Protect your property: removing an Internet banking Trojan yourself



As the number of Internet users grows, they have naturally become a tempting target for all kinds of viruses and account-stealing Trojans. As one batch of account-stealing Trojans falls, replacement account-stealing programs appear one after another. Careless use of a personal online banking account on the network can bring no small loss, which gives many users a headache.

How the Trojan works

Sure enough, a new Internet banking Trojan, Win32.Troj.BankJp.a.221184, has recently appeared. The Trojan can spread through storage devices and third-party networks, causing losses to systems, networks and bank users. Once the Trojan is present on a system, it first looks for the "Personal Banking Professional Edition" window and steals the online banking account and password. The virus then automatically replaces a large number of system files and records keystrokes. It deletes or damages userinit.exe, the key logon program of the system, so that after a reboot the system repeatedly returns to the logon screen, cannot reach the desktop and cannot be used normally. The virus can also update the Trojan automatically, which seriously threatens the user's privacy and the security of their property.

On an infected computer, the virus creates the dynamic link library files mshelp.dll and mspw.dll in the %windir% directory, then adds a service entry, power, under the registry branch HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services, and tries to back up the following files: %system%\calc.exe -> %system%\dllcache\c_20218.nls, %system%\userinit.exe -> %system%\dllcache\c_20911.nls and %windir%\notepad.exe -> %system%\dllcache\c_20601.nls. After this succeeds, the virus automatically finds and replaces calc.exe in the %windir% directory; userinit.exe and notepad.exe in the %system% directory; and calc.exe, userinit.exe and notepad.exe in the %system%\dllcache directory, in order to hide itself deeply.

Even then, the Trojan has not finished reinforcing itself: it creates a folder named RECYCLER.. in the system root directory to store a backup of the virus.

Virus clean-up process

If a user is accidentally infected by this Trojan, it should be removed from the computer as soon as possible. Depending on your own ability to respond to a virus emergency, there are two options:

Method 1: repair through the remote registry

Because the system enables the Remote Registry service by default, a user on the same LAN can connect remotely with Registry Editor and modify the registry of the infected computer. First, in the Run item of the Start menu, type regedit to launch Registry Editor, click the File menu, open the Connect Network Registry item, and enter the infected computer's IP address or machine name (Note: if the other computer asks for a user name and password after the connection succeeds, enter them).

Then find the registry branch HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options and delete the userinit.exe item under it. (Note: sometimes there is no image hijack and the userinit.exe item hijacked by the virus cannot be found. In that case, find the registry branch HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon and change the value of the Userinit key under it to the system default, C:\WINDOWS\system32\UserInit.exe.) If userinit.exe itself has been destroyed by the virus, boot from the Windows installation CD and use the quick repair to restore the userinit.exe file.

Finally, use a DOS command to put back c_20911.nls, the file the virus renamed and moved. The command is as follows:

copy c:\windows\system32\dllcache\c_20911.nls c:\windows\system32

After a reboot, the system returns to normal.

Method 2: repair from a WinPE boot CD

First, start the computer and press the Delete key to enter the BIOS, then set the computer to boot from the CD-ROM (Note: the way to enter the BIOS differs slightly between computer brands; refer to the manual for your machine). When that is done, insert the WinPE CD into the optical drive and press F10 to save and exit. The computer then restarts and boots into the CD's interface.

Once inside the WinPE system, find the registry branch HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options and delete the userinit.exe item under it. Then find the registry branch HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon and change the value of the Userinit key under it to the system default, C:\WINDOWS\system32\UserInit.exe. Next, browse the WinPE CD and copy the userinit.exe program from the system32 folder of the I386 directory to the windows\system32 path on the disk where the system is installed.

Finally, remove the CD and restart the computer. The userinit.exe hijacked by the virus returns to normal, the operating system starts normally, and the problem no longer appears on later restarts.
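
The artifacts this article names can be checked for before and after either repair method. The following read-only PowerShell script is an added example, not part of the original article; it assumes the registry paths read as written in its comments (a Services subkey named power, an Image File Execution Options subkey named userinit.exe) and that Windows is installed under %windir%.

```powershell
# Added example: read-only triage for the artifacts named in this article.
# Run from an elevated PowerShell prompt on the suspect machine; nothing is modified.
$sys32    = Join-Path $env:windir 'System32'
$findings = @()

# DLLs the article says are created in %windir%.
foreach ($name in 'mshelp.dll', 'mspw.dll') {
    $path = Join-Path $env:windir $name
    if (Test-Path -LiteralPath $path) { $findings += "Dropped DLL present: $path" }
}

# Backup names the article says are written to %system%\dllcache.
foreach ($name in 'c_20218.nls', 'c_20911.nls', 'c_20601.nls') {
    $path = Join-Path $sys32 "dllcache\$name"
    if (Test-Path -LiteralPath $path) { $findings += "Backup copy present: $path" }
}

# Service entry "power" (assumed to be a subkey of Services). Later Windows
# versions ship a legitimate Power service, so report ImagePath for review.
$svc = 'HKLM:\SYSTEM\CurrentControlSet\Services\power'
if (Test-Path $svc) {
    $image = (Get-ItemProperty -Path $svc -ErrorAction SilentlyContinue).ImagePath
    $findings += "Service key 'power' exists (ImagePath: $image); review it"
}

# Image File Execution Options entry that hijacks userinit.exe.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\userinit.exe'
if (Test-Path $ifeo) { $findings += 'IFEO entry exists for userinit.exe' }

# Winlogon Userinit should point at %system%\userinit.exe. The stock value
# ends with a comma, so strip it before the (case-insensitive) comparison.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$expected = Join-Path $sys32 'userinit.exe'
$actual   = (Get-ItemProperty -Path $winlogon -Name Userinit -ErrorAction SilentlyContinue).Userinit
if ($null -eq $actual -or $actual.Trim().TrimEnd(',') -ne $expected) {
    $findings += "Winlogon Userinit is '$actual', expected '$expected'"
}

# The logon program itself must still exist after the repair.
if (-not (Test-Path -LiteralPath $expected)) { $findings += "Missing file: $expected" }

if ($findings.Count -eq 0) { 'None of the artifacts named in the article were found.' }
else { $findings }
```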

Virus prevention

The virus is not what is frightening; the intent of the virus maker is. Internet users must constantly guard against property loss. So for a new Internet user, what methods make it easy to guard against viruses and theft? In fact, there is no truly secure system on the network, only relatively safe platforms. To reduce threats from the network to a minimum, users should note the following:

First, do not open unexplained web pages or sites sent through instant messaging software, and do not casually accept or click on programs from strangers or unknown sources (including EXE executable files, pictures, animations, movies, music, e-books and so on), to avoid being infected.

Second, turn on automatic updates for system patches, and set the security software installed on this machine to update every day so that it stays at the latest version. When communicating over the network, turn on the firewall; users without a firewall should install one. That way, if a program on the computer makes an unfamiliar remote connection, you will know in advance and can review it.

Third, from time to time use anti-virus software or third-party security tools to run a full scan of the computer. Users of instant messaging software such as QQ should use QQ Doctor to patch the system and check for account-stealing programs, to avoid being infected by online banking Trojans.