How to detect if there is a Trojan in a system

xiaoxiao2021-03-06  104

How do I tell whether a system has a Trojan in it? Here I will only use some simple Trojans as the example, and the trick goes like this:

1. Start Task Manager and look for any unfamiliar process. Write it down, but do not touch it.
2. Start the Registry Editor and check the following places:
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ...
   HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ...
   Look for suspicious programs there.
   HKEY_CLASSES_ROOT\exefile\shell\open\command: check for a Trojan that hijacks the EXE file association; the correct value is "%1" %*
   HKEY_CLASSES_ROOT\inffile\shell\open\command: check for a Trojan that hijacks the INF file association; the correct value is %SystemRoot%\System32\notepad.exe %1
   HKEY_CLASSES_ROOT\inifile\shell\open\command: check for a Trojan that hijacks the INI file association; the correct value is %SystemRoot%\System32\notepad.exe %1
   HKEY_CLASSES_ROOT\txtfile\shell\open\command: check for a Trojan that hijacks the TXT file association; the correct value is %SystemRoot%\System32\notepad.exe %1
   Write down what you find, but do not change anything yet.
3. Open a CMD window and run netstat -an to look for unusual ports. It is recommended to download Active Ports to see which process owns which port, and to find the process that is using the unusual port.
4. Use Explorer to look through the WinNT\ and WinNT\System32 directories (remember to show all files, including protected system files), sort by time, and look for programs whose creation or modification time is unusual. Write them down.
5. Check Start -> Programs -> Startup for any unfamiliar startup items.

Putting these five steps together, you should be able to come up with a list of suspicious programs.
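As an added example (not part of the original post), the following PowerShell script performs the read-only checks from steps 2, 3 and 5 in one pass: it compares the four file-association command keys against the expected values given above, lists the Run keys and Startup folders, and maps listening TCP ports to their owning process in place of the Active Ports tool. It assumes Windows 8 / Server 2012 or later (for Get-NetTCPConnection) and a session that can read HKCR.

```powershell
# Added example, not from the original post: a read-only audit of the
# registry keys, startup locations and listening ports named in steps 2, 3 and 5.
# Assumes Windows 8 / Server 2012 or later (Get-NetTCPConnection).

# Expected default values for the file-association keys listed in the post.
$expected = @{
    exefile = '"%1" %*'
    inffile = '%SystemRoot%\System32\NOTEPAD.EXE %1'
    inifile = '%SystemRoot%\System32\NOTEPAD.EXE %1'
    txtfile = '%SystemRoot%\System32\NOTEPAD.EXE %1'
}

Write-Host '== File association commands (HKCR\<type>\shell\open\command) =='
foreach ($type in $expected.Keys) {
    $key = Get-Item "Registry::HKEY_CLASSES_ROOT\$type\shell\open\command" -ErrorAction SilentlyContinue
    if (-not $key) { Write-Host "[?] $type : key missing"; continue }
    # DoNotExpandEnvironmentNames keeps %SystemRoot% literal so it compares cleanly.
    $actual = $key.GetValue('', '', 'DoNotExpandEnvironmentNames')
    # String -eq in PowerShell is case-insensitive, which suits registry data.
    $flag = if ($actual -eq $expected[$type]) { 'OK' } else { 'SUSPICIOUS' }
    Write-Host ("[{0}] {1,-8} {2}" -f $flag, $type, $actual)
}

Write-Host '== Run keys (record, do not change) =='
foreach ($hive in 'HKLM', 'HKCU') {
    $path = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
    $props = Get-ItemProperty $path -ErrorAction SilentlyContinue
    if ($props) {
        # Skip the PS* metadata properties that Get-ItemProperty adds.
        $props.PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object { Write-Host ("{0} {1} = {2}" -f $hive, $_.Name, $_.Value) }
    }
}

Write-Host '== Startup folders (per-user and all-users) =='
@("$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
  "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup") |
    ForEach-Object { Get-ChildItem $_ -ErrorAction SilentlyContinue | Select-Object -ExpandProperty FullName }

Write-Host '== Listening TCP ports with owning process (stands in for Active Ports) =='
Get-NetTCPConnection -State Listen |
    Sort-Object LocalPort |
    Select-Object LocalAddress, LocalPort, OwningProcess,
        @{ Name = 'Process'; Expression = { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).Name } } |
    Format-Table -AutoSize
```

Any association line flagged SUSPICIOUS, and any Run entry or listening process you cannot account for, goes on the list of suspects to investigate before anything is changed.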
Now for killing the Trojan by hand :D

6. The order for removing a Trojan is: stop the process -> clean up the related registry entries -> delete the Trojan's files from the hard disk.

Note: for some Trojans that use thread injection or the three-thread protection method, you need the appropriate tools to remove them (or try writing your own; it is good coding practice).

In addition, I have seen a Trojan that used the Autorun file association: there is an autorun file in every partition, and simply opening a partition loads it.

A tip: after the EXE file association has been hijacked, regedit.exe cannot be run because EXE files no longer open. Copy regedit.exe to regedit.com and run regedit.com to change the EXE file association back, provided there is no process in the system watching this entry.

The above only covers simple methods for determining whether there is a Trojan in the system. More important is prevention. The most basic precautions are to give Microsoft some face and patch diligently, and never run a suspicious program. It is best to also have a capable antivirus product; I recommend Norton Antivirus.

Please cite the original address when reposting: https://www.9cbs.com/read-125279.html