Tricks for spotting and removing a Trojan disguised as a system process

After compromising a computer, the next thing an attacker does is upload a Trojan backdoor. To keep the uploaded Trojan from being detected, attackers do their best to disguise it. As the victim, how can we see through the camouflage and remove the Trojan from the system completely? With anti-virus software? No. The answer is manual inspection and removal.

Anti-virus software has accompanied us for many years, but viruses and Trojans keep changing and are very "slippery". Anti-virus software has difficulty driving them out, and sometimes it cannot even detect that a virus or Trojan is present, let alone remove it. Manual inspection and removal is therefore still necessary. This article takes a Trojan disguised as the system process Wmiprvse.exe as an example and explains the removal step by step.

First, press "Ctrl+Alt+Del" to open Task Manager and switch to the "Processes" tab. Today, unlike before, a Wmiprvse.exe process suddenly showed up on the "Processes" tab. So I used Baidu to search for information about the Wmiprvse.exe process. The answer was that wmiprvse.exe is part of the Microsoft Windows operating system. It handles WMI operations through the WinMgmt.exe program and is very important for the normal operation of the system.

Seeing this, it is easy to conclude that this is a normal, safe process and nothing serious, so I went back to my online game "career". But before long the computer restarted by itself, and then restarted several more times intermittently. When there are no other suspicious objects, you can use the system's search function to look for the Wmiprvse.exe program file. The result: two Wmiprvse.exe files with the same name coexist.

On closer inspection, the two program files are the same size, but one Wmiprvse.exe file is in the Windows2 directory. Checking the creation time of the two folders shows that Windows2 was indeed created at the time I reinstalled the system, so both are system directories; the previous one was simply not deleted cleanly last time. Opening Task Manager again shows two Wmiprvse.exe processes in the system, run under user accounts with different privileges. The file located under \System32\wbem is the normal file. In other words, a Wmiprvse.exe file that is not under Windows\System32\wbem is a virus file. In Task Manager, I stopped the process, then went to the process's folder and deleted the virus file. I thought the virus had been wiped out this way, but without even waiting for a reboot, after about ten minutes the virus process appeared in Task Manager again.

Following the principle that it is better to delete too much than to let a single virus file escape, I stopped the Trojan process again, deleted all the files in the Windows2 directory, and then searched the registry for the related keys and values and deleted them. After restarting the computer and opening Task Manager again, the Wmiprvse.exe process had disappeared, and so had the automatic restarts. The case of the real and the fake "Monkey King" had finally seen the dawn. If you encounter a Trojan disguised as the Wmiprvse.exe program, try removing it along the lines of this article; why bother with a time-consuming and labor-intensive reinstall?
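
The manual checks described above (which Wmiprvse.exe processes are running, from which folder, under which user, and what in the registry starts them) can be scripted. The following PowerShell is an added example, not part of the original article. It assumes the standard wbem locations under %SystemRoot% and checks only the two Run keys, because the article does not say which registry keys it searched.

```powershell
# Added example, not from the original article. Run elevated so paths are readable.
$name  = 'wmiprvse.exe'
# Expected locations (the SysWOW64 copy exists only on 64-bit Windows).
$legit = 'System32\wbem\WmiPrvSE.exe', 'SysWOW64\wbem\WmiPrvSE.exe' |
    ForEach-Object { Join-Path $env:SystemRoot $_ }

# 1. Every running process with that name: path, owner, parent, verdict.
$procs = Get-CimInstance Win32_Process -Filter "Name = '$name'" | ForEach-Object {
    $path  = $_.ExecutablePath
    $owner = Invoke-CimMethod -InputObject $_ -MethodName GetOwner
    if (-not $path) {
        $verdict = 'path unreadable'
    } elseif ($legit -contains $path) {   # -contains ignores case
        $verdict = 'expected location'
    } else {
        $verdict = 'UNEXPECTED LOCATION'
    }
    [pscustomobject]@{
        ProcessId = $_.ProcessId
        ParentPid = $_.ParentProcessId   # helps find whatever relaunches the copy
        Owner     = if ($owner.ReturnValue -eq 0) { "$($owner.Domain)\$($owner.User)" } else { '?' }
        Path      = $path
        Verdict   = $verdict
    }
}
$procs | Format-Table -AutoSize

# 2. For a copy outside wbem, record signature status and creation time
#    before stopping the process and deleting the file.
$procs | Where-Object Verdict -eq 'UNEXPECTED LOCATION' | ForEach-Object {
    $sig  = Get-AuthenticodeSignature -FilePath $_.Path
    $file = Get-Item -LiteralPath $_.Path
    '{0}  signature={1}  created={2:u}' -f $_.Path, $sig.Status, $file.CreationTime
}

# 3. Autostart values that mention the file name (assumption: Run keys only).
#    An entry here would explain a process that comes back after deletion.
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    $k = Get-Item -Path $key -ErrorAction SilentlyContinue
    if (-not $k) { continue }
    foreach ($valueName in $k.GetValueNames()) {
        $cmd = [string]$k.GetValue($valueName)
        if ($cmd -match [regex]::Escape($name)) { '{0}\{1} -> {2}' -f $key, $valueName, $cmd }
    }
}
```

The script only reports; stopping the process and deleting files or registry values remain manual steps, as in the article.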

A Trojan on the system is a very troublesome thing. Above, the editor has introduced the hiding tricks and automatic loading methods of these Trojans and how to respond to them. I hope this is helpful to everyone.

Copyright © Windows knowledge All Rights Reserved