SoFunction
Updated on 2025-04-13

A good general-purpose method for detecting and removing Trojan horses

Many novices who don't know much about security are helpless once their computers are infected with a Trojan horse. Although many new versions of antivirus software on the market can automatically remove most Trojans, they cannot prevent new Trojan programs. Therefore, the most important thing in detecting and removing Trojans is to understand how they work. I believe that after reading this article, you will become a master of detecting and removing Trojans.
A Trojan program will try every means to hide itself. The main ways are as follows. Hiding from the taskbar is the most basic: as long as the Form's Visible property is set to False and ShowInTaskBar is set to False, the program will not appear in the taskbar while it is running. Hiding from Task Manager: registering the program as a "System Service" makes it easy for it to disguise itself. It will also start silently. Hackers cannot expect users to click the Trojan's icon to run the server after each startup, so the Trojan will load automatically each time the user starts the computer. Trojans use the same methods Windows provides for automatically loading applications at startup: startup groups, the registry and so on are all good places for Trojans to hide.

Let's look at how a Trojan is loaded automatically. In the file, under [WINDOWS], "run=" and "load=" are ways to load Trojan programs, and they must be watched carefully. Generally speaking, there should be nothing after their equal signs. If you find a path and file name there that is not a startup file you are familiar with, your computer may be infected with a Trojan. Of course, you have to look closely, because many Trojan horses, such as the "AOL Trojan", disguise themselves as (the real system file is) files. If you are not careful, you may not notice that it is not a real system startup file (especially when viewing it in a Windows window).

In the file, there is a "shell=filename" entry under [BOOT]. The correct file name should be "". If it is not "", but "shell= program name", then the program that follows is the Trojan program, which means that you have already been infected with the Trojan. The situation in the registry is the most complicated. Open the registry editor with the regedit command. Go to the key "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" and check whether its values contain any unfamiliar automatic startup files with the extension EXE. Remember here: the files generated by some Trojan programs are very similar to the system's own files, and they try to slip through by disguise. For example, "Acid Battery v1.0 Trojan" changes the Explorer value under the registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" to Explorer= "C:". The only difference between the Trojan program and the real Explorer is an "i" in place of an "l". Of course, there are many other places in the registry where Trojan programs can hide, such as "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" and "HKEY_USERS\****\Software\Microsoft\Windows\CurrentVersion\Run". The best way is to find the file name of the Trojan program under "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run", and then search for it in the entire registry.
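The checks described above can be scripted. The following is an added example, not code from the original article: it flags non-empty "run="/"load=" entries, an unexpected "shell=" value, and Run-key entries whose executable name imitates a trusted one by swapping look-alike characters. The function names, the trusted list, the expected shell value "explorer.exe" (the Windows default, not stated on this page) and all sample data are assumptions.

```python
import configparser
import ntpath
import re

TRUSTED = {"explorer.exe"}  # assumption: your own baseline of expected names
# Fold characters that are easy to swap in lookalike names (the i/l case, plus 1 and 0).
CONFUSABLE = str.maketrans({"l": "i", "1": "i", "0": "o"})

def skeleton(name):
    return name.lower().translate(CONFUSABLE)

def audit_ini(text, expected_shell="explorer.exe"):
    """Flag non-empty run=/load= under [windows] and an unexpected shell= under [boot]."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    cp.read_string(text)
    sections = {s.lower(): cp[s] for s in cp.sections()}  # section names vary in case
    findings = []
    for key in ("run", "load"):
        value = (sections.get("windows", {}).get(key) or "").strip()
        if value:
            findings.append(("windows", key, value))
    shell = (sections.get("boot", {}).get("shell") or "").strip()
    if shell and shell.lower() != expected_shell:
        findings.append(("boot", "shell", shell))
    return findings

def lookalike_run_entries(entries, trusted=TRUSTED):
    """Return (value name, command) pairs whose executable imitates a trusted name."""
    keys = {skeleton(t) for t in trusted}
    hits = []
    for value_name, command in entries.items():
        m = re.match(r'\s*(?:"([^"]+)"|(\S+))', command)
        exe = ntpath.basename(m.group(1) or m.group(2)).lower() if m else ""
        if exe not in trusted and skeleton(exe) in keys:
            hits.append((value_name, command))
    return hits

# Constructed sample input (hypothetical file names, not taken from the page).
SAMPLE_INI = r"""
[windows]
load=
run=C:\WINDOWS\updater.exe
[boot]
shell=Explorer.exe helper.exe
"""
SAMPLE_RUN = {"Explorer": r"C:\WINDOWS\Expiorer.exe", "SystemTray": "SysTray.Exe"}

if __name__ == "__main__":
    for finding in audit_ini(SAMPLE_INI) + lookalike_run_entries(SAMPLE_RUN):
        print(finding)
```

A flagged entry is only a lead to investigate: legitimate software also uses these startup locations, so compare each finding against what you expect to be installed.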

Once you know how Trojans work, it becomes easy to detect and remove them. If you find a Trojan, the most effective first step is to disconnect the computer from the network immediately to prevent hackers from attacking you through the network. Then edit the file and change "run=" Trojan program or "load=" Trojan program below [WINDOWS] to "run=" and "load="; edit the file and change the "shell=" file entry below [BOOT] to: "shell=". In the registry, use regedit to first find the file name of the Trojan program under "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run", and then search for and replace the Trojan program in the entire registry. Note that with some Trojan programs you should not directly delete the Trojan's value under "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run", because with some Trojans, such as the BladeRunner Trojan, if you delete it, the Trojan will add it back immediately. What you need to do is record the name and directory of the Trojan, then return to MS-DOS, find the Trojan file and delete it. Restart the computer and then go to the registry to delete the key values of all the Trojan's files. At this point, we are done.