system startup file.

In the system.ini file, under [BOOT], there is an entry "shell=file name". The correct file name is "explorer.exe". If instead of "explorer.exe" it reads "shell=explorer.exe program name", then the program that follows is the Trojan, which means you are infected.

The registry is the most complicated case. Open the Registry Editor with the regedit command and navigate to "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run". Check the values there for any unfamiliar auto-start file with the extension EXE. Keep in mind that some Trojans create files that look very much like the system's own files in the hope of slipping through in disguise. For example, the "Acid Battery v1.0" Trojan changes the Explorer value under "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" to Explorer="C:\WINDOWS\expiorer.exe"; the only difference between the Trojan and the real Explorer is an "i" in place of an "l". Of course there are many other places in the registry where a Trojan can hide, such as under "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" and "HKEY_USERS\****\Software\Microsoft\Windows\CurrentVersion\Run". The best approach is to find the Trojan's file name under "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" and then search the whole registry for it.

Once you know how a Trojan works, finding and removing it becomes easy. If you find that a Trojan is present, the safest and most effective first step is to disconnect the computer from the network immediately, so that the attacker cannot reach you over the network. Then edit win.ini and change "run=Trojan program" or "load=Trojan program" under [WINDOWS] back to "run=" and "load="; edit system.ini and change "shell=Trojan file" under [BOOT] to "shell=explorer.exe"; in the registry, using regedit, first find the Trojan's file name under "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run", then search the entire registry and replace the Trojan entries. Note that for some Trojans it is not enough simply to delete the Trojan's value under "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run": the BladeRunner Trojan, for instance, re-adds the value immediately if you delete it. In that case, note down the Trojan's name and directory, drop back to MS-DOS, find the Trojan file and delete it. Restart the computer, then go back into the registry and delete all of the Trojan's values. At this point, we are done.
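The three checks above (win.ini run=/load=, system.ini shell=, and lookalike names in the Run key) can be scripted. This is an added example, not code from the original post; the INI text and Run entries are constructed samples standing in for C:\WINDOWS\win.ini, system.ini and the Run key values you would read on a real machine, and the lookalike test (one substituted character against a known system binary) is my own generalization of the expiorer.exe/explorer.exe trick the post describes.

```python
"""Added example, not code from the original post: audit the autostart
locations the post walks through (win.ini run=/load=, system.ini shell=,
registry Run values).  The INI text and Run entries are constructed samples
standing in for C:\\WINDOWS\\win.ini, system.ini and the Run key."""
import configparser

KNOWN_SYSTEM_FILES = ("explorer.exe", "command.exe")  # binaries named in the post

WIN_INI = "[windows]\nload=\nrun=C:\\WINDOWS\\SYSTEM\\server.exe\n"
SYSTEM_INI = "[boot]\nshell=explorer.exe C:\\WINDOWS\\wincfg.exe\n"
RUN_ENTRIES = {  # constructed: value name -> command line
    "Explorer": "C:\\WINDOWS\\expiorer.exe",
    "ScanRegistry": "C:\\WINDOWS\\scanregw.exe /autorun",
}

def _ini_value(text, section, key):
    """Read key from section; section name is matched case-insensitively
    (both [WINDOWS] and [windows] occur in the wild).  '' when absent."""
    cp = configparser.ConfigParser(interpolation=None, allow_no_value=True)
    cp.read_string(text)
    sec = next((s for s in cp.sections() if s.lower() == section), None)
    return (cp.get(sec, key, fallback="") or "").strip() if sec else ""

def lookalike(filename):
    """Known binary that `filename` imitates by a single substituted
    character (the post's expiorer.exe vs explorer.exe), or None."""
    n = filename.lower()
    for k in KNOWN_SYSTEM_FILES:
        if n != k and len(n) == len(k) and sum(a != b for a, b in zip(n, k)) == 1:
            return k
    return None

def audit_ini(win_ini_text, system_ini_text):
    """Flag non-empty run=/load= and any shell= other than plain explorer.exe."""
    findings = []
    for key in ("run", "load"):
        value = _ini_value(win_ini_text, "windows", key)
        if value:
            findings.append(f"win.ini [windows] {key}={value}")
    shell = _ini_value(system_ini_text, "boot", "shell")
    if shell.lower() != "explorer.exe":
        findings.append(f"system.ini [boot] shell={shell}")
    return findings

def audit_run_entries(entries):
    """Flag Run values whose executable name imitates a known system binary."""
    findings = []
    for name, cmd in entries.items():
        exe = cmd.split()[0].replace("\\", "/").rsplit("/", 1)[-1]  # drop path and args
        hit = lookalike(exe)
        if hit:
            findings.append(f"Run\\{name}={cmd} (lookalike of {hit})")
    return findings
```

Every line the audit returns is a candidate for the manual clean-up the post describes; an empty result from both functions means the three locations look as they should.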
